
Say I want a random 1024-bit prime $p$. The obviously-correct way to do this is select a random 1024-bit number and test its primality with the usual well-known tests.

But suppose instead that I do this:

  1. select random odd 1024-bit number $n$
  2. if $n$ is prime, return $n$
  3. $n \leftarrow n+2$
  4. goto 2

(This approach allows faster selection of primes via sieving.)

Since primes are not uniformly distributed on the number line, it would seem that this algorithm prefers primes that lie after long runs of composites. Take a piece of the number line around $2^{1024}$ with x denoting a prime:

---x-x----------------------------x------------------------x---x

Clearly our algorithm above is much more likely to find the 3rd prime above than to find the 2nd one.

Question: Is this a problem?

e-sushi
Fixee
    The question is that a problem can be sidestepped by replacing $n \leftarrow n+2$ by $n \leftarrow n+m$ for some even $m$, drawn at random at the beginning of the procedure. This still allows fast selection of primes via sieving. It is sometimes done with $m = 2p$ for some random prime $p$, and allows enumerating only those $n$ such that $p$ divides $n-1$. – fgrieu Sep 16 '11 at 01:48

2 Answers


This procedure is known as incremental search and is described in the Handbook of Applied Cryptography (note 4.51, page 148). Although some primes are being selected with higher probability than others, this allows no known attacks on RSA; roughly speaking, incremental search selects primes which could have been selected anyway and there are still gazillions of them. OpenSSL uses this prime generation technique.

Thomas Pornin

No, it is not believed to be a problem, probably because:

  • No known factoring method can take advantage of the bias

  • The bias really isn't that large, at least, when you compare it to the number of primes. Given the density of primes around $2^{1024}$, there are likely primes that come immediately after $2000$ consecutive odd composites; such a prime would have a probability of about $2000/2^{1022} \approx 2^{-1011}$ of being chosen. On the other extreme, a prime that comes immediately after another prime (a twin prime) would have a probability of $2^{-1022}$ of being chosen. There wouldn't appear to be that much difference between $2^{-1011}$ and $2^{-1022}$.

In addition, the existing standards for finding primes (X9.31, X9.80) endorse the above type of linear search (even if they differ in some of the details, such as the increment not being two but some other even number).

forest
poncho
  • That 'detail' you mention in the final paragraph is important -- see fgrieu's comment to the OP. – TonyK May 27 '19 at 14:57
  • @TonyK: actually, I'm not sure if it's all that important; larger step sizes won't yield uniformity (however, the same reasoning implies - we still don't know how to exploit it). In fact, if you are deliberately selecting primes $m$ such that $m-1$ has a prime factor of a fixed size, then you will never generate primes for which $m-1$ doesn't have such a prime factor, and hence is arguably a larger deviation from uniformity – poncho May 27 '19 at 22:04
  • Does anybody do that these days? I mean selecting primes $n$ such that $n-1$ has a large prime factor. (BTW, larger step sizes do improve uniformity if the step size is chosen at random.) – TonyK May 28 '19 at 07:07
  • @TonyK: I believe FIPS still insists on it, and so I suspect a lot of implementations do (albeit for reasons that have nothing to do with uniformity) – poncho May 28 '19 at 12:06
  • This seems to be the latest FIPS publication on the subject. It allows the use of provable primes (in which case you are right), and probable primes (in which case no condition is attached to the factors of $n-1$). – TonyK May 28 '19 at 13:53
  • @TonyK: I just glanced through it (it was updated since the last time I had to implement it); I went through the provable prime section, and saw it was still a requirement. I assumed they made it mandatory everywhere (as I can't see any reason why the requirements would be different in the two cases...) – poncho May 28 '19 at 14:13
  • The reason, I think, is that if you only allow provable primes, you lose uniformity; but if you only allow probable primes, you lose perfectly respectable legacy systems that would otherwise have to be junked. – TonyK May 30 '19 at 12:38
  • @TonyK: actually, you could do provable primes with uniformity (by either using ECPP or AKS); however either could be considerably slower than the current nonuniform FIPS method. I also note that, with their current method, provable primes always have a large prime factor of p-1 (over half the size of p); however they still insist on having a second large prime factor of p-1 (which has nothing to do with what you're saying; it's just something that has bugged me for a while...) – poncho May 30 '19 at 13:21