# Fingerprinting

Both the Freivald's algorithm for checking matrix multiplication and Schwartz-Zippel theorem for testing polynomial identity learnt in the previous lecture can be abstracted as the following procedure:

 Fingerprinting Suppose we want to compare two items ${\displaystyle Z_{1}}$ and ${\displaystyle Z_{2}}$. Instead of comparing them directly, we compute random fingerprints ${\displaystyle \mathrm {FING} (Z_{1})}$ and ${\displaystyle \mathrm {FING} (Z_{2})}$ of them and compare the fingerprints. The fingerprints has the following properties: ${\displaystyle \mathrm {FING} (\cdot )}$ is a function, so if ${\displaystyle Z_{1}=Z_{2}}$ then ${\displaystyle \mathrm {FING} (Z_{1})=\mathrm {FING} (Z_{2})}$. If ${\displaystyle Z_{1}\neq Z_{2}}$ then ${\displaystyle \Pr[\mathrm {FING} (Z_{1})=\mathrm {FING} (Z_{2})]}$ is small. It is much easier to compute and compare the fingerprints than to compare ${\displaystyle Z_{1}}$ and ${\displaystyle Z_{2}}$ directly.

In Freivald's algorithm, the items to compare are two ${\displaystyle n\times n}$ matrices ${\displaystyle AB}$ and ${\displaystyle C}$, and given an ${\displaystyle n\times n}$ matrix ${\displaystyle M}$, its random fingerprint is computed as ${\displaystyle \mathrm {FING} (M)=Mr}$ for a uniformly random ${\displaystyle r\in \{0,1\}^{n}}$.

In Schwartz-Zippel theorem, the items to compare are two polynomials ${\displaystyle P_{1}(x_{1},\ldots ,x_{n})}$ and ${\displaystyle P_{2}(x_{1},\ldots ,x_{n})}$, and given a polynomial ${\displaystyle Q(x_{1},\ldots ,x_{n})}$, its random fingerprint is computed as ${\displaystyle \mathrm {FING} (Q)=Q(r_{1},\ldots ,r_{n})}$ for ${\displaystyle r_{i}}$ chosen independently and uniformly at random from some fixed set ${\displaystyle S}$.

For different problems, we may have different definitions of ${\displaystyle \mathrm {FING} (\cdot )}$.

## Communication complexity revisited

Now consider again the communication model where the two players Alice with a private input ${\displaystyle x\in \{0,1\}^{n}}$ and Bob with a private input ${\displaystyle y\in \{0,1\}^{n}}$ together compute a function ${\displaystyle f(x,y)}$ by running a communication protocol.

We still consider the communication protocols for the equality function EQ

${\displaystyle \mathrm {EQ} (x,y)={\begin{cases}1&{\mbox{if }}x=y,\\0&{\mbox{otherwise.}}\end{cases}}}$

With the language of fingerprinting, this communication problem can be solved by the following generic scheme:

 A protocol for EQ by fingerprinting Alice does: choose a random fingerprint function ${\displaystyle \mathrm {FING} (\cdot )}$ and compute the fingerprint ${\displaystyle \mathrm {FING} (x)}$ of her input ${\displaystyle x}$; send the description of ${\displaystyle \mathrm {FING} (\cdot )}$ and the value of ${\displaystyle \mathrm {FING} (x)}$ to Bob; Upon receiving ${\displaystyle \mathrm {FING} (\cdot )}$ and ${\displaystyle \mathrm {FING} (x)}$, Bob does: check whether ${\displaystyle \mathrm {FING} (x)=\mathrm {FING} (y)}$.

The communication cost and the accuracy of this randomized protocol are guaranteed by the performance of the fingerprint function ${\displaystyle \mathrm {FING} (\cdot )}$:

1. A random ${\displaystyle \mathrm {FING} (\cdot )}$ can be described succinctly.
2. The range of ${\displaystyle \mathrm {FING} (\cdot )}$ is small, so the fingerprints are succinct.
3. If ${\displaystyle x\neq y}$, the probability ${\displaystyle \Pr[\mathrm {FING} (x)=\mathrm {FING} (y)]}$ is small.

In above application of single-variate PIT, we know that ${\displaystyle \mathrm {FING} (x)=\sum _{i=1}^{n}x_{i}r^{i}}$, where ${\displaystyle r}$ is a random element from a finite field and the additions and multiplications are defined over the finite field, is a good fingerprint function. Now we introduce another fingerprint and hence a new communication protocol.

The new fingerprint function we design is as follows: by treating the input string ${\displaystyle x\in \{0,1\}^{n}}$ as the binary representation of a number from ${\displaystyle [2^{n}]}$, let ${\displaystyle \mathrm {FING} (x)=x{\bmod {p}}}$ for some random prime ${\displaystyle p}$. The prime ${\displaystyle p}$ can uniquely specify a random fingerprint function ${\displaystyle \mathrm {FING} (\cdot )}$, thus can be used as a description of the function, and also the range of the fingerprints is ${\displaystyle [p]}$, thus we want the prime ${\displaystyle p}$ to be reasonably small, but still has a good chance to distinguish different ${\displaystyle x}$ and ${\displaystyle y}$ after modulo ${\displaystyle p}$.

 A randomized protocol for EQ Alice does: for some parameter ${\displaystyle k}$ (to be specified), choose uniformly at random a prime ${\displaystyle p\in [k]}$; send ${\displaystyle p}$ and ${\displaystyle x{\bmod {p}}}$ to Bob; Upon receiving ${\displaystyle p}$ and ${\displaystyle x{\bmod {p}}}$, Bob does: check whether ${\displaystyle x{\bmod {p}}=y{\bmod {p}}}$.

The number of bits to be communicated is ${\displaystyle O(\log k)}$. We then bound the probability of error ${\displaystyle \Pr[x{\bmod {p}}=y{\bmod {p}}]}$ for ${\displaystyle x\neq y}$, in terms of ${\displaystyle k}$.

Suppose without loss of generality ${\displaystyle x>y}$. Let ${\displaystyle z=x-y}$. Then ${\displaystyle z<2^{n}}$ since ${\displaystyle x,y\in [2^{n}]}$, and ${\displaystyle z\neq 0}$ for ${\displaystyle x\neq y}$. It holds that ${\displaystyle x{\bmod {p}}=y{\bmod {p}}}$ if and only if ${\displaystyle z}$ is dividable by ${\displaystyle p}$. Note that ${\displaystyle z<2^{n}}$ since ${\displaystyle x,y\in [2^{n}]}$. We only need to bound the probability

${\displaystyle \Pr[z{\bmod {p}}=0]}$ for ${\displaystyle 0, where ${\displaystyle p}$ is a random prime chosen from ${\displaystyle [k]}$.

The probability ${\displaystyle \Pr[z{\bmod {p}}=0]}$ is computed directly as

${\displaystyle \Pr[z{\bmod {p}}=0]\leq {\frac {{\mbox{the number of prime divisors of }}z}{{\mbox{the number of primes in }}[k]}}}$.

For the numerator, we have the following lemma.

 Lemma The number of distinct prime divisors of any natural number less than ${\displaystyle 2^{n}}$ is at most ${\displaystyle n}$.
Proof.
 Each prime number is ${\displaystyle \geq 2}$. If an ${\displaystyle N>0}$ has more than ${\displaystyle n}$ distinct prime divisors, then ${\displaystyle N\geq 2^{n}}$.
${\displaystyle \square }$

Due to this lemma, ${\displaystyle z}$ has at most ${\displaystyle n}$ prime divisors.

We then lower bound the number of primes in ${\displaystyle [k]}$. This is given by the celebrated Prime Number Theorem (PNT).

 Prime Number Theorem Let ${\displaystyle \pi (k)}$ denote the number of primes less than ${\displaystyle k}$. Then ${\displaystyle \pi (k)\sim {\frac {k}{\ln k}}}$ as ${\displaystyle k\rightarrow \infty }$.

Therefore, by choosing ${\displaystyle k=tn\ln tn}$ for some ${\displaystyle t}$, we have that for a ${\displaystyle 0, and a random prime ${\displaystyle p\in [k]}$,

${\displaystyle \Pr[z{\bmod {p}}=0]\leq {\frac {n}{\pi (k)}}\sim {\frac {1}{t}}}$.

We can make this error probability polynomially small and the number of bits to be communicated is still ${\displaystyle O(\log k)=O(\log n)}$.

## Randomized pattern matching

Consider the following problem of pattern matching, which has nothing to do with communication complexity.

• Input: a string ${\displaystyle x\in \{0,1\}^{n}}$ and a "pattern" ${\displaystyle y\in \{0,1\}^{m}}$.
• Determine whether the pattern ${\displaystyle y}$ is a contiguous substring of ${\displaystyle x}$. Usually, we are also asked to find the location of the substring.

A naive algorithm trying every possible match runs in ${\displaystyle O(nm)}$ time. The more sophisticated KMP algorithm inspired by automaton theory runs in ${\displaystyle O(n+m)}$ time.

A simple randomized algorithm, due to Karp and Rabin, uses the idea of fingerprinting and also runs in ${\displaystyle O(n+m)}$ time.

Let ${\displaystyle X(j)=x_{j}x_{j+1}\cdots x_{j+m-1}}$ denote the substring of ${\displaystyle x}$ of length ${\displaystyle m}$ starting at position ${\displaystyle j}$.

 Algorithm (Karp-Rabin) pick a random prime ${\displaystyle p\in [k]}$; for ${\displaystyle j=1}$ to ${\displaystyle n-m+1}$ do if ${\displaystyle X(j){\bmod {p}}=y{\bmod {p}}}$ then report a match; return "no match";

So the algorithm just compares the ${\displaystyle \mathrm {FING} (X(j))}$ and ${\displaystyle \mathrm {FING} (y)}$ for every ${\displaystyle j}$, with the same definition of fingerprint function ${\displaystyle \mathrm {FING} (\cdot )}$ as in the communication protocol for EQ.

By the same analysis, by choosing ${\displaystyle k=n^{2}m\ln(n^{2}m)}$, the probability of a single false match is

${\displaystyle \Pr[X(j){\bmod {p}}=y{\bmod {p}}\mid X(j)\neq y]=O\left({\frac {1}{n^{2}}}\right)}$.

By the union bound, the probability that a false match occurs is ${\displaystyle O\left({\frac {1}{n}}\right)}$.

The algorithm runs in linear time if we assume that we can compute ${\displaystyle X(j){\bmod {p}}}$ for each ${\displaystyle j}$ in constant time. This outrageous assumption can be made realistic by the following observation.

 Lemma Let ${\displaystyle \mathrm {FING} (a)=a{\bmod {p}}}$. ${\displaystyle \mathrm {FING} (X(j+1))\equiv 2(\mathrm {FING} (X(j))-2^{m-1}x_{j})+x_{j+m}{\pmod {p}}\,}$.
Proof.
 It holds that ${\displaystyle X(j+1)=2(X(j)-2^{m-1}x_{j})+x_{j+m}\,}$. So the equation holds on the finite field modulo ${\displaystyle p}$.
${\displaystyle \square }$

Due to this lemma, each fingerprint ${\displaystyle \mathrm {FING} (X(j))}$ can be computed in an incremental way, each in constant time. The running time of the algorithm is ${\displaystyle O(n+m)}$.

# Primality Test

In above applications, our algorithm is required to "sample a uniform random prime from ${\displaystyle [N]}$". This can be done by first sample a uniform random integer ${\displaystyle n}$ from ${\displaystyle [N]}$ and then test whether ${\displaystyle n}$ is prime (and repeat the procedure if it fails the test). This requires us to efficiently determines whether a given integer is prime.

A primality test is an algorithm that given as input a number ${\displaystyle n}$ determines whether ${\displaystyle n}$ is prime. A naive deterministic algorithm is to check for every ${\displaystyle 2\leq i\leq {\sqrt {n}}}$ whether ${\displaystyle n}$ is divisible by ${\displaystyle i}$. The time complexity of this naive algorithm is ${\displaystyle O({\sqrt {n}})}$ assuming that a modular computation takes constant time. Note that ${\displaystyle {\sqrt {n}}}$ is obviously bounded by polynomial of ${\displaystyle n}$, so do we have a "polynomial-time" algorithm?

The answer depends what exactly we mean by "polynomial-time" algorithms. Rigorously, an algorithm is polynomial-time if its worst-case running time is bounded by a polynomial in the size of the input, measured by the number of bits representing the input. In the case of primality testing, the input is a natural number ${\displaystyle n}$ represented in binary code, which takes ${\displaystyle \log n}$ bits. So for the problem of primality testing, or similar number theory problems, an algorithm is polynomial time if its running time is in polynomial of ${\displaystyle \log n}$ instead of ${\displaystyle n}$.

However, much faster and simpler randomized primality testing algorithms were known long before the discovery of efficient deterministic primality test.

## Fermat Test

Recall the Fermat's little theorem.

 Fermat's little theorem If ${\displaystyle n>2}$ is prime, then ${\displaystyle a^{n-1}\equiv 1{\pmod {n}}}$ for every ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$.

There are several proofs for this famous theorem. We will not prove the theorem but will only use it here.

If we can find an ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$ such that ${\displaystyle a^{n-1}\not \equiv 1{\pmod {n}}}$, it will prove that ${\displaystyle n}$ is composite. This inspires the following "primality testing" algorithm.

 Fermat test Choose a uniformly random ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$. If ${\displaystyle a^{n-1}\not \equiv 1{\pmod {n}}}$, then return "composite". Else return "probably prime".

### Complexity of Fermat test

The time complexity of this algorithm depends on the computational cost ${\displaystyle a^{n-1}{\bmod {n}}}$, whose straightforward computing takes ${\displaystyle n-2}$ multiplications, which is too expensive. We describe an efficient way of computing the modular exponent ${\displaystyle a^{x}{\bmod {n}}\,}$ where ${\displaystyle x\in [n]}$.

We first make the following observations regarding the modular exponentiations:

• If the values of ${\displaystyle a^{x}{\bmod {n}}}$ and ${\displaystyle a^{y}{\bmod {n}}}$ are both known, then ${\displaystyle a^{x+y}{\bmod {n}}}$ can be computed by multiplying (modulo ${\displaystyle n}$) them.
• ${\displaystyle a^{2^{i}}}$ can be computed by letting ${\displaystyle a_{0}=a}$ and ${\displaystyle a_{j}=a_{j-1}^{2}{\pmod {n}}}$ for ${\displaystyle j=1,2,\ldots ,i}$, which takes only ${\displaystyle i}$ modular multiplications.

Let ${\displaystyle \ell =\lceil \log _{2}n\rceil }$. A number ${\displaystyle x\in [n]}$ can be represented in its binary form: ${\displaystyle x_{\ell }x_{\ell -1}\cdots x_{1}x_{0}}$, where each ${\displaystyle x_{i}\in \{0,1\}}$, so that ${\displaystyle x=\sum _{i=0}^{\ell }x_{i}\cdot 2^{i}}$.

Combining the above two observations, all ${\displaystyle a^{x_{i}2^{i}}{\bmod {n}}}$ can be computed in ${\displaystyle O(\log n)}$ many multiplications, and ${\displaystyle a^{x}{\bmod {n}}}$ can be computed by multiplying (modulo ${\displaystyle n}$) them together.

The time complexity of Fermat test thus can be made in polynomial of ${\displaystyle \log n}$.

### Accuracy of Fermat test

If the output is "composite", then ${\displaystyle a^{n-1}\not \equiv 1{\pmod {n}}}$ for some ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$. By the Fermat's little theorem, ${\displaystyle n}$ must be composite. Therefore, for any prime ${\displaystyle n}$, the output is always "probably prime".

For composite ${\displaystyle n}$, it is possible that the algorithm picks an ${\displaystyle a}$ such that ${\displaystyle a^{n-1}\equiv 1{\pmod {n}}}$ and outputs "probably prime". But if the fraction of such bad ${\displaystyle a}$ in ${\displaystyle \{1,2,\ldots ,n-1\}}$ is small enough, then the testing algorithm may still correctly output "composite" with a good chance. However, there exist (though very rare) such composites, called Carmichael numbers, that may fool the Fermat test.

 Definition (Carmichael number) A composite number ${\displaystyle n}$ is a Carmichael number if ${\displaystyle a^{n-1}\equiv 1{\pmod {n}}}$ for all ${\displaystyle a\in \mathbb {Z} _{n}^{*}}$.

Here ${\displaystyle \mathbb {Z} _{n}^{*}}$ is the multiplicative group modulo ${\displaystyle n}$, defined as ${\displaystyle \mathbb {Z} _{n}^{*}=\{a\mid 1\leq a\leq n-1\wedge \mathrm {gcd} (a,n)=1\}}$.

For non-Carmichael composites, the Fermat test may detect the compositeness with a fairly good chance. Let ${\displaystyle B=\{a\in \mathbb {Z} _{n}^{*}\mid a^{n-1}\equiv 1{\pmod {n}}\}}$. Note that ${\displaystyle B}$ is closed under multiplication (modulo ${\displaystyle n}$), thus ${\displaystyle B}$ is a subgroup of ${\displaystyle \mathbb {Z} _{n}^{*}}$. Therefore, ${\displaystyle |\mathbb {Z} _{n}^{*}|}$ is divisible by ${\displaystyle |B|}$.

If ${\displaystyle n}$ is neither prime nor Carmichael, then ${\displaystyle \mathbb {Z} _{n}^{*}\setminus B}$ is nonempty, i.e. ${\displaystyle B}$ is a proper subgroup of ${\displaystyle \mathbb {Z} _{n}^{*}}$, thus ${\displaystyle |\mathbb {Z} _{n}^{*}|/|B|}$ is at least 2 and there are at least half ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$ satisfying ${\displaystyle a^{n-1}\not \equiv 1}$.

In conclusion,

• if ${\displaystyle n}$ is prime, then the Fermat test returns "probably prime" with probability 1;
• if ${\displaystyle n}$ is non-Carmichael composite, then the Fermat test returns "composite" with probability at least ${\displaystyle 1/2}$;
• if ${\displaystyle n}$ is a Carmichael number, the Fermat test breaks down.

As long as the input is not a Carmichael number, we can repeat the Fermat test independently for ${\displaystyle k}$ times and reduce the error probability to ${\displaystyle 2^{-k}}$.

The Carmichael numbers are very rare. Let ${\displaystyle c(n)}$ be the "Carmichael density" that

${\displaystyle c(n)={\frac {{\text{number of Carmichael numbers }}\leq n}{n}}}$.

In 1956, Erdős proved that

${\displaystyle c(n)\leq \exp \left(-\Omega \left({\frac {\log n\log \log \log n}{\log \log n}}\right)\right)=n^{-\Omega \left({\frac {\log \log \log n}{\log \log n}}\right)}}$.

If one only needs to generates a prime number instead of testing the primality of a given number, then we can generates a random number, and apply the Fermat test. Due to the prime number theorem, the number of prime numbers less than or equal to ${\displaystyle n}$ is ${\displaystyle \pi (n)\sim {\frac {n}{\ln n}}}$. This scheme will generates a prime number in a reasonable number of independent trials with a good chance.

## Miller-Rabin Test

The Fermat test is based on the following way to prove that a number ${\displaystyle n}$ is composite:

• there exists a number ${\displaystyle a}$ such that ${\displaystyle a^{n-1}\not \equiv 1{\pmod {n}}}$.

The Miller-Rabin primality test is based on an additional way to prove that a number ${\displaystyle n}$ is composite:

• 1 has a nontrivial square root, that is, a number ${\displaystyle a}$ satisfying that ${\displaystyle a^{2}\equiv 1{\pmod {n}}}$ but ${\displaystyle a\not \equiv \pm 1{\pmod {n}}}$.

The following theorem states that the existence of nontrivial square root of 1 is a valid proof of compositeness of ${\displaystyle n}$.

 Theorem If ${\displaystyle n>2}$ is prime, then ${\displaystyle 1}$ does not have a nontrivial square root.
Proof.
 Suppose ${\displaystyle a}$ is a square root of 1, that is, ${\displaystyle a^{2}\equiv 1{\pmod {n}}}$. Therefore, ${\displaystyle (a-1)(a+1)=a^{2}-1\equiv 0{\pmod {n}}}$, which means that ${\displaystyle (a-1)(a+1)|n\,}$. If ${\displaystyle a\not \equiv \pm 1{\pmod {n}}}$, then ${\displaystyle n}$ divides neither ${\displaystyle (a-1)}$ nor ${\displaystyle (a+1)}$, which contradicts that ${\displaystyle n}$ is prime and divides ${\displaystyle (a-1)(a+1)}$.
${\displaystyle \square }$

The idea of Miller-Rabin test is to find either a Fermat proof of compositeness, or a nontrivial square root of 1.

 Miller-Rabin Primality Test Choose a uniformly random ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$. Let ${\displaystyle t}$ and ${\displaystyle m}$ be such that ${\displaystyle t\geq 1}$, ${\displaystyle m}$ is odd, and ${\displaystyle n-1=2^{t}m}$. Let ${\displaystyle a_{0}=a^{m}{\bmod {\,}}n\,}$. For ${\displaystyle i=1}$ to ${\displaystyle t}$, let ${\displaystyle a_{i}=a_{i-1}^{2}{\bmod {\,}}n}$. If ${\displaystyle a_{t}\not \equiv 1{\pmod {n}}}$, then return "composite". If there is an ${\displaystyle i}$, ${\displaystyle 1\leq i\leq t}$, such that ${\displaystyle a_{i}\equiv 1{\pmod {n}}}$ but ${\displaystyle a_{i-1}\not \equiv \pm 1{\pmod {n}}}$, then return "composite". Else return "probably prime".

An easy inductive proof shows that ${\displaystyle a_{i}=a^{2^{i}m}{\bmod {\,}}n}$ for all ${\displaystyle i}$, ${\displaystyle 0\leq i\leq t}$. In particular, ${\displaystyle a_{t}\equiv a^{2^{t}m}=a^{n-1}{\pmod {n}}}$.

The original algorithm due to Miller is deterministic, which test all small ${\displaystyle a}$ up to an ${\displaystyle O(\log n)}$ order. The correctness of this deterministic algorithm relies on the unproven conjecture of Generalized Riemann hypothesis. It was observed by Rabin that the deterministic searching can be replaced by random sampling.

Line 4 of the algorithm is equivalent to that ${\displaystyle a^{n-1}\not \equiv 1{\pmod {n}}}$, thus line 4 is just the Fermat test. If ${\displaystyle n}$ passes the Fermat test, line 5 tries to find a nontrivial square root of 1 in form of ${\displaystyle a^{2^{i}m}}$.

If ${\displaystyle n}$ is prime, then due to the Fermat little theorem and the fact that prime numbers do not have nontrivial square roots of 1, the conditions in line 4 and line 5 will never hold, thus the algorithm will return "probably prime". If ${\displaystyle n}$ is a non-Carmichael composite, as in the Fermat test, line 4 returns "composite" with probability at least ${\displaystyle 1/2}$. The only remaining case is when ${\displaystyle n}$ is a Carmichael number.

We pick the largest ${\displaystyle j}$ such that there is a ${\displaystyle b\in \mathbb {Z} _{n}^{*}}$ satisfying ${\displaystyle b^{2^{j}m}\equiv -1{\pmod {n}}}$, and define

${\displaystyle B=\{a\in \mathbb {Z} _{n}^{*}\mid a^{2^{j}m}\equiv \pm 1{\pmod {n}}\}}$.
 Theorem If ${\displaystyle n}$ is a Carmichael number, then the ${\displaystyle B}$ defined as above is a proper subgroup of ${\displaystyle \mathbb {Z} _{n}^{*}}$.

Since ${\displaystyle j}$ is fixed, it is easy to verify that ${\displaystyle B}$ is closed under multiplication, thus ${\displaystyle B}$ is a subgroup of ${\displaystyle \mathbb {Z} _{n}^{*}}$. It is a bit complicated to show that ${\displaystyle \mathbb {Z} _{n}^{*}\setminus B}$ is nonempty and we will not give the full proof here.

The accuracy of Miller-Rabin test on Carmichael numbers is implied by this theorem. Suppose ${\displaystyle n}$ is a Carmichael number. We call an ${\displaystyle a\in \{1,2,\ldots ,n-1\}}$ a liar if it fools the test in line 5, i.e. there is no such ${\displaystyle i}$ that ${\displaystyle a^{2^{i}m}\equiv 1{\pmod {n}}}$ but ${\displaystyle a^{2^{i-1}m}\not \equiv \pm 1{\pmod {n}}}$.

We claim that all liars belong to ${\displaystyle B}$. Due to the maximality of ${\displaystyle j}$, ${\displaystyle a^{2^{i}m}\not \equiv -1}$ for all ${\displaystyle i>j}$. Since ${\displaystyle n}$ is a Carmichael number, ${\displaystyle a^{n-1}\equiv 1{\pmod {n}}}$, if ${\displaystyle a}$ is a liar then it mus hold that ${\displaystyle a^{2^{i}m}\equiv 1{\pmod {n}}}$ for all ${\displaystyle i>j}$ or otherwise ${\displaystyle a}$ cannot be a liar. In particular, ${\displaystyle a^{2^{j+1}m}\equiv 1{\pmod {n}}}$. Again, since ${\displaystyle a}$ is a liar, ${\displaystyle a^{2^{j}m}\equiv \pm 1{\pmod {n}}}$, therefore ${\displaystyle a\in B}$.

We show that when ${\displaystyle n}$ is a Carmichael number, all numbers ${\displaystyle a}$ that fools the Miller-Rabin test belongs to a proper subgroup of ${\displaystyle \mathbb {Z} _{n}^{*}}$, therefore the Miller-Rabin test returns a "composite" with probability ${\displaystyle 1/2}$.

In conclusion,

• if ${\displaystyle n}$ is prime, the algorithm returns "probably prime";
• if ${\displaystyle n}$ is a non-Carmichael composite, the algorithm returns "composite" in line 4 with probability at least ${\displaystyle 1/2}$;
• if ${\displaystyle n}$ is a Carmichael number, the algorithm returns "composite" in line 5 with probability at least ${\displaystyle 1/2}$.