1. Introduction
The Miller–Rabin primality test is an algorithm that checks whether a given number is prime or composite. Its original version, due to Gary L. Miller, was deterministic and relied on the unproved extended Riemann Hypothesis [1]. Michael O. Rabin modified it to obtain a probabilistic algorithm [2].
Definition 1. Let m be a positive integer represented as where u is odd. We introduce two auxiliary functions and .
Definition 2. Let n be an odd natural, . An integer is called a primality witness for n if it is co-prime to n and one of the following conditions holds: (We replaced Rabin’s original definition of compositeness witnesses with the opposite relation.) For generality, we count 1 and as primality witnesses and call them trivial witnesses since they satisfy (1) for any n.
Let denote the set of all primality witnesses for n. The Rabin theorem [2] asserts that if number n is prime then each non-zero integer, is a primality witness for n, and therefore, the number of all witnesses . For composite n, it satisfies inequality where is Euler’s totient function. Since Rabin did not consider 1 as a witness, he stated the strict inequality .
Later, Gary Miller [1] developed a primality test that takes any integer , checks that a is not a factor of n (otherwise, n is trivially composite), and whether a is a primality witness for n, that is, lies in the set . If the answer is positive, then n is a probable prime with probability exceeding . If we need a more exact result, we should repeat this procedure several times taking different numbers .
Researchers refer to this algorithm as the Miller and Rabin primality test. We abbreviate it to MR test.
Definition 3. Parameters a which are used in Miller’s algorithm are called bases. They are chosen randomly from interval . If, for a given odd integer n, relation (1) holds at a base a, we say n passes the MR test at base a. Otherwise, we call a a compositeness witness for n and deduce that n is certainly composite. The probability of error after k successful iterations becomes less than . The only type of error in Rabin’s procedure is declaring a composite integer prime.
More details on the Miller–Rabin test can be found in Chapter 3 of the textbook [3] by Crandall and Pomerance. We abbreviate Miller–Rabin test as MR test.
Definition 4. Composite integers that the MR test qualifies as probable primes at a base a are called strong pseudoprimes relative to base a. Composite integers that are probable primes relative to all a from a set A of bases are called strong probable primes relative to the set of bases A.
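The witness predicate of Definitions 1–2 and the strong pseudoprimes of Definition 4, as an added example (not code from the paper). It assumes the conditions lost from Definition 2 are the standard Miller–Rabin relations, a^u ≡ 1 or a^(2^i·u) ≡ −1 (mod n) for some 0 ≤ i < s with n − 1 = 2^s·u; all function names and sample inputs are constructed here.

```python
from math import gcd

def decompose(m):
    """Write m = 2**s * u with u odd (Definition 1); return (s, u)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m

def is_witness(a, n):
    """Primality witness test for odd n > 2, assuming the standard MR relations:
    gcd(a, n) = 1 and a^u = 1 or a^(2^i * u) = -1 (mod n) for some 0 <= i < s."""
    if gcd(a, n) != 1:
        return False
    s, u = decompose(n - 1)
    x = pow(a, u, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False

def witnesses(n):
    """All primality witnesses in 1..n-1, trivial ones (1 and n-1) included."""
    return [a for a in range(1, n) if is_witness(a, n)]

def phi(n):
    """Euler's totient by direct count (fine for the small n used here)."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def is_composite(n):
    """Trial division; ground truth for the small search below."""
    return any(n % d == 0 for d in range(2, int(n ** 0.5) + 1))

def least_strong_pseudoprime(bases, limit):
    """Smallest odd composite below limit that passes the MR test at every base."""
    for n in range(9, limit, 2):
        if is_composite(n) and all(is_witness(a, n) for a in bases):
            return n
    return None

if __name__ == "__main__":
    for n in (15, 91, 561):  # constructed sample inputs
        w = witnesses(n)
        print(n, len(w), phi(n), len(w) / phi(n))
    print(least_strong_pseudoprime((2,), 3000))
```

The brute-force count is only practical for small n; it is meant for checking witness counts and the bound relative to Euler's totient on concrete composites, not for testing cryptographic-size integers.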
Investigation of pseudoprime integers has a long history in Computational Number Theory. We outline the main advances in this direction in the next section.
2. Some History Remarks
First attempts to find fast primality algorithms were based on Fermat’s Little Theorem asserting that for prime n and for any positive integer a, the following relation holds
Indeed, many composite integers do not satisfy (2) and can be discarded after the first check. Composite n that satisfy (2) are called Fermat pseudoprimes relative to base a.
It is important to note that all strong pseudoprimes relative to a base a are also Fermat pseudoprimes relative to a.
We can decrease the number of false decisions by Fermat’s test by checking the relation (2) with several different a. However, this does not allow us to completely avoid false conclusions since so-called Carmichael numbers exist.
Integer n is called a Carmichael number if it satisfies (2) for all a. Carmichael numbers appear relatively rarely and the least Carmichael number is . It is known that Carmichael numbers are exactly those integers which satisfy Korselt’s criterion:
Korselt Criterion (1899). A positive composite integer n is a Carmichael number if and only if n is square-free, and for all prime divisors p of n, it is true that .
One of the interesting problems is to find for a given odd integer n the least witness. In 1994 Alford, Granville and Pomerance proved [4] that such witnesses exceed for infinitely many n. We also show that there are finite sets of odd composites which do not have a reliable witness, namely a common witness for all of the numbers in the set.
MR test discards a Carmichael number n, if the base was chosen from .
Let us fix a base a and let be a least composite integer that the MR Test accepts at the base a. Then, any odd for which a is a primality witness, is definitely prime. This means that when we know , we can definitely check any for primality using only one round of the MR procedure. The corresponding integer is small. But if we take a set A of several different bases a and find a least composite for which all are primality witness, this can be very large. Candidates for bases a can be any positive integers that are not squares. However, historically, candidates for special bases are chosen from the set of primes.
Let denote the set of the first k primes , and let be a least strong pseudoprime relative to for a . Function is well defined and is exponentially computable. Its computation began already 40 years ago.
The first four values of were found by C. Pomerance, J. Selfridge, and S. Wagstaff [5] in 1980.
A systematic calculation of for larger k has been initiated by J. Jaeschke [6] who elaborated basic algorithms helpful for searching for strong pseudoprimes of different forms. In 1993 Jaeschke calculated for and proposed upper bounds for at .
F. Arnault in papers [7, 8] described another algorithm to search for Carmichael numbers and strong pseudoprime integers.
Jaeschke’s hypothesis was improved in 2001 by Z. Zang [9] who constructed a smaller 19-digit decimal integer bounding above . Z. Zang conjectures that values for are equal to each other and coincide with .
In 2012 J. Jiang and Y. Deng [10] confirmed Zang’s Hypothesis by showing that .
The last record was reached by J. Sorenson and J. Webster [11] in 2016. They found and , where . So at the moment we can successfully determine prime integers less than by only 13 rounds of the MR test. But this bound is much less than the integers used in Cryptography. For example, the DSS algorithm uses prime integers of length 256 bits (≈80 decimal digits).
Another branch of investigations is connected with the problem of distribution of Fermat pseudoprimes and strong pseudoprimes. Let denote set
Clearly, .
In 1985 P. Erdős and C. Pomerance [12] studied the asymptotic behavior of the average function where the sum is counted over odd integers. They showed using complex number-theoretical calculations that is a growing function bounded below by .
Our average function looks close to but we show that for almost all composite n consists of only two elements 1 and and function tends to zero with x tending to infinity.
The average number of errors in the MR test was also studied in 1993 by I. Damgård, P. Landrock and C. Pomerance. In paper [13] they studied the average probability of a false decision by the MR test in the following procedure:
Fix and and choose randomly k-bit odd integer n. Check it with t rounds of MR test with randomly chosen bases from . If n was discarded during the procedure (that is, found ), take another n. Continue until n was found passed t rounds. Let be the probability that the procedure returns a composite integer.
The authors found explicit upper bounds for various k and t. In particular they proved that Their results show that the probability of false decisions of the MR test depends on the length of tested numbers and it decreases if the length of the numbers increases.
3. Counting Number of Witnesses
In this section we deduce exact formulas for the number of primality witnesses for different types of composite integers.
We begin our investigation with a little proposition improving Rabin’s estimate.
Theorem 1. If , then .
Proof. Let . If k is odd, then , and , therefore, is also a witness.
If k is even, then . If is even, then , and is a witness.
Finally, if is odd, then . Since , then , and again is a witness.
This completes the proof. □
Corollary 1. (The Improved Rabin Theorem). Let n be a natural, and A be an arbitrary set of bases less than n, co-prime to n, such that for any , is not in A. If all bases are primality witnesses of n, then n is probable prime with probability of error less than or equal to .
Indeed, when we found a primality witness a for integer n, we get two primality witnesses for n, namely, a and . So, this reduces the probability of error by a factor of .
Let be the power of number of primality witnesses . As mentioned earlier, for prime n, and for composite n.
Below we estimate function more exactly. First we formulate a theorem restricting possible witnesses for a composite n.
Theorem 2. Let for co-prime factors u and v (possibly, composite), and . Then,
Proof. Since a is a primality witness for n then and . Besides, , so since by Euler’s Theorem.
By symmetry.
If is odd, then (otherwise, a satisfies the second clause of the MRT, and should be even). Then and is odd.
If for , then a is a witness by second clause of the MRT, so , , and , so and is equal to i.
The theorem is proved. □
Example 1. Let and . By Theorem 2: So, possible a satisfies , or, , so has only trivial witnesses 1 and .
Theorem 3. Let be a degree of prime p, then .
Proof. Let a be a witness for , then
Besides, any a satisfying is a witness of n. Indeed, let . Then, is a factor of . Let for odd t, therefore, , where and is a factor of t.
If , then , and a is a witness by the first clause of the MRT. Otherwise, let be such that . Then and a is a witness by the second clause of the MRT. This completes the proof. □
We call integer n semiprime if it is a product of two distinct primes Semiprimes are close to primes, and we prove below that they have a maximal number of primality witnesses among composite numbers.
Theorem 4. Number of witnesses of semiprime is equal to where . We begin with an example of application of this formula.
Example 2. Let . Then , , . By the theorem,
Proof. Let . Applying Theorem 2 to we obtain
We distribute all n-witnesses a into classes , , where class consists of a with .
Class contains such a that both and are odd. Let , and . Numbers i and j are factors of by the choice of a. Conversely, each integer satisfying is a witness of n and lies in .
Let us fix a pair . By Euler’s theorem, in there are exactly elements of multiplicative order i, and in there are elements of multiplicative order j, so, there exist exactly pairs such that . But for each such pair there exists a unique with , so there is an injective correspondence between witnesses a of n with odd orders , , and pairs with , . Therefore, the power of is equal to since by a known theorem of Euler for any natural m .
The next class has the same power since it consists of witnesses a with , and since for odd z.
The power of class is equal to
Therefore, the number of all witnesses
This completes the proof. □
Corollary 2. (Rabin’s theorem for semiprimes). The number of witnesses of is less or equal to .
Proof. If , then by Theorem 3, and , so at .
Let . Ratio reaches its maximum when , and . Indeed, decreases by a factor of two when is increased by 1, and the whole expression in (4) becomes less. Then, , so □
Example 3. Let . .
Now we study function at products of k distinct primes. The general result for such products is formulated below:
Theorem 5. Let be the product of k distinct primes. Then. Let us begin with an example
The corresponding restrictions are listed below:
Since , we obtain (compare with ).
Proof. Let and k-tuple contains components , . There are witnesses of n with for . So,
As in the previous theorem, the power of class is equal to the power of , while the power of each further class is equal to the power of the previous one multiplied by since each additive in the previous class corresponds to additive and their ratio is
The proof is complete. □
4. Frequency Function
In this part we introduce a notion of frequency function that characterizes the probability to find at one attempt a primality witness for a given integer n.
Let us define the frequency function as follows
According to Rabin’s theorem, for prime n, and for composite n. We study distribution of values for semiprime integers .
1. We begin our research with case for . Numbers of this type appear frequently among strong pseudoprimes. Let rewrite p and q in form where u is odd, , and consider different s:
Case 1. Function reaches its maximum at : . Since, both p and q are prime then , so , . Such pairs form a sequence Case 2. and Maximum of is now at .
Case 3. , At arbitrary s we have Thus, function at semiprimes , is located in the interval
2. Now, we turn to a common case :
Conclusion. Function at semiprimes depends mostly on values and in representation , . takes maximal values close to only at small and . This completely corresponds to experimental data. Among values the most expected are pseudoprimes of form with minimal values and .
An important question connected with the efficiency of the MRT is the average frequency of witnesses for composite numbers. As earlier, we study this problem for semiprime integers.
Let us fix any prime p and a bound B. We count the average frequency of integers . For convenience, we assume that for a positive .
For simplicity we explain all deductions at example . Every prime q has equal either 2, or 10.
Let . Corresponding q lie in the set , where . Each third integer in the sequence is a multiple of 3, some others are multiples of 7, 11 etc. Since q should be prime we need to remove them from the sequence. The rest consists of integers
We assume that primes are distributed uniformly in the interval . Then the average frequency can be estimated as
(recall that ).
The expression in the last brackets is a partial sum of the Harmonic Series. Its value is where is the Euler–Mascheroni constant and . Constant and additive can be ignored so
Since then and , so
Let us move now to primes q of type . They lie in the sequence where . When we remove composite integers, the rest contains at least half of the members.
Integers with have only trivial witnesses 1 and so their frequency function takes values
Assuming that such n are distributed uniformly in the interval we estimate the average frequency by expression
Substituting in the last expression we get
Expressions (7) and (8) give upper bounds for two types of integers . In the second case the estimate is smaller, so the average estimate for the united class of all , , can be set by the upper bound of (7). This assertion does not depend on a special so we can state the following theorem.
Theorem 6. Let p be a prime and B satisfy . Then the average frequency of witnesses in the class of semiprimes has an upper bound
Note that the limit of the average function is 0 as . This explains the phenomenon that the number of false conclusions in the Miller–Rabin test decreases when the length of tested integers increases.
5. Numbers with Maximal Frequency of Witnesses
In this section we study composite n with maximal frequency . Let be the product of k different primes.
We begin with case . As we see from the previous section, integers have maximal frequency only in case when . Such pairs appear comparatively often, and their quantity is diminishing together with their size.
Table 1 contains the number of semiprimes with maximal frequency in intervals .
Case is more interesting. For function to reach its maximum = , four requirements must be satisfied:
Such triples exist, and an example of it was already given in Rabin’s paper [2] . Rabin himself estimated as , but the difference is due to the fact that he did not include 1 in the list of witnesses.
Such triples appear much more seldom and have a form
We ran a computer search for such triples and found 160 such integers not exceeding . The least triple we found is
The largest found triple has a form at :
Let us study the form and find restrictions on u so that satisfies the first 3 conditions of (9). The first requirement is satisfied automatically. The second and third requirements are listed below:
so for . If we add requirements we obtain
Let us now consider products of k primes where . The maximum of frequency of such products is , since it is reached when for any is odd, and . Then,
A quick search of tuples below gave 70 examples of them. The least 4-tuple was
while the largest was
Some computational results on distribution of strong semiprime integers can be found in [14].