Cryptography
Lecture 8: Primality Testing and Factoring
Piotr Faliszewski
Previous Class: Attacks on RSA
Known digits attacks, low exponent attacks, short plaintext attacks, timing attacks
Practical RSA: exponentiation modulo n, primality testing
Factoring and Primality Testing
Factoring
  Input: n ∈ N
  Output: a nontrivial factor of n
Primality testing
  Input: n ∈ N
  Output: "the number is composite" or "the number is probably prime"
Is there a difference? Yes! Primality testing is much easier:
you do not need to factor the number to see that it is composite.
Miller-Rabin Test
Generalization of Fermat's test
Principle: if p is a prime then
  x^2 ≡ 1 (mod p)
has only two solutions: x ≡ 1 and x ≡ -1
Why does the principle hold?
Gist of the MR test: find a number b such that b^2 ≡ 1 (mod n).
If b ∉ {-1, 1} then n is composite.
Miller-Rabin Test
MR(int n):
  let n-1 = 2^k · m  (m odd)
  a = random in {2, 3, ..., n-2}
  b_0 = a^m (mod n)
  if b_0 ≡ ±1 (mod n) then declare prime
  for j = 1 to k-1 do
    b_j = b_{j-1}^2 (mod n)
    if b_j ≡ 1 (mod n) then declare composite
    if b_j ≡ -1 (mod n) then declare prime
  declare composite
What are we doing?
b_0 = a^m (mod n)
b_1 = a^(2m) (mod n)
b_2 = a^(4m) (mod n)
...
b_j = a^(2^j · m) (mod n)
...
b_{k-1} = a^((n-1)/2) (mod n)
Miller-Rabin Test: Examples
n = 5·7·11 = 385
n - 1 = 384 = 2^7 · 3, so k = 7, m = 3
a = 9
b_0 = 9^3 ≡ 344 (mod 385)
b_1 = 9^(3·2) ≡ 141 (mod 385)
b_2 = 9^(3·2^2) ≡ 246 (mod 385)
b_3 = 9^(3·2^3) ≡ 71 (mod 385)
b_4 = 9^(3·2^4) ≡ 36 (mod 385)
b_5 = 9^(3·2^5) ≡ 141 (mod 385)
(no b_j is ±1, so the test declares composite)

n = 3·11·17 = 561
n - 1 = 560 = 2^4 · 35, so k = 4, m = 35
a = 2
b_0 = 2^35 ≡ 263 (mod 561)
b_1 = 2^(35·2) ≡ 166 (mod 561)
b_2 = 2^(35·2^2) ≡ 67 (mod 561)
b_3 = 2^(35·2^3) ≡ 1 (mod 561)
Proof of compositeness!
Miller-Rabin Test: Examples
n = 401
n - 1 = 400 = 2^4 · 25, so k = 4, m = 25
a = 3
b_0 = 3^25 ≡ 268 (mod 401)
b_1 = 3^(25·2) ≡ 45 (mod 401)
b_2 = 3^(25·2^2) ≡ 20 (mod 401)
b_3 = 3^(25·2^3) ≡ 400 ≡ -1 (mod 401)

n = 401
n - 1 = 400 = 2^4 · 25, so k = 4, m = 25
a = 2
b_0 = 2^25 ≡ 356 (mod 401)
b_1 = 2^(25·2) ≡ 20 (mod 401)
b_2 = 2^(25·2^2) ≡ 400 ≡ -1 (mod 401)
Evidence of primality!
Miller-Rabin Test: Why this works
n - 1 = 2^k · m
b_0 = a^m, b_1 = a^(2m), b_2 = a^(4m), ..., b_j = a^(2^j · m), ..., b_{k-1} = a^((n-1)/2)  (all mod n)
If b_0 ≡ ±1 (mod n): all b_i (i > 0) will be 1, so we can't find nontrivial roots of 1.
For i ∈ {1, ..., k-1}:
  if b_i ≡ 1 (mod n) then b_{i-1} is neither 1 nor -1 (otherwise the test would already have stopped), yet b_{i-1}^2 ≡ 1 (mod n): we found a nontrivial root of 1.
  if b_i ≡ -1 (mod n) then b_{i+1} through b_k are all 1 (mod n): we can't find nontrivial roots of 1.
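As an added worked example (my code, not the lecture's), the MR procedure from the slide in Python. `miller_rabin_trace` returns the verdict together with the sequence b_0, b_1, ... so that the four examples above (385 with a = 9, 561 with a = 2, 401 with a = 3 and a = 2) can be reproduced, and `is_probable_prime` repeats the test with independent random bases, which is how the per-round error bound is driven down in practice. Function names are mine.

```python
import random

# Added example, not code from the lecture.


def split_power_of_two(n_minus_1):
    """Write n-1 = 2^k * m with m odd; returns (k, m)."""
    k, m = 0, n_minus_1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def miller_rabin_trace(n, a):
    """One round of the slide's MR(n) with a fixed base a.

    Returns (verdict, [b_0, b_1, ...]) where verdict is "prime" (meaning
    'probably prime', no evidence of compositeness found) or "composite".
    """
    k, m = split_power_of_two(n - 1)
    b = pow(a, m, n)                 # b_0 = a^m (mod n)
    trace = [b]
    if b in (1, n - 1):              # b_0 = ±1: no nontrivial root of 1 can follow
        return "prime", trace
    for _ in range(1, k):            # j = 1 .. k-1
        b = b * b % n                # b_j = b_{j-1}^2 (mod n)
        trace.append(b)
        if b == 1:                   # b_{j-1} was a nontrivial square root of 1
            return "composite", trace
        if b == n - 1:               # reached -1: everything after it is 1
            return "prime", trace
    # never hit ±1: a^(n-1) != 1 (mod n), so n fails Fermat's test as well
    return "composite", trace


def is_probable_prime(n, rounds=20, rng=random):
    """Repeat MR with independent random bases a in {2, ..., n-2}.

    A composite n survives one round with probability at most 1/4, so the
    chance of a wrong "prime" after `rounds` rounds is at most 4^-rounds.
    """
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_trace(n, a)[0] == "composite":
            return False
    return True


if __name__ == "__main__":
    for n, a in ((385, 9), (561, 2), (401, 3), (401, 2)):
        verdict, trace = miller_rabin_trace(n, a)
        print(f"n={n} a={a}: b_j = {trace} -> {verdict}")
    for n in (385, 561, 401):
        print(n, "probable prime" if is_probable_prime(n) else "composite")
```

Note that 561 is a Carmichael number: it passes Fermat's test for every base coprime to it, yet the trace for a = 2 ends in a nontrivial root of 1 and MR catches it.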
Miller-Rabin Test: Quality
The MR test is probabilistic. Answer:
  composite – the number is certainly composite
  prime – the number is prime with high probability
Errors: MR(n) says prime but n is composite; Pr[error] ≤ 1/4.
Repeat the test to reduce the probability of error.
Other Primality Tests
Solovay-Strassen test: similar in nature to MR, uses the so-called Jacobi symbol; fast in practice; probabilistic.
Deterministic test: Agrawal, Kayal, and Saxena (2002); extremely slow.
Tests that prove primality (MR proves compositeness!): fairly slow; needed in very few cases.
Factoring
Huge amount of work on factoring! We look at some simple algorithms.
Some of the best algorithms, with their running times:
  quadratic sieve: O(e^((1+o(1)) sqrt(ln n · ln ln n)))
  elliptic curve method: O(e^((1+o(1)) sqrt(ln p · ln ln p))), p – the prime factor found
  number field sieve: O(e^((1.92+o(1)) (ln n)^(1/3) (ln ln n)^(2/3)))
Assumption: factor an odd integer; produce one factor (how to get all of them?)
Factoring
Input: n ∈ N
Output: a nontrivial factor of n
There are about π(n) ≈ n / ln n primes ≤ n.
Trivial methods: divide by all numbers in {2, ..., n-1}, or by all primes p with p ≤ sqrt(n).
These are exponential (in the bit length of n)!
Fermat's Method
The principle: express n as a difference of squares
  n = x^2 - y^2
  n = (x-y)(x+y)
The algorithm: compute n + i^2 for i ∈ {1, 2, ...}; stop when n + i^2 is a square
(i.e., x^2 = n + i^2). Then we have n = x^2 - i^2.
Examples
15 = 4^2 - 1^2 = (4-1)(4+1) = 3·5
21 = 5^2 - 2^2 = 25 - 4 = (5-2)(5+2) = 3·7
Fermat's Method: Performance
Performance depends on the distance between x and y; could be very slow!
Conclusion for RSA: p and q should differ by a large value.
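Added example (my code, not the lecture's): Fermat's method as on the slide, returning the step count i at which n + i^2 became a square, so the remark about the distance between x and y can be checked on a modulus with close factors against one with distant factors. The moduli 1009·1013 and 101·1009 are constructed for the comparison.

```python
from math import isqrt

# Added example, not code from the lecture.


def fermat_factor(n):
    """Fermat's method for odd n: find the first i with n + i^2 = x^2.

    Returns (x - i, x + i, i); since n = (x-i)(x+i) the first two values are
    factors of n. For a prime n the loop only ends at the trivial split 1 * n,
    after (n-1)/2 steps.
    """
    if n % 2 == 0:
        raise ValueError("Fermat's method is for odd n")
    r = isqrt(n)
    if r * r == n:                  # n itself a square: i = 0 case the slide skips
        return r, r, 0
    i = 0
    while True:
        i += 1
        s = n + i * i
        x = isqrt(s)
        if x * x == s:
            return x - i, x + i, i


if __name__ == "__main__":
    for n in (15, 21, 77):
        print(n, "->", fermat_factor(n))
    # close primes: p = 1009, q = 1013 (constructed example)
    print(1009 * 1013, "->", fermat_factor(1009 * 1013))
    # distant primes: p = 101, q = 1009 (constructed example)
    print(101 * 1009, "->", fermat_factor(101 * 1009))
```

For n = pq the method succeeds at i = (q - p)/2, so the number of steps grows linearly with the gap between the factors: two steps for 1009·1013, 454 for 101·1009.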
Pollard's p-1 Method
The method
  input: n
  choose a > 1 (e.g., a = 2)
  choose B
  let b = a^(B!) (mod n)
  d = gcd(b - 1, n)
  d is a factor of n
Goal of the method: factor n = pq ... provided p-1 has only small prime factors.
Example
n = 7·11 = 77, a = 2, B = 4, B! = 2·3·4 = 24
b = 2^24 ≡ 71 (mod 77); gcd(b-1, n) = gcd(70, 77) = 7
Example (B too small)
n = 7·11 = 77, a = 2, B = 2, B! = 2
b = 2^2 = 4 (mod 77); gcd(b-1, n) = gcd(3, 77) = 1
Example (B too big)
n = 7·11 = 77, a = 2, B = 6, B! = 2·3·4·5·6 = 720
b = 2^720 ≡ 1 (mod 77); gcd(b-1, n) = gcd(0, 77) = 77
Pollard's p-1 Method: How to compute a^(B!)
In symbols:
  b_1 = a (mod n)
  b_2 = b_1^2 (mod n)
  ...
  b_i = b_{i-1}^i (mod n)
  ...
B! can be very big: 5! = 120, 6! = 720, 10! = 3628800, 20! = 2432902008176640000
n! has about n log2 n bits.
Example: a = 2, B = 4, n = 77
b_1 = 2 (mod 77)
b_2 = 2^2 = 4 (mod 77)
b_3 = 4^3 = 64 (mod 77)
b_4 = 64^4 = 16777216 ≡ 71 (mod 77)
Pollard's p-1 Method: Why does it work?
Let p be a prime factor of n and suppose p-1 has only small prime factors.
Then likely p-1 | B!.
Then B! = k(p-1), so b = a^(B!) = (a^(p-1))^k ≡ 1 (mod p) by Fermat's little theorem, hence p | b - 1.
Pollard's p-1 Method: Potential problems
n = pq where both p-1 and q-1 have only small factors: b ≡ 1 (mod p) and b ≡ 1 (mod q), so gcd(b-1, n) = n; the method fails.
Choice of B: too small – the method won't work; too big – it works slowly or fails.
Example: n = 7·11 = 77, a = 2
  B = 2: too small; B = 4: worked; B = 6: too big
  7 - 1 = 6 = 2·3, 11 - 1 = 10 = 2·5
  2! does not contain 3; 4! contains 2 and 3; 6! contains 2, 3 and 5, so it covers both factors!
Pollard's p-1 Method: Conclusions for RSA
n = pq: if p-1 or q-1 has only small prime factors, then RSA can be broken.
How to defend? Choose a large prime p0, e.g., p0 > 10^40.
Try numbers of the form k·p0 + 1 (k needs to be even! k > 10^60) and test k·p0 + 1 for primality.
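Added example (my code, not the lecture's) covering both the method slides and this defence slide: `pollard_p_minus_1` computes b = a^(B!) mod n step by step as b_i = b_{i-1}^i, returns the gcd together with the b_i trace, and is run on the slide's n = 77 for B = 2, 4, 6; `make_resistant_prime` builds a prime of the form k·p0 + 1 with k even and is used to construct a toy modulus whose factors both resist the method. Sizes are scaled far below the slide's p0 > 10^40 and k > 10^60, trial division stands in for a real primality test, and the primes 1009 and 1013 used as p0 are my choices.

```python
from math import gcd

# Added example, not code from the lecture. Toy sizes throughout.


def pollard_p_minus_1(n, bound, a=2):
    """Pollard's p-1 as on the slides, with b = a^(B!) mod n built iteratively:
    b_1 = a, b_i = b_{i-1}^i (mod n), so the huge number B! is never formed.

    Returns (gcd(b-1, n), [b_1, ..., b_B]). The gcd is a useful factor only
    when 1 < gcd < n: 1 means B was too small, n means B was too big.
    """
    b = a % n
    trace = [b]
    for i in range(2, bound + 1):
        b = pow(b, i, n)
        trace.append(b)
    return gcd(b - 1, n), trace


def is_prime_trial(n):
    """Toy primality test by trial division; at real sizes use Miller-Rabin."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def make_resistant_prime(p0, max_k=10_000):
    """The slide's defence: given a large prime p0, search for a prime of the
    form k*p0 + 1 with k even (an odd k would make k*p0 + 1 even).
    Then p - 1 = k*p0 has the large prime factor p0, so p - 1 cannot divide B!
    unless B >= p0. Returns (p, k)."""
    for k in range(2, max_k + 1, 2):
        p = k * p0 + 1
        if is_prime_trial(p):
            return p, k
    raise ValueError("no prime of the form k*p0 + 1 found below the k limit")


if __name__ == "__main__":
    # The slide's example n = 7 * 11 = 77 with B = 2 (too small), 4, 6 (too big).
    for bound in (2, 4, 6):
        d, trace = pollard_p_minus_1(77, bound)
        print(f"n=77 B={bound}: b_i = {trace}, gcd = {d}")

    # Constructed modulus whose factors both resist the method:
    # p - 1 = 10 * 1009 and q - 1 = 2 * 1013, each with a prime factor above 1000.
    p, _ = make_resistant_prime(1009)   # 10091
    q, _ = make_resistant_prime(1013)   # 2027
    n = p * q
    for bound in (100, 1009):
        d, _ = pollard_p_minus_1(n, bound)
        print(f"n={n} B={bound}: gcd = {d}")
```

With B = 100 the gcd is 1 because neither p-1 nor q-1 divides 100!; only once B reaches 1009 does 1009 appear in B! and p = 10091 falls out, while q = 2027 still resists because 1013 > 1009. In the scaled-up setting of the slide, B would have to exceed p0 > 10^40, which is out of reach.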
Factoring: Relation to Squares
n – an integer; x, y – two integers such that
  x^2 ≡ y^2 (mod n) and x ≢ ±y (mod n)
If such x, y exist then n is composite, and gcd(x-y, n) is a nontrivial factor.
Examples
11^2 = 121 ≡ 1 (mod 12); 5^2 = 25 ≡ 1 (mod 12); 11 ≢ ±5 (mod 12); gcd(11-5, 12) = 6
Example (the condition x ≢ ±y matters)
5^2 = 25 ≡ 7 (mod 9); 14^2 = 196 ≡ 7 (mod 9); but 14 = 9+5 ≡ 5 (mod 9); gcd(14-5, 9) = 9 (trivial)
Quadratic Sieve: Idea
Try to apply the principle from the previous slide: find x, y such that
  x^2 ≡ y^2 (mod n)
  x ≢ y (mod n)
  x ≢ -y (mod n)
Finding such x, y is not obvious.
Take "random" squares, reduce modulo n, factor (hope for small factors!), and try to build squares from what you get.
Quadratic Sieve: Example
n = 3837523
9398^2 ≡ 5^5 · 19 (mod n)
19095^2 ≡ 2^2 · 5 · 11 · 13 · 19 (mod n)
1964^2 ≡ 3^2 · 13^3 (mod n)
17078^2 ≡ 2^6 · 3^2 · 11 (mod n)
8077^2 ≡ 2 · 19 (mod n)
3397^2 ≡ 2^5 · 5 · 13^2 (mod n)
14262^2 ≡ 5^2 · 7^2 · 13 (mod n)
(9398 · 19095 · 1964 · 17078)^2 ≡ 2^8 · 3^4 · 5^6 · 11^2 · 13^4 · 19^2 = (2^4 · 3^2 · 5^3 · 11 · 13^2 · 19)^2 (mod n)
2230387^2 ≡ 2586705^2 (mod n)
gcd(2230387 - 2586705, 3837523) = 1093
Quadratic Sieve: Example (a combination that does not help), n = 3837523
(9398 · 8077 · 3397)^2 ≡ 2^6 · 5^6 · 13^2 · 19^2 = (2^3 · 5^3 · 13 · 19)^2 (mod n)
3590523^2 ≡ 247000^2 (mod n)
BUT: n - 247000 = 3590523, i.e., 3590523 ≡ -247000 (mod n), so this pair only yields a trivial factor.
How to Find the Squares?
What squares to use? We want small prime factors, so x^2 should be only slightly above n (or above a multiple i·n).
Idea: try integers close to sqrt(i·n) + j, for small j and various i.
(sqrt(i·n) + j)^2 ≈ i·n + 2j·sqrt(i·n) + j^2
which is approximately 2j·sqrt(i·n) + j^2 (mod n), much smaller than n.
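As an added example (my code, not part of the lecture), the whole pipeline for this n in Python: the search for smooth squares near sqrt(i·n) + j described on this slide, Gaussian elimination over GF(2) on the exponent parities to find combinations whose product is a square (the "build squares from what you get" step), and the gcd step, which skips combinations with x ≡ ±y (mod n) such as the 9398 · 8077 · 3397 one. The factor base {2, 3, 5, 7, 11, 13, 19}, the search limits and the function names are my choices, made so that the slide's seven relations are found; the seven relations are also embedded as a constant so the slide's combination can be checked exactly.

```python
from math import gcd, isqrt

# Added example, not code from the lecture. Constructed to match the slide:
# n = 3837523 and a factor base holding exactly the primes in the slide's relations.
N = 3837523
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 19]

# The slide's seven relations, in the slide's order, as (x, exponent vector)
# with x^2 ≡ prod p^e (mod N) over FACTOR_BASE.
SLIDE_RELATIONS = [
    (9398,  [0, 0, 5, 0, 0, 0, 1]),
    (19095, [2, 0, 1, 0, 1, 1, 1]),
    (1964,  [0, 2, 0, 0, 0, 3, 0]),
    (17078, [6, 2, 0, 0, 1, 0, 0]),
    (8077,  [1, 0, 0, 0, 0, 0, 1]),
    (3397,  [5, 0, 1, 0, 0, 2, 0]),
    (14262, [0, 0, 2, 2, 0, 1, 0]),
]


def factor_over_base(value, base):
    """Exponent vector of value over base, or None if value is not base-smooth."""
    exps = []
    for p in base:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def find_relations(n, base, max_i=100, max_j=6):
    """The slide's idea: for x = ceil(sqrt(i*n)) + j, x^2 mod n is only about
    2*j*sqrt(i*n), so it is far likelier than a random residue to be smooth."""
    relations, seen = [], set()
    for i in range(1, max_i + 1):
        root = isqrt(i * n)
        if root * root < i * n:
            root += 1                       # ceil(sqrt(i*n))
        for x in range(root, root + max_j):
            if x in seen:
                continue
            seen.add(x)
            r = x * x % n
            exps = factor_over_base(r, base) if r else None
            if exps is not None:
                relations.append((x, exps))
    return relations


def null_space_basis(relations):
    """Gaussian elimination over GF(2) on exponent parities. Returns bitmasks over
    relation indices; each mask is a set of relations whose product is a square."""
    rows, basis = [], []                    # rows: (reduced parity, combination mask)
    for idx, (_, exps) in enumerate(relations):
        parity = sum(1 << bit for bit, e in enumerate(exps) if e % 2)
        combo = 1 << idx
        for r_par, r_combo in rows:
            if parity & (r_par & -r_par):   # has that row's pivot (lowest set bit)
                parity ^= r_par
                combo ^= r_combo
        if parity:
            rows.append((parity, combo))
        else:
            basis.append(combo)             # reduced to zero: a dependency
    return basis


def combine_square(n, base, relations, idxs):
    """Multiply the chosen relations: returns (x, y) with x^2 ≡ y^2 (mod n)."""
    x, total = 1, [0] * len(base)
    for k in idxs:
        x = x * relations[k][0] % n
        total = [t + e for t, e in zip(total, relations[k][1])]
    y = 1
    for p, e in zip(base, total):
        y = y * pow(p, e // 2, n) % n       # every e is even for a dependency
    return x, y


def factor_with_squares(n, base, relations, max_basis=12):
    """Try every non-empty combination of (at most max_basis) null-space vectors.
    A combination with x ≡ ±y (mod n) gives a trivial gcd and is skipped.
    Returns (factor, x, y, xs_used) or None."""
    basis = null_space_basis(relations)[:max_basis]
    for mask in range(1, 1 << len(basis)):
        combo = 0
        for bit, dep in enumerate(basis):
            if mask >> bit & 1:
                combo ^= dep
        idxs = [k for k in range(len(relations)) if combo >> k & 1]
        x, y = combine_square(n, base, relations, idxs)
        f = gcd(x - y, n)
        if 1 < f < n:
            return f, x, y, [relations[k][0] for k in idxs]
    return None


if __name__ == "__main__":
    found = find_relations(N, FACTOR_BASE)
    print(len(found), "smooth relations found; slide's seven included:",
          {x for x, _ in SLIDE_RELATIONS} <= {x for x, _ in found})
    print("slide relations ->", factor_with_squares(N, FACTOR_BASE, SLIDE_RELATIONS))
    print("sieved relations ->", factor_with_squares(N, FACTOR_BASE, found))
```

On the slide's seven relations the first dependency the elimination produces is exactly the slide's 9398 · 19095 · 1964 · 17078, giving x = 2230387, y = 2586705 and the factor 1093 (n = 1093 · 3511); the 9398 · 8077 · 3397 dependency is also found but discarded because x + y = n.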