## Are `Strong' Primes Needed for RSA? (1999)

Venue: In The 1997 RSA Laboratories Seminar Series, Seminars Proceedings

Citations: 6 - 1 self

### BibTeX

@INPROCEEDINGS{Rivest99are`strong',

author = {Ronald L. Rivest and Robert D. Silverman},

title = {Are `Strong' Primes Needed for RSA?},

booktitle = {In The 1997 RSA Laboratories Seminar Series, Seminars Proceedings},

year = {1999},

pages = {accepted.}

}

### Abstract

We review the arguments in favor of using so-called "strong primes" in the RSA public-key cryptosystem. There are two types of such arguments: those that say that strong primes are needed to protect against factoring attacks, and those that say that strong primes are needed to protect against "cycling" attacks (based on repeated encryption).

### Citations

8523 |
Introduction to Algorithms
- Cormen, Leiserson, et al.
- 2001
Citation Context ...n 10 closes with some recommendations. We assume that the reader is familiar with elementary number theory, such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riese... |

529 |
Uses of elliptic curves in cryptography
- Miller
- 1986
Citation Context ... an alternative exposition of this method, and Montgomery [34], [36] describes some implementation details and improvements. For additional background, note that Koblitz [23], Kaliski [21] and Miller [33] propose some ways that elliptic curves can be useful in cryptography. 14 Based on "elliptic curves," this method generalizes the $p - 1$ method even further, by replacing the multiplicative group ... |

233 |
Factoring Integers with Elliptic Curves
- Lenstra
- 1987
Citation Context ...tain factoring attacks, known as the "$p \pm 1$" attacks. Indeed, key sizes being proposed at that time were amenable to attack by these methods. The development of Lenstra's "elliptic curve method" [29] of factoring in 1985 is seen, however, to remove the motivation for using strong primes as a protection against the $p \pm 1$ factoring attacks. We shall present tables which give the probability of... |

206 |
Riemann’s hypothesis and tests for primality
- Miller
- 1976
Citation Context ...for some integer $a^{--}$. This can be accomplished by trying $a^{--} = 2, 4, 6, \ldots$ until a prime $p^-$ is found. A probabilistic test for primality, such as the Miller-Rabin test [32, 44], can be used to test each candidate $p^-$ for primality. 3. Compute $p$ as the least prime of the form $p = a^- p^- + 1$ (10) for some integer $a^-$, in a similar manner. The time requir... |

148 |
Pseudorandomness and Cryptographic Applications
- Luby
- 1996
Citation Context ...rit" for an attack method: the expected amount of effort required for the adversary to find his first solution. Such measures have appeared in the literature before; for example, see Luby's monograph [31]. (Luby calls the measure the "time-success ratio," and defines it as the ratio of the running time of the special-purpose method to its probability of success.) We imagine that the adversary is given... |

144 |
Seminumerical Algorithms, volume 2 of The Art of Computer Programming
- Knuth
- 1998
Citation Context ...iven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryption, keys, etc.), as ... |

98 |
The Book of Numbers
- Conway, Guy
- 1996
Citation Context ...esented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryption, keys... |

78 |
Fundamentals of Number Theory
- LeVeque
- 1996
Citation Context ...e unlikely to succeed. Finally, Section 10 closes with some recommendations. We assume that the reader is familiar with elementary number theory, such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montg... |

69 | The Number Field Sieve - Lenstra, Jr, et al. - 1990 |

57 | Disquisitiones arithmeticae - Gauss - 1966 |

32 |
Algorithms in number theory
- Lenstra, Lenstra
- 1990
Citation Context ...eVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryption, keys, etc.), as given, for example, in Dav... |

31 |
Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronics Funds Transfer, Second Edition
- Davies, Price
- 1984
Citation Context ...37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryption, keys, etc.), as given, for example, in Davies and Price [9]. An understanding of cryptography is not essential, except as motivation for this paper. For discussions of the relationship between number theory and cryptography, see Kranakis [24], Pomerance [43],... |

22 |
Primality and Cryptography
- Kranakis
- 1986
Citation Context ... Davies and Price [9]. An understanding of cryptography is not essential, except as motivation for this paper. For discussions of the relationship between number theory and cryptography, see Kranakis [24], Pomerance [43], and Rivest [48]. 2 2 Weak keys In this section we review the notion of a "weak key," and attempt to characterize this notion more formally. When a cryptographer selects a cryptograph... |

21 | Factoring Numbers Using Singular Integers - Adleman - 1991 |

16 |
Strong primes are easy to find
- Gordon
- 1985
Citation Context ... difficult than merely finding large primes.) Nonetheless, this procedure is quite usable and effective for finding strong primes. 5.2 Gordon's algorithm for finding strong primes In 1984 John Gordon [12, 13] proposed another procedure for finding strong primes. (It is not clear whether Gordon was aware of the previously published algorithm of Williams and Schmid.) Gordon argues that finding strong primes... |

13 |
Elliptic Curves and Cryptography: A Pseudorandom Bit Generator and Other Tools
- Kaliski
- 1988
Citation Context ...phens [54] gives an alternative exposition of this method, and Montgomery [34], [36] describes some implementation details and improvements. For additional background, note that Koblitz [23], Kaliski [21] and Miller [33] propose some ways that elliptic curves can be useful in cryptography. 14 Based on "elliptic curves," this method generalizes the $p - 1$ method even further, by replacing the multi... |

10 |
Sums of divisors, perfect numbers and factoring
- Bach, Miller, et al.
- 1986
Citation Context ...of an adversary to compute d from the public key (e, n). The problem of computing d from (e, n) is equivalent to the problem of factoring n into its prime factors p and q, as is proven by Bach et al. [3]. Therefore it is important for the RSA user to select primes p and q in such a way that the problem of factoring n = pq is computationally infeasible for an adversary. Choosing p and q as "strong" pr... |

10 |
Factorization and Primality Tests
- Dixon
- 1984
Citation Context ...such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryp... |

9 |
Rivest-Shamir-Adleman Public Key Cryptosystems Do Not Always Conceal Messages
- Blakley, Borosh
- 1979
Citation Context ...nomial equation to generate possible exponents. Rivest [47] argued that the generalization is no more effective than the original attack, when p and q are both $p^-$-strong. In 1979, Blakley and Borosh [5] consider the number of messages M that are left unencrypted by RSA. That is, they consider messages that satisfy the equation $M^e \equiv M \pmod{n}$: For any modulus n there are at least 9 such messages (1, ... |

8 |
the SMO algorithm
- Bach, Lanckriet, et al.
Citation Context ...liar with elementary number theory, such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notion... |

8 |
Strong RSA keys
- Gordon
- 1984
Citation Context ... find a random prime of the same size. Clearly, a prime p computed using the above procedure is $p^{--}$-strong. It may not be $p^+$-strong, however, and so Williams and Schmid [57] and Gordon [12] have suggested algorithms for finding primes that are $p^+$-strong as well (i.e., strong primes). We now give the algorithms for finding strong primes proposed by Williams and Schmid, and by Gordon. 8... |

5 |
Lenstra (eds.), The development of the number field sieve
- Lenstra, W
- 1993
Citation Context ... and q are prime. 1. Algorithms whose running time depends mainly on the size of n. The most notable algorithms in this class are the quadratic sieve algorithm [42] and the general number field sieve [27]. 2. Algorithms whose running time depends on the size of p and the size of q. These algorithms are particularly good at factoring numbers when one of p or q is small. The naive heuristic of trial div... |

4 |
Factoring via superencryption
- Berkovits
- 1982
Citation Context ...suggests checking to ensure that neither p + 1 nor q + 1 has only small prime factors. Knuth also describes a slight improvement to Pollard's $p - 1$ method in exercise 4.5.4-19. In 1982 Berkovits [4] apparently rediscovered the generalization of the Simmons/Norris attack given by Williams and Schmid. (He was apparently unaware of the Williams/Schmid paper, since he didn't reference it.) He conclu... |

4 |
Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages
- Blakley, Borosh
- 1979
Citation Context ... equation to generate possible exponents. Rivest [47] argued that the generalization is no more effective than the original attack, when p and q are both $p^-$-strong. In 1979, Blakley and Borosh [5] consider the number of messages M that are left unencrypted by RSA. That is, they consider messages that satisfy the equation $M^e \equiv M \pmod{n}$: For any modulus n there are at least 9 such messages (1... |

4 |
Factoring: algorithms, computations, and computers
- Buell
- 1987
Citation Context ...er theory, such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryp... |

3 |
Jeffrey Shallit. Sums of divisors, perfect numbers, and factoring
- Bach, Miller
- 1986
Citation Context ...ty of an adversary to compute d from the public key (e, n). The problem of computing d from (e, n) is equivalent to the problem of factoring n into its prime factors p and q, as is proven by Bach et al. [3]. Therefore it is important for the RSA user to select primes p and q in such a way that the problem of factoring n = pq is computationally infeasible for an adversary. Choosing p and q as "strong" pr... |

3 | The number field sieve - Lenstra, Lenstra, et al. - 1990 |

2 |
Method and apparatus for use in public-key data encryption system
- Hellman, Bach
- 1986
Citation Context ...pecifying that we must have $a^- = 2$ (or $a^{--} = 2$, or $a^+ = 2$, etc.). We call such primes $p^-$-superstrong (or $p^{--}$-superstrong, $p^+$-superstrong, etc.) Hellman and Bach [15] have also recommended that $p^+ - 1$ contain a large prime factor (which we would call $p^{+-}$). 5 Finding Strong Primes Strong primes are somewhat rare. In practice, however, one can find stro... |

2 |
Annex C – the RSA public key cryptosystem
- ISO
- 1989
Citation Context ...he first author supposes he should admit that he was the referee; this paper fleshes out his earlier suggestion to Jamnig.) Most recently, the X.509 standards committee has published a draft standard [19] recommending the use of strong primes. Their motivation for this recommendation is Gordon's article [12], which references Knuth [22] and Rivest et al. [50] as justification. We remark that both of t... |

2 |
Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context ...g primes." Stephens [54] gives an alternative exposition of this method, and Montgomery [34], [36] describes some implementation details and improvements. For additional background, note that Koblitz [23], Kaliski [21] and Miller [33] propose some ways that elliptic curves can be useful in cryptography. 14 Based on "elliptic curves," this method generalizes the $p - 1$ method even further, by repla... |

2 |
Lehman Factoring Large Integers
- S
- 1974
Citation Context ... $p - 1$ and $p + 1$ methods of factoring are the most notable members of this class. 4. Algorithms whose running time depends on the 'closeness' of p and q. Fermat's method [22] and Lehman's method [25] fall into this category. At the moment, for factoring large numbers the most effective algorithms seem to be Lenstra's elliptic curve method [29], [52], which is especially good if the number has sma... |

1 |
Bressoud Factorization and Primality Testing. Springer-Verlag Undergraduate Texts
- M
- 1989
Citation Context ...entary number theory, such as presented by Niven and Zuckerman [38], LeVeque [30], or Chapter 33 of Cormen et al. [8]. For surveys of factoring and number-theoretic algorithms, see Bach [2], Bressoud [6], Buell [7], Dixon [10], Guy [14], Knuth [22], Lenstra and Lenstra [26], Montgomery [37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptogra... |

1 |
Some critical remarks on public-key cryptosystems
- Herlestam
- 1978
Citation Context ...e product of two $p^{--}$-strong primes, and (b) arguing that this attack is really a factoring algorithm in disguise, and should be compared with other factoring attacks. 10 In 1978 Herlestam [16] proposed a generalization of Simmons and Norris's attack, which can be viewed as a search for a multiple of the order of M, modulo n, using a trinomial equation to generate possible exponents. Rives... |

1 |
On a secure public-key cryptosystem
- Hoogendoorn
- 1982
Citation Context ...$p^-$-superstrong primes, then the attack is unlikely to succeed. He asserts that while the attack "is not much worse than guessing factors of n, it is not much better either." In 1982 Hoogendoorn [17] recounted and summarized the above arguments and recommendations. In 1983 Williams [56] suggested that n should be the product of two $p^-$-strong, $p^+$-strong primes p and q, to prevent n from b... |

1 |
Elkenbracht-Huizing An implementation of the Number Field Sieve Experimental Mathematics
- unknown authors
Citation Context ...t did not become faster than QS until between 130 and 150 decimal digits. More recent work by Montgomery and Huizing has shown that the crossover point is somewhere between 100 and 110 decimal digits [18], although the exact crossover point will always be machine and implementation dependent. We begin with a review of the factoring attacks that motivate the recommendation for strong primes, beginning ... |

1 |
Securing the RSA-cryptosystem against cycling attacks
- Jamnig
- 1988
Citation Context ..." In 1984 Hellman and Bach [15] recommended that $p^+ - 1$ contain a large prime factor (which we would call $p^{+-}$). They do not, however, give a justification for this recommendation. Jamnig [20] studies the Berkovits [4] attack, and recommends that $a^-$ be small (on the order of $\log(p)$) and that $b^-$ (the cofactor of $q^-$ in $q - 1$) be similarly small. On the basis of his ana... |

1 |
Davies and W. L. Price. Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer
- W
- 1984
Citation Context ...37] Pomerance [41], and Riesel [45]. We assume that the reader is familiar with the elementary notions of cryptography (encryption, decryption, keys, etc.), as given, for example, in Davies and Price [9]. An understanding of cryptography is not essential, except as motivation for this paper. For discussions of the relationship between number theory and cryptography, see Kranakis [24], Pomerance [43],... |

1 |
Strong primes are easy to find
- Gordon
- 1985
Citation Context ...much more difficult than merely finding large primes.) Nonetheless, this procedure is quite usable and effective for finding strong primes. 5.2 Gordon's algorithm for finding strong primes In 1984 John Gordon [12, 13] proposed another procedure for finding strong primes. (It is not clear whether Gordon was aware of the previously published algorithm of Williams and Schmid.) Gordon argues that finding strong primes is ... |