
MATEC Web of Conferences 44, 01032 (2016)
DOI: 10.1051/matecconf/20164401032
© Owned by the authors, published by EDP Sciences, 2016

An RSA Scheme based on Improved AKS Primality Testing Algorithm

Han Wei Wu^a, Cai Mao Li, Hong Lei Li, Jie Ding, Xiao Ming Yao
College of Information Science and Technology, Hainan University, Haikou, China 570228

^a Corresponding author: [email protected]

This work is supported by National Natural Science Foundation of China (No. 61462023), Natural Science Foundation of Hainan Province (No. 614231, 613158, 20156250).

This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits distribution, and reproduction in any medium, provided the original work is properly cited. Article available at http://www.matec-conferences.org or http://dx.doi.org/10.1051/matecconf/20164401032

Abstract. In applied cryptography, RSA is a typical asymmetric algorithm, which is used in electronic transactions and many other security scenarios. RSA needs to generate large random primes. Currently, primality testing mostly depends on probabilistic algorithms, such as the Miller-Rabin primality testing algorithm. In 2002, Agrawal et al. published the Agrawal–Kayal–Saxena (AKS) primality testing algorithm, which is the first generic, polynomial, deterministic and non-hypothetical algorithm for primality testing. This paper proves the necessary and sufficient condition for the AKS primality test. An improved AKS algorithm is proposed using Fermat's Little Theorem. The improved algorithm becomes an enhanced Miller-Rabin probabilistic algorithm, which can generate primes as fast as the Miller-Rabin algorithm does.

Keywords: RSA, Miller-Rabin, AKS algorithm, Primality testing

1 Introduction

The RSA algorithm is a typical asymmetric algorithm, which is used for security applications in the information society, including ID authentication and electronic transaction in electronic transaction scenarios [1]. Compared with other public key algorithms, RSA is slow, but its strength is its ability to be used for both encryption and digital signature. Its key generation principle states that it should first choose two large primes P and Q, computing n = P*Q. Then, it will calculate the Euler function $\varphi(n) = (P-1)(Q-1)$, and randomly select a positive integer e so that $1 < e < \varphi(n)$. Meanwhile, they need to be coprime, i.e. $\gcd(\varphi(n), e) = 1$. Later on, the private key d needs to be computed via $d \cdot e \equiv 1 \pmod{\varphi(n)}$, where n and e are public keys. The security of RSA depends on the difficulty in decomposing the large integer n.

From the procedures above, it can be seen that the RSA key scheduling algorithm needs to generate two large primes. To ensure security strength, the two generated large primes are usually longer than 512 bits. On December 12, 2009, the RSA-768 number (768-bit key) was factored successfully [2]. This event poses threats against the security of existing 1024-bit keys, highlighting the need for general users to upgrade to keys of 2048 bits or longer. Rapid generation of large primes is essential for RSA. The current approach for generation of large primes is to randomly generate a large integer, and then perform the primality test. Common approaches for primality testing include the probabilistic Miller-Rabin test method [3], the Solovay-Strassen test method [8], and the Lucas-Lehmer N-1 and N+1 deterministic test methods [10][11]. Agrawal, Kayal and Saxena [4] successfully addressed the worldwide problem of testing primality in polynomial time by proposing an algorithm called AKS. Their algorithm determines whether the input integer is a prime or a composite number. It is the first published generic, polynomial, deterministic and non-hypothetical algorithm for primality testing. All of the previous primality test algorithms can have at most three of the four properties above.

Despite its ability to perform primality testing in polynomial time, the overheads that it incurs during operation in terms of transport and storage complexity are so large that it is infeasible in practice. Major improvements achieved include the improved algorithm by Bernstein [5] and the optimized algorithm by Jin Zhengping based on that of Bernstein [6]. The algorithm by Bernstein is more efficient. For positive integers 3640471 and 4295884871, the running time of the original AKS and Bernstein algorithms is dozens or hundreds of hours. The improved algorithm by Bernstein still costs tens of seconds. For primes as long as 40 plus digits, the improved version still requires several hours. After a thorough analysis of the improved version by Bernstein, Jin Zhengping et al. demonstrated not only enormous improvements over other algorithms but also some problems that it has. Meanwhile, they stated that it needs to be further improved for practical applications of primality testing. None of the existing AKS algorithms are useful for practical security applications, because algorithm completeness cannot be achieved without enormous computing and storage overheads.

This paper begins with the necessary and sufficient condition for the AKS primality test, and does not compute the congruent polynomial as the original algorithm does. The proposed algorithm is rendered non-deterministic by choosing smaller test sets. It is proved strictly that the proposed algorithm is equal to the strong-constraint Miller-Rabin test. Prime generation with the proposed algorithm achieves a substantial speedup. A complete example of RSA based on the improved AKS test algorithm is implemented on a computer using Python (64-bit Windows 7, Python 3.4.3, 8G memory, AMD [email protected], 256 G solid-state drives). Comparison shows that the executing efficiency of the improved AKS algorithm can rival the industry-standard Miller-Rabin algorithm. Therefore, the proposed algorithm is useful for practical applications.

2 Common Primality Testing Algorithms

2.1 Fundamental concepts and principles of AKS

The AKS primality test is mainly based on the following theorem: the integer n (≥ 2) is a prime when and only when

$$(x - a)^n \equiv (x^n - a) \pmod{n} \qquad (1)$$

This congruent polynomial is true for all integers a which are coprime with n. This theorem is a generic representation of Fermat's Little Theorem.

Proof:

1. First prove that (1) holds when n is a prime. Based on Fermat's Little Theorem $a^{n-1} \equiv 1 \pmod{n}$, where n is a prime, it can be deduced that

$$(x - a)^n \equiv (x - a)^{n-1} \cdot (x - a) \equiv (x - a) \pmod{n}$$

$$(x^n - a) \equiv (x^{n-1} \cdot x - a) \equiv (x - a) \pmod{n}$$

Therefore, (1) is true.

2. Proceed to prove that if (1) holds, then n is a prime. For each $0 < i < n$, we have

$$(x - a)^n = x^n + \sum_{i=1}^{n-1} \binom{n}{i} x^i (-a)^{n-i} + (-a)^n$$

The number of interest, n, is either composite or prime.

If n is prime, then $n \mid \binom{n}{i}$, $0 < i < n$. The conclusion is true.

If n is composite, then there must exist a prime divisor of n, denoted with q. Consider that $q^k \parallel n$, i.e. $q^k \mid n$ but $q^{k+1} \nmid n$. Then, it can be proved that $q^k \nmid \binom{n}{q}$, where $\binom{n}{q} = \frac{n(n-1)\cdots(n-q+1)}{q!}$.

Because $\binom{n}{q} = \frac{n(n-1)\cdots(n-q+1)}{q!}$, we can let $n = q^k m$:

$$\gcd\left(m\,\frac{(n-1)\cdots(n-q+1)}{(q-1)!},\ q\right) = 1$$

Hence, we have $q^k \nmid \binom{n}{q}$. The greatest common divisor of n and a can be obtained quickly using the extended Euclidean algorithm. If the two numbers are not coprime, then it can be inferred directly that n is composite. Thus, $\gcd(n, a) = 1$ with $n = q^k m$ is requested. Then, the coefficient of $x^q$ modulo n is not zero, so $(x - a)^n - (x^n - a)$ modulo n is not always equal to zero. (1) is false, which contradicts the original condition. Therefore, if (1) is true, then n is prime.

Although the primality test can be done based on the defined formulation, the time needed increases exponentially. To reduce computational complexity, AKS switches to the following congruent polynomial. The steps of the algorithm are as follows:

Input: integer n > 1
① If there exist a > 0 and b > 1 such that $n = a^b$, then output composite.
② Find the smallest r such that $\mathrm{ord}_r(n) > \log^2(n)$.
③ If $1 < \gcd(a, n) < n$ is true for some a ≤ r, then output composite. (gcd represents the greatest common divisor of a and n.)
④ If n ≤ r, output prime.
⑤ For all a from 1 to $\lfloor \sqrt{\varphi(r)}\,\log(n) \rfloor$, if $(x + a)^n \not\equiv x^n + a \pmod{n,\ x^r - 1}$, output composite.
⑥ Output prime.

Here, $\mathrm{ord}_r(n)$ is the order of n mod r. In addition, log represents the logarithm with 2 as the base, and $\varphi(r)$ represents the Euler function of r. If n is prime, then the algorithm always returns prime. Due to the primality of n, Steps 1 and 3 will never return composite. Neither will Step 5, because (2) is true for all primes n. Hence, there is no doubt that Steps 4 and 6 of the algorithm will return prime. Correspondingly, if n is composite, then the algorithm will undoubtedly return composite. If the algorithm returns prime, then it is returned from Step 4 or Step 6. In the former case, considering n ≤ r, it is certain that n has a divisor a ≤ r such that 1 < gcd(a, n) < n, so composite will be returned. The remaining case is Step 6, which is impossible, because the several equations tested in Step 5 can ensure that the output is composite.

Many works have been done later to propose variants of the original algorithm. The best examples of improved algorithms include the method by Bernstein in [5]. Its complexity is $O(\log^{4+o(1)}(n))$. A large prime number n is requested for practical applications. In RSA, n usually has a binary length of over 1024 bits.