Number-Theoretic Algorithms (RSA and related algorithms) - PowerPoint PPT Presentation

SLIDE 1

Number-Theoretic Algorithms (RSA and related algorithms)

Chapter 31, CLRS book

SLIDE 2

Outline

  • Modular arithmetic
  • RSA encryption scheme
  • Miller-Rabin algorithm (a probabilistic algorithm)
SLIDE 3

Modular Arithmetic

SLIDE 4

Integers

  • $a \mid b$: $a$ divides $b$, $a$ is a divisor of $b$.
  • $\gcd(a, b)$: greatest common divisor of $a$ and $b$.
  • Coprime or relatively prime: $\gcd(a, b) = 1$.
  • Euclid's algorithm: compute $\gcd(a, b)$.
  • Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.

SLIDE 5

Integers modulo $n$

Let $n \ge 2$ be an integer.
Definition: $a$ is congruent to $b$ modulo $n$, written $a \equiv b \pmod{n}$, if $n \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $n$.
Note: $a \equiv b \pmod{n}$ and $a = b \bmod n$ are different.
Definition: $[a]_n := \{x \in \mathbb{Z} : x \equiv a \pmod{n}\}$. $[a]_n$ is called a residue class modulo $n$, and $a$ is a representative of that class.

SLIDE 6

There are exactly $n$ residue classes modulo $n$: $[0], [1], [2], \ldots, [n-1]$.
If $x \in [a]$ and $y \in [b]$, then $x + y \in [a + b]$ and $xy \in [ab]$.
Define addition and multiplication for residue classes: $[a] + [b] = [a + b]$, $[a] \cdot [b] = [ab]$.

SLIDE 7

Group

A group, denoted by $(G, \circ)$, is a set $G$ with a binary operation $\circ$ such that
  1. $\forall x, y \in G$, $x \circ y \in G$ (closure)
  2. $(x \circ y) \circ z = x \circ (y \circ z)$ (associativity)
  3. $\exists e \in G$ s.t. $\forall x \in G$, $x \circ e = e \circ x = x$ (identity)
  4. $\forall x \in G$, $\exists y \in G$ s.t. $x \circ y = y \circ x = e$ (inverse)
A group $(G, \circ)$ is abelian if $\forall x, y \in G$, $x \circ y = y \circ x$.
Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \cdot)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \cdot)$.

SLIDE 8

$(\mathbb{Z}_n, +)$

Define $\mathbb{Z}_n = \{[0], [1], \ldots, [n-1]\}$. Or, more conveniently, $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$.
$(\mathbb{Z}_n, +)$ forms an abelian group. For $a, b \in \mathbb{Z}_n$, $a + b = (a + b) \bmod n$. (Or, $[a] + [b] = [a + b] = [(a + b) \bmod n]$.)
0 is the additive identity element. The inverse of $a$, denoted by $-a$, is $n - a$.
When doing addition/subtraction in $\mathbb{Z}_n$, just do the regular addition/subtraction and reduce the result modulo $n$.
In $\mathbb{Z}_{10}$: $5 + 9 = 4$, $6 - 8 = -2 = 8$, $-3 = ?$

SLIDE 9

$(\mathbb{Z}_n, \cdot)$

$(\mathbb{Z}_n, \cdot)$ is not a group, because $0^{-1}$ does not exist.
Even if we exclude 0 and consider only $(\mathbb{Z}_n \setminus \{0\}, \cdot)$, it is not necessarily a group; some $a^{-1}$ may not exist.
For $a \in \mathbb{Z}_n$, $a^{-1}$ exists if and only if $\gcd(a, n) = 1$.

SLIDE 10

$\mathbb{Z}_n^*$

Let $\mathbb{Z}_n^* := \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
$(\mathbb{Z}_n^*, \cdot)$ is an abelian multiplicative group: $a \cdot b = ab \bmod n$ (or $[a][b] = [ab \bmod n]$).
1 is the identity element. The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.
For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$, and $5 \cdot 7 = 35 \bmod 12 = 11$.
Q: How many elements are there in $\mathbb{Z}_n^*$?

SLIDE 11

Euler's totient function

$\varphi(n) = |\mathbb{Z}_n^*| = |\{a : a \in \mathbb{Z}_n \text{ and } \gcd(a, n) = 1\}|$.
Facts:
  • 1. $\varphi(p^e) = p^{e-1}(p - 1)$ for prime $p$.
  • 2. $\varphi(ab) = \varphi(a)\varphi(b)$ if $\gcd(a, b) = 1$.

SLIDE 12

Lagrange's theorem and its consequences

Let $G$ be a finite (multiplicative) group.
Lagrange's theorem (as a consequence, since the order of any element divides $|G|$): For any element $a \in G$, $a^{|G|} = e$.
Corollary: For any element $a \in G$ and any integer $m \ge 0$, $a^m = a^{m \bmod |G|}$.
Euler's theorem: If $a \in \mathbb{Z}_n^*$ (for any finite $n > 1$), then $a^{\varphi(n)} = 1$ in $\mathbb{Z}_n^*$.
Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{p-1} = 1$ in $\mathbb{Z}_p^*$.

SLIDE 13

Example: $n = 15$

$\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$.
$\varphi(15) = \varphi(3)\varphi(5) = 2 \cdot 4 = 8$, so by Euler's theorem $a^8 = 1$ for every $a \in \mathbb{Z}_{15}^*$, and hence $a^8 = a^{16} = a^{24} = a^{32} = a^{40} = a^{48} = 1$.
  • $\mathrm{ord}(a)$: smallest positive integer $k$ such that $a^k = 1$.

  $a$:        1  2  4  7  8  11  13  14
  $\mathrm{ord}(a)$:  1  4  2  4  4  2   4   2

Exercise: for which $k$ is $13^k = 1$? (Exactly the multiples of $\mathrm{ord}(13) = 4$.)
                   

SLIDE 14

Algorithms

  • $\gcd(a, b)$
  • $a^{-1} \bmod n$
  • $a^k \bmod n$
Running time: $O(\log^3 n)$ for each (about $O(\log n)$ iterations, each doing $O(\log^2 n)$ schoolbook arithmetic on $\log n$-bit numbers). Here we assume $a, b \in \mathbb{Z}_n$.

SLIDE 15

Euclid's Algorithm

Given integers $a \ge b \ge 0$ (not both 0), compute $\gcd(a, b)$.
Theorem: If $b = 0$, $\gcd(a, b) = a$. If $b \ne 0$, $\gcd(a, b) = \gcd(b, a \bmod b)$.

Euclid($a$, $b$)
  if $b = 0$ then return $a$
  else return Euclid($b$, $a \bmod b$)

The number of recursive calls to Euclid is $O(\log n)$. Computing $a \bmod b$ takes $O(\log^2 n)$ (for $a, b \in \mathbb{Z}_n$).

SLIDE 16

Extended Euclidean Algorithm

Given $a \ge b \ge 0$, compute $x$, $y$ such that $ax + by = \gcd(a, b) = d$.
Example: $\gcd(299, 221)$
  $299 = 1 \cdot 221 + 78$
  $221 = 2 \cdot 78 + 65$
  $78 = 1 \cdot 65 + 13$
  $65 = 5 \cdot 13 + 0$
So $\gcd(299, 221) = 13$. Working backwards:
  $13 = 78 - 65$
     $= 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221$
     $= 3 \cdot (299 - 221) - 221 = 3 \cdot 299 - 4 \cdot 221$
So $x = 3$, $y = -4$: $299 \cdot 3 + 221 \cdot (-4) = 13$.

SLIDE 17

Extended Euclidean Algorithm

Given $a \ge b \ge 0$, compute $d$, $x$, $y$ such that $ax + by = \gcd(a, b) = d$.

Extended-Euclid($a$, $b$)
  if $b = 0$ then return $(a, 1, 0)$
  else
    $(d', x', y') \leftarrow$ Extended-Euclid($b$, $a \bmod b$)
    $(d, x, y) \leftarrow (d', y', x' - \lfloor a / b \rfloor y')$
    return $(d, x, y)$

SLIDE 18

Correctness Proof

If $b = 0$, $\gcd(a, b) = a = a \cdot 1 + b \cdot 0$, so the returned answer $(a, 1, 0)$ is correct.
If $(d', x', y')$ is correct, i.e. $d' = \gcd(b, a \bmod b) = b x' + (a \bmod b) y'$, then since $a \bmod b = a - \lfloor a/b \rfloor b$,
  $d' = b x' + (a - \lfloor a/b \rfloor b) y' = a y' + b (x' - \lfloor a/b \rfloor y')$.
Because $\gcd(a, b) = \gcd(b, a \bmod b) = d'$, the returned $(d, x, y) = (d', y', x' - \lfloor a/b \rfloor y')$ is correct.

SLIDE 19

How to compute $a^{-1}$

Compute $a^{-1}$ in $\mathbb{Z}_n^*$. $a^{-1}$ exists if and only if $\gcd(a, n) = 1$.
Use the extended Euclidean algorithm to find $x$, $y$ such that $ax + ny = \gcd(a, n) = 1$ (in $\mathbb{Z}$).
Then $[a][x] + [n][y] = [1]$, and $[a][x] = [1]$ (since $[n] = [0]$), so $[a]^{-1} = [x]$, i.e. $a^{-1} = x \bmod n$.
Note: may omit $[\ ]$, but reduce everything modulo $n$.

SLIDE 20

Example

Compute $15^{-1} \bmod 47$.
Using the extended Euclidean algorithm, we obtain $\gcd(15, 47) = 1 = 15 \cdot 22 + 47 \cdot (-7)$.
So $15^{-1} \bmod 47 = 22$. That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$.
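Euclid, Extended-Euclid in the recursive form of SLIDES 15 to 17, and the inverse computation of SLIDE 19, as an added example checked against the worked numbers on SLIDES 16 and 20 (this is my own code, not the slides' pseudocode; function names are my own):

```python
# Added example (not from the slides): Euclid, Extended-Euclid in the
# recursive form of slides 15-17, and the modular inverse of slide 19,
# checked against the worked numbers gcd(299, 221) and 15^-1 mod 47.

def euclid(a, b):
    """gcd(a, b) via gcd(a, b) = gcd(b, a mod b); the recursion depth is
    O(log min(a, b)) because the second argument at least halves every two calls."""
    return a if b == 0 else euclid(b, a % b)


def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d.
    Mirrors the slide: base case (a, 1, 0); otherwise recurse on
    (b, a mod b) and rewrite b*x' + (a mod b)*y' in terms of a and b."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    # a mod b = a - floor(a/b)*b, so d = a*y1 + b*(x1 - floor(a/b)*y1)
    return (d, y1, x1 - (a // b) * y1)


def mod_inverse(a, n):
    """a^-1 in Z_n^*, or raise if it does not exist (gcd(a, n) != 1).
    From a*x + n*y = 1 it follows that a*x = 1 (mod n), so x mod n is the inverse."""
    d, x, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {d}")
    return x % n


def check_bezout(a, b):
    """Does the returned triple satisfy a*x + b*y = d with d == gcd(a, b)?"""
    d, x, y = extended_euclid(a, b)
    return d == euclid(a, b) and a * x + b * y == d


if __name__ == "__main__":
    print(extended_euclid(299, 221))   # (13, 3, -4)
    print(mod_inverse(15, 47))         # 22
    print(mod_inverse(7, 160))         # 23, the RSA private exponent on slide 28
```

`extended_euclid(299, 221)` returns `(13, 3, -4)`, matching the back-substitution on SLIDE 16, and `mod_inverse(15, 47)` returns 22. The reduction `x % n` at the end matters: Extended-Euclid freely returns negative coefficients (here $y = -7$), and a caller that forgets the reduction will hand a negative "inverse" to the next step.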

  

        

SLIDE 21

Algorithm: Square-and-Multiply($x$, $c$, $n$)

Comment: compute $x^c \bmod n$, where $c = c_{k-1} c_{k-2} \cdots c_1 c_0$ in binary.
  $z \leftarrow 1$
  for $i \leftarrow k - 1$ downto 0 do
    $z \leftarrow z^2 \bmod n$
    if $c_i = 1$ then $z \leftarrow z \cdot x \bmod n$
  return $z$
Note: if $c$ is even, $x^c = (x^{c/2})^2$; if $c$ is odd, $x^c = (x^{(c-1)/2})^2 \cdot x$.

SLIDE 22

Example: $11^{23} \bmod 187$

$23 = 10111_2$, $z \leftarrow 1$.
  $c_4 = 1$: $z \leftarrow 1^2 \cdot 11 \bmod 187 = 11$ (square and multiply)
  $c_3 = 0$: $z \leftarrow 11^2 \bmod 187 = 121$ (square)
  $c_2 = 1$: $z \leftarrow 121^2 \cdot 11 \bmod 187 = 44$ (square and multiply)
  $c_1 = 1$: $z \leftarrow 44^2 \cdot 11 \bmod 187 = 165$ (square and multiply)
  $c_0 = 1$: $z \leftarrow 165^2 \cdot 11 \bmod 187 = 88$ (square and multiply)
So $11^{23} \bmod 187 = 88$.
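The Square-and-Multiply algorithm of SLIDE 21 with the per-bit trace that SLIDE 22 tabulates, as an added example (my own code, not the slides'; function names are my own). It also includes a square-and-always-multiply variant, because the `if c_i = 1` branch is the classic source of the timing side channel listed among the attacks on RSA later in these slides:

```python
# Added example (not from the slides): the Square-and-Multiply algorithm of
# slide 21, returning the per-bit trace that slide 22 tabulates for 11^23 mod 187.

def square_and_multiply(x, c, n):
    """x^c mod n, scanning the bits of c from the most significant down.
    Returns (result, trace); trace[i] = (bit, z after processing that bit)."""
    if c == 0:
        return 1 % n, []
    bits = [int(b) for b in bin(c)[2:]]   # c_{k-1} ... c_0
    z, trace = 1, []
    for bit in bits:
        z = z * z % n                     # square
        if bit == 1:
            z = z * x % n                 # multiply only when the bit is set
        trace.append((bit, z))
    return z, trace


def modpow(x, c, n):
    """Plain x^c mod n using the routine above (no trace)."""
    return square_and_multiply(x, c, n)[0]


def square_and_always_multiply(x, c, n):
    """Same result, but a multiplication is performed for every bit and the
    bit only selects which value is kept, so the number of modular
    multiplications no longer depends on the exponent.  This is the
    textbook first step against the timing attack on RSA; a Python
    interpreter gives no constant-time guarantee, so treat it as an
    illustration of the idea, not as a hardened implementation."""
    z = 1 % n
    for bit in (int(b) for b in bin(c)[2:]):
        z = z * z % n
        t = z * x % n
        z = t if bit else z
    return z


if __name__ == "__main__":
    result, trace = square_and_multiply(11, 23, 187)
    for bit, z in trace:
        print(bit, z, "(square and multiply)" if bit else "(square)")
    print(result)   # 88
```

The trace comes out as 11, 121, 44, 165, 88, exactly the column on SLIDE 22. Note that a branch-free selection of `z` is only one half of a real countermeasure; production RSA code additionally blinds the base (and often the exponent) so that the sequence of intermediate values is not predictable from the ciphertext alone.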

SLIDE 23

RSA Encryption

SLIDE 24

Public-key Encryption

[Diagram: Bob encrypts plaintext $m$ with Alice's public key using the encryption algorithm $E$, producing ciphertext $c$; Alice decrypts $c$ with her secret key using the decryption algorithm $D$ to recover $m$.]

SLIDE 25

The RSA Cryptosystem

By Rivest, Shamir & Adleman of MIT in 1977. Best known and most widely used public-key scheme.
Based on the assumed one-way property of modular powering:
  $f: x \mapsto x^e \bmod n$ (easy)
  $f^{-1}: x^e \bmod n \mapsto x$ (hard)
In turn based on the hardness of integer factorization: factoring $n$ yields $\varphi(n)$ and hence the trapdoor $d$ (see SLIDE 31), although it is not known whether inverting $f$ is as hard as factoring $n$.

SLIDE 26

Idea behind RSA

It works in the group $\mathbb{Z}_n^*$. Let $x \in \mathbb{Z}_n^*$ be a message.
RSA Encryption (easy): $x \mapsto x^e$.
RSA Decryption (hard): $x^e \mapsto x$.
RSA Decryption (easy with "trapdoor"): $x^e \mapsto (x^e)^d = x$.
Looking for a "trapdoor": $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and
  $(x^e)^d = x^{ed} = x^{k\varphi(n) + 1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x$.

SLIDE 27

RSA Cryptosystem

Key generation:
  (a) Choose large primes $p$ and $q$, and let $n := pq$.
  (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. (So $ed \equiv 1 \pmod{\varphi(n)}$.)
  (c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$.
Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$.

SLIDE 28

RSA Example: Key Setup

Select two primes: $p = 17$, $q = 11$.
Compute the modulus $n = pq = 187$.
Compute $\varphi(n) = (p-1)(q-1) = 160$.
Select $e$ between 0 and 160 such that $\gcd(e, 160) = 1$. Say $e = 7$.
Compute $d = e^{-1} \bmod \varphi(n) = 7^{-1} \bmod 160 = 23$ (using the extended Euclidean algorithm; check: $7 \cdot 23 = 161 = 160 + 1$).
Public key: $pk = (n, e) = (187, 7)$. Secret key: $sk = (n, d) = (187, 23)$.

SLIDE 29

RSA Example: Encryption & Decryption

Suppose $m = 88$.
Encryption: $c = m^e \bmod n = 88^7 \bmod 187 = 11$.
Decryption: $m = c^d \bmod n = 11^{23} \bmod 187 = 88$.
When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo 187. Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.
Note: $88 = 8 \cdot 11$ shares a factor with $187 = 11 \cdot 17$, so $88 \notin \mathbb{Z}_{187}^*$, yet decryption still recovers it. RSA is correct for every $x \in \mathbb{Z}_n$, not only for units: $x^{ed} \equiv x$ holds modulo $p$ and modulo $q$ separately (trivially when $p \mid x$, by Fermat's little theorem otherwise), hence modulo $n$ by the Chinese remainder theorem.

SLIDE 30

Attacks on RSA

SLIDE 31

Attacks on RSA

There are many attacks on RSA:
  • brute-force key search
  • mathematical attacks
  • timing attacks
  • chosen ciphertext attacks
The most important one is integer factorization: if the adversary can factor $n$ into $pq$, then he can calculate $\varphi(n) = (p-1)(q-1)$ and the secret key $d = e^{-1} \bmod \varphi(n)$.
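The key setup, encryption and decryption of SLIDES 27 to 29 with the toy parameters $p = 17$, $q = 11$, $e = 7$, followed by the factoring attack of SLIDE 31 and the malleability that underlies the chosen-ciphertext attack listed there, as an added example (my own code, not the slides'; function names are my own). It uses Python's built-in `pow` for modular powering and for the inverse (`pow(e, -1, m)` needs Python 3.8+) rather than repeating the hand-written routines above:

```python
# Added example (not from the slides): the RSA key setup, encryption and
# decryption of slides 27-29 with the toy parameters p = 17, q = 11, e = 7,
# plus the factoring attack of slide 31 and the malleability behind the
# chosen-ciphertext attack listed there.
from math import gcd


def rsa_keygen(p, q, e):
    """Slide 27 key generation for given primes p, q and public exponent e.
    Returns (pk, sk) = ((n, e), (n, d)) with e*d = 1 (mod phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime to phi(n)")
    d = pow(e, -1, phi)             # extended Euclid under the hood
    return (n, e), (n, d)


def rsa_encrypt(pk, m):
    """E(m) = m^e mod n for 0 <= m < n (textbook RSA: no padding)."""
    n, e = pk
    if not 0 <= m < n:
        raise ValueError("message must be an element of Z_n")
    return pow(m, e, n)


def rsa_decrypt(sk, c):
    """D(c) = c^d mod n, computed by square-and-multiply inside pow."""
    n, d = sk
    return pow(c, d, n)


def roundtrip_all(p, q, e):
    """True iff D(E(m)) = m for every m in Z_n, units or not: x^(ed) = x holds
    mod p and mod q separately (Fermat), hence mod n by the CRT.  The slide's
    message 88 = 8*11 is not a unit mod 187 and still decrypts correctly."""
    pk, sk = rsa_keygen(p, q, e)
    return all(rsa_decrypt(sk, rsa_encrypt(pk, m)) == m for m in range(pk[0]))


def factor_semiprime(n):
    """Trial division: fine for the 187 of the example, hopeless at 2048 bits.
    Returns (p, q) with p <= q."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pk):
    """Slide 31: an adversary who factors n recomputes phi(n) and d."""
    n, e = pk
    p, q = factor_semiprime(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def forge_ciphertext(pk, c, r):
    """Textbook RSA is multiplicatively homomorphic:
    E(m) * E(r) = E(m * r) mod n.  An attacker holding c = E(m) can submit
    c' = c * E(r) to a decryption oracle, receive m*r mod n, and divide by r.
    This is why RSA is always deployed with padding (e.g. OAEP)."""
    n, _ = pk
    return c * rsa_encrypt(pk, r) % n


def unblind(pk, mr, r):
    """Recover m from m*r mod n using r^-1 mod n (requires gcd(r, n) = 1)."""
    n, _ = pk
    return mr * pow(r, -1, n) % n


if __name__ == "__main__":
    pk, sk = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(pk, 88)
    print(pk, sk, c, rsa_decrypt(sk, c))          # (187, 7) (187, 23) 11 88
    print(recover_private_key(pk))                 # (187, 23)
    mr = rsa_decrypt(sk, forge_ciphertext(pk, c, 5))
    print(mr, unblind(pk, mr, 5))                  # 66 88
```

`recover_private_key((187, 7))` returns `(187, 23)`, the secret key of SLIDE 28, which is the whole of the factoring attack once $p$ and $q$ are known. The forged ciphertext $c' = c \cdot 5^7 \bmod 187$ decrypts to $88 \cdot 5 \bmod 187 = 66$, and multiplying by $5^{-1} \bmod 187$ gives back 88: the oracle never saw $c$ itself, which is what makes unpadded RSA unusable against chosen-ciphertext adversaries.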

   

SLIDE 32

Integer Factorization

A difficult problem. More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a ciphertext encrypted with a modulus $n$ of 129 digits (428 bits). Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.
In 1991, RSA put forward more challenges (called RSA numbers), with prizes, to encourage research on factorization.

SLIDE 33

RSA Numbers

Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)
There are two labeling schemes:
  • by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
  • by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

SLIDE 34

RSA Numbers which have been factored

  RSA-100 (332 bits), 1991, 7 MIPS-year, Quadratic Sieve (QS)
  RSA-110 (365 bits), 1992, 75 MIPS-year, QS
  RSA-120 (398 bits), 1993, 830 MIPS-year, QS
  RSA-129 (428 bits), 1994, 5000 MIPS-year, QS
  RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS
  RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS
  RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS
  RSA-160 (530 bits), 2003, Lattice Sieve
  RSA-576 (174 digits), 2003, Lattice Sieve
  RSA-640 (193 digits), 2005, Lattice Sieve
  RSA-200 (663 bits), 2005, Lattice Sieve

SLIDE 35

RSA-200 =

27,997,833,911,221,327,870,829,467,638, 722,601,621,070,446,786,955,428,537,560, 009,929,326,128,400,107,609,345,671,052, 955,360,856,061,822,351,910,951,365,788, 637,105,954,482,006,576,775,098,580,557, 613,579,098,734,950,144,178,863,178,946, 295,187,237,869,221,823,983.

SLIDE 36

Remark

In light of current factorization technologies, RSA recommends using an $n$ of 1024-2048 bits.
(This reflects the state of the art when the slides were written. RSA-768 was factored in 2009, and current guidance such as NIST SP 800-131A disallows 1024-bit RSA moduli and treats 2048 bits as the minimum.)

SLIDE 37

Generating large primes

To set up an RSA cryptosystem, we need two large primes p and q.

SLIDE 38

How to generate a large prime number?

Generate a random odd number $n$ of the desired size. Test if $n$ is prime. If not, discard it and try a different number.
(By the prime number theorem, roughly one in $\ln n$ integers near $n$ is prime, so about $(\ln n)/2$ odd candidates are tried on average; the loop ends after $O(\log n)$ primality tests.)

SLIDE 39

Primality test: Is $n$ a prime?

Can it be solved in polynomial time? A long standing open problem until 2002.
AKS (Agrawal, Kayal, Saxena): $O(\log^{12} n)$. Later improved by others to $O(\log^{10.5} n)$, and then to $O(\log^{6} n)$.
In practice, Miller-Rabin's probabilistic algorithm is still the most popular: much faster, $O(\log^{3} n)$.

SLIDE 40

Miller-Rabin primality test: Is $n$ a prime?

Using some characteristic property of prime numbers: $n$ is prime $\iff$ for all $a$ with $2 \le a < n$, $a$ does not divide $n$.
Miller-Rabin's idea: look for some property $P(a)$ s.t.
  • $n$ is prime $\Rightarrow$ for all $a \in \mathbb{Z}_n^*$, $P(a) = \text{true}$;
  • $n$ not prime $\Rightarrow$ for at most a $1/k$ portion of the elements $a \in \mathbb{Z}_n^*$, $P(a) = \text{true}$.
Algorithm: Randomly pick $t$ elements $a \in \mathbb{Z}_n^*$. If $P(a)$ is true for all of them then return "prime" else return "composite".
A "prime" answer may be incorrect with probability at most $1/k^t$.

SLIDE 41

If $n$ is prime, then for all $a \in \mathbb{Z}_n^*$, $P(a)$ is true.

[Figure: all of $\mathbb{Z}_n^*$ shaded as $P(a) = \text{true}$.]

SLIDE 42

If $n$ is not prime, then there are elements $a \in \mathbb{Z}_n^*$ s.t. $P(a) = \text{false}$; such $a$ are called strong witnesses. Say, at most $1/k$ of $\mathbb{Z}_n^*$ are black ($P(a) = \text{true}$).

[Figure: $\mathbb{Z}_n^*$ with the region $P(a) = \text{true}$ shaded black, covering at most a $1/k$ fraction; the rest are strong witnesses.]

SLIDE 43

The property $P(a)$

Write $n - 1 = 2^k u$, where $u$ is odd. Consider the sequence $a^u, a^{2u}, a^{2^2 u}, \ldots, a^{2^{k-1} u}, a^{2^k u} = a^{n-1} \pmod n$.
Let $P(a)$: $a^u \equiv 1 \pmod n$, or $a^{2^i u} \equiv -1 \pmod n$ for some $i$, $0 \le i \le k-1$.

SLIDE 44

If $n$ is prime, then $P(a) = \text{true}$ for all $a \in \mathbb{Z}_n^*$.
If $n$ is an odd composite and not a prime power, then at most one half of the elements $a \in \mathbb{Z}_n^*$ are black (i.e., $P(a) = \text{true}$).
A composite number $n$ is a prime power if $n = p^e$ for some prime $p$ and integer $e \ge 2$; a perfect power if $n = k^e$ for some integer $k$ and $e \ge 2$.

SLIDE 45

Algorithm: Miller-Rabin primality test

Input: integer $n > 2$ and parameter $t$
Output: a decision as to whether $n$ is prime or composite
  1. if $n$ is even, return "composite"
  2. if $n$ is a perfect power, return "composite"
  3. for $i := 1$ to $t$ do
       choose a random integer $a$, $2 \le a \le n - 1$
       if $\gcd(a, n) \ne 1$, return "composite"
       if $a$ is a strong witness (i.e. $P(a)$ is false), return "composite"
  4. return "prime"

SLIDE 46

Analysis: Miller-Rabin primality test

If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct. The algorithm gives a wrong answer if $n$ is composite but the algorithm fails to find a strong witness in $t$ iterations. This may happen with probability at most $2^{-t}$. Actually, at most $4^{-t}$, by a more sophisticated analysis.
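Miller-Rabin as written on SLIDES 43 to 46, the random-prime loop of SLIDE 38 built on top of it, and a count of the black (non-witness) elements for a Carmichael number, as an added example (my own code, not the slides'; function names are my own). The `rng` parameter exists only so the test can make the random choice of $a$ deterministic; in real use the `secrets` default stays:

```python
# Added example (not from the slides): Miller-Rabin as written on slides
# 43-46, the random-prime loop of slide 38 built on it, and a count of the
# "black" (non-witness) elements for a Carmichael number to show the
# at-most-one-half bound of slide 44 in action.
import secrets
from math import gcd


def is_perfect_power(n):
    """Step 2 of the algorithm: is n = k^e for integers k >= 2, e >= 2?
    Only exponents up to log2(n) can work; the root is found by binary search."""
    for e in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // e + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            v = mid ** e
            if v == n:
                return True
            if v < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def passes_property(a, n):
    """P(a) from slide 43: write n - 1 = 2^k u with u odd; P(a) holds iff
    a^u = 1 or a^(2^i u) = -1 (mod n) for some 0 <= i < k.
    Returns False exactly when a is a strong witness that n is composite."""
    k, u = 0, n - 1
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n, t=40, rng=secrets.randbelow):
    """Slide 45: 'composite' answers are always right; a 'prime' answer is
    wrong with probability at most 4^-t (slide 46).  rng(m) must return a
    uniform integer in [0, m); the deterministic rng is for tests only."""
    if n < 2:
        return "composite"
    if n in (2, 3):
        return "prime"
    if n % 2 == 0 or is_perfect_power(n):
        return "composite"
    for _ in range(t):
        a = 2 + rng(n - 3)                # uniform in [2, n-2]
        if gcd(a, n) != 1:
            return "composite"
        if not passes_property(a, n):     # a is a strong witness
            return "composite"
    return "prime"


def random_prime(bits, t=40):
    """Slide 38: draw random odd numbers of the requested size until one
    passes Miller-Rabin.  The top bit is forced so the result has exactly
    `bits` bits."""
    if bits < 2:
        raise ValueError("need at least 2 bits")
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(n, t) == "prime":
            return n


def black_fraction(n):
    """Fraction of a in Z_n^* with P(a) true (the 'black' elements of
    slide 44).  For prime n this is 1; for odd non-prime-power composites
    it is at most 1/2, and the finer analysis gives at most 1/4."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    black = sum(1 for a in units if passes_property(a, n))
    return black / len(units)


if __name__ == "__main__":
    print(miller_rabin(187), miller_rabin(561), miller_rabin(1009))   # composite composite prime
    print(black_fraction(1009), black_fraction(561), black_fraction(187))
    p = random_prime(64)
    print(p, miller_rabin(p))
```

The Carmichael number $561 = 3 \cdot 11 \cdot 17$ passes the Fermat test $a^{560} \equiv 1$ for every unit $a$, so a Fermat-based test would call it prime; with $P(a)$ only 10 of the 320 units are black (`black_fraction(561)` is $10/320$), comfortably inside the $1/4$ bound, and for $187$ only $a = 1$ and $a = 186$ are. The perfect-power check in step 2 is what lets the one-half bound of SLIDE 44 apply to the remaining composites.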

 

 

SLIDE 47

Monte Carlo algorithms

A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer but sometimes the answer may be incorrect.
A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.
A $t$-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most $1/4^t$.

SLIDE 48

Las Vegas algorithms

A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer but never gives an incorrect one.
A Las Vegas algorithm can be converted into a Monte Carlo algorithm (return an arbitrary answer whenever it would otherwise fail).