Details of generating primes for cryptography
RSA public key cryptography begins by finding a couple large primes. You essentially do this by testing random numbers until you find primes, but not quite.
Filippo Valsorda just posted a good article on this.
Suppose you're looking for a 1024-bit prime number. You generate random 1024-bit numbers and then test until you find one that's prime. You can immediately make this process twice as fast by setting the last bit to 1: it would be wasteful to generate a new number every time you happened to draw an even number.
A little less obvious is that it's common to set the top bit as well. When you're generating a number between 0 and 21024 - 1, it's possible that you could generate a small number. It's possible that you generate a very small number, like 59, but extremely unlikely. But it's not so unlikely that you'd generate a number on the order of 21020, for example. By setting the top bit, you know you're generating a number between 21023 and 21024.
Most composite numbers have small factors, so you check for divisibility by 3, 5, 7 etc. before running more time-consuming tests. Probabilistic tests are far more efficient than deterministic tests, so in practice everyone uses probable primes in RSA. For details of how you apply these tests, and how many tests to run, see Filippo Valsorda's article.
Should you be concerned about setting the top bit of prime candidates? There are naive and sophisticated reasons not work worry, and an intermediate reason to at least think about it.
The naive response is that you're just losing one bit of randomness. How much could that hurt? But in other contexts, such as losing one bit of randomness in an AES key, people do worry about such losses.
The bits in the prime factors of an RSA modulus do not correspond directly to bits of security. A 2048-bit modulus, the product of two 1024-bit primes, has about 112 bits of security. (See NIST SP 800-57.) You could set several bits in your prime factors before losing a bit of security. If this bothers you, move up to using a 3072-bit modulus rather than worrying that you 2048-bit modulus is in a sense a 2046-bit modulus.
More cryptography posts- Security by obscurity
- RNG, PRNG, and CSPRNG
- Public key fingerprints
- Homomorphic encryption
- Breach safe harbor