RSA cryptosystem--preview• Suppose n=pq and (n)=(p-1)(q-1), where p and q are

big primes.• Select (find) a and b, such that ab=1 mod (n).• K=(n,p,q,a,b), publicize n,b, but keep p,q,a secret.

• For any x,yZn , define

– eK(x)= xb mod n (encryption)

– dK(y)= ya mod n (decryption: (xb)a mod n=x)

• Of course, from n,b, it is very difficult to get a (as well as p,q,(n)).

RSA--implementation1. Generate two large primes, p and q.2. n pq and (n) (p-1)(q-1)3. Chose a random b (1< b < (n)) such that

gcd(b, (n))=14. a b-1 mod (n)5. The public key is (n,b) and the private key

is (p,q,a).

Could you raise any questions about RSA?

Questions about RSA

• How to generate large primes?

• How to compute the modular-exponentiation (encryption & decryption) efficiently?

• RSA attack: attempt to factor n and how?

• RSA uses numbers, therefore need encoding for normal text.

RSA—primality testing• How to generate large primes?

– Select a random large number – Test whether or not the number is a prime.

• How often a random selected number is a prime?– Let (N) be the number of primes N.– Prime number theory: (N) N/lnN– Therefore the probability of a random number being a

prime is 1/lnN– Suppose n = pq is 1024 bits, so p and q are 512 bits,

1/ln2512 1/355.

• (yes-biased) Monte Carlo algorithm:– For yes-no decision problem– Random algorithm (randomly choose a

number)– If the algorithm gives answer “yes”, it is

always correct– It the answer is “no”, it may be incorrect.

RSA—primality testing

Therefore, may try several times such that the probability ofthe incorrectness for “no” is extremely small.

Las Vegas algorithm: may not give answer, but any answer it gives is correct.

Probabilistic algorithms: the algorithms which can be wrong insome cases (i.e., probably, or with certain probability)

RSA—primality testing

• (yes-biased) Monte Carlo algorithm:– Solovay-Strassen algorithm– Miller-Rabin algorithm

• A good news: confirmed primality testing algorithm– By three Indian scientists.

Solovay-Strassen primality test

• Given integer n, is n a composite?– Choose a random integer a ( 1 < a < n)– x– If x=0 then return “yes” (n is a composite)– y a(n-1)/2 (mod n) – If x y (mod n)

• then return “no” (n is a prime) (of course maybe incorrect)

• else return “yes” (n is a composite).

an( )

• The proof of the algorithm – If n is a prime, the a(n-1)/2 mod n for any a– If n is a composite,

• then for some a, a(n-1)/2 , Call n to be an Euler pseudo-prime to base a. For example, = -1 1045 mod 91.

• but others not. • At most half of a Zn

* , n is a pseudo-prime to a.

• So error probability is at most ½. – Test k different a, (1/2)k.

Solovay-Strassen primality test

an( )

an( )

1091( )

RSA attacks

• Computing (n)– no easier than factoring n.• Decryption Exponent a—no easier than

factoring n• So the security of RSA is based on the

difficulty of factorization of large numbers.• Factoring algorithms

– Trial division– up to n– Pollard p-1 algorithm

RSA attack—Pollard p-1 algorithm

• Given n, and select a random B (not too big)– a 2– For j=2 to B

• a aj mod n

– d gcd(a-1,n)– If d > 1

• then return d (d is a factor of n)

• else return ‘failure’.

The correctness of p-1 algorithm 1. Suppose p is a prime factor of n,2. Assume for all q, q≤B, q is (power of) a prime factor of p-1. 3. Then p-1| B!, suppose B! = (p-1)t.4. The final a2B! mod n, since p|n, so a2B! mod p5. We know, 2p-1 1 mod p, so 6. a2B! mod p = 2(p-1)t mod p 1t mod p 1 mod p 7. So p | (a-1), thus p|gcd(a-1,n)

Conclusion: if p or q of factors of n is not selected in a correct way,n will be easily factored.

P-1 example

• n=15770708441, B=180

• Then a = 11620221425, and d=135979.

• As a result: 15770708441 =135979*115979

• Here 135978 =2*3*131*173

RSA summary

• RSA principle

• RSA implementation– Generate large primes– Compute xc mod n – square-and-multiply

• RSA attacks

• Conclusion: p and q must be appropriately selected large primes.