Safe and Sophie Germain primes

The first few Sophie Germain primes (those less than 1000) are :2, 3, 5, 11, 23, 29, 41, 53, 83, 89, 113, 131, 173, 179, 191, 233, 239, 251, 281, 293, 359, 419, 431, 443, 491, 509, 593, 641, 653, 659, 683, 719, 743, 761, 809, 911, 953, ... Hence, the first few safe primes are :5, 7, 11, 23, 47, 59, 83, 107, 167, 179, 227, 263, 347, 359, 383, 467, 479, 503, 563, 587, 719, 839, 863, 887, 983, 1019, 1187, 1283, 1307, 1319, 1367, 1439, 1487, 1523, 1619, 1823, 1907, ... In cryptography, much larger Sophie Germain primes like 1,846,389,521,368 + 11600 are required. Two distributed computing projects, PrimeGrid and Twin Prime Search, include searches for large Sophie Germain primes. Some of the largest known Sophie Germain primes are given in the following table. On 2 Dec 2019, Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann announced the computation of a discrete logarithm modulo the 240-digit (795 bit) prime RSA-240 + 49204 (the first safe prime above RSA-240) using a number field sieve algorithm; see Discrete logarithm records. ==Properties==

There is no special primality test for safe primes, the way there is for Fermat primes and Mersenne primes. However, Pocklington's criterion can be used to prove the primality of 2p + 1 once one has proven the primality of p. Just as every term except the last one of a Cunningham chain of the first kind is a Sophie Germain prime, so every term except the first of such a chain is a safe prime. Safe primes ending in 7, that is, of the form 10n + 7, are the last terms in such chains when they occur, since 2(10n + 7) + 1 = 20n + 15 is divisible by 5. For a safe prime, every quadratic nonresidue, except −1 (if nonresidue), is a primitive root. It follows that for a safe prime, the least positive primitive root is a prime number. Modular restrictions With the exception of 7, a safe prime q is of the form 6k − 1 or, equivalently, q ≡ 5 (mod 6) – as is p > 3. Similarly, with the exception of 5, a safe prime q is of the form 4k − 1 or, equivalently, q ≡ 3 (mod 4) — trivially true since (q − 1) / 2 must evaluate to an odd natural number. Combining both forms using lcm(6, 4) we determine that a safe prime q > 7 also must be of the form 12k − 1 or, equivalently, q ≡ 11 (mod 12). It follows that, for any safe prime q > 7: • both 3 and 12 are quadratic residues mod q (per law of quadratic reciprocity) • neither 3 nor 12 is a primitive root of q • the only safe primes that are also full reptend primes in base 12 are 5 and 7 • q divides 3(q−1)/2 − 1 and 12(q−1)/2 − 1, same as 3(q−1)/2 ≡ 1 mod q and 12(q−1)/2 ≡ 1 mod q (per Euler's criterion) • q − 3, q − 4, q − 9, q − 12 are quadratic nonresidues • q − 3, q − 4, q − 9, and, for q > 11, q − 12 are primitive roots If p is a Sophie Germain prime greater than 3, then p must be congruent to 2 mod 3. For, if not, it would be congruent to 1 mod 3 and 2p + 1 would be congruent to 3 mod 3, impossible for a prime number. Similar restrictions hold for larger prime moduli, and are the basis for the choice of the "correction factor" 2C in the Hardy–Littlewood estimate on the density of the Sophie Germain primes. It can be used to generate the largest Mersenne numbers (with prime indices) that are known to be composite. ==Infinitude and density==

It is conjectured that there are infinitely many Sophie Germain primes, but this has not been proven. Several other famous conjectures in number theory generalize this and the twin prime conjecture; they include Dickson's conjecture, Schinzel's hypothesis H, and the Bateman–Horn conjecture. A heuristic estimate for the number of Sophie Germain primes less than n is A sequence (p, 2p + 1, 2(2p + 1) + 1, ...) in which all of the numbers are prime is called a Cunningham chain of the first kind. Every term of such a sequence except the last is a Sophie Germain prime, and every term except the first is a safe prime. Extending the conjecture that there exist infinitely many Sophie Germain primes, it has also been conjectured that arbitrarily long Cunningham chains exist, although infinite chains are known to be impossible. ==Strong primes==

A prime number q is a strong prime if and both have some large (around 500 digits) prime factors. For a safe prime , the number naturally has a large prime factor, namely p, and so a safe prime q meets part of the criteria for being a strong prime. The running times of some methods of factoring a number with q as a prime factor depend partly on the size of the prime factors of . This is true, for instance, of the p − 1 method. ==Applications==

Cryptography Safe primes are also important in cryptography because of their use in discrete logarithm-based techniques like Diffie–Hellman key exchange. If is a safe prime, the multiplicative group of integers modulo has a subgroup of large prime order. It is usually this prime-order subgroup that is desirable, and the reason for using safe primes is so that the modulus is as small as possible relative to p. A prime number p = 2q + 1 is called a safe prime if q is prime. Thus, p = 2q + 1 is a safe prime if and only if q is a Sophie Germain prime, so finding safe primes and finding Sophie Germain primes are equivalent in computational difficulty. The notion of a safe prime can be strengthened to a strong prime, for which both p − 1 and p + 1 have large prime factors. Safe and strong primes were useful as the factors of secret keys in the RSA cryptosystem, because they prevent the system being broken by some factorization algorithms such as Pollard's p − 1 algorithm. However, with the current factorization technology, the advantage of using safe and strong primes appears to be negligible. Similar issues apply in other cryptosystems as well, including Diffie–Hellman key exchange and similar systems that depend on the security of the discrete logarithm problem rather than on integer factorization. For this reason, key generation protocols for these methods often rely on efficient algorithms for generating strong primes, which in turn rely on the conjecture that these primes have a sufficiently high density. In Sophie Germain Counter Mode, it was proposed to use the arithmetic in the finite field of order equal to the safe prime 2128 + 12451, to counter weaknesses in Galois/Counter Mode using the binary finite field GF(2128). However, SGCM has been shown to be vulnerable to many of the same cryptographic attacks as GCM. Primality testing In the first version of the AKS primality test paper, a conjecture about Sophie Germain primes is used to lower the worst-case complexity from to . A later version of the paper is shown to have time complexity which can also be lowered to using the conjecture. Later variants of AKS have been proven to have complexity of without any conjectures or use of Sophie Germain primes. Pseudorandom number generation Safe primes obeying certain congruences can be used to generate pseudo-random numbers of use in Monte Carlo simulation. Similarly, Sophie Germain primes may be used in the generation of pseudo-random numbers. The decimal expansion of 1/q will produce a stream of q − 1 pseudo-random digits, if q is the safe prime of a Sophie Germain prime p, with p congruent to 3, 9, or 11 modulo 20. Thus "suitable" prime numbers q are 7, 23, 47, 59, 167, 179, etc. () (corresponding to p = 3, 11, 23, 29, 83, 89, etc.) (). The result is a stream of length q − 1 digits (including leading zeros). So, for example, using q = 23 generates the pseudo-random digits 0, 4, 3, 4, 7, 8, 2, 6, 0, 8, 6, 9, 5, 6, 5, 2, 1, 7, 3, 9, 1, 3. Note that these digits are not appropriate for cryptographic purposes, as the value of each can be derived from its predecessor in the digit-stream. ==In popular culture==

Sophie Germain primes are mentioned in the stage play Proof and the subsequent film. ==Notes==