
In the key generation process GnuPG displays:

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

Now I wonder: what would be the usage of this random data in prime generation? I'm familiar with the Sieve of Eratosthenes, but can't think of an application of such data in the sieve. I also know the Rabin-Miller strong test, which could use random data as values mod n, but I'm not sure if that's the case.

1 Answer


The public modulus in 2048-bit RSA, e.g., is a product of two 1024/1025-bit random primes, whose binary decomposition has the most and the least significant bit set to one. The rest are randomized and the whole number is tested for primality:

    #include <stdlib.h>
    static int is_prime(unsigned n) {  // trial division, fine for 16-bit n
        for (unsigned d = 2; d * d <= n; d++) if (n % d == 0) return 0;
        return n > 1;
    }
    // to generate a 16-bit prime
    // the MSB must be one, if the prime is to be 16-bit
    // and the LSB must be one, because all primes (p > 2) are odd
    unsigned random_16bit_prime(void) {
        unsigned a = rand();  // between 0 and RAND_MAX
        a &= 0x7ffe;          // Leave 14 middle bits as is
        a |= 0x8001;          // Force MSB and LSB to one
        while (!is_prime(a)) if ((a += 2) > 0xffff) a = 0x8001; // wrap if we leave the 16-bit range
        return a;
    }

Thus we start at a random integer, then increase the candidate by two until we find one. The number of calls to is_prime is typically in the range of log2(N) (IIRC). This can be slightly improved by calculating a += N(a), where N uses the SoE to skip multiples of a few small primes.

Taking two of those random numbers, one could produce a 31-32 bit RSA modulus.

In practice the primality test is carried out with Rabin-Miller or another strong test, because the SoE would have huge memory requirements and would require an incomprehensible number of steps to skip all primes in the range of sqrt(2^1024) ~= 2^512.

Aki Suihkonen
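As an added worked example (my own code, not taken from the answer above nor from GnuPG's implementation), the following Python puts the whole procedure together for an arbitrary bit size: a random odd starting candidate with the top bit forced, an upward walk in steps of two, a small-prime residue sieve that skips obviously composite candidates without dividing the full number again, and a Miller-Rabin test on the survivors. It also shows the second place the random bytes go, which the question hints at: the witness bases of Miller-Rabin are drawn from the RNG too. The function names `is_probable_prime`, `random_prime` and `rsa_modulus`, the sieve bound of 128 and the round count of 40 are my choices, not anything the page specifies.

```python
"""Random prime generation in the spirit of the answer above: random odd
start with MSB set, step by two, sieve out small-prime multiples, and
confirm survivors with Miller-Rabin (whose witness bases also use the RNG)."""
import secrets

# Odd primes below 128 (an assumed sieve bound); used both to sieve
# candidates and for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 128, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=40, rng=None):
    """Miller-Rabin with `rounds` random bases (error probability <= 4**-rounds)."""
    rng = rng or secrets.SystemRandom()
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:               # trial division first: rejects most composites cheaply
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0                      # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)      # random witness base: this is where more RNG output goes
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # base a proves n composite
    return True


def random_prime(bits, rng=None, rounds=40):
    """Return a prime of exactly `bits` bits, MSB and LSB forced to one."""
    if bits < 8:
        raise ValueError("use at least 8 bits so every candidate exceeds the sieve primes")
    rng = rng or secrets.SystemRandom()
    top = 1 << (bits - 1)
    while True:
        cand = rng.getrandbits(bits) | top | 1       # random start, top and bottom bits set
        # residues of the candidate mod each small prime; stepping them by 2
        # as the candidate advances is the cheap "skip multiples" trick
        res = [cand % p for p in SMALL_PRIMES]
        while cand < (1 << bits):                    # never leave the requested bit range
            if all(res) and is_probable_prime(cand, rounds, rng):
                return cand
            cand += 2
            res = [(r + 2) % p for r, p in zip(res, SMALL_PRIMES)]
        # walked past the largest prime of this size without a hit: draw a fresh start


def rsa_modulus(bits, rng=None):
    """Two bits//2-bit primes and their product n; n has bits-1 or bits bits."""
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:                                    # p == q would make n a perfect square
        q = random_prime(bits // 2, rng)
    return p, q, p * q


if __name__ == "__main__":
    p, q, n = rsa_modulus(32)
    print(f"p={p} q={q} n={n} ({n.bit_length()} bits)")
```

Because only the top bit of each prime is forced, the product of two k-bit primes lands at either 2k-1 or 2k bits, which is exactly the 31-32 bit spread the answer mentions for 16-bit factors; real libraries that want a modulus of exactly 2k bits typically force the top two bits of each prime instead. The restart when the walk runs off the top of the range is the edge case the one-line `a += 2` loop glosses over: for 16 bits, any start above 65521 would otherwise wander into 17-bit territory.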