cs2 comp think - university of california, santa barbara an encrypted text: vnnc vn jc ljsn jc oxda...

44
Communication Security Cryptography Communication Security & Cryptography cs2: Computational Thinking for Scientists C ¸etin Kaya Ko¸c http://cs.ucsb.edu/ ~ koc/cs2 [email protected] The course was developed with input from: ¨ Omer Eˇ gecioˇglu (Computer Science), Maribel Bueno Cachadina (Mathematics/CCS), Rolf Christoffersen (MCDB), Richard Church (Geography), Wendy Meiring (PSTAT), Todd Oakley (EEMB), and Joan Shea (Chemistry) (http://cs.ucsb.edu/ ~ koc/cs2) cs2 comp think lecture13 - winter 2015 1 / 44

Upload: nguyenanh

Post on 19-Apr-2018

217 views

Category:

Documents


4 download

TRANSCRIPT

Communication Security Cryptography

Communication Security & Cryptography

cs2: Computational Thinking for Scientists

Cetin Kaya Kochttp://cs.ucsb.edu/~koc/cs2

[email protected]

The course was developed with input from:

Omer Egecioglu (Computer Science),Maribel Bueno Cachadina (Mathematics/CCS),Rolf Christoffersen (MCDB),Richard Church (Geography),Wendy Meiring (PSTAT),Todd Oakley (EEMB), andJoan Shea (Chemistry)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 1 / 44

Communication Security Cryptography

Secure Communication over an Insecure Channel

Sender Receiver

Adversary

M

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 2 / 44

Communication Security Cryptography

Secret-Key Cryptography

Sender Receiver

Adversary

C

C=EKe(M) M=DKd(C)

secure

channel Kd

Encryption and decryption functions: E (·) & D(·)Encryption and decryption keys: Ke & Kd

Plaintext and ciphertext: M & C

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 3 / 44

Communication Security Cryptography

Secret-Key Cryptography

C = EKe(M) and M = DKd

(C )

Either E (·) = D(·) and Ke 6= Kd

Kd is easily deduced from Ke

Ke is easily deduced from Kd

Or E (·) 6= D(·) and Ke = Kd

D(·) is easily deduced from E (·)E (·) is easily deduced from D(·)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 4 / 44

Communication Security Cryptography

First Example: Shift Cipher

Input/output: {a, b, . . . , z} with encoding {0, 1, . . . , 25}

a b c d e f g h i j k l m n o

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

p q r s t u v w x y z

15 16 17 18 19 20 21 22 23 24 25

Encryption function: Ek(x) = x + k (mod 26)Decryption function: Dk(y) = y − k (mod 26)

The encryption or decryption key: k ∈ {0, 1, 2, . . . , 25}

Key space size: 26 (or 25, if you do not count k = 0)

Caesar cipher: Shift cipher with a constant encryption key k = 3

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 5 / 44

Communication Security Cryptography

Shift Cipher

For k = 15, hello is encrypted as wtaad sinceE15(h) = E15(7) = 7 + 15 = 22 (mod 26) → w

E15(e) = E15(4) = 4 + 15 = 19 (mod 26) → t

E15(l) = E15(11) = 11 + 15 = 26 = 0 (mod 26) → a

E15(o) = E15(14) = 14 + 15 = 29 = 3 (mod 26) → d

For k = 12, eqqw is decrypted as seek sinceD12(e) = D12(4) = 4− 12 = −8 = 18 (mod 26) → s

D12(q) = D12(16) = 16− 12 = 4 (mod 26) → e

D12(w) = D12(22) = 22− 12 = 10 (mod 26) → k

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 6 / 44

Communication Security Cryptography

Cryptanalysis of Shift Cipher

Ciphertext only

Exhaustive key search: a paragraph of ciphertext(in order to avoid ambiguity)Frequency analysis: a paragraph of ciphertext(in order to get statistically reliable frequency count)

Known plaintext: a single plaintext/ciphertext pair

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 7 / 44

Communication Security Cryptography

Exhaustive Key Search

Given an encrypted text: vnnc vn jc ljsn jc oxda yv

Decrypt the text with all possible keys:k=1−→ ummb um ib kirm ib nwcz xuk=2−→ tlla tl ha jhql ha mvby wt

· · ·k=8−→ nffu nf bu dbkf bu gpvs qnk=9−→ meet me at caje at four pm

A short encrypted text may have several “meaningful” decryptions:

vnnck=9−→ meet

vnnck=25−→ wood

For a sufficiently long encrypted text, there will not be ambiguity

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 8 / 44

Communication Security Cryptography

Frequency Analysis

The most frequently occurring ciphertext is the encryption of themost frequently occurring plaintext

In English: that would be the letter e, followed up by letters t and a

Letter frequencies (percentages) in English

a b c d e f g h i j

8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2

k l m n o p q r s t

0.8 4.0 2.4 6.7 7.5 1.9 0.1 6.0 6.3 9.1

u v w x y z

2.8 1.0 2.3 0.1 2.0 0.1

Compute the ciphertext letter frequencies, and find the mostfrequently occurring the letter: this must be the ciptertext for theletter e

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 9 / 44

Communication Security Cryptography

Occurrences of Letter e

Frequency: 54435 ≈ 12.4%

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 10 / 44

Communication Security Cryptography

Occurrences of Letter a

Frequency: 23435 ≈ 5.3%

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 11 / 44

Communication Security Cryptography

Unusual Texts

The novel “Gadsby” by E. V. Wright is written asa lipogram∗; it has 50,000 words in it without asingle occurrence of the letter e

“A Void”, translated from the original French “LaDisparition” (The Disappearance), is a 300-pagelipogrammatic novel, written in 1969 by GeorgesPerec, entirely without using the letter e (exceptfor the author’s name)

However, the probability of occurrence for such texts is very low

∗ A lipogram (leipogrammatos: leaving out a letter) is a kind of constrained

writing or word game consisting of writing paragraphs in which a particular letter

or group of letters is avoided

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 12 / 44

Communication Security Cryptography

Frequency Analysis

Given the short ciphertext: tbxqebo fp dobxq ebob

Frequency analysis finds the most frequently occurring letter as b

The letter b (most probably) is the ciphertext for the letter e

Ek(e) = b

Ek(4) = 4 + k = 1 (mod 26)

k = 1− 4 = − 3 = 23 (mod 26)

Indeed, if we decrypt the encrypted text using the key k = 23, weobtain:tbxqebo fp dobxq ebob

k=23−→ weather is great here

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 13 / 44

Communication Security Cryptography

Known Plaintext Scenario

Given a (any) single plaintext/ciphertext pair (x , y), we have

Ek(x) = x + k = y (mod 26)

k = y − x (mod 26)

Consider the encrypted message:zrrg zr ng bhe frperg ybpngvba

and the plaintext/ciphertext pair: m → z

Ek(m) = z

Ek(12) = 12 + k = 25 (mod 26)

k = 25− 12 = 13 (mod 26)

We find the key as k = 13; indeed this key decrypts the messagek=13−→ meet me at our secret location

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 14 / 44

Communication Security Cryptography

Second Example: Hill Algebra

Encoding: {a, b, . . . , z} −→ {0, 1, . . . , 25}

Select a d × d matrix A of integers and find its inverse A−1 mod 26

For example, for d = 2

A =

[

3 32 5

]

and A−1 =

[

15 1720 9

]

Verify:

[

3 32 5

] [

15 1720 9

]

=

[

105 78130 79

]

=

[

1 00 1

]

(mod 26)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 15 / 44

Communication Security Cryptography

Hill Cipher

Encryption function: c = E (m) = Am (mod 26)

Decryption function: m = D(c) = A−1 c (mod 26)

m and c are d × 1 vectors of plaintext and ciphertext letter encodings

Encryption key Ke : A

Decryption key Kd : A−1 (mod 26)

A and A−1 are d × d matrices such that det(A) 6= 0 (mod 26) andA−1 is the inverse of A mod 26

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 16 / 44

Communication Security Cryptography

Hill Cipher Example

The plaintext: "help"

u1 =

[

"h"

"e"

]

=

[

74

]

; u2 =

[

"l"

"p"

]

=

[

1115

]

Encryption: v1 = A u1 and v2 = A u2

[

3 32 5

] [

74

]

=

[

3334

]

=

[

78

]

=

[

"h"

"i"

]

[

3 32 5

] [

1115

]

=

[

7897

]

=

[

019

]

=

[

"a"

"t"

]

The ciphertext: "hiat"

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 17 / 44

Communication Security Cryptography

Hill Cipher

To decrypt the ciphertext: "hiat", we need the vectors v1 and v2

Decryption: u1 = A−1 v1 and u2 = A

−1 v2

[

15 1720 9

] [

78

]

=

[

241212

]

=

[

74

]

=

[

"h"

"e"

]

[

15 1720 9

] [

019

]

=

[

323171

]

=

[

1115

]

=

[

"l"

"p"

]

The plaintext: "help"

The d -dimensional Hill cipher is poly-alphabetic on single letters,however, mono-alphabetic on words of length d

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 18 / 44

Communication Security Cryptography

Key Space Size for Hill Space

It was suggested by Overbey, Traves, and Wojdylo in Cryptologia,29(1), Jan 2005, that the number of d × d matrices invertible modulom is

i

(

p(ni−1)d2

i

d−1∏

k=0

(pdi − pki )

)

such that m =∏

pnii

When m = 26 = 21 · 131, we simplify this as

d−1∏

k=0

(2d−2k)(13d−13k) = 26d2

(1−1/2) · · · (1−1/2d)(1−1/13) · · · (1−1/13d)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 19 / 44

Communication Security Cryptography

Key Space Size for Hill Cipher

We enumerate and find the number of keys for as follows:

d Number of Keys Power of 10

2 157,248 105.2

3 1,750,755,202,560 1012.2

4 13,621,827,326,505,327,820,800 1022.1

5 72,803,944,226,174,990,390,435,243,910,758,400 1034.9

Exhaustive key search is probably not feasible for 4-dimensional Hillciphers (requires significant resources), and definitely not feasible for5-dimensional (and beyond) Hill ciphers

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 20 / 44

Communication Security Cryptography

Frequency Analysis of the Hill Cipher

Frequency analysis is not applicable for single letters — a plaintextletter is encrypted to different ciphertext letter depending on whetherit is the first or second letter and what the other letter is

For example, for our example 2-dimensional Hill cipher, theencryption of x is as follows:"xy" → "lk" implies "x" → "l"

"xz" → "op" implies "x" → "o"

"zx" → "oj" implies "x" → "j"

However, digrams (2-letter words) are always encrypted to the sameciphertext bigrams for a 2-dimensional cipher"xyabcd" → "lkdfpt"

"abxycd" → "dflkpt"

"abcdxy" → "dfptlk"

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 21 / 44

Communication Security Cryptography

Digram Frequencies in English

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 22 / 44

Communication Security Cryptography

Frequency Analysis of the Hill Cipher

We can apply frequency attack to a d -dimensional Hill cipher if wehave “useful” (distinguishable) d -gram frequencies

As expected the digram "th" appears in English more often — somestudies have shown that the frequency of diagram "th" is about3.15%

Similarly the frequency of "the" is higher than most other trigrams,followed up by "and", "for" — however, these frequencies are toolow and too close to one another

As expected, as the word size increases the frequencies becomeindistinguishable from one another — we loose those useful frequencyvalues such as 12.7% for the single letter "e"

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 23 / 44

Communication Security Cryptography

Secret-Key versus Public-Key Cryptography

Secret-Key Cryptography:

Requires establishment of a secure channel for key exchangeTwo parties cannot start communication if they never metSecure communication of n parties requires n(n − 1)/2 keysKeys are “shared”, rather than “owned” (secret vs private)

Public-Key Cryptography:

No need for a secure channelMay require establishment of a public-key directoryTwo parties can start communication even if they never metSecure communication of n parties requires n keysKeys are “owned’, rather than “shared”Ability to “sign” digital data (secret vs private)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 24 / 44

Communication Security Cryptography

Diffie-Hellman Key Exchange Method

Martin Hellman (1945): American cryptologist and co-inventor ofpublic key cryptography in cooperation with Whitfield Diffie andRalph Merkle at Stanford

Bailey Whitfield Diffie (1944) is an American cryptographer andco-inventor of public key cryptography

Diffie and Hellman’s paper “New Directions in Cryptography” waspublished IEEE Tran. Information Theory in Nov 1976

It introduced a radically new method of distributing cryptographickeys, that went far toward solving one of the fundamental problems ofcryptography, key distribution

It has become known as Diffie-Hellman key exchange.

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 25 / 44

Communication Security Cryptography

Diffie-Hellman Key Exchange Method

A and B agree on a prime p and a primitive element g of Z∗

p

This is accomplished in public: p and g are known to the adversary

A selects a ∈ Z∗

p , computes s = ga (mod p), and sends s to B

B selects b ∈ Z∗

p , computes r = gb (mod p), and sends r to A

A computes K = ra (mod p)

B computes K = sb (mod p)

K = ra = (gb)a = gab (mod p)

K = sb = (ga)b = gab (mod p)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 26 / 44

Communication Security Cryptography

Diffie-Hellman Key Exchange Method

User A

a

ga

(gb

)a

K = gab

User B

b

gb

(ga

)b

K = gab

Adversary

p & g

ga

gb

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 27 / 44

Communication Security Cryptography

Discrete Logarithm Problem

The adversary knows the group: p and g

The adversary also sees (obtains copies of) s = ga and r = gb

The discrete logarithm problem (DLP):the computation of x ∈ Z∗

p in

y = gx (mod p)

given p, g , and y

Example: Given p = 23 and g = 5, find x such that

10 = 5x (mod 23)

Answer: x = 3

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 28 / 44

Communication Security Cryptography

Discrete Logarithm Problem

Given p = 158(2800 + 25) + 1 =

1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359

and g = 3, find x ∈ Z∗

p such that

2 = 3x (mod p)

Answer: ?

How difficult is it to find x?

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 29 / 44

Communication Security Cryptography

Diffie-Hellman Key Exchange Method

The Diffie-Hellman algorithm allows two parties to agree on a key thatis known only to them, except that the adversary can solve the DLP

Once the secret key (shared key) is established, the parties can use asecret-key cryptographic algorithm to encrypt and decrypt

However, we still have the problem of establishing n(n− 1)/2 keysbetween n parties, and other difficulties of the secret-keycryptography also remain

But, we no longer need a (secret-key type) secure channel — theDiffie-Hellman algorithm gave us a secure channel, whose securitydepends on computational difficulty of the DLP

The Diffie-Hellman algorithm is not a public-key encryption method

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 30 / 44

Communication Security Cryptography

Public-Key Cryptography

The functions C (·) and D(·) are inverses of one another

C = EKe(M) and M = DKd

(C )

Encryption and decryption processes are asymmetric:

Ke 6= Kd

Ke is public, known to everyone

Kd is private, known only to the user

Ke may be easily deduced from Kd

However, Kd is NOT easily deduced from Ke

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 31 / 44

Communication Security Cryptography

Public-Key Cryptography

User2 User0

Adversary

C2

C3=EKe(M3)

M1=DKd(C1)

User1

User3

PK Directory

User0 Ke

C1

C3

C1=EKe(M1)

C2=EKe(M2)

M2=DKd(C2)

M3=DKd(C3)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 32 / 44

Communication Security Cryptography

Public-Key Cryptography

The User publishes his/her own public key: Ke

Anyone can obtain the public key Ke and can encrypt a message M,and send the ciphertext to the User

C = EKe(M)

The private key is known only to the User: Kd

Only the User can decrypt the ciphertext to get the message

M = DKd(C )

The adversary may be able to block the ciphertext, but cannot decrypt

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 33 / 44

Communication Security Cryptography

Public-Key Cryptography

A public-key cryptographic algorithm is based on a function y = f (x)such thatGiven x , computing y is EASY: y = f (x)Given y , computing x is HARD: x = f −1(y)

x

easy

−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−

hard

y = f (x)

Such functions are called one-way

In order to decide what is hard: Theory of complexity could help

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 34 / 44

Communication Security Cryptography

Well-Known One-Way Functions

Discrete Logarithm:Given p, g , and x , computing y in y = gx (mod p) is EASYGiven p, g , y , computing x in y = gx (mod p) is HARD

Factoring:Given p and q, computing n in n = p · q is EASYGiven n, computing p or q in n = p · q is HARD

Discrete Square Root:Given x and y , computing y in y = x2 (mod n) is EASYGiven y and n, computing x in y = x2 (mod n) is HARD

Discrete eth Root:Given x , n and e, computing y in y = xe (mod n) is EASYGiven y , n and e, computing x in y = xe (mod n) is HARD

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 35 / 44

Communication Security Cryptography

One-Way Functions for PKC

However, a one-way function is difficult for anyone to invert

What we need: a function easy to invert for the legitimate receiver ofthe encrypted message, but for everyone else: hard

Such functions are called one-way trapdoor functions

In order to build a public-key encryption algorithm, we need aone-way trapdoor function

Once that is understood (in around 1975-1976), researchers lookedfor such special functions which are either based on the knownone-way functions or some other constructions

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 36 / 44

Communication Security Cryptography

Rivest-Shamir-Adleman Algorithm

Invented by three young faculty members at MIT: Ronald Rivest(CS), Adi Shamir (Math), and Leonard Adleman (Math) in theSummer and Fall of 1976:“Ron and Adi would come up with ideas, and Len would try to shootthem down. Len was consistently successful; late one night, though,Ron came up with an algorithm that Len couldnt crack.”

Following the ideas of building a public-key encryption method usingtrapdoor one-way functions of Merkle and Hellman

It is based on the one-way functions factoring and discrete eth root

The paper was published in 1977 (Comm. of ACM)

The method was patented by MIT in 1983, which ended in 2000

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 37 / 44

Communication Security Cryptography

Rivest-Shamir-Adleman Algorithm

The User generates two large, approximately same size randomprimes: p and q

The modulus n is the product of these two primes: n = pq

Euler’s totient function of n is given by φ(n) = (p − 1)(q − 1)

The User selects a number 1 < e < φ(n) such that

gcd(e, φ(n)) = 1

and computes d with

d = e−1 (mod φ(n))

using the extended Euclidean algorithm

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 38 / 44

Communication Security Cryptography

Rivest-Shamir-Adleman Algorithm

e is the public exponent and d is the private exponent

The public key: The modulus n and the public exponent e

The private key: The private exponent d , the primes p and q, andφ(n) = (p − 1)(q − 1)

Encryption and decryption are performed by computing

C = Me (mod n)

M = Cd (mod n)

where M,C are the plaintext and ciphertext such that

0 ≤ M,C < n

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 39 / 44

Communication Security Cryptography

Example RSA

The primes p = 11 and q = 13, the modulus n = 11 · 13 = 143

φ(n) = φ(143) = (p − 1)(q − 1) = 10 · 12 = 120

Find e such that gcd(e, φ(n)) = φ(e, 120) = 1

Since 120 = 23 · 3 · 5, we select e = 7

d = e−1 (mod φ(n)) which gives d = 7−1 (mod 120) as d = 103

Encryption C = Me (mod n) gives C = 87 (mod 143) as C = 57Decryption D = Cd (mod n) gives M = 57103 (mod 143) as M = 8

Encryption C = Me (mod n) gives C = 117 (mod 143) as C = 132Decryption D = Cd (mod n) gives M = 132103 (mod 143) asM = 11

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 40 / 44

Communication Security Cryptography

Security of RSA

The public key (e, n) is publishedThe private key parameters p, q, φ(n), d are kept by the user

Breaking RSA:one or several or all instances → Computing M, given C and (e, n)all instances → Computing d , given (e, n)

Taking discrete eth Root → Computing M

Compute eth Root of Me (mod n) and obtain M

Factoring n ⇒ Computing d

Factor n = pq, compute d = e−1 mod (p − 1)(q − 1)

Computing φ(n) ⇒ Computing d

Compute d = e−1 mod φ(n)

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 41 / 44

Communication Security Cryptography

Knowing φ(n) ⇒ Factoring n

We know n = pq, we can also write:

n− φ(n) + 1 = pq − (p − 1)(q − 1) + 1 = p + q

Thus we have pq and p + q, and we can write a quadratic equationwhose roots are p and q

x2 − (p + q)x + pq = x2 − (n − φ(n) + 1) + n = 0

The roots of the equations are

1

2(n − φ(n) + 1±

(n − φ(n) + 1)2 − 4n )

Example: For n = 143 and φ(n) = 120, we writep, q = (1/2)(143− 120+1±

(143 − 120 + 1)2 − 4 · 143) = 11, 13

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 42 / 44

Communication Security Cryptography

Knowing d ⇒ (Probabilistically) Factoring n

Given d , we can write

d · e = 1 + Kφ(n)

since they are inverses of one another mod φ(n)

Since d · e − 1 is a multiple of φ(n), for gcd(a, n) = 1 we can write

ade−1 = (aφ(n))K = 1 (mod n)

If there is a universal exponent b such that ab = 1 (mod n) for all awith gcd(a, n), then there is exists a probabilistic method for factoringn

This probabilistic factorization algorithm is based on the Miller-Rabinprimality test

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 43 / 44

Communication Security Cryptography

Breaking RSA?⇒ Factoring

Factoring n indeed breaks the RSA encryption algorithm

However, does “Breaking RSA” mean that we can factor n ?

There is no general proof for such a claim — a lack of progress

A related result: Breaking the low-exponent RSA is not as hard asfactoring integers

Strong evidence: An RSA breaker cannot be used for factoringintegers

(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 44 / 44