440 likes | 1.6k Vues
The RSA Algorithm. Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed by R ivest, S hamir, and A dleman in 1977 and a paper was published in The Communications of ACM in 1978
E N D
The RSA Algorithm • Based on the idea that factorization of integers into their prime factors is hard. ★ n=p.q, where p and q are distinct primes • Proposed by Rivest, Shamir, and Adleman in 1977 and a paper was published in The Communications of ACM in 1978 • A public-key cryptosystem
RSA Algorithm • Bob chooses two primes p,q and compute n=pq • Bob chooses e with gcd(e,(p-1)(q-1))= gcd(e, ψ(n))=1 • Bob solves de≡1 (mod ψ(n)) • Bob makes (e,n) public and (p,q,d) secret • Alice encrypts M as C≡Me (mod n) • Bob decrypts by computing M≡Cd (mod n)
Proof for the RSA Algorithm • Cd ≡ (Me)d ≡ Med ≡ M1+kφ(n) ≡M (mod n) by Euler’s theorem and Exercise 19 on p.192 • p=885320963, q=238855417, • n=p.q=211463707796206571 • Let e=9007, ∴ d=116402471153538991 • M=“cat”=30120, C=113535859035722866
Another Example • n=127x193=24511, φ(n)=24192 • e=1307, d=10643 • Encrypt “box” with M=21524, then C=? Encrypt the following message Formosa means a beautiful island
Selected Problems fromP.192-200 (1) n=11413=101x113, so p=101, q=113 ψ(n)=(p-1)x(q-1)=100x112=11200 Choose e=7467, then gcd(e, ψ(n))=1 Solve de≡1 (mod ψ(n)) to get d=3 If the ciphertext C=5859, then the plaintext M≡Cd ≡58593 ≡1415 (mod 11413)
Fast Computation of xd (mod n) • 1235 mod 511 • 1235 ≡ 28153056843 mod 511 • 1232 ≡ 310 (mod 511) • 1234 ≡ 32 (mod 511) • 1235 ≡ 123101b ≡1234 ×123 ≡ 359 (mod 511)
Fast Computation for xd (mod n) y=1; while (d != 0) { if ((d%2) != 0) { y=(y*x)%n; d--; } d>>1; x=(x*x)%n; /* x^(2k) */ }
Fast Computation for xd (mod n) Let t be the number of bits for integer d, e.g., If d=5=1012 , then t=3 y=1; for (i=t; i≧0; i--) { y=(y*y)%n; if (d[i]==1) y=(y*x)%n; }
Two Claims • Claim 1: Suppose n=pq is the product of two distinct primes. If we know n and φ(n), then we can quickly find p and q Hint: n-φ(n)+1=pq-(p-1)(q-1)+1=p+q, then p,q are solutions of x2 -(n-φ(n)+1)x+n=0 • Claim 2: If we know d and e, then we can probably factor n (The method of universal components could be applied)
References for Attacks on RSA • D. Boneh, Twenty years of attacks on the RSA cryptosystem, American Math. Soc. Notices 46, 203-213, 1999 • D. Boneh, G. Durfee, Y. Frankel, An attack on RSA given a fraction of the private key bits, Advances in Cryptology – ASIACRYPT’98, Lecture Notes in Computer Science 1514, 25-34, 1998
Primality Testing • Trivial Division to test if N is a prime • for (p=2; p<N1/2; p++) { e=0; if (N%p ==0 ) { while (N%p ==0) { e++; N/=p;} printf(“factor %d, power %d\n”,p,e); } }
Basic Principles for Testing n (1) Suppose x, y satisfy x2≡y2 (mod n) but x≡y (mod n) and x≡-y (mod n) do not hold. Then n is composite. Moreover, gcd(x-y,n) gives a nontrivial factor of n. (Proof) Let d=gcd(x-y,n) If d=1, n|(x-y)(x+y) → n|x+y →contradiction If d=n, then → n|x-y →contradiction (Example) 122 ≡22 (mod 35)
Basic Principles for Testing n (2) • Fermat’s little theorem: ap-1 ≡1 (mod p) for a prime p if gcd(a,p)=1 • an-1 !≡ 1 (mod n) → n is composite, in particular, a=2 is used for testing a large n • 234 ≡9 !≡ 1 (mod 35) → 35 is composite • 2340 ≡1 (mod 341), but 341=11x31 • 2560 ≡1 (mod 561), but 561=3x11x17
The Miller-Rabin Primality Test Let n>1 be odd with n-1=2km with an odd m. Choose a random integer a, 1<a<n-1. Compute b0≡am (mod n), if b0≡±1 (mod n), then stop and n is probably prime, otherwise let b1≡(b0)2 (mod n). If b1≡1 (mod n), then n is composite and gcd(b0-1,n) is a nontrivial factor of n else if b1≡-1 (mod n), stop and n is probably prime, otherwise let b2≡(b1)2 (mod n). If b2≡1 (mod n), then n is composite, else if b2 ≡-1 (mod n), stop and n is probably prime. Continue in this way until stopping or reaching bk-1. If bk-1 !≡-1, then n is composite.
Pseudoprimes ♪ If an-1 ≡1 (mod n), n is said to be a pseudoprime for the base a ♪ If a and n pass the Miller-Rabin test, we say that n is a strongpseudoprime for the base a ♪2340 ≡1 (mod 341), 2560 ≡1 (mod 561), so,341 and 561 are all pseudoprimes
Test if n=341 is a prime • n=341, n-1=340=22.85, let k=2, m=85 • b0 = 285 ≡32 (mod 341) • b1 = (b0)2 ≡ 1 (mod 341) • bk-1 ≡ 1 (mod 341), so n=341 is composite • 2340 ≡1 (mod 341), but 341=11x31
Test if n=561 is a prime • n=561, n-1=560=24.35, let k=4, m=35 • b0 = 235 ≡263 (mod 561) • b1 = (b0)2 ≡166 (mod 561) • b2 = (b1)2 ≡ 67 (mod 561) • b3 = (b2)2 ≡ 1 (mod 561) • bk-1 ≡ 1 (mod 561), so n=561 is composite • 2560 ≡1 (mod 561), but 561=3x11x17
Miller-Rabin is better than Fermat’s • Up to 1010, there are 455052511 primes. There are 14884 pseudoprimes for the base 2, and 3291 strong pseudoprimes for the base 2. Therefore, calculating 2n-1 (mod n) will fail to recognize a composite in this range with probability less than 1 out of 30 thousand and using the Miller-Rabin test with a=2 will fail with probability lest than 1 out of 100 thousand
Factoring n into Product of Primes • Fermat factorization by checking if there exist x, y such that n|(x-y)(x+y), |x-y|>1 Example 1: n=295927 with n+32 =5442 , then n= 541.547 Solution: check if n+k2 is a complete square for k=1, 2, … Fermat’s method works well when n is the product that are very close together
Exponent Factorization Method Suppose there exists r>0 and an a such that ar ≡1 (mod n). Write r=2km with m odd. Let b0≡am (mod n), and successively define bu+1 ≡ (bu)2 (mod n) for 0≦u≦k-1. If b0 ≡1 (mod n), then stop; the procedure has failed to factor n. If for some u, bu≡-1 (mod n), then stop; the procedure has failed to factor n. If for some u, bu+1≡1 (mod n) but bu !≡±1 (mod n), then gcd(bu-1,n) gives a nontrivial factor of n.
The Pollard’s p-1 Method (1974) Choose an integer a>1 (usually a=2) and choose a bound B. Compute b≡aB! (mod n) as follows. Let b1≡a (mod n) and bj ≡(bj-1)j (mod n), then bB≡b (mod n). If 1<d=gcd(b-1,n)<n, we have found a nontrivial factor of n
The Quadratic Sieve • Suppose we want to factor n=3837523 n=1093.3511
The Public Key Concept • The RSA Algorithm • Knapsack problems • Discrete Logarithms by ElGamal • Error Correcting Codes by McEliece • Elliptic Curve Cryptosystem by Diffie-Hellman
The Concept and Criteria • Ek(Dk(m))=m and Dk(Ek(m))=m for every message m in M, the set of possible messages, every key k in K, the set of possible keys • For every m and every k, then values of Ek(m) and Dk(m) are easy to compute • For every k, if someone knows only the function Ek, it is computationally infeasible to find an algorithm to compute Dk • Given k, it’s easy to find the functions Ek and Dk