我个人对此了解不多,但我通过OpenSSL 源代码快速 grep,它提到了联邦信息处理标准出版物 186作为实现所依据的文档。
Saying that q divides p-1 is the same as saying that p ≡ 1 mod q.
The FIPS method essentially shifts and adds successive hash outputs to build a pseudorandom chunk of the correct size, and then subtracts a remainder such that p ≡ 1 mod 2q, and finally tests for primality. The only 'real' entropy in the process is the random seed.
Note also that the old FIPS-186 above is 'hardcoded' for 160 bit q
If you have plenty of entropy you can just as easily get a chunk of random from a good source, set the top and bottom bits to 1, subtract ((p mod q)-1) then test that for primality.
我不认为这是对的。如果您可以分解 p-1,那么您可以轻松分解公钥,这真的很糟糕。
通常的密钥生成需要两个相同位长的大素数 p 和 q;它们的乘积 n=pq 成为密码系统的模数。n 的总和计算为 phi(pq)=(p-1)(q-1)。然后选择两个密钥,加密密钥 e 和解密密钥 d,使得 de ≡ 1 (mod phi(pq)) 和 gcd(e, phi(pq)) = 1。E 必须是奇数,经常被选择为be prime 强制条件是它与 totient 互质,并且通常相当小;e=2^16+1=65537 很常见。
我在我的博客上为 RSA 编写了代码,包括密钥生成。