Presentation is loading. Please wait.

Presentation is loading. Please wait.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due."— Presentation transcript:

1 Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due date next week Questions? This week: Primality testing, factoring Primality testing, factoring Discrete Logs Discrete Logs DTTF/NB479: DszquphsbqizDay 22

2 The Square Root Compositeness Theorem gives a way to factor certain composite numbers Given integers n, x, and y: Then n is composite, and gcd(x-y, n) is a non-trivial factor Proof: on board Toy example showing 21 is composite using x=2 and y=16. 1

3 The Miller-Rabin Compositeness Test just reorders the Fermat test’s powermod to catch pseudoprimes Observe: n is odd and n>1 Trick: write n-1=2 k m, where k >=1 b0b0 ? ? We’ll compute powers from inside out, checking if the result is +1 or -1 at each step

4 It uses the Square Root Compositeness Theorem to catch most pseudoprimes Given odd n>1, write n-1=2 k m, where k >=1. Choose a base a randomly (or just pick a=2) Let b 0 =a m (mod n) If b 0 =+/-1, stop. n is probably prime by Fermat For i = 1..k-1 Compute b i =b i-1 2. If b i =1(mod n), stop. n is composite by SRCT, and gcd(b i-1 -1,n) is a factor. If b i =-1(mod n), stop. n is probably prime by Fermat. If b k =1 (mod n), stop. n is composite by SRCT Else n is composite by Fermat. k b0b0 b1b1 bkbk b0b0 2

5 Examples of Miller-Rabin Given odd n>1, write n-1=2 k m, where k >=1. Choose a base a randomly (or just pick a=2) Let b 0 =a m (mod n) If b 0 =+/-1, stop. n is probably prime by Fermat For i = 1..k-1 Compute b i =b i-1 2. If b i =1(mod n), stop. n is composite by SRCT, and gcd(b i-1 -1,n) is a factor. If b i =-1(mod n), stop. n is probably prime by Fermat. If b k =1 (mod n), stop. n is composite by SRCT Else n is composite by Fermat. 1.n=189 2.n=561 (recall Fermat says prob prime) 3.Complete the table on your quiz 3-4

6 Even? div by other small primes? Prime by Factoring/ advanced techn.? n no yes prime Fermat’s contrapositive is OK, but Miller-Rabin is better!

7 Finding large probable primes #primes < x = #primes < x = Density of primes: ~1/ln(x) For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Can repeat with different bases to improve probability that it’s prime. Maple’s nextprime() appears to do this, but also runs the Lucas test: http://www.mathpages.com/home/k math473.htm http://www.mathpages.com/home/k math473.htm http://www.mathpages.com/home/k math473.htm Even? div by other small primes? Prime by Factoring/ advanced techn.? n no yes prime Pass M-R? Fermat’s contrapositive is OK, but Miller-Rabin is better!

8 Using within a primality testing scheme Finding large probable primes #primes < x = #primes < x = Density of primes: ~1/ln(x) For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Can repeat with different bases to improve probability that it’s prime. Maple’s nextprime() appears to do this, but also runs the Lucas test: http://www.mathpages.com/home/k math473.htm http://www.mathpages.com/home/k math473.htm http://www.mathpages.com/home/k math473.htm Odd? div by other small primes? Prime by Factoring/ advanced techn.? n no yes prime Pass M-R?

9 Factoring If you are trying to factor n=pq and know that p~q, use Fermat factoring: Compute n + 1 2, n + 2 2, n + 3 2, until you reach a perfect square, say r 2 = n + k 2 Compute n + 1 2, n + 2 2, n + 3 2, until you reach a perfect square, say r 2 = n + k 2 Then n = r 2 - k 2 = (r+k)(r-k) Then n = r 2 - k 2 = (r+k)(r-k) Example: factor 2405597 The moral of the story? Choose p and q such that _____ Choose p and q such that _____

10 (p-1) Algorithm Useful if p|n and (p-1) has only small factors Choose any a>1 (like a=2) and bound B Compute b=a B! (mod n) (How?) Then compute d=gcd(b-1, n) If 1<d<n, then d is a non-trivial factor If 1<d<n, then d is a non-trivial factor Matlab example: n=5183. We’ll use a=2, B=6. Why does it work?

11 Moral of this story? To get a 100-digit number n=pq resistant to this attack: Make sure (p-1) has at least 1 large prime factor: Make sure (p-1) has at least 1 large prime factor: Pick p 0 = nextprime(10 40 ) Pick p 0 = nextprime(10 40 ) Choose k~10 60 such that p=(kp 0 +1) is prime Choose k~10 60 such that p=(kp 0 +1) is prime How to test? Repeat for q. Repeat for q.

12 Example Factor n = 3837523 Concepts we will learn also apply to factoring really big numbers. They are the basis of the best current methods All you have to do to win $30,000 is factor a 212 digit number. This is the RSA Challenge: http://www.rsa.com/rsalabs/node.asp?id=2093#RSA704 http://www.rsa.com/rsalabs/node.asp?id=2093#RSA704

13 Quadratic Sieve (1) Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 1: Pick a factor base, just a set of small factors. In our examples, we’ll use those < 20. In our examples, we’ll use those < 20. There are 8: 2, 3, 5, 7, 11, 13, 17, 19 There are 8: 2, 3, 5, 7, 11, 13, 17, 19

14 Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 2: We want squares that are congruent to products of factors in the factor base. Our hope: Reasonably small numbers are more likely to be products of factors in the factor base. 1. Thenwhich is small as long as k isn’t too big 2. Loop over small , lots of k. 3. A newer technique, the number field sieve, is somewhat faster Quadratic Sieve (2a)

15 Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 2: We want squares that are congruent to products of factors in the factor base. Our hope: Reasonably small numbers are more likely to be products of factors in the factor base. Examples: Quadratic Sieve (2b)

16 Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 3: Want two non-congruent perfect squares Example: This is close, but all factors need to be paired Recall: Quadratic Sieve (3)

17 Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 3: Want two non-congruent perfect squares Example: This is close, but all factors need to be paired Generate lots of # and experiment until all factors are paired. Quadratic Sieve (3b) So what? gcd(1147907-17745, n)=1093 Other factor = n/1093=3511

18 Factor n = 3837523 Want x,y:  gcd(x-y, n) is a factor Step 4: Want to get 2 non-congruent perfect squares Example: This is close, but all factors need to be paired Generate lots of # and experiment until all factors are paired. To automate this search: Can write each example are a row in a matrix, where each column is a prime in number base Then search for dependencies among rows mod 2. May need extra rows, since sometimes we get x=+/-y. Quadratic Sieve (3b)

19 Factor n = 3837523 To automate this search: Each row in the matrix is a square Each column is a prime in the number base Search for dependencies among rows mod 2. For last one (green) So we can’t use the square root compositeness theorem My code Sum: 0 2 2 2 0 4 0 0 Sum: 8 4 6 0 2 4 0 2 Sum: 6 0 6 0 0 2 0 2

Download ppt "Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due."

Similar presentations

WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Cryptography and Network Security

Cryptography and Network Security
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:

Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Announcements: 1. Term project groups and topics due midnight 2. HW6 due next Tuesday. Questions? This week: Primality testing, factoring Primality testing,

Announcements: 1. Term project groups and topics due midnight 2. HW6 due next Tuesday. Questions? This week: Primality testing, factoring Primality testing,
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Announcements: See schedule for weeks 8 and 9 See schedule for weeks 8 and 9 Project workdays, due dates, exam Project workdays, due dates, exam Projects:

Announcements: See schedule for weeks 8 and 9 See schedule for weeks 8 and 9 Project workdays, due dates, exam Project workdays, due dates, exam Projects:
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.

Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
and Factoring Integers (I)

and Factoring Integers (I)
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
Announcements: 1. Short “pop” quiz on Ch 3 (today?) 2. Term project groups and topics due midnight 3. HW6 due Tuesday. Questions? This week: Primality.

Announcements: 1. Short “pop” quiz on Ch 3 (today?) 2. Term project groups and topics due midnight 3. HW6 due Tuesday. Questions? This week: Primality.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Announcements: 1. Short “pop” quiz on Ch 3 (not today) 2. Term project groups and topics due tomorrow midnight Waiting for posts from 22 of you. 3. HW6:

Announcements: 1. Short “pop” quiz on Ch 3 (not today) 2. Term project groups and topics due tomorrow midnight Waiting for posts from 22 of you. 3. HW6:

Similar presentations

Ads by Google