Cryptography Lecture 7: RSA Primality Testing Piotr Faliszewski.


1 Cryptography Lecture 7: RSA Primality Testing Piotr Faliszewski

2 Previous Class
Number theory
- Euler’s phi function
RSA
- Definition
- Correctness
Quiz
- Min = 14
- Med = 21.75
- Max = 30

3 The RSA Algorithm
Alice
- $m$ – message to Bob
- $m < n$, otherwise cut $m$ in blocks
- Receives the public key $(n, e)$ from Bob
- Computes $c = m^e \pmod{n}$, sends it to Bob
Bob
- $p, q$ – large primes, $n = pq$
- choose $e$ s.t. $\gcd(e, \varphi(pq)) = 1$
- compute $d$ s.t. $de = 1 \pmod{\varphi(n)}$
- Bob sends his public key $(n, e)$ to Alice
- Bob decrypts the message: $m = c^d \pmod{n}$

4 Security of RSA
How to attack RSA?
- we have public key $(n, e)$
- compute $\varphi(n)$ and get $d$
Easier said than done!!
- If we have $n$ and $\varphi(n)$ then we can factor $n$
- If we have $e$ and $d$ then we can factor $n$
[Photo: Adi Shamir]
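
Why knowing $\varphi(n)$ gives the factors of $n$, as a derivation added here (it is not on the original slide). It uses only $n = pq$ and $\varphi(n) = (p-1)(q-1)$; the numbers in the last line are a constructed toy case.

$$\varphi(n) = (p-1)(q-1) = n - (p+q) + 1 \quad\Longrightarrow\quad p + q = n - \varphi(n) + 1 =: s$$

$$x^2 - s x + n = (x - p)(x - q) \quad\Longrightarrow\quad p,\, q = \frac{s \pm \sqrt{s^2 - 4n}}{2}$$

For $n = 3233$ and $\varphi(n) = 3120$: $s = 114$, $s^2 - 4n = 12996 - 12932 = 64$, so $p, q = (114 \pm 8)/2 = 61, 53$.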

5 Attacks on RSA
Various attacks on RSA
- known digits attack
- low exponent attack
- short plaintext attack
- timing attack
- factoring
[Photo: Len Adleman]

6 Known Digits Attack
Theorem
- $n = pq$ has $m$ digits
- If we know the first or the last $m/4$ digits of either $p$ or $q$, then we can efficiently factor $n$
Theorem
- $(n, e)$ – RSA public key
- $n$ has $m$ digits, and we know the last $m/4$ digits of $d$
- We can find $d$ in time linear in $e \log e$
Conclusion: we need to take care with the choice of $p$ and $q$!

7 Low Exponent Attack
Theorem
- $p, q$ – RSA primes, $q < p < 2q$, $n = pq$
- $1 \le d, e < \varphi(n)$
- $de = 1 \pmod{\varphi(n)}$
- If $d < \frac{1}{3} n^{1/4}$, then $d$ can be calculated quickly
Consequences
- cannot optimize decryption via small exponents
- how to choose good $d$’s?

8 Short Plaintext Attack
Scenario
- DES – symmetric cipher, used in the past
- Two banks exchange DES keys over RSA
- DES key $m$: 56 bits ($m < 2^{56} < 10^{17}$)
- RSA encryption: $c = m^e \pmod{n}$
- $m$ small, but $c$ will have many digits

9 Short Plaintext Attack
$c = m^e \pmod{n}$, $m < 2^{56} < 10^{17}$
Eve prepares two lists:
- $c x^{-e} \pmod{n}$, $1 \le x \le 10^9$
- $y^e \pmod{n}$, $1 \le y \le 10^9$
If there is a match between the lists then
- $c = (xy)^e \pmod{n}$
- thus: $m = xy \pmod{n}$
If $m$ is a product of two numbers $< 10^9$ then this attack will succeed

10 Short Plaintext Attack
Defense:
- do not use short messages!
- pad with random bits
- Optimal Asymmetric Encryption Padding
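
Slide 9's two-list search on a toy textbook-RSA key, with slide 10's defense beside it: once pad bits push m above bound², no pair in the lists multiplies to it. This is an added example, not code from the lecture; the modulus, the bound of 1024, the sample key and the fixed pad are constructed, and a real system would use fresh random padding such as OAEP.

```python
# Toy parameters (constructed): two known Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537               # textbook RSA public key, no padding
BOUND = 1024                      # stands in for the slide's 10^9
SMALL_KEY = 997 * 1009            # short message that is a product of two values <= BOUND
PAD = 0x9F3A6C51D2E47B08 << 24    # fixed stand-in for random pad bits (constructed)

def encrypt_unpadded(m):
    """c = m^e mod n, exactly as on slide 8."""
    return pow(m, E, N)

def short_plaintext_search(c, e, n, bound):
    """Slide 9: match c * x^(-e) against y^e for 1 <= x, y <= bound.
    Returns m = x*y on a match, otherwise None."""
    ys = {pow(y, e, n): y for y in range(1, bound + 1)}   # list of y^e mod n
    for x in range(1, bound + 1):
        # pow with a negative exponent needs gcd(x, n) = 1; true here since x < P, Q
        t = c * pow(x, -e, n) % n
        if t in ys:
            return x * ys[t] % n
    return None

def demo():
    """Returns (result for the bare key, result for the padded key)."""
    bare = short_plaintext_search(encrypt_unpadded(SMALL_KEY), E, N, BOUND)
    # With the pad in place m exceeds BOUND^2, so no pair (x, y) can multiply to it.
    padded = short_plaintext_search(encrypt_unpadded(PAD | SMALL_KEY), E, N, BOUND)
    return bare, padded

if __name__ == "__main__":
    print(demo())
```

The work is about 2 × bound modular exponentiations instead of the 2^56 trials a naive search over the key space would need, which is why the message size alone gives no protection.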

11 Optimal Asymmetric Encryption Padding
- $n$ – $k$ bits
- $k_0, k_1$ – two numbers s.t. $k_0 + k_1 < k$
- Message can have $k - k_0 - k_1$ bits
- $r$ – random string of $k_0$ bits
- $G: \{0,1\}^{k_0} \to \{0,1\}^{k-k_0}$
- $H: \{0,1\}^{k-k_0} \to \{0,1\}^{k_0}$
The method
- $x_1 = m0^{k_1} \oplus G(r)$
- $x_2 = r \oplus H(x_1)$
- The message is $x_1 x_2$
- Bob decrypts and gets $m0^{k_1} = x_1 \oplus G(H(x_1) \oplus x_2)$
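
The padding transform of slide 11 in Python, as an added example (not code from the lecture, and not the PKCS #1 RSAES-OAEP encoding). It covers only the pad and unpad steps around the RSA operation; the byte lengths, the use of SHAKE-256 for G and H, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

K, K0, K1 = 128, 32, 32      # byte lengths (assumed): k = 1024, k0 = k1 = 256 bits
MSG_LEN = K - K0 - K1        # the message has k - k0 - k1 bits

def G(r):                    # G: k0 bits -> k - k0 bits
    return hashlib.shake_256(b"G" + r).digest(K - K0)

def H(x1):                   # H: k - k0 bits -> k0 bits
    return hashlib.shake_256(b"H" + x1).digest(K0)

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_pad(m):
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    r = secrets.token_bytes(K0)              # fresh randomness for every encryption
    x1 = xor(m + bytes(K1), G(r))            # x1 = m0^{k1} XOR G(r)
    x2 = xor(r, H(x1))                       # x2 = r XOR H(x1)
    return x1 + x2                           # the block that RSA then encrypts

def oaep_unpad(block):
    if len(block) != K:
        raise ValueError("wrong block length")
    x1, x2 = block[:K - K0], block[K - K0:]
    r = xor(x2, H(x1))                       # recover r = H(x1) XOR x2
    padded = xor(x1, G(r))                   # m0^{k1} = x1 XOR G(H(x1) XOR x2)
    # The k1 zero bits act as an integrity check on the decrypted block.
    if not hmac.compare_digest(padded[MSG_LEN:], bytes(K1)):
        raise ValueError("padding check failed")
    return padded[:MSG_LEN]

if __name__ == "__main__":
    key = bytes(MSG_LEN - 7) + bytes.fromhex("0123456789abcd")  # constructed 56-bit key
    print(oaep_unpad(oaep_pad(key)) == key)
```

Because r is fresh each time, the same short key yields a different full-width block on every encryption, which removes the small, structured m that the short plaintext attack needs.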

12 Timing Attack
Within the RSA computation we perform exponentiation
- quick exponentiation procedure
- multiplications occur for each bit of the exponent that is 1
- these multiplications take "random" amounts of time (variation)
Very hard in practice!
- Initiated a big discussion

13 Exponentiation Algorithm
Goal: $y^d \pmod{n}$
- $d = b_1 b_2 \ldots b_w$ (in binary, left-to-right)
Algorithm
1. $k = 1$, $s_1 = 1$
2. if $b_k = 1$ then $r_k = s_k y \pmod{n}$ else $r_k = s_k$
3. $s_{k+1} = r_k^2 \pmod{n}$
4. if $k = w$, stop; else set $k$ to $k+1$, goto 2
5. output $r_w$
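
Slide 13's algorithm in Python, instrumented to count the step-2 multiplications that slide 12 names as the timing signal, next to a Montgomery ladder that does the same two operations for every exponent bit. This is an added example, not code from the lecture; the ladder and the function names are this example's choice, and operation counts stand in for timing because Python integers are not constant-time.

```python
def modexp_slide13(y, d, n):
    """Left-to-right square-and-multiply as on slide 13.
    Returns (y^d mod n, number of multiplications done in step 2)."""
    s, r, mults = 1, 1, 0
    for bit in bin(d)[2:]:            # b_1 ... b_w, most significant bit first
        if bit == "1":
            r = s * y % n             # step 2: extra multiply only for 1-bits
            mults += 1
        else:
            r = s
        s = r * r % n                 # step 3: always square
    return r % n, mults

def modexp_ladder(y, d, n):
    """Montgomery ladder: one multiply and one square per bit, whatever the bit.
    Returns (y^d mod n, total modular operations)."""
    r0, r1, ops = 1, y % n, 0         # invariant: r1 = r0 * y (mod n)
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        ops += 2
    return r0 % n, ops

def multiply_counts(exponents, y=7, n=561):
    """Step-2 multiply count per exponent: it equals the exponent's Hamming weight."""
    return {d: modexp_slide13(y, d, n)[1] for d in exponents}

if __name__ == "__main__":
    # Two 7-bit exponents (constructed): 1000001 and 1111111 in binary.
    print(multiply_counts([0b1000001, 0b1111111]))
    print(modexp_ladder(7, 0b1000001, 561)[1], modexp_ladder(7, 0b1111111, 561)[1])
```

Both exponents are 7 bits long, yet the slide's algorithm does 2 versus 7 conditional multiplications while the ladder does 14 operations for each.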

14 Factoring and Primality Testing

15 Factoring
- Input: $n \in \mathbb{N}$
- Output: nontrivial factor of $n$
Primality testing
- Input: $n \in \mathbb{N}$
- Output:
  - the number is composite
  - the number is probably prime
Is there a difference?
- Yes! – primality testing much easier!
- You do not need to factor the number to see it is composite

16 Factoring and Primality Testing
Primality testing
- often need large primes
  - $n = pq$ in RSA
  - $p, q$ – large primes
- there are many primes
  - $\pi(x) \approx x/\ln(x)$
- to choose $p, q$ – choose a number randomly and test if it is a prime
  - increase if composite
Factoring
- security of RSA = hardness of factoring
- quick factoring – allows us to break RSA
- studying factoring – tells us how to choose $p$ and $q$ for RSA
  - so $pq$ is hard to factor

17 Fermat’s Test
Fermat’s test:
- $n$ – input
- randomly choose $a$ s.t. $1 < a < n-1$
- if $a^{n-1} = 1 \pmod{n}$ then probably prime
- else certainly composite
Fermat’s Theorem
If:
- $p$ – a prime number
- $a$ – a number s.t. $p$ does not divide $a$
Then: $a^{p-1} = 1 \pmod{p}$

18 Fermat’s Test
Fermat’s test is only probabilistic
- usually gives a good answer
- can give a wrong one!
- A composite number $n$ s.t. $a^{n-1} = 1 \pmod{n}$ is called pseudoprime for base $a$
Example
- $2^{560} = 1 \pmod{561}$
- $561 = 3 \cdot 11 \cdot 17$
But...
- $3^{560} = 375 \pmod{561}$

19 Miller-Rabin Test
Generalization of Fermat’s test
Principle
- if $p$ is a prime then $x^2 = 1 \pmod{p}$ has only two solutions: $x = 1$ and $x = -1$
Why does the principle hold?
Gist of the MR test
- find a number $b$ such that $b^2 = 1 \pmod{p}$
- If $b \notin \{-1, 1\}$ then composite

20 Miller-Rabin Test
MR( int n ):
  let $n - 1 = 2^k m$
  $a \leftarrow$ random in $\{2, 3, \ldots, n-2\}$
  $b_0 = a^m \pmod{n}$
  if $b_0 = \pm 1 \pmod{n}$ then declare prime
  for $j = 1$ to $k-1$ do
    $b_j = b_{j-1}^2 \pmod{n}$
    if $b_j = 1 \pmod{n}$ then declare composite
    if $b_j = -1 \pmod{n}$ then declare prime
  declare composite
Why does this work?
- $b_0 = a^m \pmod{n}$
- $b_1 = a^{2m} \pmod{n}$
- $b_2 = a^{4m} \pmod{n}$
- ...
- $b_j = a^{2^j m} \pmod{n}$
- ...
- $b_{k-1} = a^{(n-1)/2} \pmod{n}$

21 Miller-Rabin Test: Examples
$n = 5 \cdot 7 \cdot 11 = 385$
$n - 1 = 384 = 2^7 \cdot 3$
$k = 7$, $m = 3$
$a = 9$
$b_0 = 9^3 = 344 \pmod{385}$
$b_1 = 9^{3 \cdot 2} = 141 \pmod{385}$
$b_2 = 9^{3 \cdot 2^2} = 246 \pmod{385}$
$b_3 = 9^{3 \cdot 2^3} = 71 \pmod{385}$
$b_4 = 9^{3 \cdot 2^4} = 36 \pmod{385}$
$b_5 = 9^{3 \cdot 2^5} = 141 \pmod{385}$

$n = 3 \cdot 11 \cdot 17 = 561$
$n - 1 = 560 = 2^4 \cdot 35$
$k = 4$, $m = 35$
$a = 2$
$b_0 = 2^{35} = 263 \pmod{561}$
$b_1 = 2^{35 \cdot 2} = 166 \pmod{561}$
$b_2 = 2^{35 \cdot 2^2} = 67 \pmod{561}$
$b_3 = 2^{35 \cdot 2^3} = 1 \pmod{561}$

Proof of compositeness!

22 Miller-Rabin Test: Examples
$n = 401$
$n - 1 = 400 = 2^4 \cdot 25$
$k = 4$, $m = 25$
$a = 3$
$b_0 = 3^{25} = 268 \pmod{401}$
$b_1 = 3^{25 \cdot 2} = 45 \pmod{401}$
$b_2 = 3^{25 \cdot 2^2} = 20 \pmod{401}$
$b_3 = 3^{25 \cdot 2^3} = 400 \pmod{401} = -1 \pmod{401}$

$n = 401$
$n - 1 = 400 = 2^4 \cdot 25$
$k = 4$, $m = 25$
$a = 2$
$b_0 = 2^{25} = 356 \pmod{401}$
$b_1 = 2^{25 \cdot 2} = 20 \pmod{401}$
$b_2 = 2^{25 \cdot 2^2} = 400 \pmod{401}$

Evidence of primality!

23 Miller-Rabin Test
if $b_0 = \pm 1 \pmod{n}$
- all $b_i$’s ($i > 0$) will be 1
- can’t find nontrivial roots of 1
$i \in \{1, \ldots, k-1\}$
- if $b_i = 1 \pmod{n}$ then
  - $b_{i-1}$ is neither 1 nor -1
  - $b_{i-1}^2 = 1 \pmod{n}$
  - we found a nontrivial root
- if $b_i = -1 \pmod{n}$ then
  - $b_{i+1}$ through $b_k$ are all $1 \pmod{n}$
  - can’t find nontrivial roots of 1
Why does this work?
- $b_0 = a^m \pmod{n}$
- $b_1 = a^{2m} \pmod{n}$
- $b_2 = a^{4m} \pmod{n}$
- ...
- $b_j = a^{2^j m} \pmod{n}$
- ...
- $b_{k-1} = a^{(n-1)/2} \pmod{n}$

24 Miller-Rabin Test: Quality
MR test is probabilistic
Answer
- composite – the number is certainly composite
- prime – the number is prime with high probability
Errors
- MR(n) says prime but n is composite
- $\Pr[\text{error}] \le 1/4$
- Repeat the test to reduce the probability of error
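
The test from slides 20 to 24 as runnable Python, an added example that is not code from the lecture. `mr_trace` returns the verdict together with the sequence b_0, b_1, ... so the worked examples on slides 21 and 22 can be reproduced; `is_probable_prime`, its 20-round default and `random_prime` (slide 16's "choose randomly, increase if composite") are assumptions of this example.

```python
import random

def mr_trace(n, a):
    """One Miller-Rabin round for odd n > 3 and base a, in the slides' notation.
    Returns (verdict, [b_0, b_1, ...])."""
    k, m = 0, n - 1
    while m % 2 == 0:                 # write n - 1 = 2^k * m with m odd
        k, m = k + 1, m // 2
    b = pow(a, m, n)                  # b_0 = a^m mod n
    seq = [b]
    if b in (1, n - 1):
        return "probably prime", seq
    for _ in range(1, k):             # j = 1 .. k-1
        b = b * b % n                 # b_j = b_{j-1}^2 mod n
        seq.append(b)
        if b == 1:                    # b_{j-1} was a nontrivial square root of 1
            return "composite", seq
        if b == n - 1:
            return "probably prime", seq
    return "composite", seq

def fermat_passes(n, a):
    """Fermat's test from slide 17 for a single base a."""
    return pow(a, n - 1, n) == 1

def is_probable_prime(n, rounds=20, rng=random):
    """Repeat the round with fresh random bases; error is at most (1/4)^rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(mr_trace(n, rng.randrange(2, n - 1))[0] != "composite"
               for _ in range(rounds))

def random_prime(bits, rng=random):
    """Slide 16: pick a random odd number of the given size, step up until prime.
    Pass rng=random.SystemRandom() when the prime is key material."""
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not is_probable_prime(n, rng=rng):
        n += 2
    return n

if __name__ == "__main__":
    print(fermat_passes(561, 2), mr_trace(561, 2))   # Fermat fooled, MR not
```

For n = 561 and a = 2 the Fermat test passes while the Miller-Rabin round reports composite, because b_2 = 67 is a square root of 1 other than ±1.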

25 Other Primality Tests
Solovay-Strassen Test
- similar in nature to MR
- uses the so-called Jacobi symbol
- fast in practice
- probabilistic
Deterministic test
- Agrawal, Kayal, and Saxena 2002
- extremely slow
Tests that prove primality
- MR tests compositeness!
- fairly slow
- needed in very few cases

