Download Prime Numbers, Diffie Hellman and RSA

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Addition wikipedia , lookup

Fermat's Last Theorem wikipedia , lookup

Proofs of Fermat's little theorem wikipedia , lookup

Quadratic reciprocity wikipedia , lookup

List of prime numbers wikipedia , lookup

Transcript 
Prime numbers for Cryptography
What this is going to cover
● Primes, products of primes and factorisation
● How to win a million dollars
● Generating small primes quickly
● How many primes are there and how many very
large numbers are prime ?
● Generating and testing very large primes
● Fermat primality testing
● Rabin Miller primality testing
● Rabin Miller software
●
What we're going to cover and why
Understanding how RSA asymmetric cryptography works requires some mathematics and computations involving prime
numbers. This concerns how large prime numbers can be generated, how many primes there are, and what we need to do in
order to find large prime numbers. It concerns whether it is
feasible for products of 2 large unknown prime numbers to be
factorised. We will make some use of modular arithmetic operations covered previously, particularly modular exponentiation.
As with modular arithmetic, prime number arithmetic is to do
with whole numbers, and not numbers with fractions.
Primes, products of primes and factorisation
A prime number has no factors other than itself and 1. A factor
F of N divides N exactly such that the remainder you get on
dividing N by F is zero, or N mod F = 0. The word mod
means the remaindering or modulus operation.
RSA considered secure because it is thought hard or impossible to factor products of 2 large prime numbers. Large
here means binary numbers with between 1024 and 4096 digits. A number with 1000 binary digits would have just over
300 decimal or 250 hexadecimal digits.
Multiplying large integers
Not having fractions simplifies the storage of these numbers
in computer memory.
To multiply 2 very large primes we will use the hardware binary integer multiplication instructions in our CPU combined
with long multiplication, to multiply two large binary prime
numbers together. This needs a programming library which
can handle large integers, because the 32 or 64 bit integer
types directly supported by hardware (or most programming
languages) are much too small. Long multiplication isn't as
fast as multiplying two 32 bit numbers together directly in
hardware to make a 64 bit one, but is fast enough.
Factorisation
How do we factorise a number N made by multiplying large
primes P and Q together ? One approach involves trying every
number I smaller or equal to the square root of N, starting with
2, and seeing if N mod I = 0. We add one to I each time we try
this, printing out any factors we find . We could speed this up
if we try dividing N by prime numbers starting with 2, and
stopping after the square root of N. This is because e.g. if 2
and 3 are not factors of N, then multiples of 2 or 3 can't be
either.
If we have a list of primes <= sqrt(N) to start with, this procedure can be made faster. This wouldn't help factorise products
of large primes, because we don't have enough computer
memory to store all primes greater than a few hundred billion.
How to make $1,000,000
All you have to do is work out how to factor the product of 2
randomly chosen primes each about 1024 bits long. The security of Internet commerce depends upon you not succeeding.
Your fame would enable you to earn this and more through
book sales and public speaking engagements. Anyone who
knew how to do this would have to be offered more than the
rewards of making a method public to keep it secret.
There is a prize on offer for this sum for whoever proves the Reimann hypothesis from the Clay Mathematical institute, which
might perhaps lead to a method of solving this problem.
Generating small primes using
Eratothenes Sieve
N = number to stop at e.g. 1000
Create list of numbers PP from 2 to N all possibly prime
X=2
While X <= √N :
A=X
While A.X <= N:
PP[A.X] = not prime
A = A+1
Find next prime X in PP (first item not marked not prime)
Print all items in PP except those marked not prime.
Eratothenes Sieve Animation
Try to get this list using the animation on
http://www.hbmeyer.de/eratclass.htm
The sieve function in Python
Running the sieve, printing results
Eratothenes program output
An infinity of prime numbers
Euclid proved the existence of an infinite number of primes in
300 BC as follows: Imagine there is a highest prime P. We
could then generate a product of all the primes 2.3.5.7 ... P = M
But then, either M+1 would be prime ( because M+1 mod 2 =
M+1 mod 3 = M+1 mod 5 ... = M+1 mod P = 1 ) or M+1
would have to be the product of 1 or more primes Q, R > P.
Either way primes higher than P must logically exist once we
imagine a highest prime P to exist. Therefore there is no highest
prime so an infinite number of prime numbers must exist.
We can't generate primes of infinite size. So the next question
concerns how easily can we find a prime of a size we choose by
generating random numbers.
How many primes exist below a given number ?
Source:http://en.wikipedia.org/wiki/Prime_number#Counting_the_number_of_prime_numbers_below_a_given_number
Even though the total number of primes is infinite, one could still
ask "Approximately how many primes are there below 100,000?",
or "How likely is a random 20-digit number to be prime?".
The prime-counting function π(x) is defined as the number of
primes up to x. There are known algorithms to compute exact values of π(x) faster than it would be possible to compute each prime
up to x. Values as large as π(1020) can be calculated quickly and
accurately with modern computers. Thus, e.g., π(100,000) =
9592, and π(1020) = 2,220,819,602,560,918,840.
For larger values of x, beyond the reach of modern equipment, the
prime number theorem provides a good estimate: π(x) is approximately x/ln(x). Even better estimates are known.
Prime frequency table
source: http://en.wikipedia.org/wiki/Prime_number_theorem
The column on the
right gives average gaps
between primes
of size x.
How to generate a large prime
To obtain a prime of about 300 decimal digits, generate 1024
random bits and append a 1 to the right hand end to ensure it is
odd. Test whether it is prime using a primality test e.g. Fermat
or Rabin Miller. If it isn't prime add 2 and try again. Repeat
until the number tests prime.
Extrapolating from the prime frequency table we expect one
odd number in 330 to be prime in this range, (because average
prime gaps are about 660). Or we could generate a new random number each time and try on average 330 times before
we find one, or if we are short of trusted entropy use a secure
pseudo-random generator seeded by the first random number.
The Fermat Primality Test
Based on Fermat's Little Theorem if p is prime and 1 <= a < p, then
ap-1 mod p = 1
To test if p is prime, pick random a's between 1 and p-1 and see if
this is true. If it isn't for any value of a, then p is definitely composite.
If it's true for many values of a, p is probably prime.
We might find no value of a where the test fails. Any a such that
an-1 mod n = 1 when n is composite is called a Fermat liar.
Some composites called Carmichael numbers will pass many of
these tests. They risk us thinking we have a prime which isn't one.
But these numbers occur so infrequently that generating the random
number locally reduces this risk to a tiny and known level. PGP uses
this test and has a risk of 1 in 1050 of finding such a non-prime randomly.
Source: https://en.wikipedia.org/wiki/Fermat_primality_test
Fermat Primality Algorithm
Inputs: n: a value to test for primality; k: a parameter that
determines the number of times to test for primality
Output: composite if n is composite, otherwise probably
prime
repeat k times:
pick a randomly in the range [1, n − 1]
if an-1 mod n != 1 then
return composite
return probably prime
source: https://en.wikipedia.org/wiki/Fermat_primality_test
This simple algorithm is adopted by PGP because Fermat's Little Theorem
is very well understood and proven. But other RSA implementations are
likely to use the more complex Rabin Miller test due to the lower risk of
finding composites which pass many such probabilistic tests.
The Rabin Miller primality test
This and the Fermat test are probabilistic and are run a number
of times to reduce the probability of a candidate prime being
composite to a very small level. Each Rabin Miller test reduces the probability of a candidate prime being composite to
1/4 of the previous value. A small witness number is used for
each cycle. Passing 64 tests reduces the probability of a random number being composite to 1/2128 . In practice most
composites report as such in a single pass.
The proof of this requires more advanced mathematics than is
needed to understand Fermat's Little Theorem. Proving either
of these ideas is beyond the scope of these notes.
Rabin Miller primality test pseudocode
source: http://en.wikipedia.org/wiki/Miller-Rabin_test
Input: n > 2, an odd integer to be tested for primality;
k, a parameter that determines the accuracy of the test
Output: composite if n is composite, otherwise probably prime
Write n − 1 as 2s·d with d odd by factoring powers of 2 from n − 1
LOOP: repeat k times:
pick a randomly in the range [2, n − 2]
x ← ad mod n
if x = 1 or x = n − 1 then do next LOOP
for r = 1 .. s − 1
x ← x2 mod n
if x = 1 then return composite
if x = n − 1 then do next LOOP
return composite
return probably prime
Rabin Miller Test software. rabinmiller.py
Sources for this and next slide obtained from: http://en.literateprograms.org/Miller-Rabin_primality_test_%28Python%29
With added comments and light modifications including extended test code Richard Kay, 22 November 2012
Miller Rabin test if n prime
Some Miller Rabin automated tests
Test Results
Using OpenSSL to confirm and provide
test data
The openssl command line tool used in the lab provides an alternative Rabin Miller test implementation. We can use this
reputable and much peer reviewed tool in order to generate
data for testing a new RM implementation. Example:
rich@saturn:~$ openssl prime
9293898234234219834721398723721342391419238424139728349
8234172139942317423921392173428317519
2D9FE6C6431358699F8490E1B3F2DF525DF375B5FC788690DF09B96E219DC46ED86CA74611D4F is not prime
rich@saturn:~$ openssl prime
9293898234234219834721398723721342391419238424139728349
8234172139942317423921392173428317521
2D9FE6C6431358699F8490E1B3F2DF525DF375B5FC788690DF09B96E219DC46ED86CA74611D51 is prime
The RSA protocol in brief 1
source: http://en.wikipedia.org/wiki/RSA
Here is an example of RSA encryption and decryption. The parameters
used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair.
The RSA protocol 2
source: http://en.wikipedia.org/wiki/RSA
That's a very quick summary. We will be looking at these
RSA calculations in more detail next lecture, and considering some possible attacks.
Further Reading
The recommended text (Ferguson, N. & Schneier, B.
(2003) Practical Cryptography, John Wiley & Sons.)
is suitable for more thorough study.
Links as starting points for on-line exploration:
https://en.wikipedia.org/wiki/Fermat_primality_test
http://en.literateprograms.org/Miller-Rabin_primality_test_%28Python%29
https://en.wikipedia.org/wiki/RSA_%28algorithm%29
https://en.wikipedia.org/wiki/Primes
Related documents
Year 7 Fractions Pretest
Year 7 Fractions Pretest
HELP SHEET 3.3 PRIME FACTORIZATION 24 3 4 2 2 X 2 X
HELP SHEET 3.3 PRIME FACTORIZATION 24 3 4 2 2 X 2 X
94 Ninety-Four XCIV
94 Ninety-Four XCIV
Factors, Multiples, Primes, Prime Factors, LCM and HCF
Factors, Multiples, Primes, Prime Factors, LCM and HCF
PDF
PDF
0 - Research 2
0 - Research 2
Lemma 2.8. Let p and q 1,q2, ..., qn all be primes and let k be a
Lemma 2.8. Let p and q 1,q2, ..., qn all be primes and let k be a
HW5ASOL
HW5ASOL
LCM - Wsfcs
LCM - Wsfcs
ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ
ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ ᴧ
Lesson #05 Prime Factorization
Lesson #05 Prime Factorization
Investigation
Investigation