Strong pseudoprime

Let us say we want to investigate if n = 31697 is a probable prime (PRP). We pick base a = 3 and, inspired by Fermat's little theorem, calculate:

${\displaystyle 3^{31696}\equiv 1{\pmod {31697}}}$

This shows 31697 is a Fermat PRP (base 3), so we may suspect it is a prime. We now repeatedly halve the exponent:

${\displaystyle 3^{15848}\equiv 1{\pmod {31697}}}$

${\displaystyle 3^{7924}\equiv 1{\pmod {31697}}}$

${\displaystyle 3^{3962}\equiv 28419{\pmod {31697}}}$

The first couple of times do not yield anything interesting (the result was still 1 modulo 31697), but at exponent 3962 we see a result that is neither 1 nor −1 (i.e. 31696) modulo 31697, proving 31697 is composite, and therefore not a strong pseudoprime to base 3. Modulo a prime, the residue 1 can have no other square roots than +1 and −1, but if the modulus is composite, 1 can have square root +1 modulo some factors and −1 modulo others, leading to additional possibilities.

In cases like this, where a number is a Fermat pseudoprime but not a strong pseudoprime, this even gives us a factorization: 31697 = gcd(28419+1, 31697) × gcd(28419−1, 31697) = 29 × 1093.

For another example, pick n = 47197 and calculate in the same manner:

${\displaystyle 3^{47196}\equiv 1{\pmod {47197}}}$

${\displaystyle 3^{23598}\equiv 1{\pmod {47197}}}$

${\displaystyle 3^{11799}\equiv 1{\pmod {47197}}}$

In this case, the result continues to be +1 (mod 47197) until we reach an odd exponent. In this situation, we say that 47197 is a strong probable prime to base 3. Because it turns out this PRP is in fact composite (can be seen by picking other bases than 3), we have that 47197 is a strong pseudoprime to base 3.

Finally, consider n = 74593 where we get:

${\displaystyle 3^{74592}\equiv 1{\pmod {74593}}}$

${\displaystyle 3^{37296}\equiv 1{\pmod {74593}}}$

${\displaystyle 3^{18648}\equiv 74592\equiv -1{\pmod {74593}}}$

Here, we reach minus −1 modulo 74593, a situation that is perfectly possible with a prime. When this occurs, we stop the calculation (even though the exponent is not odd yet) and say that 74593 is a strong probable prime (and, as it turns out, a strong pseudoprime) to base 3.

An odd composite number n = d · 2^s + 1 where d is odd is called a strong (Fermat) pseudoprime to base a if:

${\displaystyle a^{d}\equiv 1{\pmod {n}}}$

or

${\displaystyle a^{d\cdot 2^{r}}\equiv -1{\pmod {n}}\quad {\mbox{ for some }}0\leq r<s.}$

(If a number n satisfies one of the above conditions and we don't yet know whether it is prime, it is more precise to refer to it as a strong probable prime to base a. But if we know that n is not prime, then we may use the term strong pseudoprime.)

The definition is trivially met if a ≡ ±1 (mod n) so these trivial bases are often excluded.

Guy mistakenly gives a definition with only the first condition, which is not satisfied by all primes.^[1]

A strong pseudoprime to base a is always an Euler–Jacobi pseudoprime, an Euler pseudoprime^[2] and a Fermat pseudoprime to that base, but not all Euler and Fermat pseudoprimes are strong pseudoprimes. Carmichael numbers may be strong pseudoprimes to some bases—for example, 561 is a strong pseudoprime to base 50—but not to all bases.

A composite number n is a strong pseudoprime to at most one quarter of all bases below n;^[3][4] thus, there are no "strong Carmichael numbers", numbers that are strong pseudoprimes to all bases. Thus given a random base, the probability that a number is a strong pseudoprime to that base is less than 1/4, forming the basis of the widely used Miller–Rabin primality test. The true probability of a failure is generally vastly smaller. Paul Erdős and Carl Pomerance showed in 1986 that if a random integer n passes the Miller–Rabin primality test to a random base b, then n is almost surely a prime.^[5] For example, of the first odd natural numbers less than 25×10⁹, there are 1,091,987,405 probable primes to base 2, but only 21,853 of them are pseudoprimes, and only 4,842 of those are strong pseudoprimes.^[6]

However, there are infinitely many strong pseudoprimes to any base,^[2] and there exist numbers which are strong pseudoprimes any desired set of bases. Arnault ^[7]: 157 gives a 397-digit Carmichael number that is a strong pseudoprime to every prime base less than 307.

One way to reduce the chance that such a number is wrongfully declared probably prime is to combine a strong probable prime test with a Lucas probable prime test, as in the Baillie–PSW primality test.

The first strong pseudoprimes to base 2 are

2047, 3277, 4033, 4681, 8321, 15841, 29341, 42799, 49141, 52633, 65281, 74665, 80581, 85489, 88357, 90751, ... (sequence A001262 in the OEIS).

The first to base 3 are

121, 703, 1891, 3281, 8401, 8911, 10585, 12403, 16531, 18721, 19345, 23521, 31621, 44287, 47197, 55969, 63139, 74593, 79003, 82513, 87913, 88573, 97567, ... (sequence A020229 in the OEIS).

The first to base 5 are

781, 1541, 5461, 5611, 7813, 13021, 14981, 15751, 24211, 25351, 29539, 38081, 40501, 44801, 53971, 79381, ... (sequence A020231 in the OEIS).

For base 4, see (sequence A020230 in the OEIS), and for bases 6 to 100, see (sequence A020232 in the OEIS) to (sequence A020326 in the OEIS). By testing the above conditions to several bases, one gets somewhat more powerful primality tests than by using one base alone. For example, there are only 13 numbers less than 25·10⁹ that are strong pseudoprimes to bases 2, 3, and 5 simultaneously;^{[2]: Table 7} the smallest such number is 25326001. This means that, if n is less than 25326001 and n is a strong probable prime to bases 2, 3, and 5, then n is prime.

Carrying this further, 3825123056546413051 is the smallest number that is a strong pseudoprime to the 9 bases 2, 3, 5, 7, 11, 13, 17, 19, and 23.^[8][9] So, if n is less than 3825123056546413051 and n is a strong probable prime to these 9 bases, then n is prime.

By judicious choice of bases that are not necessarily prime, even better tests can be constructed. For example, there is no composite ${\displaystyle <2^{64}}$ that is a strong pseudoprime to all of the seven bases 2, 325, 9375, 28178, 450775, 9780504, and 1795265022.^[10]

9, being the least odd composite number, is the least number which can be a pseudoprime, and shows up often because it is a strong pseudoprime to any base a ≡ ±1 (mod 9).