
Cryptography

Cryptography. Lecture 8: Primality Testing and Factoring. Piotr Faliszewski. Previous class: Attacks on RSA (known digits attacks, low exponent attacks, short plaintext attacks, timing attacks); Practical RSA (exponentiation modulo n, primality testing). Factoring. Input: $n \in \mathbb{N}$


Presentation Transcript


  1. Cryptography, Lecture 8: Primality Testing and Factoring. Piotr Faliszewski

  2. Previous Class

     - Attacks on RSA: known digits attacks, low exponent attacks, short plaintext attacks, timing attacks
     - Practical RSA: exponentiation modulo n, primality testing

  3. Factoring and Primality Testing

     - Factoring. Input: $n \in \mathbb{N}$. Output: a nontrivial factor of $n$.
     - Primality testing. Input: $n \in \mathbb{N}$. Output: "the number is composite" or "the number is probably prime".

     Is there a difference? Yes! Primality testing is much easier: you do not need to factor the number to see that it is composite.

  4. Miller-Rabin Test

     Generalization of Fermat's test.

     - Principle: if $p$ is a prime then $x^2 \equiv 1 \pmod{p}$ has only two solutions: $x \equiv 1$ and $x \equiv -1$.
     - Why does the principle hold?
     - Gist of the MR test: find a number $b$ such that $b^2 \equiv 1 \pmod{p}$. If $b \notin \{-1, 1\}$ then composite.

  5. Miller-Rabin Test

         MR( int n ):
             let n - 1 = 2^k * m
             a <- random in {2, 3, ..., n-2}
             b_0 = a^m (mod n)
             if b_0 = ±1 (mod n) then declare prime
             for j = 1 to k-1 do
                 b_j = b_{j-1}^2 (mod n)
                 if b_j = 1 (mod n) then declare composite
                 if b_j = -1 (mod n) then declare prime
             declare composite

     What are we doing?

     - $b_0 \equiv a^{m} \pmod{n}$
     - $b_1 \equiv a^{2m} \pmod{n}$
     - $b_2 \equiv a^{4m} \pmod{n}$
     - ...
     - $b_j \equiv a^{2^j m} \pmod{n}$
     - ...
     - $b_{k-1} \equiv a^{(n-1)/2} \pmod{n}$

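  6. Miller-Rabin Test: Examples

     $n = 5 \cdot 7 \cdot 11 = 385$, $n - 1 = 384 = 2^7 \cdot 3$, so $k = 7$, $m = 3$; take $a = 9$:

     - $b_0 = 9^{3} \equiv 344 \pmod{385}$
     - $b_1 = 9^{3 \cdot 2} \equiv 141 \pmod{385}$
     - $b_2 = 9^{3 \cdot 2^2} \equiv 246 \pmod{385}$
     - $b_3 = 9^{3 \cdot 2^3} \equiv 71 \pmod{385}$
     - $b_4 = 9^{3 \cdot 2^4} \equiv 36 \pmod{385}$
     - $b_5 = 9^{3 \cdot 2^5} \equiv 141 \pmod{385}$

     $n = 3 \cdot 11 \cdot 17 = 561$, $n - 1 = 560 = 2^4 \cdot 35$, so $k = 4$, $m = 35$; take $a = 2$:

     - $b_0 = 2^{35} \equiv 263 \pmod{561}$
     - $b_1 = 2^{35 \cdot 2} \equiv 166 \pmod{561}$
     - $b_2 = 2^{35 \cdot 2^2} \equiv 67 \pmod{561}$
     - $b_3 = 2^{35 \cdot 2^3} \equiv 1 \pmod{561}$

     Proof of compositeness!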

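  7. Miller-Rabin Test: Examples

     $n = 401$, $n - 1 = 400 = 2^4 \cdot 25$, so $k = 4$, $m = 25$; take $a = 3$:

     - $b_0 = 3^{25} \equiv 268 \pmod{401}$
     - $b_1 = 3^{25 \cdot 2} \equiv 45 \pmod{401}$
     - $b_2 = 3^{25 \cdot 2^2} \equiv 20 \pmod{401}$
     - $b_3 = 3^{25 \cdot 2^3} \equiv 400 \equiv -1 \pmod{401}$

     $n = 401$, $n - 1 = 400 = 2^4 \cdot 25$, so $k = 4$, $m = 25$; take $a = 2$:

     - $b_0 = 2^{25} \equiv 356 \pmod{401}$
     - $b_1 = 2^{25 \cdot 2} \equiv 20 \pmod{401}$
     - $b_2 = 2^{25 \cdot 2^2} \equiv 400 \pmod{401}$

     Evidence of primality!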

  8. Miller-Rabin Test

     Why does this work? Recall $n - 1 = 2^k m$ and

     $b_0 \equiv a^{m}$, $b_1 \equiv a^{2m}$, $b_2 \equiv a^{4m}$, ..., $b_j \equiv a^{2^j m}$, ..., $b_{k-1} \equiv a^{(n-1)/2} \pmod{n}$.

     - If $b_0 \equiv \pm 1 \pmod{n}$: all $b_i$'s ($i > 0$) will be 1, so we can't find nontrivial roots of 1.
     - For $i \in \{1, ..., k-1\}$:
       - if $b_i \equiv 1 \pmod{n}$ then $b_{i-1}$ is neither 1 nor -1, and $b_{i-1}^2 \equiv 1 \pmod{n}$: we found a nontrivial root.
       - if $b_i \equiv -1 \pmod{n}$ then $b_{i+1}$ through $b_k$ are all $1 \pmod{n}$, so we can't find nontrivial roots of 1.

  9. Miller-Rabin Test: Quality

     MR test is probabilistic.

     - Answer
       - composite: the number is certainly composite
       - prime: the number is prime with high probability
     - Errors
       - MR(n) says prime but n is composite
       - Pr[error] ≤ ¼
       - Repeat the test to downgrade the probability of error

  10. Other Primality Tests

     - Solovay-Strassen test
       - similar in nature to MR
       - uses the so-called Jacobi symbol
       - fast in practice
       - probabilistic
     - Deterministic test
       - Agrawal, Kayal, and Saxena 2002
       - extremely slow
     - Tests that prove primality
       - MR tests compositeness!
       - fairly slow
       - needed in very few cases

  11. Factoring

     Huge amount of work on factoring! We look at some simple algorithms.

     - Some best algorithms
       - quadratic sieve: $O(e^{(1+o(1))\sqrt{\ln n \ln\ln n}})$
       - elliptic curve: $O(e^{(1+o(1))\sqrt{\ln p \ln\ln p}})$
       - number field sieve: $O(e^{(1.92+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}})$
     - Assumption
       - factor an odd integer
       - produce one factor
       - how to get all of them?

  12. Factoring

     - Factoring. Input: $n \in \mathbb{N}$. Output: a nontrivial factor of $n$.
     - There are about $\pi(n) = n / \ln n$ primes $\le n$.
     - Trivial methods: divide by all numbers in $\{2, ..., n-1\}$, or by all primes $p$ with $p \le \sqrt{n}$.
     - These are exponential!

  13. Fermat's Method

     - The principle: express $n$ as a difference of squares, $n = x^2 - y^2$, so $n = (x-y)(x+y)$.
     - The algorithm
       - Compute $n + i^2$ for $i \in \{1, 2, ...\}$
       - Stop when $n + i^2$ is a square (i.e., $x^2 = n + i^2$)
       - Then we have $n = x^2 - i^2$
     - Examples
       - $15 = 4^2 - 1^2 = (4-1)(4+1) = 3 \cdot 5$
       - $21 = 5^2 - 2^2 = 25 - 4 = (5-2)(5+2) = 3 \cdot 7$

  14. Fermat's Method

     - The principle: express $n$ as a difference of squares, $n = x^2 - y^2$, so $n = (x-y)(x+y)$.
     - The algorithm
       - Compute $n + i^2$ for $i \in \{1, 2, ...\}$
       - Stop when $n + i^2$ is a square (i.e., $x^2 = n + i^2$)
       - Then we have $n = x^2 - i^2$
     - Performance
       - depends on the distance between $x$ and $y$
       - could be very slow!
     - Conclusion for RSA: $p$ and $q$ should differ by a large value
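The loop from the two Fermat slides above, with a step counter that makes the "Conclusion for RSA" visible: the number of iterations is half the gap between the two factors. This is an added example, not part of the lecture; `fermat_factor`, `max_steps` and the moduli 1009·1013 and 3·1013 are constructed here for illustration.

```python
from math import isqrt

def fermat_factor(n, max_steps=10**6):
    """Slide algorithm: try i = 1, 2, ... until n + i^2 is a perfect square x^2.
    Returns (x - i, x + i, steps), or None if no nontrivial split is found
    within max_steps. Perfect squares are not handled, since i starts at 1."""
    if n % 2 == 0:
        raise ValueError("n must be odd")
    for i in range(1, max_steps + 1):
        t = n + i * i
        x = isqrt(t)
        if x * x == t:
            if x - i == 1:       # only the trivial split 1 * n is left: n is prime
                return None
            return x - i, x + i, i
    return None                  # budget exhausted: the factors are far apart

if __name__ == "__main__":
    print(fermat_factor(15))                        # slide example
    print(fermat_factor(21))                        # slide example
    print(fermat_factor(1009 * 1013))               # close primes: found at once
    print(fermat_factor(3 * 1013, max_steps=100))   # distant factors: budget too small
    print(fermat_factor(3 * 1013))                  # needs (1013 - 3) / 2 = 505 steps
```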

  15. Pollard's p-1 Method

     - The method
       - input: $n$
       - choose $a > 1$ (e.g., $a = 2$)
       - choose $B$
       - let $b = a^{B!} \pmod{n}$
       - $d = \gcd(b - 1, n)$
       - $d$ is a factor of $n$
     - Goal of the method: factor $n = pq...$ provided $p-1$ has only small prime factors
     - Example
       - $n = 7 \cdot 11 = 77$, $a = 2$
       - $B = 4$, $B! = 2 \cdot 3 \cdot 4 = 24$
       - $b = 2^{24} \equiv 71 \pmod{77}$
       - $\gcd(b-1, n) = \gcd(70, 77) = 7$

  16. Pollard's p-1 Method

     - The method
       - input: $n$
       - choose $a > 1$ (e.g., $a = 2$)
       - choose $B$
       - let $b = a^{B!} \pmod{n}$
       - $d = \gcd(b - 1, n)$
       - $d$ is a factor of $n$
     - Goal of the method: factor $n = pq...$ provided $p-1$ has only small prime factors
     - Example
       - $n = 7 \cdot 11 = 77$, $a = 2$
       - $B = 2$, $B! = 2$
       - $b = 2^{2} \equiv 4 \pmod{77}$
       - $\gcd(b-1, n) = \gcd(3, 77) = 1$

  17. Pollard's p-1 Method

     - The method
       - input: $n$
       - choose $a > 1$ (e.g., $a = 2$)
       - choose $B$
       - let $b = a^{B!} \pmod{n}$
       - $d = \gcd(b - 1, n)$
       - $d$ is a factor of $n$
     - Goal of the method: factor $n = pq...$ provided $p-1$ has only small prime factors
     - Example
       - $n = 7 \cdot 11 = 77$, $a = 2$
       - $B = 6$, $B! = 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 = 720$
       - $b = 2^{720} \equiv 1 \pmod{77}$
       - $\gcd(b-1, n) = \gcd(0, 77) = 77$

  18. Pollard's p-1 Method

     How to compute $a^{B!}$?

     - $B!$ can be very big
       - $5! = 120$
       - $6! = 720$
       - $10! = 3628800$
       - $20! = 2432902008176640000$
       - $n!$ has about $n \log_2 n$ bits
     - In symbols:
       - $b_1 \equiv a \pmod{n}$
       - $b_2 \equiv b_1^{2} \pmod{n}$
       - ...
       - $b_i \equiv b_{i-1}^{i} \pmod{n}$
       - ...

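  19. Pollard's p-1 Method

     How to compute $a^{B!}$?

     - In symbols:
       - $b_1 \equiv a \pmod{n}$
       - $b_2 \equiv b_1^{2} \pmod{n}$
       - ...
       - $b_i \equiv b_{i-1}^{i} \pmod{n}$
       - ...
     - Example: $a = 2$, $B = 4$, $n = 77$
       - $b_1 \equiv 2 \pmod{77}$
       - $b_2 = 2^2 \equiv 4 \pmod{77}$
       - $b_3 = 4^3 \equiv 64 \pmod{77}$
       - $b_4 = 64^4 = 16777216 \equiv 71 \pmod{77}$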

  20. Pollard's p-1 Method

     - The method
       - input: $n$
       - choose $a > 1$ (e.g., $a = 2$)
       - choose $B$
       - let $b = a^{B!} \pmod{n}$
       - $d = \gcd(b - 1, n)$
       - $d$ is a factor of $n$
     - Why does it work?
       - $p$: a prime factor of $n$
       - suppose $p-1$ has only small prime factors
       - then likely $p-1 \mid B!$
       - then $B! = k(p-1)$
       - $b \equiv (a^{p-1})^k \pmod{p}$
       - $b \equiv 1 \pmod{p}$
       - $p \mid b - 1$

  21. Pollard's p-1 Method

     - Potential problems
       - $n = pq$ where both $p - 1$ and $q - 1$ have only small prime factors: then $b \equiv 1 \pmod{p}$ and $b \equiv 1 \pmod{q}$, and the method fails
     - Choice of $B$
       - too small → method won't work
       - too big → works slowly or fails
     - Example: $n = 7 \cdot 11 = 77$, $a = 2$
       - $B = 2$ → too small
       - $B = 4$ → worked
       - $B = 6$ → too big
       - $7 - 1 = 6 = 2 \cdot 3$
       - $2!$ does not contain 3
       - $4!$ contains 2 and 3
       - $6!$ contains 2, 3 and 5 → covers both factors!

  22. Pollard's p-1 Method

     - Conclusions for RSA
       - $n = pq$
       - $p-1$ or $q-1$ has only small prime factors? Then RSA can be broken
     - How to defend?
       - choose a large prime $p_0$, e.g., $p_0 > 10^{40}$
       - try numbers of the form $k p_0 + 1$
       - $k$ needs to be even!
       - $k > 10^{60}$
       - test $k p_0 + 1$ for primality
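The p-1 method from the slides above, computed with the recurrence b_i = b_{i-1}^i so that B! is never formed, together with the check a key generator can run on a candidate prime (the largest prime factor of p-1). This is an added example, not part of the lecture; the function names and the modulus 428999 = 421 · 1019 are constructed here, the n = 77 cases are the slide examples.

```python
from math import gcd

def pollard_p_minus_1(n, B, a=2):
    """b_1 = a, b_i = b_{i-1}^i (mod n), so b_B = a^(B!) mod n; d = gcd(b_B - 1, n)."""
    b = a % n
    for i in range(2, B + 1):
        b = pow(b, i, n)
    d = gcd(b - 1, n)
    if d == 1:
        return None, "B too small"      # no prime factor p with p-1 | B!
    if d == n:
        return None, "B too big"        # b = 1 modulo every prime factor
    return d, "factor found"

def largest_prime_factor(m):
    """Trial division; adequate for the small constructed values used here."""
    largest, f = 1, 2
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return m if m > 1 else largest

if __name__ == "__main__":
    for B in (2, 4, 6):                              # slide examples for n = 77
        print("n=77 B=%d ->" % B, pollard_p_minus_1(77, B))
    n = 421 * 1019                                   # constructed modulus
    print(n, pollard_p_minus_1(n, 7))                # 420 = 2^2*3*5*7 divides 7!
    # Defensive view: how smooth is p-1 for each prime of the modulus?
    for p in (421, 1019):
        print(p, "largest prime factor of p-1:", largest_prime_factor(p - 1))
```

The prime 1019 survives the bound B = 7 because 1018 = 2 · 509 has a large prime factor, which is what the k·p_0 + 1 construction on the last slide guarantees by design.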

  23. Factoring

     - Relation to squares
       - $n$: an integer
       - $x, y$: two integers such that $x^2 \equiv y^2 \pmod{n}$ and $x \not\equiv \pm y \pmod{n}$
       - if such $x, y$ exist then $n$ is composite
       - $\gcd(x-y, n)$ is a nontrivial factor
     - Examples
       - $11^2 = 121 \equiv 1 \pmod{12}$
       - $5^2 = 25 \equiv 1 \pmod{12}$
       - $11 \not\equiv \pm 5 \pmod{12}$
       - $\gcd(11-5, 12) = 6$

  24. Factoring

     - Relation to squares
       - $n$: an integer
       - $x, y$: two integers such that $x^2 \equiv y^2 \pmod{n}$ and $x \not\equiv \pm y \pmod{n}$
       - if such $x, y$ exist then $n$ is composite
       - $\gcd(x-y, n)$ is a nontrivial factor
     - Examples
       - $5^2 = 25 \equiv 7 \pmod{9}$
       - $14^2 = 196 \equiv 7 \pmod{9}$
       - $14 = 9 + 5 \equiv 5 \pmod{9}$
       - $\gcd(14-5, 9) = 9$

  25. Quadratic Sieve

     - Idea: try to apply the principle from the previous slide
       - find $x, y$ such that $x^2 \equiv y^2 \pmod{n}$, $x \not\equiv y \pmod{n}$, $x \not\equiv -y \pmod{n}$
       - finding such $x, y$ is not obvious
     - Take "random" squares
     - Reduce modulo $n$
     - Factor (hope for small factors!)
     - Try to build squares from what you get

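  26. Quadratic Sieve: Example

     $n = 3837523$

     - $9398^2 \equiv 5^5 \cdot 19 \pmod{n}$
     - $19095^2 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}$
     - $1964^2 \equiv 3^2 \cdot 13^3 \pmod{n}$
     - $17078^2 \equiv 2^6 \cdot 3^2 \cdot 11 \pmod{n}$
     - $8077^2 \equiv 2 \cdot 19 \pmod{n}$
     - $3397^2 \equiv 2^5 \cdot 5 \cdot 13^2 \pmod{n}$
     - $14262^2 \equiv 5^2 \cdot 7^2 \cdot 13 \pmod{n}$

     $(9398 \cdot 19095 \cdot 1964 \cdot 17078)^2 \equiv 2^8 \cdot 3^4 \cdot 5^6 \cdot 11^2 \cdot 13^4 \cdot 19^2 = (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \pmod{n}$

     $2230387^2 \equiv 2586705^2 \pmod{n}$

     $\gcd(2230387 - 2586705, 3837523) = 1093$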

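  27. Quadratic Sieve: Example

     $n = 3837523$

     - $9398^2 \equiv 5^5 \cdot 19 \pmod{n}$
     - $19095^2 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}$
     - $1964^2 \equiv 3^2 \cdot 13^3 \pmod{n}$
     - $17078^2 \equiv 2^6 \cdot 3^2 \cdot 11 \pmod{n}$
     - $8077^2 \equiv 2 \cdot 19 \pmod{n}$
     - $3397^2 \equiv 2^5 \cdot 5 \cdot 13^2 \pmod{n}$
     - $14262^2 \equiv 5^2 \cdot 7^2 \cdot 13 \pmod{n}$

     $(9398 \cdot 8077 \cdot 3397)^2 \equiv 2^6 \cdot 5^6 \cdot 13^2 \cdot 19^2 = (2^3 \cdot 5^3 \cdot 13 \cdot 19)^2 \pmod{n}$

     $3590523^2 \equiv 247000^2 \pmod{n}$

     BUT: $n - 247000 = 3590523$, so $3590523 \equiv -247000 \pmod{n}$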

  28. How to Find the Squares?

     - What squares to use?
       - we want small prime factors
       - so $x^2$ should be slightly above $n$
     - Idea: try integers close to $\sqrt{i \cdot n} + j$, for small $j$ and various $i$
       - $(\sqrt{i \cdot n} + j)^2 \approx in + 2j\sqrt{in} + j^2$
       - approximately $2j\sqrt{in} + j^2 \pmod{n}$
