Fermat's primality test vs. Miller-Rabin
Joseph Ashwood
ashwood at msn.com
Tue Nov 22 05:50:18 EST 2005
----- Original Message -----
From: "Anton Stiglic" <astiglic at okiok.com>
Subject: RE: Fermat's primality test vs. Miller-Rabin
> -----Original Message-----
> From: [Joseph Ashwood]
> Subject: Re: Fermat's primality test vs. Miller-Rabin
>>I think much of the problem is the way the number is being applied. Giving
>>a stream of random numbers that have passed a single round of MR you will
>>find that very close to 50% of them are not prime, this does not mean that
>>it passes 50% of the numbers (the 2^-80 probability given above is of this
>>type).
>
> Do you do an initial sieving to get rid of the more obvious primes?
No I did not, since this was specifically to test the effectiveness of MR I
determined that it would be better to test purely based on MR, and not use
any sieving. The actual algorithm was:
16384 times
{
question = random 512-bit number
//this is not the most efficient, but it should remove bias making this
just MR
while(question does not pass a single round of MR) question = random
512-bit number
127 times
{
perform an MR round
log MR round result
}
}
Then I performed analysis based on the log generated. I will gladly disclose
the source code to anyone who asks (it's in Java).
> I'm
> guessing you don't since you seem to have a result contradictory to what
> has
> been proven by Damgard, Landrock and Pomerance. If you look at table 4.3
> of
> HAC (which comes from Damgard & al. paper), it says that if your
> candidates
> come from a uniform random distribution, then for 500 bit candidate, the
> probability that a candidate n is composite when one round of miller-Rabin
> said it was prime is <= (1/2)^56. You are finding that the probability is
> about 1/2, that seems very wrong (unless you are not doing the sieving,
> which is very important). Am I misunderstanding something?
No you're not. The seiving is important from a speed standpoint, in that the
odds improve substantially based on it, however it is not, strictly
speaking, necessary, MR will return a valid result either way.
>>In fact it appears that integers fall on a continuum of difficulty
>>for MR, where some numbers will always fail (easy composites), and other
>>numbers will always pass (primes). The problem comes when trying to denote
>>which type of probability you are discussing.
>
> Well I think I explained it pretty clearly. I can try to re-iterate. Let
> X
> represent the event that a candidate n is composite, and let Y_n denote
> the
> event that Miller-Rabin(n,t) declares n to be prime, where
> Miller-Rabin(n,t)
> means you apply t iterations of Miller-Rabin on n.
> Now the basic theorem that we all know is that P(Y_t | X) <= (1/4)^t (this
> is problem in one of Koblitz basic textbooks on cryptography, for
> example).
> But this is not the probability that we are interested in, we are (at
> least
> I am) more interested in P(X | Y_t). In other words, what is the
> probability that n is in fact composite when Miller-Rabin(n, t) declared n
> to be prime? Do we agree that this is the probability that we are
> interested in?
If we are discussing that aspect, then yes we can agree to it. That is the
probability I gave, at exactly a single round (i.e. no sieving involved),
approaching 1/2 (my sample was too small to narrow it beyond about 2
significant digits). I know this result is different from the standard
number, but the experiment was performed, and the results are what I
reported. This is where the additional question below becomes important
(since it gives how quickly the odds of being incorrect will fall).
>>What are the odds that a
>>random 512-bit composite will be detected as composite by MR in one round?
>>I don't think anyone has dependably answered that question, but the answer
>>is very different from 1-(probability that MR-* says it's a prime)^-k. Any
>>discussion needs to be more accurately phrased.
>
> You are looking for P( Comp Y_t | X), where Comp Z is the complementary
> event of Z. In our case, Comp Y_t is the event that Miller-Rabin(n,t)
> proves
> n to be composite. Is that what you are looking for?
Actually I'm not, the probability is a subtley different one and the key
different is in Y. Instead it is given random composite RC what is P(MR(RC,
k) | Comp X). This appears to me to be a complex probability based on the
size of the composite. But this is the core probability that governs the
probability of composites remaining in the set of numbers that pass MR-k.
Fortunately, while it is a core probability, it is not necessary for MRs
main usefulness. Performing log_2(N)/4 rounds of MR appears to be a solid
upper bound on the requirements, and as this is the probability given by
Koblitz, and the most common assumption on usage it is a functionable
substitute.
>>For example, my phrasing is that in the tests that I performed 50% (+/-
>>experimental noise) of those numbers that passed a single round of MR also
>>passed 128 rounds, leading me to conclude that 50% of the numbers that
>>passed a single round of MR are in fact prime. Since each number that
>>passed a single round was subjected to 127 additional rounds, a number of
>>additional statistics can be drawn, in particular that of those that
>>failed
>
>>at least one round none failed less than 40 rounds, and that few passed
>>less than 40 rounds. Due to the fact that this was only iterated 65536
>>times there is still substantial experimental error available. These
>>pieces
>>of information combined indicate that for 512-bits it is necessary to have
>>80 rounds of MR to verify a prime.
>
> I don't understand what you are trying to point out. If you chose your
> candidates uniformly at random, do the sieving before applying the
> Miller-Rabin tests, then for 512 bit number it is sufficient to apply 5
> rounds to get probability of error lower than (1/2)^80.
But that would be entirely insufficient to isolate MR, which is what I was
discussing. Including sieving does speed up the process enormously, but it
fails to discuss what the actual behaviors of MR alone are, a very critical
difference.
> You should take a look at Damgard & al's paper, they did a very good
> analysis.
And I'm saying that if you have accurately represented their analysis, their
analysis does not apply to MR itself, but on a combination of MR with other
techniques. As such it is not a valid analysis of MR alone.
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list