
Integer Factoring in Cryptography


Presentation Transcript


  1. Integer Factoring in Cryptography Dr. Jiun-Ming Chen jmchen@ntu.edu.tw

  2. Outline • Basics in Cryptography • Public-Key Cryptosystems • Quadratic Sieve • Number Field Sieve • Factoring RSA-512 Math department at NTNU

  3. Historical Cipher • Gāius Jūlius Caesar (100 BC – 44 BC) • A Roman military and political leader and one of the most influential men in world history • He played a critical role in the transformation of the Roman Republic into the Roman Empire • Caesar Cipher • Example (Recall: A → 0, B → 1, C → 2, …, Y → 24, Z → 25) • Plaintext: SPY (18 15 24) • Ciphertext: VSB (21 18 1) • Encryption: c = p + 3 mod 26 • Decryption: p = c − 3 mod 26

  4. Historical Cipher • Shift Cipher • We identify each letter with a number • A = 0, B = 1, C = 2, …, Z = 25 • The key k is a number in the range 0 ~ 25 • Encryption adds k to each letter modulo 26 • Julius Caesar used k = 3 • HELLO becomes KHOOR • We break a shift cipher by using the statistics of the underlying language

  5. Historical Cipher • English Letter Frequencies • The most common bigrams are, in decreasing order • TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA • The most common trigrams are, in decreasing order • THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR • Useful cryptanalysis rarely mentioned in books: • Conditional probability → e.g., which letter has the highest frequency right after the letter H?

  6. Historical Cipher • Take the following example cipher text: BPMZM WVKM EIA IV COTG LCKSTQVO EQBP NMIBPMZA ITT ABCJJG IVL JZWEV IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA OMB WCB WIN BWEV OMB WCB, OMB WCB, OMB WCB WIN BWEV IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS QV I NTCZZG WN MQL MZLWEV BPIB XWWZ TQBBTM COTG LCKS TQVO EMVB EIVLMZQVO NIZ IVL VMIZ JCB IB MDMZG XTIKM BPMG AIQL BW PQA NIKM VWE OMB WCB, OMB WCB, OMB WCB WN PMZM IVL PM EMVB EQBP I YCIKS IVL I EILLTM IVL I YCIKS IVL I DMZG CVPIXXG BMIZ • We need to compare the frequency distribution of this text with standard English

  7. Historical Cipher • [Figure: letter frequency charts for the underlying plain text and for the cipher text] • The shift of E seems to be either 4, 8, 17, 18 or 23 • The shift of A seems to be either 1, 8, 12, 21 or 22

  8. Historical Cipher • Hence the key is probably equal to 8 • We can now decrypt the cipher text to reveal: There once was an ugly duckling With feathers all stubby and brown And the other birds said in so many words Get out of town Get out, get out, get out of town And he went with a quack and a waddle and a quack In a flurry of eiderdown That poor little ugly duckling Went wandering far and near But at every place they said to his face Now get out, get out, get out of here And he went with a quack and a waddle and a quack And a very unhappy tear
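
The key recovery of slides 6 to 8, as an added example that is not part of the original presentation. It swaps the by-eye comparison of E and A for a chi-squared score over all 26 letters; the function names and the rounded frequency table are assumptions, and the ciphertext is the opening of the slide 6 text.

```python
from collections import Counter

# Approximate English letter frequencies in percent, A..Z (rounded textbook values).
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Opening lines of the slide 6 ciphertext.
CIPHERTEXT = ("BPMZM WVKM EIA IV COTG LCKSTQVO EQBP NMIBPMZA ITT ABCJJG IVL JZWEV "
              "IVL BPM WBPMZ JQZLA AIQL QV AW UIVG EWZLA")

def shift(text, k):
    """Add k to every letter A..Z modulo 26; leave other characters alone."""
    return "".join(chr((ord(c) - 65 + k) % 26 + 65) if "A" <= c <= "Z" else c
                   for c in text)

def chi_squared(text):
    """Distance between the letter counts of text and the English distribution."""
    letters = [c for c in text if "A" <= c <= "Z"]
    counts = Counter(letters)
    total = 0.0
    for i, pct in enumerate(ENGLISH):
        expected = len(letters) * pct / 100
        total += (counts[chr(65 + i)] - expected) ** 2 / expected
    return total

def rank_keys(ciphertext):
    """All 26 keys, best first: the key whose decryption looks most like English."""
    return sorted(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))

if __name__ == "__main__":
    key = rank_keys(CIPHERTEXT)[0]
    print(key, shift(CIPHERTEXT, -key))
```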

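  9. Basic Operating Principles of a Cryptosystem • A cryptosystem consists of a set of algorithms together with all possible keys, plaintexts, and ciphertexts • Its security rests on a private key unknown to others, not on the algorithm • The algorithm is public, which helps in setting standards for interoperable applications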

  10. Two Main Types of Cryptosystems • Traditional • Symmetric Key • Public-Key (1976~) • Asymmetric Key

  11. Traditional Symmetric Cryptosystems • Plaintext → Encrypt (symmetric key) → Ciphertext • Ciphertext → Decrypt (symmetric key) → Plaintext • DES (Data Encryption Standard) – chip-based bank cards • AES (Advanced Encryption Standard)

  12. Private Key and Public Key • Private key → public key: easy to compute • Public key → private key: very difficult • This is achieved by means of mathematical tools

  13. Public Key Cryptosystem • Plaintext → Encrypt (public key) → Ciphertext • Ciphertext → Decrypt (private key) → Plaintext • Most widely used PKC: RSA (Rivest – Shamir – Adleman, 1977) • PKC gaining increasing attention: ECC (Elliptic Curve Cryptosystem)

  14. Digital Signature • Message → Sign (private key) → Signature • Signature → Verify (public key) • Confidentiality • Authentication • Integrity • Non-Repudiation

  15. New Standard: AES • Standard FIPS-197 approved by NIST in 2001 • Official scope is limited: • US Federal Administration will use AES as Government standard from 26 May 2002 • Documents that are “sensitive but not classified” • Significance is huge: The successor of DES • Block size: 128 bits (16 bytes) • Key length: 128/192/256 bits (16/24/32 bytes) • Strong algebraic structure

  16. Outline • Basics in Cryptography • Public-Key Cryptosystems • Quadratic Sieve • Number Field Sieve • Factoring RSA-512

  17. RSA • Key generation (RSA-1024) • Generate large primes p and q of at least 512 bits • Compute N = pq and φ(N) = φ(p)φ(q) = (p − 1)(q − 1) • Select random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1 • Using XGCD, compute the unique integer d with 1 < d < φ(N) and e·d ≡ 1 (mod φ(N)) • Public key: (N, e), which is published • Private key: (d, p, q), which is kept secret

  18. Encryption & Decryption • Encryption: If Bob wants to encrypt a message for Alice, he does the following • Obtain Alice’s authentic public key (N, e) • Represent the message as a number 0 < x < N • Compute y = x^e mod N • Send the ciphertext y to Alice • Decryption: To recover x from y, Alice does the following • Use the private key d to recover x = y^d mod N
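
The key generation, encryption and decryption steps of slides 17 and 18, as an added example that is not code from the presentation. The function names and the toy primes p = 61, q = 53 with e = 17 are constructed for illustration; e is passed in rather than drawn at random so the run is reproducible.

```python
def xgcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def keygen(p, q, e):
    """Return ((N, e), (d, p, q)) following the slide's key generation steps."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = xgcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    d = s % phi                      # unique d with e*d = 1 (mod phi(N))
    return (n, e), (d, p, q)

def encrypt(public, x):
    n, e = public
    if not 0 < x < n:
        raise ValueError("message must satisfy 0 < x < N")
    return pow(x, e, n)              # y = x^e mod N

def decrypt(public, private, y):
    return pow(y, private[0], public[0])   # x = y^d mod N

if __name__ == "__main__":
    public, private = keygen(61, 53, 17)   # constructed toy parameters
    y = encrypt(public, 65)
    print(public, private, y, decrypt(public, private, y))
```

This is the unpadded operation exactly as the slides state it, at toy size; the private exponent follows directly from p and q, which is why factoring N breaks the key.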

  19. Elliptic Curve y^2 = x^3 + ax + b • R is determined by the line passing through P and Q

  20. Elliptic Curve y^2 = x^3 + ax + b • R is determined by the tangent line if P = Q • The slope is derived by implicit differentiation

  21. Discrete Logarithm Problem • On Zp • Given a and g, find x such that g^x ≡ a (mod p) • On Elliptic Curve Groups • Given P and Q, find x such that xP = Q • Both are very hard computational problems, especially the latter, “ECDLP” • The security of RSA is based on the difficulty of large integer factoring

  22. Congruent Squares • To factor N = pq, try to find integers x and y such that x^2 ≡ y^2 (mod N) • If x ≢ ±y (mod N), then gcd(x − y, N) and gcd(x + y, N) are non-trivial factors of N • pq = N | (x^2 − y^2) = (x + y)(x − y) • This idea from Fermat inspired the factoring methods of Continued Fraction, Quadratic Sieve, and Number Field Sieve

  23. Integer Factoring Algorithms • Length of input = log2 N + 1 ≈ log N • Trial Division Complexity: • Quadratic Sieve (1980’s) • Number Field Sieve (1990’s) • L(s) = • s = 1: exponential time • 0 < s < 1: sub-exponential time • s = 0: polynomial time (Shor’s quantum algorithm)

  24. RSA Challenge Numbers

  25. RSA-640 Factored

  26. RSA-640 Number

  27. RSA-1024 Number

  28. Outline • Basics in Cryptography • Public-Key Cryptosystems • Quadratic Sieve • Number Field Sieve • Factoring RSA-512

  29. Smooth Numbers • F = {p1, p2, p3, …, pm} is a factor base consisting of prime numbers • A number is smooth over F if all of its prime factors are in F • We try to find smooth numbers ri = p1^e1 · p2^e2 · p3^e3 ⋯ pm^em and record the ei in the exponent vector vi = (e1, e2, e3, …, em)

  30. Smooth Numbers • Assume we have enough smooth numbers • e.g. k smooth numbers with k > m • By linear algebra modulo 2, we can find ai (= 0 or 1 for each i) such that

  31. Smooth Numbers • Example • F = {2, 3, 5, 7} is a factor base • Some smooth numbers over F: r1 = 105 = 3·5·7, r2 = 140 = 2^2·5·7, r3 = 392 = 2^3·7^2, r4 = 588 = 2^2·3·7^2 • Corresponding exponent vectors: v1 = (0, 1, 1, 1), v2 = (2, 0, 1, 1), v3 = (3, 0, 0, 2), v4 = (2, 1, 0, 2)

  32. Smooth Numbers • 1·v1 + 1·v2 + 0·v3 + 1·v4 = (4, 2, 2, 4) ≡ (0, 0, 0, 0) (mod 2) • We get a square: r1 r2 r4 = 2^4 · 3^2 · 5^2 · 7^4 • Recall: The goal is to find x^2 ≡ y^2 (mod N) • The question then becomes finding many smooth numbers over a factor base F

  33. Quadratic Sieve • To factor N, define g(x) = x^2 − N • x is an integer between and • note that g : Z → ZN preserves multiplications • We want to find enough smooth g(xi) • p | g(xi) implies p | g(xi + p) • If p | (xi^2 − N), then 0 ≡ xi^2 − N ≡ xi^2 − N + 2p·xi + p^2 ≡ (xi + p)^2 − N (mod p) • “Sieve” g(xi) with every prime p in the factor base

  34. Quadratic Sieve • Record g(xi) in an array G for each xi • If p | g(xi), G[xi] := G[xi] + log p • integer addition for speed • After sieving, check the smoothness of g(xi) whose G[xi] ≥ chosen threshold

  35. Quadratic Sieve • Use linear algebra to find appropriate xi’s such that ∏ g(xi) = y^2, then x = ∏ xi satisfies x^2 = ∏ xi^2 ≡ ∏ g(xi) = y^2 (mod N) • The problem of QS is that x^2 − N goes up quickly, hence the chance of smoothness decreases fast • Q: Can we find another algebraic structure with a homomorphism to ZN? • A: Number Field Q() with the number field sieve
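
Slides 29 to 35 as one runnable toy, added here as an illustration and not taken from the presentation: log sieving of g(x) = x^2 − N, exponent vectors, linear algebra modulo 2, and the final gcd. The function names, the modulus N = 15347, the factor base of primes below 30 and the interval of 100 values are constructed for the example; the threshold slack of log(largest prime) is an assumption that lets values with a repeated prime through to trial division.

```python
import math

def find_relations(N, F, M):
    """Sieve g(x) = x^2 - N on M values of x above sqrt(N); keep the F-smooth ones."""
    x0 = math.isqrt(N) + 1
    G = [0.0] * M                        # G[i] collects log p for each p | g(x0 + i)
    for p in F:
        for r in range(p):               # brute-force roots of x^2 = N (mod p)
            if (r * r - N) % p == 0:     # p | g(r), hence p | g(r + p), g(r + 2p), ...
                for i in range((r - x0) % p, M, p):
                    G[i] += math.log(p)
    rels, slack = [], math.log(F[-1])    # slack: the sieve counts each prime only once
    for i, score in enumerate(G):
        x, exps = x0 + i, []
        g = x * x - N
        if score < math.log(g) - slack:  # below threshold: cannot be smooth, skip
            continue
        for p in F:                      # confirm smoothness by trial division
            e = 0
            while g % p == 0:
                g, e = g // p, e + 1
            exps.append(e)
        if g == 1:
            rels.append((x, exps))       # exponent vector of g(x) over F
    return rels

def dependencies(masks):
    """Gaussian elimination mod 2: yield index lists whose vectors sum to zero."""
    pivots = {}                          # leading bit -> (reduced row, rows combined)
    for i, row in enumerate(masks):
        combo = 1 << i
        while row:
            top = row.bit_length() - 1
            if top not in pivots:
                pivots[top] = (row, combo)
                break
            row, combo = row ^ pivots[top][0], combo ^ pivots[top][1]
        else:                            # row cancelled completely: a dependency
            yield [j for j in range(i + 1) if combo >> j & 1]

def quadratic_sieve(N, F=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29), M=100):
    """Return a pair of non-trivial factors of N, or None if no dependency works."""
    rels = find_relations(N, F, M)
    masks = [sum((e & 1) << j for j, e in enumerate(ex)) for _, ex in rels]
    for dep in dependencies(masks):
        x = math.prod(rels[i][0] for i in dep) % N
        total = [sum(rels[i][1][j] for i in dep) for j in range(len(F))]
        y = math.prod(pow(p, e // 2, N) for p, e in zip(F, total)) % N
        d = math.gcd(x - y, N)           # x^2 = y^2 (mod N)
        if 1 < d < N:
            return d, N // d
```

For N = 15347 the sieve keeps x = 124, 126, 127 and 195; g(126) = 23^2 is already a square, and the rows for 124, 127 and 195 give the dependency 29 · 782 · 22678 = 22678^2.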

  36. Outline • Basics in Cryptography • Public-Key Cryptosystems • Quadratic Sieve • Number Field Sieve • Factoring RSA-512

  37. SNFS and GNFS • Special Number Field Sieve (SNFS) • Number of nice algebraic form • Record: 2^1039 − 1 (1039th Mersenne number) • 313 digits / 1039 bits, May 2007 • “A Kilobit Special Number Field Sieve Factorization”, Asiacrypt 2007 • General Number Field Sieve (GNFS) • No known nice algebraic form • Record: RSA-200 • 200 digits / 663 bits, 2005

  38. Invention of SNFS • John Pollard had the interesting idea to factor the 7th Fermat number F7 = 2^(2^7) + 1 by doing very clever computations in the number field Q() = Q[x] / <x^3 + 2> • It was clear immediately that his idea could be used to factor any number of the form r^e ± s for small r and s

  39. Invention of GNFS • Subsequently, many people contributed to making the basic algorithm work for integers without such a special form • General numbers can be factored with the same algorithm • The first step (polynomial selection) becomes much harder • The algorithm runs with much “worse” parameters than for numbers of special form

  40. Polynomial Selection • Find an irreducible polynomial f(x) such that f(m) ≡ 0 (mod N) • We can write N in the base of m first: N = cd·m^d + … + c1·m + c0 and take f(x) = cd·x^d + … + c1·x + c0 • A lot of research and deep theory has been developed to make f(x) “better”

  41. Number Field • Let be a complex root of f(x) • Q() is a finite field extension of Q • Q() is the number field associated to  • Q() can be viewed as a vector space over Q, with a basis {1, , 2, …. d1} • d is the degree of f(x) • [Q() : Q] = d

  42. Ring Homomorphism • A map h: A → B is a homomorphism if h(x + y) = h(x) + h(y) and h(x · y) = h(x) · h(y) for all x, y ∈ A • Define a ring homomorphism φ: Z[] → ZN by φ() ≡ m (mod N) • φ is a homomorphism because f() = 0 and f(m) ≡ 0 (mod N) • φ(a  b) a  bm (mod N)

  43. Squares in Both Sides • Suppose there is a set S consisting of relatively prime pairs (a, b) satisfying both: (which is called the algebraic side) (which is called the rational side)

  44. Squares in Both Sides • Let x = φ(), then we have x2 = φ()2 = φ( 2) = φ( (a  b))  (a  bm) = y 2 (mod N) • Therefore we factor N with probability ½

  45. Four Major Steps • Polynomial Selection • Choose a polynomial f(x) with a root m (mod N) and good properties • Sieving • Find enough pairs (a, b) such that a − bm and a b are both smooth • Each smooth pair (a, b) is called a relation

  46. Four Major Steps • Matrix Reduction • Form a very large matrix after finding and simplifying enough relations • Solve the system of linear equations to obtain the required set S such that

  47. Four Major Steps • Square Root • So far we have y2 and 2 • Compute their square roots y and • Recall: x = φ() • Many methods to compute Z[], but all of them are sophisticated • Finally we get the congruent squares x^2 ≡ y^2 (mod N)

  48. Observations • Each step is very complicated • algebraic number theory • large effort to implement • Sieving is the most time consuming • The sieving time can be reduced by selecting a good polynomial f(x) • i.e. finding a better polynomial can speed up the Number Field Sieve

  49. Outline • Basics in Cryptography • Public-Key Cryptosystems • Quadratic Sieve • Number Field Sieve • Factoring RSA-512

  50. Open Source GGNFS • [Flowchart of the GGNFS tool chain. Labels: No polynomial file, pol51m0, pol51opt, Already have polynomial file, makefb, gnfs-lasieve4I, sieve, procrels, enough FF (NO / YES), matbuild, matsolve, sqrt, Factored!]
