Cryptography
Lecture 7: RSA, Primality Testing
Piotr Faliszewski
Previous Class
Number theory: Euler’s phi function
RSA: definition, correctness
Quiz: Min = 14, Med = 21.75, Max = 30
The RSA Algorithm
Alice:
m – message to Bob, m < n (otherwise cut m into blocks)
Receives the public key (n, e) from Bob
Computes $c = m^e \pmod{n}$ and sends it to Bob
Bob:
p, q – large primes, n = pq
chooses e s.t. $\gcd(e, \varphi(pq)) = 1$
computes d s.t. $de = 1 \pmod{\varphi(n)}$
Bob sends his public key (n, e) to Alice
Bob decrypts the message: $m = c^d \pmod{n}$
Security of RSA
How to attack RSA?
we have the public key (n, e): compute $\varphi(n)$ and get d
Easier said than done!!
If we have n and $\varphi(n)$ then we can factor n
If we have e and d then we can factor n
Adi Shamir
Attacks on RSA
Various attacks on RSA:
known digits attack
low exponent attack
short plaintext attack
timing attack
factoring
Len Adleman
Known Digits Attack
Theorem: n = pq has m digits. If we know the first or the last m/4 digits of either p or q, then we can efficiently factor n.
Theorem: (n, e) is an RSA public key, n has m digits, and we know the last m/4 digits of d. Then we can find d in time linear in e log e.
Conclusion: we need to take care in the choice of p and q!
Low Exponent Attack
Theorem: p, q – RSA primes, q < p < 2q, n = pq, $1 \le d, e < \varphi(n)$, $de = 1 \pmod{\varphi(n)}$. If $d < \frac{1}{3} n^{1/4}$, then d can be calculated quickly.
Consequences:
cannot optimize decryption via small exponents
how to choose good d’s?
Short Plaintext Attack
Scenario:
DES – symmetric cipher, used in the past
Two banks exchange DES keys over RSA
DES key m: 56 bits ($m < 2^{56} < 10^{17}$)
RSA encryption: $c = m^e \pmod{n}$
m small, but c will have many digits
Short Plaintext Attack
$c = m^e \pmod{n}$, $m < 2^{56} < 10^{17}$
Eve prepares two lists:
$c x^{-e} \pmod{n}$, $1 \le x \le 10^9$
$y^e \pmod{n}$, $1 \le y \le 10^9$
If there is a match between the lists then $c = (xy)^e \pmod{n}$, thus $m = xy \pmod{n}$
If m is a product of two numbers $< 10^9$ then this attack will succeed
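The two-list search above, as an added example (not part of the original slides) that shows why short unpadded messages are unsafe under textbook RSA. The key, the bound of 2^10 in place of 10^9, and the function names are constructed for the illustration.

```python
# Toy run of the short plaintext attack on unpadded ("textbook") RSA.
# All parameters are constructed for this example. Needs Python 3.8+
# for pow() with a negative exponent and a modulus.

def short_plaintext_attack(c, n, e, bound):
    """Return m if m = x*y with 1 <= x, y <= bound, otherwise None."""
    # Second list from the slide: y^e (mod n), stored for O(1) lookup.
    table = {pow(y, e, n): y for y in range(1, bound + 1)}
    # First list from the slide: c * x^(-e) (mod n). A hit means c = (x*y)^e.
    for x in range(1, bound + 1):
        y = table.get(c * pow(x, -e, n) % n)
        if y is not None:
            return x * y % n
    return None

P, Q = 2**31 - 1, 2**61 - 1   # two Mersenne primes: a toy key, not a secure one
N, E = P * Q, 65537
BOUND = 2**10                 # the slide uses 10^9 for a 56-bit DES key

def encrypt_raw(m):
    """Textbook RSA encryption with no padding."""
    return pow(m, E, N)

smooth_key = 937 * 1021       # 20-bit "session key" that splits into two small factors
prime_key = 65537             # prime larger than BOUND: no such split exists

if __name__ == "__main__":
    print(short_plaintext_attack(encrypt_raw(smooth_key), N, E, BOUND))
    print(short_plaintext_attack(encrypt_raw(prime_key), N, E, BOUND))
```

The search costs about 2 * BOUND modular exponentiations instead of BOUND^2 trial encryptions, which is what makes a 56-bit plaintext reachable with lists of size 10^9.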
Short Plaintext Attack
Defense:
do not use short messages!
pad with random bits
Optimal Asymmetric Encryption Padding
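Optimal Asymmetric Encryption Padding
n – k bits
$k_0$, $k_1$ – two numbers s.t. $k_0 + k_1 < k$
Message can have $k - k_0 - k_1$ bits
r – random string of $k_0$ bits
$G$: $k_0$ bits $\to$ $k - k_0$ bits
$H$: $k - k_0$ bits $\to$ $k_0$ bits
The method:
$x_1 = m\,0^{k_1} \oplus G(r)$
$x_2 = r \oplus H(x_1)$
The message is $x_1 x_2$ (concatenation)
Bob decrypts and gets
$m\,0^{k_1} = x_1 \oplus G(H(x_1) \oplus x_2)$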
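The padding and unpadding steps above, as an added example that is not part of the original slides; the RSA exponentiation of the padded block is left out. Assumptions: lengths are in bytes rather than bits, and G and H are built from SHAKE-256, which the lecture does not specify.

```python
import hashlib
import secrets

K, K0, K1 = 128, 32, 32   # lengths in bytes (assumed); the slide counts bits

def mask(tag, data, out_len):
    # Stand-in for the slide's G and H: SHAKE-256 with a domain-separation tag.
    return hashlib.shake_256(tag + data).digest(out_len)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m, r=None):
    """Build x1 || x2 from a message of exactly K - K0 - K1 bytes."""
    if len(m) != K - K0 - K1:
        raise ValueError("message must be k - k0 - k1 bytes long")
    r = secrets.token_bytes(K0) if r is None else r      # fresh random r
    x1 = xor(m + bytes(K1), mask(b"G", r, K - K0))       # x1 = m 0^k1 XOR G(r)
    x2 = xor(r, mask(b"H", x1, K0))                      # x2 = r XOR H(x1)
    return x1 + x2

def oaep_unpad(block):
    """Invert oaep_pad; reject blocks whose k1 redundancy bytes are not zero."""
    if len(block) != K:
        raise ValueError("block must be k bytes long")
    x1, x2 = block[:K - K0], block[K - K0:]
    r = xor(x2, mask(b"H", x1, K0))                      # r = H(x1) XOR x2
    padded = xor(x1, mask(b"G", r, K - K0))              # m 0^k1 = x1 XOR G(r)
    m, zeros = padded[:-K1], padded[-K1:]
    if not secrets.compare_digest(zeros, bytes(K1)):
        raise ValueError("invalid padding")
    return m

if __name__ == "__main__":
    key = secrets.token_bytes(K - K0 - K1)   # constructed 64-byte message
    a, b = oaep_pad(key), oaep_pad(key)
    print(a != b, oaep_unpad(a) == key)      # same message, different blocks
```

Because r is fresh for every call, the same short key never produces the same block twice, and the zero bytes let the receiver reject a modified block.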
Timing Attack
Within the RSA computation we perform exponentiation
quick exponentiation procedure
multiplications occur for each bit of the exponent that is 1
these multiplications take "random" amounts of time (variation)
Very hard in practice!
Initiated a big discussion
Exponentiation Algorithm
Goal: $y^d \pmod{n}$, $d = b_1 b_2 \ldots b_w$ (in binary, left-to-right)
Algorithm
1. $k = 1$, $s_1 = 1$
2. if $b_k = 1$ then $r_k = s_k y \pmod{n}$, else $r_k = s_k$
3. $s_{k+1} = r_k^2 \pmod{n}$
4. if $k = w$, stop; else set k to k+1, goto 2
5. output $r_w$
Factoring and Primality Testing
Factoring and Primality Testing
Factoring
Input: $n \in \mathbb{N}$
Output: nontrivial factor of n
Primality testing
Input: $n \in \mathbb{N}$
Output: the number is composite, or the number is probably prime
Is there a difference? Yes! Primality testing is much easier!
You do not need to factor the number to see it is composite
Factoring and Primality Testing
Primality testing
often need large primes: n = pq in RSA, p, q – large primes
there are many primes: $\pi(x) \approx x/\ln(x)$
to choose p, q – choose a number randomly and test if it is a prime; increase if composite
Factoring
security of RSA = hardness of factoring
quick factoring – allows us to break RSA
studying factoring – tells us how to choose p and q for RSA so pq is hard to factor
Fermat’s Test
Fermat’s test:
n – input
randomly choose a s.t. 1 < a < n-1
if $a^{n-1} = 1 \pmod{n}$ then probably prime, else certainly composite
Fermat’s Theorem
If: p – a prime number, a – a number s.t. p does not divide a
Then: $a^{p-1} = 1 \pmod{p}$
Fermat’s Test
Fermat’s test is only probabilistic
usually gives a good answer
can give a wrong one!
A composite number n s.t. $a^{n-1} = 1 \pmod{n}$ is called pseudoprime for base a
Example: $2^{560} = 1 \pmod{561}$, $561 = 3 \cdot 11 \cdot 17$
But... $3^{560} = 375 \pmod{561}$
Miller-Rabin Test
Generalization of Fermat’s test
Principle: if p is a prime then $x^2 = 1 \pmod{p}$ has only two solutions: x = 1 and x = -1
Why does the principle hold?
Gist of the MR test: find a number b such that $b^2 = 1 \pmod{p}$. If $b \notin \{-1, 1\}$ then composite
Miller-Rabin Test
MR( int n ):
  let $n - 1 = 2^k m$ (m odd)
  a random in {2, 3, ..., n-2}
  $b_0 = a^m \pmod{n}$
  if $b_0 = \pm 1 \pmod{n}$ then declare prime
  for j = 1 to k-1 do
    $b_j = b_{j-1}^2 \pmod{n}$
    if $b_j = 1 \pmod{n}$ then declare composite
    if $b_j = -1 \pmod{n}$ then declare prime
  declare composite
Why this works?
$b_0 = a^m \pmod{n}$
$b_1 = a^{2m} \pmod{n}$
$b_2 = a^{4m} \pmod{n}$
...
$b_j = a^{2^j m} \pmod{n}$
...
$b_{k-1} = a^{(n-1)/2} \pmod{n}$
Miller-Rabin Test: Examples
$n = 5 \cdot 7 \cdot 11 = 385$
$n - 1 = 384 = 2^7 \cdot 3$
k = 7, m = 3
a = 9
$b_0 = 9^3 = 344 \pmod{385}$
$b_1 = 9^{3 \cdot 2} = 141 \pmod{385}$
$b_2 = 9^{3 \cdot 2^2} = 246 \pmod{385}$
$b_3 = 9^{3 \cdot 2^3} = 71 \pmod{385}$
$b_4 = 9^{3 \cdot 2^4} = 36 \pmod{385}$
$b_5 = 9^{3 \cdot 2^5} = 141 \pmod{385}$
$n = 3 \cdot 11 \cdot 17 = 561$
$n - 1 = 560 = 2^4 \cdot 35$
k = 4, m = 35
a = 2
$b_0 = 2^{35} = 263 \pmod{561}$
$b_1 = 2^{35 \cdot 2} = 166 \pmod{561}$
$b_2 = 2^{35 \cdot 2^2} = 67 \pmod{561}$
$b_3 = 2^{35 \cdot 2^3} = 1 \pmod{561}$
Proof of compositeness!
Miller-Rabin Test: Examples
n = 401
$n - 1 = 400 = 2^4 \cdot 25$
k = 4, m = 25
a = 3
$b_0 = 3^{25} = 268 \pmod{401}$
$b_1 = 3^{25 \cdot 2} = 45 \pmod{401}$
$b_2 = 3^{25 \cdot 2^2} = 20 \pmod{401}$
$b_3 = 3^{25 \cdot 2^3} = 400 \pmod{401} = -1 \pmod{401}$
n = 401
$n - 1 = 400 = 2^4 \cdot 25$
k = 4, m = 25
a = 2
$b_0 = 2^{25} = 356 \pmod{401}$
$b_1 = 2^{25 \cdot 2} = 20 \pmod{401}$
$b_2 = 2^{25 \cdot 2^2} = 400 \pmod{401}$
Evidence of primality!
Miller-Rabin Test
if $b_0 = \pm 1 \pmod{n}$:
  all $b_i$’s (i > 0) will be 1
  can’t find nontrivial roots of 1
for $i \in \{1, \ldots, k-1\}$:
if $b_i = 1 \pmod{n}$ then
  $b_{i-1}$ is neither 1 nor -1
  $b_{i-1}^2 = 1 \pmod{n}$
  we found a nontrivial root
if $b_i = -1 \pmod{n}$ then
  $b_{i+1}$ through $b_k$ are all 1 (mod n)
  can’t find nontrivial roots of 1
Why this works?
$b_0 = a^m \pmod{n}$
$b_1 = a^{2m} \pmod{n}$
$b_2 = a^{4m} \pmod{n}$
...
$b_j = a^{2^j m} \pmod{n}$
...
$b_{k-1} = a^{(n-1)/2} \pmod{n}$
Miller-Rabin Test: Quality
MR test is probabilistic
Answer:
composite – the number is certainly composite
prime – the number is prime with high probability
Errors:
MR(n) says prime but n is composite
$\Pr[\text{error}] \le \frac{1}{4}$
Repeat the test to reduce the probability of error
Other Primality Tests
Solovay-Strassen Test
similar in nature to MR
uses so called Jacobi symbol
fast in practice
probabilistic
Deterministic test
Agrawal, Kayal, and Saxena, 2002
extremely slow
Tests that prove primality
MR tests compositeness!
fairly slow
needed in very few cases