Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

Similar documents

How To Factoring

Factoring integers and Producing primes

Primality - Factorization

Primality Testing and Factorization Methods

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Elements of Applied Cryptography Public key encryption

Public Key Cryptography and RSA. Review: Number Theory Basics

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Shor s algorithm and secret sharing

Public Key Cryptography: RSA and Lots of Number Theory

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Recent Breakthrough in Primality Testing

RSA and Primality Testing

How To Solve The Prime Factorization Of N With A Polynomials

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

Cryptography and Network Security

Lecture 13 - Basic Number Theory.

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Faster deterministic integer factorisation

Cryptography and Network Security Chapter 9

An Overview of Integer Factoring Algorithms. The Problem

The application of prime numbers to RSA encryption

Basic Algorithms In Computer Algebra

Applied Cryptography Public Key Algorithms

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Cryptography and Network Security

Notes on Network Security Prof. Hemant K. Soni

The Mathematics of the RSA Public-Key Cryptosystem

How To Know If A Message Is From A Person Or A Machine

Overview of Public-Key Cryptography

RSA Attacks. By Abdulaziz Alrasheed and Fatima

CS549: Cryptography and Network Security

Public-Key Cryptanalysis 1: Introduction and Factoring

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Cryptography and Network Security Chapter 8

Cryptography and Network Security Number Theory

Integer Factorization

Factoring & Primality

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

CIS 5371 Cryptography. 8. Encryption --

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Communications security

Study of algorithms for factoring integers and computing discrete logarithms

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

A Factoring and Discrete Logarithm based Cryptosystem

A Comparison Of Integer Factoring Algorithms. Keyur Anilkumar Kanabar

Public-key cryptography RSA

3. Computational Complexity.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

On Factoring Integers and Evaluating Discrete Logarithms

Number Theory and Cryptography using PARI/GP

Advanced Cryptography

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

An Introduction to the RSA Encryption Method

The Future of Digital Signatures. Johannes Buchmann

EXAM questions for the course TTM Information Security June Part 1

Cryptography: Authentication, Blind Signatures, and Digital Cash

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

7! Cryptographic Techniques! A Brief Introduction

A SOFTWARE COMPARISON OF RSA AND ECC

Integer Factorization using the Quadratic Sieve

Computer and Network Security

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Table of Contents. Bibliografische Informationen digitalisiert durch

Factoring. Factoring 1

Runtime and Implementation of Factoring Algorithms: A Comparison

Computer Security: Principles and Practice

Public Key (asymmetric) Cryptography

CRYPTOG NETWORK SECURITY

Symmetric Key cryptosystem

The science of encryption: prime numbers and mod n arithmetic

Number Theory and the RSA Public Key Cryptosystem

Textbooks: Matt Bishop, Introduction to Computer Security, Addison-Wesley, November 5, 2004, ISBN

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Lukasz Pater CMMS Administrator and Developer

Integer Factorization

Integer Factorization: Solution via Algorithm for Constrained Discrete Logarithm Problem

CRYPTOGRAPHY IN NETWORK SECURITY

IT IS EASY TO DETERMINE WHETHER A GIVEN INTEGER IS PRIME

Two Integer Factorization Methods

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Index Calculation Attacks on RSA Signature and Encryption

CSCE 465 Computer & Network Security

Lecture 13: Factoring Integers

Factoring Algorithms

2 Primality and Compositeness Tests

On Generalized Fermat Numbers 3 2n +1

LUC: A New Public Key System

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

Continued Fractions. Darren C. Collins

Transcription:

RSA cryptosystem HRI, Allahabad, February, 2005 0 Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute Allahabad (UP), INDIA February, 2005

RSA cryptosystem HRI, Allahabad, February, 2005 1

RSA cryptosystem HRI, Allahabad, February, 2005 2 RSA 2048 = 25195908475657893494027183240048398571429282126204 032027777137836043662020707595556264018525880784406918290641249 515082189298559149176184502808489120072844992687392807287776735 971418347270261896375014971824691165077613379859095700097330459 748808428401797429100642458691817195118746121515172654632282216 869987549182422433637259085141865462043576798423387184774447920 739934236584823824281198163815010674810451660377306056201619676 256133844143603833904414952634432190114657544454178424020924616 515723350778707749817125772467962926386356373289912154831438167 899885040445364023527381951378636564391212010397122822120720357

RSA cryptosystem HRI, Allahabad, February, 2005 2 RSA 2048 = 25195908475657893494027183240048398571429282126204 032027777137836043662020707595556264018525880784406918290641249 515082189298559149176184502808489120072844992687392807287776735 971418347270261896375014971824691165077613379859095700097330459 748808428401797429100642458691817195118746121515172654632282216 869987549182422433637259085141865462043576798423387184774447920 739934236584823824281198163815010674810451660377306056201619676 256133844143603833904414952634432190114657544454178424020924616 515723350778707749817125772467962926386356373289912154831438167 899885040445364023527381951378636564391212010397122822120720357 RSA 2048 is a 617 (decimal) digit number

RSA cryptosystem HRI, Allahabad, February, 2005 2 RSA 2048 = 25195908475657893494027183240048398571429282126204 032027777137836043662020707595556264018525880784406918290641249 515082189298559149176184502808489120072844992687392807287776735 971418347270261896375014971824691165077613379859095700097330459 748808428401797429100642458691817195118746121515172654632282216 869987549182422433637259085141865462043576798423387184774447920 739934236584823824281198163815010674810451660377306056201619676 256133844143603833904414952634432190114657544454178424020924616 515723350778707749817125772467962926386356373289912154831438167 899885040445364023527381951378636564391212010397122822120720357 RSA 2048 is a 617 (decimal) digit number http://www.rsa.com/rsalabs/challenges/factoring/numbers.html/

RSA cryptosystem HRI, Allahabad, February, 2005 3 RSA 2048 =p q, p, q 10 308

RSA cryptosystem HRI, Allahabad, February, 2005 3 RSA 2048 =p q, p, q 10 308 PROBLEM: Compute p and q

RSA cryptosystem HRI, Allahabad, February, 2005 3 RSA 2048 =p q, p, q 10 308 PROBLEM: Compute p and q Price: 200.000 US$ ( 87, 36, 000 Indian Rupee)!!

RSA cryptosystem HRI, Allahabad, February, 2005 3 RSA 2048 =p q, p, q 10 308 PROBLEM: Compute p and q Price: 200.000 US$ ( 87, 36, 000 Indian Rupee)!! Theorem. If a N! p 1 < p 2 < < p k primes s.t. a = p α 1 1 pα k k

RSA cryptosystem HRI, Allahabad, February, 2005 3 RSA 2048 =p q, p, q 10 308 PROBLEM: Compute p and q Price: 200.000 US$ ( 87, 36, 000 Indian Rupee)!! Theorem. If a N! p 1 < p 2 < < p k primes s.t. a = p α 1 1 pα k k Regrettably: RSAlabs believes that factoring in one year requires: number computers memory RSA 1620 1.6 10 15 120 Tb RSA 1024 342, 000, 000 170 Gb RSA 760 215,000 4Gb.

RSA cryptosystem HRI, Allahabad, February, 2005 4 http://www.rsa.com/rsalabs/challenges/factoring/numbers.html

RSA cryptosystem HRI, Allahabad, February, 2005 4 http://www.rsa.com/rsalabs/challenges/factoring/numbers.html Challenge Number Prize ($US) RSA 576 $10,000 RSA 640 $20,000 RSA 704 $30,000 RSA 768 $50,000 RSA 896 $75,000 RSA 1024 $100,000 RSA 1536 $150,000 RSA 2048 $200,000

RSA cryptosystem HRI, Allahabad, February, 2005 4 http://www.rsa.com/rsalabs/challenges/factoring/numbers.html Challenge Number Prize ($US) Status RSA 576 $10,000 Factored December 2003 RSA 640 $20,000 Not Factored RSA 704 $30,000 Not Factored RSA 768 $50,000 Not Factored RSA 896 $75,000 Not Factored RSA 1024 $100,000 Not Factored RSA 1536 $150,000 Not Factored RSA 2048 $200,000 Not Factored

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene )

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables)

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables) 1880 Landry & Le Lasseur: 2 26 + 1 = 274177 67280421310721

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables) 1880 Landry & Le Lasseur: 2 26 + 1 = 274177 67280421310721 1919 Pierre and Eugène Carissan (Factoring Machine)

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables) 1880 Landry & Le Lasseur: 2 26 + 1 = 274177 67280421310721 1919 Pierre and Eugène Carissan (Factoring Machine) 1970 Morrison & Brillhart 2 27 + 1 = 59649589127497217 5704689200685129054721

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables) 1880 Landry & Le Lasseur: 2 26 + 1 = 274177 67280421310721 1919 Pierre and Eugène Carissan (Factoring Machine) 1970 Morrison & Brillhart 2 27 + 1 = 59649589127497217 5704689200685129054721 1982 Quadratic Sieve QS (Pomerance) Number Fields Sieve NFS

RSA cryptosystem HRI, Allahabad, February, 2005 5 History of the Art of Factoring 220 BC Greeks (Eratosthenes of Cyrene ) 1730 Euler 2 25 + 1 = 641 6700417 1750 1800 Fermat, Gauss (Sieves - Tables) 1880 Landry & Le Lasseur: 2 26 + 1 = 274177 67280421310721 1919 Pierre and Eugène Carissan (Factoring Machine) 1970 Morrison & Brillhart 2 27 + 1 = 59649589127497217 5704689200685129054721 1982 Quadratic Sieve QS (Pomerance) Number Fields Sieve NFS 1987 Elliptic curves factoring ECF (Lenstra)

RSA cryptosystem HRI, Allahabad, February, 2005 6 Carissan s ancient Factoring Machine

RSA cryptosystem HRI, Allahabad, February, 2005 6 Carissan s ancient Factoring Machine Figure 1: Conservatoire Nationale des Arts et Métiers in Paris

RSA cryptosystem HRI, Allahabad, February, 2005 6 Carissan s ancient Factoring Machine Figure 1: Conservatoire Nationale des Arts et Métiers in Paris http://www.math.uwaterloo.ca/ shallit/papers/carissan.html

RSA cryptosystem HRI, Allahabad, February, 2005 7 Figure 2: Lieutenant Eugène Carissan

RSA cryptosystem HRI, Allahabad, February, 2005 7 Figure 2: Lieutenant Eugène Carissan 225058681 = 229 982789 2 minutes 3450315521 = 1409 2418769 3 minutes 3570537526921 = 841249 4244329 18 minutes

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring ❶ 1994, Quadratic Sieve (QS): (8 months, 600 voluntaries, 20 countries) D.Atkins, M. Graff, A. Lenstra, P. Leyland RSA 129 = 114381625757888867669235779976146612010218296721242362562561842935706 935245733897830597123563958705058989075147599290026879543541 = = 3490529510847650949147849619903898133417764638493387843990820577 32769132993266709549961988190834461413177642967992942539798288533

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring ❶ 1994, Quadratic Sieve (QS): (8 months, 600 voluntaries, 20 countries) D.Atkins, M. Graff, A. Lenstra, P. Leyland RSA 129 = 114381625757888867669235779976146612010218296721242362562561842935706 935245733897830597123563958705058989075147599290026879543541 = = 3490529510847650949147849619903898133417764638493387843990820577 32769132993266709549961988190834461413177642967992942539798288533 ❷ (February 2 1999), Number Fields Sieve (NFS): (160 Sun, 4 months) RSA 155 = 109417386415705274218097073220403576120037329454492059909138421314763499842 88934784717997257891267332497625752899781833797076537244027146743531593354333897 = = 102639592829741105772054196573991675900716567808038066803341933521790711307779 106603488380168454820927220360012878679207958575989291522270608237193062808643

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring ❶ 1994, Quadratic Sieve (QS): (8 months, 600 voluntaries, 20 countries) D.Atkins, M. Graff, A. Lenstra, P. Leyland RSA 129 = 114381625757888867669235779976146612010218296721242362562561842935706 935245733897830597123563958705058989075147599290026879543541 = = 3490529510847650949147849619903898133417764638493387843990820577 32769132993266709549961988190834461413177642967992942539798288533 ❷ (February 2 1999), Number Fields Sieve (NFS): (160 Sun, 4 months) RSA 155 = 109417386415705274218097073220403576120037329454492059909138421314763499842 88934784717997257891267332497625752899781833797076537244027146743531593354333897 = = 102639592829741105772054196573991675900716567808038066803341933521790711307779 106603488380168454820927220360012878679207958575989291522270608237193062808643 ❸ (December 3, 2003) (NFS): J. Franke et al. (174 decimal digits) RSA 576 = 1881988129206079638386972394616504398071635633794173827007633564229888597152346 65485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059 = = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring ❶ 1994, Quadratic Sieve (QS): (8 months, 600 voluntaries, 20 countries) D.Atkins, M. Graff, A. Lenstra, P. Leyland RSA 129 = 114381625757888867669235779976146612010218296721242362562561842935706 935245733897830597123563958705058989075147599290026879543541 = = 3490529510847650949147849619903898133417764638493387843990820577 32769132993266709549961988190834461413177642967992942539798288533 ❷ (February 2 1999), Number Fields Sieve (NFS): (160 Sun, 4 months) RSA 155 = 109417386415705274218097073220403576120037329454492059909138421314763499842 88934784717997257891267332497625752899781833797076537244027146743531593354333897 = = 102639592829741105772054196573991675900716567808038066803341933521790711307779 106603488380168454820927220360012878679207958575989291522270608237193062808643 ❸ (December 3, 2003) (NFS): J. Franke et al. (174 decimal digits) RSA 576 = 1881988129206079638386972394616504398071635633794173827007633564229888597152346 65485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059 = = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527 ❹ Elliptic curves factoring: introduced by da H. Lenstra. suitable to find prime factors with 50 digits (small)

RSA cryptosystem HRI, Allahabad, February, 2005 8 Contemporary Factoring ❶ 1994, Quadratic Sieve (QS): (8 months, 600 voluntaries, 20 countries) D.Atkins, M. Graff, A. Lenstra, P. Leyland RSA 129 = 114381625757888867669235779976146612010218296721242362562561842935706 935245733897830597123563958705058989075147599290026879543541 = = 3490529510847650949147849619903898133417764638493387843990820577 32769132993266709549961988190834461413177642967992942539798288533 ❷ (February 2 1999), Number Fields Sieve (NFS): (160 Sun, 4 months) RSA 155 = 109417386415705274218097073220403576120037329454492059909138421314763499842 88934784717997257891267332497625752899781833797076537244027146743531593354333897 = = 102639592829741105772054196573991675900716567808038066803341933521790711307779 106603488380168454820927220360012878679207958575989291522270608237193062808643 ❸ (December 3, 2003) (NFS): J. Franke et al. (174 decimal digits) RSA 576 = 1881988129206079638386972394616504398071635633794173827007633564229888597152346 65485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059 = = 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527 ❹ Elliptic curves factoring: introduced by da H. Lenstra. suitable to find prime factors with 50 digits (small)

RSA cryptosystem HRI, Allahabad, February, 2005 9 All: sub exponential running time

RSA cryptosystem HRI, Allahabad, February, 2005 10 RSA Adi Shamir, Ron L. Rivest, Leonard Adleman (1978)

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998)

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it A (Alice) B (Bob) C (Charles)

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it ❶ ❷ ❸ ❹ A (Alice) B (Bob) C (Charles)

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it A (Alice) B (Bob) C (Charles) ❶ Key generation Bob has to do it ❷ ❸ ❹

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it A (Alice) B (Bob) C (Charles) ❶ Key generation ❷ Encryption Bob has to do it Alice has to do it ❸ ❹

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it A (Alice) B (Bob) C (Charles) ❶ Key generation ❷ Encryption ❸ Decryption Bob has to do it Alice has to do it Bob has to do it ❹

RSA cryptosystem HRI, Allahabad, February, 2005 11 The RSA cryptosystem 1978 R. L. Rivest, A. Shamir, L. Adleman (Patent expired in 1998) Problem: Alice wants to send the message P to Bob so that Charles cannot read it A (Alice) B (Bob) C (Charles) ❶ Key generation ❷ Encryption ❸ Decryption ❹ Attack Bob has to do it Alice has to do it Bob has to do it Charles would like to do it

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 )

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1)

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t.

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3 Experts recommend e = 2 16 + 1

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3 Experts recommend e = 2 16 + 1 He computes arithmetic inverse d of e modulo ϕ(m)

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3 Experts recommend e = 2 16 + 1 He computes arithmetic inverse d of e modulo ϕ(m) (i.e. d N (unique ϕ(m)) s.t. e d 1 (mod ϕ(m)))

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3 Experts recommend e = 2 16 + 1 He computes arithmetic inverse d of e modulo ϕ(m) (i.e. d N (unique ϕ(m)) s.t. e d 1 (mod ϕ(m))) Publishes (M, e) public key and hides secret key d

RSA cryptosystem HRI, Allahabad, February, 2005 12 Bob: Key generation He chooses randomly p and q primes (p, q 10 100 ) He computes M = p q, ϕ(m) = (p 1) (q 1) He chooses an integer e s.t. 0 e ϕ(m) and gcd(e, ϕ(m)) = 1 Note. One could take e = 3 and p q 2 mod 3 Experts recommend e = 2 16 + 1 He computes arithmetic inverse d of e modulo ϕ(m) (i.e. d N (unique ϕ(m)) s.t. e d 1 (mod ϕ(m))) Publishes (M, e) public key and hides secret key d Problem: How does Bob do all this?- We will go came back to it!

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ (for example) A 1 B 2 C 3... Z 26 AA 27...

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ (for example) A 1 B 2 C 3... Z 26 AA 27... Sukumar 19 26 6 + 21 26 5 + 11 26 4 + 21 26 3 + 12 26 2 + 1 26 + 18 = 6124312628 Note. Better if texts are not too short. Otherwise one performs some padding

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ (for example) A 1 B 2 C 3... Z 26 AA 27... Sukumar 19 26 6 + 21 26 5 + 11 26 4 + 21 26 3 + 12 26 2 + 1 26 + 18 = 6124312628 Note. Better if texts are not too short. Otherwise one performs some padding C = E(P) = P e (mod M)

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ (for example) A 1 B 2 C 3... Z 26 AA 27... Sukumar 19 26 6 + 21 26 5 + 11 26 4 + 21 26 3 + 12 26 2 + 1 26 + 18 = 6124312628 Note. Better if texts are not too short. Otherwise one performs some padding C = E(P) = P e (mod M) Example: p = 9049465727, q = 8789181607, M = 79537397720925283289, e = 2 16 + 1 = 65537, P = Sukumar:

RSA cryptosystem HRI, Allahabad, February, 2005 13 Alice: Encryption Represent the message P as an element of Z/MZ (for example) A 1 B 2 C 3... Z 26 AA 27... Sukumar 19 26 6 + 21 26 5 + 11 26 4 + 21 26 3 + 12 26 2 + 1 26 + 18 = 6124312628 Note. Better if texts are not too short. Otherwise one performs some padding C = E(P) = P e (mod M) Example: p = 9049465727, q = 8789181607, M = 79537397720925283289, e = 2 16 + 1 = 65537, P = Sukumar: E(Sukumar) = 6124312628 65537 (mod79537397720925283289) = 25439695120356558116 = C = JGEBNBAUYTCOFJ

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption P = D(C) = C d (mod M)

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption P = D(C) = C d (mod M) Note. Bob decrypts because he is the only one that knows d.

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption P = D(C) = C d (mod M) Note. Bob decrypts because he is the only one that knows d. Theorem. (Euler) If a, m N, gcd(a, m) = 1, a ϕ(m) 1 (mod m). If n 1 n 2 mod ϕ(m) then a n 1 a n 2 mod m.

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption P = D(C) = C d (mod M) Note. Bob decrypts because he is the only one that knows d. Theorem. (Euler) If a, m N, gcd(a, m) = 1, a ϕ(m) 1 (mod m). If n 1 n 2 mod ϕ(m) then a n 1 a n 2 mod m. Therefore (ed 1 mod ϕ(m)) D(E(P)) = P ed P mod M

RSA cryptosystem HRI, Allahabad, February, 2005 14 Bob: Decryption P = D(C) = C d (mod M) Note. Bob decrypts because he is the only one that knows d. Therefore (ed 1 mod ϕ(m)) Theorem. (Euler) If a, m N, gcd(a, m) = 1, a ϕ(m) 1 (mod m). If n 1 n 2 mod ϕ(m) then a n 1 a n 2 mod m. D(E(P)) = P ed P mod M Example(cont.):d = 65537 1 mod ϕ(9049465727 8789181607) = 57173914060643780153 D(JGEBNBAUYTCOFJ) = 25439695120356558116 57173914060643780153 (mod79537397720925283289) = Sukumar

RSA cryptosystem HRI, Allahabad, February, 2005 15 RSA at work

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c?

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289)

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289)

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j 57173914060643780153=110001100101110010100010111110101011110011011000100100011000111001

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j 57173914060643780153=110001100101110010100010111110101011110011011000100100011000111001 Compute recursively a 2j mod c, j = 1,..., [log 2 b]:

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j 57173914060643780153=110001100101110010100010111110101011110011011000100100011000111001 Compute recursively a 2j mod c, j = 1,..., [log 2 b]: ( 2 a 2j mod c = a 2j 1 mod c) mod c

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j 57173914060643780153=110001100101110010100010111110101011110011011000100100011000111001 Compute recursively a 2j mod c, j = 1,..., [log 2 b]: ( 2 a 2j mod c = a 2j 1 mod c) mod c Multiply the a 2j mod c with ɛ j = 1

RSA cryptosystem HRI, Allahabad, February, 2005 16 Repeated squaring algorithm Problem: How does one compute a b mod c? 25439695120356558116 57173914060643780153 (mod79537397720925283289) Compute the binary expansion b = [log 2 b] j=0 ɛ j 2 j 57173914060643780153=110001100101110010100010111110101011110011011000100100011000111001 Compute recursively a 2j mod c, j = 1,..., [log 2 b]: ( 2 a 2j mod c = a 2j 1 mod c) mod c Multiply the a 2j mod c with ɛ j = 1 ) a b mod c = mod c ( [log2 b] j=0,ɛ j =1 a2j mod c

RSA cryptosystem HRI, Allahabad, February, 2005 17 #{oper. in Z/cZ to compute a b mod c} 2 log 2 b

RSA cryptosystem HRI, Allahabad, February, 2005 17 #{oper. in Z/cZ to compute a b mod c} 2 log 2 b JGEBNBAUYTCOFJ is decrypted with 131 operations in Z/79537397720925283289Z

RSA cryptosystem HRI, Allahabad, February, 2005 17 #{oper. in Z/cZ to compute a b mod c} 2 log 2 b JGEBNBAUYTCOFJ is decrypted with 131 operations in Z/79537397720925283289Z Pseudo code: e c (a, b) = a b mod c

RSA cryptosystem HRI, Allahabad, February, 2005 17 #{oper. in Z/cZ to compute a b mod c} 2 log 2 b JGEBNBAUYTCOFJ is decrypted with 131 operations in Z/79537397720925283289Z Pseudo code: e c (a, b) = a b mod c e c (a, b) = if b = 1 then a mod c if 2 b then e c (a, b 2 )2 mod c else a e c (a, b 1 2 )2 mod c

RSA cryptosystem HRI, Allahabad, February, 2005 17 #{oper. in Z/cZ to compute a b mod c} 2 log 2 b JGEBNBAUYTCOFJ is decrypted with 131 operations in Z/79537397720925283289Z Pseudo code: e c (a, b) = a b mod c e c (a, b) = if b = 1 then a mod c if 2 b then e c (a, b 2 )2 mod c else a e c (a, b 1 2 )2 mod c To encrypt with e = 2 16 + 1, only 17 operations in Z/MZ are enough

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation Problem. Produce a random prime p 10 100 Probabilistic algorithm (type Las Vegas) 1. Let p = Random(10 100 ) 2. If isprime(p)=1 then Output=p else goto 1

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation Problem. Produce a random prime p 10 100 Probabilistic algorithm (type Las Vegas) 1. Let p = Random(10 100 ) 2. If isprime(p)=1 then Output=p else goto 1 subproblems:

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation Problem. Produce a random prime p 10 100 Probabilistic algorithm (type Las Vegas) 1. Let p = Random(10 100 ) 2. If isprime(p)=1 then Output=p else goto 1 subproblems: A. How many iterations are necessary? (i.e. how are primes distributes?)

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation Problem. Produce a random prime p 10 100 Probabilistic algorithm (type Las Vegas) 1. Let p = Random(10 100 ) 2. If isprime(p)=1 then Output=p else goto 1 subproblems: A. How many iterations are necessary? (i.e. how are primes distributes?) B. How does one check if p is prime? (i.e. how does one compute isprime(p)?) Primality test

RSA cryptosystem HRI, Allahabad, February, 2005 18 Key generation Problem. Produce a random prime p 10 100 Probabilistic algorithm (type Las Vegas) 1. Let p = Random(10 100 ) 2. If isprime(p)=1 then Output=p else goto 1 subproblems: A. How many iterations are necessary? (i.e. how are primes distributes?) B. How does one check if p is prime? (i.e. how does one compute isprime(p)?) Primality test False Metropolitan Legend: Check primality is equivalent to factoring

RSA cryptosystem HRI, Allahabad, February, 2005 19 A. Distribution of prime numbers

RSA cryptosystem HRI, Allahabad, February, 2005 19 A. Distribution of prime numbers π(x) = #{p x t. c. p is prime}

RSA cryptosystem HRI, Allahabad, February, 2005 19 A. Distribution of prime numbers π(x) = #{p x t. c. p is prime} Theorem. (Hadamard - de la vallee Pussen - 1897) π(x) x log x

RSA cryptosystem HRI, Allahabad, February, 2005 19 A. Distribution of prime numbers Quantitative version: π(x) = #{p x t. c. p is prime} Theorem. (Hadamard - de la vallee Pussen - 1897) π(x) x log x Theorem. (Rosser - Schoenfeld) if x 67 x log x 1/2 < π(x) < x log x 3/2

RSA cryptosystem HRI, Allahabad, February, 2005 19 A. Distribution of prime numbers Quantitative version: Therefore π(x) = #{p x t. c. p is prime} Theorem. (Hadamard - de la vallee Pussen - 1897) π(x) x log x Theorem. (Rosser - Schoenfeld) if x 67 x log x 1/2 < π(x) < x log x 3/2 0.0043523959267 < P rob (Random(10 100 ) = prime < 0.004371422086

RSA cryptosystem HRI, Allahabad, February, 2005 20 If P k is the probability that among k random numbers 10 100 there is a prime one, then

RSA cryptosystem HRI, Allahabad, February, 2005 20 If P k is the probability that among k random numbers 10 100 there is a prime one, then P k = 1 ( ) k 1 π(10100 ) 10 100

RSA cryptosystem HRI, Allahabad, February, 2005 20 If P k is the probability that among k random numbers 10 100 there is a prime one, then P k = 1 ( ) k 1 π(10100 ) 10 100 Therefore 0.663942 < P 250 < 0.66554440

RSA cryptosystem HRI, Allahabad, February, 2005 20 If P k is the probability that among k random numbers 10 100 there is a prime one, then P k = 1 ( ) k 1 π(10100 ) 10 100 Therefore 0.663942 < P 250 < 0.66554440 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5.

RSA cryptosystem HRI, Allahabad, February, 2005 20 If P k is the probability that among k random numbers 10 100 there is a prime one, then P k = 1 ( ) k 1 π(10100 ) 10 100 Therefore 0.663942 < P 250 < 0.66554440 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1}

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5.

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1} then

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1} then 4 15 x 4 < Ψ(x, 30) < 4 15 x + 4

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1} then 4 15 x 4 < Ψ(x, 30) < 4 15 x + 4 Hence, if P k is the probability that among k random numbers 10100 coprime with 30, there is a prime one, then

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1} then 4 15 x 4 < Ψ(x, 30) < 4 15 x + 4 Hence, if P k is the probability that among k random numbers 10100 coprime with 30, there is a prime one, then P k = 1 ( ) k 1 π(10100 ) Ψ(10 100, 30)

RSA cryptosystem HRI, Allahabad, February, 2005 21 To speed up the process: One can consider only odd random numbers not divisible by 3 nor by 5. Let Ψ(x, 30) = # {n x s.t. gcd(n, 30) = 1} then 4 15 x 4 < Ψ(x, 30) < 4 15 x + 4 Hence, if P k is the probability that among k random numbers 10100 coprime with 30, there is a prime one, then P k = 1 ( ) k 1 π(10100 ) Ψ(10 100, 30)

RSA cryptosystem HRI, Allahabad, February, 2005 22 and 0.98365832 < P 250 < 0.98395199

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test Fermat Little Theorem. If p is prime, p a N a p 1 1 mod p

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test Fermat Little Theorem. If p is prime, p a N a p 1 1 mod p NON-primality test M Z, 2 M 1 1 mod M => Mcomposite!

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test Fermat Little Theorem. If p is prime, p a N a p 1 1 mod p NON-primality test M Z, 2 M 1 1 mod M => Mcomposite! Example: 2 RSA 2048 1 1 mod RSA 2048 Therefore RSA 2048 is composite!

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test Fermat Little Theorem. If p is prime, p a N a p 1 1 mod p NON-primality test M Z, 2 M 1 1 mod M => Mcomposite! Example: 2 RSA 2048 1 1 mod RSA 2048 Therefore RSA 2048 is composite! Fermat little Theorem does not invert. Infact

RSA cryptosystem HRI, Allahabad, February, 2005 23 B. Primality test Fermat Little Theorem. If p is prime, p a N a p 1 1 mod p NON-primality test M Z, 2 M 1 1 mod M => Mcomposite! Example: 2 RSA 2048 1 1 mod RSA 2048 Therefore RSA 2048 is composite! Fermat little Theorem does not invert. Infact 2 93960 1 (mod 93961) but 93961 = 7 31 433

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation)

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m).

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)}

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)} ➀ ➁ ➂ ➃

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)} ➀ S (Z/mZ) subgroup ➁ ➂ ➃

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)} ➀ S (Z/mZ) subgroup ➁ If m is composite => proper subgroup ➂ ➃

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)} ➀ S (Z/mZ) subgroup ➁ If m is composite => proper subgroup ➂ If m is composite => ➃ #S ϕ(m) 4

RSA cryptosystem HRI, Allahabad, February, 2005 24 Strong pseudo primes From now on m 3 mod 4 (just to simplify the notation) Definition. m N, m 3 mod 4, composite is said strong pseudo prime (SPSP) in base a if a (m 1)/2 ±1 (mod m). Note. If p > 2 prime => a (p 1)/2 ±1 (mod p) Let S = {a Z/mZ s.t. gcd(m, a) = 1, a (m 1)/2 ±1 (mod m)} ➀ S (Z/mZ) subgroup ➁ If m is composite => proper subgroup ➂ If m is composite => #S ϕ(m) 4 ➃ If m is composite => P rob(m PSPF in base a) 0, 25

RSA cryptosystem HRI, Allahabad, February, 2005 25 Miller Rabin primality test

RSA cryptosystem HRI, Allahabad, February, 2005 25 Let m 3 mod 4 Miller Rabin primality test

RSA cryptosystem HRI, Allahabad, February, 2005 25 Let m 3 mod 4 Miller Rabin primality test Miller Rabin algorithm with k iterations N = (m 1)/2 for j = 0 to k do a =Random(m) if a N ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END

RSA cryptosystem HRI, Allahabad, February, 2005 25 Let m 3 mod 4 Miller Rabin primality test Miller Rabin algorithm with k iterations N = (m 1)/2 for j = 0 to k do a =Random(m) if a N ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END Monte Carlo primality test

RSA cryptosystem HRI, Allahabad, February, 2005 25 Let m 3 mod 4 Miller Rabin primality test Miller Rabin algorithm with k iterations N = (m 1)/2 for j = 0 to k do a =Random(m) if a N ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END Monte Carlo primality test P rob(miller Rabin says m prime and m is composite) 1 4 k

RSA cryptosystem HRI, Allahabad, February, 2005 25 Let m 3 mod 4 Miller Rabin primality test Miller Rabin algorithm with k iterations N = (m 1)/2 for j = 0 to k do a =Random(m) if a N ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END Monte Carlo primality test P rob(miller Rabin says m prime and m is composite) 1 4 k In the real world, software uses Miller Rabin with k = 10

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests Theorem. (Miller, Bach) If m is composite, then GRH => a 2 log 2 m s.t. a (m 1)/2 ±1 (mod m). (i.e. m is not SPSP in base a.)

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests Theorem. (Miller, Bach) If m is composite, then GRH => a 2 log 2 m s.t. a (m 1)/2 ±1 (mod m). (i.e. m is not SPSP in base a.) Consequence: Miller Rabin de randomizes on GRH (m 3 mod 4)

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests Theorem. (Miller, Bach) If m is composite, then GRH => a 2 log 2 m s.t. a (m 1)/2 ±1 (mod m). (i.e. m is not SPSP in base a.) Consequence: Miller Rabin de randomizes on GRH (m 3 mod 4) for a = 2 to 2 log 2 m do if a (m 1)/2 ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests Theorem. (Miller, Bach) If m is composite, then GRH => a 2 log 2 m s.t. a (m 1)/2 ±1 (mod m). (i.e. m is not SPSP in base a.) Consequence: Miller Rabin de randomizes on GRH (m 3 mod 4) for a = 2 to 2 log 2 m do if a (m 1)/2 ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END Deterministic Polynomial time algorithm

RSA cryptosystem HRI, Allahabad, February, 2005 26 Deterministic primality tests Theorem. (Miller, Bach) If m is composite, then GRH => a 2 log 2 m s.t. a (m 1)/2 ±1 (mod m). (i.e. m is not SPSP in base a.) Consequence: Miller Rabin de randomizes on GRH (m 3 mod 4) for a = 2 to 2 log 2 m do if a (m 1)/2 ±1 mod m then OUPUT=(m composite): endfor OUTPUT=(m prime) END Deterministic Polynomial time algorithm It runs in O(log 5 m) operations in Z/mZ.

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999) 5359 2 5054502 + 1, 1521561 digits (discovered in 2003)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999) 5359 2 5054502 + 1, 1521561 digits (discovered in 2003) 2 3021377 1, 909526 digits (discovered in 1998)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999) 5359 2 5054502 + 1, 1521561 digits (discovered in 2003) 2 3021377 1, 909526 digits (discovered in 1998) 2 2976221 1, 895932 digits (discovered in 1997)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999) 5359 2 5054502 + 1, 1521561 digits (discovered in 2003) 2 3021377 1, 909526 digits (discovered in 1998) 2 2976221 1, 895932 digits (discovered in 1997) 1372930 131072 + 1, 804474 digits (discovered in 2003)

RSA cryptosystem HRI, Allahabad, February, 2005 27 Certified prime records 2 20996011 1, 6320430 digits (discovered in 2003) 2 13466917 1, 4053946 digits (discovered in 2001) 2 6972593 1, 2098960 digits (discovered in 1999) 5359 2 5054502 + 1, 1521561 digits (discovered in 2003) 2 3021377 1, 909526 digits (discovered in 1998) 2 2976221 1, 895932 digits (discovered in 1997) 1372930 131072 + 1, 804474 digits (discovered in 2003) 1176694 131072 + 1, 795695 digits (discovered in 2003)

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test Department of Computer Science & Engineering, I.I.T. Kanpur, Agost 8, 2002.

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test Department of Computer Science & Engineering, I.I.T. Kanpur, Agost 8, 2002. Nitin Saxena, Neeraj Kayal and Manindra Agarwal

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test Department of Computer Science & Engineering, I.I.T. Kanpur, Agost 8, 2002. Nitin Saxena, Neeraj Kayal and Manindra Agarwal New deterministic, polynomial time, primality test.

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test Department of Computer Science & Engineering, I.I.T. Kanpur, Agost 8, 2002. Nitin Saxena, Neeraj Kayal and Manindra Agarwal New deterministic, polynomial time, primality test. Solves #1 open question in computational number theory

RSA cryptosystem HRI, Allahabad, February, 2005 28 The AKS deterministic primality test Department of Computer Science & Engineering, I.I.T. Kanpur, Agost 8, 2002. Nitin Saxena, Neeraj Kayal and Manindra Agarwal New deterministic, polynomial time, primality test. Solves #1 open question in computational number theory http://www.cse.iitk.ac.in/news/primality.html

RSA cryptosystem HRI, Allahabad, February, 2005 29 How does the AKS work?

RSA cryptosystem HRI, Allahabad, February, 2005 29 How does the AKS work? Theorem. (AKS) Let n N. Assume q, r primes, S N finite: q r 1; n (r 1)/q mod r {0, 1}; gcd(n, b b ) = 1, b, b S (distinct); ( ) q+#s 1 #S n 2 r ; (x + b) n = x n + b in Z/nZ[x]/(x r 1), b S; Then n is a power of a prime Bernstein formulation

RSA cryptosystem HRI, Allahabad, February, 2005 29 How does the AKS work? Theorem. (AKS) Let n N. Assume q, r primes, S N finite: q r 1; n (r 1)/q mod r {0, 1}; gcd(n, b b ) = 1, b, b S (distinct); ( ) q+#s 1 #S n 2 r ; (x + b) n = x n + b in Z/nZ[x]/(x r 1), b S; Then n is a power of a prime Bernstein formulation Fouvry Theorem (1985) => r log 6 n, s log 4 n

RSA cryptosystem HRI, Allahabad, February, 2005 29 How does the AKS work? Theorem. (AKS) Let n N. Assume q, r primes, S N finite: q r 1; n (r 1)/q mod r {0, 1}; gcd(n, b b ) = 1, b, b S (distinct); ( ) q+#s 1 #S n 2 r ; (x + b) n = x n + b in Z/nZ[x]/(x r 1), b S; Then n is a power of a prime Bernstein formulation Fouvry Theorem (1985) => r log 6 n, s log 4 n => AKS runs in O(log 17 n) operations in Z/nZ.

RSA cryptosystem HRI, Allahabad, February, 2005 29 How does the AKS work? Theorem. (AKS) Let n N. Assume q, r primes, S N finite: q r 1; n (r 1)/q mod r {0, 1}; gcd(n, b b ) = 1, b, b S (distinct); ( ) q+#s 1 #S n 2 r ; (x + b) n = x n + b in Z/nZ[x]/(x r 1), b S; Then n is a power of a prime Bernstein formulation Fouvry Theorem (1985) => r log 6 n, s log 4 n => AKS runs in O(log 17 n) operations in Z/nZ. Many simplifications and improvements: Bernstein, Lenstra, Pomerance...

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe?

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe?

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M,

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2 RSA Hypothesis. The only way to compute efficiently

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2 RSA Hypothesis. The only way to compute efficiently x 1/e mod M, x Z/MZ

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2 RSA Hypothesis. The only way to compute efficiently x 1/e mod M, x Z/MZ (i.e. decrypt messages) is to factor M

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2 RSA Hypothesis. The only way to compute efficiently x 1/e mod M, x Z/MZ (i.e. decrypt messages) is to factor M In other words

RSA cryptosystem HRI, Allahabad, February, 2005 30 Why is RSA safe? It is clear that if Charles can factor M, then he can also compute ϕ(m) and then also d so to decrypt messages Computing ϕ(m) is equivalent to completely factor M. In fact p, q = M ϕ(m) + 1 ± (M ϕ(m) + 1) 2 4M 2 RSA Hypothesis. The only way to compute efficiently x 1/e mod M, x Z/MZ (i.e. decrypt messages) is to factor M In other words The two problems are polynomially equivalent

RSA cryptosystem HRI, Allahabad, February, 2005 31 Two kinds of Cryptography

RSA cryptosystem HRI, Allahabad, February, 2005 31 Two kinds of Cryptography Private key (or symmetric) Lucifer DES AES

RSA cryptosystem HRI, Allahabad, February, 2005 31 Two kinds of Cryptography Private key (or symmetric) Lucifer DES AES Public key RSA Diffie Hellmann Knapsack NTRU