It seems that it is pretty difficult to find large (above 1024 bits) strong primes, or at least primes $p$ where $(p-1)$ has a very large prime factor. Is there any information regarding the distribution of strong primes vs. other primes? Does the GNU library generate strong primes for RSA?
2 Answers
Quoth Messrs. Rivest, Shamir, and Adleman in 1978:
To find a prime number $p$ such that $(p - 1)$ has a large prime factor, generate a large random prime number $u$, then let $p$ be the first prime in the sequence $i \cdot u + 1$, for $i = 2, 4, 6, \dots$. (This shouldn't take too long). Additional security is provided by ensuring that $(u - 1)$ also has a large prime factor.
A high-speed computer can determine in several seconds whether a 100-digit number is prime, and can find the first prime after a given point in a minute or two.
Quoth Messrs. Rivest and Silverman two decades later in 1999:
We argue that, contrary to common belief, it is unnecessary to use strong primes in the RSA cryptosystem. That is, by using strong primes one gains a negligible increase in security over what is obtained merely by using ‘random’ primes of the same size.
The latter reference also contains a handful of citations on methods for generating strong primes and their expected performance—admittedly, for numbers of somewhat smaller magnitudes, but the paper should explain why everyone may have been sapped of the motivation for more recent studies on the subject. Specifically, citing John Gordon in 1984 (whose primitive typography renders the original paper nigh illegible), they summarize:
The naive algorithm for finding a $k$-bit prime by testing random $k$-bit numbers for primality thus requires time $\Theta(k\,T(k))$. Gordon's algorithm requires finding one $k$-bit prime after finding three $k/2$-bit primes, taking a total time of $$k\,T(k) + 3(k/2)\,T(k/2) = 1.1875 (k\,T(k)).$$ This justifies Gordon's claim that finding strong primes requires only 19% more work than the naive algorithm for finding strong primes.
Gordon's analysis assumes there is nothing remarkable about the distribution of strong primes among all primes. While that's not a priori clear, any interesting properties of that distribution would likely be a remarkable result worthy of publication in a mathematics journal, at least, even if cryptographers don't care any more.
How to weigh the lack of interest of practical cryptographers against the excitement of pure mathematicians about completely useless but difficult trivia in number theory in the fine tradition of G.H. Hardy is a question I leave to the sociologists.
It is not very difficult to find large strong primes.
The original RSA article recommended, for some vague definition of large, that
- $p$ is a large prime,
- $p-1$ has a large prime factor $p^-$ (as a protection against Pollard's $p-1$ factoring),
- and $p^- - 1$ has a large prime factor $p^{--}$ (as a protection against the cycling attack).
Later it was added that $p+1$ has a large prime factor $p^+$ (as a protection against Williams's $p+1$ factoring), and a few other obscure criteria (see Ronald L. Rivest and Robert D. Silverman's Are Strong Primes Needed for RSA?).
Modern practice (in particular, FIPS 186-4) has only kept the requirements of large $p^-$ and $p^+$, or dropped them altogether because they do not guard against the generally faster algorithms that later emerged (ECM, GNFS, ...). It seems these large $p^-$ and $p^+$ requirements remain sensible for primes less than some bound like 512-bit, and/or multiprime RSA, but only when an adversary would be content with factoring one of extremely many public moduli (the requirements do not sizably protect one particular RSA key, only a large set of keys).
Finding such strong RSA primes requires marginally more computational effort than finding "normal" random primes, but the code is more complex. A basic method is to first choose $p^-$ and $p^+$ randomly, of the desired order of magnitude; then search odd $p$ with $p\equiv1\pmod{p^-}$ and $p\equiv-1\pmod{p^+}$. A first candidate is found using the Chinese Remainder Theorem, and others are spaced by $2\,p^-\,p^+$. A sieve can efficiently eliminate those divisible by small primes.
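Both constructions quoted on this page, as an added example that is not code from either answer or from the RSA paper: the 1978 recipe (first prime of the form $i \cdot u + 1$, $i = 2, 4, 6, \dots$) and the search from the second answer (pick $p^-$ and $p^+$, build the first candidate with the Chinese Remainder Theorem, step by $2\,p^-\,p^+$, sieve by small primes, then test). The Miller-Rabin test, the bit sizes and the function names are my own choices; `pow(x, -1, m)` needs Python 3.8+.

```python
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59]

def is_probable_prime(n, rounds=40):
    """Miller-Rabin; a composite n survives with probability below 4**-rounds."""
    if n < 2: return False
    for q in [2] + SMALL_PRIMES:          # cheap trial division first
        if n % q == 0:
            return n == q
    s = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = 2**s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                  # found a witness: n is composite
    return True

def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit and low bit forced on)."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def rsa1978_prime(u):
    """RSA 1978 recipe: first prime in the sequence i*u + 1, i = 2, 4, 6, ..."""
    i = 2
    while not is_probable_prime(i * u + 1):
        i += 2
    return i * u + 1

def strong_prime(bits, pm, pp):
    """First prime p >= 2**(bits-1) with p = 1 (mod pm), p = -1 (mod pp); pm, pp distinct odd primes."""
    # CRT: with p = 1 + pm*t, the condition p = -1 (mod pp) means t = -2 * pm^-1 (mod pp).
    p = 1 + pm * ((-2 * pow(pm, -1, pp)) % pp)
    if p % 2 == 0:                        # CRT solutions alternate parity; take the odd one
        p += pm * pp
    step = 2 * pm * pp                    # keeps p odd and preserves both congruences
    if p < 1 << (bits - 1):               # lift the first candidate into the target range
        p += ((1 << (bits - 1)) - p + step - 1) // step * step
    while not (all(p % q for q in SMALL_PRIMES) and is_probable_prime(p)):
        p += step                         # sieve by small primes, then Miller-Rabin
    return p
```

With $p^-$ and $p^+$ of 120 bits each, `strong_prime(256, pm, pp)` has about $2^{14}$ candidates below $2^{256}$, so it returns a 256-bit prime in well under a second on ordinary hardware.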