Cryptography

Lecture 7: RSA, Primality Testing. Piotr Faliszewski.

Presentation Transcript


  1. Cryptography. Lecture 7: RSA, Primality Testing. Piotr Faliszewski

  2. Previous Class
     • Number theory
       • Euler’s phi function
     • RSA
       • Definition
       • Correctness
     • Quiz
       • Min = 14
       • Med = 21.75
       • Max = 30

  3. The RSA Algorithm
     • Alice
       • $m$ – message to Bob
       • $m < n$, otherwise cut $m$ in blocks
       • Receives the public key $(n, e)$ from Bob
       • Computes $c = m^e \pmod{n}$, sends it to Bob
     • Bob
       • $p, q$ large primes, $n = pq$
       • choose $e$ s.t. $\gcd(e, \varphi(pq)) = 1$
       • compute $d$ s.t. $de = 1 \pmod{\varphi(n)}$
       • Bob sends his public key $(n, e)$ to Alice
       • Bob decrypts the message: $m = c^d \pmod{n}$

  4. Security of RSA
     • How to attack RSA?
       • we have public key $(n, e)$
       • compute $\varphi(n)$ and get $d$
     • Easier said than done!!
       • If we have $n$ and $\varphi(n)$ then we can factor $n$
       • If we have $e$ and $d$ then we can factor $n$
     • (Photo: Adi Shamir)

  5. Attacks on RSA
     • Various attacks on RSA
       • known digits attack
       • low exponent attack
       • short plaintext attack
       • timing attack
       • factoring
     • (Photo: Len Adleman)

  6. Known Digits Attack
     • Theorem
       • $n = pq$ has $m$ digits
       • If we know the first or the last $m/4$ digits of either $p$ or $q$, then we can efficiently factor $n$
     • Theorem
       • $(n, e)$ – RSA public key
       • $n$ has $m$ digits, and we know the last $m/4$ digits of $d$
       • We can find $d$ in time linear in $e \log e$
     • Conclusion: need care about the choice of $p$ and $q$!

  7. Low Exponent Attack
     • Theorem
       • $p, q$ – RSA primes, $q < p < 2q$, $n = pq$
       • $1 \le d, e < \varphi(n)$
       • $de = 1 \pmod{\varphi(n)}$
       • If $d < \frac{1}{3} n^{1/4}$, then $d$ can be calculated quickly
     • Consequences
       • cannot optimize decryption via small exponents
       • how to choose good $d$’s?

  8. Short Plaintext Attack
     • Scenario
       • DES – symmetric cipher, used in the past
       • Two banks exchange DES keys over RSA
       • DES key $m$: 56 bits ($m < 2^{56} < 10^{17}$)
     • RSA encryption
       • $c = m^e \pmod{n}$
       • $m$ small, but $c$ will have many digits

  9. Short Plaintext Attack
     • $c = m^e \pmod{n}$, $m < 2^{56} < 10^{17}$
     • Eve prepares two lists:
       • $c\,x^{-e} \pmod{n}$, $1 \le x \le 10^9$
       • $y^e \pmod{n}$, $1 \le y \le 10^9$
     • If there is a match on the lists then
       • $c = (xy)^e \pmod{n}$
       • thus: $m = xy \pmod{n}$
     • If $m$ is a product of two numbers $< 10^9$ then this attack will succeed

  10. Short Plaintext Attack
     • Defense:
       • do not use short messages!
       • pad with random bits
       • Optimal Asymmetric Encryption Padding
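A toy-sized run of the two-list search from slides 8-10, showing why an unpadded short message is recoverable and why high padding bits defeat the search. This is an added example, not part of the lecture; the modulus, the bound (2^10 in place of 10^9) and both messages are constructed.

```python
# Added example: the two lists from slide 9 at toy scale.
# N, E, BOUND and the sample messages are constructed, not from the lecture.

P, Q = 2**31 - 1, 2**61 - 1      # two Mersenne primes (toy key, not secure)
N, E = P * Q, 65537
BOUND = 2**10                    # stands in for the slides' 10^9


def encrypt(m, e=E, n=N):
    """Unpadded RSA encryption, c = m^e (mod n)."""
    return pow(m, e, n)


def two_list_search(c, e, n, bound):
    """Return m if m = x*y with 1 <= x, y <= bound, otherwise None."""
    # Second list: y^e (mod n), stored as a dict so matching is O(1).
    table = {pow(y, e, n): y for y in range(1, bound + 1)}
    for x in range(1, bound + 1):
        # First list: c * x^(-e) (mod n); x < P, Q so x is invertible mod n.
        y = table.get(c * pow(x, -e, n) % n)
        if y is not None:
            return x * y % n     # c = (xy)^e, hence m = xy (mod n)
    return None


# A 20-bit "key" that happens to split into two factors below BOUND.
SHORT_KEY = 983 * 1019
# The same key with constructed high bits in front (real padding is random).
PADDED_KEY = (0x9E3779B97F4A7C15 << 20) | SHORT_KEY

if __name__ == "__main__":
    print(two_list_search(encrypt(SHORT_KEY), E, N, BOUND))    # key recovered
    print(two_list_search(encrypt(PADDED_KEY), E, N, BOUND))   # None
```

The work is about 2 × BOUND modular exponentiations instead of BOUND² trial encryptions, which is what makes the slides' 10^9 bound feasible against a 56-bit message.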

  11. Optimal Asymmetric Encryption Padding
     • $n$ – $k$ bits
     • $k_0, k_1$ – two numbers s.t. $k_0 + k_1 < k$
     • Message can have $k - k_0 - k_1$ bits
     • $r$ – random string of $k_0$ bits
     • $G$: $k_0 \to k - k_0$ (bits)
     • $H$: $k - k_0 \to k_0$ (bits)
     • The method
       • $x_1 = m0^{k_1} \oplus G(r)$
       • $x_2 = r \oplus H(x_1)$
       • The message is $x_1 x_2$
     • Bob decrypts and gets
       • $m0^{k_1} = x_1 \oplus G(H(x_1) \oplus x_2)$
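The padding from slide 11 written out at byte granularity, as an added example that is not part of the lecture and is not the PKCS #1 encoding. The sizes K, K0, K1 and the use of SHAKE-256 for G and H are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Sizes in bytes (constructed): k = 512 bits, k0 = k1 = 128 bits.
K, K0, K1 = 64, 16, 16
MSG_LEN = K - K0 - K1            # message can have k - k0 - k1 bits


def mask(tag, data, out_len):
    # Assumption: SHAKE-256 with a one-byte tag stands in for G and H.
    return hashlib.shake_256(tag + data).digest(out_len)


def G(r):
    return mask(b"G", r, K - K0)     # k0 bits -> k - k0 bits


def H(x1):
    return mask(b"H", x1, K0)        # k - k0 bits -> k0 bits


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def oaep_pad(m):
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    r = secrets.token_bytes(K0)          # fresh random string per message
    x1 = xor(m + bytes(K1), G(r))        # x1 = m 0^k1 XOR G(r)
    x2 = xor(r, H(x1))                   # x2 = r XOR H(x1)
    return x1 + x2                       # this block is what RSA encrypts


def oaep_unpad(block):
    if len(block) != K:
        raise ValueError("wrong block length")
    x1, x2 = block[:K - K0], block[K - K0:]
    r = xor(H(x1), x2)
    padded = xor(x1, G(r))               # m 0^k1 = x1 XOR G(H(x1) XOR x2)
    m, zeros = padded[:MSG_LEN], padded[MSG_LEN:]
    if not hmac.compare_digest(zeros, bytes(K1)):
        raise ValueError("padding check failed")
    return m
```

Padding the same message twice yields two different blocks, and the trailing zero bytes let the receiver reject a block that was modified in transit.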

  12. Timing Attack
     • Within RSA computation we do perform exponentiation
       • quick exponentiation procedure
       • multiplications occur for each bit of the exponent that is 1
       • these multiplications take "random" amounts of time (variation)
     • Very hard in practice!
     • Initiated a big discussion

  13. Exponentiation Algorithm
     • Goal: $y^d \pmod{n}$, where $d = b_1 b_2 \ldots b_w$ (in binary, left to right)
     • Algorithm
       1. $k = 1$, $s_1 = 1$
       2. if $b_k = 1$ then $r_k = s_k y \pmod{n}$, else $r_k = s_k$
       3. $s_{k+1} = r_k^2 \pmod{n}$
       4. if $k = w$, stop; else set $k$ to $k+1$, goto 2
       5. output $r_w$
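The algorithm from slide 13 with a counter on the data-dependent multiplications, which is the signal the timing attack on slide 12 relies on. This is an added example, not code from the lecture; the Montgomery ladder shown for contrast goes beyond the slides, and the modulus, base and exponents are constructed.

```python
# Added example: operation counts of the slide-13 algorithm vs. a ladder.

def slide_modexp(y, d, n):
    """Slide 13, for d >= 1. Returns (y^d mod n, multiplications by y)."""
    s, r, mults = 1, 1, 0
    for bit in bin(d)[2:]:           # b_1 ... b_w, left to right
        if bit == "1":
            r = s * y % n            # r_k = s_k * y, only when b_k = 1
            mults += 1
        else:
            r = s                    # r_k = s_k
        s = r * r % n                # s_{k+1} = r_k^2
    return r, mults


def ladder_modexp(y, d, n):
    """Montgomery ladder, for d >= 1: one multiply and one square per bit.

    Python integers are not constant-time; this only shows that the
    operation count no longer depends on how many bits of d are 1.
    """
    r0, r1, mults = 1, y % n, 0      # invariant: r1 = r0 * y (mod n)
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        mults += 1
    return r0, mults


# Constructed inputs: two 16-bit exponents with very different bit patterns.
N_TOY, Y = 61 * 53, 65
D_SPARSE = 0b1000000000000001       # two 1-bits
D_DENSE = 0b1111111111111111        # sixteen 1-bits

if __name__ == "__main__":
    for d in (D_SPARSE, D_DENSE):
        print(bin(d), slide_modexp(Y, d, N_TOY)[1], ladder_modexp(Y, d, N_TOY)[1])
```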

  14. Factoring and Primality Testing

  15. Factoring and Primality Testing
     • Factoring
       • Input: $n \in \mathbb{N}$
       • Output: nontrivial factor of $n$
     • Primality testing
       • Input: $n \in \mathbb{N}$
       • Output:
         • the number is composite
         • the number is probably prime
     • Is there a difference?
       • Yes! Primality testing is much easier!
       • You do not need to factor the number to see it is composite

  16. Factoring and Primality Testing
     • Primality testing
       • often need large primes
         • $n = pq$ in RSA
         • $p, q$ – large primes
       • there are many primes
         • $\pi(x) \approx x / \ln(x)$
         • to choose $p, q$: choose a number randomly and test if it is a prime
         • increase if composite
     • Factoring
       • security of RSA = hardness of factoring
       • quick factoring allows us to break RSA
       • studying factoring tells us how to choose $p$ and $q$ for RSA
         • so $pq$ is hard to factor

  17. Fermat’s Test
     • Fermat’s Theorem
       • If: $p$ – a prime number, $a$ – a number s.t. $p$ does not divide $a$
       • Then: $a^{p-1} = 1 \pmod{p}$
     • Fermat’s test:
       • $n$ – input
       • randomly choose $a$ s.t. $1 < a < n-1$
       • if $a^{n-1} = 1 \pmod{n}$ then probably prime
       • else certainly composite

  18. Fermat’s Test
     • Fermat’s test is only probabilistic
       • usually gives a good answer
       • can give a wrong one!
     • A composite number $n$ s.t. $a^{n-1} = 1 \pmod{n}$ is called pseudoprime for base $a$
     • Example
       • $2^{560} = 1 \pmod{561}$
       • $561 = 3 \cdot 11 \cdot 17$
     • But...
       • $3^{560} = 375 \pmod{561}$

  19. Miller-Rabin Test
     • Generalization of Fermat’s test
     • Principle
       • if $p$ is a prime then $x^2 = 1 \pmod{p}$ has only two solutions: $x = 1$ and $x = -1$
       • Why does the principle hold?
     • Gist of the MR test
       • find a number $b$ such that $b^2 = 1 \pmod{p}$
       • if $b \notin \{-1, 1\}$ then composite

  20. Miller-Rabin Test
     • MR( int n ):
         let $n - 1 = 2^k m$
         $a \leftarrow$ random in $\{2, 3, \ldots, n-2\}$
         $b_0 = a^m \pmod{n}$
         if $b_0 = \pm 1 \pmod{n}$ then declare prime
         for $j = 1$ to $k-1$ do
             $b_j = b_{j-1}^2 \pmod{n}$
             if $b_j = 1 \pmod{n}$ then declare composite
             if $b_j = -1 \pmod{n}$ then declare prime
         declare composite
     • Why does this work?
       • $b_0 = a^m \pmod{n}$
       • $b_1 = a^{2m} \pmod{n}$
       • $b_2 = a^{4m} \pmod{n}$
       • ...
       • $b_j = a^{2^j m} \pmod{n}$
       • ...
       • $b_{k-1} = a^{(n-1)/2} \pmod{n}$

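  21. Miller-Rabin Test: Examples
     • $n = 5 \cdot 7 \cdot 11 = 385$, $n - 1 = 384 = 2^7 \cdot 3$, $k = 7$, $m = 3$, $a = 9$
       • $b_0 = 9^3 = 344 \pmod{385}$
       • $b_1 = 9^{3 \cdot 2} = 141 \pmod{385}$
       • $b_2 = 9^{3 \cdot 2^2} = 246 \pmod{385}$
       • $b_3 = 9^{3 \cdot 2^3} = 71 \pmod{385}$
       • $b_4 = 9^{3 \cdot 2^4} = 36 \pmod{385}$
       • $b_5 = 9^{3 \cdot 2^5} = 141 \pmod{385}$
     • $n = 3 \cdot 11 \cdot 17 = 561$, $n - 1 = 560 = 2^4 \cdot 35$, $k = 4$, $m = 35$, $a = 2$
       • $b_0 = 2^{35} = 263 \pmod{561}$
       • $b_1 = 2^{35 \cdot 2} = 166 \pmod{561}$
       • $b_2 = 2^{35 \cdot 2^2} = 67 \pmod{561}$
       • $b_3 = 2^{35 \cdot 2^3} = 1 \pmod{561}$
     • Proof of compositeness!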

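  22. Miller-Rabin Test: Examples
     • $n = 401$, $n - 1 = 400 = 2^4 \cdot 25$, $k = 4$, $m = 25$, $a = 3$
       • $b_0 = 3^{25} = 268 \pmod{401}$
       • $b_1 = 3^{25 \cdot 2} = 45 \pmod{401}$
       • $b_2 = 3^{25 \cdot 2^2} = 20 \pmod{401}$
       • $b_3 = 3^{25 \cdot 2^3} = 400 \pmod{401} = -1 \pmod{401}$
     • $n = 401$, $n - 1 = 400 = 2^4 \cdot 25$, $k = 4$, $m = 25$, $a = 2$
       • $b_0 = 2^{25} = 356 \pmod{401}$
       • $b_1 = 2^{25 \cdot 2} = 20 \pmod{401}$
       • $b_2 = 2^{25 \cdot 2^2} = 400 \pmod{401}$
     • Evidence of primality!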

  23. Miller-Rabin Test
     • if $b_0 = \pm 1 \pmod{n}$
       • all $b_i$’s ($i > 0$) will be 1
       • can’t find nontrivial roots of 1
     • $i \in \{1, \ldots, k-1\}$
       • if $b_i = 1 \pmod{n}$ then
         • $b_{i-1}$ is neither 1 nor -1
         • $b_{i-1}^2 = 1 \pmod{n}$
         • we found a nontrivial root
       • if $b_i = -1 \pmod{n}$ then
         • $b_{i+1}$ through $b_k$ are all $1 \pmod{n}$
         • can’t find nontrivial roots of 1
     • Why does this work?
       • $b_0 = a^m \pmod{n}$
       • $b_1 = a^{2m} \pmod{n}$
       • $b_2 = a^{4m} \pmod{n}$
       • ...
       • $b_j = a^{2^j m} \pmod{n}$
       • ...
       • $b_{k-1} = a^{(n-1)/2} \pmod{n}$

  24. Miller-Rabin Test: Quality
     • MR test is probabilistic
     • Answer
       • composite – the number is certainly composite
       • prime – the number is prime with high probability
     • Errors
       • MR(n) says prime but $n$ is composite
       • $\Pr[\text{error}] \le \frac{1}{4}$
     • Repeat the test to downgrade the probability of error
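The MR(n) procedure from slide 20 as runnable code, returning the sequence b_0, b_1, ... so the worked examples on slides 21 and 22 can be reproduced, next to the Fermat test that 561 fools for base 2. This is an added example, not code from the lecture; the function names and the default of 40 rounds are assumptions.

```python
import random


def mr_round(n, a):
    """One run of the slides' MR(n) with base a, for odd n >= 5.

    Returns (verdict, [b_0, b_1, ...]) with verdict "prime" or "composite".
    """
    k, m = 0, n - 1
    while m % 2 == 0:                # write n - 1 = 2^k * m with m odd
        k, m = k + 1, m // 2
    b = pow(a, m, n)                 # b_0 = a^m (mod n)
    trace = [b]
    if b in (1, n - 1):              # b_0 = +-1 (mod n)
        return "prime", trace
    for _ in range(1, k):            # j = 1 .. k-1
        b = b * b % n                # b_j = b_{j-1}^2 (mod n)
        trace.append(b)
        if b == 1:                   # b_{j-1} was a nontrivial root of 1
            return "composite", trace
        if b == n - 1:
            return "prime", trace
    return "composite", trace


def fermat_round(n, a):
    """Fermat's test from slide 17 with base a."""
    return "prime" if pow(a, n - 1, n) == 1 else "composite"


def is_probable_prime(n, rounds=40):
    """Repeat MR with random bases; error bound (1/4)^rounds per slide 24."""
    if n < 5:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(mr_round(n, random.randrange(2, n - 1))[0] == "prime"
               for _ in range(rounds))


if __name__ == "__main__":
    print(fermat_round(561, 2), mr_round(561, 2))   # Fermat is fooled, MR is not
    print(mr_round(385, 9))
    print(mr_round(401, 3), mr_round(401, 2))
```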

  25. Other Primality Tests
     • Solovay-Strassen Test
       • similar in nature to MR
       • uses so-called Jacobi symbol
       • fast in practice
       • probabilistic
     • Deterministic test
       • Agrawal, Kayal, and Saxena 2002
       • extremely slow
     • Tests that prove primality
       • MR tests compositeness!
       • fairly slow
       • needed in very few cases
