[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Lucky primes--third time's the charm?
-----BEGIN PGP SIGNED MESSAGE-----
The algorithm I posted the second time works, (nice improvement, eh?) but
is likely to take several thousand years to complete. And when it does, we
can expect weak primes. The enhancement I propose should fix that.
As I recall, PGP uses 0x10001 for its e. It does so in order to be able to
easily determine that e is a primitive root of unity in Fp. Since we are
assuming that the p we actually work with is prime, we have: n^p = n mod p
ie: n^((p-1)*i+1) = n mod p. So we want ed = (p-1)*i+1, ie:
((ed-1)/i)+1 = p.
Let 2*x be the target number of bits in the modulous. We then look for two
primes with approximately x digits such than d (for each prime in turn) is
small. We know that ed = (p-1)*i+1, so we search for small i's that work.
d = ((p-1)*i+1)/e, so for a given p, d will be small iff i is small.
But in general, the calculation to invert e is long. We therefore fix ed--
that is our n1--and hope for a small i that works. If none work, we
increment d and try again.
Once we have a p that gives us a small d, we then count the 0's in d,
hoping for a high count. If we don't get it, we increment d.
***
That is what my previous algorithm did. Of course, we can expect a halt
exactly when d ends with a bunch of 0's, followed by a few spare bits.
B-A-D bad.
The solution, though, is easy: pick a random high-0 d. Multiply it by
0x10001 to get ed, and search for small i's. If you fail, increment d.
Doing so won't affect the number of 0's in d by much, and we expect a prime
fast enough that cumlatives won't be a problem, either.
***
Let 2*x be the target number of bits in the modulous.
GetPrime twice.
GetPrime:
Let d be a large random number with x-15 bits.
If d has too many 1's, pick digits at random and 0 them until d is
sufficiently 0-rich. This would include room for extra 1s to appear as d
is incremented.
Let n1 = d * 0x10001
Let t2 be n1 mod 8, t3 be n1 mod 9, t5 be n1 mod 25, t7 be n1 mod 49.
Loop:
For i = 2 to 7
If n1 = 1 mod i and (n1-1)/i + 1 is not a multiple of {2,3,5,7}
/* This can be done very fast, and eliminates most canidates. */
If (n1-1)/i + 1 is prime, record and exit Loop.
/* This would be the long test in RSAREF, or Miller-Rabin. */
EndIf
EndIf
Next
d++
n1 += 0x10001
EndLoop
EndGetPrime
By keeping track of various quantities, we can eliminate all multiprecision
divisions except for the original one needed to get the t's and the first
n1/i's, and doing increments instead.
Nathan
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBLzmnanmgMs8UcStNAQECpQf6Ag8PUhiHySvv/lK8dIsmJhknKCuDR0Fi
dVT0oVnTijmz1mdX0a6tlhnXyrj+oO4sYLCsej03e+685HZSd5orCYMsMXI/12SU
f8PUVbKK7g/tDFYFah0se7cFL4kvQXwnOYDdzmfVnguW82QDDuS0iSssG42mqUKD
e0QH1jZKxMK+usRF53P0Bui7goNfk7MkN2hI/ShMQggywcDQHYRX/d3QHkhZp6iG
P7rJrW2aRxHYQT9MtiSpOv64Ae1JvmJk4DLXYMhXOSQet8xntRTnm4FIoVStBRmb
dTnOj0d//dHyYWWEVKKFz0GoepnglxjQ0/k3PAKvVgPV5DWzn3xFJQ==
=PzTo
-----END PGP SIGNATURE-----