RSA cryptosystem--preview

1
RSA cryptosystem--preview

• Suppose np?q and ?(n)(p-1)(q-1), where p and q
  are big primes.
• Select (find) a and b, such that a?b1 mod ?(n).
• K(n,p,q,a,b), publicize n,b, but keep p,q,a
  secret.
• For any x,y?Zn , define
• eK(x) xb mod n (encryption)
• dK(y) ya mod n (decryption (xb)a mod nx)
• Of course, from n,b, it is very difficult to get
  a (as well as p,q,?(n)).

2
RSA--implementation

1. Generate two large primes, p and q.
2. n ? pq and ?(n) ? (p-1)(q-1)
3. Chose a random b (1lt b lt ?(n)) such that gcd(b,
   ?(n))1
4. a ? b-1 mod ?(n)
5. The public key is (n,b) and the private key is
   (p,q,a).

Could you raise any questions about RSA?
3
Questions about RSA

• How to generate large primes?
• How to compute the modular-exponentiation
  (encryption decryption) efficiently?
• RSA attack attempt to factor n and how?
• RSA uses numbers, therefore need encoding for
  normal text.

4
RSAprimality testing

• How to generate large primes?
• Select a random large number
• Test whether or not the number is a prime.
• How often a random selected number is a prime?
• Let ?(N) be the number of primes ? N.
• Prime number theory ?(N) ? N/lnN
• Therefore the probability of a random number
  being a prime is 1/lnN
• Suppose n pq is 1024 bits, so p and q are 512
  bits, 1/ln2512 ? 1/355.

5
RSAprimality testing

• (yes-biased) Monte Carlo algorithm
• For yes-no decision problem
• Random algorithm (randomly choose a number)
• If the algorithm gives answer yes, it is always
  correct
• It the answer is no, it may be incorrect.

Therefore, may try several times such that the
probability of the incorrectness for no is
extremely small.
Las Vegas algorithm may not give answer, but any
answer it gives is correct.
Probabilistic algorithms the algorithms which
can be wrong in some cases (i.e., probably, or
with certain probability)
6
RSAprimality testing

• (yes-biased) Monte Carlo algorithm
• Solovay-Strassen algorithm
• Miller-Rabin algorithm
• A good news confirmed primality testing
  algorithm
• By three Indian scientists.

7
Solovay-Strassen primality test

• Given integer n, is n a composite?
• Choose a random integer a ( 1 lt a lt n)
• x?
• If x0 then return yes (n is a composite)
• y ? a(n-1)/2 (mod n)
• If x ? y (mod n)
• then return no (n is a prime) (of course maybe
  incorrect)
• else return yes (n is a composite).

8
Solovay-Strassen primality test

• The proof of the algorithm
• If n is a prime, the ? a(n-1)/2 mod n for
  any a
• If n is a composite,
• then for some a, ? a(n-1)/2 , Call n to
  be an Euler pseudo-prime to base a. For example,
  -1 ? 1045 mod 91.
• but others not.
• At most half of a ? Zn , n is a pseudo-prime to
  a.
• So error probability is at most ½.
• Test k different a, (1/2)k.

10
(
)
91
9
RSA attacks

• Computing ?(n) no easier than factoring n.
• Decryption Exponent ano easier than factoring n
• So the security of RSA is based on the difficulty
  of factorization of large numbers.
• Factoring algorithms
• Trial division up to ? n
• Pollard p-1 algorithm

10
RSA attackPollard p-1 algorithm

• Given n, and select a random B (not too big)
• a ? 2
• For j2 to B
• a ? aj mod n
• d ? gcd(a-1,n)
• If d gt 1
• then return d (d is a factor of n)
• else return failure.

11
The correctness of p-1 algorithm

1. Suppose p is a prime factor of n,
2. Assume for all q, qB, q is (power of) a prime
   factor of p-1.
3. Then p-1 B!, suppose B! (p-1)t.
4. The final a?2B! mod n, since pn, so a?2B! mod p
5. We know, 2p-1 ?1 mod p, so
6. a?2B! mod p 2(p-1)t mod p ?1t mod p ?1 mod p
7. So p (a-1), thus pgcd(a-1,n)

Conclusion if p or q of factors of n is not
selected in a correct way, n will be easily
factored.
12
P-1 example

• n15770708441, B180
• Then a 11620221425, and d135979.
• As a result 15770708441 135979115979
• Here 135978 23131173

13
RSA summary

• RSA principle
• RSA implementation
• Generate large primes
• Compute xc mod n square-and-multiply
• RSA attacks
• Conclusion p and q must be appropriately
  selected large primes.