Safe prime
It has been suggested that this article be merged into Sophie Germain prime. (Discuss) Proposed since April 2019. |
A safe prime is a prime number of the form 2p + 1, where p is also a prime. (Conversely, the prime p is a Sophie Germain prime.) The first few safe primes are
- 5, 7, 11, 23, 47, 59, 83, 107, 167, 179, 227, 263, 347, 359, 383, 467, 479, 503, 563, 587, 719, 839, 863, 887, 983, 1019, 1187, 1283, 1307, 1319, 1367, 1439, 1487, 1523, 1619, 1823, 1907, ... (sequence A005385 in the OEIS)
With the exception of 7, a safe prime q is of the form 6k − 1 or, equivalently, q ≡ 5 (mod 6) — as is p > 3 (c.f. Sophie Germain prime, second paragraph). Similarly, with the exception of 5, a safe prime q is of the form 4k − 1 or, equivalently, q ≡ 3 (mod 4) — trivially true since (q − 1) / 2 must evaluate to an odd natural number. Combining both forms using lcm(6,4) we determine that a safe prime q > 7 also must be of the form 12k−1 or, equivalently, q ≡ 11 (mod 12). It follows that 3 (also 12) is a quadratic residue mod q for any safe prime q > 7. (Thus, 12 is not a primitive root of any safe prime q > 7, and the only safe primes that are also full reptend primes in base 12 are 5 and 7)
Applications
These primes are called "safe" because of their relationship to strong primes. A prime number q is a strong prime if q + 1 and q − 1 both have some large prime factors. For a safe prime q = 2p + 1, the number q − 1 naturally has a large prime factor, namely p, and so a safe prime q meets part of the criteria for being a strong prime. The running times of some methods of factoring a number with q as a prime factor depend partly on the size of the prime factors of q − 1. This is true, for instance, of the p−1 method.
Safe primes are also important in cryptography because of their use in discrete logarithm-based techniques like Diffie–Hellman key exchange. If 2p + 1 is a safe prime, the multiplicative group of numbers modulo 2p + 1 has a subgroup of large prime order. It is usually this prime-order subgroup that is desirable, and the reason for using safe primes is so that the modulus is as small as possible relative to p.
Safe primes obeying certain congruences can be used to generate pseudo-random numbers of use in Monte Carlo simulation.
Safe primes are more time-consuming to search for than strong primes, and for this reason they have been less used. However, as computers get faster, safe primes are being used more. Finding a 500-digit safe prime, like is now quite practical. The problem is that safe primes conjecturally have the same low density as twin primes. For example, the smallest k such that 225 + k is a safe prime is k = 1989, which means that finding it requires testing approximately 1989 numbers for primality. Apart from their low density, they are easier to find than strong primes, in that the programs are much simpler. It is not necessary to attempt the factorization of p − 1. (If p − 1 is difficult to factor, then p is rejected, and p + 2 is tried. This is repeated until p − 1 factors easily. This will happen sooner than p would become a safe prime, on average, because primes p for which p − 1 factors easily are fairly dense.) All of this is made possible by the fact that there are extremely fast probabilistic tests for primality, such as the Miller–Rabin primality test.
Further properties
There is no special primality test for safe primes the way there is for Fermat primes and Mersenne primes. However, Pocklington's criterion can be used to prove the primality of 2p+1 once one has proven the primality of p.
With the exception of 5, there are no Fermat primes that are also safe primes. Since Fermat primes are of the form F = 2n + 1, it follows that (F − 1)/2 is a power of two.
With the exception of 7, there are no Mersenne primes that are also safe primes. This follows from the statement above that all safe primes except 7 are of the form 6k − 1. Mersenne primes are of the form 2m − 1, but 2m − 1 = 6k − 1 would imply that 2m is divisible by 6, which is impossible.
Just as every term except the last one of a Cunningham chain of the first kind is a Sophie Germain prime, so every term except the first of such a chain is a safe prime. Safe primes ending in 7, that is, of the form 10n + 7, are the last terms in such chains when they occur, since 2(10n + 7) + 1 = 20n + 15 is divisible by 5.
If a safe prime q is congruent to 7 modulo 8, then it is a divisor of the Mersenne number with its matching Sophie Germain prime as exponent.
If q > 7 is a safe prime, then q divides 3(q-1)/2 - 1 (This follows from the fact that 3 is a Quadratic residue mod q).
Records
As of 2017[update], the largest known safe prime is 2618163402417 · 21290000 - 1, followed by 18543637900515 × 2666668 − 1. These primes and the corresponding largest known Sophie Germain prime were found in October 2016 and April 2012, respectively.[1]
On 16 June 2016, Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata, and Colin Stahlke announced the computation of a discrete logarithm modulo a 232-digit (768-bit) safe prime using a number field sieve algorithm. See Discrete logarithm records.
References
- ^ "The Top Twenty Sophie Germain". The Prime Pages. Retrieved 31 December 2017.
External links
- Safe prime at PlanetMath.
- M. Abramowitz, I. A. Stegun, ed. (1972). Handbook of Mathematical Functions. Applied Math. Series. Vol. 55 (Tenth Printing ed.). National Bureau of Standards. p. 870.