# Fast generation of prime numbers and secure public-key cryptographic parameters

## Abstract

A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudoprime of the same size that passes the Miller-Rabin test for a single base. Our algorithm is therefore even faster than the algorithms presently used for generating pseudoprimes only, since those must apply several Miller-Rabin tests with independent bases to reach a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval.

Security constraints on the prime parameters of certain cryptographic systems are discussed; in particular, a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime-generation algorithm can easily be modified to generate nearly random primes or RSA moduli that satisfy these security constraints. Further results include an analysis of the optimal upper bound for trial division in the Miller-Rabin test, and an analysis of the distribution of the number of bits of the smaller prime factor of a random *k*-bit RSA modulus, given a security bound on the size of the two primes.
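The iterated encryption attack mentioned above, run against a constructed toy modulus as an added example (not from the paper): the attacker keeps re-encrypting a ciphertext with the public key until it returns to itself, and the value seen one step earlier is the plaintext. The block also computes the group-theoretic quantity that decides the cost, namely the multiplicative order of e modulo the order of the ciphertext, and its worst case over all ciphertexts, the order of e modulo lambda(n); the primes 47 and 59, exponent 17 and message 123 are constructed values far too small for real use.

```python
# Added example, not from the paper: the iterated-encryption (cycling) attack
# on RSA against a constructed toy modulus, plus the order computation that
# fixes how many re-encryptions the attack needs.
import math


def multiplicative_order(x, modulus):
    """Smallest t >= 1 with x^t = 1 (mod modulus); needs gcd(x, modulus) = 1."""
    if modulus == 1:
        return 1
    if math.gcd(x, modulus) != 1:
        raise ValueError("x must be invertible modulo modulus")
    t, y = 1, x % modulus
    while y != 1:
        y, t = y * x % modulus, t + 1
    return t


def cycling_attack(c, e, n):
    """Re-encrypt c under (n, e) until it comes back to c.  Because x -> x^e is
    a permutation of Z_n^* and c = m^e, the value one step before the return
    is m.  Returns (plaintext, number_of_encryptions)."""
    prev, cur, steps = c, pow(c, e, n), 1
    while cur != c:
        prev, cur, steps = cur, pow(cur, e, n), steps + 1
    return prev, steps


def max_cycle_length(p, q, e):
    """Order of e modulo lambda(n) = lcm(p-1, q-1).  Every ciphertext's cycle
    length divides this value and some ciphertext attains it, so it is the
    attacker's worst case.  It is large when p-1 and q-1 contain a large prime
    r with e of large order mod r, which is what 'strong prime' rules demand."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return multiplicative_order(e, lam)


# Constructed toy parameters; any real modulus makes the loop infeasible.
P, Q, E = 47, 59, 17
N = P * Q
M = 123
```

For the toy key, `cycling_attack(pow(M, E, N), E, N)` recovers 123 after a number of encryptions equal to `multiplicative_order(E, multiplicative_order(c, N))`, and that count divides `max_cycle_length(P, Q, E)`; the security constraints the abstract refers to are precisely conditions on p and q that keep this order astronomically large.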

## Key words

Public-key cryptography; Prime numbers; Primality proof; Miller-Rabin test; RSA cryptosystem; Number theory
