Score:3

Crypto

Purpose of the b1, b2, b3.... terms in Rabin-Miller Primality Test

Kevin Stefanov

7/9/24, 7:05 AM

In Rabin-Miller primality test, let N be the number you're checking for primality. Here N = 78007. Let m be the number you get after dividing (N - 1) by 2 several times until you can no longer do so. In this case, m = 39003.

The next step is to pick an A, here we pick A = 3. Now we calculate b₀ = A^m mod N. Now, if that A's b₀ turned out to be (N-1) or 1, then the algorithm says "N is probably prime". In any other case, it says "N is composite".

At this point, we have two choises: Pick another A and compute its b₀ OR keep that A and start computing b_i terms for it, where b_i = (b_i-1)² mod N. If a particular b_i = (N-1), the algorithm says "N is probably prime", if it's anything else, it says "N is composite".

MY QUESTION IS: What exactly is the purpose of those b_i terms? How do I know when to stop computing a particular A's b_i terms and go to a new A? Do I just see how many b_i terms it will take before the algorithm says "probably prime" and then go to a different A? Or do I just compute every A's b₀ only, record what the algorithm says and go to a new A value right away and completely ignore every A's b_i terms?

Any explanation I'd highly appreciate. Even more so one that doesn't use heavy terminology from number theory so I can actually understand it. :P

178

1 + 1

number-theory

prime-numbers

Kevin Stefanov

7/9/24, 8:20 AM

It was (N-1) divided by 2, not N. My bad, I corrected it.

Score:4

Crypto

poncho

7/9/24, 11:36 AM

What exactly is the purpose of those $b_i$ terms?

$b_i = A^{2^i m} \bmod N$

If $\lambda$ is the number of times you divided by 2 in the first step, then $2^\lambda m = N-1$.

Hence, by Fermat's little theorem, if $b_\lambda \ne 1$, then we know $N$ is not prime (because $A^{N-1} = 1 \pmod N$ for any prime $N$, as long as $A$ is a not multiple of $N$). Hence, if you go $\lambda$ steps, and don't hit one, we know we have a composite.

At this point, we have two choises

Actually, you don't; you always perform $\lambda$ squarings unless you hit $N-1$ (actually, it turns out $\lambda-1$ is sufficient). That is, unless you hit 1 initially, or $N-1$ on any later step, we know $N$ is composite (either by Fermat's Last Theorem, or because nontrivial factors are deducible). We have to do that for the Miller-Rabin proof to hold (and anyways, that's a lot cheaper than picking another $A$ and computing $A^m$ all over again).

This is because if we have a value $B \ne 1, N-1$, and $B^2 = 1 \pmod N$, then $N$ is composite (and $\gcd(B-1, N), \gcd(B+1, N)$ are nontrivial factors). This (along with Fermat's little theorem) are why when MR says composite, it has proven it.

+ 15

Kevin Stefanov

7/9/24, 2:34 PM

And if you go up to λ steps in the Bi terms and you DO hit 1 somewhere along the way, then (and only then) the algorithm says "probably prime"? And doing this for a number of A's is how you become more and more certain that the number is prime, right?

Kevin Stefanov

7/9/24, 3:43 PM

Im still confused about when to look for (N-1) as a result and when to look for 1 and when to stop computing Bi terms.

poncho

7/9/24, 3:54 PM

@KevinStefanov: at the very first step (immediately after computing $A^m \bmod N$), you look for 1 or $N-1$ - if you see either, it's "probably prime". After that, $N-1$ means "probably prime", a 1 means "composite" (assuming you would have stopped for a previous $N-1$ term). And, if you don't see an $N-1$ after $\lambda$ steps, that's "composite"

Kevin Stefanov

7/9/24, 4:05 PM

Okay, so to summarize: For any value of A and let K be the number of times we managed to divide by 2: if b0 = 1 OR b0 = (N-1) => probably prime. Else if b0 is neither of those, begin computing Bi terms until you hit one of 3 cases: **EITHER** you see (N-1), in which case you stop and say "probably prime" and go test other A's, **OR** you see 1 in which case you stop and conclude "N is composite, no need to test other A's", **OR** you have reached the B(k-1)th term and so far have not seen (N-1) even once, in which case you conclude "N is composite, no need to test other A's".

Kevin Stefanov

7/9/24, 4:05 PM

Did I finally get the hang of it?

poncho

7/9/24, 4:21 PM

@KevinStefanov: yes (minor note: there's no need for the "you see 1 in which case you stop" case - if you hit a 1, you'll never see (N-1) even once and so you'll output composite in any case. And, it's not that important of an optimization, as hitting 1 here would be an extremely rare event, except for some specifically crafted composites...

Kevin Stefanov

7/9/24, 4:24 PM

So the part after you didn't see 1 or (N-1) for b0 can be reduced to: You either see (N-1) by the B(k-1)th term, or you don't. The former case is "probably prime", the latter case is "definitely composite". Right?

poncho

7/9/24, 4:28 PM

@KevinStefanov: that is correct

Kevin Stefanov

7/9/24, 4:35 PM

Thank you you've been extremely helpful!

Kevin Stefanov

7/9/24, 11:31 PM

Is there anything to be said about how we pick the A's? Do small values like 3 to 10 work for huge 3000-bit numbers? Or do bigger numbers need bigger values of A? Another answer told me the bigger the number is, the fewer A's you gotta check, and for 3000-bit numbers, only 2 A's saying "probably prime" suffice. Also, is it a good idea to hardcode the same couple of A's in my implementation or is it better to pick the A's at random each time?

poncho

7/10/24, 1:22 AM

@KevinStefanov: well, for the MR proof to be valid, the $A$s need to be selected randomly. On the other hand, what are you using MR for? If you're using it to generate primes (rather than testing values sent to you by someone else), then using the first several primes (i.e. 2, 3, 5, ...) is as good as any (and may make the computation a bit cheaper).

Kevin Stefanov

7/10/24, 9:05 AM

I'm using MR to generate primes for Diffie-Hellman, yes. I am making a chat room website with my own custon encryption scheme and if Wikipedia is to be believed, XOR-ing each byte of the messages with a unique byte from a secret key is enough to make a good encryption. DH is how I'll get each side to end up with the same 3000-bit secret key. I'm writing the web server by myself in C. I even wrote my own big-integer library in C for this. It's super interesting. 3000-bit keys have 375 bytes in them, which means all messages up to 375 characters will have a unique byte to be XOR-ed with.

Kevin Stefanov

7/10/24, 9:24 PM

Also why did you say using the first several PRIMES? I thought any value of A is good, doesn't have to be prime?

poncho

7/10/24, 9:28 PM

@KevinStefanov: well, if I did a MR test with $m=x$ and again with $m=y$ (and they both returned "probably prime", then testing it with $m=x \times y$ will quite likely also return "probably prime", even if the $N$ we were testing was composite. Making all the $m$'s we test be relatively prime avoids this, and the easiest way to do that is to use consecutive primes...

Kevin Stefanov

7/10/24, 9:39 PM

I see. So simply hardcoding an array of the first few primes to use for my A's is enough.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Purpose of the b1, b2, b3.... terms in Rabin-Miller Primality Test

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.