Optimal strong primes

Information Processing Letters 93 (2005) 47–52 www.elsevier.com/locate/ipl

Optimal strong primes R. Durán Díaz ∗ , J. Muñoz Masqué Instituto de Física Aplicada, CSIC, C/ Serrano 144, 28006-Madrid, Spain Received 28 December 2001; received in revised form 26 December 2003

Communicated by Y. Desmedt

Abstract We clarify the notion of a strong prime by supplying a precise definition and a characterization for an optimal strong prime. We present a conjecture regarding the distribution and density of optimal strong primes, allowing one to predict in advance the time needed to compute one optimal strong prime of a given bit length. Based on these results, we develop an algorithm to compute optimal strong primes. Some experimental results are also included.  2004 Elsevier B.V. All rights reserved. Keywords: Strong prime; Computational complexity; Public key cryptosystem; Cryptography

1. Introduction and preliminaries The goal of this paper is to provide a precise notion of optimality for the strong primes typically deployed in public key cryptosystems and to obtain a characterization for such primes. From the seminal paper [29], the use of strong primes for the factors of the RSA modulus n = p · q was encouraged in order to thwart Pollard’s and Williams’s algorithms [26,36] and their improvements [23,27], as well as the cycling attacks to RSA. We should mention however that strong primes do not necessarily thwart Φk (p) factoring algorithm for k > 2 * Corresponding author.

E-mail addresses: [email protected] (R. Durán Díaz), [email protected] (J. Muñoz Masqué). 0020-0190/$ – see front matter  2004 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2004.09.015

(see [1]), and the elliptic curve method for a “lucky” choice of parameters. See [15] for a detailed survey on the topic but also see the recent papers [7,10,11], where strong criticisms have been raised against the efficiency of these attacks. Throughout this paper, we will use the notion of a strong prime employed in the classical Gordon’s algorithm [12–14,21], also called ‘Gordon secure primes’ [22]. More precisely, a prime number p is said to be strong if: (1) p − 1 has a large prime factor r, say p − 1 = ra; (2) p + 1 has a large prime factor s, say p + 1 = sb; and (3) r − 1 has a large prime factor t, say r − 1 = tc. Other more restrictive notions of a strong prime have been proposed, in order to avoid more sophisti-

48

R. Durán Díaz, J. Muñoz Masqué / Information Processing Letters 93 (2005) 47–52

cated versions of Pollard’s and Williams’s algorithms: In [17] the notion of a “4-way” strong prime is introduced. Furthermore in [15, Section 4], [24] even a more restrictive notion of a “6-way” strong prime is analyzed. There has been considerable discussion about the necessity or convenience of using strong primes for RSA. Some authors—remarkably [30]—argue that ‘strength’ is not necessary; their arguments fall into two classes: (i) using prime numbers satisfying the conditions (1)–(3) adds very little to the system security because, for the RSA key sizes proposed now, the probability of success of Pollard’s and Williams’s factorization algorithms is lower than that of Lenstra’s algorithm of the elliptic curve [20], let alone the newer Number Field Sieve algorithm (e.g., see [5]), which is claimed to succeed almost surely in less time than the other methods; (ii) the cyclic attacks are slow and extremely unlikely to be effective, as a set of recent papers, based on group-theoretic arguments, report (cf. [7,10,11]). As for the point (i) above, it is noticeable that, in [30], no estimate of the probability that conditions (1)–(3) be fulfilled in a purely random selection, is provided. Besides, one must be sure that p and q do not belong to the classes of prime numbers for which p ± 1 algorithms are very efficient. Finally, the elliptic curve algorithm does not work efficiently for the current lengths of the prime factors of the modulus. As for the point (ii), it should be noted that if p or q are carelessly chosen so that the largest prime factor of r − 1 happens to be small, then the cyclic attack becomes efficient. According to [10], the likelihood of success for a cycling attack is asymptotically nil. The authors of [10] also show that if we set the modulus n = p · q, and we choose e as the public exponent, m as a message, and c = me mod n then for almost all choices of p, q, e, and m, the smallest cycling value k−1 mod n) is k (i.e., the value of k such that m = ce as nearly large as n itself. However, it could be more interesting to provide a precise characterization of the parameters that will prove a system to be invulnerable against cycling attacks. Other authors (e.g., see [21]), though sharing the idea that using strong primes is debatable, still recommend them since they offer an enhanced security at almost no extra cost. Actually, Gordon estimates in [13] that finding a strong prime is only 19% harder in

time than finding a mere random prime. There is also a number of other proposals to generate strong primes endowed with certain properties; see for instance, [18, 24,33,34], where a discussion on their efficiency and running time may also be found. Irrespective of the final outcome of this discussion, the subject gives rise to some interesting mathematical results, as we will show later on.

2. Strong primes optimality Proposition 1. Let p be a prime. Assume there exist odd prime numbers r, s, and t (not necessarily the largest ones) such that: (1) r|p − 1, (2) s|p + 1, and (3) t|r − 1. Then p−1 p+1 r −1 + +
12. r s t Proof. Observe that for any prime p larger than 3, p2 − 1 is always divisible by 24. Besides, remark that the integers a = (p − 1)/r, b = (p + 1)/s both are even, as r and s are odd primes. Since t is also an odd prime, we must have r
7; hence p = 1 + ar > 15. Assume that s is larger than 3. Thus, as ab is divisible by 24, it follows that a + b is at least 4 + 6 or 6 + 4, i.e., at least 10. Since c = (r − 1)/t is at least 2, we can conclude in this case. If s = 3, then b = (p + 1)/3 > 16 3 ; hence b
6. As ab is divisible by 8 in the present case, we deduce that a
4 when b = 6, and the proof is complete. 2 The remaining cases are covered by the following Proposition 2. If p does not satisfy the hypothesis of Proposition 1, then either p is a Fermat or Mersenne prime, or all of the odd prime factors of p − 1 are Fermat primes. According to [8, §1.3.1], the heuristic asymptotic expression for the number of Mersenne prime exponents up to x is c ln x, c = exp γ / ln 2, where γ is Euler’s constant. In turn, [8, §1.3.2] states that a rough probability for Fn to be prime, is n/2n . Proof of Proposition 2. If p is such that r is even, then it must be p − 1 = 2α ; hence p is a Fermat prime, since any integer n such that n = 1 + 2α is prime only

R. Durán Díaz, J. Muñoz Masqué / Information Processing Letters 93 (2005) 47–52

if it is a Fermat prime. If p is such that s is even, then p + 1 = 2β , hence p is a Mersenne prime, since, again, any integer n such that n = −1 + 2β is prime only if it is a Mersenne prime. Finally, if p is such that t is even but r is odd, this means that all of the odd prime factors of p − 1 are Fermat primes, i.e., α p − 1 = 2α π1α1 π2α2 . . . πk k where each πi is a Fermat prime. 2 For a given prime p satisfying (1)–(3), the sum a + b + c takes the lowest value when r, s, t are chosen to be the largest prime factors of p − 1, p + 1, r − 1, respectively. Accordingly, let S(n) be the largest prime factor of an integer n, and S(1) = 1. This function is usually called the ‘smoothness’ of n (e.g., see [31]). We define a function σ : P \ {2} → N as p+1 S(p − 1) − 1 p−1 + + , σ (p) = S(p − 1) S(p + 1) S(S(p − 1) − 1) where P denotes the subset of prime numbers. An odd prime number p
23 is said to be an optimal strong prime if σ (p) takes its minimal value. Theorem 3. For every prime number p
23, σ (p)
12. Hence a strong prime is optimal if and only if σ (p) = 12. Proof. If p satisfies the assumptions in Proposition 1, then the statement follows. If p does not satisfy these assumptions, then from Proposition 2 we are led to distinguish the following cases: a If p = 1 + 22 , then S(p − 1) = 2; hence σ (p)
a 1 22 −1 + 2 = 2 (p − 1) + 2
12. If p = 2b − 1, then S(p + 1) = 2; hence σ (p)
b−1 2 + 2 = 12 (p + 1) + 2
12. If p − 1 is such that all of its odd prime factors are c Fermat primes, then necessarily S(p − 1) = 1 + 22 ; therefore, S(S(p − 1) − 1) = 2, and S(p − 1) − 1 c = 22 −1 . S(S(p − 1) − 1) As the smallest Fermat prime is 3, it is also clear that (p + 1)/S(p + 1)
2, and hence p−1 2c −1
12. c +2+2 1 + 22 It can be readily seen that this statement holds for any c
0 provided that p
41. We conclude using the following list, where the pair of values (p, σ (p)) σ (p)


49

have been computed for the primes 23  p < 41: (23, 12), (29, 12), (31, 24), (37, 15). 2 Remark 4. For the odd prime numbers less than 23, we have σ (3) = 4, σ (5) = 5, σ (7) = 7, σ (11) = 8, σ (13) = 7, σ (17) = 15, and σ (19) = 11. We exclude these cases from the definition of an optimal strong prime since they display an erratic behavior. Definition 5. An odd prime p is said to be 1-safe if and only if (p − 1)/2 is also a prime. Theorem 6. A prime p > 29 is an optimal strong prime if and only if the following conditions hold: (I) p−1 6 is 1-safe, (II) S(p − 1) = p−1 6 , (III) S(p + 1) = p+1 4 . Proof. Since p > 29, we can assert that it is always possible to choose r and s in such a way that r > 3 and s > 3. To show this, let us assume otherwise, so that either p − 1 = 3α or p − 1 = 2β , with α
3, β
5. In either case, we will have the following bound for σ (p): σ (p)


p−1 + 4 = 3α−1 + 4
32 + 4 = 13, S(p − 1)

or σ (p)


p−1 + 4 = 2β−1 + 4
24 + 4 = 20. S(p − 1)

But then, it becomes apparent that a prime p admitting such factorization cannot be an optimal strong prime. The same conclusion can be reached if we consider the factor s, assuming now that either p + 1 = 3α or p + 1 = 2β with α
3 and β
5. Therefore, it is safe to assume that both r > 3 and s > 3. We know from the proof of Proposition 1 that either a = 4, b = 6, c = 2, or a = 6, b = 4, c = 2. Now, the first case cannot occur. Actually, let us assume p = 1 + 4r, p = −1 + 6s, r = 1 + 2t. Hence, by substitution, p = 1 + 4r = 1 + 4(1 + 2t) = 5 + 8t = −1 + 6s, and so 8t = 6(s − 1). If t = 3, then s = 5 and p = −1 + 6s = 29, which is impossible by hypothesis; therefore t > 3 and this leads us to a contradiction, since 8t is not divisible by 3. 2

50

R. Durán Díaz, J. Muñoz Masqué / Information Processing Letters 93 (2005) 47–52

Corollary 7. A prime p > 29 is an optimal strong prime if and only if p = 12t + 7, with t, 2t + 1, and 3t + 2 also prime. Remark 8. From the previous corollary, it is clear that the task of generating an optimal strong prime can be performed by finding a number t such that t, 2t + 1, 3t + 2, 12t + 7 are all simultaneously prime. Remark 9. One important issue when generating special primes is to control their bit lengths. But, when using the algorithm in Remark 8 it is obvious that, in this case, the bit length of p is automatically controlled as long as the bit length of t is also controlled. Remark 10. Using the terminology coined by Ogiwara in [24], we could term p as a “level-1” prime; and, in the same way, r as a “level-2” prime and t as a “level-3” prime.

3. Optimal strong prime density Let us begin this section with some known results related to our problem. Recall, to begin with, that p is a Sophie Germain prime if 2p + 1 is also a prime. On the other hand, p is 1-safe if p = 2q + 1, q being a prime, that is, if q is a Sophie Germain prime. In [6], Cai has conjectured that the Sophie Germain prime counting function, i.e., the number of Sophie Germain primes less than or equal to x, is
 x x log log x + O , (1) πSG (x) = 2C2 (log x)2 (log x)3 where 
C2 = 1− p>2

1 (p − 1)2



is the twin-prime constant; for example, see [16, (4.12)] or [28, p. 147], where its value, as reported by Wrench [37], is 0.66016 . . .. Although Eq. (1) is just a conjecture, it is in good agreement with the well-known result stating that πSG (x)  Cx/(log x)2 , where C is a constant; again see [28, 5.II]. The same upper bound follows directly from [4, Lemma 3]. In [2] (also see [32]), the authors give a heuristic formula for the number Q(f1 , . . . , fk ; N) of integers n  N such that f1 (n), . . . , fk (n) are all primes,

where fi (x) ∈ Z[x] are polynomials whose leading coefficients are positive. These results are an extension of those obtained in [16], and also of those in [9], which discusses the existence of primes in the case in which all the fi (x) are linear. According to Remark 8, generating an optimal strong prime p = 12t + 7 is equivalent to finding a number t such that t, 2t + 1, 3t + 2, 12t + 7 are all prime numbers. We can thus apply the results in [2] by setting f1 (x) = x, f2 (x) = 2x + 1, f3 (x) = 3x + 2, f4 (x) = 12x + 7. Hence, from the formula (1) in [2], in our particular case, we obtain N Q(f1 , . . . , f4 ; N) ∼ C

du , (log u)4

(2)

2

where
 1 7 3 C= 3 2 =

343 24



 1 −4 4 1− 1− p p



p=2,3,7 prime

 p=2,3,7 prime

p3 (p − 4) . (p − 1)4

(3)

Now, the expression for the counting function of optimal strong primes πσ (x), i.e., the number of optimal strong primes equal to or less than x, can be obtained by applying Eqs. (2) and (3) and remembering that p = 12t + 7, C πσ (x) ∼ 12

x 31

du 4 (log u−7 12 )

.

(4)

A numerical computation shows that C  5.5349. It is worth noting, as shown by the formula (3) in [3], that for small values of x, the following expression for πσ (x) is more accurate: C 12

x 31

du log u · log

u−1 6

u−7 · log u+1 4 · log 12

,

(5)

though (4) and (5) are asymptotically equivalent.

4. An algorithm and its running time To find an optimal strong prime, one proceeds as follows: A random integer t of a given bit length is

R. Durán Díaz, J. Muñoz Masqué / Information Processing Letters 93 (2005) 47–52

51

Fig. 1. Number of trials vs. number of bits (Lehmer test).

Fig. 3. Ratio xi /(log(2i ))4 (Lehmer test).

Fig. 2. Number of trials vs. number of bits (Tausworthe test).

Fig. 4. Ratio xi /(log(2i ))4 (Tausworthe test).

chosen; such choice is termed ‘a trial’. If t satisfies the conditions in Remark 8, then p = 7 + 12t is an optimal strong prime such that bit length(p)  4 + bit length(t). In this case, the algorithm has finished successfully; otherwise, another integer t is selected and the procedure is repeated. From formula (4), the expected number of trials necessary to obtain an optimal strong prime of a given bit length L is O(L4 ), or, more accurately, (L4 ). In order to check our results, we have set up numerical experiments using the algorithm just described. We have computed optimal strong primes for different ranges of bit lengths. To generate the random number n for the required bit length, we have resorted to two well-known pseudo-random bit generators, namely, those of Lehmer and Tausworthe (for the latter, see [35]) that we have implemented following [25] and [19], respectively; for the primality test, we have used

the probabilistic Miller–Rabin test with a security parameter equal to 10: this ensures that the probability of the test declaring ‘prime’ a composite number n is less than 2−20 (see, for example, [21, 4.2.3]). We have computed 20 optimal strong probable primes for bit lengths of t between 21 and 120 bits. In Figs. 1 and 2, we show the mean values xi , 21  i  120 of the number of trials versus the intended bit length for the Lehmer and Tausworthe generators, respectively. Hence, any point in these graphs represents an experimental approximation of the number of trials needed to obtain an optimal strong probable prime of a given bit length. For both graphs, we also depict an approximating degree-four monomial ax 4 , computed using the M APLE package CurveFitting[LeastSquares]. M APLE estimates that a  0.042 for both cases. According to formula (2), the expected number of trials to find an optimal strong probable prime

52

R. Durán Díaz, J. Muñoz Masqué / Information Processing Letters 93 (2005) 47–52

p = 12t + 7 should be (log t)4 /C. To test this theoretical estimate, we depict the ratio xi / log(2i )4 in Figs. 3 and 4. The observed value is approximately 0.18, which is very close to the expected constant 1 C  0.1807, also shown as a solid line in the graphs. Acknowledgements We wish to thank the referees for their valuable suggestions, specially in clarifying the deduction of the formula for the optimal strong prime density function. Supported by Ministerio de Ciencia y Tecnología (Spain) under grant TIC2001–0586. References [1] E. Bach, J. Shallit, Factoring with cyclotomic polynomials, Math. Comp. 52 (1989) 201–219. [2] P.T. Bateman, R.A. Horn, A heuristic asymptotic formula concerning the distribution of prime numbers, Math. Comp. 16 (1962) 363–367. [3] P.T. Bateman, R.A. Horn, Primes represented by irreducible polynomials in one variable, in: Proceedings of Symposia in Pure Mathematics VIII, AMS, Providence, RI, 1965, pp. 119– 132. [4] P.T. Bateman, R.M. Stemmler, Waring’s problem for algebraic number fields and primes of the form (p r − 1)/(p d − 1), Illinois J. Math. 6 (1962) 142–156. [5] J.P. Buhler, H.W. Lenstra, C. Pomerance, Factoring integers with the number field sieve, in: A.K. Lenstra, H.W. Lenstra Jr. (Eds.), The Development of the Number Field Sieve, in: Lecture Notes in Mathematics, vol. 1554, Springer-Verlag, New York, 1993, pp. 50–94. [6] Y. Cai, On the distribution of safe-primes, J. Shandong University, Nat. Sci. Ed. 29 (1994) 388–392. [7] B.A. Cipra, Safe against cycling: researchers confirm invulnerability of RSA cryptosystem, SIAM News 34 (2001). [8] R. Crandall, C. Pomerance, Prime Numbers. A Computational Perspective, Springer-Verlag, New York, 2001. [9] L.E. Dickson, A new extension of Dirichlet’s theorem on prime numbers, Messenger Math. 33 (1904) 155–161. [10] J.B. Friedlander, C. Pomerance, I.E. Shparlinski, Period of the power generator and small values of Carmichael’s function, Math. Comp. 70 (2001) 1591–1605; Corrigendum, Math. Comp. 71 (2002) 1803–1806. [11] J.B. Friedlander, I.E. Shparlinski, On the distribution of the power generator, Math. Comp. 70 (2001) 1575–1589. [12] M.J. Ganley, Note on the generation of p0 for RSA keysets, Electron. Lett. 26 (1990) 369. [13] J. Gordon, Strong RSA keys, Electron. Lett. 20 (1984) 514– 516. [14] J. Gordon, Strong primes are easy to find, in: Advances in Cryptology: EUROCRYPT’84, in: Lecture Notes in Comput. Sci., vol. 209, Springer-Verlag, Berlin, 1984, pp. 216–223.

[15] M. Gysin, J. Seberry, Generalised cycling attacks on RSA and strong RSA primes, in: J. Pieprzyk, et al. (Eds.), Information Security and Privacy, 4th Australian Conference, ACISP’99, Wollongong, Australia, in: Lecture Notes in Comput. Sci., vol. 1587, Springer-Verlag, Berlin, 1999, pp. 149–163. [16] G.H. Hardy, E. Littlewood, Some problems of ‘Partitio numerorum’; III: On the expression of a number as a sum of primes, Acta Math. 44 (1922) 1–70. [17] M.E. Hellman, C.E. Bach, Method and apparatus for use in public-key data encryption system, U.S. Patent #4,633,036, 30 Dec. 1986. [18] C.S. Laih, W.C. Yang, C.H. Chen, Efficient method for generating strong primes with constraint of bit length, Electron. Lett. 27 (1991) 1807–1808. [19] P. L’Ecuyer, Maximally equidistributed combined Tausworthe generators, Math. Comp. 65 (1996) 203–213. [20] H.W. Lenstra, Factoring integers with elliptic curves, Ann. of Math. 126 (1987) 649–673. [21] A.J. Menezes, P.C. Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1997. [22] P. Mihailescu, Fast generation of provable primes using search in arithmetic progressions, in: Advances in Cryptology: CRYPTO’94, in: Lecture Notes in Comput. Sci., vol. 839, Springer-Verlag, Berlin, 1994, pp. 282–293. [23] P.L. Montgomery, R.D. Silverman, An FFT extension to the p − 1 algorithm, Math. Comp. 54 (1990) 839–854. [24] M. Ogiwara, A method for generating cryptographically strong primes, Trans. IEICE E 73 (1990) 985–994. [25] W.H. Payne, J.R. Rabung, T.P. Bogyo, Coding the Lehmer pseudo-random number generator, Comm. ACM 12 (1969) 85–86. [26] J.M. Pollard, Theorems on factorization and primality testing, Math. Proc. Cambridge Philos. Soc. 76 (1974) 521–528. [27] C. Pomerance, J. Sorenson, Counting the integers factorable via cyclotomic methods, J. Algorithms 19 (1995) 250–265. [28] P. Ribenboim, The Little Book of Big Primes, Springer-Verlag, New York, 1991. [29] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978) 120–126. [30] R.L. Rivest, R.D. Silvermann, Are “strong” primes needed for RSA?, Cryptology ePrint Archive, Report 2001/007, http: //eprint.iacr.org/, pp. 1–23. [31] L. Ronyai, Factoring polynomials modulo special primes, Combinatorica 9 (1989) 199–206. [32] A. Schinzel, A remark on a paper of Bateman and Horn, Math. Comp. 17 (1963) 445–447. [33] J. Shawe-Taylor, Generating strong primes, Electron. Lett. 22 (1986) 875–877. [34] J. Shawe-Taylor, Proportion of primes generated by strong prime methods, Electron. Lett. 28 (1992) 135–137. [35] R.C. Tausworthe, Random numbers generated by linear recurrence modulo two, Math. Comp. 19 (1965) 201–209. [36] H.C. Williams, A p + 1 method of factoring, Math. Comp. 39 (1982) 225–239. [37] J.W. Wrench, Evaluation of Artin’s constant and the twinprime constant, Math. Comp. 15 (1961) 396–398.