Cryptography and Primality Testing, Study notes of Algorithms and Programming

This document covers topics related to cryptography and primality testing. It includes RSA, attacks on plain RSA, discrete log/DDH, polynomial time algorithms, GCD, multiplicative inverse, power mod, uniform sampling, Chinese remainder theorem, Bertrand's postulate, Miller-Rabin test, and more, as well as the probability of failure in generating random primes and the Miller-Rabin primality test. It can be useful as study notes, lecture notes, summary, or exam for a course on cryptography or number theory.

Typology: Study notes

2021/2022

Uploaded on 05/11/2023

ekansh
Cryptography

CS 555

Week 10:

  • RSA
  • Attacks on Plain RSA
  • Discrete Log/DDH

Readings: Katz and Lindell Chapter 8.2-8.3, 11.5.1

Spring 2021

Recap

  • Polynomial time algorithms (in the bit lengths of $a$, $b$ and $N$) to do important computations on integers
    • GCD($a$, $b$)
    • Find multiplicative inverse $a^{-1}$ of $a$ such that $1 = [a a^{-1} \bmod N]$ (if it exists)
    • PowerMod: $[a^b \bmod N]$
    • Draw uniform sample from $\mathbb{Z}_N^* = \{x \in \mathbb{Z}_N : \gcd(N, x) = 1\}$
  • Fact: $[g^x \bmod N] = [g^{[x \bmod \phi(N)]} \bmod N]$ where $\phi(N) = |\mathbb{Z}_N^*|$
    • Proof: Group Theory
  • Chinese Remainder Theorem

RSA Key-Generation

KeyGeneration($1^n$)

Step 1: Pick two random n-bit primes p and q
Step 2: Let $N = pq$, $\phi(N) = (p - 1)(q - 1)$
Step 3: …

Question : How do we accomplish step one?

Bertrand’s Postulate

Theorem 8.32. For any $n > 1$ the fraction of n-bit integers that are prime is at least $1/3n$.

GenerateRandomPrime($1^n$)

For i = 1 to $3n^2$:
    $p' \leftarrow \{0,1\}^{n-1}$
    $p := 1 \| p'$
    if isPrime(p) then return p

return fail

Can we do this in polynomial time?

isPrime(p): Miller-Rabin Test

  • We can check for primality of p in polynomial time in the bit length of p.

Theory : Deterministic algorithm to test for primality.

  • See breakthrough paper “Primes is in P”
  • https://www.cse.iitk.ac.in/users/manindra/algebra/primality_v6.pdf

Practice: Miller-Rabin Test (randomized algorithm)

  • Guarantee 1: If p is prime then the test outputs YES
  • Guarantee 2: If p is not prime then the test outputs NO (except with negligible probability).

The “Almost” Miller-Rabin Test

Input : Integer N and parameter $1^t$

Output : “prime” or “composite”

for i = 1 to t:
    $a \leftarrow \{1, \ldots, N-1\}$
    if $a^{N-1} \neq 1 \bmod N$ then return “composite”

Return “prime”

Claim: If N is prime then algorithm always outputs “prime”

Proof: For any $a \in \{1, \ldots, N-1\}$ we have $a^{N-1} = a^{\phi(N)} = 1 \bmod N$, since $\phi(N) = N - 1$ for primes N.

Miller-Rabin Primality Test

Input : Integer N and parameter $1^t$

Output : “prime” or “composite”

If Even(N) or PerfectPower(N) return “composite”

Else find $u$ (odd) and $r \geq 1$ s.t. $N - 1 = 2^r u$

for j = 1 to t:
    pick $a$ in [2, N-2] randomly
    if $a^u \neq \pm 1 \bmod N$ and $a^{2^i u} \neq -1 \bmod N$ for all $1 \leq i \leq r - 1$ return “composite”

Return “prime”

Lemma: If p is prime and $x^2 = 1 \bmod p$ then $x = \pm 1 \bmod p$

If N is prime we won’t return composite:

$0 = a^{2^r u} - 1 = (a^{2^{r-1} u} - 1)(a^{2^{r-1} u} + 1) = \cdots = (a^{2^{r-2} u} - 1)(a^{2^{r-2} u} + 1)(a^{2^{r-1} u} + 1)$

$a^{2^i u} - 1 = (a^{2^{i-1} u} - 1)(a^{2^{i-1} u} + 1)$

$a^{2^r u} - 1 = \cdots = (a^u - 1) \prod_{i=0}^{r-1} (a^{2^i u} + 1)$

Claim: If N is composite then at most ¼ of the choices of random value a in [2, N-1] will pass the test

Claim: If N is composite then we return prime with probability at most $4^{-t}$

Proof: (See textbook)

Back to RSA Key-Generation

KeyGeneration($1^n$)

Step 1: Pick two random n-bit primes p and q
Step 2: Let $N = pq$, $\phi(N) = (p - 1)(q - 1)$
Step 3: Pick $e > 1$ such that $\gcd(e, \phi(N)) = 1$
Step 4: Set $d = [e^{-1} \bmod \phi(N)]$ (secret key)
Return: N, e, d

  • What is the probability that $e^{-1} \bmod \phi(N)$ exists when we pick e randomly?
  • Hint: $\phi(\phi(N))$ choices of e in $\mathbb{Z}_{\phi(N)}$ have a multiplicative inverse mod $\phi(N)$.

Be Careful Where You Get Your “Random Bits!”

  • RSA Keys Generated with weak PRG
    • Implementation Flaw
    • Unfortunately Commonplace
  • Resulting Keys are Vulnerable
    • Sophisticated Attack
    • Coppersmith’s Method

The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli (CCS 2017)
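
Added example (not part of the lecture slides): the Miller-Rabin test, GenerateRandomPrime and KeyGeneration from the slides above written out in Python, plus a count of how many bases fool the “almost” test versus Miller-Rabin for a given N. The function names, t = 40 and the fixed default e = 65537 are assumptions made for this example; random bits come from Python's secrets module rather than a weak PRG.

```python
import math
import secrets  # OS-backed CSPRNG; a weak PRG here yields factorable keys

def strong_liar(N, a):
    """a passes one Miller-Rabin round, where N - 1 = 2^r * u with u odd."""
    u, r = N - 1, 0
    while u % 2 == 0:
        u, r = u // 2, r + 1
    x = pow(a, u, N)
    if x in (1, N - 1):                      # a^u = +-1 mod N
        return True
    for _ in range(r - 1):                   # a^(2^i u) for 1 <= i <= r-1
        x = pow(x, 2, N)
        if x == N - 1:
            return True
    return False

def is_perfect_power(N):
    for k in range(2, N.bit_length() + 1):
        lo, hi = 1, 1 << (N.bit_length() // k + 1)
        while lo < hi:                       # smallest lo with lo^k >= N
            mid = (lo + hi) // 2
            lo, hi = (mid + 1, hi) if mid ** k < N else (lo, mid)
        if lo ** k == N:
            return True
    return False

def miller_rabin(N, t=40):                   # t = 40 is an assumed default
    if N < 5 or N % 2 == 0 or is_perfect_power(N):
        return N in (2, 3)
    return all(strong_liar(N, 2 + secrets.randbelow(N - 3)) for _ in range(t))

def generate_random_prime(n):
    for _ in range(3 * n * n):
        p = (1 << (n - 1)) | secrets.randbits(n - 1)   # p := 1 || p'
        if miller_rabin(p):
            return p
    return None                              # "fail"

def key_generation(n, e=65537):              # fixed e is an assumption
    while True:
        p, q = generate_random_prime(n), generate_random_prime(n)
        if p and q and p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def liar_counts(N):
    """(bases passing the "almost" test, strong liars) for a in [2, N-2]."""
    fermat = sum(pow(a, N - 1, N) == 1 for a in range(2, N - 1))
    return fermat, sum(strong_liar(N, a) for a in range(2, N - 1))
```

For the Carmichael number 561 = 3·11·17, liar_counts(561) returns (318, 8): every base coprime to N passes the “almost” test, while only 8 of the 558 bases pass a Miller-Rabin round, well under the ¼ bound.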