https://wiki.sarg.dev/index.php?action=history&feed=atom&title=Fermat_primality_testFermat primality test - Revision history2026-06-16T02:11:12ZRevision history for this page on the wikiMediaWiki 1.44.2https://wiki.sarg.dev/index.php?title=Fermat_primality_test&diff=114714&oldid=previmported>Artoria2e5: /* Corollaries */ ~2025-11-06T09:25:51Z<p><span class="autocomment">Corollaries: </span> ~</p>
<p><b>New page</b></p><div>{{Short description|Probabilistic primality test}}<br />
{{for|the test for determining whether a Fermat number is prime|Pépin's test}}<br />
The '''Fermat primality test''' is a [[randomized algorithm|probabilistic]] test to determine whether a number is a [[probable prime]].<br />
<br />
==Concept==<br />
[[Fermat's little theorem]] states that if ''p'' is prime and ''a'' is not divisible by ''p'', then<br />
<br />
:<math>a^{p-1} \equiv 1 \pmod{p}.</math><br />
<br />
If one wants to test whether ''p'' is prime, then we can pick random integers ''a'' not divisible by ''p'' and see whether the congruence holds. If it does not hold for a value of ''a'', then ''p'' is composite. This congruence is unlikely to hold for a random ''a'' if ''p'' is composite.<ref name="PSW">{{cite journal |author1 = Carl Pomerance |author-link1 = Carl Pomerance |author2 = John L. Selfridge |author-link2 = John L. Selfridge |author3 = Samuel S. Wagstaff, Jr. |author-link3 = Samuel S. Wagstaff, Jr. |title=The pseudoprimes to 25·10<sup>9</sup> |journal=Mathematics of Computation |date=July 1980 |volume=35 |issue=151 |pages=1003–1026 |url=//math.dartmouth.edu/~carlp/PDF/paper25.pdf |jstor=2006210 |doi=10.1090/S0025-5718-1980-0572872-7 |doi-access=free }}</ref> Therefore, if the equality does hold for one or more values of ''a'', then we say that ''p'' is [[probable prime|probably prime]].<br />
<br />
However, note that the above congruence holds trivially for <math>a \equiv 1 \pmod{p}</math>, because the congruence relation is [[Modular arithmetic#Basic properties|compatible with exponentiation]]. It also holds trivially for <math>a \equiv -1 \pmod{p}</math> if ''p'' is odd, for the same reason. That is why one usually chooses a random ''a'' in the interval <math>1 < a < p - 1</math>.<br />
<br />
Any ''a'' such that <br />
:<math>a^{n-1} \equiv 1 \pmod{n}</math><br />
when ''n'' is composite is known as a ''Fermat liar''. In this case ''n'' is called [[Fermat pseudoprime]] to base ''a''.<br />
<br />
If we do pick an ''a'' such that <br />
:<math>a^{n-1} \not\equiv 1 \pmod{n}</math><br />
then ''a'' is known as a ''Fermat witness'' for the compositeness of ''n''.<br />
<br />
== Example ==<br />
Suppose we wish to determine whether ''n''&nbsp;=&nbsp;221 is prime. Randomly pick 1 < ''a'' < 220, say ''a''&nbsp;=&nbsp;38. We check the above congruence and find that it holds:<br />
:<math>a^{n-1} = 38^{220} \equiv 1 \pmod{221}.</math><br />
Either 221 is prime, or 38 is a Fermat liar, so we take another ''a'', say 24:<br />
:<math>a^{n-1} = 24^{220} \equiv 81 \not\equiv 1 \pmod{221}.</math><br />
So 221 is composite and 38 was indeed a Fermat liar. Furthermore, 24 is a Fermat witness for the compositeness of 221.<br />
<br />
==Algorithm==<br />
The algorithm can be written as follows:<br />
:'''Inputs''': ''n'': a value to test for primality, ''n''>3; ''k'': a parameter that determines the number of times to test for primality<br />
:'''Output''': ''composite'' if ''n'' is composite, otherwise ''probably prime''<br />
:Repeat ''k'' times:<br />
::Pick ''a'' randomly in the range [2, ''n'' &minus; 2]<br />
::If <math>a^{n-1}\not\equiv1 \pmod n</math>, then return ''composite''<br />
:If composite is never returned: return ''probably prime''<br />
<br />
The ''a'' values 1 and ''n''&nbsp;−&nbsp;1 are not used as the equality holds for all ''n'' and all odd ''n'' respectively, hence testing them adds no value.<br />
<br />
=== Complexity ===<br />
<br />
Using fast algorithms for [[modular exponentiation]] and multiprecision multiplication, the running time of this algorithm is {{math|[[Big O notation|O]](''k'' log<sup>2</sup>''n'' log log ''n'') {{=}} [[Big O notation#Extensions to the Bachmann–Landau notations|Õ]](''k''&nbsp;log<sup>2</sup>''n'')}}, where ''k'' is the number of times we test a random ''a'', and ''n'' is the value we want to test for primality; see [[Miller–Rabin primality test#Complexity|Miller–Rabin primality test]] for details.<br />
<br />
==Flaw==<br />
There are infinitely many [[Fermat pseudoprime]]s to any given basis ''a'' > 1.{{r|PSW|p=Theorem 1}}<br />
Even worse, there are infinitely many [[Carmichael number]]s.<ref name="Alford1994">{{cite journal |last1=Alford |first1=W. R. |author-link=W. R. (Red) Alford |last2=Granville |first2=Andrew |author-link2=Andrew Granville |last3=Pomerance |first3=Carl |author-link3=Carl Pomerance |year=1994 |title=There are Infinitely Many Carmichael Numbers |journal=[[Annals of Mathematics]] |doi=10.2307/2118576 |volume=140 |issue=3 |pages=703–722 |url=http://www.math.dartmouth.edu/~carlp/PDF/paper95.pdf |jstor=2118576 }}</ref> These are numbers <math>n</math> for which <em>all</em> values of <math>a</math> with <math>\operatorname{gcd}(a, n) = 1</math> are Fermat liars. For these numbers, repeated application of the Fermat primality test performs the same as a simple random search for factors. While Carmichael numbers are substantially rarer than prime numbers (Erdős' upper bound for the number of Carmichael numbers<ref><br />
{{cite journal |author = Paul Erdős<br />
|date=1956 |title=On pseudoprimes and Carmichael numbers<br />
|journal=Publ. Math. Debrecen |volume=4 |pages=201–206|author-link=Paul Erdős|mr=0079031 }}</ref> is lower than the [[Prime number theorem|prime number function n/log(n)]]) there are enough of them that Fermat's primality test is not often used in the above form. Instead, other more powerful extensions of the Fermat test, such as [[Baillie–PSW primality test|Baillie–PSW]], [[Miller–Rabin primality test|Miller–Rabin]], and [[Solovay–Strassen primality test|Solovay–Strassen]] are more commonly used.<br />
<br />
In general, if <math>n</math> is a composite number that is not a Carmichael number, then at least half of all<br />
<br />
:<math>a\in(\mathbb{Z}/n\mathbb{Z})^*</math> (i.e. <math>\operatorname{gcd}(a,n)=1</math>)<br />
<br />
are Fermat witnesses. For proof of this, let <math>a</math> be a Fermat witness and <math>a_1</math>, <math>a_2</math>, ..., <math>a_s</math> be Fermat liars. Then<br />
<br />
:<math>(a\cdot a_i)^{n-1} \equiv a^{n-1}\cdot a_i^{n-1} \equiv a^{n-1} \not\equiv 1\pmod{n}</math><br />
<br />
and so all <math>a \cdot a_i</math> for <math>i = 1, 2, ..., s</math> are Fermat witnesses.<br />
<br />
== Corollaries ==<br />
Analogous to the [[Lucas–Lehmer residue]], <math>r = a^{n-1} \pmod{n}</math> is called the '''Fermet residue''' of ''n'' to base ''a''. There are a few variants that produce different types of residues,<ref name="primenet"/> most importantly the [[strong probable prime]] (SPRP) residue.<ref>{{cite web |title=The Prime Glossary: strong probable prime |url=https://t5k.org/glossary/page.php?sort=StrongPRP |website=t5k.org}}</ref><br />
<br />
=== Efficient exponentiation ===<br />
For Mersenne numbers (or more broadly, any <math>n = 2^p - 1</math>, ''p'' not necessarily a prime), it is more efficient to calculate <math>a^2r = a^{2^p} \pmod{n}</math> than to calculate <math>r</math> due to [[exponentiation by squaring]] preferring a low [[Hamming weight]] (number of ones) in the exponent. The desired ''r'' may be recovered by multiplying by the [[modular inverse]] of <math>a^2</math> mod ''n''. It can alternatively be recovered by finding a small multiplier ''u'' such that <math>\operatorname{lift}(a^2r) + un</math> is divisible by <math>a^2</math> in ordinary integer arithmetic, then <math>r = (\operatorname{lift}(a^2r) + un) / a^2</math>. This can proceed by trial and error, or by noticing that <math>u = \operatorname{modinv}(n, a^2)</math>.<ref>{{cite web |last1=Mayer |first1=Ernst |title=Mlucas.c |url=https://github.com/primesearch/Mlucas/blob/6144ed0dcccd3a68f48c6ba92718c0bb78a4ba5c/src/Mlucas.c#L639}}</ref><br />
<br />
=== Testing cofactors of ''n'' ===<br />
If the residue ''r'' for ''n'' to base ''a'' is known, then for any proper divisor ''k'' of ''n'', it is possible to perform a quick though weaker primality test on ''n''/''k''. If ''n''/''k'' is prime, by Fermat's theorem <math display=inline>a^{n/k} = a^k \pmod{n/k}</math> and <math display=inline>a^n = a^k \pmod{n/k}</math>. As a result <math display=inline>r = a^{k-1} \pmod{n/k}</math>, which can be much more efficiently checked for values of ''k'' much smaller than ''n''. (This is the method used by the [[Great Internet Mersenne Prime Search]] for testing cofactors.)<ref name="primenet">{{cite web |title=primenet.h |url=https://github.com/shafferjohn/Prime95/blob/6904c8d179103e77267219760b9ba7ea72325704/primenet.h#L262 |quote=There are (at least) 5 PRP residue types for testing N=(k*b^n+c)/d: (1) Fermat PRP. Calculate a^(N-1) mod N. PRP if result = 1. (2) SPRP variant. Calculate a^((N-1)/2) mod N. PRP if result = +/-1. (3) Type 1 variant,b=2,d=1. Calculate a^(N-c) mod N. PRP if result = a^-(c-1). (4) Type 2 variant,b=2,d=1. Calculate a^((N-c)/2) mod N. PRP if result = +/-a^-((c-1)/2). (5) Cofactor variant. Calculate a^(N*d-1) mod N*d. PRP if result = a^(d-1) mod N. }}</ref><br />
<br />
A even weaker form of the test can be conducted with a truncated <math>a^n \pmod{n} \pmod{2^t}</math> if storage space for the residue is a concern, so long as <math display=inline>d \leq 2^t</math> and <math>n > 2^t</math>. Let <math display=inline>s = a^k \pmod{n/k}</math>, then <math display=inline>r = s+wn/k</math> for some ''w''. Take this mod 2<sup>''t''</sup> and we have <math display=inline>w = (n/k)^{-1}(s-r) \pmod{2^t}</math>. ''n''/''k'' is composite if <math>w \geq d</math>. A similar test can be done on truncated Lucas–Lehmer residues.<ref>{{cite web |last1=Gerbicz |first1=Robert |title=Saving tons of PRP-C and (hypotetical) LL-C tests, a new method |url=https://www.mersenneforum.org/node/17770?t=23462 |website=www.mersenneforum.org |language=en |date=2018-06-22|url-access=registration}}</ref><br />
<br />
=== Path to being deterministic ===<br />
It is also true that if all bases ''a'' are systematically checked in the interval <math>[2,\sqrt{n}]</math>, each demonstrating congruence to 1, the test is effectively deterministic. We may say that ''n'' is definitely prime. At cursory glance one may assume that ''n'' exists in the union of both primes and Carmichael numbers for such a scenario, but if ''a''-values are systematically checked in the interval, one is bound to be a prime factor of a composite ''n'' at some point before <math>\sqrt{n}</math>, thus making ''a'' and ''n'' not coprime, and failing the congruence, even if ''n'' is indeed a Carmichael number. Carmichael numbers do fail Fermat's congruence to 1 if the base used is not coprime. Though this is more computationally expensive than brute force divisibility checking (trial division), it is of theoretical value.<br />
<br />
==Applications==<br />
<br />
As mentioned above, most applications use a [[Miller–Rabin primality test|Miller–Rabin]] or [[Baillie–PSW primality test|Baillie–PSW]] test for primality. Sometimes a Fermat test (along with some trial division by small primes) is performed first to improve performance. [[GNU Multiple Precision Arithmetic Library|GMP]] since version 3.0 uses a base-210 Fermat test after trial division and before running Miller–Rabin tests. [[Libgcrypt]] uses a similar process with base 2 for the Fermat test, but [[OpenSSL]] does not.<br />
<br />
In practice with most big number libraries such as GMP, the Fermat test is not noticeably faster than a Miller–Rabin test, and can be slower for many inputs.<ref>{{citation|author=Joe Hurd|date=2003|title=Verification of the Miller–Rabin Probabilistic Primality Test|page=2|citeseerx=10.1.1.105.3196}}</ref><br />
<br />
As an exception, OpenPFGW uses only the Fermat test for probable prime testing. The program is typically used with multi-thousand digit inputs with a goal of maximum speed with very large inputs. Another well known program that relies only on the Fermat test is [[Pretty Good Privacy|PGP]] where it is only used for testing of self-generated large random values (an open source counterpart, [[GNU Privacy Guard]], uses a Fermat pretest followed by Miller–Rabin tests).<br />
<br />
=== Prime number search projects ===<br />
Internet [[volunteer computing]] projects such as [[Great Internet Mersenne Prime Search]] (GIMPS) and [[PrimeGrid]] use the Fermat primality test because there is an efficient proof scheme (Gerbicz-Li) for modular exponentiation. Selected intermediate results, combined with a [[verifiable delay function]], are used to generate a "[[Primality certificate|proof]]" file for verifying the authenticity and correctness of the computation, protecting against both hardware error and malicious actors. This proof is hard to forge given a low order assumption. The original form of the verification (Gerbicz-Pietrzak) only worked with ''n'' being derivable from powers of 2, such as in the case of Mersenne primes, Mersenne cofactors, and Proth primes; Li's modification generalizes it to any ''n''.<ref>{{cite web |author1=Darren Li|author2=Yves Gallot|title=An Efficient Modular Exponentiation Proof Scheme |url=https://arxiv.org/abs/2209.15623 |website=arXiv |date=8 Feb 2023}}</ref><br />
<br />
The GIMPS in particular tests Mersenne primes and Mersenne cofactors. The default is to use ''a'' = 3 as all Mersenne numbers would pass the test with ''a'' = 2.<br />
<br />
==References==<br />
{{reflist}}<br />
* {{cite book |author1=[[Thomas H. Cormen]]|author2=[[Charles E. Leiserson]]|author3= [[Ronald L. Rivest]]|author4= [[Clifford Stein]] |title=Introduction to Algorithms |edition=Second |publisher=MIT Press; McGraw-Hill |year=2001 |isbn=0-262-03293-7 |page=889&ndash;890 |chapter=Section 31.8: Primality testing|title-link=Introduction to Algorithms }}<br />
<br />
<br />
{{Pierre de Fermat}}<br />
{{number theoretic algorithms}}<br />
<br />
[[Category:Primality tests]]<br />
[[Category:Modular arithmetic]]</div>imported>Artoria2e5