
The RSA Algorithm
Based on the idea that factorization of integers into their prime factors is hard.
★ $n = p \cdot q$, where $p$ and $q$ are distinct primes
Proposed by Rivest, Shamir, and Adleman in 1977; a paper was published in The Communications of ACM in 1978
A public-key cryptosystem

RSA Algorithm
Bob chooses two primes $p, q$ and computes $n = pq$
Bob chooses $e$ with $\gcd(e, (p-1)(q-1)) = \gcd(e, \varphi(n)) = 1$
Bob solves $de \equiv 1 \pmod{\varphi(n)}$
Bob makes $(e, n)$ public and $(p, q, d)$ secret
Alice encrypts $M$ as $C \equiv M^e \pmod{n}$
Bob decrypts by computing $M \equiv C^d \pmod{n}$

Proof for the RSA Algorithm
$C^d \equiv (M^e)^d \equiv M^{ed} \equiv M^{1+k\varphi(n)} \equiv M \pmod{n}$ by Euler’s theorem and Exercise 19 on p.192
p= , q= , n=p . q=
Let e=9007, ∴ d=
M=“cat”=30120, C=

Another Example
$n = 127 \times 193 = 24511$, $\varphi(n) = 24192$
$e = 1307$, $d = 10643$
Encrypt “box” with $M = 21524$, then $C = ?$
Encrypt the following message:
Formosa means a beautiful island

Selected Problems from P (1)
$n = 11413 = 101 \times 113$, so $p = 101$, $q = 113$
$\varphi(n) = (p-1) \times (q-1) = 100 \times 112 = 11200$
Choose $e = 7467$, then $\gcd(e, \varphi(n)) = 1$
Solve $de \equiv 1 \pmod{\varphi(n)}$ to get $d = 3$
If the ciphertext $C = 5859$, then the plaintext $M \equiv C^d \equiv$ $\equiv 1415 \pmod{11413}$
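The key setup and decryption from the two numeric slides above, as an added C example that is not part of the original slides. The function names are this example's own, and it assumes n < 2^32 so every product fits in 64 bits; keys of that size are for checking the arithmetic only.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: x^d mod n. Assumes n < 2^32 so products fit in 64 bits. */
static uint64_t modpow(uint64_t x, uint64_t d, uint64_t n) {
    uint64_t y = 1 % n;
    for (x %= n; d; d >>= 1, x = x * x % n)
        if (d & 1) y = y * x % n;
    return y;
}

/* Extended Euclid: returns d with d*e = 1 (mod phi), or 0 if gcd(e, phi) != 1. */
static uint64_t rsa_private_exponent(uint64_t e, uint64_t phi) {
    int64_t r0 = (int64_t)phi, r1 = (int64_t)(e % phi), t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;   /* remainder sequence */
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;   /* r_i = t_i * e (mod phi) */
    }
    if (r0 != 1) return 0;                      /* e is not invertible mod phi */
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)phi : t0);
}

static uint64_t rsa_encrypt(uint64_t m, uint64_t e, uint64_t n) { return modpow(m, e, n); }
static uint64_t rsa_decrypt(uint64_t c, uint64_t d, uint64_t n) { return modpow(c, d, n); }

int main(void) {
    /* Numbers from the slides: n = 101 * 113, e = 7467, C = 5859. */
    uint64_t n = 11413, phi = 100 * 112, e = 7467;
    uint64_t d = rsa_private_exponent(e, phi);
    printf("d = %llu, M = %llu\n", (unsigned long long)d,
           (unsigned long long)rsa_decrypt(5859, d, n));
    /* Second slide key: n = 127 * 193, e = 1307, d = 10643, M = 21524 ("box"). */
    uint64_t c = rsa_encrypt(21524, 1307, 24511);
    printf("C = %llu, decrypts to %llu\n", (unsigned long long)c,
           (unsigned long long)rsa_decrypt(c, 10643, 24511));
    return 0;
}
```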

Fast Computation of $x^d \pmod{n}$
mod ≡ mod ≡ 310 (mod 511) ≡ 32 (mod 511) ≡ b ≡ $123^4 \times 123 \equiv 359 \pmod{511}$

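Fast Computation for $x^d \pmod{n}$
    /* Right-to-left square-and-multiply; n*n must fit in unsigned long */
    unsigned long modpow(unsigned long x, unsigned long d, unsigned long n)
    {
        unsigned long y = 1;
        while (d != 0) {
            if ((d % 2) != 0) {
                y = (y * x) % n;
                d--;
            }
            d >>= 1;            /* move to the next bit of d */
            x = (x * x) % n;    /* x is now x^(2^k) */
        }
        return y;
    }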

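Fast Computation for $x^d \pmod{n}$
Let $t$ be the number of bits for integer $d$, e.g., if $d = 5 = 101_2$, then $t = 3$
    /* Left-to-right square-and-multiply over the t bits of d */
    y = 1;
    for (i = t - 1; i >= 0; i--) {
        y = (y * y) % n;
        if ((d >> i) & 1)       /* bit i of d */
            y = (y * x) % n;
    }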

Two Claims
Claim 1: Suppose $n = pq$ is the product of two distinct primes. If we know $n$ and $\varphi(n)$, then we can quickly find $p$ and $q$
Hint: $n - \varphi(n) + 1 = pq - (p-1)(q-1) + 1 = p + q$, then $p, q$ are solutions of $x^2 - (n - \varphi(n) + 1)x + n = 0$
Claim 2: If we know $d$ and $e$, then we can probably factor $n$ (The method of universal components could be applied)
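Claim 1 carried through in C, as an added example that is not from the slides: it solves the quadratic in the hint with integer arithmetic, which is why a leaked φ(n) is equivalent to a leaked factorization. The names `isqrt` and `factor_from_phi` are this example's own, and n < 2^32 is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Integer square root: largest r with r*r <= v. */
static uint64_t isqrt(uint64_t v) {
    uint64_t r = 0;
    for (uint64_t bit = 1ULL << 31; bit; bit >>= 1)
        if ((r | bit) * (r | bit) <= v) r |= bit;
    return r;
}

/* Recover p <= q from n = p*q and phi = (p-1)(q-1).
 * p and q are the roots of x^2 - s*x + n = 0 with s = n - phi + 1 = p + q.
 * Returns 1 on success, 0 if the quadratic has no integer roots giving n. */
static int factor_from_phi(uint64_t n, uint64_t phi, uint64_t *p, uint64_t *q) {
    if (phi >= n) return 0;
    uint64_t s = n - phi + 1;              /* p + q */
    if (s * s < 4 * n) return 0;           /* negative discriminant */
    uint64_t disc = s * s - 4 * n;         /* (q - p)^2 */
    uint64_t root = isqrt(disc);
    if (root * root != disc) return 0;     /* not a perfect square: inputs inconsistent */
    *p = (s - root) / 2;
    *q = (s + root) / 2;
    return *p * *q == n;
}

int main(void) {
    uint64_t p, q;
    if (factor_from_phi(11413, 11200, &p, &q))   /* n and phi(n) from the slides */
        printf("11413 = %llu x %llu\n", (unsigned long long)p, (unsigned long long)q);
    return 0;
}
```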

References for Attacks on RSA
D. Boneh, Twenty years of attacks on the RSA cryptosystem, American Math. Soc. Notices 46, , 1999
D. Boneh, G. Durfee, Y. Frankel, An attack on RSA given a fraction of the private key bits, Advances in Cryptology – ASIACRYPT’98, Lecture Notes in Computer Science 1514, 25-34, 1998

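Primality Testing
Trial Division to test if N is a prime
    /* Trial division: prints each prime factor of N with its power */
    for (p = 2; p * p <= N; p++) {
        e = 0;
        if (N % p == 0) {
            while (N % p == 0) { e++; N /= p; }
            printf("factor %d, power %d\n", p, e);
        }
    }
    if (N > 1)                      /* what is left is a prime factor */
        printf("factor %d, power %d\n", N, 1);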

Basic Principles for Testing n (1)
Suppose $x, y$ satisfy $x^2 \equiv y^2 \pmod{n}$ but $x \equiv y \pmod{n}$ and $x \equiv -y \pmod{n}$ do not hold. Then $n$ is composite. Moreover, $\gcd(x-y, n)$ gives a nontrivial factor of $n$.
(Proof) Let $d = \gcd(x-y, n)$
If $d = 1$, $n \mid (x-y)(x+y) \rightarrow n \mid x+y \rightarrow$ contradiction
If $d = n$, then $n \mid x-y \rightarrow$ contradiction
(Example) $12^2 \equiv 2^2 \pmod{35}$

Basic Principles for Testing n (2)
Fermat’s little theorem: $a^{p-1} \equiv 1 \pmod{p}$ for a prime $p$ if $\gcd(a, p) = 1$
$a^{n-1} \not\equiv 1 \pmod{n} \rightarrow n$ is composite, in particular, $a = 2$ is used for testing a large $n$
$2^{34} \equiv 9 \not\equiv 1 \pmod{35} \rightarrow 35$ is composite
≡1 (mod 341), but 341=11x
≡1 (mod 561), but 561=3x11x17

The Miller-Rabin Primality Test
Let $n > 1$ be odd with $n - 1 = 2^k m$ with an odd $m$. Choose a random integer $a$, $1 < a < n-1$.
Compute $b_0 \equiv a^m \pmod{n}$. If $b_0 \equiv \pm 1 \pmod{n}$, then stop and $n$ is probably prime; otherwise let $b_1 \equiv (b_0)^2 \pmod{n}$.
If $b_1 \equiv 1 \pmod{n}$, then $n$ is composite and $\gcd(b_0 - 1, n)$ is a nontrivial factor of $n$; else if $b_1 \equiv -1 \pmod{n}$, stop and $n$ is probably prime; otherwise let $b_2 \equiv (b_1)^2 \pmod{n}$.
If $b_2 \equiv 1 \pmod{n}$, then $n$ is composite; else if $b_2 \equiv -1 \pmod{n}$, stop and $n$ is probably prime.
Continue in this way until stopping or reaching $b_{k-1}$. If $b_{k-1} \not\equiv -1$, then $n$ is composite.

Pseudoprimes
♪ If $a^{n-1} \equiv 1 \pmod{n}$, $n$ is said to be a pseudoprime for the base $a$
♪ If $a$ and $n$ pass the Miller-Rabin test, we say that $n$ is a strong pseudoprime for the base $a$
♪ ≡1 (mod 341), ≡1 (mod 561), so, 341 and 561 are all pseudoprimes

Test if n=341 is a prime
$n = 341$, $n - 1 = 340 = 2^2 \cdot 85$, let $k = 2$, $m = 85$
$b_0 = 2^{85} \equiv 32 \pmod{341}$
$b_1 = (b_0)^2 \equiv 1 \pmod{341}$
$b_{k-1} \equiv 1 \pmod{341}$, so $n = 341$ is composite
≡1 (mod 341), but 341=11x31

Test if n=561 is a prime
$n = 561$, $n - 1 = 560 = 2^4 \cdot 35$, let $k = 4$, $m = 35$
$b_0 = 2^{35} \equiv 263 \pmod{561}$
$b_1 = (b_0)^2 \equiv 166 \pmod{561}$
$b_2 = (b_1)^2 \equiv 67 \pmod{561}$
$b_3 = (b_2)^2 \equiv 1 \pmod{561}$
$b_{k-1} \equiv 1 \pmod{561}$, so $n = 561$ is composite
≡1 (mod 561), but 561=3x11x17

Miller-Rabin is better than Fermat’s
Up to $10^{10}$, there are primes. There are pseudoprimes for the base 2, and 3291 strong pseudoprimes for the base 2.
Therefore, calculating $2^{n-1} \pmod{n}$ will fail to recognize a composite in this range with probability less than 1 out of 30 thousand, and using the Miller-Rabin test with $a = 2$ will fail with probability less than 1 out of 100 thousand
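The Fermat test and the Miller-Rabin test side by side for base 2, as an added C example that is not from the slides: it records the sequence b_0, b_1, ... so the runs for 341 and 561 can be compared with the two worked slides above. Function names are this example's own; n < 2^32 and odd n > 3 are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* x^d mod n by square-and-multiply; assumes n < 2^32 so products fit in 64 bits. */
static uint64_t modpow(uint64_t x, uint64_t d, uint64_t n) {
    uint64_t y = 1 % n;
    for (x %= n; d; d >>= 1, x = x * x % n)
        if (d & 1) y = y * x % n;
    return y;
}

/* Fermat test for base a: 1 means a^(n-1) = 1 (mod n), i.e. "probably prime". */
static int fermat_passes(uint64_t n, uint64_t a) {
    return modpow(a, n - 1, n) == 1;
}

/* Miller-Rabin for odd n > 3 and base a, following the slide's b_0, b_1, ...
 * Returns 1 for "probably prime", 0 for composite. The values computed are
 * stored in seq[0..*len-1] so the run can be compared with the slides. */
static int miller_rabin(uint64_t n, uint64_t a, uint64_t seq[64], int *len) {
    uint64_t m = n - 1, b;
    int k = 0;
    while ((m & 1) == 0) { m >>= 1; k++; }   /* n - 1 = 2^k * m, m odd */
    b = modpow(a, m, n);                     /* b_0 */
    *len = 0;
    seq[(*len)++] = b;
    if (b == 1 || b == n - 1) return 1;
    for (int u = 1; u < k; u++) {
        b = b * b % n;                       /* b_u */
        seq[(*len)++] = b;
        if (b == 1) return 0;                /* b_{u-1} squared to 1 but was not +-1 */
        if (b == n - 1) return 1;
    }
    return 0;                                /* reached b_{k-1} without seeing -1 */
}

int main(void) {
    uint64_t seq[64], ns[] = {341, 561, 113};
    for (int i = 0; i < 3; i++) {
        int len, mr = miller_rabin(ns[i], 2, seq, &len);
        printf("n=%llu fermat=%d miller-rabin=%d b:", (unsigned long long)ns[i],
               fermat_passes(ns[i], 2), mr);
        for (int j = 0; j < len; j++) printf(" %llu", (unsigned long long)seq[j]);
        printf("\n");
    }
    return 0;
}
```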

Factoring n into Product of Primes
Fermat factorization by checking if there exist $x, y$ such that $n \mid (x-y)(x+y)$, $|x-y| > 1$
Example 1: n= with $n + 3^2 = 544^2$, then $n = 541 \cdot 547$
Solution: check if $n + k^2$ is a perfect square for $k = 1, 2, \ldots$
Fermat’s method works well when $n$ is the product of two factors that are very close together
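The search over k described on this slide, as an added C example that is not from the slides; it returns the k at which the search stops, so the cost can be compared for factors that are close together and factors that are further apart. The value 295927 is computed here as 541 x 547 from the slide's factors, and the function names and the `max_k` limit are this example's own; odd n < 2^32 is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Integer square root: largest r with r*r <= v. */
static uint64_t isqrt(uint64_t v) {
    uint64_t r = 0;
    for (uint64_t bit = 1ULL << 31; bit; bit >>= 1)
        if ((r | bit) * (r | bit) <= v) r |= bit;
    return r;
}

/* Find the smallest k >= 1 with n + k^2 = x^2, so n = (x - k)(x + k).
 * Returns k and sets *p, *q; returns 0 if no nontrivial split is found up to max_k. */
static uint64_t fermat_factor(uint64_t n, uint64_t max_k, uint64_t *p, uint64_t *q) {
    for (uint64_t k = 1; k <= max_k; k++) {
        uint64_t x = isqrt(n + k * k);
        if (x * x == n + k * k && x - k > 1) {   /* skip the trivial 1 * n */
            *p = x - k;
            *q = x + k;
            return k;
        }
    }
    return 0;
}

int main(void) {
    /* 541*547 from this slide; 101*113 and 127*193 from the RSA example slides. */
    uint64_t ns[] = {295927, 11413, 24511}, p, q;
    for (int i = 0; i < 3; i++) {
        uint64_t k = fermat_factor(ns[i], 1000, &p, &q);
        printf("n=%llu: k=%llu, %llu x %llu\n", (unsigned long long)ns[i],
               (unsigned long long)k, (unsigned long long)p, (unsigned long long)q);
    }
    return 0;
}
```

The number of steps is (q - p)/2, which is the reason RSA primes must not be chosen close to each other.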

Exponent Factorization Method
Suppose there exists $r > 0$ and an $a$ such that $a^r \equiv 1 \pmod{n}$. Write $r = 2^k m$ with $m$ odd. Let $b_0 \equiv a^m \pmod{n}$, and successively define $b_{u+1} \equiv (b_u)^2 \pmod{n}$ for $0 \le u \le k-1$.
If $b_0 \equiv 1 \pmod{n}$, then stop; the procedure has failed to factor $n$.
If for some $u$, $b_u \equiv -1 \pmod{n}$, then stop; the procedure has failed to factor $n$.
If for some $u$, $b_{u+1} \equiv 1 \pmod{n}$ but $b_u \not\equiv \pm 1 \pmod{n}$, then $\gcd(b_u - 1, n)$ gives a nontrivial factor of $n$.
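This procedure applied to Claim 2 from the earlier slide, as an added C example that is not from the slides: with e and d known, r = ed - 1 is a multiple of φ(n), so it can be used as the exponent, and bases are tried until one does not fail. The function names are this example's own; n < 2^32 is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* x^d mod n; assumes n < 2^32 so products fit in 64 bits. */
static uint64_t modpow(uint64_t x, uint64_t d, uint64_t n) {
    uint64_t y = 1 % n;
    for (x %= n; d; d >>= 1, x = x * x % n)
        if (d & 1) y = y * x % n;
    return y;
}

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* One run of the slide's procedure for base a and exponent r (a^r = 1 mod n).
 * Returns a nontrivial factor of n, or 0 when the procedure fails for this a. */
static uint64_t exponent_factor(uint64_t n, uint64_t r, uint64_t a) {
    uint64_t m = r, b;
    int k = 0;
    while ((m & 1) == 0) { m >>= 1; k++; }     /* r = 2^k * m, m odd */
    b = modpow(a, m, n);                       /* b_0 */
    if (b == 1) return 0;                      /* b_0 = 1: failed */
    for (int u = 0; u < k; u++) {
        if (b == n - 1) return 0;              /* b_u = -1: failed */
        uint64_t next = b * b % n;             /* b_{u+1} */
        if (next == 1) return gcd(b - 1, n);   /* b_u != +-1 but b_u^2 = 1 */
        b = next;
    }
    return 0;                                  /* a^r != 1 (mod n): r not valid for a */
}

/* Claim 2: e*d - 1 is a multiple of phi(n), so it serves as r for any a coprime to n. */
static uint64_t factor_from_ed(uint64_t n, uint64_t e, uint64_t d) {
    for (uint64_t a = 2; a < n; a++) {
        uint64_t g = gcd(a, n);
        if (g == 1) g = exponent_factor(n, e * d - 1, a);
        if (g > 1) return g;                   /* g = 0 means this base failed */
    }
    return 0;
}

int main(void) {
    uint64_t f = factor_from_ed(11413, 7467, 3);   /* key from the slides */
    printf("%llu x %llu\n", (unsigned long long)f, (unsigned long long)(11413 / f));
    return 0;
}
```

For the slide key n = 11413, base 2 fails (the sequence reaches -1) and base 3 yields the factor, which is why several bases are tried.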

The Pollard’s p-1 Method (1974)
Choose an integer $a > 1$ (usually $a = 2$) and choose a bound $B$.
Compute $b \equiv a^{B!} \pmod{n}$ as follows. Let $b_1 \equiv a \pmod{n}$ and $b_j \equiv (b_{j-1})^j \pmod{n}$, then $b_B \equiv b \pmod{n}$.
If $1 < d = \gcd(b-1, n) < n$, we have found a nontrivial factor of $n$
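The p-1 method in C, as an added example that is not from the slides, run on n = 11413 from the RSA example slides: the bound must be large enough for B! to cover q - 1 = 112 but not so large that it also covers p - 1 = 100. The function names are this example's own; n < 2^32 is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* x^d mod n; assumes n < 2^32 so products fit in 64 bits. */
static uint64_t modpow(uint64_t x, uint64_t d, uint64_t n) {
    uint64_t y = 1 % n;
    for (x %= n; d; d >>= 1, x = x * x % n)
        if (d & 1) y = y * x % n;
    return y;
}

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Pollard p-1 with base a and bound B, computed as on the slide:
 * b_1 = a, b_j = b_{j-1}^j, so b_B = a^(B!) mod n.
 * Returns a nontrivial factor, or 0 when gcd(b - 1, n) is 1 or n. */
static uint64_t pollard_p_minus_1(uint64_t n, uint64_t a, uint64_t B) {
    uint64_t b = a % n;
    for (uint64_t j = 2; j <= B; j++)
        b = modpow(b, j, n);
    uint64_t d = gcd(b + n - 1, n);     /* same as gcd(b - 1, n), no underflow at b = 0 */
    return (d > 1 && d < n) ? d : 0;
}

/* Try increasing bounds; *used receives the first B that worked. */
static uint64_t pollard_search(uint64_t n, uint64_t a, uint64_t max_B, uint64_t *used) {
    for (uint64_t B = 2; B <= max_B; B++) {
        uint64_t d = pollard_p_minus_1(n, a, B);
        if (d) { *used = B; return d; }
    }
    return 0;
}

int main(void) {
    uint64_t B = 0, d = pollard_search(11413, 2, 20, &B);
    printf("factor %llu found with B = %llu\n", (unsigned long long)d, (unsigned long long)B);
    printf("B = 10 gives %llu\n", (unsigned long long)pollard_p_minus_1(11413, 2, 10));
    return 0;
}
```

With B = 7 the factor 113 appears because 112 = 2^4 x 7 divides 7!; with B = 10 both 100 and 112 divide 10!, the gcd is n itself, and the run reports failure.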

The Quadratic Sieve
Suppose we want to factor n=
n=1093 . 3511

The Public Key Concept
The RSA Algorithm
Knapsack problems
Discrete Logarithms by ElGamal
Error Correcting Codes by McEliece
Elliptic Curve Cryptosystem by Diffie-Hellman

The Concept and Criteria
1. $E_k(D_k(m)) = m$ and $D_k(E_k(m)) = m$ for every message $m$ in $M$, the set of possible messages, every key $k$ in $K$, the set of possible keys
2. For every $m$ and every $k$, the values of $E_k(m)$ and $D_k(m)$ are easy to compute
3. For every $k$, if someone knows only the function $E_k$, it is computationally infeasible to find an algorithm to compute $D_k$
4. Given $k$, it’s easy to find the functions $E_k$ and $D_k$