MA/CSSE 473 Day 9. The algorithm (modified)

MA/CSSE 473 Day 9
Primality Testing
Encryption Intro

The algorithm (modified)
To test N for primality:
  Pick positive integers $a_1, a_2, \ldots, a_k < N$ at random.
  For each $a_i$, check for $a_i^{N-1} \equiv 1 \pmod N$.
    Use the Miller-Rabin approach (next slides), so that Carmichael numbers are unlikely to thwart us.
    If $a_i^{N-1}$ is not congruent to 1 (mod N), or the Miller-Rabin test produces a non-trivial square root of 1 (mod N), return false.
  Return true.
Note that this algorithm may produce a "false prime", but the probability is very low if k is large enough.

Miller-Rabin test
A Carmichael number N is a composite number that passes the Fermat test for all a with $1 \le a < N$ and gcd(a, N) = 1.
A way around the problem (Rabin and Miller):
  Note that for some t and u (u is odd), $N - 1 = 2^t u$.
  As before, compute $a^{N-1} \pmod N$, but do it this way:
    Calculate $a^u \pmod N$, then repeatedly square, to get the sequence
    $a^u \pmod N,\ a^{2u} \pmod N,\ \ldots,\ a^{2^t u} \pmod N \equiv a^{N-1} \pmod N$
  Suppose that at some point, $a^{2^i u} \equiv 1 \pmod N$, but $a^{2^{i-1} u}$ is not congruent to 1 or to N-1 (mod N); then we have found a nontrivial square root of 1 (mod N).
  We will show that if 1 has a nontrivial square root (mod N), then N cannot be prime.

Example (first Carmichael number)
N = 561. We might randomly select a = 101.
  Then $560 = 2^4 \cdot 35$, so u = 35, t = 4.
  $a^u \equiv 101^{35} \equiv 560 \pmod{561}$, which is $-1 \pmod{561}$ (we can stop here)
  $a^{2u} \equiv 101^{70} \equiv 1 \pmod{561}$
  $a^{16u} \equiv 101^{560} \equiv 1 \pmod{561}$
  So 101 is not a witness that 561 is composite (we say that 101 is a Miller-Rabin liar for 561, if indeed 561 is composite).
Try a = 83.
  $a^u \equiv 83^{35} \equiv 230 \pmod{561}$
  $a^{2u} \equiv 83^{70} \equiv 166 \pmod{561}$
  $a^{4u} \equiv 83^{140} \equiv 67 \pmod{561}$
  $a^{8u} \equiv 83^{280} \equiv 1 \pmod{561}$
  So 83 is a witness that 561 is composite, because 67 is a nontrivial square root of 1 (mod 561).

Lemma: Modular Square Roots of 1
If there is an s which is neither 1 nor -1 (mod N), but $s^2 \equiv 1 \pmod N$, then N is not prime.
Proof (by contrapositive):
  Suppose that N is prime and $s^2 \equiv 1 \pmod N$.
  $s^2 - 1 \equiv 0 \pmod N$  [subtract 1 from both sides]
  $(s - 1)(s + 1) \equiv 0 \pmod N$  [factor]
  So N divides $(s - 1)(s + 1)$  [def of congruence]
  Since N is prime, N divides $(s - 1)$ or N divides $(s + 1)$  [def of prime]
  s is congruent to either 1 or -1 (mod N)  [def of congruence]
This proves the lemma, which validates the Miller-Rabin test.

Accuracy of the Miller-Rabin Test
Rabin* showed that if N is composite, this test will demonstrate its non-primality for at least 3/4 of the numbers a that are in the range $1, \ldots, N-1$, even if a is a Carmichael number.
Note that 3/4 is the worst case; randomly chosen composite numbers have a much higher percentage of witnesses to their non-primeness.
If we test several values of a, we have a very low chance of incorrectly flagging a composite number as prime.
*Journal of Number Theory 12 (1980) no. 1, pp 128-138

Efficiency of the Test
Testing a k-bit number is $\Theta(k^3)$.
If we use the fastest known integer multiplication techniques (based on Fast Fourier Transforms), this can be pushed to $\Theta(k^2 \log k \, \log\log k)$.

Testing "small" numbers
From the Wikipedia article on the Miller-Rabin primality test:
When the number N we want to test is small, smaller fixed sets of potential witnesses are known to suffice. For example, Jaeschke* has verified that
  if N < 9,080,191, it is sufficient to test a = 31 and 73
  if N < 4,759,123,141, it is sufficient to test a = 2, 7, and 61
  if N < 2,152,302,898,747, it is sufficient to test a = 2, 3, 5, 7, 11
  if N < 3,474,749,660,383, it is sufficient to test a = 2, 3, 5, 7, 11, 13
  if N < 341,550,071,728,321, it is sufficient to test a = 2, 3, 5, 7, 11, 13, 17
* Gerhard Jaeschke, On strong pseudoprimes to several bases, Mathematics of Computation 61 (1993)

Generating Random Primes
For cryptography, we want to be able to quickly generate random prime numbers with a large number of bits.
Are prime numbers abundant among all integers? Fortunately, yes.
Lagrange's prime number theorem:
  Let $\pi(N)$ be the number of primes that are $\le N$; then $\pi(N) \approx N / \ln N$.
  Thus the probability that a k-bit number is prime is approximately $(2^k / \ln(2^k)) / 2^k \approx 1.44 / k$.

Random Prime Algorithm
To generate a random k-bit prime:
  Pick a random k-bit number N.
  Run a primality test on N.
  If it passes, output N.
  Else repeat the process.
Expected number of iterations is $\Theta(k)$.
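The Miller-Rabin round, the fixed bases from the "small numbers" slide and the random prime algorithm, put together as an added example (not code from the course slides). The names mr_witness, is_probable_prime and random_prime are hypothetical; candidates are drawn with Python's secrets module, and forcing the top bit and the low bit of each candidate is a shortcut the slides do not mention.

```python
import secrets

JAESCHKE_BASES = (2, 3, 5, 7, 11, 13, 17)      # fixed bases from the slide above
JAESCHKE_LIMIT = 341_550_071_728_321           # bound below which they suffice

def mr_witness(a, n):
    """One Miller-Rabin round for odd n > 2.

    Returns (is_witness, root); root is a nontrivial square root of 1 (mod n)
    when the squaring sequence exposes one, otherwise None.
    """
    t, u = 0, n - 1
    while u % 2 == 0:                  # write n - 1 = 2^t * u with u odd
        t, u = t + 1, u // 2
    x = pow(a, u, n)
    if x in (1, n - 1):                # every later square is 1: no evidence
        return False, None
    for i in range(1, t + 1):          # x becomes a^(2^i * u) mod n
        prev, x = x, x * x % n
        if x == 1:
            return True, prev          # prev^2 = 1, prev is neither 1 nor -1
        if x == n - 1 and i < t:
            return False, None
    return True, None                  # a^(n-1) != 1: plain Fermat failure

def is_probable_prime(n, k=40):
    """Exact below JAESCHKE_LIMIT; above it, k random bases (error <= 4^-k)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    if n < JAESCHKE_LIMIT:
        bases = [a for a in JAESCHKE_BASES if a % n]   # skip a base equal to n
    else:
        bases = [secrets.randbelow(n - 3) + 2 for _ in range(k)]
    return not any(mr_witness(a, n)[0] for a in bases)

def random_prime(bits):
    """Random prime algorithm from the slide; returns (prime, candidates tried)."""
    tries = 0
    while True:
        tries += 1
        # Assumption: force the top bit (exactly `bits` bits) and make n odd.
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n, tries

if __name__ == "__main__":
    print(mr_witness(101, 561), mr_witness(83, 561))   # liar, then witness
    print(random_prime(512))
```

Key material should come from a cryptographic generator such as secrets; a seeded general-purpose generator makes the resulting primes reproducible by anyone who recovers the seed.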

Interlude
We'll only scratch the surface, but there is MA/CSSE 479

CRYPTOGRAPHY INTRODUCTION

Cryptography Scenario
I want to transmit a message m to you
  in a form e(m) that you can readily decode by running d(e(m)),
  and that an eavesdropper has little chance of decoding.
Private-key protocols
  You and I meet beforehand and agree on e and d.
Public-key protocols
  You publish an e for which you know the d, but it is very difficult for someone else to guess the d.
  Then I can use e to encode messages that only you* can decode.
* and anyone else who can figure out what d is if they know e.

Messages can be integers
Since a message is a sequence of bits, we can consider the message to be a sequence of b-bit integers (where b is fairly large), and encode each of those integers.
Here we focus on encoding and decoding a single integer.

RSA Public-key Cryptography
Rivest-Shamir-Adleman (1977)
A reference: Mark Weiss, Data Structures and Problem Solving Using Java, Section 7.4
Consider a message to be a number modulo N, a k-bit number (longer messages can be broken up into k-bit pieces).
The encryption function will be a bijection on $\{0, 1, \ldots, N-1\}$, and the decryption function will be its inverse.
How to pick the N and the bijection?
bijection: a function f from a set X to a set Y with the property that for every y in Y, there is exactly one x in X such that f(x) = y. In other words, f is both one-to-one and onto.

N = p q
Pick two large primes, p and q, and let N = pq.
Property: If e is any number that is relatively prime to $N' = (p-1)(q-1)$, then
  the mapping $x \mapsto x^e \bmod N$ is a bijection on $\{0, 1, \ldots, N-1\}$, and
  if d is the inverse of e mod $(p-1)(q-1)$, then for all x in $\{0, 1, \ldots, N-1\}$, $(x^e)^d \equiv x \pmod N$.
We'll first apply this property, then prove it.

Public and Private Keys
The first (bijection) property tells us that $x \mapsto x^e \bmod N$ is a reasonable way to encode messages, since no information is lost.
  If you publish (N, e) as your public key, anyone can encrypt and send messages to you.
The second tells how to decrypt a message.
  When you receive a message m', you can decode it by calculating $(m')^d \bmod N$.

Example (from Wikipedia)
p = 61, q = 53. Compute N = pq = 3233.
$(p-1)(q-1) = 60 \cdot 52 = 3120$
Choose e = 17 (relatively prime to 3120).
Compute the multiplicative inverse of 17 (mod 3120):
  d = 2753 (evidence: $17 \cdot 2753 = 46801 = 1 + 15 \cdot 3120$)
To encrypt m = 123, take $123^{17} \pmod{3233} = 855$.
To decrypt 855, take $855^{2753} \pmod{3233} = 123$.
In practice, we would use much larger numbers for p and q. On exams, smaller numbers.
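The Wikipedia example above, reproduced as an added example (not code from the course slides): d is derived with the extended Euclidean algorithm, and the bijection property is checked by brute force over all of {0, ..., N-1}, including what happens when e shares a factor with (p-1)(q-1). The names mod_inverse, make_keys, apply_key and image_size are hypothetical.

```python
def mod_inverse(e, m):
    """Extended Euclid: return d with e*d = 1 (mod m); needs gcd(e, m) == 1."""
    old_r, r = e, m
    old_s, s = 1, 0                    # invariant: old_r = old_s * e (mod m)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to (p-1)(q-1)")
    return old_s % m

def make_keys(p, q, e):
    """Return ((N, e), (N, d)) for primes p, q and public exponent e."""
    n, n_prime = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, n_prime))

def apply_key(key, x):
    """Encrypt with the public key or decrypt with the private key."""
    n, exponent = key
    return pow(x, exponent, n)

def image_size(n, e):
    """Number of distinct values of x^e mod n; equals n only for a bijection."""
    return len({pow(x, e, n) for x in range(n)})

if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)
    print(private)                             # (3233, 2753)
    print(apply_key(public, 123))              # 855
    print(apply_key(private, 855))             # 123
    print(image_size(3233, 17))                # 3233: nothing is lost
    # e = 3 divides 3120, so the map collapses and no inverse d exists.
    print(image_size(3233, 3))                 # 1113
```

The brute-force check is only feasible because N = 3233 is tiny; with a realistic modulus the property has to be relied on through the proof rather than by enumeration.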

Recap: RSA Public-key Cryptography
Consider a message to be a number modulo N, an n-bit number (longer messages can be broken up into n-bit pieces).
Pick any two large primes, p and q, and let N = pq.
Property: If e is any number that is relatively prime to $(p-1)(q-1)$, then
  the mapping $x \mapsto x^e \bmod N$ is a bijection on $\{0, 1, \ldots, N-1\}$
  if d is the inverse of e mod $(p-1)(q-1)$, then for all x in $\{0, 1, \ldots, N-1\}$, $(x^e)^d \equiv x \pmod N$
We have applied the property; we should prove it.