SLIDE 1
1
Generating random primes faster
- D. J. Bernstein
1
Generating random primes faster
- D. J. Bernstein
Generating random primes faster The standard algorithm to generate - - PowerPoint PPT Presentation
Generating random primes faster The standard algorithm to generate - - PowerPoint PPT Presentation
1 2 Generating random primes faster The standard algorithm to generate random primes: D. J. Bernstein proof.arithmetic(False) while True: pqRSA project team: p = randrange(2^(n-1),2^n) Daniel J. Bernstein p = ZZ(p) Josh Fried if
SLIDE 2
SLIDE 3
1
Generating random primes faster Bernstein project team:
- J. Bernstein
ried Heninger Lou alenta cr.yp.to/papers.html#pqrsa
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ . 2007 Mihailescu: n3+o(1) bit
SLIDE 4
1
random primes faster team: Bernstein cr.yp.to/papers.html#pqrsa
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ . 2007 Mihailescu: conjecturally n3+o(1) bit ops to
SLIDE 5
1
faster cr.yp.to/papers.html#pqrsa
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ . 2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime.
SLIDE 6
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime.
SLIDE 7
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
SLIDE 8
2
The standard algorithm to generate random primes:
proof.arithmetic(False) while True: p = randrange(2^(n-1),2^n) p = ZZ(p) if p.is_prime(): print p
n1+o(1) iterations per prime. Standard speedup using wheels: e.g., force p mod 6 ∈ {1; 5}. Wheel using all primes q ≤ nO(1): n1+o(1) iterations per prime. Recall Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime.
SLIDE 9
2
standard algorithm generate random primes:
proof.arithmetic(False) True: randrange(2^(n-1),2^n) ZZ(p) p.is_prime(): print p
(1) iterations per prime.
Standard speedup using wheels: rce p mod 6 ∈ {1; 5}. using all primes q ≤ nO(1):
(1) iterations per prime.
Q
q≤y
` 1 − 1
q
´ ∈ Θ `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime. New: n2 to generate
SLIDE 10
2
algorithm random primes:
proof.arithmetic(False) randrange(2^(n-1),2^n) p.is_prime(): print p
iterations per prime. eedup using wheels: d 6 ∈ {1; 5}. primes q ≤ nO(1): iterations per prime. − 1
q
´ ∈ Θ `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime. New: n2:5+o(1) bit to generate 2n0:5+o
SLIDE 11
2
rimes:
randrange(2^(n-1),2^n) p
e. wheels: }. nO(1): e. `
1 log y
´ .
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime. New: n2:5+o(1) bit ops per p to generate 2n0:5+o(1) primes.
SLIDE 12
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime.
4
New: n2:5+o(1) bit ops per prime to generate 2n0:5+o(1) primes.
SLIDE 13
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime.
4
New: n2:5+o(1) bit ops per prime to generate 2n0:5+o(1) primes. Recall: many n-bit integers, total ≥y bits batch smoothness detection: n(lg y)2+o(1) bit ops per integer
- largest y-smooth divisor
- f each integer
SLIDE 14
3
2007 Mihailescu: conjecturally n3+o(1) bit ops to prove p prime. 2010 Bernstein conjecture: correctly recognize primality using no(1) tests, total n2+o(1) bit ops. Fermat test, then Lucas test (as in 1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff), then cubic test (1995 Atkin), etc.;
- r some elliptic-curve tests.
Most iterations are much simpler: Fermat test rejects p. Fast reject by trial division/ECM? Still n3+o(1) bit ops per prime.
4
New: n2:5+o(1) bit ops per prime to generate 2n0:5+o(1) primes. Recall: many n-bit integers, total ≥y bits batch smoothness detection: n(lg y)2+o(1) bit ops per integer
- largest y-smooth divisor
- f each integer