JP2007218997A - Prime number generation device, program and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a prime number generation device, a program and a method, in which a second prime number having a form of polynomial of a first prime number, which is not limited to the prime number of a safe prime, is generated at high speed. <P>SOLUTION: The first prime number p and the second prime number f(p) having the form of the polynomial f(p)(=a<SB>n</SB>×p<SP>n</SP>+a<SB>n-1</SB>×p<SP>n-1</SP>+...+a<SB>2</SB>×p<SP>2</SP>+a<SB>1</SB>×p+a<SB>0</SB>), where a constant term (a<SB>0</SB>) is not 0, which is calculated from the first prime number, are generated, and thereby, the second prime number f(p) having the form of the polynomial of the first prime number is generated without being limited by the prime number (2p+1) of the safe prime form. In addition to that, a percentage of performing a full-scale prime number judgment method which takes time is decreased by performing the full-scale prime number judgment including Fermats small theorem, after performing trial division which is calculated at high speed beforehand, and thereby, the first and the second prime numbers p and f(p) are generated at high speed. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a prime number generating apparatus, a program, and a method for generating a prime number. For example, the present invention is not limited to a prime number of a safe prime type, and can generate a second prime number having a polynomial form of a first prime number at high speed. The present invention relates to a prime number generation device, a program, and a method.

  In the cryptographic field, when p is a prime number, a prime number of the form 2p + 1 is used to increase the security of the encryption. This form of prime number is called a safe prime. Safe prime is used in many cryptographic communication protocols, including Diffie-Hellman key exchange.

  An efficient method for generating this safe prime is not known so far. In a general prime number generation method, a prime prime number 2p + 1 is generated by determining a prime number of a prime candidate random number p and, if it is a prime number, further determining a prime number of a safe prime candidate number 2p + 1.

  FIG. 8 is a flowchart for explaining a general prime number generation method. This prime number generation method includes simple prime number determination of the prime candidate p (ST1 to ST4), full-scale prime number determination of the prime number candidate p (ST5), simple prime number determination of the safe prime candidate 2p + 1 (ST6 to ST9), and the safe prime candidate 2p + 1. It consists of full-scale prime number determination (ST10). Specifically, this prime number determination method is executed by a prime number generation device including, for example, a computer.

  First, the prime number generating apparatus initializes the divisor identification information i as i = 0 (ST1). Subsequently, the prime number generation device generates a random number p as a prime number candidate (ST2). Note that the order of steps ST1 and ST2 may be reversed.

  Next, the prime number generation apparatus sequentially performs trial division from the divisor identification information i = 1 using the divisor table held in advance for the prime number candidate p (ST3).

  Here, the divisor identification information i is used to read the divisor primes [i] from the divisor table. In the divisor table, divisor identification information i and divisor primes [i] are described in association with each other. The divisor identification information i is a natural number such as 1, 2,..., PRIMES_NUM−1, PRIMES_NUM.

  The prime number generation device has finished division when the remainder obtained by dividing the prime candidate p by the divisor primes [i] is 0 (p ÷ primes [i] = 0) or when the divisor identification information i is the maximum value PRIMES_NUM (I = PRIMES_NUM), the trial division in step ST3 ends.

  The prime number generation apparatus determines whether or not the divisor identification information i when the trial division in step ST3 ends is the maximum value PRIMES_NUM (ST4). If not (if trial division fails), Return to step ST1.

  On the other hand, if the result of the determination in step ST4 is that the divisor identification information i is the maximum value PRIMES_NUM (when the trial division is successful), the prime number generation device uses the Fermat method, Miller-Rabin ( Miller-Rabin) method and other full-scale prime number determination is performed (ST5).

  As a result of the prime number determination in step ST5, if the prime candidate p is not a prime number (in the case of NG), the process returns to step ST1.

  As a result of the prime number determination in step ST5, when the prime number candidate p is a prime number (in the case of OK), the prime number generation device initializes the divisor identification information i as i = 0 (ST6). Subsequently, the prime number generation device calculates the number 2p + 1 as a safe prime candidate (ST7). Note that the order of steps ST6 and ST7 may be reversed.

  Next, the prime number generating apparatus performs trial division on the safe prime candidate 2p + 1 using the divisor table as described above (ST8). The prime number generation device is used when the remainder obtained by dividing the safe prime candidate 2p + 1 by the divisor primes [i] is 0 ((2p + 1) ÷ primes [i] = 0), or when the divisor identification information i is the maximum value PRIMES_NUM. When the division is finished (i = PRIMES_NUM), the trial division in step ST8 is finished.

  The prime number generation apparatus determines whether or not the divisor identification information i when the trial division in step ST8 is completed is the maximum value PRIMES_NUM (ST9). If not (if the trial division fails), Return to step ST1.

  On the other hand, when the divisor identification information i is the maximum value PRIMES_NUM as a result of the determination in step ST9 (when the trial division is successful), the prime number generation device performs the Fermat (Fermat) method, Miller-Rabin on the safe prime candidate 2p + 1. Full-fledged prime number determination such as (Miller-Rabin) method is performed (ST10).

  As a result of the prime number determination in step ST10, when the safe prime candidate 2p + 1 is not a prime number (in the case of NG), the process returns to step ST1.

  If the result of the prime number determination in step ST10 is that the safe prime candidate 2p + 1 is a prime number (in the case of OK), the prime number generation device outputs a safe prime type prime number 2p + 1 and a prime number p.

  In addition to the general prime number generation method as described above, there are various methods for generating a safe prime (see, for example, Non-Patent Documents 1 and 2). Here, in Non-Patent Document 1, in order to generate a safe prime q, (q-1) / 2 is generated as a random number, this random number is subjected to prime number determination, and if the prime number determination is passed, q is determined to be a prime number. A scheme is disclosed.

In Non-Patent Document 2, in order to generate the safe prime q, (q-1) / 2 is generated as a random number, and for a small odd number r less than a certain constant, (q-1) / 2≡ ( R-1) / 2 (mod r) random number (q-1) / 2 is removed, the remaining random number (q-1) / 2 is primed, and if the prime number judgment is passed, q is primed Is disclosed.
“Handbook of applied cryptography p.164” http://www.cacr.math.uwaterloo.ca/hac/about/chap4.pdf “Safe Prime Generation with a Combined Sieve” http://eprint.iacr.org/2003/186.pdf

However, the above prime number generation method has the following problems.
For example, the method shown in FIG. 8 has a problem that as the value of the random number p increases, the time required to generate the safe prime type prime number 2p + 1 greatly increases. For this reason, in an information device equipped with a prime number generation device or an information system (hereinafter referred to as an information device) provided with a plurality of such information devices, the calculation load of the prime number generation device is increased, and the system operation rate is increased. There is a problem to lower.

  From the viewpoint of solving such a problem, a method for generating and holding a safe prime in advance and a method for performing cryptographic communication using a general prime number that is not a safe prime are known in information equipment and the like. However, since these methods may lower the security level of information equipment and the like, it cannot be said that the above problem has actually been solved. The method described in Non-Patent Document 1 is considered to have the same problem as the method shown in FIG.

  On the other hand, since the method described in Non-Patent Document 2 uses the odd prime number r as a modulus in advance and removes random numbers congruent to (r−1) / 2 from the safe prime candidates, the remaining prime prime candidates are determined as prime numbers. The calculation load of the prime number generator can be reduced.

  Supplementally, the calculation load of the prime number generation device is much larger for the full-scale prime number determination than for the trial division. Therefore, the method described in Non-Patent Document 2 removes a simple composite number before full-scale prime number determination, so that the calculation load of the prime number generator can be reduced. According to the method described in Non-Patent Document 2, the above problem can be solved.

  However, although the method described in Non-Patent Document 2 is not particularly problematic, it is considered that there is an inconvenience limited to the safe prime type prime number 2p + 1 according to the study of the present inventor.

  The present invention has been made in consideration of the above circumstances, and is not limited to a prime number of a safe prime type, and a prime number generating apparatus, program, and method capable of generating a second prime number having a polynomial form of a first prime number at high speed are provided. The purpose is to provide.

  The first invention is the first prime number for an integer coefficient polynomial f (X) ∈Z [X] whose constant term is not 0 (where X is an arbitrary integer and Z is a set whose element is X). A prime number generation device that generates p (∈Z) and a second prime number f (p) (∈Z) that can be calculated from the first prime number p, and a divisor in which a divisor is stored in advance for each divisor identification information Storage means; random number generation means for generating random numbers as the first prime candidate p; and second prime number candidate calculation for calculating the second prime number candidate f (p) based on the first prime number candidate p. Means, trial division execution means for individually executing trial division by divisor for each divisor identification information in the divisor storage means for each prime number candidate p, f (p), and in the divisor storage means When the result of all the trial divisions by all the divisors has a remainder, for each prime number candidate p, f (p) Fermat's little theorem is a prime number generator with a prime number judging means for performing a primality test including.

  The second invention is a first prime number for a polynomial f (X) ∈Z [X] of integer coefficients whose constant term is not 0 (where X is an arbitrary integer and Z is an element whose element is X). A prime number generation device that generates p (∈Z) and a second prime number f (p) (∈Z) that can be calculated from the first prime number p, and a divisor is stored in advance for each divisor identification information. A divisor storage means for storing the remainder of the trial division result in association with the divisor identification information, a random number generating means for generating a random number as the first prime number candidate p, and the first prime number candidate p. When the result of trial division by the first division execution means and the first division execution means for executing trial division individually by the divisor for each divisor identification information in the divisor storage means has a remainder k, A remainder writing means for writing the remainder k to the divisor storage means and writing by the remainder writing means A polynomial calculation means for calculating the polynomial f (k) based on the remainder k, and a trial division for the polynomial f (k) by the divisor for each divisor identification information in the divisor storage means And the second prime number candidate p and the second prime number candidate f (p) when the result of all trial divisions by all the divisors in the divisor storage means has a remainder. On the other hand, it is a prime number generating device provided with a prime number judging means for executing a prime number judging method including Fermat's little theorem.

(Function)
According to the first aspect of the present invention, a safe prime is generated by generating the first prime number p and the second prime number f (p) having a polynomial form that can be calculated from the first prime number p and whose constant term is not 0. The second prime number having the form of a polynomial of the first prime number can be generated without being limited to the prime number of the shape.

  In addition to this, according to the first invention, after performing trial division that can be calculated at high speed first, a full-fledged prime number determination method (prime number determination method including Fermat's small theorem) is used. Therefore, the first and second prime numbers p and f (p) described above can be generated at high speed.

  According to the second invention, in addition to the effects of the first invention, the trial division related to the second prime candidate f (p) is performed by the trial division related to the polynomial f (k) of the remainder k. Unlike the prior art, trial division can be performed in word size, so that the first and second prime numbers p and f (p) can be generated even faster.

  The first and second inventions are expressed as “devices”, but are not limited thereto, and may be expressed as “programs”, “methods”, or “computer-readable storage media”.

  As described above, according to the present invention, the second prime number having a polynomial form of the first prime number can be generated at high speed without being limited to the prime number of the safe prime type.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, terms such as random numbers, prime numbers, prime candidates, constant terms, integer coefficients, polynomials, divisors, and remainders are used. These are random number data, prime number data, prime candidate data, constant term data, integers, etc. The term “data” may be added and read as coefficient data, polynomial data, divisor data, remainder data, or the like.

(First embodiment)
FIG. 1 is a schematic diagram showing a configuration of a prime number generating apparatus according to the first embodiment of the present invention. The prime number generation apparatus 10 is configured to calculate an integer coefficient polynomial f (X) ∈Z [X] whose constant term is not 0 (where X is an arbitrary integer, Z is a set having the integer X as an element), One prime number p (εZ) and a second prime number f (p) (εZ) that can be calculated from the first prime number p are generated. Here, the second prime number f (p), for example the degree of the polynomial is n, the integer coefficients for each order _{a n, a n-1,} ..., and a _2, a _1, a constant term was a ₀ Is calculated as shown in the following equation.

f (p) = a _n · p ⁿ + a _n−1 · p ⁿ⁻¹ +... + a ₂ · p ² + a ₁ · p + a ₀
Such a second prime number f (p) is safe prime 2p + 1 when the order n = 1, the integer coefficient a ₁ = 2 and the constant term a ₀ = 1. However, the second prime number f (p) is not limited to the safe prime 2p + 1.

  Specifically, the prime number generation device 10 is configured as a prime number generation unit of a computing machine such as a mobile phone or a smart card, and performs prime number generation processing by a combination of hardware and software.

  For example, in the prime number generation device 10, a program storage unit 11, a table storage unit 12, a RAM 13, an input / output I / F 14, a CPU (central processing unit) 15, a random number generation unit 16, and a calculation unit 17 are connected to each other via a bus. ing.

  The program storage unit 11 is a memory as a hardware resource in which a program executed by the CPU 15 is stored. For example, a ROM (read only memory) can be used. Here, the program is for realizing the prime number generation function shown in FIG. 3 or FIG. 4, for example. As this prime number generation function, for example, the following functions (f11-1) to (f11-5) are included.

(f11-1) A function of previously storing a divisor table T in which a divisor is stored for each divisor identification information in the table storage unit 12.
(f11-2) A function for generating a random number as the first prime candidate p under the control of the random number generator 16.
(f11-3) A second prime number candidate calculation function for calculating the second prime number candidate f (p) based on the first prime number candidate p under the control of the calculation unit 17.
(f11-4) Trial division execution function for performing trial division individually for each prime number candidate p, f (p) by divisor for each divisor identification information in the divisor table T under the control of the arithmetic unit 17 .
(f11-5) When the result of all the trial divisions by all the divisors in the divisor table T has a remainder under the control of the arithmetic unit 17, Fermat's small is obtained for each prime candidate p, f (p). Prime number judgment function that executes prime number judgment methods including theorems.

  Such a program may be installed in the program storage unit 11 in advance from an external storage medium or a network.

  The table storage unit 12 is a RAM (Random Access Memory) as a hardware resource that can be read / written from the CPU 15. The table storage unit 12 stores a divisor table T in advance, and the CPU 15 stores data necessary for calculation, data being calculated, and the like. As shown in FIG. 2, the divisor table T is a table in which divisor primes [i] is described in advance for each divisor identification information i.

  The divisor identification information i is a natural number such as 1, 2,..., PRIMES_NUM-1, PRIMES_NUM, as described above. Here, the maximum value PRIMES_NUM of the divisor identification information i is set to 6542.

  The divisor primes [i] is the i-th prime number counted in ascending order. An explanation of such divisor sequences is given in the literature (D. E. Knuth (translated by Keisuke Nakagawa), “KNUTH 4th Volume Quasi-Numerical Arithmetic / Arithmetic Operations”, Science, p. 205, 1986.). Here, the maximum value of the divisor in the divisor table T is “65521”. The divisor table T may be included in advance in the program in the program storage unit 11.

  The non-volatile memory 13 is a memory as a hardware resource in which generated prime numbers p, f (p), etc. are stored so as to be readable / writable from the CPU 15, for example, an EEPROM (Electric Erasable Programmable ROM) is used. It is possible. However, the nonvolatile memory 13 is not essential and may be omitted.

  The input / output I / F 14 is an interface device between the prime number generation device 10 and an information device that holds the prime number generation device 10. For example, the prime number generation command is input and the prime numbers p, f (p ) Is output.

  As the information equipment here, any device can be applied as long as it performs some kind of cryptographic processing. Some encryption processing is, for example, encryption processing, decryption processing, signature generation processing, or signature verification processing in a public key cryptosystem. Examples of the information equipment include devices that can be carried by each user, such as smart cards or mobile phones. The usage of the information device is arbitrary, and examples thereof include non-anonymous or anonymous user authentication.

  The CPU 15 has a function of executing the prime number generation process by controlling the units 12 to 17 by executing the program in the program storage unit 11, for example, according to the procedure shown in FIG.

  The random number generation unit 16 is a random number generation circuit as a hardware resource that is controlled by the CPU 15 to generate a random number p and sends the random number p to a bus. Here, the random number p generated by the random number generation unit 16 may be a true random number or a pseudo-random number.

  Note that the random number generation unit 16 is not limited to being realized by independent hardware resources, but may be realized by the CPU 15 and a program. Alternatively, the random number generation unit 16 may be omitted and the random number p may be input from the outside.

  The arithmetic unit 17 is an arithmetic circuit as a hardware resource that is controlled by the CPU 15 and executes an arithmetic operation based on, for example, data input from the CPU 15 and outputs an arithmetic result to a bus. Note that the arithmetic unit 17 is provided as an independent hardware circuit from the viewpoint of improving the processing speed, and can perform multiple-length arithmetic such as a coprocessor, but is not limited to the hardware circuit. Instead, it may be realized by the CPU 15 and a program.

  Note that such a prime number generation device 10 is not limited to a combination of hardware and software, and may be configured by either hardware or software.

  Next, a prime number generation method by the prime number generation apparatus configured as described above will be described with reference to the flowcharts of FIGS. First, a large difference from the prior art will be briefly described with reference to FIG. 3, and then a prime number generation method will be described with reference to FIG. Note that the description of FIG. 4 can be read as the description of FIG. 3 when the polynomial f (p) is defined in the form of 2p + 1.

  The difference from the prior art is that, as shown in FIG. 3, the full prime number determination step ST5 of the first prime number candidate p is changed to the simple prime number determination steps (ST1 to ST4 and ST and ST) of the first and second prime number candidates p and f (p). This is to be executed after ST6 to ST9). In addition, as shown in FIG. 4, in order to generate the second prime number f (p) instead of the conventional second prime number 2p + 1, steps ST7 ′, ST8 ′, ST10 relating to the second prime number f (p) are generated. 'Is a dash. Hereinafter, this will be described in sequence with reference to FIG.

  First, it is assumed that an information device (not shown) needs to generate a first prime number p and a second prime number f (p) during some cryptographic processing. Here, in the information device, a prime number generation command is input to the held prime number generation device 10 via the input / output I / F 14.

  In the prime number generation device 10, upon receiving a prime number generation command, the CPU 15 initializes the divisor identification information i as i = 0 (ST1).

  Subsequently, in the prime number generation device 10, the CPU 15 controls the random number generation unit 16, and the random number generation unit 16 generates a random number p as a first prime number candidate (ST2). Note that the order of steps ST1 and ST2 may be reversed.

  Next, the prime number generation apparatus 10 performs trial division sequentially from the divisor identification information i = 1 using the divisor table T held in advance for the first prime number candidate p (ST3).

  Specifically, the CPU 15 inputs the first prime candidate p and the divisor primes [i] for each divisor identification information i in the divisor table T to the computing unit 17 via the bus. The arithmetic unit 17 divides the first prime number candidate p by the divisor primes [i] and outputs the obtained remainder to the bus.

  When the remainder obtained by dividing the first prime candidate p by the divisor primes [i] is 0 (p ÷ primes [i] = 0), or when the division when the divisor identification information i is the maximum value PRIMES_NUM is finished (I = PRIMES_NUM), the trial division in step ST3 ends.

  The CPU 15 determines whether or not the divisor identification information i when the trial division in step ST3 ends is the maximum value PRIMES_NUM (ST4). If not (if trial division fails), step ST1 is performed. Return to.

  On the other hand, as a result of the determination in step ST4, when the divisor identification information i is the maximum value PRIMES_NUM (when the trial division is successful), the CPU 15 initializes the divisor identification information i as i = 0 (ST6).

Subsequently, in the prime number generation device 10, the CPU 15 controls the calculation unit 17, and the calculation unit 17 calculates the polynomial f (p) as the second prime number candidate (ST7 '). Specifically, CPU 15 includes a first prime candidate p, based on the shape of a predetermined polynomial f (X), the order n, n-1, ..., integer coefficient for each 2,1 and order a _n, a _n−1 ,..., a ₂ , a ₁ are sequentially input to the arithmetic unit 17 via the bus. The computing unit 17 calculates the power of the degree for the first prime candidate p based on the first prime candidate p, the order of the polynomial f (X), and the integer coefficient for each order, and the obtained power result And the integer coefficient are written, and the variable term of the obtained polynomial is written to the RAM (table storage unit 12) via the bus. Further, the CPU 15 obtains the variable terms a _n · p ⁿ , a _n-1 · p ^n-1 , ..., a ₂ · p ² , a ₁ · p and the constant term a ₀ from the nth order to the first order. It inputs to the calculating part 17 via a bus | bath. The arithmetic unit 17 adds the variable term and the constant term, and writes the obtained polynomial f (p) to the RAM (table storage unit 12) via the bus. Note that the order of steps ST6 and ST7 ′ may be reversed.

  Next, the prime number generating apparatus 10 performs trial division on the second prime number candidate f (p) composed of the polynomial f (p) using the divisor table T as described above (ST8 ').

  When the remainder obtained by dividing the second prime candidate f (p) by the divisor primes [i] is 0 (f (p) ÷ primes [i] = 0), the CPU 15 of the prime number generation apparatus 10 or the divisor identification information i is When the division for the maximum value PRIMES_NUM is completed (i = PRIMES_NUM), the trial division in step ST8 ′ is terminated.

  The CPU 15 determines whether or not the divisor identification information i when the trial division in step ST8 ′ is completed is the maximum value PRIMES_NUM (ST9). If not (step trial division fails), the step is performed. Return to ST1.

  On the other hand, when the divisor identification information i is the maximum value PRIMES_NUM as a result of the determination in step ST9 (when the trial division is successful), the CPU 15 determines simple prime numbers p and f (p) (ST1 to ST4 and ST6 to ST9). ) Ends. In other words, the CPU 15 ends the simple prime number determination (ST1 to ST4, ST6 to ST9) of p and f (p) when the result of all the trial divisions by all the divisors in the divisor table T has a remainder. .

  Next, the prime number generation device 10 executes a full-scale prime number determination method including Fermat's small theorem, such as the Fermat method, for the first prime number candidate p (ST5). Specifically, the CPU 15 controls the arithmetic unit 17 according to a predetermined prime number determination algorithm to execute the prime number determination.

  Here, as a predetermined prime number judgment method, from the viewpoint of high-speed judgment, the prime number judgment method using Fermat's small theorem is improved, and if it is investigated to some extent, the prime number candidate is a prime number. It uses what can be determined probabilistically or deterministically. Among such prime number determination methods, examples of the probabilistic prime number determination method include the Fermat method, the Solovay-Strassen method, and the Rabin method. Examples of deterministic prime number determination methods include the Miller method, the Adleman-Rumely method, the Cohen-Lenstra method, and the like. The explanation of the prime number judgment method described here is described in literature (Shinichi Ikeno and Kenji Koyama, “Contemporary Cryptography”, The Institute of Electronics, Information and Communication Engineers, Corona, p240-241, 1986).

  As a result of the prime number determination in step ST5, when the first prime number candidate p is not a prime number (in the case of NG), the prime number generation apparatus 10 returns to step ST1.

  As a result of the prime number determination in step ST5, when the first prime number candidate p is a prime number (in the case of OK), the prime number generation device 10 applies the Fermat method or the second prime number candidate f (p) as described above. Full-fledged prime number determination such as the Miller-Rabin method is performed (ST10 ').

  As a result of the prime number determination in step ST10 ', if the second prime number candidate f (p) is not a prime number (in the case of NG), the prime number generation apparatus 10 returns to step ST1.

  As a result of the prime number determination in step ST10 ′, when the second prime number candidate f (p) is a prime number (in the case of OK), the prime number generation device 10 generates the second prime number f (p), the first prime number p, Are output from the input / output I / F 14.

According to the present embodiment as described above, the first prime number p, the calculation can be constant term from the first prime number p (a ₀₎ is not zero polynomial _{f (p) (= a n} · p n + a _n-1 · p ^n-1 +... + a ₂ · p ² + a ₁ · p + a ₀ The second prime number f (p) having the polynomial form of the first prime number p can be generated.

  In addition to this, according to the present embodiment, after performing trial division that can be calculated at high speed, a configuration for performing a full-fledged prime number determination method (a prime number determination method including Fermat's little theorem) is used. Since the execution rate of such a full prime number determination method can be reduced, the first and second prime numbers p and f (p) described above can be generated at high speed.

(Second Embodiment)
Next, a second embodiment of the present invention will be described with reference to FIG. That is, this embodiment is a modification of the first embodiment, and from the viewpoint of reducing the size of trial division and speeding up prime generation, trial division related to the second prime number candidate f (p). Is performed by trial division with respect to the polynomial f (k) of the remainder k.

  Accordingly, as shown in FIG. 5, the divisor table T stores divisor primes [i] for each divisor identification information i in advance, and the remainder k [i] of the trial division result is stored in the divisor identification information i. It is associated and stored.

The program in the program storage unit 11 includes the following functions (f11-1 ′) to (f11-5).
(f11-1 ′) A function of writing a divisor table T in which a divisor is stored in advance for each divisor identification information and the remainder of the trial division result is stored in association with the divisor identification information in the table storage unit 12.
(f11-2) A function for generating a random number as the first prime candidate p under the control of the random number generator 16.
(f11-6) A first division execution function for performing trial division individually on the first prime candidate p by the divisor for each divisor identification information in the divisor table T under the control of the arithmetic unit 17.
(f11-7) A remainder writing function for writing the remainder k to the divisor table T when the result of the trial division by the first division execution function has the remainder k under the control of the computing unit 17.
(f11-8) A polynomial calculation function for calculating the polynomial f (k) based on the remainder k written by the remainder writing function under the control of the calculation unit 17.
(f11-9) A second division execution function for individually performing trial division on the polynomial f (k) by the divisor for each divisor identification information in the divisor table T under the control of the calculation unit 17.
(f11-5) When the result of all trial divisions by all divisors in the divisor table T has a remainder under the control of the arithmetic unit 17, the first prime candidate p and the second prime candidate f (p) On the other hand, a prime number judgment function that executes a prime number judgment method including Fermat's little theorem.

  Next, a prime number generation method by the prime number generation apparatus configured as described above will be described with reference to the flowcharts of FIGS. First, a large difference from the prior art will be briefly described with reference to FIG. 6, and then a prime number generation method will be described with reference to FIG. The description with reference to FIG. 7 can be read as the description with reference to FIG. 6 when the polynomial f (p) is defined in the form of 2p + 1 as described above.

  The difference from the prior art is that, as shown in FIG. 6, the full prime number determination step ST5 of the first prime number candidate p is executed immediately before the full prime number judgment step ST10 of the second prime number candidate f (p), Instead of simple prime number determination steps (ST1 to ST4 and ST6 to ST9) with multiple precision (twice the prime candidate p), simple prime number determination steps of word size (twice the remainder k, divisor primes [i]) (ST20) is executed. In addition, as shown in FIG. 7, in order to generate the polynomial f (p) or f (k) instead of the conventional second prime number 2p + 1, step ST10 related to the polynomials f (p) and f (k) is generated. ', ST23' and ST24 'are given a dash symbol. Hereinafter, description will be made sequentially with reference to FIG.

  Now, as described above, in the prime number generating apparatus 10, it is assumed that the divisor identification information i is initialized as i = 0 (ST1) and the random number p as the first prime number candidate is generated (ST2). As described above, the order of steps ST1 and ST2 may be reversed.

  Next, the prime number generation apparatus 10 executes trial division including the following steps ST21 to ST25 (ST20 ').

  That is, the prime number generation apparatus 10 obtains the remainder k by performing trial division sequentially from the divisor identification information i = 1 using the divisor table T held in advance for the first prime number candidate p (ST21). ). Specifically, the CPU 15 inputs the first prime candidate p and the divisor primes [i] for each divisor identification information i in the divisor table T to the computing unit 17 via the bus. The arithmetic unit 17 divides the first prime candidate p by the divisor primes [i], and outputs the obtained remainder k (= p ÷ primes [i]) to the bus.

  The CPU 15 determines whether or not the remainder k is not zero (k ≠ 0) (ST22). If not (if k = 0), the CPU 15 returns to step ST1.

  On the other hand, if the result of the determination in step ST22 is that the remainder k is not zero (when k ≠ 0), the CPU 15 writes the remainder k in the divisor table T in association with the corresponding divisor identification information i.

Thereafter, in the prime number generating apparatus 10, the CPU 15 controls the calculation unit 17, and the calculation unit 17 calculates the polynomial f (k) based on the remainder k (ST23 '). Specifically, CPU 15 includes a remainder k, on the basis of the shape of a predetermined polynomial f (X), the order n, n-1, ..., integer coefficient for each 2,1 and order a _n, a _{n- 1} ,..., A ₂ , a ₁ are sequentially input to the arithmetic unit 17 via the bus. The computing unit 17 calculates the power of the degree with respect to the remainder k based on the remainder k, the order of the polynomial f (X), and the integer coefficient for each order, and multiplies the obtained power result and the integer coefficient. Then, the obtained polynomial variable term is written to the RAM (table storage unit 12) via the bus. Further, CPU 15 is variable term a _n · k ⁿ from the n-th order to first ^{_{order, a n-1 · k n}} -1, ..., and ^{_{a 2 · k 2, a 1}} · k, a constant term a ₀ The data is input to the arithmetic unit 17 via the bus. The arithmetic unit 17 adds the variable term and the constant term, and writes the obtained polynomial f (k) to the RAM (table storage unit 12) via the bus.

  Next, the prime number generation apparatus 10 performs trial division on the polynomial f (k) using the divisor table T as described above. The remainder obtained by trial division of the polynomial f (k) is the same value as the remainder obtained by trial division of the polynomial f (p) described above. For this reason, the trial division of this embodiment has an advantage that the calculation size can be reduced.

  After the trial division, the CPU 15 of the prime number generation apparatus 10 determines whether the remainder obtained by dividing the polynomial f (k) by the divisor primes [i] is not zero (f (k) ÷ primes [i] ≠ 0). (ST24 ').

  If the result of determination in step ST24 'is negative (if f (k) ÷ primes [i] = 0), the process returns to step ST1.

  On the other hand, if the result of determination in step ST24 ′ is not zero (if f (k) ÷ primes [i] ≠ 0), the CPU 15 updates the divisor identification information i by +1 (ST25), and proceeds to step ST21. Return and continue processing.

  The process (ST20 ') from step ST21 to ST25 is continued until the process of ST24' when the divisor identification information i is the maximum value PRIMES_NUM is completed.

  When the divisor identification information i when the process of step ST24 'is completed is the maximum value PRIMES_NUM, the CPU 15 ends the process of step ST20'. In other words, the CPU 15 ends the simple prime number determination (ST20 ') of p and f (p) when the result of all the trial divisions by all the divisors in the divisor table T has a remainder.

  Subsequently, the prime number generation device 10 executes a full-scale prime number determination method including Fermat's small theorem, such as the Fermat method, for the first prime number candidate p (ST5). Specifically, the CPU 15 executes the prime number determination by controlling the arithmetic unit 17 according to the algorithm of the predetermined prime number determination method described above.

  As a result of the prime number determination in step ST5, when the first prime number candidate p is not a prime number (in the case of NG), the prime number generation apparatus 10 returns to step ST1.

  As a result of the prime number determination in step ST5, when the first prime number candidate p is a prime number (in the case of OK), the prime number generation device 10 calculates the second prime number candidate f (p). Thereafter, the prime number generating apparatus 10 executes a full-fledged prime number determination method such as Fermat method or Miller-Rabin method on the second prime number candidate f (p) as described above (ST10 ').

  As a result of the prime number determination in step ST10 ', if the second prime number candidate f (p) is not a prime number (in the case of NG), the prime number generation apparatus 10 returns to step ST1.

  As a result of the prime number determination in step ST10 ′, when the second prime number candidate f (p) is a prime number (in the case of OK), the prime number generation device 10 generates the second prime number f (p), the first prime number p, Are output from the input / output I / F 14.

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, the trial division for the second prime candidate f (p) is performed by the trial division for the polynomial f (k) of the remainder k. Unlike the conventional multiple precision trial division, the configuration allows execution of word size trial division, so that the first and second prime numbers p and f (p) can be generated even faster. .

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the prime number generator which concerns on the 1st Embodiment of this invention. It is a schematic diagram for demonstrating the structure of the divisor table in the embodiment. It is a flowchart for demonstrating the prime number generation method in the embodiment. It is a flowchart for demonstrating the prime number generation method in the embodiment. It is a schematic diagram for demonstrating the structure of the divisor table in the 2nd Embodiment of this invention. It is a flowchart for demonstrating the prime number generation method in the embodiment. It is a flowchart for demonstrating the prime number generation method in the embodiment. It is a flowchart for demonstrating the general prime number generation method.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Prime number generator, 11 ... Program storage part, 12 ... Table storage part, 13 ... Non-volatile memory, 14 ... Input-output I / F, 15 ... CPU, 16 ... Random number generation part, 17 ... Calculation part, T ... Division table.

Claims (6)

For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A prime number generating device for generating a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A divisor storage means in which a divisor is stored in advance for each divisor identification information;
Random number generating means for generating a random number as the first prime number candidate p;
Second prime number candidate calculating means for calculating the second prime number candidate f (p) based on the first prime number candidate p;
Trial division execution means for individually performing trial division for each prime number candidate p, f (p) by a divisor for each divisor identification information in the divisor storage means;
A prime number for executing a prime number determination method including Fermat's small theorem for each prime number candidate p, f (p) when the result of all trial divisions by all divisors in the divisor storage means has a remainder A determination means;
A prime number generating apparatus comprising: For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A prime number generating device for generating a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A divisor is stored in advance for each divisor identification information, and a divisor storage means for storing a remainder of the trial division result in association with the divisor identification information;
Random number generating means for generating a random number as the first prime number candidate p;
First division execution means for individually performing trial division on the first prime number candidate p by a divisor for each divisor identification information in the divisor storage means;
When the result of trial division by the first division execution means has a remainder k, a remainder writing means for writing the remainder k into the divisor storage means;
Polynomial calculation means for calculating the polynomial f (k) based on the remainder k written by the remainder writing means;
Second division execution means for individually performing trial division on the polynomial f (k) by a divisor for each divisor identification information in the divisor storage means;
When the result of all trial divisions by all divisors in the divisor storage means has a remainder, Fermat's little theorem is included for the first prime number candidate p and the second prime number candidate f (p). A prime number judging means for executing a prime number judging method;
A prime number generating apparatus comprising: For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A program of a prime number generating device for generating a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A computer of the prime number generating device;
A divisor storage means in which a divisor is stored in advance for each divisor identification information;
Random number generating means for generating a random number as the first prime candidate p,
Second prime number candidate calculating means for calculating the second prime number candidate f (p) based on the first prime number candidate p;
Trial division execution means for individually performing trial division for each prime number candidate p, f (p) by a divisor for each divisor identification information in the divisor storage means;
A prime number for executing a prime number determination method including Fermat's small theorem for each prime number candidate p, f (p) when the result of all trial divisions by all divisors in the divisor storage means has a remainder Determination means,
Program to function as. For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A program of a prime number generating device for generating a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A computer of the prime number generating device;
A divisor storage unit in which a divisor is stored in advance for each divisor identification information, and a remainder of the trial division result is stored in association with the divisor identification information;
Random number generating means for generating a random number as the first prime candidate p,
First division execution means for individually performing trial division on the first prime number candidate p by a divisor for each divisor identification information in the divisor storage means;
When the result of trial division by the first division execution means has a remainder k, a remainder writing means for writing the remainder k to the divisor storage means;
Polynomial calculating means for calculating the polynomial f (k) based on the remainder k written by the remainder writing means;
Second division execution means for individually performing trial division on the polynomial f (k) by a divisor in the divisor storage means;
When the result of all trial divisions by all divisors in the divisor storage means has a remainder, Fermat's little theorem is included for the first prime number candidate p and the second prime number candidate f (p). A prime number judging means for executing a prime number judging method;
Program to function as. For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A prime number generation method executed by a prime number generation device that generates a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A divisor storage step for storing a divisor in memory for each divisor identification information in advance;
A random number generation step of generating a random number as the first prime candidate p;
A second prime number candidate calculating step of calculating the second prime number candidate f (p) based on the first prime number candidate p;
A trial division execution step of individually performing trial division on each prime candidate p, f (p) by a divisor for each divisor identification information in the memory;
A prime number determining step of executing a prime number determination method including Fermat's little theorem for each prime number candidate p, f (p) when the result of all trial divisions by all divisors in the memory has a remainder When,
A prime number generation method characterized by comprising: For an integer coefficient polynomial f (X) ∈Z [X] where the constant term is not 0 (where X is an arbitrary integer, Z is a set whose elements are X), the first prime number p (∈Z) and A prime number generation method executed by a prime number generation device that generates a second prime number f (p) (εZ) that can be calculated from the first prime number p,
A divisor storage step for storing a divisor in memory for each divisor identification information in advance;
A random number generation step of generating a random number as the first prime candidate p;
A first division execution step of individually performing trial division on the first prime number candidate p by a divisor for each divisor identification information in the memory;
When the result of the trial division by the first division execution step has a remainder k, a remainder writing step of writing the remainder k in the memory in association with the divisor identification information;
A polynomial calculation step of calculating the polynomial f (k) based on the remainder k written in the memory;
A second division execution step of individually performing trial division on the polynomial f (k) by a divisor for each divisor identification information in the memory;
When the result of all trial divisions by all the divisors in the memory has a remainder, the prime number determination including Fermat's small theorem for the first prime number candidate p and the second prime number candidate f (p) A prime number determining step for executing the method;
A prime number generation method characterized by comprising:

Images