מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem.

Slides:



Advertisements
Similar presentations
COMP 170 L2 Page 1 L06: The RSA Algorithm l Objective: n Present the RSA Cryptosystem n Prove its correctness n Discuss related issues.
Advertisements

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
22C:19 Discrete Structures Integers and Modular Arithmetic
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
Primality Testing By Ho, Ching Hei Cheung, Wai Kwok.
מבוא מורחב 1 Lecture #6. מבוא מורחב 2 Primality testing (application) Know how to test whether n is prime in  (log n) time => Can easily find very large.
PPL Lecture 3 Slides by Dr. Daniel Deutch, based on lecture notes by Prof. Mira Balaban.
מבוא מורחב 1 Lecture 4 Material in the textbook on Pages 44-46, of 2nd Edition Sections and Hanoy towers.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Great Theoretical Ideas in Computer Science.
1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.
מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Codes, Ciphers, and Cryptography-RSA Encryption
Lecture 6: Public Key Cryptography
The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Topic 18: RSA Implementation and Security
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Prime Numbers Prime numbers only have divisors of 1 and self

1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
Great Theoretical Ideas in Computer Science.
RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, Á (pq))=1 Good news: - primes are fairly common: there are about.
MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test.
The Complexity of Primality Testing. What is Primality Testing? Testing whether an integer is prime or not. – An integer p is prime if the only integers.
Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer.
MA/CSSE 473 Day 11 Primality testing summary Data Encryption RSA.
PRIMES is in P Manindra Agrawal NUS Singapore / IIT Kanpur.
Cryptography Lecture 7: RSA Primality Testing Piotr Faliszewski.
Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 31.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
22C:19 Discrete Structures Integers and Modular Arithmetic Fall 2014 Sukumar Ghosh.
Cryptography and Network Security Public Key Cryptography and RSA.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.
Public Key Cryptosystems RSA Diffie-Hellman Department of Computer Engineering Sharif University of Technology 3/8/2006.
ENCRYPTION TAKE 2: PRACTICAL DETAILS David Kauchak CS52 – Spring 2015.
9/22/15UB Fall 2015 CSE565: S. Upadhyaya Lec 7.1 CSE565: Computer Security Lecture 7 Number Theory Concepts Shambhu Upadhyaya Computer Science & Eng. University.
CS Modular Division and RSA1 RSA Public Key Encryption To do RSA we need fast Modular Exponentiation and Primality generation which we have shown.
Ch1 - Algorithms with numbers Basic arithmetic Basic arithmetic Addition Addition Multiplication Multiplication Division Division Modular arithmetic Modular.
Introduction to Cryptography Lecture 9. Public – Key Cryptosystems Each participant has a public key and a private key. It should be infeasible to determine.
Week 4 - Wednesday.  What did we talk about last time?  Finished DES  AES.
Primality Testing. Introduction The primality test provides the probability of whether or not a large number is prime. Several theorems including Fermat’s.
9.1 Primes and Related Congruence Equations 23 Sep 2013.
מבוא מורחב 1 Lecture 4 Material in the textbook on Pages 44-46, of 2nd Edition Sections and Hanoy towers.
Chapter 1 Algorithms with Numbers. Bases and Logs How many digits does it take to represent the number N >= 0 in base 2? With k digits the largest number.
MA/CSSE 473 Day 10 Primality Testing. MA/CSSE 473 Day 10 In-class exam: Friday, Sept 28 –You may bring a two-sided 8.5x11 inch piece of paper containing.
מבוא מורחב - שיעור 5 1 Lecture 5 Higher-order procedures.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
MA/CSSE 473 Day 9 Primality Testing Encryption Intro.
Lecture #5 מבוא מורחב.
Public Key Encryption Major topics The RSA scheme was devised in 1978
High order procedures Primality testing The RSA cryptosystem
Material in the textbook on pages
Number Theory (Chapter 7)
Lecture #5 מבוא מורחב.
Lecture #6 מבוא מורחב.
Material in the textbook on
Lecture 5 Higher-order procedures מבוא מורחב - שיעור 5.
Presentation transcript:

מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem

מבוא מורחב - שיעור 6 22 Fixed Points x 0 is a fixed point of F(x) if F(x 0 ) = x 0 Example: x 0 = a is a fixed point of F(x) = a/x

מבוא מורחב - שיעור 6 3 מבוא מורחב - שיעור 5 3 Finding fixed points for f(x) Start with an arbitrary first guess x 1 Each time: try the guess, f(x) ~ x ?? If it’s not a good guess try the next guess x i+1 = f(x i ) (define (fixed-point f first-guess) (define tolerance ) (define (close-enough? v1 v2) (< (abs (- v1 v2)) tolerance)) (define (try guess) (let ((next (f guess))) (if (close-enough? guess next) guess (try next)))) (try first-guess))

מבוא מורחב - שיעור 6 4 מבוא מורחב - שיעור 5 4 An example: f(x) = 1+1/x (define (f x) (+ 1 (/ 1 x))) (fixed-point f 1.0) X 1 = 1.0 X 2 = f(x 1 ) = 2 X 3 = f(x 2 ) = 1.5 X 4 = f(x 3 ) = X 5 = f(x 4 ) = 1.6 X 6 = f(x 5 ) = X 7 = f(x 6 ) = … Exact fixed-point: … Note how odd guesses underestimate And even guesses Overestimate.

מבוא מורחב - שיעור 6 5 מבוא מורחב - שיעור 5 5 Another example: f(x) = 2/x (define (f x) (/ 2 x)) (fixed-point f 1.0) x 1 = 1.0 x 2 = f(x 1 ) = 2 x 3 = f(x 2 ) = 1 x 4 = f(x 3 ) = 2 x 5 = f(x 4 ) = 1 x 6 = f(x 5 ) = 2 x 7 = f(x 6 ) = 1 Exact fixed-point: …

מבוא מורחב - שיעור 6 6 מבוא מורחב - שיעור 5 6 How do we deal with oscillation? Consider f(x)=2/x. If guess is a number such that guess sqrt(2) So the average of guess and 2/guess is always an even Better guess. So, we will try to find a fixed point of g(x)= (x + f(x))/2 For f(x)=2/x this gives: g(x)= (x + 2/x)/2 Notice that g(x) = (x +f(x)) /2 has the same fixed points as f.

מבוא מורחב - שיעור 6 7 מבוא מורחב - שיעור 5 7 X = 2G = 1 X/G = 2G = ½ (1+ 2) = 1.5 X/G = 4/3G = ½ (3/2 + 4/3) = 17/12 = X/G = 24/17G = ½ (17/ /17) = 577/408 = To find an approximation of x: Make a guess G Improve the guess by averaging G and x/G Keep improving the guess until it is good enough

מבוא מורחב - שיעור 6 8 מבוא מורחב - שיעור 5 8 Extracting the common pattern: average-damp (define (average-damp f) ;outputs g(x)=(x+f(x))/2 (lambda (x) (average x (f x)))) average-damp: (number  number)  (number  number) ((average-damp square) 10) ((lambda (x) (average x (square x))) 10) (average 10 (square 10)) 55

מבוא מורחב - שיעור 6 9 מבוא מורחב - שיעור 5 9 … which gives us a clean version of sqrt (define (sqrt x) (fixed-point (average-damp (lambda (y) (/ x y))) 1)) Compare this to our previous implementation of sqrt – same process. For the cubic root of x, fixed point of f(y) = x/y 2 (define (cubert x) (fixed-point (average-damp (lambda (y) (/ x (square y)))) 1))

מבוא מורחב - שיעור 6 10 מבוא מורחב - שיעור 5 10 Further abstraction (define (osc-fixed-point f first-guess) (fixed-point (average-damp f) first-guess)) (define (sqrt x) (osc-fixed-point (lambda (y) (/ x y)) 1.0) (define (cubert x) (osc-fixed-point (lambda (y) (/ x (square y))) 1.0)

מבוא מורחב - שיעור 6 11 מבוא מורחב - שיעור 5 11 Newton’s method A solution to the equation: F(x) = 0 is a fixed point of: G(x) = x - F(x)/F’(x) (define (newton-transform f) (lambda (x) (- x (/ (f x) ((deriv f) x))))) (define (newton-method f guess) (fixed-point (newton-transform f) guess)) (define (sqrt x) (newton-method (lambda (y) (- (square y) x)) 1.0))

מבוא מורחב - שיעור 6 12 מבוא מורחב - שיעור 5 12 Further abstraction (define (fixed-point-of-transform f transform guess) (fixed-point (transform f) guess)) (define (osc-fixed-point f guess) (fixed-point-of-transform f average-damp guess)) (define (newton-method f guess) (fixed-point-of-transform f newton-transform guess))

מבוא מורחב - שיעור 6 13 Primality testing A natural number n is prime iff the only natural numbers dividing n are 1 and n. The following are prime: 2, 3, 5, 7, 11, 13, … and so are , , , … There are an infinite number of prime numbers. Is = prime? How do we check whether a number is prime? How do we generate huge prime numbers? Why do we care?

מבוא מורחב - שיעור 6 14 Naïve solution: Finding the smallest divisor (define (prime? n) (= n (find-smallest-divisor n 2))) (define (divides? a b) (= (remainder b a) 0)) (define (find-smallest-divisor n i) (cond ((divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) Space complexity is:  (1) For prime n we have time complexity n. If n is a 100 digit number we will wait “for ever”.

מבוא מורחב - שיעור 6 15 An improvement (define (prime? n) (= n (find-smallest-divisor n 2))) (define (divides? a b) (= (remainder b a) 0)) (define (find-smallest-divisor n i) (cond ((> (square i) n) n) ((divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) For prime n we have time complexity:  (  n) Worst case space complexity:  (1) Still, if n is a 100 digit number, it is completely infeasible.

מבוא מורחב - שיעור 6 16 We can prove that a number is not prime without explicitly finding a divisor of it. Randomness is useful in computations! Is there a more efficient way of checking primality? Yes! At least if we are willing to accept a tiny probability of error.

מבוא מורחב - שיעור 6 17 The Fermat Primality Test Fermat’s little theorem: If n is a prime number then: a n = a (mod n), for every integer a The Fermat Test: Repeat 100 times: Pick a random 1<a<n and compute a n (mod n). If a n  a (mod n), then n is not a prime. If all 100 tests passed, declare n to be a prime. Corollary: If a n ≠  a (mod n), for some a, then n is not a prime! Such an a is a witness to the compositeness of n. a n = a (mod n) means a n mod n = a mod n 4 3 mod 3 = 64 mod 3 = 1 = 4 mod mod 3 = 125 mod 3 = 2 = 5 mod mod 3 = … etc

מבוא מורחב - שיעור 6 18 Fast computation of modular exponentiation a b mod m (define (expmod a b m) (cond ((= b 0) 1) ((even? b) (remainder (expmod (remainder (* a a) m) (/ b 2) m) m)) (else (remainder (* a (expmod a (- b 1) m)) m))))

מבוא מורחב - שיעור 6 19 Implementing Fermat test (define (test a n)(= (expmod a n n) a)) (define (rand-test n) (test (+ 1 (random (- n 1))) n)) ; note - (random m)  0..m-1 and thus ; we test numbers in range 1 to n-2+1 (define (fermat-test n k); (cond ((= k 0) #t) ((rand-test n) (fermat-test n (- k 1))) (else #f))) Worst-case time complexity:  (log n) if k is constant Even if n is a 1000 digit number, it is still okay!

מבוא מורחב - שיעור 6 20 Is the Fermat test correct? If the Fermat test says that a number n is composite, then the number n is indeed a composite number. If n is a prime number, the Fermat test will always say that n is prime. However, The Fermat test can mistakenly say that a composite number is prime What is the probability that this will happen?

מבוא מורחב - שיעור 6 21 Carmichael numbers A composite number n is a Carmichael number iff a n = a (mod n) for every integer a. The first Carmichael numbers are: 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, … Theorem: n is a Carmichael number iff n=p 1 p 2 …p k, where p 1, p 2, …, p k are primes and p i -1 divides n-1, for i=1,…,k. On Carmichael numbers, the Fermat test is always wrong! Carmichael numbers are fairly rare. (There are 255 Carmichael numbers smaller than 100,000,000).

מבוא מורחב - שיעור 6 22 Theorem: (Rabin ’77) If n is a composite number that is not a Carmichael number, then at least half of the numbers between 1 and n are witnesses to the compositeness of n. Corollary: Let n be a composite number that is not a Carmichael number. If we pick a random a, 1<a<n, then a is a witness with a probability of at least a 1/2 !

מבוא מורחב - שיעור 6 23 “Correctness” of the Fermat test If n is prime, the Fermat test is always right. If n is a Carmichael number, the Fermat test is always wrong! If n is composite number that is not a Carmichael number, the Fermat test is wrong with a probability of at most Is an error probability of acceptable? Yes…Chances of being hit by lightening: Chances of winning lottery: 2 -20

מבוא מורחב - שיעור 6 24 The Rabin-Miller test A fairly simple modification of the Fermat test that is correct with a probability of at least also on Carmichael numbers. Will not be covered in this course.

מבוא מורחב - שיעור 6 25 Probabilistic algorithms An algorithm that uses random choices but outputs the correct result, with high probability, for every input! Randomness is a very useful algorithmic tool. Until the year 2002, there were no efficient deterministic primality testing algorithms. In 2002, Agarwal, Kayal and Saxena found a fast deterministic primality testing algorithm.

מבוא מורחב - שיעור 6 26 Finding large prime numbers The prime number Theorem: The number of prime numbers smaller than n is asymptotically n / ln n. Thus, for every number n, there is “likely” to be a prime number between n and n + ln n. To find a prime number roughly the size of (odd) n, simply test n, n+2, n+4, … for primality. (define (find-prime n t) (if (fermat-test n t) n (find-prime (+ n 2) t)))

מבוא מורחב - שיעור 6 27 > (find-prime (+ (exp 2 200) 1) 20) > (find-prime (+ (exp 2 500) 1) 20) > (find-prime (+ (exp ) 1) 20)

מבוא מורחב - שיעור 6 28 Primality testing versus Factoring Fast primality testing algorithms determine that a number n is composite without finding any of its factors. No efficient factoring algorithms are known. Factoring a number is believed to be a much harder task. Primality testing - Easy Factoring - Hard Lets make use of the ease of primality and hardness of factoring An effort concluded 2010 by several researchers factored a 232-digit number utilizing hundreds of machines over a span of 2 years.

מבוא מורחב - שיעור 6 29 Cryptography Eve Bob Alice

מבוא מורחב - שיעור 6 30 Traditional solution: classical cryptography Eve Bob Alice Encryption Decryption Encryption key Decryption key Hi Bob! #$%&*()

מבוא מורחב - שיעור 6 31 In classical cryptography: The two parties (Alice and Bob) should agree in advance on the encryption/decryption key. The encryption and decryption keys are either identical or easily derived from one another.

מבוא מורחב - שיעור 6 32 The internet age Eve Bob Alice Calvin Donald Felix

מבוא מורחב - שיעור 6 33 Public key cryptography [Diffie and Hellman] A system in which it is infeasible to deduce the decryption key from the encryption key. Each user publishes an encryption key that should be used for sending messages to her, but keeps her decryption key private. Is it possible to construct secure public key cryptosystems?

מבוא מורחב - שיעור 6 34 The RSA public key cryptosystem [Rivest, Shamir, Adleman (1977)] Alice: Picks two huge primes p and q. Calculates n=pq, and announces n. Chooses an integer e prime to (p-1)(q-1), announces e. Calculates the unique d such that de = 1 (mod (p-1)(q-1)) It is believed that computing d, without knowing p and q, is hard.

מבוא מורחב - שיעור 6 35 The RSA cryptosystem (cont.) To send a message m (0≤m<n) to Alice, Bob computes c=E Alice (m) and sends it to Alice. To decipher the message, Alice computes m=D Alice (c) E Alice (m) = m e (mod n) D Alice (m) = m d (mod n) Lemma: D Alice (E Alice (m)) = m

Summary מבוא מורחב - שיעור 6 36 High level procedures make programming patterns re-uasable Primality is an example of an algorithm that can be made highly efficient using randomness Sometimes the fact that a problem is very hard (like factoring) is useful rather than depressing..