The security of the RSA algorithm is based on the difficulty of factorizing very large numbers. The setup of an RSA cryptosystem involves the generation of two large primes, say p and q, from which, the RSA modulus is calculated as n = p * q. The greater the modulus size, the higher is the security level of the RSA system. The recommended RSA modulus size for most settings is 2048 bits to 4096 bits. Thus, the primes to be generated need to be 1024 bit to 2048 bit long. For the synthesis of such large primes, instead of depending on deterministic methods, we rely on finding numbers that are prime with a satisfactorily high level of probability.
Large Prime Generation Procedure:
- The goal is to efficiently compute very large random prime numbers with a specified bit-size. The standard method of manually implementing a random prime number generator which can generate prime values with a satisfactory level of accuracy is given as follows:
- Preselect a random number with the desired bit-size
- Ensure the chosen number is not divisible by the first few hundred primes (these are pre-generated)
- Apply a certain number of Rabin Miller Primality Test iterations, based on acceptable error rate, to get a number which is probably a prime
Below are the steps to implement the above procedure:
1. Picking a Random Prime Candidate
- The generation of a random number with n-bits means the random number is in the range 0 and
. Some considerations when generating the random number are: - Picking of small primes, such as 3, 5, 7…, must be avoided as the factorization of RSA modulus would become trivial. Thus, care must be taken to not have too many leading zeroes. This may be done by always making the highest order bit = 1
- Since all primes (> 2) are odd, for better performance, just odd number may be picked
- Thus, we pick any random number in the range
C++
#include <bits/stdc++.h>using namespace std;
long nBitRandom(int n)
{ // Returns a random number
// between 2**(n-1)+1 and 2**n-1'''
long max = (long)powl(2, n) - 1;
long min = (long)powl(2, n - 1) + 1;
return min + (rand() % ( max - min + 1 ) );
}// This code is contributed by phasing17. |
Java
import java.util.concurrent.ThreadLocalRandom;
class GFG
{ static long nBitRandom(int n)
{
// Returns a random number
// between 2**(n-1)+1 and 2**n-1'''
int max = (int)Math.pow(2, n) - 1;
int min = (int)Math.pow(2, n - 1) + 1;
return ThreadLocalRandom.current().nextInt(min, max + 1);
}
}// This code is contributed by phasing17. |
Python3
def nBitRandom(n):
# Returns a random number
# between 2**(n-1)+1 and 2**n-1'''
return(random.randrange(2**(n-1)+1, 2**n-1))
|
C#
using System;
using System.Collections.Generic;
class GFG
{ static long nBitRandom(int n)
{
var rand = new Random();
// Returns a random number
// between 2**(n-1)+1 and 2**n-1'''
int max = (int)Math.Pow(2, n) - 1;
int min = (int)Math.Pow(2, n - 1) + 1;
return rand.Next(min, max + 1);
}
}// This code is contributed by phasing17. |
Javascript
function nBitRandom(n)
{ // Returns a random number
// between 2**(n-1)+1 and 2**n-1'''
let max = 2**n-1
let min = 2**(n-1)+1
return Math.floor(Math.random() * (max - min) + min)
}// This code is contributed by phasing17. |
2. Division with First Primes (Low-Level Primality Test)
- This step is a low level primality test which requires the pre-calculation of the first few hundred primes (using Sieve of Eratosthenes).
- The prime candidate is divided by the pre-generated primes to check for divisibility. If the prime candidate is perfectly divisible by any of these pre-generated primes, the test fails and a new prime candidate must be picked and tested. This is repeated as long as a value which is coprime to all the primes in our generated primes list is found
C++
// C++ Program to implement the approachint getLowLevelPrime(int n)
{ // Generate a prime candidate divisible
// by first primes
// Repeat until a number satisfying
// the test isn't found
while (true)
{
// Obtain a random number
int prime_candidate = nBitRandom(n)
for (int divisor : first_primes_list)
{
if (prime_candidate % divisor == 0
&& divisor**2 <= prime_candidate)
break
// If no divisor found, return value
else
return prime_candidate
}
}
}// This code is contributed by phasing17. |
Java
static int getLowLevelPrime(int n)
{ // Generate a prime candidate divisible
// by first primes
// Repeat until a number satisfying
// the test isn't found
while (true) {
// Obtain a random number
int prime_candidate = nBitRandom(n);
for (int divisor : first_primes_list)
{
if (prime_candidate % divisor == 0
&& divisor * divisor <= prime_candidate)
break;
// If no divisor found, return value
else
return prime_candidate;
}
}
}// This code is contributed by phasing17. |
Python3
def getLowLevelPrime(n):
'''Generate a prime candidate divisible
by first primes'''
# Repeat until a number satisfying
# the test isn't found
while True:
# Obtain a random number
prime_candidate = nBitRandom(n)
for divisor in first_primes_list:
if prime_candidate % divisor == 0
and divisor**2 <= prime_candidate:
break
# If no divisor found, return value
else: return prime_candidate
|
C#
static int getLowLevelPrime(int n)
{ // Generate a prime candidate divisible
// by first primes
// Repeat until a number satisfying
// the test isn't found
while (true) {
// Obtain a random number
int prime_candidate = nBitRandom(n);
foreach(int divisor in first_primes_list)
{
if (prime_candidate % divisor == 0
&& divisor * divisor <= prime_candidate)
break;
// If no divisor found, return value
else
return prime_candidate;
}
}
}// This code is contributed by phasing17. |
Javascript
function getLowLevelPrime(n)
{ // Generate a prime candidate divisible
// by first primes
// Repeat until a number satisfying
// the test isn't found
while (true)
{
// Obtain a random number
prime_candidate = nBitRandom(n)
for (let divisor of first_primes_list)
{
if (prime_candidate % divisor == 0
&& divisor**2 <= prime_candidate)
break
// If no divisor found, return value
else
return prime_candidate
}
}
}// This code is contributed by phasing17. |
3. Rabin Miller Primality Test (High-Level Primality Test)
- A prime candidate passing the low-level test is then tested again using the Rabin Miller Primality Test.
- For extremely large numbers, such as ones used in RSA, deterministic testing of whether the chosen value is prime or not is highly impractical as it requires an unreasonable amount of computing resources.
- A probabilistic approach is preferred as such. If an inputted value passes a single iteration of the Rabin Miller test, the probability of the number being prime is 75%.
- Thus, a candidate passing the test, an adequate number of times, can be considered to be a prime with a satisfactory level of probability.
- Usually, in commercial applications, we require error probabilities to be less than
.
C++
// This function calculates (base ^ exp) % modint expmod(int base, int exp, int mod ){
if (exp == 0) return 1;
if (exp % 2 == 0){
return (int)pow( expmod( base, (exp / 2), mod), 2) % mod;
}
else {
return (base * expmod( base, (exp - 1), mod)) % mod;
}
}bool trialComposite(int round_tester, int evenComponent, int miller_rabin_candidate, int maxDivisionsByTwo)
{ if (expmod(round_tester, evenComponent, miller_rabin_candidate) == 1 )
return false;
for (int i = 0; i < maxDivisionsByTwo; i++)
{
if (expmod(round_tester, (1 << i) * evenComponent, miller_rabin_candidate) == miller_rabin_candidate - 1)
return false;
}
return true;
}bool isMillerRabinPassed(int miller_rabin_candidate)
{ // Run 20 iterations of Rabin Miller Primality test
int maxDivisionsByTwo = 0;
int evenComponent = miller_rabin_candidate-1;
while (evenComponent % 2 == 0)
{
evenComponent >>= 1;
maxDivisionsByTwo += 1;
}
// Set number of trials here
int numberOfRabinTrials = 20;
for (int i = 0; i < (numberOfRabinTrials) ; i++)
{
int round_tester = rand() * (miller_rabin_candidate - 2) + 2;
if (trialComposite(round_tester, evenComponent, miller_rabin_candidate, maxDivisionsByTwo))
return false;
}
return true;
}// This code is contributed by phasing17. |
Java
import java.util.concurrent.ThreadLocalRandom;
// This function calculates (base ^ exp) % modstatic int expmod(int base, int exp, int mod ){
if (exp == 0) return 1;
if (exp % 2 == 0){
return (int)Math.pow( expmod( base, (exp / 2), mod), 2) % mod;
}
else {
return (base * expmod( base, (exp - 1), mod)) % mod;
}
}static bool trialComposite(int round_tester, int evenComponent,
int miller_rabin_candidate, int maxDivisionsByTwo)
{ if (expmod(round_tester, evenComponent, miller_rabin_candidate) == 1 )
return false;
for (int i = 0; i < maxDivisionsByTwo; i++)
{
if (expmod(round_tester, (1 << i) * evenComponent,
miller_rabin_candidate) == miller_rabin_candidate - 1)
return false;
}
return true;
}static bool isMillerRabinPassed(int miller_rabin_candidate)
{ // Run 20 iterations of Rabin Miller Primality test
int maxDivisionsByTwo = 0;
int evenComponent = miller_rabin_candidate-1;
while (evenComponent % 2 == 0)
{
evenComponent >>= 1;
maxDivisionsByTwo += 1;
}
// Set number of trials here
int numberOfRabinTrials = 20;
for (int i = 0; i < (numberOfRabinTrials) ; i++)
{
int round_tester = ThreadLocalRandom.current().nextInt(2, miller_rabin_candidate + 1);
if (trialComposite(round_tester, evenComponent,
miller_rabin_candidate, maxDivisionsByTwo))
return false;
}
return true;
}// This code is contributed by phasing17. |
Python3
def isMillerRabinPassed(miller_rabin_candidate):
'''Run 20 iterations of Rabin Miller Primality test'''
maxDivisionsByTwo = 0
evenComponent = miller_rabin_candidate-1
while evenComponent % 2 == 0:
evenComponent >>= 1
maxDivisionsByTwo += 1
assert(2**maxDivisionsByTwo * evenComponent == miller_rabin_candidate-1)
def trialComposite(round_tester):
if pow(round_tester, evenComponent,
miller_rabin_candidate) == 1:
return False
for i in range(maxDivisionsByTwo):
if pow(round_tester, 2**i * evenComponent,
miller_rabin_candidate)
== miller_rabin_candidate-1:
return False
return True
# Set number of trials here
numberOfRabinTrials = 20
for i in range(numberOfRabinTrials):
round_tester = random.randrange(2,
miller_rabin_candidate)
if trialComposite(round_tester):
return False
return True
|
C#
// This function calculates (base ^ exp) % modstatic int expmod(int base, int exp, int mod ){
if (exp == 0) return 1;
if (exp % 2 == 0){
return (int)Math.Pow( expmod( base, (exp / 2), mod), 2) % mod;
}
else {
return (base * expmod( base, (exp - 1), mod)) % mod;
}
}static bool trialComposite(int round_tester, int evenComponent,
int miller_rabin_candidate, int maxDivisionsByTwo)
{ if (expmod(round_tester, evenComponent, miller_rabin_candidate) == 1 )
return false;
for (int i = 0; i < maxDivisionsByTwo; i++)
{
if (expmod(round_tester, (1 << i) * evenComponent,
miller_rabin_candidate) == miller_rabin_candidate - 1)
return false;
}
return true;
}static bool isMillerRabinPassed(int miller_rabin_candidate)
{ // Run 20 iterations of Rabin Miller Primality test
int maxDivisionsByTwo = 0;
int evenComponent = miller_rabin_candidate-1;
while (evenComponent % 2 == 0)
{
evenComponent >>= 1;
maxDivisionsByTwo += 1;
}
// Set number of trials here
int numberOfRabinTrials = 20;
for (int i = 0; i < (numberOfRabinTrials) ; i++)
{
Random rand = new Random();
int round_tester = rand.Next(2, miller_rabin_candidate);
if (trialComposite(round_tester, evenComponent,
miller_rabin_candidate, maxDivisionsByTwo))
return false;
}
return true;
}// This code is contributed by phasing17. |
Javascript
// This function calculates (base ^ exp) % modfunction expmod( base, exp, mod ){
if (exp == 0) return 1;
if (exp % 2 == 0){
return Math.pow( expmod( base, (exp / 2), mod), 2) % mod;
}
else {
return (base * expmod( base, (exp - 1), mod)) % mod;
}
}function isMillerRabinPassed(miller_rabin_candidate)
{ // Run 20 iterations of Rabin Miller Primality test
let maxDivisionsByTwo = 0
let evenComponent = miller_rabin_candidate-1
while (evenComponent % 2 == 0)
{
evenComponent >>= 1
maxDivisionsByTwo += 1
}
function trialComposite(round_tester)
{
if (expmod(round_tester, evenComponent,
miller_rabin_candidate) == 1 )
return false
for (var i = 0; i < (maxDivisionsByTwo); i++)
{
if (expmod(round_tester, 2**i * evenComponent,
miller_rabin_candidate)
== miller_rabin_candidate-1)
return false
}
return true
}
// Set number of trials here
let numberOfRabinTrials = 20
for (var i = 0; i < (numberOfRabinTrials) ; i++)
{
let round_tester = Math.random() * (miller_rabin_candidate - 2) + 2;
if (trialComposite(round_tester))
return false
}
return true
} |
4. Combining the above steps to generate the code
- Finally, we can combine the above functions to create a three-step process to generate large primes. The steps would be
- Random number generation by calling nBitRandom(bitsize)
- Basic division test by calling getLowLevelPrime(prime_candidate)
- Rabin Miller Test by calling isMillerRabinPassed(prime_candidate)
- If the chosen random value passes all primality tests, it is returned as the n-bit prime number. Otherwise, in the case of test-failure, a new random value is picked and tested for primality. The process is repeated until the desired prime is found.
Below is the complete implementation of the above approach
Python3
# Large Prime Generation for RSAimport random
# Pre generated primesfirst_primes_list = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67,
71, 73, 79, 83, 89, 97, 101, 103,
107, 109, 113, 127, 131, 137, 139,
149, 151, 157, 163, 167, 173, 179,
181, 191, 193, 197, 199, 211, 223,
227, 229, 233, 239, 241, 251, 257,
263, 269, 271, 277, 281, 283, 293,
307, 311, 313, 317, 331, 337, 347, 349]
def nBitRandom(n):
return random.randrange(2**(n-1)+1, 2**n - 1)
def getLowLevelPrime(n):
'''Generate a prime candidate divisible
by first primes'''
while True:
# Obtain a random number
pc = nBitRandom(n)
# Test divisibility by pre-generated
# primes
for divisor in first_primes_list:
if pc % divisor == 0 and divisor**2 <= pc:
break
else:
return pc
def isMillerRabinPassed(mrc):
'''Run 20 iterations of Rabin Miller Primality test'''
maxDivisionsByTwo = 0
ec = mrc-1
while ec % 2 == 0:
ec >>= 1
maxDivisionsByTwo += 1
assert(2**maxDivisionsByTwo * ec == mrc-1)
def trialComposite(round_tester):
if pow(round_tester, ec, mrc) == 1:
return False
for i in range(maxDivisionsByTwo):
if pow(round_tester, 2**i * ec, mrc) == mrc-1:
return False
return True
# Set number of trials here
numberOfRabinTrials = 20
for i in range(numberOfRabinTrials):
round_tester = random.randrange(2, mrc)
if trialComposite(round_tester):
return False
return True
if __name__ == '__main__':
while True:
n = 1024
prime_candidate = getLowLevelPrime(n)
if not isMillerRabinPassed(prime_candidate):
continue
else:
print(n, "bit prime is: \n", prime_candidate)
break
|
C++
// 64 bits is maximum you can get in c++ so it's implemented to do so// you can edit constexpr var in getRandom64() to get lower amount of bits#include <iostream>#include <cstdint>#include <vector>#include <random>#include <bitset>uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { int64_t res = 0;
while (a != 0) {
if (a & 1) {
res = (res + b) % m;
}
a >>= 1;
b = (b << 1) % m;
}
return res;
}uint64_t powMod(uint64_t a, uint64_t b, uint64_t n) { uint64_t x = 1;
a %= n;
while (b > 0) {
if (b % 2 == 1) {
x = mulmod(x, a, n); // multiplying with base
}
a = mulmod(a, a, n); // squaring the base
b >>= 1;
}
return x % n;
}std::vector<int> first_primes = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67,
71, 73, 79, 83, 89, 97, 101, 103,
107, 109, 113, 127, 131, 137, 139,
149, 151, 157, 163, 167, 173, 179,
181, 191, 193, 197, 199, 211, 223,
227, 229, 233, 239, 241, 251, 257,
263, 269, 271, 277, 281, 283, 293,
307, 311, 313, 317, 331, 337, 347, 349 };
// going through all 64 bits and placing randomly 0s and 1s// setting first and last bit to 1 to get 64 odd number uint64_t getRandom64() { // the value need to be 63 bits because you can not using 64 bit values do a^2 which is needed
constexpr int bits = 63;
std::bitset<bits> a;
std::random_device rd;
std::mt19937 gen(rd());
std::uniform_int_distribution<short> distr(0, 1);
for (int i = 0; i < bits; i++) {
a[i] = distr(gen);
}
a[0] = 1;
a[bits - 1] = 1;
return a.to_ullong();
}uint64_t getLowLevelPrime() { while (true) {
uint64_t candidate = getRandom64();
bool is_prime = true;
for (int i = 0; i < first_primes.size(); i++) {
if (candidate == first_primes[i])
return candidate;
if (candidate % first_primes[i] == 0) {
is_prime = false;
break;
}
}
if (is_prime)
return candidate;
}
}bool trialComposite(uint64_t a, uint64_t evenC, uint64_t to_test, int max_div_2) {
if (powMod(a, evenC, to_test) == 1)
return false;
for (int i = 0; i < max_div_2; i++) {
uint64_t temp = static_cast<uint64_t>(1) << i;
if (powMod(a, temp * evenC, to_test) == to_test - 1)
return false;
}
return true;
}bool MillerRabinTest(uint64_t to_test) {
constexpr int accuracy = 20;
int max_div_2 = 0;
uint64_t evenC = to_test - 1;
while (evenC % 2 == 0) {
evenC >>= 1;
max_div_2++;
}
// random numbers init
std::random_device rd;
std::mt19937 gen(rd());
std::uniform_int_distribution<uint64_t> distr(2, to_test);
for (int i = 0; i < accuracy; i++) {
uint64_t a = distr(gen);
if (trialComposite(a, evenC, to_test, max_div_2)) {
return false;
}
}
return true;
}uint64_t getBigPrime() { while (true) {
uint64_t candidate = getLowLevelPrime();
if (MillerRabinTest(candidate))
return candidate;
}
}int main(){
std::cout<<getBigPrime()<<std::endl;
} |
Output
1024 bit prime is: 170154366828665079503315635359566390626153860097410117673698414542663355444709893966571750073322692712277666971313348160841835991041384679700511912064982526249529596585220499141442747333138443745082395711957231040341599508490720584345044145678716964326909852653412051765274781142172235546768485104821112642811
Note: Library Generation of Large Primes in Python
The pycrypto library is a comprehensive collection of secure hash functions and various encryption algorithms. It also includes basic functions commonly required in encryption/decryption setups such as random number generation and random prime number generation. The goal of generating a random prime number with a specified bit-size can be achieved using the pycrypto getPrime module.
The syntax for generating a random n-bit prime number is:
Python3
from Crypto.Util import number
number.getPrime(n) |