3

NIST 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications has recommendations for (Explicit) Partial Public Key Validation for RSA which include an example method. It's step e reads

Not a power of a prime: Check that $n$ is not a power of a prime, i.e., there are no integers $b≥2$, $c≥2$ such that $n=b^{\,c}$. This can be done by obtaining an output of COMPOSITE AND NOT A POWER OF A PRIME using the enhanced Miller-Rabin primality test in FIPS 186-3.

The first sentence is wrong:

  • The condition «Not a power of a prime» would be:
    «there are no prime $b$ and integer $c≥2$ such that $n=b^{\,c}$» (A).
  • The condition «there are no integers $b≥2$, $c≥2$ such that $n=b^{\,c}$» (B) is a stronger condition, that could be described as «Not a power of an integer (implicitly: at least 2)».

For example, $225=3^2\cdot5^2$ matches condition (A) but not condition (B).

The second sentence is thus unclear: we are left wondering if «This» refers to (A) or (B).

Questions:

  • Is that second sentence correct when «This» is taken to mean (B)? Equivalently: when the enhanced Miller-Rabin primality test returns COMPOSITE AND NOT A POWER OF A PRIME for some odd $n≥9$, does that demonstrate that there are no integers $b≥2$, $c≥2$ such that $n=b^{\,c}$?
  • If no, what's a counterexample?
  • Does this error in NIST 800-89 matter in practice to security?
  • How efficiently can we test condition (A)?
  • How efficiently can we test the stronger condition (B)?
  • How efficiently can we test the even stronger (and desirable) condition
    «1 is the only square divisor» (C) [update: better known as «square-free» ]?

For example, $45=3^2\cdot5$ matches conditions (A) and (B) but not (C).

fgrieu
  • 149,326
  • 13
  • 324
  • 622

1 Answers1

6

Is that second sentence correct when "This" is taken to mean (B)?

You are correct - they meant (A). If you drop the "i.e." statement (which isn't equivalent to $n$ being the power of a prime, as you pointed out), then it becomes correct.

when the enhanced Miller-Rabin primality test returns COMPOSITE AND NOT A POWER OF A PRIME for some (large) integer $n$, does that demonstrate that there are no integers $b \ge 2, c \ge 2$ such that $n=b^c$? If no, what's a counterexample?

A counterexample would be $n = (31 \cdot 37)^2 = 1315609$ and $b=2$. Running through the algorithm, we find it returns in this case "COMPOSITE AND NOT A POWER OF A PRIME"

Does this error in NIST 800-89 matter in practice to security?

It doesn't appear significant; I suspect that the main reason they threw it in is to catch the odd case that the RSA key generation just happened to pick the same prime for both $p$ and $q$...

How efficiently can we test condition (A)?

The enhanced MR test they gave appears to be quite efficient

How efficiently can we test the stronger condition (B)?

It's not that difficult. At worse, we can just take $k$-th roots of $n$ over the integers and see if that results in an integer (incrementing $k$ until we get a $k$-th root which is less than 2). It looks more expensive than the first step, but still would be feasible.

How efficiently can we test the even stronger (and desirable) condition «1 is the only square divisor» (C) ?

I know of no efficient test (and condition (C) is more commonly known as $n$ being squarefree). This math overflow link suggests that the larger community also doesn't know an efficient test.

poncho
  • 154,064
  • 12
  • 239
  • 382