RSA cryptosystem--preview
• Suppose $n = pq$ and $\varphi(n) = (p-1)(q-1)$, where p and q are big primes.
• Select (find) a and b such that $ab \equiv 1 \pmod{\varphi(n)}$.
• $K = (n, p, q, a, b)$; publicize n, b, but keep p, q, a secret.
• For any $x, y \in \mathbb{Z}_n$, define
  • $e_K(x) = x^b \bmod n$ (encryption)
  • $d_K(y) = y^a \bmod n$ (decryption: $(x^b)^a \bmod n = x$)
• Of course, from n, b it is very difficult to get a (as well as p, q, $\varphi(n)$).

RSA--implementation
• Generate two large primes, p and q.
• $n \leftarrow pq$ and $\varphi(n) \leftarrow (p-1)(q-1)$
• Choose a random b ($1 < b < \varphi(n)$) such that $\gcd(b, \varphi(n)) = 1$
• $a \leftarrow b^{-1} \bmod \varphi(n)$
• The public key is (n, b) and the private key is (p, q, a).
Could you raise any questions about RSA?

Questions about RSA
• How to generate large primes?
• How to compute the modular exponentiation (encryption & decryption) efficiently?
• RSA attack: attempt to factor n, and how?
• RSA operates on numbers, so normal text needs an encoding.

RSA—primality testing
• How to generate large primes?
  • Select a random large number.
  • Test whether or not the number is a prime.
• How often is a randomly selected number a prime?
  • Let $\pi(N)$ be the number of primes $\le N$.
  • Prime number theorem: $\pi(N) \approx N / \ln N$
  • Therefore the probability of a random number being a prime is $1 / \ln N$.
  • Suppose n = pq is 1024 bits, so p and q are 512 bits: $1 / \ln 2^{512} \approx 1/355$.

RSA—primality testing
• (yes-biased) Monte Carlo algorithm:
  • For a yes-no decision problem
  • Randomized algorithm (randomly chooses a number)
  • If the algorithm gives the answer “yes”, it is always correct.
  • If the answer is “no”, it may be incorrect. Therefore, one may try several times so that the probability of an incorrect “no” is extremely small.
Las Vegas algorithm: may not give an answer, but any answer it gives is correct.
Probabilistic algorithms: algorithms which can be wrong in some cases (i.e., probably, or with certain probability).

RSA—primality testing
• (yes-biased) Monte Carlo algorithm:
  • Solovay-Strassen algorithm
  • Miller-Rabin algorithm
• Good news: a confirmed primality testing algorithm
  • By three Indian scientists.

Solovay-Strassen primality test
• Given integer n, is n a composite?
• Choose a random integer a ($1 < a < n$)
• $x \leftarrow \left(\frac{a}{n}\right)$ (the Jacobi symbol)
• If x = 0 then return “yes” (n is a composite)
• $y \leftarrow a^{(n-1)/2} \pmod{n}$
• If $x \equiv y \pmod{n}$
  • then return “no” (n is a prime) (of course maybe incorrect)
  • else return “yes” (n is a composite).

Solovay-Strassen primality test
• The proof of the algorithm
  • If n is a prime, then $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod{n}$ for any a.
  • If n is a composite,
    • then for some a, $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod{n}$. In that case n is called an Euler pseudo-prime to base a. For example, $\left(\frac{10}{91}\right) = -1 \equiv 10^{45} \pmod{91}$.
    • but for others not.
  • For at most half of the $a \in \mathbb{Z}_n^*$, n is a pseudo-prime to a.
  • So the error probability is at most ½.
  • Test k different a: $(1/2)^k$.

RSA attacks
• Computing $\varphi(n)$: no easier than factoring n.
• Decryption exponent a: no easier than factoring n.
• So the security of RSA is based on the difficulty of factorization of large numbers.
• Factoring algorithms
  • Trial division: up to $\sqrt{n}$
  • Pollard p-1 algorithm

RSA attack—Pollard p-1 algorithm
• Given n, and select a random B (not too big)
• $a \leftarrow 2$
• For j = 2 to B
  • $a \leftarrow a^j \bmod n$
• $d \leftarrow \gcd(a-1, n)$
• If d > 1
  • then return d (d is a factor of n)
  • else return ‘failure’.

The correctness of p-1 algorithm
• Suppose p is a prime factor of n.
• Assume every prime power q that divides p-1 satisfies q ≤ B.
• Then $(p-1) \mid B!$; suppose $B! = (p-1)t$.
• The final $a \equiv 2^{B!} \pmod{n}$; since $p \mid n$, also $a \equiv 2^{B!} \pmod{p}$.
• We know $2^{p-1} \equiv 1 \pmod{p}$, so
  • $a \equiv 2^{B!} \equiv 2^{(p-1)t} \equiv 1^t \equiv 1 \pmod{p}$
• So $p \mid (a-1)$, thus $p \mid \gcd(a-1, n)$.
Conclusion: if the factors p or q of n are not selected in a correct way, n will be easily factored.

P-1 example
• n = 15770708441, B = 180
• Then a = 11620221425, and d = 135979.
• As a result: 15770708441 = 135979 × 115979
• Here 135978 = 2 × 3 × 131 × 173

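The p-1 algorithm and the numbers of the example above, as an added Python example (not part of the original slides); the helper names `pollard_p_minus_1`, `largest_prime_power` and `resists_bound` are assumptions introduced here. It goes one step beyond the slides by also testing, for each prime factor, the smoothness condition from the correctness argument, which is the check a key generator would apply to a candidate prime, and it treats d = n as a failure as well.

```python
from math import gcd

def pollard_p_minus_1(n, B):
    """Slide algorithm: return (a, d); d is None when no split is found."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)              # after the loop, a = 2^(B!) mod n
    d = gcd(a - 1, n)
    # d == 1: nothing found at this B; d == n: all factors caught at once
    return a, (d if 1 < d < n else None)

def largest_prime_power(m):
    """Largest prime power dividing m, by trial division (toy sizes only)."""
    best, q = 1, 2
    while q * q <= m:
        power = 1
        while m % q == 0:
            m //= q
            power *= q
        best = max(best, power)
        q += 1
    return max(best, m)               # a leftover m > 1 is itself prime

def resists_bound(p, B):
    """True if p-1 has a prime-power factor above B, so the slides'
    sufficient condition for the p-1 attack with bound B does not hold."""
    return largest_prime_power(p - 1) > B

if __name__ == "__main__":
    n, B = 15770708441, 180           # numbers from the slide example
    a, d = pollard_p_minus_1(n, B)
    print("d =", d, "cofactor =", n // d)
    for p in (d, n // d):
        print(p, "largest prime power of p-1:", largest_prime_power(p - 1),
              "resists B:", resists_bound(p, B))
```

The factor 135979 falls out because every prime power of 135978 is at most 173 ≤ 180, while the cofactor 115979 has 115978 = 2 × 103 × 563, and 563 exceeds the bound.
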
RSA summary
• RSA principle
• RSA implementation
  • Generate large primes
  • Compute $x^c \bmod n$: square-and-multiply
• RSA attacks
• Conclusion: p and q must be appropriately selected large primes.