## Abstract

A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudoprime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than algorithms presently used for generating only pseudoprimes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval.

Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime-generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy these security constraints. Further results described in this paper include an analysis of the optimal upper bound for trial division in the Miller-Rabin test as well as an analysis of the distribution of the number of bits of the smaller prime factor of a random *k*-bit RSA-modulus, given a security bound on the size of the two primes.

## References

- [1]
L. M. Adleman and M. A. Huang,

*Primality Testing and Abelian Varieties over Finite Fields*, Lecture Notes in Mathematics, Vol. 1512, Berlin: Springer-Verlag, 1992. - [2]
L. M. Adleman, C. Pomerance, and R. S. Rumely, On distinguishing prime numbers from composite numbers,

*Annals of Mathematics*, Vol. 117, pp. 173–206, 1983. - [3]
A. V. Aho, J. E. Hopcroft, and J. D. Ullman,

*The Design and Analysis of Computer Algorithms*, Reading, MA: Addison-Wesley, 1974. - [4]
E. Bach, How to generate factored random numbers,

*SIAM Journal on Computing*, Vol. 17, No. 4, pp. 173–193, 1988. - [5]
E. Bach, Personal communication, April 1992.

- [6]
E. Bach, Exact analysis of a priority queue algorithm for random variate generation,

*Proc. 5th CM-SIAM Symp. on Discrete Algorithms (SODA)*, pp. 48–56, 1994. - [7]
E. Bach and J. Shallit, Factoring with cyclotomic polynomials,

*Mathematics of Computation*, Vol. 52, pp. 201–219, 1989. - [8]
E. Bach and J. Shallit,

*Algorithmic Number Theory*, Vol. I:*Efficient Algorithms*, Cambridge, MA: MIT Press, to appear. - [9]
E. Bach and J. Sorensen, Sieve algorithms for perfect power testing,

*Algorithmica*, Vol. 9, pp. 313–328, 1993. - [10]
A. Balog,

*p+a*without large prime factors, Seminaire de theorie des nombres de Bourdeaux, No. 31, 1983. - [11]
P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, The generation of random numbers that are probability prime,

*Journal of Cryptology*, Vol. 1, No. 2, pp. 53–64, 1988. - [12]
B. Blakley and G. B. Blakley, Security of number theoretic cryptosystems against random attacks, I,

*Cryptologia*, Vol. 2, No. 4, pp. 305–320, 1978. - [13]
D. Bleichenbacher, On the power of pseudo-primality tests, Tech. Rep., Dept. of Computer Science, ETH Zurich, Sept. 1993.

- [14]
D. Bleichenbacher and U. M. Maurer, Finding All Strong Pseudoprimes ≤

*x*, Preprint, 1993. - [15]
M. Blum and S. Micali, How to generate cryptographically strong sequences of pseudo-random bits,

*SIAM Journal on Computing*, Vol. 13, No. 4, pp. 850–864, 1984. - [16]
D. M. Bressoud,

*Factorization and Primality Testing*, Berlin: Springer-Verlag, 1989. - [17]
J. Brillhart, D. H. Lehmer, and J. L. Selfridge, New primality criteria and factorizations of

*2*^{m}*±*1,*Mathematics of Computation*, Vol. 29, pp. 620–647, 1975. - [18]
R. D. Carmichael, On composite numbers

*P*which satisfy the Fermat congruence*a*^{Ps-1}≡ 1 (mod*P)*,*American Mathematical Monthly*, Vol. 19, pp. 22–27, 1912. - [19]
A. Cobham, The recognition problem for the set of perfect squares,

*Proc. 7th Annual Symp. on Switching and Automata Theory*, pp. 78–87, 1966. - [20]
H. Cohen and A. K. Lenstra, Implementation of a new primality test,

*Mathematics of Computation*, Vol. 48, No. 177, pp. 103–121, 1987. - [21]
D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete logarithms in

*GF(p)*,*Algorithmica*, Vol. 1, pp. 1–15, 1986. - [22]
C. Couvreur and J. J. Quisquater, An introduction to fast generation of large prime numbers,

*Philips Journal of Research*, Vol. 37, pp. 231–264, 1982 (errata:*ibid.*, Vol. 38, p. 77, 1983). - [23]
I. Damgård, P. Landrock, and C. Pomerance, Average case error estimates for the strong probable prime test,

*Mathematics of Computation*, Vol. 61, pp. 177–194, 1993. - [24]
J. van de Lune and E. Wattel, On the numerical solution of a differential-difference equation arising in analytic number theory,

*Mathematics of Computation*, Vol. 23, pp. 417–421, 1969. - [25]
R. De Moliner, Effiziente Konstruktion zufälliger grosser Primzahlen, Diploma Thesis, Inst. for Signal and Information Processing, Swiss Federal Institute of Technology, Zurich, 1989.

- [26]
H. G. Diamond, Elementary methods in the study of the distribution of prime numbers,

*Bulletin of the American Mathematical Society*(New Series), Vol. 7, No. 3, pp. 553–589, 1982. - [27]
K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude,

*Arkiv for Matematik, Astronomi och Fysik*, Vol. 22A, No. 10, pp. 1–14, 1930. - [28]
W. Diffie and M. E. Hellman, New directions in cryptography,

*IEEE Transactions on Information Theory*, Vol. 22, No. 6, pp. 644–654, 1976. - [29]
B. Dixon and A. K. Lenstra, Massively parallel elliptic curve factoring,

*Advances in Cryptology—EUROCRYPT '92*, Lecture Notes in Computer Science, Vol. 658, pp. 183–193, Berlin: Springer-Verlag, 1993. - [30]
T. El-Gamal, A public key cryptosystem and a signature scheme based on the discrete logarithm,

*IEEE Transactions on Information Theory*, Vol. 31, No. 4, pp. 469–472, 1985. - [31]
P. Erdös, On the normal number of prime factors of

*p-*1 and some related problems concerning Euler's ϕ-function,*Quarterly Journal of Mathematics, Oxford*, Vol. 6, pp. 205–213, 1935. - [32]
A. Fiat and A. Shamir, How to prove yourself: practical solution to identification and signature problems,

*Advances in Cryptology—CRYPTO '86*, Lecture Notes in Computer Science, Vol. 263, pp. 186–194, Berlin: Springer-Verlag, 1987. - [33]
J. B. Friedlander, Shifted primes without large prime factors, in

*Number Theory and Applications*, R. A. Mollin (ed.), Dordrecht: Kluwer, pp. 393–401, 1989. - [34]
M. Goldfeld, On the number of primes

*p*for which*p+a*has a large prime factor,*Mathematika*, Vol. 16, pp. 23–27, 1969. - [35]
S. Goldwasser and J. Kilian, Almost all primes can be quickly certified,

*Proc. 18th Annual ACM Symp. on the Theory of Computing*, pp. 316–329, 1986. - [36]
S. Goldwasser and S. Micali, Probabilistic encryption,

*Journal of Computer and System Sciences*, Vol. 28, pp. 270–299, 1984. - [37]
J. Gordon, Strong RSA Keys,

*Electronics Letters*, Vol. 20, No. 12, pp. 514–516, 1984. - [38]
A. Granville, Primality testing and Carmichael numbers,

*Notices of the American Mathematical Society*, Vol. 39, No. 6, pp. 696–700, 1992. - [39]
L. C. Guillou and J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory,

*Advances in Cryptology—EUROCRYPT '88*, Lecture Notes in Computer Science, Vol. 330, pp. 123–128, Berlin: Springer-Verlag, 1988. - [40]
G. H. Hardy and J. E. Littlewood, Some problems of “partitio numerorum”; III: on the expression of a number as a sum of primes,

*Acta Mathematica*, Vol. 44, pp. 1–70, 1922. - [41]
C. Hooley,

*On the largest prime factor of p+a, Mathematika*, Vol. 20, pp. 135–143, 1973. - [42]
G. Jaeschke, On strong pseudoprimes to several bases,

*Mathematics of Computation*, Vol. 61, pp. 915–926, 1993. - [43]
S. H. Kim and C. Pomerance, The probability that a random probable prime is composite,

*Mathematics of Computation*, Vol. 53, pp. 721–741, 1989. - [44]
D. E. Knuth and L. Trabb Pardo, Analysis of a simple factorization algorithm,

*Theoretical Computer Science*, Vol. 3, pp. 321–348, 1976. - [45]
N. Koblitz,

*A Course in Number Theory and Cryptography*, Berlin: Springer-Verlag, 1987. - [46]
N. Koblitz, Primality of the number of points on an elliptic curve over a finite field,

*Pacific Journal of Mathematics*, Vol. 131, No. 1, pp. 157–165, 1988. - [47]
K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone, New public-key cryptosystem based on elliptic curves over the ring

*Z*_{ n },*Advances in*Cryptology—CRYPTO*'91*, Lecture Notes in Computer Science, Vol. 576, pp. 252–266, Berlin: Springer-Verlag, 1992. - [48]
E. Kranakis,

*Primality and Cryptography*, Stuttgart: Teubner; New York: Wiley, 1986. - [49]
A. K. Lenstra, Primality testing, in

*Cryptology and Computational Number Theory*, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 13–25, Providence, RI: American Mathematical Society, 1990. - [50]
A. K. Lenstra, D. Atkins, M. Graff, and P. C. Leyland, The magic words are squeamish ossifrage,

*Proc. Asiacrypt '94*, Wollongong, Australia, Nov. 28–Dec. 1, 1994, to appear. - [51]
A. K. Lenstra and H. W. Lenstra, Algorithms in number theory, in

*Handbook of Theoretical Computer Science*, J. van Leeuwen (ed.), Chapter 12, Elsevier, 1990. - [52]
A. K. Lenstra, H. W. Lenstra, M. S. Manasse, and J. M. Pollard, The number field sieve,

*Proc. 22nd ACM Symp. on Theory of Computing*, pp. 564–572, 1990. - [53]
A. K. Lenstra and M. S. Manasse, Factoring with two large primes,

*Advances in Cryptology—EUROCRYPT '90*, Lecture Notes in Computer Science, Vol. 473, pp. 69–80, Berlin: Springer-Verlag, 1991. - [54]
H. W. Lenstra, Jr., Factoring integers with elliptic curves,

*Annals of Mathematics*, Vol. 126, pp. 649–673, 1987. - [55]
U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity,

*Advances in Cryptology—EUROCRYPT '89*, Lecture Notes in Computer Science, Vol. 434, pp. 636–647, Berlin: Springer-Verlag, 1990. - [56]
U. M. Maurer, Some number-theoretic conjectures and their relation to the generation of cryptographic primes, in

*Cryptography and Coding II*, C. Mitchell (ed.), pp. 173–191, Oxford: Oxford, University Press, 1992. - [57]
U. M. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms,

*Advances in Cryptology—CRYPTO '94*, Lecture Notes in Computer Science, Vol. 839, pp. 271–281, Berlin: Springer-Verlag, 1994. - [58]
U. M. Maurer and Y. Yacobi, Non-interactive public-key cryptography,

*Advances in Cryptology —EUROCRYPT '91*, Lecture Notes in Computer Science, Vol. 547, pp. 498–507, Berlin: Springer-Verlag, 1991. - [59]
K. McCurley, The discrete logarithm problem, in

*Cryptology and Computational Number Theory*, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 49–74, Providence, RI: American Mathematical Society, 1990. - [60]
A. Menezes,

*Elliptic Curve Public Key Cryptosystems*, Dordrecht: Kluwer, 1993. - [61]
P. Mihailescu, Fast generation of provable primes using search in arithmetic progressions,

*Advances in Cryptology—CRYPTO '94*, Lecture Notes in Computer Science, Vol. 839, pp. 282–293, Berlin: Springer-Verlag, 1994. - [62]
G. L. Miller, Riemann's hypothesis and tests for primality,

*Journal of Computer and System Sciences*, Vol. 13, pp. 300–317, 1976. - [63]
L. Monier, Evaluation and comparison of two efficient probabilistic primality testing algorithms,

*Theoretical Computer Science*, Vol. 12, pp. 97–108, 1980. - [64]
F. Morain, Distributed primality proving and the primality of (2

^{3539}+1)/3,*Advances in Cryptology—EUROCRYPT '90*, Lecture Notes in Computer Science, Vol. 473, pp. 110–123, Berlin: Springer-Verlag, 1991. - [65]
F. Morain, Prime Values of Partition Numbers and the Primality of p(1840926), Tech. Report LIX/92/RR/11, Laboratoire d'Informatique de l'Ecole Polytechnique (LIX), F-91128 Palaiseau Cedex, France, 1992.

- [66]
F. Morain, Personal communication, September 1993.

- [67]
M. Ogiwara, A Method for Generating Cryptographically Strong Primes, Research Reports on Informaion Sciences, No. C-93, Dept. of Information Sciences, Tokyo Institute of Technology, April 1989.

- [68]
D. A. Plaisted, Fast verification, testing, and generation of large primes,

*Theoretical Computer Science*, Vol. 9, pp. 1–16, 1979 (errata:*ibid.*, Vol. 14, p. 345, 1981). - [69]
H. C. Pocklington, The determination of the prime or composite nature of large numbers by Fermat's theorem,

*Proceedings of the Cambridge Philosphical Society*, Vol. 18, pp. 29–30, 1914–1916. - [70]
S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance,

*IEEE Transactions on Information Theory*, Vol. 24, No. 1, pp. 106–110, 1978. - [71]
J. M. Pollard, Theorems on factorization and primality testing,

*Proceedings of the Cambridge Philosophical Society*, Vol. 76, pp. 521–528, 1974. - [72]
C. Pomerance, Popular values of Euler's function,

*Mathematika*, Vol. 27, pp. 84–89, 1980. - [73]
C. Pomerance, Factoring, in

*Cryptology and Computational Number Theory*, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 27–47, Providence, RI: American Mathematical Society, 1990. - [74]
K. Prachar, Über die Anzahl der Teiler einer natürlichen Zahl, welche die Form

*p-*1 haben,*Monatshefte für Mathematik*, Vol. 59, pp. 91–97, 1955. - [75]
V. R. Pratt, Every prime has a succinct certificate,

*SIAM Journal on Computing*, Vol. 4, No. 3, pp. 214–220, 1975. - [76]
M. O. Rabin, Probabilistic algorithm for testing primality,

*Journal of Number Theory*, Vol. 12, pp. 128–138, 1980. - [77]
H. Riesel,

*Prime Numbers and Computer Methods for Factorization*, Boston: Birkhäuser, 1985. - [78]
R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public key cryptosystem,

*Cryptologia*, Vol. 2, No. 1, pp. 62–65, 1978. - [79]
R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems,

*Communications of the Association for Computing Machinery*, Vol. 21, No. 2, pp. 120–126, 1978. - [80]
C. P. Schnorr, Efficient identification and signatures for smart cards,

*Advances in Cryptology—CRYPTO '89*, Lecture Notes in Computer Science, Vol. 435, pp. 239–252, Berlin: Springer-Verlag, 1990. - [81]
A. Schönhage and V. Strassen, Schnelle Multiplikation grosser Zahlen,

*Computing*, Vol. 7, pp. 281–292, 1971. - [82]
A. Shamir, Efficient signature schemes based on birational permutations,

*Advances in Cryptology—CRYPTO '93*, Lecture Notes in Computer Science, Vol. 773, pp. 1–12, Berlin: Springer-Verlag, 1994. - [83]
J. Shawe-Taylor, Generating strong primes,

*Electronics Letters*, Vol. 22, No. 16, pp. 875–877, 1986. - [84]
G. Simmons and M. Norris, Preliminary comments on the M.I.T. public key cryptosystem,

*Cryptologia*, Vol. 1, No. 4, pp. 406–414, 1977. - [85]
R. Solovay and V. Strassen, A fast Monte-Carlo test for primality,

*SIAM Journal on Computing*, Vol. 6, No. 1, pp. 84–85, 1977 (errata:*ibid.*, Vol. 7, p. 118, 1978). - [86]
G. Trenta, Werkzeuge zur Realisierung eines RSA-Kryptosystems, Diploma Thesis, Dept. of Computer Science, Swiss Federal Institute of Technology, March 1990.

- [87]
H. C. Williams, A

*p+*1 method of factoring,*Mathematics of Computation*, Vol. 39, No. 159, pp. 225–234, 1982. - [88]
H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem,

*BIT*, Vol. 19, pp. 525–538, 1979. - [89]
K. Wooldridge, Values taken many times by Euler's phi-function,

*Proceedings of the American Mathematical Society*, Vol. 76, pp. 229–234, 1979. - [90]
Specifications for a digital signature standard,

*US Federal Register*, Vol. 56, No. 169, August 30, 1991.

## Author information

### Affiliations

## Additional information

Some results of this paper were presented at EUROCRYPT '89, Houthalen, Belgium, April 10–13, 1989 [55].

Communicated by Gilles Brassard

## Rights and permissions

## About this article

### Cite this article

Maurer, U.M. Fast generation of prime numbers and secure public-key cryptographic parameters.
*J. Cryptology* **8, **123–155 (1995). https://doi.org/10.1007/BF00202269

Received:

Revised:

Issue Date:

### Key words

- Public-key cryptography
- Prime numbers
- Primality proof
- Miller-Rabin test
- RSA cryptosystem
- Number theory