U.M. Maurer, "Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters", J. Cryptology, vol.8 no.3 (1995), 123-156.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....to nd protocol failures [20] and the other one is to directly attack the underpinning crypto algorithm. The cycling attack and its generalizations fall into the second category. So, it is important to carefully analyze the signi cance of this attack. For RSA, Rivest and Silverman [25] see also [16]) concluded that the chance that a cycling attack will succeed is negligible, whatever the form of the public modulus n. For elliptic curve based systems, the analysis is more dicult because the underlying group is not always cyclic. We will actually give some results valid for groups of any rank, ....

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123-155, 1995. An earlier version appeared in [15].

....The verification of ephemeral group parameter is based on heuristics. There still remains some degree of freedom for the opponent to find (pseudo) primes through pre computational search. A safer alternative might be to use provable primes generated from Maurer s provable prime number generation [25]. The server generates p based on Maurer s algorithm. The primality The order of elements in ## # # leaks too much information. This leads easily to an algorithm which distinguishes with high probability between ## # and a triple of random elements. of q can then be shown as part of ....

U. M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995.

....therefore beyond the scope of these notes. See [8, 64] or [3, 14, 23, 24, 42, 82] for more details. It is also possible to generate primes uniformly in such a way that very simple primality proofs (based on Pocklington s theorem and generalizations thereof [8, 14, 64] can be applied to them. See [73] for details. 3.5.6 Prime generation with trial division. Most random odd numbers have a small factor. Therefore, most wrong guesses in 3.5.4 can be cast out much faster by nding their smallest prime factor than by attempting to nd a witness. This can, for instance, conveniently be done by ....

U. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology 8 (1995) 123-155.

....(2 52 ; 2 53 ) Because P is small enough, the primality of P can be quickly verified using one of a number of procedures described in Bleichenbacher s thesis [5, Chapter 3] which are correct for primes up to 10 16 2 53 . For example, one of Bleichenbacher s results, as reported in [15], states that the Miller Rabin test for the bases 2; 3; 5; 7; 11; 13 and 23 is a correct primality test for numbers in this range. Next, we repeatedly choose integers R in the interval ( 2 160 Gamma 1) 2P; 2 161 Gamma 1) 2P ) until e = 2PR 1 is prime. The following lemma, which is a ....

....of such repetitions is bounded by a constant, but in practice, the primality of e is almost always determined by the base a = 2. Proof of Lemma 1. We first show that if the three conditions hold, then e is prime. The other implication is left to the reader. Our proof follows the arguments in [15]. Condition (i) in the lemma implies that every prime divisor of e is of the form 2Pm 1 for some positive integer m. Given the relative sizes of P and R, e can have at most three such prime divisors. If we have e = Q 3 i=1 (2Pm i 1) then we must have 8P 3 m 1 m 2 m 3 e, which implies ....

U. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. J. Cryptology, 8:123--155, 1995.

....The verification of ephemeral group parameter is based on heuristics. There still remains some degree of freedom for the opponent to find (pseudo) primes through pre computational search. A safer alternative might be to use provable primes generated from Maurer s provable prime number generation [25]. The server generates based on Maurer s algorithm. The primality 4 The order of elements in leaks too much information. This leads easily to an algorithm which distinguishes with high probability between 0 6 and a triple of random elements. of h can then be shown as part of the ....

U. M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995.

....(2 52 ; 2 53 ) Because P is small enough, the primality of P can be quickly veri ed using one of a number of procedures described in Bleichenbacher s thesis [Ble96, Chapter 3] which are correct for primes up to 10 16 2 53 . For example, one of Bleichenbacher s results, as reported in [Mau95], states that the Miller Rabin test for the bases 2; 3; 5; 7; 11; 13 and 23 is a correct primality test for numbers in this range. Next, we repeatedly choose integers R in the interval ( 2 160 1) 2P; 2 161 1) 2P ) until e = 2PR 1 is prime. The following lemma, which is a variant of a ....

....of such repetitions is bounded by a constant, but in practice, the primality of e is almost always determined by the base a = 2. Proof of Lemma 2. We rst show that if the three conditions hold, then e is prime. The other implication is left to the reader. Our proof follows the arguments in [Mau95]. Condition (i) in the lemma implies that every prime divisor of e is of the form 2Pm 1 for some positive integer m. Given the relative sizes of P and R, e can have at most three such prime divisors. If we have e = Q 3 i=1 (2Pm i 1) then we must have 8P 3 m 1 m 2 m 3 e, which implies ....

U. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. J. Cryptology, 8:123-155, 1995.

....at most min t p , t l iterations this attack may produce a complete factorization of m. Indeed, it is very likely that gcd u t p u 0 , m = p and gcd (u t l u 0 , m) l. This attack, as well as various ways of protecting against it, have been discussed in the literature, see [3, 17, 21, 23]. In particular, so called safe primes have been introduced. R. L. Rivest and R. D. Silverman [23] present heuristic arguments which show that randomly selected primes p and l are already likely to be strong against this attack so that it is not so necessary to make special choices. Theorem 2.3 ....

U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, J. Cryptology, 8 (1995), 123--155

....is very likely that the periods t p and t l of this sequence modulo p and l are distinct, after at most min t p , t l 1 iterations this attack may produce a complete factorization of m. This attack, as well as various ways of protecting against it, have been discussed in the literature, see [5, 18, 22, 24]. In particular, the so called safe primes have been introduced. Rivest and Silverman [24] present arguments which show that randomly selected primes p and l are likely to be strong against this attack. Our results imply a more precise statement which basically means that for a random selection ....

U. M. Maurer, `Fast generation of prime numbers and secure public-key cryptographic parameters', J. Cryptology, 8 (1995), 123--155.

....The verification of ephemeral group parameter is based on heuristics. There still remains some degree of freedom for the opponent to find (pseudo) primes through pre computational search. A safer alternative might be to use provable primes generated from Maurer s provable prime number generation [25]. The server generates p based on Maurer s algorithm. The primality 4 The order of elements in ZZ p leaks too much information. This leads easily to an algorithm which distinguishes with high probability between (g x ; g y ; g xy ) and a triple of random elements. of q can then be ....

U. M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995.

....to find protocol failures [20] and the other one is to directly attack the underpinning crypto algorithm. The cycling attack and its generalizations fall into the second category. So, it is important to carefully analyze the significance of this attack. For RSA, Rivest and Silverman [25] see also [16]) concluded that the chance that a cycling attack will succeed is negligible, whatever the form of the public modulus n. For elliptic curve based systems, the analysis is more difficult because the underlying group is not always cyclic. We will actually give some results valid for groups of any ....

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995. An earlier version appeared in [15].

....(2 52 ; 2 53 ) Because P is small enough, the primality of P can be quickly verified using one of a number of procedures described in Bleichenbacher s thesis [5, Chapter 3] which are correct for primes up to 10 16 2 53 . For example, one of Bleichenbacher s results, as reported in [14], states that the Miller Rabin test for the bases 2; 3; 5; 7; 11; 13 and 23 is a correct primality test for numbers in this range. Next, we repeatedly choose integers R in the interval ( 2 160 Gamma 1) 8P; 2 161 Gamma 1) 8P ) until e = 8RP 1 is prime. Lemma 2 in [14] provides an extremely ....

....results, as reported in [14] states that the Miller Rabin test for the bases 2; 3; 5; 7; 11; 13 and 23 is a correct primality test for numbers in this range. Next, we repeatedly choose integers R in the interval ( 2 160 Gamma 1) 8P; 2 161 Gamma 1) 8P ) until e = 8RP 1 is prime. Lemma 2 in [14] provides an extremely efficient probabilistic algorithm for generating a certificate of primality for numbers of this form, requiring essentially just a single exponentiation on average to certify a prime; our choice of parameters ensures that 4P e 1=3 , as required by that lemma. Lemma 1 ....

U. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. J. Cryptology, 8:123--155, 1995.

....primes that is primes whose properties avoid these fast, special purpose algorithms. The most common restriction is that both (p Gamma 1) and (p 1) have at least one large prime factor. Traditionally it has been recommended that strong primes are used to generate RSA moduli. However, Maurer[18] has recently shown this choice of strong primes is unnecessary; a viewpoint reinforced in a publication of RSA Laboratories[11] 5.3.2 Attack of Piper and Stephens When the DSS was first published, there was criticism that the scheme was not well enough known, and that it may contain weaknesses. ....

U. M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. To appear in Journal of Cryptology.

....equal to the probability that a random integer close to p (not exactly p Gamma 1 or p 1) is completely factored into only small primes. This observation shows that it seems to make little sense to require that p Gamma 1 and p 1 should each have at least one large prime factor (see also [26, 28]) Nevertheless, if desired, it is possible to make both p Gamma 1 and q Gamma 1 to have a prime factor of arbitrary size, at the cost of decrease in the number of bits that can be predetermined. Suppose that we want q Gamma 1 to have a prime factor r. In the method of Section 3.1, we can find ....

.... the number of b s satisfying this recurrence relation is equal to (1 gcd(e k Gamma 1; p Gamma 1) 1 gcd(e k Gamma 1; q Gamma 1) Thus, if p Gamma 1 and q Gamma 1 each have a very large prime factor, the fraction of these k th order fixed points will be negligible for any k (see also [26] for further discussions on this topic) The special number field sieve [22] applies to numbers of the special form n = r c Sigma s for small integers r and s. In any modulus generated by our methods, however, the size of s is unlikely to be smaller than l n 2 (e.g. even if we take f as f = ....

U.M.Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, J. Cryptology, 8(3), 1995, pp.123-156.

....for the 245 810 column matrix from [2] extrapolate to 4 Delta(524 339=245 810) 3 39 hours. attack. The large prime factors of p Gamma 1 and q Gamma 1 might have been based on the widespread belief that they would be necessary to prevent a decryption attempt using iterated encryption [17]. The resistance of r against a Pollard p 1 attack, which had not yet been published by 1977, was probably a coincidence: p 1 = 2 Delta 1 376 164 939 307 949 996 650 933 Delta p40, and q 1 = 2 Delta 3 4 Delta 11 Delta 79 Delta 197 Delta 227 Delta p55, with pj denoting a j digit ....

U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology, to appear.

No context found.

U. M. Maurer. Fast generation of prime numbers and secure publickey cryptographic parameters. Journal of Cryptology, 8(3):123-155, 1995.

....paragraphs describe the system set up by a trusted authority, the user registration phase and the user communication phase, respectively. To set up the system we suggest that a trusted authority choose the primes p i such that the numbers (p i Gamma 1) 2 are odd and pairwise relatively prime [16]. Preferably, p i Gamma 1) 2 are chosen to be primes themselves. The primes p i are chosen small enough such that computing discrete logarithms modulo each prime is feasible (though not trivial) using for instance the algorithm of [3] but such that factoring the product, even with the best known ....

U.M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, to appear in Journal of Cryptology, 1995.

No context found.

U.M. Maurer, "Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters", J. Cryptology, vol.8 no.3 (1995), 123-156.

No context found.

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995. An earlier version appeared in [15].

No context found.

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995. An earlier version appeared in [15].

No context found.

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995. An earlier version appeared in [15].

No context found.

Ueli Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995.

No context found.

U. Maurer. Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters. J. of Crypt. 8(3):123--156, Springer 1995.

No context found.

U.M. Maurer. Fast generation of prime numbers and secure public-key cryptographic parameters. Journal of Cryptology, 8(3):123--155, 1995. An earlier version appeared in [15].

No context found.

U. M. Maurer, `Fast generation of prime numbers and secure public-key cryptographic parameters', J. Cryptology , 8 (1995), 123--155.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC