Security of Number Theoretic Public Key Cryptosystems against Random Attack

1 / 23

# Security of Number Theoretic Public Key Cryptosystems against Random Attack - PowerPoint PPT Presentation

Security of Number Theoretic Public Key Cryptosystems against Random Attack Paper by: Rob Blakley and G.R. Blakley Presentation by: Jason Bourg Historical Aspect Paper written in 1978 Then 0 < log(p) < 19,937 4.3 x 10 6001 Now 0 < log(p) < 13,466,917 2 144000 = 2.0 x 10 43348

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## Security of Number Theoretic Public Key Cryptosystems against Random Attack

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Security of Number Theoretic Public Key Cryptosystems against Random Attack

Paper by: Rob Blakley and G.R. Blakley

Presentation by: Jason Bourg

Historical Aspect
• Paper written in 1978
• Then
• 0 < log(p) < 19,937
• 4.3 x 106001
• Now
• 0 < log(p) < 13,466,917
• 2144000 = 2.0 x 1043348
Overview
• Introduction
• The RSA number theoretic method
• The background in modular arithmetic
• Coding moduli which are products of distinct safe primes
• Complementarity properties of safe primes
Overview
• The directorate and the message receiver in an RSA public key cryptosystem
• The cryptanalyst and the sender in an RSA public key cryptosystem
• Summary
1. Introduction

Public Key Cryptosystems

• Concentrate on RSA
• Produce lists (c, d, m) of three positive integers where xcd = x mod(m) holds for every integer x
• c and d > 1 exist if and only if m is square free
• What is square free?
• A positive integer m is square free if and only if it is the product of distinct primes belonging to some finite set T of primes.
2. The RSA number theoretic method
• Same stuff we talked about in class
3. The background in modular arithmetic
• Let Y be a finite set of pairwise relatively prime positive integers. Let m be the product of the members of Y. Then cyc[x,m] = LCM {cyc[x,y] | y € Y}
• 9 lemma’s
• 6 theorem’s
• 3 corollary’s
4. Coding moduli which are products of distinct safe primes
• p – 1 and q – 1 should have large prime factors
• Safe primes
• p is safe if there is an odd prime a such that 2a + 1 = p
• 2 lemma’s
• 5 theorem’s
• 2 corollary’s
5. Complementarity properties of safe primes
• Suppose p and q are safe primes whose product is m
• Find one nontrivial pair x, e such that

xe = x mod(m) can factor m

• If x is small then e must be large, and conversely
• If the directorate chooses a width w > 2
• It allows every message receiver N to pick primes p(N) and q(N) at random such that

q < log(p(N)) < g + 1 < g + w / 2 < g + w < log(q(N)) < g + 3w / 2

6. cont.
• This guarantees that

2g < 2g + w < log(p(N)q(N)) < 2g + 2w

and

2p(N) < q(N)

• Whence random search for factors of m = p(N)q(N) new sqrt(m) becomes expensive if g gets large
6. cont.
• Assuming w > 2 the directorate will
• Choose at random an odd positive integer a such that g – 1 < log(a) < g + w / 2 – 1
• Form
• GCD (r ,a) and GCD (r, 2a+1) for every prime r <= u.
• GCD (a, (u-1)/2)

If either of these numbers is unequal to 1, forget a and return to step 1

6. cont.
• Test whether a and 2a+1 are both prime to all intents and purposes. If either is demonstrably composite, forget a and return to step 1.
• Choose at random an off positive integer b such that:

g + w – 1 < log(b) < g + 3w / 2 - 1

6. cont.
• Form
• GCD{r,b} and GCD{r,2b+1} for every prime r <= u.
• GCD{b, (u-1) / 2}

If any of these numbers is unequal to 1, forget b and return to step 4.

• Test whether b and 2b+1 are both prime to all intents and purposes. If either is demonstrably composite, forget b and return to step 4.
6. cont.
• Form
• GCD{a,b}
• GCD{a, 2b+1}
• GCD{2a+1,b}
• GCD{2a+1, 2b+1}

If any of these numbers is unequal to 1, forget a and b and return to step 1.

6. cont.
• Solve the six pairs of simultaneous linear congruences
• A  0 mod(2a + 1) and A  1 mod(2b + 1)
• B  1 mod(2a + 1) and B  0 mod(2b + 1)
• C  0 mod(2a + 1) and C  -1 mod(2b + 1)
• D  -1 mod(2a + 1) and D  0 mod(2b + 1)
• E  1 mod(2a + 1) and E  -1 mod(2b + 1)
• F  -1 mod(2a + 1) and F  1 mod(2b + 1)
6. cont.
• cont.
• Examine the Hollerith character typescripts which correspond to A, B, C, D, E, and F.
• If all six of these typescripts are hopeless gibberish, go on to step 9. Otherwise forget a and b and go back to step 1.
6. cont.
• Let
• p(N) = 2a + 1
• q(N) = 2b + 1
• m(N) = p(N)q(N) = (2a + 1)(2b + 1)
• a(p(N)) = a
• a(q(N)) = b
• v = 2ab
6. cont.
• The receiver N now knows that m(N) is square free if both p(N) and q(N) are square free.
• The receiver believes that the integers a(p(N)), a(q(N)), p(N), q(N) are all primes.
• This belief need not be correct.
6. cont.
• Solve the linear congruence ud  1 mod(v) for d.
• Call its smallest positive integer solution d(N)
• Send the list (N, m(N)) to the directorate for inclusion as a listing in the directory.
• Keep p(N), q(N), and d(N) secret.
• Eve needs to factor m….hard.
• Same as in class, nice and secure.
8. Summary
• RSA is strong because it is hard to factor m.
• Essential you pick your numbers correctly.
• These guys must have known what they were talking about since RSA is still strong today.

Questions?