{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

Primes in arithmetic progressions for some

Info iconThis preview shows pages 73–74. Sign up to view the full content.

View Full Document Right Arrow Icon
probability is acceptably small for most practical purposes. Primes in arithmetic progressions For some applications, one needs a prime number of a given bit-length k , but with additional special properties. One convenient property is that p - 1 should be divisible by a prime q of given length . So we want an algorithm takes as input k and , with ‘ < k , and outputs p and q such that p is a k -bit prime, q is an -bit prime, and p 1 (mod q ). One way to generate p and q is as follows: 68
Background image of page 73

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Step 1: Generate an -bit prime q , using an algorithm such as the “generate and test” algorithm discussed above. Step 2: Choose m at random from the interval I = { x Z : (2 k - 1 - 1) /q < x < (2 k - 1) /q } , set p = mq + 1 (which is a k -bit integer), and test if p is prime; if not, repeat this step; otherwise, output p and q . For what values of k and will this algorithm perform reasonably well? If we view as fixed and let k tend to infinity, then Dirichlet’s theorem on primes in arithmetic progressions tells us that for any -bit prime q , the probability that m chosen at random from I yields a prime is Θ(1 /k ). However, suppose we want to let both k and tend to infinity. Clearly, if k = + 1, for a given q of length , there is only one possible value for p , namely p = 2 q + 1. So if 2 q + 1 is not prime, the above algorithm will never terminate. But suppose that k and both tend to infinity, but we restrict so that it is not too big relative to k . For example, we may require that ‘ < k/ 3. In this case, it turns out that there is strong mathematical evidence (namely, the Generalized Riemann Hypothesis) that the probability that m chosen at random from I yields a prime is Θ(1 /k ). Thus, in this case it is reasonable to conjecture, and it is born out in practice, that Step 2 of the above algorithm terminates on average after Θ( k ) iterations. Sophie Germain primes Sometimes, one wants a prime p of a given length to satisfy a stronger property; namely, that p = 2 q + 1, where q is prime. Mathemeticians call the prime q in this case a “Sophie Germain” prime, while cryptographers call the prime p in this case a “strong” or “safe” prime. It is not known whether there exist an infinite number of strong primes. However, it is conjec- tured, and supported by experiment, that the probability that a random k -bit number is a strong prime is Θ(1 /k 2 ). The intuition is that a random number p of length k is prime with probability 1 /k , and for a random prime p , it does not seem unreasonable to believe that q = ( p - 1) / 2 is also prime with roughly the same probability. If we believe this conjecture, then a reasonable way to generate strong primes is the same “generate and test” procedure we used above; namely, generate a random k -bit number p , and test if both p and q = ( p - 1) / 2 are prime; if so, output p ; otherwise, repeat.
Background image of page 74
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}