【国外标准】 Prime Number Generation, Primality Testing, and Primality Certificates

In the current state of the art in public key cryptography, all methods require, in one way or another, the use of prime numbers as parameters to the various algorithms. This document presents a set of accepted techniques for generating primes. It is intended that ASC X9 standards that require the use of primes will refer to this document, rather than trying to define these techniques on a case-by-case basis. Standards, as they exist today, may differ in the methods they use for parameter generation from those specified in this document. It is anticipated that as each existing ASC X9 standard comes up for its 5-year review, it will be modified to reference this document instead of specifying its own techniques for generating primes. This standard defines methods for generating large prime numbers as needed by public key cryptographic algorithms. It also provides testing methods for testing candidate primes presented by a third party. This standard allows primes to be generated either deterministically or probabilistically, where:?A number shall be accepted as prime when a probabilistic algorithm that declares it to be prime is in error with probability less than 2?00.?A deterministic prime shall be generated using a method that guarantees that it is prime. In addition to algorithms for generating primes, this standard also presents primality certificates for some of the algorithms where it is feasible to do so. The syntax for such certificates is beyond the scope of this document. Primality certificates are never required by this standard. Primality certificates are not needed when a prime is generated and kept in a secure environment that is managed by the party that generated the prime. A requirement placed upon the use of this standard, but out of scope, is as follows:?When a random or pseudo-random number generator is used to generate prime numbers, an ANSI approved random number (or bit) generator (i.e., one that is specified in an ANSI X9 standard) shall be used. This requirement is necessary to ensure security. NOTE鵗he 2-100 failure probability is selected to be sufficiently small that errors are extremely unlikely ever to occur in normal practice. Moreover, even if an error were to occur when one party tests a prime, subsequent tests by the same or other parties would detect the error with overwhelming probability. Furthermore, the 2-100 probability is an upper bound on the worst-case probability that a test declares any non-prime candidate to be prime; not all non-primes may reach this bound, and the probability that a non-prime generated at random passes such a test is much lower. Accordingly, the 2-100 bound is considered appropriate independent of the size of the prime being generated and the intended security level of the cryptosystem in which the prime is to be employed. For high-assurance applications, however, the deterministic methods may nevertheless be preferable.