| An integer n>1 for which an-1
= 1 (mod n) is called a probable-prime base a (an a-PRP).
By Fermat's Little Theorem all primes are PRP for every base a not
divisible by p. For every base a there are also infinitely
many composites that are a-PRP's (see our pages on primality
proving). Nevertheless, PRP's are so often prime that Henri Cohen
suggested they are "industrial grade primes" (not proven primes, but good
enough for RSA encryption and similar tasks). What's good enough?
Su Hee Kim and Carl Pomerance [KP89] considered the probability
P(x) that a PRP less than x is composite. More specifically,
let x be a positive number and define P(x) to be
the probability that an an odd number n is composite
Here is part of what they found [KP89 table 1, p723]:
- n is chosen at random with 1 < n <= x
- a is chosen at random with 1 < a < n-1,
- an-1 = 1 (mod n) (that is, n
is a PRP base a).
Table 1. Probability that a random PRP is composite
For example, if you pick a random 120 digit odd number n, pick
a smaller random base a, then if n is an a-PRP, the
probability that n is composite is less than 0.00000000000528!
If you use a strong PRP
test you can divide this bound at least in half. If you perform
k strong PRP tests (with randomly chosen bases), then the probability
is at most
For better estimates inthe strong PRP case see [Burthe1996]
Finally, it seems obvious that the probability bounds given in Table
1 are heading toward zero as x approaches infinity, this was first
shown by Paul Erdös and Carl Pomerance in 1986 [EP86].