Cryptography Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Previous Class
  • Attacks on RSA
      ◦ Known digits attacks
      ◦ Low exponent attacks
      ◦ Short plaintext attacks
      ◦ Timing attacks
  • Practical RSA
      ◦ Exponentiation modulo n
      ◦ Primality testing

Factoring and Primality Testing
  • Factoring
      ◦ Input: n ∈ N
      ◦ Output: nontrivial factor of n
  • Primality testing
      ◦ Input: n ∈ N
      ◦ Output:
          - the number is composite
          - the number is probably prime
  • Is there a difference?
      ◦ Yes! – primality testing much easier!
      ◦ You do not need to factor the number to see it is composite

Miller-Rabin Test
  • Generalization of Fermat's test
  • Principle
      ◦ if p is a prime then x^2 = 1 (mod p) has only two solutions: x = 1 and x = -1
  • Why does the principle hold?
  • Gist of the MR test
      ◦ find a number b such that b^2 = 1 (mod p)
      ◦ if b ∉ {-1, 1} then composite

Miller-Rabin Test

    MR( int n ):
        let n-1 = 2^k m
        a random in {2, 3, ..., n-2}
        b_0 = a^m (mod n)
        if b_0 = ±1 (mod n) then declare prime
        for j = 1 to k-1 do
            b_j = b_{j-1}^2 (mod n)
            if b_j = 1 (mod n) then declare composite
            if b_j = -1 (mod n) then declare prime
        declare composite

  • What are we doing?
      ◦ b_0 = a^m (mod n)
      ◦ b_1 = a^{2m} (mod n)
      ◦ b_2 = a^{4m} (mod n)
      ◦ ...
      ◦ b_j = a^{2^j m} (mod n)
      ◦ ...
      ◦ b_{k-1} = a^{(n-1)/2} (mod n)

Miller-Rabin Test: Examples
  • n = 5*7*11 = 385
      n-1 = 384 = 2^7 * 3, k = 7, m = 3, a = 9
      b_0 = 9^3 = 344 (mod 385)
      b_1 = 9^{3*2} = 141 (mod 385)
      b_2 = 9^{3*2^2} = 246 (mod 385)
      b_3 = 9^{3*2^3} = 71 (mod 385)
      b_4 = 9^{3*2^4} = 36 (mod 385)
      b_5 = 9^{3*2^5} = 141 (mod 385)
  • n = 3*11*17 = 561
      n-1 = 560 = 2^4 * 35, k = 4, m = 35, a = 2
      b_0 = 2^35 = 263 (mod 561)
      b_1 = 2^{35*2} = 166 (mod 561)
      b_2 = 2^{35*2^2} = 67 (mod 561)
      b_3 = 2^{35*2^3} = 1 (mod 561)
  Proof of compositeness!

Miller-Rabin Test: Examples
  • n = 401
      n-1 = 400 = 2^4 * 25, k = 4, m = 25, a = 3
      b_0 = 3^25 = 268 (mod 401)
      b_1 = 3^{25*2} = 45 (mod 401)
      b_2 = 3^{25*2^2} = 20 (mod 401)
      b_3 = 3^{25*2^3} = 400 (mod 401) = -1 (mod 401)
  • n = 401
      n-1 = 400 = 2^4 * 25, k = 4, m = 25, a = 2
      b_0 = 2^25 = 356 (mod 401)
      b_1 = 2^{25*2} = 20 (mod 401)
      b_2 = 2^{25*2^2} = 400 (mod 401)
  Evidence of primality!

Miller-Rabin Test
  • if b_0 = ±1 (mod n)
      ◦ all b_i's (i > 0) will be 1
      ◦ can't find nontrivial roots of 1
  • i ∈ {1, ..., k-1}
      ◦ if b_i = 1 (mod n) then
          - b_{i-1} is neither 1 nor -1
          - b_{i-1}^2 = 1 (mod n)
          - we found a nontrivial root
      ◦ if b_i = -1 (mod n) then
          - b_{i+1} through b_k are all 1 (mod n)
          - can't find nontrivial roots of 1
  • Why this works?
      ◦ n-1 = 2^k m
      ◦ b_0 = a^m (mod n)
      ◦ b_1 = a^{2m} (mod n)
      ◦ b_2 = a^{4m} (mod n)
      ◦ ...
      ◦ b_j = a^{2^j m} (mod n)
      ◦ ...
      ◦ b_{k-1} = a^{(n-1)/2} (mod n)

Miller-Rabin Test: Quality
  • MR test is probabilistic
  • Answer
      ◦ composite – the number is certainly composite
      ◦ prime – the number is prime with high probability
  • Errors
      ◦ MR(n) says prime but n is composite
      ◦ Pr[error] ≤ ¼
      ◦ Repeat the test to reduce the probability of error

Other Primality Tests
  • Solovay-Strassen Test
      ◦ similar in nature to MR
      ◦ uses so called Jacobi symbol
      ◦ fast in practice
      ◦ probabilistic
  • Deterministic test
      ◦ Agrawal, Kayal, and Saxena 2002
      ◦ extremely slow
  • Tests that prove primality
      ◦ MR tests compositeness!
      ◦ fairly slow
      ◦ needed in very few cases

Factoring
  • Huge amount of work on factoring!
      ◦ we look at some simple algorithms
  • Assumption
      ◦ Factor an odd integer
      ◦ produce one factor
      ◦ how to get all of them?
  • Some best algorithms
      ◦ quadratic sieve: O(e^{(1+o(1)) sqrt(ln n lnln n)})
      ◦ elliptic curve: O(e^{(1+o(1)) sqrt(ln p lnln p)})
      ◦ number field sieve: O(e^{(1.92+o(1)) (ln n)^{1/3} (lnln n)^{2/3}})

Factoring
  • Factoring
      ◦ Input: n ∈ N
      ◦ Output: nontrivial factor of n
  • There are about π(n) = n / ln n primes ≤ n
  • Trivial methods
      ◦ divide by all numbers in {2, ..., n-1}
      ◦ or by all primes p, p ≤ sqrt(n)
      ◦ These are exponential!

Fermat's Method
  • The principle
      ◦ express n as a difference of squares
      ◦ n = x^2 - y^2
      ◦ n = (x-y)(x+y)
  • The algorithm
      ◦ Compute: n + i^2 for i ∈ {1, 2, ...}
      ◦ Stop when n + i^2 is a square (i.e., x^2 = n + i^2)
      ◦ Then we have n = x^2 - i^2
  • Examples
      15 = 4^2 - 1^2 = (4-1)(4+1) = 3*5
      21 = 5^2 - 2^2 = 25 - 4 = (5-2)(5+2) = 3*7

Fermat's Method
  • Performance
      ◦ depends on distance between x and y
      ◦ could be very slow!
  • Conclusion for RSA
      ◦ p and q should differ by a large value
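Fermat's method as stated on the slides, in Python, with a step limit so that the dependence on the gap between the two factors is visible (an added example, not part of the lecture). The name fermat_factor, the max_steps parameter and the two sample moduli are constructed for illustration.

```python
from math import isqrt

# Constructed sample moduli: two primes 2 apart, and two primes far apart.
CLOSE = 1019 * 1021
FAR = 257 * 2039

def fermat_factor(n, max_steps):
    """Try i = 1, 2, ... until n + i^2 is a perfect square x^2.

    Returns (x - i, x + i, i), where i is the number of steps used,
    or None when no square was found within max_steps.
    """
    for i in range(1, max_steps + 1):
        t = n + i * i
        x = isqrt(t)
        if x * x == t:               # n = x^2 - i^2 = (x - i)(x + i)
            return x - i, x + i, i
    return None

def steps_needed(p, q):
    """For odd p < q the square appears at i = (q - p) / 2."""
    return (q - p) // 2
```

A key-generation check built on this would reject a modulus whenever fermat_factor succeeds within whatever step budget the checker chooses.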

Pollard's p-1 Method
  • The method
      ◦ input: n
      ◦ choose a > 1 (e.g., a = 2)
      ◦ choose B
      ◦ let b = a^{B!} (mod n)
      ◦ d = gcd(b - 1, n)
      ◦ d is a factor of n
  • Goal of the method
      ◦ factor n = pq...
      ◦ provided p-1 has only small prime factors
  • Example
      n = 7 * 11 = 77, a = 2
      B = 4, B! = 2*3*4 = 24
      b = 2^24 = 71 (mod 77)
      gcd(b-1, n) = gcd(70, 77) = 7

Pollard's p-1 Method
  • Example
      n = 7 * 11 = 77, a = 2
      B = 2, B! = 2
      b = 2^2 = 4 (mod 77)
      gcd(b-1, n) = gcd(3, 77) = 1

Pollard's p-1 Method
  • Example
      n = 7 * 11 = 77, a = 2
      B = 6, B! = 2*3*4*5*6 = 720
      b = 2^720 = 1 (mod 77)
      gcd(b-1, n) = gcd(0, 77) = 77

Pollard's p-1 Method
  • How to compute a^{B!}
      ◦ B! can be very big
          5! = 120
          6! = 720
          10! = 3628800
          20! = 2432902008176640000
      ◦ n! – about n log_2 n bits
  • In symbols:
      ◦ b_1 = a (mod n)
      ◦ b_2 = b_1^2 (mod n)
      ◦ ...
      ◦ b_i = b_{i-1}^i
      ◦ ...

Pollard's p-1 Method
  • How to compute a^{B!}: B = 4, n = 77
      ◦ a = 2, b_1 = 2 (mod 77)
      ◦ b_2 = 2^2 = 4 (mod 77)
      ◦ b_3 = 4^3 = 64 (mod 77)
      ◦ b_4 = 64^4 = 16777216 = 71 (mod 77)

Pollard's p-1 Method
  • Why does it work?
      ◦ p – prime factor of n
      ◦ suppose: p-1 has only small prime factors
      ◦ Then likely p-1 | B!
      ◦ Then B! = k(p-1)
      ◦ b = (a^{p-1})^k (mod p)
      ◦ b = 1 (mod p)
      ◦ p | b-1

Pollard's p-1 Method
  • Potential problems
      ◦ n = pq
      ◦ both p and q have small factors
          - b = 1 (mod p)
          - b = 1 (mod q)
      ◦ Method fails
  • Choice of B
      ◦ too small: method won't work
      ◦ too big: works slowly or fails
  • Example
      n = 7 * 11 = 77, a = 2
      B = 2: too small
      B = 4: worked
      B = 6: too big
      7 - 1 = 6 = 2*3
      2! – does not contain 3
      4! – contains 2 and 3
      6! – contains 2, 3 and 5, covers both factors!
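The p-1 method with the incremental computation b_i = b_{i-1}^i from the slides, reproducing the three n = 77 runs and showing the effect of the choice of B (an added example, not code from the lecture). The function names and the two larger moduli are constructed here; smallest_working_B goes one step beyond the slides by checking the gcd after every step instead of only at the end.

```python
from math import gcd

# Constructed moduli: 257 - 1 = 2^8 is smooth; 1019 and 2039 are of the
# form 2*p0 + 1 with p0 prime (509 and 1019), so p-1 has a large prime factor.
SMOOTH = 257 * 2039
SAFE = 1019 * 2039

def pollard_p_minus_1(n, B, a=2):
    """Return (b, d) with b = a^(B!) mod n and d = gcd(b - 1, n).

    b is built as b_1 = a, b_i = b_{i-1}^i (mod n); B! is never formed.
    """
    b = a % n
    for i in range(2, B + 1):
        b = pow(b, i, n)
    return b, gcd(b - 1, n)

def classify(n, d):
    """Interpret d the way the 'Choice of B' slide does."""
    if d == 1:
        return "B too small"
    if d == n:
        return "B too big"
    return "factor found"

def smallest_working_B(n, limit, a=2):
    """Raise B one step at a time; return (B, d) at the first nontrivial d.

    Returns None if the limit is reached, or if d jumps straight to n
    (b = 1 modulo every prime factor at the same step).
    """
    b = a % n
    for B in range(2, limit + 1):
        b = pow(b, B, n)
        d = gcd(b - 1, n)
        if d == n:
            return None
        if d > 1:
            return B, d
    return None
```

With a bound of 100, SMOOTH gives up the factor 257 at B = 6, while SAFE yields nothing, which is the behaviour the defence on the next slide aims for.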

Pollard's p-1 Method
  • Conclusions for RSA
      ◦ n = pq
      ◦ p-1 or q-1 has small prime factors?
          - then RSA can be broken
  • How to defend?
      ◦ choose a large prime p_0
          - e.g., p_0 > 10^40
      ◦ try numbers of the form: k p_0 + 1
          - k needs to be even!
          - k > 10^60
      ◦ test k p_0 + 1 for primality

Factoring
  • Relation to squares
      ◦ n – an integer
      ◦ x, y – two integers s.t.
          - x^2 = y^2 (mod n)
          - x ≢ ±y (mod n)
      ◦ if such x, y exist then n is composite
          - gcd(x-y, n) is a nontrivial factor
  • Examples
      ◦ 11^2 = 121 = 1 (mod 12)
      ◦ 5^2 = 25 = 1 (mod 12)
      ◦ 11 ≢ ±5 (mod 12)
      ◦ gcd(11-5, 12) = 6

Factoring
  • Examples
      ◦ 5^2 = 25 = 7 (mod 9)
      ◦ 14^2 = 196 = 7 (mod 9)
      ◦ 14 = 9+5 = 5 (mod 9)
      ◦ gcd(14-5, 9) = 9

Quadratic Sieve
  • Idea
      ◦ try to apply the principle from the previous slide
      ◦ find x, y such that
          x^2 = y^2 (mod n)
          x ≢ y (mod n)
          x ≢ -y (mod n)
      ◦ finding such x, y not obvious
          - Take "random" squares
          - Reduce modulo n
          - Factor (hope for small factors!)
          - Try to build squares from what you get

Quadratic Sieve: Example
  n = 3837523
  9398^2 = 5^5 * 19 (mod n)
  19095^2 = 2^2 * 5 * 11 * 13 * 19 (mod n)
  1964^2 = 3^2 * 13^3 (mod n)
  17078^2 = 2^6 * 3^2 * 11 (mod n)
  8077^2 = 2 * 19 (mod n)
  3397^2 = 2^5 * 5 * 13^2 (mod n)
  14262^2 = 5^2 * 7^2 * 13 (mod n)

  (9398 * 19095 * 1964 * 17078)^2 = 2^8 * 3^4 * 5^6 * 11^2 * 13^4 * 19^2 = (2^4 * 3^2 * 5^3 * 11 * 13^2 * 19)^2 (mod n)
  2230387^2 = 2586705^2 (mod n)
  gcd(2230387 - 2586705, 3837523) = 1093

Quadratic Sieve: Example
  n = 3837523
  (9398 * 8077 * 3397)^2 = 2^6 * 5^6 * 13^2 * 19^2 = (2^3 * 5^3 * 13 * 19)^2 (mod n)
  3590523^2 = 247000^2 (mod n)
  BUT: n - 247000 = 3590523 = -247000 (mod n)
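The "build squares from what you get" step of the two example slides, in Python: the seven relations are checked, every subset whose exponents are all even is combined into x^2 = y^2 (mod n), and gcd(x - y, n) is reported (an added example, not code from the lecture). The relation data is taken from the slide; the function names are assumptions, and the subset search by brute force is chosen for brevity.

```python
from itertools import combinations
from math import gcd, prod

N = 3837523
# x -> prime factorization of x^2 mod N, as listed on the slide
RELATIONS = {
    9398:  {5: 5, 19: 1},
    19095: {2: 2, 5: 1, 11: 1, 13: 1, 19: 1},
    1964:  {3: 2, 13: 3},
    17078: {2: 6, 3: 2, 11: 1},
    8077:  {2: 1, 19: 1},
    3397:  {2: 5, 5: 1, 13: 2},
    14262: {5: 2, 7: 2, 13: 1},
}

def check_relations(n=N, rels=RELATIONS):
    """True if every listed factorization really equals x^2 mod n."""
    return all(x * x % n == prod(p**e for p, e in f.items())
               for x, f in rels.items())

def combine(xs, n=N, rels=RELATIONS):
    """Multiply the relations for xs.

    Returns (x, y, gcd(x - y, n)) when the product of the right-hand
    sides is a perfect square y^2, otherwise None.
    """
    total = {}
    for x in xs:
        for p, e in rels[x].items():
            total[p] = total.get(p, 0) + e
    if any(e % 2 for e in total.values()):
        return None                      # some exponent is odd: not a square
    x = prod(xs) % n
    y = prod(pow(p, e // 2, n) for p, e in total.items()) % n
    return x, y, gcd(x - y, n)

def all_dependencies(n=N, rels=RELATIONS):
    """Every non-empty subset of the relations that multiplies to a square."""
    found = {}
    for r in range(1, len(rels) + 1):
        for xs in combinations(rels, r):
            res = combine(xs, n, rels)
            if res is not None:
                found[xs] = res
    return found
```

A gcd of 1 or n, as in the second slide where x = -y (mod n), means that particular combination is useless and another one has to be tried.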

How to Find the Squares?
  • What squares to use?
      ◦ we want small prime factors?
      ◦ so x^2 should be slightly above n
  • Idea: Try integers close to:
      ◦ sqrt(i n) + j
      ◦ small j, various i
      ◦ (sqrt(i n) + j)^2 ≈ i n + 2 j sqrt(i n) + j^2
      ◦ approx: 2 j sqrt(i n) + j^2 (mod n)