ASC/X9 - ANSI X9.80
Prime Number Generation, Primality Testing, and Primality Certificates
|Publication Date:||9 April 2020|
In the current state of the art in public key cryptography, all methods require, in one way or another, the use of prime numbers as parameters to the various algorithms. This document presents a set of accepted techniques for generating prime numbers, often referred to as simply "primes".
It is intended that ASC X9 standards that require the use of primes will refer to this document rather than trying to define these techniques on a case-by-case basis. Standards, as they exist today, may differ in the methods they use for parameter generation from those specified in this document. It is anticipated that each existing ASC X9 standard will be modified to reference this document during its 5-year review instead of specifying its own techniques for generating primes.
This Standard defines methods for generating large prime numbers as needed by public key cryptographic algorithms. It also provides testing methods for testing candidate primes presented by a third party. Furthermore, the use of prime generation schemes described in the Digital Signature Standard (DSS), FIPS 186-4 (or later versions) are permitted by this Standard.
This Standard allows primes to be generated either deterministically or probabilistically, where:
- A number shall be accepted as prime when a probabilistic algorithm that declares it to be prime is in error with probability less than 2−100. 1
- A deterministic prime shall be generated using a method that guarantees that it is prime.
In addition to algorithms for generating primes, this Standard also provides methods for primality certificates where it is feasible to do so. The syntax for such certificates is beyond the scope of this document. Primality certificates are never required by this Standard. Primality certificates are not needed when a prime is generated and kept in a secure environment that is managed by the party that generated the prime.
A requirement placed upon the use of this Standard, but out of scope, is as follows:
- When a random or pseudo-random number generator is used to generate prime numbers, an ASC X9- approved random number (or bit) generator (e.g., one that is specified in an ASC X9 standard) shall be used. This requirement is necessary to ensure security.
NOTE The 2−100 failure probability is selected to be sufficiently small that errors are extremely unlikely ever to occur in normal practice. Moreover, even if an error were to occur when one party tests a prime, subsequent tests by the same or other parties would detect the error with overwhelming probability. Furthermore, the 2−100 probability is an upper bound on the worst-case probability that a test declares any non-prime candidate to be prime; not all non-primes may reach this bound, and the probability that a non-prime generated at random passes such a test is much lower. Accordingly, the 2−100 bound is considered appropriate independent of the size of the prime being generated and the intended security strength of the cryptosystem in which the prime is to be employed. For high-assurance applications, however, the deterministic methods may nevertheless be preferable.
1 FIPS 186-4 sets the error probability to the desired security strength. When using a 186-4 probabilistic prime generation method, the error probability set by that standard should be used.