• if $n$ is composite, $|L_n| \le (n-1)/2$.

To test $n$ for primality, we set an “error parameter” $t$, and choose random elements $\alpha_1, \ldots, \alpha_t \in \mathbb{Z}_n^+$. If $\alpha_i \in L_n$ for all $1 \le i \le t$, then we output “prime”; otherwise, we output “composite.”

It is easy to see that if $n$ is prime, this algorithm always outputs “prime,” and if $n$ is composite this algorithm outputs “composite” with probability at least $1 - 2^{-t}$. If $t$ is chosen large enough, say $t = 100$, then the probability that the output is wrong is so small that for all practical purposes, it is “just as good as zero.”

We now make a first attempt at defining a suitable set $L_n$.

Let us define $L_n = \{\alpha \in \mathbb{Z}_n^+ : \alpha^{n-1} = 1\}$. Note that $L_n \subset \mathbb{Z}_n^*$, since if $\alpha^{n-1} = 1$, then $\alpha$ has a multiplicative inverse, namely, $\alpha^{n-2}$. Using a repeated-squaring algorithm, we can test if $\alpha \in L_n$ in time $O(\lg(n)^3)$.

Theorem 11.1. If $n$ is prime, then $L_n = \mathbb{Z}_n^*$. If $n$ is composite and $L_n \subsetneq \mathbb{Z}_n^*$, $|L_n| \le (n-1)/2$.

Proof. Note that $L_n$ is the kernel of the $(n-1)$-power map on $\mathbb{Z}_n^*$, and hence is a subgroup of $\mathbb{Z}_n^*$.

If $n$ is prime, then we know that $\mathbb{Z}_n^*$ is a group of order $n-1$. Hence, $\alpha^{n-1} = 1$ for all $\alpha \in \mathbb{Z}_n^*$. That is, $L_n = \mathbb{Z}_n^*$.

Suppose that $n$ is composite and $L_n \subsetneq \mathbb{Z}_n^*$. Since the order of a subgroup divides the order of the group, we have $|\mathbb{Z}_n^*| = m\,|L_n|$ for some integer $m > 1$. From this, we conclude that

$$|L_n| = \frac{1}{m}\,|\mathbb{Z}_n^*| \le \frac{1}{2}\,|\mathbb{Z}_n^*| \le \frac{n-1}{2}.$$

□

Unfortunately, there are odd composite numbers $n$ such that $L_n = \mathbb{Z}_n^*$. The smallest such number is $561 = 3 \cdot 11 \cdot 17$. Such numbers are called Carmichael numbers. They are extremely rare, but it is known that there are infinitely many of them, so we can not ignore them.

The following theorem characterizes Carmichael numbers.

Theorem 11.2. A positive odd integer $n$ is a Carmichael number if and only if it is squarefree of the form $n = p_1 \cdots p_r$, where $(p_i - 1) \mid (n - 1)$ for $1 \le i \le r$.

Proof. Suppose $n = p_1^{e_1} \cdots p_r^{e_r}$. By the Chinese Remainder Theorem, we have an isomorphism of $\mathbb{Z}_n^*$ with the group

$$\mathbb{Z}_{p_1^{e_1}}^* \times \cdots \times \mathbb{Z}_{p_r^{e_r}}^*,$$

and we know that each group $\mathbb{Z}_{p_i^{e_i}}^*$ is cyclic of order $p_i^{e_i-1}(p_i - 1)$. Thus, the $(n-1)$-power map annihilates the group $\mathbb{Z}_n^*$ if and only if it annihilates each of the groups $\mathbb{Z}_{p_i^{e_i}}^*$, which occurs if and only if $p_i^{e_i-1}(p_i - 1) \mid (n - 1)$. Now, on the one hand, $n \equiv 0 \pmod{p_i}$. On the other hand, if $e_i > 1$, we would have $n \equiv 1 \pmod{p_i}$, which is clearly impossible. Thus, we must have $e_i = 1$. □
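
Theorems 11.1 and 11.2 can be checked by brute force for small $n$, which also shows why a primality test used for key generation cannot rely on this first choice of $L_n$. The Python below is an added example, not part of the original notes; the function names are assumptions of this example, and $L_n$ is enumerated exhaustively, which is only feasible for small $n$.

```python
import random
from math import gcd

def fermat_liars(n):
    """L_n: all a in 1..n-1 with a^(n-1) = 1 (mod n), found by brute force."""
    return [a for a in range(1, n) if pow(a, n - 1, n) == 1]

def units(n):
    """Z_n^*: residues in 1..n-1 coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def factor(n):
    """Trial-division factorization {prime: exponent}; fine for small n."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def is_carmichael(n):
    """Definition from the text: odd composite n with L_n = Z_n^*."""
    return n % 2 == 1 and sum(factor(n).values()) >= 2 and fermat_liars(n) == units(n)

def korselt(n):
    """Theorem 11.2's condition: odd, squarefree composite, (p-1) | (n-1) for each prime p | n."""
    f = factor(n)
    return (n % 2 == 1 and len(f) >= 2 and all(e == 1 for e in f.values())
            and all((n - 1) % (p - 1) == 0 for p in f))

def theorem_11_1_holds(n):
    """Prime: L_n = Z_n^*. Composite with L_n != Z_n^*: |L_n| divides |Z_n^*|, |L_n| <= (n-1)/2."""
    L, U = fermat_liars(n), units(n)
    if sum(factor(n).values()) == 1:
        return L == U
    return L == U or (len(U) % len(L) == 0 and 2 * len(L) <= n - 1)

def fermat_test(n, t=100, rng=random):
    """The test from the text: t random bases from 1..n-1, 'prime' iff all lie in L_n."""
    return all(pow(rng.randrange(1, n), n - 1, n) == 1 for _ in range(t))

if __name__ == "__main__":
    odd = range(3, 2000, 2)
    print([n for n in odd if is_carmichael(n)])   # Carmichael numbers below 2000, by definition
    print(all(is_carmichael(n) == korselt(n) for n in odd))
    print(all(theorem_11_1_holds(n) for n in odd))
```

For 561 every unit is in $L_n$, so the bound $|L_n| \le (n-1)/2$ of Theorem 11.1 gives no guarantee there; the test can then reject only when a sampled base shares a factor with $n$.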