1 / 46

The RSA Cryptosystem and Factoring Integers (I)

The RSA Cryptosystem and Factoring Integers (I). Rong-Jaye Chen. OUTLINE. [1] Modular Arithmetic Algorithms [2] The RSA Cryptosystem [3] Quadratic Residues [4] Primality Testing [5] Square Roots Modulo n [6] Factoring Algorithms [7] Other Attacks on RSA [ 8] The Rabin Cryptosystem

mariam-carver
Télécharger la présentation

The RSA Cryptosystem and Factoring Integers (I)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The RSA Cryptosystem and Factoring Integers (I) Rong-Jaye Chen

  2. OUTLINE • [1] Modular Arithmetic Algorithms • [2] The RSA Cryptosystem • [3] Quadratic Residues • [4] Primality Testing • [5] Square Roots Modulo n • [6] Factoring Algorithms • [7] Other Attacks on RSA • [8] The Rabin Cryptosystem • [9] Semantics Security of RSA

  3. [1] Modular Arithmetic Algorithms • 1. The integers • a divides b a|b • If b has a divisor , then a is said to be nontrivial. • a is prime if it has no nontrivial divisors; otherwise, a is composite. • The prime theorem: • If c|a and c|b, then c is common divisor of a and b. • If d is a great common divisor of a and b, then we write d=gcd(a,b).

  4. Euclidean algorithm(a,b) (for great common divisor) input: output: (1) Set r0=a and r1=b (2) Determine the first so that rn+1=0, where ri+1=ri-1 mod ri (3) Return (rn) • Extended Euclidean algorithm(a,b) input:a>0, b>0 output: (r, s, t) with r=gcd(a,b) and sa+tb=r (Omitted)

  5. Example :gcd(299,221)=?

  6. If gcd(a,b)=1, then a and b are said to be relatively prime. • Phi function:

  7. 2. The integers modulo n • a is congruent to b modulo n, written , if n|a-b. • Zn={0,1,…,n-1} • Given , if , then a is said to be invertible and its inverse x is denoted a-1.

  8. Euclidean algorithm to find gcd(a,n) Extended Euclidean algorithm to write gcd(a,b)=sa+tn • Use Extended Euclidean Algo to calculate a-1 mod n • Example:a=7 and n=9

  9. Zn*={a|gcd(a,n)=1 and 0<a<n} • For example, Z12*={1,5,7,11}, Z15*={1,2,4,7,8,11,13,14} • (Zn*, *) forms a multiplication group

  10. Fermat’s little theorem: • Euler’s theorem: • The order of , written ord(a), as the least positive integer t such that • If , has , then a is said to be a generator of Zn*; in this case,

  11. 1 2 4 7 8 11 13 14 1 4 2 4 2 2 4 2 • Example :n=15 Z15*={1,2,4,7,8,11,13,14} ψ(15)= ψ(3) ψ(5)=2*4=8

  12. 3. Chinese remainder theorem If the integers n1,…,nk are pairwise relatively prime, then the system of congruences has a unique solution modulo n=n1*n2*…*n k

  13. Algorithm:Gauss algorithm (1) Input k , ni , ai , for i=1,2,…,k (2) Compute for i=1,2,…,k (3) Compute inverse for i =1,2,…,k (4) Compute

  14. Example

  15. 4. Square-and-Multiply • Algorithm: Square-and-Multiply(x, c, n) Input: , c with binary representation Output:

  16. Example : 97263533 mode 11413=?

  17. [2] The RSA Cryptosystem • Proposed by Rivest, Shamir, and Adleman (1977) • Used for encryption and signature schemes • Based on the intractability of the integer factorization problem • Key generation • Let p, q be large prime, n=pq and (n)=(p-1)(q-1) • Choose randomly b s.t. gcd(b,(n))=1 • Compute a  b-1 mod (n) • Public-key: (n, b) • Private-key: (n, a) or (p, q, a)

  18. RSA Cryptosystem Let n=pq, where p and q are primes. Let P = C = Zn, and define K ={(n,p,q,a,b): ab=1 (mod (n))}. For K= (n,p,q,a,b), define eK(x)=xb mod n and dK(y)=ya mod n • Public-key: (n, b) • Private-key: (n, a) or (p, q, a)

  19. Verify the encryption and decryption are inverse operations ab=1 (mod (n)), we have ab = t(n)+1, for t>=1 Suppose that x in Zn*; then we have (xb)a = xt(n)+1 (mod n) = (x(n))tx = 1tx (mod n) = x (mod n) As desired. For x in Zn but not in Zn*, (do exercise)

  20. Eg. p=7, q=13, n=91, (n)=(p-1)(q-1)=72 • Choose b=5, compute a=b-1=29 • Public-key: (91,5) • Private-key: (7,13,29) • Assume message m=23 So cipher-text c = me mod n = 235 mod 91 = 4 and can be decrypted by m = cd mod n = 429 mod 91 = 23

  21. n = pq b*a = 1 (mod ø(n)) Private key KRBob = (n, a) Public key KUBob = (n, b) KUBob KRBob M C M E D EKUBob(M)= Mb (mod n) DKRBob(C)= Ca (mod n) Encryption Decryption • RSA encryption Alice Bob

  22. n = pq b*a = 1 (mod ø(n)) Signing key KRAlice = (n, a) Verification key KUAlice = (n, b) M M H Compare KRAlice KUAlice A H E D EKRAlice(H(M))= H(M)a (mod n) DKUAlice(A)= Ab (mod n) Signing Verification • RSA signature scheme Alice Hash Bob

  23. [3] Quadratic Residue • 1. Quadratic residue modulo n • Let , then a is a quadratic residue modulo n if there exists with In this case, x is a square root of a modulo n. Otherwise, a is a quadratic nonresidue modulo n. • Qn:the set of quadratic residues modulo n. • :the set of quadratic nonresidues modulo n.

  24. 2. Theorem :p > 2 is prime and α is a generator of Zp*

  25. 3. Corollary : p > 2 is prime and α is a generator of Zp* • (1) • (2) • (3) • (4) • 4. Legendre symbol :p > 2 is prime and

  26. 5. Theorem :Euler’s criterion • 6. E.g : use Square-and-Multiply

  27. 7. Jacobi symbol : n > 2 is an odd integer, pi is prime and

  28. 8. Properties of Jacobi symbol:m, n > 2 are odd integers • (1) • (2) • (3) • (4) • (5) • (6)

  29. 9. E.g :calculate Jacobi symbol without factoring n (property 2) (property 6) (property 3) (property 4)

  30. 10. Jacobi symbol V.S. Quadratic residue modulo n • The element of are called psedosquares modulo n.

  31. 1 2 4 7 8 11 13 14 1 -1 1 1 -1 -1 1 -1 1 -1 1 -1 -1 1 -1 1 1 1 1 -1 1 -1 -1 -1 • 11. E.g :n=15 The Jacobi symbol are calculated in the following table:

  32. 12. Quadratic residuosity problem(QRP) Determine if a given is a quadratic residue or pseudosquare modulo n

  33. [4] Primality Testing (1)Prime numbers • 1. How to generate large prime numbers? (1) Generate as candidate a random odd number n of appropriate size. (2) Test n for primality. (3) If n is composite, return to the first step.

  34. 2. Distribution of prime numbers (1) prime number theorem Let Π(x) denote the number of prime numbers ≦x. Π(x) ~ x/ln(x) when n∞. (2)Dirichlet theorem If gcd(a, n)=1, then there are infinitely many primes congruent to a mod n.

  35. (3) Let Π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n)=1 . Then Π(x, n, a) ~ The prime numbers are roughly uniformly distributed among the φ(n) congruence classes in Zn* (4) Approximation for the nth prime number pn

  36. (2) Solovay-Strassen primality test • 1. Trial method for testing n is prime or composite • 2. Definition :Euler witness Let n be an odd composite integer and . (1) If then a is an Euler witness (to compositeness) for n.

  37. (2) Otherwise, if then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.

  38. 3. Example (Euler pseudoprime) • Consider n = 91 (= 7x13) Since 945 =1 mod 91, and so 91 is an Euler pseudoprime to the base 9. • 4. Fact At most Φ(n)/2 of all the numbers a, are Euler liars for n.

  39. 5. Algorithm :Solovay-Strassen(n, t) • INPUT: n is odd, n ≧3, t ≧1 • OUTPUT: “prime” or “composite” • 1. for i = 1 to t do :1.1 choose a random integer a, 2 ≦ a≦n-2 if gcd(a,n) ≠1 then return ( “composite” ) 1.2 compute r=a(n-1)/2 mod n (use square-and-multiply) if r ≠ 1 and r ≠ n-1 then return ( “composite” ) 1.3 compute Jacobi symbol s= if r ≠ s then return ( “composite” ) • 2. return ( “prime” )

  40. 6.Solovay-Strassen error-probability bound • For any odd composite integer n, the probability that Solovay-Strassen (n, t) declares n to be “prime” is less than (1/2)t

  41. (3) Miller-Rabin primality test • 1. Fact • P : odd primep-1 = 2sr, where r is odd , gcd (a, p) = 1then ar = 1 (mod n)or a2jr = -1 (mod n) for some j, 0≦ j≦s-1 • Why ?(1)Fermat’s little theorem, ap-1 = 1 mod p(2) 1, -1 are the only two square roots of 1 in Zp*

  42. 2. Definition • n : odd composite integern-1 = 2sr, where r is odd 1≦a ≦n-1 • a is a strong witness to compositeness for nif ar ≠ 1 (mod n), and a2jr ≠ -1 (mod n) for all j, 0≦ j≦s-1 • n is a strong pseudoprime to the base aif ar = 1 (mod n)or a2jr = -1 (mod n) for some j, 0≦ j≦s-1(a is called astrong liar to primality for n)

  43. 3. Algorithm: Miller-Rabin (n, t) • INPUT: n is odd, n ≧3, t ≧1 • OUTPUT: “prime” or “composite” • 1. write n-1 = 2sr such that r is odd. • 2. for i = 1 to t do :2.1 choose a random integer a, 2 ≦ a≦n-22.2 compute y=ar mod n (use square-and-multiply)2.3 if y ≠ 1 and y ≠ n-1 do : j  1 while j ≦ s-1 and y ≠n-1 do : y  y2 mod n if y = 1 then return ( “composite” ) j  j+1 if y ≠ n-1 then return ( “composite” ) • 3. return ( “prime” )

  44. 4. Example (strong pseudoprime) • Consider n = 91 (= 7x13) • 91-1 = 2*45, s=1, r=45 • Since 9r = 945 =1 mod 91, 91 is a strong pseudoprime to the base 9. • The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90} • The number of strong liars of for 91 is 18 = Φ(91)/4

  45. 5. Fact • If n is an odd composite integer, then at most ¼ of all the numbers a, 1 ≦a ≦n-1 are strong liars for n. In fact if n=!9, then number of strong liars for n is at most Φ(n)/4.

  46. 6.Miller-Rabin error-probability bound • For any odd composite integer n, the probability that Miller-Rabin (n, t) declares n to be “prime” is less than (1/4)t • 7. Remark • For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of Φ(n)/4. • Miller-Rabin error-probability bound is much smaller than (1/4)t.

More Related