Cryptography Generation of Big Prime Numbers Uwe Egly Vienna - - PowerPoint PPT Presentation

Cryptography Generation of Big Prime Numbers

Uwe Egly

Vienna University of Technology Institute of Information Systems Knowledge-Based Systems Group

1 / 18

Overview

◮ Generation of big primes, e.g., for RSA ◮ Randomly generated primes required ◮ Prime number theorem: π(x): number of primes ≤ x

limx→∞

π(x) x/ ln x = 1

= ⇒ There are 10151 primes of length up to 512 bits

◮ Fundamental theorem of arithmetic

Every integer n > 2 has a factorization as a product of prime powers, n = pe1

1 pe2 2 · · · pek k , where the pi are distinct primes,

and the ei are positive integers. Furthermore, the factorization is unique up to rearrangement of factors

2 / 18

Overall Procedure to Generate Big Primes

• 1. Generate a prime candidate n, i.e.,

generate a big random number and set msb=lsb=1

• 2. Test n for primality
• 3. If prime, return prime n; otherwise continue with step 1

Possible methods for step 2. (primality test) are:

◮ Deterministic factorization procedure into primes

(trial division, Pollard’s rho- and p-1 method, sieve procedures)

◮ Fast probabilistic decision procedures (no factors)

(Fermat Test, Rabin-Miller, Solovay-Strassen, . . . )

◮ Deterministic decision procedure AKS (in P) (no factors)

(Agrawal, Kayal and Saxens, 2002)

◮ but, at the moment, probabilistic algorithms faster!!!

3 / 18

Trial Division

◮ Decides primality of the given number and returns a factor ◮ Based on the following theorem . . .

If n is a natural number and composed, then n has a prime factor p with p ≤ √n

◮ . . . and naive trials of primes ≤ ⌊√n⌋ ◮ Result always correct, but method computationally expensive

Since π(x) > x/ ln x (for x > 17), √x/ ln √x divisions required

◮ Exa: For 1075, more than 0.36 · 1036 trial divisions required ◮ AKS or probabilistic primality methods are much faster

4 / 18

Computation of the Greatest Common Divisor

◮ Euclidian algorithm to compute gcd(a, b)

Algorithm 1: gcd(a, b)

Input: Two integers a,b Result: gcd(a, b) int r, aa, ab; begin aa = abs(a); ab = abs(b); while ab = 0 do r = aa mod ab; aa = ab; ab = r; return aa; end

◮ a, b are coprime, if gcd(a, b) = 1 ◮ Extended algorithm computes also integers x, y satisfying

gcd(a, b) = xa + yb

5 / 18

Exponentiation

◮ Often needed: Calculation of ge in a monoid G ◮ For crypto applications, the exponent e is usually large ◮ Therefore, computation of ge by e − 1 mult not practicable ◮ Solution: Use fast exponentiation algorithm

(based on iterative squaring)

◮ Binary representation of e ∈ N (ei ∈ {0, 1}): e = k i=0 ei2i ◮ With g ∈ G we get:

ge = g

Pk

i=0 ei2i =

k

• i=0
• g2iei =
• 0≤i≤k,ei=1

g2i

◮ Example: e = 5. Then e has the binary representation

101, ge = g1·20+0·21+1·22 and therefore ge = g20 · g22

6 / 18

A Procedure for Fast Exponentiation

◮ Implementation needed later for exponentiation in Zn ◮ Bit complexity of ge mod n with e < n: O((ld n)3)

Algorithm 2: fastExponentationInZn(g, e)

Input: g ∈ Zn, e (0 ≤ e < n) with binary representation e = Pk

i=0 ei2i

Result: ge mod n begin b = 1; if e = 0 then return b; G = g; if e0 = 1 then b = g; for i = 1 to k step 1 do G = G2 mod n; if ei = 1 then b = (G · b) mod n; return b; end

7 / 18

An Example for Fast Exponentiation: 5596 mod 1234

i 1 2 3 4 5 6 7 8 9 ei 1 1 1 1 G 5 25 625 681 1011 369 421 779 947 925 b 1 1 625 625 67 67 1059 1059 1059 1013

8 / 18

Fermat Test

◮ Based on the following theorem (“Fermat’s Little Theorem”)

Let n be prime. Then (∗) an−1 ≡ 1 mod n holds for all a ∈ Z with gcd(a, n) = 1.

◮ Basic idea:

◮ Find a (0 < a < n), which violates (∗) =

⇒ n not prim

◮ After t failure tests with random a, quit and postulate n prim

Let n ∈ Z be composite and odd. a (0 < a < n) is a Fermat witness to compositeness for n, if an−1 ≡ 1 mod

• n. n is called pseudoprime to the base a, if an−1 ≡ 1 mod
• n. a is a Fermat liar to primality for n.

◮ Exa: n = 341 = 11 · 31 is pseudoprime wrt 2, because

2340 ≡ 1 mod 341

(How do we compute it efficiently?)

9 / 18

Pseudocode for the Fermat Test

Algorithm 3: FermatTest(n,t)

Input: An odd integer n ≥ 3 and a security parameter t > 0 Result: “prime” or “composite” begin for i = 1 to t step 1 do Choose a random integer a with 2 ≤ a ≤ n − 2; r = an−1 mod n ; /* Use fast exponentiation */ if r = 1 then return “composite”; return “prime”; end

◮ 2 ≤ a ≤ n − 2 because (n − 1)n−1 ≡ 1 mod n ◮ Output “composite”: always correct ◮ Output “prime”: often correct, but sometimes wrong

(Wrong results occur seldom because pseudoprimes (PPs) wrt a given basis a are rare)

◮ Observe: no check for (*) gcd(a, n) = 1 in the program

(Why? PPs wrt any basis a, for which (*) holds, are even rarer)

10/ 18

Carmichael Numbers

A Carmichael number (CN) n is a composite integer such that an−1 ≡ 1 mod n for all integers a which satisfy gcd(a, n) = 1.

◮ CNs: often wrongly classified as primes by FT ◮ CN n: pseudoprime for all a (1 ≤ a < n) with gcd(a, n) = 1 ◮ Possible Fermat witnesses for compositeness of a CN n:

a ∈ Z (1 ≤ a < n) with gcd(a, n) > 1

◮ Bad news: Fermat witnesses are factors of n

= ⇒ Hard to find witnesses, if n has only large prime factors

◮ Good news: each CN is a product of at least 3 primes and ◮ CNs are rare: 105.212 CNs in the interval [2, 1015] ◮ Improved probabilistic tests: Solovay-Strassen,

Rabin-Miller

11/ 18

Strong Pseudoprimes

Let n be an odd prime, and let n − 1 = 2sr where r is odd. Let a be any integer such that gcd(a, n) = 1. Then either ar ≡ 1 mod n or a2jr ≡ −1 mod n for some j, 0 ≤ j ≤ s − 1. r = (n − 1)/2s is odd, if 2s | n − 1, but 2s+1 ∤ n − 1 Let n be an odd composite integer and let n − 1 = 2sr where r is odd. Let a be an integer in the interval [1, n − 1].

(i) If ar ≡ 1 mod n and if a2jr ≡ −1 mod n for all j, 0 ≤ j ≤ s − 1, then a is called a strong witness (to compositeness) for n. (ii) Otherwise, i.e., if ar ≡ 1 mod n or a2j r ≡ −1 mod n for some j, 0 ≤ j ≤ s − 1, then n is said to be a strong pseudoprime to the base a. The integer a is called a strong liar (to primality) for n.

12/ 18

An Example for Strong Pseudoprimes

Example: Let n = 91 = 7 · 13

◮ Determine odd r = (n − 1)/2s: 90/2s yields s = 1, r = 45 ◮ Since 0 ≤ j ≤ s − 1 and s = 1, j has to be 0 ◮ Check for all basis a, whether ar ≡ ±1 mod n ◮ Clear for a = 1, for a = 2, ar ≡ 57 mod n, . . . ◮ The set of all 18 strong liars for n = 91 is

{1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}

If n is an odd composite integer, then at most 1/4 of all the numbers a, 1 ≤ a ≤ n − 1, are strong liars for n. In fact, if n = 9, the number of strong liars for n is at most ϕ(n)/4, where ϕ(·) is the Euler phi function

13/ 18

Pseudocode for the Rabin-Miller Test

Algorithm 4: RabinMiller(n,t)

Input: An odd integer n ≥ 3 and a security parameter t > 0 Result: “prime” or “composite” begin Write n − 1 = 2sr such that r is odd; for i = 1 to t step 1 do Choose a random integer a with 2 ≤ a ≤ n − 2; y = ar mod n ; /* Use fast exponentiation */ if y = 1 and y = n − 1 then ; /* Check a for being a strong witness */ j = 1; while j < s and y = n − 1 do y = y 2 mod n ; if y == 1 then return return “composite” ; /* (*) */ j=j+1; if y = n − 1 then return return “composite”; ; /* Strong witness detected */ return “prime”; end

14/ 18

A Comment on (*)

◮ Since y == 1, we have a2jr ≡ 1 mod n for the current j ◮ Observe that a2j−1r ≡ ±1 mod n

(Because otherwise, the loop would have terminated earlier!)

◮ For a, b, n integers, we have the following:

If a2 ≡ b2 mod n but a ≡ ±b mod n, then gcd(a − b, n) is a non-trivial factor of n

◮ Therefore, if y == 1, then n is composite and

gcd(a2j−1r − 1, n) is a factor of n

15/ 18

Some Comments

◮ Interpretation of the output: same as in the Fermat test ◮ Probabilities for erroneous answers

◮ For each odd composed integer:

Probability of the output “prime” of Rabin-Miller is ≤ ( 1

4)t

◮ Therefore, error probability pRM(t) ≤ ( 1

4)t for Rabin-Miller

(Practically very often much smaller than ( 1

4)t)

◮ Error probability pF(t) ≤ ( 1

2)t for Fermat

◮ t = 25: pF(t) ≈ 3 · 10−8 and pRM(t) ≈ 9 · 10−16

◮ Comparison of Rabin-Miller and Fermat

◮ Rabin-Miller is computationally not more expensive than

Fermat

◮ Rabin-Miller classifies at most as many primes as Fermat 16/ 18

Generation of Prime Numbers

◮ Generate probable primes or provable primes ◮ The former are randomly generated and checked with

Rabin-Miller

◮ Additionally: Test for small factors ≤ B ◮ The latter are constructed (e.g., with Maurer’s algorithm) ◮ Debatable, whether provable primes are really needed

17/ 18

Random Search for Primes with the Rabin-Miller Test

Algorithm 5: RandomPrimeSearch(k,t)

Input: An integer k and a security parameter t > 0 Result: A random k-bit probable prime begin

• 1. Generate a k-bit integer at random and set lsb=msb=1 (call it n);
• 2. Use trial division to determine whether n is divisible by any prime ≤ B;
• 3. if Rabin-Miller(n,t) outputs “prime” then return n;

else Go to step 1; end

◮ Trial division for small numbers faster than Rabin-Miller ◮ Probability that n possesses small factors is relative high ◮ Use table of all primes ≤ B in the trial division step ◮ Example for B = 256: 80% of the candidate are eliminated ◮ Error probability for k = 512 and t = 6 is ≤ 2−88

18/ 18