A. Jurišić: CACS
232
For a nonnegative integer a the Jacobi symbol is defined by
(a/n) := Π_{i=1}^{k} (a/p_i)^{e_i}.
An Euler pseudo-prime: 91 = 7 · 13
and there is still such an integer a = 10 that
(10/91) = −1 = 10^45 mod 91.
HW: Show that for an arbitrary composite number n,
n is an Euler pseudo-prime to the base a
for at most half of the integers a from the interval (0, n)
(see the Exercise 5.22).
233
A YES-biased Monte Carlo algorithm is a randomized algorithm
for a decision problem (i.e., YES/NO-problem),
where a “YES” answer is (always) correct,
while a “NO” answer may be incorrect.
The error probability for a YES-biased Monte Carlo algorithm is ε,
if for any instance in which the answer is “YES”
the algorithm will give the (incorrect) answer “NO”
with probability at most ε.
234
The Solovay-Strassen Algorithm
1. Choose a random integer a ∈ Z_n, x := (a/n).
2. if x = 0 then return (“n is a composite number”).
3. y := a^{(n−1)/2} mod n,
if x ≡ y (mod n)
then return (“n is a prime”)
else return (“n is a composite integer”).
This is a YES-biased Monte Carlo algorithm with error probability 1/2
(see Stinson, problem 5.22).
235
Suppose that we have generated a random integer n
and tested it for primality using a Monte Carlo probabilistic algorithm
for the decision problem “is n composite?”:
the test is repeated m times with random values a.
The probability that the answer will be incorrect each time is ε^m,
but we cannot conclude from this that the probability that n is a prime
equals 1 − ε^m.
The event A: “a random odd integer n of a specified size is composite”
and the event B: “the algorithm answers ‘n is a prime’ m times in succession.”
Then we certainly have P(B/A) ≤ ε^m,
however, the probability P(A/B) is usually not the same.
236
Let N ≤ n ≤ 2N. By the PNT:
2N/log 2N − N/log N ≈ N/log N ≈ n/log n.
Thus P(A) ≈ 1 − 2/log n. The Bayes rule states:
P(A/B) = P(B/A) P(A) / P(B).
Since P(B) = P(B/A) P(A) + P(B/Ā) P(Ā) and P(B/Ā) = 1, we have
P(A/B) = P(B/A)(log n − 2) / (P(B/A)(log n − 2) + 2)
       ≤ 2^{−m}(log n − 2) / (2^{−m}(log n − 2) + 2)
       = (log n − 2) / (log n − 2 + 2^{m+1}),
which means that P(A/B) tends to 0 exponentially fast.
237
The Monte Carlo probabilistic algorithm for the decision problem
“is an integer composite?”:
We repeat the test k times with distinct random values a.
The probability that the reply is incorrect each time
is for us estimated by ε^k.
HW: Use the following theorem to show that we do not need
the prime factorization of n in order to calculate the Jacobi symbol.
238
The Gauss Theorem
The Law of Quadratic Reciprocity (1796)
Suppose p and q are distinct odd primes. Then
(p/q)(q/p) = (−1)^{((p−1)/2) · ((q−1)/2)},
and for the prime 2
(2/p) = (−1)^{(p²−1)/8}.
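As an added example (not code from the slides), the following Python computes the Jacobi symbol exactly as the HW on slide 237 asks, using only the reciprocity law and the rule for (2/p) from the theorem above, so no factorization of n is needed; on top of it sits the Solovay-Strassen round of slide 234. The helper names and the choice of 20 default rounds are mine. Run on the slide 232 example it confirms that 91 is an Euler pseudo-prime to the base 10 and that only 18 of the 90 bases in (0, 91) are such liars, which is within the "at most half" bound of the homework.

```python
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity.
    No factorization of n is used (the point of the slide 237 homework)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        # pull out factors of 2: (2/n) = (-1)^((n^2-1)/8), i.e. -1 iff n = 3 or 5 (mod 8)
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # reciprocity: (a/n)(n/a) = (-1)^((a-1)/2 * (n-1)/2) for odd coprime a, n
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def solovay_strassen_round(n, a):
    """One round of the slide 234 test with base a.
    True means the answer 'n is a prime' (which may be wrong),
    False means 'n is composite' (always right)."""
    x = jacobi(a, n)
    if x == 0:                            # step 2: gcd(a, n) > 1
        return False
    y = pow(a, (n - 1) // 2, n)           # step 3: Euler's criterion
    return x % n == y                     # -1 is represented as n - 1


def solovay_strassen(n, rounds=20, rng=random):
    """Repeat the round with independent random bases; error probability <= 2^-rounds."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return all(solovay_strassen_round(n, rng.randrange(1, n)) for _ in range(rounds))


def euler_liars(n):
    """Bases a in (0, n) for which the composite n passes one round (Euler liars)."""
    return [a for a in range(1, n) if solovay_strassen_round(n, a)]


if __name__ == "__main__":
    print(jacobi(10, 91), pow(10, 45, 91))        # -1 and 90 (= -1 mod 91)
    print(len(euler_liars(91)), "liars out of 90")
```

The `a %= n` after the swap keeps the arguments shrinking like Euclid's algorithm, so the loop takes O(log n) iterations; the final `n == 1` test distinguishes (a/n) = 0 (a and n not coprime) from ±1.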
239
Why is this theorem so important?
It enables us to answer when a quadratic congruence has a solution,
since the multiplicative rule holds:
(ab/p) = (a/p)(b/p).
It is a surprising connection between primes
(a rule that regulates primes).
240
The Eisenstein lemma. A prime p > 2, p ∤ q ∈ N.
Set A := {2, 4, 6, . . . , p − 1} and r_a := qa mod p for a ∈ A.
Then
(q/p) = (−1)^{Σ_{a∈A} r_a}.
Proof: For a, a' ∈ A, a ≠ a', we cannot have
r_a (−1)^{r_a} = r_{a'} (−1)^{r_{a'}}, i.e., qa ≡ ±qa' (mod p),
since in this case a = ±a', which is not possible.
Let us point out that all the integers r_a (−1)^{r_a} mod p are even,
so they coincide with all the elements of the set A.
241
Therefore, we have
Π a ≡ (−1)^{Σ r} Π r (mod p),
and directly from the definition also
q^{(p−1)/2} Π a ≡ Π r (mod p).
It follows q^{(p−1)/2} ≡ (−1)^{Σ r} (mod p) and by the Euler criterion also
(q/p) ≡ q^{(p−1)/2} (mod p).
242
Let us now present Eisenstein’s proof of
the Gauss law of quadratic reciprocity.
Obviously we have
Σ qa = p Σ ⌊qa/p⌋ + Σ r.
Since all the elements a are even and p is odd, we derive
Σ r ≡ Σ ⌊qa/p⌋ (mod 2)
and, by the Eisenstein lemma, also
(q/p) = (−1)^{Σ ⌊qa/p⌋}.
243
[Figure: the p × q rectangle in the (x, y) plane with the diagonal AB given by y = (q/p)x; the labels A, B, D, F, H, J, K, L and the midpoints p/2, q/2 are marked. From the text that follows: A is the origin, D = (p, 0), B = (p, q), H is the midpoint of AB, and K, J, L lie on the lines x = p/2, x = p and y = q/2 respectively (coordinates inferred from the triangles named below).]
The sum Σ ⌊qa/p⌋ is equal to the number of integer points with even
x-coordinate that lie inside the triangle ABD.
Let us now consider the points with x-coordinate greater than p/2.
Since the integer q − 1 is even, the parity of the ⌊qa/p⌋ points with the same
x-coordinate under the diagonal AB is equal to the number of points
with the same even x-coordinate above the diagonal AB.
244
On the other hand, this is equal to the number of points
under the diagonal AB with the odd x-coordinate p − a
(a bijective correspondence between the points with even x-coordinate
in the ΔBHJ and odd x-coordinate in the ΔAHK).
Therefore, the sum Σ ⌊qa/p⌋ has the same parity as the number µ
of integer points inside the ΔAHK, i.e.,
(q/p) = (−1)^µ.
If we exchange the roles of p and q, we obtain the number ν
of the integer points inside the ΔAHL, which means
(p/q) = (−1)^ν,
and together with the previous relation we have proven the Gauss theorem.
245
Another Monte Carlo algorithm for testing of composite integers.
Miller-Rabin Test: we test an odd integer n.
1. n − 1 = 2^k m, where m is an odd integer,
2. choose a random integer a ∈ (0, n),
3. calculate b ≡ a^m (mod n),
4. if b ≡ 1 (mod n) then exit(n is a prime)
5. for i = 0 to k − 1 do
if b ≡ −1 (mod n)
then exit(n is a prime)
else b ≡ b² (mod n),
7. The integer n is composite.
246
From x² ≡ 1 (mod n), i.e., n | x² − 1 = (x − 1)(x + 1), it follows
x ≡ 1 (mod n) or x ≡ −1 (mod n),
i.e., in our case a^{2^{k−1} m} ≡ 1 (mod n). In the same way we obtain
a^m ≡ 1 (mod n),
which is a contradiction, since the algorithm in this case replies
“n is prime”.
Let us conclude without the proof, that
the error probability of the Miller-Rabin algorithm is 1/4.
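An added Python example (mine, not from the slides) of the Miller-Rabin round exactly as listed on slide 245, with a helper that enumerates the strong liars of a composite n so the 1/4 bound can be checked on small inputs. It also carries the Bayes computation of slides 235–236 as a function: the bound on P(A/B), the chance that a random odd n of a given bit length is composite although it answered "prime" m times. The function name, the `eps` parameter (1/2 for Solovay-Strassen, 1/4 for Miller-Rabin) and the approximation log n ≈ bits · ln 2 are my assumptions.

```python
import math
import random


def miller_rabin_round(n, a):
    """One round of the slide 245 test for odd n with base a.
    True = 'n is a prime' (may be wrong), False = 'n is composite' (always right)."""
    k, m = 0, n - 1
    while m % 2 == 0:                     # step 1: n - 1 = 2^k m with m odd
        k += 1
        m //= 2
    b = pow(a, m, n)                      # step 3
    if b == 1:                            # step 4
        return True
    for _ in range(k):                    # step 5: look for -1 among the squarings
        if b == n - 1:
            return True
        b = b * b % n
    return False                          # step 7


def miller_rabin(n, rounds=20, rng=random):
    """Repeat with independent random bases; error probability <= 4^-rounds."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return all(miller_rabin_round(n, rng.randrange(1, n)) for _ in range(rounds))


def strong_liars(n):
    """Bases a in (0, n) for which the composite n is declared prime."""
    return [a for a in range(1, n) if miller_rabin_round(n, a)]


def composite_despite_passing(bits, m, eps=0.5):
    """Slide 236 bound on P(A/B): n (about `bits` bits) is composite although it
    passed m rounds. Uses P(B/A) <= eps^m and P(A) = 1 - 2/log n with the
    natural log approximated as bits * ln 2 (assumption)."""
    log_n = bits * math.log(2)
    pba = eps ** m
    return pba * (log_n - 2) / (pba * (log_n - 2) + 2)


if __name__ == "__main__":
    print(miller_rabin_round(561, 2))               # False: 2 is a witness for 561
    print(len(strong_liars(91)), "strong liars for 91")
    for m in (1, 5, 10):
        print(m, composite_despite_passing(512, m))
```

For n = 91 = 7 · 13 the strong liars are exactly the 18 bases with a^45 ≡ ±1 (mod 91), well under the 90/4 allowed by the error bound; the Carmichael number 561, which fools the Fermat test for every coprime base, is already exposed by the base 2.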
247
Attacks on RSA
An excellent survey paper “Twenty Years of Attacks
on the RSA cryptosystem” was published by Dan Boneh
in Notices of AMS, Feb. 1999, pp. 203–212.
We will mention only a few basic attacks.
If one knows ϕ(n) and n, we can obtain p, q
from the following system of equations
n = pq and ϕ(n) = (p − 1)(q − 1).
248
Decryption exponent of the RSA cryptosystem
Proposition: An algorithm A, which can find the decryption exponent d,
can be used as a subroutine in a probabilistic algorithm that factors n.
This implies that searching for the decryption exponent
is not easier than the factorization problem.
Warning: if we “lose” d,
then we have to replace not only the encryption exponent
but also the modulus n with a new one.
249
Let ε ∈ [0, 1).
The Las Vegas algorithm is a probabilistic algorithm,
which may fail to give an answer with probability ε
(so it can stop with the message “no answer”),
however, if the algorithm does give an answer,
then the answer must be correct.
HW: Show that the expected number of the algorithm steps
until we obtain an answer equals 1/(1 − ε)
(see Stinson, Problem 5.23).
If a Las Vegas algorithm factorizes an integer n with probability at least ε
and we repeat it m times, then the integer n will be factorized
with probability at least 1 − ε^m.
250
The statement follows from the following facts:
for n = pq, where p and q are odd primes:
x² ≡ 1 (mod n), i.e., pq | (x − 1)(x + 1),
one obtains four solutions, two (trivial) as solutions
of the following equations
x ≡ 1 (mod n) and x ≡ −1 (mod n)
and two more, by applying CRT,
x ≡ 1 (mod p), x ≡ −1 (mod q)
and
x ≡ −1 (mod p), x ≡ 1 (mod q).
A more difficult part is to prove that the algorithm succeeds
with probability ≥ 1/2.
251
Factoring Algorithm, given the decryption exponent d
1. choose an integer w at random s.t. 0 < w < n,
2. calculate x = gcd(w, n),
3. if 1 < x < n then exit(success: x = p or x = q)
4. calculate d = A(e, n) and write de − 1 = 2^s r, r odd,
5. calculate v = w^r mod n,
6. if v ≡ 1 (mod n) then exit(failure)
7. while v ≢ 1 (mod n) do v_0 = v, v = v² mod n
8. if v_0 ≡ −1 (mod n) then exit(failure)
else calculate x = gcd(v_0 + 1, n)
(success: x = p or x = q).
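The two key-recovery facts of slides 247 and 251 as an added Python example (mine, not from the slides): `factor_from_phi` solves the system n = pq, ϕ(n) = (p − 1)(q − 1) by turning it into the quadratic t² − (p + q)t + n = 0, and `factor_given_d` is the eight-step algorithm above with the oracle A(e, n) replaced by a d that is already known, which is exactly the situation the warning on slide 248 describes (a leaked d gives away the modulus). The toy key n = 3233 = 61 · 53, e = 17, d = 2753 is a constructed sample; the function names are mine.

```python
import random
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Slide 247: recover p, q from n = pq and phi = (p-1)(q-1).
    p + q = n - phi + 1 and (p - q)^2 = (p + q)^2 - 4n."""
    s = n - phi + 1                       # p + q
    disc = s * s - 4 * n                  # (p - q)^2
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("n and phi are inconsistent")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("n and phi are inconsistent")
    return p, q


def factor_given_d(n, e, d, w):
    """One trial of the slide 251 algorithm for the random w, with the oracle
    A(e, n) replaced by the known d. Returns a factor or None (the failure exits)."""
    x = gcd(w, n)                         # steps 2-3
    if 1 < x < n:
        return x
    s, r = 0, d * e - 1                   # step 4: de - 1 = 2^s r, r odd
    while r % 2 == 0:
        s += 1
        r //= 2
    v = pow(w, r, n)                      # step 5
    if v == 1:                            # step 6
        return None
    while v != 1:                         # step 7: terminates, since w^(de-1) = 1 (mod n)
        v0, v = v, v * v % n
    if v0 == n - 1:                       # step 8: trivial square root of 1
        return None
    return gcd(v0 + 1, n)                 # v0 is a nontrivial square root of 1


def factor_with_d(n, e, d, rng=random):
    """Repeat the Las Vegas trial until it succeeds (probability >= 1/2 per trial)."""
    while True:
        x = factor_given_d(n, e, d, rng.randrange(1, n))
        if x is not None:
            return x


if __name__ == "__main__":
    print(factor_from_phi(3233, 3120))    # (53, 61)
    print(factor_with_d(3233, 17, 2753))  # 53 or 61
```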
252
Random errors
(Boneh, DeMillo and Lipton, 1997)
If we apply CRT and an error occurs only
in the calculation of one of C_p and C_q,
for example C_p is correct, while Ĉ_q is not,
then
Ĉ = t_p C_p + t_q Ĉ_q
is obviously an incorrect signature, since Ĉ^e ≠ m mod n.
However,
Ĉ^e = m mod p, while Ĉ^e ≠ m mod q,
and gcd(n, Ĉ^e − m) reveals a nontrivial factor of n.
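An added Python example (mine, not from the slides) of why a CRT signer must check its own output: `crt_sign` computes the signature from C_p and C_q as on the slide, with an optional constructed fault that corrupts C_q by one; `factor_from_faulty_signature` is the gcd from the last line; and `safe_crt_sign` is the standard countermeasure, verifying Ĉ^e ≡ m (mod n) before releasing Ĉ, so a faulty value never leaves the device. The key n = 3233 = 61 · 53, e = 17, d = 2753 and the message 65 are constructed sample values.

```python
from math import gcd


def crt_sign(m, p, q, d, fault_in_q=False):
    """RSA-CRT signature: C_p = m^d mod p, C_q = m^d mod q, combined with
    t_p = 1 (mod p), 0 (mod q) and t_q = 0 (mod p), 1 (mod q).
    fault_in_q simulates the random error of the slide (constructed: C_q + 1)."""
    n = p * q
    c_p = pow(m, d % (p - 1), p)
    c_q = pow(m, d % (q - 1), q)
    if fault_in_q:
        c_q = (c_q + 1) % q
    t_p = q * pow(q, -1, p)
    t_q = p * pow(p, -1, q)
    return (t_p * c_p + t_q * c_q) % n


def factor_from_faulty_signature(n, e, m, c_hat):
    """The slide's observation: gcd(n, C^e - m) is p when only C_q was wrong."""
    return gcd(n, (pow(c_hat, e, n) - m) % n)


def safe_crt_sign(m, p, q, d, e, fault_in_q=False):
    """Countermeasure: verify the signature before releasing it.
    Returns None instead of a faulty signature, so no gcd can be taken on it."""
    n = p * q
    c = crt_sign(m, p, q, d, fault_in_q)
    if pow(c, e, n) != m % n:
        return None
    return c


if __name__ == "__main__":
    p, q, e, d, m = 61, 53, 17, 2753, 65
    c_hat = crt_sign(m, p, q, d, fault_in_q=True)
    print(factor_from_faulty_signature(p * q, e, m, c_hat))   # 61
    print(safe_crt_sign(m, p, q, d, e, fault_in_q=True))      # None
```

The check costs one public-exponent exponentiation, which is cheap next to the two private-exponent ones, and it protects against any single-sided fault, not only the additive one simulated here.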
253
The Rabin Cryptosystem
It is based on the difficulty of factorizing the product of two big primes.
n = pq, p ≠ q, p, q ≡ 3 (mod 4), P = C = Z_n,
K = {(n, p, q, B); 0 ≤ B ≤ n − 1}.
For a chosen key K = (n, p, q, B), define
e_K(x) = x(x + B) mod n,
d_K(y) = √(y + B²/4) − B/2.
The public key is (n, B), while the private key is (p, q).
254
Proposition: Let ω² ≡ 1 (mod n) be a nontrivial root
(the congruence has 4 solutions: 1, −1 and two nontrivial).
For x ∈ Z_n we have:
e_K(ω(x + B/2) − B/2) = e_K(x).
We have 4 plaintexts, that correspond to the ciphertext e_K(x):
x, −x − B, ω(x + B/2) − B/2 and −ω(x + B/2) − B/2.
In general we cannot determine which one is the correct one.
255
Decryption
For a given ciphertext y we search for x s.t.
x² + Bx ≡ y (mod n).
Simplify: x = x_1 − B/2,
x_1² ≡ y + B²/4 (mod n).
Set C = y + B²/4 and search for a square root of C,
i.e., solve the equation
x_1² ≡ C (mod n).
256
This is equivalent to the system:
x_1² ≡ C (mod p),
x_1² ≡ C (mod q).
By Euler’s criterion: C^{(p−1)/2} ≡ 1 (mod p).
We assumed p ≡ 3 (mod 4), hence (±C^{(p+1)/4})² ≡ C (mod p),
so the roots of the first congruence are:
x_{1,2} = ±C^{(p+1)/4},
while the roots of the second one are:
x_{3,4} = ±C^{(q+1)/4}.
Thus x_1 ≡ x_{1,2} (mod p), x_1 ≡ x_{3,4} (mod q), and by CRT we obtain four solutions.
Remark: For p ≡ 1 (mod 4) there is no known polynomial-time
deterministic algorithm to compute square roots of a quadratic residue
mod p (but there is a polynomial-time Las Vegas algorithm).
257
Example: n = 77 = 7 · 11, B = 9,
e_K(x) = x² + 9x mod 77,
d_K(y) = √(y + B²/4) − B/2 = √(1 + y) − 43 (mod 77).
The ciphertext: y = 22. We need to find solutions:
x² ≡ 23 (mod 7)    (x ≡ ±4 (mod 7)),
x² ≡ 23 (mod 11)   (x ≡ ±1 (mod 11)).
We obtain four systems with two unknowns, e.g.:
x ≡ 4 (mod 7), x ≡ 1 (mod 11).
258
By CRT,
x = 4 · 11 · (11^{−1} mod 7) + 1 · 7 · (7^{−1} mod 11).
All solutions are:
x_1 ≡ 67 (mod 77), x_2 ≡ 10 (mod 77),
x_3 ≡ 32 (mod 77), x_4 ≡ −32 (mod 77).
The deciphered text is:
d_K(y) = 67 − 43 mod 77 = 24,
         32 − 43 mod 77 = 66,
         10 − 43 mod 77 = 44,
         45 − 43 mod 77 = 2,
and all solutions encrypt to 22.
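The decryption of slides 255–258 as an added Python example (mine, not from the slides): B/2 and B²/4 are taken in Z_n using the inverse of 2, the two square roots mod p and mod q come from the exponents (p + 1)/4 and (q + 1)/4, and the CRT combination yields the four candidates of slide 254. The function names are mine; run on the slide's key n = 77, B = 9 and ciphertext 22 it reproduces the plaintexts 24, 66, 44 and 2.

```python
def rabin_encrypt(x, n, B):
    """e_K(x) = x(x + B) mod n."""
    return x * (x + B) % n


def rabin_decrypt(y, p, q, B):
    """All four plaintexts for y under the key (n = pq, p, q, B), p, q = 3 (mod 4).
    x_1^2 = C = y + B^2/4 (mod n); roots mod p and q are +-C^((p+1)/4), +-C^((q+1)/4)."""
    n = p * q
    half_B = B * pow(2, -1, n) % n        # B/2 in Z_n (43 for n = 77, B = 9)
    C = (y + half_B * half_B) % n         # y + B^2/4
    r_p = pow(C % p, (p + 1) // 4, p)
    r_q = pow(C % q, (q + 1) // 4, q)
    if r_p * r_p % p != C % p or r_q * r_q % q != C % q:
        raise ValueError("C is not a quadratic residue: y is not a valid ciphertext")
    t_p = q * pow(q, -1, p)               # CRT coefficients: t_p = 1 (mod p), 0 (mod q)
    t_q = p * pow(p, -1, q)
    roots = {(s_p * r_p * t_p + s_q * r_q * t_q) % n
             for s_p in (1, -1) for s_q in (1, -1)}
    return sorted((x1 - half_B) % n for x1 in roots)


if __name__ == "__main__":
    plaintexts = rabin_decrypt(22, 7, 11, 9)
    print(plaintexts)                                       # [2, 24, 44, 66]
    print([rabin_encrypt(x, 77, 9) for x in plaintexts])    # all 22
```

The residuosity check guards the case the slides do not discuss: a y for which C is not a square modulo p or q has no preimage, and the exponentiation then silently returns a non-root, so the decryptor must verify r² ≡ C rather than trust it.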
259
Security of the Rabin Cryptosystem
A hypothetical decryption algorithm A for the Rabin cryptosystem
can be used as a subroutine in an algorithm of type Las Vegas
for factorization of an integer n with probability at least 1/2:
1. choose a random r ∈ (0, n),
2. compute y := r² − B²/4 mod n (y = e_K(r − B/2)),
3. x := A(y),
4. x_1 := x + B/2 (x_1² ≡ r² (mod n)),
5. if x_1 ≡ ±r (mod n) then quit(failure)
else (x_1 ≡ ±ω · r (mod n),
where ω is the nontrivial root of ω² ≡ 1 (mod n))
gcd(x_1 + r, n) = p (or q).
260
In the last case n | (x_1 − r)(x_1 + r),
however, n ∤ (x_1 − r) and n ∤ (x_1 + r)
⇒ gcd(x_1 + r, n) ≠ 1.
The probability of success in one step:
For r_1, r_2 ≠ 0, define r_1 ∼ r_2 ⇔ r_1² ≡ r_2² (mod n).
This is an equivalence relation,
and the equivalence classes in Z_n \ {0} have 4 elements: [r] = {±r, ±ωr}.
Each element in [r] gives us the same value y.
The subroutine A returns y, [y] = {±y, ±ωy}.
If r = ±y the algorithm fails, while it succeeds if r = ±ωy.
When we choose r randomly, each of these possibilities is equally probable
⇒ the probability of success is 1/2.
261
Algorithms for integer factorization
Trial division
We divide the integer n by all positive odd integers up to √n:
i := 3,
while i ≤ √n repeat
if i | n, then we found a factor,
else i := i + 2.
The algorithm is practical for smaller integers n (e.g. n ≤ 10^12).
Time complexity for k bits is 2^{k/2−1} divisions.
262
The p − 1 Method (Pollard 1974)
Input: n (odd, to be factorized) and B (a bound)
The algorithm is based on the following simple fact:
if p is a prime that divides n and
if for all prime powers q that divide p − 1
we have q ≤ B, then (p − 1) | B!
Example: B = 9, p = 37, p − 1 = 36 = 2² · 3²,
2² ≤ B, 3² ≤ B ⇒ 2² · 3² | 1 · 2 · 3 · 4 · 5 · 6 · 7 · 8 · 9.
263
Algorithm
Input: n, B
1. a := 2
2. for j = 2, ..., B do
a := a^j mod n                       (a ≡ 2^{B!} (mod n))
3. d = gcd(a − 1, n)                    (⇒ a ≡ 2^{B!} (mod p))
                                        (Fermat: 2^{p−1} ≡ 1 (mod p))
4. If 1 < d < n, then d is a factor of n (since p | d)
otherwise no success (this happens when d = 1).
If B ≥ √n, we always succeed, but the algorithm is not efficient.
264
Time complexity
• B − 1 exponentiations mod n,
for each we need 2 log_2 B multiplications mod n,
• the gcd with Euclid algorithm: O((log n)²).
Together O(B log B (log n)²), which means that for B ≈ (log n)^i the
algorithm is polynomial.
Example: n = 143, B = 4, a ≡ 2^{2·3·4} ≡ 131 (mod 143).
So a − 1 = 130 and thus gcd(130, 143) = 13.
In order to make the RSA system secure,
we choose
p = 2p_1 + 1 and q = 2q_1 + 1,
where p_1 and q_1 are primes.
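The p − 1 method of slides 262–264 as an added Python example (mine, not from the slides), together with a helper that tests the slide's smoothness criterion on p − 1. The function names are mine. On the slide's n = 143 with B = 4 it returns the factor 13; on n = 23 · 47 = 1081, a product of two safe primes of the form 2p_1 + 1 as recommended above, the method fails for any bound B below p_1, which is the reason for that recommendation.

```python
from math import gcd


def pollard_p_minus_1(n, B):
    """Slide 263: a := 2; a := a^j mod n for j = 2..B (so a = 2^(B!) mod n);
    d := gcd(a - 1, n). Returns d if 1 < d < n, otherwise None ('no success')."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def p_minus_1_is_B_smooth(p, B):
    """Slide 262 criterion: every prime power dividing p - 1 is <= B,
    which guarantees (p - 1) | B! and hence success against this p."""
    m, k = p - 1, 2
    while k * k <= m:
        if m % k == 0:
            power = 1
            while m % k == 0:
                m //= k
                power *= k
            if power > B:
                return False
        k += 1
    return m <= B                         # the leftover prime (or 1)


if __name__ == "__main__":
    print(pollard_p_minus_1(143, 4))      # 13
    print(pollard_p_minus_1(3737, 9))     # 37: 36 = 2^2 * 3^2 is 9-smooth, 100 is not
    print(pollard_p_minus_1(1081, 10))    # None: 23 = 2*11 + 1 and 47 = 2*23 + 1
```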
265
The Pollard ρ Algorithm
Let p be the smallest divisor of n. Suppose ∃ x, x' ∈ Z_n, s.t.
x ≠ x' and x ≡ x' (mod p).
Then p ≤ gcd(x − x', n) < n, so we obtain a non-trivial factor of n
by computing the gcd and not knowing p ahead.
Suppose we choose X ⊆ Z_n and
then compute gcd(x − x', n) for all distinct values x, x' ∈ X.
This can be analyzed using the birthday paradox:
if |X| ≈ 1.17 √p, then Pr[at least one collision] > 1/2.
To avoid computing (|X| choose 2) > p/2 gcd’s before finding a factor of n,
we often use a polynomial f(x) = x² + a (commonly a = 1)
and assume it behaves like a random mapping (heuristic analysis).
For x_1 ∈ Z_n we define a sequence x_1, x_2, . . . by x_j = f(x_{j−1}) mod n.
266
Pollard ρ Factoring Algorithm
Data: n, x_1
external f
x ← x_1
x' ← f(x) mod n
p ← gcd(x − x', n)
while p = 1
do
    x ← f(x) mod n
    x' ← f(x') mod n
    x' ← f(x') mod n
    p ← gcd(x − x', n)
if p = n
then return (“failure”)
else return (p)
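The ρ algorithm above, line for line, as an added Python example (mine, not from the slides): x advances one step and x' two steps per iteration, and the loop stops at the first gcd larger than 1. With the default f(x) = x² + 1 and x_1 = 2 it finds 97 in 8051 = 83 · 97 after three iterations, and applied to 10^64 + 1 from slides 272–273 it recovers the 10-digit factor reported there in a fraction of a second, while the two remaining factors are far beyond its reach. The constructed input 4 shows the "failure" exit (p = n).

```python
from math import gcd


def pollard_rho(n, x1=2, f=lambda x: x * x + 1):
    """Slide 266: x runs through x_j = f(x_{j-1}) mod n, x' runs at double speed;
    p = gcd(x - x', n) exceeds 1 as soon as x = x' (mod p) for a divisor p of n.
    Returns p, or None for the slide's 'failure' (p = n)."""
    x = x1
    xp = f(x) % n
    p = gcd(x - xp, n)
    while p == 1:
        x = f(x) % n                      # tortoise: one step
        xp = f(xp) % n                    # hare: two steps
        xp = f(xp) % n
        p = gcd(x - xp, n)
    return None if p == n else p


def rho_iterations(n, x1=2, f=lambda x: x * x + 1):
    """Same loop, but returns how many iterations the while loop ran (for the
    birthday-paradox estimate of about sqrt(p) steps)."""
    x, xp, count = x1, f(x1) % n, 0
    while gcd(x - xp, n) == 1:
        x, xp, count = f(x) % n, f(f(xp) % n) % n, count + 1
    return count


if __name__ == "__main__":
    print(pollard_rho(8051))                         # 97
    d = pollard_rho(10**64 + 1)
    print(d, (10**64 + 1) % d == 0, d % 128)         # 1265011073 True 1
```

The iteration count for 10^64 + 1 is on the order of √1265011073 ≈ 35 000, which matches the heuristic that the cost depends on the smallest prime factor p, not on n.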
267
Dixon’s Algorithm and the Quadratic Sieve
(x ≢ ±y (mod n), x² ≡ y² (mod n) ⟹ gcd(x − y, n) ≠ 1)
We put together a base of factors B = {p_1, . . . , p_B},
where p_i are “small” primes.
Let C be slightly larger than B (e.g. C = B + 10).
We find C congruences:
x_j² ≡ p_1^{α_{1,j}} × p_2^{α_{2,j}} × · · · × p_B^{α_{B,j}} (mod n), 1 ≤ j ≤ C.
Denote a_j := (α_{1,j} mod 2, . . . , α_{B,j} mod 2).
If we find a subset of {a_1, . . . , a_C}, in which the vectors sum to
(0, 0, · · · , 0) mod 2,
then the product of the corresponding x_j uses each factor from B an even number of times.
268
Example: n = 15770708441, B = {2, 3, 5, 7, 11, 13}
8340934156²  ≡ 3 × 7 (mod n),          a_1 = (0, 1, 0, 1, 0, 0)
2773700011²  ≡ 2 × 7 × 13 (mod n),     a_2 = (1, 0, 0, 1, 0, 1)
12044942944² ≡ 2 × 3 × 13 (mod n),     a_3 = (1, 1, 0, 0, 0, 1)
From a_1 + a_2 + a_3 = (0, 0, 0, 0, 0, 0) mod 2 it follows
(8340934156 × 2773700011 × 12044942944)² ≡ (2 × 3 × 7 × 13)² (mod n),
i.e., 9503435785² ≡ 546² (mod n)
and gcd(9503435785 − 546, 15770708441) = 115979.
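The whole Dixon procedure of slides 267–269 as an added Python example (mine, not from the slides): relations are searched among x_j = j + ⌊√n⌋ as in the quadratic-sieve remark, the parity vectors a_j are reduced by Gaussian elimination over GF(2) while tracking which relations were combined, and every dependency found is turned into x² ≡ y² (mod n) and tested with the gcd. The function names and the small demonstration modulus n = 1649 = 17 · 97 with base {2, 3, 5, 7} are my choices; `extra` is the slide's C − B.

```python
from math import gcd, isqrt


def smooth_exponents(m, base):
    """Exponent vector of m over the factor base, or None if m is not B-smooth."""
    if m <= 0:
        return None
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def find_relations(n, base, count):
    """Relations x_j^2 = prod p_i^alpha_ij (mod n) with x_j = j + floor(sqrt(n))."""
    rels, x = [], isqrt(n) + 1
    while len(rels) < count and x < n:
        exps = smooth_exponents(x * x % n, base)
        if exps is not None:
            rels.append((x, exps))
        x += 1
    return rels


def gf2_dependencies(vectors):
    """Gaussian elimination over GF(2) on the parity vectors a_j.
    Returns index sets whose vectors sum to (0, ..., 0) mod 2."""
    pivots, deps = {}, []                 # column -> (reduced row, combination mask)
    for i, vec in enumerate(vectors):
        row = sum(1 << c for c, a in enumerate(vec) if a % 2)
        combo = 1 << i                    # which original rows make up `row`
        while row:
            col = row.bit_length() - 1
            if col not in pivots:
                pivots[col] = (row, combo)
                break
            prow, pcombo = pivots[col]
            row ^= prow
            combo ^= pcombo
        if row == 0:
            deps.append([j for j in range(len(vectors)) if combo >> j & 1])
    return deps


def dixon(n, base, extra=10):
    """Combine each dependency into x^2 = y^2 (mod n); return gcd(x - y, n) if nontrivial."""
    rels = find_relations(n, base, len(base) + extra)
    for dep in gf2_dependencies([exps for _, exps in rels]):
        x, total = 1, [0] * len(base)
        for j in dep:
            x = x * rels[j][0] % n
            total = [t + e for t, e in zip(total, rels[j][1])]
        y = 1
        for p, e in zip(base, total):     # every exponent is even here
            y = y * pow(p, e // 2, n) % n
        if x not in (y, (-y) % n):        # x != +-y (mod n), as on slide 267
            d = gcd(x - y, n)
            if 1 < d < n:
                return d
    return None


if __name__ == "__main__":
    print(find_relations(1649, [2, 3, 5, 7], 2))   # 41^2 = 2^5, 43^2 = 2^3 * 5^2 (mod 1649)
    print(dixon(1649, [2, 3, 5, 7], extra=1))       # 17
```

With n = 1649 the first dependency is a_1 + a_2: x = 41 · 43 ≡ 114 and y = 2^4 · 5 = 80, so gcd(114 − 80, 1649) = 17. Dependencies with x ≡ ±y are skipped, which is why the slide asks for more relations than the minimum B + 1.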
269
• Linear dependency among vectors {a_1, a_2, . . . , a_C}
can be determined by the Gauss elimination.
• C ≥ B + 1, however, we prefer more distinct dependencies,
so that at least one will provide a factorization.
• Integers x_j, for which x_j² mod n can be factorized in B,
are searched in the set {x_j = j + ⌊√n⌋ | j = 1, 2, ...}
with the method quadratic sieve (Pomerance).
• If B is big, then there is a higher chance that
some integer can be factorized in B,
however, we need more congruences
to find a linear dependency (|B| ≈ e^{√(ln n ln ln n)}).
270
Factoring Algorithms in Practice
quadratic sieve        O(e^{√((1+o(1)) ln n ln ln n)})
elliptic curves        O(e^{√((1+o(1)) ln p ln ln p)})
number field sieve     O(e^{(1.92+o(1)) (ln n)^{1/3} (ln ln n)^{2/3}})
o(1) → 0, when n → ∞
p denotes the smallest prime factor of n
In the worst case, when p ≈ √n, the quadratic sieve and elliptic curves
have approximately the same time complexity, otherwise
the quadratic sieve is better.
271
Factorizations of large integers with quadratic sieve:
(n = p · q, p ≈ q)
year   integer    bits   method   remarks
1903   2^67 − 1   67              F. Cole (3 years during the Sundays)
1988              250    QS       100’s PCs, “factoring by e-mail”
1994   RSA-129    425    QS       1600 PCs, 8 months
1999   RSA-155    512    NFS      300 workstations + Cray; 5 months
2002   RSA-158    524    NFS      30 workstations + Cray; 3 months
2003   RSA-174    576    NFS
2005   RSA-200    663    NFS      (55 years on one workstation)
272
Fermat numbers:
2^{2^{11}} + 1   elliptic curves: 1988 (Brent)
2^{2^9} + 1      number field sieve: 1990 (Lenstra, Lenstra, Manasse, Pollard)
In 1997 Prof. Vidav asked the following question
(most probably in order to verify the current computing power of the desktops):
find the prime factors of 10^64 + 1
and gave a hint that all of them (if there are any) are of the form 128k + 1.
273
Most PC’s have found using Mathematica/Maple at least one factor:
1265011073,
the 55-digit remainder was causing the problems.
In Waterloo they had a fast machine
(CACR: Alpha ???) and a good library
(see http://www.informatik.th-darmstadt.de/TI/LiDIA/),
that found the remaining factors in 10 minutes:
15343168188889137818369 and
515217525265213267447869906815873.
274
5. Other Public-key cryptosystems
• ElGamal Cryptosystems and Massey-Omura Scheme
• Discrete Logarithm Problem (DLP) and Attacks on it
• Giant Step Baby Step Method
• The Pohlig-Hellman Algorithm
• The Index Calculus Method
• Security of Bits in DLP
• Finite Fields and Elliptic Curves
• The Elliptic Curve Cryptosystems
• The Merkle-Hellman Knapsack Cryptosystem
• The McEliece Cryptosystem
275
Public-Key Cryptography
In 1976 Whitfield Diffie and Martin Hellman
introduced the concept of public-key cryptography
(see the Institute of Electrical and Electronics Engineers Journal).
In contrast with symmetric systems this one uses two distinct keys:
the private and the public one (in Ch. 4 we introduced RSA from 1978).
Taher ElGamal (1985): encryption with public keys.
276
Discrete Logarithm Problem (DLP) (in a finite group G)
for given elements α, β ∈ G, where the order of the element α is n,
find x ∈ {0, . . . , n − 1}, such that α^x = β.
The integer x is called the discrete logarithm
with the base α of the element β.
The notation: log_α β or Ind_α β.
While the DLP is most probably difficult to calculate (in general),
we can calculate the power easily (an example of a one-way function).
Right now we do not know any polynomial algorithm for the DLP in Z_p.
277
ElGamal Protocols
They are divided into three classes: protocols for
1. a key-exchange,
2. a system of public keys,
3. a digital signature.
In cryptography we work with finite sets,
like on our watches (e.g. prime field Z_p).
Example: for p = 7 we have
4 + 5 = 2 and 5 × 4 = 6.
278
The two main reasons for the use of different groups are:
• calculation in some groups can be done faster in
software (or in hardware) than in other groups,
• the discrete logarithm problem in one group
may be harder than in other groups.
Let α ∈ G and a positive integer n the order of α
(i.e., α^n = 1 and α^k ≠ 1 for all k < n).
279
1. Key agreement (Diffie-Hellman)
Alice: private a, sends α^a ⟶ Bob;  Bob: private b, sends α^b ⟶ Alice.
Alice computes (α^b)^a, Bob computes (α^a)^b.
Alice and Bob are sharing a common element of the group:
(α^a)^b = (α^b)^a = α^{ab}.
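The exchange above in the prime field Z_p of slide 277, as an added Python example (mine, not from the slides), together with the order of an element as defined on slide 278, since a protocol implementation should confirm that α generates a large subgroup before using it. The function names and the sample parameters (p = 23, α = 5, private exponents 6 and 15) are my constructed choices, far too small for real use; the p = 7 check mirrors the slide 277 example.

```python
def element_order(alpha, p):
    """Order of alpha in Z_p^*: the least n >= 1 with alpha^n = 1 (mod p) (slide 278)."""
    if alpha % p == 0:
        raise ValueError("0 is not in Z_p^*")
    n, power = 1, alpha % p
    while power != 1:
        power = power * alpha % p
        n += 1
    return n


def diffie_hellman(p, alpha, a, b):
    """Slide 279: Alice sends alpha^a, Bob sends alpha^b; each raises what it
    received to its own private exponent. Returns (Alice's key, Bob's key)."""
    alice_sends = pow(alpha, a, p)        # goes over the channel
    bob_sends = pow(alpha, b, p)          # goes over the channel
    alice_key = pow(bob_sends, a, p)      # (alpha^b)^a
    bob_key = pow(alice_sends, b, p)      # (alpha^a)^b
    return alice_key, bob_key


if __name__ == "__main__":
    print((4 + 5) % 7, 5 * 4 % 7)         # 2 6, the slide 277 arithmetic
    print(element_order(5, 23))           # 22: 5 generates all of Z_23^*
    print(diffie_hellman(23, 5, 6, 15))   # (2, 2)
```

Only α^a and α^b travel over the channel; an observer who wants α^{ab} from them faces the DLP of slide 276, which is why the order of α (and hence the size of the subgroup the keys live in) matters.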