PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

Transcription

1 PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract Publc-key cryptosystems base ther securty on well-known number-theoretc problems, such as factorsaton of a gven number n. Hence, prme number generaton s an absolute requrement. Many prme number generaton technques have been proposed up-to-date, whch dffer manly n terms of complexty, certanty and speed. Pocklngton s theorem, f mplemented, can guarantee the generaton of a true prme. The proposed mplementaton exhbts low complexty at the expense of long executon tme. Keywords: Prmalty, Prme Number Generaton, Computatonal Number Theory. 1 BACKGROUND Testng the prmalty of a number s not the same as fndng ts prme factors. However, for applcatons such as publc-key encrypton, knowledge of prmalty s suffcent. Many prmalty tests have been devsed untl now, some better than others. They can be classfed nto two man categores: determnstc and probablstc. Determnstc They provde the defnte answer to the queston whether a number n s prme or not. The older ones requred, at some pont, a factorsaton of a number related to n. Ths factorsaton can prove to be as hard as factorng n tself. Such paradgms are the ellptc curve test 1, the APR test and the Lucas-Lehmer test for Mersenne prmes. Probablstc Generally speakng, they are much easer to mplement and ther executon tme s sgnfcantly less than determnstc ones. Once a number n has passed such a test, ts probablty of beng prme s very hgh, nevertheless, ts prmalty cannot be guaranteed. These methods make t feasble for large numbers to be tested for prmalty, although t s not possble to provde a certan answer. Tests that belong to ths category are the APRCL test 2, the Solovay-Strassen test 3, the Lehmann test, the Lucas pseudoprmalty test and the Rabn-Mller test 4. Correspondng author. E-mal: {papana1, s.yan@aston.ac.uk 1 Although a determnstc test, ts runnng tme s probablstc. For more nformaton, readers are referred to [6]. 2 There also exsts a determnstc, but less practcal verson. 3 Also known as Euler s pseudoprmalty test. 4 Also known as Strong pseudoprmalty test

2 2 PRIME NUMBER GENERATION 2.1 Prme-Generatng Sequences Probably the most famous one has been proposed by Euler: a n = n 2 + n Ths polynomal wll produce an unnterrupted sequence of 80 prmes for n = 40, 39,..., 39 [3]. However, the sequence s symmetrc and snce each prme occurs twce, 40 prmes are actually produced. Another sequence s c = (c 0 ) c 1 1 [3]. Startng wth c 0 = 2, t does produce a sequence of prmes, but t s not known whether t produces just prmes, because the numbers grow extremely rapdly: c 0 = 2 c 1 = 3 c 2 = 7 c 3 = 127 c 4 = 170, 141, 183, 460, 469, 231, 731, 687, 303, 715, 884, 105, 727 c 5 > 10 51,217,599,719,369,681,879,879,723,386,331,576,246. The number c 4 = s actually the 12 th Mersenne prme, that was proved to be prme by Lucas n It s very unlkely that the prmalty of the number c 6, or the ones that follow t, could ever be determned [3]. 2.2 Modern Prme Number Generaton Methods It seems that most people are n favour of the followng way of generatng prme numbers: 1. Generate a random, odd number. 2. Test for prmalty wth a method that s guaranteed to have a hgh ht rate. Farly quck methods for testng the prmalty of a gven number n are the Solovay-Strassen method [5], the Lehmann test [4] and the Rabn-Mller test [5], although the latter seems to be the most wdely used one. However, ths method s stll not guaranteed to produce a true prme number, although the probablty of producng a pseudoprme s very small. Perhaps a better approach would be the followng [6]: 1. Generate an odd nteger n. 2. Prmalty testng Probablstc method. Use a combnaton of the Rabn-Mller test and the Lucas pseudoprmalty test. 3. Prmalty provng Ellptc curve method [2]. Suppose that the method followed for generatng a prme number has actually produced a pseudoprme n. Although the probablty of such a case to occur s very low, t s stll worth lookng at the consequences that t could possbly have. For most publc-key cryptosystems ths means jeopardsng securty. The rsk of an encrypted message to be successfully cryptanalysed s nversely proportonal to the ease of factorng n. Some numbers are easer to factor than others. For example, by usng the Number Feld Seve (NFS), Fermat numbers are easer to factor than hard numbers 5 [5]. 5 A hard number s one that does not have any small factors and s not of a specal form that allows t to be factored more easly

3 3 POCKLINGTON S THEOREM 3.1 Introducton When the generaton of a true prme s an absolute requrement, a way of achevng ths s by usng Pocklngton s theorem [6]. Ths states that: Let p be an odd prme, k a natural number such that p does not dvde k and 1 < k < 2(p + 1), and let n = 2kp + 1. Then, the followng condtons are equvalent: 1. n s prme. 2. There exsts a natural number a, 2 a < n such that a kp 1 (mod n) (1) gcd(a k + 1, n) = 1 (2) An algorthm derved from the above theorem s the followng [6]: 1. Choose, for example, a prme p 1 wth d 1 = 5 dgts. Fnd k 1 < 2(p 1 + 1) such that p 2 = 2k 1 p has d 2 = 10 dgts, or d 2 = d 1 1 = 9 dgts and there exsts a 1 < p 2 satsfyng the condtons a k 1p (mod p 2 ) and gcd(a k , p 2) = 1. By Pocklngton s theorem, p 2 s prme. 2. Repeat the same procedure startng from p 2 to obtan the prmes p 3, p 4,..., p n. In order to produce a prme wth 100 dgts, the process must be terated fve tmes, as shown n table 1. Iteraton Number Of Dgts 1 d 2 = 2 d 1 = 10 dgts 2 d 3 = 2 d 2 = 20 dgts 3 d 4 = 2 d 3 = 40 dgts 4 d 5 = 2 d 4 = 80 dgts 5 d 6 = 100 dgts Table 1: Iteratons. In the last teraton, k 5 should be chosen so that p 6 = 2k 5 p has 100 dgts. 3.2 Implementaton In what follows, the exstence of a multple-precson nteger lbrary s assumed, whch wll enable the handlng of large ntegers. Fast exponentaton and fast modular exponentaton technques wll be used, snce the powers are expected to be qute large (nterested readers are referred to [6])

4 3.2.1 Problems Faced When the algorthm was ntally used, a few dgts would suffce for generatng a secure key. Nowadays, more computatonal power s avalable at relatvely low cost and more effcent factorng algorthms have been dscovered, thus creatng a demand for larger numbers that wll be harder to factor under the current crcumstances. The only dffcult part n the mplementaton stage s the evaluaton of gcd(a k + 1, p +1 ), and more specfcally, the calculaton of a k. Even f a s a 1-dgt prme, the sze of k s expected to be of approxmately the same number of dgts as p 1, snce p = 2k p 1. To gve an approxmaton of the order of magntude, the 37 th Mersenne prme s M 37 = and has dgts [6]. Supposng that k was a 20-dgt number, the calculaton of a k would ether be mpossble, or would take far too long, even by usng a fast exponentaton technque. However, the above calculaton would be feasble by usng a fast modular exponentaton technque, provded that the condton can be re-wrtten n an approprate form. For example, provng that f then also gcd((a k mod p +1 ) + 1, p +1 ) = 1 (3) gcd(a k + 1, p +1 ) = 1, (4) would solve the problem, snce a k mod p +1 can be calculated very effcently. Another ssue worth mentonng s the procedure followed for choosng a and k. For effcency reasons, t s not worth calculatng any power of a for large values of a. For that reason, n the calculaton of a k p and a k, a wll take the values 3, 5 and 7, cyclcally. Hence, once a k has been generated, the theorem s condtons wll be tested for each one of the values of a. If they are not satsfed, a new k wll be generated and the process repeated. Choosng k by algebrac methods s mpossble because of the amount of numbers that are to be tested. The use of random numbers s preferred, as t wll speed the executon up Auxlary Functons The algorthm presented n secton s an mplementaton of Pocklngton s theorem for generatng a 100-dgt prme. It s wrtten n pseudo-c++ notaton. Moreover, for smplcty reasons, the exstence of the followng functons s assumed: SetNewNumOfDgts(d_old, d_new): Checks the number of dgts of p (d_old) and sets the correct number of dgts for p +1 (d_new). DgtsOf(num, dg): Checks f num has dg number of dgts. FastModExp(base, exp, m): Performs base exp mod m, usng a fast modular exponentaton technque. Gcd(num1, num2): Fnds the greatest common dvsor of num1 and num2, usng Eucldes algorthm [6]. NextBase(base): Examnes the current value of base and returns the next one, cyclcally. GenerateRandomK(old, new): Gven an old-dgt long p, t randomly generates a k, such that p +1 = 2kp + 1 wll approxmately have new dgts

5 3.2.3 Algorthm //5 teratons are needed for a 100-dgt prme for(j=0; j<5, ++j){ p1 = p2; k = 1; //Intalse prmefound = false; whle(!prmefound){ twop1 = 2 * (p1 + 1); SetNewNumOfDgts(d, d1); whle(!prmefound){ p2 = (2 * k * p1) + 1; kp1 = k * p1; f(dgtsof(p2, d1)){ a = 3; for(=0; <2; ++){ // Snce there are only 3 bases a_kp1 = FastModExp(a, kp1, p2); p2mn1 = p2-1; //Check f a_kp1 == -1 mod p2 f(a_kp1 == p2-1){ prmefound = true; cout<<"prme found: "<<endl<<p2<<endl<<endl; break; a = NextBase(a); k = GenerateRandomK(d, d1); 3.3 Performance Ths algorthm trades certanty for speed. Usng the methods mentoned n secton 3.2.1, one should be able to generate 100-dgt prme numbers wthn a few seconds, or even less than that. The algorthm was mplemented n C++, usng the BgNum lbrary for multple precson nteger representaton [1]. When run on a Sun Sparc Ultra 10, the generaton of a 100-dgt prme ranged from 1 to 31 mnutes, wth an average of mnutes n 100 runs. Ths result was obtaned by checkng only the frst condton, snce the second one could not be mplemented. Moreover, the program was expermentally modfed so as to generate a 160-dgt prme and t took about 1 day of contnuous executon, before t managed to come up wth one. Up to date, there s no formal proof that the frst condton mples the second, or vce versa. However, gven the fact that f p s not prme then p +1 wll not be prme ether, together wth the results obtaned, deduces that condton (1) (page 3) s a strong condton for prmalty testng. Therefore, snce condton (2) (page 3) exhbts some mplementaton dffculty, t may be possble to replace t wth a prmalty-provng method (the Ellptc Curve Method [2], for nstance). The reason for dong so, s because once a number n has passed condton (1), t s almost defnte that t s a prme, snce each number s generated so as to be of a certan form that has a hgh probablty of beng a prme. Furthermore, ths s renforced by the expermental results. However, the algorthm s performance n the second case rases an nterestng pont: Does the mplementaton of Pocklngton s theorem have an expraton date? If, for nstance, two 160-dgt prmes - 5 -

6 are needed for generatng a secure key n the near future, usng ths method s totally mpractcal, snce t s a very tme-consumng process. 3.4 Examples The followng two examples exhbt the generaton of a prme, by showng the ntermedate results as well Frst Example Startng from p 1 = 97711, the followng have been produced: a 1 = 5 k 1 = p 2 = a 2 = 5 k 2 = p 3 = a 3 = 3 k 3 = p 4 = a 4 = 5 k 4 = p 5 = a 5 = 3 k 5 = p 6 = Second Example Startng from p 1 = 97711, the followng have been produced: a 1 = 5 k 1 = p 2 = a 2 = 3 k 2 = p 3 = a 3 = 3 k 3 = p 4 = a 4 = 5 k 4 = p 5 = a 5 = 5 k 5 =

7 p 6 = CONCLUSION Most publc-key cryptosystems base ther securty on the propertes of prme numbers. Knowng two large prmes p and q (of 100 dgts each, for example), means that ther product, n, can easly be calculated. Nevertheless, the reverse s very dffcult to do, gven the current factorsaton technques and exstng computatonal power. Nowadays, the most popular method for generatng prme numbers s by generatng a random, odd number, n and then testng ts prmalty. Qute a few algorthms for testng the prmalty of a number are avalable, most of whch are very fast, snce they do not requre any knd of factorsaton. However, they trade certanty for speed (hgher certanty usually ncreases mplementaton complexty), whch means that there stll exsts the probablty although a very low one of a pseudoprme to be produced. Producng a pseudoprme nstead of a true prme reduces the degree of securty on most cryptosystems. One of the avalable ways of producng a prme wth 100 percent certanty s to mplement Pocklngton s theorem. On the one hand, the mplementaton s farly smple. On the other, t has the drawback of qute a long executon tme. Ths lmts the scope of applcaton to securty-crtcal cases where tme s of not much mportance

8 References [1] A. Dommsfos. BgNum C Avalable on the Internet at: [2] S. Goldwasser and J. Klan. Prmalty testng usng ellptc curves. Journal of ACM, 46(4): , [3] M. Herkommer. Number Theory: A Programmer s Gude. McGraw Hll, [4] D. J. Lehmann. On prmalty tests. SIAM Journal on Computng, 11(2): , May [5] B. Schneer. Appled Cryptography: Protocols, Algorthms, and Source Code n C. John Wley & Sons, second edton, [6] S. Y. Yan. Number Theory for Computng. Sprnger-Verlag, March