Safe prime

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A safe prime is a prime number of the form 2p + 1, where p is also a prime. (Conversely, the prime p is a Sophie Germain prime.) The first few safe primes are

5, 7, 11, 23, 47, 59, 83, 107, 167, 179, 227, 263, 347, 359, 383, 467, 479, 503, 563, 587, 719, 839, 863, 887, 983, 1019, 1187, 1283, 1307, 1319, 1367, 1439, 1487, 1523, 1619, 1823, 1907, ... (sequence A005385 in OEIS)

With the exception of 7, a safe prime q is of the form 6k − 1 or, equivalently, q ≡ 5 (mod 6) — as is p > 3 (c.f. Sophie Germain prime, second paragraph). Similarly, with the exception of 5, a safe prime q is of the form 4k − 1 or, equivalently, q ≡ 3 (mod 4) — trivially true since (q − 1) / 2 must evaluate to an odd natural number. Combining both forms using lcm(6,4) we determine that a safe prime q > 7 also must be of the form 12k−1 or, equivalently, q ≡ 11 (mod 12).

Applications[edit]

These primes are called "safe" because of their relationship to strong primes. A prime number q is a strong prime if q + 1 and q − 1 both have some large prime factors. For a safe prime q = 2p + 1, the number q − 1 naturally has a large prime factor, namely p, and so a safe prime q meets part of the criteria for being a strong prime. The running times of some methods of factoring a number with q as a prime factor depend partly on the size of the prime factors of q − 1. This is true, for instance, of the Pollard rho, +1 and −1 methods. Although the most efficient known integer factorization methods do not depend on the size of the prime factors of q + 1, this is nonetheless considered important in cryptography: for instance, the ANSI X9.31 standard [1] mandates that strong primes (not safe primes) be used for RSA moduli.

Safe primes are also important in cryptography because of their use in discrete logarithm-based techniques like Diffie-Hellman key exchange. If 2p + 1 is a safe prime, the multiplicative group of numbers modulo 2p + 1 has a subgroup of large prime order. It is usually this prime-order subgroup that is desirable, and the reason for using safe primes is so that the modulus is as small as possible relative to p.

Safe primes obeying certain congruences can be used to generate pseudo-random numbers of use in Monte Carlo simulation.

Safe primes are more time consuming to search for than strong primes, and for this reason they have been less used. However, as computers get faster safe primes are being used more. Finding a random 500-digit safe prime is now quite practical. The problem is that safe primes have the same low density as twin primes. For example, the smallest k such that 225 + k is a safe prime is k = 1989, which means that finding it requires testing approximately 1989 numbers for primality. Apart from their low density, they are easier to find than strong primes, in that the programs are much simpler. It is not necessary to attempt the factorization of p-1. (If p-1 is difficult to factor, then p is rejected, and p + 2 is tried. This is repeated until p-1 factors easily. This will happen sooner than p would become a safe prime, on average, because primes p for which p-1 factors easily are fairly dense.) All of this is made possible by the fact that there are extremely fast probabilistic tests for primality, such as the Miller–Rabin primality test.

Further properties[edit]

There is no special primality test for safe primes the way there is for Fermat primes and Mersenne primes. However, Pocklington's criterion can be used to prove the primality of 2p+1 once one has proven the primality of p.

With the exception of 5, there are no Fermat primes that are also safe primes. Since Fermat primes are of the form F = 2n + 1, it follows that (F − 1)/2 is a power of two.

With the exception of 7, there are no Mersenne primes that are also safe primes. This follows from the statement above that all safe primes except 7 are of the form 6k − 1. Mersenne primes are of the form 2m − 1, but 2m − 1 = 6k − 1 would imply that 2m is divisible by 6, which is impossible.

Just as every term except the last one of a Cunningham chain of the first kind is a Sophie Germain prime, so every term except the first of such a chain is a safe prime. Safe primes ending in 7, that is, of the form 10n + 7, are the last terms in such chains when they occur, since 2(10n + 7) + 1 = 20n + 15 is divisible by 5.

If a safe prime q is congruent to 7 modulo 8, then it is a divisor of the Mersenne number with its matching Sophie Germain prime as exponent.

Records[edit]

As of October 2012, the largest known safe prime is 18543637900515 × 2666668 − 1. This prime and the corresponding largest known Sophie Germain prime were found in April 2012.[2]

On 5 February 2007, a discrete logarithm modulo a 160-digit (530-bit) safe prime was computed. See Discrete logarithm records.

References[edit]

External links[edit]