# Study of algorithms for factoring integers and computing discrete logarithms

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Kharagpur , India Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 1

2 The integer factorization problem (IFP) Given a positive composite integer n, compute all the prime divisors of n. The IFP is known to be a problem in the complexity class NP conp. The input size is measured by the minimum number of bits needed to encode n, which is log 2 n + 1 = O(log n). No polynomial-time algorithms are known to solve the IFP. The best known algorithms to solve the IFP run in subexponential time. These subexponential algorithms are probabilistic in nature, and their running times often lack rigorous proofs. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 2

3 The discrete logarithm problem (DLP) Let G be a finite cyclic group of size n, and let g be a generator of G. Given a G, compute an integer x = ind g a satisfying a = g x. The index or discrete logarithm x is unique modulo n. There are certain groups where computing indices is computationally difficult. Multiplicative groups of finite fields Groups of rational points on elliptic curves defined over finite fields Jacobians of hyperelliptic curves defined over finite fields Class groups of (algebraic) number fields The finite field discrete logarithm problem is historically of similar complexity as the IFP. The subexponential algorithms for DLP are often adaptations of algorithms for factoring integers. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 3

4 The Diffie-Hellman problem (DHP) Let G be a finite cyclic group, and g a generator of G. Given g x and g y, compute g xy. If the DLP can be solved easily, the DHP can be solved easily too. The converse implication is not proved. The DHP is relevant for groups where computing discrete logarithms is difficult. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 4

5 Relevance to cryptography Public-key cryptography is based on the apparent intractability of solving some computational problems. The IFP, DLP and DHP are widely used in public-key systems. These problems lead to trapdoor one-way functions. The one-way-ness cannot be proved, but only believed. NP-complete problems are not found suitable for building public-key systems. Problems belonging to the class UP (unambiguous polynomial-time) are suitable. We have P UP NP. Both the inclusions are believed to be proper. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 5

6 Cryptography examples RSA is related to the IFP. Inverting RSA keys is probabilistic polynomial-time equivalent to IFP. However, RSA decryption (without the private key) may be easier than solving the IFP. Rabin s encryption algorithm is based on the square-root problem which is probabilistic polynomial-time equivalent to the IFP. The Diffie-Hellman key exchange problem is based on the DHP. ElGamal encryption is based on the DHP. Many other encryption and signature algorithms (like ElGamal signature, DSA) are based on the DLP. IFP and DLP find applications in designing authentication schemes too. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 6

7 Efficient implementation of modular arithmetic An old, yet interesting problem. A cryptography toolkit being developed in IIT Kharagpur runs 5 10% faster than GP/PARI for performing modular exponentiation of integers of cryptographic sizes. Exponentiation based on addition chains has been studied by my team. The goal is to generate crypto-grade exponents which lead to faster key operations than pseudorandom exponents. These works have not been published yet. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 7

8 Fermat s method of factoring integers Let n be an odd (positive) composite integer. Given v Z n, there exist at least two u Z n such that u 2 v 2 (mod n) and u ±v (mod n). For any such pair (u,v), we obtain the non-trivial factor gcd(u v, n) of n. Examples 899 = = , and gcd(30 1, 899) = 29 is a nontrivial factor of = , and gcd(50 1, 833) = 49 is a non-trivial factor of 833. Most modern subexponential algorithms are based on locating such pairs (u, v). Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 8

9 Modern factoring algorithms Subexponential running time L(n,γ, c) = exp [ (c + o(1))(ln n) γ (ln lnn) 1 γ], 0 < γ < 1, c > 0. Algorithms with running time L[c] = L(n, 1/2, c) CFRAC (Continued fraction method) SQUFOF (Square-form factorization) QSM (Quadratic sieve method) CSM (Cubic sieve method) ECM (Elliptic curve method not based on Fermat s method) Algorithms with running time L(n, 1/3, c) SNFSM (Special number field sieve method) GNFSM (General number field sieve method) Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 9

10 A naive algorithm Choose a in the range 1 a < n and take T(a) = a 2 (mod n), 1 T(a) < n. Try to factor T(a) as T(a) = q e 1 1 q e 2 2 q e t t, where q 1, q 2,...,q t are the first t primes. If all e i are even, take u = a and v = q e 1/2 1 q e 2/2 2 q e t/2 t. In general, it is unreasonable to expect that all e i are even. Collect many such relations and combine the relations to arrive at a congruence of the form u 2 v 2 (mod n). This leads to a linear system modulo 2. The expected value of T(a) is O(n). Instead of T(a), we can also try to factor T(a) + kn for small integers k. One can use sieving while considering different values of k. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 10

11 Quadratic sieve method (QSM) Let H = n, J = H 2 n. For a small integer a, we have (H +a) 2 T(a) (mod n), where T(a) = J +2aH +a 2. Try to factor T(a) over small primes. We have T(a) = O( n). So we get smooth candidates more frequently than in the naive method. Use sieving for running through all values of a. Running time is L[1]. We have studied some variants which reduce T(a) by small constant factors. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 11

12 Cubic sieve method (CSM) Let the integers x,y, z satisfy x 3 y 2 z (mod n) with x 3 y 2 z as integers. For integers a,b,c with a + b + c = 0, one has (x + ay)(x + by)(x + cy) y 2 T(a, b,c) (mod n), where T(a,b,c) = z + (ab + ac + bc)x + (abc)y = b(b + c)(x + cy) + (z c 2 x). If x,y, z are O(n ξ ), then T(a,b,c) is O(n ξ ) for small values of a,b,c. The best value for ξ is 1/3. In this case T(a, b,c) is O(n 1/3 ). Use sieving for running through all triples (a, b, c) with a + b + c = 0. The best running time is L[ 2/3] = L[0.816]. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 12

13 Our study of the CSM A heuristic idea was proposed to increase the sieving interval by 20 30%. The resulting increase in the running time of the sieving step is nominal (less than 1%). The congruence x 3 y 2 z (mod n) with x 3 y 2 z is studied. It is an open question whether one can obtain x, y, z of the order O(n ξ ) for ξ < 1/2. We proposed some heuristic counting argument to conclude that the number of solutions of the congruence with 1 x,y, z n ξ is O(n 3ξ 1 ). For ξ slightly bigger than 1/3, we expect to get a solution. It remains open how one can compute such a solution for a general value of n. Publication: Abhijit Das and C E Veni Madhavan, On the cubic sieve method for computing discrete logarithms over prime fields, International Journal of Computer Mathematics, Volume 82, Number 12, December 2005, Taylor & Francis, Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 13

14 The number field sieve method (NFSM) Take n = Choose a polynomial f(x) Z[x] and m Z such that f(m) 0 (mod n). For example, take f(x) = x 4 2x + 3 and m = 14. For this choice, f(m) = = 3n. We have (x 3 ) 2 2x 3 3x 2 (mod f(x)). This implies (14 3 ) (mod n). A non-trivial factor of n is gcd( , n) = 191. Indeed, we have n = Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 14

15 Future directions of research Efficient implementation efforts (for cryptographic and cryptanalytic algorithms). Study of the cubic sieve method, particularly, the congruence x 3 y 2 z (mod n). Study of the number field sieve method. Effective parallelization attempts, pertaining most importantly to the linear system solving stage. A high ambition: designing new subexponential algorithms (with smaller values of the exponent γ and/or the constant c). A dream: arriving at polynomial-time algorithms (possibly randomized) for the IFP and/or the DLP, or proving that no such algorithm can exist. (Note that polynomialtime quantum algorithms are known for both these problems.) Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 15

16 Thank you! Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 16

### Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

### CHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and

79 CHAPTER 3 THE NEW MMP CRYPTO SYSTEM In this chapter an overview of the new Mixed Mode Paired cipher text Cryptographic System (MMPCS) is given, its three hard mathematical problems are explained, and

### Elements of Applied Cryptography Public key encryption

Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### Primality Testing and Factorization Methods

Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

Advanced Maths Lecture 3 Next generation cryptography and the discrete logarithm problem for elliptic curves Richard A. Hayden rh@doc.ic.ac.uk EC crypto p. 1 Public key cryptography Asymmetric cryptography

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this

### RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

RSA Question 2 Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true? Bob chooses a random e (1 < e < Φ Bob ) such that gcd(e,φ Bob )=1. Then, d = e -1

### Public-Key Cryptanalysis 1: Introduction and Factoring

Public-Key Cryptanalysis 1: Introduction and Factoring Nadia Heninger University of Pennsylvania July 21, 2013 Adventures in Cryptanalysis Part 1: Introduction and Factoring. What is public-key crypto

### Public-Key Cryptography. Oregon State University

Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### Faster deterministic integer factorisation

David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Factoring. Factoring 1

Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like

### 3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

### Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

### Integer Factorization using the Quadratic Sieve

Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give

### ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION Aldrin W. Wanambisi 1* School of Pure and Applied Science, Mount Kenya University, P.O box 553-50100, Kakamega, Kenya. Shem Aywa 2 Department of Mathematics,

### MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to Public-Key Cryptography Israel Koren ECE597/697 Koren Part.6.1

### The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### FACTORING. n = 2 25 + 1. fall in the arithmetic sequence

FACTORING The claim that factorization is harder than primality testing (or primality certification) is not currently substantiated rigorously. As some sort of backward evidence that factoring is hard,

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### RSA and Primality Testing

and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

### Primality - Factorization

Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

### An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Prime Numbers The generation of prime numbers is needed for many public key algorithms:

CA547: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Number Theory 2 7.1 Prime Numbers Prime Numbers The generation of prime numbers is needed for many public key algorithms: RSA: Need to find p and q to compute

### Cryptography and Network Security Chapter 8

Cryptography and Network Security Chapter 8 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 8 Introduction to Number Theory The Devil said to Daniel Webster:

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Homework 5 Solutions

Homework 5 Solutions 4.2: 2: a. 321 = 256 + 64 + 1 = (01000001) 2 b. 1023 = 512 + 256 + 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = (1111111111) 2. Note that this is 1 less than the next power of 2, 1024, which

### Factoring Algorithms

Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors

### PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

### Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

### I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

### Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47 Overview 1 The Problem 2 Two Simple, and Slow, Methods

### The Quadratic Sieve Factoring Algorithm

The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 Introduction Mathematicians have been attempting to find better and faster ways to factor composite

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### Chapter 9. Computational Number Theory. 9.1 The basic groups Integers mod N Groups

Chapter 9 Computational Number Theory 9.1 The basic groups We let Z = {..., 2, 1,0,1,2,...} denote the set of integers. We let Z + = {1,2,...} denote the set of positive integers and N = {0,1,2,...} the

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### Cryptography and Network Security Number Theory

Cryptography and Network Security Number Theory Xiang-Yang Li Introduction to Number Theory Divisors b a if a=mb for an integer m b a and c b then c a b g and b h then b (mg+nh) for any int. m,n Prime

### Public-Key Cryptanalysis

To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the

### Factoring Report. MEC Consulting (communicated via RSA Security) Dr.Preda Mihailescu

Factoring Report 2001 12 4 MEC Consulting (communicated via RSA Security) Dr.Preda Mihailescu Factoring Report Dr. Preda Mihailescu MEC Consulting Seestr. 78, 8700 Erlenbach Zürich Email: preda@upb.de

### MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

### Notes on Factoring. MA 206 Kurt Bryan

The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

### Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

### Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Phong Nguyễn http://www.di.ens.fr/~pnguyen & ASIACRYPT 2009 Joint work with G. Castagnos, A. Joux and F. Laguillaumie Summary Factoring A New Factoring

### MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2016 47 4. Diophantine Equations A Diophantine Equation is simply an equation in one or more variables for which integer (or sometimes rational) solutions

### Computer and Network Security

MIT 6.857 Computer and Networ Security Class Notes 1 File: http://theory.lcs.mit.edu/ rivest/notes/notes.pdf Revision: December 2, 2002 Computer and Networ Security MIT 6.857 Class Notes by Ronald L. Rivest

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Smooth numbers and the quadratic sieve

Algorithmic Number Theory MSRI Publications Volume 44, 2008 Smooth numbers and the quadratic sieve CARL POMERANCE ABSTRACT. This article gives a gentle introduction to factoring large integers via the

### Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### 2. Cryptography 2.4 Digital Signatures

DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Number theory Harald Hanche-Olsen

TMA4155 Cryptography, intro 2010 Number theory Harald Hanche-Olsen http://www.math.ntnu.no/~hanche/ Congruences, or modular arithmetic Arithmetic modulo 12 or 24 is familiar to anyone using a clock, though

### Is this number prime? Berkeley Math Circle Kiran Kedlaya

Is this number prime? Berkeley Math Circle 2002 2003 Kiran Kedlaya Given a positive integer, how do you check whether it is prime (has itself and 1 as its only two positive divisors) or composite (not

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### Elliptic Curve Cryptography

Elliptic Curve Cryptography Elaine Brow, December 2010 Math 189A: Algebraic Geometry 1. Introduction to Public Key Cryptography To understand the motivation for elliptic curve cryptography, we must first

### ECE 842 Report Implementation of Elliptic Curve Cryptography

ECE 842 Report Implementation of Elliptic Curve Cryptography Wei-Yang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### THE MATHEMATICS OF PUBLIC KEY CRYPTOGRAPHY.

THE MATHEMATICS OF PUBLIC KEY CRYPTOGRAPHY. IAN KIMING 1. Forbemærkning. Det kan forekomme idiotisk, at jeg som dansktalende og skrivende i et danskbaseret tidsskrift med en (formentlig) primært dansktalende

### Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI Dr. Michael Alexander Dr. Sonja Sewera Talk 2007-10-19 Slide 1 of 20 Primes Definitions Prime: A whole number n is a prime number

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### UOSEC Week 2: Asymmetric Cryptography. Frank IRC kee Adam IRC xe0 IRC: irc.freenode.net #0x4f

UOSEC Week 2: Asymmetric Cryptography Frank farana@uoregon.edu IRC kee Adam pond2@uoregon.edu IRC xe0 IRC: irc.freenode.net #0x4f Agenda HackIM CTF Results GITSC CTF this Saturday 10:00am Basics of Asymmetric

### Primality - Factorization

Primality - Factorization Christophe Ritzenthaler February 8, 2016 1 Primality Definition 1.1. An integer p > 1 is called a prime number if it has only 1 and p as divisors. Example 1. There are infinitely

### ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS Carl Pomerance Given a cyclic group G with generator g, and given an element t in G, the discrete logarithm problem is that of computing an integer l with g l

### Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00

18.781 Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00 Throughout this assignment, f(x) always denotes a polynomial with integer coefficients. 1. (a) Show that e 32 (3) = 8, and write down a list

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### Cryptography. Course 2: attacks against RSA. Jean-Sébastien Coron. September 26, Université du Luxembourg

Course 2: attacks against RSA Université du Luxembourg September 26, 2010 Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### LUC: A New Public Key System

LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

### Faster Cryptographic Key Exchange on Hyperelliptic Curves

Faster Cryptographic Key Exchange on Hyperelliptic Curves No Author Given No Institute Given Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 7: Public-key cryptography and RSA Ion Petre Department of IT, Åbo Akademi University 1 Some unanswered questions

### Factoring and Discrete Log

Factoring and Discrete Log Nadia Heninger University of Pennsylvania June 1, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption