Miller–Rabin primality test
The Miller–Rabin primality test or Rabin–Miller primality test is a primality test: an algorithm which determines whether a given number is prime, similar to the Fermat primality test and the Solovay–Strassen primality test. It was first discovered by Russian mathematician M. M. Artjuhov. Gary L. Miller rediscovered it; Miller's version of the test is deterministic, but its correctness relies on the unproven extended Riemann hypothesis. Michael O. Rabin modified it to obtain an unconditional probabilistic algorithm.
Just like the Fermat and Solovay–Strassen tests, the Miller–Rabin test relies on an equality or set of equalities that hold true for prime values, then checks whether or not they hold for a number that we want to test for primality.
First, a lemma about square roots of unity in the finite field Z/pZ, where p is prime and p > 2. Certainly 1 and −1 always yield 1 when squared modulo p; call these trivial square roots of 1. There are no nontrivial square roots of 1 modulo p (a special case of the result that, in a field, a polynomial has no more zeroes than its degree). To show this, suppose that x is a square root of 1 modulo p. Then:
In other words, prime p divides the product (x − 1)(x + 1). By Euclid's lemma it divides one of the factors x − 1 or x + 1, implying that x is congruent to either 1 or −1 modulo p.
Now, let n be prime, and n > 2. It follows that n − 1 is even and we can write it as 2s·d, where s and d are positive integers and d is odd. For each a in (Z/nZ)*, either
for some 0 ≤ r ≤ s − 1.
To show that one of these must be true, recall Fermat's little theorem, that for a prime number n:
By the lemma above, if we keep taking square roots of an−1, we will get either 1 or −1. If we get −1 then the second equality holds and it is done. If we never get −1, then when we have taken out every power of 2, we are left with the first equality.
The Miller–Rabin primality test is based on the contrapositive of the above claim. That is, if we can find an a such that
for all 0 ≤ r ≤ s − 1, then n is not prime. We call a a witness for the compositeness of n (sometimes misleadingly called a strong witness, although it is a certain proof of this fact). Otherwise a is called a strong liar, and n is a strong probable prime to base a. The term "strong liar" refers to the case where n is composite but nevertheless the equations hold as they would for a prime.
Every odd composite n has many witnesses a, however, no simple way of generating such an a is known. The solution is to make the test probabilistic: we choose a non-zero a in Z/nZ randomly, and check whether or not it is a witness for the compositeness of n. If n is composite, most of the choices for a will be witnesses, and the test will detect n as composite with high probability. There is, nevertheless, a small chance that we are unlucky and hit an a which is a strong liar for n. We may reduce the probability of such error by repeating the test for several independently chosen a.
However, there are diminishing returns in doing tests to many bases, because if n is a pseudoprime to base a, then it seems more likely to be a pseudoprime to another base b.:§8
For testing large numbers, it is common to choose random bases a, as, a priori, we don't know the distribution of witnesses and liars among the numbers 1, 2, ..., n − 1. In particular, Arnault  gave a 397-digit composite number for which all bases a less than 307 are strong liars. As expected this number was reported to be prime by the Maple
isprime() function, which implemented the Miller–Rabin test by checking the specific bases 2,3,5,7, and 11. However, selection of a few specific small bases can guarantee identification of composites for n less than some maximum determined by said bases. This maximum is generally quite large compared to the bases. As random bases lack such determinism for small n, specific bases are better in some circumstances.
Suppose we wish to determine if n = 221 is prime. We write n − 1 = 220 as 22·55, so that we have s = 2 and d = 55. We randomly select a number a such that 1 < a < n - 1, say a = 174. We proceed to compute:
- a20·d mod n = 17455 mod 221 = 47 ≠ 1, n − 1
- a21·d mod n = 174110 mod 221 = 220 = n − 1.
Since 220 ≡ −1 mod n, either 221 is prime, or 174 is a strong liar for 221. We try another random a, this time choosing a = 137:
- a20·d mod n = 13755 mod 221 = 188 ≠ 1, n − 1
- a21·d mod n = 137110 mod 221 = 205 ≠ n − 1.
Hence 137 is a witness for the compositeness of 221, and 174 was in fact a strong liar. Note that this tells us nothing about the factors of 221 (which are 13 and 17). However, the example with 341 in the next section shows how these calculations can sometimes produce a factor of n.
The algorithm can be written in pseudocode as follows. The parameter k determines the accuracy of the test. The greater the number of rounds, the more accurate the result.
Input #1: n > 3, an odd integer to be tested for primality Input #2: k, the number of rounds of testing to perform Output: “composite” if n is found to be composite, “probably prime” otherwise write n as 2r·d + 1 with d odd (by factoring out powers of 2 from n − 1) WitnessLoop: repeat k times: pick a random integer a in the range [2, n − 2] x ← ad mod n if x = 1 or x = n − 1 then continue WitnessLoop repeat r − 1 times: x ← x2 mod n if x = n − 1 then continue WitnessLoop return “composite” return “probably prime”
Using repeated squaring, the running time of this algorithm is O(k log3n), where n is the number tested for primality, and k is the number of rounds performed; thus this is an efficient, polynomial-time algorithm. FFT-based multiplication can push the running time down to O(k log2n log log n log log log n) = Õ(k log2n).
The error made by the primality test is measured by the probability for a composite number to be declared probably prime. The more bases a are tried, the better the accuracy of the test. It can be shown that if n is composite, then at most 1⁄4 of the bases a are strong liars for n. As a consequence, if n is composite then the Miller–Rabin test declares n probably prime with a probability at most 4−k.
This is an improvement over the Solovay–Strassen test, whose worst‐case error bound is 2−k. Moreover, the Miller–Rabin test is strictly stronger than the Solovay–Strassen test in the sense that for every composite n, the set of strong liars for n is a subset of the set of Euler liars for n, and for many n, the subset is proper.
In addition, for large values of n, the probability for a composite number to be declared probably prime is often significantly smaller than 4−k. For instance, for most numbers n, this probability is bounded by 8−k; the proportion of numbers n which invalidate this upper bound vanishes as we consider larger values of n. Hence the average case has a much better accuracy than 4−k, a fact which can be exploited for generating probable primes (see below). However, such improved error bounds should not be relied upon to verify primes whose probability distribution is not controlled, since a cryptographic adversary might send a carefully chosen pseudoprime in order to defeat the primality test. In such contexts, only the worst‐case error bound of 4−k can be relied upon.
It is important to note that in many common applications of this algorithm, we are not interested in the error bound described above. The above error bound is the probability of a composite number being declared as a probable prime after k rounds of testing. We are often instead interested in the probability that, after passing k rounds of testing, the number being tested is actually a composite number. Formally, if we call the event of declaring n a probable prime after k rounds of Miller–Rabin Yk, and we call the event that n is composite X (and denote the event that n is prime ), then the above bound gives us , whereas we are interested in . Bayes' theorem gives us a way to relate these two conditional probabilities, namely
This tells us that the probability that we are often interested in is related not just to the 4−k bound above, but also probabilities related to the density of prime numbers in the region near n.
The Miller–Rabin algorithm can be made deterministic by trying all possible a below a certain limit. The problem in general is to set the limit so that the test is still reliable.
If the tested number n is composite, the strong liars a coprime to n are contained in a proper subgroup of the group (Z/nZ)*, which means that if we test all a from a set which generates (Z/nZ)*, one of them must lie outside the said subgroup, hence must be a witness for the compositeness of n. Assuming the truth of the generalized Riemann hypothesis (GRH), it is known that the group is generated by its elements smaller than O((log n)2), which was already noted by Miller. The constant involved in the Big O notation was reduced to 2 by Eric Bach. This leads to the following conditional primality testing algorithm, known as the Miller test:
Input: n > 1, an odd integer to be tested for primality Output: “composite” if n is composite, “prime” otherwise write n as 2r·d + 1 with d odd (by factoring out powers of 2 from n − 1) WitnessLoop: for all a in the range [2, min(n−2, ⌊2(ln n)2⌋)]: x ← ad mod n if x = 1 or x = n − 1 then continue WitnessLoop repeat r − 1 times: x ← x2 mod n if x = n − 1 then continue WitnessLoop return “composite” return “prime”
The full power of the generalized Riemann hypothesis is not needed to ensure the correctness of the test: as we deal with subgroups of even index, it suffices to assume the validity of GRH for quadratic Dirichlet characters.
The running time of the algorithm is, in the soft-O notation, Õ((log n)4) (using FFT‐based multiplication).
The Miller test is not used in practice. For most purposes, proper use of the probabilistic Miller–Rabin test or the Baillie–PSW primality test gives sufficient confidence while running much faster. It is also slower in practice than commonly used proof methods such as APR-CL and ECPP which give results that do not rely on unproven assumptions. For theoretical purposes requiring a deterministic polynomial time algorithm, it was superseded by the AKS primality test, which also does not rely on unproven assumptions.
Testing against small sets of bases
When the number n to be tested is small, trying all a < 2(ln n)2 is not necessary, as much smaller sets of potential witnesses are known to suffice. For example, Pomerance, Selfridge and Wagstaff and Jaeschke have verified that
- if n < 2,047, it is enough to test a = 2;
- if n < 1,373,653, it is enough to test a = 2 and 3;
- if n < 9,080,191, it is enough to test a = 31 and 73;
- if n < 25,326,001, it is enough to test a = 2, 3, and 5;
- if n < 3,215,031,751, it is enough to test a = 2, 3, 5, and 7;
- if n < 4,759,123,141, it is enough to test a = 2, 7, and 61;
- if n < 1,122,004,669,633, it is enough to test a = 2, 13, 23, and 1662803;
- if n < 2,152,302,898,747, it is enough to test a = 2, 3, 5, 7, and 11;
- if n < 3,474,749,660,383, it is enough to test a = 2, 3, 5, 7, 11, and 13;
- if n < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.
Using the work of Feitsma and Galway enumerating all base 2 pseudoprimes in 2010, this was extended (see OEIS: A014233), with the first result later shown using different methods in Jiang and Deng:
- if n < 3,825,123,056,546,413,051, it is enough to test a = 2, 3, 5, 7, 11, 13, 17, 19, and 23.
- if n < 18,446,744,073,709,551,616 = 264, it is enough to test a = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, and 37.
Sorenson and Webster verify the above and calculate precise results for these larger than 64‐bit results:
- if n < 318,665,857,834,031,151,167,461, it is enough to test a = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, and 37.
- if n < 3,317,044,064,679,887,385,961,981, it is enough to test a = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, and 41.
Other criteria of this sort, often more efficient (fewer bases required) than those shown above, exist. They give very fast deterministic primality tests for numbers in the appropriate range, without any assumptions.
There is a small list of potential witnesses for every possible input size (at most b values for b‐bit numbers). However, no finite set of bases is sufficient for all composite numbers. Alford, Granville, and Pomerance have shown that there exist infinitely many composite numbers n whose smallest compositeness witness is at least (ln n)1/(3ln ln ln n). They also argue heuristically that the smallest number w such that every composite number below n has a compositeness witness less than w should be of order Θ(log n log log n).
Variants for finding factors
By inserting greatest common divisor calculations into the above algorithm, we can sometimes obtain a factor of n instead of merely determining that n is composite. This occurs for example when n is a probable prime base a but not a strong probable prime base a.:1402 We can detect this case in the algorithm by comparing x in the inner loop not only to −1, but also to 1.
If at some iteration 1 ≤ i < r of the inner loop, the algorithm discovers that the value ad·2i mod n of the variable x is equal to 1, then, knowing that the previous value x0 = ad·2s−1 of the variable x has been checked to be different from ±1, we can deduce that x0 is a square root of 1 which is neither 1 nor −1. As this is not possible when n is prime, this implies that n is composite. Moreover:
- since x02 ≡ 1 (mod n), we know that n divides x02 − 1 = (x0 − 1)(x0 + 1);
- since x0 ≢ ±1 (mod n), we know that n does not divide x0 − 1 nor x0 + 1.
From this we deduce that A = GCD(x0 − 1, n) and B = GCD(x0 + 1, n) are non‐trivial (not necessarily prime) factors of n (in fact, since n is odd, these factors are coprime and n = A·B). Hence, if factoring is a goal, these GCD calculations can be inserted into the algorithm at little additional computational cost. This leads to the following pseudocode, where the added or changed code is highlighted:
Input #1: n > 3, an odd integer to be tested for primality Input #2: k, the number of rounds of testing to perform Output: (“multiple of”, m) if a non‐trivial factor m of n is found, “composite” if n is otherwise found to be composite, “probably prime” otherwise write n as 2r·d + 1 with d odd (by factoring out powers of 2 from n − 1) WitnessLoop: repeat k times: pick a random integer a in the range [2, n − 2] x ← ad mod n if x = 1 or x = n − 1 then continue WitnessLoop repeat r − 1 times: y ← x2 mod n if y = 1: return (“multiple of”, GCD(x − 1, n)) x ← y if x = n − 1 then continue WitnessLoop return “composite” return “probably prime”
This algorithm does not yield a probabilistic factorization algorithm because it is only able to find factors for numbers n which are pseudoprime to base a (in other words, for numbers n such that an−1 ≡ 1 mod n). For other numbers, the algorithm only returns “composite” with no further information.
For example, consider n = 341 and a = 2. We have n − 1 = 85·4. Then 285 mod 341 = 32. and 322 mod 341 = 1. This tells us that n is a pseudoprime base 2, but not a strong pseudoprime base 2. By computing a GCD at this stage, we find a factor of 341: GCD(32 − 1, 341) = 31. Indeed, 341 = 11·31.
In order to find factors more often, the same ideas can also be applied to the square roots of −1 (or any other number). This strategy can be implemented by exploiting knowledge from previous rounds of the Miller–Rabin test. In those rounds we may have identified a square root modulo n of −1, say R. Then, when x2 mod n = n−1, we can compare the value of x0 against R: if x0 is neither R nor n−R, then GCD(x0 − R, n) and GCD(x0 + R, n) are non‐trivial factors of n.
Generation of probable primes
The Miller–Rabin test can be used to generate strong probable primes, simply by drawing integers at random until one passes the test. This algorithm terminates almost surely (since at each iteration there is a chance to draw a prime number). The pseudocode for generating b‐bit strong probable primes (with the most significant bit set) is as follows:
Input #1: b, the number of bits of the result Input #2: k, the number of rounds of testing to perform Output: a strong probable prime n while True: pick a random odd integer n in the range [2b−1, 2b−1] if the Miller–Rabin test with inputs n and k returns “probably prime” then return n
The error measure of this generator is the probability that it outputs a composite number. Using the fact that the Miller–Rabin test itself often has an error bound much smaller than 4−k (see above), Damgård, Landrock and Pomerance derived several error bounds for the generator, with various classes of parameters b and k. These error bounds allow an implementor to choose a reasonable k for a desired accuracy.
One of these error bounds is 4−k, which holds for all b ≥ 2 (the authors only showed it for b ≥ 51, while Ronald Burthe Jr. completed the proof with the remaining values 2 ≤ b ≤ 50). Again this simple bound can be improved for large values of b. For instance, another bound derived by the same authors is:
which holds for all b ≥ 21 and k ≥ b⁄4. This bound is smaller than 4−k as soon as b ≥ 32.
A number of cryptographic libraries use the Miller-Rabin test to generate probable primes. Albrecht, et al. were able to construct composite numbers that some of these libraries declared to be prime.
- Artjuhov, M. M. (1966–1967), "Certain criteria for primality of numbers connected with the little Fermat theorem", Polska Akademia Nauk, 12: 355–364, MR 0213289
- Miller, Gary L. (1976), "Riemann's Hypothesis and Tests for Primality", Journal of Computer and System Sciences, 13 (3): 300–317, doi:10.1145/800116.803773
- Rabin, Michael O. (1980), "Probabilistic algorithm for testing primality", Journal of Number Theory, 12 (1): 128–138, doi:10.1016/0022-314X(80)90084-0
- Carl Pomerance; John L. Selfridge; Samuel S. Wagstaff, Jr. (July 1980). "The pseudoprimes to 25·109" (PDF). Mathematics of Computation. 35 (151): 1003–1026. doi:10.1090/S0025-5718-1980-0572872-7.
- F. Arnault (August 1995). "Constructing Carmichael Numbers Which Are Strong Pseudoprimes to Several Bases". Journal of Symbolic Computation. 20 (2): 151–161. doi:10.1006/jsco.1995.1042.
- Schoof, René (2004), "Four primality testing algorithms" (PDF), Algorithmic Number Theory: Lattices, Number Fields, Curves and Cryptography, Cambridge University Press, ISBN 978-0-521-80854-5
- Damgård, I.; Landrock, P. & Pomerance, C. (1993), "Average case error estimates for the strong probable prime test" (PDF), Mathematics of Computation, 61 (203): 177–194, doi:10.2307/2152945, JSTOR 2152945
- Bach, Eric (1990), "Explicit bounds for primality testing and related problems", Mathematics of Computation, 55 (191): 355–380, doi:10.2307/2008811, JSTOR 2008811
- Jaeschke, Gerhard (1993), "On strong pseudoprimes to several bases", Mathematics of Computation, 61 (204): 915–926, doi:10.2307/2153262, JSTOR 2153262
- Jiang, Yupeng; Deng, Yingpu (2014). "Strong pseudoprimes to the first eight prime bases". Mathematics of Computation. 83 (290): 2915–2924. doi:10.1090/S0025-5718-2014-02830-5.
- Sorenson, Jonathan; Webster, Jonathan (2015). "Strong Pseudoprimes to Twelve Prime Bases". Mathematics of Computation. 86 (304): 985–1003. arXiv:1509.00864. doi:10.1090/mcom/3134.
- Caldwell, Chris. "Finding primes & proving primality — 2.3: Strong probable-primality and a practical test". The Prime Pages. Retrieved February 24, 2019.
- Zhang, Zhenxiang & Tang, Min (2003), "Finding strong pseudoprimes to several bases. II", Mathematics of Computation, 72 (44): 2085–2097, doi:10.1090/S0025-5718-03-01545-X
- Sloane, N. J. A. (ed.). "Sequence A014233 (Smallest odd number for which Miller-Rabin primality test on bases <= n-th prime does not reveal compositeness)". The On-Line Encyclopedia of Integer Sequences. OEIS Foundation.
- Izykowski, Wojciech. "Deterministic variants of the Miller-Rabin primality test". Retrieved February 24, 2019.
- Alford, W. R.; Granville, A.; Pomerance, C. (1994), "On the difficulty of finding reliable witnesses" (PDF), Lecture Notes in Computer Science, Springer-Verlag, 877: 1–16, doi:10.1007/3-540-58691-1_36, ISBN 978-3-540-58691-3
- Robert Baillie; Samuel S. Wagstaff, Jr. (October 1980). "Lucas Pseudoprimes" (PDF). Mathematics of Computation. 35 (152): 1391–1417. doi:10.1090/S0025-5718-1980-0583518-6. MR 0583518.
- Burthe Jr., Ronald J. (1996), "Further investigations with the strong probable prime test" (PDF), Mathematics of Computation, 65 (213): 373–381, doi:10.1090/S0025-5718-96-00695-3
- Martin R. Albrecht; Jake Massimo; Kenneth G. Paterson; Juraj Somorovsky (15 October 2018). Prime and Prejudice: Primality Testing Under Adversarial Conditions (PDF). ACM SIGSAC Conference on Computer and Communications Security 2018. Toronto: Association for Computing Machinery. pp. 281–298. doi:10.1145/3243734.3243787.
|The Wikibook Algorithm Implementation has a page on the topic of: Primality testing|
- Weisstein, Eric W. "Rabin-Miller Strong Pseudoprime Test". MathWorld.
- Interactive Online Implementation of the Deterministic Variant (stepping through the algorithm step-by-step)
- Applet (German)
- Miller-Rabin primality test in C#