On the Number of Witnesses in the Miller–Rabin Primality Test

Abstract

In this paper, we investigate the popular Miller–Rabin primality test and study its effectiveness. The ability of the test to determine prime integers is based on the difference of the number of primality witnesses for composite and prime integers. Let $W\left(n\right)$ denote the set of all primality witnesses for odd n. By Rabin’s theorem, if n is prime, then each positive integer $a<n$ is a primality witness for n. For composite n, the power of $W\left(n\right)$ is less than or equal to $\phi \left(n\right)/4$ where $\phi \left(n\right)$ is Euler’s Totient function. We derive new exact formulas for the power of $W\left(n\right)$ depending on the number of factors of tested integers. In addition, we study the average probability of errors in the Miller–Rabin test and show that it decreases when the length of tested integers increases. This allows us to reduce estimations for the probability of the Miller–Rabin test errors and increase its efficiency.

1. Introduction

The MillerRabin primality test is an algorithm that checks whether a given number is prime or composite. Its original version, due to Gary L. Miller, was deterministic and relied on the unproved extended Riemann Hypothesis [1]. Michael O. Rabin modified it to obtain a probabilistic algorithm [2].

Definition 1.

Let m be a positive integer represented as $m=2^s·u$ where u is odd. We introduce two auxiliary functions $bin\left(m\right)=s$ and $odd\left(m\right)=u$.

Definition 2.

Let n be an odd natural, $n>9$. An integer $a,1\le a<n,$ is called a primality witness for n if it is co-prime to n and one of the following conditions holds:

$$\begin{array}{c}1.a^{odd(n-1)}\equiv 1modn,\hfill \\ 2.a^{odd(n-1)2^i}\equiv -1modn for some i,0\le i<bin(n-1),\hfill \end{array}$$

(1)

(We replaced original Rabin’s definition of the compositeness witnesses by the opposite relation). For generality, we count 1 and $n-1$ as primality witnesses and call them trivial witnesses since they satisfy (1) for any n.

Let $W\left(n\right)$ denote the set of all primality witnesses for n. The Rabin theorem [2] asserts that if number n is prime then each non-zero integer, $a<n$ is a primality witness for n, and therefore, the number of all witnesses $|W(n)|=n-1$. For composite n, it satisfies inequality $|W(n)|\le \phi \left(n\right)/4$ where $\phi \left(n\right)$ is Euler’s totient function. Since Rabin did not consider 1 as a witness, then he stated the strict inequality $|W(n)|<\phi \left(n\right)/4$.

Later, Gary Miller [1] developed a primality test that takes any integer $a,1<a<n$, checks if a is not a factor of n (otherwise, n is trivially composite), and whether a is a primality witness for n, that is, lies in the set $W\left(n\right)$. If the answer is positive, then n is probable prime with probability exceeding $3/4$. If we need in a more exact result, we should repeat this procedure several times taking different numbers $a<n$.

The researchers refer to this algorithm as to the Miller and Rabin primality test. We abbreviate it to MR test.

Definition 3.

Parameters a which are used in Miller’s algorithm are called bases. They are chosen randomly from interval $[1;n-1]$. If, for a given odd integer, n relation (1) holds at a base a, we say, n passes the MR test at base a. Otherwise, we call a a compositeness witness for n and deduce that n is certainly composite.

The probability of error after k successful iterations becomes less than $1/4^k$. The only type of error in the Rabin’ procedure is defining a composite integer as prime.

More details on the Miller–Rabin test can be found in Chapter 3 of text-book [3] by Crandall and Pomerance. We abbreviate Miller–Rabin test as MR test.

Definition 4.

Composite integers qualifying by MR test as probable prime at a base a are called strong pseudoprimes relative to base a. Composite integers being probably prime relative to all a from a set A of bases are called strong probable prime relative to set of bases A.

Investigation of pseudoprime integers has a long history in the Computational Number Theory. We outline main advantages in this direction in the next section.

2. Some History Remarks

Fist attempts to find fast primality algorithms were based on Fermat’s Little Theorem asserting that for prime n and for any positive integer a, the following relation holds

$$a^n\equiv amodn$$

(2)

Indeed, many composite integers do not satisfy (2) and can be discarded after the first check. Composite n that satisfy (2) are called Fermat pseudoprimes relative to base a.

It is important to note that all strong pseudoprimes relative to a base a are also Fermat pseudoprimes relative to a.

We can decrease the number of false decisions by Fermat’s test by checking the relation (2) with several different a. However, this does not allow us to completely avoid false conclusions since so-called Carmichael numbers exist.

Integer n is called a Carmichael number if it satisfies (2) for all a. Carmichael numbers appear relatively rarely and the least Carmichael number is $561=3·7·11$. It is known that Carmichael numbers are exactly those integers which satisfy Korselt’s criterion:

Korselt Criterion (1899). A positive compositeinteger n is a Carmichael number if and only if n is square-free, and for all prime divisors p of n, it is true that $p-1|n-1$.

One of the interesting problems is to find for a given odd integer n the least witness. In 1994 Alford, Granville and Pomerance proved [4] that such witnesses exceed ${(logn)}^{1/(3logloglogn)}$ for infinitely many n. We also show that there are finite sets of odd composites which do not have a reliable witness, namely a common witness for all of the numbers in the set.

MR test discards a Carmichael number n, if the base was chosen from $[1;n-1]\backslash W\left(n\right)$.

Let us fix a base a and let $n_a$ be a least composite integer that the MR Test accepts at the base a. Then, any odd $n<n_a$ for which a is a primality witness, is definitely prime. This means that when we know $n_a$, we can definitely check any $n<n_a$ for primality using only one round of the MR procedure. The corresponding integer $n_a$ is small. But if we take a set A of several different bases a and find a least composite $n_A$ for which all $a\in A$ are primality witness, this $n_A$ can be very large. Candidates for bases a can be any positive integers that are not squares. However, historically, candidates for special bases are chosen from the set of primes.

Let $P_k$ denote the set of the first k primes $P_k=\{2,3,5,7,\dots ,p_k\}$, and let ${\psi }_k$ be a least strong pseudoprime relative to $P_k$ for a $k\ge 1$. Function ${\psi }_k$ is well defined and is exponentially computable. Its computation began already 40 years ago.

First four values of ${\psi }_k$ have been found by C. Pomerance, J. Selfridge, and S.Waggstaff [5] in 1980.

A systematic calculation of ${\psi }_k$ for larger k has been initiated by J. Jaeschke [6] who elaborated basic algorithms helpful for searching for strong pseudoprimes of different forms. In 1993 Jaeschke calculated ${\psi }_k$ for $5\le k\le 8$ and proposed upper bounds for ${\psi }_k$ at $9\le k\le 11$.

F. Arnault in papers [7,8] described another algorithm to search for Carmichael numbers and strong pseudoprimes integers.

Jaeschke’ hypothesis have been improved in 2001 by Z. Zang [9] who constructed a lesser 19-digits decimal integer $Q_{11}=3825123056546413051$ bounding above ${\psi }_{11}$. Z.Zang conjectures that values ${\psi }_k$ for $9\le k\le 11$ are equal to each other and coincide with $Q_{11}$.

In 2012 J. Jiang and Y. Deng [10] confirmed Zang’s Hypothesis by showing that $Q_{11}={\psi }_9={\psi }_{10}={\psi }_{11}$.

The last record is reached by J. Sorenson and J. Webster [11] in 2016. They found ${\psi }_{12}$ and ${\psi }_{13}$, where ${\psi }_{13}=3317044064679887385961981\approx 3.3·{10}^{24}$. So at the moment we can successfully determine prime integers less than $3.3·{10}^{24}$ by only 13 rounds of the MR test. But this bound is much less than integers used in Cryptography. For example, DSS algorithm uses prime integers of length 256 bits (≈80 decimal digits).

Another branch of investigations in connected with the problem of distribution of Fermat pseudoprimes and strong pseudoprimes. Let $F\left(n\right)$ denote set

$$F\left(n\right)=\{amodn:a^{n-1}\equiv 1modn\}.$$

Clearly, $F\left(n\right)\supseteq W\left(n\right)$.

In 1985 P. Erdos and C. Pomerance [12] studied an asymptotic behavior of average function

$$A\left(x\right)=\frac{1}{x}\sum _{n\le x}{}^{\prime }|F\left(n\right)|$$

where sum is counted over odd integers. They showed using complex number-theoretical calculations that $A\left(x\right)$ is a growing function bounded below by $x^{15/23}$.

Our average function $Avg\left(x\right)$ looks close to $A\left(x\right)$ but we show that for almost all composite n$W\left(n\right)$ consists of only two elements 1 and $n-1$ and function $Avg\left(x\right)$ tends to zero with x tending to infinity.

Average number of errors in the MR test was also studied in 1993 by I. Damgard, P. Landrock and C Pomerance. In paper [13] they studied an average probability of the false decision by the MR test in the following procedure:

Fix $k>0$ and $t>0$ and choose randomly k-bit odd integer n. Check it with t rounds of MR test with randomly chosen bases from $[1;n-1]$. If n was discarded during the procedure (that is, found $a\notin W\left(n\right)$), take another n. Continue until n was found passed t rounds. Let $p_{k,t}$ be the probability that the procedure returns a composite integer.

The authors found explicit upper bounds for various k and t. In particular they proved that $p_{k,1}\le k^2{4}^{2-\sqrt{k}}\mathrm{for}k\ge 2.$ Their results show that the probability of false decisions of the MR test depends on the length of tested numbers and it decreases if the length of the numbers increases.

3. Counting Number of Witnesses

In this section we deduce exact formulas for the number of primality witnesses for different types of composite integers.

We begin our investigation with a little proposition improving Rabin’s estimate.

Theorem 1.

If $a\in W\left(n\right)$, then $n-a\in W\left(n\right)$.

Proof. 

Let $k=or{d}_n\left(a\right)$. If k is odd, then $a^{odd(n-1)}modn=1$, and ${(n-a)}^{odd(n-1)}\equiv -1modn$, therefore, $n-a$ is also a witness.

If k is even, then $a^{k/2}\equiv -1modn$. If $k/2$ is even, then ${(n-a)}^{k/2}\equiv a^{k/2}\equiv -1modn$, and $(n-a)$ is a witness.

Finally, if $k/2$ is odd, then ${(n-a)}^{k/2}\equiv -a^{k/2}\equiv 1modn$. Since $k/2|odd(n-1)$, then $a^{odd(n-1)}\equiv 1modn$, and $(n-a)$ again is a witness.

This completes the proof. □

Corollary 1.

(The Improved Rabin Theorem). Let n be a natural, and A be an arbitrary set of bases less than n, co-prime to n, such that for any $a\in A$, $n-a$ is not in A. If all bases $a\in A$ are primality witnesses of n, then n is probable prime with probability of error less than or equal to $1/{16}^k$.

Indeed, when we found a primality witness a for integer n, we get two primality witnesses for n, namely, a and $n-a$. So, this reduces the probability of error by a factor of $4^2=16$.

Let $N_w\left(n\right)=|W\left(n\right)|$ be the power of number of primality witnesses $W\left(n\right)$. As mentioned earlier, for prime n$N_w\left(n\right)=n-1$, and for composite n$N_w\le \phi \left(n\right)/4$.

Below we estimate function $N_w\left(n\right)$ more exactly. First we formulate a theorem restricting possible witnesses for a composite n.

Theorem 2.

Let $n=u·v$ for co-prime factors u and v (possibly, composite), and $a\in W\left(n\right)$. Then,

$$\begin{array}{c}1.or{d}_u\left(a\right)|GCD(\phi \left(u\right),(u-\phi \left(u\right))v-1),\hfill \\ 2.or{d}_v\left(a\right)|GCD(\phi \left(v\right),(v-\phi \left(v\right))u-1),\hfill \\ 3.bin\left(or{d}_u\left(a\right)\right)=bin\left(or{d}_v\left(b\right)\right).\hfill \end{array}$$

(3)

Proof. 

• Since a is a primality witness for n then $a^{n-1}\equiv 1modn$ and $a^{n-1}\equiv 1modu$. Besides, $n-1=uv-1=\phi \left(u\right)v+(u-\phi (u\left)\right)v-1$, so

  $$1\equiv a^{n-1}\equiv a^{\phi \left(u\right)v+(u-\phi (u\left)\right)v-1}\equiv a^{(u-\phi (u\left)\right)v-1}modu,$$

  since $a^{\phi \left(u\right)}\equiv 1modu$ by Euler’s Theorem.
• By symmetry.
• If $or{d}_u\left(a\right)$ is odd, then $a^{odd(n-1)}\equiv 1modn$ (otherwise, a satisfies the second clause of the MRT, and $or{d}_u\left(a\right)$ should be even). Then $a^{odd(n-1)}\equiv 1modv$ and $or{d}_v\left(a\right)$ is odd.

If $bin\left(or{d}_u\left(a\right)\right)=i$ for $0<i<bin(n-1)$, then a is a witness by second clause of the MRT, so $a^{odd(n-1)2^{i-1}}\equiv -1modn$, $a^{odd(n-1)2^{i-1}}\equiv -1modv$, and $a^{odd(n-1)2^i}\equiv 1modv$, so $or{d}_v\left(a\right)=odd(n-1)2^i$ and $bin\left(or{d}_v\left(a\right)\right)$ is equal to i.

The theorem is proved. □

Example 1.

Let $n=15·19=285,$ and $a\in W\left(n\right)$. By Theorem 2:

$$\begin{array}{c}1.or{d}_u\left(a\right)|GCD(\phi \left(u\right),(u-\phi \left(u\right))v-1)=GCD(8,132)=4,\hfill \\ 2.or{d}_v\left(a\right)|GCD(\phi \left(v\right),(v-\phi \left(v\right))u-1)=GCD(18,14)=2,\hfill \\ 3.bin\left(or{d}_u\left(a\right)\right)=bin\left(or{d}_v\left(b\right)\right).\hfill \end{array}$$

So, possible a satisfies $(or{d}_u\left(a\right),or{d}_v\left(a\right))=(1,1)$, or, $(or{d}_u\left(a\right),or{d}_v\left(a\right))=(2,2)$, so $n=285$ has only trivial witnesses 1 and $n-1$.

Theorem 3.

Let $n=p^k$ be a degree of prime p, then $N_w\left(n\right)=p-1$.

Proof. 

Let a be a witness for $n=p^k$, then $or{d}_a\left(n\right)|GCD(\phi \left(n\right),n-1)=GCD(p^{k-1}(p-1),$$p^k-1)=p-1.$

Besides, any a satisfying $a^{p-1}modn=1$ is a witness of n. Indeed, let $a^{p-1}modn=1$. Then, $m=or{d}_n\left(a\right)$ is a factor of $n-1=p^k-1$. Let $n-1=2^s·t$ for odd t, therefore, $m=2^{s_1}·t_1$, where $s_1\le s$ and $t_1$ is a factor of t.

If $s_1=0$, then $a^{t_1}modn=1$, $a^{t}modn=1$ and a is a witness by the first clause of the MRT. Otherwise, let $0\le r\le s_1$ be such that $a^{t_1{2}^r}\equiv -1modn$. Then $a^{t{2}^r}\equiv -1modn$ and a is a witness by the second clause of the MRT. This completes the proof. □

We call integer n semiprime if it is a product of two distinct primes $n=pq,p<q.$ Semiprimes are close to primes, and we prove below that they have a maximal number of primality witnesses among composite numbers.

Theorem 4.

Number of witnesses of semiprime $n=pq$ is equal to

$$N_w\left(pq\right)={\left(odd\left(d\right)\right)}^2·(4^{bin\left(d\right)}+2)/3,$$

(4)

where $d=GCD(p-1,q-1)$.

We begin with example of application of this formula.

Example 2.

Let $n=11·31=341$. Then $d=GCD(p-1,q-1)=10=5·2^1$, $odd\left(d\right)=5$, $s=bin\left(d\right)=1$. By the theorem,

$$N_w\left(31\right)=5^2·(4+2)/3=50.$$

Proof. 

Let $d=GCD(p-1,q-1)$. Applying Theorem 2 to $n=pq$ we obtain

$$\begin{array}{c}1.or{d}_p\left(a\right)|d,or{d}_q\left(a\right)|d,\hfill \\ 2.bin\left(or{d}_u\left(a\right)\right)=bin\left(or{d}_v\left(b\right)\right).\hfill \end{array}$$

We distribute all n-witnesses a into $s+1$ classes $W_i$, $0\le i\le s$, where class $W_i$ consists of a with $bin\left(or{d}_p\left(a\right)\right)=bin\left(or{d}_q\left(a\right)\right)=i$.

Class $W_0$ contains such a that both $or{d}_p\left(a\right)$ and $or{d}_q\left(a\right)$ are odd. Let $a\in W_0$, and $(i,j)=(or{d}_p\left(a\right),or{d}_q\left(a\right))$. Numbers i and j are factors of $u=odd\left(d\right)$ by the choice of a. Conversely, each integer $a<n$ satisfying $or{d}_p\left(a\right)|u,or{d}_q\left(a\right)|u,$ is a witness of n and lies in $W_0$.

Let fix a pair $(i,j),i|d,j|d$. By Euler’s theorem, in $Z_p$ there are exactly $\phi \left(i\right)$ elements of multiplicative order i, and in $Z_q$ there are $\phi \left(j\right)$ elements of multiplicative order j, so, there exist exactly $\phi \left(i\right)·\phi \left(j\right)$ pairs $(x,y),0<x<p,0<y<q,$ such that $(or{d}_p\left(x\right),or{d}_q\left(y\right))=(i,j)$. But for each such pair $(x,y)$ there exists a unique $a<n$ with $(amodp,amodq)=(x,y)$, so there is a injective correspondence between witnesses a of n with odd orders $or{d}_p\left(a\right)$, $or{d}_q\left(a\right)$, and pairs $(x,y)$ with $x|u$, $y|u$. Therefore, the power of $W_0$ is equal to

$$|W_0|=\sum _{x|u,y|u}\phi \left(x\right)·\phi \left(y\right)=\left(\sum _{x|u}\phi \left(x\right)\right)\left(\sum _{y|u}\phi \left(y\right)\right)=u^2,$$

since by a known theorem of Euler for any natural m ${\sum }_{v|m}\phi \left(v\right)=m$.

The next class $W_1$ has the same power $u^2$ since is consists of witnesses a with $bin\left(or{d}_p\left(a\right)\right)=bin\left(or{d}_q\left(a\right)\right)=1$, and

$$|W_1|=\sum _{x|d,y|d}\phi \left(2x\right)·\phi \left(2y\right)=u^2,$$

since $\phi \left(2z\right)=\phi \left(z\right)$ for odd z.

The power of class $W_i$ is equal to

$$\sum _{x|d,y|d}\phi \left(2^{i}x\right)·\phi \left(2^{i}y\right)=4^{i-1}{u}^2.$$

Therefore, the number of all witnesses $N_w\left(n\right)=u^2(1+1+4+\dots +4^{s-1})=u^2·(4^s+2)/3.$ This completes the proof. □

Corollary 2.

(Rabin’s theorem for semiprimes). The number of witnesses of $n=pq,p\le q,$ is less or equal to $\phi \left(n\right)/4$.

Proof. 

If $p=q$, then $N_w\left(n\right)=p-1$ by Theorem 3, and $\phi \left(n\right)/4=p(p-1)/4$, so $N_w\left(n\right)<\phi \left(n\right)/4$ at $p\ge 5$.

Let $p<q$. Ratio $N_w\left(n\right)/n$ reaches its maximum when $GCD(p-1;q-1)=p-1$, $q=2p-1,$ and $bin(p-1)=1$. Indeed, $odd\left(n\right)$ is diminishing in two times when $bin(p-1)$ is added by 1, and the whole expression in (4) becomes less. Then, $maxodd\left(d\right)=(p-1)/2$, so

$$max{N}_w\left(pq\right)=N_w\left(p(2p-1)\right)=\frac{{(p-1)}^2}{2}=\frac{\phi \left(n\right)}{4}.$$

□

Example 3.

Let $n=7·13=91$. $N_w\left(91\right)=3^2·2=18=\phi \left(91\right)/4$.

Now we study function $N_w\left(n\right)$ at products of k distinct primes. The general result for such products is formulated below:

Theorem 5.

Let $n=p_1·p_2·\dots p_k$ be the product of k distinct primes. Then

$$N_w\left(n\right)=u_1·u_2·\dots ·u_k·\left(1+\frac{2^{ks}-1}{2^k-1}\right),where$$

$$s=min\{bin\left(d_1\right),bin\left(d_2\right),\dots ,bin\left(d_k\right)\},d_i=GCD\left(p_i-1;\prod _{j\ne i}{p}_j-1\right),$$

$u_i=odd\left(d_i\right)$.

Let us begin with an example $n=7·13·31=2821.$ The corresponding restrictions are listed below:

$$\begin{array}{l}1.or{d}_p\left(a\right)|d_1=GCD(p-1;qr-1)=6,u_1=3,\hfill \\ 2.or{d}_q\left(a\right)|d_2=GCD(q-1;pr-1)=12,u_2=3,\hfill \\ 3.or{d}_r\left(a\right)|d_3=GCD(r-1;pq-1)=30,u_3=15,\hfill \\ 4.bin\left(or{d}_p\left(a\right)\right)=bin\left(or{d}_q\left(b\right)\right)=bin\left(or{d}_r\left(b\right)\right).\hfill \end{array}$$

Since $s=min\{bin\left(d_1\right),bin\left(d_2\right),bin\left(d_3\right)\}=min\{1,2,1\}=1$, we obtain

$$N_w\left(2821\right)=3·3·15\left(1+\frac{2^3-1}{2^3-1}\right)=270$$

(compare with $\phi \left(n\right)/4=6·12·30/4=540$).

Proof. 

Let $u_i=odd\left(d_i\right)$ and k-tuple $(x_1,x_2,\dots ,x_k)$ contains components $x_i|u_i$, $1\le i\le k$. There are $\phi \left(x_1\right)·\dots ·\phi \left(x_k\right)$ witnesses of n with $or{d}_{p_i}\left(a\right)=x_i$ for $1\le i\le k$. So,

$$|W_0|=\sum _{(x_1,x_2,\dots ,x_k),x_i|u_i}\phi \left(x_1\right)·\dots ·\phi \left(x_k\right)=$$

$$=\left(\sum _{x|u_1}\phi \left(x\right)\right)·\left(\sum _{x|u_2}\phi \left(x\right)\right)\dots \left(\sum _{x|u_k}\phi \left(x\right)\right)=u_1·u_2·\dots ·u_k.$$

As in the previous theorem, the power of class $W_1$ is equal to power of $W_0=u_1·u_2·\dots ·u_k$, while the power of the each further class $W_{i+1}$ is equal to the power of the previous one multiplied by $\phi \left(2^k\right)=2^{k-1}$ since each additive $\phi \left(2^i{x}_1\right)·\dots ·\phi \left(2^i{x}_k\right)$ in the previous class corresponds to additive $\phi \left(2^{i+1}{x}_1\right)·\dots ·\phi \left(2^{i+1}{x}_k\right)$ and their ratio $r_i$ is

$$r_i=\frac{\phi \left(2^{i+1}{x}_1\right)·\dots ·\phi \left(2^{i+1}{x}_k\right)}{\phi \left(2^i{x}_1\right)·\dots ·\phi \left(2^i{x}_k\right)}=2^k.$$

The proof is complete. □

4. Frequency Function

In this part we introduce a notion of frequency function that characterizes the probability to find at one attempt a primality witness for a given integer n.

Let define frequency function $Fr\left(n\right)$ as follows

$$Fr\left(n\right)=\frac{N_w\left(n\right)}{\phi \left(n\right)}.$$

According to Rabin’s theorem, $Fr\left(n\right)=1$ for prime n, and $Fr\left(n\right)\le 1/4$ for composite n. We study distribution of values $Fr\left(n\right)$ for semiprime integers $n=pq,p<q$.

1. We begin our research with case $q-1=k(p-1)$ for $k\ge 2$. Numbers of this type appear frequently among strong pseudoprimes. Let rewrite p and q in form $p=2^{s}u+1,q=2^{s}ku+1,$ where u is odd, $s\ge 1$, and consider different s:

Case 1.

$s=1,u=odd\left(d\right)=(p-1)/2,N_w\left(pq\right)=2u^2={(p-1)}^2/2,$

$$Fr\left(n\right)=\frac{{(p-1)}^2/2}{(p-1)(q-1)}=\frac{2u^2}{2u·2ku}=\frac{1}{2k}.$$

Function $Fr\left(n\right)$ reaches its maximum $1/4$ at $k=2$: $(p,q)=(2u+1,4u+1)$. Since, both p and q are prime then $u\equiv 0mod3$, so $(p,q)=(6t+1,12t+1)$, $t\ge 1$. Such pairs form a sequence

$$(7,13),(19,37),(31,61),(37,73),\dots .$$

Case 2.

$s=2,u=odd\left(d\right)=(p-1)/4,N_w\left(pq\right)=6u^2,$ and

$$Fr\left(n\right)=\frac{6u^2}{(p-1)(q-1)}=\frac{6u^2}{4u·4ku}=\frac{3}{8k}.$$

Maximum of $Fr\left(n\right)$ is now $3/16=0.1875$ at $k=2$.

Case 3.

$s\ge 1$, At arbitrary s we have

$$Fr\left(n\right)=\frac{(1+(4^s-1)/3)u^2}{(p-1)(q-1)}=\frac{(1+(4^s-1)/3)u^2}{2^{s}u·2^{s}ku}=\frac{1}{3k{u}^2·2^{2s-1}}+\frac{1}{3k}.$$

Thus, function $Fr\left(n\right)$ at semiprimes $n=pq$, $q-1=k(p-1),$ is located in the interval

$$\frac{1}{3k}<Fr\left(n\right)\le \frac{1}{2k},k\ge 2.$$

(5)

2. Now, we turn to a common case $n=pq$:

$$p=1+k_{1}u,q=1+k_{2}u,GCD(k_1,k_2)=1,u=t{2}^s,todd.$$

For such n

$$N_w\left(n\right)=t^2(4^s+2)/3,\phi \left(n\right)=k_1{k}_2{t}^2{4}^s,Fr\left(n\right)=\frac{4^s+2}{3k_1{k}_2·4^s}.$$

So,

$$\frac{1}{3k_1{k}_2}<Fr\left(n\right)\le \frac{1}{2k_1{k}_2}$$

Conclusion. Function $Fr\left(n\right)$ at semiprimes $n=pq$ depends mostly on values $k_1$ and $k_2$ in representation $p=k_{1}u+1$, $q=k_{2}u+1$. $Fr\left(n\right)$ takes maximal values close to $1/4$ only at small $k_1$ and $k_2$. This completely corresponds to experimental data. Among values ${\psi }_k$ the most expected are pseudoprimes of form $u=(u+1)(2u+1)$ with minimal values $k_1=1$ and $k_2=2$.

An important question connecting with efficiency of MRT is the average frequency of witnesses for composite numbers. As earlier, we study this problem for semiprime integers.

Let fix any prime p and a board B. We count average frequency of integers $pq,q>p,pq\le B$. For convenience, we assume that $B=p(p+(p-1\left)k\right)$ for a positive $k\in \mathbf{Z}$.

For simplicity we explain all deductions at example $p=11$. Every prime q has $d=GCD(p-1,q-1)$ equal either 2, or 10.

Let $d=10$. Corresponding q lie in the set $\{21,31,41,51,61,71,81,91,101,\dots ,$$10k+11\}$, where $10k+11=B/p$. Each third integer in the sequence is a multiple of 3, some others are multiples of 7, 11 etc. Since q should be prime we need to remove them from the sequence. The rest consists of integers

$$Q_B=\{31,41,61,71,101,113\dots \}.$$

(6)

We assume that primes $q\in Q_B$ are distributed uniformly in the interval $[1,B/p]$. Then the average frequency can be estimated as

$$Avg\left(Fr\left(n\right)\right)\approx \frac{1}{k}\left(\frac{1}{4}+\frac{1}{6}+\dots +\frac{1}{2k}\right)=\frac{1}{2k}\left(1+\frac{1}{2}+\frac{1}{3}+\dots +\frac{1}{k}\right)$$

(we remind that $Fr\left(p\right(i(p-1)+p)=1/2(i+1)$).

The expression in the last brackets is a partial sum of the Harmonic Series. Its value is

$$\sum _{i=1}^k\frac{1}{i}<\sum _{i=1}^{k+1}\frac{1}{i}=lnk+\gamma +{\epsilon }_n,$$

where $\gamma =0.5772...$ is the Euler—Mascheroni constant and ${lim}_{k\to \infty }{\epsilon }_n=0$. Constant $\gamma$ and additive ${\epsilon }_n$ can be ignored so

$$Avg\left(Fr\left(n\right)\right)<\frac{lnk}{2k}$$

Since $(p-1)k+1=B/p,$ then $k>B/p^2-1$ and $lnk<lnB$, so

$$Avg\left(Fr\left(n\right)\right)<\frac{lnB}{2(B-p^2)}·p^2$$

(7)

Let us move now to primes q of type $d=GCD(p-1,q-1)=2$. They lie in the sequence

$$q\in \{13,15,17,19,23,,25,27,29,\dots ,2m+1\}$$

where $2m+1=B/p,q=2i+1,GCD(i,5)=1$. When we remove composite integers, the rest contains at least half members.

Integers $n=pq$ with $GCD(p-1,q-1)=2$ have only trivial witnesses 1 and $n-1$ so their frequency function takes values

$$Fr\left(n\right)=\frac{2}{(p-1)(q-1)}.$$

Assuming that such n are distributed uniformly in the interval $[p^2;B]$ we estimate the average frequency by expression

$$Avg\left(Fr\right)\approx \left(2\sum _{p\le k\le m}\frac{1}{(p-1)(2k+1)}\right)/\left(\frac{2m+1-p}{2}\right)<$$

$$\frac{4}{(2m+1-p)(p-1)}·\frac{1}{2}·\sum _{i=(p+1)/2}^m\frac{1}{i}<\frac{2}{(2m+1-p)(p-1)}·lnm$$

Substituting in the last expression $2m+1=B/p$ we get

$$Avg\left(Fr\right)<\frac{2plnB}{(B-p^2)(p-1)}$$

(8)

Expressions (7) and (8) give upper bounds for two types of integers $n=pq$. In the second case the estimation is lesser so average estimation for the united class of all $n=pq\le B$, $p<q$, can be set by the upper bound of (7). This assertion does not depend on a special $p=11$ so we can state the following theorem.

Theorem 6.

Let p be a prime and B satisfy $B>p^2$. Then the average frequency of witnesses in the class of semiprimes $n=pq\le B,q>p,$ has an upper bound

$$Avg\left(Fr\left(n\right)\right)<\frac{p^{2}lnB}{2(B-p^2)}$$

Note than limit of the average function is 0 as $B\to \infty$. This explains the phenomenon that the number of false conclusions in the Miller–Rabin test decreases when length of tested integers increases.

5. Numbers with Maximal Frequency of Witnesses

In this section we study composite n with maximal frequency $Fr\left(n\right)=1/4$. Let $n=p_1{p}_2\dots p_k$ be the product of k different primes.

We begin with case $k=2$. As we see from the previous section, integers $n=pq$ have maximal frequency only in case when $q=2p-1$. Such pairs appear comparatively often, and their quantity is diminishing together with their size.

Table 1. Distribution of semiprimes with maximal frequency below ${10}^6$.

1	2	3	4	5	6	7	8	9	10
670	494	448	412	424	386	393	358	370	343

contains number of semiprimes with maximal frequency in intervals $[(i-1)·{10}^5;i·{10}^5;],1\le i<10$.

Case $k=3$ is more interesting. In order function $Fr\left(pqr\right)$ reached its maximum = $0.25$, we need satisfaction of four requirements:

$$\begin{array}{c}1.GCD(p-1;qr-1)=p-1,\hfill \\ 2.GCD(q-1;pr-1)=q-1,\hfill \\ 3.GCD(r-1;pq-1)=r-1.\hfill \\ 4.bin(p-1)=bin(q-1)=bin(r-1)=1.\hfill \end{array}$$

(9)

Such triples exist, and an example of it was already given in Rabin’s paper [2] $n=487·1531·2683=2000436751$. Rabin himself estimated $Fr\left(n\right)$ as $0.2493$, but the difference is due to the fact that he did not include 1 in the list of witnesses.

Such triples appear much more seldom and have a form

$$n=(2k_1+1)u·(2k_2+1)u·(2k_3+1)uforu\in N.$$

We arranged the search of such triples at a computer and found 160 such integers not exceeding $2·{10}^{14}$. The least triple we found is

$$n=19·199·271=1024651.$$

The largest found triple has a form $n=(u+1)(3u+1)(5u+1)$ at $u=24102$:

$$n=24103·72307·120511=210028453302331.$$

Let us study the form $\langle u,3u,5u\rangle$ and find restrictions on u in order to $n=(u+1)(3u+1)(5u+1)$ satisfies first 3 conditions of (9). The first requirement is satisfied automatically. The second and third requirement are listed below:

$$(3u+1)-1|(u+1\left)\right(5u+1)-1\to u\equiv 0mod3.$$

$$(5u+1)-1|(u+1\left)\right(3u+1)-1\to 3u+4\equiv 0mod5,$$

so $u=6+15t$ for $t\ge 1$. If we add requirements $p\equiv q\equiv r\equiv 3mod4$ we obtain

$$15t+7\equiv 3mod4\to t\equiv 1mod4,u=6+15(1+4t_1)=21+60t_1.$$

Let now consider products of k primes where $k\ge 4$. The maximum of frequency of such products is $1/2^{k-1}$, since it is reached when for any $i\le k$$(p_i-1)/2$ is odd, and $(p_i-1)|\prod (p_{j\ne i}-1)$. Then,

$$Fr\left(p\right)=2·\prod _{i=1}^k\frac{p_i-1}{2}=\frac{\phi \left(n\right)}{2^{k-1}}.$$

A quick search of tuples $n=pqrt$ below ${10}^{12}$ gave 70 examples of them. The least 4-tuple was

$$n=19·31·127·547=40917241,$$

while the largest was

$$n=19·127·14071·29347=996428170081.$$

Some computational results on distribution of strong semiprime integers can be found in [14].

6. Conclusions

In this section we will summarize the main results of the paper.

• We found exact formulas for the number of witnesses for composite n with different number of factors.
• We introduced the frequency function $Fr\left(n\right)$ characterizing the probability to find at one attempt a primality witness for a given n and found exact bounds for distribution of this function for semiprime integers n.
• Like as Damgard, Landrock, and Pomerance in [13], we studied an average values of $Fr\left(n\right)$ at intervals $[1;x]$ for semiprime integers $n=pq,n\le x$, with fixed p and showed that it bounded above by $p^{2}logx/2(x-p^2)$.
  Since such integers have maximal values of $F\left(n\right)$ among all composites, this opens a way in future investigations to find exact upper bounds for average values of frequency function among all k-bit odd integers for any k.
• Finally, we described possible forms of composites with maximal values of frequency function for products of k distinct primes at $k\ge 2$ and using computer calculations found their examples and their quantity at initial intervals of set of all naturals.