FR2984547A1 - Cryptographic key generating method for e.g. integrated circuit of chip card, involves keeping generated candidate prime number as candidate prime number only if quotient calculated from integer division of integer by prime number is odd - Google Patents

Abstract

The method involves generating a candidate prime number by adding one to a value obtained from twice the product of a prime number and an integer, and using Pocklington primality test on the candidate prime number (S36). The candidate prime number is proven to be prime when passing the test, where the size in number of bits of the candidate prime number is equal to three times the size of the prime number to a nearest whole unit. The generated number is kept as a candidate prime number (S35) only if the quotient calculated (S33) from integer division of the integer by the prime number is odd. An independent claim is also included for an electronic device.

Description

The present invention relates to cryptography and in particular to the generation of prime numbers. It also relates to integrated circuits such as those fitted to smart cards, and the generation of prime numbers in such integrated circuits.

Since the invention of Diffie and Hellman in 1976, public key cryptography has grown considerably. Today, it is used in many applications, such as payment, e-commerce, and identification applications, as well as for encrypting and signing data, and in many devices such as smart cards, USB sticks and many microprocessors and computers. Most cryptographic systems like RSA (Rivest, Shamir, Adleman), DSA (Digital Signature Algorithm) and DH (Diffie Hellman Key Exchange) are based on the use of large prime numbers to generate cryptographic keys, or more generally secret data that can be used in transactions requiring a certain degree of security. The security of these cryptographic systems is therefore directly related to the size of the prime numbers used. Due to the constant evolution of technology and in particular computing capabilities of computers, cryptographic systems use increasingly larger cryptographic keys and therefore also larger prime numbers. Thus, some banking organizations today recommend using prime numbers of 1024 bits, or even in some applications, of 2048 bits.

Usually, the generation of a prime number is to randomly select a number and verify that it is prime, for example by applying a primality test such as the Miller-Rabin test. If the chosen number does not satisfy the primality test, a new number is chosen. The choice of a new number differs from one method to another. It turns out that the generation of a prime number is the heavier calculation task to implement in the cryptography systems commonly used today. Ten years ago, it was unthinkable to have this task of generating prime numbers performed in a smart card microcircuit because of its low computing and storage capacities. This task was therefore performed by a powerful computer, and the secret data generated from the prime number was securely transmitted to the microcircuit during a circuit initialization step in the factory. Current smart card microcircuits are generally equipped with cryptographic coprocessors to accelerate certain operations such as large number multiplications and modular exponentiation operations, and have an increasing storage capacity. These improvements make it possible to consider generating large prime numbers directly in the smart card. This approach provides greater security since it eliminates the risk of piracy of the computer that generated the secret data, or piracy of the transmission of the latter to the smart card. In addition, thanks to this approach, the issuer of the smart card can not know the secret data if it is generated in the card. This approach also allows the microcircuit to regenerate a prime number, as well as secret data based on that prime number, where necessary. However, the smart card microcircuit calculation and storage capabilities remain small compared to those of a desktop computer, and in operational mode, the key generation time must remain below an acceptable limit for the chip. 'user. It therefore seems desirable to develop a method of generating large prime numbers which requires low computing and storage means, compatible with those equipping smart cards. Conventional methods of generating prime numbers rely on the use of probabilistic primality tests such as the Miller-Rabin and Lucas tests. However a probabilistic test does not offer by definition an absolute certainty that a generated number is prime and therefore does not allow to obtain proven prime numbers. Yet such certainty would provide a higher level of security, which is generally sought in cryptographic systems. The confidence level of such a test can be increased by performing several iterations of the test. Thus, generating a prime number of 1024 bits with a sufficient level of confidence requires 40 iterations of the Miller-Rabin test. This number of iterations can be reduced to 3 when the Miller-Rabin test is followed by the Lucas test. The Lucas test, however, is not very compatible with the capabilities of smart cards. Moreover, in spite of the significant improvements made to microcircuits integrated in smart cards, the development of a software adapted to such a microcircuit remains delicate. Smart card microcircuits are an environment with multiple constraints compared to desktop computers or microprocessors on multimedia devices. Indeed, the capacity of the memories present in these microcircuits remains reduced. Some cryptographic operations implemented by cryptographic algorithms such as DES (Digital Encryption System), AES (Advanced Encryption System), RSA (Rivest, Shamir, Adleman) and ECC (Elliptic Curve Cryptography) require to be deported in a coprocessor for be performed efficiently enough. Thus, modular exponentiation operations are the most expensive operations in cryptographic systems such as RSA and DSA (Digital Signature Algorithm) embedded in a smart card microcircuit. Such exponentiation operations may also be necessary for the generation of prime numbers. It is also necessary that the microcircuit remains protected against attacks to discover the secret data stored or manipulated by the microcircuit. In recent years there have been many types of attacks, so the development of a microcircuit protected against all types of known attacks is a challenge for manufacturers of embedded security products. However, it may be desirable to generate prime numbers by a method and which can be embedded in a smart card microcircuit.

For this purpose, there are iterative methods of generating large prime numbers proved from a proved prime number of relatively small size which may be smaller than 32 bits. Thus, publications [3] and [4] describe such methods. However, these methods use the Eratosthene sieve technique to generate a first small prime number. This technique involves randomly selecting a prime candidate number of the desired size and testing the divisibility of the candidate number by all prime numbers less than the square root of the prime candidate number. Even if it is applied to first candidate numbers of size between 16 and 32 bits, this technique proves to be unsuited to the calculation and memorization capabilities of the microcircuits fitted to the current smart cards. It may therefore be desirable to be able to generate a proved prime number of small size, less than 50 bits, by a method that can be implemented in a chip card microcircuit. Embodiments provide an iterative method for generating a prime number implemented in an electronic device, the method comprising the steps of: generating a first prime number consisting of a reduced number of bits less than a number of maximum bits, and execute several steps of generating a new prime number, from a prime number obtained at a preceding generation step, until a prime number of a desired number of bits is obtained, each new number first obtained being formed of a number of bits greater than the number of bits of the prime number obtained in the preceding generation step. According to one embodiment, the first prime number is obtained by randomly selecting a number formed from the reduced number of bits and successively applying to it a limited number of primality tests comprising several Miller-Rabin tests applied to different bases, up to obtaining a number having successfully passed the Miller-Rabin tests, the maximum number of bits and the values of the bases being chosen to prove the primality of the first prime number, each of the process steps comprising modular exponentiation operations executed by means of a computing block of the electronic device.

According to one embodiment, the Miller-Rabin tests applied to the randomly chosen number are performed in bases 2, 7 and 61, and the maximum number of bits is chosen less than or equal to 32. According to one embodiment, the tests of Miller-Rabin are preceded by a base 2 Fermat test. According to one embodiment, the Miller-Rabin tests applied to the randomly selected number are performed in bases 2, 3, 5, 7, 11, 13 and 17, and the maximum number of bits is chosen to be less than or equal to 48. According to one embodiment, the Miller-Rabin tests applied to the randomly selected number are preceded by a divisibility test of the number randomly selected by numbers. a list of the smallest prime numbers. According to one embodiment, the generation of a new prime number comprises steps of: calculating a first candidate number Pr 15 by the following formula: Pr = 2P.R +1 P being the prime number obtained in step of previous generation, and R being an integer selected in the range [I + 1, 21] with: 2L-1 2P 20 L being the number of bits of the new prime number to be generated, and application of the Pocklington primality test to the first candidate number Pr, the first candidate number being the new prime number if he checks the Pocklington test. According to one embodiment, if the first candidate number is not verified by the Pocklington test, a new prime candidate number is calculated from a new integer selected in the range [I + 1, 21]. According to one embodiment, the new integer is randomly selected or by incrementing the integer used to calculate the first preceding candidate number not verifying the Pocklington test. According to one embodiment, the number of bits of the next prime candidate number is twice the size of the prime number generated in the previous generation step, to one unit. According to one embodiment, the bit size of the next prime candidate number is equal to three times the size of the prime number generated in the preceding generation step, to one unit, the number I = first candidate generated 'being retained only if the quotient of the integer division of the integer by the prime number generated in the previous generation step is odd. Embodiments also relate to a cryptographic method implemented in an electronic device and comprising steps of: generating prime numbers, generating cryptographic keys from prime numbers, the prime numbers being generated by the method as above defined. Embodiments also relate to an electronic device comprising a calculation block for executing large number multiplications and / or modular exponentiation operations, and configured to implement the method of generating a prime number, such as than previously defined. Embodiments also relate to a semiconductor chip integrated circuit, comprising a device as defined above. Exemplary embodiments of the invention will be described in the following, without limitation in connection with the accompanying figures, in which: FIG. 1 represents a sequence of steps configured to generate a large first number, according to a mode FIG. 2 shows a sequence of steps configured to generate a small prime number, according to one embodiment, FIG. 3 represents a sequence of steps configured to generate a prime number from a prime number. 4, a smaller size, according to one embodiment, represents a sequence of steps implementing a deterministic primality test, according to one embodiment. FIG. 5 represents a sequence of steps configured to generate a first small prime number, according to another embodiment, FIGS. 6 and 7 represent sequences of steps configured to generate a prime number from a number first of smaller size, according to other embodiments, Figure 8 shows a sequence of steps configured to test the divisibility of a number by a list of prime numbers, Figure 9 shows a sequence of steps implementing a deterministic test of primality, according to another embodiment. FIG. 10 represents a sequence of steps configured to generate a large prime number, according to another embodiment, FIG. 11 represents a sequence of steps configured to generate a prime number from a prime number of size. lower, adapted to the sequence of steps of Figure 9, Figures 12 and 13 show sequences of steps configured to generate a large prime number, according to other embodiments, Figure 14 shows schematically an example As an electronic device capable of implementing the various sequence sequences shown in FIGS. 1 to 13, FIGS. 15 and 16 show sequences of cryptographic key generation steps, using prime numbers. According to one embodiment, it is proposed to generate a prime number of a certain size in number of bits based on a theorem derived from the Pocklington theorem, which is formulated as follows: Let P be a prime number greater than 2 and R an integer less than P, the number N obtained by the following equation: N = 2R.P + 1 (1) is prime if there is an integer A greater than or equal to 2 and less than N such that: AN-1 = 1 mod N, and (2) GCD (A2R -1, N) = 1, (3) mod representing the operation modulo and GCD (x, y) being a function giving the greatest common number divisor x and y. This theorem makes it possible to obtain a prime number from a prime number of smaller size. This theorem can therefore be applied in several iterations, starting from a prime number of small size obtained by another process, then starting from the prime number obtained during the previous iteration, until obtaining a number first of the desired size. Given the relationship between the numbers N and P, a simple choice of the size of the number R can make it possible to obtain a new prime number having a size substantially equal to twice the size of the prime number P. It is It should be noted that the prime character of the numbers obtained by applying this theorem is proved, as opposed to the probabilistic nature of prime numbers obtained by certain known methods, for example based on the Fermat or Miller-Rabin test. Thus, FIG. 1 represents steps S1 to S9 of a GNLP procedure for generating a large number of primes. The GNLP procedure receives as an input parameter the size Ln in number of bits of the prime number to be generated. Steps S1 to S3 make it possible to determine the size L (in number of bits) of a first prime number to be generated from the size Ln of the prime number to be generated. In step S1, the size Ln received as a parameter is loaded into a local variable L. In step S2, the variable L received at the input of the procedure is compared with a maximum value LL of the first prime number, for example equal to 32 or 48 bits. In steps S2 and S3, as long as the variable L is larger than the maximum size LL, the value of the variable L is divided by 2 (receives the quotient of the entire division of L by 2). When the variable L is less than the maximum size LL, the size L is incremented by one at step S4. It should be noted that if the memory of the circuit intended to execute the GNLP procedure allows it, the steps S2 to S4 can be replaced by reading a table indexed by size Ln of prime number to be generated and giving the size LO of the first number to generate. Indeed, the size Ln is generally limited to a reduced number of possible values, in particular powers of 2. An example of this table when the maximum value LL is equal to 32 is given by the following table 1: Table 1 Ln In step S5 following step S4, is called an INTP procedure for determining a first proved prime number having the size L. The procedure receives as a parameter input variable L and optionally the product Ilv v smaller prime numbers, for example less than 100 or 200 (including between 25 and 46). The INTP procedure provides a prime number Pr of the size L. In step S6, the variable L is compared with the size Ln of the prime number to be generated. This step marks the entry of a processing loop in which steps S7 to S9 are executed at each iteration of the processing loop, until the size Ln of the prime number to be generated is reached. The values of k provided in table 1 represent the number of iterations performed by the GNLP procedure, as a function of the size Ln of the prime number to be generated. In step S6, if the variable L is smaller than the size Ln, the steps S7 to S9 are executed, otherwise the GNLP procedure terminates by providing the last number Pr obtained which is a prime number proved of Ln bits. In step S7, a variable P receives the last prime number Pr obtained. In step S8, the value of the variable L is doubled to one unit (= 2L-1) without exceeding the size Ln of the prime number to be generated. Calculation of the size L of the next prime number to be generated, performed in step S8, makes it possible to carry out the condition R <P of the theorem previously stated. In step S9, a GNSP procedure is invoked with the P and L variables as input parameters. The GNSP procedure provides a proved prime number Pr having the size L from the smaller prime number P input provided. For this purpose, the GNSP procedure is based on the Pocklington theorem or the derived theorem previously stated. According to one embodiment, the first proved small prime number provided by the INTP procedure is obtained by randomly choosing a number having a size less than 32 bits, and applying the Miller-Rabin probabilistic test, successively in base 2, 7 and 61. Indeed, Pomerance et al. (see publication [1]) and Jaechke (see publication [2]) have shown that any integer with a size smaller than 32 bits is definitely prime, if it passes the Miller-Rabin test in the first place. bases 2, 7 and 61. The parameter LL in the GNLP procedure is then set to 32 and represents the maximum size in number of bits that can have the prime number generated by the INTP procedure. The Miller-Rabin test consists in decomposing a prime candidate number N to be tested, minus 1, in the following manner: N -1 = 2S x D, (4) S being an integer, D being an odd number, and by verifying that for a number A called "base", lower and prime with N, one of the following equations is satisfied: AD = 1 mod N, (5) A2 RD 1 mod N, (6) R being an integer between 0 and S-1. Thus, according to the Miller-Rabin test, the number N is probably prime if either of the equations (4) and (5) is satisfied. The first prime number is thus obtained by successively applying the Miller-Rabin test three times, with the number A chosen successively equal to 2, 7 and 61, and discarding the candidate numbers N not satisfying the test in base 2, 7 or 61. According to another embodiment, the application of the Miller-Rabin tests in bases 2, 7 and 11 is preceded by a step of testing the divisibility of the prime candidate number by the v smaller prime numbers, v being between 10 and 30. In other words, a candidate number N is discarded if it is divisible by one of the v smaller prime numbers. According to another embodiment, the application of the Miller-Rabin test in bases 2, 7 and 11 is preceded by a step of applying the Fermat probabilistic test in base 2. According to the Fermat test, the number N is probably prime if the following condition is satisfied: AN-1 = 1 mod N, (7) where A is an integer representing the base (chosen to be 2). According to one embodiment, the first small first number is obtained by executing a sequence of steps as shown in FIG. 2. FIG. 2 represents an INTP procedure receiving as input parameter the size L of the first number to generating and the product Ilv of v smaller prime numbers, and providing a prime number Pr of the size L, L being less than 32. The INTP procedure comprises steps S21 to S24b. In step S21, an odd number Pr of size L is randomly selected using a random or pseudo-random function RND. The steps S22 to S24b are primality tests successively applied to the number Pr. In step S22, it is searched if the number Pr is divisible by one of the v prime numbers of the product Ilv and the test fails if the number Pr is divisible by one of the v numbers of the product 11v. This test can be carried out by looking for the greatest common divisor GCD of the number Pr and the product, the number Pr not being divisible by any of the v smaller prime numbers if the greatest common divisor thus calculated is equal to 1. The product 11v may not understand the number 2 if the number Pr is odd selected in step S21. Instead of receiving the product 11v, the procedure can receive the first v prime numbers in the form of the Q list, and step 22 can consist of successively testing the divisibility of the number Pr by each of the prime numbers of the Q list. In step S23, the Fermat test in base 2 is applied to the number Pr. In steps S24, S24a and S24b, the Miller-Rabin tests in bases 2, 7 and 61 are respectively and successively applied to the number Pr. one of the tests fails, the step S21 is again executed to choose another number Pr. If one of the tests is executed successfully at one of the steps S22 to S24a, the next step S23 to S24b is executed. If the last primality test executed in step S24b is successfully executed, the INTP procedure terminates providing the number Pr whose primality is thus proved. Instead of randomly choosing a new number Pr in step S21 if one of the tests performed in steps S23 to S24b fails, the number Pr can be incremented by two. Fig. 3 shows steps S31 to S34 of the GNSP procedure, according to one embodiment. Steps S31 to S34 are executed successively. In step S31, a number I is calculated by the following formula: 2L-1 (8) 2P P being a prime number, L being the size of a new prime number to be generated, P and L being received as parameters input of the GNSP procedure, and -x representing the quotient of the integer division of x by y. In step S32, an integer R is chosen using a random or pseudo-random RND function in the interval [1 + 1, 2I]. In step S33, a prime candidate number Pr is calculated by the formula (1). In step S34, a procedure for applying the Pocklington PCKT test is called. This procedure receives the number Pr to be tested and the number R used to calculate the number Pr in step S33, as well as, optionally, the number-of-bits size of the number Pr. This procedure returns a boolean variable to " True "(" T ":" True ") if the number Pr has successfully passed the Pocklington test, and to" False "(" F ":" False ") in the opposite case. If the PCKT procedure returns "True", the number Pr is definitively prime and the GNSP procedure ends by returning the number Pr. If the PCKT procedure returns "False", the steps S32 to S34 are executed again. Fig. 4 shows steps S52 to S56 of the PCKT procedure, according to one embodiment. This procedure successively applies to the numbers P and R received at the input by the PCKT procedure the tests corresponding to the equations (2) and (3). If the numbers P and R pass both tests, the PCKT procedure returns "True" ("T"), otherwise "False" ("F"). In step S52, an integer A is selected using a random or pseudo-random RND function in the interval [2, P-2]. In step S53, if the number P satisfies in equation (2), step S54 is executed, otherwise step S55 is executed. In step S54, if the numbers P and R satisfy equation (3), step S56 is executed, otherwise step S55 is executed. In step S55, a Boolean variable TST is set to "False". In step S56, the TST variable 20 is set to "true". The PCKT procedure terminates after step S55 or S56 by returning the variable TST. It should be noted that the equation (3) tested in step S54 can be implemented by first calculating the quantity B = A2R-1 mod P, then by calculating GCD (B, P). FIG. 5 shows an INTP1 procedure for generating a first proved small prime number, according to another embodiment. This procedure is based on the fact that a number of less than 48 bits that has been successfully tested by Miller-Rabin tests in bases 2, 3, 5, 7, 11, 13 and 17, is definitely a prime number. . The INTP1 procedure differs from the INTP procedure in that the Miller-Rabin primality tests in bases 7 and 61 are replaced by Miller-Rabin tests in bases 3, 5, 7, 11, 13 and 17, and in the first number obtained can be up to 48 bits in size. The maximum size LL in the GNLP procedure can then be set to a value less than or equal to 48.

Thus, the procedure INTP1 comprises the steps S21, S22 and S24 of the INTP procedure (FIG. 3). Then the INTP1 procedure comprises steps S24c to S24h of application of the Miller-Rabin test in bases 3, 5, 7, 11, 13 and 17. If the first candidate number Pr chosen in step S21 succeeds one of the tests executed at one of the steps S22, S24, S24c to S24g, the next step S24, S24c to S24h is executed. If the prime number Pr fails one of the tests, a new prime candidate number Pr is selected in step S21. If the first candidate candidate number Pr checks all the tests and in particular the base 17 Miller-Rabin test executed in step S24g, the INTP1 procedure ends by supplying the number Pr as a proved prime number. Since the INTP1 procedure can provide a prime number close to 48 bits instead of a prime number close to 32 bits for the INTP procedure, this procedure can reduce the number of iterations of the GNLP procedure.

It should be noted that step S22 in the INTP and INTP1 procedures is intended to eliminate prime candidate numbers more easily (using less resource-intensive and time-consuming operations) than a Fermat or from Miller-Rabin. Step S22 can therefore be omitted without affecting the primality of the number Pr provided by the INTP procedure, INTP1.

The Fermat test performed at step S23 of the INTP procedure is also intended to eliminate prime candidate numbers faster than the Miller-Rabin test. This step can also be removed if the computing means used to implement this procedure can effectively perform (in a time permissible for the user) the Miller-Rabin tests. The choice of the value of the number v of the smallest prime numbers used in step S22 can be done according to the overall duration of execution of the procedure INTP or INTP1, knowing that the greater the value y, the longer the duration the execution time of step S22 increases, and the overall execution time (number of executions) of the tests performed in steps S23 to S24b or S24 to S24h decreases. Figure 6 shows another GNSP1 embodiment of the GNSP procedure of Figure 4. The GNSP1 procedure differs from the GNSP procedure in that it comprises three additional steps S35 to S37. Steps S35 to S37 are executed instead of step S32 if the PCKT procedure called in step S34 returns "False". In step S35, the number R is incremented by 1. In step S36, the number R is compared with the number 21, so that R remains in the interval [I +1, 2I]. If the number R is greater than the number 21, the steps S32 to S34 are again executed to choose a new number R randomly in the interval [I +1, 2I], to calculate a new candidate number first Pr and to test the latter. . If in step S36, the number R is less than or equal to the number 21, step S37, then the execution of the GNSP1 procedure is continued in step S33. In step S37, the number Pr is simply incremented by twice the prime number P. This calculation results from the incrementation of the number R carried out in step S38 and of formula (1). In this way, the number Pr can be updated simply by a binary shift of the number P followed by an addition, instead of a multiplication of large integers as in the formula (1) implemented at step S33. Step S34 is executed after step S37. Thus, steps S34 to S37 form a first processing loop in which the number R varies from the value assigned to it in step S33 to the value 21, if any, and in which the primality of number Pr corresponding to the number R is tested in a proven way. Steps S32 to S37 form a second processing loop for executing the first loop with a new value of R randomly selected in the range [1 + 1.21]. Fig. 7 shows another GNSP2 embodiment of the GNSP1 procedure of Fig. 6. The GNSP2 procedure differs from the GNSP1 procedure in that prior to applying the Pocklington test to the prime candidate number Pr in step S34, it first checks that the number Pr is not divisible by any of the prime numbers of the Q-list. For this purpose, the GNSP2 procedure receives the Q-list in addition to the parameters P and L. The GNSP2 procedure comprises steps S31 to S37 of Fig. 6, as well as additional steps S38 to S40. Steps S31 to S33 are first executed successively. Steps S38 and S39 are executed following step S33. In step S38, is called a DVT procedure for testing the divisibility of the number Pr by the prime numbers of the list Q. The DVT procedure receives in input parameters the number Pr and the list Q and provides a Boolean variable TST to "True" if the number Pr is not divisible by the numbers of the list Q and to "False" ("False") in the opposite case. In step S39, the variable TST is tested. If the variable TST is "True", step S34 is executed, otherwise the execution of the GNSP2 procedure is continued in step S35. According to the result of the comparison made in step S36, the GNSP2 procedure continues as in the GNSP1 procedure, ie in step S32 to randomly choose a new value of R, or in step S35 to calculate a new candidate number first Pr. If in step S39 the variable TST is "True", step S34 is executed to apply the Pocklington test to the number Pr by calling the procedure PCKT. If the number Pr verifies the Pocklington test, and therefore is definitely a prime number, the GNSP2 procedure ends by returning the number Pr. Otherwise, the variable TST is set to "False" in step S40, and execution of the GNSP2 procedure is continued in step S35. Fig. 8 shows steps S61 to S66 of the DVT procedure, according to one embodiment. In step S61, a loop index j is initialized to 0 and a Boolean variable TST is initialized to "True". Step S62 which forms the entry point of a loop comprising steps S63 to S66, compares the index j with the number v of prime numbers in the list Q. This loop makes it possible to test the divisibility of the number Pr received in input parameter of the DVT procedure, by each of the numbers Qj of the list Q. It is not necessary for the list Q to include the number 2 since, taking into account equation (1), the number Pr is necessarily odd. If the index j is less than the number v in step S62, a loop iteration starting at step S63 is executed, otherwise the DVT procedure terminates providing the variable TST. In step S63, a variable w receives the remainder of the integer division of the number Pr by the number Qj, calculated by the following formula: W = Pr mod Qj (9) At step S64, the value w is compared with O. If the value w is zero, meaning that the candidate number Pr is divisible by the number Qj, the steps S65 and S66 are executed, otherwise only the step S66 is executed. In step S65, the TST variable is set to "False", to indicate that the number Pr is not a prime number. In step S66, the index j is incremented by one. Step S62 is executed after step S66. The choice of the value of the number v of the smallest prime numbers used in the step S53 can also be done according to the overall duration of execution of the GNLP procedure calling the GNSP2 procedure, knowing that the more the value y is increased. , the longer the execution time of the steps S52 to S56 increases, and the overall duration of execution of the tests performed in step 34 decreases. FIG. 9 shows another embodiment PCKT1 of the PCKT procedure of FIG. 4. The PCKT1 procedure differs from the PCKT procedure in that it comprises additional steps S50 and S51 making it possible to force the number A to 2 (step S51) if the size L of the number P received as an input parameter of the procedure is greater than or equal to a certain value, for example equal to 129 (step S50). Forcing the number 15 A to 2 makes it possible to perform the modular exponentiation operations more quickly in steps S53 and S54 when the numbers P and R are large. Indeed, when the number A is fixed at 2, it is then a question of calculating numbers of the form 2 "which can be carried out by simple bit offsets in a binary word, which makes it possible to accelerate the execution Pocklington tests by a microcircuit If it is assumed that the proportion of prime numbers rejected by fixing the value of the number A does not change according to this value, setting the value of A to a constant value 2 has a negligible impact on the distribution of the prime numbers generated when the size of the number P to be tested is sufficiently large (for example greater than 128 bits), since it has been shown that the probability that the choice of if a certain value of A results in the rejection of a prime number in step S53 is equal to 1 / P. Therefore, the larger the number P, the lower the probability, starting from L = 128. which corresponds to a 64-bit number P, this 30 probability becomes negligible. Figure 10 shows another embodiment of the GNLP1 procedure of the GNLP procedure of Figure 1. The procedure GNLP1 differs from the GNLP procedure in that the steps S3, S8 and S9 are replaced by steps S3 ', S_' and S9 ' . In step S3 ', the value of variable L is divided by 3 instead of 2. At step S8', the value of variable L is tripled to one unit (= 3L-1) without exceeding size Ln of the prime number to generate. In step S9 ', a GNSP3 procedure is called with P and L variables as input parameters. The GNSP3 procedure provides a prime number Pr having the size L from the lower prime number P.

The GNLP1 procedure is based on a theorem derived from the theorem demonstrated by JLS (see publication [6]). The derived theorem is formulated as follows: Let P be a prime number greater than 2 and R an integer less than P2 + 1, the number N = 2R.P + 1 is prime if there is a whole number A greater than or equal to at 2 and less than or equal to N such that: (i) A, N and R satisfy equations (2) and (3), (ii) the quotient of the integer division of R by P,, is odd, the condition R <P2 + 1 is satisfied substantially by the operation performed in step S8 to determine the size of the next prime to be generated. It should be noted that if the memory of the circuit intended to execute the GNLP procedure allows it, the steps S2, S3 'and S4 can be replaced by reading a table indexed by size Ln of prime number to generate and giving the size LO of the first number to generate. An example of this table when the maximum size LL is 32 is given by the following table 2: Table 2 Ln 512 768 1024 2048 LO 20 29 14 26 k 3 3 4 4 Table 2 also provides the values of the number iterations executed by the procedure GNLP1 from step S6. If Tables 1 and 2 are compared, the GNLP1 procedure allows to obtain a prime number of the desired size in a number of iterations reduced by 2 or 3 iterations compared to the GNLP procedure. Figure 11 shows the GNSP3 procedure called by the GNLP1 procedure of Figure 10. The GNSP3 procedure differs from the GNSP procedure in that it comprises two additional steps S41 and S42, to implement the theorem test (ii). stated above, knowing that the test (i) is implemented by step S34. Steps S41 and S42 are executed between steps S32 and S33. In step S41, the quotient U of the integer division of the number R by the number P is calculated. In step S42, if the quotient U is even, step S32 is executed to generate a new value of R, otherwise step S33 is executed. Furthermore, the GNSP3 procedure can be modified in the same way as the GNSP procedure in FIGS. 6 and 7. FIG. 12 represents another GNM iterative procedure for generating a large first number Ln. This procedure corresponds substantially to the Maurer procedure (see publication [3]). In Fig. 12, this procedure receives as an input parameter a prime number size L to generate and provides a prime number Pr. This procedure comprises steps S80 to S89. In step S80, the size L is compared to a maximum number first LL size below which a procedure for generating a first proved prime number can be used without requiring excessive time and computation resources. If the size L is greater than the size LL, the step S81 is executed, otherwise the step S82 is executed. In step S81, a prime number Pr smaller than the size LL is obtained. The GNM procedure then ends with the number Pr.

According to one embodiment, the INTP (or INTP1) procedure is called in step S81 to obtain a prime number Pr of size less than the size LL. Steps S82 to S87 make it possible to determine a sequence of intermediate prime number sizes between the initial size of the first prime number and the size of the prime number to be generated provided as an input parameter of the GNM procedure. In step S82, the size L is compared to twice the size LL (2LL). If the size L is greater than 2LL, in other words, for the large values of L, the steps S83 to S85 and S87 are executed, otherwise only the steps S86 and S87 are executed. In step S83, a real number s between 0 and 1 is chosen randomly or pseudo-randomly. In step S84, a real number r is calculated by raising 2 to the power s -1. Thus, the number r is between 1/2 and 1. At step S85, the size L multiplied by the real number (1 - r) is compared to the size LL. If the quantity L (1 - r) is greater than the size LL, step S87 is executed, otherwise steps S83 to S85 are executed again. In other words, step S83 marks the input of a processing loop comprising steps S83 to S85 in which a new value of r is computed until the condition of the step S85 be verified. In step S86, for the values of L between LL and 2LL, the real number r is set to 0.5. In step S87, a new size L is calculated by multiplying the current value of L by the real number r, taking the integer part of the result obtained, and adding 1 to the integer part. In step S88, the GNM procedure is called with the new value of size L obtained in step S87. Thus, the GNM procedure is a recursive procedure. In step S89, the GNSP procedure (or one of the variants GNSP1 and GNSP2) is called to obtain a prime number Pr of size L, from the prime number P obtained in step S88. The GNM procedure terminates at the end of step S89 by providing the prime number Pr provided by the GNSP procedure (or GNSP1 or GNSP2) called in step S89. Figure 13 shows another GNST iterative procedure for generating a large prime number Ln. This procedure corresponds substantially to the Shawe-Taylor procedure (see publication [4] or [5]). In FIG. 13, this procedure receives as an input parameter the size L of the prime number to be generated, and provides a prime number Pr. This procedure comprises steps S71 to S75. In step S71, the size L is compared to a first number maximum size LL below which a procedure for generating a first proved prime number can be used without requiring excessive time and computation resources. If the size L is greater than the size LL, the steps S73 to S75 are executed, otherwise the step S72 is executed. In step S72, a small prime number Pr smaller than the size LL is generated and the procedure terminates by providing the prime number Pr. According to one embodiment, the INTP (or INTP1) procedure is called the step S72 to obtain a prime number Pr smaller than the size LL. In step S73, the size L is decreased by adding 1 to the smallest integer greater than or equal to the size L divided by two. In step S74, the GNST procedure is called with the new value of L to obtain a prime number P of size L. The GNST procedure is therefore also recursive. In step S75, the GNSP procedure (or one of the variants GNSP1 and GNSP2) is called to obtain a prime number Pr of size L with, as the input parameter, the previous prime number P provided by the call of the GNST procedure in step S74, and the size L obtained in step S73. The prime number Pr obtained in step S75 is outputted from the GNST procedure that ends at the end of this step. Fig. 14 shows an example of an electronic device DV in which the various embodiments of the first-number generation method described above can be implemented. The DV device may be a semiconductor chip integrated circuit, generally forming a microprocessor. The chip may for example be arranged on a support such as a plastic card, the assembly forming a smart card. The device DV comprises a processing unit UC, a cryptographic calculation block CRU, and one or more memories MEM which can comprise a volatile memory and a non-volatile memory. The electronic device DV also comprises a communication interface 101 with or without contact, for example an RF or UHF circuit operating by inductive coupling or by electrical coupling. The CRU block may be a coprocessor equipped with a programmable state machine type central control unit, a fully hardware coprocessor, or subroutines executed by the CPU. According to one embodiment, the calculation block CRU can be configured to perform on request of the unit UC multiplications of large numbers, for example of size between 32 bits and 2048 bits, and in particular that carried out at the same time. Step S33 of the GNSP procedures, GNSP1 to GNSP3, as well as those involved in the modular exponentiation calculations of the Fermat and Miller-Rabin tests performed in the INTP, INTP1, and Pocklington tests performed in the PCKT and PCKT1. According to another embodiment, the calculation block can also be configured to perform on request of the CPU processing unit, directly the modular exponentiation operations of the Fermat and Miller-Rabin tests executed in the INTP, INTP1 procedures. , and the Pocklington test performed in the PCKT and PCKT1 procedures.

The DV device may also include a random or pseudo-random RGN generator of M bit bits for performing steps S21, S32, S42 and S85. The unit UC can thus comprise a PGN prime number generation module implementing one of the GNLP, GNLP1, GNM and GNST procedures. The unit UC may also comprise a KGN cryptographic data generation module such as cryptographic keys, and SGN signature and ENC encryption modules using cryptographic data generated by the KGN module.

Each of the PGN, KGN, ENC, SGN modules may use the CRU to perform complex operations, such as large number multiplications or modular exponentiations. The cryptographic data generated are stored in the memory MEM. For example, the KGN, SGN and ENC modules can implement the RSA algorithm by generating two prime numbers of 512 or 1024 bits using the PGN module. FIG. 15 represents a KGEN1 procedure for generating a secret and public key pair, in accordance with the RSA algorithm, executed by the KGN module. The KGEN1 procedure comprises steps S101 to S106. In steps S101 and S102, two prime numbers P and Q are generated using a PRGN procedure receiving as input parameter the size L of the prime numbers to be generated. The PRGN procedure corresponds to one of the GNLP, GNLP1, GNM, GNST procedures performed by the PGN module. In step S103, the numbers P and Q are multiplied by each other to obtain a number N. In step S104, an odd number E is randomly selected within a certain range, for example between 3 and 21- - 1. In step S105, if the selected number E is not invertible modulo the quantity (P-1) (Q-1), a new number E is chosen in step S104, otherwise the step S106 is executed to choose a number D such that E x D is equal to 1 modulo (P-1) (Q-1). The KGEN1 procedure terminates after step S106 by providing as a private key the pair of numbers (N, D) and as the public key the pair of numbers (N, E). The DSA algorithm can also be implemented by the KGN, SGN and ENC modules, by generating two prime numbers of different sizes, for example 256 and 2048 bits. Figure 16 shows a KGEN2 procedure for generating a secret and public key pair, conforming to the DSA algorithm, executed by the KGN module. The KGEN2 procedure comprises steps S111 to S115. In steps S111 and S112, two prime numbers P and Q are generated using a PRGN procedure receiving as input parameter successively the sizes L1, L2 of the prime numbers P and Q to be generated. The sizes L1 and L2 are for example equal to 2048 and 256 bits respectively. In step S113, a GGEN procedure is called to generate a number G which constitutes a generating number of the modulo P subgroup P. In step S14, a secret key SK is randomly selected in the interval [1 , Q-1]. In step S115, a public key PK is computed by raising the number G to the power SK modulo P. The procedure KGEN2 ends after the step S115 by providing the private and public key pair (SK, PK). It will be clear to those skilled in the art that the present invention is capable of various alternative embodiments and various applications, including various other forms of algorithms and devices implementing such algorithms. Thus, the invention covers all possible combinations of the various embodiments described. The invention also covers all possible combinations of maximum size of the first generated prime number and Miller-Rabin test bases, to prove the primality of this number, knowing that the ability of such combinations to prove the primality of a number , can be demonstrated by simple exhaustive tests. List of previously cited publications: [1] C. Pomerance, C. Selfridge, and J. L. Wagstaff. "The pseudoprimes to 25x10e9", Mathematics of Computation, 35: 1003-1026, 1990. [2] G. Jaechke, "On strong pseudoprimes to several bases", Mathematics of Computation, 61: 915-926, 1993. [3] UM Maurer, "Fast generation of prime numbers and secure public-key cryptographic parameters", J. Cryptology, 8 (3): 123-155, 1995. [4] J. Shawe-Taylor, "Generating Strong Premiums", Electronic Letters , 22 (16): 875-877, 1986. [5] FIPS PUB 186-3, "Digital Signature Standard," National Institute of Standards and Technology, October 2009. [6] J. Brillhart, DH Lehmer, JL Selfridge, B. Tuckerman, and Jr. SS Wagstaff, "Factorization of b" ± 1, b = 2; 3; 5; 7; 10; 11; 12 Up to High Powers, "22, American Mathematical Society, 1988.

Claims (13)

REVENDICATIONS1. A method of cryptography in an electronic device (DV), the method comprising the steps of: generating a first prime number (Pr) consisting of a reduced number of bits (L) less than a maximum number of bits (LL), and executing several steps of generating a new prime number, from a prime number obtained at a preceding generation step, until a prime number formed of a desired number of bits is obtained, each new first number obtained being formed a number of bits greater than the number of bits of the prime number obtained in the preceding generation step, characterized in that the generation of the first prime number (Pr) comprises the steps of: randomly selecting a number (P) formed of the reduced number of bits, and apply to the selected number a limited set of Miller-Rabin primality tests (MRA, A = 2, 7, 61; 3, 5, 7, 11, 13, 17) in different bases (A ), until the name The selected one successfully passes the Miller-Rabin test set, the maximum number of bits and the base values being chosen to prove the primality of the first prime number, each of the process steps including modular exponentiation operations performed at the same time. means of a calculation block (CRU) of the electronic device. The method of claim 1, wherein the Miller-Rabin (MRA) tests applied to the randomly selected number (P) are performed at bases 2, 7 and 61, and the maximum number of bits (LL) is chosen lower than or equal to 32. The method of claim 2, wherein the Miller-Rabin (MR) tests are preceded by a Fermat (F2) base 2 test. The method of claim 1, wherein the Miller-Rabin (MRA) tests applied to the randomly selected number (P) are performed in bases 2, 3, 5, 7, 11, 13 and 17, and the number of bits. maximum (LL) is chosen less than or equal to 48. 5. Method according to one of claims 1 to 4, wherein the Miller-Rabin tests (MRA) applied to the randomly selected number are preceded by a random number divisibility test (P) randomly selected by numbers of a list (Q) of the smallest prime numbers. 6. Method according to one of claims 1 to 5, wherein the generation of a new prime number comprises steps of: calculating a first candidate number Pr by the following formula: Pr = 2P.R +1 P being the prime number obtained in the preceding generation step, and R being an integer selected in the interval [I +1, 21] with: [2L-1 '5 I - 2P L being the number of bits of the new first number to be generated, and application of the Pocklington primality test to the first candidate number Pr, the first candidate number being the new prime number if it checks the Pocklington test. The method according to claim 6, comprising a step of calculating a new first candidate number from a new integer number (R) selected in the range [1+ 1, 21] if the first candidate number (Pr. ) does not check the Pocklington test. The method of claim 7, wherein the new integer number (R) is randomly selected or incrementing the integer used to calculate the first preceding candidate number not verifying the Pocklington test (Pr). 9. Method according to one of claims 1 to 8, wherein the size (L) in number of bits of the first candidate number (Pr) following is equal to twice the size of the prime number (P) generated in step previous generation, to a single unit. 20 25 30 10. Method according to one of claims 1 to 8, wherein the size (L) in number of bits of the first candidate number (Pr) following is equal to three times the size of the prime number (P) generated in step previous generation, to a single unit, the method comprising steps of calculating a quotient (U) of an integer division of the integer (R) by the prime number generated in the preceding generation step, and of rejection of the first candidate number generated if the quotient is even. 11. Method according to one of claims 1 to 10, comprising steps of generating a cryptographic key from the prime number formed by the desired number of bits. An electronic device comprising a calculation block (CRU) for executing large number multiplications and / or modular exponentiation operations, characterized in that it is configured to implement the method according to one of the following: Claims 1 to 11. A semiconductor chip integrated circuit, comprising a device according to claim 12.