Date post: | 04-Jun-2018 |
Upload: | strokenfilled |
8/13/2019 Lecture Number
COMP202 Complexity of Algorithms
Number Theory and Cryptography
[See relevant Sections of Chapter 10 in Goodrich and Tamassia.]
Learning Outcomes
At the conclusion of this set of lecture notes, you should:
1. Be familiar with the basic ideas of cryptography.
2. Have comfortable knowledge of the RSA encryption/decryption method.
3. Understand the mathematical background that underlies
the RSA method, including the Euclidean algorithm, etc.
Cryptographic communications
Throughout history there has often been the need (or desire) to
securely transmit information through insecure channels. Such
applications include communications for military purposes and
business reasons (to keep proprietary information secure), and
most recently, transactions through the Internet.
A variety of cryptographic methods have been developed to
facilitate this type of communication.
These methods include encryption/decryption transformations
and digital signatures.
Encryption schemes
Confidentiality in communication can be achieved by encryption schemes, or ciphers.
The general idea behind these schemes is that the message M to be sent, often referred to as the plaintext, is encrypted (before transmission) into an unrecognizable string (we hope!) of characters C, the ciphertext.
The ciphertext C is then transmitted to the recipient who decrypts C to recover the original message M.
[Figure: Alice encrypts the message M ("Eve is nosey") into the ciphertext C (xrjf%kjs*43s) and sends it to Bob, who decrypts it to recover M; Eve sits on the channel between them.]
Symmetric encryption schemes and secret keys
In a traditional encryption scheme a common secret key, K, is
shared by Alice and Bob.
This common key K is used for both encryption and decryption of messages.
Such an encryption scheme is called symmetric since the sender and receiver both have access to the same secret key, and it is used for both the encryption and decryption processes.
Substitution ciphers
A classic example of a symmetric cipher is a substitution cipher.
In this case the secret key is a permutation $\pi$ of the characters of the alphabet. (For example, each A gets replaced by the letter D, each B gets replaced by the letter H, etc.)
Encryption of the plaintext M is accomplished by mapping each character x to its corresponding character $y = \pi(x)$.
Decrypting the ciphertext C is easily accomplished with knowledge of the permutation, i.e. each character y of C is replaced with $x = \pi^{-1}(y)$.
The Caesar cipher
The Caesar cipher is an early example of a substitution cipher
wherein each character x is replaced by the character
$y = (x + k) \bmod n$, where n is the size of the alphabet and the
integer k, 1k
Breaking substitution ciphers
While very easy to use, substitution ciphers are not secure.
The secret key of a substitution cipher is very easily broken by
using frequency analysis, based on knowledge of the frequency
of the various letters, or groups of letters, in the alphabet being used.
For example, e is the most common letter in the English
language, followed by t, etc.
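The frequency-analysis attack described above, as an added example that is not part of the original lecture notes: it encrypts with the Caesar formula y = (x + k) mod n and then recovers k by scoring all n candidate shifts against English letter frequencies, which generalizes the "e is the most common letter" observation to the whole histogram. The frequency table is approximate and the function names are chosen here for illustration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)  # n in the slide's formula y = (x + k) mod n

# Approximate letter frequencies (percent) in English text, A..Z.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]))

# Sample plaintext: the opening paragraph of these notes.
SAMPLE = (
    "Throughout history there has often been the need or desire to securely "
    "transmit information through insecure channels. Such applications include "
    "communications for military purposes and business reasons to keep "
    "proprietary information secure, and most recently, transactions through "
    "the Internet."
)


def caesar_encrypt(text, k):
    """Replace each letter x by (x + k) mod n; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % N])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text, k):
    """Decryption is encryption with the inverse shift -k."""
    return caesar_encrypt(text, -k)


def chi_squared(text):
    """Chi-squared distance between the letter histogram of text and English."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    total = sum(counts.values())
    if total == 0:
        return float("inf")  # no letters, nothing to score
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Try every key k and keep the one whose decryption looks most like English."""
    return min(range(N), key=lambda k: chi_squared(caesar_decrypt(ciphertext, k)))


if __name__ == "__main__":
    ciphertext = caesar_encrypt(SAMPLE, 3)   # k = 3 maps A to D, as in the slide
    k = recover_shift(ciphertext)
    print(k, caesar_decrypt(ciphertext, k)[:40])
```

The key space has only n values, so the search is exhaustive; a general substitution cipher has n! keys, but the same letter statistics still give the key away.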
The One-time pad
Secure symmetric ciphers do exist!
In fact, the most secure cipher known is the symmetric cipher
that's referred to as the one-time pad.
For this encryption scheme Alice and Bob share a random bit
string K that is as long as any message that they are going to
send.
This key K is the symmetric key that is used for the encryption
and decryption process.
The One-time pad (encryption)
To encrypt the message M, Alice computes $C = M \oplus K$, where the symbol $\oplus$ denotes the bitwise exclusive-or operation.
(Note: $0 \oplus 0 = 1 \oplus 1 = 0$ and $0 \oplus 1 = 1 \oplus 0 = 1$.)
Alice then sends C to Bob on any reliable communications channel.
The communication is secure because C is computationally indistinguishable from a random bit string. (This relies highly on the fact that K was selected randomly!!)
The One-time pad (decryption)
Bob can easily decrypt the ciphertext C to recover M in the following fashion:
$$C \oplus K = (M \oplus K) \oplus K = M \oplus (K \oplus K) = M \oplus 0 = M$$
where 0 represents the all-zero string with the same length as M.
This is clearly a symmetric scheme as Alice and Bob use the same key K for encryption and decryption.
The One-time pad (analysis)
Advantages:
Computationally efficient since the bitwise exclusive-or is easy to perform.
Very secure (provided K is chosen randomly)!!
Disadvantages:
Alice and Bob must share a very long key K.
Security depends on the fact that the key is used only once!!
In practice, we prefer secret keys that can be reused and that are much shorter than the messages that we must transmit.
How can we do this?
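Why the one-time pad key may be used only once, as an added example that is not part of the original notes: if the same K encrypts two messages, K cancels out of C1 ⊕ C2 exactly as it does in the decryption identity above, so an eavesdropper learns M1 ⊕ M2 without ever seeing K. The second message and all function names are constructed for illustration.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh random key K, as long as the message it will protect."""
    return secrets.token_bytes(length)


def otp_encrypt(message, pad):
    """C = M xor K."""
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext, pad):
    """M = C xor K, because (M xor K) xor K = M xor 0 = M."""
    return xor_bytes(ciphertext, pad)


def pad_reuse_leak(c1, c2):
    """What an eavesdropper computes from two ciphertexts under the same K.

    C1 xor C2 = (M1 xor K) xor (M2 xor K) = M1 xor M2; the key is gone.
    """
    return xor_bytes(c1, c2)


def recover_second(c1, c2, known_m1):
    """If one plaintext is known or guessed, the other follows immediately."""
    return xor_bytes(pad_reuse_leak(c1, c2), known_m1)


M1 = b"Eve is nosey"   # the message from the slide's figure
M2 = b"Meet at noon"   # constructed second message of the same length


def demo():
    pad = new_pad(len(M1))
    c1 = otp_encrypt(M1, pad)
    c2 = otp_encrypt(M2, pad)   # the mistake: K is used a second time
    return {
        "roundtrip": otp_decrypt(c1, pad),
        "leak": pad_reuse_leak(c1, c2),
        "recovered_m2": recover_second(c1, c2, M1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```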
Public-key cryptography
A major problem with symmetric encryption schemes is key distribution, or how to securely distribute the secret keys.
One idea is to dispense with using symmetric encryption schemes and seek another method for generating (and deciphering) the ciphertexts.
In 1976 Diffie and Hellman described an abstract system that overcomes the problem of key distribution: public-key cryptosystems.
Public-key cryptosystems
A public-key cryptosystem consists of an encryption function E and a decryption function D. For any message M, the following properties must hold:
1. D(E(M)) = M.
2. Both E and D are easy to compute.
3. It is computationally infeasible to derive D from E.
4. E(D(M)) = M.
Public-key cryptosystems (cont.)
The third property is the particularly important one. It means that knowledge of the encryption method gives no information about the decryption scheme. Anybody can send a private message to the holder of the function D, but only that person knows how to decrypt it.
For this reason E is referred to as a one-way function, or sometimes a trapdoor function.
In this kind of encryption method E is made public and D is kept private.
The fourth property allows for digital signatures. This can allow someone to send a message to another person and the recipient can verify that it came from the sender, assuming that the sender is the only person who has the private key. (More on this later.)
The RSA encryption scheme
Diffie and Hellman's idea was ingenious, but it was an abstract concept about how such a system would operate.
Rivest, Shamir, and Adleman proposed a public-key encryption method that is probably the most well-known, and is still in use today for communications via web-browsers, etc.
Their method is tied to the difficulty of factoring large numbers.
Before we can get into the details of the RSA method, we must first discuss some concepts from the branch of mathematics called number theory.
Elementary number theory - Divisibility
Given integers a and b, we use the notation a|b to denote that a divides b, i.e. b is a multiple of a.
If a|b then there is another integer k such that $b = a \cdot k$.
Prime numbers and composite numbers
An integer $n \geq 2$ is said to be prime if the only divisors of n are the trivial divisors 1 and n.
An integer $n \geq 2$ that is not prime is said to be composite.
For example, 11, 107, and 98711 are prime, but 25, 69, and $10403 = 101 \cdot 103$ are composite.
Fundamental Theorem of Arithmetic
Theorem: Let n > 1 be an integer. Then there is a unique set of prime numbers $\{p_1, \ldots, p_k\}$ and positive integers $\{e_1, \ldots, e_k\}$ such that
$$n = p_1^{e_1} \cdots p_k^{e_k}.$$
The product $p_1^{e_1} \cdots p_k^{e_k}$ is known as the prime decomposition of n. It is unique, up to the ordering of the primes in the factorization.
Greatest common divisor (GCD)
Let a and b denote positive integers. The greatest common divisor of a and b, denoted gcd(a,b), is the largest integer that divides both a and b.
If gcd(a,b) = 1, then we say that a and b are relatively prime.
The definition of the GCD can be extended in a natural fashion:
If a > 0, then gcd(a,0) = gcd(0,a) = a.
gcd(a,b) = gcd(|a|, |b|) if a and/or b is negative.
For example, gcd(56,24) = 8, gcd(25,31) = 1, gcd(45, 25) = 5, and gcd(27, 51) = 3.
Note that gcd(0, 0) is undefined (as, of course, there is no largest integer that divides 0).
Greatest common divisor (cont.)
We note the following important fact:
Theorem: If d = gcd(a,b), then there exist (unique) integers j and k such that
$$d = j \cdot a + k \cdot b.$$
In other words, the greatest common divisor of a and b is expressible as a linear combination of a and b.
gcd(56,24) = 8:    $8 = 1 \cdot 56 + (-2) \cdot (24)$
gcd(25,31) = 1:    $1 = 5 \cdot 25 + (-4) \cdot 31$
gcd(45,25) = 5:    $5 = (-1) \cdot 45 + 2 \cdot 25$
gcd(57,363) = 3:   $3 = 57 \cdot 51 + (-8) \cdot 363$
The modulo operator and congruences
The modulo operator, denoted by a mod b, defines the remainder of a when divided by b. That is, r = a mod b means that
$$r = a - \left\lfloor \frac{a}{b} \right\rfloor b.$$
In other words, r is always an integer in the set $\{0, 1, 2, \ldots, b-1\}$ (even when a is negative), and there is an integer q such that
$$a = q \cdot b + r.$$
Sometimes we find it convenient to talk about congruence modulo n. If
$$a \bmod n = b \bmod n,$$
we say that a is congruent to b modulo n and write
$$a \equiv b \pmod{n}.$$
If $a \equiv b \pmod{n}$, then $a - b = kn$ for some integer k.
Euclid's algorithm
Euclid's algorithm is a method to find the greatest common divisor of two integers a and b.
Euclid's algorithm (cont.)
EUCLIDGCD(a, b)
Input: Nonnegative integers a and b (not both zero).
Output: gcd(a, b).
    while b ≠ 0 do
        (a, b) ← (b, a mod b)
    return a
Note: If b = 0, this routine will return the value of a (which, by our assumption on the input, is not zero), giving the correct result.
Examples of Euclid's algorithm
step   1    2    3    4    5    6    7
a      412  260  152  108  44   20   4
b      260  152  108  44   20   4    0
Hence, gcd(412,260) = 4.
step   1    2    3    4    5
a      408  162  84   78   6
b      162  84   78   6    0
Thus, gcd(408,162) = 6.
Euclid's algorithm - Complexity
For i > 0, let $a_i$ denote the first element of the ordered pair during the i-th step in the while loop in Euclid's algorithm. The second argument is equal to $a_{i+1}$. So
$$a_{i+2} = a_i \bmod a_{i+1}.$$
This implies that, after the first time through the loop, the sequence $a_i$ is strictly decreasing.
We can show that $a_{i+2} < \frac{1}{2} a_i$.
This leads to the following result:
Theorem: Let a, b be two positive integers. Euclid's algorithm computes gcd(a, b) by executing O(log(max{a, b})) arithmetic operations.
The Extended Euclidean Algorithm
As mentioned earlier, if d = gcd(a,b), there are integers j and k such that $d = j \cdot a + k \cdot b$.
We can modify Euclid's algorithm to find these numbers j and k while we compute gcd(a,b). This is the so-called Extended Euclidean algorithm.
The Extended Euclidean Algorithm (cont.)
EXTENDEDEUCLIDGCD(a, b)
Input: Nonnegative integers a and b (not both zero).
Output: d = gcd(a, b), integers j, k where d = j·a + k·b.
    if b = 0 then
        return (a, 1, 0)
    r ← a mod b
    Let q be the integer such that a = q·b + r (that is, q = ⌊a/b⌋).
    (d, j, k) ← ExtendedEuclidGCD(b, r)
    return (d, k, j − kq)
Extended Euclidean Algorithm examples
Note that by the recursive nature of the algorithm, the values of a, b, q, and r are filled in the table from left-to-right, but those of j and k are filled in from right-to-left.
To find gcd(412, 260) we have these values:
step          1    2    3    4    5    6    7
a             412  260  152  108  44   20   4
b             260  152  108  44   20   4    0
q = ⌊a/b⌋     1    1    1    2    2    5    *
r = a mod b   152  108  44   20   4    0    *
j             12   -7   5    -2   1    0    1
k             -19  12   -7   5    -2   1    0
As can be checked, we have $12 \cdot 412 + (-19) \cdot 260 = 4$.
Extended Euclidean Algorithm examples (cont.)
Finding gcd(408,162) gives this table:
step   1    2    3    4    5
a      408  162  84   78   6
b      162  84   78   6    0
q      2    1    1    13   *
r      84   78   6    0    *
j      2    -1   1    0    1
k      -5   2    -1   1    0
We see that $2 \cdot 408 + (-5) \cdot 162 = 6$, as guaranteed previously.
The Extended Euclidean algorithm is useful for the RSA encryption method, as we will soon see.
The RSA method
Given the previous information (review?) about some very basic number theory, we are now ready to describe the basic method of the RSA encryption/decryption method.
Recall that this is a public-key encryption method. So this is a non-symmetric encryption scheme, where there is an encryption function and a separate decryption function.
The main idea of the RSA method is that I can publish my encryption function (i.e. make it freely available to anyone who wishes to use it to send a message to me), but only I know the decryption function.
The RSA method (cont.)
Let p and q denote two (large) prime numbers.
Let $n = p \cdot q$ and define $\phi(n) = (p - 1)(q - 1)$.
We then choose two numbers e and d such that
1. e and $\phi(n)$ are relatively prime, i.e. $\gcd(e, \phi(n)) = 1$, and
2. $ed \equiv 1 \pmod{\phi(n)}$.
(We can use the Extended Euclidean algorithm to find d, given e.)
Encryption via RSA
Let us assume that the message M is an integer and that
0< M
Decryption with RSA
Decryption of the received ciphertext, C, is again handled by modular exponentiation:
$$M \leftarrow C^d \bmod n.$$
The correctness of the RSA method is guaranteed because it can be shown that with the choices of e, n, and d (with the properties listed earlier), then for every integer 0
Digital signatures
As mentioned earlier, the RSA cryptosystem supports digital signatures. Suppose that Bob sends a message M to Alice and that Alice wants to verify that it was Bob who sent it. Bob can create a signature using the decryption function applied to M:
$$S \leftarrow M^d \bmod n.$$
Alice verifies the digital signature using the encryption function, that is by checking that
$$M \equiv S^e \pmod{n}.$$
Since only Bob knows the decryption function, this will verify that it was indeed Bob who sent the message. (Of course, any person can use the encryption function as well to reconstruct the message M, so this is not a method to secretly pass information from Bob to Alice.)
The difficulty of breaking RSA
Note that even knowing e doesn't allow us to figure out d, unless we know $\phi(n)$.
Most cryptographers believe that breaking RSA requires the computation of $\phi(n)$, which in turn requires factoring n.
Factoring has not been proven to be difficult, but many (many!) people have worked on this problem over the last several hundred years.
For example, it took some heavy duty mathematics and a network of 700 computers (including one supercomputer) four months to factor the number $2^{512} + 1$, which is 155 digits long.
As the ability to factor larger numbers increases, we simply have to choose larger primes p and q so that $n = p \cdot q$ is outside of the current factoring capabilities.
Fast exponentiation
A possible bottleneck in the RSA algorithm is computing expressions of the form
$$x^k \bmod n.$$
The naive approach is to calculate $x^2 \bmod n$, then use that to get $x^3 \bmod n$, then $x^4 \bmod n$, etc.
Fast exponentiation (cont.)
We can do much better with an algorithm based on repeated squaring. For example, if we wanted to compute $x^{16}$, we could first find $x^2$, then $(x^2)^2 = x^4$, then $(x^4)^2 = x^8$, and finally $(x^8)^2 = x^{16}$. This requires only four multiplications instead of fifteen with the naive method.
If we are performing modular exponentiation as in RSA, after each step we can find $x^i \bmod n$ to keep the results small (between 0 and $n - 1$).
Fast exponentiation (cont.)
FASTEXPONENTIATION(x, k, n)
Input: Integers x, k ≥ 0, and n > 0.
Output: r = x^k mod n.
    r ← 1
    t ← x
    while k ≠ 0 do
        if k is odd then
            r ← r · t mod n
        t ← t^2 mod n
        k ← ⌊k/2⌋
    return r
Complexity of RSA
Using the FASTEXPONENTIATION(x, k, n) algorithm, the size of the operands is never more than O(log n) bits, and it takes O(log k) arithmetic operations to find $x^k \bmod n$.
This leads to the following result:
Theorem: Let n be the modulus of the RSA algorithm. Then RSA encryption, decryption, signature, and verification each take O(log n) arithmetic operations (per block).
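The RSA method, its digital signatures, the Extended Euclidean algorithm and fast exponentiation from the slides above, tied together in one added example that is not part of the original notes. The toy primes p = 61, q = 53, the exponent e = 17 and all function names are assumptions chosen here; the bound 0 < M < n is also assumed, because the slide's bound on M is cut off in this copy.

```python
def extended_gcd(a, b):
    """Return (d, j, k) with d = gcd(a, b) = j*a + k*b (ExtendedEuclidGCD)."""
    if b == 0:
        return a, 1, 0
    q, r = divmod(a, b)            # a = q*b + r
    d, j, k = extended_gcd(b, r)
    return d, k, j - k * q


def fast_exp(x, k, n):
    """x^k mod n by repeated squaring, O(log k) multiplications."""
    r, t = 1 % n, x % n            # 1 % n so that the result is 0 when n == 1
    while k != 0:
        if k & 1:                  # k is odd
            r = r * t % n
        t = t * t % n
        k //= 2
    return r


def make_keypair(p, q, e):
    """Build (public, private) = ((e, n), (d, n)) from primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d_gcd, j, _ = extended_gcd(e, phi)
    if d_gcd != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = j % phi                    # j may be negative; reduce so e*d = 1 mod phi
    return (e, n), (d, n)


def _apply(value, key):
    """Shared core of E and D: value^exponent mod n (unpadded, as on the slides)."""
    exponent, n = key
    if not 0 < value < n:          # assumed bound, see the lead-in
        raise ValueError("value must satisfy 0 < value < n")
    return fast_exp(value, exponent, n)


def encrypt(m, public):
    return _apply(m, public)       # C = M^e mod n


def decrypt(c, private):
    return _apply(c, private)      # M = C^d mod n


def sign(m, private):
    return _apply(m, private)      # S = M^d mod n


def verify(m, s, public):
    return _apply(s, public) == m  # accept iff M = S^e mod n


if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)
    c = encrypt(65, public)
    s = sign(65, private)
    print(public, private, c, decrypt(c, private), verify(65, s, public))
```

With primes this small n can be factored by hand, which is the point made under "The difficulty of breaking RSA": the private exponent falls out of φ(n) as soon as p and q are known.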