Number-Theoretic Algorithms (RSA and related algorithms)
p1.
Number-Theoretic Algorithms
(RSA and related algorithms)
Chapter 31, CLRS book
p2.
Outline
• Modular arithmetic
• RSA encryption scheme
• Miller-Rabin algorithm (a probabilistic algorithm)
p3.
Modular Arithmetic
p4.
Integers
a | b : a divides b, a is a divisor of b.
gcd(a, b): greatest common divisor of a and b.
Coprime or relatively prime: gcd(a, b) = 1.
Euclid's algorithm: compute gcd(a, b).
Extended Euclid's algorithm: compute integers x and y such that ax + by = gcd(a, b).
p5.
Integers modulo n
Let n ≥ 2 be an integer.
Definition: a is congruent to b modulo n, written a ≡ b (mod n), if n | (a − b), i.e., a and b have the same remainder when divided by n.
Note: a ≡ b (mod n) and a = b mod n are different.
Definition: [a]_n := {x ∈ Z : x ≡ a (mod n)}.
[a]_n is called a residue class modulo n, and a is a representative of that class.
p6.
There are exactly n residue classes modulo n: [0]_n, [1]_n, [2]_n, …, [n − 1]_n.
If x ∈ [a]_n, y ∈ [b]_n, then x + y ∈ [a + b]_n and xy ∈ [ab]_n.
Define addition and multiplication for residue classes:
[a]_n + [b]_n = [a + b]_n
[a]_n · [b]_n = [ab]_n.
p7.
Group
A group, denoted by (G, ∗), is a set G with a binary operation ∗ such that
1. ∀x, y ∈ G, x ∗ y ∈ G (closure)
2. (x ∗ y) ∗ z = x ∗ (y ∗ z) (associativity)
3. ∃e ∈ G s.t. ∀x ∈ G, x ∗ e = e ∗ x = x (identity)
4. ∀x ∈ G, ∃y ∈ G s.t. x ∗ y = y ∗ x = e (inverse)
A group (G, ∗) is abelian if ∀x, y ∈ G, x ∗ y = y ∗ x.
Examples: (Z, +), (Q, +), (Q \ {0}, ·), (R, +), (R \ {0}, ·).
p8.
Z_n
Define Z_n := {[0], [1], ..., [n − 1]}.
Or, more conveniently, Z_n := {0, 1, ..., n − 1}.
(Z_n, +) forms an abelian group.
For a, b ∈ Z_n, a + b := (a + b) mod n. (Or, [a] + [b] = [a + b] = [(a + b) mod n].)
0 is the additive identity element.
The inverse of a, denoted by −a, is n − a.
When doing addition/subtraction in Z_n, just do the regular addition/subtraction and reduce the result modulo n.
In Z_10, 5 + 9 = 4, 6 + 2 = 8, −3 = ?
p9.
(Z_n, ·) is not a group, because 0^{-1} does not exist.
Even if we exclude 0 and consider only Z_n \ {0}, (Z_n \ {0}, ·) is not necessarily a group; some a^{-1} may not exist.
For a ∈ Z_n, a^{-1} exists if and only if gcd(a, n) = 1.
p10.
Z_n^*
Let Z_n^* := {a ∈ Z_n : gcd(a, n) = 1}.
(Z_n^*, ·) is an abelian multiplicative group.
a · b := ab mod n. (Or, [a] · [b] = [ab mod n].)
1 is the identity element.
The inverse of a, written a^{-1}, can be computed by the Extended Euclidean Algorithm.
For example, Z_12^* = {1, 5, 7, 11}. 5 · 7 = 35 mod 12 = 11.
Q: How many elements are there in Z_n^*?
p11.
Euler's totient function:
φ(n) = |Z_n^*| = |{a : a ∈ Z_n and gcd(a, n) = 1}|
Facts:
1. φ(p^e) = p^{e−1}(p − 1) for prime p
2. φ(ab) = φ(a) φ(b) if gcd(a, b) = 1
p12.
Let G be a finite (multiplicative) group.
Lagrange's theorem: For any element a ∈ G, a^{|G|} = e.
Corollary: For any element a ∈ G, a^m = a^{m mod |G|}.
Euler's theorem: If a ∈ Z_n^* (for any n > 1), then a^{φ(n)} = 1 in Z_n^*.
Fermat's little theorem: If a ∈ Z_p^* (p a prime), then a^{p−1} = 1 in Z_p^*.
p13.
Example: n = 15
Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}
φ(15) = φ(3) φ(5) = 2 · 4 = 8
ord(a): smallest integer k such that a^k = 1.
a ∈ Z_15^* : 1 2 4 7 8 11 13 14
ord(a)     : 1 4 2 4 4 2  4  2
13^{-1} = ?
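As an added example (not part of the slides), the objects of slides 10 to 13 computed from their definitions: Z_n^*, φ(n) both by counting and by the two facts on slide 11, ord(a), and an exhaustive check of Euler's theorem and Lagrange's corollary for a given n. All function names are ours.

```python
from math import gcd


def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}, listed in increasing order."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient straight from the definition phi(n) = |Z_n^*|."""
    return len(units(n))


def phi_from_factors(factors):
    """Euler's totient from a prime factorisation given as {p: e}, using the
    slide's facts phi(p^e) = p^(e-1)(p-1) and phi(ab) = phi(a)phi(b) for coprime a, b."""
    result = 1
    for p, e in factors.items():
        result *= p ** (e - 1) * (p - 1)
    return result


def order(a, n):
    """ord(a): the smallest k >= 1 with a^k = 1 in Z_n^*; a must be a unit."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n, so it has no order")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def euler_theorem_holds(n):
    """Check a^phi(n) = 1 for every a in Z_n^* (Euler's theorem) and that
    every ord(a) divides phi(n) = |Z_n^*| (Lagrange's theorem)."""
    t = phi(n)
    return all(pow(a, t, n) == 1 and t % order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    # Reproduces the slide-13 table for n = 15.
    for a in units(15):
        print(a, order(a, 15))
```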
p14.
Algorithms
gcd(a, b)
a^{-1} mod n
a^k mod n
Running time: O(log^3 n). Here we assume a, b ∈ Z_n.
p15.
Euclid's Algorithm
Given a, b ∈ Z with a ≥ b ≥ 0, compute gcd(a, b).
Theorem: If b = 0, gcd(a, b) = a. If b > 0, gcd(a, b) = gcd(b, a mod b).
Euclid(a, b)
  if b = 0
    then return(a)
    else return Euclid(b, a mod b)
The number of recursive calls to Euclid is O(log n).
Computing a mod b takes O(log^2 n).
p16.
Extended Euclidean Algorithm
Given a ≥ b ≥ 0, compute x, y such that ax + by = gcd(a, b) = d.
Example: gcd(299, 221)
299 = 1 · 221 + 78
221 = 2 · 78 + 65
78 = 1 · 65 + 13
65 = 5 · 13 + 0
gcd(299, 221) = 13
13 = 78 − 65 = 78 − (221 − 2 · 78) = 3 · 78 − 221 = 3(299 − 221) − 221 = 3 · 299 − 4 · 221
x = 3, y = −4.
p17.
Extended Euclidean Algorithm
Given a ≥ b ≥ 0, compute d, x, y such that d = gcd(a, b) = ax + by.
Extended-Euclid(a, b)
  if b = 0
    then return (a, 1, 0)
    else (d, x, y) ← Extended-Euclid(b, a mod b)
         (d, x, y) ← (d, y, x − ⌊a/b⌋ y)
         return (d, x, y)
p18.
Correctness Proof
If b = 0, gcd(a, b) = a = a · 1 + b · 0. The returned answer (a, 1, 0) is correct.
If (d, x, y) is correct, gcd(b, a mod b) = d = bx + (a mod b) y
  = bx + (a − ⌊a/b⌋ b) y
  = ay + b(x − ⌊a/b⌋ y)
gcd(a, b) = gcd(b, a mod b), so (d, x, y) ← (d, y, x − ⌊a/b⌋ y) is correct.
p19.
How to compute a^{-1}?
Compute a^{-1} in Z_n^*.
a^{-1} exists if and only if gcd(a, n) = 1.
Use the extended Euclidean algorithm to find x, y such that ax + ny = gcd(a, n) = 1 (in Z).
[ax + ny] = [a][x] + [n][y] = [1]
[a][x] = [1] (since [n] = [0])
[a]^{-1} = [x], i.e., a^{-1} = x mod n.
Note: may omit [ ], but reduce everything modulo n.
p20.
Example
Compute 15^{-1} mod 47.
Using the extended Euclidean algorithm, we obtain gcd(15, 47) = 1 = 15 · 22 − 47 · 7.
15^{-1} mod 47 = 22.
That is, 15^{-1} = 22 in Z_47^*.
p21.
Algorithm: Square-and-Multiply(x, c, n)
Comment: compute x^c mod n, where c = c_{k−1} … c_1 c_0 in binary.
z ← 1
for i ← k − 1 downto 0 do
  z ← z^2 mod n
  if c_i = 1 then z ← z · x mod n
return (z)
Note: x^c = (x^{c/2})^2 if c is even; x^c = (x^{(c−1)/2})^2 · x if c is odd.
p22.
Example: 11^{23} mod 187
23 = 10111_2
z ← 1
z ← z^2 · 11 = 11^1 mod 187 = 11 (square and multiply)
z ← z^2 = 11^2 mod 187 = 121 (square)
z ← z^2 · 11 = 11^5 mod 187 = 44 (square and multiply)
z ← z^2 · 11 = 11^{11} mod 187 = 165 (square and multiply)
z ← z^2 · 11 = 11^{23} mod 187 = 88 (square and multiply)
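As an added example (our code, not the slides'), the algorithms of slides 15 to 22 in Python: Extended-Euclid exactly as written on slide 17, the inverse via slide 19's recipe, and Square-and-Multiply returning the trace of intermediate z values so that the 11^23 mod 187 run of slide 22 can be reproduced. Function names are ours.

```python
def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (slide 17)."""
    if b == 0:
        return a, 1, 0
    d, x, y = extended_euclid(b, a % b)
    # (d, x, y) <- (d, y, x - floor(a/b) * y)
    return d, y, x - (a // b) * y


def mod_inverse(a, n):
    """a^-1 in Z_n^*, or None when gcd(a, n) != 1 and no inverse exists."""
    d, x, _ = extended_euclid(a, n)
    if d != 1:
        return None
    return x % n  # x may be negative; reduce everything modulo n


def square_and_multiply(x, c, n):
    """x^c mod n, scanning the bits of c from the most significant down.
    Returns (result, trace); trace holds z after each bit, as on slide 22."""
    z = 1
    trace = []
    for bit in bin(c)[2:]:  # c = c_{k-1} ... c_1 c_0 in binary
        z = z * z % n  # square
        if bit == "1":
            z = z * x % n  # multiply
        trace.append(z)
    return z, trace


if __name__ == "__main__":
    print(extended_euclid(299, 221))  # slide 16
    print(mod_inverse(15, 47))  # slide 20
    print(square_and_multiply(11, 23, 187))  # slide 22
```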
p23.
RSA Encryption
p24.
Public-key Encryption
Bob --(plaintext m)--> encryption algorithm E (Alice's public key) --(ciphertext c)--> decryption algorithm D (Alice's secret key) --(plaintext m)--> Alice
p25.
The RSA Cryptosystem
By Rivest, Shamir & Adleman of MIT in 1977.
Best known and most widely used public-key scheme.
Based on the assumed one-way property of modular powering:
f : x → x^e mod n (easy)
f^{-1} : x → x^{1/e} mod n (hard)
In turn based on the hardness of integer factorization.
p26.
Idea behind RSA
It works in the group Z_n^*. Let x ∈ Z_n^* be a message.
RSA Encryption (easy): x → x^e.
RSA Decryption (hard): x^e → x.
RSA Decryption (easy with "trapdoor"): x^e → x.
Looking for a "trapdoor": (x^e)^d = x.
If d is a number such that ed ≡ 1 mod φ(n), then ed = kφ(n) + 1 for some k, and
(x^e)^d = x^{ed} = x^{kφ(n)+1} = (x^{φ(n)})^k · x = 1^k · x = x.
p27.
RSA Cryptosystem
Key generation:
(a) Choose large primes p and q, and let n := pq.
(b) Choose e (1 < e < φ(n)) coprime to φ(n), and compute d := e^{-1} mod φ(n). (ed ≡ 1 mod φ(n).)
(c) Public key: pk = (n, e). Secret key: sk = (n, d).
Encryption: E_pk(x) := x^e mod n, where x ∈ Z_n^*.
Decryption: D_sk(y) := y^d mod n, where y ∈ Z_n^*.
p28.
RSA Example: Key Setup
Select two primes: p = 17, q = 11.
Compute the modulus n = pq = 187.
Compute φ(n) = (p − 1)(q − 1) = 160.
Select e between 0 and 160 such that gcd(e, 160) = 1. Say e = 7.
Compute d = e^{-1} mod φ(n) = 7^{-1} mod 160 = 23 (using the extended Euclidean algorithm).
Public key: pk = (e, n) = (7, 187).
Secret key: sk = (d, n) = (23, 187).
p29.
RSA Example: Encryption & Decryption
Suppose m = 88.
Encryption: c = m^e mod n = 88^7 mod 187 = 11.
Decryption: m = c^d mod n = 11^{23} mod 187 = 88.
When computing 11^{23} mod 187, we do not first compute 11^{23} and then reduce it modulo 187.
Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.
p30.
Attacks on RSA
p31.
Attacks on RSA
There are many attacks on RSA:
brute-force key search
mathematical attacks
timing attacks
chosen ciphertext attacks
The most important one is integer factorization:
If the adversary can factor n into pq, then he can calculate φ(n) = (p − 1)(q − 1) and the secret key d = e^{-1} mod φ(n).
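As an added example (ours, not the lecture's code), the key setup, encryption and decryption of slides 27 to 29 with the slides' numbers p = 17, q = 11, e = 7, an exhaustive check of the trapdoor identity of slide 26 over all of Z_187^*, and the point of slide 31: for a modulus this small, trial division yields p, q, φ(n) and hence d at once, which is why slide 36 asks for a 1024 to 2048 bit n. Python's built-in pow(e, -1, m) is used for the modular inverse (Python 3.8+).

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Slide 27 key generation: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (pk, sk) = ((e, n), (d, n)) in the slide-28 ordering."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)  # modular inverse, ed = 1 mod phi(n)
    return (e, n), (d, n)


def rsa_encrypt(pk, x):
    """E_pk(x) = x^e mod n."""
    e, n = pk
    return pow(x, e, n)


def rsa_decrypt(sk, y):
    """D_sk(y) = y^d mod n."""
    d, n = sk
    return pow(y, d, n)


def trapdoor_holds(pk, sk):
    """Slide 26, checked exhaustively: (x^e)^d = x for every x in Z_n^*."""
    e, n = pk
    d, _ = sk
    return all(pow(pow(x, e, n), d, n) == x for x in range(1, n) if gcd(x, n) == 1)


def secret_key_from_factoring(pk):
    """Slide 31: once n = pq is known, d follows from phi(n) = (p-1)(q-1).
    Trial division is only feasible for a toy modulus like 187; returns (p, q, d)."""
    e, n = pk
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    phi = (p - 1) * (q - 1)
    return p, q, pow(e, -1, phi)


if __name__ == "__main__":
    pk, sk = rsa_keygen(17, 11, 7)
    print(pk, sk)  # (7, 187) (23, 187)
    c = rsa_encrypt(pk, 88)
    print(c, rsa_decrypt(sk, c))  # 11 88
    print(secret_key_from_factoring(pk))  # (11, 17, 23)
```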
p32.
Integer Factorization
A difficult problem.
More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a ciphertext encrypted with a modulus n of 129 digits (428 bits).
Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.
In 1991, RSA put forward more challenges (called RSA numbers), with prizes, to encourage research on factorization.
p33.
RSA Numbers
Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)
There are two labeling schemes.
by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.
p34.
RSA Numbers which have been factored
RSA-100 (332 bits), 1991, 7 MIPS-year, Quadratic Sieve.
RSA-110 (365 bits), 1992, 75 MIPS-year, QS.
RSA-120 (398 bits), 1993, 830 MIPS-year, QS.
RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.
RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
RSA-160 (530 bits), 2003, Lattice Sieve.
RSA-576 (174 digits), 2003, Lattice Sieve.
RSA-640 (193 digits), 2005, Lattice Sieve.
RSA-200 (663 bits), 2005, Lattice Sieve.
p35.
RSA-200 =
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
p36.
Remark
In light of current factorization technologies, RSA recommends using an n of 1024-2048 bits.
p37.
Generating large primes
To set up an RSA cryptosystem,
we need two large primes p and q.
p38.
How to generate a large prime number?
Generate a random odd number n of the desired size.
Test if n is prime.
If not, discard it and try a different number.
p39.
Primality test: Is n a prime?
Can it be solved in polynomial time?
A long standing open problem until 2002.
AKS (Agrawal, Kayal, Saxena): O(log^{12} n).
Later improved by others to O(log^{10.5} n), and then to O(log^6 n).
In practice, Miller-Rabin's probabilistic algorithm is still the most popular --- much faster, O(log^3 n).
p40.
Miller-Rabin primality test: Is n a prime?
Using some characteristic property of prime numbers:
n is prime ⇔ ∀a ∈ 2..n − 1, a does not divide n.
Miller-Rabin's idea: look for some property P(a) s.t.
n is prime ⇒ For all a ∈ Z_n^*, P(a) = true.
n not prime ⇒ For only a portion (at most 1/k) of the elements a ∈ Z_n^*, P(a) = true.
Algorithm: Randomly pick t elements a ∈ Z_n^*.
If P(a) is true for all of them then return "prime" else return "composite".
A "prime" answer may be incorrect with probability (1/k)^t.
p41.
If n is prime, then for all a ∈ Z_n^*, P(a) is true.
(Picture: the whole of Z_n^* is labelled P(a) = true.)
p42.
If n is not prime, then there are elements a ∈ Z_n^* s.t. P(a) = false, which are strong witnesses.
Say, at most 1/k of Z_n^* are black.
(Picture: Z_n^* with a black region labelled P(a) = true; the rest of the elements are strong witnesses.)
p43.
The property P(a)
Write n − 1 = 2^k u, where u is odd.
Let P(a) = [a^u ≡ 1 mod n] or [a^{2^i u} ≡ −1 mod n for some i, 0 ≤ i ≤ k − 1].
Consider the sequence a^u, a^{2u}, a^{2^2 u}, …, a^{2^{k−1} u}.
p44.
If n is prime, then P(a) = true for all a ∈ Z_n^*.
If n is an odd composite and not a prime power, then at most one half of the elements a ∈ Z_n^* are black (i.e., P(a) = true).
A composite number n is a prime power if n = p^e for some prime p and integer e ≥ 2; a perfect power if n = k^e for some integer k and e ≥ 2.
p45.
Algorithm: Miller-Rabin primality test
Input: integer n > 2 and parameter t
Output: a decision as to whether n is prime or composite
1. if n is even, return "composite"
2. if n is a perfect power, return "composite"
3. for i := 1 to t do
     choose a random integer a, 2 ≤ a ≤ n − 1
     if gcd(a, n) ≠ 1, return "composite"
     if a is a strong witness, return "composite"
4. return "prime"
p46.
Analysis: Miller-Rabin primality test
If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answer if n is composite but the algorithm fails to find a strong witness in t iterations.
This may happen with probability at most 2^{−t}.
Actually, at most 4^{−t}, by a more sophisticated analysis.
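As an added example (our code, not the lecture's), the property P(a) of slide 43 and the Miller-Rabin algorithm of slide 45 in Python, including the perfect-power test the slide requires. A seed parameter makes a run reproducible; the names decompose, is_strong_witness, is_perfect_power and miller_rabin are ours. The one departure from the slide is that n = 2 is answered "prime" before the even test, so the function is also correct on that input.

```python
import math
import random


def decompose(n):
    """Write n - 1 = 2^k * u with u odd (slide 43 notation); returns (k, u)."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    return k, u


def is_strong_witness(a, n):
    """True iff P(a) is false, i.e. a proves n composite: the sequence
    a^u, a^(2u), ..., a^(2^(k-1) u) mod n neither starts at 1 nor reaches -1."""
    k, u = decompose(n)
    x = pow(a, u, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def _iroot(n, e):
    """Largest integer r with r**e <= n, by binary search (no floating point)."""
    lo, hi = 1, 1 << (n.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """True iff n = r^e for integers r >= 2 and e >= 2 (slide 44)."""
    for e in range(2, n.bit_length() + 1):
        r = _iroot(n, e)
        if r >= 2 and r ** e == n:
            return True
    return False


def miller_rabin(n, t, seed=None):
    """Slide 45: 'composite' is always correct; 'prime' is wrong with
    probability at most 4^-t (slide 46). seed fixes the random bases."""
    rng = random.Random(seed)
    if n < 2:
        return "composite"
    if n == 2:  # our addition: the slide's step 1 would reject 2
        return "prime"
    if n % 2 == 0:
        return "composite"
    if is_perfect_power(n):
        return "composite"
    for _ in range(t):
        a = rng.randrange(2, n)  # 2 <= a <= n - 1
        if math.gcd(a, n) != 1:
            return "composite"
        if is_strong_witness(a, n):
            return "composite"
    return "prime"


if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is a Carmichael number; base 2 still exposes it.
    print(decompose(561), is_strong_witness(2, 561))  # (4, 35) True
    print(miller_rabin(561, 20, seed=1), miller_rabin(47, 10, seed=1))
```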
p47.
Monte Carlo algorithms
A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer but sometimes the answer may be incorrect.
A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.
A t-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most 1/4^t.
p48.
Las Vegas algorithms
A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer but never gives an incorrect one.
A Las Vegas algorithm can be converted into a Monte Carlo algorithm.