1 / 67

Public key ciphers 1

Public key ciphers 1. Session 5. Contents. Intractability and NP- completness Primality testing Factoring large composite numbers Complexity of RSA Security of RSA. Intractability and NP- completness. A problem A general question that must be answered

esteban-ivarra
Télécharger la présentation

Public key ciphers 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public key ciphers 1 Session 5

  2. Contents • Intractability and NP-completness • Primality testing • Factoring large composite numbers • Complexity of RSA • Security of RSA

  3. Intractability and NP-completness • A problem • A general question that must be answered • Usually possesses several parameters, whose values are generally unspecified • Described by giving • A general description of all the parameters • A statement of those properties that the answer (the solution) must satisfy

  4. Intractability and NP-completness • An instance of a problem • Obtained by listing a particular set of values for all the problem parameters

  5. Intractability and NP-completness • Example – solving polynomial equations over GF(2) (1) • The parameters • A set of polynomials fi(x1,...,xn), 1im, over GF(2) • An instance of the problem • Formulated by stating particular choices for the polynomials

  6. Intractability and NP-completness • Example – solving polynomial equations over GF(2) (2) • A solution • A set u1,...,un of elements in GF(2) such that fi(u1,...,un)=0 for each 1im • This problem is known as AN9 • 9th in the Garey and Johnson’s list of Algebra and Number Theory problems

  7. Intractability and NP-completness • Algorithm • A step-by-step procedure for solving a problem • An algorithm is said to solve a problem if it can be applied to any instance of the problem and is guaranteed to produce a solution • For any problem there may be many possible algorithms • It is of interest to find the most efficient one (in the sense of speed)

  8. Intractability and NP-completness • The size of an instance of a problem • Intended to measure the amount of input necessary to describe an instance of a problem • It should take into account all the parameters of the problem • Example • AN9 with n=3, m=3 • The size of the problem is the number of variables, n=3

  9. Intractability and NP-completness • The time complexity function • Expresses time requirements of an algorithm by giving, for each possible size of an instance of a problem, the maximum time that might be needed to use the algorithm to solve it

  10. Intractability and NP-completness • Deterministic computer • The next instruction is uniquely determined by the current state and the input • Non-deterministic computer • There are many choices for the next instruction, regardless of the current state and the input (random choice) • Can execute arbitrarily many operations in parallel

  11. Intractability and NP-completness • (Deterministic) Turing machine • A machine that possesses basic properties shared by all deterministic computers • Equipped with an infinite paper tape divided into squares • Capable of moving the tape, writing or erasing marks on the tape and halting

  12. Intractability and NP-completness • (Deterministic) Turing machine • It can be shown that if a problem is solvable by the Turing machine, it is solvable by any deterministic computer

  13. Intractability and NP-completness • Polynomial-time algorithm • There is a polynomial p(r) in the problem instance size r and a constant k such that the time complexity function f(r) is always less than kp(r) • Exponential-time algorithm • The time complexity function f(r) is not bounded by a polynomial

  14. Intractability and NP-completness • Example (1) • Suppose we need 10-5 seconds to solve an instance of a problem whose size is r=10 • Then for an algorithm, whose time complexity function is linear in r we have, for the time needed to solve a problem of size r=10 • t=10-5 s • If we increase r to r=60, we get • t=610-5 s

  15. Intractability and NP-completness • Example (2) • For an algorithm, whose time complexity function is quadratic in r we have, for the time needed to solve a problem of size r=10 • r2=102=100=1010  t=1010-5=10-4 s • If we increase r to r=60, we get • r2=602=3600=36010  t=36010-5 = 3,610-3 s

  16. Intractability and NP-completness • Example (3) • For an algorithm, whose time complexity function is 2r we have, for the time needed to solve a problem of size r=10 • 2r=210=1024=102,410  t=102,410-510-3 s • If we increase r to r=60, we get • 2r=260= 1152921504606846976 =115292150460684697,610  t= 115292150460684697,6 10-5 = 1152921504606,846976 s  366 centuries

  17. Intractability and NP-completness • In practice, most exponential time algorithms are merely variations of an exhaustive search • A problem is called intractable if no polynomial time algorithm can solve it on a deterministic computer • Time complexity measures are essentially a measure of the time needed to solve the worst case instance

  18. Intractability and NP-completness • Only decision problems are considered • The answer is of type “yes” or “no” • It is easy to convert any problem into a decision problem • The original problem is then at least as difficult as the corresponding decision problem

  19. Intractability and NP-completness • Class P decision problems • There is a polynomial time deterministic Turing machine, which solves the problem • Class NP decision problems • There is a polynomial time non-deterministic Turing machine, which solves the problem • Any problem in the class P is automatically in the class NP

  20. Intractability and NP-completness • So far, nobody has found a problem proved to be in the class NP and not in the class P • Finding such a problem would mean that there is a problem for which a polynomial-time algorithm does not exist

  21. Intractability and NP-completness • Such problem(s) may exist; then we would know that PNP • We only assume (without proof) that PNP; whole cryptographic security relies on this assumption

  22. Intractability and NP-completness • The satisfiability problem (SAT) • Given a Boolean formula, is there an interpretation (i.e. the values assigned to each variable present in the formula) that evaluates TRUE? • For any problem in the class NP, there is a polynomial-time algorithm that reduces this particular problem to SAT

  23. Intractability and NP-completness • If a polynomial-time algorithm is ever found for SAT, this will imply that every problem in the class NP is also in the class P, i.e. P=NP • On the other hand, if there is any intractable problem in the class NP, then SAT must be one of them

  24. Intractability and NP-completness • There are many other problems that share this property of SAT (i.e. reducibility of NP to SAT in polynomial time) • They are called NP-complete • The class of NP-complete problems is a subset of the class NP

  25. Intractability and NP-completness • Proving that a problem from the class NP-complete is in P would prove that each problem from NP is in P, i.e. P=NP • Proving that one NP-complete problem is intractable would prove that all the problems from NP are intractable, i.e. PNP • Cook’s theorem (1971) • SAT is NP-complete

  26. Intractability and NP-completness Class NP Class P NP-complete

  27. Intractability and NP-completness • Example 1 • The problem AN9 is in P if the functions involved are linear • Otherwise it is NP-complete – can be reduced to SAT in polynomial time • Since in general the functions are not linear, AN9 is NP-complete

  28. Intractability and NP-completness • Example 2 • The problem of determining whether an integer is a prime is not NP-complete • In 2002, Agrawal, Kayal and Saxena proved that it is in P • Since this problem is not NP-complete, this proof does not mean that P=NP

  29. Intractability and NP-completness • The “big O” notation • Let f and g be two functions defined over the positive integers, which take on real values that are always positive from some point onwards • We then define the asymptotic upper bound • f(n) = O(g(n)) if there exists a positive constant c and a positive integer n0such that 0f(n)cg(n) for all nn0

  30. Primality testing • In order to set up the RSA public key cipher, we need large primes (2 large primes p and q of approximately the same size) • Large means the order of magnitude of 200 decimal digits (663 bits, factored in 2005) and more • Typical RSA keys are 1024 to 2048 bits long • How do we generate such large primes?

  31. Primality testing • The random prime generator • Generate a random integer n • If n is even, replace n by n +1 • Test if n is prime • If n is not prime, test if n + 2 is prime, etc. • The key step is 3: primality testing

  32. Primality testing • Let n be a large odd integer • Naïve algorithm 1 • Let m be an odd integer such that 0 < m < • For all m test if m | n • Naïve algorithm 2 (Sieve of Eratosthenes) • List all integers from 1 to n • Sieve out all the multiples of known primes less than

  33. Primality testing • The problem • If we have a 100 (decimal) digit integer n (i.e. it can take values up to 10100), then there are primes less than n

  34. Primality testing • Possible solution – use probabilistic algorithms • Many primality tests are based on Fermat’s little theorem • If n is a prime and if (b, n) = 1 then bn−1 1 (mod n) (*) • So, try all b for which (b,n)=1 and check whether (*) holds • The problem is that this is a necessary but not a sufficient condition

  35. Primality testing • The expression (*) may hold (not very likely) if n is not a prime • If n is not a prime and the expression (*) holds, n is called a pseudoprime in the base b • Example 91 is a pseudoprime in the base 3, as 390 1 (mod 91) • In the base 2, we find 290 64 (mod 91), so 91 is not a prime (91 = 7 × 13)

  36. Primality testing • Quadratic residue (1) • Let p be an odd prime, and a an integer • a is defined to be a quadratic residue modulo p, or a square modulo p, if there exists an integer x such that x2 a (mod p) • If that is the case we say that aQp, if not

  37. Primality testing • Quadratic residue (2) • Example • Let p=7 • We see that 1, 2 and 4 are quadratic residues

  38. Primality testing • Quadratic residue (3) • If p is an odd prime and if  is a generator of Zp*, then a is a quadratic residue if and only if a = i(mod p), where i =0,2,4,...,p-3 • Example • Let p=7, 3 is a generator of Z7* • We see again that 1, 2 and 4 are quadratic residues

  39. Primality testing • Quadratic residue (4) • If p is a prime, then there are exactly (p-1)/2 quadratic residues in Zp* • Theorem (Euler’s criterion) • Let p be an odd prime. Then a is a quadratic residue modulo p if and only if

  40. Primality testing • Quadratic residue (5) • Example • p=7, (p-1)/2=3 • Again, we see that 1, 2 and 4 are quadratic residues

  41. Primality testing • The Legendre symbol (1) • Let p be an odd prime • For any integer a, we define the Legendre symbol as follows

  42. Primality testing • The Legendre symbol (2) • By the Euler’s criterion if and only if aQp • If a is a multiple of p, it is obvious that

  43. Primality testing • The Legendre symbol (3) • It can be shown that if then • Then

  44. Primality testing • The Jacobi symbol (1) • Let n be an odd positive integer with factorization • Let a be an integer. The Jacobi symbol is defined as follows

  45. Primality testing • The Jacobi symbol (2) • Example • Given that 9975=352719, we evaluate the Jacobi symbol as follows • Observe that we used the fact

  46. Primality testing • The Jacobi symbol (3) • Theorem (1) • Let n be an odd positive integer and let a,b0. Then the following identities hold

  47. Primality testing • The Jacobi symbol (4) • Theorem (2) • If ab (mod n) then

  48. Primality testing • The Jacobi symbol (5) • Theorem (3) 5. Quadratic reciprocity (Gauss). If a is odd, then

  49. Primality testing • The Jacobi symbol (6) • Example • Note that we successively apply rules 5, 3, 4, 2

  50. Primality testing • Yes-biased Monte Carlo algorithm (1) • A yes-biased Monte Carlo Algorithm is a randomized algorithm for a decision problem in which a “yes” answer is always correct, but a “no” answer may be incorrect • Let n be an odd integer greater than 1 • If n is prime we have for all a • If n is composite, it may or may not be the case that holds • If it holds we say that n is an Euler pseudo-prime

More Related