HRI, Allahabad, February, 2005. RSA cryptosystem. Università Roma Tre

Contemporary Factoring

❶ 1994, Quadratic Sieve (QS): 8 months, 600 volunteers, 20 countries. D. Atkins, M. Graff, A. Lenstra, P. Leyland.
RSA-129 = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541
= 3490529510847650949147849619903898133417764638493387843990820577 × 32769132993266709549961988190834461413177642967992942539798288533

❷ August 22, 1999, Number Field Sieve (NFS): 160 Sun workstations, 4 months.
RSA-155 = 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897
= 102639592829741105772054196573991675900716567808038066803341933521790711307779 × 106603488380168454820927220360012878679207958575989291522270608237193062808643

❸ December 3, 2003, NFS: J. Franke et al. 174 decimal digits.
RSA-576 = 188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059
= 398075086424064937397125500550386491199064362342526708406385189575946388957261768583317 × 472772146107435302536223071973048224632914695302097116459852171130520711256363590397527

❹ Elliptic curve factoring (ECM): introduced by H. W. Lenstra. Its running time depends on the size of the smallest prime factor rather than on the size of the number itself, so it is suited to finding prime factors of up to about 50 digits (small ones), whatever the size of the number.
All of these (QS, NFS, ECM) have sub-exponential running time: faster than trial division, but still far from polynomial in the number of digits of the number to be factored.
RSA: Adi Shamir, Ron L. Rivest, Leonard Adleman (1978)
The RSA cryptosystem

1978, R. L. Rivest, A. Shamir, L. Adleman (the US patent expired in September 2000).

Problem: Alice wants to send the message P to Bob so that Charles cannot read it.

A (Alice) --------> B (Bob)
          ↑
      C (Charles)

❶ Key generation: Bob has to do it
❷ Encryption: Alice has to do it
❸ Decryption: Bob has to do it
❹ Attack: Charles would like to do it
Bob: Key generation

✍ He chooses two random primes p and q (p, q ≈ 10^100).
✍ He computes M = p × q and ϕ(M) = (p − 1) × (q − 1).
✍ He chooses an integer e with 1 < e < ϕ(M) and gcd(e, ϕ(M)) = 1.
  Note. One could take e = 3 together with p ≡ q ≡ 2 (mod 3), so that 3 does not divide (p − 1)(q − 1).
  Experts recommend e = 2^16 + 1 = 65537: it is prime, so gcd(e, ϕ(M)) = 1 unless 65537 happens to divide p − 1 or q − 1, and its binary expansion has only two 1 bits, which keeps encryption cheap.
✍ He computes the arithmetic inverse d of e modulo ϕ(M), i.e. the unique d ∈ N with 0 < d < ϕ(M) such that e × d ≡ 1 (mod ϕ(M)).
✍ He publishes (M, e) as the public key and hides the secret key d. Anyone who learns p, q or ϕ(M) can recompute d, so these must stay secret as well.

Problem: How does Bob do all this? We will come back to it.
Alice: Encryption

Represent the message P as an element of Z/MZ, for example via the bijective base-26 encoding
A ↔ 1, B ↔ 2, C ↔ 3, ..., Z ↔ 26, AA ↔ 27, ...
Sukumar ↔ 19·26^6 + 21·26^5 + 11·26^4 + 21·26^3 + 12·26^2 + 1·26 + 18 = 6124312628
(Under this table the letter M ↔ 13, so the coefficient of 26^2 should be 13; the arithmetic above uses 12, and the ciphertext below was computed from 6124312628.)

Note. Better if texts are not too short; otherwise one applies some padding. Without padding, encryption is deterministic (the same P always gives the same C), and with e = 3 and P < M^{1/3} no reduction modulo M ever takes place, so P is simply the integer cube root of C.

C = E(P) = P^e (mod M)

Example: p = 9049465727, q = 8789181607, M = 79537397720925283289, e = 2^16 + 1 = 65537, P = Sukumar:
E(Sukumar) = 6124312628^65537 (mod 79537397720925283289) = 25439695120356558116 = C ↔ JGEBNBAUYTCOFJ
Bob: Decryption

P = D(C) = C^d (mod M)

Note. Bob can decrypt because he is the only one who knows d.

Theorem (Euler). If a, m ∈ N and gcd(a, m) = 1, then a^ϕ(m) ≡ 1 (mod m). Consequently, if n1 ≡ n2 (mod ϕ(m)) then a^n1 ≡ a^n2 (mod m).

Therefore, since ed ≡ 1 (mod ϕ(M)),
D(E(P)) = P^{ed} ≡ P (mod M).
(Euler's theorem needs gcd(P, M) = 1. For the rare P sharing a factor with M the congruence still holds, as one sees by checking it modulo p and modulo q separately with Fermat's little theorem.)

Example (cont.): d = 65537^{−1} mod ϕ(9049465727 · 8789181607) = 57173914060643780153
D(JGEBNBAUYTCOFJ) = 25439695120356558116^57173914060643780153 (mod 79537397720925283289) = 6124312628 ↔ Sukumar
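The key generation, encryption and decryption steps of the three slides above, carried through in code. This is an added example and not code from the talk. It assumes Python 3.8 or later (pow(e, -1, phi) for the modular inverse), reuses the slides' primes p, q and the base-26 letter table, and adds, for the e = 3 remark and the padding note, the cube-root recovery that Charles can perform on a short unpadded message. The function names (encode, keygen, cube_root_attack, ...) and the two primes used for the e = 3 demonstration are this example's own.

```python
"""Textbook RSA as laid out on the slides: bijective base-26 text encoding,
key generation from two given primes, encryption, decryption, and the
low-exponent failure mode that the padding note warns about.

Added example, not from the slides.  Assumes Python 3.8+ (pow(e, -1, m)
computes a modular inverse).
"""
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode(text: str) -> int:
    """Bijective base 26 as on the slide: A=1, ..., Z=26, AA=27, ..."""
    n = 0
    for ch in text.upper():
        n = n * 26 + ALPHABET.index(ch) + 1
    return n


def decode(n: int) -> str:
    """Inverse of encode() for n >= 1 (this system has no digit 0)."""
    out = []
    while n > 0:
        n, r = divmod(n - 1, 26)      # shift by one so that 26 comes out as Z
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def keygen(p: int, q: int, e: int = 65537):
    """Bob's key generation from two primes.  Returns ((M, e), d)."""
    M = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(M) and gcd(e, phi(M)) == 1")
    d = pow(e, -1, phi)               # unique d, 0 < d < phi, e*d = 1 (mod phi)
    return (M, e), d


def encrypt(pub, P: int) -> int:
    """Alice: C = P^e mod M.  P must already be an element of Z/MZ."""
    M, e = pub
    if not 0 <= P < M:
        raise ValueError("plaintext must be reduced modulo M")
    return pow(P, e, M)


def decrypt(M: int, d: int, C: int) -> int:
    """Bob: P = C^d mod M."""
    return pow(C, d, M)


def cube_root_attack(C: int) -> int:
    """Charles, when e = 3 and the unpadded P < M^(1/3): then P^3 < M, no
    reduction happened, and P is the exact integer cube root of C.
    Integer binary search, no floating point, so it works at any size."""
    lo, hi = 0, 1 << (C.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < C:
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Parameters from the slides.
    p, q = 9049465727, 8789181607
    pub, d = keygen(p, q)
    M = pub[0]
    P = encode("Sukumar")            # 6124313304 with M=13 (the slide used 12)
    C = encrypt(pub, P)
    print("C =", C, "<->", decode(C))
    print("D(C) =", decode(decrypt(M, d, C)))
    print("slide's ciphertext for 6124312628:", encrypt(pub, 6124312628))

    # Why the padding note matters: e = 3 and a short message.
    # 1000000007 and 998244353 are well-known primes, both = 2 (mod 3),
    # so e = 3 is admissible; they are this example's choice, not the slide's.
    pub3, _ = keygen(1000000007, 998244353, e=3)
    short = encode("HI")
    print("recovered without any key:",
          decode(cube_root_attack(encrypt(pub3, short))))
```

keygen rejects an e that violates either condition on the key generation slide, and encrypt rejects a plaintext outside Z/MZ, the check that is easy to forget when a long text encodes to a number larger than the modulus. The cube-root attack needs no key material at all, which is exactly why messages are padded before exponentiation.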
RSA at work
Repeated squaring algorithm

Problem: How does one compute a^b mod c? For instance
25439695120356558116^57173914060643780153 (mod 79537397720925283289)

✍ Compute the binary expansion
$$b = \sum_{j=0}^{[\log_2 b]} \epsilon_j 2^j, \qquad \epsilon_j \in \{0, 1\}$$
57173914060643780153 = 110001100101110010100010111110101011110011011000100100011000111001 (in base 2, 66 bits)
✍ Compute recursively a^{2^j} mod c for j = 1, ..., [log_2 b]:
$$a^{2^j} \bmod c = \left(a^{2^{j-1}} \bmod c\right)^2 \bmod c$$
✍ Multiply together the a^{2^j} mod c with ǫ_j = 1:
$$a^b \bmod c = \Big(\prod_{\substack{j=0 \\ \epsilon_j = 1}}^{[\log_2 b]} a^{2^j} \bmod c\Big) \bmod c$$
#{operations in Z/cZ to compute a^b mod c} ≤ 2 log_2 b

JGEBNBAUYTCOFJ is decrypted with at most 131 operations in Z/79537397720925283289Z: the exponent d has 66 bits, so 65 squarings and at most 65 further multiplications, and 2 log_2 d ≈ 131.3.

Pseudo code: e_c(a, b) = a^b mod c

e_c(a, b) =
  if b = 1 then a mod c
  if 2 | b then e_c(a, b/2)^2 mod c
  else a × e_c(a, (b − 1)/2)^2 mod c

To encrypt with e = 2^16 + 1, only 17 operations in Z/MZ are needed (16 squarings and one multiplication).
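The recursive e_c(a, b) of the slide and its iterative left-to-right form, instrumented to count operations in Z/cZ so that the bound 2·log_2 b can be checked on the slide's own numbers. This is an added example, not code from the talk; the function names and the operation counter are this example's own.

```python
"""Modular exponentiation by repeated squaring, as on the slides, plus an
instrumented version that counts operations in Z/cZ so that the bound
#ops <= 2*log2(b) can be checked.  Added example, not from the talk."""
import math

# Numbers from the decryption slide: C^d mod M.
SLIDE_C = 25439695120356558116
SLIDE_D = 57173914060643780153
SLIDE_M = 79537397720925283289


def modexp(a: int, b: int, c: int) -> int:
    """Recursive e_c(a, b) = a^b mod c, the slide's pseudocode
    (with the b = 0 case added)."""
    if b == 0:
        return 1 % c
    if b == 1:
        return a % c
    if b % 2 == 0:
        return pow(modexp(a, b // 2, c), 2, c)
    return a * pow(modexp(a, (b - 1) // 2, c), 2, c) % c


def modexp_counting(a: int, b: int, c: int):
    """Iterative left-to-right binary method.  After the leading 1 bit,
    every bit costs one squaring and every 1 bit one extra multiplication,
    so #ops <= 2 * floor(log2 b).  Returns (a^b mod c, #ops)."""
    if b == 0:
        return 1 % c, 0
    result, ops = a % c, 0
    for bit in bin(b)[3:]:            # the bits below the most significant one
        result = result * result % c
        ops += 1
        if bit == "1":
            result = result * a % c
            ops += 1
    return result, ops


def op_bound(b: int) -> float:
    """The slide's bound on the number of operations in Z/cZ."""
    return 2 * math.log2(b)


if __name__ == "__main__":
    value, ops = modexp_counting(SLIDE_C, SLIDE_D, SLIDE_M)
    print("C^d mod M =", value, "with", ops, "operations (bound %.1f)" % op_bound(SLIDE_D))
    print("encryption with e = 65537 costs", modexp_counting(2, 65537, SLIDE_M)[1], "operations")
```

Both versions branch on the bits of the exponent, so their running time depends on d when d is the secret key; that is the textbook algorithm of the slide, not an implementation to use where timing can be observed, for which constant-time ladders exist.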
Key generation

Problem. Produce a random prime p ≈ 10^100.

Probabilistic algorithm (Las Vegas type):
1. Let p = Random(10^100)
2. If isprime(p) = 1 then output p, else go to 1

Subproblems:
A. How many iterations are necessary? (i.e. how are the primes distributed?)
B. How does one check whether p is prime? (i.e. how does one compute isprime(p)?) → Primality test

False urban legend: checking primality is equivalent to factoring. It is not: primality can be decided without exhibiting any factor, whereas no comparably fast factoring algorithm is known.
A. Distribution of prime numbers

π(x) = #{p ≤ x : p is prime}

Theorem (Hadamard, de la Vallée Poussin, 1896).
$$\pi(x) \sim \frac{x}{\log x}$$

Quantitative version: Theorem (Rosser, Schoenfeld). If x ≥ 67,
$$\frac{x}{\log x - 1/2} < \pi(x) < \frac{x}{\log x - 3/2}$$

Therefore
0.0043523959267 < Prob(Random(10^100) is prime) < 0.004371422086
If P_k is the probability that among k random numbers ≤ 10^100 there is a prime one, then
$$P_k = 1 - \left(1 - \frac{\pi(10^{100})}{10^{100}}\right)^k$$
Therefore 0.663942 < P_250 < 0.66554440.

To speed up the process: one can consider only odd random numbers divisible neither by 3 nor by 5. Only 4/15 of all integers survive this sieve and every prime larger than 5 does, so the density of primes among the candidates is 15/4 times higher: on average about 61 candidates instead of about 230 have to be submitted to the primality test.
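The Las Vegas loop of the key generation slide with a concrete isprime (Miller-Rabin, chosen here because the slide leaves the test unspecified), the sieve by 2, 3 and 5 from the slide above, and the Rosser-Schoenfeld bounds evaluated for 100-digit numbers as on the slides. This is an added example, not code from the talk. It draws candidates from [10^99, 10^100) rather than from all numbers up to 10^100 so that the prime has exactly 100 digits; that, like the function names, is a choice of this example.

```python
"""Random prime generation for RSA as on the key generation slide (the Las
Vegas loop), with Miller-Rabin standing in for the unspecified isprime(),
the sieve by 2, 3 and 5 of the following slide, and the Rosser-Schoenfeld
bounds evaluated for 100-digit numbers.  Added example, not from the talk."""
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases.  Always True for a prime; a composite
    survives one round with probability at most 1/4, so 40 rounds leave an
    error probability below 4**-40.  Plays the role of isprime() on the slide."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def random_prime(digits: int):
    """The slide's loop: draw, test, repeat.  Candidates come from
    [10^(digits-1), 10^digits) so the prime really has `digits` digits
    (a choice of this example), and multiples of 2, 3, 5 are discarded
    before the expensive test.  Returns (prime, number of primality tests)."""
    low, high = 10 ** (digits - 1), 10 ** digits
    trials = 0
    while True:
        cand = low + secrets.randbelow(high - low)
        if cand % 2 == 0 or cand % 3 == 0 or cand % 5 == 0:
            continue
        trials += 1
        if is_probable_prime(cand):
            return cand, trials


def prime_probability_bounds(digits: int):
    """Rosser-Schoenfeld, x/(log x - 1/2) < pi(x) < x/(log x - 3/2) for
    x >= 67, divided by x = 10^digits: bounds on the probability that
    Random(10^digits) is prime."""
    log_x = digits * math.log(10)
    return 1 / (log_x - 0.5), 1 / (log_x - 1.5)


def hit_probability(k: int, prob: float) -> float:
    """P_k = 1 - (1 - prob)^k: probability that k draws contain a prime."""
    return 1 - (1 - prob) ** k


if __name__ == "__main__":
    lo, hi = prime_probability_bounds(100)
    print("Prob(Random(10^100) is prime) in (%.13f, %.12f)" % (lo, hi))
    print("P_250 in (%.6f, %.8f)" % (hit_probability(250, lo), hit_probability(250, hi)))
    print("expected tests: about %.0f without the sieve, %.0f with it" % (1 / lo, (4 / 15) / lo))
    p, trials = random_prime(100)
    print("100-digit prime after", trials, "primality tests:", p)
```

secrets, not random, supplies the candidates: the primes become the private key, so the draw must be unpredictable, which the slide's Random(10^100) takes for granted.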