The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm.

A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudo-prime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than presently-used algorithms for generating only pseudo-primes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval. Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy t...

. Monier and Rabin proved that an odd composite can pass the Strong Probable Prime Test for at most 1 4 of the possible bases. In this paper, a probable prime test is developed using quadratic polynomials and the Frobenius automorphism. The test, along with a fixed number of trial divisions, ensures that a composite n will pass for less than 1 7710 of the polynomials x 2 \Gamma bx \Gamma c with i b 2 +4c n j = \Gamma1 and \Gamma \Gammac n \Delta = 1. The running time of the test is asymptotically 3 times that of the Strong Probable Prime Test. x1 Background Perhaps the most common method for determining whether or not a number is prime is the Strong Probable Prime Test. Given an odd integer n, let n = 2 r s + 1 with s odd. Choose a random integer a with 1 a n \Gamma 1. If a s j 1 mod n or a 2 j s j \Gamma1 mod n for some 0 j r \Gamma 1, then n passes the test. An odd prime will pass the test for all a. The test is very fast; it requires no more than (1 +...

. We describe a primality testing algorithm, due essentially to Atkin, that uses elliptic curves over finite fields and the theory of complex multiplication. In particular, we explain how the use of class fields and genus fields can speed up certain phases of the algorithm. We sketch the actual implementation of this test and its use on testing large primes, the records being two numbers of more than 550 decimal digits. Finally, we give a precise answer to the question of the reliability of our computations, providing a certificate of primality for a prime number. IMPLEMENTATION DU TEST DE PRIMALITE D' ATKIN, GOLDWASSER, ET KILIAN R'esum'e. Nous d'ecrivons un algorithme de primalit'e, principalement du `a Atkin, qui utilise les propri'et'es des courbes elliptiques sur les corps finis et la th'eorie de la multiplication complexe. En particulier, nous expliquons comment l'utilisation du corps de classe et du corps de genre permet d'acc'el'erer les calculs. Nous esquissons l'impl'ementati...

this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached. The recipient, as well as a third party, can verify both that the document did indeed originate from the person whose signature is attached and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents. Furthermore, secure digital signatures cannot be repudiated; i.e., the signer of a document cannot later disown it by claiming it was forged.

So-called "perfect" or "unpredictable" pseudorandom generators have been proposed recently by people from the area of cryptology. Many people got aware of them from an optimistic article in the New York Times (Gleick (1988)). These generators are usually based on nonlinear recurrences modulo some integer m. Under some (yet unproven) complexity assumptions, it has been proven that no polynomial-time statistical test can distinguish a sequence of bits produced by such a generator from a sequence of truly random bits. In this paper, we give some theoretical background concerning this class of generators and we look at the practicality of using them for simulation applications. We examine in particular their ease of implementation, their efficiency, periodicity, the ease of jumping ahead in the sequence, the minimum size of modulus that should be used, etc. 1. INTRODUCTION In the recent years, a growing interest has raised for "cryptographically strong" (or "perfect", or "unpredictable "...

e theory also suggests that pseudoprimes are rare. On the basis of extensive experience and analysis, Pomerance [5, 8] conjectures that the number of pseudoprimes less than n is at most n=L(n) 1+o(1) (2) where L(n) = exp log n log log log n log log n ! : Supported by NSF grant CCR-8914428, and RSA Data Security. email address: rivest@theory.lcs.mit.edu If this conjecture is correct, and we make the (unjustied) additional assumption that the o(1) in conjecture (2) can be ignored, then the number of pseudoprimes less than 2 256 is conjectured to be at most 4 10 52 whereas the number of 256-bit primes is approximately 6:5 10 74 : Thus, if Pomerance's conjecture

Abstract. Recently, Damg˚ard, Landrock and Pomerance described a procedure in which a k-bit odd number is chosen at random and subjected to t random strong probable prime tests. If the chosen number passes all t tests, then the procedure will return that number; otherwise, another k-bit odd integer is selected and then tested. The procedure ends when a number that passes all t tests is found. Let pk,t denote the probability that such a number is composite. The authors above have shown that pk,t ≤ 4 −t when k ≥ 51 and t ≥ 1. In this paper we will show that this is in fact valid for all k ≥ 2 and t ≥ 1. 1.

We make an attempt to compare the speed of eeme primality testing algorithms for certifying loo-digit prime numbers. 1. Introduction. The

We explain how the Elliptic Curve Primality Proving algorithm can be implemented in a distributed way. Applications are given to the certification of large primes (more than 500 digits). As a result, we describe the successful attempt at proving the primality of the lO65-digit (2^3539+ l)/3, the first ordinary Titanic prime.