Presentation is loading. Please wait.

Presentation is loading. Please wait.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen."— Presentation transcript:

1 The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen

2 p2. OUTLINE  [1] Modular Arithmetic Algorithms  [2] The RSA Cryptosystem  [3] Quadratic Residues  [4] Primality Testing [5] Square Roots Modulo n [6] Factoring Algorithms [7] Other Attacks on RSA [8] The Rabin Cryptosystem [9] Semantics Security of RSA

3 p3. [5] Square Roots Modulo n 1. Fact Suppose that p is an odd prime and gcd(a,n)=1. Then the congruence y 2 =a (mod n) has no solutions if (a/p)=-1, and two solutions (mod n) if (a/p)=1. 2. Theorem Suppose that p is an odd prime, e is a positive integer, and gcd(a,p)=1. Then the congruence y 2 =a (mod p e ) has no solutions if (a/p)=-1, and two solutions (mod p e ) if (a/p)=1.

4 p4. 3. Theorem Suppose that n > 1 is an odd integer having factorization where the p i ’s are distinct primes and the e i ’s are positive integers, Suppose further that gcd(a,n)=1. Then the congruence y 2 =a (mod n) has 2 l solutions modulo n if (a/p i )=1 for all i in {1, …, l }, and no solutions, otherwise.

5 p5. [6] Factoring Algorithms 1. The Pollard’s p-1 algorithm input : an integer n, and a prespecified “bound” B output : factors of n

6 p6. Why? Suppose p is a prime divisor of n, and suppose that q <= B for every prime power q|(p-1). Then (p-1)|B! At the end of for loop, we have a=2 B! mod n Now 2 p-1 =1 mod p (by Fermat’s little Thm) Since (p-1)|B!, it follows a=2 B! =1 mod p and hence p|(a-1). Since we also have p|n, d=gcd(a-1, n) will be a non-trivial divisor of n (unless a=1).

7 p7. E.g. n=15770708441, B=180 a = 2 180! = 11620221425 D = gcd(a-1, n) = 135979 In fact, the complete factorization of n into primes is 15770708441 = 135979 x 115979 The factorization succeeds because 135978 has only “small” prime factors: 135978 = 2 x 3 x 131 x 173

8 p8. 2. The Pollard’s rho algorithm input : an integer n output : factors of n (1) Selecting a “random” function f with integer coefficients, and any Begin with x=x 0 and y=y 0. (2) Repeat the two calculations until d=gcd(x-y,n)>1. (3) Do the following compare 3.1 If d<n, we have succeeded. 3.2 If d=n, the method is failed. Goto (1). (*) A typical choice of f(x)=x 2 +1, with a seed x 0 =2.

9 p9. Complexity of rho method We expect this method to use the function f at most E.g : n=551, f(x)=x 2 +1 mod 551 and x 0 =2. 5 26 126 26 449 240 1 1 19

10 p10. 3. Dixon’s random squares algorithm The idea is to locate with if gcd(x+y,n) is a nontrivial factor of n. (Why?) since n|(x-y)(x+y) but neither of x-y or x+y is divisible by n. Eg. n=15, x=2, y=7 (2 2 =7 2 mod 15) => gcd(2+7,15)=3 is a nontrivial factor of n. Eg. n=77, x=10, y=32 (10 2 =32 2 mod 77) => gcd(10+32,77)=7 is a nontrivial factor of n.

11 p11. factor base and p t -smooth A factor base B={p 1, p 2,…,p t } consisting of the first t primes is selected. If b factors over B, b is said to be p t -smooth. Eg : B={2,3,5}, b=2 3 *5 6 is 5-smooth; b=2 3 *7 6 is not 5-smooth. We may include -1 in B to handle the negative b B={p 0, p 1, p 2,…,p t }, with p 0 =-1.

12 p12. Algorithm input : a composite integer n and factor base B= {p 1, p 2,…,p t } output : factors of n (1) Suppose t+1 pairs (a i, b i =a i 2 mod n) are obtained, where b i is p t -smooth over B and the factorizations are given by (2) A set S is to be selected so that has only even powers of primes appearing. (3) Let, and do the following compare 3.1 If 3.2 If

13 p13. Eg : n=10057, t=5, B={2,3,5,7,11} 1 1 2 2311018 968 2*509 (discard!) 2 3 *11 2 2 5 *3 2 *11 105 1153168 3 4 5 10066336 8800 2 6 *3 2 *11 2 5 *5 2 *11 2*3 2 *7 2 3010 4014882 62 8 *1140232816 If S={4,5,6}, then x=3010*4014*4023 mod n=2748 y=2 7 *3*5*7*11 mod n=7042 Since, we obtain a nontrivial factor gcd(x+y,n)=89, and 10057=89*113. If S={1,5}, then x=105*4014 mod n=9133 and y=2 2 *3*7*11=924. Unfortunately,, and no useful information is obtained.

14 p14. Eg : n=15770708441, t=6, B={2,3,5,7,11, 13} 8340934156 2 = 3*7 (mod n) 12044942944 2 = 2*7*13 (mod n) 2773700011 2 = 2*3*13 (mod n) (8340934156*12044942944*2773700011) 2 = (2*3*7*13) 2 (mod n) 9503435785 2 = 546 2 (mod n) gcd(9503435785–546, 15770708441)=115759 to find the factor 115759 of n

15 p15. Improvements: We may include -1 in B to handle the negative b B={p 0, p 1, p 2,…,p t }, with p 0 =-1. Define Let a i =z+m and b i = q(z) = a i 2 - kn for z=0,1,-1,2,-2, … k=1,2, …

16 p16. Quadratic sieve algorithm (simple version) input : a composite integer n output : factors of n (1) choose a suitable P and construct a factor base (2) Define (3) Let a i =z+m and b i =q(z)=a i 2 -n for z=0,1,-1,2,-2,… A set S is to be selected so that has only even powers of primes appearing. (4) Let, and do the following

17 p17.

18 p18. Eg : n=10057 0 1 100-57 -256 -3*19 -2 8 2 4 *3 2 99 101144 -3 5 97-648 968 -2 3 *3 4 2 3 *11 2 105 If S={1}, then x=101 and y= =2 2 *3. Since, we obtain a nontrivial factor gcd(x+y,n)=113, and 10057=89*113. If S={-1,-3, 5}, then x=99*97*105 and y=2 7 *3 2 *11. Unfortunately,, and no useful information is obtained.

19 p19. 4. Factoring algorithms in practice (Asymptotic running times) 1. Quadratic sieve 2. Elliptic curve (p is the smallest prime factor of n) 3. Number field sieve

20 p20. [7] Other Attacks on RSA Are there possible attacks on RSA other than factoring n? (Yes, see 2. 3.) 1. Computing  (n) Computing  (n) is no easier than factoring n For, if n and  (n) are known, and n is the product of two primes p, q, then n can be easily factored by solving n=pq  (n)=(p-1)(q-1) for the two unknowns p and q. Substituting q=n/p into the 2nd eq., We have P 2 -(n-  (n)+1)p + n = 0. The two roots will be p and q.

21 p21. 2. The Decryption Exponent (See sec. 5.7.2) 3. Wiener’s Low Decryption Exponent Attack (See sec. 5.7.3)

22 p22. [8] The Rabin Cryptosystem 1. Rabin scheme Let p, q be large primes, n=pq (p,q) be the private key Encryption: c=m 2 mod n Decryption: find the four square roots and one is m 2. Example Consider p=31, q=41, so n=pq=1271 Assume message m=814 so c = m 2 mod n = 814 2 mod 1271 = 405 Decryption Solving m 2  405  2 (mod 31) and m 2  405  36 (mod 41) obtain m   8 (mod 31) and m   6 (mod 41) four possible roots: {  240,  457} (mod 1271)

23 p23. 3. How to find square roots of a  Q n where n=pq ? Factor n as pq Let x and y satisfy following congruences x = a p (mod p) and y = -a p (mod p) x = a q (mod q) y = a q (mod q) where a r denotes a square root of a modulo r The square roots are x, -x, y, -y

24 p24. 4. How to find square roots of a  Q p ? In general, there is an efficient polynomial randomized algo For p=3 (mod 4) there is a deterministic algo: By Euler’s criterion if a  Q p then a (p-1)/2 =1 (mod p), and (a (p+1)/4 ) 2 = a (p-1)/2 a= a (mod p). Hence two roots of a modulo p are  a (p+1)/4. n is called Blum integer if n = pq and p=3 (mod 4), q=3 (mod 4)

25 p25. 5. Definition RABIN: Given n=pq and c=m 2 mod n, find x, s.t. c  x 2 (mod n) 6. Theorem RABIN = FACTOR (1) RABIN  FACTOR Given an oracle for FACTOR 1. Factor n and obtain p,q 2. Solve the square root problems c  x 2 (mod p) c  x 2 (mod q) 3. Apply CRT and get four roots of RABIN

26 p26. (2) FACTOR  RABIN Given an oracle for RABIN 1. Query RABIN oracle twice, get two roots x and y 2. With prob. ½, we can successfully get the factor of n by gcd(x+y, n)

27 p27. [9] Semantic Security of RSA 1. Potential 3 adversarial goals: Total break The adversary is able to determine Bob’s private key (in the case of a public-key cryptosystem) or the secret key (in the case of a symmetric-key cryptosystem). Partial break The adversary is able to decrypt a previously unseen ciphertext (without knowing the key). Or the adversarial can determine some specific information about the plaintext, given the ciphertext.

28 p28. Distinguishability of ciphertexts With some prob. > 0.5, the adversary is able to distinguish between encryptions of 2 given plaintexts, or between an encryption of a given plaintext and a random string. 2. Semantic security A public-key cryptosystem is said to achieve semantic security if the adversary cannot (in polynomial time) distinguish ciphertexts, provided that certain computational assumptions hold.

29 p29. 3. Partial information concerning plaintext bits (See sec. 5.9.1) 4. Optimal Asymmetric encryption padding (See sec. 5.9.2)

Download ppt "The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen."

Similar presentations

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
Prime recognition and factorization

Prime recognition and factorization
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Data encryption with big prime numbers

Data encryption with big prime numbers
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
and Factoring Integers (I)

and Factoring Integers (I)
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
and Factoring Integers

and Factoring Integers
Cryptography & Number Theory

Cryptography & Number Theory
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.

Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.

Similar presentations

Ads by Google