
Cryptography: Generation of Big Prime Numbers, Uwe Egly, Vienna (PowerPoint PPT Presentation)



  1. Cryptography: Generation of Big Prime Numbers
  Uwe Egly, Vienna University of Technology, Institute of Information Systems, Knowledge-Based Systems Group

  2. Overview
  ◮ Generation of big primes, e.g., for RSA
  ◮ Randomly generated primes required
  ◮ Prime number theorem: $\pi(x)$ is the number of primes $\le x$, and
    $\lim_{x \to \infty} \frac{\pi(x)}{x / \ln x} = 1$
    ⇒ There are $10^{151}$ primes of length up to 512 bits
  ◮ Fundamental theorem of arithmetic: Every integer $n > 2$ has a factorization as a product of prime powers,
    $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$,
    where the $p_i$ are distinct primes and the $e_i$ are positive integers. Furthermore, the factorization is unique up to rearrangement of factors.

  3. Overall Procedure to Generate Big Primes
  1. Generate a prime candidate n, i.e., generate a big random number and set msb = lsb = 1
  2. Test n for primality
  3. If prime, return prime n; otherwise continue with step 1
  Possible methods for step 2 (primality test) are:
  ◮ Deterministic factorization procedures into primes (trial division, Pollard's rho and p−1 methods, sieve procedures)
  ◮ Fast probabilistic decision procedures (no factors) (Fermat test, Rabin-Miller, Solovay-Strassen, ...)
  ◮ Deterministic decision procedure AKS (in P) (no factors) (Agrawal, Kayal and Saxena, 2002)
  ◮ but, at the moment, probabilistic algorithms are faster!!!

  4. Trial Division
  ◮ Decides primality of the given number and returns a factor
  ◮ Based on the following theorem ... If n is a natural number and composite, then n has a prime factor p with $p \le \sqrt{n}$
  ◮ ... and naive trials of primes $\le \lfloor \sqrt{n} \rfloor$
  ◮ Result always correct, but method computationally expensive: since $\pi(x) > x / \ln x$ (for $x > 17$), $\sqrt{x} / \ln \sqrt{x}$ divisions are required
  ◮ Exa: For $10^{75}$, more than $0.36 \cdot 10^{36}$ trial divisions required
  ◮ AKS or probabilistic primality methods are much faster

  5. Computation of the Greatest Common Divisor
  ◮ Euclidean algorithm to compute gcd(a, b)

    Algorithm 1: gcd(a, b)
    Input: Two integers a, b
    Result: gcd(a, b)
    int r, aa, ab;
    begin
      aa = abs(a); ab = abs(b);
      while ab ≠ 0 do
        r = aa mod ab; aa = ab; ab = r;
      return aa;
    end

  ◮ a, b are coprime if gcd(a, b) = 1
  ◮ The extended algorithm also computes integers x, y satisfying gcd(a, b) = xa + yb
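Algorithm 1 and its extended variant in Python, as an added example that is not code from the slides; the modular-inverse helper goes one step beyond the slide and shows what the extended algorithm is used for in RSA key generation (the function names are this example's own):

```python
def gcd(a, b):
    """Algorithm 1 of the slides: Euclid's algorithm on |a| and |b|."""
    aa, ab = abs(a), abs(b)
    while ab != 0:
        aa, ab = ab, aa % ab      # r = aa mod ab; aa = ab; ab = r
    return aa


def extended_gcd(a, b):
    """Extended Euclid: returns (d, x, y) with d = gcd(a, b) = x*a + y*b.
    The Bezout coefficients are updated with the same quotients that drive
    the remainder sequence of Algorithm 1."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                 # normalise so that d is non-negative
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def mod_inverse(e, m):
    """Inverse of e modulo m, i.e. the RSA private exponent d for public
    exponent e and m = phi(N). Exists only if e and m are coprime."""
    d, x, _ = extended_gcd(e, m)
    if d != 1:
        raise ValueError(f"{e} and {m} are not coprime (gcd = {d})")
    return x % m
```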

  6. Exponentiation
  ◮ Often needed: calculation of $g^e$ in a monoid G
  ◮ For crypto applications, the exponent e is usually large
  ◮ Therefore, computation of $g^e$ by $e - 1$ multiplications is not practicable
  ◮ Solution: use a fast exponentiation algorithm (based on iterative squaring)
  ◮ Binary representation of $e \in \mathbb{N}$ ($e_i \in \{0, 1\}$): $e = \sum_{i=0}^{k} e_i 2^i$
  ◮ With $g \in G$ we get:
    $g^e = g^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(g^{2^i}\right)^{e_i} = \prod_{0 \le i \le k,\; e_i = 1} g^{2^i}$
  ◮ Example: e = 5. Then e has the binary representation 101, $g^e = g^{1 \cdot 2^0 + 0 \cdot 2^1 + 1 \cdot 2^2}$ and therefore $g^e = g^{2^0} \cdot g^{2^2}$

  7. A Procedure for Fast Exponentiation
  ◮ Implementation needed later for exponentiation in $\mathbb{Z}_n$
  ◮ Bit complexity of $g^e \bmod n$ with $e < n$: $O((\mathrm{ld}\, n)^3)$ (ld = logarithm to base 2)

    Algorithm 2: fastExponentiationInZn(g, e)
    Input: $g \in \mathbb{Z}_n$, e ($0 \le e < n$) with binary representation $e = \sum_{i=0}^{k} e_i 2^i$
    Result: $g^e \bmod n$
    begin
      b = 1;
      if e = 0 then return b;
      G = g;
      if e_0 = 1 then b = g;
      for i = 1 to k step 1 do
        G = G^2 mod n;
        if e_i = 1 then b = (G · b) mod n;
      return b;
    end

  8. An Example for Fast Exponentiation: $5^{596} \bmod 1234$

    i      0    1    2    3    4    5    6    7    8    9
    e_i    0    0    1    0    1    0    1    0    0    1
    G      5   25  625  681 1011  369  421  779  947  925
    b      1    1  625  625   67   67 1059 1059 1059 1013

  (596 = 1001010100 in binary, read from $e_9$ down to $e_0$; the result is b = 1013.)
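Algorithm 2 in Python with an optional per-step trace, as an added example that is not code from the slides; the trace reproduces the table of slide 8 for $5^{596} \bmod 1234$ (the `trace` parameter and the `exponentiation_table` helper are this example's own additions):

```python
def fast_exp_mod(g, e, n, trace=None):
    """Algorithm 2 of the slides: g^e mod n by iterated squaring over the bits
    e_0, e_1, ..., e_k of e (least significant first).  G runs through
    g^(2^i) mod n; b accumulates the product of the G's where e_i = 1.
    If a list is passed as `trace`, (i, e_i, G, b) is appended per step."""
    b = 1
    if e == 0:
        return b
    bits = [(e >> i) & 1 for i in range(e.bit_length())]   # e_0 ... e_k
    G = g % n
    if bits[0] == 1:
        b = G
    if trace is not None:
        trace.append((0, bits[0], G, b))
    for i in range(1, len(bits)):
        G = G * G % n                 # G = g^(2^i) mod n
        if bits[i] == 1:
            b = G * b % n
        if trace is not None:
            trace.append((i, bits[i], G, b))
    return b


def exponentiation_table(g, e, n):
    """The per-step table of slide 8 as four rows: i, e_i, G, b."""
    trace = []
    fast_exp_mod(g, e, n, trace)
    return [[row[col] for row in trace] for col in range(4)]
```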

  9. Fermat Test
  ◮ Based on the following theorem ("Fermat's Little Theorem"): Let n be prime. Then
    (∗) $a^{n-1} \equiv 1 \pmod n$
    holds for all $a \in \mathbb{Z}$ with gcd(a, n) = 1.
  ◮ Basic idea:
    ◮ Find a (0 < a < n) which violates (∗) ⇒ n not prime
    ◮ After t failed tests with random a, quit and postulate n prime
  Let $n \in \mathbb{Z}$ be composite and odd. a (0 < a < n) is a Fermat witness to compositeness for n if $a^{n-1} \not\equiv 1 \pmod n$. n is called a pseudoprime to the base a if $a^{n-1} \equiv 1 \pmod n$; a is then a Fermat liar to primality for n.
  ◮ Exa: n = 341 = 11 · 31 is a pseudoprime wrt 2, because $2^{340} \equiv 1 \pmod{341}$ (How do we compute it efficiently?)

  10. Pseudocode for the Fermat Test

    Algorithm 3: FermatTest(n, t)
    Input: An odd integer n ≥ 3 and a security parameter t > 0
    Result: "prime" or "composite"
    begin
      for i = 1 to t step 1 do
        Choose a random integer a with 2 ≤ a ≤ n − 2;
        r = a^(n−1) mod n;   /* Use fast exponentiation */
        if r ≠ 1 then return "composite";
      return "prime";
    end

  ◮ 2 ≤ a ≤ n − 2 because $(n-1)^{n-1} \equiv 1 \pmod n$
  ◮ Output "composite": always correct
  ◮ Output "prime": often correct, but sometimes wrong (wrong results occur seldom because pseudoprimes (PPs) wrt a given basis a are rare)
  ◮ Observe: no check for (*) gcd(a, n) = 1 in the program (Why? PPs wrt any basis a for which (*) holds are even rarer)

  11. Carmichael Numbers
  A Carmichael number (CN) n is a composite integer such that $a^{n-1} \equiv 1 \pmod n$ for all integers a which satisfy gcd(a, n) = 1.
  ◮ CNs: often wrongly classified as primes by the Fermat test (FT)
  ◮ CN n: pseudoprime for all a (1 ≤ a < n) with gcd(a, n) = 1
  ◮ Possible Fermat witnesses for compositeness of a CN n: $a \in \mathbb{Z}$ (1 ≤ a < n) with gcd(a, n) > 1
  ◮ Bad news: Fermat witnesses are factors of n ⇒ hard to find witnesses if n has only large prime factors
  ◮ Good news: each CN is a product of at least 3 primes and
  ◮ CNs are rare: 105,212 CNs in the interval $[2, 10^{15}]$
  ◮ Improved probabilistic tests: Solovay-Strassen, Rabin-Miller
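Algorithm 3 and the Carmichael definition of slide 11 in Python, as an added example that is not code from the slides; it uses Python's built-in `pow(a, e, n)` in place of Algorithm 2, and 561 = 3 · 11 · 17 used in the checks is the smallest Carmichael number (a known value, not from the slides):

```python
import random
from math import gcd, isqrt


def fermat_test(n, t, rng=random):
    """Algorithm 3 of the slides: t rounds with random bases 2 <= a <= n - 2.
    n must be an odd integer >= 3; `rng` may be a seeded random.Random."""
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        if pow(a, n - 1, n) != 1:       # a is a Fermat witness to compositeness
            return "composite"
    return "prime"


def fermat_liars(n):
    """Bases a (1 <= a < n) to which composite n is a pseudoprime."""
    return [a for a in range(1, n) if pow(a, n - 1, n) == 1]


def fermat_witnesses(n):
    """Bases a (1 <= a < n) that expose n as composite."""
    return [a for a in range(1, n) if pow(a, n - 1, n) != 1]


def is_prime_by_trial_division(n):
    """Exact primality by trial division (slide 4); fine for the small n used here."""
    return n >= 2 and all(n % p for p in range(2, isqrt(n) + 1))


def is_carmichael(n):
    """Composite n with a^(n-1) == 1 (mod n) for every a coprime to n (slide 11)."""
    if n < 3 or is_prime_by_trial_division(n):
        return False
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)
```

For a Carmichael number the only witnesses are the bases that share a factor with n, which is exactly the "bad news" of slide 11.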

  12. Strong Pseudoprimes
  Let n be an odd prime, and let $n - 1 = 2^s r$ where r is odd. Let a be any integer such that gcd(a, n) = 1. Then either $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some j, 0 ≤ j ≤ s − 1.
  $r = (n-1)/2^s$ is odd if $2^s \mid n - 1$ but $2^{s+1} \nmid n - 1$.
  Let n be an odd composite integer and let $n - 1 = 2^s r$ where r is odd. Let a be an integer in the interval [1, n − 1].
  (i) If $a^r \not\equiv 1 \pmod n$ and $a^{2^j r} \not\equiv -1 \pmod n$ for all j, 0 ≤ j ≤ s − 1, then a is called a strong witness (to compositeness) for n.
  (ii) Otherwise, i.e., if $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some j, 0 ≤ j ≤ s − 1, then n is said to be a strong pseudoprime to the base a. The integer a is called a strong liar (to primality) for n.

  13. An Example for Strong Pseudoprimes
  Example: Let n = 91 = 7 · 13
  ◮ Determine odd $r = (n-1)/2^s$: $90/2^s$ yields s = 1, r = 45
  ◮ Since 0 ≤ j ≤ s − 1 and s = 1, j has to be 0
  ◮ Check for all bases a whether $a^r \equiv \pm 1 \pmod n$
  ◮ Clear for a = 1; for a = 2, $a^r \equiv 57 \pmod n$, ...
  ◮ The set of all 18 strong liars for n = 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}
  If n is an odd composite integer, then at most 1/4 of all the numbers a, 1 ≤ a ≤ n − 1, are strong liars for n. In fact, if n ≠ 9, the number of strong liars for n is at most φ(n)/4, where φ(·) is the Euler phi function.
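Definition (ii) of slide 12 and the example of slide 13 in Python, as an added example that is not code from the slides; it checks the definition literally for every base, enumerates the strong liars of 91 and verifies the φ(n)/4 bound (function names are this example's own):

```python
from math import gcd


def split_power_of_two(m):
    """Write m = 2^s * r with r odd and return (s, r)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m


def is_strong_liar(n, a):
    """Definition (ii) of slide 12, checked literally: a^r == 1 (mod n) or
    a^(2^j r) == -1 (mod n) for some 0 <= j <= s-1, where n - 1 = 2^s r."""
    s, r = split_power_of_two(n - 1)
    if pow(a, r, n) == 1:
        return True
    return any(pow(a, (1 << j) * r, n) == n - 1 for j in range(s))


def strong_liars(n):
    """All strong liars a in [1, n-1] for the odd composite n."""
    return [a for a in range(1, n) if is_strong_liar(n, a)]


def euler_phi(n):
    """Euler's phi function by counting, adequate for the small n used here."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def liar_bound_holds(n):
    """Slide 13's bound: for odd composite n != 9 at most phi(n)/4 strong liars."""
    return 4 * len(strong_liars(n)) <= euler_phi(n)
```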

  14. Pseudocode for the Rabin-Miller Test

    Algorithm 4: RabinMiller(n, t)
    Input: An odd integer n ≥ 3 and a security parameter t > 0
    Result: "prime" or "composite"
    begin
      Write n − 1 = 2^s · r such that r is odd;
      for i = 1 to t step 1 do
        Choose a random integer a with 2 ≤ a ≤ n − 2;
        y = a^r mod n;   /* Use fast exponentiation */
        if y ≠ 1 and y ≠ n − 1 then   /* Check a for being a strong witness */
          j = 1;
          while j < s and y ≠ n − 1 do
            y = y^2 mod n;
            if y == 1 then return "composite";   /* (*) */
            j = j + 1;
          if y ≠ n − 1 then return "composite";   /* Strong witness detected */
      return "prime";
    end

  15. A Comment on (*)
  ◮ Since y == 1, we have $a^{2^j r} \equiv 1 \pmod n$ for the current j
  ◮ Observe that $a^{2^{j-1} r} \not\equiv \pm 1 \pmod n$ (because otherwise the loop would have terminated earlier!)
  ◮ For integers a, b, n we have the following: if $a^2 \equiv b^2 \pmod n$ but $a \not\equiv \pm b \pmod n$, then gcd(a − b, n) is a non-trivial factor of n
  ◮ Therefore, if y == 1, then n is composite and $\gcd(a^{2^{j-1} r} - 1, n)$ is a factor of n

  16. Some Comments
  ◮ Interpretation of the output: same as in the Fermat test
  ◮ Probabilities for erroneous answers
    ◮ For each odd composite integer: probability of the output "prime" of Rabin-Miller is $\le (1/4)^t$
    ◮ Therefore, error probability $p_{RM}(t) \le (1/4)^t$ for Rabin-Miller (practically very often much smaller than $(1/4)^t$)
    ◮ Error probability $p_F(t) \le (1/2)^t$ for Fermat
    ◮ t = 25: $p_F(t) \approx 3 \cdot 10^{-8}$ and $p_{RM}(t) \approx 9 \cdot 10^{-16}$
  ◮ Comparison of Rabin-Miller and Fermat
    ◮ Rabin-Miller is computationally not more expensive than Fermat
    ◮ Rabin-Miller classifies at most as many numbers as prime as Fermat does

  17. Generation of Prime Numbers
  ◮ Generate probable primes or provable primes
  ◮ The former are randomly generated and checked with Rabin-Miller
  ◮ Additionally: test for small factors ≤ B
  ◮ The latter are constructed (e.g., with Maurer's algorithm)
  ◮ Debatable whether provable primes are really needed
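Algorithm 4 with the factor extraction of slide 15, plus the candidate loop of slide 3 and the small-factor pre-test of slide 17, in Python as an added example that is not code from the slides. The trial-division bound B = 200, the default of t = 25 rounds and the function names are assumptions of this example; candidates need at least 2 bits.

```python
import random
from math import gcd

# Trial-division bound B for the "test for small factors" step (B = 200 is an assumed value).
SMALL_PRIMES = [p for p in range(2, 200) if all(p % q for q in range(2, p))]


def rabin_miller_round(n, a):
    """One round of Algorithm 4 with base a for odd n >= 3.  Returns
    (is_strong_witness, factor): factor is the non-trivial divisor
    gcd(a^(2^(j-1) r) - 1, n) of slide 15 when the (*) case y == 1 occurs,
    and None otherwise."""
    s, r = 0, n - 1                     # write n - 1 = 2^s r, r odd
    while r % 2 == 0:
        s, r = s + 1, r // 2
    y = pow(a, r, n)
    if y == 1 or y == n - 1:
        return False, None              # a is a strong liar
    for _ in range(1, s):
        prev, y = y, y * y % n
        if y == 1:                      # (*): prev^2 == 1 but prev != +-1 (mod n)
            return True, gcd(prev - 1, n)
        if y == n - 1:
            return False, None
    return True, None                   # strong witness, no factor revealed


def is_probable_prime(n, t=25, rng=random):
    """Small-factor test up to B, then t Rabin-Miller rounds with random bases."""
    if n < 4:
        return n in (2, 3)
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return not any(rabin_miller_round(n, rng.randrange(2, n - 1))[0] for _ in range(t))


def generate_prime(bits, t=25, rng=random):
    """Slides 3 and 17: random candidates with msb = lsb = 1 until one passes."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, t, rng):
            return candidate
```

For 561 with base 2 the squaring chain reaches y == 1 from 67, so the round returns the factor gcd(66, 561) = 33 in addition to "composite".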
