Bad witnesses for a composite number

We describe the average sizes of the set of bad witnesses for a pseudo-primality test which is the product of a multiple-rounds Miller-Rabin test by the Galois test.


INTRODUCTION
One of the simplest questions we have in mind, when handling a large number, is to know whether this number is prime or composite.There are of course several methods allowing to decide primality.The most important algorithms are divided into two subfamilies: primality tests and pseudo-primality tests.We refer to [4,Chapters 8 and 9], [8] and [13]] for surveys on known algorithms, from oldest to most recent.Actually, we are talking about a very long-standing mathematical problem which was already addressed by Euclid's Elements.Closer to our time, the Fermat's little theorem gives rise to a pseudoprimality test which studies the primality of an odd integer n by checking the congruence x n−1 ≡ 1 (mod n) whenever an integer x relatively prime to n is randomly chosen.If the congruence is false, then n is obviously composite.When the congruence is true, one can only conclude that n is probably prime.Indeed, Carmichael numbers are composite numbers for which the previous congruence is true for any x.However, Alford, Granville and Pomerance proved in [1] that there are infinitely many Carmichael numbers.This compromises the reliability of the Fermat test.The most commonly used algorithm in practice for prime detection is the Miller-Rabin pseudo-primality test.This algorithm is an improvement of the Fermat test resulting from the work by Artjuhov [2], Miller [10] and Rabin [12].Setting n − 1 = 2 k m with m odd, we say that n passes a Miller-Rabin test if one of the congruences (1) x m ≡ 1 (mod n), or x 2 i m ≡ −1 (mod n) for some i < k holds with an integer x relatively prime to n chosen randomly.Such an x is a witness of the pseudoprimality of n with respect to the Miller-Rabin test.One says that x is a bad witness if it satisfies one of the above congruences while n is in fact composite.The density of bad witnesses is an important characteristic for a pseudo-primality test as it measures the reliability of this test.It is proved [13, Proof of theorem 2.1] that the Miller-Rabin test is very effective in the case when n has many prime divisors.A pseudo-primality test called the Galois test which is efficient when the integer to be tested has only very few prime divisors has been constructed in [5].At the end of that paper, the authors deduced a stronger pseudo-primality test which is the product of a multiple-rounds Miller-Rabin test (i.e running several Miller-Rabin tests at the same time) by a Galois test.This product test takes advantages of strengths of each of its components, especially in the extreme cases when the integer to be tested has either many or very few prime divisors.However, nothing is known yet about the average case analysis.A first step 1 in this direction has been made by Erdös and Pomerance in [7], they focused on the special case of a one-round Miller-Rabin test.The present paper describes the average sizes of the set Str(n) of bad witnesses of an odd number n with respect to the stronger test proposed in [5].We start by studying the set Gal(n) of bad witnesses for the Galois test in Section 2. We recall some well known results concerning Gal(n) in 2.1.Then, we focus on the arithmetic and geometric mean values of its cardinality denoted by Gal(n) in Subsections 2.2 and 2.3.Section 3 is devoted to the stronger test.We first describe the average numbers of bad witnesses for a multiple-rounds Miller-Rabin test.And then, we specify the case of the stronger test.
Acknowledgments.This study has been carried out with financial support from the French State, managed by CNRS in the frame of the Dispositif de Soutien aux Collaborations avec l'Afrique subsaharienne (via the REDGATE Project and the IRN AFRIMath).The first two authors were supported by Simons Foundation via the PREMA project.The first author is grateful to EMS-Simons for Africa for their support to his PhD education.

BAD WITNESSES OF THE GALOIS TEST
In this section, we compute functions that bound from above and from below the arithmetic mean of the number of bad witnesses for the Galois test, we also specify its geometric mean.We start by recalling some known results.
2.1.Preliminaries.Let n ≥ 3 be an odd integer to be tested, and n = p vp n p vp its prime factorization.Let S be a d-dimensional cyclic extension of R := Z/nZ with Galois group generated by σ.As a ring S is isomorphic to p|n S p , where S p := S/p vp S. Fixing a prime factor p of n, we set L p := S p /pS p and K := R/pR.It is known [5,Section 2] that S is a free R[σ]-module of rank 1.We denote by (σ i (ω)) 0≤i≤d−1 a normal basis of S over R. The ring L p has only a finite number of prime ideals, say p 1 , . . ., p m .The residue fields L p /p i for i = 1, . . ., m are all isomorphic to F p f , the finite field with f elements, where of course d = f m.In particular, the ring L p is isomorphic to p|n F p f .So, the more composite d is the more possibilities for the pair (m, f ) = (m, d/m).The R-automorphism σ : S −→ S induces a K-automorphism of L p .There is an integer z coprime to m such that We denote by t ∈ 1, f − 1 the inverse of z modulo f (if f = 1, we have z = t = 0).Note that the integers f, m and t depend on the prime p.For a fixed dimension d, there are only finitely many possibilities for (m, f, t), and every prime gets some such possibility assigned to it (these possibilities might not all be the same they may vary with the primes).
Assume that σ(ω) = ω n .Then n passes successfully a Galois test of dimension d if by choosing randomly a nonzero element x in S, we have that x is invertible and Let Gal(n) be the set of invertible elements in S × which are solutions of Equation (2).We denote by Gal(n) its cardinality.It is proved [5, Section 1 and Section 2] that (3) Note that the latter quantity counts the number of elements x in the group of invertible elements of the ring p|n Since these elements form a subgroup, there exists some positive integer k such that (4) Set L(x) = exp log x log log log x log log x for all large x.The lemma below is very useful.
Lemma 1.Given a positive integer k, the number of composite numbers n ≤ x having a prime divisor p > kL(x) and such that (1) .
Proof.Indeed, equation (4) implies that p|n (p f − 1) divides k(n d − 1).So, Set D := (p − 1)/ gcd(k, p − 1).Since p is fixed and so is k, the number D is fixed.We need to count the n ≤ x divisible by p such that n d − 1 is divisible by D. Write D = q u D q u .Then the number of solutions y to the congruence where for a prime power q j , ρ(q j ) denotes the number of solutions y modulo q j of the congruence y d −1 ≡ 0 (mod q) j .Therefore, the number of n ≤ x divisible by p such that n d − 1 is divisible by D is bounded from above by C d d ω (D) , where C d depends only on d.This upper bound is obvious for q > d, since y d − 1 ≡ 0 (mod q) has then at most d solutions modulo q which by Hensel's lemma are each extendible in a unique way to a solution x modulo q j for every j ≥ 1.The constant term C d obviously equals 1 in this case.A nontrivial C d appears when dealing with moduli which are small prime powers of primes dividing d.Since (1) , the number of such progressions is L(x) o (1) .Let us count the n ≤ x in a fixed progression.We take and we count the number of n ≤ x such that n ≡ x 0 (mod D).Since n ≡ 0 (mod p) and (p, D) = 1 (since D | p − 1), we get that this puts n into some progression n ≡ x ′ 0 (mod pD).The number of such n ≤ x is , .
It remains to count the 1's in equation (5).These are the initial terms x ′ 0 of the solutions modulo Dp, namely the smallest positive integer n ≤ x such that n ≡ x 0 (mod D) and n ≡ 0 (mod p).Write Let us make a parenthesis and take a closer look at as x → ∞.Assume now that k 1 | k is fixed and let us count primes p ≤ x such that gcd(p − 1, k) = k 1 .Then p ≡ 1 (mod k 1 ).We bound the number of such primes p ≤ x trivially ≤ x/k 1 ≤ x/L(x).Given p, D is a divisor of p − 1, so D can have at most τ (p − 1) = L(x) o (1) possibilities.Thus, for fixed k 1 , there are x/L(x) 1+o (1) possibilities for the pair (p, D).Summing up over the L(x) o (1) possible values of k 1 (divisors of k larger than L(x)), we get a count of x/L(x) 1+o (1) for the number of such pairs (p, D).
Next, we assume that k 1 < L(x).Then 1) , showing that p ≤ x d/(d+1)+o (1) .Given p, D is determined in at most τ (p−1) = L(x) o (1) ways, so the modulus Dp is determined in at most x d/(d+1)+o (1)  ways.Thus, the number of starting points x 0 (mod D) is also determined in at most L(x) o (1) ways.So, the number of 1's in this last case is in fact much smaller namely at most for large x.This concludes the proof of the lemma.

Average order of Gal(n).
Here, we study the arithmetic mean of the number of bad witnesses of the Galois test.We first compute a function which bounds it from below.In what follows ′ denotes a sum over composite numbers.
Theorem 1.For all large x, Proof.Let M (x) denote the least common multiple of the integers up to x.For any y, let ([6] or [11]) that there is a real number α > 1 such that (1) for all 0 < α ′ < α}.From [3], we have β > 23/8.Let L denote an upper bound for Linnik's constant, so that given positive integers a, m with gcd(a, m) = 1 and m > 1, then there is a prime p ≡ a (mod m) with p < m L .Let α be such that 1 < α < β and 0 < ǫ < α − 1 arbitrarily small.We set Let S denote the set of integers composed of exactly k = [log(x/M L )/ log(log α x)] distinct primes in P. Thus, if s ∈ S, then (6) x 1−ǫ < s < x/M L .Let S ′ be the set of products sq, where s ∈ S and q is the least prime such that sq ≡ 1 (mod M ).It is shown ( [7], Proof of Theorem 2.1) that (7) sq ≤ x, and #S ′ ≥ x (α−1)α −1 +o (1) .
Since ε > 0 is arbitrarily small and α is arbitrarily close to β, we have Hence, We now compute a function which bounds from above the number of bad witnesses of the Galois test. (1).
Proof.We saw in Subsection 2.1 that Gal(n) divides D(n).Therefore, it suffices to show that (1) .
For every integer k ≥ 1, we let C k (x) be the set of composite numbers n ≤ x such that Therefore, we have to show that (1) for k ≤ L(x).There are three cases to be considered: (i) n < x/L(x), (ii) n is divisible by some prime p > kL(x), (iii) n ≥ x/L(x) and every prime divisor of n is at most kL(x).Situation (i) is trivial.Situation (ii) is taken care of by Lemma 1. Situation (iii) implies that n has a divisor n 1 satisfying .
By (4), we know that the exponent λ S (n) of the group p|n F * p f divides k(n d − 1).We would like to follow the proof of case (iii) of Theorem 2.2 in [7], but there are additional complications due to the possible prime factors of n which might appear to powers larger than 1 in the factorization of n.So, we write n 1 = ab, where a is squarefree and b is squarefull.We may assume that b we get that the set of such n is of cardinality irregardless of the value of k.So, assuming b ≤ L(x) 2 , we get that (10) x kL(x) 4 We fix a squarefree a, a squarefull b coprime to a and smaller than L(x) 2  1.
Here, for a fixed b, the star on the inner summation indicates that the summation is over the squarefree a's satisfying (10).The second sum is the number of positive integers up to x/L(x) so it is O(x/L(x)).The first inner sum is for fixed b estimated as on the bottom of page 283 and top of page 284 in [7].For a fixed b it ends up being x(log x) 2 bL(x/(kL(x) 2 b) 2 (1+o(1)) log x/ log 2 x .

Geometric mean value of Gal(n). Theorem 3.1 in
The result there is that where Λ(n) denotes the von Mangoldt's function and ϕ(n) denotes the Euler's ϕ-function.Since it follows that the geometric mean value of Gal(n) is at least as large as the geometric mean value of F (n).
Since m, t depend on the prime p, it seems hard to find an asymptotic for the geometric mean of Gal(n).However, since Gal(n) divides it follows that the geometric mean of Gal(n) is at most as large as the geometric mean of H(n).Concerning this last one we have the following result.
Theorem 3. The estimate holds with In the above, λ(s) is the Carmichael function of s, and a for a prime power s and denotes the number of elements in (Z/sZ) * of order exactly d 1 .Note that when s is a prime power we have f (s, One may ask how big is c 3 (d)?Well since s ≍ φ(s) ≍ λ(s) and f (s, d 1 ) ≍ d 1 when s is a prime power, it follows that for a fixed d 1 , showing that In particular, c 3 = d o (1) as d → ∞.
Proof.We have In the above, we wrote the condition p | n, n ≤ x as n = pℓ ≤ x, so ℓ ≤ x/p.We first deal with large values of s.Let S 1 be the sum corresponding to s = q λ , where q ≥ x.Firstly, λ ≤ d.Secondly, if such q appears then q | p d − 1 for some p ≤ x.Further, since p ≤ x and q > x, it follows that the above congruence has only at most d solutions p altogether.Thus, for each such s, there are at most d occurrences of p such that p d ≡ 1 (mod s), and the same goes for the ℓ's.For each such q let s q be the maximal power of q for which s q appears in S 1 .Then the product of s q 's divides where the last equality follows from the Prime Number Theorem.Thus, where ′ means that we are only summing over the q's that appear in S 1 .Since the exponents of such q in s q is at most d (so there are at most d values of s dividing s q appearing in S 1 ) and since for each such s there are at most d 2 pairs (p, ℓ) such that p d ≡ ℓ d ≡ 1 (mod s), we get that From now on, we look at s = q λ but q < x.Let S 2 be the sum corresponding to s = q λ ≥ x.The equation p d ≡ 1 (mod s) has O(d) solutions and the same is true for the equation ℓ d ≡ 1 (mod s).Thus, given s, there are at most we have λ ∈ (log x/ log q, d log x/ log q].Thus, there are O(d log x/ log q) possibilities for the exponent λ in s once q is fixed.Hence, From now on, we may assume that s ≤ x.We now look at the condition p d ≡ 1 (mod s).But we also have p λ(s) ≡ 1 (mod s), where λ(s) is the Carmichael function of s.Thus, p gcd(d,λ(s)) ≡ 1 (mod s).This suggests putting d 1 = gcd(d, λ(s)) and studying p d 1 ≡ 1 (mod s).The unit group modulo s is cyclic for primes powers s except when s = 2 a with a ≥ 3, in which case it is isomorphic Z/2Z × Z/2 a−2 Z.It thus follows that the number of residue classes modulo s say y such that like in the statement of the theorem and let these residues be y i (s, d 1 ) for i = 1, . . ., f (s, d 1 ).We then have that p d ≡ 1 (mod s) forces p ≡ y i (s, d 1 ) (mod s) for some i = 1, . . ., f (s, d 1 ).For each such p ≤ x, the equation ℓ d ≡ 1 (mod s) also has exactly f (s, d 1 ) solutions ℓ modulo s and since ℓ ≤ x/p, the number of such solutions is When ps > x, the first term in integer part is not present.We remove integer parts and include the fractional parts into the O(1) terms so the remaining sum is now where S 3 is the sum involving the terms x/ps and S 4 is the sum involving the 1's.For S 4 , since ps > x, each class y i (s, d 1 ) contains at most one such prime p. So, It remains to deal with S 3 .For this we proceed as in [7] and split into S 3,1 and S 3,2 with S 3,1 being the sum over small s (say s ≤ (log x) 2 ) and S 3,2 being the sum over large s (say s > (log x) 2 ).As in that proof, using results of Norton and Pomerance, we get that for (13) p≤x p≡y i (s,d 1 ) (mod s) .
The inner sum inside the O over the s is convergent so that sum is O(d 2 x).The remaining sum is In the error terms, the first one is O(d 2 x/ log x) = o(d 2 x) as x → ∞ and the second one is O(d 2 log 2 x/(log x) 2 ) = o(d 2 x).Finally, note that the first term above is just c 3 x log 2 x.This finishes the proof.

BAD WITNESSES OF THE STRONGER TEST
The authors of [5] described the needed formalism concerning the product of pseudo-primality tests.In this section, we study the average sizes of the set of bad witnesses for a pseudo-primality test which is the product of several Miller-Rabin tests by the Galois test.
3.1.Preliminaries.Let n > 2 be an odd composite integer such that n − 1 = 2 k m with m odd.Let and be the sets of bad witnesses for the Fermat test and the Miller-Rabin test respectively.Then MR(n) is a subset of F(n), and the later is a subgroup of the group of units in Z/nZ.Note that #F(n) = F (n), where F (n) is given in equation (11).Set #MR(n) = MR(n).Let v p (n) be the exponent on p in the prime factorization of n.For a positive integer k we let k ′ := (k − 1)/2 ν 2 (k−1) denote the largest odd divisor of k − 1.For example, n ′ = m.We set It is shown ( [7], proof of Theorem 5.2) that  (1) .Given a positive integer r ≥ 2, we denote by F r (n) and MR r (n) the number of bad witnesses of the product of r Fermat tests and the product of r Miller-Rabin tests respectively.So 1) .
Since ε > 0 is arbitrarily small and α is arbitrarily close to β, we have On the other hand, let C k (x) denote the set of composite number n ≤ x such that It is shown ( [7], proof of Theorem 2.2) that C k (x) ≤ xL(x) −1+o (1) uniformly for k ≤ L(x), as x → ∞.Further, On the other hand, the geometric mean of Str(n) is at most as large as the geometric mean of MR r (n)× x because Gal(n) divides H(n).By Theorem 3 and Theorem 5, we have that 1<n≤x MR r (n)× x is of order ≍ d (log x) r(c 1 − 2 log 2 3 )+2c3 , where the constant implied by the above sign are of size e O(d 4 ) .