Method of generating proven prime numbers suitable for being implemented in a smart card

US 9,577,826 B2
Filed: 12/12/2012
Issued: 02/21/2017
Est. Priority Date: 12/15/2011
Status: Active Grant

First Claim

Patent Images

1. A cryptographic method implemented in an electronic device, the method comprising operations of:

(a) generating a candidate prime number from another prime number in accordance with;

Pr=2P·

R +1,where Pr is the candidate prime number, P is a prime number having a number of bits lower than a desired number of bits of the candidate prime number, and R is an integer, wherein a size in number of bits of the candidate prime number is equal to a margin of one bit to three times a size of the prime number;

(b) calculating a quotient of an integer division of the integer by the prime number;

(c) rejecting the generated candidate prime number in response to detecting that the quotient of the integer division of the integer by the prime number is even;

(d) applying the Pocklington primality test to the candidate prime number;

(e) storing, in a memory of the electronic device, the candidate prime number as a proven prime number in response to passing the Pocklington primality test, else generating a new candidate prime number and performing operations (b) to (e) again with the new candidate prime number;

(f) generating, from the proven prime number, a cryptographic key; and

(g) performing, by the electronic device using the cryptographic key, a cryptographic operation on data, the cryptographic operation being one of an encryption operation, a decryption operation, or a verification of a digital signature included in the data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for generating a prime number, implemented in an electronic device, the method including steps of generating a prime number from another prime number using the formula Pr=2P·R+1, where P is a prime number having a number of bits lower than that of the candidate prime number, and R is an integer, and applying the Pocklington primality test to the candidate prime number, the candidate prime number being proven if it passes the Pocklington test. According to the invention, the size in number of bits of the candidate prime number is equal to three times the size of the prime number, to within one unit, the generated candidate prime number being retained as candidate prime number only if the quotient of the integer division of the integer by the prime number is odd.

Citations

33 Claims

1. A cryptographic method implemented in an electronic device, the method comprising operations of:
- (a) generating a candidate prime number from another prime number in accordance with;
  
  Pr=2P·
  
  R +1,where Pr is the candidate prime number, P is a prime number having a number of bits lower than a desired number of bits of the candidate prime number, and R is an integer, wherein a size in number of bits of the candidate prime number is equal to a margin of one bit to three times a size of the prime number;
  
  (b) calculating a quotient of an integer division of the integer by the prime number;
  
  (c) rejecting the generated candidate prime number in response to detecting that the quotient of the integer division of the integer by the prime number is even;
  
  (d) applying the Pocklington primality test to the candidate prime number;
  
  (e) storing, in a memory of the electronic device, the candidate prime number as a proven prime number in response to passing the Pocklington primality test, else generating a new candidate prime number and performing operations (b) to (e) again with the new candidate prime number;
  
  (f) generating, from the proven prime number, a cryptographic key; and
  
  (g) performing, by the electronic device using the cryptographic key, a cryptographic operation on data, the cryptographic operation being one of an encryption operation, a decryption operation, or a verification of a digital signature included in the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein, if the candidate prime number is rejected or if the candidate prime number does not pass the Pocklington primality test, the method further comprises:
    - incrementing the integer by one or a certain quantity as a function of parity of the quotient so that the quotient is odd;
      
      modifying the candidate prime number by adding twice the prime number thereto; and
      
      applying the Pocklington primality test to the modified candidate prime number.
  - 3. The method of claim 1, further comprising testing divisibility of the generated candidate prime number by small prime numbers, the generated candidate prime number being retained as the candidate prime number only if it is not divisible by the small prime numbers.
  - 4. The method of claim 1, wherein generating the proven prime number includes iteratively generating the proven prime number, the iteratively generating including a plurality of prime number generation operations, a first prime number generation operation of the plurality of prime number generation operations including generating a first candidate prime number from the prime number P,each subsequent prime number generation operation of the plurality of prime number generation operations including generating another candidate prime number from the candidate prime number obtained in an immediately preceding prime number generation operation, the iteratively generating continuing until a prime number having the desired number of bits is obtained, each prime number generation operation including applying the Pocklington primality test to a respective candidate prime number.
  - 5. The method of claim 4, further comprising, for each prime number generation operation:
    - storing as first remainders, remainders of integer divisions of a respective candidate prime number by each small prime number of a group of small prime numbers, the respective candidate prime number being divisible by one of the small prime numbers if a corresponding remainder is equal to zero;
      
      storing as second remainders, remainders of integer divisions, by each of the small prime numbers, of twice the prime number P, for the first prime number generation operation, or twice the candidate prime number obtained in the immediately preceding prime number generation operation, for each of the subsequent prime number generation operations; and
      
      if a new candidate prime number is calculated from the respective candidate prime number by adding twice the prime number P, for the first prime number generation operation, or twice the candidate prime number obtained in the immediately preceding prime number generation operation, for each of the subsequent prime number generation operations thereto, updating each of the first remainders by respectively adding thereto the second remainder corresponding to the same small prime number.
  - 6. The method of claim 5, wherein each subsequent prime number generation operation includes:
    - randomly choosing a new integer; and
      
      updating each of the second remainders with double of the first remainder corresponding to a same small prime number obtained in a previous prime number generation operation.
  - 7. The method of claim 1, wherein the integer is randomly chosen in an interval of [I+1, 2I], wherein:
8. The method of claim 1, further comprising generating the integer from an invertible number belonging to a set of invertible elements modulo a product of numbers belonging to a group of small prime numbers greater than 2, so that the candidate prime number is not divisible by any number of the group, the prime number P having a number of bits equal to within one bit to a third of a desired number of bits of the candidate prime number.
9. The method of claim 8, wherein the integer is chosen as being equal to:
- R=X−
  
  ((2P)^−
  
  1mod Π
  
  v)+Z·
  
  Π
  
  v,X being an invertible number modulo the product of the numbers of the group of small prime numbers greater than 2, P being the prime number, and Z being an integer chosen so that the integer R has a size such that the candidate prime number has a desired number of bits.
10. The method of claim 8, wherein the integer is chosen so as to be even and so that a remainder of its integer division by the prime number is odd.
11. The method of claim 8, wherein the integer is chosen to be equal to:
- R=K+(K mod
  
  2)P·
  
  Π
  
  v+2P·
  
  Z·
  
  Π
  
  v,where K=(((X−
  
  (2P)^−
  
  1−
  
  S)/P) mod Π
  
  v)P+S, S being a remainder of the integer division of the integer R by the prime number P, X being an invertible number modulo the product Π
  
  v of the prime numbers of the group, P being the prime number, and Z being an integer chosen so that the integer R has a size such that the candidate prime number has the desired number of bits.
12. The method of claim 8, wherein if the candidate prime number does not pass the Pocklington primality test, the method further comprises generating a new candidate prime number by adding to the candidate prime number a multiple of the invertible number modulo the product, the multiple not being divisible by one of the numbers forming the product, and applying the Pocklington primality test to the new candidate prime number.
13. The method of claim 8, wherein the invertible number is generated by searching for an invertible candidate number X lower than the product Π
- v verifying the following equation;
  
  Xλ
  
  Π
  
  v=1 mod Π
  
  v,λ
  
  Π
  
  v being the Carmichael number of the set of invertible elements modulo the product Π
  
  v.
14. The method of claim 13, wherein an invertible candidate number is randomly chosen at a value lower than the product Π
- v and incremented by one or a quantity B (1−
  
  Xλ
  
  Π
  
  v mod Π
  
  v) until it verifies the equation;
  
  Xλ
  
  Π
  
  v=1 mod Π
  
  v,B being an integer randomly chosen between one and the product Π
  
  v.
15. The method of claim 14, wherein the generation of a first prime number includes:
- randomly choosing a number that includes a number of bits that is less than a maximum number of bits; and
  
  applying, to the chosen number, a limited set of Miller-Rabin tests (MRA, A=2, 7, 61;
  
  3, 5, 7, 11, 13,
  
  17) in different bases, until the chosen number passes the set of Miller-Rabin tests, the maximum number of bits and values of the bases being chosen to prove primality of the first prime number.
16. The method of claim 15, wherein the Miller-Rabin tests applied to the randomly chosen number are performed in bases 2, 7 and 61 with the maximum number of bits, chosen lower than or equal to 32, or in bases 2, 3, 5, 7, 11, 13 and 17, with the maximum number of bits chosen lower than or equal to 48.

17. An electronic device comprising a calculation block to execute multiplications of large numbers and/or modular exponentiation operations, wherein the electronic device is configured to:
- (a) generate a candidate prime number from another prime number in accordance with;
  
  Pr=2P·
  
  R+1,where Pr is the candidate prime number, P is a prime number having a number of bits lower than a desired number of bits of the candidate prime number, and R is an integer, wherein a size in number of bits of the candidate prime number is equal to a margin of one bit to three times a size of the prime number;
  
  (b) calculate a quotient of an integer division of the integer by the prime number;
  
  (c) reject the generated candidate prime number in response to detecting that the quotient of the integer division of the integer by the prime number is even;
  
  (d) apply the Pocklington primality test to the candidate prime number;
  
  (e) store, in a memory of the electronic device, the candidate prime number as a proven prime number in response to passing the Pocklington primality test, else generating a new candidate prime number and performing operations (b) to (e) again with the new candidate prime number;
  
  (f) generate, from the proven prime number, a cryptographic key; and
  
  (g) perform, by the electronic device using the cryptographic key, a cryptographic operation on data, the cryptographic operation being one of an encryption operation, a decryption operation, or a verification of a digital signature included in the data.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 18. An integrated circuit on a semiconductor chip, the integrated circuit comprising a device according to claim 17.
  - 19. The device of claim 17, wherein the device is further configured to, if the candidate prime number is rejected or if the candidate prime number does not pass the Pocklington primality test:
    - increment the integer by one or a certain quantity as a function of parity of the quotient so that the quotient is odd;
      
      modify the candidate prime number by adding twice the prime number thereto; and
      
      apply the Pocklington primality test to the modified candidate prime number.
  - 20. The device of claim 17, wherein the device is further configured to test divisibility of the generated candidate prime number by small prime numbers, the generated candidate prime number being retained as the candidate prime number only if it is not divisible by the small prime numbers.
  - 21. The device of claim 17, wherein generating the proven prime number includes iteratively generating the proven prime number, the iteratively generating including a plurality of prime number generation operations, a first prime number generation operation of the plurality of prime number generation operations including generating a first candidate prime number from the prime number P,each subsequent prime number generation operation of the plurality of prime number generation operations including generating another candidate prime number from the candidate prime number obtained in an immediately preceding prime number generation operation, the iteratively generating continuing until a prime number having the desired number of bits is obtained, each prime number generation operation including applying the Pocklington primality test to a respective candidate prime number.
  - 22. The device of claim 21, wherein the device is further configured to, for each prime number generation operation:
    - store, as first remainders, remainders of integer divisions of a respective candidate prime number by each small prime number of a group of small prime numbers, the respective candidate prime number being divisible by one of the small prime numbers if a corresponding remainder is equal to zero;
      
      store, as second remainders, remainders of integer divisions, by each of the small prime numbers, of twice the prime number P, for the first prime number generation operation, or twice the candidate prime number obtained in the immediately preceding prime number generation operation, for each of the subsequent prime number generation operations; and
      
      if a new candidate prime number is calculated from the respective candidate prime number by adding twice the prime number P, for the first prime number generation operation, or twice the candidate prime number obtained in the immediately preceding prime number generation operation, for each of the subsequent prime number generation operations thereto, update each of the first remainders by respectively adding thereto the second remainder corresponding to the same small prime number.
  - 23. The device of claim 22, wherein each subsequent prime number generation operation includes:
    - randomly choosing a new integer; and
      
      updating each of the second remainders with double of the first remainder corresponding to a same small prime number obtained in a previous prime number generation operation.
  - 24. The device of claim 17, wherein the integer is randomly chosen in an interval of [I+1, 2I], wherein:
25. The device of claim 17, wherein the device is further configured to generate the integer from an invertible number belonging to a set of invertible elements modulo a product of numbers belonging to a group of small prime numbers greater than 2, so that the candidate prime number is not divisible by any number of the group, the prime number P having a number of bits equal to within one bit to a third of a desired number of bits of the candidate prime number.
26. The device of claim 25, wherein the integer is chosen as being equal to:
- R=X−
  
  ((2P)^−
  
  1mod Π
  
  v)+Z·
  
  Π
  
  v,X being an invertible number modulo the product of the numbers of the group of small prime numbers greater than 2, P being the prime number, and Z being an integer chosen so that the integer R has a size such that the candidate prime number has a desired number of bits.
27. The device of claim 25, wherein the integer is chosen so as to be even and so that a remainder of its integer division by the prime number is odd.
28. The device of claim 25, wherein the integer is chosen to be equal to:
- R=K+(K mod
  
  2)P·
  
  Π
  
  v +2P·
  
  Z·
  
  Π
  
  v, where K=(((X −
  
  (2P)^−
  
  1−
  
  S)/P) mod Π
  
  v)P+S, S being a remainder of the integer division of the integer R by the prime number P, X being an invertible number modulo the product flv of the prime numbers of the group, P being the prime number, and Z being an integer chosen so that the integer R has a size such that the candidate prime number has the desired number of bits.
29. The device of claim 25, wherein if the candidate prime number does not pass the Pocklington primality test, the device is further configured to generate a new candidate prime number by adding to the candidate prime number a multiple of the invertible number modulo the product, the multiple not being divisible by one of the numbers forming the product, and applying the Pocklington primality test to the new candidate prime number.
30. The device of claim 25, wherein the invertible number is generated by searching for an invertible candidate number X lower than the product Π
- v verifying the following equation;
  
  Xλ
  
  Π
  
  v=1 mod Π
  
  v,λ
  
  Π
  
  v being the Carmichael number of the set of invertible elements modulo the product Π
  
  v.
31. The device of claim 30, wherein an invertible candidate number is randomly chosen at a value lower than the product Π
- v and incremented by one or a quantity B (1−
  
  Xλ
  
  Π
  
  v mod Π
  
  v) until it verifies the equation;
  
  Xλ
  
  Π
  
  v=1 mod Π
  
  v,B being an integer randomly chosen between one and the product Π
  
  v.
32. The device of claim 31, wherein the generation of a first prime number includes:
- randomly choosing a number that includes a number of bits that is less than a maximum number of bits; and
  
  applying, to the chosen number, a limited set of Miller-Rabin tests (MRA, A=2, 7, 61;
  
  3, 5, 7, 11, 13,
  
  17) in different bases, until the chosen number passes the set of Miller-Rabin tests, the maximum number of bits and values of the bases being chosen to prove primality of the first prime number.
33. The device of claim 32, wherein the Miller-Rabin tests applied to the randomly chosen number are performed in bases 2, 7 and 61 with the maximum number of bits chosen lower than or equal to 32, or in bases 2, 3, 5, 7, 11, 13 and 17, with the maximum number of bits chosen lower than or equal to 48.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rambus Inc.
Original Assignee
Inside Secure SA
Inventors
Feix, Benot, Clavier, Christophe, Paillier, Pascal, Thierry, Loc
Primary Examiner(s)
Ngo, Chuong D

Application Number

US14/365,671
Publication Number

US 20140358980A1
Time in Patent Office

1,532 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 17/11   for solving equations , e.g...

G06F 2207/7204   Prime number generation or ...

G06F 7/58   Random or pseudo-random num...

G06F 7/72   using residue arithmetic

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0869   involving random numbers or...

Method of generating proven prime numbers suitable for being implemented in a smart card

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method of generating proven prime numbers suitable for being implemented in a smart card

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links