A. Jurišić: CACS 232 (University of Ljubljana)

The Jacobi symbol. For a nonnegative integer $a$ and an odd integer $n = \prod_{i=1}^{k} p_i^{e_i}$ the Jacobi symbol is defined by
$$\left(\frac{a}{n}\right) := \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.$$

An Euler pseudo-prime: $91 = 7 \cdot 13$ is composite, and yet there is an integer $a = 10$ for which
$$\left(\frac{10}{91}\right) = -1 \equiv 10^{45} \pmod{91}.$$

HW: Show that for an arbitrary composite number $n$, $n$ is an Euler pseudo-prime to the base $a$ for at most half of the integers $a$ from the interval $(0, n)$ (see Exercise 5.22).

A YES-biased Monte Carlo algorithm is a randomized algorithm for a decision problem (i.e., a YES/NO problem) in which a "YES" answer is always correct, while a "NO" answer may be incorrect.

The error probability of a YES-biased Monte Carlo algorithm is $\varepsilon$ if, for any instance in which the answer is "YES", the algorithm gives the (incorrect) answer "NO" with probability at most $\varepsilon$.

The Solovay-Strassen Algorithm (for the decision problem "is $n$ composite?")
1. Choose a random integer $a \in \mathbb{Z}_n$ and set $x := \left(\frac{a}{n}\right)$.
2. If $x = 0$ then return ("n is a composite number").
3. $y := a^{(n-1)/2} \bmod n$. If $x \equiv y \pmod{n}$ then return ("n is a prime"), else return ("n is a composite integer").

This is a YES-biased Monte Carlo algorithm with error probability $1/2$ (see Stinson, Problem 5.22).

Suppose that we have generated a random integer $n$ and tested it for primality using a Monte Carlo algorithm for the decision problem "is $n$ composite?", repeating the test $m$ times with random values $a$. The probability that the answer is incorrect every time is $\varepsilon^m$, but we cannot conclude from this that the probability that $n$ is prime equals $1 - \varepsilon^m$. Consider the events

A: "a random odd integer $n$ of a specified size is composite", and
B: "the algorithm answers 'n is a prime' $m$ times in succession".

Then we certainly have $P(B \mid A) \le \varepsilon^m$; however, the probability $P(A \mid B)$ is usually not the same.

Let $N \le n \le 2N$. By the Prime Number Theorem the number of primes in $[N, 2N]$ is
$$\frac{2N}{\log 2N} - \frac{N}{\log N} \approx \frac{N}{\log N} \approx \frac{n}{\log n},$$
so among the $N/2$ odd integers of that size a fraction of about $2/\log n$ is prime, and $P(A) \approx 1 - 2/\log n$. Bayes' rule states
$$P(A \mid B) = \frac{P(B \mid A)\,P(A)}{P(B)}.$$
Since $P(B) = P(B \mid A)P(A) + P(B \mid \bar A)P(\bar A)$ and $P(B \mid \bar A) = 1$, we have (with $\varepsilon = 1/2$)
$$P(A \mid B) = \frac{P(B \mid A)(\log n - 2)}{P(B \mid A)(\log n - 2) + 2} \le \frac{2^{-m}(\log n - 2)}{2^{-m}(\log n - 2) + 2} = \frac{\log n - 2}{\log n - 2 + 2^{m+1}},$$
which means that $P(A \mid B)$ tends to $0$ exponentially fast in $m$.

In short: for the Monte Carlo algorithm for the decision problem "is the integer composite?", we repeat the test $k$ times with distinct random values $a$, and the probability that the reply is incorrect every time is bounded by $\varepsilon^k$.

HW: Use the following theorem to show that we do not need the prime factorization of $n$ in order to calculate the Jacobi symbol.

The Gauss Theorem (The Law of Quadratic Reciprocity, 1796). Suppose $p$ and $q$ are distinct odd primes. Then
$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}},$$
and for the prime $2$
$$\left(\frac{2}{p}\right) = (-1)^{\frac{p^2-1}{8}}.$$

Why is this theorem so important? It enables us to decide when a quadratic congruence has a solution, since the multiplicative rule
$$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$$
holds. It is a surprising connection between primes (a rule that regulates primes).

The Eisenstein lemma. Let $p > 2$ be a prime and $q \in \mathbb{N}$ with $p \nmid q$. Set $A := \{2, 4, 6, \ldots, p-1\}$ and $r_a := qa \bmod p$ for $a \in A$. Then
$$\left(\frac{q}{p}\right) = (-1)^{\sum_{a \in A} r_a}.$$

Proof: For $a, a' \in A$, $a \ne a'$, we cannot have $r_a(-1)^{r_a} \equiv r_{a'}(-1)^{r_{a'}} \pmod p$, i.e., $qa \equiv \pm qa' \pmod p$, since in this case $a \equiv \pm a' \pmod p$, which is not possible (both are even and lie strictly between $0$ and $p$, so neither $a - a'$ nor $a + a'$ is a multiple of the odd prime $p$). Let us point out that all the integers $r_a(-1)^{r_a} \bmod p$ are even (for odd $r_a$ we get $p - r_a$), so they coincide with all the elements of the set $A$.

Therefore we have
$$\prod_{a \in A} a \equiv (-1)^{\sum_{a \in A} r_a} \prod_{a \in A} r_a \pmod p,$$
and directly from the definition also
$$\prod_{a \in A} r_a \equiv q^{\frac{p-1}{2}} \prod_{a \in A} a \pmod p.$$
It follows that $q^{\frac{p-1}{2}} \equiv (-1)^{\sum_{a \in A} r_a} \pmod p$, and by the Euler criterion also $\left(\frac{q}{p}\right) \equiv q^{\frac{p-1}{2}} \pmod p$.

Let us now present Eisenstein's proof of the Gauss law of quadratic reciprocity. Obviously we have
$$\sum_{a \in A} qa = p \sum_{a \in A} \left\lfloor \frac{qa}{p} \right\rfloor + \sum_{a \in A} r_a.$$
Since all the elements $a$ are even and $p$ is odd, we derive
$$\sum_{a \in A} r_a \equiv \sum_{a \in A} \left\lfloor \frac{qa}{p} \right\rfloor \pmod 2$$
and, by the Eisenstein lemma, also
$$\left(\frac{q}{p}\right) = (-1)^{\sum_{a \in A} \lfloor qa/p \rfloor}.$$

[Figure (only the labels survive the extraction): the rectangle with corners $A$, $D$, $B$ and auxiliary points $F$, $L$, $J$, $H$, $K$; the diagonal $AB$ is the line $y = (q/p)x$, and the lines $x = p/2$ and $y = q/2$ are drawn.]

The sum $\sum_{a \in A} \lfloor qa/p \rfloor$ is equal to the number of integer points with even x-coordinate that lie inside the triangle $ABD$. Let us now consider the points with x-coordinate greater than $p/2$. Since the integer $q - 1$ is even, the parity of the number of points with a given even x-coordinate $a$ under the diagonal $AB$ is equal to the parity of the number of points with the same x-coordinate above the diagonal $AB$. On the other hand, this is equal to the number of points under the diagonal $AB$ with the odd x-coordinate $p - a$ (a bijective correspondence between the points with even x-coordinate in $\triangle BHJ$ and the points with odd x-coordinate in $\triangle AHK$). Therefore the sum $\sum_{a \in A} \lfloor qa/p \rfloor$ has the same parity as the number $\mu$ of integer points inside $\triangle AHK$, i.e.,
$$\left(\frac{q}{p}\right) = (-1)^{\mu}.$$
If we exchange the roles of $p$ and $q$, we obtain the number $\nu$ of integer points inside $\triangle AHL$, which means
$$\left(\frac{p}{q}\right) = (-1)^{\nu},$$
and since $\mu + \nu$ counts all $\frac{p-1}{2}\cdot\frac{q-1}{2}$ integer points of the rectangle $AKHL$ (none lies on the diagonal, as $\gcd(p, q) = 1$), together with the previous relation we have proven the Gauss theorem.
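Added example (not from the lecture notes): the Jacobi symbol computed from the reciprocity rules above without factoring $n$, the Solovay-Strassen test built on it, and the Bayesian bound from the $P(A \mid B)$ slide. The bases and moduli in the test are constructed for the demonstration; the function names are my own.

```python
"""Jacobi symbol via quadratic reciprocity, the Solovay-Strassen test and the
posterior bound for 'n composite after m passes'.  Added example, not from the
lecture notes; it relies only on the definitions on the slides."""
import math
import random


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n.

    Uses (2/n) = (-1)^((n^2-1)/8), i.e. -1 iff n ≡ 3, 5 (mod 8), and the law of
    quadratic reciprocity (a/n)(n/a) = (-1)^((a-1)/2 * (n-1)/2) for odd a, n.
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                 # pull the factors of 2 out of a
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: swap the arguments ...
        if a % 4 == 3 and n % 4 == 3:     # ... with a sign change iff both ≡ 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0        # n > 1 here means gcd(a, n) > 1


def is_euler_pseudoprime(n: int, a: int) -> bool:
    """Euler criterion a^((n-1)/2) ≡ (a/n) (mod n): always true for prime n;
    for composite n the bases that satisfy it are the 'Euler liars'."""
    x = jacobi(a, n)
    return x != 0 and pow(a, (n - 1) // 2, n) == x % n


def solovay_strassen(n: int, rounds: int = 20, seed: int = 1) -> bool:
    """YES-biased Monte Carlo test for 'n is composite'.

    Returns False ('composite', never wrong) as soon as a witness is found and
    True ('probably prime') otherwise; the latter is wrong with probability at
    most 2^-rounds, because at most half of the bases are liars."""
    if n < 2 or n % 2 == 0:
        return n == 2
    rng = random.Random(seed)             # fixed seed only to keep the demo reproducible
    for _ in range(rounds):
        a = rng.randrange(1, n)
        if not is_euler_pseudoprime(n, a):
            return False
    return True


def euler_liars(n: int) -> list:
    """All bases a in (0, n) to which the composite n is an Euler pseudoprime."""
    return [a for a in range(1, n) if is_euler_pseudoprime(n, a)]


def posterior_composite_bound(n: int, m: int) -> float:
    """After m independent 'prime' answers (error 1/2 each) for a random odd n:
    P(n composite | m passes) <= (ln n - 2) / (ln n - 2 + 2^(m+1))."""
    L = math.log(n) - 2
    return L / (L + 2 ** (m + 1))
```

For $n = 91$ the enumeration gives 18 liars among the 90 bases, well under the "at most half" bound of the homework, and base 10 is one of them; a 20-round run of the test with random bases still rejects 91 immediately.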
Another Monte Carlo algorithm for testing whether an integer is composite.

Miller-Rabin Test: we test an odd integer $n$.
1. Write $n - 1 = 2^k m$, where $m$ is an odd integer,
2. choose a random integer $a \in (0, n)$,
3. calculate $b \equiv a^m \pmod n$,
4. if $b \equiv 1 \pmod n$ then exit("n is a prime"),
5. for $i = 0$ to $k - 1$ do: if $b \equiv -1 \pmod n$ then exit("n is a prime"), else $b := b^2 \bmod n$,
6. exit("n is composite").

Why the answer "composite" is always correct: suppose $n$ is prime and the algorithm answers "composite", i.e., $a^m \not\equiv 1$ and $a^{2^i m} \not\equiv -1 \pmod n$ for all $0 \le i \le k - 1$. By Fermat, $a^{2^k m} = a^{n-1} \equiv 1 \pmod n$. From $x^2 \equiv 1 \pmod n$, i.e., $n \mid x^2 - 1 = (x-1)(x+1)$, it follows for prime $n$ that $x \equiv 1$ or $x \equiv -1 \pmod n$; in our case this gives $a^{2^{k-1} m} \equiv 1 \pmod n$. In the same way we obtain, step by step, $a^m \equiv 1 \pmod n$, which is a contradiction, since the algorithm would then reply "n is prime".

Let us conclude, without the proof, that the error probability of the Miller-Rabin algorithm is $1/4$.

Attacks on RSA

An excellent survey paper, "Twenty Years of Attacks on the RSA Cryptosystem" by Dan Boneh, was published in the Notices of the AMS, Feb. 1999, pp. 203-212. We will mention only a few basic attacks.

If one knows $\varphi(n)$ and $n$, then $p$ and $q$ can be obtained from the system of equations
$$n = pq \quad\text{and}\quad \varphi(n) = (p-1)(q-1)$$
(eliminating $q$ gives $p + q = n - \varphi(n) + 1$, so $p$ and $q$ are the roots of $t^2 - (n - \varphi(n) + 1)t + n = 0$).

Decryption exponent of the RSA cryptosystem

Proposition: An algorithm $A$ which can find the decryption exponent $d$ can be used as a subroutine in a probabilistic algorithm that factors $n$. This implies that finding the decryption exponent is not easier than the factorization problem.

Warning: if $d$ is compromised ("lost"), then besides the encryption exponent we also have to replace the modulus $n$ by a new one, since $d$ reveals the factorization of $n$.

Let $\varepsilon \in [0, 1)$.
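Added example (not from the lecture notes): the Miller-Rabin round exactly as listed above, the repeated test, and an enumeration of the "strong liars" of a composite $n$ that makes the $1/4$ bound visible. The numbers 91 and 561 in the test are chosen for the demonstration; function names are my own.

```python
"""Miller-Rabin as on the slide, plus enumeration of strong liars.
Added example, not from the lecture notes."""
import random


def miller_rabin_round(n: int, a: int) -> bool:
    """One round with base a: True means 'n is (probably) prime',
    False means 'n is composite' and is never wrong."""
    k, m = 0, n - 1
    while m % 2 == 0:                     # n - 1 = 2^k * m with m odd
        m //= 2
        k += 1
    b = pow(a, m, n)
    if b == 1:
        return True
    for _ in range(k):
        if b == n - 1:                    # a^(2^i m) ≡ -1 (mod n)
            return True
        b = b * b % n
    return False


def miller_rabin(n: int, rounds: int = 20, seed: int = 1) -> bool:
    """Independent random bases: a composite n survives one round with
    probability at most 1/4, hence all rounds with probability <= 4^-rounds."""
    if n < 2 or n % 2 == 0:
        return n == 2
    rng = random.Random(seed)             # fixed seed only for reproducibility
    return all(miller_rabin_round(n, rng.randrange(1, n)) for _ in range(rounds))


def strong_liars(n: int) -> list:
    """Bases a in (0, n) for which the composite n passes one round."""
    return [a for a in range(1, n) if miller_rabin_round(n, a)]


def first_witness(n: int):
    """Smallest base exposing the composite n (None if n is prime)."""
    return next((a for a in range(2, n) if not miller_rabin_round(n, a)), None)
```

For the Carmichael number $561 = 3 \cdot 11 \cdot 17$ every base coprime to $n$ passes the Fermat test, but only 10 of the 560 bases are strong liars, and $a = 2$ already exposes it; for $91$ the 18 strong liars are exactly the Euler liars of the previous slides, in line with the $\le (n-1)/4$ bound.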
A Las Vegas algorithm is a probabilistic algorithm which may fail to give an answer with probability $\varepsilon$ (so it can stop with the message "no answer"); however, if the algorithm does give an answer, then the answer must be correct.

HW: Show that the expected number of runs of the algorithm until we obtain an answer equals $1/(1 - \varepsilon)$ (see Stinson, Problem 5.23).

If a Las Vegas algorithm fails to factor an integer $n$ with probability at most $\varepsilon$ per run and we repeat it $m$ times, then the integer $n$ will be factored with probability at least $1 - \varepsilon^m$.

The statement (the proposition about the decryption exponent) follows from the following facts. For $n = pq$, where $p$ and $q$ are odd primes, the congruence $x^2 \equiv 1 \pmod n$, i.e., $pq \mid (x-1)(x+1)$, has four solutions: two trivial ones, $x \equiv 1 \pmod n$ and $x \equiv -1 \pmod n$, and two more, obtained by the CRT from
$$x \equiv 1 \pmod p,\ x \equiv -1 \pmod q \quad\text{and}\quad x \equiv -1 \pmod p,\ x \equiv 1 \pmod q.$$
A nontrivial square root $x$ of $1$ yields a factor, since $n \mid (x-1)(x+1)$ but $n \nmid x - 1$ and $n \nmid x + 1$, so $\gcd(x + 1, n) \in \{p, q\}$. The more difficult part is to prove that the algorithm succeeds with probability $\ge 1/2$.

Factoring algorithm, given the decryption exponent $d$ (through the algorithm $A$):
1. choose an integer $w$ at random with $0 < w < n$,
2. calculate $x = \gcd(w, n)$,
3. if $1 < x < n$ then exit(success: $x = p$ or $x = q$),
4. calculate $d = A(e, n)$ and write $de - 1 = 2^s r$, $r$ odd,
5. calculate $v = w^r \bmod n$,
6. if $v \equiv 1 \pmod n$ then exit(failure),
7. while $v \not\equiv 1 \pmod n$ do: $v_0 := v$, $v := v^2 \bmod n$,
8. if $v_0 \equiv -1 \pmod n$ then exit(failure), else calculate $x = \gcd(v_0 + 1, n)$ (success: $x = p$ or $x = q$).

(The loop in step 7 terminates because $v^{2^s} = w^{de-1} \equiv 1 \pmod n$; when it stops, $v_0$ is a square root of $1$ different from $1$.)

Random errors (Boneh, DeMillo and Lipton, 1997). If RSA signing is done with the CRT and an error occurs only in the calculation of one of $C_p$ and $C_q$, for example $C_p$ is correct while $\hat C_q$ is not, then $\hat C = t_p C_p + t_q \hat C_q$ (with $t_p$, $t_q$ the CRT coefficients) is obviously an incorrect signature, since $\hat C^e \ne m \bmod n$.
However, $\hat C^e \equiv m \pmod p$, while $\hat C^e \not\equiv m \pmod q$, and $\gcd(n, \hat C^e - m)$ reveals a nontrivial factor of $n$.

The Rabin Cryptosystem

It is based on the difficulty of factoring the product of two big primes. Let
$$n = pq,\quad p \ne q,\quad p, q \equiv 3 \pmod 4,\qquad \mathcal P = \mathcal C = \mathbb Z_n,\qquad \mathcal K = \{(n, p, q, B) : 0 \le B \le n-1\}.$$
For a chosen key $K = (n, p, q, B)$ define
$$e_K(x) = x(x + B) \bmod n,\qquad d_K(y) = \sqrt{y + B^2/4} - B/2 \pmod n$$
(division by $2$ and $4$ means multiplication by their inverses modulo $n$). The public key is $(n, B)$, while the private key is $(p, q)$.

Proposition: Let $\omega$ be a nontrivial root of $\omega^2 \equiv 1 \pmod n$ (the congruence has 4 solutions: $1$, $-1$ and two nontrivial ones). For $x \in \mathbb Z_n$ we have
$$e_K\bigl(\omega(x + B/2) - B/2\bigr) = e_K(x).$$
So there are 4 plaintexts that correspond to the ciphertext $e_K(x)$:
$$x,\quad -x - B,\quad \omega\left(x + \frac B2\right) - \frac B2 \quad\text{and}\quad -\omega\left(x + \frac B2\right) - \frac B2.$$
In general we cannot determine which one is the correct one.

Decryption. For a given ciphertext $y$ we search for $x$ such that $x^2 + Bx \equiv y \pmod n$. Simplify by substituting $x = x_1 - B/2$:
$$x_1^2 \equiv y + B^2/4 \pmod n.$$
Set $C = y + B^2/4$ and search for a square root of $C$, i.e., solve the equation $x_1^2 \equiv C \pmod n$. This is equivalent to the system
$$x_1^2 \equiv C \pmod p,\qquad x_1^2 \equiv C \pmod q.$$
By Euler's criterion $C^{(p-1)/2} \equiv 1 \pmod p$, and since we assumed $p \equiv 3 \pmod 4$,
$$\bigl(\pm C^{(p+1)/4}\bigr)^2 = C^{(p+1)/2} = C \cdot C^{(p-1)/2} \equiv C \pmod p,$$
so the roots of the first congruence are $x_{1,2} = \pm C^{(p+1)/4} \bmod p$, while the roots of the second one are $x_{3,4} = \pm C^{(q+1)/4} \bmod q$. Combining a root modulo $p$ with a root modulo $q$ by the CRT gives the four solutions modulo $n$.

Remark: For $p \equiv 1 \pmod 4$ there is no known polynomial-time deterministic algorithm to compute square roots of a quadratic residue mod $p$ (but there is a polynomial-time Las Vegas algorithm).
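Added example (not from the lecture notes) covering three of the RSA attacks above on one toy key: recovering $p, q$ from $\varphi(n)$, the Las Vegas factoring algorithm given $d$, and the Boneh-DeMillo-Lipton fault attack on CRT signing. The primes $10007$ and $10009$ and the message are constructed for the demonstration and are far too small for real use; function names are my own.

```python
"""RSA attacks from the slides on a constructed toy key: factor from phi(n),
factor from d (Las Vegas), and the CRT fault attack.  Added example."""
import math
import random

P, Q = 10007, 10009                      # constructed toy primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                      # decryption exponent (Python >= 3.8)


def factor_from_phi(n: int, phi: int) -> tuple:
    """p + q = n - phi + 1 and pq = n: p, q are the roots of t^2 - (n-phi+1)t + n."""
    s = n - phi + 1
    disc = math.isqrt(s * s - 4 * n)
    p, q = (s - disc) // 2, (s + disc) // 2
    assert p * q == n
    return p, q


def factor_from_d(n: int, e: int, d: int, seed: int = 1, tries: int = 64):
    """The algorithm of the 'given d' slide; each run succeeds with
    probability >= 1/2, so we simply repeat it with fresh random w."""
    rng = random.Random(seed)            # fixed seed only for reproducibility
    r, s = d * e - 1, 0
    while r % 2 == 0:                    # de - 1 = 2^s r, r odd
        r //= 2
        s += 1
    for _ in range(tries):
        w = rng.randrange(1, n)
        x = math.gcd(w, n)
        if 1 < x < n:                    # lucky: w already shares a factor
            return x
        v = pow(w, r, n)
        if v == 1:
            continue                     # failure for this w
        while v != 1:                    # square until we reach 1 ...
            v0, v = v, v * v % n
        if v0 == n - 1:
            continue                     # ... through the trivial root -1: failure
        return math.gcd(v0 + 1, n)       # v0 is a nontrivial square root of 1


def crt_sign(m: int, p: int, q: int, d: int, fault_in_q: bool = False) -> int:
    """m^d mod n via the CRT.  fault_in_q=True simulates an error in the mod-q
    half only (Boneh-DeMillo-Lipton model); the mod-p half stays correct."""
    n = p * q
    c_p = pow(m, d % (p - 1), p)
    c_q = pow(m, d % (q - 1), q)
    if fault_in_q:
        c_q = (c_q + 1) % q              # one corrupted half-computation
    t_p = q * pow(q, -1, p)              # CRT coefficients: t_p ≡ 1 (p), ≡ 0 (q)
    t_q = p * pow(p, -1, q)
    return (t_p * c_p + t_q * c_q) % n


def factor_from_faulty_signature(n: int, e: int, m: int, sig: int) -> int:
    """sig^e ≡ m holds only modulo the prime whose half was computed correctly,
    so gcd(n, sig^e - m) is that prime."""
    return math.gcd(n, (pow(sig, e, n) - m) % n)
```

The fault attack needs only the public key, the message and the one bad signature, which is why CRT implementations verify the signature before releasing it.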
Example: $n = 77 = 7 \cdot 11$, $B = 9$, so
$$e_K(x) = x^2 + 9x \bmod 77,\qquad d_K(y) = \sqrt{y + B^2/4} - B/2 = \sqrt{y + 1} - 43 \pmod{77}$$
(since $B/2 = 9 \cdot 2^{-1} = 9 \cdot 39 \equiv 43$ and $B^2/4 = 43^2 \equiv 1 \pmod{77}$). The ciphertext: $y = 22$. We need to find the solutions of
$$x^2 \equiv 23 \pmod 7\ \ (x \equiv \pm 4 \pmod 7),\qquad x^2 \equiv 23 \pmod{11}\ \ (x \equiv \pm 1 \pmod{11}).$$
We obtain four systems of two congruences, e.g. $x \equiv 4 \pmod 7$, $x \equiv 1 \pmod{11}$. By the CRT,
$$x = 4 \cdot 11 \cdot (11^{-1} \bmod 7) + 1 \cdot 7 \cdot (7^{-1} \bmod 11) = 4 \cdot 11 \cdot 2 + 1 \cdot 7 \cdot 8 = 144 \equiv 67 \pmod{77}.$$
All solutions are
$$x_1 \equiv 67,\quad x_2 \equiv 10,\quad x_3 \equiv 32,\quad x_4 \equiv -32 \equiv 45 \pmod{77}.$$
The deciphered texts are
$$d_K(y) = 67 - 43 \bmod 77 = 24,\quad 32 - 43 \bmod 77 = 66,\quad 10 - 43 \bmod 77 = 44,\quad 45 - 43 \bmod 77 = 2,$$
and all four plaintexts encrypt to $22$.

Security of the Rabin Cryptosystem

A hypothetical decryption algorithm $A$ for the Rabin cryptosystem can be used as a subroutine in a Las Vegas algorithm that factors the integer $n$ with probability at least $1/2$:
1. choose a random $r \in (0, n)$,
2. compute $y := r^2 - B^2/4 \bmod n$ (so that $y = e_K(r - B/2)$),
3. $x := A(y)$,
4. $x_1 := x + B/2$ (then $x_1^2 \equiv r^2 \pmod n$),
5. if $x_1 \equiv \pm r \pmod n$ then quit(failure), else ($x_1 \equiv \pm \omega r \pmod n$, where $\omega \not\equiv \pm 1$ is a nontrivial root of $\omega^2 \equiv 1 \pmod n$) $\gcd(x_1 + r, n) = p$ (or $q$).

In the last case $n \mid (x_1 - r)(x_1 + r)$; however, $n \nmid (x_1 - r)$ and $n \nmid (x_1 + r)$, so $\gcd(x_1 + r, n) \ne 1$ and $\ne n$.

The probability of success in one step: for $r_1, r_2 \ne 0$ define $r_1 \sim r_2 \iff r_1^2 \equiv r_2^2 \pmod n$. This is an equivalence relation, and for $r$ coprime to $n$ (if $\gcd(r, n) > 1$ we already have a factor) the equivalence classes in $\mathbb Z_n \setminus \{0\}$ have 4 elements: $[r] = \{\pm r, \pm \omega r\}$. Each element of $[r]$ gives the same value $y$, so the subroutine $A$, which sees only $y$, returns some $x_1 \in [r]$. If $x_1 = \pm r$ the algorithm fails, while it succeeds if $x_1 = \pm \omega r$. When we choose $r$ randomly, each of these possibilities is equally probable, so the probability of success is $1/2$.
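Added example (not from the lecture notes): the Rabin cryptosystem on the slides' parameters $n = 77$, $B = 9$, the four-root decryption with $\pm C^{(p+1)/4}$, and the reduction from a decryption oracle to factoring run over every $r$. The oracle is simulated with the private key, as the proof assumes; function names are my own.

```python
"""Rabin encryption/decryption and the 'decryption oracle => factoring'
reduction.  Added example, not from the lecture notes."""
import math


def crt(a: int, p: int, b: int, q: int) -> int:
    """x ≡ a (mod p), x ≡ b (mod q) for coprime p, q."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def rabin_encrypt(x: int, n: int, B: int) -> int:
    return x * (x + B) % n


def rabin_decrypt(y: int, p: int, q: int, B: int) -> set:
    """All (up to four) plaintexts of y.  Needs p ≡ q ≡ 3 (mod 4), so that
    ±C^((p+1)/4) are the square roots of the residue C modulo p."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    half_B = B * pow(2, -1, n) % n               # B/2 in Z_n
    C = (y + half_B * half_B) % n                # y + B^2/4 = (x + B/2)^2
    rp, rq = pow(C, (p + 1) // 4, p), pow(C, (q + 1) // 4, q)
    roots = set()
    for sp in (rp, (-rp) % p):
        for sq in (rq, (-rq) % q):
            x1 = crt(sp, p, sq, q)
            roots.add((x1 - half_B) % n)
    # keep only genuine preimages (rejects y that is not a valid ciphertext)
    return {x for x in roots if rabin_encrypt(x, n, B) == y}


def factor_with_decryption_oracle(n: int, B: int, oracle, r: int):
    """One Las Vegas step of the reduction with the random choice r.
    Succeeds iff the oracle's root x1 is ±(omega r) rather than ±r."""
    half_B = B * pow(2, -1, n) % n
    y = (r * r - half_B * half_B) % n            # y = e_K(r - B/2)
    x1 = (oracle(y) + half_B) % n                # x1^2 ≡ r^2 (mod n)
    if x1 in (r % n, (-r) % n):
        return None
    g = math.gcd(x1 + r, n)
    return g if 1 < g < n else None


def demo_oracle_attack(p: int, q: int, B: int) -> tuple:
    """Run the reduction for every r in (0, n) against an oracle that always
    returns the smallest plaintext; returns (successes, factors found)."""
    n = p * q
    oracle = lambda y: min(rabin_decrypt(y, p, q, B))
    found = [factor_with_decryption_oracle(n, B, oracle, r) for r in range(1, n)]
    hits = [g for g in found if g is not None]
    return len(hits), set(hits)
```

With $n = 77$ the step succeeds for exactly 30 of the 76 values of $r$: half of the 60 units (as the counting argument predicts), and never for the 16 non-units, whose class has only the two roots $\pm r$ (for those, $\gcd(r, n)$ itself is already a factor).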
Algorithms for integer factorization

Trial division. We divide the integer $n$ by all positive odd integers up to $\sqrt n$:
$i := 3$; while $i \le \sqrt n$ repeat: if $i \mid n$ then we have found a factor, else $i := i + 2$.
The algorithm is practical for smaller integers $n$ (e.g. $n \le 10^{12}$). The time complexity for a $k$-bit $n$ is $2^{k/2 - 1}$ divisions.

The $p - 1$ Method (Pollard 1974)

Input: $n$ (odd, to be factored) and $B$ (a bound). The algorithm is based on the following simple fact: if $p$ is a prime that divides $n$ and for all prime powers $q$ that divide $p - 1$ we have $q \le B$, then $(p - 1) \mid B!$.

Example: $B = 9$, $p = 37$, $p - 1 = 36 = 2^2 \cdot 3^2$; $2^2 \le B$ and $3^2 \le B$, hence $2^2 \cdot 3^2 \mid 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \cdot 7 \cdot 8 \cdot 9$.

Algorithm. Input: $n$, $B$.
1. $a := 2$,
2. for $j = 2, \ldots, B$: $a := a^j \bmod n$ (after the loop $a \equiv 2^{B!} \pmod n$, hence also $a \equiv 2^{B!} \pmod p$, and by Fermat $2^{p-1} \equiv 1 \pmod p$, so $p \mid a - 1$ whenever $(p-1) \mid B!$),
3. $d := \gcd(a - 1, n)$,
4. if $1 < d < n$ then $d$ is a factor of $n$ (since $p \mid d$), otherwise no success (this happens when $d = 1$, or when $d = n$ because every prime factor of $n$ was caught at once).

If $B \ge \sqrt n$ we always succeed, but the algorithm is then not efficient.

Time complexity:
• $B - 1$ exponentiations mod $n$, for each of which we need at most $2 \log_2 B$ multiplications mod $n$,
• the gcd with the Euclidean algorithm: $O((\log n)^2)$.
Together $O(B \log B (\log n)^2)$, which means that for $B \approx (\log n)^i$ the algorithm is polynomial.

Example: $n = 143$, $B = 4$: $a \equiv 2^{2 \cdot 3 \cdot 4} = 2^{24} \equiv 27 \pmod{143}$. So $a - 1 = 26$ and $\gcd(26, 143) = 13$.

In order to make the RSA system immune to this attack, we choose $p = 2p_1 + 1$ and $q = 2q_1 + 1$, where $p_1$ and $q_1$ are (large) primes.

The Pollard $\rho$ Algorithm

Let $p$ be the smallest prime divisor of $n$. Suppose there exist $x, x' \in \mathbb Z_n$ such that $x \ne x'$ and $x \equiv x' \pmod p$. Then $p \le \gcd(x - x', n) < n$, so we obtain a nontrivial factor of $n$ by computing the gcd, without knowing $p$ ahead of time.
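Added example (not from the lecture notes): trial division, Pollard's $p-1$ method with the slide's numbers ($n = 143$, $B = 4$), the safe-prime choice that defeats it, and Pollard's $\rho$ with Floyd cycle finding as given in the algorithm on the following slide. The moduli $1739 = 37 \cdot 47$, $1081 = 23 \cdot 47$ and $8051 = 83 \cdot 97$ are constructed for the demonstration; function names are my own.

```python
"""Trial division, Pollard p-1 and Pollard rho.  Added example, not from the
lecture notes; the test moduli are constructed for the demo."""
import math


def trial_division(n: int):
    """Smallest prime factor of n >= 2, or None if n is prime."""
    if n % 2 == 0 and n > 2:
        return 2
    i = 3
    while i * i <= n:                     # i <= sqrt(n)
        if n % i == 0:
            return i
        i += 2
    return None


def pollard_p_minus_1(n: int, B: int) -> tuple:
    """Returns (d, a) with a = 2^(B!) mod n and d = gcd(a - 1, n).
    1 < d < n is a factor; d = 1 (no p-1 is B-smooth) and d = n (all of them
    are, so a ≡ 1 mod n) are the two failure cases."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)                  # after the loop a ≡ 2^(B!) (mod n)
    return math.gcd(a - 1, n), a


def is_safe_prime(p: int) -> bool:
    """p = 2 p1 + 1 with p1 prime: then p - 1 has the large prime factor p1 and
    the p-1 method needs a bound B >= p1 to catch it."""
    return p > 3 and trial_division(p) is None and trial_division((p - 1) // 2) is None


def pollard_rho(n: int, x1: int = 2, a: int = 1):
    """Floyd cycle finding with f(x) = x^2 + a, as on the slide.  Returns a
    nontrivial factor, or None when the collision happens modulo n itself."""
    f = lambda x: (x * x + a) % n
    x, x2 = x1, f(x1)
    p = math.gcd(x - x2, n)
    while p == 1:
        x = f(x)                          # tortoise: one step
        x2 = f(f(x2))                     # hare: two steps
        p = math.gcd(x - x2, n)
    return None if p == n else p


def pollard_rho_factor(n: int):
    """Retry rho from other starting points when a run fails."""
    for x1 in range(2, 20):
        p = pollard_rho(n, x1)
        if p is not None:
            return p
    return None
```

Note the two failure modes of $p-1$ on the safe-prime modulus $23 \cdot 47$: with $B = 9$ neither $22$ nor $46$ divides $9!$ and $d = 1$; with $B = 23$ both divide $23!$, $a \equiv 1$, and $d = n$.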
Suppose we choose $X \subseteq \mathbb Z_n$ and then compute $\gcd(x - x', n)$ for all distinct values $x, x' \in X$. This can be analyzed using the birthday paradox: if $|X| \approx 1.17\sqrt p$, then $\Pr[\text{at least one collision modulo } p] > 1/2$.

To avoid computing $\binom{|X|}{2} > p/2$ gcd's before finding a factor of $n$, we often use a polynomial $f(x) = x^2 + a$ (commonly $a = 1$) and assume that it behaves like a random mapping (heuristic analysis). For $x_1 \in \mathbb Z_n$ we define the sequence $x_1, x_2, \ldots$ by $x_j = f(x_{j-1}) \bmod n$.

Pollard $\rho$ Factoring Algorithm. Data: $n$, $x_1$; external $f$.
  $x \leftarrow x_1$
  $x' \leftarrow f(x) \bmod n$
  $p \leftarrow \gcd(x - x', n)$
  while $p = 1$ do
      $x \leftarrow f(x) \bmod n$
      $x' \leftarrow f(x') \bmod n$
      $x' \leftarrow f(x') \bmod n$
      $p \leftarrow \gcd(x - x', n)$
  if $p = n$ then return ("failure") else return ($p$)

Dixon's Algorithm and the Quadratic Sieve

The idea: $x \not\equiv \pm y \pmod n$ and $x^2 \equiv y^2 \pmod n$ imply $\gcd(x - y, n) \notin \{1, n\}$. We put together a factor base $\mathcal B = \{p_1, \ldots, p_B\}$, where the $p_i$ are "small" primes. Let $C$ be slightly larger than $B$ (e.g. $C = B + 10$). We find $C$ congruences
$$x_j^2 \equiv p_1^{\alpha_{1,j}} \times p_2^{\alpha_{2,j}} \times \cdots \times p_B^{\alpha_{B,j}} \pmod n,\qquad 1 \le j \le C.$$
Denote $a_j := (\alpha_{1,j} \bmod 2, \ldots, \alpha_{B,j} \bmod 2)$. If we find a subset of $\{a_1, \ldots, a_C\}$ in which the vectors sum to $(0, 0, \ldots, 0) \bmod 2$, then the product of the corresponding $x_j^2$ uses each factor from $\mathcal B$ an even number of times, i.e., it is congruent to a perfect square $y^2$ whose root $y$ we can write down.

Example: $n = 15770708441$, $\mathcal B = \{2, 3, 5, 7, 11, 13\}$:
$$\begin{aligned}
8340934156^2 &\equiv 3 \times 7 \pmod n, & a_1 &= (0,1,0,1,0,0),\\
2773700011^2 &\equiv 2 \times 7 \times 13 \pmod n, & a_2 &= (1,0,0,1,0,1),\\
12044942944^2 &\equiv 2 \times 3 \times 13 \pmod n, & a_3 &= (1,1,0,0,0,1).
\end{aligned}$$
From $a_1 + a_2 + a_3 = (0,0,0,0,0,0) \bmod 2$ it follows that
$$(8340934156 \times 2773700011 \times 12044942944)^2 \equiv (2 \times 3 \times 7 \times 13)^2 \pmod n,$$
i.e., $9503435785^2 \equiv 546^2 \pmod n$, and
$$\gcd(9503435785 - 546,\ 15770708441) = 115979.$$

• A linear dependency among the vectors $\{a_1, a_2, \ldots, a_C\}$ can be found by Gaussian elimination over $\mathbb Z_2$.
• $C \ge B + 1$ already guarantees a dependency; however, we prefer several distinct dependencies, so that at least one of them provides a factorization (a dependency with $x \equiv \pm y$ gives nothing).
• Integers $x_j$ for which $x_j^2 \bmod n$ factors over $\mathcal B$ are searched for in the set $\{x_j = j + \lfloor \sqrt n \rfloor \mid j = 1, 2, \ldots\}$ with the quadratic sieve method (Pomerance).
• If $B$ is big, then there is a higher chance that a given integer factors over $\mathcal B$; however, we then need more congruences to find a linear dependency ($|\mathcal B| \approx e^{\sqrt{\ln n\,\ln\ln n}}$).

Factoring Algorithms in Practice

  quadratic sieve       $O\bigl(e^{(1+o(1))\sqrt{\ln n\,\ln\ln n}}\bigr)$
  elliptic curves       $O\bigl(e^{(1+o(1))\sqrt{\ln p\,\ln\ln p}}\bigr)$
  number field sieve    $O\bigl(e^{(1.92+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}}\bigr)$

where $o(1) \to 0$ as $n \to \infty$ and $p$ denotes the smallest prime factor of $n$. In the worst case, when $p \approx \sqrt n$, the quadratic sieve and the elliptic curve method have approximately the same time complexity; when $n$ has a much smaller prime factor $p$, the elliptic curve method is faster, since its running time depends on $p$ rather than on $n$.

Factorizations of large integers ($n = p \cdot q$, $p \approx q$):

  year   integer      bits   method   remarks
  1903   $2^{67} - 1$   67            F. Cole (3 years of Sundays)
  1988                 250    QS       100's of PCs, "factoring by e-mail"
  1994   RSA-129      425    QS       1600 PCs, 8 months
  1999   RSA-155      512    NFS      300 workstations + Cray; 5 months
  2002   RSA-158      524    NFS      30 workstations + Cray; 3 months
  2003   RSA-174      576    NFS
  2005   RSA-200      663    NFS      (55 years on one workstation)

Fermat numbers: $2^{2^{11}} + 1$ was factored with elliptic curves in 1988 (Brent), and $2^{2^{9}} + 1$ with the number field sieve in 1990 (Lenstra, Lenstra, Manasse, Pollard).

In 1997 Prof. Vidav asked the following question (most probably in order to verify the current computing power of desktops): find the prime factors of $10^{64} + 1$, and gave a hint that all of them (if there are any) are of the form $128k + 1$.
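Added example (not from the lecture notes): Dixon's method with the quadratic-sieve choice of candidates $x = \lfloor\sqrt n\rfloor + j$, a factor base restricted to primes modulo which $n$ is a square (the only ones that can divide $x^2 - n$), and Gaussian elimination over $\mathbb Z_2$ to find dependencies. It factors the slides' $n = 15770708441$; the bound $200$ and the constructed modulus $8051$ in the test are my choices.

```python
"""Dixon / quadratic-sieve style factoring with GF(2) elimination.
Added example, not from the lecture notes."""
import math


def factor_base(n: int, bound: int) -> list:
    """2 and the odd primes p <= bound with (n/p) = 1."""
    sieve = bytearray([1]) * (bound + 1)
    primes = []
    for p in range(2, bound + 1):
        if sieve[p]:
            primes.append(p)
            for m in range(p * p, bound + 1, p):
                sieve[m] = 0
    return [p for p in primes if p == 2 or pow(n, (p - 1) // 2, p) == 1]


def smooth_exponents(v: int, primes: list):
    """Exponent vector of v over the factor base, or None if v is not smooth."""
    exps = []
    for p in primes:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def gf2_dependencies(rows: list):
    """rows: parity vectors as bitmasks.  Yields index lists whose rows XOR to 0."""
    basis = {}                                    # lowest set bit -> (vector, rows used)
    for i, v in enumerate(rows):
        comb = 1 << i
        while v:
            low = v & -v
            if low not in basis:
                basis[low] = (v, comb)
                break
            bv, bc = basis[low]
            v ^= bv
            comb ^= bc
        else:                                     # reduced to zero: a dependency
            yield [j for j in range(len(rows)) if comb >> j & 1]


def gcd_split(x: int, y: int, n: int):
    """x^2 ≡ y^2 (mod n) yields a factor unless x ≡ ±y (mod n)."""
    g = math.gcd(x - y, n)
    return g if 1 < g < n else None


def dixon(n: int, bound: int = 200, extra: int = 10, max_candidates: int = 200_000):
    """Collect len(base)+extra relations x_j^2 ≡ prod p_i^a_ij (mod n) from
    x = isqrt(n)+1, isqrt(n)+2, ..., then try every dependency."""
    base = factor_base(n, bound)
    rels = []                                     # (x_j, exponent vector)
    start = math.isqrt(n) + 1
    for x in range(start, start + max_candidates):
        exps = smooth_exponents(x * x - n, base)  # x^2 - n ≡ x^2 (mod n)
        if exps is not None:
            rels.append((x, exps))
            if len(rels) >= len(base) + extra:
                break
    rows = [sum((e & 1) << i for i, e in enumerate(exps)) for _, exps in rels]
    for subset in gf2_dependencies(rows):
        x, total = 1, [0] * len(base)
        for j in subset:
            x = x * rels[j][0] % n
            total = [t + e for t, e in zip(total, rels[j][1])]
        y = 1
        for p, e in zip(base, total):
            y = y * pow(p, e // 2, n) % n         # every e is even by construction
        g = gcd_split(x, y, n)
        if g:
            return g
    return None
```

The test also checks the slides' own dependency: $9503435785^2 \equiv 546^2 \pmod n$, and $\gcd(9503435785 - 546, n) = 115979$ with cofactor $135979$.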
Most PCs, using Mathematica/Maple, found at least one factor, $1265011073$; the 55-digit remainder was causing the problems. In Waterloo they had a fast machine (CACR: Alpha ???) and a good library (see http://www.informatik.th-darmstadt.de/TI/LiDIA/) that found the remaining factors in 10 minutes:
$$15343168188889137818369 \quad\text{and}\quad 515217525265213267447869906815873.$$

5. Other Public-key cryptosystems

• ElGamal Cryptosystems and the Massey-Omura Scheme
• Discrete Logarithm Problem (DLP) and Attacks on it
• Giant Step Baby Step Method
• The Pohlig-Hellman Algorithm
• The Index Calculus Method
• Security of Bits in DLP
• Finite Fields and Elliptic Curves
• The Elliptic Curve Cryptosystems
• The Merkle-Hellman Knapsack Cryptosystem
• The McEliece Cryptosystem

Public-Key Cryptography

In 1976 Whitfield Diffie and Martin Hellman introduced the concept of public-key cryptography (see the Institute of Electrical and Electronics Engineers journal). In contrast with a symmetric system, such a system uses two distinct keys: a private one and a public one (in Ch. 4 we introduced RSA, from 1978). Taher ElGamal (1985): encryption with public keys.

Discrete Logarithm Problem (DLP) (in a finite group $G$): for given elements $\alpha, \beta \in G$, where the order of the element $\alpha$ is $n$, find $x \in \{0, \ldots, n-1\}$ such that $\alpha^x = \beta$. The integer $x$ is called the discrete logarithm of the element $\beta$ to the base $\alpha$, denoted $\log_\alpha \beta$ or $\mathrm{Ind}_\alpha \beta$. While the DLP is most probably difficult to solve (in general), the power $\alpha^x$ is easy to compute (an example of a one-way function). Right now we do not know any polynomial-time algorithm for the DLP in $\mathbb Z_p^*$.

ElGamal Protocols

They are divided into three classes: protocols for
1. key exchange,
2. a public-key cryptosystem,
3. a digital signature.

In cryptography we work with finite sets, like on our watches (e.g. the prime field $\mathbb Z_p$). Example: for $p = 7$ we have $4 + 5 = 2$ and $5 \times 4 = 6$.

The two main reasons for using different groups are:
• calculation in some groups can be done faster in software (or in hardware) than in other groups,
• the discrete logarithm problem in one group may be harder than in other groups.

Let $\alpha \in G$ and let the positive integer $n$ be the order of $\alpha$ (i.e., $\alpha^n = 1$ and $\alpha^k \ne 1$ for all $0 < k < n$).

1. Key agreement (Diffie-Hellman)

  Alice (private $a$)                          Bob (private $b$)
                   -----  $\alpha^a$  ----->
                   <-----  $\alpha^b$  -----
  computes $(\alpha^b)^a$                      computes $(\alpha^a)^b$

Alice and Bob now share a common element of the group:
$$(\alpha^a)^b = (\alpha^b)^a = \alpha^{ab}.$$
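Added example (not from the lecture notes): the Diffie-Hellman exchange above in $\mathbb Z_p^*$, together with the discrete logarithm a passive eavesdropper would have to solve to obtain the shared element. The prime $p = 1019 = 2 \cdot 509 + 1$ (with generator $\alpha = 2$) and the exponents are constructed for the demonstration; the exhaustive DLP search is only there to show the cost, and function names are my own.

```python
"""Diffie-Hellman in Z_p^* and the eavesdropper's DLP.  Added example, not
from the lecture notes; the toy prime is constructed for the demo."""


def element_order(alpha: int, p: int) -> int:
    """Smallest n > 0 with alpha^n ≡ 1 (mod p), by direct stepping (toy sizes)."""
    x, n = alpha % p, 1
    while x != 1:
        x = x * alpha % p
        n += 1
    return n


def dh_exchange(p: int, alpha: int, a: int, b: int) -> tuple:
    """Alice sends alpha^a, Bob sends alpha^b; each raises what it received to
    its private exponent.  Returns (A sent, B sent, Alice's key, Bob's key)."""
    A = pow(alpha, a, p)                  # public value from Alice
    B = pow(alpha, b, p)                  # public value from Bob
    return A, B, pow(B, a, p), pow(A, b, p)


def dlog_bruteforce(alpha: int, beta: int, p: int):
    """Exhaustive search for x with alpha^x ≡ beta (mod p): as many steps as
    the order of alpha, which is why p must be large in practice."""
    x, y, n = 0, 1, element_order(alpha, p)
    while x < n:
        if y == beta:
            return x
        x, y = x + 1, y * alpha % p
    return None


def eavesdropper_key(p: int, alpha: int, A: int, B: int):
    """With only the public values: solve the DLP for Alice's exponent a,
    then compute B^a, the same element Alice and Bob share."""
    a = dlog_bruteforce(alpha, A, p)
    return None if a is None else pow(B, a, p)
```

The group order matters twice: $2$ generates all of $\mathbb Z_{1019}^*$ (order $1018$), so the exchanged values range over the whole group, and the eavesdropper's search takes up to $1018$ steps here, but about $2^{255}$ for a 256-bit prime-order subgroup.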