THE MILLER{RABIN TEST KEITH CONRAD 1. Introduction The Miller{Rabin test is the most widely used probabilistic primality test. For odd composite n > 1 over 75% of numbers from to 2 to n − 1 are witnesses in the Miller{Rabin test for n. We will describe the test, prove the 75% lower bound (an improvement on the Solovay{Strassen test), and in an appendix use the main idea in the test to show factoring n into primes and computing '(n) are similar computational tasks. 2. The Miller{Rabin test The Fermat and Solovay{Strassen tests are each based on translating a congruence mod- ulo prime numbers, either Fermat's little theorem or Euler's congruence, over to the setting of composite numbers and hoping to make it fail there. The Miller{Rabin test uses a similar idea, but involves a system of congruences. For an odd integer n > 1, factor out the largest power of 2 from n − 1, say n − 1 = 2ek where e ≥ 1 and k is odd. This meaning for e and k will be used throughout. The polynomial xn−1 − 1 = x2ek − 1 can be factored repeatedly as often as we have powers of 2 in the exponent: e e−1 x2 k − 1 = (x2 k)2 − 1 e−1 e−1 = (x2 k − 1)((x2 k + 1) e−2 e−2 e−1 = (x2 k − 1)(x2 k + 1)((x2 k + 1) . e−1 = (xk − 1)(xk + 1)(x2k + 1)(x4k + 1) ··· (x2 k + 1): If n is prime and 1 ≤ a ≤ n − 1 then an−1 − 1 ≡ 0 mod n by Fermat's little theorem, so using the above factorization we have e−1 (ak − 1)(ak + 1)(a2k + 1)(a4k + 1) ··· (a2 k + 1) ≡ 0 mod n: When n is prime one of these factors must be 0 mod n, so i (2.1) ak ≡ 1 mod n or a2 k ≡ −1 mod n for some i 2 f0; : : : ; e − 1g: Example 2.1. If n = 13 then n − 1 = 4 · 3, so e = 2, k = 3, and (2.1) says a3 ≡ 1 mod n or a3 ≡ −1 mod n or a6 ≡ −1 mod n for each a from 1 to 12. Example 2.2. If n = 41 then n − 1 = 8 · 5, so e = 3, k = 5, and (2.1) says a7 ≡ 1 mod n or one of a5; a10, or a20 is congruent to −1 mod n for each a from 1 to 40. The congruences in (2.1) make sense for all odd n > 1, prime or not. Their simultaneous failure for some a in f1; : : : ; n − 1g will lead to a primality test. 1 2 KEITH CONRAD Definition 2.3. For odd n > 1, write n − 1 = 2ek with k odd and pick a 2 f1; : : : ; n − 1g. We say a is a Miller{Rabin witness for n if all of the congruences in (2.1) are false: i ak 6≡ 1 mod n and a2 k 6≡ −1 mod n for all i 2 f0; : : : ; e − 1g: We say a is a Miller{Rabin nonwitness for n (and n is called a strong pseudoprime to the base a) if one of the congruences in (2.1) is true: i ak ≡ 1 mod n or a2 k ≡ −1 mod n for some i 2 f0; : : : ; e − 1g: As in the Fermat and Solovay{Strassen tests, we are using the term \witness" to mean a number that proves n is composite. An odd prime has no Miller{Rabin witnesses, so when n has a Miller{Rabin witness it must be composite. In the definition of a Miller{Rabin witness, the case i = 0 says ak 6≡ −1 mod n, so another way of describing a witness is ak 6≡ ±1 mod n and a2ik 6≡ −1 mod n for all i 2 f1; : : : ; e−1g, where this range of values for i is empty if e = 1 (that is, if n ≡ 3 mod 4). Example 2.4. If n ≡ 3 mod 4 then e = 1 (and conversely). In this case k = (n − 1)=2, so a is a Miller{Rabin witness for n if a(n−1)=2 6≡ ±1 mod n, while a is a Miller{Rabin nonwitness for n if a(n−1)=2 ≡ ±1 mod n. Miller{Rabin witnesses and nonwitnesses can also be described using the list of powers k 2k 4k 2e−1k 2ik e−1 (2.2) (a ; a ; a ; : : : ; a ) = (fa g)i=0 with all terms considered modulo n. We call this the Miller{Rabin sequence for n that is generated by a. For example, to write a Miller{Rabin sequence for n = 57 write 57 − 1 = 23 · 7. Since e = 3 and k = 7, the Miller{Rabin sequence for 57 that is generated by a is (a7; a14; a28). Each term in a Miller{Rabin sequence is the square of the previous term, so if 1 occurs in the sequence then all later terms are 1. If −1 occurs in the sequence then all later terms are also 1. Thus −1 can occur at most once in this sequence. If 1 ≤ a ≤ n − 1 then a is a Miller{Rabin nonwitness for n if and only if (2.2) looks like (1;::: ) mod n or (:::; −1;::: ) mod n and a is a Miller{Rabin witness for n if and only if (2.2) is anything else: the first term is not 1 (equivalently, the terms in the Miller{Rabin sequence are not all 1) and there is no −1 anywhere in (2.2). So 1 and n − 1 are always Miller-Rabin nonwitnesses for n. Example 2.5. Let n = 9. Since n − 1 = 8 = 23, e = 3 and k = 1. The Miller{Rabin sequence for 9 generated by a is (a; a2; a4) mod 9. In the table below we list this sequence for a = 1; 2;:::; 8. The Miller{Rabin witnesses for 9 are 2, 3, 4, 5, 6, and 7. a mod 9 1 2 3 4 5 6 7 8 a2 mod 9 1 4 0 7 7 0 4 1 a4 mod 9 1 7 0 4 4 0 7 1 Example 2.6. Let n = 29341. Since n − 1 = 22 · 7335, the Miller{Rabin sequence for n generated by a is (ak; a2k) mod n where k = 7335. When a = 2, the Miller{Rabin sequence is (26424; 29340). The last term is −1 mod n, so −1 appears and therefore 2 is not a Miller{ Rabin witness for n. When a = 3 the Miller{Rabin sequence is (22569; 1). The first term is not 1 and no term is −1, so 3 is a Miller{Rabin witness for n and thus n is composite. THE MILLER{RABIN TEST 3 Example 2.7. Let n = 30121. Since n − 1 = 23 · 3765, the Miller{Rabin sequence for n generated by a is (ak; a2k; a4k) mod n where k = 3765. When a = 2, this sequence is (15036,73657, 39898,1,1). The first term is not 1 and no term is −1 mod n, so 2 is a Miller{Rabin witness for n. Example 2.8. Let n = 75361. Since n − 1 = 25 · 2355, the Miller{Rabin sequence for n generated by a is (ak; a2k; a4k; a8k; a16k) mod n where k = 2355. When a = 2, this sequence is (330, 18537,1). The first term is not 1 and there is no −1 mod n, so 2 is a Miller{Rabin witness for n. The first odd composite number not having 2 or 3 as an Euler witness is 1729, while the first odd composite number not having 2 or 3 as a Miller{Rabin witness is n = 1373653. Since n−1 = 22 ·343413, a Miller{Rabin sequence for n is (ak; a2k) mod n where k = 343413. The Miller{Rabin sequence generated by 2 is (890592; 137652), with the last term being −1 mod n, and the Miller{Rabin sequence generated by 3 is (1; 1). The number 5 is a Miller{Rabin witness for n: it generates the Miller{Rabin sequence (1199564, 73782). An exhaustive computer search has shown that every odd positive composite number less than 1010 has 2, 3, 5, or 7 as a Miller{Rabin witness except for 3215031751, and 11 is a Miller{ Rabin witness for that number. There is a more intuitive way to think about Miller{Rabin witnesses. If n is an odd prime the congruence an−1 ≡ 1 mod n from Fermat's little theorem can be rewritten as (ak)2e ≡ 1 mod n, so ak mod n has order equal to a power of 2 that is at most 2e. Therefore if ak 6≡ 1 mod n the order of ak mod n is 2j for some j 2 f1; : : : ; eg, so x := a2j−1k mod n has x2 ≡ 1 mod n and x 6≡ 1 mod n. The only square roots of unity modulo an odd prime n are ±1 mod n, so if ak 6≡ 1 mod n and none of the numbers a; a2; a4; : : : ; a2e−1k is −1 mod n then we have a contradiction: n can't be prime. We have rediscovered the definition of a Miller{Rabin nonwitness, and it shows us that the idea behind Miller{Rabin witnesses is to find an unexpected square root of 1 mod n. This is not always what we actually find, since the premise an−1 ≡ 1 mod n for prime n might not actually be true for composite n. In Example 2.5, for instance, no Miller{Rabin witness for 9 is a square root of 1 mod 9.