Fast generation of prime numbers and secure public-key cryptographic parameters

Abstract

A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudoprime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than algorithms presently used for generating only pseudoprimes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval.

Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime-generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy these security constraints. Further results described in this paper include an analysis of the optimal upper bound for trial division in the Miller-Rabin test as well as an analysis of the distribution of the number of bits of the smaller prime factor of a random k-bit RSA-modulus, given a security bound on the size of the two primes.
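The recursive construction the abstract describes, as an added example that is not the paper's own code: a simplified variant of Maurer's method in which an already proven prime q of slightly more than half the target size seeds n = 2Rq + 1, and one Pocklington check with a random base certifies n (the choice of q as k//2 + 2 bits, the trial-division bound of 2000 and the base case are assumptions; the paper's relative-size distribution and its analysis of the optimal trial-division bound are not reproduced). The single-base Miller-Rabin round is included only as the comparison point the abstract mentions.

```python
import math
import secrets

# Odd primes below 2000, used for the base case and for trial division (constructed).
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def trial_division_ok(n: int, bound: int) -> bool:
    """Cheap filter: reject n if it has a prime factor below `bound`."""
    for p in SMALL_PRIMES:
        if p >= bound:
            break
        if n % p == 0:
            return n == p
    return True


def miller_rabin(n: int, base: int) -> bool:
    """One Miller-Rabin round: True if n is a strong probable prime to `base`."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(base, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def pocklington_certifies(n: int, q: int, R: int, a: int) -> bool:
    """Pocklington: for n = 2Rq+1 with q prime and q > sqrt(n), the conditions
    a^(n-1) = 1 (mod n) and gcd(a^(2R) - 1, n) = 1 prove that n is prime."""
    if n != 2 * R * q + 1 or q * q <= n:
        raise ValueError("criterion needs n = 2Rq+1 with q > sqrt(n)")
    if pow(a, n - 1, n) != 1:
        return False
    return math.gcd(pow(a, 2 * R, n) - 1, n) == 1


def provable_prime(k: int) -> int:
    """Return a k-bit prime carrying a chain of Pocklington proofs (assumed split:
    q gets k//2 + 2 bits, so one known factor of n-1 is enough to certify n)."""
    if k <= 20:                      # base case: exhaustive trial division
        while True:
            n = secrets.randbits(k) | (1 << (k - 1)) | 1
            if all(n % p for p in SMALL_PRIMES if p * p <= n):
                return n
    kq = k // 2 + 2
    q = provable_prime(kq)           # recursion: prove the seed prime first
    while True:
        R = secrets.randbits(k - kq - 1) | (1 << (k - kq - 2))
        n = 2 * R * q + 1
        if n.bit_length() != k or not trial_division_ok(n, 2000):
            continue
        a = 2 + secrets.randbelow(n - 3)   # random base for the certificate
        if pocklington_certifies(n, q, R, a):
            return n
```

A candidate n is rejected on a failed certificate rather than retried with another base, which wastes a prime only with probability about 1/q.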

References

[1] L. M. Adleman and M. A. Huang, Primality Testing and Abelian Varieties over Finite Fields, Lecture Notes in Mathematics, Vol. 1512, Berlin: Springer-Verlag, 1992.

[2] L. M. Adleman, C. Pomerance, and R. S. Rumely, On distinguishing prime numbers from composite numbers, Annals of Mathematics, Vol. 117, pp. 173–206, 1983.

[3] A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms, Reading, MA: Addison-Wesley, 1974.

[4] E. Bach, How to generate factored random numbers, SIAM Journal on Computing, Vol. 17, No. 4, pp. 173–193, 1988.

[5] E. Bach, Personal communication, April 1992.

[6] E. Bach, Exact analysis of a priority queue algorithm for random variate generation, Proc. 5th ACM-SIAM Symp. on Discrete Algorithms (SODA), pp. 48–56, 1994.

[7] E. Bach and J. Shallit, Factoring with cyclotomic polynomials, Mathematics of Computation, Vol. 52, pp. 201–219, 1989.

[8] E. Bach and J. Shallit, Algorithmic Number Theory, Vol. I: Efficient Algorithms, Cambridge, MA: MIT Press, to appear.

[9] E. Bach and J. Sorenson, Sieve algorithms for perfect power testing, Algorithmica, Vol. 9, pp. 313–328, 1993.

[10] A. Balog, p + a without large prime factors, Séminaire de Théorie des Nombres de Bordeaux, No. 31, 1983.

[11] P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, The generation of random numbers that are probably prime, Journal of Cryptology, Vol. 1, No. 2, pp. 53–64, 1988.

[12] B. Blakley and G. R. Blakley, Security of number theoretic cryptosystems against random attacks, I, Cryptologia, Vol. 2, No. 4, pp. 305–320, 1978.

[13] D. Bleichenbacher, On the power of pseudo-primality tests, Tech. Rep., Dept. of Computer Science, ETH Zurich, Sept. 1993.

[14] D. Bleichenbacher and U. M. Maurer, Finding all strong pseudoprimes ≤ x, Preprint, 1993.

[15] M. Blum and S. Micali, How to generate cryptographically strong sequences of pseudo-random bits, SIAM Journal on Computing, Vol. 13, No. 4, pp. 850–864, 1984.

[16] D. M. Bressoud, Factorization and Primality Testing, Berlin: Springer-Verlag, 1989.

[17] J. Brillhart, D. H. Lehmer, and J. L. Selfridge, New primality criteria and factorizations of 2^m ± 1, Mathematics of Computation, Vol. 29, pp. 620–647, 1975.

[18] R. D. Carmichael, On composite numbers P which satisfy the Fermat congruence a^(P−1) ≡ 1 (mod P), American Mathematical Monthly, Vol. 19, pp. 22–27, 1912.

[19] A. Cobham, The recognition problem for the set of perfect squares, Proc. 7th Annual Symp. on Switching and Automata Theory, pp. 78–87, 1966.

[20] H. Cohen and A. K. Lenstra, Implementation of a new primality test, Mathematics of Computation, Vol. 48, No. 177, pp. 103–121, 1987.

[21] D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica, Vol. 1, pp. 1–15, 1986.

[22] C. Couvreur and J.-J. Quisquater, An introduction to fast generation of large prime numbers, Philips Journal of Research, Vol. 37, pp. 231–264, 1982 (errata: ibid., Vol. 38, p. 77, 1983).

[23] I. Damgård, P. Landrock, and C. Pomerance, Average case error estimates for the strong probable prime test, Mathematics of Computation, Vol. 61, pp. 177–194, 1993.

[24] J. van de Lune and E. Wattel, On the numerical solution of a differential-difference equation arising in analytic number theory, Mathematics of Computation, Vol. 23, pp. 417–421, 1969.

[25] R. De Moliner, Effiziente Konstruktion zufälliger grosser Primzahlen [Efficient construction of random large primes], Diploma Thesis, Inst. for Signal and Information Processing, Swiss Federal Institute of Technology, Zurich, 1989.

[26] H. G. Diamond, Elementary methods in the study of the distribution of prime numbers, Bulletin of the American Mathematical Society (New Series), Vol. 7, No. 3, pp. 553–589, 1982.

[27] K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för Matematik, Astronomi och Fysik, Vol. 22A, No. 10, pp. 1–14, 1930.

[28] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. 22, No. 6, pp. 644–654, 1976.

[29] B. Dixon and A. K. Lenstra, Massively parallel elliptic curve factoring, Advances in Cryptology—EUROCRYPT '92, Lecture Notes in Computer Science, Vol. 658, pp. 183–193, Berlin: Springer-Verlag, 1993.

[30] T. ElGamal, A public key cryptosystem and a signature scheme based on the discrete logarithm, IEEE Transactions on Information Theory, Vol. 31, No. 4, pp. 469–472, 1985.

[31] P. Erdős, On the normal number of prime factors of p − 1 and some related problems concerning Euler's φ-function, Quarterly Journal of Mathematics, Oxford, Vol. 6, pp. 205–213, 1935.

[32] A. Fiat and A. Shamir, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology—CRYPTO '86, Lecture Notes in Computer Science, Vol. 263, pp. 186–194, Berlin: Springer-Verlag, 1987.

[33] J. B. Friedlander, Shifted primes without large prime factors, in Number Theory and Applications, R. A. Mollin (ed.), Dordrecht: Kluwer, pp. 393–401, 1989.

[34] M. Goldfeld, On the number of primes p for which p + a has a large prime factor, Mathematika, Vol. 16, pp. 23–27, 1969.

[35] S. Goldwasser and J. Kilian, Almost all primes can be quickly certified, Proc. 18th Annual ACM Symp. on the Theory of Computing, pp. 316–329, 1986.

[36] S. Goldwasser and S. Micali, Probabilistic encryption, Journal of Computer and System Sciences, Vol. 28, pp. 270–299, 1984.

[37] J. Gordon, Strong RSA keys, Electronics Letters, Vol. 20, No. 12, pp. 514–516, 1984.

[38] A. Granville, Primality testing and Carmichael numbers, Notices of the American Mathematical Society, Vol. 39, No. 6, pp. 696–700, 1992.

[39] L. C. Guillou and J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory, Advances in Cryptology—EUROCRYPT '88, Lecture Notes in Computer Science, Vol. 330, pp. 123–128, Berlin: Springer-Verlag, 1988.

[40] G. H. Hardy and J. E. Littlewood, Some problems of "partitio numerorum"; III: On the expression of a number as a sum of primes, Acta Mathematica, Vol. 44, pp. 1–70, 1922.

[41] C. Hooley, On the largest prime factor of p + a, Mathematika, Vol. 20, pp. 135–143, 1973.

[42] G. Jaeschke, On strong pseudoprimes to several bases, Mathematics of Computation, Vol. 61, pp. 915–926, 1993.

[43] S. H. Kim and C. Pomerance, The probability that a random probable prime is composite, Mathematics of Computation, Vol. 53, pp. 721–741, 1989.

[44] D. E. Knuth and L. Trabb Pardo, Analysis of a simple factorization algorithm, Theoretical Computer Science, Vol. 3, pp. 321–348, 1976.

[45] N. Koblitz, A Course in Number Theory and Cryptography, Berlin: Springer-Verlag, 1987.

[46] N. Koblitz, Primality of the number of points on an elliptic curve over a finite field, Pacific Journal of Mathematics, Vol. 131, No. 1, pp. 157–165, 1988.

[47] K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone, New public-key cryptosystem based on elliptic curves over the ring Z_n, Advances in Cryptology—CRYPTO '91, Lecture Notes in Computer Science, Vol. 576, pp. 252–266, Berlin: Springer-Verlag, 1992.

[48] E. Kranakis, Primality and Cryptography, Stuttgart: Teubner; New York: Wiley, 1986.

[49] A. K. Lenstra, Primality testing, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 13–25, Providence, RI: American Mathematical Society, 1990.

[50] A. K. Lenstra, D. Atkins, M. Graff, and P. C. Leyland, The magic words are squeamish ossifrage, Proc. ASIACRYPT '94, Wollongong, Australia, Nov. 28–Dec. 1, 1994, to appear.

[51] A. K. Lenstra and H. W. Lenstra, Jr., Algorithms in number theory, in Handbook of Theoretical Computer Science, J. van Leeuwen (ed.), Chapter 12, Elsevier, 1990.

[52] A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, and J. M. Pollard, The number field sieve, Proc. 22nd ACM Symp. on Theory of Computing, pp. 564–572, 1990.

[53] A. K. Lenstra and M. S. Manasse, Factoring with two large primes, Advances in Cryptology—EUROCRYPT '90, Lecture Notes in Computer Science, Vol. 473, pp. 69–80, Berlin: Springer-Verlag, 1991.

[54] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, pp. 649–673, 1987.

[55] U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity, Advances in Cryptology—EUROCRYPT '89, Lecture Notes in Computer Science, Vol. 434, pp. 636–647, Berlin: Springer-Verlag, 1990.

[56] U. M. Maurer, Some number-theoretic conjectures and their relation to the generation of cryptographic primes, in Cryptography and Coding II, C. Mitchell (ed.), pp. 173–191, Oxford: Oxford University Press, 1992.

[57] U. M. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, Advances in Cryptology—CRYPTO '94, Lecture Notes in Computer Science, Vol. 839, pp. 271–281, Berlin: Springer-Verlag, 1994.

[58] U. M. Maurer and Y. Yacobi, Non-interactive public-key cryptography, Advances in Cryptology—EUROCRYPT '91, Lecture Notes in Computer Science, Vol. 547, pp. 498–507, Berlin: Springer-Verlag, 1991.

[59] K. McCurley, The discrete logarithm problem, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 49–74, Providence, RI: American Mathematical Society, 1990.

[60] A. Menezes, Elliptic Curve Public Key Cryptosystems, Dordrecht: Kluwer, 1993.

[61] P. Mihailescu, Fast generation of provable primes using search in arithmetic progressions, Advances in Cryptology—CRYPTO '94, Lecture Notes in Computer Science, Vol. 839, pp. 282–293, Berlin: Springer-Verlag, 1994.

[62] G. L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences, Vol. 13, pp. 300–317, 1976.

[63] L. Monier, Evaluation and comparison of two efficient probabilistic primality testing algorithms, Theoretical Computer Science, Vol. 12, pp. 97–108, 1980.

[64] F. Morain, Distributed primality proving and the primality of (2^3539 + 1)/3, Advances in Cryptology—EUROCRYPT '90, Lecture Notes in Computer Science, Vol. 473, pp. 110–123, Berlin: Springer-Verlag, 1991.

[65] F. Morain, Prime values of partition numbers and the primality of p(1840926), Tech. Report LIX/92/RR/11, Laboratoire d'Informatique de l'École Polytechnique (LIX), F-91128 Palaiseau Cedex, France, 1992.

[66] F. Morain, Personal communication, September 1993.

[67] M. Ogiwara, A method for generating cryptographically strong primes, Research Reports on Information Sciences, No. C-93, Dept. of Information Sciences, Tokyo Institute of Technology, April 1989.

[68] D. A. Plaisted, Fast verification, testing, and generation of large primes, Theoretical Computer Science, Vol. 9, pp. 1–16, 1979 (errata: ibid., Vol. 14, p. 345, 1981).

[69] H. C. Pocklington, The determination of the prime or composite nature of large numbers by Fermat's theorem, Proceedings of the Cambridge Philosophical Society, Vol. 18, pp. 29–30, 1914–1916.

[70] S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, Vol. 24, No. 1, pp. 106–110, 1978.

[71] J. M. Pollard, Theorems on factorization and primality testing, Proceedings of the Cambridge Philosophical Society, Vol. 76, pp. 521–528, 1974.

[72] C. Pomerance, Popular values of Euler's function, Mathematika, Vol. 27, pp. 84–89, 1980.

[73] C. Pomerance, Factoring, in Cryptology and Computational Number Theory, C. Pomerance (ed.), Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 27–47, Providence, RI: American Mathematical Society, 1990.

[74] K. Prachar, Über die Anzahl der Teiler einer natürlichen Zahl, welche die Form p − 1 haben [On the number of divisors of a natural number that are of the form p − 1], Monatshefte für Mathematik, Vol. 59, pp. 91–97, 1955.

[75] V. R. Pratt, Every prime has a succinct certificate, SIAM Journal on Computing, Vol. 4, No. 3, pp. 214–220, 1975.

[76] M. O. Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory, Vol. 12, pp. 128–138, 1980.

[77] H. Riesel, Prime Numbers and Computer Methods for Factorization, Boston: Birkhäuser, 1985.

[78] R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public key cryptosystem, Cryptologia, Vol. 2, No. 1, pp. 62–65, 1978.

[79] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21, No. 2, pp. 120–126, 1978.

[80] C. P. Schnorr, Efficient identification and signatures for smart cards, Advances in Cryptology—CRYPTO '89, Lecture Notes in Computer Science, Vol. 435, pp. 239–252, Berlin: Springer-Verlag, 1990.

[81] A. Schönhage and V. Strassen, Schnelle Multiplikation grosser Zahlen [Fast multiplication of large numbers], Computing, Vol. 7, pp. 281–292, 1971.

[82] A. Shamir, Efficient signature schemes based on birational permutations, Advances in Cryptology—CRYPTO '93, Lecture Notes in Computer Science, Vol. 773, pp. 1–12, Berlin: Springer-Verlag, 1994.

[83] J. Shawe-Taylor, Generating strong primes, Electronics Letters, Vol. 22, No. 16, pp. 875–877, 1986.

[84] G. Simmons and M. Norris, Preliminary comments on the M.I.T. public key cryptosystem, Cryptologia, Vol. 1, No. 4, pp. 406–414, 1977.

[85] R. Solovay and V. Strassen, A fast Monte-Carlo test for primality, SIAM Journal on Computing, Vol. 6, No. 1, pp. 84–85, 1977 (errata: ibid., Vol. 7, p. 118, 1978).

[86] G. Trenta, Werkzeuge zur Realisierung eines RSA-Kryptosystems [Tools for implementing an RSA cryptosystem], Diploma Thesis, Dept. of Computer Science, Swiss Federal Institute of Technology, March 1990.

[87] H. C. Williams, A p + 1 method of factoring, Mathematics of Computation, Vol. 39, No. 159, pp. 225–234, 1982.

[88] H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem, BIT, Vol. 19, pp. 525–538, 1979.

[89] K. Wooldridge, Values taken many times by Euler's phi-function, Proceedings of the American Mathematical Society, Vol. 76, pp. 229–234, 1979.

[90] Specifications for a digital signature standard, US Federal Register, Vol. 56, No. 169, August 30, 1991.


Additional information

Some results of this paper were presented at EUROCRYPT '89, Houthalen, Belgium, April 10–13, 1989 [55].

Communicated by Gilles Brassard


Cite this article

Maurer, U.M. Fast generation of prime numbers and secure public-key cryptographic parameters. J. Cryptology 8, 123–155 (1995). https://doi.org/10.1007/BF00202269


Key words

  • Public-key cryptography
  • Prime numbers
  • Primality proof
  • Miller-Rabin test
  • RSA cryptosystem
  • Number theory