The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard....
-
Upload
norman-austin -
Category
Documents
-
view
225 -
download
2
Transcript of The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard....
![Page 1: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/1.jpg)
The RSA Algorithm
• Based on the idea that factorization of integers into their prime factors is hard.
★ n=p. q, where p and q are distinct primes
• Proposed by Rivest, Shamir, and Adleman
in 1977 and a paper was published in The Communications of ACM in 1978
• A public-key cryptosystem
![Page 2: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/2.jpg)
RSA Algorithm
• Bob chooses two primes p,q and compute n=pq
• Bob chooses e with gcd(e,(p-1)(q-1))= gcd(e, ψ(n))=1• Bob solves de≡1 (mod ψ(n))• Bob makes (e,n) public and (p,q,d) secret• Alice encrypts M as C≡Me (mod n)• Bob decrypts by computing M≡Cd (mod n)
![Page 3: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/3.jpg)
Proof for the RSA Algorithm
• Cd ≡ (Me)d ≡ Med ≡ M1+kφ(n) ≡M (mod n) by Euler’s theorem and Exercise 19 on p.192
• p=885320963, q=238855417,
• n=p. q=211463707796206571
• Let e=9007, d=116402471153538991∴• M=“cat”=30120, C=113535859035722866
![Page 4: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/4.jpg)
Another Example
• n=127x193=24511, φ(n)=24192
• e=1307, d=10643
• Encrypt “box” with M=21524, then
C=?
Encrypt the following message
Formosa means a beautiful island
![Page 5: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/5.jpg)
Selected Problems from P.192-200
(1) n=11413=101x113, so p=101, q=113
ψ(n)=(p-1)x(q-1)=100x112=11200
Choose e=7467, then gcd(e, ψ(n))=1
Solve de≡1 (mod ψ(n)) to get d=3
If the ciphertext C=5859, then the plaintext
M≡Cd ≡58593 ≡1415 (mod 11413)
![Page 6: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/6.jpg)
Fast Computation of xd (mod n)
• 1235 mod 511
• 1235 ≡ 28153056843 mod 511
• 1232 ≡ 310 (mod 511)
• 1234 ≡ 32 (mod 511)
• 1235 ≡ 123101b ≡1234 ×123
≡ 359 (mod 511)
![Page 7: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/7.jpg)
Fast Computation for xd (mod n)
y=1;
while (d != 0) {
if ((d%2) != 0) { y=(y*x)%n; d--; }
d>>1;
x=(x*x)%n; /* x^(2k) */
}
![Page 8: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/8.jpg)
Fast Computation for xd (mod n)
Let t be the number of bits for integer d, e.g.,
If d=5=1012 , then t=3
y=1; for (i=t; i 0; i--) {≧ y=(y*y)%n; if (d[i]==1) y=(y*x)%n;}
![Page 9: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/9.jpg)
Two Claims
• Claim 1: Suppose n=pq is the product of two distinct primes. If we know n and φ(n), then we can quickly find p and q
Hint: n - φ(n)+1=pq-(p-1)(q-1)+1=p+q, then p,q are solutions of x2 - (n - φ(n)+1)x+n=0
• Claim 2: If we know d and e, then we can probably factor n (The method of universal components could be applied)
![Page 10: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/10.jpg)
References for Attacks on RSA
• D. Boneh, Twenty years of attacks on the RSA cryptosystem, American Math. Soc. Notices 46, 203-213, 1999
• D. Boneh, G. Durfee, Y. Frankel,
An attack on RSA given a fraction of the private key bits, Advances in Cryptology –
ASIACRYPT’98, Lecture Notes in Computer Science 1514, 25-34, 1998
![Page 11: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/11.jpg)
Primality Testing
• Trivial Division to test if N is a prime• for (p=2; p<N1/2; p++) { e=0; if (N%p ==0 ) { while (N%p ==0) { e++; N/=p;} printf(“factor %d, power %d\n”,p,e); } }
![Page 12: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/12.jpg)
Basic Principles for Testing n (1)
Suppose x, y satisfy x2≡y2 (mod n) butx≡y (mod n) and x≡-y (mod n) do not hold.Then n is composite. Moreover, gcd(x-y,n)gives a nontrivial factor of n.(Proof) Let d=gcd(x-y,n)If d=1, n|(x-y)(x+y) → n|x+y →contradictionIf d=n, then → n|x-y →contradiction(Example) 122 ≡22 (mod 35)
![Page 13: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/13.jpg)
Basic Principles for Testing n (2)
• Fermat’s little theorem: ap-1 ≡1 (mod p) for a prime p if gcd(a,p)=1
• an-1 !≡ 1 (mod n) → n is composite, in particular, a=2 is used for testing a large n
• 234 ≡9 !≡ 1 (mod 35) → 35 is composite
• 2340 ≡1 (mod 341), but 341=11x31
• 2560 ≡1 (mod 561), but 561=3x11x17
![Page 14: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/14.jpg)
The Miller-Rabin Primality Test
Let n>1 be odd with n-1=2km with an odd m.Choose a random integer a, 1<a<n-1.
Compute b0≡am (mod n), if b0≡±1 (mod n), then stop and
n is probably prime, otherwise let b1≡(b0)2 (mod n). If b1≡1
(mod n), then n is composite and gcd(b0-1,n) is a nontrivial
factor of n else if b1≡-1 (mod n), stop and n is probably
prime, otherwise let b2≡(b1)2 (mod n). If b2≡1 (mod n),
then n is composite, else if b2 ≡-1 (mod n), stop and n isprobably prime. Continue in this way until stopping or
reaching bk-1. If bk-1 !≡-1, then n is composite.
![Page 15: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/15.jpg)
Pseudoprimes
♪ If an-1 ≡1 (mod n), n is said to be a pseudoprime for the base a
♪ If a and n pass the Miller-Rabin test, we say that n is a strong pseudoprime for the base a
♪ 2340 ≡1 (mod 341), 2560 ≡1 (mod 561), so, 341 and 561 are all pseudoprimes
![Page 16: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/16.jpg)
Test if n=341 is a prime
• n=341, n-1=340=22. 85, let k=2, m=85
• b0 = 285 ≡32 (mod 341)
• b1 = (b0)2 ≡ 1 (mod 341)
• bk-1 ≡ 1 (mod 341), so n=341 is composite
• 2340 ≡1 (mod 341), but 341=11x31
![Page 17: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/17.jpg)
Test if n=561 is a prime
• n=561, n-1=560=24. 35, let k=4, m=35• b0 = 235 ≡263 (mod 561)• b1 = (b0)2 ≡166 (mod 561)• b2 = (b1)2 ≡ 67 (mod 561)• b3 = (b2)2 ≡ 1 (mod 561)• bk-1 ≡ 1 (mod 561), so n=561 is composite
• 2560 ≡1 (mod 561), but 561=3x11x17
![Page 18: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/18.jpg)
Miller-Rabin is better than Fermat’s
• Up to 1010, there are 455052511 primes. There are 14884 pseudoprimes for the base 2, and 3291 strong pseudoprimes for the base 2. Therefore, calculating 2n-1 (mod n) will fail to recognize a composite in this range with probability less than 1 out of 30 thousand and using the Miller-Rabin test with a=2 will fail with probability lest than 1 out of 100 thousand
![Page 19: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/19.jpg)
Factoring n into Product of Primes
• Fermat factorization by checking if there exist x, y such that n|(x-y)(x+y), |x-y|>1
Example 1: n=295927 with n+32 =5442 ,
then n= 541. 547Solution: check if n+k2 is a complete square for k=1, 2, …Fermat’s method works well when n is the product that are very close together
![Page 20: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/20.jpg)
Exponent Factorization Method
Suppose there exists r>0 and an a such that ar ≡1 (mod n).
Write r=2km with m odd. Let b0≡am (mod n), and
successively define bu+1 ≡ (bu)2 (mod n) for 0 u k-1.≦ ≦If b0 ≡1 (mod n), then stop; the procedure has failed to factor n.
If for some u, bu≡-1 (mod n), then stop; the procedure has failed to factor n.
If for some u, bu+1≡1 (mod n) but bu !≡±1 (mod n), then
gcd(bu-1,n) gives a nontrivial factor of n.
![Page 21: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/21.jpg)
The Pollard’s p-1 Method (1974)
Choose an integer a>1 (usually a=2) and
choose a bound B. Compute b≡aB! (mod n)
as follows.
Let b1≡a (mod n) and bj ≡(bj-1)j (mod n),
then bB≡b (mod n).
If 1<d=gcd(b-1,n)<n, we have found a nontrivial factor of n
![Page 22: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/22.jpg)
The Quadratic Sieve
• Suppose we want to factor n=3837523
n=1093. 3511
![Page 23: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/23.jpg)
The Public Key Concept
• The RSA Algorithm
• Knapsack problems
• Discrete Logarithms by ElGamal
• Error Correcting Codes by McEliece
• Elliptic Curve Cryptosystem by Diffie-Hellman
![Page 24: The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.](https://reader036.fdocuments.net/reader036/viewer/2022062308/56649dba5503460f94aaad63/html5/thumbnails/24.jpg)
The Concept and Criteria
1. Ek(Dk(m))=m and Dk(Ek(m))=m for every message m in M, the set of possible messages, every key k in K, the set of possible keys
2. For every m and every k, then values of Ek(m) and Dk(m) are easy to compute
3. For every k, if someone knows only the function Ek, it is computationally infeasible to find an algorithm to compute Dk
4. Given k, it’s easy to find the functions Ek and Dk