The RSA Cryptosystem and Factoring Integers (I)
Rong-Jaye Chen
p2.
OUTLINE
[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA
p3.
[1] Modular Arithmetic Algorithms
1. The integers
a divides b, written a|b, if b = ac for some integer c. If a has a divisor $b \notin \{1, a\}$, then b is said to be a nontrivial divisor of a. a is prime if it has no nontrivial divisors; otherwise, a is composite.
The prime number theorem: $\pi(x) = \#\{a \mid a \text{ is prime},\ a \in [2, x]\} \sim x / \log x$.
If c|a and c|b, then c is a common divisor of a and b.
If d is the greatest common divisor of a and b, then we write d = gcd(a,b).
p4.
Euclidean algorithm(a,b) (for greatest common divisor)
input : $a \ge b \ge 0$
output : $d = \gcd(a, b)$
(1) Set $r_0 = a$ and $r_1 = b$
(2) Determine the first $n \ge 0$ so that $r_{n+1} = 0$, where $r_{i+1} = r_{i-1} \bmod r_i$
(3) Return $(r_n)$
Extended Euclidean algorithm(a,b)
input : a>0, b>0
output: (r, s, t) with r=gcd(a,b) and sa+tb=r (Omitted)
p5.
Example : gcd(299,221)=?
$299 = 1 \cdot 221 + 78$  ($q_2 = 1$, $r_2 = 78$)
$221 = 2 \cdot 78 + 65$  ($q_3 = 2$, $r_3 = 65$)
$78 = 1 \cdot 65 + 13$  ($q_4 = 1$, $r_4 = 13$)
$65 = 5 \cdot 13 + 0$  ($q_5 = 5$, $r_5 = 0$)
$\gcd(299, 221) = r_4 = 13 = 78 - 65$
$= 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221$
$= 3 \cdot (299 - 1 \cdot 221) - 221 = 3 \cdot 299 - 4 \cdot 221$
p6.
If gcd(a,b)=1, then a and b are said to be relatively prime.
Phi function : $\phi(n) = \#\{a \mid 1 \le a \le n \text{ and } \gcd(a, n) = 1\}$
1. $\phi(p^e) = p^{e-1}(p-1)$ for p prime
2. $\phi(ab) = \phi(a)\phi(b)$ for $\gcd(a, b) = 1$
p7.
2. The integers modulo n
a is congruent to b modulo n, written $a \equiv b \pmod n$, if n|a-b.
$Z_n = \{0, 1, \ldots, n-1\}$
Given $a \in Z_n$, if there exists $x \in Z_n$ s.t. $ax \equiv 1 \pmod n$, then a is said to be invertible and its inverse x is denoted $a^{-1}$.
p8.
Use Extended Euclidean Algo to calculate $a^{-1} \bmod n$
Example : a=7 and n=9
Euclidean algorithm to find gcd(a,n):
$9 = 1 \cdot 7 + 2$, $7 = 3 \cdot 2 + 1$, $2 = 2 \cdot 1 + 0$, so $\gcd(7, 9) = 1$
Extended Euclidean algorithm to write gcd(a,n)=sa+tn:
$1 = 7 - 3 \cdot 2 = 7 - 3 \cdot (9 - 1 \cdot 7) = 4 \cdot 7 - 3 \cdot 9$
Hence $7^{-1} \equiv 4 \pmod 9$.
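As an added example (not part of the slides), the Euclidean and extended Euclidean algorithms above in Python: `euclid_trace` returns the $(q_i, r_i)$ steps of the slide's table, `egcd` carries the coefficients s, t through each division exactly as the back-substitution does, and `inverse_mod` uses them to compute $a^{-1} \bmod n$, reporting `None` when no inverse exists. The inputs 299, 221 and 7, 9 are the slides' own.

```python
def euclid_trace(a, b):
    """Euclidean algorithm as on the slide: r0 = a, r1 = b, r_{i+1} = r_{i-1} mod r_i.

    Returns (gcd, steps) where steps lists (q_i, r_i) for each division
    r_{i-1} = q_i * r_i + r_{i+1}; the last non-zero remainder is the gcd.
    """
    if a < 0 or b < 0:
        raise ValueError("inputs must be non-negative")
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((q, r))
        a, b = b, r
    return a, steps


def egcd(a, b):
    """Extended Euclidean algorithm: returns (r, s, t) with r = gcd(a, b) = s*a + t*b.

    (s0, t0) always expresses the current `a`, and (s1, t1) the current `b`,
    as integer combinations of the original inputs; each division step
    updates them the same way the slide's back-substitution does.
    """
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        s0, t0, s1, t1 = s1, t1, s0 - q * s1, t0 - q * t1
    return a, s0, t0


def inverse_mod(a, n):
    """a^{-1} mod n via egcd; returns None when gcd(a, n) != 1 (a is not a unit of Z_n)."""
    if n <= 1:
        raise ValueError("modulus must exceed 1")
    r, s, _ = egcd(a % n, n)
    if r != 1:
        return None
    return s % n


if __name__ == "__main__":
    print(euclid_trace(299, 221))   # (13, [(1, 78), (2, 65), (1, 13), (5, 0)])
    print(egcd(299, 221))           # (13, 3, -4): 3*299 - 4*221 = 13
    print(inverse_mod(7, 9))        # 4, since 4*7 = 28 = 3*9 + 1
    print(inverse_mod(6, 9))        # None: gcd(6, 9) = 3
```

The coefficient returned for a is reduced mod n before use as an inverse, since `egcd` may return a negative s (as it does for 7 and 9, where $1 = 4 \cdot 7 - 3 \cdot 9$ with $t = -3$).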
p9.
$Z_n^* = \{a \mid \gcd(a, n) = 1 \text{ and } 0 < a < n\}$
For example, $Z_{12}^* = \{1, 5, 7, 11\}$,
$Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$
$(Z_n^*, \cdot)$ forms a multiplicative group
$\phi(n)$ as defined is $|Z_n^*|$
p10.
Fermat's little theorem : If $a \in Z_p^*$ (p is prime), then $a^{p-1} \equiv 1 \pmod p$
Euler's theorem : If $a \in Z_n^*$, then $a^{\phi(n)} \equiv 1 \pmod n$
The order of $a \in Z_n^*$, written ord(a), is the least positive integer t such that $a^t \equiv 1 \pmod n$.
If $a \in Z_n^*$ has $\mathrm{ord}(a) = \phi(n) = |Z_n^*|$, then a is said to be a generator of $Z_n^*$; in this case,
$Z_n^* = \{a^i \mid 0 \le i < \phi(n)\}$.
p11.
Example : n=15
$Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$
$\phi(15) = \phi(3)\phi(5) = 2 \cdot 4 = 8$
a in Z_15^* :  1  2  4  7  8  11  13  14
ord(a)      :  1  4  2  4  4   2   4   2
Every order divides $\phi(15) = 8$ (e.g. $8^2 \equiv 4$, $8^4 \equiv 1 \pmod{15}$), but no element has order 8, so $Z_{15}^*$ has no generator.
p12.
3. Chinese remainder theorem
If the integers $n_1, \ldots, n_k$ are pairwise relatively prime, then the system of congruences
$x \equiv a_1 \pmod{n_1}$, $x \equiv a_2 \pmod{n_2}$, $\ldots$, $x \equiv a_k \pmod{n_k}$
has a unique solution modulo $n = n_1 n_2 \cdots n_k$
p13.
Algorithm : Gauss algorithm
(1) Input k, $n_i$, $a_i$, for i=1,2,…,k
(2) Compute $N_i = n / n_i = \prod_{j \ne i} n_j$ for i=1,2,…,k
(3) Compute the inverse $M_i = N_i^{-1} \bmod n_i$ for i=1,2,…,k
(4) Compute $x = \sum_{i=1}^{k} a_i N_i M_i \bmod n$
p14.
Example
$x \equiv 1 \pmod 3$, $x \equiv 6 \pmod 7$, $x \equiv 8 \pmod{10}$
According to the Gauss algorithm, with $n = 3 \cdot 7 \cdot 10 = 210$:
$N_1 = 70$, $70 \equiv 1 \pmod 3$, $M_1 = 1^{-1} \bmod 3 = 1$
$N_2 = 30$, $30 \equiv 2 \pmod 7$, $M_2 = 2^{-1} \bmod 7 = 4$
$N_3 = 21$, $21 \equiv 1 \pmod{10}$, $M_3 = 1^{-1} \bmod 10 = 1$
$x = 1 \cdot 70 \cdot 1 + 6 \cdot 30 \cdot 4 + 8 \cdot 21 \cdot 1 = 958 \equiv 118 \pmod{210}$
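The Gauss algorithm as an added Python example (not part of the slides): `crt_terms` produces the $(N_i, M_i)$ pairs of steps (2) and (3), `crt_gauss` combines them as in step (4), and the pairwise-coprimality check rejects inputs for which the theorem gives no unique solution. The system $x \equiv 1, 6, 8 \pmod{3, 7, 10}$ is the slide's example.

```python
from math import gcd, prod


def crt_terms(moduli):
    """Steps (2) and (3) of the Gauss algorithm: [(N_i, M_i)] with
    N_i = n / n_i and M_i = N_i^{-1} mod n_i, for pairwise coprime moduli."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not relatively prime")
    n = prod(moduli)
    # pow(N_i, -1, n_i) is the modular inverse (Python 3.8+); it exists since gcd(N_i, n_i) = 1
    return [(n // n_i, pow(n // n_i, -1, n_i)) for n_i in moduli]


def crt_gauss(residues, moduli):
    """Solve x = a_i (mod n_i) for all i; returns the unique x in [0, n), n = prod(n_i)."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus is required")
    n = prod(moduli)
    x = sum(a_i * N_i * M_i for a_i, (N_i, M_i) in zip(residues, crt_terms(moduli)))
    return x % n


def check_solution(x, residues, moduli):
    """Verify x against every congruence of the system."""
    return all(x % n_i == a_i % n_i for a_i, n_i in zip(residues, moduli))


if __name__ == "__main__":
    a, m = [1, 6, 8], [3, 7, 10]
    print(crt_terms(m))                # [(70, 1), (30, 4), (21, 1)]
    x = crt_gauss(a, m)
    print(x, check_solution(x, a, m))  # 118 True
```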
p15.
4. Square-and-Multiply
Algorithm: Square-and-Multiply(x, c, n)
Input : $x \in Z_n$, c with binary representation $c = \sum_{i=0}^{l-1} c_i 2^i$
Output : $x^c \bmod n$
$z \leftarrow 1$
for $i \leftarrow l-1$ downto 0 do
    $z \leftarrow z^2 \bmod n$
    if $c_i = 1$ then $z \leftarrow z \cdot x \bmod n$
return(z)
p16.
Example : $9726^{3533} \bmod 11413 = ?$  ($3533 = 110111001101_2$, all values below reduced mod 11413)
 i  c_i  z
11   1   $1^2 \cdot 9726 = 9726$
10   1   $9726^2 \cdot 9726 = 2659$
 9   0   $2659^2 = 5634$
 8   1   $5634^2 \cdot 9726 = 9167$
 7   1   $9167^2 \cdot 9726 = 4958$
 6   1   $4958^2 \cdot 9726 = 7783$
 5   0   $7783^2 = 6298$
 4   0   $6298^2 = 4629$
 3   1   $4629^2 \cdot 9726 = 10185$
 2   1   $10185^2 \cdot 9726 = 105$
 1   0   $105^2 = 11025$
 0   1   $11025^2 \cdot 9726 = 5761$
Hence $9726^{3533} \bmod 11413 = 5761$.
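Square-and-multiply as an added Python example (not from the slides), with an optional trace that reproduces the table above row by row; the result is cross-checked against Python's built-in `pow`. The input $9726^{3533} \bmod 11413$ is the slide's.

```python
def square_and_multiply(x, c, n, trace=None):
    """Left-to-right binary exponentiation, exactly as on the slide.

    Write c = sum_{i=0}^{l-1} c_i 2^i. Start with z = 1; for i = l-1 down to 0:
    z <- z^2 mod n, then if c_i = 1: z <- z*x mod n. If `trace` is a list,
    one (i, c_i, z) row per iteration is appended, reproducing the slide's table.
    """
    if n <= 0:
        raise ValueError("modulus must be positive")
    if c < 0:
        raise ValueError("negative exponents need a modular inverse")
    bits = bin(c)[2:]          # most significant bit first; "0" when c == 0
    l = len(bits)
    z = 1 % n                  # 1 % n covers the degenerate modulus n = 1
    for k, bit in enumerate(bits):
        i = l - 1 - k
        z = z * z % n
        if bit == "1":
            z = z * x % n
        if trace is not None:
            trace.append((i, int(bit), z))
    return z


def format_trace(trace):
    """Render the (i, c_i, z) rows like the slide's table."""
    return "\n".join(f"{i:>2}  {ci}  {z}" for i, ci, z in trace)


if __name__ == "__main__":
    rows = []
    result = square_and_multiply(9726, 3533, 11413, trace=rows)
    print(format_trace(rows))
    print(result, result == pow(9726, 3533, 11413))   # 5761 True
```

The `if c_i = 1` branch makes the running time depend on the exponent bits, which is the slide's algorithm as stated; for a private RSA exponent that dependence is the reason production implementations use constant-time exponentiation instead.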
p17.
[2] The RSA Cryptosystem
Proposed by Rivest, Shamir, and Adleman (1977)
Used for encryption and signature schemes
Based on the intractability of the integer factorization problem
Key generation
Let p, q be large primes, n=pq and $\phi(n) = (p-1)(q-1)$
Choose randomly b s.t. $\gcd(b, \phi(n)) = 1$
Compute $a = b^{-1} \bmod \phi(n)$
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)
p18.
RSA Cryptosystem
Let n=pq, where p and q are primes.
Let $P = C = Z_n$, and define
$K = \{(n, p, q, a, b) : ab \equiv 1 \pmod{\phi(n)}\}$.
For K = (n,p,q,a,b), define $e_K(x) = x^b \bmod n$
and $d_K(y) = y^a \bmod n$
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)
p19.
Verify that encryption and decryption are inverse operations
Since $ab \equiv 1 \pmod{\phi(n)}$, we have $ab = t\phi(n) + 1$ for some $t \ge 1$. Suppose that $x \in Z_n^*$; then we have
$(x^b)^a = x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t x \equiv 1^t x \equiv x \pmod n$
as desired. For $x \in Z_n$ but not in $Z_n^*$ (i.e. p|x or q|x), check the congruence modulo p and modulo q separately and combine with the Chinese remainder theorem (do exercise).
p20.
Eg. p=7, q=13, n=91, $\phi(n) = (p-1)(q-1) = 72$
Choose b=5, compute $a = b^{-1} \bmod 72 = 29$ (check: $5 \cdot 29 = 145 = 2 \cdot 72 + 1$)
Public-key: (91,5)  Private-key: (7,13,29)
Assume message m=23
So cipher-text $c = m^b \bmod n = 23^5 \bmod 91 = 4$
and can be decrypted by
$m = c^a \bmod n = 4^{29} \bmod 91 = 23$
p21.
RSA encryption (figure: Alice encrypts a message M to Bob)
Bob: n = pq, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Private key $KR_{Bob} = (n, a)$; Public key $KU_{Bob} = (n, b)$
Encryption (Alice, using $KU_{Bob}$): $C = E_{KU_{Bob}}(M) = M^b \pmod n$
Decryption (Bob, using $KR_{Bob}$): $M = D_{KR_{Bob}}(C) = C^a \pmod n$
p22.
RSA signature scheme (figure: Alice signs a message M, Bob verifies)
Alice: n = pq, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Signing key $KR_{Alice} = (n, a)$; Verification key $KU_{Alice} = (n, b)$
Signing (Alice): hash M, then $A = E_{KR_{Alice}}(H(M)) = H(M)^a \pmod n$; send M together with A
Verification (Bob): compute $D_{KU_{Alice}}(A) = A^b \pmod n$ and compare it with H(M)
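An added Python example (not from the slides) of the key generation, encryption, decryption, signing and verification defined in this section, run on the slides' toy parameters p=7, q=13, b=5, m=23. Two things in it are assumptions of this example rather than the slides' definitions: the hash H(M) is taken as SHA-256 reduced into $Z_n$ (a real scheme hashes and then pads to the modulus size instead), and `decryption_inverts_encryption` carries out the exercise left open above by checking $d_K(e_K(x)) = x$ for every x in $Z_n$, including multiples of p and q.

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, b):
    """Key generation as on the slides: n = pq, phi(n) = (p-1)(q-1), a = b^{-1} mod phi(n).
    Returns (public_key, private_key) = ((n, b), (n, a))."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(b, phi_n) != 1:
        raise ValueError("b must be relatively prime to phi(n)")
    a = pow(b, -1, phi_n)           # modular inverse (Python 3.8+)
    return (n, b), (n, a)


def encrypt(public_key, x):
    """e_K(x) = x^b mod n (textbook RSA, no padding)."""
    n, b = public_key
    return pow(x, b, n)


def decrypt(private_key, y):
    """d_K(y) = y^a mod n."""
    n, a = private_key
    return pow(y, a, n)


def toy_hash(message, n):
    """H(M) as an element of Z_n: SHA-256 of M reduced mod n.
    Assumption for this example only; a deployed scheme pads the digest
    to the modulus size rather than reducing it mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """A = H(M)^a mod n: the private exponent applied to the hash."""
    n, a = private_key
    return pow(toy_hash(message, n), a, n)


def verify(public_key, message, signature):
    """Accept iff A^b mod n equals H(M)."""
    n, b = public_key
    return pow(signature, b, n) == toy_hash(message, n)


def decryption_inverts_encryption(p, q, b):
    """The slide proves d_K(e_K(x)) = x for x in Z_n^* and leaves x not in Z_n^*
    as an exercise; this checks every x in Z_n, including multiples of p and q."""
    public_key, private_key = rsa_keygen(p, q, b)
    n = public_key[0]
    return all(decrypt(private_key, encrypt(public_key, x)) == x for x in range(n))


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 13, 5)
    print(pub, priv)                                    # (91, 5) (91, 29)
    c = encrypt(pub, 23)
    print(c, decrypt(priv, c))                          # 4 23
    print(decryption_inverts_encryption(7, 13, 5))      # True
    msg = b"constructed sample message"                 # constructed input for the example
    sig = sign(priv, msg)
    print(verify(pub, msg, sig))                        # True
```

This is RSA exactly as the slides define it: raw modular exponentiation with no padding, and a signature that is the private-key operation applied directly to a hash. It shows why $d_K$ inverts $e_K$ and why $A^b$ recovers H(M); it is not how a deployed scheme is built.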
p23.
[3] Quadratic Residue
1. Quadratic residue modulo n
Let $a \in Z_n^*$, then a is a quadratic residue modulo n if there exists $x \in Z_n^*$ with $x^2 \equiv a \pmod n$. In this case, x is a square root of a modulo n. Otherwise, a is a quadratic nonresidue modulo n.
$Q_n$: the set of quadratic residues modulo n. $\bar{Q}_n$: the set of quadratic nonresidues modulo n.
$Z_n^* = Q_n \cup \bar{Q}_n$
p24.
2. Theorem : p > 2 is prime and α is a generator of $Z_p^*$
$a \in Z_p^*$ is a quadratic residue modulo p $\iff$ there exists $i \in Z$ s.t. $a \equiv \alpha^{2i} \pmod p$
p25.
3. Corollary : p > 2 is prime and α is a generator of $Z_p^*$
(1) $Q_p = \{\alpha^i \bmod p \mid i \text{ even},\ 0 \le i \le p-2\}$
(2) $\bar{Q}_p = \{\alpha^i \bmod p \mid i \text{ odd},\ 0 \le i \le p-2\}$
(3) $|Q_p| = |\bar{Q}_p| = (p-1)/2$
(4) If $a \in Q_p$, then $x^2 \equiv a \pmod p$ has exactly two solutions.
Also $\alpha^{(p-1)/2} \equiv -1 \pmod p$.
4. Legendre symbol : p > 2 is prime and $a \in Z$
$\left(\frac{a}{p}\right) = 0$ if $p \mid a$; $\left(\frac{a}{p}\right) = 1$ if $a \bmod p \in Q_p$; $\left(\frac{a}{p}\right) = -1$ if $a \bmod p \in \bar{Q}_p$
p26.
5. Theorem : Euler's criterion
If p is prime and $a \in Z_p^*$, then $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$
6. E.g : $\left(\frac{3}{23}\right) = ?$
$(23-1)/2 = 11 = 1011_2$; use Square-and-Multiply:
$3^{11} \bmod 23 = 1$, so $\left(\frac{3}{23}\right) = 1$ and $3 \in Q_{23}$ (indeed $7^2 = 49 \equiv 3 \pmod{23}$).
p27.
7. Jacobi symbol :
n > 2 is an odd integer with $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $p_i$ prime, and $a \in Z$:
$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \left(\frac{a}{p_2}\right)^{e_2} \cdots \left(\frac{a}{p_k}\right)^{e_k}$
p28.
8. Properties of Jacobi symbol : m, n > 2 are odd integers
(1) $\left(\frac{a}{n}\right) \in \{0, 1, -1\}$, and $\left(\frac{a}{n}\right) = 0 \iff \gcd(a, n) \ne 1$
(2) $\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right)$ and $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$
(3) If $a \equiv b \pmod n$ then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$
(4) $\left(\frac{1}{n}\right) = 1$ and $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$, i.e. $1$ if $n \equiv 1 \pmod 4$ and $-1$ if $n \equiv 3 \pmod 4$
(5) $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}$, i.e. $1$ if $n \equiv \pm 1 \pmod 8$ and $-1$ if $n \equiv \pm 3 \pmod 8$
(6) $\left(\frac{m}{n}\right) = \left(\frac{n}{m}\right)(-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}$ (reciprocity: the sign is $-1$ exactly when $m \equiv n \equiv 3 \pmod 4$)
p29.
9. E.g : calculate Jacobi symbol without factoring n
a = 28, n = 55:
$\left(\frac{28}{55}\right) = \left(\frac{2}{55}\right)^2 \left(\frac{7}{55}\right) = \left(\frac{7}{55}\right)$  (property 2)
$\left(\frac{7}{55}\right) = (-1)^{\frac{7-1}{2} \cdot \frac{55-1}{2}} \left(\frac{55}{7}\right) = -\left(\frac{55}{7}\right)$  (property 6)
$\left(\frac{55}{7}\right) = \left(\frac{6}{7}\right)$  (property 3, since $55 \equiv 6 \pmod 7$)
$\left(\frac{6}{7}\right) = \left(\frac{-1}{7}\right) = (-1)^{(7-1)/2} = -1$  (properties 3 and 4, since $6 \equiv -1 \pmod 7$)
Hence $\left(\frac{28}{55}\right) = -(-1) = 1$.
p30.
10. Jacobi symbol V.S. Quadratic residue modulo n
$a \in Q_n \Rightarrow \left(\frac{a}{n}\right) = 1$
Definition: $J_n = \{a \in Z_n^* \mid \left(\frac{a}{n}\right) = 1\}$
$\tilde{Q}_n = J_n \setminus Q_n$; the elements of $\tilde{Q}_n$ are called pseudosquares modulo n.
$Q_n \subseteq J_n$, and $Q_n = J_n$ in the case n is prime.
p31.
11. E.g : n=15
$15 = 3 \cdot 5$, and
$\left(\frac{a}{3}\right) = 1$ if $a \equiv 1 \pmod 3$, $-1$ if $a \equiv 2 \pmod 3$;
$\left(\frac{a}{5}\right) = 1$ if $a \equiv \pm 1 \pmod 5$, $-1$ if $a \equiv \pm 2 \pmod 5$.
The Jacobi symbols are calculated in the following table:
a in Z_15^* :  1   2   4   7   8  11  13  14
(a/3)       :  1  -1   1   1  -1  -1   1  -1
(a/5)       :  1  -1   1  -1  -1   1  -1   1
(a/15)      :  1   1   1  -1   1  -1  -1  -1
Hence $J_{15} = \{1, 2, 4, 8\}$. It can be verified that $Q_{15} = \{1, 4\}$, then $\tilde{Q}_{15} = J_{15} \setminus Q_{15} = \{2, 8\}$.
p32.
12. Quadratic residuosity problem(QRP)
Determine if a given $a \in J_n$ is a quadratic residue or a pseudosquare modulo n.
p33.
[4] Primality Testing
(1) Prime numbers
1. How to generate large prime numbers?
(1) Generate as candidate a random odd number n of appropriate size.
(2) Test n for primality.
(3) If n is composite, return to the first step.
p34.
2. Distribution of prime numbers
(1) prime number theorem
Let $\pi(x)$ denote the number of prime numbers $\le x$.
$\pi(x) \sim x / \ln x$ as $x \to \infty$.
(2) Dirichlet theorem
If gcd(a, n)=1, then there are infinitely many primes congruent to a mod n.
p35.
(3) Let $\pi(x, n, a)$ denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n)=1. Then
$\pi(x, n, a) \sim \frac{x}{\phi(n) \ln x}$
The prime numbers are roughly uniformly distributed among the $\phi(n)$ congruence classes in $Z_n^*$.
(4) Approximation for the nth prime number $p_n$:
$n \ln n < p_n < n(\ln n + \ln \ln n)$ for $n \ge 6$
p36.
(2) Solovay-Strassen primality test
1. Trial method for testing whether n is prime or composite: if no $a \in [2, \sqrt{n}]$ divides n, then n is prime.
2. Definition : Euler witness
Let n be an odd composite integer and $1 \le a \le n-1$.
(1) If $\gcd(a, n) > 1$ or $a^{(n-1)/2} \not\equiv \left(\frac{a}{n}\right) \pmod n$, then a is an Euler witness (to compositeness) for n.
p37.
(2) Otherwise, if $\gcd(a, n) = 1$ and $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod n$, then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.
p38.
3. Example (Euler pseudoprime)
Consider n = 91 (= 7x13). Since $9^{45} \equiv 1 \pmod{91}$ and $\left(\frac{9}{91}\right) = 1$, 91 is an Euler pseudoprime to the base 9.
4. Fact
At most $\phi(n)/2$ of all the numbers a, $1 \le a \le n-1$, are Euler liars for n.
p39.
5. Algorithm : Solovay-Strassen(n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: "prime" or "composite"
1. for i = 1 to t do :
    1.1 choose a random integer a, 2 ≤ a ≤ n-2; if gcd(a,n) ≠ 1 then return ("composite")
    1.2 compute $r = a^{(n-1)/2} \bmod n$ (use square-and-multiply); if r ≠ 1 and r ≠ n-1 then return ("composite")
    1.3 compute the Jacobi symbol $s = \left(\frac{a}{n}\right)$; if $r \not\equiv s \pmod n$ then return ("composite")
2. return ("prime")
p40.
6. Solovay-Strassen error-probability bound
For any odd composite integer n, the probability that Solovay-Strassen (n, t) declares n to be "prime" is less than $(1/2)^t$.
p41.
(3) Miller-Rabin primality test
1. Fact
Let p be an odd prime, $p - 1 = 2^s r$ where r is odd, and gcd(a, p) = 1. Then $a^r \equiv 1 \pmod p$ or $a^{2^j r} \equiv -1 \pmod p$ for some j, $0 \le j \le s-1$.
Why? (1) Fermat's little theorem, $a^{p-1} \equiv 1 \pmod p$; (2) 1 and -1 are the only two square roots of 1 in $Z_p^*$, so going down the sequence $a^{2^s r}, a^{2^{s-1} r}, \ldots, a^r$, either every term is 1 or the first term that is not 1 must be -1.
p42.
2. Definition
n : odd composite integer, $n - 1 = 2^s r$ where r is odd, $1 \le a \le n-1$
a is a strong witness to compositeness for n if $a^r \not\equiv 1 \pmod n$ and $a^{2^j r} \not\equiv -1 \pmod n$ for all j, $0 \le j \le s-1$
n is a strong pseudoprime to the base a if $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some j, $0 \le j \le s-1$ (a is called a strong liar to primality for n)
p43.
3. Algorithm: Miller-Rabin (n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: "prime" or "composite"
1. write $n - 1 = 2^s r$ such that r is odd.
2. for i = 1 to t do :
    2.1 choose a random integer a, 2 ≤ a ≤ n-2
    2.2 compute $y = a^r \bmod n$ (use square-and-multiply)
    2.3 if y ≠ 1 and y ≠ n-1 do :
        j ← 1
        while j ≤ s-1 and y ≠ n-1 do :
            y ← $y^2 \bmod n$
            if y = 1 then return ("composite")
            j ← j+1
        if y ≠ n-1 then return ("composite")
3. return ("prime")
p44.
4. Example (strong pseudoprime)
Consider n = 91 (= 7x13). 91-1 = 2·45, s=1, r=45. Since $9^r = 9^{45} \equiv 1 \pmod{91}$, 91 is a strong pseudoprime to the base 9.
The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}.
The number of strong liars for 91 is $18 = \phi(91)/4$.
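An added Python example (not from the slides) that ties together the Jacobi-symbol material of section [3] and the two tests of this section: `jacobi` computes $\left(\frac{a}{n}\right)$ from properties (1)-(6) alone and so never factors n (it reproduces the $\left(\frac{28}{55}\right) = 1$ calculation and the n = 15 table); `euler_criterion_agrees` checks Euler's criterion on the $\left(\frac{3}{23}\right)$ example; `pseudosquares` recovers $\tilde{Q}_{15} = \{2, 8\}$; `solovay_strassen` and `miller_rabin` follow the two algorithms above step by step; and `liars` enumerates every base $1 \le a \le n-1$ by the definitions, which is feasible only for small n such as the slides' n = 91 and there yields the 18 strong liars listed. All sample values are the slides' own.

```python
import random
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n), odd n > 0, from properties (1)-(6) alone: n is never factored."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                                   # property (3)
    result = 1
    while a:
        while a % 2 == 0:                    # properties (2), (5): (2/n) = -1 iff n = +-3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                          # property (6), reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0           # property (1): 0 iff gcd(a, n) > 1


def euler_criterion_agrees(a, p):
    """Euler's criterion: for prime p, a^((p-1)/2) mod p equals (a/p) taken in Z_p."""
    return pow(a, (p - 1) // 2, p) == jacobi(a, p) % p


def pseudosquares(n):
    """Q~_n = J_n \\ Q_n: Jacobi symbol 1 but not a square in Z_n^*."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    squares = {a * a % n for a in units}                  # Q_n
    j_n = {a for a in units if jacobi(a, n) == 1}         # J_n
    return sorted(j_n - squares)


def is_euler_liar(a, n):
    """gcd(a, n) = 1 and a^((n-1)/2) = (a/n) (mod n), for odd composite n."""
    return gcd(a, n) == 1 and pow(a, (n - 1) // 2, n) == jacobi(a, n) % n


def is_strong_liar(a, n):
    """n - 1 = 2^s r with r odd: a^r = 1 or a^(2^j r) = -1 (mod n) for some 0 <= j < s."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    y = pow(a, r, n)
    if y in (1, n - 1):
        return True
    for _ in range(s - 1):                   # j = 1 .. s-1
        y = y * y % n
        if y == n - 1:
            return True
    return False


def solovay_strassen(n, t, rng=random):
    """Return "prime" or "composite"; a composite n is declared prime with probability < (1/2)^t."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and at least 3")
    if n == 3:
        return "prime"
    for _ in range(t):
        a = rng.randrange(2, n - 1)          # 2 <= a <= n-2
        if gcd(a, n) != 1:
            return "composite"
        r = pow(a, (n - 1) // 2, n)
        if r not in (1, n - 1) or r != jacobi(a, n) % n:   # s = (a/n) compared inside Z_n
            return "composite"
    return "prime"


def miller_rabin(n, t, rng=random):
    """Return "prime" or "composite"; a composite n is declared prime with probability < (1/4)^t."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and at least 3")
    if n == 3:
        return "prime"
    for _ in range(t):
        if not is_strong_liar(rng.randrange(2, n - 1), n):
            return "composite"
    return "prime"


def liars(n):
    """(Euler liars, strong liars) among 1 <= a <= n-1 by brute force; small odd composite n only."""
    return ([a for a in range(1, n) if is_euler_liar(a, n)],
            [a for a in range(1, n) if is_strong_liar(a, n)])


if __name__ == "__main__":
    print(jacobi(28, 55), euler_criterion_agrees(3, 23))     # 1 True
    print(pseudosquares(15))                                  # [2, 8]
    euler, strong = liars(91)
    print(len(euler), len(strong), strong)                    # 18 18 [1, 9, 10, ..., 90]
    print(solovay_strassen(91, 20), miller_rabin(91, 20), miller_rabin(7919, 20))
```

For n = 91 the brute-force count shows the strong liars and the Euler liars coincide and hit the $\phi(91)/4 = 18$ bound exactly, which is why the slides use 91 as the example; the remark that follows in the slides (most composites have far fewer strong liars) can be checked the same way on other small n.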
p45.
5. Fact
If n is an odd composite integer, then at most 1/4 of all the numbers a, $1 \le a \le n-1$, are strong liars for n. In fact, if $n \ne 9$, the number of strong liars for n is at most $\phi(n)/4$.
p46.
6. Miller-Rabin error-probability bound
For any odd composite integer n, the probability that Miller-Rabin (n, t) declares n to be "prime" is less than $(1/4)^t$.
7. Remark
For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of $\phi(n)/4$, so the Miller-Rabin error probability is much smaller than $(1/4)^t$.