## Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters (1995)

### Cached

### Download Links

- [ftp.inf.ethz.ch]
- [ftp.cert.dfn.de]
- [www.mathmagic.cn]
- DBLP

### Other Repositories/Bibliography

Citations: | 26 - 0 self |

### BibTeX

@MISC{Maurer95fastgeneration,

author = {Ueli M. Maurer},

title = {Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters},

year = {1995}

}

### Years of Citing Articles

### OpenURL

### Abstract

A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudo-prime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than presently-used algorithms for generating only pseudo-primes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval. Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy t...

### Citations

3006 | New Directions in Cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...ry. 1 Some results of this paper were presented at EUROCRYPT'89, Houthalen, Belgium, April 10-13, 1989. 1 1. Introduction A variety of cryptographic systems, including public-key distribution systems =-=[28]-=-, [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols [32], [39], and a large number of variations of some ... |

2573 |
The design and analysis of computer algorithms
- Aho, Hopcroft, et al.
- 1974
(Show Context)
Citation Context ...er. A straight-forward implementation of integer multiplication has running time M(k; l) = O(kl). In contrast, a sophisticated but not practical algorithm due to Schonhage and Strassen [81] (see also =-=[3]-=-, pp. 270-274) has an asymptotic running time M(k; k) = O(k \Delta log k \Delta log log k) for multiplying two k-bit integers. This is only slightly better than for FFT-based methods which, in contras... |

1255 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...t EUROCRYPT'89, Houthalen, Belgium, April 10-13, 1989. 1 1. Introduction A variety of cryptographic systems, including public-key distribution systems [28], [45], [58], public-key cryptosystems [30], =-=[36]-=-, [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols [32], [39], and a large number of variations of some of these systems have recently been proposed. The... |

1246 | Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal, “A
- 1985
(Show Context)
Citation Context ...nted at EUROCRYPT'89, Houthalen, Belgium, April 10-13, 1989. 1 1. Introduction A variety of cryptographic systems, including public-key distribution systems [28], [45], [58], public-key cryptosystems =-=[30]-=-, [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols [32], [39], and a large number of variations of some of these systems have recently been propose... |

896 | How to prove yourself: Practical solutions to identification and signature problems, proceeding
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...stems, including public-key distribution systems [28], [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols =-=[32]-=-, [39], and a large number of variations of some of these systems have recently been proposed. The security of most public-key schemes is based on the (conjectured) difficulty of certain number-theore... |

627 |
How to generate cryptographically strong sequences of pseudo random bits
- Blum, Micali
- 1984
(Show Context)
Citation Context ...e discrete logarithm problem in a finite group. Most proposals are based on the multiplicative group of GF (p) or a subgroup thereof, i.e. on computations modulo a large publicly-known prime p (e.g., =-=[15]-=-, [28], [30], [39], [80], [90]). The fastest known general algorithm for computing discrete logarithms modulo p is based on the number-field sieve and has asymptotic running time O i e c(log p) 1=3 (l... |

274 |
New directions in cryptography
- Die, Hellman
- 1976
(Show Context)
Citation Context ...ory. 1 Some results of this paper were presented at EUROCRYPT'89, Houthalen, Belgium, April 10-13, 1989. 1s1. Introduction Avariety of cryptographic systems, including public-key distribution systems =-=[28]-=-, [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identi cation protocols [32], [39], and a large number of variations of some o... |

217 |
A Course in Number Theory and Cryptography
- Koblitz
- 1987
(Show Context)
Citation Context ...Some results of this paper were presented at EUROCRYPT'89, Houthalen, Belgium, April 10-13, 1989. 1 1. Introduction A variety of cryptographic systems, including public-key distribution systems [28], =-=[45]-=-, [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols [32], [39], and a large number of variations of some of the... |

210 |
A practical zero-knowledge protocol fitted to security microprocessor minimizing both trasmission and memory
- Guillou, Quisquater
(Show Context)
Citation Context ... including public-key distribution systems [28], [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identification protocols [32], =-=[39]-=-, and a large number of variations of some of these systems have recently been proposed. The security of most public-key schemes is based on the (conjectured) difficulty of certain number-theoretic pr... |

151 |
Some Problems of ’Partitio Numerorum.’ III. On the Expression of a Number as a Sum of Primes
- Hardy, Littlewood
- 1922
(Show Context)
Citation Context ... [56]. Further results supporting the idea that when p is prime, the factorization pattern of p \Gamma 1 does not differ greatly from that of a "random" number can be found in [10], [31], [3=-=3], [34], [40]-=-, [41], [46], [72], [74] and [89]. 3.2. Description of the procedure RandomPrime A listing of the PROCEDURE RandomPrime is shown in Figure 1. It is intended to serve as a guideline rather than a bluep... |

123 |
R.S.: On distinguishing prime numbers from composite numbers
- Adleman, Pomerance, et al.
- 1983
(Show Context)
Citation Context ...tic polynomial time, Miller [62] proved that the Riemann hypothesis for Dirichlet L-functions implied that the primes were recognizable in deterministic polynomial time, Adleman, Pomerance and Rumely =-=[2]-=- showed that the primes were recognizable in deterministic time O((log n) c log log log n ) for some constant c, and finally Adleman and Huang proved in a seminal report [1] that the primes were recog... |

75 | Almost All Primes Can Be Quickly Certified
- Goldwasser, Kilian
- 1986
(Show Context)
Citation Context ... and finally Adleman and Huang proved in a seminal report [1] that the primes were recognizable in random polynomial time. A significant step towards this result was achieved by Goldwasser and Kilian =-=[35]-=-. It is interesting to note that the primality tests used in practice [20], [64] appear to have super-polynomial running time and hat the algorithm of 2 [1] is superior only for very large numbers tha... |

51 |
On the frequency of numbers containing prime factors of a certain relative magnitude
- DICKMAN
- 1930
(Show Context)
Citation Context ...x) are tabulated in [44]. A few more values of F 1 are F 1 (0:25) = 0:00491, F 1 (1=3) = 0:0486 and F 1 (0:4) = 0:130. The function x 7! F 1 (1=x) is also known as the rho-function studied by Dickman =-=[27]-=-. A good algorithm for computing the Dickman rho-function is described in [24]. Consider the following process, suggested to the author by Eric Bach [5] (see also [6]) for generating real-valued rando... |

49 |
Primality testing and Abelian varieties over finite fields, volume 1512 of Lecture notes in mathematics
- Adleman, Huang
- 1992
(Show Context)
Citation Context ...eman, Pomerance and Rumely [2] showed that the primes were recognizable in deterministic time O((log n) c log log log n ) for some constant c, and finally Adleman and Huang proved in a seminal report =-=[1]-=- that the primes were recognizable in random polynomial time. A significant step towards this result was achieved by Goldwasser and Kilian [35]. It is interesting to note that the primality tests used... |

40 |
Factorization and Primality Testing
- Bressoud
- 1989
(Show Context)
Citation Context ...ive orders is that for every x 2 Z m , njm =) ord n (x)jord m (x): (1) The following lemma, which is a key fact used in our algorithm, is a special case of a theorem due to Pocklington [69] (see also =-=[16]-=- or [48]). Lemma 1. Let n = 2RF + 1 where the prime factorization of F is F = q fi 1 1 q fi 2 2 \Delta \Delta \Delta q fi r r . If there exists an integer a satisfying a n\Gamma1 j 1 (mod n) and (a (n... |

39 |
The recognition problem for the set of perfect squares
- Cobham
- 1966
(Show Context)
Citation Context ...l. The expected number of Legendre symbol computations for proving that a given integer is not a square is on the order of 2. The problem of proving a number is not a perfect square was considered in =-=[19]-=-. For related results and more references we refer to [9]. Results that are similar to this lemma are described in [17] and [22], but the proofs appear to be more complicated. Note that Lemmas 1 and 2... |

33 |
How to generate factored random numbers
- Bach
- 1988
(Show Context)
Citation Context ... for several bases. In this paper we consider the problem of generating random primes together with a certificate of primality. Our results draw on Pocklington's, Pratt's and on Bach's work [69],[75],=-=[4]-=-: the certificate for a prime p contains a partial factorization of p \Gamma 1. However, in contrast to Bach's algorithm [4] for generating (truly) random factored integers, our algorithm does not mak... |

33 |
Average Case Error Estimates for the Strong Probable Prime Test
- Damgård, Landrock, et al.
- 1993
(Show Context)
Citation Context ... an aside that it does not follow from the described bound that p k;ts(1=4) t [11] because p k;t depends on the density of primes. However, Kim and Pomerance [43] and Damgard, Landrock, and Pomerance =-=[23]-=- proved much stronger bounds on p k;t . For instance, p 256;6s2 \Gamma52 [23]. While for large enough t the error probability p k;t can be made sufficiently small for all practical purposes, the prima... |

28 |
Implementation of a new primality test
- Cohen, Lenstra
- 1987
(Show Context)
Citation Context ... than or equal to p n, but this approach is completely infeasible when the length of n exceeds 15-20 decimal digits. There exist several sophisticated general-purpose algorithms for testing primality =-=[20]-=-, [64] (see also [49]). According to [66], the current record in primality testing is held by F. Morain [65] who proved the primality of a 1505-digit number of a general form using massive parallel co... |

25 |
Algorithmic Number Theory, Volume I: Efficient Algorithms
- Bach, Shallit
- 1996
(Show Context)
Citation Context ...on based on the Karatsuba-Ofman algorithm we obtain E[t pp (k)] = O(k 3:585 = log k): A straight-forward implementation of integer arithmetic would result in E[t pp (k)] = O(k 4 = log k). We refer to =-=[8]-=- and [11] for further analyses of prime generation algorithms. 5. Security Constraints for Public-key Cryptographic Parameters The security of many cryptographic systems is based on the conjectured di... |

25 |
Primality of the number of points on an elliptic curve over a finite field
- Koblitz
- 1988
(Show Context)
Citation Context ...er results supporting the idea that when p is prime, the factorization pattern of p \Gamma 1 does not differ greatly from that of a "random" number can be found in [10], [31], [33], [34], [4=-=0], [41], [46]-=-, [72], [74] and [89]. 3.2. Description of the procedure RandomPrime A listing of the PROCEDURE RandomPrime is shown in Figure 1. It is intended to serve as a guideline rather than a blueprint for an ... |

22 | The Generation of Random Numbers that are Probably Prime
- Beauchemin, Brassard, et al.
- 1988
(Show Context)
Citation Context ...e selected at random until one of them passes t consecutive independent Miller-Rabin tests, this integer is prime. Note as an aside that it does not follow from the described bound that p k;ts(1=4) t =-=[11]-=- because p k;t depends on the density of primes. However, Kim and Pomerance [43] and Damgard, Landrock, and Pomerance [23] proved much stronger bounds on p k;t . For instance, p 256;6s2 \Gamma52 [23].... |

21 |
Factoring with Cyclotomic Polynomials
- Bach, Shallit
- 1985
(Show Context)
Citation Context ...nds factors p for which p \Gamma 1 has only relatively small prime factors. This algorithm was generalized by Williams [87] to primes for which p + 1 has no large prime factor and by Bach and Shallit =-=[7]-=- to primes for which any cyclotomic polynomial evaluated at p has no large prime factor, i.e., for which either p \Gamma 1; p + 1; p 2 \Sigma p + 1, p 4 + p 3 + p 2 + p + 1, etc., has no large prime f... |

20 |
Shifted primes without large prime factors’, Number Theory
- Friedlander
- 1989
(Show Context)
Citation Context ...are given in [56]. Further results supporting the idea that when p is prime, the factorization pattern of p \Gamma 1 does not differ greatly from that of a "random" number can be found in [1=-=0], [31], [33]-=-, [34], [40], [41], [46], [72], [74] and [89]. 3.2. Description of the procedure RandomPrime A listing of the PROCEDURE RandomPrime is shown in Figure 1. It is intended to serve as a guideline rather ... |

18 | On strong pseudoprimes to several bases
- Jaeschke
- 1993
(Show Context)
Citation Context ...ich passes the test for all basess100. One of the results proved in [14] is that the Miller-Rabin test for the bases 2; 3; 5; 7; 11; 13 and 23 is a correct primality test for numberss10 16 . Jaeschke =-=[42]-=- has also derived correctness bounds for the Miller-Rabin test when applied for several bases. In this paper we consider the problem of generating random primes together with a certificate of primalit... |

17 |
Massively parallel elliptic curve factoring
- Dixon, Lenstra
- 1993
(Show Context)
Citation Context ...ctoring algorithms. There exist many special-purpose factoring algorithms. Lenstra's elliptic curve algorithm [54] is successful in finding "small" factors having (at present) up to 40 decim=-=al digits [29]-=-. Pollard's algorithm [71] finds factors p for which p \Gamma 1 has only relatively small prime factors. This algorithm was generalized by Williams [87] to primes for which p + 1 has no large prime fa... |

16 |
Elementary methods in the study of the distribution of prime numbers
- Diamond
- 1982
(Show Context)
Citation Context ...is sum by a Stieltjes integral and using (15) and (16) we obtains2 (N; fl) N Z p N N fl d(x) x log(N=x) +O ` 1 log 2 N ' : (17) Using (x) = R x 2 dt=(log t) + ffl(x) where ffl(x) = O(x= log 2 x) (see =-=[26]-=-), we obtain Z p N N fl d(x) x log(N=x) = Z p N N fl dx x log x log(N=x) + Z p N N fl dffl(x) x log(N=x) : (18) The first integral can be computed by using the variable substitution y = (log x)=(log N... |

15 |
Trabb Pardo, Analysis of a simple factorization algorithm, Theoret
- Knuth, L
- 1976
(Show Context)
Citation Context ...rs must be chosen according to the appropriate probability distributions. The 7 distributions of the sizes of the largest prime factors of a randomly selected large integer 2 has been investigated in =-=[44]-=-. For instance, the probability that the relative size 3 of the largest prime factor is at most ff is for 1=2sffs1 given by 1 + log ff (cf. Appendix 1). 4 For example, the probability that the largest... |

14 |
On composite numbers p which satisfy the Fermat congruence aPe 1- p
- CARMICHAEL
- 1912
(Show Context)
Citation Context ... On the other hand, if n is composite, then virtually every base a will satisfy a n\Gamma1 6j 1 (mod n) and hence be a witness for the compositeness of n, unless n is of a very special form (see [11],=-=[18]-=-). (Of course, in a reasonable implementation, n is first tested for small prime divisors before applying a modular exponentiation.) Instead of choosing F and R sufficiently large at the beginning, th... |

14 |
An Introduction to Fast Generation of Large Prime Numbers
- Couvreur, Quisquater
- 1983
(Show Context)
Citation Context ...first. In other words, avoiding the use of such a test while nevertheless obtaining provable primes is one of the goals of this paper. The generation of provable primes has previously been considered =-=[22]-=-,[68],[83], but the major advantages of our algorithm are that it is faster and that the diversity of primes that can be generated is much larger. Heuristic arguments suggest that a generated prime is... |

10 |
Sieve algorithms for perfect power testing
- Bach, Sorenson
- 1993
(Show Context)
Citation Context ... proving that a given integer is not a square is on the order of 2. The problem of proving a number is not a perfect square was considered in [19]. For related results and more references we refer to =-=[9]-=-. Results that are similar to this lemma are described in [17] and [22], but the proofs appear to be more complicated. Note that Lemmas 1 and 2 can easily be generalized to allow a to be different for... |

10 |
On the numerical solution of a differential-difference equation arising in analytic number theory
- LUNE, WATTEL
(Show Context)
Citation Context ... 1 (1=3) = 0:0486 and F 1 (0:4) = 0:130. The function x 7! F 1 (1=x) is also known as the rho-function studied by Dickman [27]. A good algorithm for computing the Dickman rho-function is described in =-=[24]-=-. Consider the following process, suggested to the author by Eric Bach [5] (see also [6]) for generating real-valued random variables s 1 ; s 2 ; : : :. We make use of auxiliary random variables u 1 ;... |

9 |
New primality criteria and factorizations of 2 m 1
- Brillhart, Lehmer, et al.
- 1975
(Show Context)
Citation Context ...er of 2. The problem of provinganumber is not a perfect square was considered in [19]. For related results and more references we refer to [9]. Results that are similar to this lemma are described in =-=[17]-=- and [22], but the proofs appear to be more complicated. Note that Lemmas 1 and 2 can easily be generalized to allow a to be di erent for each qj [16], but we will only make use of the special case be... |

8 |
Analysis and Design of Computer Algorithms
- Aho, Hopcroft, et al.
- 1974
(Show Context)
Citation Context ...eger. A straight-forward implementation of integer multiplication has running time M(k� l)=O(kl). In contrast, a sophisticated but not practical algorithm due to Schonhage and Strassen [81] (see also =-=[3]-=-, pp. 270-274) has an asymptotic running time M(k� k) =O(k log k log log k) formultiplying two k-bit integers. This is only slightly better than for FFT-based methods which, in contrast to the Schonha... |

7 |
The probability that a random probable prime is composite
- Kim, Pomerance
- 1989
(Show Context)
Citation Context ...abin tests, this integer is prime. Note as an aside that it does not follow from the described bound that p k;ts(1=4) t [11] because p k;t depends on the density of primes. However, Kim and Pomerance =-=[43]-=- and Damgard, Landrock, and Pomerance [23] proved much stronger bounds on p k;t . For instance, p 256;6s2 \Gamma52 [23]. While for large enough t the error probability p k;t can be made sufficiently s... |

7 |
Almost All Primes Can Be Quickly Certi ed
- Goldwasser, Kilian
- 1986
(Show Context)
Citation Context ...t c, and nally Adleman and Huang proved in a seminal report [1] that the primes were recognizable in random polynomial time. A signi cant steptowards this result was achieved by Goldwasser and Kilian =-=[35]-=-. It is interesting to note that the primality tests used in practice [20], [64] appear to have super-polynomial running time and hat the algorithm of 2s[1] is superior only for very large numbers tha... |

6 |
personal communication
- Bach
- 1997
(Show Context)
Citation Context ...o known as the rho-function studied by Dickman [27]. A good algorithm for computing the Dickman rho-function is described in [24]. Consider the following process, suggested to the author by Eric Bach =-=[5]-=- (see also [6]) for generating real-valued random variables s 1 ; s 2 ; : : :. We make use of auxiliary random variables u 1 ; u 2 ; : : :. First, u 1 is chosen uniformly from the interval [0; 1], the... |

6 |
Primality Testing and Carmichael Numbers
- Granville
- 1992
(Show Context)
Citation Context ...er cannot be proved by a feasible number of such compositeness tests. However, such a proof would follow from the unproven extended Riemann hypothesis (see [62]). Alford, Granville and Pomerance (cf. =-=[38]-=-) proved that for every given finite set of bases there exist composite numbers that pass the Miller-Rabin test for these bases. Bleichenbacher [13] exhibits a 55-digit composite number which passes t... |

6 |
On the normal number of prime factors of p&1 and some related problems concerning Euler's ,-function
- Erdos
- 1935
(Show Context)
Citation Context ...istribution are given in [56]. Further results supporting the idea that when p is prime, the factorization pattern of p ; 1 does not di er greatly from that of a \random" number can be found in [10], =-=[31]-=-, [33], [34], [40], [41], [46], [72], [74] and [89]. 3.2. Description of the procedure RandomPrime A listing of the PROCEDURE RandomPrime is shown in Figure 1. It is intended to serve as a guideline r... |

4 |
New primality criteria and factorizations of m \Sigma 1
- Brillhart, Lehmer, et al.
- 1975
(Show Context)
Citation Context ... of 2. The problem of proving a number is not a perfect square was considered in [19]. For related results and more references we refer to [9]. Results that are similar to this lemma are described in =-=[17]-=- and [22], but the proofs appear to be more complicated. Note that Lemmas 1 and 2 can easily be generalized to allow a to be different for each q j [16], but we will only make use of the special case ... |

4 |
A practical zero-knowledge protocol tted to security microprocessors minimizing both transmission and memory
- Guillou, Quisquater
- 1988
(Show Context)
Citation Context ..., including public-key distribution systems [28], [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identi cation protocols [32], =-=[39]-=-, and a large number of variations of some of these systems have recently been proposed. The security of most public-key schemes is based on the (conjectured) di culty of certain number-theoretic prob... |

3 |
Exact analysis of a priority queue algorithm for random variate generation
- Bach
- 1994
(Show Context)
Citation Context ...actor exceeds 95% of the length of the integer is only \Gamma log 0:95 = 0:051. The distributions of the sizes of the prime factors of a large random integer as well as a simple algorithm due to Bach =-=[6]-=- for sampling according to these distributions are discussed in Appendix 1. Note that one would actually have to use the conditional distribution of the relative sizes of the prime factors of an integ... |

3 |
Primality testing and Abelian varieties over ®nite ®elds
- Adleman, Huang
- 1992
(Show Context)
Citation Context ...dleman, Pomerance and Rumely [2] showed that the primes were recognizable in deterministic time O((log n) c log log log n ) for some constant c, and nally Adleman and Huang proved in a seminal report =-=[1]-=- that the primes were recognizable in random polynomial time. A signi cant steptowards this result was achieved by Goldwasser and Kilian [35]. It is interesting to note that the primality tests used i... |

3 |
How toproveyourself: practical solutions to identi cation and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...ystems, including public-key distribution systems [28], [45], [58], public-key cryptosystems [30], [36], [47], [79], digital signature schemes [30], [79], [80], [82], [90] and identi cation protocols =-=[32]-=-, [39], and a large number of variations of some of these systems have recently been proposed. The security of most public-key schemes is based on the (conjectured) di culty of certain number-theoreti... |

3 | Security of number theoretic cryptosystems against random attacks - Blakley, Blakley - 1978 |

2 |
Strong RSA
- Gordon
- 1984
(Show Context)
Citation Context ...ith p 0 = 2bp 00 + 1 where p 0 and p 00 are also primes and a and b are very small integers (e.g., a = b = 1), or it is suggested to choose primes p such that p + 1 contains a very large prime factor =-=[37]-=-, [67]. However, it is conceivable (though not likely) that there exist special-purpose algorithms for efficiently solving instances in such a severely restricted parameter space, while the general pr... |

2 |
On the largest prime factor of p
- Hooley
- 1973
(Show Context)
Citation Context ... Further results supporting the idea that when p is prime, the factorization pattern of p \Gamma 1 does not differ greatly from that of a "random" number can be found in [10], [31], [33], [3=-=4], [40], [41]-=-, [46], [72], [74] and [89]. 3.2. Description of the procedure RandomPrime A listing of the PROCEDURE RandomPrime is shown in Figure 1. It is intended to serve as a guideline rather than a blueprint f... |

2 |
Algorithmic number theory, Volume I: e cient algorithms
- Bach, Shallit
- 1992
(Show Context)
Citation Context ...tation based on the Karatsuba-Ofman algorithm we obtain E[tpp(k)] = O(k 3:585 = log k): A straight-forward implementation of integer arithmetic would result in E[tpp(k)] = O(k 4 = log k). We refer to =-=[8]-=- and [11] for further analyses of prime generation algorithms. 5. Security Constraints for Public-key Cryptographic Parameters The security ofmany cryptographic systems is based on the conjectured di ... |

2 |
Implementation of a new primality test,Mathematics
- Cohen, Lenstra
- 1987
(Show Context)
Citation Context ... than or equal to p n, but this approach is completely infeasible when the length of n exceeds 15-20 decimal digits. There exist several sophisticated general-purpose algorithms for testing primality =-=[20]-=-, [64] (see also [49]). According to [66], the current record in primality testing is held by F.Morain [65] who proved the primality of a 1505-digit number of a general form using massive parallel com... |

2 |
On the numerical solution of a di erential-di erence equation arising in analytic number theory
- Lune, Wattel
- 1969
(Show Context)
Citation Context ..., F 1(1=3) = 0:0486 and F 1(0:4) = 0:130. The function x 7! F 1(1=x) is also known as the rho-function studied by Dickman [27]. A good algorithm for computing the Dickman rho-function is described in =-=[24]-=-. Consider the following process, suggested to the author by Eric Bach [5] (see also [6]) for generating real-valued random variables s 1�s 2�:::.We make use of auxiliary random variables u 1�u 2�:::.... |