Prime numbers for Cryptography

Transcription

1 Prime numbers for Cryptography What this is going to cover Primes, products of primes and factorisation How to win a million dollars Generating small primes quickly How many primes are there and how many very large numbers are prime? Generating and testing very large primes Fermat primality testing Rabin Miller primality testing Rabin Miller software

2 What we're going to cover and why Understanding how RSA asymmetric cryptography works requires some mathematics and computations involving prime numbers. This concerns how large prime numbers can be generated, how many primes there are, and what we need to do in order to find large prime numbers. It concerns whether it is feasible for products of 2 large unknown prime numbers to be factorised. We will make some use of modular arithmetic operations covered previously, particularly modular exponentiation. As with modular arithmetic, prime number arithmetic is to do with whole numbers, and not numbers with fractions.

3 Primes, products of primes and factorisation A prime number has no factors other than itself and 1. A factor F of N divides N exactly such that the remainder you get on dividing N by F is zero, or N mod F = 0. The word mod means the remaindering or modulus operation. RSA considered secure because it is thought hard or impossible to factor products of 2 large prime numbers. Large here means binary numbers with between 1024 and 4096 digits. A number with 1000 binary digits would have just over 300 decimal or 250 hexadecimal digits.

4 Multiplying large integers Not having fractions simplifies the storage of these numbers in computer memory. To multiply 2 very large primes we will use the hardware binary integer multiplication instructions in our CPU combined with long multiplication, to multiply two large binary prime numbers together. This needs a programming library which can handle large integers, because the 32 or 64 bit integer types directly supported by hardware (or most programming languages) are much too small. Long multiplication isn't as fast as multiplying two 32 bit numbers together directly in hardware to make a 64 bit one, but is fast enough.

5 Factorisation How do we factorise a number N made by multiplying large primes P and Q together? One approach involves trying every number I smaller or equal to the square root of N, starting with 2, and seeing if N mod I = 0. We add one to I each time we try this, printing out any factors we find. We could speed this up if we try dividing N by prime numbers starting with 2, and stopping after the square root of N. This is because e.g. if 2 and 3 are not factors of N, then multiples of 2 or 3 can't be either. If we have a list of primes <= sqrt(n) to start with, this procedure can be made faster. This wouldn't help factorise products of large primes, because we don't have enough computer memory to store all primes greater than a few hundred billion.

6 How to make $1,000,000 All you have to do is work out how to factor the product of 2 randomly chosen primes each about 1024 bits long. The security of Internet commerce depends upon you not succeeding. Your fame would enable you to earn this and more through book sales and public speaking engagements. Anyone who knew how to do this would have to be offered more than the rewards of making a method public to keep it secret. There is a prize on offer for this sum for whoever proves the Reimann hypothesis from the Clay Mathematical institute, which might perhaps lead to a method of solving this problem.

7 Generating small primes using Eratothenes Sieve N = number to stop at e.g Create list of numbers PP from 2 to N all possibly prime X = 2 While X <= N : A=X While A.X <= N: PP[A.X] = not prime A = A+1 Find next prime X in PP (first item not marked not prime) Print all items in PP except those marked not prime.

8 Eratothenes Sieve Animation Try to get this list using the animation on

9 The sieve function in Python

10 Running the sieve, printing results

11 Eratothenes program output

12 An infinity of prime numbers Euclid proved the existence of an infinite number of primes in 300 BC as follows: Imagine there is a highest prime P. We could then generate a product of all the primes P = M But then, either M+1 would be prime ( because M+1 mod 2 = M+1 mod 3 = M+1 mod 5... = M+1 mod P = 1 ) or M+1 would have to be the product of 1 or more primes Q, R > P. Either way primes higher than P must logically exist once we imagine a highest prime P to exist. Therefore there is no highest prime so an infinite number of prime numbers must exist. We can't generate primes of infinite size. So the next question concerns how easily can we find a prime of a size we choose by generating random numbers.

13 How many primes exist below a given number? Source: Even though the total number of primes is infinite, one could still ask "Approximately how many primes are there below 100,000?", or "How likely is a random 20-digit number to be prime?". The prime-counting function π(x) is defined as the number of primes up to x. There are known algorithms to compute exact values of π(x) faster than it would be possible to compute each prime up to x. Values as large as π(10 20 ) can be calculated quickly and accurately with modern computers. Thus, e.g., π(100,000) = 9592, and π(10 20 ) = 2,220,819,602,560,918,840. For larger values of x, beyond the reach of modern equipment, the prime number theorem provides a good estimate: π(x) is approximately x/ln(x). Even better estimates are known.

14 Prime frequency table source: The column on the right gives average gaps between primes of size x.

15 How to generate a large prime To obtain a prime of about 300 decimal digits, generate 1024 random bits and append a 1 to the right hand end to ensure it is odd. Test whether it is prime using a primality test e.g. Fermat or Rabin Miller. If it isn't prime add 2 and try again. Repeat until the number tests prime. Extrapolating from the prime frequency table we expect one odd number in 330 to be prime in this range, (because average prime gaps are about 660). Or we could generate a new random number each time and try on average 330 times before we find one, or if we are short of trusted entropy use a secure pseudo-random generator seeded by the first random number.

16 The Fermat Primality Test Based on Fermat's Little Theorem if p is prime and 1 <= a < p, then a p-1 mod p = 1 To test if p is prime, pick random a's between 1 and p-1 and see if this is true. If it isn't for any value of a, then p is definitely composite. If it's true for many values of a, p is probably prime. We might find no value of a where the test fails. Any a such that a n-1 mod n = 1 when n is composite is called a Fermat liar. Some composites called Carmichael numbers will pass many of these tests. They risk us thinking we have a prime which isn't one. But these numbers occur so infrequently that generating the random number locally reduces this risk to a tiny and known level. PGP uses this test and has a risk of 1 in of finding such a non-prime randomly. Source:

17 Fermat Primality Algorithm Inputs: n: a value to test for primality; k: a parameter that determines the number of times to test for primality Output: composite if n is composite, otherwise probably prime repeat k times: pick a randomly in the range [1, n 1] if a n-1 mod n!= 1 then return composite return probably prime source: This simple algorithm is adopted by PGP because Fermat's Little Theorem is very well understood and proven. But other RSA implementations are likely to use the more complex Rabin Miller test due to the lower risk of finding composites which pass many such probabilistic tests.

18 The Rabin Miller primality test This and the Fermat test are probabilistic and are run a number of times to reduce the probability of a candidate prime being composite to a very small level. Each Rabin Miller test reduces the probability of a candidate prime being composite to 1/4 of the previous value. A small witness number is used for each cycle. Passing 64 tests reduces the probability of a random number being composite to 1/ In practice most composites report as such in a single pass. The proof of this requires more advanced mathematics than is needed to understand Fermat's Little Theorem. Proving either of these ideas is beyond the scope of these notes.

19 Rabin Miller primality test pseudocode source: Input: n > 2, an odd integer to be tested for primality; k, a parameter that determines the accuracy of the test Output: composite if n is composite, otherwise probably prime Write n 1 as 2 s d with d odd by factoring powers of 2 from n 1 LOOP: repeat k times: pick a randomly in the range [2, n 2] x a d mod n if x = 1 or x = n 1 then do next LOOP for r = 1.. s 1 x x 2 mod n if x = 1 then return composite if x = n 1 then do next LOOP return composite return probably prime

20 Rabin Miller Test software. rabinmiller.py Sources for this and next slide obtained from: With added comments and light modifications including extended test code Richard Kay, 22 November 2012

21 Miller Rabin test if n prime

22 Some Miller Rabin automated tests

23 Test Results

24 Using OpenSSL to confirm and provide test data The openssl command line tool used in the lab provides an alternative Rabin Miller test implementation. We can use this reputable and much peer reviewed tool in order to generate data for testing a new RM implementation. Example: rich@saturn:~$ openssl prime D9FE6C F8490E1B3F2DF525DF375B5FC788690D- F09B96E219DC46ED86CA74611D4F is not prime rich@saturn:~$ openssl prime D9FE6C F8490E1B3F2DF525DF375B5FC788690D- F09B96E219DC46ED86CA74611D51 is prime

25 The RSA protocol in brief 1 source: Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair.

26 The RSA protocol 2 source: That's a very quick summary. We will be looking at these RSA calculations in more detail next lecture, and considering some possible attacks.

27 Further Reading The recommended text (Ferguson, N. & Schneier, B. (2003) Practical Cryptography, John Wiley & Sons.) is suitable for more thorough study. Links as starting points for on-line exploration: