Study of algorithms for factoring integers and computing discrete logarithms




Slide 1: Study of algorithms for factoring integers and computing discrete logarithms

First Indo-French Workshop on Cryptography and Related Topics (IFW 2007), June 11-13, 2007, Paris, France
Dr. Abhijit Das, Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur 721302, India

Slide 2: The integer factorization problem (IFP)

Given a positive composite integer n, compute all the prime divisors of n. The IFP is known to be a problem in the complexity class $\mathrm{NP} \cap \mathrm{coNP}$. The input size is measured by the minimum number of bits needed to encode n, which is $\lfloor \log_2 n \rfloor + 1 = O(\log n)$. No polynomial-time algorithms are known to solve the IFP. The best known algorithms to solve the IFP run in subexponential time. These subexponential algorithms are probabilistic in nature, and their running times often lack rigorous proofs.

Slide 3: The discrete logarithm problem (DLP)

Let G be a finite cyclic group of size n, and let g be a generator of G. Given $a \in G$, compute an integer $x = \mathrm{ind}_g\, a$ satisfying $a = g^x$. The index or discrete logarithm x is unique modulo n. There are certain groups where computing indices is computationally difficult:
- Multiplicative groups of finite fields
- Groups of rational points on elliptic curves defined over finite fields
- Jacobians of hyperelliptic curves defined over finite fields
- Class groups of (algebraic) number fields

The finite field discrete logarithm problem is historically of similar complexity as the IFP. The subexponential algorithms for the DLP are often adaptations of algorithms for factoring integers.

Slide 4: The Diffie-Hellman problem (DHP)

Let G be a finite cyclic group, and g a generator of G. Given $g^x$ and $g^y$, compute $g^{xy}$. If the DLP can be solved easily, the DHP can be solved easily too. The converse implication is not proved. The DHP is relevant for groups where computing discrete logarithms is difficult.

Slide 5: Relevance to cryptography

Public-key cryptography is based on the apparent intractability of solving some computational problems. The IFP, DLP and DHP are widely used in public-key systems. These problems lead to trapdoor one-way functions. The one-wayness cannot be proved, but only believed. NP-complete problems are not found suitable for building public-key systems. Problems belonging to the class UP (unambiguous polynomial-time) are suitable. We have $\mathrm{P} \subseteq \mathrm{UP} \subseteq \mathrm{NP}$. Both the inclusions are believed to be proper.

Slide 6: Cryptography examples

RSA is related to the IFP. Inverting RSA keys is probabilistic polynomial-time equivalent to the IFP. However, RSA decryption (without the private key) may be easier than solving the IFP. Rabin's encryption algorithm is based on the square-root problem, which is probabilistic polynomial-time equivalent to the IFP. The Diffie-Hellman key exchange problem is based on the DHP. ElGamal encryption is based on the DHP. Many other encryption and signature algorithms (like ElGamal signature, DSA) are based on the DLP. The IFP and DLP find applications in designing authentication schemes too.

Slide 7: Efficient implementation of modular arithmetic

An old, yet interesting problem. A cryptography toolkit being developed in IIT Kharagpur runs 5-10% faster than GP/PARI for performing modular exponentiation of integers of cryptographic sizes. Exponentiation based on addition chains has been studied by my team. The goal is to generate crypto-grade exponents which lead to faster key operations than pseudorandom exponents. These works have not been published yet.

Slide 8: Fermat's method of factoring integers

Let n be an odd (positive) composite integer. Given $v \in \mathbb{Z}_n$, there exist at least two $u \in \mathbb{Z}_n$ such that $u^2 \equiv v^2 \pmod{n}$ and $u \not\equiv \pm v \pmod{n}$. For any such pair (u, v), we obtain the non-trivial factor $\gcd(u - v, n)$ of n.

Examples:
- $899 = 900 - 1 = 30^2 - 1^2$, and $\gcd(30 - 1, 899) = 29$ is a non-trivial factor of 899.
- $3 \cdot 833 = 50^2 - 1^2$, and $\gcd(50 - 1, 833) = 49$ is a non-trivial factor of 833.

Most modern subexponential algorithms are based on locating such pairs (u, v).

Slide 9: Modern factoring algorithms

Subexponential running time: $L(n, \gamma, c) = \exp\left[(c + o(1))(\ln n)^{\gamma}(\ln \ln n)^{1 - \gamma}\right]$, $0 < \gamma < 1$, $c > 0$.

Algorithms with running time $L[c] = L(n, 1/2, c)$:
- CFRAC (continued fraction method)
- SQUFOF (square-form factorization)
- QSM (quadratic sieve method)
- CSM (cubic sieve method)
- ECM (elliptic curve method; not based on Fermat's method)

Algorithms with running time $L(n, 1/3, c)$:
- SNFSM (special number field sieve method)
- GNFSM (general number field sieve method)

Slide 10: A naive algorithm

Choose a in the range $1 \le a < n$ and take $T(a) = a^2 \bmod n$, $1 \le T(a) < n$. Try to factor T(a) as $T(a) = q_1^{e_1} q_2^{e_2} \cdots q_t^{e_t}$, where $q_1, q_2, \ldots, q_t$ are the first t primes. If all $e_i$ are even, take $u = a$ and $v = q_1^{e_1/2} q_2^{e_2/2} \cdots q_t^{e_t/2}$. In general, it is unreasonable to expect that all $e_i$ are even. Collect many such relations and combine the relations to arrive at a congruence of the form $u^2 \equiv v^2 \pmod{n}$. This leads to a linear system modulo 2. The expected value of T(a) is O(n). Instead of T(a), we can also try to factor $T(a) + kn$ for small integers k. One can use sieving while considering different values of k.

Slide 11: Quadratic sieve method (QSM)

Let $H = \lceil \sqrt{n} \rceil$ and $J = H^2 - n$. For a small integer a, we have $(H + a)^2 \equiv T(a) \pmod{n}$, where $T(a) = J + 2aH + a^2$. Try to factor T(a) over small primes. We have $T(a) = O(\sqrt{n})$, so we get smooth candidates more frequently than in the naive method. Use sieving for running through all values of a. The running time is L[1]. We have studied some variants which reduce T(a) by small constant factors.
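The following Python is an added example, not code from the slides: it carries the relation-collection and "linear system modulo 2" steps of slides 8, 10 and 11 through on a constructed n = 1649 = 17 · 97, using the QSM polynomial T(a) = (H + a)^2 - n but trial division over a user-supplied factor base in place of sieving. The function names, the factor base and the bound max_a are assumptions of this example.

```python
from math import gcd, isqrt

def factor_over_base(t, base):
    """Exponent vector of t over the factor base, or None if t is not smooth."""
    exps = []
    for q in base:
        e = 0
        while t % q == 0:
            t //= q
            e += 1
        exps.append(e)
    return exps if t == 1 else None

def qs_factor(n, base, max_a):
    """Congruence-of-squares factoring with T(a) = (H+a)^2 - n; trial division replaces sieving."""
    H = isqrt(n) + 1                       # H = ceil(sqrt(n)) for non-square n
    rels = []                              # (H + a, exponent vector of T(a))
    for a in range(max_a):
        t = (H + a) ** 2 - n               # T(a) = J + 2aH + a^2, only O(sqrt n)
        exps = factor_over_base(t, base)
        if exps is not None:
            rels.append((H + a, exps))
    # GF(2) elimination: row i is the bitmask of odd exponents of relation i, comb
    # records which relations were XORed into it; a zero row is a product whose
    # exponents are all even, i.e. a perfect square on the right-hand side.
    pivots = {}                            # pivot bit -> (row, comb)
    for i, (_, exps) in enumerate(rels):
        row = sum(1 << j for j, e in enumerate(exps) if e % 2)
        comb = 1 << i
        while row:
            p = row.bit_length() - 1
            if p not in pivots:
                pivots[p] = (row, comb)
                break
            prow, pcomb = pivots[p]
            row ^= prow
            comb ^= pcomb
        else:                              # dependency found: u^2 = v^2 (mod n)
            u, total = 1, [0] * len(base)
            for k, (hk, ek) in enumerate(rels):
                if comb >> k & 1:
                    u = u * hk % n
                    total = [s + e for s, e in zip(total, ek)]
            v = 1
            for q, e in zip(base, total):
                v = v * pow(q, e // 2, n) % n
            for d in (gcd(u - v, n), gcd(u + v, n)):
                if 1 < d < n:
                    return d
    return None
```

For n = 1649 the relations 41^2 ≡ 2^5 and 43^2 ≡ 2^3 · 5^2 combine to u = 41 · 43 mod n = 114 and v = 2^4 · 5 = 80, and gcd(114 - 80, 1649) = 17.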

Slide 12: Cubic sieve method (CSM)

Let the integers x, y, z satisfy $x^3 \equiv y^2 z \pmod{n}$ with $x^3 \ne y^2 z$ as integers. For integers a, b, c with $a + b + c = 0$, one has $(x + ay)(x + by)(x + cy) \equiv y^2\, T(a, b, c) \pmod{n}$, where $T(a, b, c) = z + (ab + ac + bc)x + (abc)y = (z - c^2 x) - b(b + c)(x + cy)$. If x, y, z are $O(n^{\xi})$, then T(a, b, c) is $O(n^{\xi})$ for small values of a, b, c. The best value for ξ is 1/3. In this case T(a, b, c) is $O(n^{1/3})$. Use sieving for running through all triples (a, b, c) with $a + b + c = 0$. The best running time is $L[\sqrt{2/3}] = L[0.816]$.

Slide 13: Our study of the CSM

A heuristic idea was proposed to increase the sieving interval by 20-30%. The resulting increase in the running time of the sieving step is nominal (less than 1%). The congruence $x^3 \equiv y^2 z \pmod{n}$ with $x^3 \ne y^2 z$ is studied. It is an open question whether one can obtain x, y, z of the order $O(n^{\xi})$ for $\xi < 1/2$. We proposed a heuristic counting argument to conclude that the number of solutions of the congruence with $1 \le x, y, z \le n^{\xi}$ is $O(n^{3\xi - 1})$. For ξ slightly bigger than 1/3, we expect to get a solution. It remains open how one can compute such a solution for a general value of n.

Publication: Abhijit Das and C. E. Veni Madhavan, "On the cubic sieve method for computing discrete logarithms over prime fields", International Journal of Computer Mathematics, Volume 82, Number 12, December 2005, Taylor & Francis, pp. 1481-1495.

Slide 14: The number field sieve method (NFSM)

Take n = 12797. Choose a polynomial $f(x) \in \mathbb{Z}[x]$ and $m \in \mathbb{Z}$ such that $f(m) \equiv 0 \pmod{n}$. For example, take $f(x) = x^4 - 2x + 3$ and $m = 14$. For this choice, $f(m) = 38391 = 3n$. We have $(x^3)^2 \equiv 2x^3 - 3x^2 \pmod{f(x)}$. This implies $(14^3)^2 \equiv 2 \cdot 14^3 - 3 \cdot 14^2 \equiv 70^2 \pmod{n}$. A non-trivial factor of n is $\gcd(14^3 - 70, n) = 191$. Indeed, we have $n = 191 \cdot 67$.
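As an added example (not code from the slides), the Python below reproduces the mechanism behind the slide's computation: reduce g(x)^2 modulo f(x) in Z[x], then map both sides into Z/nZ through x -> m, which is a ring homomorphism precisely because f(m) ≡ 0 (mod n). The helper names are this example's own; it checks whether the reduced right-hand side evaluated at m is a perfect-square integer, which is what the slide's instance exploits, whereas the real NFS obtains the square root in the number field and uses sieving, neither of which the toy attempts.

```python
from math import gcd, isqrt

def poly_mul(p, q):
    """Multiply polynomials given as coefficient lists, constant term first."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def poly_mod(p, f):
    """Remainder of p modulo a monic polynomial f, in exact integer arithmetic."""
    p, d = list(p), len(f) - 1
    for i in range(len(p) - 1, d - 1, -1):
        c = p[i]
        if c:                               # cancel the x^i term using c * x^(i-d) * f(x)
            for j in range(d + 1):
                p[i - d + j] -= c * f[j]
    return (p + [0] * d)[:d]

def poly_eval(p, m, n):
    """p(m) mod n, i.e. the image of p under x -> m in Z/nZ."""
    return sum(c * pow(m, i, n) for i, c in enumerate(p)) % n

def nfs_toy_factor(n, f, m, g):
    """Square g(x) modulo f(x), map both sides to Z/nZ via x -> m, and try the gcd.
    Returns a non-trivial factor of n, or None if the image is not a square integer."""
    assert poly_eval(f, m, n) == 0          # f(m) = 0 (mod n) makes x -> m a ring map
    r = poly_mod(poly_mul(g, g), f)         # g(x)^2 = r(x) (mod f(x))
    u = poly_eval(g, m, n)                  # left side:  g(m) mod n
    w = poly_eval(r, m, n)                  # right side: r(m) mod n, so u^2 = w (mod n)
    v = isqrt(w)
    if v * v != w:                          # the toy needs w itself to be a square
        return None
    for d in (gcd(u - v, n), gcd(u + v, n)):
        if 1 < d < n:
            return d
    return None

# Constructed from the slide's instance: n = 12797, f(x) = x^4 - 2x + 3, m = 14, g(x) = x^3.
N, F, M, G = 12797, [3, -2, 0, 0, 1], 14, [0, 0, 0, 1]
```

Running nfs_toy_factor(N, F, M, G) reduces x^6 to 2x^3 - 3x^2, evaluates it to 4900 = 70^2 at m = 14, and returns gcd(14^3 - 70, n) = 191.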

Slide 15: Future directions of research

- Efficient implementation efforts (for cryptographic and cryptanalytic algorithms).
- Study of the cubic sieve method, particularly the congruence $x^3 \equiv y^2 z \pmod{n}$.
- Study of the number field sieve method.
- Effective parallelization attempts, pertaining most importantly to the linear system solving stage.
- A high ambition: designing new subexponential algorithms (with smaller values of the exponent γ and/or the constant c).
- A dream: arriving at polynomial-time algorithms (possibly randomized) for the IFP and/or the DLP, or proving that no such algorithm can exist. (Note that polynomial-time quantum algorithms are known for both these problems.)

Slide 16: Thank you!