
NIST requirements for p and q in RSA

NIST.FIPS.186-4

NIST: National Institute of Standards and Technology (United States)

FIPS: Federal Information Processing Standard (United States)

Criteria for IFC Key Pairs

B.3.1 Criteria for IFC Key Pairs
Key pairs for IFC consist of a public key (n, e), and a private key (n, d), where n is the modulus
and is the product of two prime numbers p and q. The security of IFC depends on the quality and
secrecy of these primes and the private exponent d. The primes p and q shall be generated using
one of the following methods:
A. Both p and q are randomly generated prime numbers (Random Primes), where p and q
shall both be either:
1. Provable primes (see Appendix B.3.2), or
2. Probable primes (see Appendix B.3.3).
Using methods 1 and 2, p and q with lengths of 1024 or 1536 bits may be generated; p
and q with lengths of 512 bits shall not be generated using these methods. Instead, p
and q with lengths of 512 bits shall be generated using the conditions based on auxiliary
primes (see Appendices B.3.4, B.3.5, or B.3.6).
B. Both p and q are randomly generated prime numbers that satisfy the following additional
conditions (Primes with Conditions):
$(p - 1)$ has a prime factor $p_1$
$(p + 1)$ has a prime factor $p_2$
$(q - 1)$ has a prime factor $q_1$
$(q + 1)$ has a prime factor $q_2$
where $p_1$, $p_2$, $q_1$ and $q_2$ are called auxiliary primes of p and q.
Using this method, one of the following cases shall apply:
1. The primes $p_1$, $p_2$, $q_1$, $q_2$, p and q shall all be provable primes (see Appendix
B.3.4),
2. The primes $p_1$, $p_2$, $q_1$ and $q_2$ shall be provable primes, and the primes p and q
shall be probable primes (see Appendix B.3.5), or
3. The primes $p_1$, $p_2$, $q_1$, $q_2$, p and q shall all be probable primes (see Appendix
B.3.6).
The minimum lengths for each of the auxiliary primes $p_1$, $p_2$, $q_1$ and $q_2$ are dependent on
nlen, where nlen is the length of the modulus n in bits. Note that nlen is also called the
key size. The lengths of the auxiliary primes may be fixed or randomly chosen, subject to
the restrictions in Table B.1. The maximum length is determined by nlen (the sum of the
length of each auxiliary prime pair) and whether the primes p and q are probable primes
or provable primes (e.g., for the auxiliary prime pair $p_1$ and $p_2$, $len(p_1) + len(p_2)$ shall be
less than a value determined by nlen, whether $p_1$ and $p_2$ are generated to be probable or
provable primes) [3].
[3] … and len(q). In each case, len(p) = len(q) = nlen/2.
In addition, all IFC keys shall meet the following criteria in order to conform to FIPS 186-4:
1. The public exponent e shall be selected with the following constraints:
(a) The public verification exponent e shall be selected prior to generating the primes
p and q, and the private signature exponent d.
(b) The exponent e shall be an odd positive integer such that:
$2^{16} < e < 2^{256}$.
Note that the value of e may be any value that meets constraint 1(b), i.e., e may be
either a fixed value or a random value.
2. The primes p and q shall be selected with the following constraints:
(a) $(p - 1)$ and $(q - 1)$ shall be relatively prime to the public exponent e.
(b) The private prime factor p shall be selected randomly and shall satisfy
$(\sqrt{2})(2^{(nlen/2) - 1}) \le p \le (2^{nlen/2} - 1)$, where nlen is the appropriate length for the
desired security_strength.
(c) The private prime factor q shall be selected randomly and shall satisfy
$(\sqrt{2})(2^{(nlen/2) - 1}) \le q \le (2^{nlen/2} - 1)$, where nlen is the appropriate length for the
desired security_strength.
(d) $|p - q| > 2^{(nlen/2) - 100}$.
3. The private signature exponent d shall be selected with the following constraints after the
generation of p and q :
(a) The exponent d shall be a positive integer value such that
$2^{nlen/2} < d < \mathrm{LCM}(p - 1, q - 1)$, and
(b) $d = e^{-1} \bmod \mathrm{LCM}(p - 1, q - 1)$.
That is, the inequality in (a) holds, and $1 \equiv (ed) \pmod{\mathrm{LCM}(p - 1, q - 1)}$.
In the extremely rare event that $d \le 2^{nlen/2}$, then new values for p, q and d shall be
determined. A different value of e may be used, although this is not required.
Any hash function used during the generation of the key pair shall be approved (i.e., specified in
FIPS 180).

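1.

$(p - 1)$ has a prime factor $p_1$
$(p + 1)$ has a prime factor $p_2$
$(q - 1)$ has a prime factor $q_1$
$(q + 1)$ has a prime factor $q_2$
Each of these numbers should contain a large prime factor, to resist factoring methods that exploit smooth numbers (Pollard's p-1, Williams's p+1).
2. $|p - q| > 2^{(nlen/2) - 100}$: p and q are far enough apart to resist Fermat factorization.
3. The modulus used to compute the inverse is LCM(p - 1, q - 1), not the more commonly seen Euler totient of n.
4. $2^{nlen/2} < d < \mathrm{LCM}(p - 1, q - 1)$ also fixes the range of d; in general d is close to n and is hard to brute-force.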
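
A checker for the numeric criteria quoted above (1(b), 2(a)-(d), 3(a)-(b)), using integer arithmetic only. This is an added example, not code from FIPS 186-4 or from the original post; the names `check_ifc_key` and `derive_d` are hypothetical, the sample key is a constructed toy, and primality of p and q and the auxiliary-prime conditions are assumed to be verified separately.

```python
from math import gcd


def check_ifc_key(p, q, e, d, nlen):
    """Return labels of the FIPS 186-4 B.3.1 criteria that (p, q, e, d) fails.

    Primality of p and q and the auxiliary-prime conditions are NOT checked.
    """
    half = nlen // 2
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # LCM(p-1, q-1)

    def in_range(x):
        # sqrt(2) * 2^(half-1) <= x <= 2^half - 1, squared to stay in integers
        return x * x >= 1 << (2 * half - 1) and x <= (1 << half) - 1

    criteria = [
        ("1b", e % 2 == 1 and (1 << 16) < e < (1 << 256)),
        ("2a", gcd(p - 1, e) == 1 and gcd(q - 1, e) == 1),
        ("2b", in_range(p)),
        ("2c", in_range(q)),
        # |p - q| > 2^(half-100), both sides scaled by 2^100 so that
        # toy sizes with half < 100 are still handled exactly
        ("2d", abs(p - q) << 100 > 1 << half),
        ("3a", (1 << half) < d < lam),
        ("3b", (e * d) % lam == 1),
    ]
    return [label for label, ok in criteria if not ok]


def derive_d(p, q, e):
    """d = e^-1 mod LCM(p-1, q-1), as in criterion 3(b). Needs Python 3.8+."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


if __name__ == "__main__":
    # Constructed toy key: nlen = 32 is far below any approved size and is
    # used only so the arithmetic can be followed by hand.
    p, q, e = 65521, 65519, 65537
    d = derive_d(p, q, e)
    print("toy key, e = 65537:", check_ifc_key(p, q, e, d, 32))
    print("toy key, e = 3:    ", check_ifc_key(p, q, 3, d, 32))
```

At toy sizes criterion 2(d) only rejects p = q; it becomes a real constraint once nlen/2 exceeds 100, as with the 2048-bit and 3072-bit moduli the standard addresses.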
