factoring and rsa
play

Factoring and RSA Nadia Heninger University of Pennsylvania - PowerPoint PPT Presentation

Aug 28, 2023 •430 likes •1.39k views

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption

  1. Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange

  3. Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1)) Encryption public key = ( N , e ) ciphertext = message e mod N message = ciphertext d mod N

  4. Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1)) Signing public key = ( N , e ) signature = message d mod N message = signature e mod N

  5. Computational problems Factoring Problem: Given N , compute its prime factors. ◮ Computationally equivalent to computing private key d . ◮ Factoring is in NP and coNP → not NP-complete (unless P=NP or similar).

  6. Computational problems e th roots mod N Problem: Given N , e , and c , compute x such that x e ≡ c mod N . ◮ Equivalent to decrypting an RSA-encrypted ciphertext. ◮ Equivalent to selective forgery of RSA signatures. ◮ Unknown whether it reduces to factoring: ◮ “Breaking RSA may not be equivalent to factoring” [Boneh Venkatesan 1998] “an algebraic reduction from factoring to breaking low-exponent RSA can be converted into an efficient factoring algorithm” ◮ “Breaking RSA generically is equivalent to factoring” [Aggarwal Maurer 2009] “a generic ring algorithm for breaking RSA in Z N can be converted into an algorithm for factoring” ◮ “RSA assumption”: This problem is hard.

  7. A garden of attacks on textbook RSA Unpadded RSA encryption is homomorphic under multiplication. Let’s have some fun! Attack: Malleability Given a ciphertext c = Enc( m ) = m e mod N , attacker can forge ciphertext Enc( ma ) = ca e mod N for any a . Attack: Chosen ciphertext attack Given a ciphertext c = Enc( m ) for unknown m , attacker asks for Dec( ca e mod N ) = d and computes m = da − 1 mod N . Attack: Signature forgery Attacker wants Sign( x ). Attacker computes z = xy e mod N for some y and asks signer for s = Sign( z ) = z d mod N . Attacker computes Sign( z ) = sy − 1 mod N . So in practice always use padding on messages .

  8. http://xkcd.com/538/

  9. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python sage: 2*3 6

  10. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8

  11. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8 It has lots of useful libraries: sage: factor(15) 3 * 5

  12. Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from http://www.sagemath.org/ . Sage is based on Python, but there are a few differences: ˆ is exponentiation, not xor sage: 2^3 8 It has lots of useful libraries: sage: factor(15) sage: factor(x^2-1) 3 * 5 (x - 1) * (x + 1)

  13. Practicing Sage and Textbook RSA Key generation: sage: p = random_prime(2^512); q = random_prime(2^512) sage: N = p*q sage: e = 65537 sage: d = inverse_mod(e,(p-1)*(q-1)) Encryption: sage: m = Integer(’helloworld’,base=35) sage: c = pow(m,65537,N) Decryption: sage: Integer(pow(c,d,N)).str(base=35) ’helloworld’

  14. So how hard is factoring?

  15. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32))

  16. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059

  17. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64))

  18. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833

  19. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96))

  20. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141

  21. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141 sage: time factor(random_prime(2^128)*random_prime(2^128))

  22. So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) CPU times: user 1.63 ms, sys: 37 s, total: 1.67 ms Wall time: 1.66 ms 1235716393 * 4051767059 sage: time factor(random_prime(2^64)*random_prime(2^64)) CPU times: user 92.5 ms, sys: 16.3 ms, total: 109 ms Wall time: 163 ms 12072631544896004447 * 13285534720168965833 sage: time factor(random_prime(2^96)*random_prime(2^96)) CPU times: user 6.03 s, sys: 145 ms, total: 6.18 s Wall time: 6.35 s 39863518068977786560464995143 * 40008408160629540866839699141 sage: time factor(random_prime(2^128)*random_prime(2^128)) CPU times: user 7min 56s, sys: 5.38 s, total: 8min 2s Wall time: 8min 12s 71044139867382099583965064084826540441 * 95091214714150393464646264945135836937

  23. Factoring in practice Two families of factoring algorithms: 1. Algorithms whose running time depends on the size of the factor to be found. ◮ Good for factoring small numbers, and finding small factors of big numbers. 2. Algorithms whose running time depends on the size of the number to be factored. ◮ Good for factoring big numbers with big factors.

  24. Trial Division Good for finding very small factors Takes p / log p trial divisions to find a prime factor p .

  25. Pollard rho Good for finding slightly larger prime factors Intuition ◮ Try to take a random walk among elements mod N . ◮ If p divides N , there will be a cycle of length p . ◮ Expect a collision after searching about √ p random elements.

  26. Pollard rho Good for finding slightly larger prime factors Intuition ◮ Try to take a random walk among elements mod N . ◮ If p divides N , there will be a cycle of length p . ◮ Expect a collision after searching about √ p random elements. Details ◮ “Random” function: f ( x ) = x 2 + c mod N for random c . ◮ For random starting point a , compute a , f ( a ) , f ( f ( a )) , . . . ◮ Naive implementation uses √ p memory, O (1) lookup time. ◮ To reduce memory: ◮ Floyd cycle-finding algorithm: Store two pointers, and move one twice as fast as the other until they coincide. ◮ Method of distinguished points: Store points satisfying easily tested property like k leading zeros.

  27. Why is it called the rho algorithm?

  28. Pollard rho in Sage def rho(n): a = 98357389475943875; c=10 # some random values f = lambda x: (x^2+c)%n a1 = f(a) ; a2 = f(a1) while gcd(n, a2-a1)==1: a1 = f(a1); a2 = f(f(a2)) return gcd(n, a2-a1) sage: N = 698599699288686665490308069057420138223871 sage: rho(N) 2053

  29. Reminders: Orders and groups Theorem (Fermat’s Little Theorem) a p − 1 ≡ 1 mod p for any 0 < a < p. Let ord( a ) p be the order of a mod p . (Smallest positive integer such that a ord( a ) p ≡ 1 mod p .) Theorem (Lagrange) ord( a ) p divides p − 1 .

  30. Pollard’s p − 1 method Good for finding special small factors Intuition ◮ If a r ≡ 1 mod p then ord( a ) p | r and p | gcd( a r − 1 , N ). ◮ Don’t know p , pick very smooth number r , hoping for ord( a ) p to divide it. Definition: An integer is B-smooth if all its prime factors are ≤ B .

Recommend

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides
FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

F A C T O R I N G W I T H J U D G M E N T S FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about? FACTORING It is precisely after the judgment is won by This out-of-the-box product uses the - the

199 views • 7 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy, 9. October 2008 Using P-1, P+1 and ECM in NFS For large factoring projects, memory becomes a limiting resource. Large factor base bound B requires

385 views • 21 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa &amp; Maciej Radziejewski June 26, 2019 Integer factoring and compositeness witnesses 1 Objective: Factorization of a large integer n Oracles Techniques How many hard numbers are

514 views • 22 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES

Nonlinear System Identification Benchmarks POLYNOMIAL CONSTRAINED FACTORING IN P-NARX IDENTIFICATION KIA N A KA R A M I, D A V ID W ES TW IC K April, 2019 NARX MODEL T he No nline ar Auto re g re ssive e Xo g e no us I nput Mo de l

253 views • 23 slides
Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and Statistics University of North Carolina at Greensboro Sebastian Pauli (UNC Greensboro) Factoring Polynomials over Local Fields II 1 / 20 Polynomial

765 views • 44 slides
Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens

Computability Theory at Work: Factoring Polynomials and Finding Roots Russell Miller Queens College &amp; CUNY Graduate Center New York, NY MAA MathFest Portland, OR 7 August 2014 Russell Miller (CUNY) Factoring and Finding Roots MathFest

489 views • 30 slides
The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida

The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida State University ISSAC2013 June 26, 2013 Papers [Zassenhaus 1969]. Usually fast, but can be exp-time. [LLL 1982]. Lattice reduction (LLL

766 views • 43 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a

SNI CAPITAL ADVISORS Non-Resource Factoring Presentation Introduction to SNI Capital Advisors SNI Capital is a leading financial/business consulting firm having a strong global presence directly or indirectly through its network partners &amp;

313 views • 10 slides
Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving

Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving

Special Purpose Hardware for Factoring: Special Purpose Hardware for Factoring: the NFS Sieving Step the NFS Sieving Step Adi Shamir Eran Tromer Adi Shamir Eran Tromer Weizmann Institute of Science Weizmann Institute of Science 1

824 views • 47 slides
Factoring Large Numbers Factoring Large Numbers with the TWIRL Device with the TWIRL Device Adi

Factoring Large Numbers Factoring Large Numbers with the TWIRL Device with the TWIRL Device Adi

Factoring Large Numbers Factoring Large Numbers with the TWIRL Device with the TWIRL Device Adi Shamir, Eran Tromer Adi Shamir, Eran Tromer Bicycle chain sieve [D. H. Lehmer, 1928] Bicycle chain sieve [D. H. Lehmer, 1928]

466 views • 24 slides
Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert

Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert

Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert Heinle Symbolic Computation Group David R. Cheriton School of Computer Science University of Waterloo Canada 20160712 1 / 26 Introduction The

416 views • 37 slides
Discovering the roots: Uniform closure results for algebraic classes under factoring 1.

Discovering the roots: Uniform closure results for algebraic classes under factoring 1.

To appear at STOC 2018 Pranjal Dutta (CMI) Nitin Saxena (IIT Kanpur) Amit Sinhababu (IIT Kanpur) WACT18, Universit Paris Diderot Discovering the roots: Uniform closure results for algebraic classes under factoring 1. Introduction 2.

2.06k views • 172 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren 5 December 2013 Problems with non-randomness 2012

545 views • 50 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren September 16, 2013 Problems with non-randomness 2012

810 views • 32 slides
Factoring using 2n+2 qubits with Toffoli based modular multiplication aner 1 , 2 Martin Roetteler

Factoring using 2n+2 qubits with Toffoli based modular multiplication aner 1 , 2 Martin Roetteler

Factoring using 2n+2 qubits with Toffoli based modular multiplication aner 1 , 2 Martin Roetteler 2 Krysta M. Svore 2 Thomas H 1 Institute for Theoretical Physics ETH Z urich, Switzerland 2 Quantum Architectures and Computation Group

686 views • 42 slides
Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The Hardness of Breaking RSA One approach to breaking RSA is to

274 views • 15 slides
Learning objectives Appreciate the purpose of test automation Factoring repetitive,

Learning objectives Appreciate the purpose of test automation Factoring repetitive,

Learning objectives Appreciate the purpose of test automation Factoring repetitive, mechanical tasks from creative, human design tasks in testing Test Execution Recognize main kinds and components of test scaffolding

195 views • 4 slides

More recommend