Primality Testing - Lecture Slides | COMP 7120, Study notes of Computer Science

Material Type: Notes; Professor: Deng; Class: Cryptography/Data Security; Subject: COMP Computer Science; University: University of Memphis; Term: Spring 2002;


Uploaded on 07/28/2009

Primality testing

- Let π(N) be the number of primes that are less than or equal to N.
- Prime number theorem: π(N) ≈ N/ln(N).
- If N ≥ 17, N/ln(N) < π(N) < 1.26 N/ln(N).
- e.g. N = p or q in n = pq, with p ≈ q ≈ 2^512.
- Pr(N is prime | odd N ≈ 2^512) ≈ 1/ln(2^512) = 1/355.
- It is easier to prove "N" is composite than to prove "N" is prime. (why?)

Definition 5.1

- yes-biased Monte Carlo algorithm: a randomized algorithm in which a "yes" answer is always correct, while a "no" answer may be incorrect.
- "yes" or "no" is the decision made by the algorithm for a problem (e.g. Is N composite?).
- pr(incorrect answer | "yes") = 0.
- If pr(incorrect answer | "no") ≤ ε, then the algorithm has error probability ε.

Problem 5.1 (page 179)

- Q: Is N composite?
- If we answer "yes" because a factor was found (or by some other method), then N is definitely composite.
- For a yes-biased Monte Carlo algorithm, pr(composite | "yes") = 1.
- Error probability: pr(composite | "no") ≤ ε.
- pr(prime | "no") > 1 - ε.


Primality test for a large integer

- probabilistic test:
  - can be highly efficient
  - tiny probability of making an error
- deterministic test:
  - no general polynomial-time algorithm was available until Agrawal, Kayal, and Saxena (2002) [AKS algorithm]
  - the AKS algorithm is still not practical for a large prime number.

Probabilistic composite tests

- Solovay-Strassen Algorithm (Algorithm 5.6, page 182) is a yes-biased algorithm with error probability at most 1/2.
- Miller-Rabin Algorithm (Algorithm 5.7) is a yes-biased algorithm with error probability at most 1/4.
- We can perform several independent random tests to drastically reduce the error probability.

Miller-Rabin Algorithm

- Let n - 1 = 2^k · m, with m odd.
- Choose "a" randomly between 1 and n - 1.
- b ← a^m mod n.
- if b = 1, then return ("prime")
- for i = 0 to k - 1 do
  - if b ≡ -1 (mod n), then return ("prime")
  - else b ← b^2 mod n.
- return ("composite")
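The test as written on the slide, plus the repeated-rounds wrapper the previous slide describes, as an added Python example (not code from the slides or from the textbook). It also shows the yes-biased behaviour from Definition 5.1 on a concrete composite: 221 = 13 × 17 has "strong liar" bases for which a single round wrongly says "prime", while a "composite" verdict is never wrong. The function names and the choice of 221 and its bases are my own.

```python
import random


def miller_rabin_round(n: int, a: int) -> str:
    """One round of the Miller-Rabin test from the slide, with a fixed base a.
    Returns "prime" or "composite". "composite" is always correct; "prime"
    can be wrong (a is then called a strong liar), so as an answer to
    "Is n composite?" the test is yes-biased."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    # write n - 1 = 2^k * m with m odd
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    b = pow(a, m, n)              # b <- a^m mod n
    if b == 1:
        return "prime"
    for _ in range(k):            # for i = 0 .. k-1
        if b == n - 1:            # b = -1 mod n
            return "prime"
        b = b * b % n             # b <- b^2 mod n
    return "composite"


def is_probable_prime(n: int, rounds: int = 20, rng=None) -> bool:
    """Repeat the round with independent random bases. A composite survives
    one round with probability at most 1/4, so after `rounds` rounds it is
    wrongly accepted with probability at most 4^-rounds."""
    rng = rng or random.Random()
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randint(1, n - 1)   # choose a randomly between 1 and n-1
        if miller_rabin_round(n, a) == "composite":
            return False            # one "composite" answer is definitive
    return True


def error_bound(rounds: int) -> float:
    """Upper bound on the error probability after `rounds` independent rounds."""
    return 0.25 ** rounds


if __name__ == "__main__":
    # 221 = 13 * 17 is composite; base 174 is a strong liar, base 137 a witness.
    print(miller_rabin_round(221, 174), miller_rabin_round(221, 137))
    print(is_probable_prime(7919), is_probable_prime(561), error_bound(20))
```

Choosing the base at random is what makes the 1/4 bound meaningful: an attacker who can pick the candidate n cannot also pick the bases, so a single lucky liar does not survive twenty independent rounds.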

Pollard rho Algorithm (n, x1)

- Choose an initial seed x1 and f(x) = x^2 + c (the constant is cut off in the source; c = 1 is the usual choice).
- x ← x1, x' ← f(x) mod n,
- p ← gcd(x - x', n).
- while (p = 1) do
  - x ← f(x) mod n,
  - x' ← f(x') mod n, x' ← f(x') mod n
  - p ← gcd(x - x', n)
- if (p < n) return (p) else return ("fail")
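The slide's procedure in Python, as an added example that is not part of the slides. It keeps the slide's structure exactly (x advances one step, x' two steps, stop when gcd(x - x', n) ≠ 1) and adds the retry loop a practitioner needs for the "fail" branch, which happens when x and x' collide modulo all of n at once. The function names, the default f(x) = x^2 + 1 and the sample modulus 8051 = 83 × 97 are my own choices.

```python
from math import gcd


def pollard_rho(n: int, x1: int = 2, c: int = 1):
    """Pollard rho factor search as on the slide, with f(x) = x^2 + c.
    Returns a non-trivial factor of n, or None for the slide's "fail"."""
    def f(x):
        return (x * x + c) % n

    x = x1 % n
    x2 = f(x)                  # x' <- f(x) mod n
    p = gcd(x - x2, n)         # p  <- gcd(x - x', n); math.gcd handles negatives
    while p == 1:
        x = f(x)               # x  moves one step
        x2 = f(f(x2))          # x' moves two steps (Floyd cycle detection)
        p = gcd(x - x2, n)
    return p if p < n else None   # p == n means the sequences collided: fail


def factor_with_retries(n: int, seeds=(2, 3, 5, 7), constants=(1, 2, 3)):
    """Re-run with other seeds / constants when one run fails.
    Returns a non-trivial factor, or None if every attempt fails
    (for a prime n every attempt fails)."""
    for c in constants:
        for x1 in seeds:
            p = pollard_rho(n, x1, c)
            if p is not None:
                return p
    return None


if __name__ == "__main__":
    print(pollard_rho(8051))          # 97 (with x1 = 2, f(x) = x^2 + 1)
    print(factor_with_retries(8051))
    print(pollard_rho(101))           # None: 101 is prime, the run "fails"
```

The running time grows roughly with the square root of the smallest prime factor, which is why the method is a useful sanity check for small factors but not a threat to a properly generated RSA modulus.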

Factoring Algorithms in Practice: asymptotic running time

- number field sieve: O(exp[(1.92 + o(1)) (ln n)^(1/3) (ln ln n)^(2/3)])
- elliptic curve (p is the smallest prime dividing n): O(exp[(1 + o(1)) (ln p · ln ln p)^(1/2)])
- quadratic sieve: O(exp[(1 + o(1)) (ln n · ln ln n)^(1/2)])

RSA Challenges

- Early 1990s: RSA-d, d = # of digits in n = pq. RSA-100, RSA-110, …, RSA-500.
- RSA-160 factored in 2003.
- Since 2001: RSA-b, b = # of bits in n = pq.
- RSA-576, RSA-640, RSA-704, RSA-768, RSA-896, RSA-1024, RSA-1576.
- Prizes: from $10,000 to $200,000.
- http://mathworld.wolfram.com/

Other Attacks on RSA

- computing φ(n)
- finding the decryption exponent (d) of RSA
- Wiener's low decryption exponent attack.

Computing φ(n)

- If both n and φ(n) are known, then we can find the factorization of n. Why?
- n = pq, φ(n) = (p - 1)(q - 1).
- Plug q = n/p into the equation for φ(n):
- p^2 - (n - φ(n) + 1) p + n = 0.
- We can then easily solve this quadratic equation for p.

Example 5.13 (page 201)

- n = 84773093,
- φ(n) = 84754668.
- n - φ(n) = 18425.
- The quadratic equation for p is p^2 - (n - φ(n) + 1) p + n = 0, i.e.
- p^2 - 18426 p + 84773093 = 0.
- Solutions (how?) are 9539 and 8887.
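Example 5.13 carried out in code, as an added example that is not from the slides or the textbook. It solves the slide's quadratic with an exact integer square root (a floating-point sqrt would round for 1024-bit moduli), rejects inconsistent (n, φ(n)) pairs, and then shows why leaking φ(n) is a total break: the private exponent d follows from e and φ(n) directly. The function names, the public exponent 65537 and the sample message are my own; `pow(e, -1, m)` needs Python 3.8 or later.

```python
from math import isqrt


def factor_from_phi(n: int, phi: int):
    """Recover (p, q) from n = pq and phi = (p-1)(q-1) by solving
    p^2 - (n - phi + 1) p + n = 0 exactly. Returns None if the pair is not
    consistent with a two-prime modulus."""
    b = n - phi + 1                 # b = p + q
    disc = b * b - 4 * n            # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        return None
    s = isqrt(disc)
    if s * s != disc or (b + s) % 2:
        return None                 # no integer roots
    p, q = (b + s) // 2, (b - s) // 2
    if p * q != n:
        return None
    return p, q


def rsa_total_break(n: int, phi: int, e: int):
    """Given n, phi(n) and the public exponent e, return (p, q, d):
    the factorization and the private exponent d = e^-1 mod phi(n)."""
    factors = factor_from_phi(n, phi)
    if factors is None:
        return None
    d = pow(e, -1, phi)             # multiplicative inverse of e mod phi(n)
    return factors[0], factors[1], d


if __name__ == "__main__":
    n, phi, e = 84773093, 84754668, 65537
    p, q, d = rsa_total_break(n, phi, e)
    print(p, q, d)                  # 9539 8887 ...
    m = 123456
    print(pow(pow(m, e, n), d, n) == m)   # the recovered d decrypts correctly
```

The same computation is why RSA implementations treat φ(n) (and λ(n)) with the same care as the private key itself.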

Algorithm 5.2 (Rabin)

- Let n = pq, p ≡ 3 (mod 4), q ≡ 3 (mod 4).
- P = C = Z_n^*. K = {(n, p, q)}. n is the public key.
- Encryption: e_K(x) = x^2 mod n
- Decryption: d_K(y) = y^(1/2) mod n (how?)

Find y^(1/2) mod n?

- Require n = pq, p ≡ 3 (mod 4) and q ≡ 3 (mod 4).
- Recall y^(p-1) ≡ 1 (mod p) (and y^(q-1) ≡ 1 (mod q)).
- Since y ≡ x^2 (mod p), we have y^((p-1)/2) ≡ 1 (mod p).
- We can show that x = ±y^((p+1)/4) mod p satisfies x^2 ≡ y (mod p): squaring gives y^((p+1)/2) = y · y^((p-1)/2) ≡ y (mod p). (p ≡ 3 (mod 4) is what makes (p+1)/4 an integer.)
- Likewise, x = ±y^((q+1)/4) mod q satisfies x^2 ≡ y (mod q).
- We can find the four solutions using the Chinese Remainder Theorem.

Example 5.

- Choose small n = 77 = 7 × 11.
- e_K(x) = x^2 mod 77, d_K(y) = y^(1/2) mod 77.
- Suppose y = 23 is received. Find x?
- x ≡ 23^((7+1)/4) ≡ 2^2 ≡ 4 (mod 7).
- x ≡ 23^((11+1)/4) ≡ 1^3 ≡ 1 (mod 11).
- Using the CRT with x ≡ ±4 (mod 7) and x ≡ ±1 (mod 11), we find x ≡ ±10 and ±32 (mod 77),
- i.e. x = 10, 32, 45, 67.

Security of Rabin Cryptosystem

- The security of the Rabin cryptosystem can be proved using a "Turing reduction". (page 213)
- Factorization ≤_T Rabin decryption.
- If we can solve Rabin decryption in polynomial time, then we can solve the factorization problem in polynomial time.
- Factorization is hard, so Rabin decryption is hard too.
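The example with n = 77 and the Turing reduction of the last slide, both in one added Python example (mine, not the slides' or the textbook's code). `rabin_decrypt` computes the square roots mod p and mod q with the (p+1)/4 exponents and combines them with the CRT; `factor_via_decryption_oracle` is the reduction: pick a random x, ask a decryption oracle for a square root of x^2 mod n, and whenever the root it returns is not ±x, gcd(x - root, n) splits n, which happens for half of all x. The function names, the oracle interface and the use of the smallest root as the oracle's answer are my own assumptions; `pow(a, -1, m)` needs Python 3.8 or later.

```python
import random
from math import gcd


def rabin_encrypt(x: int, n: int) -> int:
    """e_K(x) = x^2 mod n."""
    return x * x % n


def crt_pair(r_p: int, p: int, r_q: int, q: int) -> int:
    """The x mod pq with x ≡ r_p (mod p) and x ≡ r_q (mod q), p and q coprime."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)


def rabin_decrypt(y: int, p: int, q: int):
    """All four square roots of y mod n = pq, for p ≡ q ≡ 3 (mod 4).
    Returns [] if y is not a square mod n (not a valid ciphertext)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be 3 mod 4")
    rp = pow(y, (p + 1) // 4, p)        # ±rp are the roots mod p
    rq = pow(y, (q + 1) // 4, q)        # ±rq are the roots mod q
    if rp * rp % p != y % p or rq * rq % q != y % q:
        return []                        # the formula only works for residues
    roots = {crt_pair(sp, p, sq, q)
             for sp in (rp, (-rp) % p) for sq in (rq, (-rq) % q)}
    return sorted(roots)


def factor_from_roots(n: int, x1: int, x2: int):
    """If x1^2 ≡ x2^2 (mod n) but x1 ≢ ±x2, then gcd(x1 - x2, n) is a factor."""
    if (x1 - x2) % n == 0 or (x1 + x2) % n == 0:
        return None
    return gcd(x1 - x2, n)


def factor_via_decryption_oracle(n: int, oracle, tries: int = 64, rng=None):
    """The Turing reduction Factorization <=_T Rabin decryption.
    `oracle(y)` must return some square root of y mod n. Each query succeeds
    with probability 1/2, so `tries` queries fail with probability 2^-tries."""
    rng = rng or random.Random()
    for _ in range(tries):
        x = rng.randrange(1, n)
        g = gcd(x, n)
        if g != 1:
            return g                     # x not in Z_n^*: already a factor
        root = oracle(rabin_encrypt(x, n))
        f = factor_from_roots(n, x, root)
        if f is not None:
            return f
    return None


if __name__ == "__main__":
    p, q = 7, 11
    n = p * q
    print(rabin_decrypt(23, p, q))                    # [10, 32, 45, 67]
    print(factor_from_roots(n, 10, 32))               # 11
    oracle = lambda y: rabin_decrypt(y, p, q)[0]      # decryption box: one root
    print(factor_via_decryption_oracle(n, oracle))    # 7 or 11
```

The reduction is also the reason a Rabin decryption device must never return a root for a chosen ciphertext without some redundancy check on the plaintext: an attacker with such a device recovers the private key after a handful of queries.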

Semantic Security of RSA

- total break: the private key is known to your adversary.
- partial break: some unseen ciphertexts can be decrypted by your adversary.
- distinguishability of ciphertexts: the adversary has a > 1/2 chance to distinguish between the encryptions of two plaintexts.

Multi-precision arithmetic software packages

- Modular arithmetic operations are provided to compute residues, perform exponentiation, and compute multiplicative inverses:
  - BigInteger class in Java: http://java.sun.com/j2se/1.4.2/docs/api/java/math/BigInteger.html
  - NTL (for C++): http://www.shoup.net/
  - GMP (for C): http://www.swox.com/gmp/
  - MAPLE or MATHEMATICA.