Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Presentation transcript:

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday (can use discussion forum to find teammates). 3. HW6 posted, due date next week. Questions? This week: Primality testing, factoring; Discrete Logs. DTTF/NB479: Dszquphsbqiz, Day 22

The Square Root Compositeness Theorem gives a way to factor certain composite numbers. Given integers n, x, and y: Then n is composite, and gcd(x-y, n) is a non-trivial factor. Proof: on board. Toy example showing 21 is composite using x=2 and y=16.

The Miller-Rabin Compositeness Test just reorders the Fermat test’s powermod to catch pseudoprimes. Observe: n is odd and n>1. Trick: write n-1 = 2^k m, where k >= 1. We’ll compute powers from inside out, checking if the result is +1 or -1 at each step.

It uses the Square Root Compositeness Theorem to catch most pseudoprimes.
Given odd n>1, write n-1 = 2^k m, where k >= 1.
Choose a base a randomly (or just pick a=2).
Let b_0 = a^m (mod n). If b_0 = +/-1, stop. n is probably prime by Fermat.
For i = 1..k-1: Compute b_i = b_{i-1}^2. If b_i = 1 (mod n), stop. n is composite by SRCT, and gcd(b_{i-1} - 1, n) is a factor. If b_i = -1 (mod n), stop. n is probably prime by Fermat.
If b_k = 1 (mod n), stop. n is composite by SRCT.
Else n is composite by Fermat.

Examples of Miller-Rabin: 1. n=189 2. n=561 (recall Fermat says prob prime) 3. Complete the table on your quiz

[Flowchart: input n; decision boxes "Even?", "div by other small primes?", "Prime by Factoring/advanced techn.?"; branches no/yes; result "prime"] Fermat’s contrapositive is OK, but Miller-Rabin is better!

Finding large probable primes. #primes < x = Density of primes: ~1/ln(x). For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime. Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Can repeat with different bases to improve probability that it’s prime. Maple’s nextprime() appears to do this, but also runs the Lucas test: math473.htm [Flowchart: input n; decision boxes "Even?", "div by other small primes?", "Pass M-R?", "Prime by Factoring/advanced techn.?"; branches no/yes; result "prime"] Fermat’s contrapositive is OK, but Miller-Rabin is better!

Using within a primality testing scheme [Flowchart: input n; decision boxes "Odd?", "div by other small primes?", "Pass M-R?", "Prime by Factoring/advanced techn.?"; branches no/yes; result "prime"]

Factoring. If you are trying to factor n=pq and know that p~q, use Fermat factoring: Compute n + 1^2, n + 2^2, n + 3^2, until you reach a perfect square, say r^2 = n + k^2. Then n = r^2 - k^2 = (r+k)(r-k). Example: factor The moral of the story? Choose p and q such that _____

(p-1) Algorithm. Useful if p|n and (p-1) has only small factors. Choose any a>1 (like a=2) and bound B. Compute b = a^(B!) (mod n). (How?) Then compute d = gcd(b-1, n). If 1<d<n, then d is a non-trivial factor. Matlab example: n=5183. We’ll use a=2, B=6. Why does it work?

Moral of this story? To get a 100-digit number n=pq resistant to this attack: Make sure (p-1) has at least 1 large prime factor: Pick p_0 = nextprime(10^40). Choose k ~ 10^60 such that p = (k p_0 + 1) is prime. How to test? Repeat for q.
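Why key generation has to avoid close primes and smooth p-1, shown as an added Python example (not from the original slides) that runs both methods on the slide's n=5183 with a=2, B=6. The function names are assumptions, and 8881 = 83 x 107 is a modulus constructed here so that p-1 = 2*41 and q-1 = 2*53 each have a prime factor above the bound B.

```python
from math import gcd, isqrt

def fermat_factor(n, max_k=10**6):
    """Try n + 1^2, n + 2^2, ... until a perfect square r^2 = n + k^2."""
    for k in range(1, max_k + 1):
        r = isqrt(n + k * k)
        if r * r == n + k * k:
            return r - k, r + k        # n = (r-k)(r+k)
    return None

def p_minus_1(n, a=2, B=6):
    """b = a^(B!) mod n, built as (((a^2)^3)^4 ...)^B so B! is never
    formed as an exponent; returns a non-trivial factor or None."""
    b = a
    for j in range(2, B + 1):
        b = pow(b, j, n)
    d = gcd(b - 1, n)
    return d if 1 < d < n else None

if __name__ == "__main__":
    print(fermat_factor(5183))   # primes 71 and 73 are only 2 apart
    print(p_minus_1(5183))       # 73 - 1 = 2^3 * 3^2 divides 6!
    print(p_minus_1(8881))       # 41 and 53 do not divide 6!
```

The repeated `pow(b, j, n)` loop is one answer to the slide's "(How?)": each step raises the running value to the next integer, so after j = B the exponent is B!.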

Example: Factor n = Concepts we will learn also apply to factoring really big numbers. They are the basis of the best current methods. All you have to do to win $30,000 is factor a 212 digit number. This is the RSA Challenge:

Quadratic Sieve (1) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 1: Pick a factor base, just a set of small factors. In our examples, we’ll use those < 20. There are 8: 2, 3, 5, 7, 11, 13, 17, 19

Quadratic Sieve (2a) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 2: We want squares that are congruent to products of factors in the factor base. Our hope: Reasonably small numbers are more likely to be products of factors in the factor base. 1. Then which is small as long as k isn’t too big 2. Loop over small , lots of k. 3. A newer technique, the number field sieve, is somewhat faster

Quadratic Sieve (2b) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 2: We want squares that are congruent to products of factors in the factor base. Our hope: Reasonably small numbers are more likely to be products of factors in the factor base. Examples:

Quadratic Sieve (3) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 3: Want two non-congruent perfect squares. Example: This is close, but all factors need to be paired. Recall:

Quadratic Sieve (3b) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 3: Want two non-congruent perfect squares. Example: This is close, but all factors need to be paired. Generate lots of # and experiment until all factors are paired. So what? gcd( , n)=1093. Other factor = n/1093=3511

Quadratic Sieve (3b) Factor n = Want x,y: gcd(x-y, n) is a factor. Step 4: Want to get 2 non-congruent perfect squares. Example: This is close, but all factors need to be paired. Generate lots of # and experiment until all factors are paired. To automate this search: Can write each example as a row in a matrix, where each column is a prime in the factor base. Then search for dependencies among rows mod 2. May need extra rows, since sometimes we get x=+/-y.

Factor n = To automate this search: Each row in the matrix is a square. Each column is a prime in the factor base. Search for dependencies among rows mod 2. For last one (green) So we can’t use the square root compositeness theorem. My code [Matrix with three "Sum:" rows]
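The automated search described in the quadratic sieve slides, as an added Python example that is not the "My code" the slide refers to. The modulus is taken as 1093 x 3511 = 3837523, reconstructed from the two factors the slides give; the function names, the loop bounds kmax and jmax, and the bitmask elimination are assumptions made here.

```python
from math import gcd, isqrt

BASE = (2, 3, 5, 7, 11, 13, 17, 19)    # the slides' factor base: primes < 20

def exponents(v, base=BASE):
    """Exponent vector of v over the factor base, or None if v is not smooth."""
    if v == 0:
        return None
    exps = []
    for p in base:
        e = 0
        while v % p == 0:
            v, e = v // p, e + 1
        exps.append(e)
    return exps if v == 1 else None

def quadratic_sieve(n, kmax=200, jmax=10):
    rels = []      # rows of the matrix: (x, exponent vector of x^2 mod n)
    pivots = {}    # leading bit -> (parity mask, bitmask of rows combined)
    for k in range(1, kmax):
        for j in range(1, jmax + 1):
            x = isqrt(k * n) + j               # x^2 mod n stays small
            exps = exponents(x * x % n)
            if exps is None:
                continue
            rels.append((x, exps))
            mask = sum((e & 1) << i for i, e in enumerate(exps))
            rows = 1 << (len(rels) - 1)
            while mask and (mask.bit_length() - 1) in pivots:
                pm, pr = pivots[mask.bit_length() - 1]
                mask, rows = mask ^ pm, rows ^ pr   # eliminate mod 2
            if mask:                           # independent row: keep as pivot
                pivots[mask.bit_length() - 1] = (mask, rows)
                continue
            # Dependency: the selected rows multiply to a perfect square.
            X, total = 1, [0] * len(BASE)
            for i, (xi, ei) in enumerate(rels):
                if rows >> i & 1:
                    X = X * xi % n
                    total = [t + e for t, e in zip(total, ei)]
            Y = 1
            for p, t in zip(BASE, total):
                Y = Y * pow(p, t // 2, n) % n  # all factors are now paired
            d = gcd(X - Y, n)
            if 1 < d < n:                      # skip the x = +/-y cases
                return d
    return None
```

A dependency that yields gcd 1 or n is the x=+/-y case the slides warn about; the loop simply keeps collecting rows until a later dependency gives a proper factor.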