Project ’Primes and generators’ ∗

Course on Information Security (http://www.re.mipt.ru/infsec) Faculty of Radio Engineering Moscow Institute of Physics and Technology February 26, 2006

1 About

In this project, you may not use any built-in procedures for primality testing, generation, or generator discovery. You can assume you have a source of randomness. If you borrow any code, cite the appropriate authors. Moreover, you must explain how and why any borrowed code works with inline comments. At the end of each problem, tell us how each person contributed (writing, designing, coding, proof reading, never showed up, etc). You may use any programming language you like, though we recommend Java because of its BigInteger package 1. The numbers you will be working with are quite large – plain old long or integer types won’t be large enough. If you use C or C++, you could try the GNU MP package. If you use this package, you are on your own though. You could also try www.google.com to look for other wide-spread multiprecision libraries. You must demonstrate the code and the compiled program on the seminar. There will be a Windows 2000 environment with Java 1.5 and ssh client. Please, compile the program with static libraries. If you will use non-Windows compilator, you should demonstrate the results from a remote machine via ssh. You must provide a written or typed answers to all questions of the problem set. We recommend you read [SLN], [Seminar]. The material concerning , primes number, primality tests can also be found in [Handbook]. An original description of Agrawal-Kayal-Saxena can be found in [AKS]. There is a fair amount of freestyle programming involved; start early!

∗The course "Network and Computer Security" of Massachusetts Institute of Technology was used to prepare the project. 1Java releases 1.3 and 1.4 are as efficient for numerical calculations as Fortran and C, http://math.nist.gov/scimark.

1 2 All your PRIMES belong to us.

You are a new technical lead at PRIMES Computer, Inc. Your job is to manufacture groovy primes. Your boss, Austin M. Powers, has generated a special task for your group. ∗ In the seminar, you learned about primality testing and generators of a group Zp where p is prime. Austin has assigned you the task of generating such values.

2.1 Generation of pseudo primes: Miller-Rabin primality test Write a function for probabilistic primality test of Miller-Rabin. Write a function to generate a b-bit prime given parameter b. Your function should produce a b-bit number that has an overwhelming probability (< 2−20) of being prime. You should involve table-lookup of 10000 first primes in the . Write a program that given a number b, produces a b-bit prime number p. As a result, you should provide:

• A code with comments. Please make sure there are no line-wrap problems.

• A compiled program with interface description. An input parameter of the program is b, the output is a prime, elapsed time in seconds, number of trials of Miller-Rabin tests.

• Three random primes: 512-bit, 1024-bit, 2048-bit.

• Number of trials of Miller-Rabin tests for these primes.

• Time of generation of these primes in seconds.

2.2 : Agrawal-Kayal-Saxena primality test Write a function for deterministic polynomial-time primality test of Agrawal-Kayal-Saxena. Write a function to generate a b-bit prime given parameter b. In this function you should first test the random number by table-lookup of 10000 first primes. Write a program that given a number b, produces a b-bit prime number p. As a result, you should provide:

• A code with comments. Please make sure there are no line-wrap problems.

• A compiled program with interface description. An input parameter of the program is b, the output is a prime, elapsed time in seconds.

• Three random (pseudo) primes: 512-bit, 1024-bit, 2048-bit.

• Time of generation of these (pseudo) primes in seconds for each method.

2.3 Expected amount of work to find primes and generators For a random prime number p, what is the approximate probability of a random element ∗ ∗ g ∈ Zp being a generator of Zp? You can assume p is large.

2 ∗ 2.4 co-Sophie-Germain primes and generators of Zp A number q is a Sophie-Germain prime if 2q + 1 is also prime. We then call the value 2q + 1 a co-Sophie-Germain prime (or sometimes a safe prime). While we know there are an infinite number of primes, it’s an open problem whether there are an infinite number of Sophie-Germain primes. It turns out that in practice, however, Sophie-Germain primes are not too rare. In seminar, you learned that it’s often necessary to produce a prime p and a generator g ∗ ∗ of Zp in public key cryptosystems. We do not, however, know how to find a generator of Zp without also knowing the factorization of p − 1. While it’s not proven whether there are an infinite number of Sophie-Germain primes, it’s widely believed that the probability of p and q being prime in p = 2q + 1 is independent. Write a function for generating a b-bit random co-Sophie-Germain prime p of the form p = 2q + 1, q - prime. Write a second function that given a number g and a co-Sophie-Germain prime p tests ∗ whether the element g is a generator of Zp. Using these functions, write a program that given a number b produces a b-bit co-Sophie- ∗ Germain prime p and a (b − 1)-bit random generator of Zp . As a result, you should provide:

• A code with comments. Please make sure there are no line-wrap problems.

• A compiled program with interface description. An input parameter of the program is b, the output is primes (q, p), generator g, result of exponentiation of g into power (p − 1) modulo p, elapsed time in seconds.

• Three random co-Sophie-Germain primes (512-bit, 1024-bit, 2048-bit 2) and generators ∗ of Zp. • Time of generation of these primes in seconds.

2.5 Finding co-Sophie-Germain primes (optional) Assuming that the likelihood of q being prime and 2q + 1 being prime is independent, approximately how many 1024-bit Sophie-Germain primes would you expect to exist?

3 Uniformly selected primes and factorization of p − 1

In seminar, you learned that it’s often necessary to produce a prime p and a generator g ∗ of Zp in public key cryptosystems. We do not, however, know how to find a generator of ∗ Zp without also knowing the factorization of p − 1. In previous problem, you generated co-Sophie-Germain primes of the form p = 2q + 1 where p − 1 has the prime factors 2 and q. While it’s not proven whether there are an infinite number of Sophie-Germain primes, it’s widely believed that the probability of p and q being prime in p = 2q + 1 is independent. There are other ways to generate a prime p and the prime factors of p − 1. This problem will explore this exciting realm!

2If it will take more than hour to generate a 2048-bit Sophie-Germain prime on your machine, don’t do it.

3 Ben Bitdiddle is the director of the factory floor at PRIMES Computers, Inc. where they produce primes p and the factorization of p − 1. They currently produce co-Sophie-Germain primes since the algorithm is straightforward. The CEO asked Ben for assistance on computing the the next quarter’s financial estimates. Because PRIMES Computers, Inc. makes money by selling special primes, it’s important to have many primes to sell. That night, Ben had a vision. He saw a future where the number of Sophie-Germain primes is finite! Yikes. This is contrary to what most smart cryptographers believe. Nevertheless, Ben takes drastic measures to improve the quarterly outlook. He decides to take market factors into consideration by diversifying his prime portfolio. Ben looks for a different algorithm to produce a prime p and the factorization of p − 1. He turns to the following algorithm and experts. Adam Kalai explains a relatively new and simple method for efficiently generating uni- formly a random number r (not necessarily prime) along with its prime factorization 3. Input: Integer n > 0. Output: A random number r and its prime factorization where r is selected uniformly between 1 and n inclusively (1 ≤ r ≤ n).

1. Generate a sequence of primes {si : n ≥ s1 ≥ s2 ≥ ... ≥ si = 1} by choosing s1 : 1 ≤ s1 ≤ n and si+1 : 1 ≤ si+1 ≤ si, until reaching 1.

2. Let r be the product of the prime si.

3. If r < n, output r and the set of si’s with probability r/n. 4. Otherwise, restart by going to step 1. Attention: The return from the algorithm with the probability r/n is required for uniformity of generated n. Note: In the original Kalai’s algorithm numbers si are not prime. The original algorithm outputs uniformly random r with its possibly non-prime factorization in si. But we are interested in prime factorization. So, we modified the algorithm, claiming the primality of si. It now outputs uniformly random number r from 1 to n, such that any prime occurs only once in r.

3.1 Implement the random number generator Being a manager, Ben turns to you to implement the scheme. Can you save your company from a disappointing financial quarter?! Implement the uniform random number generator described above. Now layer a prime number generator on top of this algorithm. That is, write a new prime number generator that uses the above algorithm as a subroutine. Your new generator takes as input a bit size b and outputs a prime p and the prime factors of p − 1 = r such that 2b−1 ≤ p ≤ 2b − 1 and p − 1 is a uniformly random number between 2b−1 − 1 and 2b − 2 inclusive. Submit your pretty-printed code.

3.2 Generate ’em Generate a 512-bit prime using both your new algorithm and your old algorithm. (1) What are the two primes p1 and p2 and the prime factors of p1 − 1 and p2 − 2? (2) Give the actual number of calls you made to the primality testing function for both .

3See "Generating Random Factored Numbers, Easily – Adam Kalai.ps" in project files.

4 As a result, you should provide:

• A code with comments. Please make sure there are no line-wrap problems.

• A compiled program with interface description. An input parameter of the program is b, the output is primes p, r, qi, elapsed time in seconds. • Three random co-Sophie-Germain primes (512-bit, 1024-bit, 2048-bit).

• Time of generation of these primes in seconds.

3.3 Compare to your co-Sophie-Germain prime generator (optional) Ben is also concerned about the running time of the new prime number generator. Calm his nerves by presenting the performance analysis described below. You have now implemented a more general prime number generator than the co-Sophie-Germain generator. There are possibly several factors of p − 1 instead of just two factors. If a call to your primality testing code constitutes a single unit of work, (1) how many units of work do you expect to exert to find a 512-bit prime with your new prime generator? (2) How many units of work do you expect to exert to find a 512-bit prime with your old co-Sophie-Germain prime generator?

References

[Handbook] A. Menezes, P. van Ooscort, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.

[SLN] Abstract Algebra and Number Theory, Short Lecture Notes.

[AKS] M. Agrawal, N. Kayal, N. Saxena , PRIMES is in P, 2002.

[Seminar] Seminar Notes.

5