Primes, Factoring, And RSA A Return To Cryptography - Wellesley College
Introduction Generating Primes RSA Assumption Primes, Factoring, and RSA A Return to Cryptography Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Introduction Generating Primes Table of contents Introduction Generating Primes RSA Assumption RSA Assumption
Introduction Generating Primes RSA Assumption A classic hard problem Given a composite integer N, the factoring problem is to find integers p, q 1 such that pq N. This problem can be solved p in O( N · polylog(N))* time using trial division. Algorithms with better running time are known, but none that run in polynomial-time.** * polylog(N) (log N)c for some constant c. **This is not for lack of trying. Introduction Generating Primes RSA Assumption Experiment in factoring The weak factoring experiment w-FactorA (n): 1. Choose two n-bit numbers x1 , x2 at random. 2. Compute N : x1 · x2 . 3. A is given N, and outputs x10 , x20 1. 4. The output N of the experiment is defined to be 1 if x10 · x20 N. We said that the factoring problem is believed to be hard. Does this mean that for any PPT algorithm A we have Pr[w-FactorA (n) 1] negl(n) for some negligible function negl?
Introduction Generating Primes RSA Assumption Making the adversaries task harder The ”hardest” numbers to factor seem to be those having only large prime factors. This suggest re-defining the above experiment so that x1 , x2 are random n-bit primes. Of course, it will be necessary to generate random n-bit primes efficiently. Introduction Generating Primes RSA Assumption An algorithm for generating random primes Algorithm 8.31. Generating a random prime Input: Length n; parameter t Output: A random n-bit prime for i 1 to t : { p0 {0, 1}n 1 p : 1kp 0 if p is prime return p } return fail
Introduction Generating Primes RSA Assumption The distribution of primes Theorem 8.32 For any n 1, the fraction of n-bit integers that are prime is at least 1/3n. The implication for Algorithm 8.31 is that if we set t 3n2 then the probability that a prime is not chosen in all t iterations of the algorithm is at most t 3n !n 1 1 1 1 (e 1 )n e n 3n 3n *Recall that for all x Introduction 1 it holds that (1 1/x)x e Generating Primes Primality testing The problem of efficiently determining whether a given number is prime is quite old. It wasn’t until the 1970s that the first efficient probabilistic algorithms for testing primality were developed. A deterministic polynomial-time algorithm for testing primality was demonstrated in 2002, but slower in practice than the above. 1 . RSA Assumption
Introduction Generating Primes RSA Assumption One of the classics Developed in the 1970s, the Miller-Rabin algorithm is a commonly-used. The algorithm inputs two numbers N and parameter t. It runs in time polynomial in kNk and t, and satisfies: Theorem 8.33. If N is prime, then the Miller-Rabin test always outputs ”prime”. If N is composite, then the algorithm outputs ”prime” with probability at most 2 t (and outputs the correct answer ”composite” with probability 1 2 t ). Introduction Generating Primes RSA Assumption Putting it all together Algorithm 8.34. Generating a random prime Input: Length n; parameter t Output: A random n-bit prime for i 1 to 3n2 { p0 {0, 1}n 1 p : 1kp 0 run the Miller-Rabin test on input p and parameter t if the output is ”prime” return p } return fail
Introduction Generating Primes RSA Assumption The factoring assumption Let GenModulus be a polynomial-time algorithm that, on input 1n , outputs (N, p, q) where N pq and p are q are n-bit primes except with negligible probability. The factoring experiment FactorA,GenModulus (n): 1. Run GenModulus to obtain (N, p, q). 2. A is given N, and outputs p 0 , q 0 1. 3. The output of the experiment is defined to be 1 if p 0 · q 0 N and 0 otherwise. Definition 8.45. We say that the factoring problem is hard relative to GenModulus if for all PPT A there exists a negligible function negl such that Pr[FactorA,GenModulus (n) 1] negl(n) Introduction Generating Primes Hard problems: The search continues Although the factoring assumption does yield a one-way function, in the form we have described it is not known to yield a practical cryptographic construction. The search goes on for other problems whose difficulty is related to the hardness of factoring. To date, one of the best finds were made by Rivist, Shamir, and Adleman, and is known as the RSA problem. RSA Assumption
Introduction Generating Primes RSA Assumption The RSA problem Recall for N pq, the product of two primes, Z N is a group of order (N) (p 1)(q 1). If p, q are known, it is easy to compute (N) and so computations modulo N can be done by ”working in the exponent modulo (N)”. If p, q are not known, then it is difficult to compute (N) (in fact, computing (N) is as hard as factoring N) and ”working in the exponent modulo (N)” is not an option. RSA exploits this asymmetry. It is easy to solve when (N) is known and believed difficult otherwise. Introduction Generating Primes GenRSA Algorithm 8.47. GenRSA Input: Length n; parameter t Output: N, e, d as described below (N, p, q) GenModulus(1n )* (N) : (p 1)(q 1) find e such that gcd(e, (N)) 1 compute d : [e 1 mod (N)]** return N, e, d *N pq with p, q n-bit primes. **Such an integer d exists since e is invertible modulo (N). RSA Assumption
Introduction Generating Primes RSA Assumption RSA is hard relative to GenRSA The RSA experiment RSA-invA,GenRSA (n): 1. Run GenRSA(1n ) to obtain (N, e, d). 2. Choose y Z N . 3. A is given N, e, y , and outputs x 2 Z N . 4. The output of the experiment is defined to be 1 if x e y mod N, and 0 otherwise. Definition 8.46. We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[RSA-invA,GenRSA (n) 1] negl(n). Introduction Generating Primes So is RSA really hard? If the RSA problem is hard relative to GenRSA, then the factoring problem must be hard relative to GenModulus. What about the converse? In other words, suppose the factoring problem is hard relative to GenModulus, is the RSA problem hard relative to GenRSA? Bad news on this front; We have no proof that this is the case. RSA Assumption
RSA is hard relative to GenRSA The RSA experiment RSA-invA,GenRSA(n): 1. Run GenRSA(1n) to obtain (N,e,d). 2. Choose y Z N. 3. A is given N,e,y, and outputs x 2 Z N. 4. The output of the experiment is defined to be 1 if xe y mod N, and 0 otherwise. Definition 8.46. We say that the RSA problem is hard relative to
There is no known efficient algorithm for doing this!Factoring problem: given positive integer n, find primes p 1, , p k such that n p 1 e1p 2 e2 p k ek!If factoring is easy, then RSA problem is easy, but there is no known reduction from factoring to RSA It may be possible to break RSA without factoring n Henric Johnson 16 Other .
Each RSA number is a semiprime. (A nu mber is semiprime if it is the product of tw o primes.) There are two labeling schemes. by the number of decimal digits: RSA-100, . RSA Numbers x x., RSA-500, RSA-617. by the number of bits: RSA-576, 640, 704, 768, 896, , 151024 36, 2048.
Factoring . Factoring. Factoring is the reverse process of multiplication. Factoring polynomials in algebra has similar role as factoring numbers in arithmetic. Any number can be expressed as a product of prime numbers. For example, 2 3. 6 Similarly, any
- RSA Archer eGRC Suite: Out-of-the-box GRC solutions for integrated policy, risk, compliance, enterprise, incident, vendor, threat, business continuity and audit management - RSA Policy Workflow Manager: RSA Data Loss Prevention and RSA Archer eGRC Platform - RSA Risk Remediation Manager: RSA Data Loss Prevention and RSA Archer
241 Algebraic equations can be used to solve a large variety of problems involving geometric relationships. 5.1 Factoring by Using the Distributive Property 5.2 Factoring the Difference of Two Squares 5.3 Factoring Trinomials of the Form x2 bx c 5.4 Factoring Trinomials of the Form ax2 bx c 5.5 Factoring, Solving Equations, and Problem Solving
Factoring Polynomials Martin-Gay, Developmental Mathematics 2 13.1 – The Greatest Common Factor 13.2 – Factoring Trinomials of the Form x2 bx c 13.3 – Factoring Trinomials of the Form ax 2 bx c 13.4 – Factoring Trinomials of the Form x2 bx c by Grouping 13.5 – Factoring Perfect Square Trinomials and Difference of Two Squares
Grouping & Case II Factoring Factoring by Grouping: A new type of factoring is factoring by grouping. This type of factoring requires us to see structure in expressions. We usually factor by grouping when we have a polynomial that has four or more terms. Example Steps x3 2x2 3x 6 1. _ terms together that have
Studies have shown veterinary surgeons do not feel they receive adequate training in small animal nutrition during veterinary school. In a 1996 survey among veterinarians in the United States, 70% said their nutrition education was inadequate. 3. In a 2013 survey in the UK, 50% of 134 veterinarians felt their nutrition education in veterinary school was insufficient and a further 34% said it .
