
Security of Number Theoretic Public Key Cryptosystems against Random Attack


Presentation Transcript


  1. Security of Number Theoretic Public Key Cryptosystems against Random Attack Paper by: Rob Blakley and G.R. Blakley Presentation by: Jason Bourg

  2. Historical Aspect • Paper written in 1978 • Then • 0 < log(p) < 19,937 • 4.3 x 10^6001 • Now • 0 < log(p) < 13,466,917 • 2^144000 = 2.0 x 10^43348

  3. Overview • Introduction • The RSA number theoretic method • The background in modular arithmetic • Coding moduli which are products of distinct safe primes • Complementarity properties of safe primes

  4. Overview • The directorate and the message receiver in an RSA public key cryptosystem • The cryptanalyst and the sender in an RSA public key cryptosystem • Summary

  5. 1. Introduction Public Key Cryptosystems • Concentrate on RSA • Goal of receiver: • Produce lists (c, d, m) of three positive integers where x^(cd) = x mod(m) holds for every integer x

  6. Square Free m Please • c and d > 1 exist if and only if m is square free • What is square free? • A positive integer m is square free if and only if it is the product of distinct primes belonging to some finite set T of primes.

  7. 2. The RSA number theoretic method • Same stuff we talked about in class

  8. 3. The background in modular arithmetic • Let Y be a finite set of pairwise relatively prime positive integers. Let m be the product of the members of Y. Then cyc[x,m] = LCM {cyc[x,y] | y ∈ Y} • 9 lemmas • 6 theorems • 3 corollaries

  9. 4. Coding moduli which are products of distinct safe primes • p – 1 and q – 1 should have large prime factors • Safe primes • p is safe if there is an odd prime a such that 2a + 1 = p • More bad math • 2 lemmas • 5 theorems • 2 corollaries

  10. 5. Complementarity properties of safe primes • Suppose p and q are safe primes whose product is m • Finding one nontrivial pair x, e such that x^e = x mod(m) lets one factor m • If x is small then e must be large, and conversely

  11. 6. The directorate and the message receiver in an RSA public key cryptosystem • If the directorate chooses a width w > 2 • It allows every message receiver N to pick primes p(N) and q(N) at random such that g < log(p(N)) < g + 1 < g + w / 2 < g + w < log(q(N)) < g + 3w / 2

  12. 6. cont. • This guarantees that 2g < 2g + w < log(p(N)q(N)) < 2g + 2w and 2p(N) < q(N) • Whence random search for factors of m = p(N)q(N) near sqrt(m) becomes expensive if g gets large

  13. 6. cont. • Assuming w > 2 the directorate will • Choose at random an odd positive integer a such that g – 1 < log(a) < g + w / 2 – 1 • Form • GCD(r, a) and GCD(r, 2a+1) for every prime r <= u. • GCD(a, (u-1)/2) If any of these numbers is unequal to 1, forget a and return to step 1

  14. 6. cont. • Test whether a and 2a+1 are both prime to all intents and purposes. If either is demonstrably composite, forget a and return to step 1. • Choose at random an odd positive integer b such that: g + w – 1 < log(b) < g + 3w / 2 – 1

  15. 6. cont. • Form • GCD{r,b} and GCD{r,2b+1} for every prime r <= u. • GCD{b, (u-1) / 2} If any of these numbers is unequal to 1, forget b and return to step 4. • Test whether b and 2b+1 are both prime to all intents and purposes. If either is demonstrably composite, forget b and return to step 4.

  16. 6. cont. • Form • GCD{a,b} • GCD{a, 2b+1} • GCD{2a+1,b} • GCD{2a+1, 2b+1} If any of these numbers is unequal to 1, forget a and b and return to step 1.

  17. 6. cont. • Solve the six pairs of simultaneous linear congruences • A ≡ 0 mod(2a + 1) and A ≡ 1 mod(2b + 1) • B ≡ 1 mod(2a + 1) and B ≡ 0 mod(2b + 1) • C ≡ 0 mod(2a + 1) and C ≡ -1 mod(2b + 1) • D ≡ -1 mod(2a + 1) and D ≡ 0 mod(2b + 1) • E ≡ 1 mod(2a + 1) and E ≡ -1 mod(2b + 1) • F ≡ -1 mod(2a + 1) and F ≡ 1 mod(2b + 1)

  18. 6. cont. • cont. • Examine the Hollerith character typescripts which correspond to A, B, C, D, E, and F. • If all six of these typescripts are hopeless gibberish, go on to step 9. Otherwise forget a and b and go back to step 1.

  19. 6. cont. • Let • p(N) = 2a + 1 • q(N) = 2b + 1 • m(N) = p(N)q(N) = (2a + 1)(2b + 1) • a(p(N)) = a • a(q(N)) = b • v = 2ab

  20. 6. cont. • Comments on Step 9 • The receiver N now knows that m(N) is square free if both p(N) and q(N) are square free. • The receiver believes that the integers a(p(N)), a(q(N)), p(N), q(N) are all primes. • This belief need not be correct.

  21. 6. cont. • Solve the linear congruence ud ≡ 1 mod(v) for d. • Call its smallest positive integer solution d(N) • Send the list (N, m(N)) to the directorate for inclusion as a listing in the directory. • Keep p(N), q(N), and d(N) secret.
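
The key-generation procedure of slides 13 to 21, carried through at toy size as an added example (not code from the paper or the presentation). It shows that v = 2ab inverts the exponent u for every message, and that the six values A to F of slide 17 are messages that encrypt to themselves. Assumptions: log is base 2, u = 17, g = 16 and w = 4 are illustrative values, Miller-Rabin stands in for the "prime to all intents and purposes" test, the human inspection of the Hollerith typescripts is left out, and all function names are hypothetical.

```python
import math, random
U = 17   # assumed public exponent u (the slides leave its value open)
SMALL = [r for r in range(2, U + 1) if all(r % k for k in range(2, r))]  # primes r <= u

def probably_prime(n):
    """Miller-Rabin, standing in for 'prime to all intents and purposes'."""
    if n < 2 or any(n % r == 0 for r in SMALL):
        return n in SMALL
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for base in (2, 3, 5, 7, 11, 13):
        y = pow(base, t, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False          # no square root of 1 was hit: n is composite
    return True

def pick_half(lo, hi, rng):
    """Slides 13-15: random odd a, lo < log2(a) < hi, with a and 2a+1 both prime."""
    while True:
        a = rng.randrange(2**lo + 1, 2**hi, 2)
        sieved = all(math.gcd(r, a) == 1 and math.gcd(r, 2*a + 1) == 1 for r in SMALL)
        if (sieved and math.gcd(a, (U - 1) // 2) == 1
                and probably_prime(a) and probably_prime(2*a + 1)):
            return a

def crt(r1, m1, r2, m2):  # the x mod m1*m2 with x = r1 (mod m1) and x = r2 (mod m2)
    return (r1 + m1 * ((r2 - r1) * pow(m1, -1, m2) % m2)) % (m1 * m2)

def generate_key(g=16, w=4, seed=1978):
    rng = random.Random(seed)             # seeded only to make the demo repeatable
    while True:
        a = pick_half(g - 1, g + w // 2 - 1, rng)
        b = pick_half(g + w - 1, g + 3 * w // 2 - 1, rng)
        p, q = 2*a + 1, 2*b + 1
        if all(math.gcd(s, t) == 1 for s in (a, p) for t in (b, q)):  # slide 16
            break
    # Slide 17: A..F are 0, 1 or -1 modulo p and q, so x**U == x (mod m) for odd U.
    fixed = [crt(x, p, y, q) for x, y in
             ((0, 1), (1, 0), (0, -1), (-1, 0), (1, -1), (-1, 1))]
    v = 2 * a * b                         # slide 19
    d = pow(U, -1, v)                     # slide 21: u*d = 1 (mod v)
    return {"p": p, "q": q, "m": p * q, "v": v, "d": d, "fixed": fixed}
```

Real parameters would use a cryptographically secure random source and far larger g; the fixed seed and 16-bit g exist only so the run is repeatable and fast.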

  22. 7. The cryptanalyst and the sender in an RSA public key cryptosystem. • Eve needs to factor m….hard. • Same as in class, nice and secure.

  23. 8. Summary • RSA is strong because it is hard to factor m. • Essential you pick your numbers correctly. • These guys must have known what they were talking about since RSA is still strong today. Questions?
