JPH0237383A - Prime number generating system - Google Patents

Abstract

PURPOSE:To effectively generate a prime number (p) by denoting a large prime factor contained in p-1 and a large prime factor contained in P+1 as (r) and (s), respectively, inputting (r) and (s) and using a computer. CONSTITUTION:A large prime factor to be contained in p-1 and a large prime factor to be contained in p+1 are denoted as (r) and (s), respectively, and by inputting (r) and (s), (g) which becomes s.g=1(mod r) is derived, and (p) which becomes p=U+2m.r.s is derived by setting U=-1+2.s.g (mod r s). In such a manner, a prime number candidate (p) in which p-1 contains the large prime factor (r), and also, p+1 contains the large prime factor (s) is generated. As a result the prime number candidate (p) being strong against a (p+ or -1) method prime factorization can be obtained effectively.

Description

[Detailed Description of the Invention] [Field of Industrial Application] The present invention relates to a prime number generation technology that is also strong against (p±1) modulus prime factorization, and is used to generate keys for public key cryptography. .

[Conventional technology]

As the era of business communications begins, in which meetings and various transactions are conducted electronically via communication networks, the need for information security is increasing. R3A encryption method and RAB, which are one of the encryption technologies to ensure information security.
The IN encryption method is considered to be a useful encryption method because it not only protects data but also has the function of authenticating the other party.

Furthermore, the long encryption processing time, which had been considered a practical bottleneck, has now been speeded up due to advances in hardware and software, and it is thought that the R3A encryption method will attract more and more attention in the future.

[Problem to be solved by the invention]

The R8A encryption system requires a private key and a public key as an encryption key, but it is said to be computationally difficult to estimate the private key from the public key. In other words.

The security of the R8A encryption method is based on the public key n=p×q(
p+q is a prime number) depends on the difficulty of factoring into prime factors. However, (p±1) modulus factorization is (p−1)
Alternatively, if (p + 1) consists only of products of small prime numbers, this indicates that there is an effective prime factorization method. Therefore, in order to avoid the attack of prime factorization using the (p±1) method, a method is needed that satisfies the condition that (P±1) and (q±1) include large prime numbers.

Furthermore, in generating the prime number P+'T, prime number candidates that satisfy the above conditions are set, and whether or not they are prime numbers is determined. Fermat's theorem, which requires exponent calculation, is used to determine primality, so determining large primality requires calculation time.

For primality testing, the Solovey-Stratsen method, which uses Fermat's theorem, is generally used. An outline of the determination method for Soloveystratus is shown below.

Let m be the number you want to judge, gcd(a + m) =
Select a random number a (1≦a≦m−1) that satisfies 1.

If m is a prime number, the following equation holds.

J (a, m) = a”-1)/2(nod m
) ・= (1) The Jacobian function is a recursive function of first order 6J (a, m) = If a is 1, 1 If a is even, J (a / 2, m) x (-1) (”1)/8a
If is an odd number, J(m(lIlod a), a))X(1)(a-”(
I-1) If 74m is a sufficiently large integer, m is determined to be a prime number if formula 1) holds true for some prime numbers 8, but as seen from the above formula, there are too many It takes time because it requires index calculation.

Therefore, by determining whether the number is a multiple of a known small prime number, the selection of numbers to be prime number candidates can be carefully considered in advance, and prime number generation can be sped up.

Regarding R8A encryption key generation including these prime number generation,
Patent Application Publication No. 57-502145 described above has been published, but the problem is that it does not take into account the condition for p that simultaneously satisfies the condition that (p - 1) and (p + 1) each contain a large prime number. There is.

Furthermore, in the publication of the above patent application, the selection of prime number candidates is
This is done by evaluating the product of known prime numbers and the greatest common divisor of prime number candidates, but there is also the problem that the optimal value of the range of known prime numbers is not evaluated. In R8A encryption, RABIN encryption, etc., 128 bits, 2
Since a multiple-precision prime number such as 56 bits is required, it is necessary to select prime number candidates in particular.Since the product of known prime numbers increases rapidly, there is a limit to the number of known prime numbers that can be set. Since there are program constraints due to double-length calculations, range evaluation of known prime numbers is essential for practical use in key generation.

[Means to solve the problem]

In order to solve the above-mentioned interlayer, the following means are used.

1. Efficiency of prime candidates that are strong against ±1 modulus solutions based on the country's remainder series Let r be the large prime factor that p−i should contain, S be the large prime factor that p+1 should contain, and with r and S as inputs, p− 1 produces a prime number p containing a large prime factor r, and p+1 contains a large prime factor S.

P-1 contains a large prime factor r.

9 p = 1 (mad r)
-(2) p+1 includes a large prime factor S.

a p = −1 (mod s )
-(3C Find p that satisfies equations (2) and (3) using the following lemma of the Chinese remainder theorem.

Since s and r are mutually connected, there is a backlight g of S in the modulus r. That is, Seg=1 (IIIOd r)
...(4) Here, in the above lemma, x==-1,
If y=1, U=x+(y-x)+s+ g(mod rs)=-1
+2+ S ″ g (IIlOdrS), p=U+2mr s...
(5), p satisfies equations (2) and (3). Here, m is any integer except O. Conversely, equation (4).

(3) Any p that satisfies equation (3) under the modulus rs.

It becomes equivalent to equation (5). Therefore, by calculating equations (4) and (5), p that satisfies one condition (2) and (3) is determined.

Set as a prime number candidate.

Optimize the setting range of the known prime number group {3, 5, 7, ..., i(h)} by performing one expectation value evaluation. .

In a method for generating a prime number of order n, initial data k is given as input data, and an odd number r that is a prime number candidate is set based on k.

On the other hand, a group of known prime numbers {3, 5, 7, . . . , i(h)) is set. Here, m i (h) indicates the h-th prime number counting from prime number 3, and the prime number setting time and processing preparation time for determining whether r is a multiple of a known prime number are to( h), and let ta(h) be the time for determining whether r is a multiple of a known prime number.

Let tb be the time for determining whether an odd number r is a prime number or not by a method using Fermat's theorem. If it is not a prime number, the next prime number candidate r is set and the above procedure is repeated to generate a prime number.

At this time, if M = 3, 5, 7...1 (h),
Probability that the odd number r is not a multiple of any prime number (3, 5, 7..., i(h)): Z(h) is the following formula% However, φ(M) is It is Euler's function.

The average time it takes to obtain an odd number r that is not a multiple of any prime number (3, 5, 7..., i(h)}: ta'(h
) becomes , and the interval W of scattering of prime numbers around order n
is given by a linear equation.

dn In n (in n)2 The probability of obtaining a prime number candidate that is not a multiple of a known prime number: p(h) is given by the following equation.

p(h)=...(
9) z(h)・-・W The expected time T(h) until a prime number is obtained is T(h)=
to(b)+P(h) (ta(h)+tb)+(I
P(h))'P(h) ・2 ・(t a(h)+t
b) + (1-P(h))2・P(h) ・3 ・(t,
a (h)+t b)+・・・・・・・・・ +(1-P(h))'P(h)(j+1)(t a(h
) 10t b)+・・・・・・・・・=to(h)+(t b+t a (h))”F!(h
)...(10) Find in advance h such that the value of 5 expected value T(h) is small, and find the optimal prime number group (3, 5, 7...white, i(h
)}.

[Effect]

The technical means described above result in the following effects.

The large prime factor that P-1 should contain is r, the large prime factor that p+l should contain is S, and r and S are separated to find g such that s-g=1 (+10d r), and U=-1
+2 ・sg(+iod r s) and p=U
By finding p such that +2m + r -s, p-1 becomes a large prime factor r
and P+1 is a prime number candidate p containing a large prime factor S
generate.

Conventionally, the calculation formula for calculating U that was shown by J. The amount of calculation is large compared to

Therefore, it is possible to effectively obtain a prime number candidate p that is strong against (P+1) prime factorization.

2. Speeding up prime number generation Using the evaluation formula given by equation (10) above, it is possible to set the optimal prime number group (3, 5, 7, . . . , i(h)).

As a result, in prime number generation, before performing primality test using Felmer's theorem, the prime number (3, 5, 7..., i
(h)} By determining whether or not the number is a multiple of }, it is possible to optimally narrow down the number of prime number candidates, thereby realizing efficiency of prime number generation.

〔Example〕

The present invention will be explained in detail with reference to FIGS. 1 to 5.

FIG. 1 shows a hardware configuration for implementing the optimal prime number group setting method according to the present invention. generates an asymmetric encryption key. Since the generated asymmetric key is a private key and a public key, it is necessary to manage the key adequately.

Therefore, the private key (8) is stored on the floppy disk 105 through the floppy disk reader/writer 106, or stored on the IC card 107 through the IC card reader/writer 108, and is not stored in the memory 104. The public keys (d, n) are temporarily stored in the memory 104 and distributed online, or stored and distributed in a floppy disk or IC card separate from the one used for storing the private key.

Below, referring to FIG. 2, the RAS encryption key generation processing procedure performed on the computer 101 will be explained.

5step201: Beginning.

5top202: Generates a prime p that is strong against (p±1) modulo prime factorization.

5tep203: Generate a prime number q that is strong against (P±1) modulo prime factorization.

5step 204: Generate key d.

5tap205: Generate keys e and n from Pp C1*d.

5 top 206: End.

In the above procedure, n is the product of prime number p and prime number q. The conditions that prime numbers p and q should have, that is, (p±1)
Generation process of prime numbers p and q that are difficult to factorize (s
The detailed procedure of steps 2 Q 2 and 5 tep 2 Q 3 will be explained with reference to the flowchart of FIG.

Here, the large prime numbers that (p-1) and (p + 1) should have are assumed to be r and s, respectively, and the same process is performed for q, which is shown in relation to the generation of the prime number p.

5step301: Beginning.

5step 302: Generate a prime number r.

5tap303: Generate prime number S.

5tep304: Find the inverse element g of S in sod r from the prime numbers r and s.

5tep305 :U=-1+2 Ts jg (+a
od rs), find U.

5tep306: Generate random number m. (However, m>
Step 307: Find p as p=:U'+2mrs.

5tep308: Known prime number group {3, 5, 7, −, i(
h) }.

5tep309: P is a prime number {3, 5, 7, ・=i(
Determine whether or not it is a multiple of h)). If it is a multiple of 6, proceed to 5tap 311; if it is not a multiple, proceed to 5tap 310.

5tep310: Determine whether P is a prime number or not.

If it is a prime number, go to 5tap312, if it is not a prime number, go to 5tap312.
Proceed to tap311.

5tap311: Add 2rs to P, 5tep30
Proceed to step 9.

5tap312: Finished.

Next, in FIG. 3, the generation process of prime numbers r and S (s
The detailed procedure of tep3 Q 2 and 5tap303 processing will be explained with reference to flowchart 1- in FIG. 4. Here, the generation of the prime number r will be described, but the same applies to S.

5 step 401: Beginning.

5tep402: Set the initial value k for random number generation and the bit length m of the generated prime number.

5tep403: Generate a random number based on k and m and set a prime number candidate r.

5top4 Q4: Set a small group of known prime numbers.

5tep405: Determine whether r is a multiple of a known prime number. If r is a multiple of a known prime number, 5top4 Q 7, otherwise 5
Proceed to top 406.

5tep406: Determine whether r is a prime number.

If it is a prime number, 5tap408, if it is not a prime number, 5tap408
Proceed to step 407.

5tep407: Set the next prime number candidate r, 5tep
Proceed to 405.

5top408: Outputs 14 number r and ends.

In the above procedure, 5tap404, 5tep405
, or by adding the processing of 5tap308 and 5tep309, 5tep406 or 5top
The number of times 310 is processed can be reduced. Therefore, 5t
The optimal size of the small group of known prime numbers in step ep404 or step ρ308 is evaluated in advance.

Next, with reference to the flowchart of FIG. 5, the range evaluation of the known prime number group for setting the known production number group in FIGS. 3 and 4 (processing in steps 308 and 5step 404) will be described.

5step501: Beginning.

5tsp502: Set the initial value for random number generation and the bit length m' of the generated prime number.

5tep503: Generate random numbers based on k' and m'.

Set prime number candidate n'.

5tep504: Find the interval W of scattering of prime numbers around n using the following formula.

i n'lnn', -1dn in
n' (in n')"5tap505: h
, Set the initial value of T(h).

5tsp506: Add 1 to h.

5tap507: Set a group of h known prime numbers starting with 3. Also, 5top 309 or 5tap
Processing necessary for the necessary preprocessing is also performed in step 405, and the processing time here is assumed to be to(h).

step 508: Determine whether r is a multiple of a known prime number. The processing time here is assumed to be ta()1).

5tap509: Determine whether r is a prime number.

The processing time here is assumed to be tb.

step 510: Find the expected value time until prime number generation using the following procedure.

(1) The probability z(h) of an odd number n becoming a prime 11 candidate is M=
3.5.7...1(h) is given by equation (6).

(2) The above 5tep 311, that is, the average time ta'(h) until obtaining A that is not a multiple of any of the prime numbers for multiple removal is given by equation (7).

(3) The probability p(h) that n' is a prime number at the end of 5tep 311 is given by equation (9).

(4) The expected value time T(h) until a prime number is obtained is (1
0) is given by Eq.

5tep511: T(h-1) T(h)>0
If so, return to step 506 and calculate T(h −1)−T
If (h)≦0, the process advances to step 512.

5top512: T(h) becomes the minimum value. Output h prime numbers starting from 3 as the optimal prime number group.

5tap513: Finished.

Modification 1 of the Embodiment In FIG. 3, 5top 304 and 5tep 305 are replaced with the following equations to set the prime number candidate U. Similar processing is performed for q.

5tep304: Find the backlight g' of r at lll0ds from the prime numbers r and s.

5tep305: U=1-2 +r referenceg' (n
od rs), find U.

Modification 2 of Embodiment Although expected value calculation is performed in Step 510, the evaluation method is not limited to this.

For example, in the above embodiment, T(h) in step 510 is replaced with the following formula.

Modification 3 of Example The value of h shown in the Example and Modification 1 is set depending on the size of the prime number to be generated and the computer. Since a certain amount of processing time is required to evaluate h, after determining the operational equipment,
h is evaluated in advance on the computer 102 by a program stored in the memory 104, and the relationship between the size of the generated prime number and h is stored in the memory.

Modification 4 of Embodiment RABIN encryption key generation is performed in the same procedure as in the above embodiment.

The RABIN encryption key is two large prime numbers p.

Select q and calculate its product n''p' q. Next, O≦
Define b to be b (n. At this time, the public key is (n, b
), and the secret key is (p, q).

Therefore, 5tep 204 to 5tep 206 in FIG.
are the following 5tep204', 5tep205'
, and generate a RABIN encryption key.

5tep204': Generate random numbers.

5tep205': End.

Modified example 5 of the embodiment Generate each random number (step 306, step 403), taking into consideration the bit length of the prime number to be generated to match the request.
, selection of prime number candidates (step 307 + 5step
311, 5tep407), a bit length adjustment function is added.

Modified example 6 of the embodiment The above is based on the premise that processing is performed by a program on a computer, but it may also be realized by implementing some or all of the calculations in Figures 2 to 5 to dedicated hardware. can.

〔effect〕

According to the present invention, there are the following effects.

(1) Previously announced J. Gordon formula U = sr″″” −r”−”
Compared to (mad r s ), the amount of calculation is small, and it is possible to efficiently obtain a prime number candidate p that is resistant to (p±1) private factorization.

(2) Is it a multiple of a prime number (3, 5, 7, etc., i(h)) before performing primality test using Fulmer's theorem?

The efficiency of prime number generation can be improved by optimally narrowing down the number of prime number candidates by determining whether or not this is the case.

[Brief explanation of the drawing]

FIG. 1 is a hardware configuration diagram implementing the optimal manufacturing number group setting method according to the present invention, and FIG. 2 is a diagram of the R8A including the present invention.
FIG. 3 is a flowchart of the encryption key generation procedure. FIG. 3 is a flowchart of the present invention's (p±1) prime number generation process that is strong against private factorization. The known prime number group of the present invention shown in FIGS. 3 and 4.

Claims (1)

[Claims] 1. Prime numbers r and s (r is (
In a system in which a prime number p is generated using a computer by inputting a large prime factor s that should be included in (p-1) is a large prime factor that should be included in (p+1), i,
j is an integer, m is a positive integer, and the inverse element g of s in the modulus r,
In other words, find g such that s・g=1 (mod r), and get U=(-1+i・s)+(2+j・r−i・s)s・g
(mod rs), and outputs p such that P=U+2mr s as a prime number candidate. 2. Prime numbers r and s (r is (
In this method, a prime number p is generated using a computer by inputting a large prime factor that p-1) should contain, and s a large prime factor that (p+1) should contain, where i and j are integers, m is a positive integer, and Find the inverse element g' of r in s, that is, g' such that r・g′=1 (mod s), and obtain U=(1+j・r)+(−2+i・s−j・r)s・g
'(mod rs), and p=U+2mr s is used as a prime number candidate. 3. A method of generating prime numbers with the same size as a predetermined odd number n using a computer, starting from the prime number 3, a set of h prime numbers arranged in ascending order, that is, {3, 5,
7, ..., i(h)} on the calculator, and
Let to(h) be the processing time required for the preparation process to determine whether n is a multiple of each prime number of {3, 5, 7, ..., i(h)}, and the odd number n For, n is {3, 5
, 7, . Let tb be the time to judge by computer, Z(h)=2/3・4/5・
...・i(h)-1/i(h)ta'(h)=ta(h
)/Z(h), ▲There are mathematical formulas, chemical formulas, tables, etc.▼, ▲Mathematical formulas, chemical formulas,
There are tables etc. ▼ When , T(h)=t_0(h)+(tb+ta'(h))・{
As P(h)-1+[1/P(h)}, for the value of h that makes the value of T(h) small, find a set of h prime numbers in advance, starting from prime number 3. , when determining whether an odd prime number candidate R having the same size as the n is a prime number, first, the R is the prime number {3, 5, 7, . . . , i(h)}. A prime number generation method characterized by determining whether the number is not a multiple of any one of the following, and after determining that it is not a multiple of any of the numbers, performing a primality test using the Fulmer theorem. 4. The above T(h) is T(h)=t_0(h)+ta(h)・1/2W+tb
・3rd term prime generation method where z(h)・1/2・W. 5. The odd prime number candidate R is the prime number {3, 5, 7, .
. . , i(h)}, the third term determines that R is not a prime number. 6. The odd prime number candidate R is the prime number {3, 5, 7, .
. rear,
The third term prime number generation method is set as a new R. 7. The odd prime number candidate R is the prime number {3, 5, 7, .
. . , i(h)}, the third
Prime number generation method for terms.