Questions tagged [safe-prime]

A safe prime is a prime number of the form 2q + 1, where q is also a prime.

A safe prime is a prime number of the form $p = 2q + 1$, where $q$ is also prime. In this case, the related prime $q$ is sometimes known as a Sophie Germain prime.

Safe primes are useful because the multiplicative group of integers modulo $p$, sometimes written $(\mathbb Z/p\mathbb Z)^\times$, has order $2q$, which is the closest to a prime-order group that can be achieved in modular integer arithmetic. Cryptosystems based on the difficulty of computing discrete logarithms, such as Diffie–Hellman or Schnorr signatures, are often designed under the assumption of a prime-order group, and require extra care when cast in composite-order groups.

Specifically, cryptosystems that allow an attacker to learn $g^x$ for attacker-controlled $g$ and secret $x$ may be vulnerable to Lim–Lee active small-subgroup attacks, which easily reveal $x \bmod n$ for each small factor $n$ of the group order. When the group is $(\mathbb Z/p\mathbb Z)^\times$ for a safe prime $p$, the attacker can only learn $x \bmod 2$ this way, since the only other factor is the large prime $q$.

Cryptosystems that do not expose an oracle computing $g \mapsto g^x$ for a secret $x$, such as Diffie–Hellman with single-use (ephemeral) key pairs only, Schnorr signatures, and DSA, do not need safe primes and may instead use Schnorr groups of the more general form $p = kq + 1$, where $q$ is also prime but may be much smaller than $(p - 1)/2$.
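The following Python is an added illustration, not part of the tag wiki or of any question below: it generates a safe prime, reports how much of a static exponent an active small-subgroup probe could learn from the small factors of the group order (only $x \bmod 2$ for a safe prime, versus $x \bmod 210$ for the prime 211, whose group order is $2\cdot3\cdot5\cdot7$), and performs the subgroup-membership check a receiver should apply to a Diffie–Hellman public value before using it with a long-term secret. The function names, the 64-bit toy size and the fixed seed are my own choices, not anything the page prescribes.

```python
import math
import random

# Odd primes below 1000, used to sieve candidates before the Miller-Rabin test.
_SMALL_PRIMES = [n for n in range(3, 1000)
                 if all(n % d for d in range(2, math.isqrt(n) + 1))]


def is_probable_prime(n: int, rounds: int = 32, rng=None) -> bool:
    """Miller-Rabin with random bases: never rejects a prime, and a composite
    survives all rounds with probability at most 4**-rounds."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for sp in [2] + _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, s = n - 1, 0                      # n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a witness of compositeness was found
    return True


def generate_safe_prime(bits: int, rng=None) -> int:
    """Random safe prime p = 2q + 1 with exactly `bits` bits, q prime."""
    rng = rng or random.SystemRandom()
    while True:
        # q gets bits-1 bits with its top bit set, so p lies in [2**(bits-1), 2**bits).
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        # Sieve q and p together; this also discards q = 1 (mod 3), for which
        # 3 divides p, before any expensive exponentiation.
        if any(q % sp == 0 or p % sp == 0 for sp in _SMALL_PRIMES):
            continue
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p


def seeded_safe_prime(bits: int, seed: int) -> int:
    """Deterministic variant for demos and tests only; real keys need SystemRandom."""
    return generate_safe_prime(bits, random.Random(seed))


def small_factors(n: int, bound: int = 1 << 16) -> list:
    """Prime factors of n below `bound`, with multiplicity."""
    out, f = [], 2
    while f < bound and f * f <= n:
        while n % f == 0:
            out.append(f)
            n //= f
        f += 1 if f == 2 else 2
    if 1 < n < bound:
        out.append(n)
    return out


def small_subgroup_modulus(p: int) -> int:
    """Product M of the small prime factors of the group order p - 1.  An active
    attacker who obtains g^x for chosen g learns x mod M (the Lim-Lee attack);
    for a safe prime M = 2, so only the parity of x is exposed."""
    return math.prod(small_factors(p - 1))


def validate_dh_public(y: int, p: int) -> bool:
    """Accept y only if it lies in the order-q subgroup of (Z/pZ)^x, p = 2q + 1.
    Rejecting 1, p - 1 and the quadratic non-residues removes even the order-2
    subgroup, so a static secret combined with y leaks nothing this way."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    p = seeded_safe_prime(64, 2024)                  # constructed toy-sized modulus
    q = (p - 1) // 2
    print(f"p = {p}, q = {q}: an attacker learns x mod {small_subgroup_modulus(p)}")
    print(f"p = 211, p - 1 = 210 = 2*3*5*7: an attacker learns x mod {small_subgroup_modulus(211)}")
    g = 4                                            # a square, hence in the order-q subgroup
    x = random.Random(7).randrange(2, q)
    print("honest public value accepted:", validate_dh_public(pow(g, x, p), p))
    print("p - 1 (order 2) rejected:", validate_dh_public(p - 1, p))
```

The membership test `pow(y, q, p) == 1` is a single exponentiation, which is why safe primes pair so well with static Diffie–Hellman keys: with a Schnorr group $p = kq + 1$ the same check is still one exponentiation, but the cofactor $k$ has many more small factors, so the check becomes mandatory rather than a cheap extra precaution.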

52 questions
28 votes · 3 answers

Are safe primes $p=2^k \pm s$ with $s$ small less recommendable than others as a discrete log modulus?

I take the definition of safe prime as: a prime $p$ is safe when $(p-1)/2$ is prime. Safe primes of appropriate size are the standard choice for the modulus of cryptosystems related to the discrete logarithm problem, such as Diffie-Hellman. A…

fgrieu · 149,326 · 13 · 324 · 622
13 votes · 2 answers

Safe primes in RSA

It's my understanding that there's no longer a requisite of safe primes for $q$ and $p$ when choosing an RSA modulus. How is it that this does not change the hardness of factoring $N$?

boran · 141 · 1 · 3
10 votes · 2 answers

How to efficiently generate a random safe prime of given length?

A prime $p$ is said to be a safe prime if $(p-1)/2$ is also a prime. How to efficiently generate a safe prime? I have written the following code in sagemath which generates a random safe prime of 1536 bits. This code took 426 seconds to generate a…

satya · 1,484 · 10 · 32
10 votes · 1 answer

When to use safe prime or Schnorr group

Protocols that use $\mathbb{Z}_{p}^*$ arithmetic often choose $p$ to be a safe prime ($p = 2q + 1$, for prime $q$) or to have the Schnorr group form ($p = rq + 1$, for prime $q$). I understand that the reason for this is to prevent the…

Conrado · 6,614 · 1 · 30 · 45
7 votes · 1 answer

Malicious DH groups

Can an attacker construct a DH group, large enough to be considered secure (say, a modulus of 2048 bits), such that the group appears safe, but the attacker is able to solve the DLP in the group easily? A lot of applications of DH either use a well…

xnyhps · 223 · 1 · 6
6 votes · 1 answer

Finding large devious primes

Call a prime $p$ devious if $(p-1)/2$ is a Carmichael number. They are called devious since they superficially look like safe primes but are not. In particular, Diffie-Hellman using such a prime could be vulnerable to the Pohlig Hellman…

John Coleman · 362 · 1 · 10
6 votes · 1 answer

What is the best strategy to avoid getting even orders in Shor's algorithm?

I do understand Shor's algorithm wants the order of an element to be even so that it can use the factoring identity and find a non-trivial factor. But is there a relationship between safe primes and the order of an element being even? In other…

user45491 · 409 · 2 · 12
5 votes · 2 answers

Prime numbers of the form $(2^k)p+1$, for a given prime $p$

Let $p$ be a prime (say 256 bit). Does there exist a prime $q$ such that $q = (2^k)p + 1$, for a large $k$ (something like 256)? If it does exist, is there a way to find out for which all $k$ such a $q$ exists? [I know it exists for k =1, I am…

MeV · 159 · 6
5 votes · 1 answer

Complexity of solving the discrete logarithm problem for the group formed from product of 2 safe primes

The complexity of solving the discrete logarithm problem depends on the choice of the group $G$. A popular choice is $Z_p^*$ where $p$ is a safe prime (${p=2p' +1}$ and $p'$ is also prime). In this case, $G$ is a group of prime order so every…

omnomnom · 511 · 3 · 11
5 votes · 1 answer

Checking if discrete logarithm is $\geq\frac{\varphi(p)}2$ in polynomial time?

Given $p$ a prime, $g$ generator of $\Bbb Z_p^*$, and $h\in\Bbb Z_p^*$, that uniquely defines some $z\in[0,\varphi(p)[$ such that $g^z\equiv h\pmod p$. Is it possible to determine in polynomial time if $\displaystyle z\geq\frac{\varphi(p)}2$ ?

Turbo · 1,045 · 6 · 15
5 votes · 3 answers

Finding strong primes

Wikipedia lists the following conditions for a prime to be strong: $p-1$ has large prime factors. That is, $p = a_1 q_1 + 1$ for some integer $a_1$ and large prime $q_1$. $q_1-1$ has large prime factors. That is, $q_1 = a_2 q_2 + 1$ for some integer…

Mints97 · 246 · 4 · 13
5 votes · 4 answers

Why $n=pq$ with $p=2p'+1$ and $q=2q'+1$ instead of just $n=p'q'$ for RSA crypto?

For RSA cryptography, we know that the modulus $n$ is a product of two big prime numbers (say $p$ and $q$). However, in some documents I see an extension of $p=2p'+1$ and $q=2q'+1$ with $q'$ and $p'$ being huge prime numbers. Why is it necessary to…
5 votes · 2 answers

DDH hardness with shared public parameters

DDH is believed hard for the subgroup of $ℤ^*_p$ with order $q=(p-1)/2$ when $p$ is a safe prime chosen randomly. What if $p$ isn't random: When parameters are shared, $p$ mightn't have been chosen randomly—primality can be tested, random sampling…
4 votes · 0 answers

Source of very large prime numbers

The RSA cryptosystem makes use of $n=pq$ where $p, q$ are large prime numbers. With quantum computing, factorization might become easier, so it will probably be useful to use much much bigger $p$, $q$ in the future. If I remember correctly, the…

Basj · 563 · 5 · 25
4 votes · 1 answer

Efficient algorithm for finding Sophie Germain primes

What's the industry standard for efficiently finding large Sophie Germain primes? As a part of request handling in my application, I need to generate a Paillier key. My current approach is to generate a pseudorandom probably prime number q backed up…

omnomnom · 511 · 3 · 11