The Miller–Rabin test with randomized exponents
Abstract. We analyze a variant of the well-known Miller–Rabin test that may be useful in preventing side-channel attacks on random prime generation on smart cards. In the Miller–Rabin primality test for a positive integer n, one repeatedly computes the expression a^ω (mod n) for random bases a ∈ ℕ and exponents ω such that ω divides n − 1 and (n − 1)/ω is a power of 2. In each round one chooses, at random, a different base a and uses binary exponentiation to compute a^ω (mod n). ‘Listening’ to many rounds, it seems at least plausible that an outside spy could retrieve the integer n − 1. In the variant we consider, one chooses in each round two positive random integers a and ρ and applies the test with base a and exponents ωρ, with ω as above. This increases the safety against side-channel attacks; at the same time, however, it decreases the performance of the Miller–Rabin test. In this article we use elementary means to analyze this variant. We will not be able to obtain results as strong as those of Damgård, Landrock and Pomerance on prime generation using the original Miller–Rabin test. However, by imposing restrictions on the random parameter ρ, we obtain satisfactory estimates on the variant described here which justify practical implementation.
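The round structure described in the abstract, written out as an added Python example (not code from the paper): one strong probable-prime round with base a and exponent d·ρ, where n − 1 = 2^s·d with d odd, so that ρ = 1 gives the classical Miller–Rabin round and a random ρ gives the variant. The restriction on ρ used here (odd, 32-bit) is an illustrative assumption, not the restriction analyzed in the paper.

```python
import secrets


def decompose(n):
    """Write n - 1 = 2**s * d with d odd; return (s, d)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def strong_probable_prime_round(n, a, rho=1):
    """One round with base a and exponent d*rho (rho = 1: classical Miller-Rabin).

    The squaring chain a^(d*rho), a^(2d*rho), ..., a^(2^s d*rho) ends at
    (a^(n-1))^rho, which is 1 for prime n, so a prime passes for every rho;
    for composite n the chain can expose a nontrivial square root of 1.
    """
    s, d = decompose(n)
    x = pow(a, d * rho, n)          # exponent bits fed to square-and-multiply change with rho
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
        if x == 1:                  # nontrivial square root of 1: n is composite
            return False
    return False


def is_probable_prime(n, rounds=20, randomize_exponent=True, rho_bits=32):
    """Repeat the round with a fresh base a (and fresh rho in the variant)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)                  # base in [2, n-2]
        # Assumed restriction for this example: rho odd and bounded, not the paper's condition.
        rho = (secrets.randbits(rho_bits) | 1) if randomize_exponent else 1
        if not strong_probable_prime_round(n, a, rho):
            return False
    return True
```

With ρ coprime to the group exponent, the variant round with base a equals the classical round with base a^ρ, which is why the error analysis hinges on the values ρ is allowed to take.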
[1] L. Monier et al. Evaluation and Comparison of Two Efficient Probabilistic Primality Testing Algorithms. Theor. Comput. Sci., 1980.
[2] M. Rabin. Probabilistic algorithm for testing primality. 1980.
[3] I. Damgård et al. Average case error estimates for the strong probable prime test. 1993.
[4] R. J. Burthe. Further investigations with the strong probable prime test. Math. Comput., 1996.
[5] K. Kato et al. Number Theory 1. 1999.