1 / 13

RSA cryptosystem--preview

RSA cryptosystem--preview. Suppose n=p q and  ( n )=( p -1)( q -1), where p and q are big primes. Select (find) a and b , such that a  b= 1 mod  ( n ). K =( n ,p,q,a, b ), publicize n , b , but keep p,q,a secret. For any x,y  Z n , define

agatha
Télécharger la présentation

RSA cryptosystem--preview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RSA cryptosystem--preview • Suppose n=pq and (n)=(p-1)(q-1), where p and q are big primes. • Select (find) a and b, such that ab=1 mod (n). • K=(n,p,q,a,b), publicize n,b, but keep p,q,a secret. • For any x,yZn , define • eK(x)= xb mod n (encryption) • dK(y)= ya mod n (decryption:(xb)a mod n=x) • Of course, from n,b, it is very difficult to get a (as well as p,q,(n)).

  2. RSA--implementation • Generate two large primes, p and q. • n pq and (n)  (p-1)(q-1) • Chose a random b (1< b < (n)) such that gcd(b, (n))=1 • a  b-1 mod (n) • The public key is (n,b) and the private key is (p,q,a). Could you raise any questions about RSA?

  3. Questions about RSA • How to generate large primes? • How to compute the modular-exponentiation (encryption & decryption) efficiently? • RSA attack: attempt to factor n and how? • RSA uses numbers, therefore need encoding for normal text.

  4. RSA—primality testing • How to generate large primes? • Select a random large number • Test whether or not the number is a prime. • How often a random selected number is a prime? • Let (N) be the number of primes  N. • Prime number theory: (N)  N/lnN • Therefore the probability of a random number being a prime is 1/lnN • Suppose n = pq is 1024 bits, so p and q are 512 bits, 1/ln2512 1/355.

  5. RSA—primality testing • (yes-biased) Monte Carlo algorithm: • For yes-no decision problem • Random algorithm (randomly choose a number) • If the algorithm gives answer “yes”, it is always correct • It the answer is “no”, it may be incorrect. Therefore, may try several times such that the probability of the incorrectness for “no” is extremely small. Las Vegas algorithm: may not give answer, but any answer it gives is correct. Probabilistic algorithms: the algorithms which can be wrong in some cases (i.e., probably, or with certain probability)

  6. RSA—primality testing • (yes-biased) Monte Carlo algorithm: • Solovay-Strassen algorithm • Miller-Rabin algorithm • A good news: confirmed primality testing algorithm • By three Indian scientists.

  7. a ( ) n Solovay-Strassen primality test • Given integer n, is n a composite? • Choose a random integer a ( 1 < a < n) • x • If x=0 then return “yes” (n is a composite) • y  a(n-1)/2 (mod n) • If x  y (mod n) • then return “no” (n is a prime) (of course maybe incorrect) • else return “yes” (n is a composite).

  8. a a ( ( ) ) n n Solovay-Strassen primality test • The proof of the algorithm • If n is a prime, the  a(n-1)/2 mod n for any a • If n is a composite, • then for some a,  a(n-1)/2 , Call n to be an Euler pseudo-prime to base a. For example, = -1  1045 mod 91. • but others not. • At most half of a Zn* , n is a pseudo-prime to a. • So error probability is at most ½. • Test k different a, (1/2)k. ( 10 ) 91

  9. RSA attacks • Computing (n)– no easier than factoring n. • Decryption Exponent a—no easier than factoring n • So the security of RSA is based on the difficulty of factorization of large numbers. • Factoring algorithms • Trial division– up to  n • Pollard p-1 algorithm

  10. RSA attack—Pollard p-1 algorithm • Given n, and select a random B (not too big) • a 2 • For j=2 to B • a aj mod n • d  gcd(a-1,n) • If d > 1 • then return d (d is a factor of n) • else return ‘failure’.

  11. The correctness of p-1 algorithm • Suppose p is a prime factor of n, • Assume for all q, q≤B, q is (power of) a prime factor of p-1. • Then p-1|B!, suppose B! = (p-1)t. • The final a2B! mod n, since p|n, so a2B! mod p • We know, 2p-11 mod p, so • a2B! mod p = 2(p-1)tmod p 1t mod p 1 mod p • So p | (a-1), thus p|gcd(a-1,n) Conclusion: if p or q of factors of n is not selected in a correct way, n will be easily factored.

  12. P-1 example • n=15770708441, B=180 • Then a = 11620221425, and d=135979. • As a result: 15770708441 =135979*115979 • Here 135978 =2*3*131*173

  13. RSA summary • RSA principle • RSA implementation • Generate large primes • Compute xc mod n – square-and-multiply • RSA attacks • Conclusion: p and q must be appropriately selected large primes.

More Related