Presentation transcript: The RSA Algorithm

Slide 1: The RSA Algorithm
Based on the idea that factorization of integers into their prime factors is hard.
n = p·q, where p and q are distinct primes.
Proposed by Rivest, Shamir, and Adleman in 1977; the paper was published in Communications of the ACM in 1978.
A public-key cryptosystem.

Slide 2: RSA Algorithm
Bob chooses two primes p, q and computes n = pq.
Bob chooses e with gcd(e, (p-1)(q-1)) = gcd(e, φ(n)) = 1.
Bob solves de ≡ 1 (mod φ(n)).
Bob makes (e, n) public and keeps (p, q, d) secret.
Alice encrypts M as C ≡ M^e (mod n).
Bob decrypts by computing M ≡ C^d (mod n).

Slide 3: Proof for the RSA Algorithm
C^d ≡ (M^e)^d ≡ M^(ed) ≡ M^(1+kφ(n)) ≡ M (mod n), by Euler's theorem and Exercise 19 on p. 192.
p = 885320963, q = 238855417, n = p·q = 211463707796206571
Let e = 9007, ∴ d = 116402471153538991
M = "cat" = 30120, C = 113535859035722866

Slide 4: Another Example
n = 127 × 193 = 24511, φ(n) = 24192
e = 1307, d = 10643
Encrypt "box" with M = 21524; then C = ?
Encrypt the following message: "Formosa means a beautiful island"

Slide 5: Selected Problems from pp. 192-200 (1)
n = 11413 = 101 × 113, so p = 101, q = 113
φ(n) = (p-1) × (q-1) = 100 × 112 = 11200
Choose e = 7467; then gcd(e, φ(n)) = 1
Solve de ≡ 1 (mod φ(n)) to get d = 3
If the ciphertext is C = 5859, then the plaintext is M ≡ C^d ≡ 5859^3 ≡ 1415 (mod 11413)
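Slides 2 to 5 as a runnable Python example (added here; not code from the presentation): key generation from the given p, q, e, the textbook letter encoding a=01 … z=26, and encryption and decryption with the slides' parameters. The function names (egcd, rsa_keygen, encode, encrypt, decrypt) are my own.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def rsa_keygen(p, q, e):
    """Slide 2: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi; needs gcd(e, phi) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (s % phi, n)          # public key (e, n), private key (d, n)

def encode(text):
    """Textbook letter encoding a=01, ..., z=26, concatenated: 'cat' -> 30120."""
    return int("".join(f"{ord(c) - ord('a') + 1:02d}" for c in text.lower()))

def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)                  # slide 2: C = M^e mod n

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)                  # slide 2: M = C^d mod n

if __name__ == "__main__":
    pub, priv = rsa_keygen(885320963, 238855417, 9007)   # slide 3 parameters
    c = encrypt(encode("cat"), pub)
    print("d =", priv[0], "C =", c, "decrypted M =", decrypt(c, priv))
```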

Slide 6: Fast Computation of x^d (mod n)
Compute 123^5 mod 511.
The naive way: 123^5 = 28153056843, then reduce mod 511.
123^2 ≡ 310 (mod 511)
123^4 ≡ 32 (mod 511)
123^5 = 123^(101b) ≡ 123^4 × 123 ≡ 359 (mod 511)

Slide 7: Fast Computation for x^d (mod n)
Right-to-left binary method:
    y = 1;
    while (d != 0) {
        if ((d % 2) != 0)
            y = (y * x) % n;     /* current bit is 1: multiply in x^(2^k) */
        d >>= 1;                 /* move on to the next bit of d */
        x = (x * x) % n;         /* x becomes x^(2^(k+1)) */
    }

Slide 8: Fast Computation for x^d (mod n)
Let t be the number of bits of the integer d, e.g., if d = 5 = 101_2, then t = 3 and the bits are d[2] d[1] d[0] = 1 0 1.
Left-to-right binary method:
    y = 1;
    for (i = t - 1; i >= 0; i--) {
        y = (y * y) % n;         /* square once for every bit */
        if (d[i] == 1)
            y = (y * x) % n;     /* multiply when the bit is 1 */
    }
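Both binary exponentiation variants from slides 7 and 8, plus the squaring trace of slide 6, written out in Python as an added example (not the slides' own code); the function names are my own.

```python
def modexp_right_to_left(x, d, n):
    """Slide 7: scan the bits of d from the low end, keeping x^(2^k) in x."""
    y, x = 1, x % n
    while d != 0:
        if d & 1:                 # current bit is 1: multiply in x^(2^k)
            y = y * x % n
        d >>= 1                   # drop the bit just handled
        x = x * x % n             # x is now x^(2^(k+1))
    return y

def modexp_left_to_right(x, d, n):
    """Slide 8: scan the bits of d from the top; square every step, multiply on a 1 bit."""
    y, x = 1, x % n
    for bit in bin(d)[2:]:        # bits d[t-1] ... d[0]
        y = y * y % n
        if bit == "1":
            y = y * x % n
    return y

def squaring_trace(x, d, n):
    """Slide 6: the successive squares x, x^2, x^4, ... (mod n) that both methods use."""
    out, cur = [], x % n
    for _ in range(d.bit_length()):
        out.append(cur)
        cur = cur * cur % n
    return out

if __name__ == "__main__":
    print(squaring_trace(123, 5, 511), modexp_left_to_right(123, 5, 511))
```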

Slide 9: Two Claims
Claim 1: Suppose n = pq is the product of two distinct primes. If we know n and φ(n), then we can quickly find p and q.
Hint: n - φ(n) + 1 = pq - (p-1)(q-1) + 1 = p + q, so p and q are the solutions of x^2 - (n - φ(n) + 1)x + n = 0.
Claim 2: If we know d and e, then we can probably factor n (the universal exponent method can be applied).

Slide 10: References for Attacks on RSA
D. Boneh, "Twenty years of attacks on the RSA cryptosystem", Notices of the American Mathematical Society 46, 203-213, 1999.
D. Boneh, G. Durfee, Y. Frankel, "An attack on RSA given a fraction of the private key bits", Advances in Cryptology – ASIACRYPT'98, Lecture Notes in Computer Science 1514, 25-34, 1998.

Slide 11: Primality Testing
Trial division to test whether N is prime: divide by every p up to √N and print each factor with its power; N is prime if the only factor printed is N itself.
    for (p = 2; p * p <= N; p++) {
        e = 0;
        if (N % p == 0) {
            while (N % p == 0) { e++; N /= p; }    /* strip every copy of p */
            printf("factor %d, power %d\n", p, e);
        }
    }
    if (N > 1)                                     /* whatever is left is a prime factor */
        printf("factor %d, power 1\n", N);

Slide 12: Basic Principles for Testing n (1)
Suppose x, y satisfy x^2 ≡ y^2 (mod n) but neither x ≡ y (mod n) nor x ≡ -y (mod n) holds. Then n is composite. Moreover, gcd(x-y, n) gives a nontrivial factor of n.
(Proof) Let d = gcd(x-y, n).
If d = 1: n | (x-y)(x+y) → n | x+y → contradiction.
If d = n: n | x-y → contradiction.
(Example) 12^2 ≡ 2^2 (mod 35)

Slide 13: Basic Principles for Testing n (2)
Fermat's little theorem: a^(p-1) ≡ 1 (mod p) for a prime p if gcd(a, p) = 1.
If a^(n-1) ≢ 1 (mod n), then n is composite; in particular, a = 2 is used for testing a large n.
2^34 ≡ 9 ≢ 1 (mod 35) → 35 is composite
2^340 ≡ 1 (mod 341), but 341 = 11 × 31
2^560 ≡ 1 (mod 561), but 561 = 3 × 11 × 17

Slide 14: The Miller-Rabin Primality Test
Let n > 1 be odd with n-1 = 2^k m, m odd. Choose a random integer a, 1 < a < n-1. Compute b_0 ≡ a^m (mod n); if b_0 ≡ ±1 (mod n), stop: n is probably prime. Otherwise let b_1 ≡ (b_0)^2 (mod n). If b_1 ≡ 1 (mod n), then n is composite and gcd(b_0 - 1, n) is a nontrivial factor of n; else if b_1 ≡ -1 (mod n), stop: n is probably prime; otherwise let b_2 ≡ (b_1)^2 (mod n). If b_2 ≡ 1 (mod n), then n is composite; else if b_2 ≡ -1 (mod n), stop: n is probably prime. Continue in this way until stopping or reaching b_(k-1). If b_(k-1) ≢ -1 (mod n), then n is composite.

Slide 15: Pseudoprimes
If a^(n-1) ≡ 1 (mod n), n is said to be a pseudoprime for the base a.
If a and n pass the Miller-Rabin test, we say that n is a strong pseudoprime for the base a.
2^340 ≡ 1 (mod 341) and 2^560 ≡ 1 (mod 561), so 341 and 561 are both pseudoprimes for the base 2.

Slide 16: Test whether n = 341 is prime
n = 341, n-1 = 340 = 2^2 · 85; let k = 2, m = 85
b_0 = 2^85 ≡ 32 (mod 341)
b_1 = (b_0)^2 ≡ 1 (mod 341)
b_(k-1) ≡ 1 (mod 341), so n = 341 is composite
2^340 ≡ 1 (mod 341), but 341 = 11 × 31

Slide 17: Test whether n = 561 is prime
n = 561, n-1 = 560 = 2^4 · 35; let k = 4, m = 35
b_0 = 2^35 ≡ 263 (mod 561)
b_1 = (b_0)^2 ≡ 166 (mod 561)
b_2 = (b_1)^2 ≡ 67 (mod 561)
b_3 = (b_2)^2 ≡ 1 (mod 561)
b_(k-1) ≡ 1 (mod 561), so n = 561 is composite
2^560 ≡ 1 (mod 561), but 561 = 3 × 11 × 17
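Slides 13, 14, 16 and 17 as an added Python example (not the presentation's own code): fermat_check is the base-a Fermat test, and miller_rabin_trace runs the Miller-Rabin procedure for a fixed base, returning the b_u sequence so the two worked runs above can be checked, and the factor gcd(b_u - 1, n) when a nontrivial square root of 1 turns up. Both function names are my own.

```python
from math import gcd

def fermat_check(n, a=2):
    """Slide 13: a^(n-1) mod n; any value other than 1 proves n composite."""
    return pow(a, n - 1, n)

def miller_rabin_trace(n, a):
    """Slide 14 with the base a fixed. Returns (verdict, trace, factor):
    trace is the list b_0, b_1, ...; factor is gcd(b_u - 1, n) when some
    b_u outside {1, -1} squared to 1, otherwise None."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2                 # n - 1 = 2^k * m, m odd
    b = pow(a, m, n)                         # b_0 = a^m mod n
    trace = [b]
    if b in (1, n - 1):
        return "probably prime", trace, None
    for _ in range(k - 1):                   # b_1 ... b_(k-1)
        prev, b = b, b * b % n
        trace.append(b)
        if b == 1:
            return "composite", trace, gcd(prev - 1, n)
        if b == n - 1:
            return "probably prime", trace, None
    return "composite", trace, None          # reached b_(k-1) without seeing -1

if __name__ == "__main__":
    for n in (341, 561):                     # both pass Fermat for base 2, both fail here
        print(n, fermat_check(n), miller_rabin_trace(n, 2))
```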

Slide 18: Miller-Rabin is better than Fermat's test
Up to 10^10 there are 455052511 primes. There are 14884 pseudoprimes for the base 2 and 3291 strong pseudoprimes for the base 2. Therefore calculating 2^(n-1) (mod n) will fail to recognize a composite in this range with probability less than 1 in 30 thousand, and the Miller-Rabin test with a = 2 will fail with probability less than 1 in 100 thousand.

Slide 19: Factoring n into a Product of Primes
Fermat factorization: check whether there exist x, y such that n | (x-y)(x+y) with |x-y| > 1.
Example 1: n = 295927, with n + 3^2 = 544^2; then n = 541 · 547.
Solution: check whether n + k^2 is a perfect square for k = 1, 2, …
Fermat's method works well when n is the product of two primes that are very close together.

Slide 20: Exponent Factorization Method
Suppose there exist r > 0 and a such that a^r ≡ 1 (mod n). Write r = 2^k m with m odd. Let b_0 ≡ a^m (mod n), and successively define b_(u+1) ≡ (b_u)^2 (mod n) for 0 ≤ u ≤ k-1. If b_0 ≡ 1 (mod n), then stop; the procedure has failed to factor n. If for some u, b_u ≡ -1 (mod n), then stop; the procedure has failed to factor n. If for some u, b_(u+1) ≡ 1 (mod n) but b_u ≢ ±1 (mod n), then gcd(b_u - 1, n) gives a nontrivial factor of n.

Slide 21: Pollard's p-1 Method (1974)
Choose an integer a > 1 (usually a = 2) and choose a bound B. Compute b ≡ a^(B!) (mod n) as follows: let b_1 ≡ a (mod n) and b_j ≡ (b_(j-1))^j (mod n); then b_B ≡ b (mod n). If 1 < d = gcd(b-1, n) < n, we have found a nontrivial factor of n.
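Slides 19, 20 and 21, together with Claim 2 of slide 9, as an added Python example (not from the presentation). The sample n = 295927 comes from slide 19, the (n, e, d) triple from slide 5 is reused for Claim 2 with r = e·d - 1, and the bound B = 9 for Pollard's method is my choice (9! is a multiple of 541 - 1 = 540); the function names are my own.

```python
from math import gcd, isqrt

def fermat_factor(n, max_k=100_000):
    """Slide 19: search k = 1, 2, ... until n + k^2 is a square s^2; then n = (s-k)(s+k)."""
    for k in range(1, max_k):
        s = isqrt(n + k * k)
        if s * s == n + k * k:
            return s - k, s + k
    return None

def exponent_factor(n, r, a):
    """Slide 20: given a^r = 1 (mod n), write r = 2^k m (m odd) and square b_0 = a^m
    repeatedly; a b_u outside {1, -1} whose square is 1 gives gcd(b_u - 1, n)."""
    g = gcd(a, n)
    if g > 1:
        return g                          # a already shares a factor with n
    k, m = 0, r
    while m % 2 == 0:
        k, m = k + 1, m // 2
    b = pow(a, m, n)
    if b == 1:
        return None                       # b_0 = 1: this base tells us nothing
    for _ in range(k):
        if b == n - 1:
            return None                   # reached -1 before 1: failure for this base
        nxt = b * b % n
        if nxt == 1:
            return gcd(b - 1, n)          # nontrivial square root of 1 found
        b = nxt
    return None

def factor_from_private_key(n, e, d):
    """Claim 2 (slide 9): e*d - 1 is a multiple of phi(n), so every a coprime to n
    satisfies a^(e*d-1) = 1 (mod n); try bases until the exponent method splits n."""
    for a in range(2, 100):
        f = exponent_factor(n, e * d - 1, a)
        if f is not None and 1 < f < n:
            return f
    return None

def pollard_p_minus_1(n, B, a=2):
    """Slide 21: b = a^(B!) mod n built as b_1 = a, b_j = b_(j-1)^j; then gcd(b-1, n)."""
    b = a % n
    for j in range(2, B + 1):
        b = pow(b, j, n)
    d = gcd(b - 1, n)
    return d if 1 < d < n else None
```

With r = 340 and r = 560 and base 2, exponent_factor reproduces the factors 31 and 33 that the Miller-Rabin runs on slides 16 and 17 expose.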

Slide 22: The Quadratic Sieve
Suppose we want to factor n = 3837523. (Result: n = 1093 · 3511.)

Slide 23: The Public Key Concept
The RSA Algorithm
Knapsack problems
Discrete Logarithms by ElGamal
Error Correcting Codes by McEliece
Elliptic Curve Cryptosystem by Diffie-Hellman

Slide 24: The Concept and Criteria
1. E_k(D_k(m)) = m and D_k(E_k(m)) = m for every message m in M, the set of possible messages, and every key k in K, the set of possible keys.
2. For every m and every k, the values of E_k(m) and D_k(m) are easy to compute.
3. For every k, if someone knows only the function E_k, it is computationally infeasible to find an algorithm to compute D_k.
4. Given k, it is easy to find the functions E_k and D_k.
