RSA cryptosystem--preview Suppose n=p  q and  (n)=(p-1)(q-1), where p and q are big primes. Select (find) a and b, such that a  b=1 mod  (n). K=(n,p,q,a,b), publicize n,b, but keep p,q,a secret. For any x,y  Z n, define –e K (x)= x b mod n (encryption) –d K (y)= y a mod n (decryption: (x b ) a mod n=x) Of course, from n,b, it is very difficult to get a (as well as p,q,  (n)).

RSA--implementation 1.Generate two large primes, p and q. 2.n  pq and  (n)  (p-1)(q-1) 3.Chose a random b (1< b <  (n)) such that gcd(b,  (n))=1 4.a  b -1 mod  (n) 5.The public key is (n,b) and the private key is (p,q,a). Could you raise any questions about RSA?

Questions about RSA How to generate large primes? How to compute the modular-exponentiation (encryption & decryption) efficiently? RSA attack: attempt to factor n and how? RSA uses numbers, therefore need encoding for normal text.

RSA—primality testing How to generate large primes? –Select a random large number –Test whether or not the number is a prime. How often a random selected number is a prime? –Let  (N) be the number of primes  N. –Prime number theory:  (N)  N/lnN –Therefore the probability of a random number being a prime is 1/lnN –Suppose n = pq is 1024 bits, so p and q are 512 bits, 1/ln2 512  1/355.

(yes-biased) Monte Carlo algorithm: –For yes-no decision problem –Random algorithm (randomly choose a number) –If the algorithm gives answer “yes”, it is always correct –It the answer is “no”, it may be incorrect. RSA—primality testing Therefore, may try several times such that the probability of the incorrectness for “no” is extremely small. Las Vegas algorithm: may not give answer, but any answer it gives is correct. Probabilistic algorithms: the algorithms which can be wrong in some cases (i.e., probably, or with certain probability)

RSA—primality testing (yes-biased) Monte Carlo algorithm: –Solovay-Strassen algorithm –Miller-Rabin algorithm A good news: confirmed primality testing algorithm –By three Indian scientists.

Solovay-Strassen primality test Given integer n, is n a composite? –Choose a random integer a ( 1 < a < n) –x  –If x=0 then return “yes” (n is a composite) –y  a (n-1)/2 (mod n) –If x  y (mod n) then return “no” (n is a prime) ( of course maybe incorrect ) else return “yes” (n is a composite). a n ()

The proof of the algorithm –If n is a prime, the  a (n-1)/2 mod n for any a –If n is a composite, then for some a,  a (n-1)/2, Call n to be an Euler pseudo-prime to base a. For example, = -1  mod 91. but others not. At most half of a  Z n *, n is a pseudo-prime to a. So error probability is at most ½. –Test k different a, (1/2) k. Solovay-Strassen primality test a n () a n () ()

RSA attacks Computing  (n)– no easier than factoring n. Decryption Exponent a—no easier than factoring n So the security of RSA is based on the difficulty of factorization of large numbers. Factoring algorithms –Trial division– up to  n –Pollard p-1 algorithm

RSA attack—Pollard p-1 algorithm Given n, and select a random B (not too big) –a  2 –For j=2 to B a  a j mod n –d  gcd(a-1,n) –If d > 1 then return d (d is a factor of n) else return ‘failure’.

The correctness of p-1 algorithm 1.Suppose p is a prime factor of n, 2.Assume for all q, q≤B, q is (power of) a prime factor of p-1. 3.Then p-1| B!, suppose B! = (p-1)t. 4.The final a  2 B! mod n, since p|n, so a  2 B! mod p 5.We know, 2 p-1  1 mod p, so 6.a  2 B! mod p = 2 (p-1)t mod p  1 t mod p  1 mod p 7.So p | (a-1), thus p|gcd(a-1,n) Conclusion: if p or q of factors of n is not selected in a correct way, n will be easily factored.

P-1 example n= , B=180 Then a = , and d= As a result: =135979* Here =2*3*131*173

RSA summary RSA principle RSA implementation –Generate large primes –Compute x c mod n – square-and-multiply RSA attacks Conclusion: p and q must be appropriately selected large primes.