
1
**The RSA Cryptosystem and Factoring Integers (I)**

Rong-Jaye Chen

2
**OUTLINE**

[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA

3
**[1] Modular Arithmetic Algorithms**

1. The integers. a divides b, written a|b. If b has a divisor a, then a is said to be a nontrivial divisor. a is prime if it has no nontrivial divisors; otherwise, a is composite. The prime theorem: If c|a and c|b, then c is a common divisor of a and b. If d is a greatest common divisor of a and b, then we write d = gcd(a,b).

4
**Euclidean algorithm(a,b)** (for greatest common divisor)

Input: a > 0, b > 0. Output: gcd(a,b).
(1) Set r_0 = a and r_1 = b.
(2) Determine the first n such that r_{n+1} = 0, where r_{i+1} = r_{i-1} mod r_i.
(3) Return r_n.

Extended Euclidean algorithm(a,b)
Input: a > 0, b > 0. Output: (r, s, t) with r = gcd(a,b) and sa + tb = r. (Omitted)

5
Example: gcd(299,221) = ?

6
**If gcd(a,b)=1, then a and b are said to be relatively prime.**

Phi function: φ(n) is the number of integers a with 0 < a < n and gcd(a,n) = 1.

7
2. The integers modulo n. a is congruent to b modulo n, written a ≡ b (mod n), if n | (a-b). Z_n = {0,1,…,n-1}. Given a ∈ Z_n, if there exists x ∈ Z_n with ax ≡ 1 (mod n), then a is said to be invertible and its inverse x is denoted a^{-1}.

8
**Use the Extended Euclidean Algorithm to calculate a^{-1} mod n**

Example: a = 7 and n = 9. Run the Euclidean algorithm to find gcd(a,n), then the extended Euclidean algorithm to write gcd(a,n) = sa + tn; when gcd(a,n) = 1, s mod n is a^{-1} mod n.
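The two algorithms of the preceding slides in working form, as an added example (not code from the slides): the remainder sequence r_0, r_1, … for gcd(299,221), the extended version returning (r, s, t) with sa + tb = r, and the modular inverse of 7 mod 9 read off from s.

```python
# Added example: Euclidean algorithm, extended Euclidean algorithm and
# modular inverse. Inputs below are the slides' own numbers.

def euclid_gcd(a, b):
    """Iterate r_{i+1} = r_{i-1} mod r_i until a zero remainder appears.
    Returns (gcd, remainder sequence) so the steps can be inspected."""
    r = [a, b]
    while r[-1] != 0:
        r.append(r[-2] % r[-1])
    return r[-2], r


def extended_euclid(a, b):
    """Return (r, s, t) with r = gcd(a, b) and s*a + t*b = r.
    The pairs (old_s, s) and (old_t, t) track the coefficients of the
    current and previous remainders."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """a^{-1} mod n via the extended Euclidean algorithm.
    Returns None when gcd(a, n) != 1, i.e. when no inverse exists."""
    r, s, _ = extended_euclid(a, n)
    if r != 1:
        return None
    return s % n


if __name__ == "__main__":
    g, steps = euclid_gcd(299, 221)
    print("gcd(299,221) =", g, "remainders:", steps)
    print("extended(7,9) =", extended_euclid(7, 9))
    print("7^-1 mod 9 =", mod_inverse(7, 9))
```

For gcd(299,221) the remainder sequence is 299, 221, 78, 65, 13, 0, so the answer is 13 = 3·299 − 4·221; for a = 7, n = 9 the inverse is 4 since 7·4 = 28 ≡ 1 (mod 9).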

9
**Z_n* = {a | gcd(a,n) = 1 and 0 < a < n}**

For example, Z_12* = {1,5,7,11}, Z_15* = {1,2,4,7,8,11,13,14}. (Z_n*, ·) forms a multiplicative group.

10
**Fermat's little theorem:** if p is prime and gcd(a,p) = 1, then a^{p-1} ≡ 1 (mod p).

Euler's theorem: if gcd(a,n) = 1, then a^{φ(n)} ≡ 1 (mod n). The order of a ∈ Z_n*, written ord(a), is the least positive integer t such that a^t ≡ 1 (mod n). If a ∈ Z_n* has ord(a) = φ(n), then a is said to be a generator of Z_n*; in this case, every element of Z_n* is a power of a.

11
**Example: n = 15, Z_15* = {1,2,4,7,8,11,13,14}, φ(15) = φ(3)·φ(5) = 2·4 = 8**

12
**3. Chinese remainder theorem**

If the integers n_1, …, n_k are pairwise relatively prime, then the system of congruences x ≡ a_i (mod n_i), i = 1, …, k, has a unique solution modulo n = n_1·n_2·…·n_k.

13
**Algorithm: Gauss algorithm**

(1) Input k, n_i, a_i, for i = 1,2,…,k.
(2) Compute N_i = n/n_i for i = 1,2,…,k.
(3) Compute the inverse M_i = N_i^{-1} mod n_i for i = 1,2,…,k.
(4) Compute x = (a_1 N_1 M_1 + … + a_k N_k M_k) mod n.

14
Example

15
4. Square-and-Multiply Algorithm: Square-and-Multiply(x, c, n). Input: x ∈ Z_n, c with binary representation c = c_{k-1}…c_1c_0 (c_i ∈ {0,1}). Output: x^c mod n.

16
Example: 9726^c mod 11413 = ? with c = (110111001101)_2 = 3533; each row squares z and multiplies by 9726 when c_i = 1.

i  c_i  z
11  1   1^2 × 9726 = 9726
10  1   9726^2 × 9726 = 2659
9   0   2659^2 = 5634
8   1   5634^2 × 9726 = 9167
7   1   9167^2 × 9726 = 4958
6   1   4958^2 × 9726 = 7783
5   0   7783^2 = 6298
4   0   6298^2 = 4629
3   1   4629^2 × 9726 = 10185
2   1   10185^2 × 9726 = 105
1   0   105^2 = 11025
0   1   11025^2 × 9726 = 5761
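The left-to-right square-and-multiply loop, as an added example (not the slides' code), with a trace option that reproduces the (i, c_i, z) rows of the table above for 9726^3533 mod 11413 and can be compared against Python's built-in pow.

```python
# Added example: left-to-right square-and-multiply with a step trace.


def square_and_multiply(x, c, n, trace=None):
    """Return x^c mod n. Scan the bits of c from the most significant one
    down; every step squares z, and a 1 bit additionally multiplies by x.
    If trace is a list, one (i, c_i, z) row is appended per bit."""
    if n <= 0 or c < 0:
        raise ValueError("need n > 0 and c >= 0")
    bits = bin(c)[2:]          # c_{k-1} ... c_0 as a string
    k = len(bits)
    z = 1 % n                  # handles n = 1 correctly
    for pos, bit in enumerate(bits):
        i = k - 1 - pos        # bit index, as in the table
        z = z * z % n
        if bit == '1':
            z = z * x % n
        if trace is not None:
            trace.append((i, int(bit), z))
    return z


def trace_rows(x, c, n):
    """Convenience: return the full (i, c_i, z) table for x^c mod n."""
    rows = []
    square_and_multiply(x, c, n, rows)
    return rows


if __name__ == "__main__":
    for i, ci, z in trace_rows(9726, 3533, 11413):
        print(f"{i:>2} {ci} {z:>6}")
    print("9726^3533 mod 11413 =", square_and_multiply(9726, 3533, 11413))
```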

17
**[2] The RSA Cryptosystem**

Proposed by Rivest, Shamir, and Adleman (1977). Used for encryption and signature schemes. Based on the intractability of the integer factorization problem.

Key generation: Let p, q be large primes, n = pq and φ(n) = (p-1)(q-1). Choose b at random such that gcd(b, φ(n)) = 1. Compute a = b^{-1} mod φ(n). Public key: (n, b). Private key: (n, a) or (p, q, a).

18
RSA Cryptosystem. Let n = pq, where p and q are primes. Let P = C = Z_n, and define K = {(n,p,q,a,b): ab ≡ 1 (mod φ(n))}. For K = (n,p,q,a,b), define e_K(x) = x^b mod n and d_K(y) = y^a mod n. Public key: (n, b). Private key: (n, a) or (p, q, a).

19
**Verify that encryption and decryption are inverse operations**

Since ab ≡ 1 (mod φ(n)), we have ab = tφ(n) + 1 for some t ≥ 1. Suppose that x ∈ Z_n*; then (x^b)^a = x^{tφ(n)+1} = (x^{φ(n)})^t · x = 1^t · x = x (mod n), as desired. For x ∈ Z_n but not in Z_n*: exercise.

20
**E.g. p = 7, q = 13, n = 91, φ(n) = (p-1)(q-1) = 72**

Choose b = 5 and compute a = b^{-1} mod 72 = 29. Public key: (91, 5). Private key: (7, 13, 29). Assume the message is m = 23. The ciphertext is c = m^b mod n = 23^5 mod 91 = 4, and it is decrypted by m = c^a mod n = 4^29 mod 91 = 23.

21
**RSA encryption (Alice → Bob)**

n = pq, b·a ≡ 1 (mod φ(n)). Bob's private key KR_Bob = (n, a); Bob's public key KU_Bob = (n, b).
Encryption (Alice): C = E_{KU_Bob}(M) = M^b (mod n).
Decryption (Bob): M = D_{KR_Bob}(C) = C^a (mod n).

22
**RSA signature scheme (Alice → Bob)**

n = pq, b·a ≡ 1 (mod φ(n)). Alice's signing key KR_Alice = (n, a); Alice's verification key KU_Alice = (n, b).
Signing (Alice): hash M, then A = E_{KR_Alice}(H(M)) = H(M)^a (mod n).
Verification (Bob): compute D_{KU_Alice}(A) = A^b (mod n) and compare it with H(M).
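The key generation, encryption/decryption and signing/verification of slides 17 to 22, as an added example that is not the slides' code. It uses the slides' toy parameters p = 7, q = 13, b = 5; the hash H is an assumption (SHA-256 reduced mod n, which is only sensible for this toy modulus), and the round trip is checked over all of Z_n, including the non-units that the exercise on slide 19 asks about.

```python
# Added example: textbook RSA encryption and signature with the slides' toy
# parameters. Textbook RSA (no padding) is for illustration only.
import hashlib
from math import gcd


def rsa_keygen(p, q, b):
    """Return ((n, b), (n, a)) with a = b^{-1} mod phi(n)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(b, phi_n) != 1:
        raise ValueError("b must be relatively prime to phi(n)")
    a = pow(b, -1, phi_n)
    return (n, b), (n, a)


def encrypt(pub, m):
    n, b = pub
    return pow(m, b, n)            # e_K(x) = x^b mod n


def decrypt(priv, c):
    n, a = priv
    return pow(c, a, n)            # d_K(y) = y^a mod n


def hash_to_zn(msg, n):
    """Assumed toy hash H(M) in Z_n: SHA-256 of the message reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, a = priv
    return pow(hash_to_zn(msg, n), a, n)   # A = H(M)^a mod n


def verify(pub, msg, sig):
    n, b = pub
    return pow(sig, b, n) == hash_to_zn(msg, n)   # compare A^b with H(M)


def roundtrip_all(pub, priv):
    """Does decrypt(encrypt(x)) = x for every x in Z_n, units or not?"""
    n = pub[0]
    return all(decrypt(priv, encrypt(pub, x)) == x for x in range(n))


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 13, 5)
    print("public", pub, "private", priv)
    c = encrypt(pub, 23)
    print("23 ->", c, "->", decrypt(priv, c))
    msg = b"constructed sample message"
    sig = sign(priv, msg)
    print("signature", sig, "verifies:", verify(pub, msg, sig))
```

Because b is relatively prime to φ(n), x ↦ x^b is a permutation of Z_n, so exactly one signature value verifies for a given hash; the test below uses that to check that a wrong signature is rejected without needing the hash value in advance.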

23
**[3] Quadratic Residues. 1. Quadratic residue modulo n**

Let a ∈ Z_n*; then a is a quadratic residue modulo n if there exists x ∈ Z_n* with x^2 ≡ a (mod n). In this case, x is a square root of a modulo n. Otherwise, a is a quadratic nonresidue modulo n. Q_n: the set of quadratic residues modulo n; its complement in Z_n*: the set of quadratic nonresidues modulo n.

24
**2. Theorem: p > 2 is prime and α is a generator of Z_p***

25
**3. Corollary: p > 2 is prime and α is a generator of Z_p***

(1) (2) (3) (4)

4. Legendre symbol: p > 2 is prime and

26
**5. Theorem: Euler's criterion**

6. E.g.: use Square-and-Multiply

27
7. Jacobi symbol: n > 2 is an odd integer, p_i is prime and

28
**8. Properties of the Jacobi symbol: m, n > 2 are odd integers**

(1) (2) (3) (4) (5) (6)

29
**9. E.g.: calculate the Jacobi symbol without factoring n**

(property 2) (property 6) (property 3) (property 4)

30
**10. Jacobi symbol vs. quadratic residue modulo n**

The elements of Z_n* with Jacobi symbol 1 that are quadratic nonresidues are called pseudosquares modulo n.

31
**11. E.g.: n = 15. The Jacobi symbols (a/15) for a ∈ Z_15* are calculated in the following table:**

a:      1   2   4   7   8  11  13  14
(a/15): 1   1   1  -1   1  -1  -1  -1

32
**12. Quadratic residuosity problem (QRP)**

Determine whether a given a ∈ Z_n* with Jacobi symbol (a/n) = 1 is a quadratic residue or a pseudosquare modulo n.

33
**[4] Primality Testing. (1) Prime numbers**

1. How to generate large prime numbers?
(1) Generate as candidate a random odd number n of appropriate size.
(2) Test n for primality.
(3) If n is composite, return to the first step.

34
**2. Distribution of prime numbers**

(1) Prime number theorem. Let Π(x) denote the number of prime numbers ≤ x. Then Π(x) ~ x/ln(x) as x → ∞.
(2) Dirichlet theorem. If gcd(a, n) = 1, then there are infinitely many primes congruent to a mod n.

35
(3) Let Π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n) = 1. Then Π(x, n, a) ~ Π(x)/φ(n): the prime numbers are roughly uniformly distributed among the φ(n) congruence classes in Z_n*.
(4) Approximation for the nth prime number p_n

36
**(2) Solovay-Strassen primality test**

1. Trial method for testing whether n is prime or composite.
2. Definition: Euler witness. Let n be an odd composite integer and a ∈ Z_n*.
(1) If a^{(n-1)/2} ≢ (a/n) (mod n), then a is an Euler witness (to compositeness) for n.

(2) Otherwise, if a^{(n-1)/2} ≡ (a/n) (mod n), then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.

38
**3. Example (Euler pseudoprime)**

Consider n = 91 (= 7×13). Since 9^45 ≡ 1 (mod 91) and (9/91) = 1, 91 is an Euler pseudoprime to the base 9.
4. Fact: At most φ(n)/2 of all the numbers a, 1 ≤ a ≤ n-1, are Euler liars for n.

39
**5. Algorithm: Solovay-Strassen(n, t)**

INPUT: n odd, n ≥ 3, t ≥ 1. OUTPUT: "prime" or "composite".
1. For i = 1 to t do:
  1.1 Choose a random integer a, 2 ≤ a ≤ n-2. If gcd(a,n) ≠ 1 then return ("composite").
  1.2 Compute r = a^{(n-1)/2} mod n (use square-and-multiply). If r ≠ 1 and r ≠ n-1 then return ("composite").
  1.3 Compute the Jacobi symbol s = (a/n). If r ≢ s (mod n) then return ("composite").
2. Return ("prime").

40
**6. Solovay-Strassen error-probability bound**

For any odd composite integer n, the probability that Solovay-Strassen(n, t) declares n to be "prime" is less than (1/2)^t.

41
**(3) Miller-Rabin primality test**

1. Fact. Let p be an odd prime with p-1 = 2^s·r, where r is odd, and gcd(a, p) = 1. Then a^r ≡ 1 (mod p) or a^{2^j·r} ≡ -1 (mod p) for some j, 0 ≤ j ≤ s-1. Why? (1) Fermat's little theorem: a^{p-1} ≡ 1 (mod p). (2) 1 and -1 are the only two square roots of 1 in Z_p*.

42
2. Definition. Let n be an odd composite integer with n-1 = 2^s·r, r odd, and 1 ≤ a ≤ n-1. a is a strong witness to compositeness for n if a^r ≢ 1 (mod n) and a^{2^j·r} ≢ -1 (mod n) for all j, 0 ≤ j ≤ s-1. n is a strong pseudoprime to the base a if a^r ≡ 1 (mod n) or a^{2^j·r} ≡ -1 (mod n) for some j, 0 ≤ j ≤ s-1 (a is called a strong liar to primality for n).

43
**3. Algorithm: Miller-Rabin(n, t)**

INPUT: n odd, n ≥ 3, t ≥ 1. OUTPUT: "prime" or "composite".
1. Write n-1 = 2^s·r such that r is odd.
2. For i = 1 to t do:
  2.1 Choose a random integer a, 2 ≤ a ≤ n-2.
  2.2 Compute y = a^r mod n (use square-and-multiply).
  2.3 If y ≠ 1 and y ≠ n-1 do:
    j ← 1
    while j ≤ s-1 and y ≠ n-1 do:
      y ← y^2 mod n
      if y = 1 then return ("composite")
      j ← j+1
    if y ≠ n-1 then return ("composite")
3. Return ("prime").

44
**4. Example (strong pseudoprime)**

Consider n = 91 (= 7×13). 91-1 = 2·45, so s = 1, r = 45. Since 9^r = 9^45 ≡ 1 (mod 91), 91 is a strong pseudoprime to the base 9. The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}. The number of strong liars for 91 is 18 = φ(91)/4.
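An added example, not the slides' code, implementing the strong-liar definition and the Miller-Rabin loop of slides 42 and 43, enumerating the strong liars of 91 to reproduce the set above, and wrapping the test in the prime-generation procedure of slide 33 (random odd candidate, test, repeat). The bit size and random seed used are assumptions for the demonstration.

```python
# Added example: strong liars, Miller-Rabin, and random prime generation.
import random
from math import gcd


def decompose(n):
    """Write n-1 = 2^s * r with r odd; return (s, r)."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s += 1
        r //= 2
    return s, r


def is_strong_liar(a, n):
    """True if a^r = 1 or a^(2^j r) = -1 (mod n) for some 0 <= j <= s-1,
    i.e. the base a does not reveal that n is composite."""
    s, r = decompose(n)
    y = pow(a, r, n)
    if y == 1 or y == n - 1:
        return True
    for _ in range(s - 1):
        y = y * y % n
        if y == 1:                  # a nontrivial square root of 1 was found
            return False
        if y == n - 1:
            return True
    return False


def strong_liars(n):
    return [a for a in range(1, n) if is_strong_liar(a, n)]


def phi(n):
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def miller_rabin(n, t, rng=random):
    """'composite' is always correct; 'prime' is wrong with probability
    below (1/4)^t for composite n."""
    if n < 2:
        return "composite"
    if n in (2, 3):
        return "prime"
    if n % 2 == 0:
        return "composite"
    for _ in range(t):
        a = rng.randint(2, n - 2)
        if not is_strong_liar(a, n):
            return "composite"
    return "prime"


def generate_prime(bits, t=40, rng=random):
    """Slide 33 procedure: random odd candidate of the requested size,
    test it, repeat until a probable prime is found."""
    if bits < 2:
        raise ValueError("need at least 2 bits")
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if miller_rabin(n, t, rng) == "prime":
            return n


def trial_division_prime(n):
    """Reference check for small n."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


if __name__ == "__main__":
    print("strong liars for 91:", strong_liars(91))
    print("Miller-Rabin(91, 5):", miller_rabin(91, 5))
    print("16-bit probable prime:", generate_prime(16))
```

n = 9 is the exception mentioned on the next slide: its strong liars are 1 and 8, which is more than φ(9)/4, while the 1/4 bound on the fraction of all bases still holds.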

45
5. Fact. If n is an odd composite integer, then at most 1/4 of all the numbers a, 1 ≤ a ≤ n-1, are strong liars for n. In fact, if n ≠ 9, then the number of strong liars for n is at most φ(n)/4.

46
**6. Miller-Rabin error-probability bound**

For any odd composite integer n, the probability that Miller-Rabin(n, t) declares n to be "prime" is less than (1/4)^t.
7. Remark. For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of φ(n)/4, so the Miller-Rabin error probability is much smaller than (1/4)^t.
