Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How many iterations of Rabin-Miller should I use for cryptographic safe primes?

I am generating a 2048-bit safe prime for a Diffie-Hellman-type key, p such that p and (p-1)/2 are both prime.

How few iterations of Rabin-Miller can I use on both p and (p-1)/2 and still be confident of a cryptographically strong key? In the research I've done I've heard everything from 6 to 64 iterations for 1024-bit ordinary primes, so I'm a little confused at this point. And once that's established, does the number change if you are generating a safe prime rather than an ordinary one?

Computation time is at a premium, so this is a practical question - I'm basically wondering how to find out the lowest possible number of tests I can get away with while at the same time maintaining pretty much guaranteed security.

like image 774
jnm2 Avatar asked Jun 13 '11 00:06

jnm2


People also ask

Why is Miller Rabin better than Fermat?

The Miller-Rabin Primality Test is significantly more accurate than the Fermat Primality Test. There exist an infinite number of composite integers known as Carmichael numbers, which satisfy the property that ∀n, where n is a Carmichael number, if (a, n) = 1, then an−1 ≡ 1 (mod n) [4].

For what purpose Rabin-Miller algorithm is used?

Miller Rabin is a fast approach to test primality of the large numbers. This algorithm is called a Rabin-miller primality test and this algorithm decides whether number is prime which is same to other tests including Fermat primality Test and Solovay- Strassen primality test.

Where is the Miller Rabin algorithm is used?

Miller Rabin is a fast way to test primality of the large numbers. This algorithm is also known as Rabin-miller primality test and this algorithm determines whether number is prime which is similar to other tests such as Fermat primality Test and Solovay-Strassen primality test.

How accurate is Miller Rabin test?

There is no reason to run the M-R test for less than 64 iterations (a 1 in 2^128 chance of error). Most examples will fail in the first few iterations, so only the actual primes will be thoroughly tested. Use 128 iterations for a 1 in 2^256 chance of error.


2 Answers

Let's assume that you select a prime p by selecting random values until you hit one for which Miller-Rabin says: that one looks like a prime. You use n rounds at most for the Miller-Rabin test. (For a so-called "safe prime", things are are not changed, except that you run two nested tests.)

The probability that a random 1024-bit integer is prime is about 1/900. Now, you do not want to do anything stupid so you generate only odd values (an even 1024-bit integer is guaranteed non-prime), and, more generally, you run the Miller-Rabin test only if the value is not "obviously" non-prime, i.e. can be divided by a small prime. So you end up with trying about 300 values with Miller-Rabin before hitting a prime (on average). When the value is non-prime, Miller-Rabin will detect it with probability 3/4 at each round, so the number of Miller-Rabin rounds you will run on average for a single non-prime value is 1+(1/4)+(1/16)+... = 4/3. For the 300 values, this means about 400 rounds of Miller-Rabin, regardless of what you choose for n.

So if you select n to be, e.g., 40, then the cost implied by n is less than 10% of the total computational cost. The random prime selection process is dominated by the test on non-primes, which are not impacted by the value of n you choose. I talked here about 1024-bit integers; for bigger numbers the choice of n is even less important since primes become sparser as size increases (for 2048-bit integers, the "10%" above become "5%").

Hence you can choose n=40 and be happy with it (or at least know that reducing n will not buy you much anyway). On the other hand, using a n greater than 40 is meaningless, because this would get you to probabilities lower than the risk of a simple miscomputation. Computers are hardware, they can have random failures. For instance, a primality test function could return "true" for a non-prime value because a cosmic ray (a high-energy particle hurtling through the Universe at high speed) happens to hit just the right transistor at the right time, flipping the return value from 0 ("false") to 1 ("true"). This is very unlikely -- but no less likely than probability 2-80. See this stackoverflow answer for a few more details. The bottom line is that regardless of how you make sure that an integer is prime, you still have an unavoidable probabilistic element, and 40 rounds of Miller-Rabin already give you the best that you can hope for.

To sum up, use 40 rounds.

like image 117
Thomas Pornin Avatar answered Sep 19 '22 10:09

Thomas Pornin


The paper Average case error estimates for the strong probable prime test by Damgard-Landrock-Pomerance points out that, if you randomly select k-bit odd number n and apply t independent Rabin-Miller tests in succession, the probability that n is a composite has much stronger bounds.

In fact for 3 <= t <= k/9 and k >= 21,

enter image description here

For a k=1024 bit prime, t=6 iterations give you an error rate less than 10^(-40).

like image 20
Warren MacEvoy Avatar answered Sep 21 '22 10:09

Warren MacEvoy