Use of BigInteger.isProbablePrime() to generate cryptographically secure primes

问题

Can you use BigInteger.isProbablePrime() to generate cryptographically secure primes? What certainty is necessary for them to be "secure"?

回答1:

I do not hold a degree in crypto, so take this with a grain of salt.

You have two major areas of concern here:

1. Your primes need to be unpredictably random. This means that you need to use a source such as SecureRandom to generate your primes. No matter how sure of your primality, if they are predictable, the entire cryptosystem fails to meet its goal. If you are using the BigInteger(int bitLength, int certainty, Random rnd) constructor, you can pass in your SecureRandom as it subclasses Random.

2. Your potential primes need to be reasonably certain of being primes (I'm assuming that you are using an algorithm that relies on the hardness of factoring). If you get a probable prime, but an attacker can, with a good probability, factor it within 5 minutes because it had a factor that never got noticed by the primality test you ran, you are somewhat out of luck with your algorithm. Rabin-Miller is generally used, and this answer states that a certainty of 15 is sufficient for 32-bit integers. A value up to 40 is recommended, and anything beyond that is meaningless.

回答2:

this is the way i generated a secure BigInteger for my cryptographic application.

Here's my code:

        BigInteger b = new BigInteger(25, new SecureRandom());

Since you also need it for a crypto application, in my opinion, getting a BigInteger is this way is right. Note: Remember that SecureRandom objects are preformance-wise costly. So You should not initialize them many times.

After reading comments, it worked out further Here's a way which assures you more certainity of getting a prime number.

 BigInteger b =BigInteger.probablePrime(25, new SecureRandom(););

回答3:

As @hexafraction says, you need to use SecureRandom() to generate a cryptographic quality random number. The Javadoc says that the generated prime is 2^-100 secure. If you want more security (say to 2^-128 for AES equivalent security) then run more iterations of the Miller-Rabin test on it. Each iteration gives you an extra 2^-2 security, so fourteen iterations would get you to 2^-128.

来源：https://stackoverflow.com/questions/23144236/use-of-biginteger-isprobableprime-to-generate-cryptographically-secure-primes