transcrypto 1.2.0__py3-none-any.whl → 1.4.0__py3-none-any.whl

transcrypto/dsa.py

@@ -12,26 +12,31 @@ In the future we will design a proper DSA+Hash implementation.
 
 from __future__ import annotations
 
+import concurrent.futures
 import dataclasses
 import logging
+import multiprocessing
+import os
 # import pdb
 from typing import Self
 
-from . import base, modmath
+import gmpy2  # type:ignore
+
+from . import base, constants, modmath
 
 __author__ = 'balparda@github.com'
 __version__: str = base.__version__  # version comes from base!
 __version_tuple__: tuple[int, ...] = base.__version_tuple__
 
 
-_PRIME_MULTIPLE_SEARCH = 4096  # how many multiples of q to try before restarting
 _MAX_KEY_GENERATION_FAILURES = 15
 
 # fixed prefixes: do NOT ever change! will break all encryption and signature schemes
 _DSA_SIGNATURE_HASH_PREFIX = b'transcrypto.DSA.Signature.1.0\x00'
 
 
-def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
+def NBitRandomDSAPrimes(
+    p_bits: int, q_bits: int, /, *, serial: bool = True) -> tuple[int, int, int]:
   """Generates 2 random DSA primes p & q with `x_bits` size and (p-1)%q==0.
 
   Uses an aggressive small-prime wheel sieve:
@@ -41,10 +46,29 @@ def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
     m_forbidden ≡ -q⁻¹ (mod r) (because (m·q + 1) % r == 0 ⇔ m ≡ -q⁻¹ (mod r))
   • When we iterate m, we skip values that hit any forbidden residue class.
 
+  Method will decide if executes on one thread or many.
+
+  $ poetry run profiler -s -n 100 -b 1000,11000,1000 -c 98 dsa  # single-thread, Mac M2 Max, 2025
+  1000 → 101.069 ms ± 19.714 ms [81.354 ms … 120.783 ms]98%CI@100
+  2000 → 471.038 ms ± 98.810 ms [372.229 ms … 569.848 ms]98%CI@100
+  3000 → 1.45 s ± 253.462 ms [1.20 s … 1.70 s]98%CI@100
+  4000 → 3.09 s ± 592.267 ms [2.50 s … 3.69 s]98%CI@100
+  5000 → 5.52 s ± 1.22 s [4.30 s … 6.74 s]98%CI@100
+  6000 → 8.33 s ± 2.02 s [6.31 s … 10.35 s]98%CI@100
+  7000 → 15.76 s ± 3.55 s [12.21 s … 19.31 s]98%CI@100
+  8000 → 25.66 s ± 6.66 s [18.99 s … 32.32 s]98%CI@100
+  9000 → 35.02 s ± 8.68 s [26.34 s … 43.70 s]98%CI@100
+  10000 → 1.01 min ± 13.64 s [47.13 s … 1.24 min]98%CI@100
+
+  Rule of thumb: double the bits requires ~10x execution time
+
   Args:
     p_bits (int): Number of guaranteed bits in `p` prime representation,
         p_bits ≥ q_bits + 11
     q_bits (int): Number of guaranteed bits in `q` prime representation, ≥ 11
+    serial (bool, optional): True (default) will force one thread; False will allow parallelism;
+       we have temporarily disabled parallelism with a default of True because it is not making
+       things faster...
 
   Returns:
     random primes tuple (p, q, m), with p-1 a random multiple m of q, such
@@ -59,14 +83,59 @@ def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
   if p_bits < q_bits + 11:
     raise base.InputError(f'invalid p_bits length: {p_bits=}')
   # make q
-  q: int = modmath.NBitRandomPrime(q_bits)
+  q: int = modmath.NBitRandomPrimes(q_bits).pop()
+  # get number of CPUs and decide if we do parallel or not
+  n_workers: int = min(4, os.cpu_count() or 1)
+  pr: int | None = None
+  m: int | None = None
+  if serial or n_workers <= 1 or p_bits < 200:
+    # do one worker
+    while pr is None or m is None or pr.bit_length() != p_bits:
+      pr, m = _PrimePSearchShard(q, p_bits)
+    return (pr, q, m)
+  # parallel: keep a small pool of bounded shards; stop on first hit
+  multiprocessing.set_start_method('fork', force=True)
+  with concurrent.futures.ProcessPoolExecutor(max_workers=n_workers) as pool:
+    workers: set[concurrent.futures.Future[tuple[int | None, int | None]]] = {
+        pool.submit(_PrimePSearchShard, q, p_bits) for _ in range(n_workers)}
+    while workers:
+      done: set[concurrent.futures.Future[tuple[int | None, int | None]]] = concurrent.futures.wait(
+          workers, return_when=concurrent.futures.FIRST_COMPLETED)[0]
+      for worker in done:
+        workers.remove(worker)
+        pr, m = worker.result()
+        if pr is not None and m is not None and pr.bit_length() == p_bits:
+          return (pr, q, m)
+        # no hit in that shard: keep the pool full with a fresh shard
+        workers.add(pool.submit(_PrimePSearchShard, q, p_bits))  # pragma: no cover
+  # can never reach this point, but leave this here; remove line from coverage
+  raise base.Error(f'could not find prime with {p_bits=}/{q_bits=} bits')  # pragma: no cover
+
+
+def _PrimePSearchShard(q: int, p_bits: int) -> tuple[int | None, int | None]:
+  """Search for a `p_bits` random prime, starting from a random point, for ~6× expected prime gap.
+
+  Args:
+    q (int): Prime `q` for DSA
+    p_bits (int): Number of guaranteed bits in prime `p` representation
+
+  Returns:
+    tuple[int | None, int | None]: either the prime `p` and multiple `m` or None if no prime found
+  """
+  q_bits: int = q.bit_length()
+  shard_len: int = max(2000, 6 * int(0.693 * p_bits))  # ~6× expected prime gap ~2^k (≈ 0.693*k)
+  # find range of multiples to use
+  min_p: int = 2 ** (p_bits - 1)
+  max_p: int = 2 ** p_bits - 1
+  min_m: int = min_p // q + 2
+  max_m: int = max_p // q - 2
+  assert max_m - min_m > 1000  # make sure we'll have options!
   # make list of small primes to use for sieving
   approx_q_root: int = 1 << (q_bits // 2)
-  forbidden: dict[int, int] = {}  # (modulus: forbidden residue)
-  for r in modmath.PrimeGenerator(3):
-    forbidden[r] = (-modmath.ModInv(q % r, r)) % r
-    if r > 100000 or r > approx_q_root:
-      break
+  pr: int
+  forbidden: dict[int, int] = {  # (modulus: forbidden residue)
+      pr: ((-modmath.ModInv(q % pr, pr)) % pr)
+      for pr in constants.FIRST_5K_PRIMES_SORTED[1:min(1000, approx_q_root)]}  # skip pr==2
 
   def _PassesSieve(m: int) -> bool:
     for r, f in forbidden.items():
@@ -74,35 +143,23 @@ def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
         return False
     return True
 
-  # find range of multiples to use
-  min_p, max_p = 2 ** (p_bits - 1), 2 ** p_bits - 1
-  min_m, max_m = min_p // q + 2, max_p // q - 2
-  assert max_m - min_m > 1000  # make sure we'll have options!
-  # start searching from a random multiple
-  failures: int = 0
-  window: int = max(_PRIME_MULTIPLE_SEARCH, 2 * p_bits)
-  while True:
-    # try searching starting here
-    m: int = base.RandInt(min_m, max_m)
-    if m % 2:
-      m += 1  # make even
-    for _ in range(window):
-      p: int = q * m + 1
-      if p >= max_p:
-        break
-      # first do a quick sieve test
-      if not _PassesSieve(m):
-        m += 2
-        continue
-      # passed sieve, do full test
-      if modmath.IsPrime(p):
-        return (p, q, m)  # found a suitable prime set!
-      m += 2  # next multiple
-    # after _PRIME_MULTIPLE_SEARCH we declare this range failed
-    failures += 1
-    if failures >= _MAX_KEY_GENERATION_FAILURES:
-      raise base.CryptoError(f'failed primes generation {failures} times')
-    logging.warning(f'failed primes search: {failures}')
+  # try searching starting here
+  m: int = base.RandInt(min_m, max_m)
+  if m % 2:
+    m += 1  # make even
+  count: int = 0
+  pr = 0
+  while count < shard_len:
+    pr = q * m + 1
+    if pr > max_p:
+      break
+    # first do a quick sieve test
+    if _PassesSieve(m):
+      if modmath.IsPrime(pr):  # passed sieve, do full test
+        return (pr, m)  # found a suitable prime set!
+    count += 1
+    m += 2  # next even number
+  return (None, None)
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
@@ -203,7 +260,7 @@ class DSASharedPublicKey(base.CryptoKey):
     g: int = 0
     while g < 2:
       h: int = base.RandBits(p_bits - 1)
-      g = modmath.ModExp(h, m, p)
+      g = int(gmpy2.powmod(h, m, p))  # type:ignore  # pylint:disable=no-member
     return cls(prime_modulus=p, prime_seed=q, group_base=g)
 
 
@@ -278,10 +335,10 @@ class DSAPublicKey(DSASharedPublicKey, base.Verifier):
       raise base.InputError(f'invalid signature: {signature=}')
     # verify
     inv: int = modmath.ModInv(signature[1], self.prime_seed)
-    a: int = modmath.ModExp(
-        self.group_base, (message * inv) % self.prime_seed, self.prime_modulus)
-    b: int = modmath.ModExp(
-        self.individual_base, (signature[0] * inv) % self.prime_seed, self.prime_modulus)
+    a: int = int(gmpy2.powmod(  # type:ignore  # pylint:disable=no-member
+        self.group_base, (message * inv) % self.prime_seed, self.prime_modulus))
+    b: int = int(gmpy2.powmod(  # type:ignore  # pylint:disable=no-member
+        self.individual_base, (signature[0] * inv) % self.prime_seed, self.prime_modulus))
     return ((a * b) % self.prime_modulus) % self.prime_seed == signature[0]
 
   def Verify(
@@ -353,8 +410,7 @@ class DSAPrivateKey(DSAPublicKey, base.Signer):  # pylint: disable=too-many-ance
     if (not 2 < self.decrypt_exp < self.prime_seed or
         self.decrypt_exp in (self.group_base, self.individual_base)):
       raise base.InputError(f'invalid decrypt_exp: {self}')
-    if modmath.ModExp(
-        self.group_base, self.decrypt_exp, self.prime_modulus) != self.individual_base:
+    if gmpy2.powmod(self.group_base, self.decrypt_exp, self.prime_modulus) != self.individual_base:  # type:ignore  # pylint:disable=no-member
       raise base.CryptoError(f'inconsistent g**d % p == i: {self}')
 
   def __str__(self) -> str:
@@ -387,10 +443,11 @@ class DSAPrivateKey(DSAPublicKey, base.Signer):  # pylint: disable=too-many-ance
     if not 0 < message < self.prime_seed:
       raise base.InputError(f'invalid message: {message=}')
     # sign
-    a, b = 0, 0
+    a: int = 0
+    b: int = 0
     while a < 2 or b < 2:
       ephemeral_key, ephemeral_inv = self._MakeEphemeralKey()
-      a = modmath.ModExp(self.group_base, ephemeral_key, self.prime_modulus) % self.prime_seed
+      a = int(gmpy2.powmod(self.group_base, ephemeral_key, self.prime_modulus) % self.prime_seed)  # type:ignore  # pylint:disable=no-member
       b = (ephemeral_inv * ((message + a * self.decrypt_exp) % self.prime_seed)) % self.prime_seed
     return (a, b)
 
@@ -460,8 +517,8 @@ class DSAPrivateKey(DSAPublicKey, base.Signer):  # pylint: disable=too-many-ance
             prime_modulus=shared_key.prime_modulus,
             prime_seed=shared_key.prime_seed,
             group_base=shared_key.group_base,
-            individual_base=modmath.ModExp(
-                shared_key.group_base, decrypt_exp, shared_key.prime_modulus),
+            individual_base=int(gmpy2.powmod(  # type:ignore  # pylint:disable=no-member
+                shared_key.group_base, decrypt_exp, shared_key.prime_modulus)),
             decrypt_exp=decrypt_exp)
       except base.InputError as err:
         failures += 1

transcrypto/elgamal.py

@@ -23,6 +23,8 @@ import logging
 # import pdb
 from typing import Self
 
+import gmpy2  # type:ignore
+
 from . import base, modmath, aes
 
 __author__ = 'balparda@github.com'
@@ -122,7 +124,7 @@ class ElGamalSharedPublicKey(base.CryptoKey):
     if bit_length < 11:
       raise base.InputError(f'invalid bit length: {bit_length=}')
     # generate random prime and number, create object (should never fail)
-    p: int = modmath.NBitRandomPrime(bit_length)
+    p: int = modmath.NBitRandomPrimes(bit_length).pop()
     g: int = 0
     while not 2 < g < p - 1:
       g = base.RandBits(bit_length)
@@ -203,8 +205,8 @@ class ElGamalPublicKey(ElGamalSharedPublicKey, base.Encryptor, base.Verifier):
     b: int = 0
     while a < 2 or b < 2:
       ephemeral_key: int = self._MakeEphemeralKey()[0]
-      a = modmath.ModExp(self.group_base, ephemeral_key, self.prime_modulus)
-      s: int = modmath.ModExp(self.individual_base, ephemeral_key, self.prime_modulus)
+      a = int(gmpy2.powmod(self.group_base, ephemeral_key, self.prime_modulus))            # type:ignore  # pylint:disable=no-member
+      s: int = int(gmpy2.powmod(self.individual_base, ephemeral_key, self.prime_modulus))  # type:ignore  # pylint:disable=no-member
       b = (message * s) % self.prime_modulus
     return (a, b)
 
@@ -278,9 +280,9 @@ class ElGamalPublicKey(ElGamalSharedPublicKey, base.Encryptor, base.Verifier):
         not 2 <= signature[1] < self.prime_modulus - 1):
       raise base.InputError(f'invalid signature: {signature=}')
     # verify
-    a: int = modmath.ModExp(self.group_base, message, self.prime_modulus)
-    b: int = modmath.ModExp(signature[0], signature[1], self.prime_modulus)
-    c: int = modmath.ModExp(self.individual_base, signature[0], self.prime_modulus)
+    a: int = int(gmpy2.powmod(self.group_base, message, self.prime_modulus))            # type:ignore  # pylint:disable=no-member
+    b: int = int(gmpy2.powmod(signature[0], signature[1], self.prime_modulus))          # type:ignore  # pylint:disable=no-member
+    c: int = int(gmpy2.powmod(self.individual_base, signature[0], self.prime_modulus))  # type:ignore  # pylint:disable=no-member
     return a == (b * c) % self.prime_modulus
 
   def Verify(
@@ -351,8 +353,7 @@ class ElGamalPrivateKey(ElGamalPublicKey, base.Decryptor, base.Signer):  # pylin
     if (not 2 < self.decrypt_exp < self.prime_modulus - 1 or
         self.decrypt_exp in (self.group_base, self.individual_base)):
       raise base.InputError(f'invalid decrypt_exp: {self}')
-    if modmath.ModExp(
-        self.group_base, self.decrypt_exp, self.prime_modulus) != self.individual_base:
+    if gmpy2.powmod(self.group_base, self.decrypt_exp, self.prime_modulus) != self.individual_base:  # type:ignore  # pylint:disable=no-member
       raise base.CryptoError(f'inconsistent g**e % p == i: {self}')
 
   def __str__(self) -> str:
@@ -385,8 +386,8 @@ class ElGamalPrivateKey(ElGamalPublicKey, base.Decryptor, base.Signer):  # pylin
         not 2 <= ciphertext[1] < self.prime_modulus):
       raise base.InputError(f'invalid message: {ciphertext=}')
     # decrypt
-    csi: int = modmath.ModExp(
-        ciphertext[0], self.prime_modulus - 1 - self.decrypt_exp, self.prime_modulus)
+    csi: int = int(
+        gmpy2.powmod(ciphertext[0], self.prime_modulus - 1 - self.decrypt_exp, self.prime_modulus))  # type:ignore  # pylint:disable=no-member
     return (ciphertext[1] * csi) % self.prime_modulus
 
   def Decrypt(self, ciphertext: bytes, /, *, associated_data: bytes | None = None) -> bytes:
@@ -450,7 +451,7 @@ class ElGamalPrivateKey(ElGamalPublicKey, base.Decryptor, base.Signer):  # pylin
     p_1: int = self.prime_modulus - 1
     while a < 2 or b < 2:
       ephemeral_key, ephemeral_inv = self._MakeEphemeralKey()
-      a = modmath.ModExp(self.group_base, ephemeral_key, self.prime_modulus)
+      a = int(gmpy2.powmod(self.group_base, ephemeral_key, self.prime_modulus))  # type:ignore  # pylint:disable=no-member
       b = (ephemeral_inv * ((message - a * self.decrypt_exp) % p_1)) % p_1
     return (a, b)
 
@@ -519,8 +520,8 @@ class ElGamalPrivateKey(ElGamalPublicKey, base.Decryptor, base.Signer):  # pylin
         return cls(
             prime_modulus=shared_key.prime_modulus,
             group_base=shared_key.group_base,
-            individual_base=modmath.ModExp(
-                shared_key.group_base, decrypt_exp, shared_key.prime_modulus),
+            individual_base=int(gmpy2.powmod(  # type:ignore  # pylint:disable=no-member
+                shared_key.group_base, decrypt_exp, shared_key.prime_modulus)),
             decrypt_exp=decrypt_exp)
       except base.InputError as err:
         failures += 1

transcrypto/modmath.py

@@ -6,39 +6,22 @@
 
 from __future__ import annotations
 
+import concurrent.futures
 import math
+import multiprocessing
+import os
 # import pdb
 from typing import Generator, Reversible
 
-from . import base
+import gmpy2  # type:ignore
+
+from . import base, constants
 
 __author__ = 'balparda@github.com'
 __version__: str = base.__version__  # version comes from base!
 __version_tuple__: tuple[int, ...] = base.__version_tuple__
 
 
-_FIRST_60_PRIMES: set[int] = {
-    2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
-    31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
-    73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
-    127, 131, 137, 139, 149, 151, 157, 163, 167, 173,
-    179, 181, 191, 193, 197, 199, 211, 223, 227, 229,
-    233, 239, 241, 251, 257, 263, 269, 271, 277, 281,
-}
-_FIRST_60_PRIMES_SORTED: list[int] = sorted(_FIRST_60_PRIMES)
-_COMPOSITE_60: int = math.prod(_FIRST_60_PRIMES_SORTED)
-_PRIME_60: int = _FIRST_60_PRIMES_SORTED[-1]
-assert len(_FIRST_60_PRIMES) == 60 and _PRIME_60 == 281, f'should never happen: {_PRIME_60=}'
-_FIRST_49_MERSENNE: set[int] = {  # <https://oeis.org/A000043>
-    2, 3, 5, 7, 13, 17, 19, 31, 61, 89,
-    107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423,
-    9689, 9941, 11213, 19937, 21701, 23209, 44497, 86243, 110503, 132049,
-    216091, 756839, 859433, 1257787, 1398269, 2976221, 3021377, 6972593, 13466917, 20996011,
-    24036583, 25964951, 30402457, 32582657, 37156667, 42643801, 43112609, 57885161, 74207281,
-}
-_FIRST_49_MERSENNE_SORTED: list[int] = sorted(_FIRST_49_MERSENNE)
-assert len(_FIRST_49_MERSENNE) == 49 and _FIRST_49_MERSENNE_SORTED[-1] == 74207281, f'should never happen: {_FIRST_49_MERSENNE_SORTED[-1]}'
-
 _MAX_PRIMALITY_SAFETY = 100  # this is an absurd number, just to have a max
 
 
@@ -176,6 +159,7 @@ def ModExp(x: int, y: int, m: int, /) -> int:
     return x
   # now both x > 1 and y > 1
   z: int = 1
+  odd: int
   while y:
     y, odd = divmod(y, 2)
     if odd:
@@ -316,7 +300,7 @@ def FermatIsPrime(n: int, /, *, safety: int = 10, witnesses: set[int] | None = N
   for w in sorted(witnesses):
     if not 2 <= w <= (n - 2):
       raise base.InputError(f'out of bounds witness: 2 ≤ {w=} ≤ {n - 2}')
-    if ModExp(w, n - 1, n) != 1:
+    if gmpy2.powmod(w, n - 1, n) != 1:  # type:ignore  # pylint:disable=no-member
       # number is proved to be composite
       return False
   # we declare the number PROBABLY a prime to the limits of this test
@@ -353,19 +337,19 @@ def _MillerRabinWitnesses(n: int, /) -> set[int]:  # pylint: disable=too-many-re
   if n < 4759123141:
     return {2, 7, 61}                        # "safety" 3, but 100% coverage
   if n < 2152302898747:
-    return set(_FIRST_60_PRIMES_SORTED[:5])   # "safety" 5, but 100% coverage
+    return set(constants.FIRST_5K_PRIMES_SORTED[:5])   # "safety" 5, but 100% coverage
   if n < 341550071728321:
-    return set(_FIRST_60_PRIMES_SORTED[:7])   # "safety" 7, but 100% coverage
-  if n < 18446744073709551616:               # 2 ** 64
-    return set(_FIRST_60_PRIMES_SORTED[:12])  # "safety" 12, but 100% coverage
-  if n < 3317044064679887385961981:          # > 2 ** 81
-    return set(_FIRST_60_PRIMES_SORTED[:13])  # "safety" 13, but 100% coverage
+    return set(constants.FIRST_5K_PRIMES_SORTED[:7])   # "safety" 7, but 100% coverage
+  if n < 18446744073709551616:                         # 2 ** 64
+    return set(constants.FIRST_5K_PRIMES_SORTED[:12])  # "safety" 12, but 100% coverage
+  if n < 3317044064679887385961981:                    # > 2 ** 81
+    return set(constants.FIRST_5K_PRIMES_SORTED[:13])  # "safety" 13, but 100% coverage
   # here n should be greater than 2 ** 81, so safety should be 34 or less
   n_bits: int = n.bit_length()
   assert n_bits >= 82, f'should never happen: {n=} -> {n_bits=}'
   safety: int = int(math.ceil(0.375 + 1.59 / (0.000590 * n_bits))) if n_bits <= 1700 else 2
   assert 1 < safety <= 34, f'should never happen: {n=} -> {n_bits=} ; {safety=}'
-  return set(_FIRST_60_PRIMES_SORTED[:safety])
+  return set(constants.FIRST_5K_PRIMES_SORTED[:safety])
 
 
 def _MillerRabinSR(n: int, /) -> tuple[int, int]:
@@ -427,7 +411,7 @@ def MillerRabinIsPrime(n: int, /, *, witnesses: set[int] | None = None) -> bool:
   for w in sorted(witnesses if witnesses else _MillerRabinWitnesses(n)):
     if not 2 <= w <= (n - 2):
       raise base.InputError(f'out of bounds witness: 2 ≤ {w=} ≤ {n - 2}')
-    x: int = ModExp(w, r, n)
+    x: int = int(gmpy2.powmod(w, r, n))  # type:ignore  # pylint:disable=no-member
     if x not in n_limits:
       for _ in range(s):  # s >= 1 so will execute at least once
         y = (x * x) % n
@@ -452,10 +436,13 @@ def IsPrime(n: int, /) -> bool:
   Raises:
     InputError: invalid inputs
   """
-  # is number divisible by (one of the) first 60 primes? test should eliminate 80%+ of candidates
-  if n > _PRIME_60 and base.GCD(n, _COMPOSITE_60) != 1:
-    return False
-  # do the (more expensive) Miller-Rabin primality test
+  # is number divisible by (one of the) first 20000 primes? test should eliminate 90%+ of candidates
+  if n in constants.FIRST_20K_PRIMES:
+    return True
+  for r in constants.FIRST_20K_PRIMES_SORTED:
+    if not n % r:
+      return False  # we already checked: it is not one of the 20k first primes, so not prime
+  # do the (much much more expensive) Miller-Rabin primality test
   return MillerRabinIsPrime(n)
 
 
@@ -486,18 +473,38 @@ def PrimeGenerator(start: int, /) -> Generator[int, None, None]:
       yield n  # found a prime
 
 
-def NBitRandomPrime(n_bits: int, /) -> int:
+def NBitRandomPrimes(n_bits: int, /, *, serial: bool = True, n_primes: int = 1) -> set[int]:
   """Generates a random prime with (guaranteed) `n_bits` size (i.e., first bit == 1).
 
   The fact that the first bit will be 1 means the entropy is ~ (n_bits-1) and
   because of this we only allow for a byte or more prime bits generated. This drawback
   is negligible for the large primes a crypto library will work with, in practice.
 
+  Method will decide if executes on one thread or many.
+
+  $ poetry run profiler -s -n 100 -b 1000,11000,1000 -c 98 primes  # single-thread, Mac M2 Max, 2025
+  1000 → 84.233 ms ± 18.853 ms [65.380 ms … 103.085 ms]98%CI@100
+  2000 → 406.900 ms ± 91.575 ms [315.325 ms … 498.475 ms]98%CI@100
+  3000 → 1.20 s ± 291.105 ms [907.331 ms … 1.49 s]98%CI@100
+  4000 → 2.42 s ± 490.241 ms [1.93 s … 2.91 s]98%CI@100
+  5000 → 4.78 s ± 1.02 s [3.76 s … 5.80 s]98%CI@100
+  6000 → 7.63 s ± 1.57 s [6.06 s … 9.20 s]98%CI@100
+  7000 → 13.66 s ± 3.00 s [10.66 s … 16.66 s]98%CI@100
+  8000 → 20.71 s ± 5.05 s [15.67 s … 25.76 s]98%CI@100
+  9000 → 33.12 s ± 7.61 s [25.51 s … 40.73 s]98%CI@100
+  10000 → 52.91 s ± 11.73 s [41.18 s … 1.08 min]98%CI@100
+
+  Rule of thumb: double the bits requires ~10x execution time
+
   Args:
     n_bits (int): Number of guaranteed bits in prime representation, n ≥ 8
+    serial (bool, optional): True (default) will force one thread; False will allow parallelism;
+       we have temporarily disabled parallelism with a default of True because it is not making
+       things faster...
+    n_primes (int, optional): Number of required primes in the return set[int], default is 1
 
   Returns:
-    random prime with `n_bits` bits
+    set[int]: `n_primes` random primes with `n_bits` bits
 
   Raises:
     InputError: invalid inputs
@@ -505,11 +512,69 @@ def NBitRandomPrime(n_bits: int, /) -> int:
   # test inputs
   if n_bits < 8:
     raise base.InputError(f'invalid n: {n_bits=}')
-  # get a random number with guaranteed bit size
-  prime: int = 0
-  while prime.bit_length() != n_bits:
-    prime = next(PrimeGenerator(base.RandBits(n_bits)))
-  return prime
+  n_primes = 1 if n_primes < 1 else n_primes
+  # get number of CPUs and decide if we do parallel or not
+  n_workers: int = min(4, os.cpu_count() or 1)
+  pr_set: set[int] = set()
+  pr: int | None = None
+  if serial or n_workers <= 1 or n_bits < 200:
+    # do one worker
+    while len(pr_set) < n_primes:
+      while pr is None or pr.bit_length() != n_bits:
+        pr = _PrimeSearchShard(n_bits)
+      pr_set.add(pr)
+      pr = None
+    return pr_set
+  # parallel: keep a small pool of bounded shards; stop on first hit
+  multiprocessing.set_start_method('fork', force=True)
+  with concurrent.futures.ProcessPoolExecutor(max_workers=n_workers) as pool:
+    workers: set[concurrent.futures.Future[int | None]] = {
+        pool.submit(_PrimeSearchShard, n_bits) for _ in range(n_workers)}
+    while workers:
+      done: set[concurrent.futures.Future[int | None]] = concurrent.futures.wait(
+          workers, return_when=concurrent.futures.FIRST_COMPLETED)[0]
+      for worker in done:
+        workers.remove(worker)
+        pr = worker.result()
+        if pr is not None and pr.bit_length() == n_bits:
+          pr_set.add(pr)
+          pr = None
+          if len(pr_set) >= n_primes:
+            return pr_set
+        # no hit in that shard: keep the pool full with a fresh shard
+        workers.add(pool.submit(_PrimeSearchShard, n_bits))
+  # can never reach this point, but leave this here; remove line from coverage
+  raise base.Error(f'could not find prime with {n_bits=} bits')  # pragma: no cover
+
+
+def _PrimeSearchShard(n_bits: int) -> int | None:
+  """Search for a `n_bits` random prime, starting from a random point, for ~6× expected prime gap.
+
+  Args:
+    n_bits (int): Number of guaranteed bits in prime representation
+
+  Returns:
+    int | None: either the prime int or None if no prime found in this shard
+  """
+  shard_len: int = max(2000, 6 * int(0.693 * n_bits))  # ~6× expected prime gap ~2^k (≈ 0.693*k)
+  pr: int = base.RandBits(n_bits) | 1  # random position; make ODD
+  count: int = 0
+  while count < shard_len and pr.bit_length() == n_bits:
+    if IsPrime(pr):
+      return pr
+    count += 1
+    pr += 2
+  return None
+
+
+def FirstNPrimesSorted(n: int) -> list[int]:
+  """Returns list of `n` first primes in a sorted list."""
+  primes: list[int] = []
+  for i, pr in enumerate(PrimeGenerator(0)):
+    if i >= n:
+      break
+    primes.append(pr)
+  return primes
 
 
 def MersennePrimesGenerator(start: int, /) -> Generator[tuple[int, int, int], None, None]: