Journal of Cryptology

, Volume 8, Issue 3, pp 123–155 | Cite as

Fast generation of prime numbers and secure public-key cryptographic parameters

  • Ueli M. Maurer


A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudoprime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than algorithms presently used for generating only pseudoprimes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval.

Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime-generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy these security constraints. Further results described in this paper include an analysis of the optimal upper bound for trial division in the Miller-Rabin test as well as an analysis of the distribution of the number of bits of the smaller prime factor of a random k-bit RSA-modulus, given a security bound on the size of the two primes.

Key words

Public-key cryptography Prime numbers Primality proof Miller-Rabin test RSA cryptosystem Number theory 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    L. M. Adleman and M. A. Huang, Primality Testing and Abelian Varieties over Finite Fields, Lecture Notes in Mathematics, Vol. 1512, Berlin: Springer-Verlag, 1992.Google Scholar
  2. [2]
    L. M. Adleman, C. Pomerance, and R. S. Rumely, On distinguishing prime numbers from composite numbers, Annals of Mathematics, Vol. 117, pp. 173–206, 1983.Google Scholar
  3. [3]
    A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms, Reading, MA: Addison-Wesley, 1974.Google Scholar
  4. [4]
    E. Bach, How to generate factored random numbers, SIAM Journal on Computing, Vol. 17, No. 4, pp. 173–193, 1988.Google Scholar
  5. [5]
    E. Bach, Personal communication, April 1992.Google Scholar
  6. [6]
    E. Bach, Exact analysis of a priority queue algorithm for random variate generation, Proc. 5th CM-SIAM Symp. on Discrete Algorithms (SODA), pp. 48–56, 1994.Google Scholar
  7. [7]
    E. Bach and J. Shallit, Factoring with cyclotomic polynomials, Mathematics of Computation, Vol. 52, pp. 201–219, 1989.Google Scholar
  8. [8]
    E. Bach and J. Shallit, Algorithmic Number Theory, Vol. I: Efficient Algorithms, Cambridge, MA: MIT Press, to appear.Google Scholar
  9. [9]
    E. Bach and J. Sorensen, Sieve algorithms for perfect power testing, Algorithmica, Vol. 9, pp. 313–328, 1993.Google Scholar
  10. [10]
    A. Balog, p+a without large prime factors, Seminaire de theorie des nombres de Bourdeaux, No. 31, 1983.Google Scholar
  11. [11]
    P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, The generation of random numbers that are probability prime, Journal of Cryptology, Vol. 1, No. 2, pp. 53–64, 1988.Google Scholar
  12. [12]
    B. Blakley and G. B. Blakley, Security of number theoretic cryptosystems against random attacks, I, Cryptologia, Vol. 2, No. 4, pp. 305–320, 1978.Google Scholar
  13. [13]
    D. Bleichenbacher, On the power of pseudo-primality tests, Tech. Rep., Dept. of Computer Science, ETH Zurich, Sept. 1993.Google Scholar
  14. [14]
    D. Bleichenbacher and U. M. Maurer, Finding All Strong Pseudoprimes ≤x, Preprint, 1993.Google Scholar
  15. [15]
    M. Blum and S. Micali, How to generate cryptographically strong sequences of pseudo-random bits, SIAM Journal on Computing, Vol. 13, No. 4, pp. 850–864, 1984.Google Scholar
  16. [16]
    D. M. Bressoud, Factorization and Primality Testing, Berlin: Springer-Verlag, 1989.Google Scholar
  17. [17]
    J. Brillhart, D. H. Lehmer, and J. L. Selfridge, New primality criteria and factorizations of 2 m ± 1, Mathematics of Computation, Vol. 29, pp. 620–647, 1975.Google Scholar
  18. [18]
    R. D. Carmichael, On composite numbers P which satisfy the Fermat congruence a Ps-1 ≡ 1 (mod P), American Mathematical Monthly, Vol. 19, pp. 22–27, 1912.Google Scholar
  19. [19]
    A. Cobham, The recognition problem for the set of perfect squares, Proc. 7th Annual Symp. on Switching and Automata Theory, pp. 78–87, 1966.Google Scholar
  20. [20]
    H. Cohen and A. K. Lenstra, Implementation of a new primality test, Mathematics of Computation, Vol. 48, No. 177, pp. 103–121, 1987.Google Scholar
  21. [21]
    D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica, Vol. 1, pp. 1–15, 1986.MathSciNetGoogle Scholar
  22. [22]
    C. Couvreur and J. J. Quisquater, An introduction to fast generation of large prime numbers, Philips Journal of Research, Vol. 37, pp. 231–264, 1982 (errata: ibid., Vol. 38, p. 77, 1983).Google Scholar
  23. [23]
    I. Damgård, P. Landrock, and C. Pomerance, Average case error estimates for the strong probable prime test, Mathematics of Computation, Vol. 61, pp. 177–194, 1993.Google Scholar
  24. [24]
    J. van de Lune and E. Wattel, On the numerical solution of a differential-difference equation arising in analytic number theory, Mathematics of Computation, Vol. 23, pp. 417–421, 1969.Google Scholar
  25. [25]
    R. De Moliner, Effiziente Konstruktion zufälliger grosser Primzahlen, Diploma Thesis, Inst. for Signal and Information Processing, Swiss Federal Institute of Technology, Zurich, 1989.Google Scholar
  26. [26]
    H. G. Diamond, Elementary methods in the study of the distribution of prime numbers, Bulletin of the American Mathematical Society (New Series), Vol. 7, No. 3, pp. 553–589, 1982.Google Scholar
  27. [27]
    K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv for Matematik, Astronomi och Fysik, Vol. 22A, No. 10, pp. 1–14, 1930.Google Scholar
  28. [28]
    W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. 22, No. 6, pp. 644–654, 1976.Google Scholar
  29. [29]
    B. Dixon and A. K. Lenstra, Massively parallel elliptic curve factoring, Advances in Cryptology—EUROCRYPT '92, Lecture Notes in Computer Science, Vol. 658, pp. 183–193, Berlin: Springer-Verlag, 1993.Google Scholar
  30. [30]
    T. El-Gamal, A public key cryptosystem and a signature scheme based on the discrete logarithm, IEEE Transactions on Information Theory, Vol. 31, No. 4, pp. 469–472, 1985.Google Scholar
  31. [31]
    P. Erdös, On the normal number of prime factors of p- 1 and some related problems concerning Euler's ϕ-function, Quarterly Journal of Mathematics, Oxford, Vol. 6, pp. 205–213, 1935.Google Scholar
  32. [32]
    A. Fiat and A. Shamir, How to prove yourself: practical solution to identification and signature problems, Advances in Cryptology—CRYPTO '86, Lecture Notes in Computer Science, Vol. 263, pp. 186–194, Berlin: Springer-Verlag, 1987.Google Scholar
  33. [33]
    J. B. Friedlander, Shifted primes without large prime factors, in Number Theory and Applications, R. A. Mollin (ed.), Dordrecht: Kluwer, pp. 393–401, 1989.Google Scholar
  34. [34]
    M. Goldfeld, On the number of primes p for which p+a has a large prime factor, Mathematika, Vol. 16, pp. 23–27, 1969.Google Scholar
  35. [35]
    S. Goldwasser and J. Kilian, Almost all primes can be quickly certified, Proc. 18th Annual ACM Symp. on the Theory of Computing, pp. 316–329, 1986.Google Scholar
  36. [36]
    S. Goldwasser and S. Micali, Probabilistic encryption, Journal of Computer and System Sciences, Vol. 28, pp. 270–299, 1984.Google Scholar
  37. [37]
    J. Gordon, Strong RSA Keys, Electronics Letters, Vol. 20, No. 12, pp. 514–516, 1984.Google Scholar
  38. [38]
    A. Granville, Primality testing and Carmichael numbers, Notices of the American Mathematical Society, Vol. 39, No. 6, pp. 696–700, 1992.Google Scholar
  39. [39]
    L. C. Guillou and J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory, Advances in Cryptology—EUROCRYPT '88, Lecture Notes in Computer Science, Vol. 330, pp. 123–128, Berlin: Springer-Verlag, 1988.Google Scholar
  40. [40]
    G. H. Hardy and J. E. Littlewood, Some problems of “partitio numerorum”; III: on the expression of a number as a sum of primes, Acta Mathematica, Vol. 44, pp. 1–70, 1922.Google Scholar
  41. [41]
    C. Hooley, On the largest prime factor of p+a, Mathematika, Vol. 20, pp. 135–143, 1973.Google Scholar
  42. [42]
    G. Jaeschke, On strong pseudoprimes to several bases, Mathematics of Computation, Vol. 61, pp. 915–926, 1993.Google Scholar
  43. [43]
    S. H. Kim and C. Pomerance, The probability that a random probable prime is composite, Mathematics of Computation, Vol. 53, pp. 721–741, 1989.Google Scholar
  44. [44]
    D. E. Knuth and L. Trabb Pardo, Analysis of a simple factorization algorithm, Theoretical Computer Science, Vol. 3, pp. 321–348, 1976.Google Scholar
  45. [45]
    N. Koblitz, A Course in Number Theory and Cryptography, Berlin: Springer-Verlag, 1987.Google Scholar
  46. [46]
    N. Koblitz, Primality of the number of points on an elliptic curve over a finite field, Pacific Journal of Mathematics, Vol. 131, No. 1, pp. 157–165, 1988.MathSciNetzbMATHGoogle Scholar
  47. [47]
    K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone, New public-key cryptosystem based on elliptic curves over the ring Z n, Advances in Cryptology—CRYPTO '91, Lecture Notes in Computer Science, Vol. 576, pp. 252–266, Berlin: Springer-Verlag, 1992.Google Scholar
  48. [48]
    E. Kranakis, Primality and Cryptography, Stuttgart: Teubner; New York: Wiley, 1986.Google Scholar
  49. [49]
    A. K. Lenstra, Primality testing, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 13–25, Providence, RI: American Mathematical Society, 1990.Google Scholar
  50. [50]
    A. K. Lenstra, D. Atkins, M. Graff, and P. C. Leyland, The magic words are squeamish ossifrage, Proc. Asiacrypt '94, Wollongong, Australia, Nov. 28–Dec. 1, 1994, to appear.Google Scholar
  51. [51]
    A. K. Lenstra and H. W. Lenstra, Algorithms in number theory, in Handbook of Theoretical Computer Science, J. van Leeuwen (ed.), Chapter 12, Elsevier, 1990.Google Scholar
  52. [52]
    A. K. Lenstra, H. W. Lenstra, M. S. Manasse, and J. M. Pollard, The number field sieve, Proc. 22nd ACM Symp. on Theory of Computing, pp. 564–572, 1990.Google Scholar
  53. [53]
    A. K. Lenstra and M. S. Manasse, Factoring with two large primes, Advances in Cryptology—EUROCRYPT '90, Lecture Notes in Computer Science, Vol. 473, pp. 69–80, Berlin: Springer-Verlag, 1991.Google Scholar
  54. [54]
    H. W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, pp. 649–673, 1987.MathSciNetGoogle Scholar
  55. [55]
    U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity, Advances in Cryptology—EUROCRYPT '89, Lecture Notes in Computer Science, Vol. 434, pp. 636–647, Berlin: Springer-Verlag, 1990.Google Scholar
  56. [56]
    U. M. Maurer, Some number-theoretic conjectures and their relation to the generation of cryptographic primes, in Cryptography and Coding II, C. Mitchell (ed.), pp. 173–191, Oxford: Oxford, University Press, 1992.Google Scholar
  57. [57]
    U. M. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, Advances in Cryptology—CRYPTO '94, Lecture Notes in Computer Science, Vol. 839, pp. 271–281, Berlin: Springer-Verlag, 1994.Google Scholar
  58. [58]
    U. M. Maurer and Y. Yacobi, Non-interactive public-key cryptography, Advances in Cryptology —EUROCRYPT '91, Lecture Notes in Computer Science, Vol. 547, pp. 498–507, Berlin: Springer-Verlag, 1991.Google Scholar
  59. [59]
    K. McCurley, The discrete logarithm problem, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 49–74, Providence, RI: American Mathematical Society, 1990.Google Scholar
  60. [60]
    A. Menezes, Elliptic Curve Public Key Cryptosystems, Dordrecht: Kluwer, 1993.Google Scholar
  61. [61]
    P. Mihailescu, Fast generation of provable primes using search in arithmetic progressions, Advances in Cryptology—CRYPTO '94, Lecture Notes in Computer Science, Vol. 839, pp. 282–293, Berlin: Springer-Verlag, 1994.Google Scholar
  62. [62]
    G. L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences, Vol. 13, pp. 300–317, 1976.Google Scholar
  63. [63]
    L. Monier, Evaluation and comparison of two efficient probabilistic primality testing algorithms, Theoretical Computer Science, Vol. 12, pp. 97–108, 1980.Google Scholar
  64. [64]
    F. Morain, Distributed primality proving and the primality of (23539+1)/3, Advances in Cryptology—EUROCRYPT '90, Lecture Notes in Computer Science, Vol. 473, pp. 110–123, Berlin: Springer-Verlag, 1991.Google Scholar
  65. [65]
    F. Morain, Prime Values of Partition Numbers and the Primality of p(1840926), Tech. Report LIX/92/RR/11, Laboratoire d'Informatique de l'Ecole Polytechnique (LIX), F-91128 Palaiseau Cedex, France, 1992.Google Scholar
  66. [66]
    F. Morain, Personal communication, September 1993.Google Scholar
  67. [67]
    M. Ogiwara, A Method for Generating Cryptographically Strong Primes, Research Reports on Informaion Sciences, No. C-93, Dept. of Information Sciences, Tokyo Institute of Technology, April 1989.Google Scholar
  68. [68]
    D. A. Plaisted, Fast verification, testing, and generation of large primes, Theoretical Computer Science, Vol. 9, pp. 1–16, 1979 (errata: ibid., Vol. 14, p. 345, 1981).Google Scholar
  69. [69]
    H. C. Pocklington, The determination of the prime or composite nature of large numbers by Fermat's theorem, Proceedings of the Cambridge Philosphical Society, Vol. 18, pp. 29–30, 1914–1916.Google Scholar
  70. [70]
    S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, Vol. 24, No. 1, pp. 106–110, 1978.Google Scholar
  71. [71]
    J. M. Pollard, Theorems on factorization and primality testing, Proceedings of the Cambridge Philosophical Society, Vol. 76, pp. 521–528, 1974.Google Scholar
  72. [72]
    C. Pomerance, Popular values of Euler's function, Mathematika, Vol. 27, pp. 84–89, 1980.Google Scholar
  73. [73]
    C. Pomerance, Factoring, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 27–47, Providence, RI: American Mathematical Society, 1990.Google Scholar
  74. [74]
    K. Prachar, Über die Anzahl der Teiler einer natürlichen Zahl, welche die Form p- 1 haben, Monatshefte für Mathematik, Vol. 59, pp. 91–97, 1955.Google Scholar
  75. [75]
    V. R. Pratt, Every prime has a succinct certificate, SIAM Journal on Computing, Vol. 4, No. 3, pp. 214–220, 1975.Google Scholar
  76. [76]
    M. O. Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory, Vol. 12, pp. 128–138, 1980.Google Scholar
  77. [77]
    H. Riesel, Prime Numbers and Computer Methods for Factorization, Boston: Birkhäuser, 1985.Google Scholar
  78. [78]
    R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public key cryptosystem, Cryptologia, Vol. 2, No. 1, pp. 62–65, 1978.Google Scholar
  79. [79]
    R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the Association for Computing Machinery, Vol. 21, No. 2, pp. 120–126, 1978.Google Scholar
  80. [80]
    C. P. Schnorr, Efficient identification and signatures for smart cards, Advances in Cryptology—CRYPTO '89, Lecture Notes in Computer Science, Vol. 435, pp. 239–252, Berlin: Springer-Verlag, 1990.Google Scholar
  81. [81]
    A. Schönhage and V. Strassen, Schnelle Multiplikation grosser Zahlen, Computing, Vol. 7, pp. 281–292, 1971.Google Scholar
  82. [82]
    A. Shamir, Efficient signature schemes based on birational permutations, Advances in Cryptology—CRYPTO '93, Lecture Notes in Computer Science, Vol. 773, pp. 1–12, Berlin: Springer-Verlag, 1994.Google Scholar
  83. [83]
    J. Shawe-Taylor, Generating strong primes, Electronics Letters, Vol. 22, No. 16, pp. 875–877, 1986.Google Scholar
  84. [84]
    G. Simmons and M. Norris, Preliminary comments on the M.I.T. public key cryptosystem, Cryptologia, Vol. 1, No. 4, pp. 406–414, 1977.Google Scholar
  85. [85]
    R. Solovay and V. Strassen, A fast Monte-Carlo test for primality, SIAM Journal on Computing, Vol. 6, No. 1, pp. 84–85, 1977 (errata: ibid., Vol. 7, p. 118, 1978).Google Scholar
  86. [86]
    G. Trenta, Werkzeuge zur Realisierung eines RSA-Kryptosystems, Diploma Thesis, Dept. of Computer Science, Swiss Federal Institute of Technology, March 1990.Google Scholar
  87. [87]
    H. C. Williams, A p+ 1 method of factoring, Mathematics of Computation, Vol. 39, No. 159, pp. 225–234, 1982.Google Scholar
  88. [88]
    H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem, BIT, Vol. 19, pp. 525–538, 1979.Google Scholar
  89. [89]
    K. Wooldridge, Values taken many times by Euler's phi-function, Proceedings of the American Mathematical Society, Vol. 76, pp. 229–234, 1979.Google Scholar
  90. [90]
    Specifications for a digital signature standard, US Federal Register, Vol. 56, No. 169, August 30, 1991.Google Scholar

Copyright information

© International Association for Cryptologic Research 1995

Authors and Affiliations

  • Ueli M. Maurer
    • 1
  1. 1.Institute for Theoretical Computer Science, ETH ZürichZürichSwitzerland

Personalised recommendations