Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.

BN_generate_prime(3)                OpenSSL               BN_generate_prime(3)

       BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex,
       BN_GENCB_call, BN_GENCB_new, BN_GENCB_free, BN_GENCB_set_old,
       BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime, BN_is_prime,
       BN_is_prime_fasttest - generate primes and test for primality

       libcrypto, -lcrypto

        #include <openssl/bn.h>

        int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
                                 const BIGNUM *rem, BN_GENCB *cb);

        int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);

        int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
                                    int do_trial_division, BN_GENCB *cb);

        int BN_GENCB_call(BN_GENCB *cb, int a, int b);

        BN_GENCB *BN_GENCB_new(void);

        void BN_GENCB_free(BN_GENCB *cb);

        void BN_GENCB_set_old(BN_GENCB *gencb,
                              void (*callback)(int, int, void *), void *cb_arg);

        void BN_GENCB_set(BN_GENCB *gencb,
                          int (*callback)(int, int, BN_GENCB *), void *cb_arg);

        void *BN_GENCB_get_arg(BN_GENCB *cb);


        #if OPENSSL_API_COMPAT < 0x00908000L
        BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
                                  BIGNUM *rem, void (*callback)(int, int, void *),
                                  void *cb_arg);

        int BN_is_prime(const BIGNUM *a, int checks,
                        void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);

        int BN_is_prime_fasttest(const BIGNUM *a, int checks,
                                 void (*callback)(int, int, void *), BN_CTX *ctx,
                                 void *cb_arg, int do_trial_division);

       BN_generate_prime_ex() generates a pseudo-random prime number of at
       least bit length bits. The returned number is probably prime with a
       negligible error. If add is NULL the returned prime number will have
       exact bit length bits with the top most two bits set.

       If ret is not NULL, it will be used to store the number.

       If cb is not NULL, it is used as follows:

       ⊕ BN_GENCB_call(cb, 0, i) is called after generating the i-th potential
         prime number.

       ⊕ While the number is being tested for primality, BN_GENCB_call(cb, 1,
         j) is called as described below.

       ⊕ When a prime has been found, BN_GENCB_call(cb, 2, i) is called.

       ⊕ The callers of BN_generate_prime_ex() may call BN_GENCB_call(cb, i,
         j) with other values as described in their respective man pages; see
         "SEE ALSO".

       The prime may have to fulfill additional requirements for use in
       Diffie-Hellman key exchange:

       If add is not NULL, the prime will fulfill the condition p % add == rem
       (p % add == 1 if rem == NULL) in order to suit a given generator.

       If safe is true, it will be a safe prime (i.e. a prime p so that
       (p-1)/2 is also prime). If safe is true, and rem == NULL the condition
       will be p % add == 3.  It is recommended that add is a multiple of 4.

       The random generator must be seeded prior to calling
       BN_generate_prime_ex().  If the automatic seeding or reseeding of the
       OpenSSL CSPRNG fails due to external circumstances (see RAND(7)), the
       operation will fail.

       BN_is_prime_ex() and BN_is_prime_fasttest_ex() test if the number p is
       prime.  The following tests are performed until one of them shows that
       p is composite; if p passes all these tests, it is considered prime.

       BN_is_prime_fasttest_ex(), when called with do_trial_division == 1,
       first attempts trial division by a number of small primes; if no
       divisors are found by this test and cb is not NULL, BN_GENCB_call(cb,
       1, -1) is called.  If do_trial_division == 0, this test is skipped.

       Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-
       Rabin probabilistic primality test with nchecks iterations. If nchecks
       == BN_prime_checks, a number of iterations is used that yields a false
       positive rate of at most 2^-64 for random input.  The error rate
       depends on the size of the prime and goes down for bigger primes.  The
       rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080
       bits, 2^-192 at 3747 bits and 2^-256 at 6394 bits.

       When the source of the prime is not random or not trusted, the number
       of checks needs to be much higher to reach the same level of assurance:
       It should equal half of the targeted security level in bits (rounded up
       to the next integer if necessary).  For instance, to reach the 128 bit
       security level, nchecks should be set to 64.

       If cb is not NULL, BN_GENCB_call(cb, 1, j) is called after the j-th
       iteration (j = 0, 1, ...). ctx is a preallocated BN_CTX (to save the
       overhead of allocating and freeing the structure in a loop), or NULL.

       BN_GENCB_call() calls the callback function held in the BN_GENCB
       structure and passes the ints a and b as arguments. There are two types
       of BN_GENCB structure that are supported: "new" style and "old" style.
       New programs should prefer the "new" style, whilst the "old" style is
       provided for backwards compatibility purposes.

       A BN_GENCB structure should be created through a call to
       BN_GENCB_new(), and freed through a call to BN_GENCB_free().

       For "new" style callbacks a BN_GENCB structure should be initialised
       with a call to BN_GENCB_set(), where gencb is a BN_GENCB *, callback is
       of type int (*callback)(int, int, BN_GENCB *) and cb_arg is a void *.
       "Old" style callbacks are the same except they are initialised with a
       call to BN_GENCB_set_old() and callback is of type void
       (*callback)(int, int, void *).

       A callback is invoked through a call to BN_GENCB_call. This will check
       the type of the callback and will invoke callback(a, b, gencb) for new
       style callbacks or callback(a, b, cb_arg) for old style.

       It is possible to obtain the argument associated with a BN_GENCB
       structure (set via a call to BN_GENCB_set or BN_GENCB_set_old) using

       BN_generate_prime() (deprecated) works in the same way as
       BN_generate_prime_ex() but expects an old-style callback function
       directly in the callback parameter, and an argument to pass to it in
       the cb_arg. BN_is_prime() and BN_is_prime_fasttest() can similarly be
       compared to BN_is_prime_ex() and BN_is_prime_fasttest_ex(),

       BN_generate_prime_ex() return 1 on success or 0 on error.

       BN_is_prime_ex(), BN_is_prime_fasttest_ex(), BN_is_prime() and
       BN_is_prime_fasttest() return 0 if the number is composite, 1 if it is
       prime with an error probability of less than 0.25^nchecks, and -1 on

       BN_generate_prime() returns the prime number on success, NULL

       BN_GENCB_new returns a pointer to a BN_GENCB structure on success, or
       NULL otherwise.

       BN_GENCB_get_arg returns the argument previously associated with a
       BN_GENCB structure.

       Callback functions should return 1 on success or 0 on error.

       The error codes can be obtained by ERR_get_error(3).

       As of OpenSSL 1.1.0 it is no longer possible to create a BN_GENCB
       structure directly, as in:

        BN_GENCB callback;

       Instead applications should create a BN_GENCB structure using

        BN_GENCB *callback;
        callback = BN_GENCB_new();
        if (!callback)
            /* error */

       DH_generate_parameters(3), DSA_generate_parameters(3),
       RSA_generate_key(3), ERR_get_error(3), RAND_bytes(3), RAND(7)

       The BN_GENCB_new(), BN_GENCB_free(), and BN_GENCB_get_arg() functions
       were added in OpenSSL 1.1.0.

       Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at

1.1.1i                            2020-12-10              BN_generate_prime(3)