Fermat's primality test vs. Miller-Rabin
Anton Stiglic
astiglic at okiok.com
Mon Nov 21 22:39:17 EST 2005
-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Joseph Ashwood
Sent: November 18, 2005 3:18 AM
To: cryptography at metzdowd.com
Subject: Re: Fermat's primality test vs. Miller-Rabin
>> Look at table 4.3 of the Handbook of
>> applied cryptography: for t = 1 (one iteration) and for a 500-bit
>> candidate,
>> we have probability p(X | Y_1) <= 2^-56, which is better than what you
>> concluded. (X representing the event that the candidate n is composite,
>> Y_t
>> representing the event that Miller-Rabin(n, t) declares n to be prime).
>>
>> The results in table 4.3 and 4.4 of HAC are for randomly (uniform) chosen
>> candidates, and I think you need to do a basic sieving (don't remeber if
>> that is necessary, but I think it is). The result is due to the fact
>> that under these conditions, the strong pseudoprime test does in fact
>> much better than 1/4 probability of error ( value of P(Y_t | X) is very
>> low ), this result is due to Damgard, Landrock and Pomerance, based on
>> earlier work of Erdos and Pomerance.
>I think much of the problem is the way the number is being applied. Giving
>a stream of random numbers that have passed a single round of MR you will
>find that very close to 50% of them are not prime, this does not mean that
>it passes 50% of the numbers (the 2^-80 probability given above is of this
>type).
Do you do an initial sieving to get rid of the more obvious primes? I'm
guessing you don't since you seem to have a result contradictory to what has
been proven by Damgard, Landrock and Pomerance. If you look at table 4.3 of
HAC (which comes from Damgard & al. paper), it says that if your candidates
come from a uniform random distribution, then for 500 bit candidate, the
probability that a candidate n is composite when one round of miller-Rabin
said it was prime is <= (1/2)^56. You are finding that the probability is
about 1/2, that seems very wrong (unless you are not doing the sieving,
which is very important). Am I misunderstanding something?
>In fact it appears that integers fall on a continuum of difficulty
>for MR, where some numbers will always fail (easy composites), and other
>numbers will always pass (primes). The problem comes when trying to denote
>which type of probability you are discussing.
Well I think I explained it pretty clearly. I can try to re-iterate. Let X
represent the event that a candidate n is composite, and let Y_n denote the
event that Miller-Rabin(n,t) declares n to be prime, where Miller-Rabin(n,t)
means you apply t iterations of Miller-Rabin on n.
Now the basic theorem that we all know is that P(Y_t | X) <= (1/4)^t (this
is problem in one of Koblitz basic textbooks on cryptography, for example).
But this is not the probability that we are interested in, we are (at least
I am) more interested in P(X | Y_t). In other words, what is the
probability that n is in fact composite when Miller-Rabin(n, t) declared n
to be prime? Do we agree that this is the probability that we are
interested in?
>What are the odds that a
>random 512-bit composite will be detected as composite by MR in one round?
>I don't think anyone has dependably answered that question, but the answer
>is very different from 1-(probability that MR-* says it's a prime)^-k. Any
>discussion needs to be more accurately phrased.
You are looking for P( Comp Y_t | X), where Comp Z is the complementary
event of Z. In our case, Comp Y_t is the event that Miller-Rabin(n,t) proves
n to be composite. Is that what you are looking for?
>For example, my phrasing is that in the tests that I performed 50% (+/-
>experimental noise) of those numbers that passed a single round of MR also
>passed 128 rounds, leading me to conclude that 50% of the numbers that
>passed a single round of MR are in fact prime. Since each number that
>passed a single round was subjected to 127 additional rounds, a number of
>additional statistics can be drawn, in particular that of those that failed
>at least one round none failed less than 40 rounds, and that few passed
>less than 40 rounds. Due to the fact that this was only iterated 65536
>times there is still substantial experimental error available. These pieces
>of information combined indicate that for 512-bits it is necessary to have
>80 rounds of MR to verify a prime.
I don't understand what you are trying to point out. If you chose your
candidates uniformly at random, do the sieving before applying the
Miller-Rabin tests, then for 512 bit number it is sufficient to apply 5
rounds to get probability of error lower than (1/2)^80.
You should take a look at Damgard & al's paper, they did a very good
analysis.
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list