37.3.5.3 Probable Prime Generation (Using Rabin-Miller)
Purpose
This service is used to perform probable prime generation or test. This service processes integers in GF(p) only.
The options available for this service are:
- Choice of the number of iterations of the Rabin-Miller test
- Generation or Test of a probable prime number
- Fast Implementation
- Regular Implementation
- Exponent Window Size
Additional Information
The Rabin-Miller test is a probable-primality testing algorithm. As a consequence, the primality of the generated number is not guaranteed at 100%, however, numerous publications have been issued explaining how to estimate the probability of getting a composite number, giving the size of the number and the number of iterations (the T parameter).
Useful information can be found in the “Handbook of Applied Cryptography (Discrete Mathematics and Its Applications” by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, in the following sections:
- 4.2.3. “Rabin-Miller Test”
- 4.4. “Prime Number Generation”
How to Use the Service
Description
This service processes a test for probable primality or a generation of a probable prime number.
This service processes one of the following operations: CheckProbablePrimality(N)
or
N = GenerateProbablePrimeFromSeed (NSeed)
In this computation, the following parameters need to be provided:
- N the input number (pointed by {nu1NBase,u2NLength +4})
- If the requested operation is a test, it is untouched after the operation.
- If the requested operation is a generation and a probable prime number was found before reaching the Maximum Increment, it contains the resulting probable prime after the operation.
- If the requested operation was a generation and Maximum Increment was reached before a probable prime number was found, it contains no relevant information.
- Cns as a workspace (pointed by {nu1CnsBase,u2NLength +12})
- Rnd as a workspace (pointed by {nu1RndBase,u2NLength +16})
- Precomp the precomputation workspace (pointed by{nu1PrecompBase,PrecompLen})
- Exp as a workspace (pointed by {pfu1ExpBase,u2ExpLength +4})
- u1MillerRabinIterations the number of Miller Rabin Iterations requested
- u2MaxIncrement, maximum increment of the number in case of probable prime generation
The length PrecompLen depends on the lengths and options chosen; its calculus is detailed in Options below.
The service name for this operation is
PrimeGen
.
Parameters Definition
Parameter | Type | Direction | Location | Data Length | Before Executing the Service | After Executing the Service |
---|---|---|---|---|---|---|
nu1NBase(1) | nu1 | I | Crypto RAM | u2NLength + 4 |
Base of N Number to test or Seed for the generation | Base of N unchanged if test or generation result(2) |
nu1CnsBase | nu1 | I | Crypto RAM | u2NLength + 12 | Base of Cns as a workspace | Base of Cns workspace corrupted |
u2NLength | u2 | I | – | – | Length of N | Length of N |
nu1RndBase | nu1 | I | Crypto RAM | Max (u2NLength + 16,64) | Internal Workspace | Internal Workspace corrupted |
nu1PrecompBase | nu1 | I | Crypto RAM | See Options below | Base of Precomp workspace | Base of Precomp workspace corrupted |
nu1RBase(2) | nu1 | – | Crypto RAM | – | – | – |
nu1ExpBase(3) | nu1 | I | Crypto RAM | u2NLength + 4 | Base of Exponent (R) | Base of Exponent (R) |
u1MillerRabin-Iterations | u1 | I | – | – | Miller Rabin’s T parameter | Miller Rabin’s T parameter |
u2MaxIncrement | u2 | I | – | – | Maximum Increment(4) | Maximum Increment |
- This zone contains the number to be either tested or used as a seed for generation. It has to be provided with one zero word on the MSB side. This area has supplementary constraints (see the following Important note).
- This parameter does not have to be provided and is used as an internal value for computing the reduction’s constant.
- The area {nu1ExpBase, u2NLength + 4} must be entirely in the Crypto RAM.
- The generation starts from the number in {nu1NBase,u2NLength + 4} and increments it until a number is found as probable prime. However, the generation may stop for two reasons: The number has been incremented in a way it is bigger than <u2NLength> bytes, or the original number has been incremented by more than <u2MaxIncrement>.
In case of probable prime generation, ensure that the addition of NSeed and Maximum Increment is not a number with more bytes than u2NLength, as this would produce an overflow.
One additional word is used on the LSB side of the NBase parameter; this word is restored at the end of the calculus. As a consequence, the parameter nu1NBase must never be at the beginning of the Crypto RAM, but at least at one word from the beginning.
One additional word is used on the MSB side of the NBase parameter; this word is not corrupted. As a consequence the Area {nu1NBase, u2NLength} must not be at the end of the Crypto RAM but at least at one word from the end.
Prime numbers of a size lower than 96 bits (three 32-bit words) cannot be generated or tested by this service.
Options
Some of the Prime Generation options configure the Modular Exponentiation steps and so are very similar to the Modular Exponentiation options.
The options are set by the u2Options input parameter, which is composed of:
- the mandatory Operation Option described in Table 37-57
- the mandatory Calculus Mode Option described in Table 37-58
- the mandatory Window Size Option described in Table 37-59
The u2Options number is calculated by an “Inclusive OR” of the options. Some Examples in C language are:
- Operation:
Probable Prime Testing with Fast Modular Exponentiation and
the window size equal to 1
PUKCL(u2Options) = PUKCL_PRIMEGEN_TEST | PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;
- Operation:
Probable Prime Generate with Regular Modular Exponentiation
and the window size equal to 2
PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2;
The following table describes the PrimeGen service features available from the various options.
Option | Method Used |
---|---|
PUKCL_PRIMEGEN_TEST |
This option is used to specify that only tests will be made on the provided number. When this option is not specified, a prime generation algorithm is selected, starting from the given seed and incrementing it. |
PUKCL_EXPMOD_WINDOWSIZE_1,2,3 or 4 | Depending on this option, different bit-window sizes will be used. For long exponents, the bigger the window, the faster the computation. However, this has also an impact on the size of the precomputations table. |
For this service, two exclusive Calculus Modes are possible. The following table describes the Calculus Mode Options.
Option | Explanation |
---|---|
PUKCL_EXPMOD_FASTRSA | Perform a Fast computation. |
PUKCL_EXPMOD_REGULARRSA | Performs a Regular computation, slower than the Fast version, but using regular calculus methods. |
The length of the Precomp area depends on the window size W and u2NLength. The Precomp area length is:
PrecompLen = max( 2*(u2NLength + 4) + 2W-1 * (u2NLength + 4), u2NLength + 8 + 64) + 8
max()
macro, which takes a maximum of two
values.The following table shows the size of the precomputation workspace (PrecompLen), depending on the chosen window size option.
Option Specified | Size of the PrecompBase Workspace (bytes) | Content of the Workspace |
---|---|---|
PUKCL_EXPMOD_WINDOWSIZE_1 | max( 3*(u2NLength + 4), u2NLength + 72) + 8 | x |
PUKCL_EXPMOD_WINDOWSIZE_2 | max( 4*(u2NLength + 4), u2NLength + 72) + 8 | x x3 |
PUKCL_EXPMOD_WINDOWSIZE_3 | max( 6*(u2NLength + 4), u2NLength + 72) + 8 | x x3 x5 x7 |
PUKCL_EXPMOD_WINDOWSIZE_4 | max( 10*(u2NLength + 4) u2NLength + 72) + 8 | x x3 x5 x7 x9 x11 x13 x15 |
The following table provides the maximum sizes for the Prime Generation depending on the window size.
Characteristics of the Operation | Maximum Prime Sizes (bits) |
---|---|
1 bit window | 4608 |
2 bits window | 4032 |
3 bits window | 3200 |
4 bits window | 2272 |
Code Example
PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;
// ! The Random Number Generator must be initialized and started
// ! following the directives given for the RNG on the chip PUKCL(u2Option) =...;
// Depending on the option specified, not all fields must be filled
PUKCL_PrimeGen(nu1NBase) = <Base of the ram location of N>;
PUKCL_PrimeGen(u2NLength) = <Length of N>;
PUKCL_PrimeGen(nu1CnsBase) = <Base of the ram location of Cns>;
PUKCL_PrimeGen(nu1PrecompBase) = <Base of the ram location of Precomp>;
PUKCL_PrimeGen(pfu1ExpBase) = <Base of the location of Exp>;
PUKCL_PrimeGen(u2ExpLength) = <Length of Exp>;
PUKCL_PrimeGen(u1MillerRabinIterations) = <Number of iterations>;
PUKCL_PrimeGen(u2MaxIncrement) = <Maximum Increment>;
...
// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library...
vPUKCL_Process(PrimeGen, pvPUKCLParam);
if (PUKCL_Param.Status == PUKCL_NUMBER_IS_PRIME)
{
// The number is probably prime
...
}
else if (PUKCL_Param.Status == PUKCL_NUMBER_IS_NOT_PRIME)
{
// The number is not prime
...
}
else // Manage the error
Constraints
The following combinations of input values must be avoided in the case of a modular reduction ‘alone’, meaning that it has not been requested as an option of any other service:
- nu1NBase,nu1CnsBase, nu1RndBase,nu1PrecompBase,nu1ExpBase are not aligned on 32-bit boundaries
- {nu1NBase, u2NLength + 4}, {nu1CnsBase, u2NLength + 12}, {nu1RndBase, u2NLength +12},{nu1PrecompBase, <PrecompLength>} are not in Crypto RAM
- u2NLength is either: < 12, > 0xffc or not a 32-bit length
- Both PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified.
- {nu1PrecompBase,<PrecompLength>} overlaps with either: {nu1NBase, u2NLength + 4},{nu1CnsBase, u2NLength + 12} {nu1RndBase, u2NLength + 12} or {nu1ExpBase, u2ExpLength + 4}
- {nu1RndBase,3*u2NLength + 24} overlaps with either: {nu1NBase, u2NLength + 4},{nu1CnsBase, u2NLength + 12} {nu1XBase, u2NLength + 12} or {nu1ExpBase, u2ExpLength + 4}
- {nu1NBase, u2NLength + 4} overlaps {nu1CnsBase, u2NLength +12}
Status Returned Values
Returned Status | Importance | Meaning |
---|---|---|
PUKCL_NUMBER_IS_PRIME | Information | The generated or tested number has been detected as probably prime. |
PUKCL_NUMBER_IS_NOT_PRIME | Information | The generated or tested number has been detected as composite. |