probability is acceptably small for most practical purposes.
Primes in arithmetic progressions
For some applications, one needs a prime number of a given bitlength
k
, but with additional special
properties. One convenient property is that
p

1 should be divisible by a prime
q
of given length
‘
. So we want an algorithm takes as input
k
and
‘
, with
‘ < k
, and outputs
p
and
q
such that
p
is
a
k
bit prime,
q
is an
‘
bit prime, and
p
≡
1 (mod
q
).
One way to generate
p
and
q
is as follows:
68
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Step 1:
Generate an
‘
bit prime
q
, using an algorithm such as the “generate and test” algorithm
discussed above.
Step 2:
Choose
m
at random from the interval
I
=
{
x
∈
Z
: (2
k

1

1)
/q < x <
(2
k

1)
/q
}
,
set
p
=
mq
+ 1 (which is a
k
bit integer), and test if
p
is prime; if not, repeat this step;
otherwise, output
p
and
q
.
For what values of
k
and
‘
will this algorithm perform reasonably well?
If we view
‘
as fixed and let
k
tend to infinity, then Dirichlet’s theorem on primes in arithmetic
progressions tells us that for any
‘
bit prime
q
, the probability that
m
chosen at random from
I
yields a prime is Θ(1
/k
).
However, suppose we want to let both
k
and
‘
tend to infinity. Clearly, if
k
=
‘
+ 1, for a given
q
of length
‘
, there is only one possible value for
p
, namely
p
= 2
q
+ 1. So if 2
q
+ 1 is not prime,
the above algorithm will never terminate. But suppose that
k
and
‘
both tend to infinity, but we
restrict
‘
so that it is not too big relative to
k
. For example, we may require that
‘ < k/
3. In this
case, it turns out that there is strong mathematical evidence (namely, the Generalized Riemann
Hypothesis) that the probability that
m
chosen at random from
I
yields a prime is Θ(1
/k
). Thus,
in this case it is reasonable to conjecture, and it is born out in practice, that Step 2 of the above
algorithm terminates on average after Θ(
k
) iterations.
Sophie Germain primes
Sometimes, one wants a prime
p
of a given length to satisfy a stronger property; namely, that
p
= 2
q
+ 1, where
q
is prime. Mathemeticians call the prime
q
in this case a “Sophie Germain”
prime, while cryptographers call the prime
p
in this case a “strong” or “safe” prime.
It is not known whether there exist an infinite number of strong primes. However, it is conjec
tured, and supported by experiment, that the probability that a random
k
bit number is a strong
prime is Θ(1
/k
2
). The intuition is that a random number
p
of length
k
is prime with probability
1
/k
, and for a random prime
p
, it does not seem unreasonable to believe that
q
= (
p

1)
/
2 is also
prime with roughly the same probability.
If we believe this conjecture, then a reasonable way to generate strong primes is the same
“generate and test” procedure we used above; namely, generate a random
k
bit number
p
, and test
if both
p
and
q
= (
p

1)
/
2 are prime; if so, output
p
; otherwise, repeat.
This is the end of the preview.
Sign up
to
access the rest of the document.
 Spring '13
 MRR
 Math, Algebra, Number Theory

Click to edit the document details