Lecture 11 - Primality Testing

1 Fermat's Little Theorem and Carmichael Numbers
2 The Rabin-Miller Test

1 Fermat's Little Theorem and Carmichael Numbers

Recall that Fermat's Little Theorem states that if $p$ is a prime number, then for any number $a$ such that $p \not| a$ we have \[ a^{p-1} \equiv 1 \text{ (mod $p$)} \]
One consequence of this is that we have an easy way to be sure that a given number is not prime: if $m$ is a given number and $a$ any value which is not a multiple of $m$ such that \[ a^{m-1} \not\equiv 1 \text{ (mod $m$)} \] then we can be sure that $m$ is not prime.
As a silly example, we can generate some big number \[ m = 239487987149834243489723498723 \] Then pick a random value for $a$ between $1$ and $m$, say \[ a = 154554292586163418415750971392 \] Now compute $a^{m-1}$ modulo $m$. (Note this is something we can do efficiently on a computer using the method of successive squares mentioned previously.) \[ a^{m-1} \equiv 40380838742615519967060896622 \text{ (mod $m$)}. \] Since this is not congruent to 1 modulo $m$, we can be sure that $m$ is not prime. (If it were prime Fermat's little theorem would guarantee that $a^{m-1} \equiv 1 \text{ (mod }m\text{)}$.
Thus we know that 239487987149834243489723498723 is not prime, and we didn't even have to factor it.
Another way to phrase Fermat's little theorem would be to say that \[ a^p \equiv a \text{ (mod $p$)} \] if $p$ is prime and $a$ is not a multiple of $p$. Thus $m$ is not prime if there exists an $a$ which is not a multiple of $m$ such that \[ a^m \not\equiv a \text{ (mod $m$)} \]
It could be, however, that $m$ is not prime and $a^m$ is still congruent to $a$ modulo $m$. For example, 12 is not prime, yet $9^12 \equiv 12 \text{ (mod}12\text{)}$. So just because $a^m \equiv a \text{ (mod}m\text{)}$, we can not conclude that $m$ is prime. We do have some evidence, however, that $m$ might be prime.
Could it be, though, that $m$ is not prime and $a^m$ is congruent to $a$ for all $a$ which are not multiples of $m$?
This can happen, and if that is the case we call $m$ a Carmichael number.
Precisely, we say that a number $m$ is a Carmichael number if $m$ is a composition number (i.e., $m$ is not prime) and $a^m ≡ a \text{ (mod}m\text{)} for each $a$ that is not a multiple of $m$.
The smallest example of a Carmichael number is 561. To verify that 561 is a Carmichael number we could compute $a^{561}$ modulo $561$ for each $1 \leq a < 561$, but it's actually easier than that. Notice the prime factorization of 561 is $3 \cdot 11 \cdot 17$. Let's just compute $a^561$ modulo 3, modulo 11, and modulo 17. If this is congruent to $a$ in each situation, then we know that $a^561 - a$ is a multiple of $3$, a multiple of $11$, and a multiple of $17$. Thus $a^561 - a$ is a multiple of $561$.
In the case of congruences modulo $3$, first suppose that $a$ was a multiple of $3$. Then $a^561 \equiv a \equiv 0 \text{ (mod}3\text{)}$. If $a$ is not a multiple of $3$, then it's not too hard to see that $a^561 \equiv a \text{ (mod}3\text{)}$ due to Fermat's little theorem: \[ a^{561} = a^{2 \cdot 280 + 1} = a^{2 \cdot 280} \cdot a = \left(a^2\right)^{280} \cdot a. \] By Fermat's little theorem, however, $a^2 \equiv a \text{ (mod}3\text{)}$ if $a$ is not a multiple of $3$. We can perform the exact same argument for the congruence class of $a^{561}$ modulo 11 and modulo 17.
A natural question to ask is how can we tell if a number is Carmichael or not? To this end we make two observations: every Carmichael number is odd, and every Carmichael number is a product of distinct primes.
To see that every Carmichael number is odd, notice that if $m$ is a Carmichael number, then by definition $m | (a^m - a)$ for each $1 \leq a < m$. In particular, $m | ((m-1)^m - (m-1))$. However, $m - 1 \equiv -1 \text{ (mod}m\text{)}$, and so we have that \[ (-1)^m \equiv -1 \text{ (mod $m$)} \] If $m$ were even, say $m = 2n$, then we'd have \[ (-1)^m = (-1)^{2n} = \left( (-1)^2 \right)^n = 1^n = 1 \] So $m$ must be odd (or it could be that $m = 2$, but we know that $m$ is composite since it's a Carmichael number).
Theorem: Every Carmichael number is a product of distinct primes.
Proof: Let $m$ be a Carmichael number and $p$ some prime dividing $m$. Suppose $p^{n+1}$ divides $m$. Since $m$ is Carmichael, \[ p^{mn} \equiv p^n \text{ (mod $m$)} \] Then $m|\left(p^{mn} - p^n\right)$ and so $p^{n+1} | \left(p^{mn} - p^n\right)$. Thus \[ \frac{p^{mn} - p^n}{p^{n+1}} = \frac{p^{mn - n}p^n - p^n}{p^{n+1}} = \frac{p^{mn - n} - 1}{p} \in \mathbb{Z}. \] However, $p^x - 1$ can not be a multiple of $p$ unless $p^x - 1 = 0$ meaning $x = 0$. (The remainder of $p^x - 1$ when divided by $p$ is $p - 1$: $p^x - 1 = p \cdot \left(p^{x - 1} - 1\right) + p - 1$, and this remainder is unique by the division algorithm.)
Theorem (Korselt's Criterion): Let $m$ be a composition number. Then $m$ is a Carmichael number if and only if it is odd and for every prime $p$ dividing $m$, $p^2 \not| m$ and $(p-1)|(n-1)$.
Proof: Homework. (3/4 of this are in the book.)
Example: 8911 is a Carmichael number. To see this we just need to verify the conditions of Korselt's theorem hold for 8911. Of course, 8911 is odd. Computing its prime factorization we have $8911 = 7 \cdot 19 \cdot 67$, so it's composite. We just need to verify that $6 | 8910$, $18 | 8910$ and $66 | 8910$, but this is easily done by direct calculation: \[ 8910 = 6 \cdot 1485 = 18 \cdot 485 = 66 \cdot 135. \]
Theorem: There are infinitely-many Carmichael numbers.
This was proven in 1994 (this was an open question since 1910), and the original paper appears on one of the author's (Carl Pomerace) website. The only technical tool you need to read the proof is a little abstract algebra, but the proof is too long for us to do in class (the paper is ~20 pages).

2 The Rabin-Miller Test

Theorem: Let $p > 2$ be a prime, so $p-1$ is even. Write $p-1 = 2^k q$ where $q$ is odd. Now let $a$ be any number which is not a multiple of $p$. Then one of the following occurs:
1. $a^q \equiv 1 \text{ (mod }p\text{)}$
2. One of $a^q$, $a^{2q}$, $a^{4q}$, …, $a^{2^{k-1} q}$ is congruent to $-1$ modulo $p$.
Proof: By Fermat's little theorem we know $a^{p-1}$ is congruent to $1$ modulo $p$. Hence $a^{2^k q}$ is congruent to $1$ modulo $p$. Notice that in the list of powers of $a^q$ above, each element is the square of the previous element. Hence we're squaring values to get up to $1$. However the only values which square to $1$ are $1$ and $-1$. Thus either a $-1$ appears somewhere in the list (we then square it and only have $1$'s afterwards), or everything in the list is congruent to $1$ – in particular, $a^q$ is congruent to $1$.
We can use the above theorem to test a number of primality, and this is called the Rabin-Miller Test.
Theorem (Rabin-Miller): Let $m$ be an odd integer and write $m - 1 = 2^k q$ with $q$ odd. If both of the following conditions are true for some $a$ which is not a multiple of $m$, then $m$ must be prime:
1. $a^q \not\equiv 1 \text{ (mod }m\text{)}$
2. $a^{2^i q} \not\equiv 1 \text{ (mod }m\text{)}$
(Note we can efficiently implement the Rabin-Miller test on a computer using the method of successive squares).
One important property of the Rabin-Miller test (which we won't prove) is that unlike Carmichael numbers, there aren't any composite numbers which masquerade as prime numbers: The Rabin-Miller test always works: for any prime number, there is always an $a$ satisfying the properties of the Rabin-Miller test. In fact, if $m$ is a composite number, then at least 75% of the numbers between $1$ and $m-1$ will satisfy the properties of the Rabin-Miller test.
This gives us a probabilistic way of efficiently testing whether a number is prime or not. If we randomly pick a number between $1$ and $m-1$, the chance we picked a value for which the Rabin-Miller test did no larger than $\frac{1}{4}$. Hence if we try two numbers, the chance we that neither of them satisfied the properties of the Rabin-Miller test is $\left(\frac{1}{4}\right)^2$… If we pick $x$ random numbers the probability that we just happened to only pick numbers where the Rabin-Miller test failed is no larger than $\left(\frac{1}{4}\right)^x$.

Lecture 11 - Primality Testing

Table of Contents

1 Fermat's Little Theorem and Carmichael Numbers

2 The Rabin-Miller Test