Higher-Order Safe Primes with Negative Signature: an Algorithmic Approach1

International Journal on Information Technologies & Security, No 1, 2009 1

HIGHER-ORDER SAFE PRIMES WITH NEGATIVE SIGNATURE: AN ALGORITHMIC APPROACH1

R. Durán Díaz1, L. Hernández Encinas2, J. Muñoz Masqué2

1Departamento de Automática, Universidad de Alcalá 2Instituto de Física Aplicada, CSIC e-mail(s): [email protected], [email protected], [email protected] Spain

Abstract: First, the definition and basic properties of higher-order safe primes are presented along with an explicit formula to compute the density of this class of primes in the set of the integers. Then the concept of generalised safe primes is presented and formulae are introduced to compute the density of this type of primes for the special case of the negative signatures. Key words: Distribution of safe primes; safe-prime signature; chains of primes; Hardy-Littlewood and Bateman-Horn conjectures; Public Key Cryptography.

1. INTRODUCTION Several popular public-key cryptosystems base their security on the problem of factorising a (typically) two-factor number. The ubiquitous RSA has been extensively analysed in this regard (see, for example, [1]) and several results have been reported. For example, the equivalence between breaking the cryptosystem and factorising the modulus has been proved to be definitely not true when the private exponent is low (see [2], [3]). In fact, it has been recently proved that the knowledge of RSA ()e,d parameters yields the factorisation of the modulus n in deterministic polynomial time (see [4]), a result much longed for. The quest for improved and new factorisation methods has been very active as well. It is obvious that if these improved or new algorithms prove eventually to be effective, they could pose a severe drawback for the practical use of this type of cryptosystems.

1 Partially supported by CDTI, Ministerio de Industria, Turismo y Comercio (Spain) in collaboration with Telefónica I+D, Project SEGUR@ with reference CENIT-2007 2004 and Ministerio de Ciencia e Innovación of Spain under MTM2008-01386. 2 International Journal on Information Technologies & Security, No 1, 2009

Factorisation algorithms can be broadly divided into two groups: General Number Field Sieve, Quadratic Sieve, Elliptic Curve, etc., and the so-called p ±1 algorithms, which try to factor p + 1 or p − 1 for some factor p of the number n under test. Among this type of algorithms, Pollard’s ([5]) and Williams’ ([6]) algorithms are the most remarkable ones. While no precise analysis exists about their running times, the p ± 1 algorithms are particularly useful when 1. all the prime factors of p ± 1 are small; 2. all the prime factors of p ± 1 are small but for one factor q, such that q +1 or q − 1 has small prime factors. Primes not fulfilling the conditions above might be called “strong”, since they are resilient to this kind of factorisation attack, but authors fail to agree on a precise definition. While several authors have used the definition above, such as Gordon ([7], [8]), or Shawe-Taylor ([9],[10]), one can find other authors who give a more restricted definition for “strong” primes, such as Ogiwara ([11]), or Laih et al ([12]). Closely related to the notion of “strong” prime, there exists also the notion of “safe” prime, for which a lot of literature can be found as well: see, for example, [13], [14], [15], [16]. The use of safe primes for certain applications has been recommended: For example, for the “modulus” of RSA ([17]), in order to avoid the attacks of the p ±1 algorithms. Safe primes are also interesting for the BBS generator ([18]), since to obtain the longest cycle lengths for this generator, it suffices to have n = p ⋅q , where both p and q are safe primes and n is the modulus for BBS. (see also [19]). In a forthcoming section, we will present the concept of signature and we will explain that positive signature is the only case that has received a detailed attention in the literature (see, for example, [20], [21], [22], [23]). For this reason, in this paper we will deal more profoundly with negative signatures, since they have not been considered, as far as we know. We have advanced some of our results in previous publications ([24]) but they did not include formal proofs, which we do offer in this work. The paper is organised as follows. First of all, we discuss the definition and basic properties of higher-order safe primes, and we give an explicit formula to compute the density of this type of primes, which depends on the conjectures of Bateman-Horn [25], which in turn depend on those of Hardy-Littlewood [26]. We also revisit the concept of chains of safe primes and report on the most recent records. We then focus our attention on negative signatures following the more relaxed definition given in [21] for safe primes. This definition can be seen as a certain generalisation of the “classical” prime chains. For this type of primes, we provide International Journal on Information Technologies & Security, No 1, 2009 3 explicit conditions to find primes fulfilling a particular set of conditions and give some examples.

2. SAFE PRIMES In this Section we introduce the definition of safe primes and some elementary properties.

2.1. Definition and elementary properties DEFINITION 1 An odd prime integer p is said to be k-safe with signature

()ε1 ,K,ε k , with ε1,K,ε k ∈{+1,−1 } , if k odd prime integers p1,K, pk exist such that p = 2 p1 + ε1, p1 = 2 p2 + ε 2 ,K, pk −1 = 2 pk + ε k .The integer k is termed the order of the signature. NOTATION 2 The set of prime numbers is denoted by . For every k > 0 , the set of k-safe prime integers with signature (ε1,K,ε k ) is denoted by ()ε1,K,ε k . + − We set k = (ε1,K,ε k ) when ε1 = K = ε k = + 1 , and k = (ε1,K,ε k ) when ε1 = K = ε k = −1 . PROPOSITION 3 If p > 5 is a k-safe prime integer with signature ()ε1,K,ε k , then k k h−1 k +1 p ≡ 2 + ∑ε h 2 ()mod 2 . h=1

Proof We proceed by induction on k. Remark that p1 is a (k −1)-safe prime with signature ε1′ = ε 2 ,K,ε k′ −1 = ε k . For k = 1, p1 is odd since p > 5 ; hence 2 p1 = 2q +1, and then p = 2 + ε1 + 2 q , which is equivalent to the formula in the statement. Assuming k > 1 and by the induction hypothesis applied to p1 , we have k −1 p = 2k −1 + ε 2i−1 + 2k m , for some integer m. Therefore, 1 ∑i=1 i+1 ⎛ k−1 ⎞ k−1 ⎜ k−1 i−1 k ⎟ k i k+1 p = 2 p1 + ε1 = 2⎜2 + ∑ε i+1 2 + 2 m⎟ + ε1 = 2 + ∑ε i+12 + ε1 + 2 m ⎝ i=1 ⎠ i=1 (h=i+1) k k k h−1 k+1 k h−1 k+1 = 2 + ∑ε h 2 + 2 m ≡ 2 + ∑ε h 2 ()mod 2 , h=1 h=1 thus concluding. ■ COROLLARY 4 The sets of k-safe prime integers with distinct signatures are disjoint, namely, ()ε1,K,ε k I (ε1′,K,ε k′ ) = ∅ , if (ε1,K,ε k ) ≠ (ε1′,K,ε k′ ). Proof Let 1≤ i1 < K < il ≤ k be the values of the index h for which ε h = + 1. It suffices to take into account that when (ε1,K,ε k ) run all possible values, the 4 International Journal on Information Technologies & Security, No 1, 2009

k k l numbers 2k + ε 2h−1 = 1+ 1+ ε 2h−1 = 1+ 2i j run all the odd ∑h=1 h ∑h=1()h ∑ j=1 integers less than 2k +1 only once. We conclude by virtue of PROPOSITION 3. ■

COROLLARY 5 If ()ε1,K,ε k = ∅ , then (ε1,K,ε l ) = ∅ for l > k . REMARK 6 The order of the components in the signature is relevant, because it can occur that ()ε1,K,ε k ≠ (επ ()1 ,K,επ (k )) for a given permutationπ of {}1,K,k . For example, 7∈ (+1,−1) and 7∉ (−1,+1), as follows from COROLLARY 4.

2.2 Chains of safe primes The definition of safe primes that we have given above, see DEFINITION 1, is related to the concept of “chain of primes”. In the literature, there exist a number of different kinds of prime chains: Cunningham chains, Shanks chains, etc. Only Cunningham chains are closely related to our notion of safe prime chains. A Cunningham chain (see, for example, [27,A7], [28]) is a sequence of k ≥ 2 prime integers p1,K, pk such that pi+1 = 2 pi + ε , i =1,K,k −1, ε ∈{}−1,+1 . Observe that if k = 2 , then a Cunningham chain of length 2 is simply a pair ()q,2q +1 and, therefore, q is a Sophie Germain prime (see [29], [30]). Recent records for Cunningham chains have been obtained by P. Carmody and P. Jobling, for ε = 1, and by T. Forbes (see [31]) for ε = −1. In both cases, the length of the longest chain is k = 16 , and the first terms are

p1 = 810433818265726529159 for ε = 1 and p1 = 3203000719597029781 for ε = −1. Both results are reported in [32].

3. DENSITY OF k-SAFE PRIMES NOTATION 7 The counting function for k-safe primes is defined as ± ± π k =#{p ∈ k : p ≤ x}

LEMMA 8 Suppose f1, f2 ,K, fs are distinct irreducible polynomials with integral coefficients and positive leading coefficients, and suppose F is their product. Let QF ()N be the number of positive integers j between 1 and N inclusive

such that f1()j , f2 ()j ,K, fs ()j are all primes. Then for large N we have s −s −s QF ()N ≤ 2 s!C(F )N(log N ) + o(N(log N ) ). Moreover the constant C()F is given by −s ⎛ 1 ⎞ ⎛ ω()p ⎞ C()F = ∏⎜1− ⎟ ⎜1− ⎟, (1) p ⎝ p ⎠ ⎝ p ⎠ International Journal on Information Technologies & Security, No 1, 2009 5 and ω()p denotes the number of solutions of the congruence F(X )(≡ 0 mod p ). The proof can be found in the reference above. As a result, the reference [25] states the following conjecture: CONJECTURE 9 With the same assumptions and notation as in LEMMA 8, the following formula is conjectured: N Q N ≅ h−1h−1 h−1C F logu −s du, F ()1 2 L s ()(∫ ) (2) 2 where h1,h2 ,K,hs stand for the degrees of the polynomials f1, f2 ,K, fs . This conjecture has not been proved so far, but it has been confirmed by many numerical experiments, such as those supplied by the same authors in [25] for the particular case of the polynomials x, x2 + x +1. Obviously this result is applicable to the case of the k-safe primes. THEOREM 10 Under the CONJECTURE 9, the following asymptotic expression is obtained: −k −1 1 x ⎛ 1 ⎞ π ± x ≅ C F ln t 2k −1 dt, k () ()k+1 k ⎜ ()m ()⎟ 2k ∫2 ±2 −1⎝ 2k ⎠ where C()F is as in formula (1). ± Proof In fact, if x∈ k , then the following conditions must hold simultaneously: 1. x is a prime integer,

2. x1 = 1 2()x m1 is a prime integer, 3. x2 = 1 2()x1 m1 = 1 4(x m 3) is a prime integer, … k k k +1. xk = 1 2()xk −1 m1 = 1 2 (x m 2 −1) is a prime integer.

Let y = xk in the previous expressions. If we solve for xi in (1)– ()k +1 , we k k k k obtain, f1()y = y, f2 ()y = 2y ±1,K, fk +1 = 2 y ± (2 −1). Then, x = 2 y ± (2 −1) ± will belong to k if all the polynomials fi (y) for 1 ≤ i ≤ k +1 take on a prime value for some integer y (that must be also a prime, since f1(y) = y ).

The k-safe prime counting function is related to the function QF defined in ± k k LEMMA 8, as follows: QF ()y = π k (2 y ± (2 −1)), or, equivalently,

⎛ 1 k ⎞ ± QF ⎜ k (x m (2 −1))⎟ = π k ()x . ⎝ 2 ⎠ By simply applying the formula (2), we have 6 International Journal on Information Technologies & Security, No 1, 2009

1 k (xm(2 −1)) ± ⎛ 1 k ⎞ 2k −k −1 π k = QF ⎜ ()x m ()2 −1 ⎟ ≈ C()F (lnu ) du. ⎝ 2k ⎠ ∫2 k k k If we set u =1 2 (t m (2 −1)), du =1 2 dt, then we obtain −k −1 1 x ⎛ 1 ⎞ π ± x ≅ C F ln t 2k −1 dt. k () k ()k +1 k ⎜ k ()m ()⎟ 2 ∫2 ±2 −1⎝ 2 ⎠ Hence, it only remains to compute the value of the constant C(F ) as defined in the formula (1). In order to compute ω(p), we first define the following sets: i−h Vh ()k, p = {i : p | 2 −1, h +1 ≤ i ≤ k}, h = 0,K,k −1. Then, we have ⎧1, if p = 2 ⎪ ⎪ ⎛ k −1 ⎞ k ω( p) = ⎨k +1−#⎜ Vh ()k, p ⎟, if 2 < p ≤2 −1 ⎝Uh=0 ⎠ ⎪ k ⎩⎪k +1, if p > 2 −1 ■

4. CHAINS OF GENERALISED SAFE PRIMES The case of positive signatures has received a detailed attention in the literature; see [20], [21], [22], [23], where even more general results than those of THEOREM 10 above, have been obtained. The negative signatures, however, have not been studied as far as we know, and, consequently, we shall deal with them below. Following [21] basically, we first relax the requirement in DEFINITION 1 of chains of safe primes by considering chains of the form

p = 2a1 p1 + ε1, p1 = 2a2 p2 + ε 2 ,K, pk −1 = 2ak pk + ε k (3) for some positive integers a = (a1,K,ak ), which are assumed to be small enough with respect to the sizes of the prime integers p1,K, pk . ε DEFINITION 11 The counting function π a for k-safe prime numbers of

signature ε = (ε1,K,ε k ) and vector a = (a1,K,ak ) is defined to be the number ε π a ()x of p ∈ such that p ≤ x , and equation (3) holds.

4.1 Vector with equal components a First, let us state the following result:

THEOREM 12 Under the CONJECTURE 9, if pa is the least prime divisor of 2a −1, then the density of the chains in the equation (3) for the vector with equal International Journal on Information Technologies & Security, No 1, 2009 7 components a1 = K = ak = a , and for ε1 = K = ε k = − 1 , vanishes for all

k ≥ pa −1. In particular, this holds if 2a −1 is a prime. Proof From formula (1), it becomes apparent that it suffices to prove

ω()pa = pa . In fact, as a computation shows, we have h f ()y = (2a )h y − (2a )h−1, 0 ≤ h ≤ k . h+1 ∑l =1 Hence k F()y = f ()y ≡ y (y −1 ) (y − k )(mod p ). ∏h=0 h+1 L a

As k ≥ pa −1, the result follows.

THEOREM 13 Let a1 = K = ak = a , ε1 = K = ε k = −1 and pa be as in THEOREM 12, and let D()a = {p ∈ : p | a} be the set of prime divisors of a ∈ .

Assume k ≤ pa − 2. Then, −k −1 k x ⎛ ⎛ ⎡ ⎤⎞⎞ ε C()F ⎜ ⎜ k ()2a −1 ⎟⎟ π a ()x ≈ k ln ()2a ⎢t + ⎥ dt, ∫la,k ⎜ ⎜ 2a −1 ⎟⎟ ()2a ⎝ ⎝ ⎣⎢ ⎦⎥⎠⎠ 2(2a)()k +1 − 3 2a k +1 where l = , a,k 2a −1 −k −k ⎛ 1 ⎞ ⎛ k +1⎞ ⎛ 1 ⎞ C(F) = ∏ ⎜1− ⎟ ⎜1− ⎟× ∏ ⎜1− ⎟ p∈D()2a−1 ⎝ p ⎠ ⎝ p ⎠ p∈{2}∪D(a) ⎝ p ⎠ −k ⎛ 1 ⎞ ⎛ min()k +1,e()2a, p ⎞ × ∏ ⎜1− ⎟ ⎜1− ⎟ p∉D(2a−1) ⎝ p ⎠ ⎝ p ⎠ gcd(a, p)=1 ∗ e()2a, p being the order of 2a in p . Proof First of all, let us compute C(F ). 1. If p ∉ D()2a −1 , then 2,a −1 = r + pl 1 ≤ r ≤ p −1, l ∈ . Hence h+1 h (1+ r) −1 2a ≡1+ r()mod p , and f ()y = (1+ r )y − ()mod p , h+1 r 0 ≤ h ≤ k.

a. If r = p −1, then fh+1(y) = −1(mod p) for every 0 ≤ h ≤ k ; k hence, F()y = f ()y = (−1 )k +1 (mod p ) , and ∏h=0 h+1 consequently ω(p) = 0 . This case occurs when either p = 2 or p | a. 8 International Journal on Information Technologies & Security, No 1, 2009

b. If p > 2 and gcd(p,a) =1, then 1 ≤ r ≤ p − 2 and F()y decomposes into k + 1 linear factors, i.e., k F()y = (y − y ), with ∏h=0 h

1+ r (1+ r)−h y = − ()mod p , 0 ≤ h ≤ k. h r r

Then, yh = yh′ , 0 ≤ h < h′ ≤ k, if and only if ()1+ r h′−h = 1(mod p). Hence h′ = h + e()2a, p μ, ⎢ k − h ⎥ μ = 1,K,⎢ ⎥. Accordingly, ⎣e()2a, p ⎦ ⎪⎧k +1, if k +1≤ e(2a, p) ω( p) = ⎨ ⎩⎪e(2a, p), if k ≥ e(2a, p) 2. If p ∈ D()2a −1 , then k ≤ p − 2 . Hence the number of roots of the k congruence F()y = (y − h )(mod p ) is k + 1, thus implying that ∏h=0 ω(p) = k +1. With the same notations as in the previous sections we obtain ⎛ 1 ⎞ Q ⎜ x + 2a k −1 ⎟ = π ε x . F ⎜ k ()() ⎟ a () ⎝ ()2a ⎠ Hence, ⎛ ()2a k −1 ⎞ ()2a −k ⎜ x+ ⎟ ε ⎜ 2a−1 ⎟ −k −1 π a ()x ≅ ⎝ ⎠ (lnu ) du ∫2 k −k ⎛ (2a) −1⎞ and, finally, letting u = 2a ⎜t + ⎟ , the result follows. ■ ()⎜ ⎟ ⎝ 2a −1 ⎠

4.2 Vector with unequal components a

In the case of a vector with unequal components a = (a1,K,ak ) the results are not so concrete as those in the previous section. First of all, we introduce some notations: k − j α = 2h− j a , 1 ≤ h ≤ k, 0 ≤ j ≤ h, (4) hj ∏l =k −h+1 l h−1 βh = ∑αhl +1, 1 ≤ h ≤ k, (5) l =1 k −1 ∗ N p =#({}0 ∪ {αh0βh (mod p):αh0 ∈ p ,1 ≤ h ≤ k}) (6) International Journal on Information Technologies & Security, No 1, 2009 9

THEOREM 14 Let p be a prime number. We consider the notations in equations

(4)–(6). If either an index 1 ≤ h ≤ k exists such that αh0 ≡ 0()mod p and k βh ≡ 0()mod p , or N p = p , then ω(p) = p , and hence C(F ) = 0. Proof The proof runs similarly to the previous cases just taking into account the following expressions:

f1()y = y, fh+1(y) = αh0 y − βh , 1 ≤ h ≤ k. REMARK 15 Let p = D(α ) . If p ≥ p +1, then α ≡ 0()mod p for a U1≤h≤k h0 a h0 every 1≤ h ≤ k. THEOREM 16 With the same assumptions and notations as in Theorem 14 and REMARK 15, if {p ∈ : 2 ≤ k +1}⊆ (D(α )\ D(β )) U1≤h≤k h0 h then ω()p < p for every p ∈ and hence, C(F ) > 0. EXAMPLE 17 For k = 6 if we consider all the subsets

{}{a1,K,a6 ⊂ 2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 }, then the exact number of vectors a = (a1,K,a6 ) fulfilling the hypotheses of THEOREM 16 is 304. This result has been computed using MAPLE, a mathematical software package. From the possible 6-tuples obtained above, we supply, as an example, the case when ar = ()5,6,14,15,18,19 . We, then, have

D(){}α10 = 2,19 , D(α 20 ) = {2,3,19}, D(α30 ) = {2,3,5,19},

D()α 40 = D(α50 ) = D(α60 ) = {2,3,5,7,19}. Similarly,

D()β1 = ∅, D ()β2 = {37}, D(β3 ) = {11,101}, D(β4 ) = {13,2393},

D()β5 = {241,1549}, D(β6 ) = {41,83,1097}.

Hence {}p∈ P : 2 ≤ p ≤ 7 ⊆ (D(α h0 )− D(βh )) = {2,3,5,7,19}. For such values 1≤Uh≤6 of a the following ten numbers are safe primes of length k = 6 and negative signature: 157213815390109, 448585785745309, 1025803746270109, 3371555445649309, 3933752569182109, 3948661711710109, 6787362449041309, 7090927318033309, 7228241182609309, 8204853725406109.

5. CONCLUSION In this paper, we introduce the definition of higher-order safe primes and discuss their basic properties. We revisit the concept of chains of safe primes and 10 International Journal on Information Technologies & Security, No 1, 2009 report on the most recent records. We then focus our attention on negative following the more relaxed definition given in [21] for safe primes. This definition can be seen as a certain generalisation of the “classical” prime chains. For this type of primes, and based on the conjectures of Bateman-Horn ([25])—which in turn depend on those of Hardy-Littlewood ([26])—we provide explicit conditions to find primes fulfilling a particular set of conditions, thus allowing the design of algorithms to find them. Finally, we give some examples, obtained using algorithms implemented in MAPLE.

REFERENCES [1] Boneh, D. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 2 (vol. 46), 1999, pp. 203-213. [2] Boneh, D., G. Durfee. Cryptanalysis of RSA with private key d less than n0.292 . Proceedings of EUROCRYPT '99, Lecture Notes in Computer Science, (vol. 1592), 1999, pp. 1-11. [3] Boneh, D., R. Venkatesan. Breaking RSA may not be equivalent to factoring. Proceedings of EUROCRYPT '98, Lecture Notes in Computer Science, (vol. 1233), 1998, pp. 59-71. [4] Coron, J.-S., A. May. Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. Journal of Cryptology, 1 (vol. 20), 2007, pp. 39- 50. [5] Pollard, J. Theorems on factorization and primality testing. Mathematical Proceedings of the Cambridge Philosophical Society, (vol. 76), 1974, pp. 521-528. [6] Williams, H. A p + 1 method of factoring. Mathematics of Computation, (vol. 39), 1982, pp. 225-234. [7] Gordon, J. Strong primes are easy to find. Proceedings of EUROCRYPT '84, Lecture Notes in Computer Science, (vol. 209), 1984, pp. 216-223. [8] Gordon, J. Strong RSA keys. Electronics Letters, (vol. 20), 1984, pp. 514-516. [9] Shawe-Taylor, J. Generating strong primes. Electronics Letters, (vol. 22), 1986, pp. 875-877. [10] Shawe-Taylor, J. Proportion of primes generated by strong primes methods. Electronics Letters, (vol. 28), 1992, pp. 135-137. [11] Ogiwara, M. A method for generating cryptographically strong primes. IEICE Transactions on Communications, Electronics, Information, and Systems, (vol. E73), 1990, pp. 985-994. International Journal on Information Technologies & Security, No 1, 2009 11

[12] Laih, C. et al. Efficient method for generating strong primes with constraint of bit length. Electronics Letters, (vol. 27), 1991, pp. 1807-1808. [13] Cai, Y. On the distribution of safe-primes. Journal of Shandong University, (vol. 29), 1994, pp. 388-392. [14] Camenisch, J., M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. Proceedings of EUROCRYPT '99, Lecture Notes in Computer Science, (vol. 1592), 1999, pp. 107-122. [15] Naccache, D. Double-speed safe prime generation. Cryptology ePrint Archive: Report 2003/175, http://eprint.iacr.org/2003/175, 2003. [16] Wiener, M.J. Safe prime generation with a combined sieve. Cryptology ePrint Archive: Report 2003/186, http://eprint.iacr.org/2003/186, 2003. [17] Menezes, A. et al. Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, Florida, USA, 1997. [18] Blum, L. et al. A simple unpredictable pseudo-random number generator. SIAM Journal on Computing, (vol. 15), 1986, pp. 364-383. [19] Hernández Encinas, L., et al. Maximal period of orbits of the BBS generator. Proceedings of the 1998 International Congress on Information Security and Cryptology (ICISC 98), 1998, pp. 71-80. [20] Maurer, U.M. Fast generation of secure RSA-moduli with almost maximal diversity. Proceedings of EUROCRYPT '89, Lecture Notes in Computer Science, (vol. 434), 1990, pp. 636-647. [21] Maurer, U.M. Some number-theoretic conjectures and their relation to the generation of cryptographic primes. Cryptography and Coding II, Clarendon Press, Oxford, 1992, pp. 173-191. [22] Maurer, U.M. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 3 (vol. 8), 1995, pp. 123-155. [23] Mihailescu, P. Fast generation of provable primes using search in arithmetic progressions, Proceedings of CRYPTO '94, Lecture Notes in Computer Science, (vol. 839), 1994, pp. 282-293. [24] Durán Díaz, R. et al. Computational Aspects in the Generation of Higher- Order Safe Primes. Proceedings of the International Conference on Information Technologies (InfoTech-2008), (vol. 2), 2008, pp. 33-40. [25] Bateman, P., R. Horn. A heuristic asymptotic formula concerning the distribution of prime numbers. Mathematics of Computation (vol. 16), 1962, pp. 363-367. 12 International Journal on Information Technologies & Security, No 1, 2009

[26] Hardy, G., E. Littlewood. Some problems of ‘partitio numerorum’; III: On the expression of a number as a sum of primes. Acta Mathematica, (vol. 44), 1922, pp. 1-70. [27] Guy, R. Unsolved Problems in Number Theory, Springer-Verlag, Berlin, Germany, 1994. [28] Teske, E., H. Williams. A Note on Shanks’ Chains of Primes. Proceedings of Algorithmic Number Theory Seminar, ANTS IV, Lecture Notes in Computer Science, (vol. 1838), 2000, pp. 563-580. [29] Ribenboim, P. The little book of big primes, Springer-Verlag, New York, USA, 1991. [30] Dubner, H. Large Sophie Germain Primes. Mathematics of Computation, (vol. 65), 1996, pp. 393-396. [31] Forbes, T. Prime Clusters and Cunningham Chains. Mathematics of Computation, (vol. 68), 1999, pp. 1739-1747. [32] C. Caldwell, The prime pages, http://primes.utm.edu/, 2005.

Information about author(s): Raúl Durán Díaz obtained his Ph.D. in Physics at the Universidad Politécnica de Madrid in 2003. He is an Associate Professor at the Universidad de Alcalá, Spain, since 2004. His research interests include Public Key Cryptography, (primality testing, prime number generation), and High Performance Computer Architecture (load balancing in heterogenous systems). Luis Hernández Encinas obtained his Ph.D. in Mathematics from the University of Salamanca, in 1992. He is a researcher at the Department of Information Processing and Coding, Spanish Council for Scientific Research (CSIC). His current research interests include cryptography, algebraic curve cryptosystems, image processing, and number theory. Jaime Muñoz Masqué obtained the University degree in Mathematics at the Universidad Central de Barcelona, Spain, in 1973 and the Ph.D. in Science at the Universidad de Salamanca, Spain, in 1983. Currently he holds the position of Scientific Researcher at the Spanish Council for Scientific Research (CSIC). His research topics include Applied Mathematics, Computer Science, Information Systems, and Mathematical Physics.