Safe and Sophie Germain primes

From HandWiki
(Redirected from Safe prime)
Short description: A prime pair (p, 2p+1)

In number theory, a prime number p is a Sophie Germain prime if 2p + 1 is also prime. The number 2p + 1 associated with a Sophie Germain prime is called a safe prime. For example, 11 is a Sophie Germain prime and 2 × 11 + 1 = 23 is its associated safe prime. Sophie Germain primes are named after French mathematician Sophie Germain, who used them in her investigations of Fermat's Last Theorem.[1] One attempt by Germain to prove Fermat’s Last Theorem was to let p be a prime number of the form 8k + 7 and to let n = p – 1. In this case, [math]\displaystyle{ x^n + y^n = z^n }[/math] is unsolvable. Germain’s proof, however, remained unfinished.[2][3] Through her attempts to solve Fermat's Last Theorem, Germain developed a result now known as Germain's Theorem which states that if p is an odd prime and 2p + 1 is also prime, then p must divide x, y, or z. Otherwise, [math]\displaystyle{ x^n + y^n \neq z^n }[/math]. This case where p does not divide x, y, or z is called the first case. Sophie Germain’s work was the most progress achieved on Fermat’s last theorem at that time.[2] Later work by Kummer and others always divided the problem into first and second cases. Sophie Germain primes and safe primes have applications in public key cryptography and primality testing. It has been conjectured that there are infinitely many Sophie Germain primes, but this remains unproven.

Individual numbers

The first few Sophie Germain primes (those less than 1000) are

2, 3, 5, 11, 23, 29, 41, 53, 83, 89, 113, 131, 173, 179, 191, 233, 239, 251, 281, 293, 359, 419, 431, 443, 491, 509, 593, 641, 653, 659, 683, 719, 743, 761, 809, 911, 953, ... OEISA005384

Hence, the first few safe primes are

5, 7, 11, 23, 47, 59, 83, 107, 167, 179, 227, 263, 347, 359, 383, 467, 479, 503, 563, 587, 719, 839, 863, 887, 983, 1019, 1187, 1283, 1307, 1319, 1367, 1439, 1487, 1523, 1619, 1823, 1907, ... OEISA005385

In cryptography much larger Sophie Germain primes like 1,846,389,521,368 + 11600 are required.

Two distributed computing projects, PrimeGrid and Twin Prime Search, include searches for large Sophie Germain primes. Some of the largest known Sophie Germain primes are given in the following table.[4]

Value Number of digits Time of discovery Discoverer
2618163402417 × 21290000 − 1 388342 February 2016 Dr. James Scott Brown in a distributed PrimeGrid search using the programs TwinGen and LLR[5]
18543637900515 × 2666667 − 1 200701 April 2012 Philipp Bliedung in a distributed PrimeGrid search using the programs TwinGen and LLR[6]
183027 × 2265440 − 1 79911 March 2010 Tom Wu using LLR[7]
648621027630345 × 2253824 − 1 and 620366307356565 × 2253824 − 1 76424 November 2009 Zoltán Járai, Gábor Farkas, Tímea Csajbók, János Kasza and Antal Járai[8][9]
1068669447 × 2211088 − 1 63553 May 2020 Michael Kwok[10]
99064503957 × 2200008 − 1 60220 April 2016 S. Urushihata[11]
607095 × 2176311 − 1 53081 September 2009 Tom Wu[12]
48047305725 × 2172403 − 1 51910 January 2007 David Underbakke using TwinGen and LLR[13]
137211941292195 × 2171960 − 1 51780 May 2006 Járai et al.[14]

On 2 Dec 2019, Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann announced the computation of a discrete logarithm modulo the 240-digit (795 bit) prime RSA-240 + 49204 (the first safe prime above RSA-240) using a number field sieve algorithm; see Discrete logarithm records.

Properties

There is no special primality test for safe primes the way there is for Fermat primes and Mersenne primes. However, Pocklington's criterion can be used to prove the primality of 2p + 1 once one has proven the primality of p.

Just as every term except the last one of a Cunningham chain of the first kind is a Sophie Germain prime, so every term except the first of such a chain is a safe prime. Safe primes ending in 7, that is, of the form 10n + 7, are the last terms in such chains when they occur, since 2(10n + 7) + 1 = 20n + 15 is divisible by 5.

Modular restrictions

With the exception of 7, a safe prime q is of the form 6k − 1 or, equivalently, q ≡ 5 (mod 6) – as is p > 3. Similarly, with the exception of 5, a safe prime q is of the form 4k − 1 or, equivalently, q ≡ 3 (mod 4) — trivially true since (q − 1) / 2 must evaluate to an odd natural number. Combining both forms using lcm(6, 4) we determine that a safe prime q > 7 also must be of the form 12k − 1 or, equivalently, q ≡ 11 (mod 12).

It follows that, for any safe prime q > 7:

If p is a Sophie Germain prime greater than 3, then p must be congruent to 2 mod 3. For, if not, it would be congruent to 1 mod 3 and 2p + 1 would be congruent to 3 mod 3, impossible for a prime number.[15] Similar restrictions hold for larger prime moduli, and are the basis for the choice of the "correction factor" 2C in the Hardy–Littlewood estimate on the density of the Sophie Germain primes.[16]

If a Sophie Germain prime p is congruent to 3 (mod 4) (OEISA002515, Lucasian primes), then its matching safe prime 2p + 1 (congruent to 7 modulo 8) will be a divisor of the Mersenne number 2p − 1. Historically, this result of Leonhard Euler was the first known criterion for a Mersenne number with a prime index to be composite.Cite error: Closing </ref> missing for <ref> tag Several other famous conjectures in number theory generalize this and the twin prime conjecture; they include the Dickson's conjecture, Schinzel's hypothesis H, and the Bateman–Horn conjecture.

A heuristic estimate for the number of Sophie Germain primes less than n is[16]

[math]\displaystyle{ 2C \frac{n}{(\ln n)^2} \approx 1.32032\frac{n}{(\ln n)^2} }[/math]

where

[math]\displaystyle{ C=\prod_{p\gt 2} \frac{p(p-2)}{(p-1)^2}\approx 0.660161 }[/math]

is Hardy–Littlewood's twin prime constant. For n = 104, this estimate predicts 156 Sophie Germain primes, which has a 20% error compared to the exact value of 190. For n = 107, the estimate predicts 50822, which is still 10% off from the exact value of 56032. The form of this estimate is due to G. H. Hardy and J. E. Littlewood, who applied a similar estimate to twin primes.[17]

A sequence (p, 2p + 1, 2(2p + 1) + 1, ...) in which all of the numbers are prime is called a Cunningham chain of the first kind. Every term of such a sequence except the last is a Sophie Germain prime, and every term except the first is a safe prime. Extending the conjecture that there exist infinitely many Sophie Germain primes, it has also been conjectured that arbitrarily long Cunningham chains exist,[18] although infinite chains are known to be impossible.[19]

Strong primes

A prime number q is a strong prime if q + 1 and q − 1 both have some large (around 500 digits) prime factors. For a safe prime q = 2p + 1, the number q − 1 naturally has a large prime factor, namely p, and so a safe prime q meets part of the criteria for being a strong prime. The running times of some methods of factoring a number with q as a prime factor depend partly on the size of the prime factors of q − 1. This is true, for instance, of the p − 1 method.

Applications

Cryptography

Safe primes are also important in cryptography because of their use in discrete logarithm-based techniques like Diffie–Hellman key exchange. If 2p + 1 is a safe prime, the multiplicative group of integers modulo 2p + 1 has a subgroup of large prime order. It is usually this prime-order subgroup that is desirable, and the reason for using safe primes is so that the modulus is as small as possible relative to p.

A prime number p = 2q + 1 is called a safe prime if q is prime. Thus, p = 2q + 1 is a safe prime if and only if q is a Sophie Germain prime, so finding safe primes and finding Sophie Germain primes are equivalent in computational difficulty. The notion of a safe prime can be strengthened to a strong prime, for which both p − 1 and p + 1 have large prime factors. Safe and strong primes were useful as the factors of secret keys in the RSA cryptosystem, because they prevent the system being broken by some factorization algorithms such as Pollard's p − 1 algorithm. However, with the current factorization technology, the advantage of using safe and strong primes appears to be negligible.[20]

Similar issues apply in other cryptosystems as well, including Diffie–Hellman key exchange and similar systems that depend on the security of the discrete logarithm problem rather than on integer factorization.[21] For this reason, key generation protocols for these methods often rely on efficient algorithms for generating strong primes, which in turn rely on the conjecture that these primes have a sufficiently high density.[22]

In Sophie Germain Counter Mode, it was proposed to use the arithmetic in the finite field of order equal to the safe prime 2128 + 12451, to counter weaknesses in Galois/Counter Mode using the binary finite field GF(2128). However, SGCM has been shown to be vulnerable to many of the same cryptographic attacks as GCM.[23]

Primality testing

In the first version of the AKS primality test paper, a conjecture about Sophie Germain primes is used to lower the worst-case complexity from O(log12n) to O(log6n). A later version of the paper is shown to have time complexity O(log7.5n) which can also be lowered to O(log6n) using the conjecture.[24] Later variants of AKS have been proven to have complexity of O(log6n) without any conjectures or use of Sophie Germain primes.

Pseudorandom number generation

Safe primes obeying certain congruences can be used to generate pseudo-random numbers of use in Monte Carlo simulation.

Similarly, Sophie Germain primes may be used in the generation of pseudo-random numbers. The decimal expansion of 1/q will produce a stream of q − 1 pseudo-random digits, if q is the safe prime of a Sophie Germain prime p, with p congruent to 3, 9, or 11 modulo 20.[25] Thus "suitable" prime numbers q are 7, 23, 47, 59, 167, 179, etc. (OEISA000353) (corresponding to p = 3, 11, 23, 29, 83, 89, etc.) (OEISA000355). The result is a stream of length q − 1 digits (including leading zeros). So, for example, using q = 23 generates the pseudo-random digits 0, 4, 3, 4, 7, 8, 2, 6, 0, 8, 6, 9, 5, 6, 5, 2, 1, 7, 3, 9, 1, 3. Note that these digits are not appropriate for cryptographic purposes, as the value of each can be derived from its predecessor in the digit-stream.[citation needed]

In popular culture

Sophie Germain primes are mentioned in the stage play Proof[26] and the subsequent film.[27]

References

  1. Specifically, Germain proved that the first case of Fermat's Last Theorem, in which the exponent divides one of the bases, is true for every Sophie Germain prime, and she used similar arguments to prove the same for all other primes up to 100. For details see Edwards, Harold M. (2000), Fermat's Last Theorem: A Genetic Introduction to Algebraic Number Theory, Graduate Texts in Mathematics, 50, Springer, pp. 61–65, ISBN 9780387950020 .
  2. 2.0 2.1 Dalmedico, Amy (1991). "Sophie Germain". Scientific American 265 (6): 116–123. doi:10.1038/scientificamerican1291-116. https://www.jstor.org/stable/24938838. 
  3. Laubenbacher, Reinhard; Pengelley, David (2010-11-01). ""Voici ce que j'ai trouvé:" Sophie Germain's grand plan to prove Fermat's Last Theorem" (in en). Historia Mathematica 37 (4): 641–692. doi:10.1016/j.hm.2009.12.002. ISSN 0315-0860. 
  4. The Top Twenty Sophie Germain Primes — from the Prime Pages. Retrieved 17 May 2020.
  5. "PrimeGrid's Sophie Germain Prime Search". PrimeGrid. https://www.primegrid.com/download/SGS_2618163402417_1290000.pdf. 
  6. "PrimeGrid's Sophie Germain Prime Search". PrimeGrid. http://www.primegrid.com/download/SGS_666667.pdf. 
  7. The Prime Database: 183027*2^265440-1. From The Prime Pages.
  8. The Prime Database: 648621027630345*2^253824-1.
  9. The Prime Database: 620366307356565*2^253824-1
  10. The Prime Database: 1068669447*2^211088-1 From The Prime Pages.
  11. The Prime Database: 99064503957*2^200008-1 From The Prime Pages.
  12. The Prime Database: 607095*2^176311-1.
  13. The Prime Database: 48047305725*2^172403-1.
  14. The Prime Database: 137211941292195*2^171960-1.
  15. Krantz, Steven G. (2010), An Episodic History of Mathematics: Mathematical Culture Through Problem Solving, Mathematical Association of America, p. 206, ISBN 9780883857663, https://books.google.com/books?id=ulmAH-6IzNoC&pg=PA206 .
  16. 16.0 16.1 Cite error: Invalid <ref> tag; no text was provided for refs named shoup
  17. Ribenboim, Paulo (1999), Fermat's Last Theorem for Amateurs, Springer, p. 141, ISBN 9780387985084, https://books.google.com/books?id=XPrQmE5trIgC&pg=PA141 .
  18. Wells, David (2011), Prime Numbers: The Most Mysterious Figures in Math, John Wiley & Sons, p. 35, ISBN 9781118045718, https://books.google.com/books?id=1MTcYrbTdsUC&pg=PA35, "If the strong prime k-tuples conjecture is true, then Cunningham chains can reach any length." 
  19. Löh, Günter (1989), "Long chains of nearly doubled primes", Mathematics of Computation 53 (188): 751–759, doi:10.1090/S0025-5718-1989-0979939-8 .
  20. Rivest, Ronald L.; Silverman, Robert D. (November 22, 1999), Are 'strong' primes needed for RSA?, https://people.csail.mit.edu/rivest/pubs/RS01.version-1999-11-22.pdf 
  21. "Security analysis of the strong Diffie–Hellman problem", 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'06), St. Petersburg, Russia, May 28 – June 1, 2006, Proceedings, Lecture Notes in Computer Science, 4004, Springer-Verlag, 2006, pp. 1–11, doi:10.1007/11761679_1, http://www.iacr.org/cryptodb/archive/2006/EUROCRYPT/2143/2143.pdf .
  22. Gordon, John A. (1985), "Strong primes are easy to find", Proceedings of EUROCRYPT 84, A Workshop on the Theory and Application of Cryptographic Techniques, Paris, France, April 9–11, 1984, Lecture Notes in Computer Science, 209, Springer-Verlag, pp. 216–223, doi:10.1007/3-540-39757-4_19 .
  23. Yap, Wun-She; Yeo, Sze Ling; Heng, Swee-Huay; Henricksen, Matt (2013), "Security analysis of GCM for communication", Security and Communication Networks 7 (5): 854–864, doi:10.1002/sec.798 .
  24. Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004), "PRIMES is in P", Annals of Mathematics 160 (2): 781–793, doi:10.4007/annals.2004.160.781, http://www.cse.iitk.ac.in/users/manindra/algebra/primality_v6.pdf 
  25. Matthews, Robert A. J. (1992), "Maximally periodic reciprocals", Bulletin of the Institute of Mathematics and Its Applications 28 (9–10): 147–148 .
  26. Peterson, Ivars (Dec 21, 2002), "Drama in numbers: putting a passion for mathematics on stage", Science News, doi:10.2307/4013968, http://www.thefreelibrary.com/Drama+in+numbers%3A+putting+a+passion+for+mathematics+on+stage.-a096417274, "[Jean E.] Taylor pointed out that the example of a Germain prime given in the preliminary text was missing the term "+ 1." "When I first went to see 'Proof' and that moment came up in the play, I was happy to hear the 'plus one' clearly spoken," Taylor says." 
  27. Ullman, Daniel (2006), "Movie Review: Proof", Notices of the AMS 53 (3): 340–342, http://www.ams.org/notices/200603/rev-ullman.pdf, "There are a couple of breaks from realism in Proof where characters speak in a way that is for the benefit of the audience rather than the way mathematicians would actually talk among themselves. When Hal (Harold) remembers what a Germain prime is, he speaks to Catherine in a way that would be patronizing to another mathematician." 

External links