43.3.5.3 Probable Prime Generation (Using Rabin-Miller)

Purpose

This service is used to perform probable prime generation or test. This service processes integers in GF(p) only.

The options available for this service are:

Choice of the number of iterations of the Rabin-Miller test
Generation or Test of a probable prime number
Fast Implementation
Regular Implementation
Exponent Window Size

Additional Information

The Rabin-Miller test is a probable-primality testing algorithm. As a consequence, the primality of the generated number is not guaranteed at 100%, however, numerous publications have been issued explaining how to estimate the probability of getting a composite number, giving the size of the number and the number of iterations (the T parameter).

Useful information can be found in the “Handbook of Applied Cryptography (Discrete Mathematics and Its Applications” by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, in the following sections:

4.2.3. “Rabin-Miller Test”
4.4. “Prime Number Generation”

How to Use the Service

Description

This service processes a test for probable primality or a generation of a probable prime number.

Note: When using this service be sure to follow the directives given for the RNG on the chip you use (particularly initialization, seeding) and compulsorily start the RNG.

This service processes one of the following operations: CheckProbablePrimality(N)

or

N = GenerateProbablePrimeFromSeed (NSeed)

In this computation, the following parameters need to be provided:

N the input number (pointed by {nu1NBase,u2NLength +4})
- If the requested operation is a test, it is untouched after the operation.
- If the requested operation is a generation and a probable prime number was found before reaching the Maximum Increment, it contains the resulting probable prime after the operation.
- If the requested operation was a generation and Maximum Increment was reached before a probable prime number was found, it contains no relevant information.
Cns as a workspace (pointed by {nu1CnsBase,u2NLength +12})
Rnd as a workspace (pointed by {nu1RndBase,u2NLength +16})
Precomp the precomputation workspace (pointed by{nu1PrecompBase,PrecompLen})
Exp as a workspace (pointed by {pfu1ExpBase,u2ExpLength +4})
u1MillerRabinIterations the number of Miller Rabin Iterations requested
u2MaxIncrement, maximum increment of the number in case of probable prime generation

The length PrecompLen depends on the lengths and options chosen; its calculus is detailed in Options below.

The service name for this operation is PrimeGen.

Parameters Definition

Table 43-56. PrimeGen Service Parameters
Parameter	Type	Direction	Location	Data Length	Before Executing the Service	After Executing the Service
nu1NBase (see Note 1)	nu1	I	Crypto RAM	u2NLength + 4	Base of N Number to test or Seed for the generation	Base of N unchanged if test or generation result ( see Note 1)
nu1CnsBase	nu1	I	Crypto RAM	u2NLength + 12	Base of Cns as a workspace	Base of Cns workspace corrupted
u2NLength	u2	I	–	–	Length of N	Length of N
nu1RndBase	nu1	I	Crypto RAM	Max (u2NLength + 16,64)	Internal Workspace	Internal Workspace corrupted
nu1PrecompBase	nu1	I	Crypto RAM	See Options below	Base of Precomp workspace	Base of Precomp workspace corrupted
nu1RBase (see Note 2)	nu1	–	Crypto RAM	–	–	–
nu1ExpBase (see Note 3)	nu1	I	Crypto RAM	u2NLength + 4	Base of Exponent (R)	Base of Exponent (R)
u1MillerRabin-Iterations	u1	I	–	–	Miller Rabin’s T parameter	Miller Rabin’s T parameter
u2MaxIncrement	u2	I	–	–	Maximum Increment (see Note 4)	Maximum Increment

Note:

This zone contains the number to be either tested or used as a seed for generation. It has to be provided with one zero word on the MSB side. This area has supplementary constraints (see the following Important note).

This parameter does not have to be provided and is used as an internal value for computing the reduction’s constant.
The area {nu1ExpBase, u2NLength + 4} must be entirely in the Crypto RAM.
The generation starts from the number in {nu1NBase,u2NLength + 4} and increments it until a number is found as probable prime. However, the generation may stop for two reasons: The number has been incremented in a way it is bigger than <u2NLength> bytes, or the original number has been incremented by more than <u2MaxIncrement>.

In case of probable prime generation, ensure that the addition of NSeed and Maximum Increment is not a number with more bytes than u2NLength, as this would produce an overflow.

Important:

One additional word is used on the LSB side of the NBase parameter; this word is restored at the end of the calculus. As a consequence, the parameter nu1NBase must never be at the beginning of the Crypto RAM, but at least at one word from the beginning.

One additional word is used on the MSB side of the NBase parameter; this word is not corrupted. As a consequence the Area {nu1NBase, u2NLength} must not be at the end of the Crypto RAM but at least at one word from the end.

Prime numbers of a size lower than 96 bits (three 32-bit words) cannot be generated or tested by this service.

Options

Some of the Prime Generation options configure the Modular Exponentiation steps and so are very similar to the Modular Exponentiation options.

The options are set by the u2Options input parameter, which is composed of:

the mandatory Operation Option described in Table 43-57
the mandatory Calculus Mode Option described in Table 43-58
the mandatory Window Size Option described in Table 43-59

The u2Options number is calculated by an “Inclusive OR” of the options. Some Examples in C language are:

Operation: Probable Prime Testing with Fast Modular Exponentiation and the window size equal to 1
PUKCL(u2Options) = PUKCL_PRIMEGEN_TEST | PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;
Operation: Probable Prime Generate with Regular Modular Exponentiation and the window size equal to 2
PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2;

The following table describes the PrimeGen service features available from the various options.

Table 43-57. PrimeGen Service Options
Option	Method Used
PUKCL_PRIMEGEN_TEST	This option is used to specify that only tests will be made on the provided number. When this option is not specified, a prime generation algorithm is selected, starting from the given seed and incrementing it.
PUKCL_EXPMOD_WINDOWSIZE_1,2,3 or 4	Depending on this option, different bit-window sizes will be used. For long exponents, the bigger the window, the faster the computation. However, this has also an impact on the size of the precomputations table.

For this service, two exclusive Calculus Modes are possible. The following table describes the Calculus Mode Options.

Table 43-58. PrimeGen Service Calculus Mode Options
Option	Explanation
PUKCL_EXPMOD_FASTRSA	Perform a Fast computation.
PUKCL_EXPMOD_REGULARRSA	Performs a Regular computation, slower than the Fast version, but using regular calculus methods.

The length of the Precomp area depends on the window size W and u2NLength. The Precomp area length is:

PrecompLen = max( 2*(u2NLength + 4) + 2W-1 * (u2NLength + 4), u2NLength + 8 + 64) + 8

Note: Please calculate precisely the length PrecompLen with the formula and the max() macro, which takes a maximum of two values.

The following table shows the size of the precomputation workspace (PrecompLen), depending on the chosen window size option.

Table 43-59. PrimeGen Service Precomputation Space Size
Option Specified	Size of the PrecompBase Workspace (bytes)	Content of the Workspace
PUKCL_EXPMOD_WINDOWSIZE_1	max( 3*(u2NLength + 4), u2NLength + 72) + 8	x
PUKCL_EXPMOD_WINDOWSIZE_2	max( 4*(u2NLength + 4), u2NLength + 72) + 8	x x³
PUKCL_EXPMOD_WINDOWSIZE_3	max( 6*(u2NLength + 4), u2NLength + 72) + 8	x x³ x⁵ x⁷
PUKCL_EXPMOD_WINDOWSIZE_4	max( 10*(u2NLength + 4) u2NLength + 72) + 8	x x³ x⁵ x⁷ x⁹ x¹¹ x¹³ x¹⁵

The following table provides the maximum sizes for the Prime Generation depending on the window size.

Table 43-60. PrimeGen Service Maximum Sizes
Characteristics of the Operation	Maximum Prime Sizes (bits)
1 bit window	4608
2 bits window	4032
3 bits window	3200
4 bits window	2272

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;

// ! The Random Number Generator must be initialized and started
// ! following the directives given for the RNG on the chip PUKCL(u2Option) =...;
// Depending on the option specified, not all fields should be filled 
PUKCL_PrimeGen(nu1NBase) = <Base of the ram location of N>; 
PUKCL_PrimeGen(u2NLength)  =  <Length  of  N>; 
PUKCL_PrimeGen(nu1CnsBase) = <Base of the ram location of Cns>;
PUKCL_PrimeGen(nu1PrecompBase) = <Base of the ram location of Precomp>; 
PUKCL_PrimeGen(pfu1ExpBase) = <Base of the location of Exp>; 
PUKCL_PrimeGen(u2ExpLength) = <Length of Exp>; 
PUKCL_PrimeGen(u1MillerRabinIterations) = <Number of iterations>; 
PUKCL_PrimeGen(u2MaxIncrement) = <Maximum Increment>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(PrimeGen, pvPUKCLParam);
if (PUKCL_Param.Status == PUKCL_NUMBER_IS_PRIME)
            {
            // The number is probably prime
            ...
            }
else if (PUKCL_Param.Status == PUKCL_NUMBER_IS_NOT_PRIME)
            {
            // The number is not prime
            ...
            }
else // Manage the error

Constraints

The following combinations of input values should be avoided in the case of a modular reduction ‘alone’, meaning that it has not been requested as an option of any other service:

nu1NBase,nu1CnsBase, nu1RndBase,nu1PrecompBase,nu1ExpBase are not aligned on 32-bit boundaries
{nu1NBase, u2NLength + 4}, {nu1CnsBase, u2NLength + 12}, {nu1RndBase, u2NLength +12},{nu1PrecompBase, <PrecompLength>} are not in Crypto RAM
u2NLength is either: < 12, > 0xffc or not a 32-bit length
Both PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified.
{nu1PrecompBase,<PrecompLength>} overlaps with either: {nu1NBase, u2NLength + 4},{nu1CnsBase, u2NLength + 12} {nu1RndBase, u2NLength + 12} or {nu1ExpBase, u2ExpLength + 4}
{nu1RndBase,3*u2NLength + 24} overlaps with either: {nu1NBase, u2NLength + 4},{nu1CnsBase, u2NLength + 12} {nu1XBase, u2NLength + 12} or {nu1ExpBase, u2ExpLength + 4}
{nu1NBase, u2NLength + 4} overlaps {nu1CnsBase, u2NLength +12}

Status Returned Values

Table 43-61. PrimeGen Service Return Codes
Returned Status	Importance	Meaning
PUKCL_NUMBER_IS_PRIME	Information	The generated or tested number has been detected as probably prime.
PUKCL_NUMBER_IS_NOT_PRIME	Information	The generated or tested number has been detected as composite.