RSA Cryptosystem 6/8/2002 2:20 PM

RSA Cryptosystem

Bits     PCs                   Memory
430      1                     128MB
760      215,000               4GB
1,020    $342 \times 10^{6}$   170GB
1,620    $1.6 \times 10^{15}$  120TB

Outline

- Euler's theorem (§10.1.3)
- RSA cryptosystem (§10.2.3)
  - Definition
  - Example
  - Security
  - Correctness
- Algorithms for RSA
  - Modular power (§10.1.4)
  - Modular inverse (§10.1.5)
  - Randomized primality testing (§10.1.6)


Euler's Theorem

- The multiplicative group for $Z_n$, denoted with $Z_n^*$, is the subset of elements of $Z_n$ relatively prime with $n$
- The totient function of $n$, denoted with $\varphi(n)$, is the size of $Z_n^*$
- Example
    $Z_{10}^* = \{1, 3, 7, 9\}$, $\varphi(10) = 4$
- If $p$ is prime, we have
    $Z_p^* = \{1, 2, \ldots, (p - 1)\}$, $\varphi(p) = p - 1$
- Euler's Theorem
    For each element $x$ of $Z_n^*$, we have $x^{\varphi(n)} \bmod n = 1$
- Example ($n = 10$)
    $3^{\varphi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
    $7^{\varphi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
    $9^{\varphi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$

RSA Cryptosystem

- Setup:
  - $n = pq$, with $p$ and $q$ primes
  - $e$ relatively prime to $\varphi(n) = (p - 1)(q - 1)$
  - $d$ inverse of $e$ in $Z_{\varphi(n)}$
- Keys:
  - Public key: $K_E = (n, e)$
  - Private key: $K_D = d$
- Encryption:
  - Plaintext $M$ in $Z_n$
  - $C = M^e \bmod n$
- Decryption:
  - $M = C^d \bmod n$

Example

- Setup:
  - $p = 7$, $q = 17$
  - $n = 7 \cdot 17 = 119$
  - $\varphi(n) = 6 \cdot 16 = 96$
  - $e = 5$
  - $d = 77$
- Keys:
  - public key: $(119, 5)$
  - private key: $77$
- Encryption:
  - $M = 19$
  - $C = 19^5 \bmod 119 = 66$
- Decryption:
  - $M = 66^{77} \bmod 119 = 19$

Complete RSA Example

- Setup:
  - $p = 5$, $q = 11$
  - $n = 5 \cdot 11 = 55$
  - $\varphi(n) = 4 \cdot 10 = 40$
  - $e = 3$
  - $d = 27$ ($3 \cdot 27 = 81 = 2 \cdot 40 + 1$)
- Encryption
  - $C = M^3 \bmod 55$
- Decryption
  - $M = C^{27} \bmod 55$

M   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
C   1  8 27  9 15 51 13 17 14 10 11 23 52 49 20 26 18  2

M  19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
C  39 25 21 33 12 19  5 31 48  7 24 50 36 43 22 34 30 16

M  37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
C  53 37 29 35  6  3 32 44 45 41 38 42  4 40 46 28 47 54

Security

- The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers
  - The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored
- The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers
- In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits)
- In 1999, a 512-bit number was factored in 4 months using the following computers:
  - 160 175-400 MHz SGI and Sun
  - 8 250 MHz SGI Origin
  - 120 300-450 MHz Pentium II
  - 4 500 MHz Digital/Compaq
- Estimated resources needed to factor a number within one year

Bits     PCs                   Memory
430      1                     128MB
760      215,000               4GB
1,020    $342 \times 10^{6}$   170GB
1,620    $1.6 \times 10^{15}$  120TB

Correctness

- We show the correctness of the RSA cryptosystem for the case when the plaintext $M$ does not divide $n$
- Namely, we show that
    $(M^e)^d \bmod n = M$
- Since $ed \bmod \varphi(n) = 1$, there is an integer $k$ such that
    $ed = k\varphi(n) + 1$
- Since $M$ does not divide $n$, by Euler's theorem we have
    $M^{\varphi(n)} \bmod n = 1$
- Thus, we obtain
    $(M^e)^d \bmod n =$
    $M^{ed} \bmod n =$
    $M^{k\varphi(n) + 1} \bmod n =$
    $M M^{k\varphi(n)} \bmod n =$
    $M (M^{\varphi(n)})^k \bmod n =$
    $M (M^{\varphi(n)} \bmod n)^k \bmod n =$
    $M (1)^k \bmod n =$
    $M \bmod n =$
    $M$
- See the book for the proof of correctness in the case when the plaintext $M$ divides $n$

Algorithmic Issues

- The implementation of the RSA cryptosystem requires various algorithms
- Overall
  - Representation of integers of arbitrarily large size and arithmetic operations on them
- Encryption
  - Modular power
- Decryption
  - Modular power
- Setup
  - Generation of random numbers with a given number of bits (to generate candidates $p$ and $q$)
  - Primality testing (to check that candidates $p$ and $q$ are prime)
  - Computation of the GCD (to verify that $e$ and $\varphi(n)$ are relatively prime)
  - Computation of the multiplicative inverse (to compute $d$ from $e$)


Modular Power

- The repeated squaring algorithm speeds up the computation of a modular power $a^p \bmod n$
- Write the exponent $p$ in binary
    $p = p_{b-1} p_{b-2} \ldots p_1 p_0$
- Start with
    $Q_1 = a^{p_{b-1}} \bmod n$
- Repeatedly compute
    $Q_i = ((Q_{i-1})^2 \bmod n) \, a^{p_{b-i}} \bmod n$
- We obtain
    $Q_b = a^p \bmod n$
- The repeated squaring algorithm performs $O(\log p)$ arithmetic operations
- Example
  - $3^{18} \bmod 19$ ($18 = 10010$ in binary)
  - $Q_1 = 3^1 \bmod 19 = 3$
  - $Q_2 = (3^2 \bmod 19) \cdot 3^0 \bmod 19 = 9$
  - $Q_3 = (9^2 \bmod 19) \cdot 3^0 \bmod 19 = 81 \bmod 19 = 5$
  - $Q_4 = (5^2 \bmod 19) \cdot 3^1 \bmod 19 = (25 \bmod 19) \cdot 3 \bmod 19 = 18 \bmod 19 = 18$
  - $Q_5 = (18^2 \bmod 19) \cdot 3^0 \bmod 19 = (324 \bmod 19) \bmod 19 = (17 \cdot 19 + 1) \bmod 19 = 1$

$p_{5-i}$       1   0   0   1   0
$3^{p_{5-i}}$   3   1   1   3   1
$Q_i$           3   9   5  18   1

Modular Inverse

- Theorem
    Given positive integers $a$ and $b$, let $d$ be the smallest positive integer such that
      $d = ia + jb$
    for some integers $i$ and $j$. We have
      $d = \gcd(a, b)$
- Example
  - $a = 21$
  - $b = 15$
  - $d = 3$
  - $i = 3$, $j = -4$
  - $3 = 3 \cdot 21 + (-4) \cdot 15 = 63 - 60 = 3$
- Given positive integers $a$ and $b$, the extended Euclid's algorithm computes a triplet $(d, i, j)$ such that
  - $d = \gcd(a, b)$
  - $d = ia + jb$
- To test the existence of and compute the inverse of $x \in Z_n$, we execute the extended Euclid's algorithm on the input pair $(x, n)$
- Let $(d, i, j)$ be the triplet returned
  - $d = ix + jn$
  - Case 1: $d = 1$
      $i$ is the inverse of $x$ in $Z_n$
  - Case 2: $d > 1$
      $x$ has no inverse in $Z_n$
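
Added example (not part of the original slides): the repeated-squaring recurrence and the extended Euclid's algorithm from the two slides above, combined into the RSA setup, encryption and decryption of the earlier example slides. The function names are choices made here, and the parameters are the slides' toy values, far too small for real use.

```python
def mod_power(a, p, n):
    """Return (a^p mod n, [Q_1..Q_b]) via the slide's repeated-squaring recurrence."""
    bits = [int(c) for c in bin(p)[2:]]        # p_{b-1} ... p_0, most significant first
    q = a % n if bits[0] else 1 % n            # Q_1 = a^{p_{b-1}} mod n
    trace = [q]
    for bit in bits[1:]:
        # Q_i = ((Q_{i-1})^2 mod n) * a^{p_{b-i}} mod n
        q = (q * q % n) * (a if bit else 1) % n
        trace.append(q)
    return q, trace

def ext_euclid(a, b):
    """Return (d, i, j) with d = gcd(a, b) = i*a + j*b."""
    i0, j0, i1, j1 = 1, 0, 0, 1
    while b:
        quo = a // b
        a, b = b, a - quo * b
        i0, i1 = i1, i0 - quo * i1
        j0, j1 = j1, j0 - quo * j1
    return a, i0, j0

def mod_inverse(x, n):
    """Inverse of x in Z_n, or None when gcd(x, n) > 1 (Case 2 on the slide)."""
    d, i, _ = ext_euclid(x, n)
    return i % n if d == 1 else None

def rsa_setup(p, q, e):
    """Textbook RSA setup as on the slides (no padding; p and q assumed prime)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    if d is None:
        raise ValueError("e is not relatively prime to phi(n)")
    return (n, e), d

def round_trips(p, q, e):
    """True if every M in Z_n, including multiples of p or q, decrypts to itself."""
    (n, e), d = rsa_setup(p, q, e)
    return all(mod_power(mod_power(m, e, n)[0], d, n)[0] == m for m in range(n))

if __name__ == "__main__":
    print(mod_power(3, 18, 19))     # slide example: Q_i = 3, 9, 5, 18, 1
    print(ext_euclid(21, 15))       # a valid (d, i, j); the coefficients are not unique
    print(rsa_setup(7, 17, 5))      # slide example: ((119, 5), 77)
    print(round_trips(5, 11, 3))
```

The pair (i, j) returned for (21, 15) differs from the slide's (3, −4) because the coefficients are not unique; both satisfy d = ia + jb.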

Pseudoprimality Testing

- The number of primes less than or equal to $n$ is about $n / \ln n$
- Thus, we expect to find a prime among $O(b)$ randomly generated numbers with $b$ bits each
- Testing whether a number is prime (primality testing) is believed to be a hard problem
- An integer $n \geq 2$ is said to be a base-$x$ pseudoprime if
  - $x^{n-1} \bmod n = 1$ (Fermat's little theorem)
- Composite base-$x$ pseudoprimes are rare:
  - A random 100-bit integer is a composite base-2 pseudoprime with probability less than $10^{-13}$
  - The smallest composite base-2 pseudoprime is 341
- Base-$x$ pseudoprimality testing for an integer $n$:
  - Check whether $x^{n-1} \bmod n = 1$
  - Can be performed efficiently with the repeated squaring algorithm

Randomized Primality Testing

- Compositeness witness function witness(x, n) with error probability $q$ for a random variable $x$
  - Case 1: $n$ is prime
      witness w(x, n) = false
  - Case 2: $n$ is composite
      witness w(x, n) = false with probability $q < 1$
- Algorithm RandPrimeTest tests whether $n$ is prime by repeatedly evaluating witness(x, n)
- A variation of base-$x$ pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm)

Algorithm RandPrimeTest(n, k)
  Input integer n, confidence parameter k and composite witness function witness(x, n) with error probability q
  Output an indication of whether n is composite or prime with probability $2^{-k}$

  t ← k / log2(1/q)
  for i ← 1 to t
    x ← random()
    if witness(x, n) = true
      return "n is composite"
  return "n is prime"
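
Added example (not part of the original slides): the base-x pseudoprimality check next to RandPrimeTest with a Rabin-Miller witness, showing that 341 passes the base-2 Fermat check but is exposed by the witness. The function names, the trial-division search and the use of q = 1/4 for Rabin-Miller are choices made here.

```python
import random

def is_base_x_pseudoprime(n, x):
    """Slide's check: x^(n-1) mod n = 1 (pow does the repeated squaring)."""
    return pow(x, n - 1, n) == 1

def witness(x, n):
    """Rabin-Miller compositeness witness for odd n > 2: True means n is composite."""
    s, m = 0, n - 1
    while m % 2 == 0:                 # write n - 1 = 2^s * m with m odd
        s, m = s + 1, m // 2
    y = pow(x, m, n)
    if y in (1, n - 1):
        return False
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
    return True

def rand_prime_test(n, k, rng=random):
    """RandPrimeTest(n, k) from the slide, with q = 1/4 for the witness above."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    t = -(-k // 2)                    # t = ceil(k / log2(1/q)) with q = 1/4
    for _ in range(t):
        x = rng.randrange(2, n - 1)
        if witness(x, n):
            return False              # "n is composite"
    return True                       # "n is prime"

def smallest_composite_pseudoprime(x, limit):
    """Search by trial division for the smallest composite base-x pseudoprime."""
    for n in range(3, limit):
        composite = any(n % d == 0 for d in range(2, int(n ** 0.5) + 1))
        if composite and is_base_x_pseudoprime(n, x):
            return n
    return None

if __name__ == "__main__":
    print(smallest_composite_pseudoprime(2, 1000))       # the slide's 341
    print(is_base_x_pseudoprime(341, 2), witness(2, 341))
    print(rand_prime_test(341, 40), rand_prime_test(2**61 - 1, 40))
```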