chap4-cryptography




Chapter 4
Public-Key Parameters

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

Contents in Brief
4.1 Introduction                               133
4.2 Probabilistic primality tests              135
4.3 (True) Primality tests                     142
4.4 Prime number generation                    145
4.5 Irreducible polynomials over               154
4.6 Generators and elements of high order      160
4.7 Notes and further references               165

4.1 Introduction

The efficient generation of public-key parameters is a prerequisite in public-key systems. A specific example is the requirement of a prime number to define a finite field for use in the Diffie-Hellman key agreement protocol and its derivatives (§12.6). In this case, an element of high order in is also required. Another example is the requirement of primes and for an RSA modulus (§8.2). In this case, the prime must be of sufficient size, and be “random” in the sense that the probability of any particular prime being selected must be sufficiently small to preclude an adversary from gaining advantage through optimizing a search strategy based on such probability. Prime numbers may be required to have certain additional properties, in order that they do not make the associated cryptosystems susceptible to specialized attacks. A third example is the requirement of an irreducible polynomial of degree over the finite field for constructing the finite field . In this case, an element of high order in is also required.

Chapter outline

The remainder of §4.1 introduces basic concepts relevant to prime number generation and summarizes some results on the distribution of prime numbers. Probabilistic primality tests, the most important of which is the Miller-Rabin test, are presented in §4.2. True primality tests by which arbitrary integers can be proven to be prime are the topic of §4.3; since these tests are generally more computationally intensive than probabilistic primality tests, they are not described in detail. §4.4 presents four algorithms for generating prime numbers, strong primes, and provable primes. §4.5 describes techniques for constructing irreducible and primitive polynomials, while §4.6 considers the production of generators and elements of high orders in groups. §4.7 concludes with chapter notes and references.

4.1.1 Approaches to generating large prime numbers

To motivate the organization of this chapter and introduce many of the relevant concepts, the problem of generating large prime numbers is first considered. The most natural method is to generate a random number of appropriate size, and check if it is prime. This can be done by checking whether is divisible by any of the prime numbers . While more efficient methods are required in practice, to motivate further discussion consider the following approach:
1. Generate as candidate a random odd number of appropriate size.
2. Test for primality.
3. If is composite, return to the first step.

A slight modification is to consider candidates restricted to some search sequence starting from ; a trivial search sequence which may be used is . Using specific search sequences may allow one to increase the expectation that a candidate is prime, and to find primes possessing certain additional desirable properties a priori.

In step 2, the test for primality might be either a test which proves that the candidate is prime (in which case the outcome of the generator is called a provable prime), or a test which establishes a weaker result, such as that is “probably prime” (in which case the outcome of the generator is called a probable prime). In the latter case, careful consideration must be given to the exact meaning of this expression. Most so-called probabilistic primality tests are absolutely correct when they declare candidates to be composite, but do not provide a mathematical proof that is prime in the case when such a number is declared to be “probably” so. In the latter case, however, when used properly one may often be able to draw conclusions more than adequate for the purpose at hand. For this reason, such tests are more properly called compositeness tests than probabilistic primality tests. True primality tests, which allow one to conclude with mathematical certainty that a number is prime, also exist, but generally require considerably greater computational resources.

While (true) primality tests can determine (with mathematical certainty) whether a typically random candidate number is prime, other techniques exist whereby candidates are specially constructed such that it can be established by mathematical reasoning whether a candidate actually is prime. These are called constructive prime generation techniques.

A final distinction between different techniques for prime number generation is the use of randomness. Candidates are typically generated as a function of a random input. The technique used to judge the primality of the candidate, however, may or may not itself use random numbers. If it does not, the technique is deterministic, and the result is reproducible; if it does, the technique is said to be randomized. Both deterministic and randomized probabilistic primality tests exist.

In some cases, prime numbers are required which have additional properties. For example, to make the extraction of discrete logarithms in resistant to an algorithm due to Pohlig and Hellman (§3.6.4), it is a requirement that have a large prime divisor. Thus techniques for generating public-key parameters, such as prime numbers, of special form need to be considered.

4.1.2 Distribution of prime numbers

Let denote the number of primes in the interval . The prime number theorem (Fact 2.95) states that . In other words, the number of primes in the interval is approximately equal to . The prime numbers are quite uniformly distributed, as the following three results illustrate.

(Footnote: If and are two functions, then means that .)

4.1 Fact (Dirichlet theorem) If , then there are infinitely many primes congruent to modulo .

A more explicit version of Dirichlet’s theorem is the following.

4.2 Fact Let denote the number of primes in the interval which are congruent to modulo , where . Then . In other words, the prime numbers are roughly uniformly distributed among the congruence classes in , for any value of .

4.3 Fact (approximation for the th prime number) Let denote the th prime number. Then . More explicitly, .

4.2 Probabilistic primality tests

The algorithms in this section are methods by which arbitrary positive integers are tested to provide partial information regarding their primality. More specifically, probabilistic primality tests have the following framework. For each odd positive integer , a set is defined such that the following properties hold:
(i) given , it can be checked in deterministic polynomial time whether ;
(ii) if is prime, then (the empty set); and
(iii) if is composite, then .

4.4 Definition If is composite, the elements of are called witnesses to the compositeness of , and the elements of the complementary set are called liars.

A probabilistic primality test utilizes these properties of the sets in the following manner. Suppose that is an integer whose primality is to be determined. An integer is chosen at random, and it is checked if . The test outputs “composite” if , and outputs “prime” if . If indeed , then is said to fail the primality test for the base ; in this case, is surely composite. If , then is said to pass the primality test for the base ; in this case, no conclusion with absolute certainty can be drawn about the primality of , and the declaration “prime” may be incorrect. Any single execution of this test which declares “composite” establishes this with certainty. On the other hand, successive independent runs of the test all of which return the answer “prime” allow the confidence that the input is indeed prime to be increased to whatever level is desired — the cumulative probability of error is multiplicative over independent trials. If the test is run times independently on the composite number , the probability that is declared “prime” all times (i.e., the probability of error) is at most . This discussion illustrates why a probabilistic primality test is more properly called a compositeness test.

4.5 Definition An integer which is believed to be prime on the basis of a probabilistic primality test is called a probable prime.

Two probabilistic primality tests are covered in this section: the Solovay-Strassen test (§4.2.2) and the Miller-Rabin test (§4.2.3). For historical reasons, the Fermat test is first discussed in §4.2.1; this test is not truly a probabilistic primality test since it usually fails to distinguish between prime numbers and special composite integers called Carmichael numbers.

4.2.1 Fermat’s test

Fermat’s theorem (Fact 2.127) asserts that if is a prime and is any integer, , then . Therefore, given an integer whose primality is under question, finding any integer in this interval such that this equivalence is not true suffices to prove that is composite. Conversely, finding an integer between and such that makes appear to be a prime in the sense that it satisfies Fermat’s theorem for the base . This motivates the following definition and Algorithm 4.9.

4.6 Definition Let be an odd composite integer. An integer , , such that is called a Fermat witness (to compositeness) for .

4.7 Definition Let be an odd composite integer and let be an integer, . Then is said to be a pseudoprime to the base if . The integer is called a Fermat liar (to primality) for .

4.8 Example (pseudoprime) The composite integer ( ) is a pseudoprime to the base since .

4.9 Algorithm Fermat primality test
FERMAT( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. For from to do the following:
1.1 Choose a random integer , .
1.2 Compute using Algorithm 2.143.
1.3 If then return(“composite”).
2. Return(“prime”).

If Algorithm 4.9 declares “composite”, then is certainly composite. On the other hand, if the algorithm declares “prime” then no proof is provided that is indeed prime. Nonetheless, since pseudoprimes for a given base are known to be rare, Fermat’s test provides a correct answer on most inputs; this, however, is quite distinct from providing a correct answer most of the time (e.g., if run with different bases) on every input. In fact, it does not do the latter because there are (even rarer) composite numbers which are pseudoprimes to every base for which .

If is a Carmichael number, then the only Fermat witnesses for are those integers , , for which . Thus, if the prime factors of are all large, then with high probability the Fermat test declares that is “prime”, even if the number of iterations is large. This deficiency in the Fermat test is removed in the Solovay-Strassen and Miller-Rabin probabilistic primality tests by relying on criteria which are stronger than Fermat’s theorem.

This subsection is concluded with some facts about Carmichael numbers. If the prime factorization of is known, then Fact 4.11 can be used to easily determine whether is a Carmichael number.
4.10 Definition A Carmichael number is a composite integer such that for all integers which satisfy .

4.11 Fact (necessary and sufficient conditions for Carmichael numbers) A composite integer is a Carmichael number if and only if the following two conditions are satisfied:
(i) is square-free, i.e., is not divisible by the square of any prime; and
(ii) divides for every prime divisor of .

A consequence of Fact 4.11 is the following.

4.12 Fact Every Carmichael number is the product of at least three distinct primes.

4.13 Fact (bounds for the number of Carmichael numbers)
(i) There are an infinite number of Carmichael numbers. In fact, there are more than Carmichael numbers in the interval , once is sufficiently large.
(ii) The best upper bound known for , the number of Carmichael numbers , is: .

Carmichael numbers are relatively scarce; there are only Carmichael numbers . The smallest Carmichael number is .

4.2.2 Solovay-Strassen test

The Solovay-Strassen probabilistic primality test was the first such test popularized by the advent of public-key cryptography, in particular the RSA cryptosystem. There is no longer any reason to use this test, because an alternative is available (the Miller-Rabin test) which is both more efficient and always at least as correct (see Note 4.33). Discussion is nonetheless included for historical completeness and to clarify this exact point, since many people continue to reference this test.

Recall (§2.4.5) that denotes the Jacobi symbol, and is equivalent to the Legendre symbol if is prime. The Solovay-Strassen test is based on the following fact.

4.14 Fact (Euler’s criterion) Let be an odd prime. Then for all integers which satisfy .

Fact 4.14 motivates the following definitions.

4.15 Definition Let be an odd composite integer and let be an integer, .
(i) If either or , then is called an Euler witness (to compositeness) for .
(ii) Otherwise, i.e., if and , then is said to be an Euler pseudoprime to the base . (That is, acts like a prime in that it satisfies Euler’s criterion for the particular base .) The integer is called an Euler liar (to primality) for .

4.16 Example (Euler pseudoprime) The composite integer ( ) is an Euler pseudoprime to the base since and .

Euler’s criterion (Fact 4.14) can be used as a basis for a probabilistic primality test because of the following result.

4.17 Fact Let be an odd composite integer. Then at most of all the numbers , , are Euler liars for (Definition 4.15). Here, is the Euler phi function (Definition 2.100).

4.18 Algorithm Solovay-Strassen probabilistic primality test
SOLOVAY-STRASSEN( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. For from to do the following:
1.1 Choose a random integer , .
1.2 Compute using Algorithm 2.143.
1.3 If and then return(“composite”).
1.4 Compute the Jacobi symbol using Algorithm 2.149.
1.5 If then return(“composite”).
2. Return(“prime”).

If , then is a divisor of . Hence, testing whether in step 1.3 eliminates the necessity of testing whether .

If Algorithm 4.18 declares “composite”, then is certainly composite because prime numbers do not violate Euler’s criterion (Fact 4.14). Equivalently, if is actually prime, then the algorithm always declares “prime”. On the other hand, if is actually composite, then since the bases in step 1.1 are chosen independently during each iteration of step 1, Fact 4.17 can be used to deduce the following probability of the algorithm erroneously declaring “prime”.

4.19 Fact (Solovay-Strassen error-probability bound) Let be an odd composite integer. The probability that SOLOVAY-STRASSEN( , ) declares to be “prime” is less than .

4.2.3 Miller-Rabin test

The probabilistic primality test used most in practice is the Miller-Rabin test, also known as the strong pseudoprime test. The test is based on the following fact.

4.20 Fact Let be an odd prime, and let where is odd. Let be any integer such that . Then either or for some , .

Fact 4.20 motivates the following definitions.

4.21 Definition Let be an odd composite integer and let where is odd. Let be an integer in the interval .
(i) If and if for all , , then is called a strong witness (to compositeness) for .
(ii) Otherwise, i.e., if either or for some , , then is said to be a strong pseudoprime to the base . (That is, acts like a prime in that it satisfies Fact 4.20 for the particular base .) The integer is called a strong liar (to primality) for .

4.22 Example (strong pseudoprime) Consider the composite integer ( ). Since , and . Since , is a strong pseudoprime to the base . The set of all strong liars for is: . Notice that the number of strong liars for is , where is the Euler phi function (cf. Fact 4.23).

Fact 4.20 can be used as a basis for a probabilistic primality test due to the following result.

4.23 Fact If is an odd composite integer, then at most of all the numbers , , are strong liars for . In fact, if , the number of strong liars for is at most , where is the Euler phi function (Definition 2.100).

4.24 Algorithm Miller-Rabin probabilistic primality test
MILLER-RABIN( , )
INPUT: an odd integer and security parameter .
OUTPUT: an answer “prime” or “composite” to the question: “Is prime?”
1. Write such that is odd.
2. For from to do the following:
2.1 Choose a random integer , .
2.2 Compute using Algorithm 2.143.
2.3 If and then do the following: . While and do the following: Compute . If then return(“composite”). . If then return(“composite”).
3. Return(“prime”).

Algorithm 4.24 tests whether each base satisfies the conditions of Definition 4.21(i). In the fifth line of step 2.3, if , then . Since it is also the case that , it follows from Fact 3.18 that is composite (in fact is a non-trivial factor of ). In the seventh line of step 2.3, if , then is a strong witness for . If Algorithm 4.24 declares “composite”, then is certainly composite because prime numbers do not violate Fact 4.20. Equivalently, if is actually prime, then the algorithm always declares “prime”. On the other hand, if is actually composite, then Fact 4.23 can be used to deduce the following probability of the algorithm erroneously declaring “prime”.

4.25 Fact (Miller-Rabin error-probability bound) For any odd composite integer , the probability that MILLER-RABIN( , ) declares to be “prime” is less than .

4.26 Remark (number of strong liars) For most composite integers , the number of strong liars for is actually much smaller than the upper bound of given in Fact 4.23. Consequently, the Miller-Rabin error-probability bound is much smaller than for most positive integers .

4.27 Example (some composite integers have very few strong liars) The only strong liars for ( ) are and . More generally, if and the composite integer is the product of the first odd primes, there are only strong liars for , namely and .

4.28 Remark (fixed bases in Miller-Rabin) If and are strong liars for , their product is very likely, but not certain, to also be a strong liar for . A strategy that is sometimes employed is to fix the bases in the Miller-Rabin algorithm to be the first few primes (composite bases are ignored because of the preceding statement), instead of choosing them at random.

4.29 Definition Let denote the first primes. Then is defined to be the smallest positive composite integer which is a strong pseudoprime to all the bases .

The numbers can be interpreted as follows: to determine the primality of any integer , it is sufficient to apply the Miller-Rabin algorithm to with the bases being the first prime numbers. With this choice of bases, the answer returned by Miller-Rabin is always corre

相关文章

[Table 4.1: Smallest strong pseudoprimes. The table lists values of , the smallest positive composite integer that is a strong pseudoprime to each of the first prime bases, for . The table body did not survive extraction.]

4.2.4 Comparison: Fermat, Solovay-Strassen, and Miller-Rabin

Fact 4.30 describes the relationships between Fermat liars, Euler liars, and strong liars (see Definitions 4.7, 4.15, and 4.21).

4.30 Fact Let be an odd composite integer.
(i) If is an Euler liar for , then it is also a Fermat liar for .
(ii) If is a strong liar for , then it is also an Euler liar for .

[Figure 4.1: Relationships between Fermat, Euler, and strong liars for a composite integer .]

For a fixed composite candidate , the situation is depicted in Figure 4.1. This settles the question of the relative accuracy of the Fermat, Solovay-Strassen, and Miller-Rabin tests, not only in the sense of the relative correctness of each test on a fixed candidate , but also in the sense that given , the specified containments hold for each randomly chosen base .
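Algorithms 4.18 and 4.24 together with the liar sets of Fact 4.30, as an added Python example that is not the Handbook's own code. It implements the Jacobi symbol, the Solovay-Strassen and Miller-Rabin tests (each usable with caller-supplied bases, so that a single base can be examined, or with random bases as in the algorithms), and a brute-force computation of the Fermat, Euler and strong liars of a small composite n so that the containments strong ⊆ Euler ⊆ Fermat can be checked directly. The constructed inputs n = 91 = 7·13 and n = 561 = 3·11·17 and all function names are this example's own.

```python
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n >= 1, by the iterative reciprocity method
    (an equivalent of Algorithm 2.149). Returns 0 when gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                  # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                        # quadratic reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def solovay_strassen_with_bases(n, bases):
    """Algorithm 4.18 run over a given sequence of bases a in [2, n-2]."""
    for a in bases:
        r = pow(a, (n - 1) // 2, n)        # step 1.2
        if r != 1 and r != n - 1:          # step 1.3 (also rules out gcd(a, n) > 1)
            return "composite"
        if jacobi(a, n) % n != r:          # steps 1.4-1.5: Euler's criterion violated
            return "composite"
    return "prime"


def miller_rabin_with_bases(n, bases):
    """Algorithm 4.24 run over a given sequence of bases a in [2, n-2]."""
    s, r = 0, n - 1
    while r % 2 == 0:                      # step 1: n - 1 = 2^s * r with r odd
        s += 1
        r //= 2
    for a in bases:
        y = pow(a, r, n)                   # step 2.2
        if y != 1 and y != n - 1:          # step 2.3
            j = 1
            while j <= s - 1 and y != n - 1:
                y = y * y % n
                if y == 1:                 # non-trivial square root of 1: n is composite
                    return "composite"
                j += 1
            if y != n - 1:                 # a is a strong witness for n
                return "composite"
    return "prime"


def solovay_strassen(n, t, rng=random):
    """SOLOVAY-STRASSEN(n, t) with t random bases, as in Algorithm 4.18."""
    if n < 5 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 5")
    return solovay_strassen_with_bases(n, (rng.randint(2, n - 2) for _ in range(t)))


def miller_rabin(n, t, rng=random):
    """MILLER-RABIN(n, t) with t random bases, as in Algorithm 4.24."""
    if n < 5 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 5")
    return miller_rabin_with_bases(n, (rng.randint(2, n - 2) for _ in range(t)))


def liar_sets(n):
    """Fermat, Euler and strong liars in [1, n-1] for an odd composite n
    (Definitions 4.7, 4.15 and 4.21), found by exhausting all bases."""
    fermat = {a for a in range(1, n) if pow(a, n - 1, n) == 1}
    euler = {a for a in range(1, n)
             if jacobi(a, n) != 0 and pow(a, (n - 1) // 2, n) == jacobi(a, n) % n}
    strong = {a for a in range(1, n) if miller_rabin_with_bases(n, [a]) == "prime"}
    return fermat, euler, strong


def liar_counts(n):
    return tuple(len(s) for s in liar_sets(n))


if __name__ == "__main__":
    fermat, euler, strong = liar_sets(91)          # constructed n = 91 = 7 * 13
    print("Fermat liars:", sorted(fermat))
    print("Euler liars: ", sorted(euler))
    print("strong liars:", sorted(strong))
    print("strong <= Euler <= Fermat:", strong <= euler <= fermat)
    # Base 2 is an Euler liar but a strong witness for the Carmichael number 561.
    print("Solovay-Strassen(561), base 2:", solovay_strassen_with_bases(561, [2]))
    print("Miller-Rabin(561), base 2:    ", miller_rabin_with_bases(561, [2]))
    print("MILLER-RABIN(2^61 - 1, 10):", miller_rabin((1 << 61) - 1, 10, random.Random(1)))
```

For n = 91 the brute-force sets show the containments of Fact 4.30 and that the number of strong liars is exactly a quarter of φ(91) = 72, the bound of Fact 4.23; for n = 561 the base 2 passes Solovay-Strassen but fails Miller-Rabin, so the second test is strictly stronger on that input.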
Thus, from a correctness point of view, the Miller-Rabin test is never worse than the Solovay-Strassen test, which in turn is never worse than the Fermat test. As the following result shows, there are, however, some composite integers for which the Solovay-Strassen and Miller-Rabin tests are equally good. ˜ ˜ ª « •˜ 4.32 Fact If , then What remains is a comparison of the computational costs. While the Miller-Rabin test may appear more complex, it actually requires, at worst, the same amount of computation as Fermat’s test in terms of modular multiplications; thus the Miller-Rabin test is better than Fermat’s test in all regards. At worst, the sequence of computations defined in MILLERRABIN( ,1) requires the equivalent of computing . It is also the case that MILLER-RABIN( ,1) requires less computation than SOLOVAY-STRASSEN( ,1), the and possibly a further Jacobi symbol latter requiring the computation of computation. For this reason, the Solovay-Strassen test is both computationally and conceptually more complex. 4.33 Note (Miller-Rabin is better than Solovay-Strassen) In summary, both the Miller-Rabin and Solovay-Strassen tests are correct in the event that either their input is actually prime, or that they declare their input composite. There is, however, no reason to use the SolovayStrassen test (nor the Fermat test) over the Miller-Rabin test. The reasons for this are summarized below. (i) The Solovay-Strassen test is computationally more expensive. (ii) The Solovay-Strassen test is harder to implement since it also involves Jacobi symbol computations. , while the error (iii) The error probability for Solovay-Strassen is bounded above by probability for Miller-Rabin is bounded above by . Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 
º° µ ¸ ¬ º° µ» ¬ ˜ ˜ ¯® E­ ¸ ·¶ µ ´ ²± 2³ch³„ª ˜ ¯® ­ ¸ ·¶ µ ´ ²± 2³c†¹ª ˜ ˜ ¨  C› ›   ¡ § ¥ H¦ 3Ÿ 3HCHCC¡CCŸ ¢ ¢ ¢¦¥¢£Ÿ¢¥Ÿ¢£¢ ›    ¡  H› § C¥ H¦ H CŸ CUCUCUCUCUCUCC¡CC¡3H¡3HC¡3Ÿ ¢ ¢ ¢ ¢¦¥¢¥¥¢£ ¢¥ ¢Ÿ ¢¦¤¢Ÿ¤¢£Ÿ¢¥Ÿ¢¤Ÿ¢£¢ ž Rœ™ Hœš˜ › ™ Fermat liars for © Euler liars for strong liars for is an Euler liar for if and only if it is a strong liar for . © ˜ ˜ © ˜ ˜ ° ¥ ¯ ® ­¬ CR©¥  C› § 3¥ › ¢ 3¦  ¢¦¥¢£Ÿ¢£¢ 3HCHCCŸ ª HŸ ¡ — 4.2 Probabilistic primality tests 141 4.31 Example (Fermat, Euler, strong liars) Consider the composite integer ( ). The Fermat liars for are The Euler liars for are , while the strong liars for . . are 142 Ch. 4 Public-Key Parameters (iv) Any strong liar for is also an Euler liar for . Hence, from a correctness point of view, the Miller-Rabin test is never worse than the Solovay-Strassen test. ¼ ¼ 4.3 (True) Primality tests The primality tests in this section are methods by which positive integers can be proven to be prime, and are often referred to as primality proving algorithms. These primality tests are generally more computationally intensive than the probabilistic primality tests of 4.2. Consequently, before applying one of these tests to a candidate prime , the candidate should be subjected to a probabilistic primality test such as Miller-Rabin (Algorithm 4.24). 4.34 Definition An integer which is determined to be prime on the basis of a primality proving algorithm is called a provable prime. ¼ ¼ ½ á 4.3.1 Testing Mersenne numbers Efficient algorithms are known for testing primality of some special classes of numbers, such as Mersenne numbers and Fermat numbers. Mersenne primes are useful because the arithmetic in the field for such can be implemented very efficiently (see 14.3.4). The Lucas-Lehmer test for Mersenne numbers (Algorithm 4.37) is such an algorithm. ÆÄ 1ÅÁ à ½ ¼ 4.35 Definition Let be an integer. A Mersenne number is an integer of the form is prime, then it is called a Mersenne prime. 
If à&ˆÁ ÆÄ xÇÁ à The following are necessary and sufficient conditions for a Mersenne number to be prime. ÆÄÃÊ ËˆÁ ɂ¼ Fact 4.36 leads to the following deterministic polynomial-time algorithm for determining (with certainty) whether a Mersenne number is prime. 4.37 Algorithm Lucas-Lehmer primality test for Mersenne numbers INPUT: a Mersenne number with . OUTPUT: an answer “prime” or “composite” to the question: “Is prime?” 1. Use trial division to check if has any factors between and . If it does, then return(“composite”). 2. Set . 3. For from 1 to do the following: compute . 4. If then return(“prime”). Otherwise, return(“composite”). It is unknown whether there are infinitely many Mersenne primes. Table 4.2 lists the known Mersenne primes. ¼ Ø× ÖÕ ˆE‰Cà ßÞ 2Á 1Ý ¼ Ô ÌÓ à Ä a’•Ì à ȠpvÁ ÆÄÃÊ xvÁ pQ¼ Á à ÄÁ ÚÊ 7!Ì Ù Îà xÌ c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter. Ú 7“Ù ¼ Ø× ÖÕ ˆ‰Hà ÏÔ Ì Ó Ê Ò Ñ Ï Ä a’D„HÐÌ Î ÊÍ DtaÌ 4.36 Fact Let . The Mersenne number two conditions are satisfied: (i) is prime; and (ii) the sequence of integers defined by satisfies . Ú 7Ê Ô ÜÛ 4ÐÌ È ÉsÁ Á ¼ ¿ À¾ . is prime if and only if the following and for È HÈ Table 4.2: Known Mersenne primes. The table shows the known exponents , , for which is a Mersenne prime, and also the number of decimal digits in . The question marks after and indicate that it is not known whether there are any other exponents between and these numbers for which is prime. ö æ 5ô ö ç è è õ vå ç 4è õ ˆå æ ôóò aç ø÷ 2•ã This section presents results which can be used to prove that an integer is prime, provided that the factorization or a partial factorization of is known. It may seem odd to consider a technique which requires the factorization of as a subproblem — if integers of this size can be factored, the primality of itself could be determined by factoring . However, the factorization of may be easier to compute if has a special form, such as a Fermat number . 
Another situation where the factorization of may be easy to compute is when the candidate is “constructed” by specific methods (see 4.4.4).

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

4.38 Fact Let be an integer. Then is prime if and only if there exists an integer satisfying: (i) ; and (ii) for each prime divisor of .

This result follows from the fact that has an element of order (Definition 2.128) if and only if is prime; an element satisfying conditions (i) and (ii) has order .

4.39 Note (primality test based on Fact 4.38) If is a prime, the number of elements of order is precisely . Hence, to prove a candidate prime, one may simply choose an integer at random and use Fact 4.38 to check whether has order . If this is the case, then is certainly prime. Otherwise, another is selected and the test is repeated. If is indeed prime, the expected number of iterations before an element of order is selected is ; this follows since for
(Fact 2.102). Thus, if such an is not found after a “reasonable” number (for example, ) of iterations, then is probably composite and should again be subjected to a probabilistic primality test such as Miller-Rabin (Algorithm 4.24). This method is, in effect, a probabilistic compositeness test.

The next result gives a method for proving primality which requires knowledge of only a partial factorization of .

4.40 Fact (Pocklington’s theorem) Let be an integer, and let (i.e. divides ) where the prime factorization of is . If there exists an integer satisfying: (i) ; and (ii) for each , , , then every prime divisor of is congruent to 1 modulo . It follows that if then is prime.

If is indeed prime, then the following result establishes that most integers satisfy conditions (i) and (ii) of Fact 4.40, provided that the prime divisors of are sufficiently large.

4.41 Fact Let be an odd prime with and . Let the distinct prime factors of be , . Then the probability that a randomly selected base , , satisfies both: (i) ; and (ii) for each , , is .

Thus, if the factorization of a divisor of is known, then to test for primality one may simply choose random integers in the interval until one is found satisfying conditions (i) and (ii) of Fact 4.40, implying that is prime. If such an is not found after a “reasonable” number of iterations, then is probably composite, and this could be established by subjecting it to a probabilistic primality test (footnote 3 also applies here). This method is, in effect, a probabilistic compositeness test.

The next result gives a method for proving primality which only requires the factorization of a divisor of that is greater than . For an example of the use of Fact 4.42, see Note 4.63.

4.42 Fact Let be an odd integer. Let , and suppose that there exists an integer satisfying both: (i) ; and (ii) for each prime divisor of . Let and be defined by and . If and if is neither nor a perfect square, then is prime.
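An added example (not code from the Handbook) of the two proofs just described: the order-(n − 1) test of Fact 4.38 / Note 4.39, which needs the full factorization of n − 1, and Pocklington's theorem (Fact 4.40), which needs only the factored part F of n − 1 = F·R. The congruences and the size condition coded here (a^(n−1) ≡ 1 (mod n); a^((n−1)/q) ≢ 1 for every prime q dividing n − 1; for Pocklington gcd(a^((n−1)/q) − 1, n) = 1 for the primes q of F, together with (F + 1)² > n) are the standard statements of those facts and are assumptions, since the page's notation was lost. The integers 2^31 − 1, 1009 and 561 and their factorizations are constructed inputs, and 200 consecutive bases stand in for the “reasonable” number of iterations.

```python
from fractions import Fraction
from math import gcd

def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for the sizes used here)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def has_order_n_minus_1(a, n, qs):
    """Fact 4.38: a^(n-1) = 1 and a^((n-1)/q) != 1 (mod n) for each prime q | n-1."""
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in qs)

def lucas_prove_prime(n, max_tries=200):
    """Note 4.39 with the full factorization of n - 1: try bases a = 2, 3, ... and
    return the first base of order n - 1 (a certificate that n is prime), or None,
    in which case n is probably composite and should go to Miller-Rabin."""
    qs = prime_factors(n - 1)
    for a in range(2, 2 + max_tries):
        if has_order_n_minus_1(a, n, qs):
            return a
    return None

def expected_tries(n):
    """Note 4.39: for prime n the expected number of bases tried is (n-1)/phi(n-1),
    which equals the product of q/(q-1) over the primes q dividing n-1."""
    ratio = Fraction(1)
    for q in prime_factors(n - 1):
        ratio *= Fraction(q, q - 1)
    return ratio

def pocklington_prove_prime(n, factored_part, max_tries=200):
    """Fact 4.40.  factored_part = {q: e} gives F = prod q^e with F | n-1; the cofactor
    R = (n-1)/F need not be factored.  A base a with a^(n-1) = 1 (mod n) and
    gcd(a^((n-1)/q) - 1, n) = 1 for every q forces every prime divisor of n to be
    1 mod F; with (F+1)^2 > n that leaves no room for a factorization, so n is prime.
    Returns the witnessing base a, or None."""
    F = 1
    for q, e in factored_part.items():
        F *= q ** e
    if (n - 1) % F != 0:
        raise ValueError("F must divide n - 1")
    if (F + 1) ** 2 <= n:
        return None                      # F too small: the theorem gives no conclusion
    for a in range(2, 2 + max_tries):
        if pow(a, n - 1, n) != 1:
            continue
        if all(gcd(pow(a, (n - 1) // q, n) - 1, n) == 1 for q in factored_part):
            return a
    return None

if __name__ == "__main__":
    n = 2**31 - 1                    # constructed input: a known prime
    print("Lucas witness for 2^31-1:", lucas_prove_prime(n),
          "expected tries:", expected_tries(n))
    # n - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331; use F = 2 * 3^2 * 7 * 11 * 331, R = 31 * 151
    print("Pocklington witness:", pocklington_prove_prime(n, {2: 1, 3: 2, 7: 1, 11: 1, 331: 1}))
    print("Carmichael number 561:", pocklington_prove_prime(561, {2: 4, 5: 1, 7: 1}))
```

For a composite n no base can pass either test (Fact 4.38 is an equivalence, and for 561 every coprime base a has a^280 ≡ 1 mod 3, so the gcd is never 1), which is why a None result after many tries is evidence of compositeness but the prime case is a proof.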
4.3.3 Jacobi sum test

The Jacobi sum test is another true primality test. The basic idea is to test a set of congruences which are analogues of Fermat’s theorem (Fact 2.127(i)) in certain cyclotomic rings. The running time of the Jacobi sum test for determining the primality of an integer is bit operations for some constant . This is “almost” a polynomial-time algorithm since the exponent acts like a constant for the range of values of interest. For example, if , then . The version of the Jacobi sum primality test used in practice is a randomized algorithm which terminates within steps with probability at least for every , and always gives a correct answer. One drawback of the algorithm is that it does not produce a “certificate” which would enable the answer to be verified in much shorter time than running the algorithm itself.

Footnote: Another approach is to run both algorithms in parallel (with an unlimited number of iterations), until one of them stops with a definite conclusion “prime” or “composite”. The number of iterations may be taken to be , where , and where .
The Jacobi sum test is, indeed, practical in the sense that the primality of numbers that are several hundred decimal digits long can be handled in just a few minutes on a computer. However, the test is not as easy to program as the probabilistic Miller-Rabin test (Algorithm 4.24), and the resulting code is not as compact. The details of the algorithm are complicated and are not given here; pointers to the literature are given in the chapter notes on page 166.

4.3.4 Tests using elliptic curves

Elliptic curve primality proving algorithms are based on an elliptic curve analogue of Pocklington’s theorem (Fact 4.40). The version of the algorithm used in practice is usually referred to as Atkin’s test or the Elliptic Curve Primality Proving algorithm (ECPP). Under heuristic arguments, the expected running time of this algorithm for proving the primality of an integer has been shown to be bit operations for any . Atkin’s test has the advantage over the Jacobi sum test (4.3.3) that it produces a short certificate of primality which can be used to efficiently verify the primality of the number. Atkin’s test has been used to prove the primality of numbers more than 1000 decimal digits long. The details of the algorithm are complicated and are not presented here; pointers to the literature are given in the chapter notes on page 166.

4.4 Prime number generation

This section considers algorithms for the generation of prime numbers for cryptographic purposes. Four algorithms are presented: Algorithm 4.44 for generating probable primes (see Definition 4.5), Algorithm 4.53 for generating strong primes (see Definition 4.52), Algorithm 4.56 for generating probable primes and suitable for use in the Digital Signature Algorithm (DSA), and Algorithm 4.62 for generating provable primes (see Definition 4.34).

4.43 Note (prime generation vs.
primality testing) Prime number generation differs from primality testing as described in 4.2 and 4.3, but may and typically does involve the latter. The former allows the construction of candidates of a fixed form which may lead to more efficient testing than is possible for random candidates.

4.4.1 Random search for probable primes

By the prime number theorem (Fact 2.95), the proportion of (positive) integers that are prime is approximately . Since half of all integers are even, the proportion of odd integers that are prime is approximately . For instance, the proportion of all odd integers that are prime is approximately . This suggests that a reasonable strategy for selecting a random -bit (probable) prime is to repeatedly pick random -bit odd integers until one is found that is declared to be “prime” by MILLER-RABIN( , ) (Algorithm 4.24) for an appropriate value of the security parameter (discussed below).

If a random -bit odd integer is divisible by a small prime, it is less computationally expensive to rule out the candidate by trial division than by using the Miller-Rabin test. Since the probability that a random integer has a small prime divisor is relatively large, before applying the Miller-Rabin test the candidate should be tested for small divisors below a pre-determined bound . This can be done by dividing by all the primes below , or by computing greatest common divisors of and (pre-computed) products of several of the primes .
The proportion of candidate odd integers not ruled out by this trial division is , which, by Mertens’s theorem, is approximately (here ranges over prime values). For example, if , then only 20% of candidate odd integers pass the trial division stage, i.e., 80% are discarded before the more costly Miller-Rabin test is performed.

4.44 Algorithm Random search for a prime using the Miller-Rabin test
RANDOM-SEARCH( , )
INPUT: an integer , and a security parameter (cf. Note 4.49).
OUTPUT: a random -bit probable prime.
1. Generate an odd -bit integer at random.
2. Use trial division to determine whether is divisible by any odd prime (see Note 4.45 for guidance on selecting ). If it is then go to step 1.
3. If MILLER-RABIN( , ) (Algorithm 4.24) outputs “prime” then return( ). Otherwise, go to step 1.

4.45 Note (optimal trial division bound ) Let denote the time for a full -bit modular exponentiation, and let denote the time required for ruling out one small prime as divisor of a -bit integer. (The values and depend on the particular implementation of long-integer arithmetic.) Then the trial division bound that minimizes the expected running time of Algorithm 4.44 for generating a -bit prime is roughly . A more accurate estimate of the optimum choice for can be obtained experimentally. The odd primes up to can be precomputed and stored in a table. If memory is scarce, a value of that is smaller than the optimum value may be used.

Since the Miller-Rabin test does not provide a mathematical proof that a number is indeed prime, the number returned by Algorithm 4.44 is a probable prime (Definition 4.5). It is important, therefore, to have an estimate of the probability that is in fact composite.

4.46 Definition The probability that RANDOM-SEARCH( , ) (Algorithm 4.44) returns a composite number is denoted by .

4.47 Note (remarks on estimating ) It is tempting to conclude directly from Fact 4.25 that .
This reasoning is flawed (although typically the conclusion will be correct in practice) since it does not take into account the distribution of the primes. (For example, if all candidates were chosen from a set of composite numbers, the probability of error is 1.) The following discussion elaborates on this point. Let represent the event that is composite, and let denote the event that MILLER-RABIN( , ) declares to be prime. Then Fact 4.25 states that . What is relevant, however, to the estimation of is the quantity . Suppose that candidates are drawn uniformly and randomly

(see ) since . Thus the probability may be considerably larger than if is small. However, the error probability of Miller-Rabin is usually far smaller than (see Remark 4.26). Using better estimates for and estimates on the number of -bit prime numbers, it has been shown that is, in fact, smaller than for all sufficiently large . A more concrete result is the following: if candidates are chosen at random from the set of odd numbers in the interval , then for all .

For example, if and , then Fact 4.48(ii) gives . In other words, the probability that RANDOM-SEARCH(512,6) returns a 512-bit composite integer is less than . Using more advanced techniques, the upper bounds on given by Fact 4.48 have been improved. These upper bounds arise from complicated formulae which are not given here. Table 4.3 lists some improved upper bounds on for some sample values of and . As an example, the probability that RANDOM-SEARCH(500,6) returns a composite number is . Notice that the values of implied by the table are considerably smaller than .
The estimates of presented in the remainder of this subsection were derived for the situation where Algorithm 4.44 does not use trial division by small primes to rule out some candidates . Since trial division never rules out a prime, it can only give a better chance of rejecting composites. Thus the error probability might actually be even smaller than the estimates given here.

Table 4.3: Upper bounds on for sample values of and . An entry corresponding to and implies .

4.48 Fact (some upper bounds on in Algorithm 4.44)
(i) for .
(ii) for ( , ) or ( , ).
(iii) for , .
(iv) for , .
Further refinements for various values of and
allow the following explicit upper bounds on .

from a set of odd numbers, and suppose is the probability that is prime (this depends on the candidate set ). Assume also that . Then by Bayes’ theorem (Fact 2.10): for

4.49 Note (controlling the error probability) In practice, one is usually willing to tolerate an error probability of when using Algorithm 4.44 to generate probable primes. For sample values of , Table 4.4 lists the smallest value of that can be derived from Fact 4.48 for which . For example, when generating 1000-bit probable primes, Miller-Rabin with repetitions suffices. Algorithm 4.44 rules out most candidates either by trial division (in step 2) or by performing just one iteration of the Miller-Rabin test (in step 3). For this reason, the only effect of selecting a larger security parameter on the running time of the algorithm will likely be to increase the time required in the final stage when the (probable) prime is chosen.

4.50 Remark (Miller-Rabin test with base ) The Miller-Rabin test involves exponentiating the base ; this may be performed using the repeated square-and-multiply algorithm (Algorithm 2.143). If , then multiplication by is a simple procedure relative to multiplying by in general. One optimization of Algorithm 4.44 is, therefore, to fix the base when first performing the Miller-Rabin test in step 3. Since most composite numbers will fail the Miller-Rabin test with base , this modification will lower the expected running time of Algorithm 4.44.
4.51 Note (incremental search)
(i) An alternative technique to generating candidates at random in step 1 of Algorithm 4.44 is to first select a random -bit odd number , and then test the numbers for primality. If all these candidates are found to be composite, the algorithm is said to have failed. If , where is a constant, the probability that this incremental search variant of Algorithm 4.44 returns a composite number has been shown to be less than for some constant . Table 4.5 gives some explicit bounds on this error probability for and . Under reasonable number-theoretic assumptions, the probability of the algorithm failing has been shown to be less than for large (here, ).
(ii) Incremental search has the advantage that fewer random bits are required. Furthermore, the trial division by small primes in step 2 of Algorithm 4.44 can be accomplished very efficiently as follows. First the values are computed for each odd prime . Each time is added to the current candidate, the values in the table are updated as . The candidate passes the trial division stage if and only if none of the values equal .
(iii) If is large, an alternative method for doing the trial division is to initialize a table for ; the entry corresponds to the candidate . For each odd prime , is computed. Let be the smallest index for
which . Then and each entry after it are set to . A candidate then passes the trial division stage if and only if . Note that the estimate for the optimal trial division bound given in Note 4.45 does not apply here (nor in (ii)) since the cost of division is amortized over all candidates.

Table 4.4: For sample , the smallest from Fact 4.48 is given for which .

4.4.2 Strong primes

The RSA cryptosystem (8.2) uses a modulus of the form , where and are distinct odd primes. The primes and must be of sufficient size that factorization of their product is beyond computational reach. Moreover, they should be random primes in the sense that they be chosen as a function of a random input through a process defining a pool of candidates of sufficient cardinality that an exhaustive attack is infeasible. In practice, the resulting primes must also be of a pre-determined bitlength, to meet system specifications.
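Before turning to strong primes, here is Algorithm 4.44 together with the incremental search of Note 4.51 in Python, as an added example rather than the Handbook's code. miller_rabin is Algorithm 4.24 with base 2 tried first (Remark 4.50), random_search is RANDOM-SEARCH(k, t) with a sieve for the trial-division stage, and incremental_search keeps the table of residues n mod p updated by 2 at each step as Note 4.51(ii) describes. The bound B = 2000, the search length s = c·k with c = 10, and the helper make_rng are my choices, not values taken from the page.

```python
import random

def make_rng(seed):
    """Seeded generator so runs are reproducible; use os.urandom-backed randomness in production."""
    return random.Random(seed)

def odd_primes_below(B):
    """Sieve of Eratosthenes: the odd primes < B used for trial division (step 2)."""
    sieve = bytearray([1]) * max(B, 2)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(B ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, B, i)))
    return [p for p in range(3, B, 2) if sieve[p]]

def miller_rabin(n, t, rng, first_base_two=True):
    """MILLER-RABIN(n, t) of Algorithm 4.24: True for 'prime', False for 'composite'.
    Following Remark 4.50 the first base is 2 (a cheap exponentiation that already
    rejects most composites); the remaining t-1 bases are random in [2, n-2]."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    r, s = n - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1            # n - 1 = 2^s * r with r odd
    for i in range(t):
        a = 2 if (i == 0 and first_base_two) else rng.randrange(2, n - 1)
        y = pow(a, r, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
            if y == 1:
                return False            # non-trivial square root of 1: composite
        else:
            return False                # never reached -1: composite
    return True

def random_search(k, t, rng, B=2000):
    """RANDOM-SEARCH(k, t) of Algorithm 4.44 (assumes k > 11, so n > B)."""
    small = odd_primes_below(B)
    while True:
        n = rng.getrandbits(k) | (1 << (k - 1)) | 1      # step 1: random odd k-bit n
        if any(n % p == 0 for p in small):                # step 2: trial division
            continue
        if miller_rabin(n, t, rng):                       # step 3
            return n

def incremental_search(k, t, rng, B=2000, c=10):
    """Note 4.51(i)-(ii): test n0, n0+2, ..., n0+2(s-1) with s = c*k, keeping a table
    of n mod p for each small prime p that is updated by +2 at every step instead of
    dividing again.  Returns None if the search fails (or runs past k bits)."""
    small = odd_primes_below(B)
    n = rng.getrandbits(k) | (1 << (k - 1)) | 1
    residues = [n % p for p in small]
    for _ in range(c * k):
        if n.bit_length() > k:
            return None
        if 0 not in residues and miller_rabin(n, t, rng):
            return n
        n += 2
        residues = [(r + 2) % p for r, p in zip(residues, small)]
    return None

if __name__ == "__main__":
    rng = make_rng(2024)
    print(random_search(256, 6, rng))
    print(incremental_search(256, 6, rng))
```

Note the asymmetry that Note 4.47 warns about: the error probability of the search is not simply that of one Miller-Rabin run, because the candidates that reach step 3 are no longer uniformly distributed; the base-2 round and the trial division only ever remove composites, so they can only lower it.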
The discovery of the RSA cryptosystem led to the consideration of several additional constraints on the choice of and which are necessary to ensure the resulting RSA system safe from cryptanalytic attack, and the notion of a strong prime (Definition 4.52) was defined. These attacks are described at length in Note 8.8(iii); as noted there, it is now believed that strong primes offer little protection beyond that offered by random primes, since randomly selected primes of the sizes typically used in RSA moduli today will satisfy the constraints with high probability. On the other hand, they are no less secure, and require only minimal additional running time to compute; thus, there is little real additional cost in using them.

4.52 Definition A prime number is said to be a strong prime if integers , , and exist such that the following three conditions are satisfied:
(i) has a large prime factor, denoted ;
(ii) has a large prime factor, denoted ; and
(iii) has a large prime factor, denoted .
In Definition 4.52, a precise qualification of “large” depends on specific attacks that should be guarded against; for further details, see Note 8.8(iii).

Table 4.5: Upper bounds on the error probability of incremental search (Note 4.51) for and sample values of and . An entry corresponding to and implies , where .

4.53 Algorithm Gordon’s algorithm for generating a strong prime
SUMMARY: a strong prime is generated.
1. Generate two large random primes and of roughly equal bitlength (see Note 4.54).
2. Select an integer .
Find the first prime in the sequence , for (see Note 4.54). Denote this prime by .
3. Compute .
4. Select an integer . Find the first prime in the sequence , for (see Note 4.54). Denote this prime by .
5. Return( ).

Justification. To see that the prime returned by Gordon’s algorithm is indeed a strong prime, observe first (assuming ) that ; this follows from Fermat’s theorem (Fact 2.127). Hence, and . Finally (cf. Definition 4.52),
(i) , and hence has the prime factor ;
(ii) , and hence has the prime factor ; and
(iii) , and hence has the prime factor .

4.54 Note (implementing Gordon’s algorithm)
(i) The primes and required in step 1 can be probable primes generated by Algorithm 4.44. The Miller-Rabin test (Algorithm 4.24) can be used to test each candidate for primality in steps 2 and 4, after ruling out candidates that are divisible by a small prime less than some bound . See Note 4.45 for guidance on selecting . Since the Miller-Rabin test is a probabilistic primality test, the output of this implementation of Gordon’s algorithm is a probable prime.
(ii) By carefully choosing the sizes of primes , and parameters , , one can control the exact bitlength of the resulting prime . Note that the bitlengths of and will be about half that of , while the bitlength of will be slightly less than that of .

4.55 Fact (running time of Gordon’s algorithm) If the Miller-Rabin test is the primality test used in steps 1, 2, and 4, the expected time Gordon’s algorithm takes to find a strong prime is only about 19% more than the expected time Algorithm 4.44 takes to find a random prime.
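Gordon's algorithm as an added Python example (not the Handbook's code), with the strong-prime conditions of Definition 4.52 checked on the result. Because the page's formulas did not survive, the standard forms are assumed: r is the first prime among 2·i·t + 1, p0 = 2(s^(r−2) mod r)·s − 1, and p is the first prime among p0 + 2·j·r·s; the candidates are tested with a compact Miller-Rabin restated here so that the block runs on its own, and make_rng is a helper of mine. The output comes out a few bits longer than k; Note 4.54(ii) explains how to hit an exact length, which this example does not attempt.

```python
import random

def make_rng(seed):
    return random.Random(seed)

def is_probable_prime(n, rounds, rng):
    """Compact Miller-Rabin (Algorithm 4.24) with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(k, rounds, rng):
    """Random k-bit probable prime, as Algorithm 4.44 produces (step 1 of Gordon)."""
    while True:
        n = rng.getrandbits(k) | (1 << (k - 1)) | 1
        if is_probable_prime(n, rounds, rng):
            return n

def first_prime_in_sequence(start, step, rounds, rng):
    """Smallest prime of the form start + i*step for i = 1, 2, ... (steps 2 and 4)."""
    i = 1
    while True:
        n = start + i * step
        if is_probable_prime(n, rounds, rng):
            return n, i
        i += 1

def gordon_strong_prime(k, rounds, rng):
    """Algorithm 4.53.  Returns (p, r, s, t): p prime with r | p-1, s | p+1, t | r-1."""
    s = random_prime(k // 2, rounds, rng)                       # step 1
    t = random_prime(k // 2, rounds, rng)
    r, _ = first_prime_in_sequence(1, 2 * t, rounds, rng)       # step 2: r = 2*i*t + 1
    # step 3: by Fermat s^(r-1) = 1 (mod r), so p0 = 1 (mod r); and p0 = -1 (mod s).
    p0 = 2 * pow(s, r - 2, r) * s - 1
    p, _ = first_prime_in_sequence(p0, 2 * r * s, rounds, rng)  # step 4: p = p0 + 2*j*r*s
    return p, r, s, t

def is_strong_prime(p, r, s, t):
    """Definition 4.52 checked with the witnesses r, s, t produced above."""
    return (p - 1) % r == 0 and (p + 1) % s == 0 and (r - 1) % t == 0

if __name__ == "__main__":
    p, r, s, t = gordon_strong_prime(512, 8, make_rng(1))
    print(p.bit_length(), r.bit_length(), s.bit_length(), is_strong_prime(p, r, s, t))
```

The congruences p ≡ 1 (mod r) and p ≡ −1 (mod s) are preserved by adding multiples of 2rs, so step 4 only has to find a prime in an arithmetic progression; r ≠ s is guaranteed because r exceeds 2t while s has the same bit length as t.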
4.4.3 NIST method for generating DSA primes

Some public-key schemes require primes satisfying various specific conditions. For example, the NIST Digital Signature Algorithm (DSA of 11.5.1) requires two primes and satisfying the following three conditions:
(i) ; that is, is a -bit prime;
(ii) for a specified , where for some ; and
(iii) divides .
This section presents an algorithm for generating such primes and . In the following, denotes the SHA-1 hash function (Algorithm 9.53) which maps bitstrings of bitlength to -bit hash-codes. Where required, an integer in the range whose binary representation is should be converted to the -bit sequence , and vice versa.

4.57 Note (choice of primality test in Algorithm 4.56)
(i) The FIPS 186 document where Algorithm 4.56 was originally described only specifies that a robust primality test be used in steps 2.4 and 4.4, i.e., a primality test where the probability of a composite integer being declared prime is at most . If the heuristic assumption is made that is a randomly chosen -bit integer then, by Table 4.4, MILLER-RABIN( , ) is a robust test for the primality of .
If is assumed to be a randomly chosen -bit integer, then by Table 4.4, MILLER-RABIN( , ) is a robust test for the primality of . Since the Miller-Rabin test is a probabilistic primality test, the output of Algorithm 4.56 is a probable prime.
(ii) To improve performance, candidate primes and should be subjected to trial division by all odd primes less than some bound before invoking the Miller-Rabin test. See Note 4.45 for guidance on selecting .

4.58 Note (“weak” primes cannot be intentionally constructed) Algorithm 4.56 has the feature that the random seed is not input to the prime number generation portion of the algorithm itself, but rather to an unpredictable and uncontrollable randomization process (steps 2.2 and 4.1), the output of which is used as the actual random seed. This precludes manipulation of the input seed to the prime number generation. If the seed and counter are made public, then anyone can verify that and were generated using the approved method. This feature prevents a central authority who generates and as system-wide parameters for use in the DSA from intentionally constructing “weak” primes and which it could subsequently exploit to recover other entities’ private keys.

Algorithm 4.56, steps 4.3 to 5 (continued):
4.3 Compute and set . (Note that .)
4.4 If then do the following: Test for primality using MILLER-RABIN( , ) for (see Note 4.57). If is a (probable) prime then return( , ).
4.5 Set , .
5. Go to step 2.
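Algorithm 4.56 and the verifiability property of Note 4.58, as an added Python example; this is neither the Handbook's nor NIST's code. It follows the step structure shown on the page; the details that did not survive extraction are taken from the published FIPS 186 method and should be read as assumptions here: a g = 160-bit seed, U = SHA-1(s) XOR SHA-1((s + 1) mod 2^g), q = U with its top and bottom bits set, at most 4096 counter values with the hash offset j advanced by n + 1 each time, W assembled from the n + 1 hash outputs (the last reduced mod 2^b), X = W + 2^(L−1), p = X − ((X mod 2q) − 1), and 18 and 5 Miller-Rabin rounds for q and p. verify_dsa_primes re-derives (p, q) from the published (seed, counter), which is the check Note 4.58 says anyone can perform; make_rng is a helper of mine.

```python
import hashlib
import random

def make_rng(seed):
    return random.Random(seed)

def sha1_int(x, g):
    """H(x) for an integer x < 2^g, encoded as the g-bit big-endian string the algorithm specifies."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(g // 8, "big")).digest(), "big")

def miller_rabin(n, rounds, rng):
    """Compact Miller-Rabin (Algorithm 4.24); restated so the block runs on its own."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_p(seed, g, L, q, counter):
    """Steps 4.1-4.3 for one counter value: a pure function of (seed, counter, q)."""
    n, b = divmod(L - 1, 160)                 # step 1: L - 1 = 160n + b
    j = 2 + counter * (n + 1)                 # step 4.5 advances j by n + 1 per counter
    V = [sha1_int((seed + j + k) % (1 << g), g) for k in range(n + 1)]     # 4.1
    W = sum(V[k] << (160 * k) for k in range(n)) + ((V[n] % (1 << b)) << (160 * n))
    X = W + (1 << (L - 1))                    # 4.2: X is an L-bit integer
    c = X % (2 * q)
    return X - (c - 1)                        # 4.3: p = 1 (mod 2q)

def generate_dsa_primes(l, rng, g=160):
    """Algorithm 4.56.  Returns (p, q, seed, counter); publish seed and counter."""
    assert 0 <= l <= 8
    L = 512 + 64 * l
    while True:                                                     # step 2
        seed = rng.getrandbits(g)                                   # 2.1
        U = sha1_int(seed, g) ^ sha1_int((seed + 1) % (1 << g), g)  # 2.2
        q = U | (1 << 159) | 1                                      # 2.3: 160-bit, odd
        if not miller_rabin(q, 18, rng):                            # 2.4
            continue
        for counter in range(4096):                                 # step 4
            p = derive_p(seed, g, L, q, counter)
            if p >= (1 << (L - 1)) and miller_rabin(p, 5, rng):     # 4.4
                return p, q, seed, counter
        # all 4096 counters failed: step 5, back to step 2 with a fresh seed

def verify_dsa_primes(p, q, seed, counter, l, g=160):
    """Note 4.58: re-derive p and q from (seed, counter) and confirm the approved
    procedure was followed, so a parameter authority cannot plant chosen primes."""
    L = 512 + 64 * l
    U = sha1_int(seed, g) ^ sha1_int((seed + 1) % (1 << g), g)
    if q != (U | (1 << 159) | 1) or p != derive_p(seed, g, L, q, counter):
        return False
    rng = make_rng(0)
    return (p - 1) % q == 0 and p.bit_length() == L and \
        miller_rabin(q, 18, rng) and miller_rabin(p, 5, rng)

if __name__ == "__main__":
    p, q, seed, counter = generate_dsa_primes(0, make_rng(42))
    print(p.bit_length(), q.bit_length(), counter, verify_dsa_primes(p, q, seed, counter, 0))
```

A verifier only needs the published seed and counter: recomputing q, W and X is deterministic, so any (p, q) that does not reproduce is rejected regardless of whether it is prime. A real deployment should draw the seed from a cryptographic source rather than the seeded generator used here for reproducibility.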
4.56 Algorithm NIST method for generating DSA primes
INPUT: an integer , .
OUTPUT: a -bit prime and an -bit prime , where and .
1. Compute . Using long division of by , find , such that , where .
2. Repeat the following:
2.1 Choose a random seed (not necessarily secret) of bitlength .
2.2 Compute .
2.3 Form from by setting to the most significant and least significant bits of . (Note that is a -bit odd integer.)
2.4 Test for primality using MILLER-RABIN( , ) for (see Note 4.57).
Until is found to be a (probable) prime.
3. Set , .
4. While do the following:
4.1 For from to do the following: set .
4.2 For the integer defined below, let . ( is an -bit integer.)

4.4.4 Constructive techniques for provable primes

Maurer’s algorithm (Algorithm 4.62) generates random provable primes that are almost uniformly distributed over the set of all primes of a specified size. The expected time for generating a prime is only slightly greater than that for generating a probable prime of equal size using Algorithm 4.44 with security parameter . (In practice, one may wish to choose in Algorithm 4.44; cf. Note 4.49.) The main idea behind Algorithm 4.62 is Fact 4.59, which is a slight modification of Pocklington’s theorem (Fact 4.40) and Fact 4.41.

4.59 Fact Let be an odd integer, and suppose that where is an odd prime. Suppose further that .
(i) If there exists an integer satisfying and , then is prime.
(ii) If is prime, the probability that a randomly selected base , , satisfies and is .

Algorithm 4.62 recursively generates an odd prime , and then chooses random integers , , until can be proven prime using Fact 4.59(i) for some base . By
Fact 4.59(ii) the proportion of such bases is for prime . On the other hand, if is composite, then most bases will fail to satisfy the condition .

4.60 Note (description of constants and in Algorithm 4.62)
(i) The optimal value of the constant defining the trial division bound in step 2 depends on the implementation of long-integer arithmetic, and is best determined experimentally (cf. Note 4.45).
(ii) The constant ensures that is at least bits long and hence the interval from which is selected, namely , is sufficiently large (for the values of of practical interest) that it most likely contains at least one value for which is prime.

4.61 Note (relative size of with respect to in Algorithm 4.62) The relative size of with respect to is defined to be . In order to assure that the generated prime is chosen randomly with essentially uniform distribution from the set of all -bit primes, the size of the prime factor of must be chosen according to the probability distribution of the largest prime factor of a randomly selected -bit integer. Since must be greater than in order for Fact 4.59 to apply, the relative size of is restricted to being in the interval . It can be deduced from Fact 3.7(i) that the cumulative probability distribution of the relative size of the largest prime factor of a large random integer, given that is at least , is for . In step 4 of Algorithm 4.62, the relative size is generated according to this distribution by selecting a random number and then setting . If then is chosen to be the smallest permissible value, namely , in order to ensure that the interval from which is selected is sufficiently large (cf. Note 4.60(ii)).
4.63 Note (improvements to Algorithm 4.62)
(i) A speedup can be achieved by using Fact 4.42 instead of Fact 4.59(i) for proving prime in step 8.2 of Maurer’s algorithm, since Fact 4.42 only requires that be greater than .
(ii) If a candidate passes the trial division (in step 8.2), then a Miller-Rabin test (Algorithm 4.24) with the single base should be performed on ; only if passes this test should the attempt to prove its primality (the remainder of step 8.2) be undertaken. This leads to a faster implementation due to the efficiency of the Miller-Rabin test with a single base (cf. Remark 4.50).
(iii) Step 4 requires the use of real number arithmetic when computing . To avoid these computations, one can precompute and store a list of such values for a selection of random numbers .

4.64 Note (provable primes vs. probable primes) Probable primes are advantageous over provable primes in that Algorithm 4.44 for generating probable primes with is slightly faster than Maurer’s algorithm. Moreover, the latter requires more run-time memory due
`x •D” I  €y ‚E¥R I Rx †} w`v u “ BET 5{t Rx †…} I ’‘ U I p ` pp yR x ‚{†6I p r ur e 2|  €yR W ‚E¥fxi I w`v BE uT bR q $srH ˆ Iv ` „ ~dŽ€ EŒ‰Š …‹ W ƒ y wR „ Iv Bd~ uR ˆ` p oHg fq3£ni lki“ f jh ” m 3ƒ ’Y T W aXxi bR P $‘QH IU I t `XW I …ƒ ‚ ‡h} W {‰ˆdBdE€ I I hHg V W 3%4fe I …ƒ ‚ €} W {„e‚x3dE€ } I ` p p yR W 5z{XzI I I T Sx T XW o p u €t wˆvR $s¥R sr W ƒ m [email protected]%p — W b qˆHi „ X‰‡†…H p `x †…Š H TR W £dcb H `x †e€ H i wrRv £E$` `TW aYXV I TR P £SQH I H H ƒ G 4.4 Prime number generation 153 4.62 Algorithm Maurer’s algorithm for generating provable primes PROVABLE PRIME( ) INPUT: a positive integer . OUTPUT: a -bit prime number . 1. (If is small, then test random integers by trial division. A table of small primes may be precomputed for this purpose.) If then repeatedly do the following: 1.1 Select a random -bit odd integer . 1.2 Use trial division by all primes less than to determine whether is prime. 1.3 If is prime then return( ). 2. Set and (see Note 4.60). 3. (Trial division bound ) Set (see Note 4.60). 4. (Generate , the size of relative to — see Note 4.61) If then repeatedly do the following: select a random number in the interval , set , until . Otherwise (i.e. ), set . 5. Compute . 6. Set . 7. success . ) do the following: 8. While (success 8.1 (select a candidate integer ) Select a random integer in the interval and set . 8.2 Use trial division to determine whether is divisible by any prime number . If it is not then do the following: Select a random integer in the interval . Compute . If then do the following: Compute and . If then success . 9. Return( ). 154 Ch. 4 Public-Key Parameters to its recursive nature. Provable primes are preferable to probable primes in the sense that the former have zero error probability. In any cryptographic application, however, there is always a non-zero error probability of some catastrophic failure, such as the adversary guessing a secret key or hardware failure. 
Since the error probability of probable primes can be efficiently brought down to acceptably low levels (see Note 4.49 but note the dependence on ), there appears to be no reason for mandating the use of provable primes over probable primes.

4.5 Irreducible polynomials over

Recall (Definition 2.190) that a polynomial of degree is said to be irreducible over if it cannot be written as a product of two polynomials in each having degree less than . Such a polynomial can be used to represent the elements of the finite field as , the set of all polynomials in of degree less than where the addition and multiplication of polynomials is performed modulo (see §2.6.3). This section presents techniques for constructing irreducible polynomials over , where is a prime. The characteristic two finite fields are of particular interest for cryptographic applications because the arithmetic in these fields can be efficiently performed both in software and in hardware. For this reason, additional attention is given to the special case of irreducible polynomials over . The arithmetic in finite fields can usually be implemented more efficiently if the irreducible polynomial chosen has few non-zero terms. Irreducible trinomials, i.e., irreducible polynomials having exactly three non-zero terms, are considered in §4.5.2. Primitive polynomials, i.e., irreducible polynomials of degree in for which is a generator of , the multiplicative group of the finite field (Definition 2.228), are the topic of §4.5.3. Primitive polynomials are also used in the generation of linear feedback shift register sequences having the maximum possible period (Fact 6.12).

4.5.1 Irreducible polynomials

If is irreducible over and is a non-zero element in , then is also irreducible over .
Hence it suffices to restrict attention to monic polynomials in , i.e., polynomials whose leading coefficient is 1. Observe also that if is an irreducible polynomial, then its constant term must be non-zero. In particular, if , then its constant term must be 1.

There is a formula for computing exactly the number of monic irreducible polynomials in of a fixed degree. The Möbius function, which is defined next, is used in this formula.

4.65 Definition Let be a positive integer. The Möbius function is defined by
   if ,
   if is divisible by the square of a prime,
   if is the product of distinct primes.

4.66 Example (Möbius function) The following table gives the values of the Möbius function for the first 10 values of :

4.67 Fact (number of monic irreducible polynomials) Let be a prime and a positive integer.
(i) The number of monic irreducible polynomials of degree in is given by the following formula: , where the summation ranges over all positive divisors of .
(ii) The probability of a random monic polynomial of degree in being irreducible over is roughly . More specifically, the number satisfies .

Testing irreducibility of polynomials in is significantly simpler than testing primality of integers. A polynomial can be tested for irreducibility by verifying that it has no irreducible factors of degree . The following result leads to an efficient method (Algorithm 4.69) for accomplishing this.

4.68 Fact Let be a prime and let be a positive integer.
(i) The product of all monic irreducible polynomials in of degree dividing is equal to .
(ii) Let be a polynomial of degree in . Then is irreducible over if and only if for each , .

4.69 Algorithm Testing a polynomial for irreducibility
INPUT: a prime and a monic polynomial of degree in .
OUTPUT: an answer to the question: "Is irreducible over ?"
1. Set .
2. For from 1 to do the following:
   2.1 Compute using Algorithm 2.227. (Note that is a polynomial in of degree less than .)
   2.2 Compute (using Algorithm 2.218).
   2.3 If then return("reducible").
3. Return("irreducible").

Fact 4.67 suggests that one method for finding an irreducible polynomial of degree in is to generate a random monic polynomial of degree in , test it for irreducibility, and continue until an irreducible one is found (Algorithm 4.70). The expected number of polynomials to be tried before an irreducible one is found is approximately .

It is known that the expected degree of the irreducible factor of least degree of a random polynomial of degree in is . Hence for each choice of , the expected number of times steps 2.1 – 2.3 of Algorithm 4.69 are iterated is . Each iteration takes -operations. These observations, together with Fact 4.67(ii), determine the running time for Algorithm 4.70. Given one irreducible polynomial of degree over , Note 4.74 describes a method, which is more efficient than Algorithm 4.70, for randomly generating additional such polynomials.
4.70 Algorithm Generating a random monic irreducible polynomial over
INPUT: a prime and a positive integer .
OUTPUT: a monic irreducible polynomial of degree in .
1. Repeat the following:
   1.1 (Generate a random monic polynomial of degree in ) Randomly select integers between and . Let be the polynomial .
   1.2 Use Algorithm 4.69 to test whether is irreducible over .
   Until is irreducible.
2. Return( ).

4.71 Fact Algorithm 4.70 has an expected running time of -operations.

4.72 Definition Let be a finite field of characteristic , and let . A minimum polynomial of over is a monic polynomial of least degree in having as a root.

4.73 Fact Let be a finite field of order , and let .
(i) The minimum polynomial of over , denoted , is unique.
(ii) is irreducible over .
(iii) The degree of is a divisor of .
(iv) Let be the smallest positive integer such that . (Note that such a exists since, by Fact 2.213, .) Then . (4.1)

4.74 Note (generating new irreducible polynomials from a given one) Suppose that is a given irreducible polynomial of degree over . The finite field can then be represented as . A random monic irreducible polynomial of degree over can be efficiently generated as follows. First generate a random element and then, by repeated exponentiation by , determine the smallest positive integer for which . If , then generate a new random element and repeat; the probability that is known to be at most . If indeed , then compute using the formula (4.1). Then is a random monic irreducible polynomial of degree in . This method has an expected running time of -operations (compare with Fact 4.71).

4.5.2 Irreducible trinomials

If a polynomial in has an even number of non-zero terms, then , whence is a factor of . Hence, the smallest number of non-zero terms an irreducible polynomial of degree in can have is three. An irreducible trinomial of degree in must be of the form , where . Choosing an irreducible trinomial of degree to represent the elements of the finite field can lead to a faster implementation of the field arithmetic. The following facts are sometimes of use when searching for irreducible trinomials.

4.75 Fact Let be a positive integer, and let denote an integer in the interval .
(i) If the trinomial is irreducible over then so is .
(ii) If , there is no irreducible trinomial of degree in .
(iii) Suppose that either or . Then a necessary condition for to be irreducible over is that either or must be of the form for some positive divisor of .

Tables 4.6 and 4.7 list an irreducible trinomial of degree over for each , , for which such a trinomial exists.

4.5.3 Primitive polynomials

Primitive polynomials were introduced at the beginning of §4.5. Let be an irreducible polynomial of degree . If the factorization of the integer is known, then Fact 4.76 yields an efficient algorithm (Algorithm 4.77) for testing whether or not is a primitive polynomial. If the factorization of is unknown, there is no efficient algorithm known for performing this test.

4.76 Fact Let be a prime and let the distinct prime factors of be . Then an irreducible polynomial is primitive if and only if for each , : . (That is, is an element of order in the field .)

4.77 Algorithm Testing whether an irreducible polynomial is primitive
INPUT: a prime , a positive integer , the distinct prime factors of , and a monic irreducible polynomial of degree in .
OUTPUT: an answer to the question: "Is a primitive polynomial?"
1. For from 1 to do the following:
   1.1 Compute (using Algorithm 2.227).
   1.2 If then return("not primitive").
2. Return("primitive").

There are precisely monic primitive polynomials of degree in (Fact 2.230), where is the Euler phi function (Definition 2.100). Since the number of monic irreducible polynomials of degree in is roughly (Fact 4.67(ii)), it follows that the probability of a random monic irreducible polynomial of degree in
being primitive is approximately . Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least . This suggests the following algorithm for generating primitive polynomials.

4.78 Algorithm Generating a random monic primitive polynomial over
INPUT: a prime , integer , and the distinct prime factors of .
OUTPUT: a monic primitive polynomial of degree in .
1. Repeat the following:
   1.1 Use Algorithm 4.70 to generate a random monic irreducible polynomial of degree in .
   1.2 Use Algorithm 4.77 to test whether is primitive.
   Until is primitive.
2. Return( ).

For each , , Table 4.8 lists a polynomial of degree that is primitive over . If there exists a primitive trinomial , then the trinomial with the smallest is listed. If no primitive trinomial exists, then a primitive pentanomial of the form is listed. If is prime, then Fact 4.76 implies that every irreducible polynomial of degree in is also primitive. Table 4.9 gives either a primitive trinomial or a primitive pentanomial of degree over where is an exponent of one of the first 27 Mersenne primes (Definition 4.35).

Table 4.6 (entries read degree:exponent):
2:1 3:1 4:1 5:2 6:1 7:1 9:1 10:3 11:2 12:3
14:5 15:1 17:3 18:3 20:3 21:2 22:1 23:5 25:3 28:1
29:2 30:1 31:3 33:10 34:7 35:2 36:9 39:4 41:3 42:7
44:5 46:1 47:5 49:9 52:3 54:9 55:7 57:4 58:19 60:1
62:29 63:1 65:18 66:3 68:9 71:6 73:25 74:35 76:21 79:9
81:4 84:5 86:21 87:13 89:38 90:27 92:21 93:2 94:21 95:11
97:6 98:11 100:15 102:29 103:9 105:4 106:15 108:17 110:33 111:10
113:9 118:33 119:8 121:18 123:2 124:19 126:21 127:1 129:5 130:3
132:17 134:57 135:11 137:21 140:15 142:21 145:52 146:71 147:14 148:27
150:53 151:3 153:1 154:15 155:62 156:9 159:31 161:18 162:27 166:37
167:6 169:34 170:11 172:1 174:13 175:6 177:8 178:31 180:3 182:81
183:56 185:24 186:11 191:9 193:15 194:87 196:3 198:9 199:34 201:14
202:55 204:27 207:43 209:6 210:7 212:105 214:73 215:23 217:45 218:11
220:7 223:33 225:32 228:113 231:26 233:74 234:31 236:5 238:73 239:36
241:70 242:95 244:111 247:82 249:35 250:103 252:15 253:46 255:52 257:12
258:71 260:15 263:93 265:42 266:47 268:25 270:53 271:58 273:23 274:67
276:63 278:5 279:5 281:93 282:35 284:53 286:69 287:71 289:21 292:37
294:33 295:48 297:5 300:5 302:41 303:1 305:102 308:15 310:93 313:79
314:15 316:63 318:45 319:36 321:31 322:67 324:51 327:34 329:50 330:99
332:89 333:2 337:55 340:45 342:125 343:75 345:22 346:63 348:103 350:53
351:34 353:69 354:99 358:57 359:68 362:63 364:9 366:29 367:21 369:91
370:139 372:111 375:16 377:41 378:43 380:47 382:81 383:90 385:6 386:83
388:159 390:9 391:28 393:7 394:135 396:25 399:26 401:152 402:171 404:65
406:141 407:71 409:87 412:147 414:13 415:102 417:107 418:199 420:7 422:149
423:25 425:12 426:63 428:105 431:120 433:33 436:165 438:65 439:49 441:7
444:81 446:105 447:73 449:134 450:47 455:38 457:16 458:203 460:19 462:73
463:93 465:31 468:27 470:9 471:1 473:200 474:191 476:9 478:121 479:104
481:138 484:105 486:81 487:94 489:83 490:219 492:7 494:17 495:76 497:78
498:155 500:27 503:3 505:156 506:23 508:9 510:69 511:10 513:26 514:67
516:21 518:33 519:79 521:32 522:39 524:167 526:97 527:47 529:42 532:1
534:161 537:94 538:195 540:9 543:16 545:122 550:193 551:135 553:39 556:153
558:73 559:34 561:71 564:163 566:153 567:28 569:77 570:67 574:13 575:146
577:25 580:237 582:85 583:130 585:88 588:35 590:93 593:86 594:19 596:273
599:30 601:201 602:215 604:105 606:165 607:105 609:31 610:127 612:81 614:45
615:211 617:200 618:295 620:9 622:297 623:68 625:133 626:251 628:223 631:307
633:101 634:39 636:217 639:16 641:11 642:119 646:249 647:5 649:37 650:3
651:14 652:93 654:33 655:88 657:38 658:55 660:11 662:21 663:107 665:33
668:147 670:153 671:15 673:28 676:31 679:66 682:171 684:209 686:197 687:13
689:14 690:79 692:299 694:169 695:177 697:267 698:215 700:75 702:37 705:17
708:15 711:92 713:41 714:23 716:183 718:165 719:150 721:9 722:231
Table 4.6: Irreducible trinomials over . For each , , for which an irreducible trinomial of degree in exists, the table lists the smallest for which is irreducible over .

Table 4.7 (entries read degree:exponent):
724:207 726:5 727:180 729:58 730:147 732:343 735:44 737:5 738:347 740:135
742:85 743:90 745:258 746:351 748:19 750:309 751:18 753:158 754:19 756:45
758:233 759:98 761:3 762:83 767:168 769:120 772:7 774:185 775:93 777:29
778:375 780:13 782:329 783:68 785:92 791:30 793:253 794:143 798:53 799:25
801:217 804:75 806:21 807:7 809:15 810:159 812:29 814:21 815:333 817:52
818:119 820:123 822:17 823:9 825:38 826:255 828:189 831:49 833:149 834:15
838:61 839:54 841:144 842:47 844:105 845:2 846:105 847:136 849:253 850:111
852:159 855:29 857:119 858:207 860:35 861:14 862:349 865:1 866:75 868:145
870:301 871:378 873:352 876:149 879:11 881:78 882:99 884:173 887:147 889:127
890:183 892:31 894:173 895:12 897:113 898:207 900:1 902:21 903:35 905:117
906:123 908:143 911:204 913:91 916:183 918:77 919:36 921:221 924:31 926:365
927:403 930:31 932:177 935:417 937:217 938:207 942:45 943:24 945:77 948:189
951:260 953:168 954:131 956:305 959:143 961:18 964:103 966:201 967:36 969:31
972:7 975:19 977:15 979:178 982:177 983:230 985:222 986:3 988:121 990:161
991:39 993:62 994:223 996:65 998:101 999:59 1001:17 1007:75 1009:55 1010:99
1012:115 1014:385 1015:186 1020:135 1022:317 1023:7 1025:294 1026:35 1028:119 1029:98
1030:93 1031:68 1033:108 1034:75 1036:411 1039:21 1041:412 1042:439 1044:41 1047:10
1049:141 1050:159 1052:291 1054:105 1055:24 1057:198 1058:27 1060:439 1062:49 1063:168
1065:463 1071:7 1078:361 1079:230 1081:24 1082:407 1084:189 1085:62 1086:189 1087:112
1089:91 1090:79 1092:23 1094:57 1095:139 1097:14 1098:83 1100:35 1102:117 1103:65
1105:21 1106:195 1108:327 1110:417 1111:13 1113:107 1116:59 1119:283 1121:62 1122:427
1126:105 1127:27 1129:103 1130:551 1134:129 1135:9 1137:277 1138:31 1140:141 1142:357
1145:227 1146:131 1148:23 1151:90 1153:241 1154:75 1156:307 1158:245 1159:66 1161:365
1164:19 1166:189 1167:133 1169:114 1170:27 1174:133 1175:476 1177:16 1178:375 1180:25
1182:77 1183:87 1185:134 1186:171 1188:75 1190:233 1191:196 1193:173 1196:281 1198:405
1199:114 1201:171 1202:287 1204:43 1206:513 1207:273 1209:118 1210:243 1212:203 1214:257
1215:302 1217:393 1218:91 1220:413 1223:255 1225:234 1226:167 1228:27 1230:433 1231:105
1233:151 1234:427 1236:49 1238:153 1239:4 1241:54 1242:203 1246:25 1247:14 1249:187
1252:97 1255:589 1257:289 1260:21 1263:77 1265:119 1266:7 1268:345 1270:333 1271:17
1273:168 1276:217 1278:189 1279:216 1281:229 1282:231 1284:223 1286:153 1287:470 1289:99
1294:201 1295:38 1297:198 1298:399 1300:75 1302:77 1305:326 1306:39 1308:495 1310:333
1311:476 1313:164 1314:19 1319:129 1321:52 1324:337 1326:397 1327:277 1329:73 1332:95
1334:617 1335:392 1337:75 1338:315 1340:125 1343:348 1345:553 1348:553 1350:237 1351:39
1353:371 1354:255 1356:131 1358:117 1359:98 1361:56 1362:655 1364:239 1366:1 1367:134
1369:88 1372:181 1374:609 1375:52 1377:100 1380:183 1383:130 1385:12 1386:219 1388:11
1390:129 1391:3 1393:300 1396:97 1398:601 1399:55 1401:92 1402:127 1404:81 1407:47
1409:194 1410:383 1412:125 1414:429 1415:282 1417:342 1420:33 1422:49 1423:15 1425:28
1426:103 1428:27 1430:33 1431:17 1433:387 1434:363 1436:83 1438:357 1441:322 1442:395
1444:595 1446:421 1447:195 1449:13 1452:315 1454:297 1455:52 1457:314 1458:243 1460:185
1463:575 1465:39 1466:311 1468:181 1470:49 1471:25 1473:77 1476:21 1478:69
Table 4.7: Irreducible trinomials over . For each , , for which an irreducible trinomial of degree in exists, the table gives the smallest for which is irreducible over .

4.6 Generators and elements of high order

Recall (Definition 2.169) that if is a (multiplicative) finite group, the order of an element is the least positive integer such that . If there are elements in , and if is an element of order , then is said to be cyclic and is called a generator or a primitive element of (Definition 2.167). Of special interest for cryptographic applications are the multiplicative group of the integers modulo a prime , and the multiplicative group of the finite field of characteristic two; these groups are cyclic (Fact 2.213). Also of interest is the group (Definition 2.124), where is the product of two distinct odd primes. This section deals with the problem of finding generators and other elements of high order in , , and . See §2.5.1 for background in group theory and §2.6 for background in finite fields.

Algorithm 4.79 is an efficient method for determining the order of a group element, given the prime factorization of the group order . The correctness of the algorithm follows from the fact that the order of an element must divide (Fact 2.171).
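The tests of §4.5 in working form, as an added example that is not code from the Handbook: Algorithm 4.69 and Algorithm 4.70 for p = 2, Algorithm 4.77 and Algorithm 4.78, and the counting formula of Fact 4.67(i) built on the Möbius function of Definition 4.65. Polynomials over Z_2 are encoded as Python ints with bit i holding the coefficient of x^i (an encoding chosen for this example). It is checked against entries of Tables 4.6 to 4.9 and against the AES field polynomial x^8 + x^4 + x^3 + x + 1, which is irreducible but not primitive, exactly the distinction §4.5.3 draws.

```python
import random

X = 0b10   # the polynomial x; bit i of an int is the coefficient of x^i


def gf2_mod(a, f):
    """Remainder of a modulo f in Z_2[x] (polynomials encoded as Python ints)."""
    df = f.bit_length() - 1
    while a and a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a


def gf2_mulmod(a, b, f):
    """a * b mod f over Z_2: shift-and-add with reduction after every shift."""
    df = f.bit_length() - 1
    a, b, r = gf2_mod(a, f), gf2_mod(b, f), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> df) & 1:
            a ^= f
    return r


def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def gf2_powmod(base, e, f):
    """base^e mod f by square-and-multiply; e may be a multi-hundred-bit integer."""
    result, base = 1, gf2_mod(base, f)
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, f)
        base = gf2_mulmod(base, base, f)
        e >>= 1
    return result


def is_irreducible(f):
    """Algorithm 4.69 with p = 2: a degree-m polynomial f is irreducible iff
    gcd(f, x^(2^i) - x) = 1 for i = 1, ..., floor(m/2)   (Fact 4.68(ii))."""
    m = f.bit_length() - 1
    u = X
    for _ in range(m // 2):
        u = gf2_mulmod(u, u, f)            # u <- u^2 mod f, so u = x^(2^i) mod f
        if gf2_gcd(f, u ^ X) != 1:         # subtraction is XOR in Z_2[x]
            return False
    return m >= 1


def is_primitive(f, prime_factors):
    """Algorithm 4.77: irreducible f of degree m is primitive iff
    x^((2^m - 1)/r) != 1 (mod f) for every prime r dividing 2^m - 1 (Fact 4.76)."""
    order = (1 << (f.bit_length() - 1)) - 1
    return all(gf2_powmod(X, order // r, f) != 1 for r in prime_factors)


def random_irreducible(m, rng):
    """Algorithm 4.70 over Z_2. The constant term is forced to 1, since an
    irreducible polynomial must have a non-zero constant term (4.5.1)."""
    while True:
        f = (1 << m) | (rng.getrandbits(m - 1) << 1) | 1
        if is_irreducible(f):
            return f


def random_primitive(m, prime_factors, rng):
    """Algorithm 4.78: Algorithm 4.70 until Algorithm 4.77 accepts."""
    while True:
        f = random_irreducible(m, rng)
        if is_primitive(f, prime_factors):
            return f


def mobius(n):
    """Mobius function (Definition 4.65) via trial-division factoring."""
    k, d = 0, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0                   # divisible by the square of a prime
            k += 1
        d += 1
    if n > 1:
        k += 1
    return (-1) ** k


def num_monic_irreducible(p, m):
    """Fact 4.67(i): N_p(m) = (1/m) * sum over d | m of mu(d) * p^(m/d)."""
    return sum(mobius(d) * p ** (m // d) for d in range(1, m + 1) if m % d == 0) // m
```

For degree 127 the factor list passed to is_primitive is just [2^127 − 1], so the primitivity test reduces to one exponentiation; this is the Mersenne-prime case of Table 4.9 where every irreducible polynomial is primitive. The AES polynomial passes is_irreducible but fails is_primitive because x has order 51 there, which is why AES's field uses a different generator than x.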
Table 4.8 (entries read degree:exponent for a primitive trinomial, or degree:exponent,exponent,exponent for a primitive pentanomial):
2:1 | 3:1 | 4:1 | 5:2 | 6:1 | 7:1
8:6,5,1 | 9:4 | 10:3 | 11:2 | 12:7,4,3 | 13:4,3,1
14:12,11,1 | 15:1 | 16:5,3,2 | 17:3 | 18:7 | 19:6,5,1
20:3 | 21:2 | 22:1 | 23:5 | 24:4,3,1 | 25:3
26:8,7,1 | 27:8,7,1 | 28:3 | 29:2 | 30:16,15,1 | 31:3
32:28,27,1 | 33:13 | 34:15,14,1 | 35:2 | 36:11 | 37:12,10,2
38:6,5,1 | 39:4 | 40:21,19,2 | 41:3 | 42:23,22,1 | 43:6,5,1
44:27,26,1 | 45:4,3,1 | 46:21,20,1 | 47:5 | 48:28,27,1 | 49:9
50:27,26,1 | 51:16,15,1 | 52:3 | 53:16,15,1 | 54:37,36,1 | 55:24
56:22,21,1 | 57:7 | 58:19 | 59:22,21,1 | 60:1 | 61:16,15,1
62:57,56,1 | 63:1 | 64:4,3,1 | 65:18 | 66:10,9,1 | 67:10,9,1
68:9 | 69:29,27,2 | 70:16,15,1 | 71:6 | 72:53,47,6 | 73:25
74:16,15,1 | 75:11,10,1 | 76:36,35,1 | 77:31,30,1 | 78:20,19,1 | 79:9
80:38,37,1 | 81:4 | 82:38,35,3 | 83:46,45,1 | 84:13 | 85:28,27,1
86:13,12,1 | 87:13 | 88:72,71,1 | 89:38 | 90:19,18,1 | 91:84,83,1
92:13,12,1 | 93:2 | 94:21 | 95:11 | 96:49,47,2 | 97:6
98:11 | 99:47,45,2 | 100:37 | 101:7,6,1 | 102:77,76,1 | 103:9
104:11,10,1 | 105:16 | 106:15 | 107:65,63,2 | 108:31 | 109:7,6,1
110:13,12,1 | 111:10 | 112:45,43,2 | 113:9 | 114:82,81,1 | 115:15,14,1
116:71,70,1 | 117:20,18,2 | 118:33 | 119:8 | 120:118,111,7 | 121:18
122:60,59,1 | 123:2 | 124:37 | 125:108,107,1 | 126:37,36,1 | 127:1
128:29,27,2 | 129:5 | 130:3 | 131:48,47,1 | 132:29 | 133:52,51,1
134:57 | 135:11 | 136:126,125,1 | 137:21 | 138:8,7,1 | 139:8,5,3
140:29 | 141:32,31,1 | 142:21 | 143:21,20,1 | 144:70,69,1 | 145:52
146:60,59,1 | 147:38,37,1 | 148:27 | 149:110,109,1 | 150:53 | 151:3
152:66,65,1 | 153:1 | 154:129,127,2 | 155:32,31,1 | 156:116,115,1 | 157:27,26,1
158:27,26,1 | 159:31 | 160:19,18,1 | 161:18 | 162:88,87,1 | 163:60,59,1
164:14,13,1 | 165:31,30,1 | 166:39,38,1 | 167:6 | 168:17,15,2 | 169:34
170:23 | 171:19,18,1 | 172:7 | 173:100,99,1 | 174:13 | 175:6
176:119,118,1 | 177:8 | 178:87 | 179:34,33,1 | 180:37,36,1 | 181:7,6,1
182:128,127,1 | 183:56 | 184:102,101,1 | 185:24 | 186:23,22,1 | 187:58,57,1
188:74,73,1 | 189:127,126,1 | 190:18,17,1 | 191:9 | 192:28,27,1 | 193:15
194:87 | 195:10,9,1 | 196:66,65,1 | 197:62,61,1 | 198:65 | 199:34
200:42,41,1 | 201:14 | 202:55 | 203:8,7,1 | 204:74,73,1 | 205:30,29,1
206:29,28,1 | 207:43 | 208:62,59,3 | 209:6 | 210:35,32,3 | 211:46,45,1
212:105 | 213:8,7,1 | 214:49,48,1 | 215:23 | 216:196,195,1 | 217:45
218:11 | 219:19,18,1 | 220:15,14,1 | 221:35,34,1 | 222:92,91,1 | 223:33
224:31,30,1 | 225:32 | 226:58,57,1 | 227:46,45,1 | 228:148,147,1 | 229:64,63,1
Table 4.8: Primitive polynomials over . For each , , an exponent is given for which the trinomial is primitive over . If no such trinomial exists, a triple of exponents is given for which the pentanomial is primitive over .

Table 4.9 (index | exponent of the Mersenne prime | exponents of all irreducible trinomials of that degree, or "none" followed by a pentanomial triple):
1 | 2 | 1
2 | 3 | 1
3 | 5 | 2
4 | 7 | 1, 3
5 | 13 | none (4,3,1)
6 | 17 | 3, 5, 6
7 | 19 | none (5,2,1)
8 | 31 | 3, 6, 7, 13
9 | 61 | none (43,26,14)
10 | 89 | 38
11 | 107 | none (82,57,31)
12 | 127 | 1, 7, 15, 30, 63
13 | 521 | 32, 48, 158, 168
14 | 607 | 105, 147, 273
15 | 1279 | 216, 418
16 | 2203 | none (1656,1197,585)
17 | 2281 | 715, 915, 1029
18 | 3217 | 67, 576
19 | 4253 | none (3297,2254,1093)
20 | 4423 | 271, 369, 370, 649, 1393, 1419, 2098
21 | 9689 | 84, 471, 1836, 2444, 4187
22 | 9941 | none (7449,4964,2475)
23 | 11213 | none (8218,6181,2304)
24 | 19937 | 881, 7083, 9842
25 | 21701 | none (15986,11393,5073)
26 | 23209 | 1530, 6619, 9739
27 | 44497 | 8575, 21034
Table 4.9: Primitive polynomials of degree over , a Mersenne prime. For each exponent of the first 27 Mersenne primes, the table lists all values of , , for which the trinomial is irreducible over .
If no such trinomial exists, a triple of exponents is listed such that the pentanomial is irreducible over . 4.79 Algorithm Determining the order of a group element INPUT: a (multiplicative) finite group of order , an element , and the prime factorization . OUTPUT: the order of . 1. Set . 2. For from 1 to do the following: 2.1 Set . 2.2 Compute . 2.3 While do the following: compute and set . 3. Return( ). Suppose now that is a cyclic group of order . Then for any divisor of the number of elements of order in is exactly (Fact 2.173(ii)), where is the Euler phi function (Definition 2.100). In particular, has exactly generators, and hence the probability of a random element in being a generator is . Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least . This c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter. Œ g “’ “’ ‘ Š | Ž—–•”Žf'… g ˆ ‰ g5|$Ž‹‰ Œ gŠ Œ gŠ Ž‹‰ g ŒˆŠ V$‹‰ f f f f ˆ ˜ wx  m r ”Fw fi kjh ‡h ~ p ‚€x p h g f … ƒl †„p h ‚h€x p h ~( m | w x o}5tyFw { h w u r r r d oq o m l tvo m tFs"m ™ p "n—g w z gx yFw v y € “ ”p ‘ q ‘ ’„ „ – `˜ • – $˜ • – 5˜ • –  • e d ™ y q „‚ …ƒF€ v xwquvqut qr 5¡25¡5fVsSq y v p p „ – U• — • – ˜ i xwquvqut q 5¡2(¡2`Vsr ˆ† A‰‡p 4.81 Note (group elements of high order) In some situations it may be desirable to have an element of high order, and not a generator. Given a generator in a cyclic group of order , and given a divisor of , an element of order in can be efficiently obtained as follows: . If is a prime divisor of the order of a cyclic group , then the following method finds an element of order without first having to find a generator of : select a random element and compute ; repeat until . ¾ ½¢ S¼ ) There are two basic approaches to finding a generator of 4.82 Note (generators of Both techniques require the factorization of the order of , namely . 
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

4.6 Generators and elements of high order 163

suggests the following efficient randomized algorithm for finding a generator of a cyclic group.

4.80 Algorithm Finding a generator of a cyclic group
INPUT: a cyclic group of order , and the prime factorization .
OUTPUT: a generator of .
1. Choose a random element in .
2. For from 1 to do the following:
2.1 Compute .
2.2 If then go to step 1.
3. Return( ).

(i) Generate a monic primitive polynomial of degree over (Algorithm 4.78). The finite field can then be represented as , the set of all polynomials over modulo , and the element is a generator.
(ii) Select the method for representing elements of first. Then use Algorithm 4.80 with and to find a generator of .

If , where and are distinct odd primes, then is a non-cyclic group of order . The maximum order of an element in is . Algorithm 4.83 is a method for generating such an element which requires the factorizations of and .

4.83 Algorithm Selecting an element of maximum order in , where
INPUT: two distinct odd primes, , , and the factorizations of and .
OUTPUT: an element of maximum order in , where .
1. Use Algorithm 4.80 with and to find a generator of .
2. Use Algorithm 4.80 with and to find a generator of .
3. Use Gauss's algorithm (Algorithm 2.121) to find an integer , satisfying and .
4. Return( ).

4.6.1 Selecting a prime and generator of

In cryptographic applications for which a generator of is required, one usually has the flexibility of selecting the prime . To guard against the Pohlig-Hellman algorithm for computing discrete logarithms (Algorithm 3.63), a security requirement is that should contain a "large" prime factor . In this context, "large" means that the quantity represents an infeasible amount of computation; for example, . This suggests the following algorithm for selecting appropriate parameters .

4.84 Algorithm Selecting a -bit prime and a generator of
INPUT: the required bitlength of the prime and a security parameter .
OUTPUT: a -bit prime such that has a prime factor , and a generator of .
1. Repeat the following:
1.1 Select a random -bit prime (for example, using Algorithm 4.44).
1.2 Factor .
Until has a prime factor .
2. Use Algorithm 4.80 with and to find a generator of .
3. Return( , ).

Algorithm 4.84 is relatively inefficient as it requires the use of an integer factorization algorithm in step 1.2. An alternative approach is to generate the prime by first choosing a large prime and then selecting relatively small integers at random until is prime. Since , the factorization of can be obtained by factoring . A particularly convenient situation occurs by imposing the condition . In this case the factorization of is simply . Furthermore, since , the probability that a randomly selected element is a generator is .

4.85 Definition A safe prime is a prime of the form where is prime.

Algorithm 4.86 generates a safe (probable) prime and a generator of .

4.86 Algorithm Selecting a -bit safe prime and a generator of
INPUT: the required bitlength of the prime.
OUTPUT: a -bit safe prime and a generator of .
1. Do the following:
1.1 Select a random -bit prime (for example, using Algorithm 4.44).
1.2 Compute , and test whether is prime (for example, using trial division by small primes and Algorithm 4.24).
Until is prime.
2. Use Algorithm 4.80 to find a generator of .
3. Return( , ).

c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

4.7 Notes and further references

4.1 Several books provide extensive treatments of primality testing including those by Bressoud [198], Bach and Shallit [70], and Koblitz [697]. The book by Kranakis [710] offers a more theoretical approach. Cohen [263] gives a comprehensive treatment of modern primality tests. See also the survey articles by A. Lenstra [747] and A. Lenstra and H. Lenstra [748]. Facts 4.1 and 4.2 were proven in 1837 by Dirichlet. For proofs of these results, see Chapter 16 of Ireland and Rosen [572]. Fact 4.3 is due to Rosser and Schoenfeld [1070]. Bach and Shallit [70] have further results on the distribution of prime numbers. The Solovay-Strassen probabilistic primality test (Algorithm 4.18) is due to Solovay and Strassen [1163], as modified by Atkin and Larson [57]. Fact 4.23 was proven independently by Monier [892] and Rabin [1024]. The Miller-Rabin test (Algorithm 4.24) originated in the work of Miller [876] who presented it as a nonprobabilistic polynomial-time algorithm assuming the correctness of the Extended Riemann Hypothesis (ERH). Rabin [1021, 1024] rephrased Miller's algorithm as a probabilistic primality test. Rabin's algorithm required a small number of gcd computations. The Miller-Rabin test (Algorithm 4.24) is a simplification of Rabin's algorithm which does not require any gcd computations, and is due to Knuth [692, p.379].
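Algorithms 4.80, 4.83 and 4.86 above, carried out in Python as an added worked example (this is not code from the handbook). It assumes the cyclic groups in question are the multiplicative groups of integers modulo a prime, so the group operation is multiplication mod p; the factorizations that the algorithms take as input are obtained here by trial division, which stands in for the factoring step of Algorithm 4.84 and is only adequate at the small sizes used; Gauss's algorithm (2.121) is replaced by a direct Chinese-remainder combination that yields the same residue; and Miller-Rabin (Algorithm 4.24) is the primality test. Function names such as `find_generator` and `safe_prime_and_generator` are my own.

```python
import random
from math import gcd

def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probable-prime test (Algorithm 4.24 in the handbook's numbering)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # trial division by small primes
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                      # write n-1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a strong witness: n is composite
    return True

def trial_factor(n):
    """Distinct prime factors of n by trial division (demo sizes only; a real
    implementation of Algorithm 4.84 needs a proper factoring algorithm here)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors

def find_generator(p, order, prime_factors, rng=random):
    """Algorithm 4.80 for the cyclic group Z_p^* (p prime) of the given order with
    the given distinct prime factors: pick a random alpha and reject it as soon as
    alpha^(order/q) == 1 for some prime factor q; a survivor generates the group."""
    while True:
        alpha = rng.randrange(2, p)
        if all(pow(alpha, order // q, p) != 1 for q in prime_factors):
            return alpha

def element_of_max_order(p, q, rng=random):
    """Algorithm 4.83: an element of maximum order lcm(p-1, q-1) in Z_n^*, n = p*q,
    built from generators of Z_p^* and Z_q^* combined by the Chinese remainder theorem
    (used here in place of Gauss's algorithm, which computes the same residue)."""
    n = p * q
    alpha_p = find_generator(p, p - 1, trial_factor(p - 1), rng)
    alpha_q = find_generator(q, q - 1, trial_factor(q - 1), rng)
    # alpha = alpha_p (mod p) and alpha = alpha_q (mod q)
    return (alpha_p * q * pow(q, -1, p) + alpha_q * p * pow(p, -1, q)) % n

def safe_prime_and_generator(k, rng=random):
    """Algorithm 4.86: a k-bit safe prime p = 2q+1 (q prime) and a generator of Z_p^*.
    Since p-1 = 2q, Algorithm 4.80 only needs the factors 2 and q."""
    while True:
        q = rng.randrange(1 << (k - 2), 1 << (k - 1)) | 1   # random odd (k-1)-bit candidate
        if not is_probable_prime(q, rng=rng):
            continue
        p = 2 * q + 1                                        # then p has exactly k bits
        if is_probable_prime(p, rng=rng):
            break
    return p, find_generator(p, p - 1, [2, q], rng)

def multiplicative_order(a, n):
    """Order of a in Z_n^* by brute force (demo sizes only), used to check results."""
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k

def lcm(a, b):
    return a * b // gcd(a, b)

if __name__ == "__main__":
    p, alpha = safe_prime_and_generator(32)
    print(f"safe prime {p} (q = {(p - 1) // 2}), generator {alpha}")
    a = element_of_max_order(101, 103)
    print(f"order of {a} in Z_10403^* is {multiplicative_order(a, 10403)} = lcm(100, 102)")
```

A generator found for a safe prime p = 2q + 1 can be verified with just two exponentiations, alpha^2 and alpha^q mod p, which is why the safe-prime form is so convenient in practice: the check needs no factoring at all.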
Arazi [55], making use of Montgomery modular multiplication (§14.3.2), showed how the Miller-Rabin test can be implemented by "divisionless modular exponentiations" only, yielding a probabilistic primality test which does not use any division operations.

Miller [876], appealing to the work of Ankeny [32], proved under assumption of the Extended Riemann Hypothesis that, if is an odd composite integer, then its least strong witness is less than , where is some constant. Bach [63] proved that this constant may be taken to be ; see also Bach [64]. As a consequence, one can test for primality in bit operations by executing the Miller-Rabin algorithm for all bases . This gives a deterministic polynomial-time algorithm for primality testing, under the assumption that the ERH is true.

Table 4.1 is from Jaeschke [630], building on earlier work of Pomerance, Selfridge, and Wagstaff [996]. Arnault [56] found the following -digit composite integer that is a strong pseudoprime to all the prime bases up to . Arnault also found a -digit composite integer which is a strong pseudoprime to all prime bases up to .

The Miller-Rabin test (Algorithm 4.24) randomly generates independent bases and tests to see if each is a strong witness for . Let be an odd composite integer and let . In situations where random bits are scarce, one may choose instead to generate a single random base and use the bases . Bach [66] proved that for a randomly chosen integer , the probability that are all strong liars for is bounded above by ; in other words, the probability that the Miller-Rabin algorithm using these bases mistakenly declares an odd composite integer "prime" is at most . Peralta and Shoup [969] later improved this bound to .
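The strong-witness and strong-liar notions used throughout note 4.1 (the bound of Fact 4.23 on the number of strong liars, the strong pseudoprimes tabulated in Table 4.1, and Bach's consecutive-base variant of Miller-Rabin), as an added Python example that is not from the handbook. `strong_liars` enumerates every base by brute force, so it is meant for small n only. The test values are mine: 561 = 3·11·17 is a Carmichael number, 2047 = 23·89 is the smallest strong pseudoprime to base 2, and 1373653 is the smallest strong pseudoprime to bases 2 and 3 (facts from the primality-testing literature, not taken from this page). Function names are my own.

```python
from math import gcd

def is_strong_liar(a, n):
    """True if odd composite n passes one round of Miller-Rabin (Algorithm 4.24)
    with base a, i.e. a is a strong liar for n; False if a is a strong witness."""
    d, s = n - 1, 0                      # n-1 = 2^s * d, d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False

def strong_liars(n):
    """All strong liars a in [1, n-1] for an odd composite n (brute force)."""
    return [a for a in range(1, n) if is_strong_liar(a, n)]

def euler_phi(n):
    """phi(n) by brute force, to check the phi(n)/4 bound of Fact 4.23."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def miller_rabin_consecutive(n, a, t):
    """Miller-Rabin with the consecutive bases a, a+1, ..., a+t-1 (Bach's variant
    from note 4.1) instead of t independent random bases. Returns True if every
    base is a strong liar ("probably prime"), False as soon as a witness appears."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return all(is_strong_liar(b % n, n) for b in range(a, a + t))

if __name__ == "__main__":
    liars = strong_liars(561)
    print(f"561 has {len(liars)} strong liars, bound phi(561)/4 = {euler_phi(561) // 4}")
    print("2047 passes base 2:", is_strong_liar(2, 2047))
    print("1373653 with bases 2,3:", miller_rabin_consecutive(1373653, 2, 2),
          "with bases 2..5:", miller_rabin_consecutive(1373653, 2, 4))
```

The 561 case shows the gap between the worst-case bound and typical composites: 10 strong liars against a bound of 80, which is why a handful of rounds already gives the error probabilities quoted later in the chapter. The 1373653 case shows the failure mode the page warns about: a single base, or a pair of bases, can be fooled by a strong pseudoprime, and only adding further bases exposes it.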
4.2 Fact 4.13(i) was proven by Alford, Granville, and Pomerance [24]; see also Granville [521]. Fact 4.13(ii) is due to Pomerance, Selfridge, and Wagstaff [996]. Pinch [974] showed that there are Carmichael numbers up to . Monier [892] gave exact formulas for the number of Fermat liars, Euler liars, and strong liars for composite integers. One consequence of Monier's formulas is the following improvement (in the case where is not a prime power) of Fact 4.17 (see Kranakis [710, p.68]). If is an odd composite integer having distinct prime factors, and if , then there are at most Euler liars for . Another consequence is the following improvement (in the case where has at least three distinct prime factors) of Fact 4.23. If is an odd composite integer having distinct prime factors, then there are at most strong liars for . Erdős and Pomerance [373] estimated the average number of Fermat liars, Euler liars, and strong liars for composite integers. Fact 4.30(ii) was proven independently by Atkin and Larson [57], Monier [892], and Pomerance, Selfridge, and Wagstaff [996]. Pinch [975] reviewed the probabilistic primality tests used in the Mathematica, Maple V, Axiom, and Pari/GP computer algebra systems. Some of these systems use a probabilistic primality test known as the Lucas test; a description of this test is provided by Pomerance, Selfridge, and Wagstaff [996].

4.3 If a number is composite, providing a non-trivial divisor of is evidence of its compositeness that can be verified in polynomial time (by long division). In other words, the decision problem "is composite?" belongs to the complexity class NP (cf. Example 2.65).
Pratt [1000] used Fact 4.38 to show that this decision problem is also in co-NP. That is, if is prime there exists some evidence of this (called a certificate of primality) that can be verified in polynomial time. Note that the issue here is not in finding such evidence, but rather in determining whether such evidence exists which, if found, allows efficient verification. Pomerance [992] improved Pratt's results and showed that every prime has a certificate of primality which requires multiplications modulo for its verification. Primality of the Fermat number can be determined in deterministic polynomial time by Pepin's test: for , is prime if and only if . For the history behind Pepin's test and the Lucas-Lehmer test (Algorithm 4.37), see Bach and Shallit [70]. In Fact 4.38, the integer does not have to be the same for all . More precisely, Brillhart and Selfridge [212] showed that Fact 4.38 can be refined as follows: an integer is prime if and only if for each prime divisor of , there exists an integer such that and . The same is true of Fact 4.40, which is due to Pocklington [981]. For a proof of Fact 4.41, see Maurer [818]. Fact 4.42 is due to Brillhart, Lehmer, and Selfridge [210]; a simplified proof is given by Maurer [818]. The original Jacobi sum test was discovered by Adleman, Pomerance, and Rumely [16]. The algorithm was simplified, both theoretically and algorithmically, by Cohen and H. Lenstra [265]. Cohen and A. Lenstra [264] give an implementation report of the Cohen-Lenstra Jacobi sum test; see also Chapter 9 of Cohen [263]. Further improvements of the Jacobi sum test are reported by Bosma and van der Hulst [174]. Elliptic curves were first used for primality proving by Goldwasser and Kilian [477], who presented a randomized algorithm which has an expected running time of bit operations for most inputs .
Subsequently, Adleman and Huang [13] designed a primality proving algorithm using hyperelliptic curves of genus two whose expected running time is polynomial for all inputs . This established that the decision problem "is prime?" is in the complexity class RP (Definition 2.77(ii)). The Goldwasser-Kilian and Adleman-Huang algorithms are inefficient in practice. Atkin's test, and an implementation of it, is extensively described by Atkin and Morain [58]; see also Chapter 9 of Cohen [263]. The largest number proven prime as of 1996 by a general purpose primality proving algorithm is a 1505-decimal digit number, accomplished by Morain [903] using Atkin's test. The total time for the computation was estimated to be 4 years of CPU time distributed among 21 SUN 3/60 workstations. See also Morain [902] for an implementation report on Atkin's test which was used to prove the primality of the 1065-decimal digit number .

4.4 A proof of Mertens's theorem can be found in Hardy and Wright [540]. The optimal trial division bound (Note 4.45) was derived by Maurer [818]. The discussion (Note 4.47) on the probability is from Beauchemin et al. [81]; the result mentioned in the last sentence of this note is due to Kim and Pomerance [673]. Fact 4.48 was derived by Damgård, Landrock, and Pomerance [300], building on earlier work of Erdős and Pomerance [373], Kim and Pomerance [673], and Damgård and Landrock [299]. Table 4.3 is Table 2 of Damgård, Landrock, and Pomerance [300]. The suggestions to first do a Miller-Rabin test with a base (Remark 4.50) and to do an incremental search (Note 4.51) in Algorithm 4.44 were made by Brandt, Damgård, and Landrock [187]. The error and failure probabilities for incremental search (Note 4.51(i)) were obtained by Brandt and Damgård [186]; consult this paper for more concrete estimates of these probabilities. Algorithm 4.53 for generating strong primes is due to Gordon [514, 513]. Gordon originally proposed computing in step 3. Kaliski (personal communication, April 1996) proposed the modified formula which can be computed more efficiently. Williams and Schmid [1249] proposed an algorithm for generating strong primes with the additional constraint that where is prime; this algorithm is not as efficient as Gordon's algorithm. Hellman and Bach [550] recommended an additional constraint on strong primes, specifying that (where is a large prime factor of ) must have a large prime factor (see §15.2.3(v)); this thwarts cycling attacks based on Lucas sequences. The NIST method for prime generation (Algorithm 4.56) is that recommended by the NIST Federal Information Processing Standards Publication (FIPS) 186 [406]. Fact 4.59 and Algorithm 4.62 for provable prime generation are derived from Maurer [818]. Algorithm 4.62 is based on that of Shawe-Taylor [1123]. Maurer notes that the total diversity of reachable primes using the original version of his algorithm is roughly 10% of all primes. Maurer also presents a more complicated algorithm for generating provable primes with a better diversity than Algorithm 4.62, and provides extensive implementation details and analysis of the expected running time. Maurer [812] provides heuristic justification that Algorithm 4.62 generates primes with virtually uniform distribution. Mihailescu [870] observed that Maurer's algorithm can be improved by using the Eratosthenes sieve method for trial division (in step 8.2 of Algorithm 4.62) and by searching for a prime in an appropriate interval of the arithmetic progression instead of generating 's at random until is prime. The second improvement comes at the expense of a reduction of the set of primes which may be produced by the algorithm. Mihailescu's paper includes extensive analysis and an implementation report.

4.5 Lidl and Niederreiter [764] provide a comprehensive treatment of irreducible polynomials; proofs of Facts 4.67 and 4.68 can be found there. Algorithm 4.69 for testing a polynomial for irreducibility is due to Ben-Or [109]. The fastest algorithm known for generating irreducible polynomials is due to Shoup [1131] and has an expected running time of -operations. There is no deterministic polynomial-time algorithm known for finding an irreducible polynomial of a specified degree in . Adleman and Lenstra [14] give a deterministic algorithm that runs in polynomial time under the assumption that the ERH is true. The best deterministic algorithm known is due to Shoup [1129] and takes -operations, ignoring powers of and . Gordon [512] presents an improved method for computing minimum polynomials of elements in . Zierler and Brillhart [1271] provide a table of all irreducible trinomials of degree in . Blake, Gao, and Lambert [146] extended this list to all irreducible trinomials of degree in . Fact 4.75 is from their paper. Table 4.8 extends a similar table by Stahnke [1168]. The primitive pentanomials listed in Table 4.8 have the following properties: (i) ; (ii) ; and (iii) is as small as possible, and for this particular value of , is as small as possible.
The rationale behind this form is explained in Stahnke's paper. For each for which the factorization of is known, Živković [1275, 1276] gives a primitive trinomial in , one primitive polynomial in having five non-zero terms, and one primitive polynomial in having seven non-zero terms, provided that such polynomials exist. The factorizations of are known for all and for some additional . A list of such factorizations can be found in Brillhart et al. [211] and updates of the list are available by anonymous ftp from sable.ox.ac.uk in the /pub/math/cunningham/ directory. Hansen and Mullen [538] describe some improvements to Algorithm 4.78 for generating primitive polynomials. They also give tables of primitive polynomials of degree in for each prime power with . Moreover, for each such and , the primitive polynomial of degree over listed has the smallest number of non-zero coefficients among all such polynomials. The entries of Table 4.9 were obtained from Zierler [1270] for Mersenne exponents , and from Kurita and Matsumoto [719] for Mersenne exponents , .

Let be an irreducible polynomial of degree , and consider the finite field . Then is called a normal polynomial if the set , forms a basis for over ; such a basis is called a normal basis. Mullin et al. [911] introduced the concept of an optimal normal basis in order to reduce the hardware complexity of multiplying field elements in the finite field . A VLSI implementation of the arithmetic in which uses optimal normal bases is described by Agnew et al. [18]. A normal polynomial which is also primitive is called a primitive normal polynomial. Davenport [301] proved that for any prime and positive integer there exists a primitive normal polynomial of degree in . See also Lenstra and Schoof [760] who generalized this result from prime fields to prime power fields . Morgan and Mullen [905] give a primitive normal polynomial of degree over for each prime power with . Moreover, each polynomial has the smallest number of non-zero coefficients among all primitive normal polynomials of degree over ; in fact, each polynomial has at most five non-zero terms.

4.6 No polynomial-time algorithm is known for finding generators, or even for testing whether an element is a generator, of a finite field if the factorization of is unknown. Shoup [1130] considered the problem of deterministically generating in polynomial time a subset of that contains a generator, and presented a solution to the problem for the case where the characteristic of is small (e.g. ). Maurer [818] discusses how his algorithm (Algorithm 4.62) can be used to generate the parameters , where is a provable prime and is a generator of .
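Notes 4.5 and 4.6 above mention three properties of a polynomial over Z_2: irreducibility (Ben-Or's test, Algorithm 4.69), primitivity (x has order 2^m − 1 in the field Z_2[x]/(f(x)), which needs the factorization of 2^m − 1 as input, as the handbook's Algorithm 4.77 does), and normality (the conjugates x, x^2, x^4, ..., x^(2^(m−1)) form a basis). Here are all three as an added Python example that is not from the handbook, with polynomials encoded as integers whose bit i is the coefficient of x^i. The test polynomials (x^4 + x + 1, the AES polynomial x^8 + x^4 + x^3 + x + 1, and the primitive trinomial x^31 + x^3 + 1 with 2^31 − 1 prime) and the factorizations passed in are supplied by me; function names are my own.

```python
def pmod(a, f):
    """a mod f in Z_2[x]; polynomials are ints, bit i = coefficient of x^i."""
    df = f.bit_length() - 1
    while a and a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a

def pmulmod(a, b, f):
    """a*b mod f in Z_2[x] for a, b already reduced mod f (shift-and-add)."""
    top = 1 << (f.bit_length() - 1)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:                      # degree reached deg f: reduce
            a ^= f
    return r

def ppowmod(a, e, f):
    """a^e mod f in Z_2[x] by square-and-multiply."""
    r, a = 1, pmod(a, f)
    while e:
        if e & 1:
            r = pmulmod(r, a, f)
        a = pmulmod(a, a, f)
        e >>= 1
    return r

def pgcd(a, b):
    """gcd in Z_2[x] (Euclid); returns 1 for coprime inputs."""
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(f):
    """Ben-Or's test (Algorithm 4.69): f of degree m is reducible iff
    gcd(f, x^(2^i) - x) != 1 for some i <= m/2."""
    m = f.bit_length() - 1
    if m < 1:
        return False
    x = 0b10
    u = x
    for _ in range(m // 2):
        u = pmulmod(u, u, f)             # u = x^(2^i) mod f
        if pgcd(f, u ^ x) != 1:          # u ^ x is x^(2^i) - x over Z_2
            return False
    return True

def is_primitive(f, order_prime_factors):
    """f is primitive iff it is irreducible and x has order 2^m - 1 in Z_2[x]/(f),
    checked as x^((2^m-1)/r) != 1 for every prime factor r of 2^m - 1
    (the caller supplies that factorization, as in the handbook's Algorithm 4.77)."""
    m = f.bit_length() - 1
    if not is_irreducible(f):
        return False
    n = (1 << m) - 1
    return all(ppowmod(0b10, n // r, f) != 1 for r in order_prime_factors)

def is_normal(f):
    """f is a normal polynomial iff it is irreducible and the conjugates
    x, x^2, x^4, ..., x^(2^(m-1)) are linearly independent over Z_2
    (rank over Z_2 via Gaussian elimination on the bit-mask rows)."""
    m = f.bit_length() - 1
    if not is_irreducible(f):
        return False
    rows, u = [], 0b10
    for _ in range(m):
        rows.append(u)
        u = pmulmod(u, u, f)
    rank = 0
    for bit in range(m - 1, -1, -1):
        pivot = next((r for r in rows if r >> bit & 1), 0)
        if not pivot:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if r >> bit & 1 else r for r in rows]
        rank += 1
    return rank == m

if __name__ == "__main__":
    aes = 0x11b                          # x^8 + x^4 + x^3 + x + 1
    print("AES polynomial: irreducible", is_irreducible(aes),
          "primitive", is_primitive(aes, [3, 5, 17]))
    t31 = (1 << 31) | (1 << 3) | 1       # x^31 + x^3 + 1, 2^31 - 1 prime
    print("x^31+x^3+1 primitive:", is_primitive(t31, [(1 << 31) - 1]))
```

The AES case is the instructive one: the polynomial is irreducible, so it defines the field, yet x is not a generator of the multiplicative group (its order is 51, not 255), so an implementation that needs a primitive element must not assume one from irreducibility alone. Where 2^m − 1 is a Mersenne prime, as for m = 31, the two properties coincide, which is exactly why Table 4.9 can list primitive trinomials for Mersenne exponents.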
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
