The Distribution of Pseudoprimes Matt Green September, 2002 The RSA crypto-system relies on the availability of very large prime num- bers. Tests for finding these large primes can be categorized as deterministic and probabilistic. Deterministic tests, such as the Sieve of Erastothenes, of- fer a 100 percent assurance that the number tested and passed as prime is actually prime. Despite their refusal to err, deterministic tests are generally not used to find large primes because they are very slow (with the exception of a recently discovered polynomial time algorithm). Probabilistic tests offer a much quicker way to find large primes with only a negligibal amount of error. I have studied a simple, and comparatively to other probabilistic tests, error prone test based on Fermat’s little theorem. Fermat’s little theorem states that if b is a natural number and n a prime then bn−1 ≡ 1 (mod n). To test a number n for primality we pick any natural number less than n and greater than 1 and first see if it is relatively prime to n. If it is, then we use this number as a base b and see if Fermat’s little theorem holds for n and b. If the theorem doesn’t hold, then we know that n is not prime. If the theorem does hold then we can accept n as prime right now, leaving a large chance that we have made an error, or we can test again with a different base. Chances improve that n is prime with every base that passes but for really big numbers it is cumbersome to test all possible bases. A number that passes the aforementioned test for an arbitrary base b but is composite is called a pseudoprime base b. I have studied pseudo- primes base 2, which I will henceforth just call pseudoprimes. I have also investigated a family of pseudoprimes called Carmichael numbers, which are pseudoprime with all bases relatively prime. Knowing of the prime number theorem (not necesarrily understanding), and the great interest in the distri- bution of prime numbers, I naturally became curious as to whether there was any theorem describing the distribution of pseudoprimes or Carmichael num- bers. It seemed to be a good research opportunity and so I began by writing some programs in the Java programming language to count pseudoprimes. I 1 also began writing a program to count Carmichael numbers, which is more computationally intensive. My counts would then serve to give me some ap- proximations on the density of pseudoprimes and Carmichael numbers up to an arbitrary upper bound. The results of my programs were accurate but lacked the range I needed in order to make any reasonable estimate on pseudoprime density. My lim- itations mostly came in the form of a lack of computer memory. I looked around on the internet and eventually came across a reference to a paper on Carmichael numbers, and I was later able to obtain this paper thanks to Pro- fessor McCallum. This paper contained pseudoprime counts and Carmichael number counts up to 1016 where as I was only able to achieve counts up to 1011. This motivated me to stop trying to expand my programs and instead focus on theory, which was an appealing prospect. I eventually came across a paper written by Carl Pomerance entitled ”On the Distribution of Pseudoprimes”. Here was the argument I had been looking for. In this paper I will define terms and prove theorems needed to understand Pomerance’s argument and will then follow his argument closely, giving supplementary explanation along the way. First, the smallest integer x such that bx ≡ 1 (mod n) is called the order of b modulo n. In Pomerance’s paper, he will represent the order of 2 modulo m with l2(m). A useful generalization of Fermat’s little theorem, called Euler’s theorem, states that for relatively prime integers b and n, bφ(n) ≡ 1 (mod n), where φ(n) is the Euler phi function. The phi function counts the number of num- bers less than n that are relatively prime to n. A proof of this theorem was given in our project proposal but I’d like to revise it so I will do it again here. The multiplicative group modulo n, Z/nx has φ(n) elements all relatively prime to n. It is important to know that if p is prime, then there exists an element b in the multiplicative group Z/px with an order of p − 1. The element b is called a generator of the group Z/px or a primitive root of p. In fact for any number of the form pa where p is prime and a is any positive integer, there is a primitive root for pa. Proof: By the fundamental theorem of arithmetic, p − 1 can be expressed a1 a2 a3 as a unique product of primes, say p − 1 = q1 q2 q3 ···. If a has order s modulo p and b has order t modulo p, then if gcd(s, t) = 1, the order of ab is st. If we prove that there exist numbers x1, x2,... such that the order of xi ai is qi modulo p, then i=1 xi will have order p − 1 modulo p. We know that xp−1 − 1 ≡ 0 (mod pQ) has exactly p − 1 solutions, all the naturals from 0 to p−1. So since if d|p−1, then xp−1 −1=(xd −1)(xp−1−d +xp−2−d +···+x+1), we can write the previous congruence relation as (xd − 1)(xp−1−d + xp−2−d + ···+x+1) ≡ 0 (mod p). Using induction, it can easily be proven that an n 2 degree polynomial has at most n solutions modulo a prime p. So xd − 1 has at most d solutions modulo p and xp−1−d + ··· + x +1 has at most p − 1 − d solutions modulo p, but since xp−1 − 1 has exactly p − 1 solutions modulo p, xd − 1must have exactly d solutions modulo p and xp−1−d + ··· + x + 1 must have exactly p−1−d solutions modulo p. Therefore if d|p−1 then xd −1 has ai exactly d solutions. Now we want qi to be the order of xi modulo p. So we ai ai−1 need numbers x with orders that divide qi but that don’t divide qi . Since ai ai q ai−1 there are exactly qi solutions to x i − 1 ≡ 0 (mod p) and exactly qi − ai 1 a qi i a1−1 solutions to x − 1 ≡ 0 (mod p) then there are qi − qi solutions that ai ai have order qi modulo p, which just so happens to be φ(qi ). Thus the number a1 a2 of primitive roots of a prime p is φ(q1 )φ(q2 ) ··· = φ(p − 1) > 1. This can a easliy be extended to prime power by noting that xp −1 ≡ 1 (mod pa) ≡ 1 (mod p) and then using the same argument as given above. Another useful formula is called the Euler Product. It converts the Rie- mann zeta function from a sum over all the naturals to a product over all the primes. Here it is: ∞ 1 ∞ 1 s = 1 . X n Y 1 − s n=1 n=1 pn 1 1 Proof: Let S =1+ 2s + 3s + ···. Then 1 1 1 1 S − S = (1 − )S =1+ + + ··· 2s 2s 3s 5s and 1 1 1 1 1 1 1 (1 − )S − (1 − )S = (1 − )(1 − )S =1+ + + ··· 2s 3s 2s 2s 3s 5s 7s Continuing this process over all the prime numbers, which might take a while, we eventually get ∞ 1 S 1 − s =1 nY=1 pn This shows that ∞ 1 S = 1 Y 1 − s n=1 pn as needed. Here I will give a more rigorus definition of a Carmichael number because they are just so neat. A Carmichael number n satisfies all the following critirea: 1. For a Carmichael number n, if a prime p|n, then p − 1|n − 1. This follows directly from Fermat’s little theorem. We know that bn−1 ≡ 1 (mod n) for all bases b that are not multiples of n and since p|n, bn−1 ≡ 1 3 (mod p). From Fermat’s little theorem we have that bp−1 ≡ 1 (mod p) so the order of any base is at most p − 1, and we already know that there is at least one base b with an order p − 1. Therefore n − 1 must be a multiple of p − 1 for bn−1 ≡ 1 (mod n). 2. A Carmichael number n is squarefree, that is, has no repeated prime factors. Suppose p2|n. Then from Fermat’s little theorem we know that for b relatively prime to n, bn−1 ≡ 1 (mod n) and since p2|n, bn−1 ≡ 1 (mod p2). 2 Now, by Euler’s theorem bφ(p ) ≡ 1 (mod p2). Recall that numbers of the form pa, where p is prime and a is an aribitrary integer, have primitive roots, which means there is an element b of the multiplicative group modulo p2 that has an order of φ(p2). Numbers less thanp2 that are relatively prime to p2 are those that are not factors of p and there are p2 − p of them, so φ(p2)= p(p − 1). Since n is a pseudoprime base b, the order of b must divide n − 1, that is, p(p − 1)|n − 1. But this is impossible since p|n and n − 1 ≡ −1 (mod p).