
In mpz_nextprime(), after some sieving with small primes, an MR test function is called, with the number of trials set to 25 (https://github.com/alisw/GMP/blob/master/mpz/nextprime.c#L118):

      if (mpz_millerrabin (p, 25))
        goto done;

But then in mpz_millerrabin(), for large enough candidates (candidates bigger than $31\times2^{46}$), the number of trials is suddenly reduced to 1 (https://github.com/alisw/GMP/blob/master/mpz/millerrabin.c#L142):

      reps -= 24;

with no explanations.

As a result, for large candidates only three tests are run:

  • MR with base 2
  • Lucas
  • MR with random base

But the comment at the top of the millerrabin.c says that "Knuth indicates that 25 passes are reasonable." What is the reason the number of trials is unconditionally slashed this way?

Daniel S
fjarri

3 Answers

The Baillie-PSW test is being used in place of 24 Miller-Rabin tests. This is not unreasonable for large numbers when the cost of Miller-Rabin testing can become burdensome and also helps to prevent adversarial prime generation when the random base selection is poor.

It is an open question as to whether a Baillie-PSW pseudoprime exists or not. It is known that none exist up to certain bounds ($2^{64}$ has certainly been checked, but may have been surpassed). The problem has a certain notoriety among the computational number theory community.

It is argued that as there may be a lack of independence in failing Miller-Rabin tests, mixing Miller-Rabin and Lucas tests may be more effective. For example, pseudoprimes have been constructed that pass Miller-Rabin for all bases up to 307 and implementations that used fixed bases for Miller-Rabin tests have often had bespoke pseudoprimes constructed in order to show the limitations of this approach.

The change may have been motivated by the 2018 Prime and Prejudice paper by Albrecht et al which recommends the use of the Baillie-PSW test to counteract adversarial prime generation. In particular they construct a 1024-bit "GMP pseudoprime" that is a composite that tests as prime when GMP is instantiated with the PRNG in a static state.

Daniel S

The article, "Strengthening the Baillie-PSW primality test" referred to above, suggests adding a third test to the standard BPSW (MR test base 2 combined with Lucas).

But there's a third congruence that is true for primes, and rarely true for composite $N$: $V_{N+1} \equiv 2Q \pmod N$. A composite that satisfies this congruence is called a $V$-pseudoprime.

Up to 1E15, there are about 2 million base-2 psp's, and about 2 million Lucas pseudoprimes (and no overlap between these two sets).

However, there are only five $V$-pseudoprimes up to 1E15. None of these is either a base-2 psp or a Lucas pseudoprime.

Therefore, we recommended that a primality test include a check on the value of $V_{N+1}$. The $V$'s are typically computed along with the $U$'s, so almost no additional computation would be required.

Daniel S
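A runnable version of the combined test the answers above describe, added here as an example and not GMP's own code: Miller-Rabin to base 2, the Lucas test with Selfridge's method A parameters ($P = 1$, $Q = (1-D)/4$), and the extra $V_{N+1} \equiv 2Q \pmod N$ congruence from the second answer. The function names and the small-prime table are my own choices; `lucas_checks` reports the $U$ and $V$ results separately so the two failure modes can be told apart.

```python
import math
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)  # my own trial-division table

def is_strong_prp(n, a):   # Miller-Rabin (strong probable prime) test for odd n > 2
    d, s = n - 1, 0
    while d % 2 == 0:      # write n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    return any((x := x * x % n) == n - 1 for _ in range(s - 1))

def jacobi(a, n):          # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:  # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a        # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def lucas_uv_mod(P, Q, D, k, n):   # (U_k, V_k) mod n for Lucas sequences with D = P^2 - 4Q
    half = lambda x: (x + n) // 2 if x % 2 else x // 2   # halving modulo odd n
    U, V, Qk = 1, P % n, Q % n                          # index k = 1
    for bit in bin(k)[3:]:                               # remaining bits of k, MSB first
        U, V, Qk = U * V % n, (V * V - 2 * Qk) % n, Qk * Qk % n   # k -> 2k
        if bit == "1":                                    # k -> k + 1
            U, V, Qk = half((P * U + V) % n), half((D * U + P * V) % n), Qk * Q % n
    return U, V

def lucas_checks(n):   # (U_{n+1} == 0, V_{n+1} == 2Q) mod n, Selfridge method A parameters
    if math.isqrt(n) ** 2 == n:          # a square has no D with (D/n) = -1
        return False, False
    D = 5                                # try 5, -7, 9, -11, ... until (D/n) = -1
    while (j := jacobi(D, n)) != -1:
        if j == 0 and abs(D) != n:       # D shares a factor with n: composite
            return False, False
        D = -D - 2 if D > 0 else -D + 2
    P, Q = 1, (1 - D) // 4
    U, V = lucas_uv_mod(P, Q, D, n + 1, n)
    return U == 0, V == 2 * Q % n

def is_bpsw_prime(n):   # Baillie-PSW (MR base 2 + Lucas) strengthened with the V check
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    return all((is_strong_prp(n, 2),) + lucas_checks(n))
```

For the Lucas pseudoprime $323 = 17 \cdot 19$, `lucas_checks(323)` returns `(True, False)`: the $U$ test passes but the $V$ congruence does not, while $2047 = 23 \cdot 89$ passes `is_strong_prp(2047, 2)` and fails both Lucas checks.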

Further thoughts: Doing dozens of MR tests (that is, strong Fermat tests) may not be the way to go.

  1. It takes roughly 4 times as long to do a BPSW test (Fermat + Lucas) as to do a Fermat test. It is not clear that the additional time needed to do one or two dozen Fermat tests produces more trustworthy results than BPSW.

  2. Most importantly: Fermat tests to different bases are not independent. The Pomerance/Selfridge/Wagstaff paper, "The Pseudoprimes to $25 \cdot 10^9$", has data to back this up. For example, Table 6 shows that there are 21853 psp(2) below $25 \cdot 10^9$, but that 4709 of these (21%) are also psp(3).

    The Baillie/Wagstaff paper Lucas Pseudoprimes, explains why: If N is a pseudoprime to some base a, this is probably because N is one of those few numbers that is pseudoprime to many bases. Therefore, N is more likely than most numbers of that size to be pseudoprime to another base, b. Theorem 1 in that paper gives a formula for the number of such bases mod N. For example, N = 341 is psp(2), but it is also psp to 99 other bases between 2 and N - 2.

By contrast, there are hints that Fermat and Lucas tests are independent. For example, Fermat and Lucas psp's tend (with exceptions, of course) to fall into residue classes +1 and -1 (mod m) for small m.

fgrieu