Finding Prime Numbers, RSA, Summaries of Algorithms and Programming

Theory: Deterministic algorithm to test for primality (see breakthrough paper “Primes is in P”). Practice: Miller-Rabin Test (randomized algorithm).

Typology: Summaries

2022/2023

Uploaded on 05/11/2023

conney

Cryptography
CS 555
Topic 24: Finding Prime Numbers, RSA

Recap

  • Number Theory Basics
  • Abelian Groups
  • $\phi(pq) = (p-1)(q-1)$ for distinct primes p and q
  • $\phi(N) = |\mathbb{Z}_N^*|$

$$g^{x} \bmod N = g^{[x \bmod \phi(N)]} \bmod N$$

Bertrand’s Postulate

Theorem 8.32. For any n > 1 the fraction of n-bit integers that are prime is at least $\frac{1}{3n}$.

GenerateRandomPrime(1^n)

    For i = 1 to 3n^2:
        p’ ← {0,1}^(n−1)
        p := 1‖p’
        if isPrime(p) then return p
    return fail

Can we do this in polynomial time?

Assume for now that we can run isPrime(p). What are the odds that the algorithm fails?

On each iteration the probability that p is not a prime is $1 - \frac{1}{3n}$.

We fail if we pick a non-prime in all $3n^2$ iterations. The probability is

$$\left(1 - \frac{1}{3n}\right)^{3n^2} = \left(\left(1 - \frac{1}{3n}\right)^{3n}\right)^{n} \le e^{-n}$$

The “Almost” Miller-Rabin Test

Input: Integer N and parameter $1^t$

Output: “prime” or “composite”

    for i = 1 to t:
        a ← {1,…,N−1}
        if a^(N−1) ≠ 1 mod N then return “composite”
    return “prime”

Claim: If N is prime then the algorithm always outputs “prime”.

Proof: For any $a \in \{1,\dots,N-1\}$ we have $a^{N-1} = a^{\phi(N)} = 1 \bmod N$.

Fact: If N is composite and not a Carmichael number then the algorithm outputs “composite” with probability $1 - 2^{-t}$.

Need a bit of extra work to handle Carmichael numbers.
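The gap between the “almost” test and the full test, as an added Python example that is not part of the original slides: it implements the slide's test, the standard Miller-Rabin strong-witness check as the “extra work”, and GenerateRandomPrime on top of it. The function names, the choice of t = 40 rounds and the use of the OS CSPRNG are assumptions of this example; 561 = 3·11·17 is the smallest Carmichael number.

```python
import secrets

_rng = secrets.SystemRandom()  # assumption: OS CSPRNG; the slides only say "random"

def fermat_test(N, t, rng=_rng):
    """The slide's "almost" Miller-Rabin test: t rounds of a^(N-1) mod N."""
    for _ in range(t):
        a = rng.randrange(1, N)              # a <- {1,...,N-1}
        if pow(a, N - 1, N) != 1:
            return "composite"
    return "prime"

def fermat_pass_count(N):
    """Number of bases a in {1,...,N-1} that a round of the test above accepts."""
    return sum(1 for a in range(1, N) if pow(a, N - 1, N) == 1)

def miller_rabin(N, t, rng=_rng):
    """Full Miller-Rabin test (the "extra work"): also rejects Carmichael numbers."""
    if N in (2, 3):
        return "prime"
    if N < 2 or N % 2 == 0:
        return "composite"
    r, u = 0, N - 1                          # write N - 1 = 2^r * u with u odd
    while u % 2 == 0:
        r, u = r + 1, u // 2
    for _ in range(t):
        x = pow(rng.randrange(2, N - 1), u, N)
        if x in (1, N - 1):
            continue                         # this base is not a witness
        for _ in range(r - 1):               # square up to r-1 times looking for -1
            x = pow(x, 2, N)
            if x == N - 1:
                break
        else:
            return "composite"               # never reached -1: N is composite
    return "prime"

def generate_random_prime(n, t=40):
    """GenerateRandomPrime(1^n) from the slides with isPrime = miller_rabin."""
    for _ in range(3 * n * n):               # 3n^2 attempts
        p = (1 << (n - 1)) | secrets.randbits(n - 1)   # p = 1 || p'
        if miller_rabin(p, t) == "prime":
            return p
    return None                              # "fail", probability <= e^-n

if __name__ == "__main__":
    print(fermat_pass_count(561), "of 560 bases pass a^560 = 1 mod 561")
    print(miller_rabin(561, 40), generate_random_prime(256))
```

For 561, every base coprime to N passes the “almost” test (320 of 560 bases), so the $1 - 2^{-t}$ bound does not apply to it, while the full test rejects it.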

(Plain) RSA Encryption

  • Public Key: PK=(N,e)
  • Message $m \in \mathbb{Z}_N$: $\mathrm{Enc}_{PK}(m) = m^{e} \bmod N$
  • Remark: Encryption is efficient if we use the power mod algorithm.

(Plain) RSA Decryption

  • Secret Key: SK=(N,d)
  • Ciphertext $c \in \mathbb{Z}_N$: $\mathrm{Dec}_{SK}(c) = c^{d} \bmod N$
  • Remark 1: Decryption is efficient if we use the power mod algorithm.
  • Remark 2: Suppose that $m \in \mathbb{Z}_N^*$ and let $c = \mathrm{Enc}_{PK}(m) = m^{e} \bmod N$. Then

$$\mathrm{Dec}_{SK}(c) = (m^{e})^{d} \bmod N = m^{ed} \bmod N = m^{[ed \bmod \phi(N)]} \bmod N = m^{1} \bmod N = m$$

Factoring Assumption

Let GenModulus($1^n$) be a randomized algorithm that outputs (N=pq, p, q) where p and q are n-bit primes (except with negligible probability negl(n)).

Experiment $\mathrm{FACTOR}_{A,n}$

  1. (N=pq, p, q) ← GenModulus($1^n$)
  2. Attacker A is given N as input
  3. Attacker A outputs p’ > 1 and q’ > 1
  4. Attacker A wins if N=p’q’.

Attacker A wins ($\mathrm{FACTOR}_{A,n} = 1$) if and only if N=p’q’. The factoring assumption states:

$$\forall\ \text{PPT } A\ \ \exists \mu \text{ (negligible) s.t. } \Pr[\mathrm{FACTOR}_{A,n} = 1] \le \mu(n)$$

  • Necessary for security of RSA.
  • Not known to be sufficient.

(Plain) RSA Discussion

  • We have not introduced security models like CPA-Security or CCA-security for Public Key Cryptosystems
  • However, notice that (Plain) RSA Encryption is stateless and deterministic, so Plain RSA is not secure against chosen-plaintext attacks
    • In a public key setting the attacker does have access to an encryption oracle
    • Encrypted messages with low entropy are vulnerable to a brute-force attack
  • Plain RSA is also highly vulnerable to chosen-ciphertext attacks
    • Attacker intercepts ciphertext c of secret message m
    • Attacker generates ciphertext c’ for secret message 2m
    • Attacker asks for decryption of c’ to obtain 2m
    • Divide by 2 to recover original message m

Mathematica Demo

https://www.cs.purdue.edu/homes/jblocki/courses/555_Spring17/slides/Lecture24Demo.nb

Note: Online version of Mathematica available at https://sandbox.open.wolframcloud.com (reduced functionality, but can be used to solve homework bonus problems)

Next Class

  • Read Katz and Lindell 8.3, 11.5.
  • Discrete Log, DDH + Attacks on Plain RSA