factoring and rsa
play

Factoring and RSA Nadia Heninger University of Pennsylvania - PowerPoint PPT Presentation

Aug 28, 2023 •430 likes •1.39k views

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption

  1. Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange

  3. Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1)) Encryption public key = ( N , e ) ciphertext = message e mod N message = ciphertext d mod N

  4. Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1)) Signing public key = ( N , e ) signature = message d mod N message = signature e mod N

  5. Computational problems Factoring Problem: Given N , compute its prime factors. ◮ Computationally equivalent to computing private key d . ◮ Factoring is in NP and coNP → not NP-complete (unless P=NP or similar).

  6. Computational problems e th roots mod N Problem: Given N , e , and c , compute x such that x e ≡ c mod N . ◮ Equivalent to decrypting an RSA-encrypted ciphertext. ◮ Equivalent to selective forgery of RSA signatures. ◮ Unknown whether it reduces to factoring: ◮ “Breaking RSA may not be equivalent to factoring” [Boneh Venkatesan 1998] “an algebraic reduction from factoring to breaking low-exponent RSA can be converted into an efficient factoring algorithm” ◮ “Breaking RSA generically is equivalent to factoring” [Aggarwal Maurer 2009] “a generic ring algorithm for breaking RSA in Z N can be converted into an algorithm for factoring” ◮ “RSA assumption”: This problem is hard.

  7. A garden of attacks on textbook RSA Unpadded RSA encryption is homomorphic under multiplication. Let’s have some fun! Attack: Malleability Given a ciphertext c = Enc( m ) = m e mod N , attacker can forge ciphertext Enc( ma ) = ca e mod N for any a . Attack: Chosen ciphertext attack Given a ciphertext c = Enc( m ) for unknown m , attacker asks for Dec( ca e mod N ) = d and computes m = da − 1 mod N . Attack: Signature forgery Attacker wants Sign( x ). Attacker computes z = xy e mod N for some y and asks signer for s = Sign( z ) = z d mod N . Attacker computes Sign( z ) = sy − 1 mod N . So in practice always use padding on messages .

  8. http://xkcd.com/538/

  9. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python sage: 2*3 6

  10. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8

  11. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8 It has lots of useful libraries: sage: factor(15) 3 * 5

  12. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8 It has lots of useful libraries: sage: factor(15) sage: factor(x^2-1) 3 * 5 (x - 1) * (x + 1)

  13. Practicing Sage and Textbook RSA Key generation: sage: p = random_prime(2^512); q = random_prime(2^512) sage: N = p*q sage: e = 65537 sage: d = inverse_mod(e,(p-1)*(q-1)) Encryption: sage: m = Integer(’helloworld’,base=35) sage: c = pow(m,65537,N) Decryption: sage: Integer(pow(c,d,N)).str(base=35) ’helloworld’

  14. So how hard is factoring?

  15. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32))

  16. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059

  17. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64))

  18. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833

  19. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96))

  20. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141

  21. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141 sage: time factor(random_prime(2^128)*random_prime(2^128))

  22. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141 sage: time factor(random_prime(2^128)*random_prime(2^128)) CPU times: user 7min 56s, sys: 5.38 s, total: 8min 2s Wall time: 8min 12s 71044139867382099583965064084826540441 * 95091214714150393464646264945135836937

  23. Factoring in practice Two families of factoring algorithms: 1. Algorithms whose running time depends on the size of the factor to be found. ◮ Good for factoring small numbers, and finding small factors of big numbers. 2. Algorithms whose running time depends on the size of the number to be factored. ◮ Good for factoring big numbers with big factors.

  24. Trial Division Good for finding very small factors Takes p / log p trial divisions to find a prime factor p .

  25. Pollard rho Good for finding slightly larger prime factors Intuition ◮ Try to take a random walk among elements mod N . ◮ If p divides N , there will be a cycle of length p . ◮ Expect a collision after searching about √ p random elements.

  26. Pollard rho Good for finding slightly larger prime factors Intuition ◮ Try to take a random walk among elements mod N . ◮ If p divides N , there will be a cycle of length p . ◮ Expect a collision after searching about √ p random elements. Details ◮ “Random” function: f ( x ) = x 2 + c mod N for random c . ◮ For random starting point a , compute a , f ( a ) , f ( f ( a )) , . . . ◮ Naive implementation uses √ p memory, O (1) lookup time. ◮ To reduce memory: ◮ Floyd cycle-finding algorithm: Store two pointers, and move one twice as fast as the other until they coincide. ◮ Method of distinguished points: Store points satisfying easily tested property like k leading zeros.

  27. Why is it called the rho algorithm?

  28. Pollard rho in Sage def rho(n): a = 98357389475943875; c=10 # some random values f = lambda x: (x^2+c)%n a1 = f(a) ; a2 = f(a1) while gcd(n, a2-a1)==1: a1 = f(a1); a2 = f(f(a2)) return gcd(n, a2-a1) sage: N = 698599699288686665490308069057420138223871 sage: rho(N) 2053

  29. Reminders: Orders and groups Theorem (Fermat’s Little Theorem) a p − 1 ≡ 1 mod p for any 0 < a < p. Let ord( a ) p be the order of a mod p . (Smallest positive integer such that a ord( a ) p ≡ 1 mod p .) Theorem (Lagrange) ord( a ) p divides p − 1 .

  30. Pollard’s p − 1 method Good for finding special small factors Intuition ◮ If a r ≡ 1 mod p then ord( a ) p | r and p | gcd( a r − 1 , N ). ◮ Don’t know p , pick very smooth number r , hoping for ord( a ) p to divide it. Definition: An integer is B-smooth if all its prime factors are ≤ B .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides
FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

F A C T O R I N G W I T H J U D G M E N T S FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about? FACTORING It is precisely after the judgment is won by This out-of-the-box product uses the - the

199 views • 7 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy, 9. October 2008 Using P-1, P+1 and ECM in NFS For large factoring projects, memory becomes a limiting resource. Large factor base bound B requires

385 views • 21 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26, 2019 Integer factoring and compositeness witnesses 1 Objective: Factorization of a large integer n Oracles Techniques How many hard numbers are

514 views • 22 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

Nonlinear System Identification Benchmarks POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES TW IC K April, 2019 NARX MODEL T he No nline ar Auto re g re ssive e Xo g e no us I nput Mo de l

253 views • 23 slides
Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and Statistics University of North Carolina at Greensboro Sebastian Pauli (UNC Greensboro) Factoring Polynomials over Local Fields II 1 / 20 Polynomial

765 views • 44 slides
Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens College &amp; CUNY Graduate Center New York, NY MAA MathFest Portland, OR 7 August 2014 Russell Miller (CUNY) Factoring and Finding Roots MathFest

489 views • 30 slides
The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida State University ISSAC2013 June 26, 2013 Papers [Zassenhaus 1969]. Usually fast, but can be exp-time. [LLL 1982]. Lattice reduction (LLL

766 views • 43 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

SNI CAPITAL ADVISORS Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a leading financial/business consulting firm having a strong global presence directly or indirectly through its network partners &amp;

313 views • 10 slides
Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving

Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving

Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving Step the NFS Sieving Step Adi Shamir Eran Tromer Adi Shamir Eran Tromer Weizmann Institute of Science Weizmann Institute of Science 1

824 views • 47 slides
Re Real-tim time e Dis istr trib ibuted ed MIM IMO Sy Systems Hariharan Rahul Ezzeldin

Re Real-tim time e Dis istr trib ibuted ed MIM IMO Sy Systems Hariharan Rahul Ezzeldin

Re Real-tim time e Dis istr trib ibuted ed MIM IMO Sy Systems Hariharan Rahul Ezzeldin Hamed, Mohammed A. Abdelghany, Dina Katabi De Dense W Wir irele less Ne Networks Stadiums Concerts Airports Malls In Interf

563 views • 39 slides
Assignment 1 SCUBA-2 Data Reduction Dr. Steve Mairs (ASTR351L Spring 2019)

Assignment 1 SCUBA-2 Data Reduction Dr. Steve Mairs (ASTR351L Spring 2019)

Assignment 1 SCUBA-2 Data Reduction Dr. Steve Mairs (ASTR351L Spring 2019) Overview 1. Signal vs Noise 2. Data Reduction Methodology 3. Point Spread Function: Submillimetre Style 4. Units and Calibration

678 views • 23 slides
Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

This document was prepared by Mu2e collaboration using the resources of the Fermi National FERMILAB-SLIDES-19-078-ND Accelerator Laboratory (Fermilab), a U.S. Department of Energy, Office of Science, HEP User Facility. Fermilab is managed by

878 views • 66 slides
THMP Calibration Miriam K ummel Ruhr-Universit at Bochum Institut f ur

THMP Calibration Miriam K ummel Ruhr-Universit at Bochum Institut f ur

, THMP Calibration Miriam K ummel Ruhr-Universit at Bochum Institut f ur Experimentalphysik I PANDA-Collaboration Meeting March 2016 1 , Why Do We Measure Temperatures? PWO-II: LY depends on T with d ( LY ) = 3 %/ at -25

366 views • 9 slides
Clean M Miles Standar ard W Workshop 2018 B Base Y Year Emission ons I Inventor ory

Clean M Miles Standar ard W Workshop 2018 B Base Y Year Emission ons I Inventor ory

Clean M Miles Standar ard W Workshop 2018 B Base Y Year Emission ons I Inventor ory September 25, 2019 1 Purpose Establish 2018 base year emissions inventory Discuss data sources, methodology and assumptions Present

781 views • 44 slides
Equivalent Axle Loads Mazda Miata Curb weight = 2300 lb 1 ( ) = d consumption per passage

Equivalent Axle Loads Mazda Miata Curb weight = 2300 lb 1 ( ) = d consumption per passage

Equivalent Axle Loads Mazda Miata Curb weight = 2300 lb 1 ( ) = d consumption per passage M N M Ford Excursion Curb weight = 6300 lb 1 ( ) = d consumption per passage F N F Standard Vehicle Curb weight = 4000 lb 1 (

681 views • 29 slides
R Basics / Course Business l Well be using a sample dataset in class today: l CourseWeb: Course

R Basics / Course Business l Well be using a sample dataset in class today: l CourseWeb: Course

R Basics / Course Business l Well be using a sample dataset in class today: l CourseWeb: Course Documents Sample Data Week 2 l Can download to your computer before class l Thanks for answering CourseWeb background survey! l If sitting in

1.05k views • 71 slides
The COMET Experiment Status and Prospects Matthias Dubouchet High Energy Physics Group Imperial

The COMET Experiment Status and Prospects Matthias Dubouchet High Energy Physics Group Imperial

The COMET Experiment Status and Prospects Matthias Dubouchet High Energy Physics Group Imperial College London February 26, 2019 The COMET experiment COMET Dubouchet M. 2 Source: Google Source: AAPPS The COMET experiment COMET

239 views • 13 slides

More recommend