[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Lucky primes--third time's the charm?

The algorithm I posted the second time works, (nice improvement, eh?) but
is likely to take several thousand years to complete.  And when it does, we
can expect weak primes.  The enhancement I propose should fix that.
As I recall, PGP uses 0x10001 for its e.  It does so in order to be able to
easily determine that e is a primitive root of unity in Fp.  Since we are
assuming that the p we actually work with is prime, we have: n^p = n mod p
ie: n^((p-1)*i+1) = n mod p.  So we want ed = (p-1)*i+1, ie: 
((ed-1)/i)+1 = p.
Let 2*x be the target number of bits in the modulous.  We then look for two
primes with approximately x digits such than d (for each prime in turn) is
small.  We know that ed = (p-1)*i+1, so we search for small i's that work.
d = ((p-1)*i+1)/e, so for a given p, d will be small iff i is small.
But in general, the calculation to invert e is long.  We therefore fix ed--
that is our n1--and hope for a small i that works.  If none work, we
increment d and try again.
Once we have a p that gives us a small d, we then count the 0's in d,
hoping for a high count.  If we don't get it, we increment d.
That is what my previous algorithm did.  Of course, we can expect a halt
exactly when d ends with a bunch of 0's, followed by a few spare bits.
B-A-D bad.
The solution, though, is easy: pick a random high-0 d.  Multiply it by
0x10001 to get ed, and search for small i's.  If you fail, increment d.
Doing so won't affect the number of 0's in d by much, and we expect a prime
fast enough that cumlatives won't be a problem, either.
Let 2*x be the target number of bits in the modulous.
GetPrime twice.
Let d be a large random number with x-15 bits.
If d has too many 1's, pick digits at random and 0 them until d is
sufficiently 0-rich.  This would include room for extra 1s to appear as d
is incremented.
Let n1 = d * 0x10001
Let t2 be n1 mod 8, t3 be n1 mod 9, t5 be n1 mod 25, t7 be n1 mod 49.
For i = 2 to 7
 If n1 = 1 mod i and (n1-1)/i + 1 is not a multiple of {2,3,5,7}
/* This can be done very fast, and eliminates most canidates. */
    If (n1-1)/i + 1  is prime, record and exit Loop.
/* This would be the long test in RSAREF, or Miller-Rabin. */
n1 += 0x10001
By keeping track of various quantities, we can eliminate all multiprecision
divisions except for the original one needed to get the t's and the first
n1/i's, and doing increments instead.
Version: 2.6.2