Primes, Factoring, and RSA A Return to Cryptography. Table of contents



Similar documents
The application of prime numbers to RSA encryption

An Introduction to the RSA Encryption Method

Public Key Cryptography: RSA and Lots of Number Theory

Factoring & Primality

Lecture 13 - Basic Number Theory.

Lecture 3: One-Way Encryption, RSA Example

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Elements of Applied Cryptography Public key encryption

CIS 5371 Cryptography. 8. Encryption --

Primality Testing and Factorization Methods

Public Key Cryptography and RSA. Review: Number Theory Basics

Lecture 13: Factoring Integers

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

RSA Encryption. Tom Davis October 10, 2003

FACTORING. n = fall in the arithmetic sequence

Primality - Factorization

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Advanced Cryptography

MACs Message authentication and integrity. Table of contents

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Cryptography and Network Security

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Embedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Lecture 2: Complexity Theory Review and Interactive Proofs

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Factoring Algorithms

Quantum Computing Lecture 7. Quantum Factoring. Anuj Dawar

RSA and Primality Testing

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

A New Generic Digital Signature Algorithm

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Improved Online/Offline Signature Schemes

Alternative machine models

Cryptography and Network Security Chapter 8

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Post-Quantum Cryptography #4

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

2.1 Complexity Classes

Lukasz Pater CMMS Administrator and Developer

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Faster deterministic integer factorisation

The Mathematics of the RSA Public-Key Cryptosystem

8 Primes and Modular Arithmetic

Digital Signature Standard (DSS)

Notes on Factoring. MA 206 Kurt Bryan

Digital Signatures. What are Signature Schemes?

Some practice problems for midterm 2

A Factoring and Discrete Logarithm based Cryptosystem

The Bit Security of Paillier s Encryption Scheme and its Applications

Computing exponents modulo a number: Repeated squaring

Math 319 Problem Set #3 Solution 21 February 2002

Fast Batch Verification for Modular Exponentiation and Digital Signatures

2 Primality and Compositeness Tests

Introduction to Cryptography CS 355

Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

Study of algorithms for factoring integers and computing discrete logarithms

Computer Security: Principles and Practice

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Integer Factorization using the Quadratic Sieve

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

How To Solve The Prime Factorization Of N With A Polynomials

Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Overview of Public-Key Cryptography

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Factoring a semiprime n by estimating φ(n)

Public Key (asymmetric) Cryptography

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Cryptography and Network Security Chapter 9

On Generalized Fermat Numbers 3 2n +1

Number Theory and the RSA Public Key Cryptosystem

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Computational Complexity: A Modern Approach

The Mathematical Cryptography of the RSA Cryptosystem

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Factoring. Factoring 1

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Digital Signatures. Prof. Zeph Grunschlag

CSCE 465 Computer & Network Security

An Overview of Integer Factoring Algorithms. The Problem

Applied Cryptography Public Key Algorithms

Index Calculation Attacks on RSA Signature and Encryption

Basic Algorithms In Computer Algebra

ARCHIVED PUBLICATION

Elementary factoring algorithms

On Factoring Integers and Evaluating Discrete Logarithms

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Number Theory and Cryptography using PARI/GP

Efficient Modular Exponentiation-based Puzzles for Denial-of-Service Protection

Network Security. Chapter 6 Random Number Generation

1. The RSA algorithm In this chapter, we ll learn how the RSA algorithm works.

Transcription:

Primes, Factoring, and RSA A Return to Cryptography Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Generating Primes RSA Assumption

A classic hard problem Given a composite integer N, thefactoring problem is to find positive integers p, q such that pq = N. This problem can be solved in O( N polylog(n))* time using trial division. Algorithms with better running time are known, but none that run in polynomial-time.** *polylog(n) =(logn) c for some constant c. **This is not for lack of trying. Experiment in factoring The weak factoring experiment w-factor A (n): 1. Choose two n-bit numbers x 1, x 2 at random. 2. Compute N := x 1 x 2. 3. A is given N, and outputs x 1, x 2. 4. The output N of the experiment is defined to be 1 if x 1 x 2 = N. We said that the factoring problem is believed to be hard. Does this mean that for any PPT algorithm A we have Pr[w-Factor A (n) = 1] negl(n) for some negligible function negl?

Making the adversaries task harder The hardest numbers to factor seem to be those having only large prime factors. This suggest re-defining the above experiment so that x 1, x 2 are random n-bit primes. Of course, it will be necessary to generate random n-bit primes efficiently. An algorithm for generating random primes Algorithm 7.31. Generating a random prime Input: Length n; parameter t Output: A random n-bit prime for i =1tot : { p {0, 1} n 1 p := 1p if p is prime return p } return fail

The distribution of primes Theorem 7.32 There exists a constant c such that, for any n > 1, the number of n-bit primes is at least c 2 n 1 /n. This implies that the probability that a random n-bit integer is prime is at least c 2 n 1 /n 2 n 1 = c n. The implication for Algorithm 7.31 is that if we set t = n 2 /c then the probability that a prime is not chosen in all t iterations of the algorithm is at most 1 c t = 1 c n/c n (e 1 ) n = e n n n *Recall that for all x 1itholdsthat(1 1/x) x e 1. Primality testing The problem of efficiently determining whether a given number is prime is quite old. It wasn t until the 1970s that the first efficient probabilistic algorithms for testing primality were developed. A deterministic polynomial-time algorithm for testing primality was demonstrated in 2002, but slower in practice than the above.

One of the classics Developed in the 1970s, the Miller-Rabin algorithm is a commonly-used. The algorithm inputs two numbers N and parameter t. It runs in time polynomial in N and t, andsatisfies: Theorem 7.3. If N is prime, then the Miller-Rabin test always outputs prime. If N is composite, then the algorithm outputs prime with probability at most 2 t (and outputs the correct answer composite with probability 1 2 t ). Putting it all together Algorithm 7.34. Generating a random prime Input: Length n; parameter t Output: A random n-bit prime for i =1ton 2 /c { p {0, 1} n 1 p := 1p run the Miller-Rabin test on input p and parameter n if the output is prime return p } return fail

The factoring assumption Let GenModulus be a polynomial-time algorithm that, on input 1 n, outputs (N, p, q) wheren = pq and p are q are n-bit primes except with negligible probability. The factoring experiment Factor A,GenModulus (n): 1. Run GenModulus to obtain (N, p, q). 2. A is given N, and outputs p, q. 3. The output of the experiment is defined to be 1 if p q = N and 0 otherwise. Definition 7.45. We say that the factoring problem is hard relative to GenModulus if for all PPT A there exists a negligible function negl such that Pr[Factor A,GenModulus (n) = 1] negl(n) Hard problems: The search continues Although the factoring assumption does yield a one-way function, in the form we have described it is not known to yield a practical cryptographic construction. The search goes on for other problems whose difficulty is related to the hardness of factoring. To date, one of the best finds were made by Rivist, Shamir, and Adleman, and is known as the RSA problem.

The RSA problem Recall for N = pq, the product of two primes, Z N is a group of order φ(n) =(p 1)(q 1). If p, q are known, it is easy to compute φ(n) and so computations modulo N can be done by working in the exponent modulo φ(n). If p, q are not known, then it is difficult to compute φ(n) (in fact, computing φ(n) is as hard as factoring N) and working in the exponent modulo φ(n) is not an option. RSA exploits this asymmetry. It is easy to solve when φ(n) is known and believed difficult otherwise. Algorithm 7.47. GenRSA GenRSA Input: Length n; parameter t Output: N, e, d as described below (N, p, q) GenModulus(1 n )* φ(n) :=(p 1)(q 1) find e such that gcd(e, φ(n)) = 1 compute d := [e 1 mod φ(n)]** return N, e, d *N = pq with p, qn-bit primes. **Such an integer d exists since e is invertible modulo φ(n).

RSA is hard relative to GenRSA The RSA experiment RSA-inv A,GenRSA (n): 1. Run GenRSA(1 n ) to obtain (N, e, d). 2. Choose y Z N. 3. A is given N, e, y, and outputs x Z N. 4. The output of the experiment is defined to be 1 if x e = y mod N, and 0 otherwise. Definition 7.46. We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[RSA-inv A,GenRSA (n) = 1] negl(n). So is RSA really hard? If the RSA problem is hard relative to GenRSA, then the factoring problem must be hard relative to GenModulus. What about the converse? In other words, suppose the factoring problem is hard relative to GenModulus, is the RSA problem hard relative to GenRSA? Bad news on this front; We have no proof that this is the case.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information