Factoring Algorithms and Other Attacks on the RSA 1/12

Similar documents
Math 609/597: Cryptography 1

An extension of the RSA trapdoor in a KEM/DEM framework

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Review of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage

Math 4400/6400 Homework #7 solutions

Solutions to Math 347 Practice Problems for the final

The picture in figure 1.1 helps us to see that the area represents the distance traveled. Figure 1: Area represents distance travelled

Trial division, Pollard s p 1, Pollard s ρ, and Fermat s method. Christopher Koch 1. April 8, 2014

Primality Test. Rong-Jaye Chen

The Structure of Z p when p is Prime

Exam 2 CMSC 203 Fall 2009 Name SOLUTION KEY Show All Work! 1. (16 points) Circle T if the corresponding statement is True or F if it is False.

Seunghee Ye Ma 8: Week 5 Oct 28

1 Summary: Binary and Logic

Quantum Computing Lecture 7. Quantum Factoring

Simon Blackburn. Sean Murphy. Jacques Stern. Laboratoire d'informatique, Ecole Normale Superieure, Abstract

CSE 1400 Applied Discrete Mathematics Number Theory and Proofs

A Simple Derivation for the Frobenius Pseudoprime Test

Mini Lecture 10.1 Radical Expressions and Functions. 81x d. x 4x 4

PROBLEM SET 5 SOLUTIONS. Solution. We prove that the given congruence equation has no solutions. Suppose for contradiction that. (x 2) 2 1 (mod 7).

NICK DUFRESNE. 1 1 p(x). To determine some formulas for the generating function of the Schröder numbers, r(x) = a(x) =

Polynomial reduction. Outline Lecture. Non deterministic polynomial time. Example 1 : discrete log. Lecture: Polynomial reduction.

Estimating the φ(n) of Upper/Lower Bound in its RSA Cryptosystem

3.2.4 Integer and Number Theoretical Functions

Markov Decision Processes

The multiplicative structure of finite field and a construction of LRC

Oblivious Transfer using Elliptic Curves

Complex Numbers Solutions

End-of-Year Contest. ERHS Math Club. May 5, 2009

7. Modern Techniques. Data Encryption Standard (DES)

MATH 304: MIDTERM EXAM SOLUTIONS

Wrap of Number Theory & Midterm Review. Recall: Fundamental Theorem of Arithmetic

Induction: Solutions

Fermat s Little Theorem. mod 13 = 0, = }{{} mod 13 = 0. = a a a }{{} mod 13 = a 12 mod 13 = 1, mod 13 = a 13 mod 13 = a.

The Paillier Cryptosystem

International Journal of Advanced Research in Computer Science and Software Engineering

Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Injections, Surjections, and the Pigeonhole Principle

PROPERTIES OF THE POSITIVE INTEGERS

A Provably Secure Signature Scheme based on Factoring and Discrete Logarithms

Recurrence Relations

Polynomials with Rational Roots that Differ by a Non-zero Constant. Generalities

A Block Cipher Using Linear Congruences

and each factor on the right is clearly greater than 1. which is a contradiction, so n must be prime.

Different kinds of Mathematical Induction

Math 155 (Lecture 3)

Recursive Algorithms. Recurrences. Recursive Algorithms Analysis

In number theory we will generally be working with integers, though occasionally fractions and irrationals will come into play.

Zeros of Polynomials

RADICAL EXPRESSION. If a and x are real numbers and n is a positive integer, then x is an. n th root theorems: Example 1 Simplify

Polynomial and Rational Functions. Polynomial functions and Their Graphs. Polynomial functions and Their Graphs. Examples

Properties and Tests of Zeros of Polynomial Functions

3.2 Properties of Division 3.3 Zeros of Polynomials 3.4 Complex and Rational Zeros of Polynomials

First selection test, May 1 st, 2008

ORTHOGONAL MATRIX IN CRYPTOGRAPHY

Lecture 9: Pseudo-random generators against space bounded computation,

Homework 3. = k 1. Let S be a set of n elements, and let a, b, c be distinct elements of S. The number of k-subsets of S is

Solutions to Final Exam Review Problems

Mathematical Induction

LESSON 2: SIMPLIFYING RADICALS

Independence of the Miller-Rabin and Lucas Probable Prime Tests

ACO Comprehensive Exam 9 October 2007 Student code A. 1. Graph Theory

(b) What is the probability that a particle reaches the upper boundary n before the lower boundary m?

Q-BINOMIALS AND THE GREATEST COMMON DIVISOR. Keith R. Slavin 8474 SW Chevy Place, Beaverton, Oregon 97008, USA.

Random Models. Tusheng Zhang. February 14, 2013

Last time, we talked about how Equation (1) can simulate Equation (2). We asserted that Equation (2) can also simulate Equation (1).

sin(n) + 2 cos(2n) n 3/2 3 sin(n) 2cos(2n) n 3/2 a n =

FLC Ch 8 & 9. Evaluate. Check work. a) b) c) d) e) f) g) h) i) j) k) l) m) n) o) 3. p) q) r) s) t) 3.

14.1 Understanding Rational Exponents and Radicals

Fourier Analysis, Stein and Shakarchi Chapter 8 Dirichlet s Theorem

CSI 2101 Discrete Structures Winter Homework Assignment #4 (100 points, weight 5%) Due: Thursday, April 5, at 1:00pm (in lecture)

AN IMPROVEMENT OF ARTIN S CONJECTURE ON AVERAGE FOR COMPOSITE MODULI. 1. Introduction

Solutions to Problem Set 8

Chapter 4. Fourier Series

11. FINITE FIELDS. Example 1: The following tables define addition and multiplication for a field of order 4.

CS 5150/6150: Assignment 1 Due: Sep 23, 2010

CS / MCS 401 Homework 3 grader solutions

Introduction to Public-Key Cryptosystems:

MATH 324 Summer 2006 Elementary Number Theory Solutions to Assignment 2 Due: Thursday July 27, 2006

Unit 4: Polynomial and Rational Functions

The Binomial Theorem

MA541 : Real Analysis. Tutorial and Practice Problems - 1 Hints and Solutions

CS 270 Algorithms. Oliver Kullmann. Growth of Functions. Divide-and- Conquer Min-Max- Problem. Tutorial. Reading from CLRS for week 2

TEACHER CERTIFICATION STUDY GUIDE

PROBLEM SET 5 SOLUTIONS 126 = , 37 = , 15 = , 7 = 7 1.

-BENT FUNCTIONS. Abstract

Order doesn t matter. There exists a number (zero) whose sum with any number is the number.

[ 11 ] z of degree 2 as both degree 2 each. The degree of a polynomial in n variables is the maximum of the degrees of its terms.

COMP4109 : Applied Cryptography

( ) 2 + k The vertex is ( h, k) ( )( x q) The x-intercepts are x = p and x = q.

The 4-Nicol Numbers Having Five Different Prime Divisors

THE ASYMPTOTIC COMPLEXITY OF MATRIX REDUCTION OVER FINITE FIELDS

3sin A 1 2sin B. 3π x is a solution. 1. If A and B are acute positive angles satisfying the equation 3sin A 2sin B 1 and 3sin 2A 2sin 2B 0, then A 2B

THE KENNESAW STATE UNIVERSITY HIGH SCHOOL MATHEMATICS COMPETITION PART II Calculators are NOT permitted Time allowed: 2 hours

[ 47 ] then T ( m ) is true for all n a. 2. The greatest integer function : [ ] is defined by selling [ x]

UNIT #8 QUADRATIC FUNCTIONS AND THEIR ALGEBRA REVIEW QUESTIONS

Introduction to Cybersecurity Cryptography (Part 5)

CHAPTER 5. Theory and Solution Using Matrix Techniques

Section 4.1. Properties of Exponents

XT - MATHS Grade 12. Date: 2010/06/29. Subject: Series and Sequences 1: Arithmetic Total Marks: 84 = 2 = 2 1. FALSE 10.

Chapter 2. Periodic points of toral. automorphisms. 2.1 General introduction

Transcription:

Factorig Algorithms ad Other Attacks o the RSA T-79550 Cryptology Lecture 8 April 8, 008 Kaisa Nyberg Factorig Algorithms ad Other Attacks o the RSA /

The Pollard p Algorithm Let B be a positive iteger ad p a factor of The Pollard p algorithm works if all prime power divisors of p B are less tha Set a For j a B! mod B compute a a j mod, that is, compute Compute d gcd a If d, the retur d; else retur failure The complexity of the algorithm is BlogB log log 3 Factorig Algorithms ad Other Attacks o the RSA /

Why It Works If q divides B! B for every prime power q that divides p, the p Sice p divides, it must be that a B! mod p Sice p mod p, it follows that a mod p The p divides a ad therefore p divides d = gcd a d is a o-trivial divisor of uless a If a the algorithm ca be repeated usig some other value tha to iitialize a Factorig Algorithms ad Other Attacks o the RSA 3/

Dixo s Radom Squares Suppose that we ca fid itegers x ad y such that x x y mod The divides either x The gcd x y For example, 0 y or x y is a o-trivial divisor of 3 mod 77 o-trivial divisor of 77, which ideed holds It follows that gcd 3 y mod 0 77 is a ad The algorithm uses a factor base which is a set of small primes The geerate several itegers z such that the prime factors of z mod are i the set Fid a subset z zs of these itegers such that the total umber of occureces of each prime factor i the squares of these umbers is eve The z umbers from z s is equivalet modulo to a square of a product of Factorig Algorithms ad Other Attacks o the RSA 4/

3 7 Radom Squares Example 577070844 ad 5 3 Select z 834093456, the z 3 7 mod z 04494944, the z 7 3 mod z 3 7737000, the z 3 3 3 mod z z z 3 9503435785 3 7 3 546 mod gcd 9503435785 546 577070844 5759 Curret state of factorig algorithms, see: LENSTRA Arje, Update o Factorig A kilobit special umber field sieve factorizatio at http://wikiuilu/esc/docs/a+kilobit+special+umber+field +sieve+factorizatioppt Factorig Algorithms ad Other Attacks o the RSA 5/

Computig φ If we ca compute φ Give φ, the oe ca factor oe ca solve p from the system of equatios φ pq p q By substitutig q p to the secod equatio, oe gets p φ p 0 The two solutios p of this quadratic equatio are the factors of Factorig Algorithms ad Other Attacks o the RSA 6/

The Private Expoet If we ca compute the private expoet the we ca factor with at least probability / Repeatig m times gives success probability Las Vegas algorithm is a radomized algorithm which may fail to give a aswer, but if it gives a aswer, the aswer is correct m Give a, b ad, with ab mod φ The idea is to fid a o-trivial square root of modulo write ab s r, where r is odd Choose w at radom such that ot, a o-trivial factor of has bee foud!) Compute v Else fid k If v 0 Else compute d w r mod If v s such that v 0 mod gcd w Check that gcd, the retur failure v k, the retur failure v 0 mod ad v 0 v k w mod (If Retur d, which is a o-trivial factor of Factorig Algorithms ad Other Attacks o the RSA 7/

Wieer s Small Private Expoet Attack If 3a 4, where pq ad q p q, the there is a efficiet determiistic algorithm for computig a ad the factorizatio of See separate power poit slides Factorig Algorithms ad Other Attacks o the RSA 8/

p p The Rabi Cryptosystem Let q 3 pq, where p ad q are distict primes ad p mod 4 Let a, ad defie q For K q, defie e K x x mod, ad d K y y mod The value is the public key, while p ad q comprise the private key a Testbook restricts plaitexts ad ciphertexts to Factorig Algorithms ad Other Attacks o the RSA 9/

Security of the Rabi Cryptosystem Theorem: Decryptig i the Rabi Cryptosystem is as hard as factorig the modulus Trivially, if factorig is easy the decryptig is easy It remais to prove the coverse Assume we have a efficiet algorithm for computig decryptios i the Rabi Cryptosystem The ca be used as a basis of a Las Vegas algorithm for factorig the modulus The failure probability of this algorithm is / Select x ad compute y x mod Give y to, which returs u which is oe of the four possible square roots of y modulo If u x mod (the probability that this happes is equal to /) the we ca compute a otrivial divisor of as gcd x u (or as gcd x u ) Factorig Algorithms ad Other Attacks o the RSA 0/

The Isecurity of the Rabi Cryptosystem The same proof shows that the Rabi Cryptosystem is completely isecure agaist Chose Plaitext Attack I the Chose Plaitext Attack the attacker is assumed to have access to a Decryptio Oracle Factorig Algorithms ad Other Attacks o the RSA /

Bleichebacher s Attack ad OAEP Bleichebacher s attack agaist RSA with PKC# paddig shows the importace of resistace agaist Chose Ciphertext Attack (CCA) I the CCA the attacker has access to a oracle which gives some partial iformatio about the plaitext The Optimal Asymmetric Ecryptio Paddig (OAEP) has bee desiged to provide plaitext awareess Factorig Algorithms ad Other Attacks o the RSA /

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback