Transcript Document
RSA cryptosystem--preview
• Suppose n=pq and (n)=(p-1)(q-1), where p and q are
big primes.
• Select (find) a and b, such that ab=1 mod (n).
• K=(n,p,q,a,b), publicize n,b, but keep p,q,a secret.
• For any x,yZn , define
– eK(x)= xb mod n (encryption)
– dK(y)= ya mod n (decryption: (xb)a mod n=x)
• Of course, from n,b, it is very difficult to get a (as well as
p,q,(n)).
RSA--implementation
1. Generate two large primes, p and q.
2. n pq and (n) (p-1)(q-1)
3. Chose a random b (1< b < (n)) such that
gcd(b, (n))=1
4. a b-1 mod (n)
5. The public key is (n,b) and the private key
is (p,q,a).
Could you raise any questions about RSA?
Questions about RSA
• How to generate large primes?
• How to compute the modular-exponentiation
(encryption & decryption) efficiently?
• RSA attack: attempt to factor n and how?
• RSA uses numbers, therefore need encoding
for normal text.
RSA—primality testing
• How to generate large primes?
– Select a random large number
– Test whether or not the number is a prime.
• How often a random selected number is a prime?
– Let (N) be the number of primes N.
– Prime number theory: (N) N/lnN
– Therefore the probability of a random number being a
prime is 1/lnN
– Suppose n = pq is 1024 bits, so p and q are 512 bits,
1/ln2512 1/355.
RSA—primality testing
• (yes-biased) Monte Carlo algorithm:
– For yes-no decision problem
– Random algorithm (randomly choose a
number)
– If the algorithm gives answer “yes”, it is
always correct
– It the answer is “no”, it may be incorrect.
Therefore, may try several times such that the probability of
the incorrectness for “no” is extremely small.
Las Vegas algorithm: may not give answer, but any answer it gives is correct.
Probabilistic algorithms: the algorithms which can be wrong in
some cases (i.e., probably, or with certain probability)
RSA—primality testing
• (yes-biased) Monte Carlo algorithm:
– Solovay-Strassen algorithm
– Miller-Rabin algorithm
• A good news: confirmed primality testing
algorithm
– By three Indian scientists.
Solovay-Strassen primality test
• Given integer n, is n a composite?
–
–
–
–
–
Choose a random integer a ( 1 < a < n)
x ( a )
n
If x=0 then return “yes” (n is a composite)
y a(n-1)/2 (mod n)
If x y (mod n)
• then return “no” (n is a prime) (of course maybe incorrect)
• else return “yes” (n is a composite).
Solovay-Strassen primality test
• The proof of the algorithm
a
– If n is a prime, the( n ) a(n-1)/2 mod n for any a
– If n is a composite,
a
• then for some a, ( n ) a(n-1)/2 , Call n to be an Euler
45
pseudo-prime to base a. For example, ( 10
=
-1
10
)
91
mod 91.
• but others not.
• At most half of a Zn* , n is a pseudo-prime to a.
• So error probability is at most ½.
– Test k different a, (1/2)k.
RSA attacks
• Computing (n)– no easier than factoring n.
• Decryption Exponent a—no easier than
factoring n
• So the security of RSA is based on the
difficulty of factorization of large numbers.
• Factoring algorithms
– Trial division– up to n
– Pollard p-1 algorithm
RSA attack—Pollard p-1 algorithm
• Given n, and select a random B (not too big)
–a2
– For j=2 to B
• a aj mod n
– d gcd(a-1,n)
– If d > 1
• then return d (d is a factor of n)
• else return ‘failure’.
The correctness of p-1 algorithm
1.
2.
3.
4.
5.
6.
7.
Suppose p is a prime factor of n,
Assume for all q, q≤B, q is (power of) a prime factor of p-1.
Then p-1| B!, suppose B! = (p-1)t.
The final a2B! mod n, since p|n, so a2B! mod p
We know, 2p-1 1 mod p, so
a2B! mod p = 2(p-1)t mod p 1t mod p 1 mod p
So p | (a-1), thus p|gcd(a-1,n)
Conclusion: if p or q of factors of n is not selected in a correct way,
n will be easily factored.
P-1 example
•
•
•
•
n=15770708441, B=180
Then a = 11620221425, and d=135979.
As a result: 15770708441 =135979*115979
Here 135978 =2*3*131*173
RSA summary
• RSA principle
• RSA implementation
– Generate large primes
– Compute xc mod n – square-and-multiply
• RSA attacks
• Conclusion: p and q must be appropriately
selected large primes.