The '''Miller–Rabin primality test''' or '''Rabin–Miller primality test''' is a [[primality test]]: an [[algorithm]] which determines whether a given number is [[prime number|prime]], similar to the [[Fermat primality test]] and the [[Solovay–Strassen primality test]]. Its original version, due to [[Gary Miller (professor)|Gary L. Miller]], is [[deterministic algorithm|deterministic]], but the determinism relies on the unproven [[generalized Riemann hypothesis]];<ref name="miller">{{Citation |last=Miller |first=Gary L. |year=1976 |title=Riemann's Hypothesis and Tests for Primality |journal=Journal of Computer and System Sciences |volume=13 |issue=3 |pages=300–317 |doi=10.1145/800116.803773 }}</ref> [[Michael O. Rabin]] modified it to obtain an unconditional [[randomized algorithm|probabilistic algorithm]].<ref name="rabin">{{Citation |last=Rabin |first=Michael O. |year=1980 |title=Probabilistic algorithm for testing primality |journal=Journal of Number Theory |volume=12 |issue=1 |pages=128–138 |doi=10.1016/0022-314X(80)90084-0 }}</ref>

==Concepts==

Just like the Fermat and Solovay–Strassen tests, the Miller–Rabin test relies on an equality or set of equalities that hold true for prime values, then checks whether or not they hold for a number that we want to test for primality.

First, a [[lemma (mathematics)|lemma]] about square [[root of unity|roots of unity]] in the [[finite field]] '''Z'''/''p'''''Z''', where ''p'' is prime and ''p'' > 2. Certainly 1 and −1 always yield 1 when squared modulo ''p''; call these [[Trivial (mathematics)|trivial]] [[square root]]s of 1. There are no ''nontrivial'' square roots of 1 modulo ''p'' (a special case of the result that, in a field, a [[polynomial]] has no more zeroes than its degree). To show this, suppose that ''x'' is a square root of 1 modulo ''p''. Then:

:<math>x^{2} \equiv 1\pmod{p} </math>

:<math> (x - 1)( x + 1) \equiv 0\pmod{p}.</math>

In other words, prime ''p'' divides the product {{nowrap|(''x'' − 1)(''x'' + 1).}} By [[Euclid's lemma]] it divides one of the factors {{nowrap|''x'' − 1}} or {{nowrap|''x'' + 1,}} implying that ''x'' is congruent to either 1 or −1 modulo ''p''.

Now, let ''n'' be prime with ''n'' > 2. It follows that {{nowrap|''n'' − 1}} is even and we can write it as 2<sup>''s''</sup>·''d'', where ''s'' and ''d'' are positive integers (''d'' is odd). For each ''a'' in ('''Z'''/''n'''''Z''')*, either

:<math>a^{d} \equiv 1\pmod{n}</math>

or

:<math>a^{2^r\cdot d} \equiv -1\pmod{n}</math>

for some 0 ≤ ''r'' ≤ ''s'' − 1.

To show that one of these must be true, recall [[Fermat's little theorem]], that for a prime number ''n'':

:<math>a^{n-1} \equiv 1\pmod{n}.</math>

By the lemma above, if we keep taking square roots of ''a''<sup>''n''−1</sup>, we will get either 1 or −1. If we get −1 then the second equality holds and it is done. If we never get −1, then when we have taken out every power of 2, we are left with the first equality.

The Miller–Rabin primality test is based on the [[contrapositive]] of the above claim. That is, if we can find an ''a'' such that

:<math>a^{d} \not\equiv 1\pmod{n}</math>

and

:<math>a^{2^rd} \not\equiv -1\pmod{n}</math>

for all 0 ≤ ''r'' ≤ ''s'' − 1, then ''n'' is not prime. We call ''a'' a [[Witness (mathematics)|witness]] for the compositeness of ''n'' (sometimes misleadingly called a ''strong witness'', although it is a certain proof of this fact). Otherwise ''a'' is called a ''strong liar'', and ''n'' is a [[probable prime|strong probable prime]] to base ''a''. The term "strong liar" refers to the case where ''n'' is composite but nevertheless the equations hold as they would for a prime.

Every odd composite ''n'' has many witnesses ''a''; however, no simple way of generating such an ''a'' is known. The solution is to make the test [[primality test#Probabilistic tests|probabilistic]]: we choose a non-zero ''a'' in '''Z'''/''n'''''Z''' randomly, and check whether or not it is a witness for the compositeness of ''n''. If ''n'' is composite, most of the choices for ''a'' will be witnesses, and the test will detect ''n'' as composite with high probability. There is, nevertheless, a small chance that we are unlucky and hit an ''a'' which is a strong liar for ''n''. We may reduce the probability of such error by repeating the test for several independently chosen ''a''.

It is crucial to choose random bases ''a'', as, a priori, we don't know the distribution of witnesses and liars among the numbers 1, 2, ..., ''n'' − 1. In particular, Arnault<ref name="Arnault397Digit">{{cite journal|title=Constructing Carmichael Numbers Which Are Strong Pseudoprimes to Several Bases |journal=Journal of Symbolic Computation|date=August 1995|volume=20|issue=2|pages=151–161 |author=F. Arnault |url=http://www.sciencedirect.com/science/article/pii/S0747717185710425 |doi=10.1006/jsco.1995.1042}}</ref> gave a 397-digit composite number for which all prime bases ''a'' less than 307 are strong liars; in particular, this number was reported to be prime by the [[Maple (software)|Maple]] <code>isprime()</code> function, which incorrectly implemented the Miller–Rabin test by checking the specific bases 2, 3, 5, 7, and 11 instead of checking random bases. Any implementation with fixed or predictable bases is open to the same attack: an adversary who knows the bases can construct a composite that passes them all.

==Example==

Suppose we wish to determine if ''n'' = 221 is prime. We write {{nowrap|''n'' − 1 {{=}} 220}} as 2<sup>2</sup>·55, so that we have ''s'' = 2 and ''d'' = 55. We randomly select a base ''a'' in the range [2, ''n'' − 2], say ''a'' = 174. We proceed to compute:

* ''a''<sup>2<sup>0</sup>·''d''</sup> mod ''n'' = 174<sup>55</sup> mod 221 = 47 ≠ 1, ''n'' − 1
* ''a''<sup>2<sup>1</sup>·''d''</sup> mod ''n'' = 174<sup>110</sup> mod 221 = 220 = ''n'' − 1.

Since 220 ≡ −1 mod ''n'', either 221 is prime, or 174 is a strong liar for 221. We try another random ''a'', this time choosing ''a'' = 137:

* ''a''<sup>2<sup>0</sup>·''d''</sup> mod ''n'' = 137<sup>55</sup> mod 221 = 188 ≠ 1, ''n'' − 1
* ''a''<sup>2<sup>1</sup>·''d''</sup> mod ''n'' = 137<sup>110</sup> mod 221 = 205 ≠ ''n'' − 1.

Hence 137 is a witness for the compositeness of 221, and 174 was in fact a strong liar. Note that this tells us nothing about the factors of 221 (which are 13 and 17). However, the example with 341 in the next section shows how these calculations can sometimes produce a factor of ''n''.

==Algorithm and running time==

The algorithm can be written in [[pseudocode]] as follows:

 '''Input''': ''n'' > 3, an odd integer to be tested for primality;
 '''Input''': ''k'', a parameter that determines the accuracy of the test
 '''Output''': ''composite'' if ''n'' is composite, otherwise ''probably prime''
 
 write ''n'' − 1 as 2<sup>''s''</sup>·''d'' with ''d'' odd by factoring powers of 2 from ''n'' − 1
 WitnessLoop: repeat ''k'' times:
    pick a random integer ''a'' in the range [2, ''n'' − 2]
    ''x'' ← ''a''<sup>''d''</sup> mod ''n''
    if ''x'' = 1 or ''x'' = ''n'' − 1 then do next WitnessLoop
    repeat ''s'' − 1 times:
       ''x'' ← ''x''<sup>2</sup> mod ''n''
       if ''x'' = 1 then return ''composite''
       if ''x'' = ''n'' − 1 then do next WitnessLoop
    return ''composite''
 return ''probably prime''

Using [[modular exponentiation]] by [[Exponentiation by squaring|repeated squaring]], the running time of this algorithm is [[Big O notation|O]](''k'' log<sup>3</sup>''n''), where ''k'' is the number of different values of ''a'' that we test; thus this is an efficient, polynomial-time algorithm. [[Fast Fourier transform|FFT]]-based multiplication can push the running time down to {{nowrap|O(''k'' log<sup>2</sup>''n'' log log ''n'' log log log ''n'')}} = [[Big O notation#Extensions to the Bachmann–Landau notations|Õ]](''k'' log<sup>2</sup>''n'').

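The following Python implementation is an added example, not code from the original article, covering the witness condition of the Concepts section, the worked example for ''n'' = 221, and the pseudocode above. <code>decompose()</code> factors the powers of 2 out of ''n'' − 1; <code>witness_trace()</code> returns the chain ''a''<sup>''d''</sup>, ''a''<sup>2''d''</sup>, …, ''a''<sup>2<sup>''s''−1</sup>''d''</sup> mod ''n'' that the worked example tabulates; <code>is_strong_probable_prime()</code> is one pass of WitnessLoop; and <code>miller_rabin()</code> repeats it ''k'' times with bases drawn from the operating system's CSPRNG (<code>secrets.SystemRandom</code>), so that whoever supplied ''n'' cannot know the bases in advance. The function names and the <code>rng</code> parameter are choices of this example.

```python
import secrets


def decompose(n):
    """Write n - 1 as 2**s * d with d odd; return (s, d)."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    return s, d


def witness_trace(n, a):
    """Return [a^d, a^(2d), ..., a^(2^(s-1) d)] mod n: the values the test inspects.

    For n = 221: a = 174 gives [47, 220] (ends in n - 1, so 174 is a strong liar);
    a = 137 gives [188, 205] (neither 1 first nor n - 1 anywhere, so 137 is a witness).
    """
    s, d = decompose(n)
    x = pow(a, d, n)
    trace = [x]
    for _ in range(s - 1):
        x = x * x % n
        trace.append(x)
    return trace


def is_strong_probable_prime(n, a):
    """One WitnessLoop iteration for odd n > 3 and base a in [2, n - 2].

    True  -> n is a strong probable prime to base a (n is prime or a is a strong liar).
    False -> a is a witness: n is certainly composite.
    """
    s, d = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
        if x == 1:
            # A nontrivial square root of 1 appeared, which no prime modulus allows;
            # squaring further would only yield 1 again, so stop here.
            return False
    return False


def miller_rabin(n, k=40, rng=None):
    """Return 'composite' or 'probably prime' after k rounds.

    A composite n survives all k rounds with probability at most 4**-k, and that
    bound holds only if the bases are unpredictable: with fixed bases an adversary
    can hand over a composite that is a strong liar to exactly those bases.
    """
    if n < 2:
        return 'composite'
    if n in (2, 3):
        return 'probably prime'
    if n % 2 == 0:
        return 'composite'
    if rng is None:
        rng = secrets.SystemRandom()       # OS-backed CSPRNG, not random.random()
    for _ in range(k):
        a = rng.randrange(2, n - 1)        # uniform in [2, n - 2]
        if not is_strong_probable_prime(n, a):
            return 'composite'
    return 'probably prime'
```

The early exit on ''x'' = 1 inside the loop is the pseudocode's first "return composite"; the bound 4<sup>−''k''</sup> applies per composite input regardless of ''k''-independent tricks such as trial division, which only speed the test up.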
If we insert [[Greatest common divisor]] (GCD) calculations into the above algorithm, we can sometimes obtain a factor of ''n'' instead of merely determining that ''n'' is composite. In particular, if ''n'' is a probable prime base ''a'' but not a strong probable prime base ''a'', then either {{nowrap|GCD((''a''<sup>''d''</sup> mod ''n'') − 1, ''n'')}} or (for some ''r'' in the above range) {{nowrap|GCD((''a''<sup>2<sup>r</sup>·''d''</sup> mod ''n'') − 1, ''n'')}} will produce a (not necessarily prime) factor of ''n''; see page 1402 of Baillie and Wagstaff.<ref name="baillie">{{cite journal|coauthors=[[Samuel S. Wagstaff, Jr.]]|title=Lucas Pseudoprimes|journal=Mathematics of Computation|date=October 1980|volume=35|issue=152|pages=1391–1417|url=http://mpqs.free.fr/LucasPseudoprimes.pdf|author=Robert Baillie| mr=583518| doi=10.1090/S0025-5718-1980-0583518-6 }}</ref> If factoring is a goal, these GCDs can be inserted into the above algorithm at little additional computational cost.

For example, consider ''n'' = 341. We have {{nowrap|''n'' − 1 {{=}} 340 {{=}} 2<sup>2</sup>·85,}} so ''s'' = 2 and ''d'' = 85. Then {{nowrap|2<sup>85</sup> mod 341 {{=}} 32,}} which is neither 1 nor ''n'' − 1, and {{nowrap|32<sup>2</sup> mod 341 {{=}} 1.}} This tells us that ''n'' is not a strong probable prime base 2, so we know ''n'' is composite. If we take a GCD at this stage, we get a factor of 341: {{nowrap|GCD((2<sup>85</sup> mod 341) − 1, 341) {{=}} GCD(31, 341) {{=}} 31.}} This works because 341 is a pseudoprime base 2, but is not a [[strong pseudoprime]] base 2.

In the case that the algorithm returns "composite" because ''x'' = 1, it has also discovered that ''d''2<sup>''r''</sup> is (an odd multiple of) the [[order (group theory)|order]] of ''a''—a fact which can (as in [[Shor's algorithm]]) be used to factorize ''n'', since ''n'' then divides

:<math>a^{d 2^r} - 1 = (a^{d 2^{r-1}} - 1) (a^{d 2^{r-1}} + 1)</math>

but not either factor by itself. The reason Miller–Rabin does ''not'' yield a probabilistic [[Integer factorization|factorization]] algorithm is that if

:<math>a^{n-1} \not\equiv 1 \pmod{n}</math>

(i.e., ''n'' is not a [[pseudoprime]] to base ''a'') then no value in the chain of squares is 1, no such information is obtained about the period of ''a'', and the final "return composite" (the one after the inner loop) is taken.

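As an added example (not code from the article), the GCD computation of the preceding paragraphs spliced into a single base-''a'' round. Whenever the squaring chain reaches 1 from a value ''x'' other than ±1, ''x'' is a nontrivial square root of 1 and GCD(''x'' − 1, ''n'') is a proper factor. The check after the loop covers ''r'' = ''s'' − 1, the case ''a''<sup>''n''−1</sup> ≡ 1 with ''a''<sup>2<sup>''s''−1</sup>''d''</sup> ≢ ±1, which the pseudocode above never squares; when ''a''<sup>''n''−1</sup> ≢ 1 the round still proves compositeness but, as the text says, learns nothing about the factors. <code>split_with_small_bases()</code> is a helper of this example that walks bases 2, 3, … until a round yields a factor; it always succeeds on Carmichael numbers such as 561, because every base coprime to a Carmichael number is a Fermat liar.

```python
from math import gcd


def miller_rabin_round_with_factor(n, a):
    """One Miller–Rabin round to base a on odd n > 3.

    Returns ('probably prime', None), ('composite', f) with a proper factor f of n,
    or ('composite', None) when n fails Fermat's test to base a and no nontrivial
    square root of 1 was encountered.
    """
    s, d = 0, n - 1
    while d % 2 == 0:                  # n - 1 = 2**s * d with d odd
        s += 1
        d //= 2
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return 'probably prime', None
    for _ in range(s - 1):             # r = 1 .. s-1
        y = x * x % n
        if y == 1:
            # x^2 = 1 with x != +-1: n | (x-1)(x+1) but divides neither factor,
            # so gcd(x - 1, n) is a proper divisor of n.
            return 'composite', gcd(x - 1, n)
        if y == n - 1:
            return 'probably prime', None
        x = y
    # x = a^(2^(s-1) d) is not +-1, so n is composite. If x^2 = a^(n-1) = 1 then
    # x is again a nontrivial square root of 1 and splits n; otherwise n is not
    # even a Fermat pseudoprime to base a and nothing about its factors is learned.
    if x * x % n == 1:
        return 'composite', gcd(x - 1, n)
    return 'composite', None


def split_with_small_bases(n, max_base=50):
    """Try bases 2..max_base in turn; return the first proper factor found, or None."""
    for a in range(2, min(max_base, n - 2) + 1):
        _verdict, factor = miller_rabin_round_with_factor(n, a)
        if factor is not None:
            return factor
    return None
```

For ''n'' = 221 bases 2 through 17 are Fermat witnesses and yield nothing; base 18 is a Fermat liar but not a strong liar (18<sup>110</sup> ≡ 103 mod 221, with 103<sup>2</sup> ≡ 1), so GCD(102, 221) = 17 appears.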
==Accuracy of the test==

The more bases ''a'' we test, the better the accuracy of the test. It can be shown that for any odd composite ''n'', at least 3/4 of the bases ''a'' are witnesses for the compositeness of ''n''.<ref name="rabin"/><ref name="schoof">{{Citation |last=Schoof |first=René |year=2004 |chapter=Four primality testing algorithms |title=Algorithmic Number Theory: Lattices, Number Fields, Curves and Cryptography |publisher=Cambridge University Press |location= | url=http://www.mat.uniroma2.it/~schoof/millerrabinpom.pdf |isbn=0-521-80854-5 }}</ref> The Miller–Rabin test is strictly stronger than the Solovay–Strassen primality test in the sense that for every composite ''n'', the set of strong liars for ''n'' is a subset of the set of [[Euler liar]]s for ''n'', and for many ''n'', the subset is proper. If ''n'' is composite then the Miller–Rabin primality test declares ''n'' probably prime with a probability at most 4<sup>−''k''</sup>. On the other hand, the Solovay–Strassen primality test declares ''n'' probably prime with a probability at most 2<sup>−''k''</sup>.

It is important to note that in many common applications of this algorithm, we are not interested in the error bound described above. The above error bound is the probability of a composite number being declared as a probable prime after ''k'' rounds of testing. We are often instead interested in the probability that, after passing ''k'' rounds of testing, the number being tested is actually a composite number. Formally, if we call the event of declaring ''n'' a probable prime after ''k'' rounds of Miller–Rabin ''Y<sub>k</sub>'', and we call the event that ''n'' is composite ''X'' (and denote the event that ''n'' is prime <math>\overline{X}</math>), then the above bound gives us <math>P(Y_k | X)</math>, whereas we are interested in <math>P(X | Y_k)</math>. [[Bayes' theorem]] gives us a way to relate these two conditional probabilities, namely

:<math>P(X | Y_k) = \frac{P(Y_k | X) P(X)}{P(Y_k | X ) P(X) + P(Y_k | \overline{X}) P(\overline{X})}</math>.

This tells us that the probability that we are often interested in is related not just to the 4<sup>−''k''</sup> bound above, but also probabilities related to the density of prime numbers in the region near ''n''.

In addition, for large values of ''n'', on average the probability that a composite number is declared ''probably prime'' is significantly smaller than 4<sup>−''k''</sup>. [[Ivan Damgård|Damgård]], Landrock and [[Carl Pomerance|Pomerance]]<ref>{{Citation |last=Damgård |first=I. |last2=Landrock |first2=P. |last3=Pomerance |first3=C. |lastauthoramp=yes |year=1993 |title=Average case error estimates for the strong probable prime test |journal=Mathematics of Computation |volume=61 |issue=203 |pages=177–194 |url=http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf |issn= |doi=10.2307/2152945}}</ref> compute some explicit bounds and provide a method to make a reasonable selection for ''k'' for a desired error bound. Such bounds can, for example, be used to ''generate'' probable primes; however, they should not be used to ''verify'' primes of unknown origin, since in [[cryptography|cryptographic]] applications an adversary might try to send you a [[pseudoprime]] in a place where a prime number is required. The average-case bounds assume ''n'' was drawn at random, which an adversarial ''n'' is not. In such cases, only the worst-case error bound of 4<sup>−''k''</sup> can be relied upon, and only when the bases are chosen at random, as noted above.

==Deterministic variants of the test==

The Miller–Rabin algorithm can be made deterministic by trying all possible ''a'' below a certain limit. The problem in general is to set the limit so that the test is still reliable.

If the tested number ''n'' is composite, the strong liars ''a'' coprime to ''n'' are contained in a proper [[subgroup]] of the group ('''Z'''/''n'''''Z''')*, which means that if we test all ''a'' from a set which [[generating set of a group|generates]] ('''Z'''/''n'''''Z''')*, one of them must be a witness for the compositeness of ''n''. Assuming the truth of the [[generalized Riemann hypothesis]] (GRH), it is known that the group is generated by its elements smaller than O((log ''n'')<sup>2</sup>), which was already noted by Miller.<ref name="miller"/> The constant involved in the [[Big O notation]] was reduced to 2 by [[Eric Bach]].<ref>{{Citation |last=Bach |first=Eric |year=1990 |title=Explicit bounds for primality testing and related problems |journal=Mathematics of Computation |volume=55 |issue=191 |pages=355–380 |doi=10.2307/2008811 |issn= }}</ref> This leads to the following conditional primality testing algorithm:

 '''Input''': ''n'' > 1, an odd integer to test for primality.
 '''Output''': ''composite'' if ''n'' is composite, otherwise ''prime''
 
 write ''n''−1 as 2<sup>''s''</sup>·''d'' by factoring powers of 2 from ''n''−1
 repeat for all <math>a \in [2,\min(n-1,\lfloor2(\ln n)^2\rfloor)]</math>:
    if <math>a^d \not\equiv 1\pmod{n} \text{ and }a^{2^r \cdot d} \not\equiv -1 \pmod{n} \text{ for all }r \in[0,s-1]</math>
       then return ''composite''
 return ''prime''

The running time of the algorithm is Õ((log ''n'')<sup>4</sup>) (with FFT-based multiplication). The full power of the generalized Riemann hypothesis is not needed to ensure the correctness of the test: as we deal with subgroups of even [[index of a subgroup|index]], it suffices to assume the validity of GRH for [[Legendre symbol|quadratic]] [[Dirichlet character]]s.<ref name="schoof"/>

| | |
| This algorithm is not used in practice, as it is much slower than the randomized version of the Miller–Rabin test. For theoretical purposes, it was superseded by the [[AKS primality test]], which does not rely on unproven assumptions.
| |
| | |
When the number ''n'' to be tested is small, trying all {{nowrap|''a'' < 2(ln ''n'')<sup>2</sup>}} is not necessary, as much smaller sets of potential witnesses are known to suffice. For example, Pomerance, Selfridge and Wagstaff<ref name="PSW">{{cite journal|coauthors=[[John L. Selfridge]], [[Samuel S. Wagstaff, Jr.]]|title=The pseudoprimes to 25·10<sup>9</sup>|journal=Mathematics of Computation|date=July 1980|volume=35|issue=151|pages=1003–1026|url=http://www.math.dartmouth.edu/~carlp/PDF/paper25.pdf|author = [[Carl Pomerance]]| doi=10.1090/S0025-5718-1980-0572872-7 }}</ref> and Jaeschke<ref>{{Citation |last=Jaeschke |first=Gerhard |last2= |first2= |last3= |first3= |lastauthoramp= |year=1993 |title=On strong pseudoprimes to several bases |journal=Mathematics of Computation |volume=61 |issue=204 |pages=915–926 |doi=10.2307/2153262 |issn= }}</ref> have verified that

*if ''n'' < 1,373,653, it is enough to test ''a'' = 2 and 3;
*if ''n'' < 9,080,191, it is enough to test ''a'' = 31 and 73;
*if ''n'' < 4,759,123,141, it is enough to test ''a'' = 2, 7, and 61;
*if ''n'' < 1,122,004,669,633, it is enough to test ''a'' = 2, 13, 23, and 1662803;
*if ''n'' < 2,152,302,898,747, it is enough to test ''a'' = 2, 3, 5, 7, and 11;
*if ''n'' < 3,474,749,660,383, it is enough to test ''a'' = 2, 3, 5, 7, 11, and 13;
*if ''n'' < 341,550,071,728,321, it is enough to test ''a'' = 2, 3, 5, 7, 11, 13, and 17.

Other criteria of this sort exist<ref>{{Citation |url=http://primes.utm.edu/prove/prove2_3.html |title=The Primes Page }}</ref><ref>{{Citation |last=Zhang |first=Zhenxiang |last2=Tang |first2=Min |lastauthoramp=yes |year=2003 |title=Finding strong pseudoprimes to several bases. II |journal=Mathematics of Computation |volume=72 |issue=44 |pages=2085–2097 |doi=10.1090/S0025-5718-03-01545-X }}</ref><ref>{{SloanesRef | sequencenumber=A014233 |name=Smallest odd number for which Miller-Rabin primality test on bases <= n-th prime does not reveal compositeness}}</ref><ref>{{Citation |url=http://miller-rabin.appspot.com |title=SPRP Records }}</ref> and these results give very fast deterministic primality tests for numbers in the appropriate range, without any assumptions.

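An added example (our code, not the article's) that turns the verified base sets above and the GRH-conditional procedure into one deterministic routine. Below 341,550,071,728,321 it tests only the base set proven sufficient for that range; above it, it tests every base in [2, min(''n'' − 1, ⌊2(ln ''n'')<sup>2</sup>⌋)], so there its answer is correct only under the GRH. <code>is_witness()</code> is a direct transcription of the condition in the deterministic pseudocode; the table name, the <code>'verified'</code>/<code>'GRH'</code> labels and the function names are choices of this example.

```python
import math

# Verified witness sets from the list above (Pomerance, Selfridge, Wagstaff; Jaeschke):
# for odd n below the bound, n is prime iff none of the listed bases is a witness.
VERIFIED_BASES = (
    (1_373_653, (2, 3)),
    (9_080_191, (31, 73)),
    (4_759_123_141, (2, 7, 61)),
    (1_122_004_669_633, (2, 13, 23, 1_662_803)),
    (2_152_302_898_747, (2, 3, 5, 7, 11)),
    (3_474_749_660_383, (2, 3, 5, 7, 11, 13)),
    (341_550_071_728_321, (2, 3, 5, 7, 11, 13, 17)),
)


def is_witness(n, a):
    """a^d != 1 and a^(2^r d) != -1 (mod n) for all r in [0, s-1]: a proves n composite."""
    d = n - 1
    s = (d & -d).bit_length() - 1       # number of factors of 2 in n - 1
    d >>= s                              # now n - 1 == 2**s * d with d odd
    return pow(a, d, n) != 1 and all(pow(a, d << r, n) != n - 1 for r in range(s))


def bases_for(n):
    """Return (bases, kind). kind is 'verified' when the set is proven sufficient for n,
    and 'GRH' when it is Bach's bound 2 (ln n)^2, sufficient only under the GRH."""
    for bound, bases in VERIFIED_BASES:
        if n < bound:
            return bases, 'verified'
    limit = min(n - 1, int(2 * math.log(n) ** 2))
    return range(2, limit + 1), 'GRH'


def is_prime_deterministic(n):
    """True iff n is prime: unconditional below 341,550,071,728,321, GRH-conditional above."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    bases, _kind = bases_for(n)
    return not any(is_witness(n, a) for a in bases)
```

A base sharing a factor with ''n'' is always a witness (no power of it can be ±1 mod ''n''), so the fixed bases need no coprimality check. The numbers in the test are known strong pseudoprimes to the smallest bases (1,373,653 = 829·1657 is the first strong pseudoprime to both 2 and 3; 3,215,031,751 is a strong pseudoprime to 2, 3, 5 and 7), which is exactly why the table switches base sets.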
There is a small list of potential witnesses for every possible input size (at most ''n'' values for ''n''-bit numbers). However, no finite set of bases is sufficient for all composite numbers. Alford, Granville, and Pomerance have shown that there exist infinitely many composite numbers ''n'' whose smallest compositeness witness is at least {{nowrap|(ln ''n'')<sup>1/(3ln ln ln ''n'')</sup>}}.<ref>{{Citation |last=Alford |first=W. R. |last2=Granville |first2=A. |last3=Pomerance |first3=C. |lastauthoramp= |year=1994 |chapter=On the difficulty of finding reliable witnesses |journal=[[Lecture Notes in Computer Science]] |volume=877 |publisher=Springer-Verlag |pages=1–16 |url=http://www.math.dartmouth.edu/~carlp/PDF/reliable.pdf |doi=10.1007/3-540-58691-1_36 |isbn= }}</ref> They also argue heuristically that the smallest number ''w'' such that every composite number below ''n'' has a compositeness witness less than ''w'' should be of order {{nowrap|[[Big o notation#Family of Bachmann–Landau notations|Θ]](log ''n'' log log ''n'').}}

==Notes==

{{reflist|2}}

== External links ==

{{wikibooks|Algorithm Implementation|Mathematics/Primality Testing|Primality testing}}

* {{MathWorld|urlname=Rabin-MillerStrongPseudoprimeTest|title=Rabin-Miller Strong Pseudoprime Test}}
* [http://gandraxa.com/miller_rabin_primality_test.xml Interactive Online Implementation of the Deterministic Variant] (stepping through the algorithm step-by-step)
* [http://www.informationsuebertragung.ch/indexAlgorithmenRabinMiller.html Applet (German)]
* [http://stackoverflow.com/questions/4236673/sample-code-for-fast-primality-testing-in-c-sharp/4236870#4236870 Miller-Rabin primality test in C#]
* [http://www.javascripter.net/math/primes/millerrabinprimalitytest.htm Miller-Rabin primality test in JavaScript using arbitrary precision arithmetic]

{{Number theoretic algorithms}}

{{DEFAULTSORT:Miller-Rabin Primality Test}}
[[Category:Primality tests]]
[[Category:Finite fields]]