number-theoretic algorithms (rsa and related...
TRANSCRIPT
p1.
Number-Theoretic Algorithms(RSA and related algorithms)
Chapter 31, CLRS book
p2.
Outline
• Modular arithmetic
• RSA encryption scheme
• Miller-Rabin algorithm (a probabilistic algorithm)
p3.
Modular Arithmetic
p4.
| : divides , is a divisor of .
gcd( , ): greatest common divisor of and .
Coprime or relatively prime: gcd( , ) 1.
Euclid's algorithm: compute gcd( , ).
Extented Eucli
Integers
a b a b a b
a b a b
a b
a b
d's algorithm: compute integers
and such that gcd( , ).x a b ay x y b
p5.
Let 2 be an integer.
Definition: is congruent to modulo , written
, if | ( ), i.e., and have the
same remainder when divided by .
mo
Note:
d
mo
Integers modulo
n
a b n
n a b a ba
n
b
a b
n
n
and are different.
Definition: [ ] : mod .
[ ] is called a residue class modulo , and is a
representative of that
d mo
class.
d
n
n
a x
n a
Z x a n
n
n
b
a a
p6.
There are exactly residue classes modulo :
[0], [1], [2], , [ 1].
If [ ], [ ], then [ ] and [ ].
Define addition and multiplication for residue classes:
[ ] [n
n n
n
x a y b x y a b x y a b
a
] [ ]
[ ] [ ] [ ].n
b a b
a b a b
p7.
A group, denoted by ( , ), is a set with a
binary operation such that
1. , , (closure)
1. ( ) ( ) (associativity)
2. s.t. , ( )
identi
3.
y
t
Group
G G
x y G x y
e
G
x y z x y z
e G x G x ex x
, s.t. ( )
A group ( , ) is if , , .
Examples:
invers
( , ), ( , ), ( \{0}, ), ( , ),
( \{0},
abel a
e
).
i n
x G y G x y y x
G x y G x y y x
Z Q Q R
R
e
p8.
Define [0], [1], ..., [ 1] .
Or, more conveniently, 0, 1, ..., 1 .
, forms an abelian group.
For ,
,
additiv
( ) mod . (Or, [ ] [ ] [ ] [ mod ].)
0 is
e
th
n
n
n
n
Z n
Z n
Z
a b Z
a b a b n a b a b a b n
10
e identity element.
The inverse of , denoted by , is .
When doing addition/substraction in , just do the regular
addition/substraction and reduce the result modulo .
In , 5
n
a a n a
Z
n
Z
5 9 4 6 2 8 3 ?
p9.
1
1
1
, is not a group, because 0 does not exist.
Even if we exclude 0 and consider only \ {0},
, is not necessarily a group; some may not exist.
For , exists if and on
n
n n
n
n
Z
Z Z
Z a
a Z a
ly if gcd( , ) 1.a n
p10.
*
1
Let : gcd( , ) 1 .
, is an abelian multiplicative group.
mod .
mod .
1 is the identity elemen
t.
The inverse of , written , can be computed by
n n
n
Z a Z a n
Z
a b ab n
a b ab n
a a
*
12
*
the
Extended Euclidean Algorithm.
For example, 1,5,7,
Q: How many e
11 . 5 7 35
lements ar
mod12 1
e there in ?
1.
n
Z
Z
p11.
*
1
Euler's totient function:
Fac
( )
= : and gcd( , ) 1
1. ( ) ( 1) for prime
2. ( ) ( ) ( ) if gc
ts:
d( , ) 1
n
n
e e
n Z
a a Z a n
p p p p
ab a b a b
p12.
*
| |
mod
Let be a (multiplicative) group.
Lagrange's theorem: For any element ,
Co
.
rollary: For any element ,
Euler's theorem:
If (for any
f
inite
1), the
.
n
G
m Gm
n
G
a G
a G
a Z
e
a
a
a
n
a
( ) *
* ( ) 1 *
1 in .
Fermat's little theorem:
If ( a prime), then 1 in .
n
n
p p
p p
Z
a Z p a a Z
p13.
*
15
*
15
*
15
( ) 8
816243240481
= 1, 2, 4, 7, 8, 11, 13, 14
(15) (3) (5) 2 4 8
: 1 2 4 7 8 11 13 14
ord( ) : 1 4 2 4 4 2 4 2
ord( ) : smallest integer such that 1.
1
13
?
Example: 15
k
n
Z
Z
a Z
a
a k a
a a
n
p14.
Algorithms
1
3
gcd ,
mod
mod
Running time: log
Here we assume , .
k
n
a b
a n
a n
O n
a b Z
p15.
Given 0, compute gcd( , ).
Theorem: If 0, gcd( , ) .
If 0, gcd( , ) gcd( , mod )
Euclid( , )
0
if
then
( ,
retur
)
Euclid's Algorithm
nn a b a b
b a b a
b a b b
a b Z
a b
a b
b
2
n( )
return Euclid( , mod )
The number of recursive calls to Euclid is (log ).
Computing mo
d takes (l
els
og
e
) .
a
b a b
O n
a b O n
15
p16.
Example: gcd(299,221)
Given 0, compute , such that gcd( , ) .
1 78
2 65
1 13
65 5 13 0
gcd(229,221) 13
299 221
221 78
78 65
78 65
78 221 78 78 2( 2 ) 3
21
3
?
Extended Euclidean Algorithm
a b x y d a b ax by
299 221) 221
299 221
( 1
3 4
p17.
Given 0, compute , , such that gcd( , ) .
Extende
if
d - Euclid( , )
0 t
return( ,1,0)
( , , ) Extended - Eucl
hen
els
e
i
Extended Euclidean Algorithm
a b d x y a b a b
a b
b
a
d x
d x y
y
d( , mod )
( , , ) , ,
return( , , )
b a b
d x y d y x a b y
d x y
p18.
If 0, gcd( , ) .
The returned answer is correct.
If ( , , ) is correct,
1 0
( ,1,0)
gcd( , mod ) ( mod )
gcd( , mod )
Correctness Proof
b a b a b
d x y
b a b d b x a b y
b a b d b x a a
a
b b y
a
gcd( , )
( , , ) , , is correct
a b a b
d x y d y x a
d y y
y
x a b
b
p19.
1
1 *
1
Compute in .
exists if and only if gcd( , ) 1.
Use extended Euclidean algorithm to find ,
such that gcd( , ) 1 (in )
mod
[ ]
?How to compute
na Z
a a n
x y
ax ny a n
a n
Z
a
1
[ ] [ ][ ] [1]
[ ][ ] [1] (since [ ] [0])
[ ] [ ].
Note: may omit [ ], but reduce everything modulo .
x n y
a x n
a x
n
p20.
1
1
1 *
47
Compute 15 mod 47.
Using extended Euclidean algorithm, we obtain
gcd(15,47) 1 15 47 7
15 mod 47 22
2
That is, 15 22 in
2
Example
Z
p21.
1 0
2
Comment: compute mod , where in binary.
1
for downto 0 do
mod
if 1 then mod
Algorithm: Square-and-Multiply( , , )
c
k k
i
x n c c c c
z
i k
z z n
c z z x n
x c n
22
22
if c i
retu
s even Note:
if is
rn (
o
)
dd
c
c
c
xx
x x
z
c
p22.
2
2
2
2
3
2
23 10111
1
11 mod 187 11 (square and multiply)
mod 187 121 (square)
11 mod 187 44 (square and multiply)
11 mod 187 165 (square and
11 mod187
mu
Example:
b
z
z z
z z
z z
z z
2
ltiply)
11 mod 187 88 (square and multiply)z z
p23.
RSA Encryption
p24.
mcE D
Bob Alice
m
Alice’s Alice’s
public key secret key
Public-key Encryption
plaintext encryption ciphertext decryption
algorithm algorithm
p25.
By ivest, hamir & dleman of MIT in 1977.
Best known and most widely used public-key scheme.
Based on the one-way property
of mo
R S
du
lar
powering:
A
assumed
The RSA Cryptosystem
1
: mod (easy)
: mod
In turn based on the hardness
(hard)
of integer factorization.
e
e
f x x n
f x x n
p26.
1
1
RSA
RSA
RSA
* *
Encryption (easy):
Decryption
It works in group . Let be
(hard):
Decryption (easy with "trapdoor"):
a messa
Lookin
ge
g
.
Idea behind RSA
e
n
e
e
n
x x
x x
x x
Z x Z
( ) 1 ( )
for a "trapdoor": ( ) .
If is a number such that 1mod ( ), then
( ) 1 for some , and
( ) 1 .
e
ke d n k
d
ed n
x x
d ed n
ed k n k
x x x x x x x
p27.
1
(a) Choose large primes and , and let : .
(b) Choose (1 ( )) coprime to ( ), and
compute : mod ( ). ( .)
(c) Public ke
Key generation:
1 mod ( )
RSA Cryptosystem
p q n pq
e e n n
d nn ede
*
*
y: . Secret key: .
( ) : mod , w
( , ) ( , )
here .
( ) : mod , where .
E
ncryption:
Decryptio
n:
e
pk n
d
sk n
E x x n x Z
D y y n y
pk n e sk n d
Z
p28.
Select two primes: 17, 11.
Compute the modulus 187.
Compute ( ) ( 1)( 1) 160.
Select between 0 and 160 such that gcd( ,160) 1.
Say 7.
Compute
RSA Example: Key Setup
p q
n pq
n p q
e e
e
d
1 1mod ( ) 7 mod160 23
(using extended Euclid's algorithm).
Public key: .
Secret ke
( ,
y:
) (7, 187)
( , ) (23 ., 7 18 )
pk e n
e
s n
n
k d
p29.
7
23
23
23
Suppose 88.
Encryption: mod 88 mod187 11.
Decryption: mod 11 mod187 88.
When computing 11 mod187, we first
compute 11 and
d
the
o
n
ot
n
RSA Example: Encryption & Decryption
e
d
m
c m n
m c n
reduce it modulo 187.
Rather, use , and reduce intermediate
results modulo 187 whenever they g
square-a
et bigge
nd-mult
r than
iply
187.
p30.
Attacks on RSA
p31.
There are many attacks on RSA:
brute-force key search
mathematical attacks
timing attacks
chosen ciphertext attack
s
The
m
ost important one is intege
Attacks on RSA
1
r factorization:
If the adversary can Then he can
calculate ( ) ( 1)( 1) and the secret key
m
factor into .
d ( ). o
n p q
n pq
d e n
p32.
A difficult problem.
More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a
ciphertext encrypted with a modulus of 129
Integer Factorization
n
digits (428 bits).
Prize: $100. RSA thought it would take quadrillion years
to break the code using fastest algorithms and computers
of that time. Solved in 1994.
In 1991, RSA put forw ard more challenges (called RSA numbers),
with prizes, to encourage research on factorization.
p33.
Each RSA number is a semiprime. (A number is
semiprime if it is the product of two primes.)
There are two labeling schemes.
by the number of decimal digits:
RSA-100, .
RSA Numbers
.., RSA-500, RSA-617.
by the number of bits:
RSA-576, 640, 704, 768, 896, , 1536, 210 .24 048
p34.
RSA-100 ( bits), 1991, 7 MIPS-year, Quadratic Sieve.
RSA-110 ( bits), 1992, 75 MIPS-year, QS.
RSA-120
332
365
3 ( bits), 1993, 830 MIPS-year, QS.
RSA-129
98
4(
RSA Numbers which have been factored
bits), 1994, 5000 MIPS-year, QS.
RSA-130 ( bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 ( bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 ( bits), 1999, 8000 MIPS-year, GNFS.
28
4
31
465
5
RSA-16
1
0 (
2
530
576
6
bits), 2003, Lattice Sieve.
RSA- (174 digits), 2003, Lattice Sieve.
RSA- (193 digits), 2005, Lattice Sieve.
RSA-200 ( bits), 2005, Lattice
40
663 Sieve.
p35.
RSA-200 =
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
p36.
In light of current factorization technologies,
RSA recommends using an of 1024-2048 bits.
Remark
n
p37.
Generating large primes
To set up an RSA cryptosystem,
we need two large primes p and q.
p38.
Generate a random odd number of desired size.
Test if is prime.
If not, discard it and try a different number.
How to generate a large prime number?
n
n
p39.
12
10.5
Can it be solved in polynomial time?
A long standing open problem until 2002.
AKS(Agrawal, Kayal, Saxena) : log .
Later improved by others to log ,
Primality test : Is a prime?
O n
O n
n
6
3
and then
to log .
In practice, Miller-Rabin's probabilistic algorithm is still
the most popular --- much faster, log .
O n
O n
p40.
Using some characteristic property of prime numbers:
is prime 2.. , does not divide .
Miller-Rabin's idea: look for some property ( ) s
Miller-Rabin primality test : Is a prime?
n a n a n
P a
n
*
*
*
.t.
is prime For , ( )
not prime For a portion of elements
, ( )
Algorithm: Randomly pick
a
elements
ll
at most 1
.
n
n
n
n a Z P a true
n
a Z P a true
k
t a Z
If ( ) is true for all of them then return
else return .
A "prime" answer may be incorrect with
prime
compos
probabilit
ite
y
1t
P a
k
p41.
*
nZ
*If is prime, then for all , ( ) is true.nn a Z P a
( )P a true
p42.
*
nZ
*
*
If is , then there are
which are elements s.t
not prime strong
.
Say, at most 1 of are
witnesse
bl .
,
a
s
( )
ck
n
n
P a faa ls
k Z
e
n
Z
( )P a true
p43.
2 1
2
2 2 2
Write 1 2 , where is odd.
1 mod Let ( )
1 mod for some , 0 1
Consider the sequence
, , , ,
r
o
The property ( )
i
k
k
u
u
u u u u
n u u
a nP a
a n i i k
a a a a
P a
p44.
*
If is prime, then ( ) for all .
If is an odd composite and not a prime power,
then of the elements are
black (i.e., ( ) ).
A composite num
at most one h
be
f
al
r
n
n
n P a true a Z
n
a Z
P a true
n
is a if
for some prime and integer 2; a
if
prime power
perfect power
for some integer and . 2 )
e
e
n p
p e
n k k e
p45.
Input: integer 2 and parameter
Output: a decision as to whether is prime or
if is even, return "composit
composite
1. e"
if is a per2
. fect
Algorithm: Miller-Rabin primality test
n t
n
n
n
power, return "composite"
for : 1 to do
choose a random integer , 2 1
if gcd( , ) 1, return "composite"
if is a strong witness, ret
3
urn "com
. i t
a a n
a n
a
posite"
return ("pri4. me")
p46.
If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answ
Analysis: Miller-Rabin primality test
er if is composite but
the algorithm fails to find a strong witness in iterations.
This may happen with probability at most 2 .
Actually, at most 4 , by a more sophisticated analysis.
t
t
n
t
p47.
A is a probabilistic algorithm
which always gives an answer
but sometimes the answer may be inco
Mo
rr
nte
ect.
Carlo a
A
lgorithm
Monte Carlo algorithm for a decisi
Monte Carlo algorithms
on problem is
if its “yes” answer is always correct but a “no” answer may
be incorrect with some error probability.
A -iteration Miller-Rabin is a “composite”-biased Mon
yes-bias
te Carl
ed
o
t
algorithm with error probability at most 1 4 .t
p48.
A is a probabilistic algorithm
which may sometimes fail to give an answer
but never gives an incorrect
Las Ve
one
gas algori
A Las Vegas algorithm can be conver
thm
Las Vegas algorithms
ted into a
Monte Carlo algorithm.