Chapter 4 Public-Key Parameters
Contents in Brief
4.1 Introduction 133
4.2 Probabilistic primality tests 135
4.3 (True) Primality tests 142
4.4 Prime number generation 145
4.5 Irreducible polynomials over 154
4.6 Generators and elements of high order 160
4.7 Notes and further references 165

4.1 Introduction

The efficient generation of public-key parameters is a prerequisite in public-key systems. A specific example is the requirement of a prime number to define a finite field for use in the Diffie-Hellman key agreement protocol and its derivatives (§12.6). In this case, an element of high order in is also required. Another example is the requirement of primes and for an RSA modulus (§8.2). In this case, the prime must be of sufficient size, and be “random” in the sense that the probability of any particular prime being selected must be sufficiently small to preclude an adversary from gaining advantage through optimizing a search strategy based on such probability. Prime numbers may be required to have certain additional properties, in order that they do not make the associated cryptosystems susceptible to specialized attacks. A third example is the requirement of an irreducible polynomial of degree over the finite field for constructing the finite field. In this case, an element of high order in is also required.

Chapter outline

The remainder of §4.1 introduces basic concepts relevant to prime number generation and summarizes some results on the distribution of prime numbers. Probabilistic primality tests, the most important of which is the Miller-Rabin test, are presented in §4.2. True primality tests by which arbitrary integers can be proven to be prime are the topic of §4.3; since these tests are generally more computationally intensive than probabilistic primality tests, they are not described in detail. §4.4 presents four algorithms for generating prime numbers, strong primes, and provable primes. §4.5 describes techniques for constructing irreducible and primitive polynomials, while §4.6 considers the production of generators and elements of high orders in groups. §4.7 concludes with chapter notes and references.

134 Ch. 4 Public-Key Parameters

4.1.1 Approaches to generating large prime numbers
To motivate the organization of this chapter and introduce many of the relevant concepts, the problem of generating large prime numbers is first considered. The most natural method is to generate a random number of appropriate size, and check if it is prime. This can be done by checking whether is divisible by any of the prime numbers. While more efficient methods are required in practice, to motivate further discussion consider the following approach:

1. Generate as candidate a random odd number of appropriate size.
2. Test for primality.
3. If is composite, return to the first step.

A slight modification is to consider candidates restricted to some search sequence starting from ; a trivial search sequence which may be used is . Using specific search sequences may allow one to increase the expectation that a candidate is prime, and to find primes possessing certain additional desirable properties a priori.

In step 2, the test for primality might be either a test which proves that the candidate is prime (in which case the outcome of the generator is called a provable prime), or a test which establishes a weaker result, such as that is “probably prime” (in which case the outcome of the generator is called a probable prime). In the latter case, careful consideration must be given to the exact meaning of this expression. Most so-called probabilistic primality tests are absolutely correct when they declare candidates to be composite, but do not provide a mathematical proof that is prime in the case when such a number is declared to be “probably” so. In the latter case, however, when used properly one may often be able to draw conclusions more than adequate for the purpose at hand. For this reason, such tests are more properly called compositeness tests than probabilistic primality tests. True primality tests, which allow one to conclude with mathematical certainty that a number is prime, also exist, but generally require considerably greater computational resources.
While (true) primality tests can determine (with mathematical certainty) whether a typically random candidate number is prime, other techniques exist whereby candidates are specially constructed such that it can be established by mathematical reasoning whether a candidate actually is prime. These are called constructive prime generation techniques.

A final distinction between different techniques for prime number generation is the use of randomness. Candidates are typically generated as a function of a random input. The technique used to judge the primality of the candidate, however, may or may not itself use random numbers. If it does not, the technique is deterministic, and the result is reproducible; if it does, the technique is said to be randomized. Both deterministic and randomized probabilistic primality tests exist.

In some cases, prime numbers are required which have additional properties. For example, to make the extraction of discrete logarithms in resistant to an algorithm due to Pohlig and Hellman (§3.6.4), it is a requirement that have a large prime divisor. Thus techniques for generating public-key parameters, such as prime numbers, of special form need to be considered.

4.1.2 Distribution of prime numbers
Let denote the number of primes in the interval . The prime number theorem (Fact 2.95) states that . In other words, the number of primes in the interval is approximately equal to . The prime numbers are quite uniformly distributed, as the following three results illustrate.

4.1 Fact (Dirichlet theorem) If , then there are infinitely many primes congruent to modulo .

A more explicit version of Dirichlet’s theorem is the following.

4.2 Fact Let denote the number of primes in the interval which are congruent to modulo , where . Then . In other words, the prime numbers are roughly uniformly distributed among the congruence classes in , for any value of .

4.3 Fact (approximation for the th prime number) Let denote the th prime number. Then . More explicitly, .

Footnote: If and are two functions, then means that .

c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

4.2 Probabilistic primality tests

The algorithms in this section are methods by which arbitrary positive integers are tested to provide partial information regarding their primality. More specifically, probabilistic primality tests have the following framework. For each odd positive integer , a set is defined such that the following properties hold:
(i) given , it can be checked in deterministic polynomial time whether ;
(ii) if is prime, then (the empty set); and
(iii) if is composite, then .

4.4 Definition If is composite, the elements of are called witnesses to the compositeness of , and the elements of the complementary set are called liars.

A probabilistic primality test utilizes these properties of the sets in the following manner. Suppose that is an integer whose primality is to be determined. An integer is chosen at random, and it is checked if . The test outputs “composite” if , and outputs “prime” if . If indeed , then is said to fail the primality test for the base ; in this case, is surely composite. If , then is said to pass the primality test for the base ; in this case, no conclusion with absolute certainty can be drawn about the primality of , and the declaration “prime” may be incorrect.

Any single execution of this test which declares “composite” establishes this with certainty. On the other hand, successive independent runs of the test all of which return the answer “prime” allow the confidence that the input is indeed prime to be increased to whatever level is desired — the cumulative probability of error is multiplicative over independent trials. If the test is run times independently on the composite number , the probability that is declared “prime” all times (i.e., the probability of error) is at most .

This discussion illustrates why a probabilistic primality test is more properly called a compositeness test.

4.5 Definition An integer which is believed to be prime on the basis of a probabilistic primality test is called a probable prime.

Two probabilistic primality tests are covered in this section: the Solovay-Strassen test (§4.2.2) and the Miller-Rabin test (§4.2.3). For historical reasons, the Fermat test is first discussed in §4.2.1; this test is not truly a probabilistic primality test since it usually fails to distinguish between prime numbers and special composite integers called Carmichael numbers.

4.2.1 Fermat’s test
Fermat’s theorem (Fact 2.127) asserts that if is a prime and is any integer, , then . Therefore, given an integer whose primality is under question, finding any integer in this interval such that this equivalence is not true suffices to prove that is composite. Conversely, finding an integer between and such that makes appear to be a prime in the sense that it satisfies Fermat’s theorem for the base . This motivates the following definition and Algorithm 4.9.

4.6 Definition Let be an odd composite integer. An integer , , such that is called a Fermat witness (to compositeness) for .

4.7 Definition Let be an odd composite integer and let be an integer, . Then is said to be a pseudoprime to the base if . The integer is called a Fermat liar (to primality) for .

4.8 Example (pseudoprime) The composite integer ( ) is a pseudoprime to the base since .

4.9 Algorithm Fermat primality test
FERMAT( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. For from to do the following:
1.1 Choose a random integer , .
1.2 Compute using Algorithm 2.143.
1.3 If then return(“composite”).
2. Return(“prime”).

If Algorithm 4.9 declares “composite”, then is certainly composite. On the other hand, if the algorithm declares “prime” then no proof is provided that is indeed prime. Nonetheless, since pseudoprimes for a given base are known to be rare, Fermat’s test provides a correct answer on most inputs; this, however, is quite distinct from providing a correct answer most of the time (e.g., if run with different bases) on every input. In fact, it does not do the latter because there are (even rarer) composite numbers which are pseudoprimes to every base for which .

4.10 Definition A Carmichael number is a composite integer such that for all integers which satisfy .

The smallest Carmichael number is . Carmichael numbers are relatively scarce; there are only Carmichael numbers .

If is a Carmichael number, then the only Fermat witnesses for are those integers , , for which . Thus, if the prime factors of are all large, then with high probability the Fermat test declares that is “prime”, even if the number of iterations is large. This deficiency in the Fermat test is removed in the Solovay-Strassen and Miller-Rabin probabilistic primality tests by relying on criteria which are stronger than Fermat’s theorem.

This subsection is concluded with some facts about Carmichael numbers. If the prime factorization of is known, then Fact 4.11 can be used to easily determine whether is a Carmichael number.

4.11 Fact (necessary and sufficient conditions for Carmichael numbers) A composite integer is a Carmichael number if and only if the following two conditions are satisfied:
(i) is squarefree, i.e., is not divisible by the square of any prime; and
(ii) divides for every prime divisor of .

A consequence of Fact 4.11 is the following.

4.12 Fact Every Carmichael number is the product of at least three distinct primes.

4.13 Fact (bounds for the number of Carmichael numbers)
(i) There are an infinite number of Carmichael numbers. In fact, there are more than Carmichael numbers in the interval , once is sufficiently large.
(ii) The best upper bound known for , the number of Carmichael numbers , is: .

4.2.2 Solovay-Strassen test

The Solovay-Strassen probabilistic primality test was the first such test popularized by the advent of public-key cryptography, in particular the RSA cryptosystem. There is no longer any reason to use this test, because an alternative is available (the Miller-Rabin test) which is both more efficient and always at least as correct (see Note 4.33). Discussion is nonetheless included for historical completeness and to clarify this exact point, since many people continue to reference this test.

Recall (§2.4.5) that denotes the Jacobi symbol, and is equivalent to the Legendre symbol if is prime. The Solovay-Strassen test is based on the following fact.

4.14 Fact (Euler’s criterion) Let be an odd prime. Then for all integers which satisfy .

Fact 4.14 motivates the following definitions.

4.15 Definition Let be an odd composite integer and let be an integer, .
(i) If either or , then is called an Euler witness (to compositeness) for .
(ii) Otherwise, i.e., if and , then is said to be an Euler pseudoprime to the base . (That is, acts like a prime in that it satisfies Euler’s criterion for the particular base .) The integer is called an Euler liar (to primality) for .

4.16 Example (Euler pseudoprime) The composite integer ( ) is an Euler pseudoprime to the base since and .

Euler’s criterion (Fact 4.14) can be used as a basis for a probabilistic primality test because of the following result.

4.17 Fact Let be an odd composite integer. Then at most of all the numbers , , are Euler liars for (Definition 4.15). Here, is the Euler phi function (Definition 2.100).

4.18 Algorithm Solovay-Strassen probabilistic primality test
SOLOVAY-STRASSEN( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. For from to do the following:
1.1 Choose a random integer , .
1.2 Compute using Algorithm 2.143.
1.3 If and then return(“composite”).
1.4 Compute the Jacobi symbol using Algorithm 2.149.
1.5 If then return(“composite”).
2. Return(“prime”).

If , then is a divisor of . Hence, testing whether in step 1.3 eliminates the necessity of testing whether . If Algorithm 4.18 declares “composite”, then is certainly composite because prime numbers do not violate Euler’s criterion (Fact 4.14). Equivalently, if is actually prime, then the algorithm always declares “prime”. On the other hand, if is actually composite, then since the bases in step 1.1 are chosen independently during each iteration of step 1, Fact 4.17 can be used to deduce the following probability of the algorithm erroneously declaring “prime”.

4.19 Fact (Solovay-Strassen error-probability bound) Let be an odd composite integer. The probability that SOLOVAY-STRASSEN( , ) declares to be “prime” is less than .

4.2.3 Miller-Rabin test
The probabilistic primality test used most in practice is the Miller-Rabin test, also known as the strong pseudoprime test. The test is based on the following fact.

4.20 Fact Let be an odd prime, and let where is odd. Let be any integer such that . Then either or for some , .

Fact 4.20 motivates the following definitions.

4.21 Definition Let be an odd composite integer and let where is odd. Let be an integer in the interval .
(i) If and if for all , , then is called a strong witness (to compositeness) for .
(ii) Otherwise, i.e., if either or for some , , then is said to be a strong pseudoprime to the base . (That is, acts like a prime in that it satisfies Fact 4.20 for the particular base .) The integer is called a strong liar (to primality) for .

4.22 Example (strong pseudoprime) Consider the composite integer ( ). Since and , is a strong pseudoprime to the base . The set of all strong liars for is: . Notice that the number of strong liars for is , where is the Euler phi function (cf. Fact 4.23).

Fact 4.20 can be used as a basis for a probabilistic primality test due to the following result.

4.23 Fact If is an odd composite integer, then at most of all the numbers , , are strong liars for . In fact, if , the number of strong liars for is at most , where is the Euler phi function (Definition 2.100).

4.24 Algorithm Miller-Rabin probabilistic primality test
MILLER-RABIN( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. Write such that is odd.
2. For from to do the following:
2.1 Choose a random integer , .
2.2 Compute using Algorithm 2.143.
2.3 If and then do the following: Set . While and do the following: Compute . If then return(“composite”). Set . If then return(“composite”).
3. Return(“prime”).

Algorithm 4.24 tests whether each base satisfies the conditions of Definition 4.21(i). In the fifth line of step 2.3, if , then . Since it is also the case that , it follows from Fact 3.18 that is composite (in fact is a nontrivial factor of ). In the seventh line of step 2.3, if , then is a strong witness for .

If Algorithm 4.24 declares “composite”, then is certainly composite because prime numbers do not violate Fact 4.20. Equivalently, if is actually prime, then the algorithm always declares “prime”. On the other hand, if is actually composite, then Fact 4.23 can be used to deduce the following probability of the algorithm erroneously declaring “prime”.

4.25 Fact (Miller-Rabin error-probability bound) For any odd composite integer , the probability that MILLER-RABIN( , ) declares to be “prime” is less than .

4.26 Remark (number of strong liars) For most composite integers , the number of strong liars for is actually much smaller than the upper bound of given in Fact 4.23. Consequently, the Miller-Rabin error-probability bound is much smaller than for most positive integers .

4.27 Example (some composite integers have very few strong liars) The only strong liars for ( ) are and . More generally, if and the composite integer is the product of the first odd primes, there are only strong liars for , namely and .

4.28 Remark (fixed bases in Miller-Rabin) If and are strong liars for , their product is very likely, but not certain, to also be a strong liar for . A strategy that is sometimes employed is to fix the bases in the Miller-Rabin algorithm to be the first few primes (composite bases are ignored because of the preceding statement), instead of choosing them at random.

4.29 Definition Let denote the first primes. Then is defined to be the smallest positive composite integer which is a strong pseudoprime to all the bases .
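The generation loop of §4.1.1 together with the Fermat test (Algorithm 4.9), the Carmichael criterion (Fact 4.11) and the Miller-Rabin test (Algorithm 4.24), as an added Python example that is not code from the Handbook. The composites 561 = 3·11·17 (a Carmichael number) and 91 = 7·13 are inputs chosen here for illustration; the base range, return strings and function names follow the algorithms above.

```python
import random


def fermat_test(n, t, rng=random):
    """Algorithm 4.9 FERMAT(n, t): t random bases a with 2 <= a <= n-2."""
    if n in (2, 3):
        return "prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    for _ in range(t):
        a = rng.randrange(2, n - 1)          # 2 <= a <= n-2
        if pow(a, n - 1, n) != 1:            # a is a Fermat witness (Definition 4.6)
            return "composite"
    return "prime"                           # really "probable prime" (Definition 4.5)


def fermat_liars(n):
    """Definition 4.7: bases a in [1, n-1] with a^(n-1) = 1 (mod n)."""
    return [a for a in range(1, n) if pow(a, n - 1, n) == 1]


def distinct_prime_factors(n):
    """Trial division; adequate for the small integers used in this example."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_carmichael(n):
    """Fact 4.11: n odd composite, squarefree, and (p-1) | (n-1) for every prime p | n."""
    if n < 3 or n % 2 == 0:
        return False
    primes = distinct_prime_factors(n)
    if len(primes) < 2:                      # n is itself prime (Fact 4.12 needs >= 3)
        return False
    product = 1
    for p in primes:
        product *= p
    squarefree = (product == n)
    return squarefree and all((n - 1) % (p - 1) == 0 for p in primes)


def is_strong_witness(n, a):
    """One pass of step 2 of Algorithm 4.24 for the base a.
    Returns True when a proves n composite (a strong witness, Definition 4.21(i))."""
    r, s = n - 1, 0
    while r % 2 == 0:                        # step 1: n - 1 = 2^s * r with r odd
        r //= 2
        s += 1
    y = pow(a, r, n)
    if y == 1 or y == n - 1:
        return False
    for _ in range(s - 1):                   # the while loop of step 2.3
        y = pow(y, 2, n)
        if y == 1:                           # nontrivial square root of 1 (Fact 3.18)
            return True
        if y == n - 1:
            return False
    return True                              # seventh line of step 2.3: y != n - 1


def miller_rabin(n, t, rng=random):
    """Algorithm 4.24 MILLER-RABIN(n, t)."""
    if n in (2, 3):
        return "prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    for _ in range(t):
        a = rng.randrange(2, n - 1)          # step 2.1: 2 <= a <= n-2
        if is_strong_witness(n, a):
            return "composite"
    return "prime"


def generate_probable_prime(bits, t=25, rng=random):
    """The loop of §4.1.1: random odd candidate of the requested size, test, repeat."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and low bit set
        if miller_rabin(n, t, rng) == "prime":
            return n
```

For the Carmichael number 561 every base coprime to it is a Fermat liar, so Algorithm 4.9 only detects it through a base sharing a factor, while Algorithm 4.24 has just 10 strong liars to contend with.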
The numbers can be interpreted as follows: to determine the primality of any integer , it is sufficient to apply the Miller-Rabin algorithm to with the bases being the first prime numbers. With this choice of bases, the answer returned by Miller-Rabin is always correct. Table 4.1 gives the value of for .

Table 4.1: Smallest strong pseudoprimes. The table lists values of , the smallest positive composite integer that is a strong pseudoprime to each of the first prime bases, for .

4.2.4 Comparison: Fermat, Solovay-Strassen, and Miller-Rabin
Fact 4.30 describes the relationships between Fermat liars, Euler liars, and strong liars (see Definitions 4.7, 4.15, and 4.21).

4.30 Fact Let be an odd composite integer.
(i) If is an Euler liar for , then it is also a Fermat liar for .
(ii) If is a strong liar for , then it is also an Euler liar for .

4.31 Example (Fermat, Euler, strong liars) Consider the composite integer ( ). The Fermat liars for are . The Euler liars for are , while the strong liars for are .

For a fixed composite candidate , the situation is depicted in Figure 4.1.

Figure 4.1: Relationships between Fermat, Euler, and strong liars for a composite integer . (Figure labels: Fermat liars for ; Euler liars for ; strong liars for .)

This settles the question of the relative accuracy of the Fermat, Solovay-Strassen, and Miller-Rabin tests, not only in the sense of the relative correctness of each test on a fixed candidate , but also in the sense that given , the specified containments hold for each randomly chosen base . Thus, from a correctness point of view, the Miller-Rabin test is never worse than the Solovay-Strassen test, which in turn is never worse than the Fermat test. As the following result shows, there are, however, some composite integers for which the Solovay-Strassen and Miller-Rabin tests are equally good.

4.32 Fact If , then is an Euler liar for if and only if it is a strong liar for .

What remains is a comparison of the computational costs. While the Miller-Rabin test may appear more complex, it actually requires, at worst, the same amount of computation as Fermat’s test in terms of modular multiplications; thus the Miller-Rabin test is better than Fermat’s test in all regards. At worst, the sequence of computations defined in MILLER-RABIN( ,1) requires the equivalent of computing . It is also the case that MILLER-RABIN( ,1) requires less computation than SOLOVAY-STRASSEN( ,1), the latter requiring the computation of and possibly a further Jacobi symbol computation. For this reason, the Solovay-Strassen test is both computationally and conceptually more complex.

4.33 Note (Miller-Rabin is better than Solovay-Strassen) In summary, both the Miller-Rabin and Solovay-Strassen tests are correct in the event that either their input is actually prime, or that they declare their input composite. There is, however, no reason to use the Solovay-Strassen test (nor the Fermat test) over the Miller-Rabin test. The reasons for this are summarized below.
(i) The Solovay-Strassen test is computationally more expensive.
(ii) The Solovay-Strassen test is harder to implement since it also involves Jacobi symbol computations.
(iii) The error probability for Solovay-Strassen is bounded above by , while the error probability for Miller-Rabin is bounded above by .
(iv) Any strong liar for is also an Euler liar for . Hence, from a correctness point of view, the Miller-Rabin test is never worse than the Solovay-Strassen test.
4.3 (True) Primality tests

The primality tests in this section are methods by which positive integers can be proven to be prime, and are often referred to as primality proving algorithms. These primality tests are generally more computationally intensive than the probabilistic primality tests of §4.2. Consequently, before applying one of these tests to a candidate prime , the candidate should be subjected to a probabilistic primality test such as Miller-Rabin (Algorithm 4.24).

4.34 Definition An integer which is determined to be prime on the basis of a primality proving algorithm is called a provable prime.

4.3.1 Testing Mersenne numbers

Efficient algorithms are known for testing primality of some special classes of numbers, such as Mersenne numbers and Fermat numbers. Mersenne primes are useful because the arithmetic in the field for such can be implemented very efficiently (see §14.3.4). The Lucas-Lehmer test for Mersenne numbers (Algorithm 4.37) is such an algorithm.

4.35 Definition Let be an integer. A Mersenne number is an integer of the form . If is prime, then it is called a Mersenne prime.

The following are necessary and sufficient conditions for a Mersenne number to be prime.

4.36 Fact Let . The Mersenne number is prime if and only if the following two conditions are satisfied:
(i) is prime; and
(ii) the sequence of integers defined by and for satisfies .

Fact 4.36 leads to the following deterministic polynomial-time algorithm for determining (with certainty) whether a Mersenne number is prime.

4.37 Algorithm Lucas-Lehmer primality test for Mersenne numbers
INPUT: a Mersenne number with .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. Use trial division to check if has any factors between and . If it does, then return(“composite”).
2. Set .
3. For from 1 to do the following: compute .
4. If then return(“prime”). Otherwise, return(“composite”).

It is unknown whether there are infinitely many Mersenne primes. Table 4.2 lists the known Mersenne primes.

Table 4.2: Known Mersenne primes. The table shows the known exponents , , for which is a Mersenne prime, and also the number of decimal digits in . The question marks after and indicate that it is not known whether there are any other exponents between and these numbers for which is prime.
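Algorithm 4.37 as an added Python example (not the Handbook’s own code): step 1 is the trial division of the exponent, steps 2 to 4 the Lucas-Lehmer recursion on the Mersenne number itself. The helper that scans a range of exponents, and the bound 130 used to exercise it, are choices made here for the demonstration.

```python
from math import isqrt


def lucas_lehmer(s):
    """Algorithm 4.37 applied to the Mersenne number n = 2^s - 1, s >= 3.
    Returns "prime" or "composite" with certainty (Fact 4.36)."""
    if s < 3:
        raise ValueError("Algorithm 4.37 requires s >= 3")
    # Step 1: if s has a factor d, then 2^d - 1 divides 2^s - 1, so n is composite.
    for d in range(2, isqrt(s) + 1):
        if s % d == 0:
            return "composite"
    n = (1 << s) - 1
    u = 4                                    # step 2: u_0 = 4
    for _ in range(s - 2):                   # step 3: u_k = u_{k-1}^2 - 2 mod n, k = 1..s-2
        u = (u * u - 2) % n
    return "prime" if u == 0 else "composite"   # step 4: prime iff u_{s-2} = 0


def mersenne_factor_from_exponent(s):
    """The factor step 1 relies on: for the smallest prime divisor d of a
    composite exponent s, 2^d - 1 is a nontrivial divisor of 2^s - 1.
    Returns None when s is prime."""
    for d in range(2, isqrt(s) + 1):
        if s % d == 0:
            return (1 << d) - 1
    return None


def mersenne_prime_exponents(limit):
    """Exponents 3 <= s <= limit for which 2^s - 1 is a Mersenne prime."""
    return [s for s in range(3, limit + 1) if lucas_lehmer(s) == "prime"]
```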
ö æ 5ô ö ç è è õ vå ç 4è õ å æ ôóò aç ø÷ 2ã This section presents results which can be used to prove that an integer is prime, provided that the factorization or a partial factorization of is known. It may seem odd to consider a technique which requires the factorization of as a subproblem — if integers of this size can be factored, the primality of itself could be determined by factoring . However, the factorization of may be easier to compute if has a special form, such as a Fermat number . Another situation where the factorization of may be easy to compute is when the candidate is “constructed” by speciﬁc methods (see 4.4.4).
ý This result follows from the fact that has an element of order (Deﬁnition 2.128) if and only if is prime; an element satisfying conditions (i) and (ii) has order . 4.39 Note (primality test based on Fact 4.38) If is a prime, the number of elements of order is precisely . Hence, to prove a candidate prime, one may simply choose an integer at random and uses Fact 4.38 to check if has order . If this is the case, then is certainly prime. Otherwise, another is selected and the test is repeated. If is indeed prime, the expected number of iterations before an element of order is selected is ; this follows since for
ÿþ w5ý ÿþ 1ý ý Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. ý fWVeWX1cdbY0I HGI7a0` " V " S# EP ÿ þ xý ÿ þ 1ý ÿþ w5ý ÿ þ 1ý ý D F ©E 0V" 1 XWYXW%VUT ý ý E 0" I HG ÿþ 5ý ý ÿ & RQ EP ÿ p 4.38 Fact Let satisfying: (i) (ii)
ý be an integer. Then is prime if and only if there exists an integer ; and for each prime divisor of . ý ÿ þ ý ý ûú ü9ù 4.3.2 Primality testing using the factorization of
ÿþ %ý ÿ Aý þ èè ñ å æ ôóò Ð£ç ä 1ã ñ qæ ìæëîé 44ç çèîëç 44ç ïéïé 44ì æéëí 44è éìçè 44è çìíé 44ç éíèè 44æ ë44ì îí è44ì èé ç44ì ïï ì44è ëè è44ç íí ë44ç æí ç44æ èè æ44æ îç íì 4í ä 1ã èè êíé 4©4î íèîìé 44ë æíïìæ 44ç í êïçè ©4æ èïéïæ 44æ è©4î êçì ëíêê 44ê í44ç ïçè æ44ç ïëæ ë44æ èíí è44æ æçæ æ êí ©4í íîì 44í èçê 44ê è4ê éç ëæç 44è è è ý ðè è ðè ç æè ïè íç îç ëç ìç éç ê ©ç èç çç æç ïç íæ î æ å æ æ ç è ì ì ëî 4ì êì ì ìî 4è èî 4æ ëé 4æ í4è è4è ë4ç í4æ ï 4æ ê ý ý 0( 1 C&'7$"# [email protected]43 A! 2 0( 1 )&'%$"# © § ! ä 1ã ç è é ë æîç 4ç èïç 4ç íëç 4æ ë4ì ï æ4é ç ë4æ ç ë4æ ï í4î æ4ì æ4è í4æ ë4æ è 4æ ÿ þ ý ÿ ëæ ìæ éæ ê ©æ èæ çæ ææ ï æ í ¨¦¢ ©§¥¤£¡ æ ç è é ì ë î å ê ý ý ý ÿþ Ë¥ý ý ÿþ ý â 4.3 (True) Primality tests 143 Index decimal digits Index decimal digits 144 Ch. 4 PublicKey Parameters (Fact 2.102). Thus, if such an is not found after a “reasonable” number (for example, ) of iterations, then is probably composite and should again be subjected to a probabilistic primality test such as MillerRabin (Algorithm 4.24). This method is, in effect, a probabilistic compositeness test. The next result gives a method for proving primality which requires knowledge of only . a partial factorization of 4.40 Fact (Pocklington’s theorem) Let be an integer, and let (i.e. divides ) where the prime factorization of is . If there exists an integer satisfying: (i) ; and (ii) for each , , , then every prime divisor of is congruent to 1 modulo . It follows that if then is prime. If is indeed prime, then the following result establishes that most integers conditions (i) and (ii) of Fact 4.40, provided that the prime divisors of sufﬁciently large. satisfy are 4.41 Fact Let be an odd prime with and . Let the distinct prime factors of be , . Then the probability that a randomly selected base , , satisﬁes both: (i) ; and (ii) for each , , is . 
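As an added example (my own code, not the Handbook's), the three true primality tests of Facts 4.36, 4.38 and 4.40 in Python: the Lucas-Lehmer sequence for Mersenne numbers, the random search for a base of order n-1 from Note 4.39, and Pocklington's criterion with a fully factored divisor F of n-1. The trial-division factoring helper and the sample inputs (the Fermat prime 65537, the Proth prime 7*2^14+1 = 114689, and the composites 561 and 3073) are my own choices.

```python
import random
from math import gcd


def distinct_prime_factors(n):
    """Distinct prime factors of n by trial division; a constructed helper, adequate for the demo sizes."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def lucas_lehmer(s):
    """Fact 4.36: for s >= 3 the Mersenne number n = 2^s - 1 is prime iff s is prime and
    u_{s-2} = 0, where u_0 = 4 and u_{k+1} = (u_k^2 - 2) mod n."""
    if distinct_prime_factors(s) != {s}:      # condition (i): s itself must be prime
        return False
    n = (1 << s) - 1
    u = 4
    for _ in range(s - 2):
        u = (u * u - 2) % n
    return u == 0                              # condition (ii)


def lucas_certifies(n, a, q_list):
    """Fact 4.38: a proves n prime iff a^(n-1) = 1 (mod n) and a^((n-1)/q) != 1 (mod n)
    for every prime q dividing n - 1, i.e. a has order exactly n - 1."""
    return pow(a, n - 1, n) == 1 and all(pow(a, (n - 1) // q, n) != 1 for q in q_list)


def find_lucas_witness(n, tries=100):
    """Note 4.39: draw random bases until one has order n - 1. Returns None after `tries`
    failures, in which case n is probably composite and should go back to Miller-Rabin."""
    q_list = distinct_prime_factors(n - 1)
    for _ in range(tries):
        a = random.randrange(2, n)
        if lucas_certifies(n, a, q_list):
            return a
    return None


def pocklington_certifies(n, F, a):
    """Fact 4.40 with n - 1 = R*F and F fully factored. True when (i) a^(n-1) = 1 (mod n),
    (ii) gcd(a^((n-1)/q) - 1, n) = 1 for each prime q | F, and F > sqrt(n) - 1, so n is prime.
    Without the size condition on F, (i) and (ii) only show every prime divisor of n is 1 mod F."""
    assert (n - 1) % F == 0, "F must divide n - 1"
    if pow(a, n - 1, n) != 1:
        return False
    if any(gcd(pow(a, (n - 1) // q, n) - 1, n) != 1 for q in distinct_prime_factors(F)):
        return False
    return (F + 1) ** 2 > n                    # F > sqrt(n) - 1
```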
Thus, if the factorization of a divisor of is known then to test for primality, one may simply choose random integers in the interval until one is found satisfying conditions (i) and (ii) of Fact 4.40, implying that is prime. If such an is not found after a “reasonable” number of iterations, then is probably composite and this could be established by subjecting it to a probabilistic primality test (footnote 3 also applies here). This method is, in effect, a probabilistic compositeness test.

The next result gives a method for proving primality which only requires the factorization of a divisor of that is greater than . For an example of the use of Fact 4.42, see Note 4.63.

4.42 Fact Let be an odd integer. Let , and suppose that there exists an integer satisfying both: (i) ; and (ii) for each prime divisor of . Let and be defined by and . If and if is neither nor a perfect square, then is prime.

4.3.3 Jacobi sum test
The Jacobi sum test is another true primality test. The basic idea is to test a set of congruences which are analogues of Fermat’s theorem (Fact 2.127(i)) in certain cyclotomic rings. The running time of the Jacobi sum test for determining the primality of an integer is bit operations for some constant . This is “almost” a polynomial-time algorithm since the exponent acts like a constant for the range of values for of interest. For example, if , then . The version of the Jacobi sum primality test used in practice is a randomized algorithm which terminates within steps with probability at least for every , and always gives a correct answer. One drawback of the algorithm is that it does not produce a “certificate” which would enable the answer to be verified in much shorter time than running the algorithm itself. The Jacobi sum test is, indeed, practical in the sense that the primality of numbers that are several hundred decimal digits long can be handled in just a few minutes on a computer. However, the test is not as easy to program as the probabilistic Miller-Rabin test (Algorithm 4.24), and the resulting code is not as compact. The details of the algorithm are complicated and are not given here; pointers to the literature are given in the chapter notes on page 166.

Another approach is to run both algorithms in parallel (with an unlimited number of iterations), until one of them stops with a definite conclusion “prime” or “composite”. The number of iterations may be taken to be where , and where .

4.3.4 Tests using elliptic curves
Elliptic curve primality proving algorithms are based on an elliptic curve analogue of Pocklington’s theorem (Fact 4.40). The version of the algorithm used in practice is usually referred to as Atkin’s test or the Elliptic Curve Primality Proving algorithm (ECPP). Under heuristic arguments, the expected running time of this algorithm for proving the primality of an integer has been shown to be bit operations for any . Atkin’s test has the advantage over the Jacobi sum test (§4.3.3) that it produces a short certificate of primality which can be used to efficiently verify the primality of the number. Atkin’s test has been used to prove the primality of numbers more than 1000 decimal digits long. The details of the algorithm are complicated and are not presented here; pointers to the literature are given in the chapter notes on page 166.

4.4 Prime number generation
This section considers algorithms for the generation of prime numbers for cryptographic purposes. Four algorithms are presented: Algorithm 4.44 for generating probable primes (see Definition 4.5), Algorithm 4.53 for generating strong primes (see Definition 4.52), Algorithm 4.56 for generating probable primes and suitable for use in the Digital Signature Algorithm (DSA), and Algorithm 4.62 for generating provable primes (see Definition 4.34).

4.43 Note (prime generation vs. primality testing) Prime number generation differs from primality testing as described in §4.2 and §4.3, but may and typically does involve the latter. The former allows the construction of candidates of a fixed form which may lead to more efficient testing than possible for random candidates.

4.4.1 Random search for probable primes
By the prime number theorem (Fact 2.95), the proportion of (positive) integers that are prime is approximately . Since half of all integers are even, the proportion of odd integers that are prime is approximately . For instance, the proportion of all odd integers that are prime is approximately . This suggests that a reasonable strategy for selecting a random bit (probable) prime is to repeatedly pick random bit odd integers until one is found that is declared to be “prime” by MILLER-RABIN( , ) (Algorithm 4.24) for an appropriate value of the security parameter (discussed below).

If a random bit odd integer is divisible by a small prime, it is less computationally expensive to rule out the candidate by trial division than by using the Miller-Rabin test. Since the probability that a random integer has a small prime divisor is relatively large, before applying the Miller-Rabin test, the candidate should be tested for small divisors below a predetermined bound . This can be done by dividing by all the primes below , or by computing greatest common divisors of and (precomputed) products of several of the primes . The proportion of candidate odd integers not ruled out by this trial division is which, by Mertens’s theorem, is approximately (here ranges over prime values). For example, if , then only 20% of candidate odd integers pass the trial division stage, i.e., 80% are discarded before the more costly Miller-Rabin test is performed.

4.44 Algorithm Random search for a prime using the Miller-Rabin test
RANDOM-SEARCH( , )
INPUT: an integer , and a security parameter (cf. Note 4.49).
OUTPUT: a random bit probable prime.
1. Generate an odd bit integer at random.
2. Use trial division to determine whether is divisible by any odd prime (see Note 4.45 for guidance on selecting ). If it is then go to step 1.
3. If MILLER-RABIN( , ) (Algorithm 4.24) outputs “prime” then return( ). Otherwise, go to step 1.

4.45 Note (optimal trial division bound ) Let denote the time for a full bit modular exponentiation, and let denote the time required for ruling out one small prime as divisor of a bit integer. (The values and depend on the particular implementation of long-integer arithmetic.) Then the trial division bound that minimizes the expected running time of Algorithm 4.44 for generating a bit prime is roughly . A more accurate estimate of the optimum choice for can be obtained experimentally. The odd primes up to can be precomputed and stored in a table. If memory is scarce, a value of that is smaller than the optimum value may be used.

Since the Miller-Rabin test does not provide a mathematical proof that a number is indeed prime, the number returned by Algorithm 4.44 is a probable prime (Definition 4.5). It is important, therefore, to have an estimate of the probability that is in fact composite.

4.46 Definition The probability that RANDOM-SEARCH( , ) (Algorithm 4.44) returns a composite number is denoted by .

4.47 Note (remarks on estimating ) It is tempting to conclude directly from Fact 4.25 that . This reasoning is flawed (although typically the conclusion will be correct in practice) since it does not take into account the distribution of the primes. (For example, if all candidates were chosen from a set of composite numbers, the probability of error is 1.) The following discussion elaborates on this point. Let represent the event that is composite, and let denote the event that MILLER-RABIN( , ) declares to be prime. Then Fact 4.25 states that . What is relevant, however, to the estimation of is the quantity . Suppose that candidates are drawn uniformly and randomly from a set of odd numbers, and suppose is the probability that is prime (this depends on the candidate set ). Assume also that . Then by Bayes’ theorem (Fact 2.10): for , since . Thus the probability may be considerably larger than if is small. However, the error probability of Miller-Rabin is usually far smaller than (see Remark 4.26). Using better estimates for and estimates on the number of bit prime numbers, it has been shown that is, in fact, smaller than for all sufficiently large . A more concrete result is the following: if candidates are chosen at random from the set of odd numbers in the interval , then for all .

4.48 Fact (some upper bounds on for in Algorithm 4.44) (i) . Further refinements for various values of and allow the following explicit upper bounds on : (ii) for ( , ) or ( , ); (iii) for , ; (iv) for , .

For example, if and , then Fact 4.48(ii) gives . In other words, the probability that RANDOM-SEARCH(512,6) returns a 512-bit composite integer is less than . Using more advanced techniques, the upper bounds on given by Fact 4.48 have been improved. These upper bounds arise from complicated formulae which are not given here. Table 4.3 lists some improved upper bounds on for some sample values of and . As an example, the probability that RANDOM-SEARCH(500,6) returns a composite number is . Notice that the values of implied by the table are considerably smaller than .

The estimates of presented in the remainder of this subsection were derived for the situation where Algorithm 4.44 does not use trial division by small primes to rule out some candidates . Since trial division never rules out a prime, it can only give a better chance of rejecting composites. Thus the error probability might actually be even smaller than the estimates given here.

Table 4.3: Upper bounds on for sample values of and . An entry corresponding to and implies . [table body omitted]

4.49 Note (controlling the error probability) In practice, one is usually willing to tolerate an error probability of when using Algorithm 4.44 to generate probable primes. For sample values of , Table 4.4 lists the smallest value of that can be derived from Fact 4.48 for which . For example, when generating 1000-bit probable primes, Miller-Rabin with repetitions suffices. Algorithm 4.44 rules out most candidates either by trial division (in step 2) or by performing just one iteration of the Miller-Rabin test (in step 3). For this reason, the only effect of selecting a larger security parameter on the running time of the algorithm will likely be to increase the time required in the final stage when the (probable) prime is chosen.

4.50 Remark (Miller-Rabin test with base ) The Miller-Rabin test involves exponentiating the base ; this may be performed using the repeated square-and-multiply algorithm (Algorithm 2.143). If , then multiplication by is a simple procedure relative to multiplying by in general. One optimization of Algorithm 4.44 is, therefore, to fix the base when first performing the Miller-Rabin test in step 3. Since most composite numbers will fail the Miller-Rabin test with base , this modification will lower the expected running time of Algorithm 4.44.

4.51 Note (incremental search) (i) An alternative technique to generating candidates at random in step 1 of Algorithm 4.44 is to first select a random bit odd number , and then test the numbers for primality. If all these candidates are found to be composite, the algorithm is said to have failed. If where is a constant, the probability that this incremental search variant of Algorithm 4.44 returns a composite number has been shown to be less than for some constant . Table 4.5 gives some explicit bounds on this error probability for and . Under reasonable number-theoretic assumptions, the probability of the algorithm failing has been shown to be less than for large (here, ). (ii) Incremental search has the advantage that fewer random bits are required. Furthermore, the trial division by small primes in step 2 of Algorithm 4.44 can be accomplished very efficiently as follows. First the values are computed for each odd prime . Each time is added to the current candidate, the values in the table are updated as . The candidate passes the trial division stage if and only if none of the values equal . (iii) If is large, an alternative method for doing the trial division is to initialize a table for ; the entry corresponds to the candidate . For each odd prime , is computed. Let be the smallest index for which . Then and each entry after it are set to . A candidate then passes the trial division stage if and only if . Note that the estimate for the optimal trial division bound given in Note 4.45 does not apply here (nor in (ii)) since the cost of division is amortized over all candidates.

Table 4.4: For sample , the smallest from Fact 4.48 is given for which . [table body omitted]
4.4.2 Strong primes
The RSA cryptosystem (§8.2) uses a modulus of the form , where and are distinct odd primes. The primes and must be of sufficient size that factorization of their product is beyond computational reach. Moreover, they should be random primes in the sense that they be chosen as a function of a random input through a process defining a pool of candidates of sufficient cardinality that an exhaustive attack is infeasible. In practice, the resulting primes must also be of a predetermined bitlength, to meet system specifications. The discovery of the RSA cryptosystem led to the consideration of several additional constraints on the choice of and which are necessary to ensure the resulting RSA system is safe from cryptanalytic attack, and the notion of a strong prime (Definition 4.52) was defined. These attacks are described at length in Note 8.8(iii); as noted there, it is now believed that strong primes offer little protection beyond that offered by random primes, since randomly selected primes of the sizes typically used in RSA moduli today will satisfy the constraints with high probability. On the other hand, they are no less secure, and require only minimal additional running time to compute; thus, there is little real additional cost in using them.

4.52 Definition A prime number is said to be a strong prime if integers , , and exist such that the following three conditions are satisfied: (i) has a large prime factor, denoted ; (ii) has a large prime factor, denoted ; and (iii) has a large prime factor, denoted .

In Definition 4.52, a precise qualification of “large” depends on specific attacks that should be guarded against; for further details, see Note 8.8(iii).
Table 4.5: Upper bounds on the error probability of incremental search (Note 4.51) for and sample values of and . An entry corresponding to and implies , where . [table body omitted]

4.53 Algorithm Gordon’s algorithm for generating a strong prime
SUMMARY: a strong prime is generated.
1. Generate two large random primes and of roughly equal bitlength (see Note 4.54).
2. Select an integer . Find the first prime in the sequence , for (see Note 4.54). Denote this prime by .
3. Compute .
4. Select an integer . Find the first prime in the sequence , for (see Note 4.54). Denote this prime by .
5. Return( ).
Justification. To see that the prime returned by Gordon’s algorithm is indeed a strong prime, observe first (assuming ) that ; this follows from Fermat’s theorem (Fact 2.127). Hence, and . Finally (cf. Definition 4.52), (i) , and hence has the prime factor ; (ii) , and hence has the prime factor ; and (iii) , and hence has the prime factor .

4.54 Note (implementing Gordon’s algorithm) (i) The primes and required in step 1 can be probable primes generated by Algorithm 4.44. The Miller-Rabin test (Algorithm 4.24) can be used to test each candidate for primality in steps 2 and 4, after ruling out candidates that are divisible by a small prime less than some bound . See Note 4.45 for guidance on selecting . Since the Miller-Rabin test is a probabilistic primality test, the output of this implementation of Gordon’s algorithm is a probable prime. (ii) By carefully choosing the sizes of primes , and parameters , , one can control the exact bitlength of the resulting prime .
Note that the bitlengths of and will be about half that of , while the bitlength of will be slightly less than that of .

4.55 Fact (running time of Gordon’s algorithm) If the Miller-Rabin test is the primality test used in steps 1, 2, and 4, the expected time Gordon’s algorithm takes to find a strong prime is only about 19% more than the expected time Algorithm 4.44 takes to find a random prime.
4.4.3 NIST method for generating DSA primes
Some public-key schemes require primes satisfying various specific conditions. For example, the NIST Digital Signature Algorithm (DSA of §11.5.1) requires two primes and satisfying the following three conditions: (i) ; that is, is a bit prime; (ii) for a specified , where for some ; and (iii) divides . This section presents an algorithm for generating such primes and . In the following, denotes the SHA-1 hash function (Algorithm 9.53) which maps bitstrings of bitlength to bit hashcodes. Where required, an integer in the range whose binary representation is should be converted to the bit sequence , and vice versa.
4.57 Note (choice of primality test in Algorithm 4.56) (i) The FIPS 186 document where Algorithm 4.56 was originally described only specifies that a robust primality test be used in steps 2.4 and 4.4, i.e., a primality test where the probability of a composite integer being declared prime is at most . If the heuristic assumption is made that is a randomly chosen bit integer then, by Table 4.4, MILLER-RABIN( , ) is a robust test for the primality of . If is assumed to be a randomly chosen bit integer, then by Table 4.4, MILLER-RABIN( , ) is a robust test for the primality of . Since the Miller-Rabin test is a probabilistic primality test, the output of Algorithm 4.56 is a probable prime. (ii) To improve performance, candidate primes and should be subjected to trial division by all odd primes less than some bound before invoking the Miller-Rabin test. See Note 4.45 for guidance on selecting .

4.58 Note (“weak” primes cannot be intentionally constructed) Algorithm 4.56 has the feature that the random seed is not input to the prime number generation portion of the algorithm itself, but rather to an unpredictable and uncontrollable randomization process (steps 2.2 and 4.1), the output of which is used as the actual random seed. This precludes manipulation of the input seed to the prime number generation. If the seed and counter are made public, then anyone can verify that and were generated using the approved method. This feature prevents a central authority who generates and as system-wide parameters for use in the DSA from intentionally constructing “weak” primes and which it could subsequently exploit to recover other entities’ private keys.
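The following added Python example (my own code, not the Handbook's listing or the FIPS 186 text) implements RANDOM-SEARCH (Algorithm 4.44) with trial division and Miller-Rabin, Gordon's algorithm (4.53) for strong primes, and the NIST method (Algorithm 4.56) together with the seed-and-counter recomputation that Note 4.58 relies on, so a verifier can check that published primes came from the approved process. Assumptions: trial-division bound B = 2000, Miller-Rabin rounds t = 18 for q and t = 5 for p (the page's values are not legible here), seed length g = 160 bits, and the returned counter is the step-4 loop index i.

```python
import hashlib
import random

B = 2000   # trial-division bound; Note 4.45 says it is implementation-tuned, so this is an assumption
SMALL_PRIMES = [p for p in range(3, B, 2) if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def passes_trial_division(n):
    """Step 2 of Algorithm 4.44: False if some odd prime below B divides n."""
    return all(n % p for p in SMALL_PRIMES if p < n)

def miller_rabin(n, t):
    """MILLER-RABIN(n, t) (Algorithm 4.24) with t random bases; True means 'probable prime'."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, r = 0, n - 1
    while r % 2 == 0:                      # write n - 1 = 2^s * r with r odd
        s, r = s + 1, r // 2
    for _ in range(t):
        a = random.randrange(2, n - 1)
        y = pow(a, r, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True

def random_search(k, t):
    """RANDOM-SEARCH(k, t) (Algorithm 4.44): a random k-bit probable prime."""
    while True:
        n = random.getrandbits(k) | (1 << (k - 1)) | 1   # step 1: odd, exactly k bits
        if passes_trial_division(n) and miller_rabin(n, t):
            return n

def first_prime_in_sequence(start, step, t):
    """First probable prime among start, start + step, start + 2*step, ... (Gordon steps 2 and 4)."""
    n = start
    while not (passes_trial_division(n) and miller_rabin(n, t)):
        n += step
    return n

def gordon(k, t):
    """Gordon's algorithm (4.53) from k-bit s and t0; returns (p, r, s, t0) with p strong:
    r divides p - 1, s divides p + 1 and t0 divides r - 1 (Definition 4.52)."""
    s, t0 = random_search(k, t), random_search(k, t)            # step 1
    i0 = random.randrange(1, 1 << 16)                            # step 2 (range of i0 is my choice)
    r = first_prime_in_sequence(2 * i0 * t0 + 1, 2 * t0, t)
    p0 = 2 * pow(s, r - 2, r) * s - 1                            # step 3: p0 = 1 mod r, -1 mod s
    j0 = random.randrange(1, 1 << 16)                            # step 4
    p = first_prime_in_sequence(p0 + 2 * j0 * r * s, 2 * r * s, t)
    return p, r, s, t0                                           # step 5

def H(x, g):
    """SHA-1 of the g-bit big-endian encoding of integer x, read back as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(g // 8, "big")).digest(), "big")

def dsa_candidate_p(seed, g, j, n, b, L, q):
    """Steps 4.1-4.3 of Algorithm 4.56 for one offset j: the candidate p derived from the seed."""
    V = [H((seed + j + k) % (1 << g), g) for k in range(n + 1)]                 # 4.1
    W = sum(V[k] << (160 * k) for k in range(n)) + ((V[n] % (1 << b)) << (160 * n))
    X = W + (1 << (L - 1))                                                        # 4.2: X has L bits
    c = X % (2 * q)
    return X - (c - 1)                                                            # 4.3: p = 1 mod 2q

def generate_dsa_primes(l, g=160, t_q=18, t_p=5):
    """Algorithm 4.56 for L = 512 + 64*l; returns (q, p, seed, counter), counter = step-4 index i."""
    L = 512 + 64 * l
    n, b = divmod(L - 1, 160)                                    # step 1
    while True:                                                  # steps 2 and 5
        seed = random.getrandbits(g)                             # 2.1: need not be secret
        U = H(seed, g) ^ H((seed + 1) % (1 << g), g)             # 2.2
        q = U | (1 << 159) | 1                                   # 2.3: 160-bit odd q
        if not miller_rabin(q, t_q):                             # 2.4
            continue
        i, j = 0, 2                                              # step 3
        while i < 4096:                                          # step 4
            p = dsa_candidate_p(seed, g, j, n, b, L, q)
            if p >= (1 << (L - 1)) and passes_trial_division(p) and miller_rabin(p, t_p):   # 4.4
                return q, p, seed, i
            i, j = i + 1, j + n + 1                              # 4.5

def verify_dsa_primes(q, p, seed, counter, l, g=160, t_q=18, t_p=5):
    """Note 4.58: with seed and counter public, anyone can recompute q and p and confirm the method."""
    L = 512 + 64 * l
    n, b = divmod(L - 1, 160)
    U = H(seed, g) ^ H((seed + 1) % (1 << g), g)
    if q != (U | (1 << 159) | 1) or not miller_rabin(q, t_q):
        return False
    expected = dsa_candidate_p(seed, g, 2 + counter * (n + 1), n, b, L, q)
    return p == expected and p >= (1 << (L - 1)) and miller_rabin(p, t_p)
```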
4.56 Algorithm NIST method for generating DSA primes
INPUT: an integer , .
OUTPUT: a bit prime and an bit prime , where and .
1. Compute . Using long division of by , find , such that , where .
2. Repeat the following:
2.1 Choose a random seed (not necessarily secret) of bitlength .
2.2 Compute .
2.3 Form from by setting to the most significant and least significant bits of . (Note that is a bit odd integer.)
2.4 Test for primality using MILLER-RABIN( , ) for (see Note 4.57).
Until is found to be a (probable) prime.
3. Set , .
4. While do the following:
4.1 For from to do the following: set .
4.2 For the integer defined below, let . ( is an bit integer.)
4.3 Compute and set . (Note that .)
4.4 If then do the following: Test for primality using MILLER-RABIN( , ) for (see Note 4.57). If is a (probable) prime then return( , ).
4.5 Set , .
5. Go to step 2.

4.4.4 Constructive techniques for provable primes
Maurer’s algorithm (Algorithm 4.62) generates random provable primes that are almost uniformly distributed over the set of all primes of a specified size. The expected time for generating a prime is only slightly greater than that for generating a probable prime of equal size using Algorithm 4.44 with security parameter . (In practice, one may wish to choose in Algorithm 4.44; cf. Note 4.49.) The main idea behind Algorithm 4.62 is Fact 4.59, which is a slight modification of Pocklington’s theorem (Fact 4.40) and Fact 4.41.

4.59 Fact Let be an odd integer, and suppose that where is an odd prime. Suppose further that . (i) If there exists an integer satisfying and , then is prime. (ii) If is prime, the probability that a randomly selected base , , satisfies and is .

Algorithm 4.62 recursively generates an odd prime , and then chooses random integers , , until can be proven prime using Fact 4.59(i) for some base . By Fact 4.59(ii) the proportion of such bases is for prime . On the other hand, if is composite, then most bases will fail to satisfy the condition .

4.60 Note (description of constants and in Algorithm 4.62) (i) The optimal value of the constant defining the trial division bound in step 2 depends on the implementation of long-integer arithmetic, and is best determined experimentally (cf. Note 4.45). (ii) The constant ensures that is at least bits long and hence the interval from which is selected, namely , is sufficiently large (for the values of of practical interest) that it most likely contains at least one value for which is prime.

4.61 Note (relative size of with respect to in Algorithm 4.62) The relative size of with respect to is defined to be . In order to assure that the generated prime is chosen randomly with essentially uniform distribution from the set of all bit primes, the size of the prime factor of must be chosen according to the probability distribution of the largest prime factor of a randomly selected bit integer.
Since must be greater than in order for Fact 4.59 to apply, the relative size of is restricted to being in the interval . It can be deduced from Fact 3.7(i) that the cumulative probability distribution of the relative size of the largest prime factor of a large random integer, given that is at least , is for . In step 4 of Algorithm 4.62, the relative size is generated according to this distribution by selecting a random number and then setting . If then is chosen to be the smallest permissible value, namely , in order to ensure that the interval from which is selected is sufﬁciently large (cf. Note 4.60(ii)).
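An added Python implementation (mine, not the Handbook's listing) of Maurer's PROVABLE_PRIME as described by Fact 4.59 and Notes 4.60 and 4.61; besides the prime n it returns the prime q and base a that certify n, so a verifier can re-run the Fact 4.59(i) check independently. The constants c = 0.1, m = 20 and the k <= 20 threshold for the trial-division base case are assumptions, since their values are not legible in this text; the sieve helper is mine.

```python
import random
from math import gcd, isqrt


def odd_primes_below(bound):
    """Odd primes below bound by a plain sieve (constructed helper for the trial-division stage)."""
    flags = bytearray([1]) * max(bound, 3)
    for i in range(2, isqrt(len(flags)) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(flags[i * i::i]))
    return [p for p in range(3, bound) if flags[p]]


def fact_459_certifies(n, q, a):
    """Fact 4.59(i): if n = 2Rq + 1 with q an odd prime, q > R, a^(n-1) = 1 (mod n) and
    gcd(a^(2R) - 1, n) = 1, then n is prime. q's own primality is the caller's (recursive) certificate."""
    if n % 2 == 0 or q % 2 == 0 or (n - 1) % (2 * q) != 0:
        return False
    R = (n - 1) // (2 * q)
    return q > R and pow(a, n - 1, n) == 1 and gcd(pow(a, 2 * R, n) - 1, n) == 1


def provable_prime(k, c=0.1, m=20):
    """PROVABLE_PRIME(k) (Algorithm 4.62): returns (n, q, a) with n a k-bit prime. For k > 20 the
    pair (q, a) is the Fact 4.59 certificate (n = 2Rq + 1, base a); in the base case both are None."""
    if k <= 20:                                        # step 1: small k, trial division only
        while True:
            n = random.getrandbits(k) | (1 << (k - 1)) | 1
            if all(n % d for d in range(3, isqrt(n) + 1, 2)):
                return n, None, None
    B = int(c * k * k)                                 # steps 2-3: trial-division bound (Note 4.60)
    if k > 2 * m:                                      # step 4: relative size r of q (Note 4.61)
        while True:
            r = 2 ** (random.random() - 1)             # r = 2^(s-1) for s uniform in [0, 1]
            if k - r * k > m:
                break
    else:
        r = 0.5
    q = provable_prime(int(r * k) + 1, c, m)[0]        # step 5: recursive call
    I = (1 << (k - 1)) // (2 * q)                      # step 6
    primes = odd_primes_below(B)
    while True:                                        # steps 7-8
        R = random.randint(I + 1, 2 * I)               # 8.1: n = 2Rq + 1 then lies in [2^(k-1), 2^k)
        n = 2 * R * q + 1
        if not all(n % p for p in primes if p < n):    # 8.2: trial division by primes below B
            continue
        a = random.randint(2, n - 2)
        if fact_459_certifies(n, q, a):                # 8.2: Fact 4.59(i) with a random base
            return n, q, a                             # step 9
```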
4.62 Algorithm Maurer’s algorithm for generating provable primes
PROVABLE PRIME( )
INPUT: a positive integer .
OUTPUT: a bit prime number .
1. (If is small, then test random integers by trial division. A table of small primes may be precomputed for this purpose.) If then repeatedly do the following:
1.1 Select a random bit odd integer .
1.2 Use trial division by all primes less than to determine whether is prime.
1.3 If is prime then return( ).
2. Set and (see Note 4.60).
3. (Trial division bound ) Set (see Note 4.60).
4. (Generate , the size of relative to — see Note 4.61) If then repeatedly do the following: select a random number in the interval , set , until . Otherwise (i.e. ), set .
5. Compute .
6. Set .
7. success .
8. While (success ) do the following:
8.1 (select a candidate integer ) Select a random integer in the interval and set .
8.2 Use trial division to determine whether is divisible by any prime number . If it is not then do the following: Select a random integer in the interval . Compute . If then do the following: Compute and . If then success .
9. Return( ).

4.63 Note (improvements to Algorithm 4.62) (i) A speedup can be achieved by using Fact 4.42 instead of Fact 4.59(i) for proving prime in step 8.2 of Maurer’s algorithm — Fact 4.42 only requires that be greater than . (ii) If a candidate passes the trial division (in step 8.2), then a Miller-Rabin test (Algorithm 4.24) with the single base should be performed on ; only if passes this test should the attempt to prove its primality (the remainder of step 8.2) be undertaken. This leads to a faster implementation due to the efficiency of the Miller-Rabin test with a single base (cf. Remark 4.50). (iii) Step 4 requires the use of real number arithmetic when computing . To avoid these computations, one can precompute and store a list of such values for a selection of random numbers .

4.64 Note (provable primes vs. probable primes) Probable primes are advantageous over provable primes in that Algorithm 4.44 for generating probable primes with is slightly faster than Maurer’s algorithm. Moreover, the latter requires more run-time memory due to its recursive nature. Provable primes are preferable to probable primes in the sense that the former have zero error probability. In any cryptographic application, however, there is always a non-zero error probability of some catastrophic failure, such as the adversary guessing a secret key or hardware failure. Since the error probability of probable primes can be efficiently brought down to acceptably low levels (see Note 4.49 but note the dependence on ), there appears to be no reason for mandating the use of provable primes over probable primes.

4.5 Irreducible polynomials over

Recall (Definition 2.190) that a polynomial of degree is said to be irreducible over if it cannot be written as a product of two polynomials in each having degree less than . Such a polynomial can be used to represent the elements of the finite field as , the set of all polynomials in of degree less than where the addition and multiplication of polynomials is performed modulo (see §2.6.3). This section presents techniques for constructing irreducible polynomials over , where is a prime. The characteristic two finite fields are of particular interest for cryptographic applications because the arithmetic in these fields can be efficiently performed both in software and in hardware. For this reason, additional attention is given to the special case of irreducible polynomials over .

The arithmetic in finite fields can usually be implemented more efficiently if the irreducible polynomial chosen has few nonzero terms. Irreducible trinomials, i.e., irreducible polynomials having exactly three nonzero terms, are considered in §4.5.2. Primitive polynomials, i.e., irreducible polynomials of degree in for which is a generator of , the multiplicative group of the finite field (Definition 2.228), are the topic of §4.5.3. Primitive polynomials are also used in the generation of linear feedback shift register sequences having the maximum possible period (Fact 6.12).

4.5.1 Irreducible polynomials

If is irreducible over and is a nonzero element in , then is also irreducible over . Hence it suffices to restrict attention to monic polynomials in , i.e., polynomials whose leading coefficient is 1. Observe also that if is an irreducible polynomial, then its constant term must be nonzero. In particular, if , then its constant term must be 1. There is a formula for computing exactly the number of monic irreducible polynomials in of a fixed degree. The Möbius function, which is defined next, is used in this formula.

4.65 Definition Let be a positive integer. The Möbius function is defined by if ; if is divisible by the square of a prime; if is the product of distinct primes.

4.66 Example (Möbius function) The following table gives the values of the Möbius function for the first 10 values of : [table body omitted]

4.67 Fact (number of monic irreducible polynomials) Let be a prime and a positive integer. (i) The number of monic irreducible polynomials of degree in is given by the following formula: , where the summation ranges over all positive divisors of . (ii) The probability of a random monic polynomial of degree in being irreducible over is roughly . More specifically, the number satisfies .

Testing irreducibility of polynomials in is significantly simpler than testing primality of integers. A polynomial can be tested for irreducibility by verifying that it has no irreducible factors of degree . The following result leads to an efficient method (Algorithm 4.69) for accomplishing this.

4.68 Fact Let be a prime and let be a positive integer. (i) The product of all monic irreducible polynomials in is equal to . (ii) Let be a polynomial of degree in .
Then and only if for each , 4.69 Algorithm Testing a polynomial for irreducibility INPUT: a prime and a monic polynomial of degree in . OUTPUT: an answer to the question: “Is irreducible over ?” 1. Set . 2. For from 1 to do the following: 2.1 Compute using Algorithm 2.227. (Note that polynomial in of degree less than .) 2.2 Compute (using Algorithm 2.218). then return(“reducible”). 2.3 If 3. Return(“irreducible”). Ô gÕ ØÖÔ x× £¡Õ Ã öÙ 2÷Ï × £Ý Î îí Ï × ÐgÏ × Î ò à Ï × Î ë Î £ì Ï × £Ý Ù Î Ø Ö× Ô Õ Â ë Ï × Î Qî nÔ Ï × Î ò ¹Ï × Î ò ó õô èçæ Ü ð × ¹Ï × Î ò ó Ò Â Ï ×Î ë Ï ×Î ë Â îí ÃÙ SÏ × Ð ¥Ô × à Ï × Î ë Î Eì ï é × Ð vÔ × ê Ï ×Î ë Ò ØÖÔ × ±gÕ èæ ç â Ü Fact 4.67 suggests that one method for ﬁnding an irreducible polynomial of degree in is to generate a random monic polynomial of degree in , test it for irreducibility, and continue until an irreducible one is found (Algorithm 4.70). The expected number of polynomials to be tried before an irreducible one is found is approximately . Â ØÖÔ × ±Õ Â ØÖÔ × gÕ Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. Â ÔÕ is irreducible over . é of degree dividing is a Ñ Ï ×Î ò Ã Ì £Ã Â Ì is if Ë Â Ì æ èç ñâ ð â Ã ð Ø Ö× Ô Õ Ï Ü× Î ë Ø Ö× Ô Õ Ê Ý Ã {Ð É Ã È Ã {Ð Ç Ì Æ Ã {Ð Å Ã {Ð Ä Ã Á £À Ã Ï ÂÎ ¨wÍ Â ¿ 4.5 Irreducible polynomials over 155 156 Ch. 4 PublicKey Parameters It is known that the expected degree of the irreducible factor of least degree of a random polynomial of degree in is . Hence for each choice of , the expected . Each iteration number of times steps 2.1 – 2.3 of Algorithm 4.69 are iterated is takes operations. These observations, together with Fact 4.67(ii), determine the running time for Algorithm 4.70. Given one irreducible polynomial of degree over , Note 4.74 describes a method, which is more efﬁcient than Algorithm 4.70, for randomly generating additional such polynomials. 
4.74 Note (generating new irreducible polynomials from a given one) Suppose that is a can then be repregiven irreducible polynomial of degree over . The ﬁnite ﬁeld sented as . A random monic irreducible polynomial of degree over can be efﬁciently generated as follows. First generate a random element and then, by repeated exponentiation by , determine the smallest positive integer for which . If , then generate a new random element and repeat; the probability that is known to be at most . If indeed , then compute using the formula (4.1). Then is a random monic irreducible polynomial of degree in . This method has an expected running time of operations (compare with Fact 4.71). ÿþ ¡ý c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter. V ÿ iü hý X ` ¡ srP GQ û û X ¡ ÿ ÿ ú CA ý E ûý §¦®£s7B2w÷@ `¡ G û 3X ` ¡ wvP GQ ÿ¡s0û þý V GQ H SRP P 3 ¡ P Y gÿ ¡ eFý fP'þ U p ÿ û CA gx" ¨ygý ¡ !$ a © db c ¡ 3 û ú ÿþ gwý û V Wû ú ÿþ ¡ý P P 3 ¡ P ` ¡ § V û ÿ hý üý p¥ ®ÿ i¹%q £h ÿþ gwý V Wû ¡ 3 `¡ G ût XuX ÿþ gwý HG ût dxX X ¥£¡ ¦þ ¤§ V P 3 Y¡ P ¡ û 4.73 Fact (i) (ii) (iii) (iv) Let be a ﬁnite ﬁeld of order , and let The minimum polynomial of over , denoted is irreducible over . The degree of is a divisor of . Let be the smallest positive integer such that since, by Fact 2.213, .) Then . , is unique. . (Note that such a exists P ¥ 9þ £ ¡ HGQ TSRP 4.72 Deﬁnition Let be a ﬁnite ﬁeld of characteristic , and let mial of over is a monic polynomial of least degree in ú ¡ ÿ ÿ ú CA ý ÿ û CA ý E ûý §§®£s7B®6s7BF÷@ 4.71 Fact Algorithm 4.70 has an expected running time of û ÿ þý ¡ü ¡ © ¨ 4 8¨ E¨ 75!%" k!%#¨ 5" þ 3 ¡ü þ ÿ þý 4 þ 46 6 6 4 $ þ $ " 4 13 © 2¨ )' 0(ú & $ "¨ !%#!¨ ¨¨© ¥£¡ ¦þ ¤§ û 1. Repeat the following: ) 1.1 (Generate a random monic polynomial of degree in Randomly select integers between and . Let be the polynomial 1.2 Use Algorithm 4.69 to test whether is irreducible over . Until is irreducible. ). 2. Return( ÿ þý gwü ÿ þý ¡ü ÿ þý gwü . 
A minimum polynohaving as a root. ÿ û CA ý 6s7B÷@ ÿ þý gwü ¥£¡ ¦þ ¤¢ û ¡ § ÿ þý ¡ü INPUT: a prime and a positive integer . OUTPUT: a monic irreducible polynomial û ú of degree in ù ø . with . operations. (4.1) 4.70 Algorithm Generating a random monic irreducible polynomial over " ÿ û CA ý 67B÷@ 3U ¥ 9þ £ ¡ û ¡ §Dÿ ¡ H IG ûÿ ú CA ý ý ±g7B®÷@ & P û 4.5.2 Irreducible trinomials
4.5.2 Irreducible trinomials

If a polynomial in has an even number of nonzero terms, then , whence is a factor of . Hence, the smallest number of nonzero terms an irreducible polynomial of degree in can have is three. An irreducible trinomial of degree in must be of the form , where . Choosing an irreducible trinomial of degree to represent the elements of the finite field can lead to a faster implementation of the field arithmetic. The following facts are sometimes of use when searching for irreducible trinomials.

4.75 Fact Let be a positive integer, and let denote an integer in the interval .
(i) If the trinomial is irreducible over then so is .
(ii) If , there is no irreducible trinomial of degree in .
(iii) Suppose that either or . Then a necessary condition for to be irreducible over is that either or must be of the form for some positive divisor of .

Tables 4.6 and 4.7 list an irreducible trinomial of degree over for each , , for which such a trinomial exists.

Table 4.6: Irreducible trinomials over . For each , , for which an irreducible trinomial of degree in exists, the table lists the smallest for which is irreducible over . (Columns give the degree m and the exponent k.)

m k | m k | m k | m k | m k | m k | m k
2 1 | 93 2 | 193 15 | 295 48 | 402 171 | 508 9 | 618 295
3 1 | 94 21 | 194 87 | 297 5 | 404 65 | 510 69 | 620 9
4 1 | 95 11 | 196 3 | 300 5 | 406 141 | 511 10 | 622 297
5 2 | 97 6 | 198 9 | 302 41 | 407 71 | 513 26 | 623 68
6 1 | 98 11 | 199 34 | 303 1 | 409 87 | 514 67 | 625 133
7 1 | 100 15 | 201 14 | 305 102 | 412 147 | 516 21 | 626 251
9 1 | 102 29 | 202 55 | 308 15 | 414 13 | 518 33 | 628 223
10 3 | 103 9 | 204 27 | 310 93 | 415 102 | 519 79 | 631 307
11 2 | 105 4 | 207 43 | 313 79 | 417 107 | 521 32 | 633 101
12 3 | 106 15 | 209 6 | 314 15 | 418 199 | 522 39 | 634 39
14 5 | 108 17 | 210 7 | 316 63 | 420 7 | 524 167 | 636 217
15 1 | 110 33 | 212 105 | 318 45 | 422 149 | 526 97 | 639 16
17 3 | 111 10 | 214 73 | 319 36 | 423 25 | 527 47 | 641 11
18 3 | 113 9 | 215 23 | 321 31 | 425 12 | 529 42 | 642 119
20 3 | 118 33 | 217 45 | 322 67 | 426 63 | 532 1 | 646 249
21 2 | 119 8 | 218 11 | 324 51 | 428 105 | 534 161 | 647 5
22 1 | 121 18 | 220 7 | 327 34 | 431 120 | 537 94 | 649 37
23 5 | 123 2 | 223 33 | 329 50 | 433 33 | 538 195 | 650 3
25 3 | 124 19 | 225 32 | 330 99 | 436 165 | 540 9 | 651 14
28 1 | 126 21 | 228 113 | 332 89 | 438 65 | 543 16 | 652 93
29 2 | 127 1 | 231 26 | 333 2 | 439 49 | 545 122 | 654 33
30 1 | 129 5 | 233 74 | 337 55 | 441 7 | 550 193 | 655 88
31 3 | 130 3 | 234 31 | 340 45 | 444 81 | 551 135 | 657 38
33 10 | 132 17 | 236 5 | 342 125 | 446 105 | 553 39 | 658 55
34 7 | 134 57 | 238 73 | 343 75 | 447 73 | 556 153 | 660 11
35 2 | 135 11 | 239 36 | 345 22 | 449 134 | 558 73 | 662 21
36 9 | 137 21 | 241 70 | 346 63 | 450 47 | 559 34 | 663 107
39 4 | 140 15 | 242 95 | 348 103 | 455 38 | 561 71 | 665 33
41 3 | 142 21 | 244 111 | 350 53 | 457 16 | 564 163 | 668 147
42 7 | 145 52 | 247 82 | 351 34 | 458 203 | 566 153 | 670 153
44 5 | 146 71 | 249 35 | 353 69 | 460 19 | 567 28 | 671 15
46 1 | 147 14 | 250 103 | 354 99 | 462 73 | 569 77 | 673 28
47 5 | 148 27 | 252 15 | 358 57 | 463 93 | 570 67 | 676 31
49 9 | 150 53 | 253 46 | 359 68 | 465 31 | 574 13 | 679 66
52 3 | 151 3 | 255 52 | 362 63 | 468 27 | 575 146 | 682 171
54 9 | 153 1 | 257 12 | 364 9 | 470 9 | 577 25 | 684 209
55 7 | 154 15 | 258 71 | 366 29 | 471 1 | 580 237 | 686 197
57 4 | 155 62 | 260 15 | 367 21 | 473 200 | 582 85 | 687 13
58 19 | 156 9 | 263 93 | 369 91 | 474 191 | 583 130 | 689 14
60 1 | 159 31 | 265 42 | 370 139 | 476 9 | 585 88 | 690 79
62 29 | 161 18 | 266 47 | 372 111 | 478 121 | 588 35 | 692 299
63 1 | 162 27 | 268 25 | 375 16 | 479 104 | 590 93 | 694 169
65 18 | 166 37 | 270 53 | 377 41 | 481 138 | 593 86 | 695 177
66 3 | 167 6 | 271 58 | 378 43 | 484 105 | 594 19 | 697 267
68 9 | 169 34 | 273 23 | 380 47 | 486 81 | 596 273 | 698 215
71 6 | 170 11 | 274 67 | 382 81 | 487 94 | 599 30 | 700 75
73 25 | 172 1 | 276 63 | 383 90 | 489 83 | 601 201 | 702 37
74 35 | 174 13 | 278 5 | 385 6 | 490 219 | 602 215 | 705 17
76 21 | 175 6 | 279 5 | 386 83 | 492 7 | 604 105 | 708 15
79 9 | 177 8 | 281 93 | 388 159 | 494 17 | 606 165 | 711 92
81 4 | 178 31 | 282 35 | 390 9 | 495 76 | 607 105 | 713 41
84 5 | 180 3 | 284 53 | 391 28 | 497 78 | 609 31 | 714 23
86 21 | 182 81 | 286 69 | 393 7 | 498 155 | 610 127 | 716 183
87 13 | 183 56 | 287 71 | 394 135 | 500 27 | 612 81 | 718 165
89 38 | 185 24 | 289 21 | 396 25 | 503 3 | 614 45 | 719 150
90 27 | 186 11 | 292 37 | 399 26 | 505 156 | 615 211 | 721 9
92 21 | 191 9 | 294 33 | 401 152 | 506 23 | 617 200 | 722 231

Table 4.7: Irreducible trinomials over . For each , , for which an irreducible trinomial of degree in exists, the table gives the smallest for which is irreducible over . (Columns give the degree m and the exponent k.)

m k | m k | m k | m k | m k | m k | m k
724 207 | 831 49 | 937 217 | 1050 159 | 1159 66 | 1265 119 | 1374 609
726 5 | 833 149 | 938 207 | 1052 291 | 1161 365 | 1266 7 | 1375 52
727 180 | 834 15 | 942 45 | 1054 105 | 1164 19 | 1268 345 | 1377 100
729 58 | 838 61 | 943 24 | 1055 24 | 1166 189 | 1270 333 | 1380 183
730 147 | 839 54 | 945 77 | 1057 198 | 1167 133 | 1271 17 | 1383 130
732 343 | 841 144 | 948 189 | 1058 27 | 1169 114 | 1273 168 | 1385 12
735 44 | 842 47 | 951 260 | 1060 439 | 1170 27 | 1276 217 | 1386 219
737 5 | 844 105 | 953 168 | 1062 49 | 1174 133 | 1278 189 | 1388 11
738 347 | 845 2 | 954 131 | 1063 168 | 1175 476 | 1279 216 | 1390 129
740 135 | 846 105 | 956 305 | 1065 463 | 1177 16 | 1281 229 | 1391 3
742 85 | 847 136 | 959 143 | 1071 7 | 1178 375 | 1282 231 | 1393 300
743 90 | 849 253 | 961 18 | 1078 361 | 1180 25 | 1284 223 | 1396 97
745 258 | 850 111 | 964 103 | 1079 230 | 1182 77 | 1286 153 | 1398 601
746 351 | 852 159 | 966 201 | 1081 24 | 1183 87 | 1287 470 | 1399 55
748 19 | 855 29 | 967 36 | 1082 407 | 1185 134 | 1289 99 | 1401 92
750 309 | 857 119 | 969 31 | 1084 189 | 1186 171 | 1294 201 | 1402 127
751 18 | 858 207 | 972 7 | 1085 62 | 1188 75 | 1295 38 | 1404 81
753 158 | 860 35 | 975 19 | 1086 189 | 1190 233 | 1297 198 | 1407 47
754 19 | 861 14 | 977 15 | 1087 112 | 1191 196 | 1298 399 | 1409 194
756 45 | 862 349 | 979 178 | 1089 91 | 1193 173 | 1300 75 | 1410 383
758 233 | 865 1 | 982 177 | 1090 79 | 1196 281 | 1302 77 | 1412 125
759 98 | 866 75 | 983 230 | 1092 23 | 1198 405 | 1305 326 | 1414 429
761 3 | 868 145 | 985 222 | 1094 57 | 1199 114 | 1306 39 | 1415 282
762 83 | 870 301 | 986 3 | 1095 139 | 1201 171 | 1308 495 | 1417 342
767 168 | 871 378 | 988 121 | 1097 14 | 1202 287 | 1310 333 | 1420 33
769 120 | 873 352 | 990 161 | 1098 83 | 1204 43 | 1311 476 | 1422 49
772 7 | 876 149 | 991 39 | 1100 35 | 1206 513 | 1313 164 | 1423 15
774 185 | 879 11 | 993 62 | 1102 117 | 1207 273 | 1314 19 | 1425 28
775 93 | 881 78 | 994 223 | 1103 65 | 1209 118 | 1319 129 | 1426 103
777 29 | 882 99 | 996 65 | 1105 21 | 1210 243 | 1321 52 | 1428 27
778 375 | 884 173 | 998 101 | 1106 195 | 1212 203 | 1324 337 | 1430 33
780 13 | 887 147 | 999 59 | 1108 327 | 1214 257 | 1326 397 | 1431 17
782 329 | 889 127 | 1001 17 | 1110 417 | 1215 302 | 1327 277 | 1433 387
783 68 | 890 183 | 1007 75 | 1111 13 | 1217 393 | 1329 73 | 1434 363
785 92 | 892 31 | 1009 55 | 1113 107 | 1218 91 | 1332 95 | 1436 83
791 30 | 894 173 | 1010 99 | 1116 59 | 1220 413 | 1334 617 | 1438 357
793 253 | 895 12 | 1012 115 | 1119 283 | 1223 255 | 1335 392 | 1441 322
794 143 | 897 113 | 1014 385 | 1121 62 | 1225 234 | 1337 75 | 1442 395
798 53 | 898 207 | 1015 186 | 1122 427 | 1226 167 | 1338 315 | 1444 595
799 25 | 900 1 | 1020 135 | 1126 105 | 1228 27 | 1340 125 | 1446 421
801 217 | 902 21 | 1022 317 | 1127 27 | 1230 433 | 1343 348 | 1447 195
804 75 | 903 35 | 1023 7 | 1129 103 | 1231 105 | 1345 553 | 1449 13
806 21 | 905 117 | 1025 294 | 1130 551 | 1233 151 | 1348 553 | 1452 315
807 7 | 906 123 | 1026 35 | 1134 129 | 1234 427 | 1350 237 | 1454 297
809 15 | 908 143 | 1028 119 | 1135 9 | 1236 49 | 1351 39 | 1455 52
810 159 | 911 204 | 1029 98 | 1137 277 | 1238 153 | 1353 371 | 1457 314
812 29 | 913 91 | 1030 93 | 1138 31 | 1239 4 | 1354 255 | 1458 243
814 21 | 916 183 | 1031 68 | 1140 141 | 1241 54 | 1356 131 | 1460 185
815 333 | 918 77 | 1033 108 | 1142 357 | 1242 203 | 1358 117 | 1463 575
817 52 | 919 36 | 1034 75 | 1145 227 | 1246 25 | 1359 98 | 1465 39
818 119 | 921 221 | 1036 411 | 1146 131 | 1247 14 | 1361 56 | 1466 311
820 123 | 924 31 | 1039 21 | 1148 23 | 1249 187 | 1362 655 | 1468 181
822 17 | 926 365 | 1041 412 | 1151 90 | 1252 97 | 1364 239 | 1470 49
823 9 | 927 403 | 1042 439 | 1153 241 | 1255 589 | 1366 1 | 1471 25
825 38 | 930 31 | 1044 41 | 1154 75 | 1257 289 | 1367 134 | 1473 77
826 255 | 932 177 | 1047 10 | 1156 307 | 1260 21 | 1369 88 | 1476 21
828 189 | 935 417 | 1049 141 | 1158 245 | 1263 77 | 1372 181 | 1478 69

4.5.3 Primitive polynomials

Primitive polynomials were introduced at the beginning of 4.5. Let be an irreducible polynomial of degree . If the factorization of the integer is known, then Fact 4.76 yields an efficient algorithm (Algorithm 4.77) for testing whether or not is a primitive polynomial. If the factorization of is unknown, there is no efficient algorithm known for performing this test.

4.76 Fact Let be a prime and let the distinct prime factors of be . Then an irreducible polynomial is primitive if and only if for each , : . (That is, is an element of order in the field .)

4.77 Algorithm Testing whether an irreducible polynomial is primitive
INPUT: a prime , a positive integer , the distinct prime factors of , and a monic irreducible polynomial of degree in .
OUTPUT: an answer to the question: "Is a primitive polynomial?"
1. For from 1 to do the following:
  1.1 Compute (using Algorithm 2.227).
  1.2 If then return("not primitive").
2. Return("primitive").

There are precisely monic primitive polynomials of degree in (Fact 2.230), where is the Euler phi function (Definition 2.100). Since the number of monic irreducible polynomials of degree in is roughly (Fact 4.67(ii)), it follows that the probability of a random monic irreducible polynomial of degree in being primitive is approximately . Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least . This suggests the following algorithm for generating primitive polynomials.

4.78 Algorithm Generating a random monic primitive polynomial over
INPUT: a prime , integer , and the distinct prime factors of .
OUTPUT: a monic primitive polynomial of degree in .
1. Repeat the following:
  1.1 Use Algorithm 4.70 to generate a random monic irreducible polynomial of degree in .
  1.2 Use Algorithm 4.77 to test whether is primitive.
  Until is primitive.
2. Return( ).

For each , , Table 4.8 lists a polynomial of degree that is primitive over . If there exists a primitive trinomial , then the trinomial with the smallest is listed. If no primitive trinomial exists, then a primitive pentanomial of the form is listed. If is prime, then Fact 4.76 implies that every irreducible polynomial of degree in is also primitive. Table 4.9 gives either a primitive trinomial or a primitive pentanomial of degree over where is an exponent of one of the first 27 Mersenne primes (Definition 4.35).
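As an added example (my code, not the Handbook's), the following Python implements Algorithm 4.69 (irreducibility via gcd(f, x^(p^i) - x)) and Algorithm 4.77 (primitivity via x^((p^m-1)/r) mod f for each prime r dividing p^m - 1), and combines them as Algorithm 4.78 does to draw a random primitive polynomial. The coefficient-list representation, the helper names, the trial-division factoring of p^m - 1, and the use of Table 4.6/4.8 entries and the AES field polynomial x^8+x^4+x^3+x+1 as sample inputs are this example's own assumptions.

```python
import random

# Added example, not the Handbook's code: polynomials over Z_p as coefficient
# lists, lowest degree first (so [1, 0, 1] is x^2 + 1); f is always monic.

def poly_trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return poly_trim([(x - y) % p for x, y in zip(a, b)])

def poly_rem(a, b, p):
    """Remainder of a divided by b in Z_p[x]; b need not be monic."""
    a, b = poly_trim(a[:]), poly_trim(b[:])
    db, inv = len(b) - 1, pow(b[-1], -1, p)
    for i in range(len(a) - 1, db - 1, -1):
        c = (a[i] * inv) % p
        if c:
            for j in range(db + 1):
                a[i - db + j] = (a[i - db + j] - c * b[j]) % p
    return poly_trim(a[:db]) if db > 0 else [0]

def poly_mulmod(a, b, f, p):
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return poly_rem(prod, f, p)

def poly_powmod(a, e, f, p):
    """a^e mod f by square-and-multiply (the role of Algorithm 2.227)."""
    result, base = [1], poly_rem(a, f, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Monic gcd by the Euclidean algorithm (the role of Algorithm 2.218)."""
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while b != [0]:
        a, b = b, poly_rem(a, b, p)
    inv = pow(a[-1], -1, p)
    return [(c * inv) % p for c in a]

def is_irreducible(f, p):
    """Algorithm 4.69: monic f of degree m is irreducible over Z_p iff
    gcd(f, x^(p^i) - x) = 1 for i = 1, ..., floor(m/2)."""
    x = [0, 1]
    u = x
    for _ in range((len(f) - 1) // 2):
        u = poly_powmod(u, p, f, p)               # u = x^(p^i) mod f
        if poly_gcd(f, poly_sub(u, x, p), p) != [1]:
            return False
    return True

def is_primitive(f, p, prime_factors):
    """Algorithm 4.77: for monic irreducible f of degree m and the distinct
    primes r dividing p^m - 1, f is primitive iff x^((p^m-1)/r) != 1 mod f
    for every r, i.e. x has order p^m - 1 in the field Z_p[x]/(f)."""
    n = p ** (len(f) - 1) - 1
    return all(poly_powmod([0, 1], n // r, f, p) != [1] for r in prime_factors)

def distinct_prime_factors(n):
    """Trial division, adequate for the small values of p^m - 1 used here."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return sorted(fs)

def from_exponents(m, *exps):
    """x^m + x^e1 + ... (pass 0 for the constant term 1), as in Tables 4.6-4.9."""
    f = [0] * (m + 1)
    for e in (m,) + exps:
        f[e] = 1
    return f

def random_primitive(p, m, rng=random):
    """Algorithm 4.78 on top of Algorithm 4.70: draw random monic polynomials of
    degree m until one passes both the irreducibility and primitivity tests."""
    factors = distinct_prime_factors(p ** m - 1)
    while True:
        f = [rng.randrange(p) for _ in range(m)] + [1]
        if is_irreducible(f, p) and is_primitive(f, p, factors):
            return f

# e.g. is_irreducible(from_exponents(10, 3, 0), 2) is True (Table 4.6, m = 10),
# while the AES polynomial from_exponents(8, 4, 3, 1, 0) is irreducible but not
# primitive over Z_2, since x has order 51 rather than 255 in that field.
```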
Table 4.8: Primitive polynomials over . For each , , an exponent is given for which the trinomial is primitive over . If no such trinomial exists, a triple of exponents is given for which the pentanomial is primitive over . (Columns give the degree m and the exponent k, or the triple k1, k2, k3.)

m k | m k | m k | m k
2 1 | 59 22, 21, 1 | 116 71, 70, 1 | 173 100, 99, 1
3 1 | 60 1 | 117 20, 18, 2 | 174 13
4 1 | 61 16, 15, 1 | 118 33 | 175 6
5 2 | 62 57, 56, 1 | 119 8 | 176 119, 118, 1
6 1 | 63 1 | 120 118, 111, 7 | 177 8
7 1 | 64 4, 3, 1 | 121 18 | 178 87
8 6, 5, 1 | 65 18 | 122 60, 59, 1 | 179 34, 33, 1
9 4 | 66 10, 9, 1 | 123 2 | 180 37, 36, 1
10 3 | 67 10, 9, 1 | 124 37 | 181 7, 6, 1
11 2 | 68 9 | 125 108, 107, 1 | 182 128, 127, 1
12 7, 4, 3 | 69 29, 27, 2 | 126 37, 36, 1 | 183 56
13 4, 3, 1 | 70 16, 15, 1 | 127 1 | 184 102, 101, 1
14 12, 11, 1 | 71 6 | 128 29, 27, 2 | 185 24
15 1 | 72 53, 47, 6 | 129 5 | 186 23, 22, 1
16 5, 3, 2 | 73 25 | 130 3 | 187 58, 57, 1
17 3 | 74 16, 15, 1 | 131 48, 47, 1 | 188 74, 73, 1
18 7 | 75 11, 10, 1 | 132 29 | 189 127, 126, 1
19 6, 5, 1 | 76 36, 35, 1 | 133 52, 51, 1 | 190 18, 17, 1
20 3 | 77 31, 30, 1 | 134 57 | 191 9
21 2 | 78 20, 19, 1 | 135 11 | 192 28, 27, 1
22 1 | 79 9 | 136 126, 125, 1 | 193 15
23 5 | 80 38, 37, 1 | 137 21 | 194 87
24 4, 3, 1 | 81 4 | 138 8, 7, 1 | 195 10, 9, 1
25 3 | 82 38, 35, 3 | 139 8, 5, 3 | 196 66, 65, 1
26 8, 7, 1 | 83 46, 45, 1 | 140 29 | 197 62, 61, 1
27 8, 7, 1 | 84 13 | 141 32, 31, 1 | 198 65
28 3 | 85 28, 27, 1 | 142 21 | 199 34
29 2 | 86 13, 12, 1 | 143 21, 20, 1 | 200 42, 41, 1
30 16, 15, 1 | 87 13 | 144 70, 69, 1 | 201 14
31 3 | 88 72, 71, 1 | 145 52 | 202 55
32 28, 27, 1 | 89 38 | 146 60, 59, 1 | 203 8, 7, 1
33 13 | 90 19, 18, 1 | 147 38, 37, 1 | 204 74, 73, 1
34 15, 14, 1 | 91 84, 83, 1 | 148 27 | 205 30, 29, 1
35 2 | 92 13, 12, 1 | 149 110, 109, 1 | 206 29, 28, 1
36 11 | 93 2 | 150 53 | 207 43
37 12, 10, 2 | 94 21 | 151 3 | 208 62, 59, 3
38 6, 5, 1 | 95 11 | 152 66, 65, 1 | 209 6
39 4 | 96 49, 47, 2 | 153 1 | 210 35, 32, 3
40 21, 19, 2 | 97 6 | 154 129, 127, 2 | 211 46, 45, 1
41 3 | 98 11 | 155 32, 31, 1 | 212 105
42 23, 22, 1 | 99 47, 45, 2 | 156 116, 115, 1 | 213 8, 7, 1
43 6, 5, 1 | 100 37 | 157 27, 26, 1 | 214 49, 48, 1
44 27, 26, 1 | 101 7, 6, 1 | 158 27, 26, 1 | 215 23
45 4, 3, 1 | 102 77, 76, 1 | 159 31 | 216 196, 195, 1
46 21, 20, 1 | 103 9 | 160 19, 18, 1 | 217 45
47 5 | 104 11, 10, 1 | 161 18 | 218 11
48 28, 27, 1 | 105 16 | 162 88, 87, 1 | 219 19, 18, 1
49 9 | 106 15 | 163 60, 59, 1 | 220 15, 14, 1
50 27, 26, 1 | 107 65, 63, 2 | 164 14, 13, 1 | 221 35, 34, 1
51 16, 15, 1 | 108 31 | 165 31, 30, 1 | 222 92, 91, 1
52 3 | 109 7, 6, 1 | 166 39, 38, 1 | 223 33
53 16, 15, 1 | 110 13, 12, 1 | 167 6 | 224 31, 30, 1
54 37, 36, 1 | 111 10 | 168 17, 15, 2 | 225 32
55 24 | 112 45, 43, 2 | 169 34 | 226 58, 57, 1
56 22, 21, 1 | 113 9 | 170 23 | 227 46, 45, 1
57 7 | 114 82, 81, 1 | 171 19, 18, 1 | 228 148, 147, 1
58 19 | 115 15, 14, 1 | 172 7 | 229 64, 63, 1

Table 4.9: Primitive polynomials of degree over , a Mersenne prime. For each exponent of the first 27 Mersenne primes, the table lists all values of , , for which the trinomial is irreducible over . If no such trinomial exists, a triple of exponents is listed such that the pentanomial is irreducible over . (Columns: index j, exponent, and the values of k or the pentanomial triple.)

j exponent k
1 2 1
2 3 1
3 5 2
4 7 1, 3
5 13 none (4, 3, 1)
6 17 3, 5, 6
7 19 none (5, 2, 1)
8 31 3, 6, 7, 13
9 61 none (43, 26, 14)
10 89 38
11 107 none (82, 57, 31)
12 127 1, 7, 15, 30, 63
13 521 32, 48, 158, 168
14 607 105, 147, 273
15 1279 216, 418
16 2203 none (1656, 1197, 585)
17 2281 715, 915, 1029
18 3217 67, 576
19 4253 none (3297, 2254, 1093)
20 4423 271, 369, 370, 649, 1393, 1419, 2098
21 9689 84, 471, 1836, 2444, 4187
22 9941 none (7449, 4964, 2475)
23 11213 none (8218, 6181, 2304)
24 19937 881, 7083, 9842
25 21701 none (15986, 11393, 5073)
26 23209 1530, 6619, 9739
27 44497 8575, 21034

4.6 Generators and elements of high order

Recall (Definition 2.169) that if is a (multiplicative) finite group, the order of an element is the least positive integer such that . If there are elements in , and if is an element of order , then is said to be cyclic and is called a generator or a primitive element of (Definition 2.167). Of special interest for cryptographic applications are the multiplicative group of the integers modulo a prime , and the multiplicative group of the finite field of characteristic two; these groups are cyclic (Fact 2.213). Also of interest is the group (Definition 2.124), where is the product of two distinct odd primes. This section deals with the problem of finding generators and other elements of high order in , , and . See 2.5.1 for background in group theory and 2.6 for background in finite fields.

Algorithm 4.79 is an efficient method for determining the order of a group element, given the prime factorization of the group order . The correctness of the algorithm follows from the fact that the order of an element must divide (Fact 2.171).

4.79 Algorithm Determining the order of a group element
INPUT: a (multiplicative) finite group of order , an element , and the prime factorization .
OUTPUT: the order of .
1. Set .
2. For from 1 to do the following:
  2.1 Set .
  2.2 Compute .
  2.3 While do the following: compute and set .
3. Return( ).

Suppose now that is a cyclic group of order . Then for any divisor of the number of elements of order in is exactly (Fact 2.173(ii)), where is the Euler phi function (Definition 2.100). In particular, has exactly generators, and hence the probability of a random element in being a generator is . Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least . This suggests the following efficient randomized algorithm for finding a generator of a cyclic group.

4.80 Algorithm Finding a generator of a cyclic group
INPUT: a cyclic group of order , and the prime factorization .
OUTPUT: a generator of .
1. Choose a random element in .
2. For from 1 to do the following:
  2.1 Compute .
  2.2 If then go to step 1.
3. Return( ).

4.81 Note (group elements of high order) In some situations it may be desirable to have an element of high order, and not a generator. Given a generator in a cyclic group of order , and given a divisor of , an element of order in can be efficiently obtained as follows: . If is a prime divisor of the order of a cyclic group , then the following method finds an element of order without first having to find a generator of : select a random element and compute ; repeat until .

4.82 Note (generators of ) There are two basic approaches to finding a generator of . Both techniques require the factorization of the order of , namely .
(i) Generate a monic primitive polynomial of degree over (Algorithm 4.78). The finite field can then be represented as , the set of all polynomials over modulo , and the element is a generator.
(ii) Select the method for representing elements of first. Then use Algorithm 4.80 with and to find a generator of .

If , where and are distinct odd primes, then is a non-cyclic group of order . The maximum order of an element in is . Algorithm 4.83 is a method for generating such an element which requires the factorizations of and .

4.83 Algorithm Selecting an element of maximum order in , where
INPUT: two distinct odd primes, , , and the factorizations of and .
OUTPUT: an element of maximum order in , where .
1. Use Algorithm 4.80 with and to find a generator of .
2. Use Algorithm 4.80 with and to find a generator of .
3. Use Gauss's algorithm (Algorithm 2.121) to find an integer , , satisfying and .
4. Return( ).

4.6.1 Selecting a prime and generator of

In cryptographic applications for which a generator of is required, one usually has the flexibility of selecting the prime . To guard against the Pohlig-Hellman algorithm for computing discrete logarithms (Algorithm 3.63), a security requirement is that should contain a "large" prime factor . In this context, "large" means that the quantity represents an infeasible amount of computation; for example, . This suggests the following algorithm for selecting appropriate parameters .

4.84 Algorithm Selecting a bit prime and a generator of
INPUT: the required bitlength of the prime and a security parameter .
OUTPUT: a bit prime such that has a prime factor , and a generator of .
1. Repeat the following:
  1.1 Select a random bit prime (for example, using Algorithm 4.44).
  1.2 Factor .
  Until has a prime factor .
2. Use Algorithm 4.80 with and to find a generator of .
3. Return( , ).

Algorithm 4.84 is relatively inefficient as it requires the use of an integer factorization algorithm in step 1.2. An alternative approach is to generate the prime by first choosing a large prime and then selecting relatively small integers at random until is prime. Since , the factorization of can be obtained by factoring . A particularly convenient situation occurs by imposing the condition . In this case the factorization of is simply . Furthermore, since , the probability that a randomly selected element is a generator is .

4.85 Definition A safe prime is a prime of the form where is prime.

Algorithm 4.86 generates a safe (probable) prime and a generator of .

4.86 Algorithm Selecting a bit safe prime and a generator of
INPUT: the required bitlength of the prime.
OUTPUT: a bit safe prime and a generator of .
1. Do the following:
  1.1 Select a random bit prime (for example, using Algorithm 4.44).
  1.2 Compute , and test whether is prime (for example, using trial division by small primes and Algorithm 4.24).
  Until is prime.
2. Use Algorithm 4.80 to find a generator of .
3. Return( , ).
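As an added example for this section (my code, not the Handbook's), Algorithms 4.79, 4.80 and 4.86 and Note 4.81 in Python for the group Z_p^*: element order from the factorization of p - 1, a random generator, an element of prescribed order d, and a k-bit safe prime p = 2q + 1 together with a generator. A Miller-Rabin routine stands in for Algorithm 4.24; the round count, the small-prime list and the bit-length bookkeeping are this example's own assumptions.

```python
import random

# Added example, not the Handbook's code: Algorithms 4.79, 4.80, 4.86 and
# Note 4.81 specialised to the cyclic group Z_p^* of order p - 1.  Function
# names, the Miller-Rabin round count and the bit-length handling are my own.

def is_probable_prime(n, t=20, rng=random):
    """Miller-Rabin test (the role of Algorithm 4.24): trial division by small
    primes, then t random bases; a composite survives with probability <= 4^-t."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    r, s = n - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1
    for _ in range(t):
        y = pow(rng.randrange(2, n - 1), r, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False          # the base is a strong witness: n is composite
    return True

def element_order(alpha, p, factorization):
    """Algorithm 4.79 in Z_p^*: factorization is [(q_i, e_i)] with product p - 1."""
    t = p - 1
    for q, e in factorization:
        t //= q ** e
        a1 = pow(alpha, t, p)
        while a1 != 1:            # raise t by factors of q until alpha^t = 1
            a1 = pow(a1, q, p)
            t *= q
    return t

def find_generator(p, prime_factors, rng=random):
    """Algorithm 4.80 in Z_p^*: alpha generates the group iff
    alpha^((p-1)/q) != 1 for every prime q dividing p - 1."""
    n = p - 1
    while True:
        alpha = rng.randrange(1, p)
        if all(pow(alpha, n // q, p) != 1 for q in prime_factors):
            return alpha

def element_of_order(p, d, prime_factors, rng=random):
    """Note 4.81: beta = alpha^((p-1)/d) has order d when alpha is a generator."""
    alpha = find_generator(p, prime_factors, rng)
    return pow(alpha, (p - 1) // d, p)

def safe_prime_and_generator(k, rng=random):
    """Algorithm 4.86: k-bit safe prime p = 2q + 1 (q prime) and a generator of
    Z_p^*.  Since p - 1 = 2q, Algorithm 4.80 only needs the primes 2 and q."""
    while True:
        q = rng.getrandbits(k - 1) | (1 << (k - 2)) | 1   # random odd (k-1)-bit q
        if not is_probable_prime(q, rng=rng):
            continue
        p = 2 * q + 1                                     # p then has exactly k bits
        if is_probable_prime(p, rng=rng):
            return p, find_generator(p, [2, q], rng)
```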
B
4.1 Several books provide extensive treatments of primality testing including those by Bressoud [198], Bach and Shallit [70], and Koblitz [697]. The book by Kranakis [710] offers a more theoretical approach. Cohen [263] gives a comprehensive treatment of modern primality tests. See also the survey articles by A. Lenstra [747] and A. Lenstra and H. Lenstra [748]. Facts 4.1 and 4.2 were proven in 1837 by Dirichlet. For proofs of these results, see Chapter 16 of Ireland and Rosen [572]. Fact 4.3 is due to Rosser and Schoenfeld [1070]. Bach and Shallit [70] have further results on the distribution of prime numbers. The SolovayStrassen probabilistic primality test (Algorithm 4.18) is due to Solovay and Strassen [1163], as modiﬁed by Atkin and Larson [57]. Fact 4.23 was proven independently by Monier [892] and Rabin [1024]. The MillerRabin test (Algorithm 4.24) originated in the work of Miller [876] who presented it as a nonprobabilistic polynomialtime algorithm assuming the correctness of the Extended Riemann Hypothesis (ERH). Rabin [1021, 1024] rephrased Miller’s algorithm as a probabilistic primality test. Rabin’s algorithm required a small number of gcd computations. The MillerRabin test (Algorithm 4.24) is a simpliﬁcation of Rabin’s algorithm which does not require any gcd computations, and is due to Knuth [692, p.379]. Arazi [55], making use of Montgomery modular multiplication ( 14.3.2), showed how the MillerRabin test can be implemented by “divisionless modular exponentiations” only, yielding a probabilistic primality test which does not use any division operations. Miller [876], appealing to the work of Ankeny [32], proved under assumption of the Extended Riemann Hypothesis that, if is an odd composite integer, then its least strong witness is less than , where is some constant. Bach [63] proved that this constant may be taken to be ; see also Bach [64]. 
As a consequence, one can test for primality in bit operations by executing the MillerRabin algorithm for all bases . This gives a deterministic polynomialtime algorithm for primality testing, under the assumption that the ERH is true. Table 4.1 is from Jaeschke [630], building on earlier work of Pomerance, Selfridge, and Wagstaff [996]. Arnault [56] found the following digit composite integer The MillerRabin test (Algorithm 4.24) randomly generates independent bases and tests to see if each is a strong witness for . Let be an odd composite integer and let . In situations where random bits are scarce, one may choose instead to generate a single random base and use the bases . Bach [66] proved that for a randomly chosen integer , the probability that are all strong liars for is bounded above by ; in other words, the probability that the MillerRabin algorithm using these bases mistakenly declares an odd composite integer “prime” is at most . Peralta and Shoup [969] later improved this bound to . Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. b x F jHh f d aH 'i3ge's Q vv FC p C§` p 8 C p p C p f8 C fp p u Ft C that is a strong pseudoprime to all the prime bases up to digit composite integer which is a strong pseudoprime to all . Arnault also found a prime bases up to . Q CwEEtGwvwCEuCCEGxECCuwCEGvxEuGEvxwuxwuDEvCC b FyyFyyFFFyyFyFyyFFFyyFyyFFFFFFFFFFQ u t ID PH C Q jHh f d H 'i3ge'sQ C C Q Q R B p aY Q WU S q s`h'FG rp Y IY Q gU S S P`ih'Vfe Gb dcR aY Q WU S P`XVTR p jHh f d H 'i3ge's Q GCGED FFFC Q Qg
4.7 Notes and further references 165

4.2 Fact 4.13(i) was proven by Alford, Granville, and Pomerance [24]; see also Granville [521]. Fact 4.13(ii) is due to Pomerance, Selfridge, and Wagstaff [996]. Pinch [974] showed that there are Carmichael numbers up to . Monier [892] gave exact formulas for the number of Fermat liars, Euler liars, and strong liars for composite integers. One consequence of Monier’s formulas is the following improvement (in the case where is not a prime power) of Fact 4.17 (see Kranakis [710, p.68]). If is an odd composite integer having distinct prime factors, and if , then there are at most Euler liars for . Another consequence is the following improvement (in the case where has at least three distinct prime factors) of Fact 4.23. If is an odd composite integer having distinct prime factors, then there are at most strong liars for . Erdős and Pomerance [373] estimated the average number of Fermat liars, Euler liars, and strong liars for composite integers. Fact 4.30(ii) was proven independently by Atkin and Larson [57], Monier [892], and Pomerance, Selfridge, and Wagstaff [996]. Pinch [975] reviewed the probabilistic primality tests used in the Mathematica, Maple V, Axiom, and Pari/GP computer algebra systems. Some of these systems use a probabilistic primality test known as the Lucas test; a description of this test is provided by Pomerance, Selfridge, and Wagstaff [996].

4.3 If a number is composite, providing a nontrivial divisor of is evidence of its compositeness that can be verified in polynomial time (by long division). In other words, the decision problem “is composite?” belongs to the complexity class NP (cf. Example 2.65). Pratt [1000] used Fact 4.38 to show that this decision problem is also in co-NP. That is, if is prime there exists some evidence of this (called a certificate of primality) that can be verified in polynomial time.
Note that the issue here is not in finding such evidence, but rather in determining whether such evidence exists which, if found, allows efficient verification. Pomerance [992] improved Pratt’s results and showed that every prime has a certificate of primality which requires multiplications modulo for its verification. Primality of the Fermat number can be determined in deterministic polynomial time by Pepin’s test: for , is prime if and only if . For the history behind Pepin’s test and the Lucas-Lehmer test (Algorithm 4.37), see Bach and Shallit [70]. In Fact 4.38, the integer does not have to be the same for all . More precisely, Brillhart and Selfridge [212] showed that Fact 4.38 can be refined as follows: an integer is prime if and only if for each prime divisor of , there exists an integer such that and . The same is true of Fact 4.40, which is due to Pocklington [981]. For a proof of Fact 4.41, see Maurer [818]. Fact 4.42 is due to Brillhart, Lehmer, and Selfridge [210]; a simplified proof is given by Maurer [818]. The original Jacobi sum test was discovered by Adleman, Pomerance, and Rumely [16]. The algorithm was simplified, both theoretically and algorithmically, by Cohen and H. Lenstra [265]. Cohen and A. Lenstra [264] give an implementation report of the Cohen-Lenstra Jacobi sum test; see also Chapter 9 of Cohen [263]. Further improvements of the Jacobi sum test are reported by Bosma and van der Hulst [174]. Elliptic curves were first used for primality proving by Goldwasser and Kilian [477], who presented a randomized algorithm which has an expected running time of bit operations for most inputs . Subsequently, Adleman and Huang [13] designed a primality proving algorithm using hyperelliptic curves of genus two whose expected running time is polynomial for all inputs . This established that the decision problem “is prime?” is in the complexity class RP (Definition 2.77(ii)). The Goldwasser-Kilian and Adleman-Huang algorithms are inefficient in practice.
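The following is an added example (mine, not code from the Handbook) of the two deterministic primality proofs named above: Pepin’s test for the Fermat numbers, and a Pratt-style certificate of primality built on the Brillhart-Selfridge form of Fact 4.38, in which the base may differ for each prime divisor of n − 1. The verifier never factors anything; factoring n − 1 is the certificate builder’s job, which is the point of the NP/co-NP remark. The certificate layout, the witness-search bound and the trial-division threshold SMALL_BOUND are choices made for this example.

```python
"""Added example: two deterministic primality proofs.

(1) Pepin's test for the Fermat numbers F_k = 2^(2^k) + 1.
(2) Pratt-style certificates of primality in the Brillhart-Selfridge form of
    Fact 4.38: n is prime iff for every prime q | n-1 there is some a (which
    may depend on q) with a^(n-1) = 1 and a^((n-1)/q) != 1 (mod n).
Certificate layout, witness-search bound and SMALL_BOUND are choices made
for this example, not part of the Handbook."""

SMALL_BOUND = 1000   # primes below this are accepted by trial division


def fermat_number(k):
    return (1 << (1 << k)) + 1


def pepin_test(k):
    """For k >= 1: F_k is prime iff 3^((F_k - 1)/2) == -1 (mod F_k)."""
    if k < 1:
        raise ValueError("Pepin's test applies to k >= 1 (F_0 = 3 is prime)")
    f = fermat_number(k)
    return pow(3, (f - 1) // 2, f) == f - 1


def is_small_prime(n):
    """Trial division; only used below SMALL_BOUND."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def distinct_prime_factors(m):
    """Trial-division factorization (example sizes only)."""
    primes, d = [], 2
    while d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        primes.append(m)
    return primes


def verify_certificate(cert):
    """Check cert = {"n": n, "witnesses": {q: a}, "subcerts": {q: cert_q}}.
    Accepts only if every listed q is a proven prime, the listed q exhaust
    the prime factors of n-1, and each witness passes both conditions."""
    n = cert["n"]
    if n < SMALL_BOUND:
        return is_small_prime(n)
    m = n - 1
    remaining = m
    for q in cert["witnesses"]:
        if q < SMALL_BOUND:
            if not is_small_prime(q):
                return False
        else:
            sub = cert.get("subcerts", {}).get(q)
            if sub is None or sub["n"] != q or not verify_certificate(sub):
                return False
        while remaining % q == 0:
            remaining //= q
    if remaining != 1:           # some prime factor of n-1 was left out
        return False
    for q, a in cert["witnesses"].items():
        if pow(a, m, n) != 1 or pow(a, m // q, n) == 1:
            return False
    return True


def make_certificate(n, max_base=1000):
    """Build a certificate for n; returns None if n is composite (no witness
    can exist for some q) or no witness below max_base is found."""
    if n < SMALL_BOUND:
        return {"n": n, "witnesses": {}, "subcerts": {}} if is_small_prime(n) else None
    m = n - 1
    witnesses, subcerts = {}, {}
    for q in distinct_prime_factors(m):
        for a in range(2, max_base):
            if pow(a, m, n) == 1 and pow(a, m // q, n) != 1:
                witnesses[q] = a
                break
        else:
            return None
        if q >= SMALL_BOUND:
            sub = make_certificate(q, max_base)
            if sub is None:
                return None
            subcerts[q] = sub
    return {"n": n, "witnesses": witnesses, "subcerts": subcerts}
```

A certificate for 2^31 − 1 needs only the seven small primes dividing 2^31 − 2 and one witness per prime; a verifier that skipped the "remaining == 1" check could be handed a certificate listing only some of the prime factors of n − 1, which is the kind of omission a certificate format must rule out.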
Atkin’s test, and an implementation of it, is extensively described by Atkin and Morain [58]; see also Chapter 9 of Cohen [263]. The largest number proven prime as of 1996 by a general purpose primality proving algorithm is a 1505-decimal digit number, accomplished by Morain [903] using Atkin’s test. The total time for the computation was estimated to be 4 years of CPU time distributed among 21 SUN 3/60 workstations. See also Morain [902] for an implementation report on Atkin’s test which was used to prove the primality of the 1065-decimal digit number .

© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

4.4 A proof of Mertens’s theorem can be found in Hardy and Wright [540]. The optimal trial division bound (Note 4.45) was derived by Maurer [818]. The discussion (Note 4.47) on the probability is from Beauchemin et al. [81]; the result mentioned in the last sentence of this note is due to Kim and Pomerance [673]. Fact 4.48 was derived by Damgård, Landrock, and Pomerance [300], building on earlier work of Erdős and Pomerance [373], Kim and Pomerance [673], and Damgård and Landrock [299]. Table 4.3 is Table 2 of Damgård, Landrock, and Pomerance [300]. The suggestions to first do a Miller-Rabin test with a base (Remark 4.50) and to do an incremental search (Note 4.51) in Algorithm 4.44 were made by Brandt, Damgård, and Landrock [187]. The error and failure probabilities for incremental search (Note 4.51(i)) were obtained by Brandt and Damgård [186]; consult this paper for more concrete estimates of these probabilities. Algorithm 4.53 for generating strong primes is due to Gordon [514, 513]. Gordon originally proposed computing in step 3. Kaliski (personal communication, April 1996) proposed the modified formula which can be computed more efficiently. Williams and Schmid [1249] proposed an algorithm for generating strong primes with the additional constraint that where is prime; this algorithm is not as efficient as Gordon’s algorithm. Hellman and Bach [550] recommended an additional constraint on strong primes, specifying that (where is a large prime factor of ) must have a large prime factor (see Section 15.2.3(v)); this thwarts cycling attacks based on Lucas sequences. The NIST method for prime generation (Algorithm 4.56) is that recommended by the NIST Federal Information Processing Standards Publication (FIPS) 186 [406]. Fact 4.59 and Algorithm 4.62 for provable prime generation are derived from Maurer [818]. Algorithm 4.62 is based on that of Shawe-Taylor [1123].

Maurer notes that the total diversity of reachable primes using the original version of his algorithm is roughly 10% of all primes. Maurer also presents a more complicated algorithm for generating provable primes with a better diversity than Algorithm 4.62, and provides extensive implementation details and analysis of the expected running time. Maurer [812] provides heuristic justification that Algorithm 4.62 generates primes with virtually uniform distribution. Mihailescu [870] observed that Maurer’s algorithm can be improved by using the Eratosthenes sieve method for trial division (in step 8.2 of Algorithm 4.62) and by searching for a prime in an appropriate interval of the arithmetic progression instead of generating ’s at random until is prime. The second improvement comes at the expense of a reduction of the set of primes which may be produced by the algorithm. Mihailescu’s paper includes extensive analysis and an implementation report.

4.5 Lidl and Niederreiter [764] provide a comprehensive treatment of irreducible polynomials; proofs of Facts 4.67 and 4.68 can be found there. Algorithm 4.69 for testing a polynomial for irreducibility is due to Ben-Or [109]. The fastest algorithm known for generating irreducible polynomials is due to Shoup [1131] and has an expected running time of operations. There is no deterministic polynomial-time algorithm known for finding an irreducible polynomial of a specified degree in . Adleman and Lenstra [14] give a deterministic algorithm that runs in polynomial time under the assumption that the ERH is true. The best deterministic algorithm known is due to Shoup [1129] and takes operations, ignoring powers of and . Gordon [512] presents an improved method for computing minimum polynomials of elements in . Zierler and Brillhart [1271] provide a table of all irreducible trinomials of degree in . Blake, Gao, and Lambert [146] extended this list to all irreducible trinomials of degree in . Fact 4.75 is from their paper. Table 4.8 extends a similar table by Stahnke [1168]. The primitive pentanomials listed in Table 4.8 have the following properties: (i) ; (ii) ; and (iii) is as small as possible, and for this particular value of , is as small as possible. The rationale behind this form is explained in Stahnke’s paper. For each for which the factorization of is known, Živković [1275, 1276] gives a primitive trinomial in , one primitive polynomial in having five nonzero terms, and one primitive polynomial in having seven nonzero terms, provided that such polynomials exist. The factorizations of are known for all and for some additional . A list of such factorizations can be found in Brillhart et al. [211] and updates of the list are available by anonymous ftp from sable.ox.ac.uk in the /pub/math/cunningham/ directory.
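Returning to the strong primes discussed under 4.4 above: the following is an added example (mine, not code from the Handbook) of Gordon’s construction as I know Algorithm 4.53, using the p0 formula attributed above to Kaliski, together with a check of the divisibility structure the construction guarantees (a prime r dividing p − 1, a prime s dividing p + 1, and a prime t dividing r − 1). The bit sizes, the starting indices of the two searches and the Miller-Rabin round count are assumptions of the example.

```python
"""Added example: Gordon's strong-prime construction (Algorithm 4.53 as I know
it, with Kaliski's form of p0). Bit sizes, starting indices and the
Miller-Rabin round count are choices for this example."""
import random


def is_probable_prime(n, rounds=25, rng=random):
    """Miller-Rabin with random bases; a composite slips through with
    probability at most 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng=random):
    """Random probable prime with exactly `bits` bits (top and low bit set)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng=rng):
            return c


def gordon_strong_prime(bits, rng=random):
    """Return (p, r, s, t) with r | p-1, s | p+1 and t | r-1, all prime."""
    s = random_prime(bits // 2, rng)          # step 1: two random primes s, t
    t = random_prime(bits // 2, rng)
    i = rng.randrange(1, 1 << 8)              # step 2: r = 2it+1, first prime found
    while not is_probable_prime(2 * i * t + 1, rng=rng):
        i += 1
    r = 2 * i * t + 1
    # step 3 (Kaliski's form): p0 = 2(s^(r-2) mod r)s - 1, so that
    # p0 = 2 s^(r-1) - 1 = 1 (mod r) by Fermat's theorem, and p0 = -1 (mod s)
    p0 = 2 * pow(s, r - 2, r) * s - 1
    j = rng.randrange(1, 1 << 8)              # step 4: p = p0 + 2jrs, first prime found
    while not is_probable_prime(p0 + 2 * j * r * s, rng=rng):
        j += 1
    return p0 + 2 * j * r * s, r, s, t


def check_strong(p, r, s, t):
    """Verify the structure the construction promises, independently of how
    p was produced: primes r | p-1, s | p+1, t | r-1."""
    return ((p - 1) % r == 0 and (p + 1) % s == 0 and (r - 1) % t == 0
            and all(is_probable_prime(x) for x in (p, r, s, t)))


if __name__ == "__main__":
    p, r, s, t = gordon_strong_prime(128)
    print(p, check_strong(p, r, s, t))
```

Adding 2jrs keeps p ≡ 1 (mod r) and p ≡ −1 (mod s) at every step of the search, so the two congruences are fixed by p0 and the search only has to find the first prime in that progression.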
Hansen and Mullen [538] describe some improvements to Algorithm 4.78 for generating primitive polynomials. They also give tables of primitive polynomials of degree in for each prime power with . Moreover, for each such and , the primitive polynomial of degree over listed has the smallest number of nonzero coefficients among all such polynomials. The entries of Table 4.9 were obtained from Zierler [1270] for Mersenne exponents , and from Kurita and Matsumoto [719] for Mersenne exponents , .

Let be an irreducible polynomial of degree , and consider the finite field . Then is called a normal polynomial if the set forms a basis for over ; such a basis is called a normal basis. Mullin et al. [911] introduced the concept of an optimal normal basis in order to reduce the hardware complexity of multiplying field elements in the finite field . A VLSI implementation of the arithmetic in which uses optimal normal bases is described by Agnew et al. [18]. A normal polynomial which is also primitive is called a primitive normal polynomial. Davenport [301] proved that for any prime and positive integer there exists a primitive normal polynomial of degree in . See also Lenstra and Schoof [760] who generalized this result from prime fields to prime power fields . Morgan and Mullen [905] give a primitive normal polynomial of degree over for each prime power with . Moreover, each polynomial has the smallest number of nonzero coefficients among all primitive normal polynomials of degree over ; in fact, each polynomial has at most five nonzero terms.

4.6 No polynomial-time algorithm is known for finding generators, or even for testing whether an element is a generator, of a finite field if the factorization of is unknown. Shoup [1130] considered the problem of deterministically generating in polynomial time a subset of that contains a generator, and presented a solution to the problem for the case where the characteristic of is small (e.g. ). Maurer [818] discusses how his algorithm (Algorithm 4.62) can be used to generate the parameters , where is a provable prime and is a generator of .
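As an added example for 4.5 and 4.6 (mine, not code from the Handbook), the following implements Ben-Or’s irreducibility test (Algorithm 4.69) over Z_2 and the primitivity check for an irreducible polynomial: the latter is exactly the generator test of 4.6 applied to the element x of Z_2[x]/(f), and so it needs the prime factors of 2^m − 1, which the caller supplies (the trial-division fallback is for small m only). Encoding polynomials as Python ints (bit i is the coefficient of x^i) and the sample polynomials x^4 + x + 1, 0x11B and 0x11D are choices made here.

```python
"""Added example: Ben-Or irreducibility test and primitivity check over Z_2.

Polynomials are ints: bit i holds the coefficient of x^i, so 0b10011 is
x^4 + x + 1. Sample polynomials are constructed for this example."""


def gf2_mod(a, b):
    """a mod b in Z_2[x] (b != 0)."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def gf2_gcd(a, b):
    """Euclid in Z_2[x]; the result is monic automatically."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def gf2_mulmod(a, b, f):
    """a*b mod f for a, b already reduced modulo f, deg f = m."""
    m = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:          # degree reached m: subtract f
            a ^= f
    return r


def gf2_powmod(a, e, f):
    """a^e mod f by square-and-multiply."""
    a = gf2_mod(a, f)
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, a, f)
        a = gf2_mulmod(a, a, f)
        e >>= 1
    return r


def is_irreducible(f):
    """Ben-Or: f of degree m >= 1 is irreducible over Z_2 iff
    gcd(f, x^(2^i) - x) = 1 for i = 1, ..., floor(m/2)."""
    m = f.bit_length() - 1
    if m < 1:
        return False
    u = 2                          # u = x
    for _ in range(m // 2):
        u = gf2_mulmod(u, u, f)    # u = x^(2^i) mod f
        if gf2_gcd(f, u ^ 2) != 1: # u - x is u + x over Z_2
            return False
    return True


def distinct_prime_factors(n):
    """Trial division; only for small orders in this example."""
    primes, d = [], 2
    while d * d <= n:
        if n % d == 0:
            primes.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        primes.append(n)
    return primes


def is_primitive(f, prime_factors=None):
    """Irreducible f of degree m is primitive iff x generates the
    multiplicative group of Z_2[x]/(f), i.e. x^((2^m-1)/q) != 1 (mod f)
    for every prime q dividing 2^m - 1. This is the generator test of 4.6
    and needs the factorization of 2^m - 1."""
    m = f.bit_length() - 1
    if m < 1 or not (f & 1) or not is_irreducible(f):
        return False               # x | f means x is not even a unit
    order = (1 << m) - 1
    if prime_factors is None:
        prime_factors = distinct_prime_factors(order)
    return all(gf2_powmod(2, order // q, f) != 1 for q in prime_factors)
```

The AES polynomial 0x11B is irreducible but not primitive (x has order 51 in that field), while 0x11D, the polynomial used in Reed-Solomon implementations with generator 2, is primitive; both facts fall out of the same order test once 255 = 3·5·17 is known.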