Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
RSA cryptosystem--preview • Suppose n=pq and (n)=(p-1)(q-1), where p and q are big primes. • Select (find) a and b, such that ab=1 mod (n). • K=(n,p,q,a,b), publicize n,b, but keep p,q,a secret. • For any x,yZn , define – eK(x)= xb mod n (encryption) – dK(y)= ya mod n (decryption: (xb)a mod n=x) • Of course, from n,b, it is very difficult to get a (as well as p,q,(n)). RSA--implementation 1. Generate two large primes, p and q. 2. n pq and (n) (p-1)(q-1) 3. Chose a random b (1< b < (n)) such that gcd(b, (n))=1 4. a b-1 mod (n) 5. The public key is (n,b) and the private key is (p,q,a). Could you raise any questions about RSA? Questions about RSA • How to generate large primes? • How to compute the modular-exponentiation (encryption & decryption) efficiently? • RSA attack: attempt to factor n and how? • RSA uses numbers, therefore need encoding for normal text. RSA—primality testing • How to generate large primes? – Select a random large number – Test whether or not the number is a prime. • How often a random selected number is a prime? – Let (N) be the number of primes N. – Prime number theory: (N) N/lnN – Therefore the probability of a random number being a prime is 1/lnN – Suppose n = pq is 1024 bits, so p and q are 512 bits, 1/ln2512 1/355. RSA—primality testing • (yes-biased) Monte Carlo algorithm: – For yes-no decision problem – Random algorithm (randomly choose a number) – If the algorithm gives answer “yes”, it is always correct – It the answer is “no”, it may be incorrect. Therefore, may try several times such that the probability of the incorrectness for “no” is extremely small. Las Vegas algorithm: may not give answer, but any answer it gives is correct. Probabilistic algorithms: the algorithms which can be wrong in some cases (i.e., probably, or with certain probability) RSA—primality testing • (yes-biased) Monte Carlo algorithm: – Solovay-Strassen algorithm – Miller-Rabin algorithm • A good news: confirmed primality testing algorithm – By three Indian scientists. Solovay-Strassen primality test • Given integer n, is n a composite? – – – – – Choose a random integer a ( 1 < a < n) x ( a ) n If x=0 then return “yes” (n is a composite) y a(n-1)/2 (mod n) If x y (mod n) • then return “no” (n is a prime) (of course maybe incorrect) • else return “yes” (n is a composite). Solovay-Strassen primality test • The proof of the algorithm a – If n is a prime, the( n ) a(n-1)/2 mod n for any a – If n is a composite, a • then for some a, ( n ) a(n-1)/2 , Call n to be an Euler 45 pseudo-prime to base a. For example, ( 10 = -1 10 ) 91 mod 91. • but others not. • At most half of a Zn* , n is a pseudo-prime to a. • So error probability is at most ½. – Test k different a, (1/2)k. RSA attacks • Computing (n)– no easier than factoring n. • Decryption Exponent a—no easier than factoring n • So the security of RSA is based on the difficulty of factorization of large numbers. • Factoring algorithms – Trial division– up to n – Pollard p-1 algorithm RSA attack—Pollard p-1 algorithm • Given n, and select a random B (not too big) –a2 – For j=2 to B • a aj mod n – d gcd(a-1,n) – If d > 1 • then return d (d is a factor of n) • else return ‘failure’. The correctness of p-1 algorithm 1. 2. 3. 4. 5. 6. 7. Suppose p is a prime factor of n, Assume for all q, q≤B, q is (power of) a prime factor of p-1. Then p-1| B!, suppose B! = (p-1)t. The final a2B! mod n, since p|n, so a2B! mod p We know, 2p-1 1 mod p, so a2B! mod p = 2(p-1)t mod p 1t mod p 1 mod p So p | (a-1), thus p|gcd(a-1,n) Conclusion: if p or q of factors of n is not selected in a correct way, n will be easily factored. P-1 example • • • • n=15770708441, B=180 Then a = 11620221425, and d=135979. As a result: 15770708441 =135979*115979 Here 135978 =2*3*131*173 RSA summary • RSA principle • RSA implementation – Generate large primes – Compute xc mod n – square-and-multiply • RSA attacks • Conclusion: p and q must be appropriately selected large primes.