# Lecture 016

## Primality Testing

Prime Number Theorem: there are about $\frac{n}{\ln n}$ many primes smaller than $n$. So a random $b$-bit integer is prime with probability roughly $\frac{1}{b \ln 2}$, which is why "pick random candidates and run a fast primality test" is a practical way to generate the large primes needed for keys.

Composite Witness: if $n$ is composite, an $a$ that certifies $n$'s compositeness is called a witness. Three kinds:

• divisor witness: $\{a \in \{2, 3, ..., n - 1\} | \frac{n}{a} \in \mathbb{Z}\}$

• Fermat witness: $\{a \in \{1, 2, ..., n - 1\} | a^{n - 1} \not\equiv 1 \mod n\}$

• gcd witness: $\{a \in \{1, 2, ..., n - 1\} | \gcd(a, n) > 1\}$

For composite $n$: $\{\text{divisor witness}\} \subseteq \{\text{gcd witness}\} \subseteq \{\text{Fermat witness}\}$. The first inclusion is immediate (a proper divisor $a$ has $\gcd(a, n) = a > 1$); the second: if $\gcd(a, n) = g > 1$ then $a^{n - 1} \equiv 1 \mod n$ would give $a^{n - 1} \equiv 1 \mod g$, but $a \equiv 0 \mod g$.

### Fermat Testing

Fermat witness:

$$\{a \in \{1, 2, ..., n - 1\} | a^{n - 1} \not\equiv 1 \mod n\}$$

Carmichael Numbers: a small fraction of composite numbers for which every base $a$ coprime to $n$ satisfies $a^{n - 1} \equiv 1 \mod n$, so the Fermat test returns "probably-prime" unless it happens to pick a gcd witness.

#### Fermat's Little Theorem

Fermat's Little Theorem: $n$ is prime $\iff a^{n - 1} \equiv 1 \mod n$ for all $a \in \{1, 2, 3, ..., n - 1\}$

Every divisor witness is a Fermat witness: let $d$ be a divisor witness, $1 < d < n$ and $d | n$. If $d^{n - 1} \equiv 1 \mod n$, then reducing modulo the divisor $d$ of $n$ gives $d^{n - 1} \equiv 1 \mod d$, but clearly $d^{n - 1} \equiv 0 \mod d$. So $d^{n - 1} \not\equiv 1 \mod n$.

Proof:

1. $n \text{ is composite } \implies (\exists a < n)(a^{n - 1} \not\equiv 1 \mod n)$: since $n$ is composite, it has a divisor witness $d$. Therefore $d$ is also a Fermat witness, so $d^{n - 1} \not\equiv 1 \mod n$.
2. $n \text{ is prime } \implies (\forall a < n)(a^{n - 1} \equiv 1 \mod n)$: this is the actual content of Fermat's Little Theorem and needs the lemma below.

Lemma: If $p$ is prime, then $\forall a, b \in \mathbb{Z}$:

$$\begin{cases} (a + b)^p \equiv a^p + b^p \mod p\\ (a - b)^p \equiv a^p - b^p \mod p\\ \end{cases}$$

This is because in the binomial expansion of $(a + b)^p$, every coefficient ${p \choose k} = \frac{p!}{k!(p - k)!}$ with $0 < k < p$ has the prime $p$ in its numerator but not in its denominator, so $p | {p \choose k}$; only the first and last terms $a^p$ and $b^p$ survive modulo $p$. The subtraction case follows by applying the addition case to $a^p = ((a - b) + b)^p$.

Now let $n$ be prime and define

$$W = \{x \in \mathbb{Z} | x^n \equiv x \mod n\}$$

Observe $0, 1 \in W$. By the lemma (with $p = n$), $W$ is closed under addition and subtraction: if $x, y \in W$ then $(x + y)^n \equiv x^n + y^n \equiv x + y \mod n$, and likewise $(x - y)^n \equiv x - y \mod n$. Starting from $1$ and repeatedly adding or subtracting $1$ reaches every integer, so $\mathbb{Z} \subseteq W$, i.e. $W = \mathbb{Z}$.

So let $x \in \{1, 2, ..., n - 1\}$ where $n$ is prime. Then $(x \in W) \implies (x^n \equiv x \mod n) \implies (n | x(x^{n - 1} - 1))$.

Since $0 < x < n$, $n \nmid x$; because $n$ is prime it must divide the other factor, so $n | x^{n - 1} - 1$, i.e. $x^{n - 1} \equiv 1 \mod n$.

#### Fermat Primality Testing Algorithm

The algorithm: given $n$, repeat $k$ rounds

1. Randomly choose $a \in \{1, 2, 3, ..., n - 1\}$
2. If $a^{n - 1} \not\equiv 1 \mod n$, return "composite". Else, continue.
3. If it hasn't stopped after $k$ rounds, return "probably-prime"
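The test above and the witness sets it is built on, as an added Python example (not code from the lecture; the function names are my own). `fermat_test` runs the $k$-round algorithm with Python's built-in modular exponentiation, and `witness_sets` enumerates the divisor, gcd and Fermat witnesses of a small $n$ so the inclusion chain divisor $\subseteq$ gcd $\subseteq$ Fermat can be checked directly, and the Carmichael number 561 can be seen to have no non-trivial Fermat witness at all.

```python
import math
import random


def fermat_test(n, k=20, rng=random):
    """k-round Fermat test: return 'composite' on the first Fermat witness
    found among k uniformly random bases a in {1, ..., n-1}, else
    'probably-prime'.  One-sided error: a composite may survive."""
    if n < 4:
        return 'probably-prime' if n in (2, 3) else 'composite'
    for _ in range(k):
        a = rng.randrange(1, n)          # uniform in {1, ..., n-1}
        if pow(a, n - 1, n) != 1:        # a^(n-1) != 1 (mod n): Fermat witness
            return 'composite'
    return 'probably-prime'


def witness_sets(n):
    """Divisor, gcd and Fermat witnesses of n, all drawn from {1, ..., n-1}.
    Exhaustive, so only meant for small n (teaching-sized inputs)."""
    candidates = range(1, n)
    divisor = {a for a in candidates if a > 1 and n % a == 0}
    gcd = {a for a in candidates if math.gcd(a, n) > 1}
    fermat = {a for a in candidates if pow(a, n - 1, n) != 1}
    return divisor, gcd, fermat


def nontrivial_fermat_witnesses(n):
    """Fermat witnesses coprime to n: these are the ones that make the
    'at least half' theorem kick in; a Carmichael number has none."""
    _, gcd_w, fermat_w = witness_sets(n)
    return fermat_w - gcd_w


if __name__ == '__main__':
    for n in (15, 97, 561):
        d, g, f = witness_sets(n)
        print(n, 'divisor', sorted(d), 'gcd', len(g), 'fermat', len(f),
              'nontrivial', sorted(nontrivial_fermat_witnesses(n)))
        print(n, fermat_test(n))
```

For $n = 15$ the only Fermat liars are $\{1, 4, 11, 14\}$, so 10 of the 14 bases are witnesses; for $n = 561$ the only witnesses are the 240 bases sharing a factor with $3 \cdot 11 \cdot 17$, which is exactly the Carmichael situation described below.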

1-sided error: we might mistakenly identify composite numbers as "probably-prime".

Trivial Fermat witnesses: the gcd witnesses. Non-trivial Fermat witnesses: Fermat witnesses that are relatively prime to the composite $n$.

Theorem: for composite $n$, $(\exists a \in S = \{1, 2, ..., n - 1\})(a \text{ is a non-trivial Fermat witness}) \implies \text{at least half of } S \text{ are Fermat witnesses}$

Proof: see Chapter 19

However, a Carmichael number (a composite $n$ with $a^{n - 1} \equiv 1 \mod n$ for every $a$ with $\gcd(a, n) = 1$) has $0$ non-trivial Fermat witnesses, so the theorem gives no guarantee. Examples: $561 = 3 \cdot 11 \cdot 17$, $1105 = 5 \cdot 13 \cdot 17$, $1729 = 7 \cdot 13 \cdot 19$. Some interesting properties are:

1. they are odd
2. they have at least 3 distinct prime factors
3. they are square free (not divisible by the square of any prime)
4. for every Carmichael number $n$ with prime factor $p$, $p - 1 | n - 1$
5. they are rare, but there are infinitely many of them
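An added Python example (my own code, not the lecture's) that finds Carmichael numbers straight from the definition, i.e. composite $n$ with no non-trivial Fermat witness, and then checks the listed properties on each one found. `prime_factors` is a plain trial-division factorisation, fine for the teaching-sized numbers here and obviously not for cryptographic sizes.

```python
import math


def prime_factors(n):
    """Trial-division factorisation: list of (p, multiplicity), ascending."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def is_prime(n):
    return n > 1 and prime_factors(n) == [(n, 1)]


def is_carmichael_by_definition(n):
    """Composite n such that a^(n-1) == 1 (mod n) for every a coprime to n,
    i.e. the Fermat test has no non-trivial witness to find."""
    if n < 4 or is_prime(n):
        return False
    return all(pow(a, n - 1, n) == 1
               for a in range(2, n) if math.gcd(a, n) == 1)


def carmichael_properties(n):
    """The properties listed above, evaluated for any odd composite n."""
    f = prime_factors(n)
    return {
        'odd': n % 2 == 1,
        'at_least_3_prime_factors': len(f) >= 3,
        'square_free': all(e == 1 for _, e in f),
        'p_minus_1_divides_n_minus_1': all((n - 1) % (p - 1) == 0 for p, _ in f),
    }


def carmichael_numbers_below(limit):
    return [n for n in range(4, limit) if is_carmichael_by_definition(n)]


if __name__ == '__main__':
    for n in carmichael_numbers_below(2000):
        print(n, prime_factors(n), carmichael_properties(n))
```

Below 2000 this finds exactly 561, 1105 and 1729, and all four properties hold for each; a non-Carmichael composite such as 15 fails the "at least 3 prime factors" property, and 1105's cofactors 4, 12 and 16 all divide 1104 as property 4 demands.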

Summary: if the algorithm does not stop within $k$ rounds, then either

1. $n$ is a Carmichael number (only a gcd witness could have caught it), or
2. $n$ is prime, or
3. $n$ is a non-Carmichael composite that survived all $k$ rounds, which happens with probability $\leq \frac{1}{2^k}$, since each round then finds a witness with probability $\geq \frac{1}{2}$.

### Miller-Rabin Test

Root Witness:

$$\{x \in \mathbb{Z} | x^2 \equiv 1 \mod n \land x \not\equiv \pm 1 \mod n\}$$

Notice a root witness is by definition a non-trivial square root of $1$ ($x \not\equiv \pm 1$), and a prime has none.

Proof: we show that if $p$ is prime, then every $x$ with $x^2 \equiv 1 \mod p$ satisfies $(x \equiv 1 \mod p \lor x \equiv -1 \mod p)$, so a root witness modulo $n$ proves $n$ composite:

$$\begin{align*} x^2 \equiv& 1 \mod p\\ x^2 - 1 \equiv& 0 \mod p\\ (x - 1)(x + 1) \equiv& 0 \mod p\\ p |& (x - 1)(x + 1)\\ p | (x - 1) \lor& p | (x + 1) \quad \text{(since } p \text{ is prime)}\\ x \equiv 1 \mod p \lor& x \equiv -1 \mod p\\ \end{align*}$$

#### Miller-Rabin Primality Testing Algorithm

Miller-Rabin Primality Testing Algorithm (sketch): given odd $n > 2$ (an even $n > 2$ is trivially composite).

0. Since $n$ is odd, write $n - 1 = 2^r \cdot d$ for a unique $r \geq 1$ and odd $d$.
1. Randomly choose $a \in \{1, 2, 3, ..., n - 1\}$ and run the Fermat test: if $a^{n - 1} = a^{2^r \cdot d} \not\equiv 1 \mod n$, return "composite".
2. Otherwise $(a^{2^{r - 1} \cdot d})^2 = a^{2^r \cdot d} \equiv 1 \mod n$, so $a^{2^{r - 1} \cdot d}$ is a square root of $1$ modulo $n$. If $a^{2^{r - 1} \cdot d} \not\equiv \pm 1 \mod n$, it is a root witness: return "composite".
3. If $a^{2^{r - 1} \cdot d} \equiv 1 \mod n$, then $a^{2^{r - 2} \cdot d}$ is again a square root of $1$ and gets the same check; continue down to $a^{2^0 \cdot d} = a^d$. If at some level the value is $-1$, its square is $1$ for a trivial reason and this $a$ yields no further witness.
4. If no witness was found, repeat with a fresh $a$; after $k$ rounds without stopping, return "probably-prime".

Formally: given $2 < n \in \mathbb{Z}$, where $n$ is odd

• Express $n - 1 = 2^r \cdot d$ for some odd $d$.

• Choose $a \in \{1, 2, ..., n - 1\}$ uniformly at random

• If $a^{2^r \cdot d} \not\equiv 1 \mod n$, return "composite-fermat"

• For $y \in \{r - 1, r - 2, ..., 1, 0\}$:

    • If $a^{2^y \cdot d} \not\equiv \pm 1 \mod n$, return "composite-root" (it is a non-trivial square root of $a^{2^{y + 1} \cdot d} \equiv 1$)
    • If $a^{2^y \cdot d} \equiv -1 \mod n$, return "probably-prime" (this $a$ can yield no further witness; in reality choose a different $a$ if we allow multiple runs)
    • If $a^{2^y \cdot d} \equiv 1 \mod n$, continue with the next $y$

• return "probably-prime" (reached only when $a^d \equiv 1 \mod n$)

The above algorithm is inefficient: it computes $a^{2^y \cdot d}$ from scratch at every level. Instead, start from $a^d$ and square it $r$ times, which also lets the root check and the Fermat check share one chain of values.

More efficiently: given $2 < n \in \mathbb{Z}$, where $n$ is odd

• Express $n - 1 = 2^r \cdot d$ for some odd $d$.

• Choose $a \in \{1, 2, ..., n - 1\}$ uniformly at random

• Let $y = 0$ and compute $a^d \mod n$

• If $a^{2^0 \cdot d} = a^d \equiv \pm 1 \mod n$, return "probably-prime" (every further squaring gives $1$, so the Fermat test at $y = r$ would pass and no root witness can appear)

• For $y \in \{1, 2, ..., r - 1\}$, square the previous value to get $a^{2^y \cdot d} \mod n$ (no need to go up to $y = r$: see the final step):

    • If $a^{2^y \cdot d} \equiv 1 \mod n$, return "composite-root" (the previous value $a^{2^{y - 1} \cdot d} \not\equiv \pm 1$ is a non-trivial square root of $1$)
    • If $a^{2^y \cdot d} \equiv -1 \mod n$, return "probably-prime" (all future squares will be $1$)
    • Otherwise continue (a root witness may still appear if the next squaring yields $1$)

• return "composite": at this point $a^{2^{r - 1} \cdot d} \not\equiv \pm 1 \mod n$, so either $a^{2^r \cdot d} = a^{n - 1} \equiv 1$ and that value is a root witness, or $a^{n - 1} \not\equiv 1$ and $a$ is a Fermat witness; either way $n$ is composite.

The Miller-Rabin test works for all odd $n$, Carmichael numbers included. If $n$ is an odd composite, a single round returns "composite" with probability $\geq \frac{3}{4}$, i.e. at most $\frac{1}{4}$ of the bases $a \in \{1, 2, ..., n - 1\}$ are "strong liars" (proof omitted). So a composite $n$ survives $k$ independent rounds with probability $\leq \frac{1}{4^k}$, and the test finds a witness with probability $\geq 1 - \frac{1}{4^k}$.
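The efficient single-chain version of the test, as an added Python example (my own code, not the lecture's; the function names are mine). `miller_rabin_round` follows the step list above exactly, reporting "composite-root" when a squaring lands on $1$ and "composite" when the chain ends without reaching $\pm 1$, and `strong_liar_fraction` counts, for a small odd composite, the bases on which one round says "probably-prime", which lets the "at most $\frac{1}{4}$" bound be checked by brute force.

```python
import random


def decompose(n):
    """Write n - 1 = 2^r * d with d odd; returns (r, d)."""
    r, d = 0, n - 1
    while d % 2 == 0:
        d //= 2
        r += 1
    return r, d


def miller_rabin_round(n, a):
    """One round for odd n > 2 and base a in {1, ..., n-1}.
    Returns 'probably-prime', 'composite-root' or 'composite'."""
    r, d = decompose(n)
    x = pow(a, d, n)                       # y = 0: a^d mod n
    if x == 1 or x == n - 1:               # all further squares are 1
        return 'probably-prime'
    for _ in range(1, r):                  # y = 1, ..., r-1: keep squaring
        x = pow(x, 2, n)
        if x == 1:                         # previous x was a nontrivial sqrt of 1
            return 'composite-root'
        if x == n - 1:                     # chain will end in 1 trivially
            return 'probably-prime'
    # a^(2^(r-1) d) != +-1: one more squaring gives either a root witness
    # (if it is 1) or a Fermat witness (if it is not); composite either way.
    return 'composite'


def miller_rabin(n, k=20, rng=random):
    """k independent rounds with uniformly random bases."""
    if n < 4:
        return 'probably-prime' if n in (2, 3) else 'composite'
    if n % 2 == 0:
        return 'composite'
    for _ in range(k):
        verdict = miller_rabin_round(n, rng.randrange(1, n))
        if verdict != 'probably-prime':
            return verdict
    return 'probably-prime'


def strong_liar_fraction(n):
    """Fraction of bases in {1, ..., n-1} that one round fails to expose.
    Exhaustive; only for small odd composite n."""
    liars = sum(1 for a in range(1, n)
                if miller_rabin_round(n, a) == 'probably-prime')
    return liars / (n - 1)


if __name__ == '__main__':
    print(561, decompose(561), miller_rabin_round(561, 2), miller_rabin(561))
    print(97, miller_rabin(97))
    for n in (15, 561, 1105, 1729):
        print(n, 'strong liar fraction', strong_liar_fraction(n))
```

For $n = 561$, $560 = 2^4 \cdot 35$ and base $2$ gives the chain $2^{35} \equiv 263$, then $166$, $67$, $1 \mod 561$: the squaring that lands on $1$ exposes $67$ as a non-trivial square root of $1$, so the round returns "composite-root" even though $2^{560} \equiv 1 \mod 561$ would have fooled the Fermat test.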
