Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Published byRosalyn Mason Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 8: Primality Testing and Factoring Piotr Faliszewski"— Presentation transcript:

1 Lecture 8: Primality Testing and Factoring Piotr Faliszewski
Cryptography Lecture 8: Primality Testing and Factoring Piotr Faliszewski

2 Previous Class Attacks on RSA Practical RSA Known digits attacks
Low exponent attacks Short plaintext attacks Timing attacks Practical RSA Exponentiation modulo n Primality testing

3 Factoring and Primality Testing
Input: n  N Output: nontrivial factor of n Primality testing Input n  N Output: the number is composite the number is probably prime Is there a difference? Yes! – primality testing much easier! You do not need to factor the number to see it is composite

4 Miller-Rabin Test Generalization of the Fermat’s test
Principle if p is a prime then x2 = 1 (mod p) has only two solutions: x = 1 and x = -1 Why does the principle hold? Gist of the MR test find a number b such that b2 = 1 (mod p) If b  {-1,1} then composite

5 Miller-Rabin Test What are we doing? b0 = am (mod n) b1 = a2m (mod n)
MR( int n ): let n-1 = 2km a  random in {2, 3, ..., n-2 } b0 = am (mod n) if b0 = ±1 (mod n) then declare prime for j = 1 to k-1 do bj = bj-12 (mod n) if bj = 1 (mod n) then declare composite if bj = -1 (mod n) then declare prime declare composite What are we doing? b0 = am (mod n) b1 = a2m (mod n) b2 = a4m (mod n) ... bj = a2jm (mod n) bk-1 = a(n-1)/2 (mod n)

6 Miller-Rabin Test: Examples
k = 7, m = 3 a = 9 b0 = 93 = 344 (mod 385) b1 = 93*2 = 141 (mod 385) b2 = 93*22 = 246 (mod 385) b3 = 93*23 = 71 (mod 385) b4 = 93*24 = 36 (mod 385) b5 = 93*25 = 141 (mod 385) n = 3*11*17 = 561 n -1 = 560 = 24*35 k = 4, m = 35 a = 2 b0 = 235 = 263 (mod 561) b1 = 235*2 = 166 (mod 561) b2 = 235*22 = 67 (mod 561) b3 = 235*23 = 1 (mod 561) Proof of compositeness!

7 Miller-Rabin Test: Examples
k = 4, m = 25 a = 3 b0 = 325 = 268 (mod 401) b1 = 325*2 = 45 (mod 401) b2 = 325*22 = 20 (mod 401) b3 = 325*23 = 400 (mod 401) = -1 (mod 401) n = 401 n -1 = 400 = 24*25 k = 4, m = 25 a = 2 b0 = 225 = 356 (mod 401) b1 = 225*2 = 20 (mod 401) b2 = 225*22 = 400 (mod 401) Evidence of primality!

8 Miller-Rabin Test if b0 = ±1 (mod n) i  {1, ..., k-1} Why this works?
all bi’s (i > 0) will be 1 can’t find nontrivial roots of 1 i  {1, ..., k-1} if bi = 1 (mod n) then bi-1 is neither 1 nor -1 bi-12 = 1 (mod n) we found a nontrivial root if bi = -1 (mod n) then bi+1 through bk are all 1 (mod n) Why this works? n-1 = 2km b0 = am (mod n) b1 = a2m (mod n) b2 = a4m (mod n) ... bj = a2jm (mod n) bk-1 = a(n-1)/2 (mod n)

9 Miller-Rabin Test: Quality
MR test is probabilistic Answer composite – the number is certainly composite prime – the number is prime with high probability Errors MR(n) says prime but n is composite Pr[error] ≤ ¼ Repeat the test to downgrade the prob. of error

10 Other Primality Tests Solovay-Strassen Test Deterministic test
similar in nature to MR uses so called Jacobi symbol fast in practice probabilistic Deterministic test Agrawal, Kayal, and Saxena 2002 extremely slow Tests that prove primality MR tests compositeness! fairly slow needed in very few cases

11 Factoring Huge amount of work on factoring! Some best algorithms
we look at some simple algorithms Some best algorithms quadratic sieve elliptic curve number field sieve Assumption Factor an odd integer produce one factor how to get all of them? O(e(1+o(1))sqrt(lnn lnln n)) O(e(1+o(1))sqrt(lnp lnln p)) O(e(1.92+o(1))(lnn)1/3(lnlnn)2/3)

12 Factoring Factoring There are about (n) = n / ln n primes ≤ n
Input: n  N Output: nontrivial factor of n There are about (n) = n / ln n primes ≤ n Trivial methods divide by all numbers in {2, ... , n-1} or by all primes p p ≤ sqrt(n) These are exponential!

13 Fermat’s Method The principle The algorithm Examples
express n as a difference of squares n = x2 - y2 n = (x-y)(x+y) The algorithm Compute: n + i2 for i  {1,2, ... } Stop when n + i2 is a square (i.e., x2 = n+i2) Then we have n = x2 – i2 Examples 15 = 42 – 12 = (4-1)(4+1) = 3*5 21 = 52 – 22 = = (5-2)(5+2) = 3*7

14 Fermat’s Method The principle The algorithm Performance
express n as a difference of squares n = x2 - y2 n = (x-y)(x+y) The algorithm Compute: n + i2 for i 2 {1,2, ... } Stop when n + i2 is a square (i.e., x2 = n+i2) Then we have n = x2 – i2 Performance depends on distance between x and y could be very slow! Conclusion for RSA p and q should differ by a large value

15 Pollard’s p-1 Method The method Goal of the method Example input: n
choose a > 1 (e.g., a = 2) choose B let b = aB! (mod n) d = gcd( b - 1, n ) d is a factor of n Goal of the method factor n = pq... provided p-1 has only small prime factors Example n = 7 * 11 = 77 a = 2 B = 4, B! = 2*3*4 = 24 b = 224 = 71 (mod 77) gcd(b-1, n) = gcd(70,77) = 7

16 Pollard’s p-1 Method The method Goal of the method Example input: n
choose a > 1 (e.g., a = 2) choose B let b = aB! (mod n) d = gcd( b - 1, n ) d is a factor of n Goal of the method factor n = pq... provided p-1 has only small prime factors Example n = 7 * 11 = 77 a = 2 B = 2, B! = 2 b = 22 = 4 (mod 77) gcd(b-1, n) = gcd(3,77) = 1

17 Pollard’s p-1 Method The method Goal of the method Example input: n
choose a > 1 (e.g., a = 2) choose B let b = aB! (mod n) d = gcd( b - 1, n ) d is a factor of n Goal of the method factor n = pq... provided p-1 has only small prime factors Example n = 7 * 11 = 77 a = 2 B = 6, B! = 2*3*4*5*6 = 720 b = 2720 = 1 (mod 77) gcd(b-1, n) = gcd(0,77) = 77

18 Pollard’s p-1 Method In symbols: How to compute aB! b1 = a (mod n)
b2 = b12 (mod n) ... bi = bi-1i How to compute aB! B! – can be very big 5! = 120 6! = 720 10! = 20! = n! – about n log2 n bits

19 Pollard’s p-1 Method In symbols: How to compute aB! b1 = a (mod n)
b2 = b12 (mod n) ... bi = bi-1i How to compute aB! a = 2, B = 4, n = 77 b1 = 2 (mod 77) b2 = 22 = 4 (mod 77) b3 = 43 = 64 (mod 77) b4 = 644 = = 71 (mod 77)

20 Pollard’s p-1 Method The method Why does it work? input: n
choose a > 1 (e.g., a = 2) choose B let b = aB! (mod n) d = gcd( b - 1, n ) d is a factor of n Why does it work? p – prime factor of n suppose: p-1 has only small prime factors Then likely p-1 | B! Then B! = k(n-1) b = (ap-1)k (mod p) b = 1 (mod p) p | b - 1

21 Pollard’s p-1 Method Potential problems Choice of B n = pq
both p and q have small factors b = 1 (mod p) b = 1 (mod q) Method fails Choice of B too small  method won’t work too big  works slowly or fails Example n = 7 * 11 = 77 a = 2 B = 2  to small B = 4  worked B = 6  to big 7 - 1 = 6 = 2*3 2! – does not contain 3 4! – contains 2 and 3 6! – contains 2,3 and 5  covers both factors!

22 Pollard’s p-1 Method Conclusions for RSA How to defend? n = pq
p-1 or q-1 has small prime factors? then RSA can be broken How to defend? p0  chose a large prime e.g., p0 > 1040 try numbers of the form: kp0 + 1 k – needs to be even! k > 1060 test kp0+1 for primality

23 Factoring Relation to squares Examples n – an integer
x,y – to integers s.t. x2 = y2 (mod n) x  y (mod n) if such x, y exist then n is composite gcd( x-y, n ) is a nontrivial factor Examples 112 = 121 = 1 (mod 12) 52 = 25 = 1 (mod 12) 11  5 (mod 12) gcd(11-5, 12 ) = 6

24 Factoring Relation to squares Examples n – an integer
x,y – to integers s.t. x2 ´ y2 (mod n) x  y (mod n) if such x, y exist then n is composite gcd( x-y, n ) is a nontrivial factor Examples 52 = 25 = 7 (mod 9) 142 = 196 = 7 (mod 9) 14 = 9+5 = 5 (mod 9) gcd(14-5, 9 ) = 9

25 Quadratic Sievie Idea try to apply the principle from the previous slide find x,y such that x2 = y2 (mod n) x  y (mod n) x  -y (mod n) finding such x, y  not obvious Take “random” squares Reduce modulo n Factor (hope for small factors!) Try to build squares from what you get

26 Quadratic Sieve: Example
n = = 55  19 (mod n) = 22  5  11  13  19 (mod n) = 32  133 (mod n) = 26  32  11 (mod n) 80772 = 2  19 ( mod n) = 25  5  132 (mod n) = 52  72  13 (mod n) (9398   1964  17078)2 = 28  32  56  112  134  192 = (24  3  53  11  132  19)2 (mod n) = (mod n) gcd( – , ) = 1093

27 Quadratic Sieve: Example
n = = 55  19 (mod n) = 22  5  11  13  19 (mod n) = 32  133 (mod n) = 26  32  11 (mod n) 80772 = 2  19 ( mod n) = 25  5  132 (mod n) = 52  72  13 (mod n) (9398  8077  3397)2 = 26  56  132  192 = (23  53  13  19)2 (mod n) = (mod n) BUT: n – =  = (mod n)

28 How to Find the Squares? What squares to use?
we want small prime factors? so x2 should be slightly above n Idea: Try integers close to: sqrt(i  n) + j small j, various i (sqrt(i  n) + j)2 ≈ in + 2j sqrt(in) +j2 approx: 2j sqrt(in) + j2 (mod n)

Download ppt "Lecture 8: Primality Testing and Factoring Piotr Faliszewski"

Similar presentations

Prime recognition and factorization

Prime recognition and factorization
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Cryptography and Network Security

Cryptography and Network Security
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
MS 101: Algorithms Instructor Neelima Gupta

MS 101: Algorithms Instructor Neelima Gupta
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:

Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:
Chapter 8 More Number Theory. Prime Numbers Prime numbers only have divisors of 1 and itself They cannot be written as a product of other numbers Prime.

Chapter 8 More Number Theory. Prime Numbers Prime numbers only have divisors of 1 and itself They cannot be written as a product of other numbers Prime.
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.

Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
and Factoring Integers (I)

and Factoring Integers (I)
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.

1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem.

מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem.

Similar presentations

Ads by Google