Overview

The Miller–Rabin primality test or Rabin–Miller primality test is a probabilistic primality test: an algorithm which determines whether a given number is likely to be prime, similar to the Fermat primality test and the Solovay–Strassen primality test.

It is of historical significance for the research of a polynomial-time deterministic primality test. Its probabilistic variant remains widely used in practice, as one of the simplest and fastest tests known.

Miller–Rabin test

The algorithm can be written in pseudocode as follows. The parameter k determines the accuracy of the test. The greater the number of rounds, the more accurate the result.

Complexity

Using repeated squaring, the running time of this algorithm is O(k log n), where n is the number tested for primality, and k is the number of rounds performed; thus this is an efficient, polynomial-time algorithm. FFT-based multiplication can push the running time down to O(k log n log log n log log log n) = Õ(k log n).

Accuracy

The error made by the primality test is measured by the probability for a composite number to be declared probably prime. The more bases a are tried, the better the accuracy of the test. It can be shown that if n is composite, then at most ⁄4 of the bases a are strong liars for n. As a consequence, if n is composite then running k iterations of the Miller–Rabin test will declare n probably prime with a probability at most 4 .

This is an improvement over the Solovay–Strassen test, whose worst‐case error bound is 2 . Moreover, the Miller–Rabin test is strictly stronger than the Solovay–Strassen test in the sense that for every composite n, the set of strong liars for n is a subset of the set of Euler liars for n, and for many n, the subset is proper.

In addition, for large values of n, the probability for a composite number to be declared probably prime is often significantly smaller than 4 . For instance, for most numbers n, this probability is bounded by 8 ; the proportion of numbers n which invalidate this upper bound vanishes as we consider larger values of n. Hence the average case has a much better accuracy than 4 , a fact which can be exploited for generating probable primes (see below). However, such improved error bounds should not be relied upon to verify primes whose probability distribution is not controlled, since a cryptographic adversary might send a carefully chosen pseudoprime in order to defeat the primality test. In such contexts, only the worst‐case error bound of 4 can be relied upon.

The above error measure is the probability for a composite number to be declared as a strong probable prime after k rounds of testing; in mathematical words, it is the conditional probability where P is the event that the number being tested is prime, and MRk is the event that it passes the Miller–Rabin test with k rounds. We are often interested instead in the inverse conditional probability : the probability that a number which has been declared as a strong probable prime is in fact composite. These two probabilities are related by Bayes' law:

In the last equation, we simplified the expression using the fact that all prime numbers are correctly reported as strong probable primes (the test has no false negative). By dropping the left part of the denominator, we derive a simple upper bound:

Hence this conditional probability is related not only to the error measure discussed above — which is bounded by 4  — but also to the probability distribution of the input number. In the general case, as said earlier, this distribution is controlled by a cryptographic adversary, thus unknown, so we cannot deduce much about . However, in the case when we use the Miller–Rabin test to generate primes (see below), the distribution is chosen by the generator itself, so we can exploit this result.