
RSA


RSA, (Ron Rivest), (Adi Shamir) (Len Adleman), Scientific American 1977 . , , . RSA
, ,
-
. , ,
. , RSA ,
.
RSA
. 20 ,
.
RSA. , , RSA .
, .
. , ,
.

RSA.
N = pq ( n/2 ). N n = 1024 , 309
, 512 .
$N = p \cdot q;\quad p, q \in \mathbb{P};\quad p, q \simeq 2^{n/2}.$
e d ,
$ed \equiv 1 \pmod{\varphi(N)}$,

1 RSA

$\varphi(N) = (p-1)(q-1)$ $\mathbb{Z}_N^*$ .
N RSA, e , d
.
$e, d \in \mathbb{Z}:\ ed \equiv 1 \pmod{\varphi(N)},\quad \varphi(N) = (p-1)(q-1) = |\mathbb{Z}_N^*|$
< N, e > (public) .
, .
< N, d > ( , private) ,
.
.
M ZN 1 . M , C = M ed M (mod N ). ,
$C^d \pmod N$. ,
$C^d = M^{ed} \equiv M \pmod N$, .
: $C = M^e \bmod N$ - .
: $C^d = M^{ed} = M \pmod N$
RSA : $x \mapsto x^e \pmod N$. d , , . d , . RSA, d
; RSA. ,
< N, e, C > , e
C N = pq, N .
ZN , ZN ,
M . ,
N ,
( $\log_2 N$ ).
, , $n^c$ , $n = \log_2 N$ ,
c (, ). .
.
RSA, . , RSA
, < N, e, C > M .
, ,
M (.. , semantic security).
, RSA .
< N, e, C > , , M N , C.
1 , , ,


, M
.
RSA : $x \mapsto x^e$
(trapdoor one-way function). , ( )
d ( ).
. M, < N, d >
M $S = M^d \bmod N$ . ,
< M, S > : $S^e = M \bmod N$ .
: M : $S = M^d \pmod N$.
< M, S > : $S^e \pmod N = M$ , .. S
.
, RSA, N . ,
, , .
? ,
d M .
1. < N, e > RSA.
< N, d > N = pq ,
N , d.
.
=:
N (N ). ,
d.
=:
, d N . d, $k = de - 1$.
d e , k $\varphi(N)$,
:
$\varphi(N) = (p_1 - 1)(p_2 - 1) \cdots (p_j - 1) > 2,\ p_i \in \mathbb{P}.$

.
$k = 2^t r,\ 2 \nmid r,\ t \ge 1.$

g ZN g k = 1 g k/2 1 N . , 1 N = pq: 1
x, x 1 (mod p) x 1 (mod q). , N ,
(x 1, N ).
g ZN 1/2 (
)
$g^{k/2},\ g^{k/4},\ \ldots,\ g^{k/2^t} \pmod N$

1.
$O(n^3)$, $n = \log_2 N$ .

. RSA. , .
2
N = pq , N . ,
i- $e_i$ , $d_i$ ,
< N, $e_i$ >
< N, $d_i$ >.
, : $C = M^{e_a} \pmod N$, ,
, $d_a$ . ,
. 1 , $e_b$ , $d_b$ , N . ,
$e_a$ .
, RSA
.
3 < N, d > , < N, e >
. ,
$M \in \mathbb{Z}_N^*$ ;
M . : $r \in \mathbb{Z}_N^*$
$M' = r^e M \bmod N$ , () . $S'$
$M'$ . $S = S'/r \bmod N$ S M :

$$S' = (M')^d \bmod N$$

$$S^e = (S')^e / r^e = (M')^{ed} / r^e \equiv M' / r^e = M \pmod N.$$

, (blinding), :
"", ,
. ,
"
$M'$ M . ,
, RSA
: " " ,
.
2 Common modulus
3 Blinding

3 LOW PRIVATE EXPONENT

Low Private Exponent


( ), d, . (modular exponentiation) $\log_2 d$, d ,
, 10 ( 1024- ). ,
. (M. Wiener), d
.
(. ). $N = pq$, $q < p < 2q$, $d < \frac{1}{3} N^{1/4}$ .
< N, e >, $ed \equiv 1 \pmod{\varphi(N)}$,
d.
. . .. $ed \equiv 1 \pmod{\varphi(N)}$, k, . $ed - k\varphi(N) = 1$.
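:

$$\left|\frac{e}{\varphi(N)} - \frac{k}{d}\right| = \frac{1}{d\,\varphi(N)}.$$

, $\frac{k}{d}$ $\frac{e}{\varphi(N)}$ . $\varphi(N)$,
N . , ..

$$\varphi(N) = N - p - q + 1, \qquad p + q - 1 < 3\sqrt{N},$$

$$|N - \varphi(N)| < 3\sqrt{N}.$$

N $\varphi(N)$:

$$\left|\frac{e}{N} - \frac{k}{d}\right| = \left|\frac{ed - k\varphi(N) - kN + k\varphi(N)}{Nd}\right| = \left|\frac{1 - k(N - \varphi(N))}{Nd}\right| \le \left|\frac{3k\sqrt{N}}{Nd}\right| = \frac{3k}{d\sqrt{N}}.$$

$k\varphi(N) = ed - 1 < ed$
$e < \varphi(N)$
$k < d < \frac{1}{3} N^{1/4}$.

:

$$\left|\frac{e}{N} - \frac{k}{d}\right| \le \frac{1}{d\sqrt[4]{N}} < \frac{1}{2d^2}.$$

. $\frac{k}{d}$ , $d < N$ , $\frac{e}{N}$ , $\log_2 N$ .
$\frac{e}{N}$ , .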

4 LOW PUBLIC EXPONENT

, log N
$\frac{e}{N}$ . $\frac{k}{d}$ . $ed - k\varphi(N) = 1$, $\gcd(k, d) = 1$
$\frac{k}{d}$ .
d .
.. N 1024 , ,
d 512 , .
, , .
e. < N, $e'$ >,
$e' = e + t\varphi(N)$, t - . , $e'$ e . k
, d ( $e' > N^{1.5}$ ),
. , e .
. d, .
$d_p$ $d_q$ (, 128 ):

$$d_p = d \bmod (p - 1), \qquad d_q = d \bmod (q - 1).$$

C :
1) $M_p = C^{d_p} \bmod p$, $M_q = C^{d_q} \bmod q$;
2) $M \in \mathbb{Z}_N$ , .
$M = M_p \bmod p$ $M = M_q \bmod q$. $M = C^d \bmod N$ , .
, $d_p$ $d_q$ , $d \bmod \varphi(N)$
, .. $\varphi(N)$. .

Low Public Exponent


, e. 3,
$e = 2^{16} + 1 = 65537$ (
). $2^{16} + 1$ 17 (e $\varphi(N)$ 1000).
, , e .
4
, ,
(Hastad).
4 Coppersmith's Theorem


1. N Z f Z[x]
1
d. X = N d , 0. < N, f >
$|x_0| < X$, . $f(x_0) = 0 \bmod N$ .
. , M $P_1, P_2, \ldots, P_k$ . < $N_i$ , $e_i$ >.
, M $N_i$ -. M , i- $P_i$ -
. , $e_i = 3$. M , $k \ge 3$.
, $C_1$ , $C_2$ , $C_3$ ,

$$C_1 = M^3 \bmod N_1, \qquad C_2 = M^3 \bmod N_2, \qquad C_3 = M^3 \bmod N_3.$$

$$C' = M^3 \bmod (N_1 N_2 N_3).$$

$M^3 < N_1 N_2 N_3$ , , , 3
$C'$ , M .
. :
fi (M ) = (i 2i + M ) mod N.

$C_i = (f_i(M))^e \bmod N.$