cs2 comp think - university of california, santa barbara an encrypted text: vnnc vn jc ljsn jc oxda...
TRANSCRIPT
Communication Security Cryptography
Communication Security & Cryptography
cs2: Computational Thinking for Scientists
Cetin Kaya Kochttp://cs.ucsb.edu/~koc/cs2
The course was developed with input from:
Omer Egecioglu (Computer Science),Maribel Bueno Cachadina (Mathematics/CCS),Rolf Christoffersen (MCDB),Richard Church (Geography),Wendy Meiring (PSTAT),Todd Oakley (EEMB), andJoan Shea (Chemistry)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 1 / 44
Communication Security Cryptography
Secure Communication over an Insecure Channel
Sender Receiver
Adversary
M
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 2 / 44
Communication Security Cryptography
Secret-Key Cryptography
Sender Receiver
Adversary
C
C=EKe(M) M=DKd(C)
secure
channel Kd
Encryption and decryption functions: E (·) & D(·)Encryption and decryption keys: Ke & Kd
Plaintext and ciphertext: M & C
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 3 / 44
Communication Security Cryptography
Secret-Key Cryptography
C = EKe(M) and M = DKd
(C )
Either E (·) = D(·) and Ke 6= Kd
Kd is easily deduced from Ke
Ke is easily deduced from Kd
Or E (·) 6= D(·) and Ke = Kd
D(·) is easily deduced from E (·)E (·) is easily deduced from D(·)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 4 / 44
Communication Security Cryptography
First Example: Shift Cipher
Input/output: {a, b, . . . , z} with encoding {0, 1, . . . , 25}
a b c d e f g h i j k l m n o
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
p q r s t u v w x y z
15 16 17 18 19 20 21 22 23 24 25
Encryption function: Ek(x) = x + k (mod 26)Decryption function: Dk(y) = y − k (mod 26)
The encryption or decryption key: k ∈ {0, 1, 2, . . . , 25}
Key space size: 26 (or 25, if you do not count k = 0)
Caesar cipher: Shift cipher with a constant encryption key k = 3
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 5 / 44
Communication Security Cryptography
Shift Cipher
For k = 15, hello is encrypted as wtaad sinceE15(h) = E15(7) = 7 + 15 = 22 (mod 26) → w
E15(e) = E15(4) = 4 + 15 = 19 (mod 26) → t
E15(l) = E15(11) = 11 + 15 = 26 = 0 (mod 26) → a
E15(o) = E15(14) = 14 + 15 = 29 = 3 (mod 26) → d
For k = 12, eqqw is decrypted as seek sinceD12(e) = D12(4) = 4− 12 = −8 = 18 (mod 26) → s
D12(q) = D12(16) = 16− 12 = 4 (mod 26) → e
D12(w) = D12(22) = 22− 12 = 10 (mod 26) → k
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 6 / 44
Communication Security Cryptography
Cryptanalysis of Shift Cipher
Ciphertext only
Exhaustive key search: a paragraph of ciphertext(in order to avoid ambiguity)Frequency analysis: a paragraph of ciphertext(in order to get statistically reliable frequency count)
Known plaintext: a single plaintext/ciphertext pair
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 7 / 44
Communication Security Cryptography
Exhaustive Key Search
Given an encrypted text: vnnc vn jc ljsn jc oxda yv
Decrypt the text with all possible keys:k=1−→ ummb um ib kirm ib nwcz xuk=2−→ tlla tl ha jhql ha mvby wt
· · ·k=8−→ nffu nf bu dbkf bu gpvs qnk=9−→ meet me at caje at four pm
A short encrypted text may have several “meaningful” decryptions:
vnnck=9−→ meet
vnnck=25−→ wood
For a sufficiently long encrypted text, there will not be ambiguity
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 8 / 44
Communication Security Cryptography
Frequency Analysis
The most frequently occurring ciphertext is the encryption of themost frequently occurring plaintext
In English: that would be the letter e, followed up by letters t and a
Letter frequencies (percentages) in English
a b c d e f g h i j
8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2
k l m n o p q r s t
0.8 4.0 2.4 6.7 7.5 1.9 0.1 6.0 6.3 9.1
u v w x y z
2.8 1.0 2.3 0.1 2.0 0.1
Compute the ciphertext letter frequencies, and find the mostfrequently occurring the letter: this must be the ciptertext for theletter e
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 9 / 44
Communication Security Cryptography
Occurrences of Letter e
Frequency: 54435 ≈ 12.4%
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 10 / 44
Communication Security Cryptography
Occurrences of Letter a
Frequency: 23435 ≈ 5.3%
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 11 / 44
Communication Security Cryptography
Unusual Texts
The novel “Gadsby” by E. V. Wright is written asa lipogram∗; it has 50,000 words in it without asingle occurrence of the letter e
“A Void”, translated from the original French “LaDisparition” (The Disappearance), is a 300-pagelipogrammatic novel, written in 1969 by GeorgesPerec, entirely without using the letter e (exceptfor the author’s name)
However, the probability of occurrence for such texts is very low
∗ A lipogram (leipogrammatos: leaving out a letter) is a kind of constrained
writing or word game consisting of writing paragraphs in which a particular letter
or group of letters is avoided
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 12 / 44
Communication Security Cryptography
Frequency Analysis
Given the short ciphertext: tbxqebo fp dobxq ebob
Frequency analysis finds the most frequently occurring letter as b
The letter b (most probably) is the ciphertext for the letter e
Ek(e) = b
Ek(4) = 4 + k = 1 (mod 26)
k = 1− 4 = − 3 = 23 (mod 26)
Indeed, if we decrypt the encrypted text using the key k = 23, weobtain:tbxqebo fp dobxq ebob
k=23−→ weather is great here
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 13 / 44
Communication Security Cryptography
Known Plaintext Scenario
Given a (any) single plaintext/ciphertext pair (x , y), we have
Ek(x) = x + k = y (mod 26)
k = y − x (mod 26)
Consider the encrypted message:zrrg zr ng bhe frperg ybpngvba
and the plaintext/ciphertext pair: m → z
Ek(m) = z
Ek(12) = 12 + k = 25 (mod 26)
k = 25− 12 = 13 (mod 26)
We find the key as k = 13; indeed this key decrypts the messagek=13−→ meet me at our secret location
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 14 / 44
Communication Security Cryptography
Second Example: Hill Algebra
Encoding: {a, b, . . . , z} −→ {0, 1, . . . , 25}
Select a d × d matrix A of integers and find its inverse A−1 mod 26
For example, for d = 2
A =
[
3 32 5
]
and A−1 =
[
15 1720 9
]
Verify:
[
3 32 5
] [
15 1720 9
]
=
[
105 78130 79
]
=
[
1 00 1
]
(mod 26)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 15 / 44
Communication Security Cryptography
Hill Cipher
Encryption function: c = E (m) = Am (mod 26)
Decryption function: m = D(c) = A−1 c (mod 26)
m and c are d × 1 vectors of plaintext and ciphertext letter encodings
Encryption key Ke : A
Decryption key Kd : A−1 (mod 26)
A and A−1 are d × d matrices such that det(A) 6= 0 (mod 26) andA−1 is the inverse of A mod 26
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 16 / 44
Communication Security Cryptography
Hill Cipher Example
The plaintext: "help"
u1 =
[
"h"
"e"
]
=
[
74
]
; u2 =
[
"l"
"p"
]
=
[
1115
]
Encryption: v1 = A u1 and v2 = A u2
[
3 32 5
] [
74
]
=
[
3334
]
=
[
78
]
=
[
"h"
"i"
]
[
3 32 5
] [
1115
]
=
[
7897
]
=
[
019
]
=
[
"a"
"t"
]
The ciphertext: "hiat"
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 17 / 44
Communication Security Cryptography
Hill Cipher
To decrypt the ciphertext: "hiat", we need the vectors v1 and v2
Decryption: u1 = A−1 v1 and u2 = A
−1 v2
[
15 1720 9
] [
78
]
=
[
241212
]
=
[
74
]
=
[
"h"
"e"
]
[
15 1720 9
] [
019
]
=
[
323171
]
=
[
1115
]
=
[
"l"
"p"
]
The plaintext: "help"
The d -dimensional Hill cipher is poly-alphabetic on single letters,however, mono-alphabetic on words of length d
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 18 / 44
Communication Security Cryptography
Key Space Size for Hill Space
It was suggested by Overbey, Traves, and Wojdylo in Cryptologia,29(1), Jan 2005, that the number of d × d matrices invertible modulom is
∏
i
(
p(ni−1)d2
i
d−1∏
k=0
(pdi − pki )
)
such that m =∏
pnii
When m = 26 = 21 · 131, we simplify this as
d−1∏
k=0
(2d−2k)(13d−13k) = 26d2
(1−1/2) · · · (1−1/2d)(1−1/13) · · · (1−1/13d)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 19 / 44
Communication Security Cryptography
Key Space Size for Hill Cipher
We enumerate and find the number of keys for as follows:
d Number of Keys Power of 10
2 157,248 105.2
3 1,750,755,202,560 1012.2
4 13,621,827,326,505,327,820,800 1022.1
5 72,803,944,226,174,990,390,435,243,910,758,400 1034.9
Exhaustive key search is probably not feasible for 4-dimensional Hillciphers (requires significant resources), and definitely not feasible for5-dimensional (and beyond) Hill ciphers
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 20 / 44
Communication Security Cryptography
Frequency Analysis of the Hill Cipher
Frequency analysis is not applicable for single letters — a plaintextletter is encrypted to different ciphertext letter depending on whetherit is the first or second letter and what the other letter is
For example, for our example 2-dimensional Hill cipher, theencryption of x is as follows:"xy" → "lk" implies "x" → "l"
"xz" → "op" implies "x" → "o"
"zx" → "oj" implies "x" → "j"
However, digrams (2-letter words) are always encrypted to the sameciphertext bigrams for a 2-dimensional cipher"xyabcd" → "lkdfpt"
"abxycd" → "dflkpt"
"abcdxy" → "dfptlk"
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 21 / 44
Communication Security Cryptography
Digram Frequencies in English
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 22 / 44
Communication Security Cryptography
Frequency Analysis of the Hill Cipher
We can apply frequency attack to a d -dimensional Hill cipher if wehave “useful” (distinguishable) d -gram frequencies
As expected the digram "th" appears in English more often — somestudies have shown that the frequency of diagram "th" is about3.15%
Similarly the frequency of "the" is higher than most other trigrams,followed up by "and", "for" — however, these frequencies are toolow and too close to one another
As expected, as the word size increases the frequencies becomeindistinguishable from one another — we loose those useful frequencyvalues such as 12.7% for the single letter "e"
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 23 / 44
Communication Security Cryptography
Secret-Key versus Public-Key Cryptography
Secret-Key Cryptography:
Requires establishment of a secure channel for key exchangeTwo parties cannot start communication if they never metSecure communication of n parties requires n(n − 1)/2 keysKeys are “shared”, rather than “owned” (secret vs private)
Public-Key Cryptography:
No need for a secure channelMay require establishment of a public-key directoryTwo parties can start communication even if they never metSecure communication of n parties requires n keysKeys are “owned’, rather than “shared”Ability to “sign” digital data (secret vs private)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 24 / 44
Communication Security Cryptography
Diffie-Hellman Key Exchange Method
Martin Hellman (1945): American cryptologist and co-inventor ofpublic key cryptography in cooperation with Whitfield Diffie andRalph Merkle at Stanford
Bailey Whitfield Diffie (1944) is an American cryptographer andco-inventor of public key cryptography
Diffie and Hellman’s paper “New Directions in Cryptography” waspublished IEEE Tran. Information Theory in Nov 1976
It introduced a radically new method of distributing cryptographickeys, that went far toward solving one of the fundamental problems ofcryptography, key distribution
It has become known as Diffie-Hellman key exchange.
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 25 / 44
Communication Security Cryptography
Diffie-Hellman Key Exchange Method
A and B agree on a prime p and a primitive element g of Z∗
p
This is accomplished in public: p and g are known to the adversary
A selects a ∈ Z∗
p , computes s = ga (mod p), and sends s to B
B selects b ∈ Z∗
p , computes r = gb (mod p), and sends r to A
A computes K = ra (mod p)
B computes K = sb (mod p)
K = ra = (gb)a = gab (mod p)
K = sb = (ga)b = gab (mod p)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 26 / 44
Communication Security Cryptography
Diffie-Hellman Key Exchange Method
User A
a
ga
(gb
)a
K = gab
User B
b
gb
(ga
)b
K = gab
Adversary
p & g
ga
gb
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 27 / 44
Communication Security Cryptography
Discrete Logarithm Problem
The adversary knows the group: p and g
The adversary also sees (obtains copies of) s = ga and r = gb
The discrete logarithm problem (DLP):the computation of x ∈ Z∗
p in
y = gx (mod p)
given p, g , and y
Example: Given p = 23 and g = 5, find x such that
10 = 5x (mod 23)
Answer: x = 3
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 28 / 44
Communication Security Cryptography
Discrete Logarithm Problem
Given p = 158(2800 + 25) + 1 =
1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359
and g = 3, find x ∈ Z∗
p such that
2 = 3x (mod p)
Answer: ?
How difficult is it to find x?
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 29 / 44
Communication Security Cryptography
Diffie-Hellman Key Exchange Method
The Diffie-Hellman algorithm allows two parties to agree on a key thatis known only to them, except that the adversary can solve the DLP
Once the secret key (shared key) is established, the parties can use asecret-key cryptographic algorithm to encrypt and decrypt
However, we still have the problem of establishing n(n− 1)/2 keysbetween n parties, and other difficulties of the secret-keycryptography also remain
But, we no longer need a (secret-key type) secure channel — theDiffie-Hellman algorithm gave us a secure channel, whose securitydepends on computational difficulty of the DLP
The Diffie-Hellman algorithm is not a public-key encryption method
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 30 / 44
Communication Security Cryptography
Public-Key Cryptography
The functions C (·) and D(·) are inverses of one another
C = EKe(M) and M = DKd
(C )
Encryption and decryption processes are asymmetric:
Ke 6= Kd
Ke is public, known to everyone
Kd is private, known only to the user
Ke may be easily deduced from Kd
However, Kd is NOT easily deduced from Ke
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 31 / 44
Communication Security Cryptography
Public-Key Cryptography
User2 User0
Adversary
C2
C3=EKe(M3)
M1=DKd(C1)
User1
User3
PK Directory
User0 Ke
C1
C3
C1=EKe(M1)
C2=EKe(M2)
M2=DKd(C2)
M3=DKd(C3)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 32 / 44
Communication Security Cryptography
Public-Key Cryptography
The User publishes his/her own public key: Ke
Anyone can obtain the public key Ke and can encrypt a message M,and send the ciphertext to the User
C = EKe(M)
The private key is known only to the User: Kd
Only the User can decrypt the ciphertext to get the message
M = DKd(C )
The adversary may be able to block the ciphertext, but cannot decrypt
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 33 / 44
Communication Security Cryptography
Public-Key Cryptography
A public-key cryptographic algorithm is based on a function y = f (x)such thatGiven x , computing y is EASY: y = f (x)Given y , computing x is HARD: x = f −1(y)
x
easy
−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−
hard
y = f (x)
Such functions are called one-way
In order to decide what is hard: Theory of complexity could help
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 34 / 44
Communication Security Cryptography
Well-Known One-Way Functions
Discrete Logarithm:Given p, g , and x , computing y in y = gx (mod p) is EASYGiven p, g , y , computing x in y = gx (mod p) is HARD
Factoring:Given p and q, computing n in n = p · q is EASYGiven n, computing p or q in n = p · q is HARD
Discrete Square Root:Given x and y , computing y in y = x2 (mod n) is EASYGiven y and n, computing x in y = x2 (mod n) is HARD
Discrete eth Root:Given x , n and e, computing y in y = xe (mod n) is EASYGiven y , n and e, computing x in y = xe (mod n) is HARD
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 35 / 44
Communication Security Cryptography
One-Way Functions for PKC
However, a one-way function is difficult for anyone to invert
What we need: a function easy to invert for the legitimate receiver ofthe encrypted message, but for everyone else: hard
Such functions are called one-way trapdoor functions
In order to build a public-key encryption algorithm, we need aone-way trapdoor function
Once that is understood (in around 1975-1976), researchers lookedfor such special functions which are either based on the knownone-way functions or some other constructions
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 36 / 44
Communication Security Cryptography
Rivest-Shamir-Adleman Algorithm
Invented by three young faculty members at MIT: Ronald Rivest(CS), Adi Shamir (Math), and Leonard Adleman (Math) in theSummer and Fall of 1976:“Ron and Adi would come up with ideas, and Len would try to shootthem down. Len was consistently successful; late one night, though,Ron came up with an algorithm that Len couldnt crack.”
Following the ideas of building a public-key encryption method usingtrapdoor one-way functions of Merkle and Hellman
It is based on the one-way functions factoring and discrete eth root
The paper was published in 1977 (Comm. of ACM)
The method was patented by MIT in 1983, which ended in 2000
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 37 / 44
Communication Security Cryptography
Rivest-Shamir-Adleman Algorithm
The User generates two large, approximately same size randomprimes: p and q
The modulus n is the product of these two primes: n = pq
Euler’s totient function of n is given by φ(n) = (p − 1)(q − 1)
The User selects a number 1 < e < φ(n) such that
gcd(e, φ(n)) = 1
and computes d with
d = e−1 (mod φ(n))
using the extended Euclidean algorithm
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 38 / 44
Communication Security Cryptography
Rivest-Shamir-Adleman Algorithm
e is the public exponent and d is the private exponent
The public key: The modulus n and the public exponent e
The private key: The private exponent d , the primes p and q, andφ(n) = (p − 1)(q − 1)
Encryption and decryption are performed by computing
C = Me (mod n)
M = Cd (mod n)
where M,C are the plaintext and ciphertext such that
0 ≤ M,C < n
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 39 / 44
Communication Security Cryptography
Example RSA
The primes p = 11 and q = 13, the modulus n = 11 · 13 = 143
φ(n) = φ(143) = (p − 1)(q − 1) = 10 · 12 = 120
Find e such that gcd(e, φ(n)) = φ(e, 120) = 1
Since 120 = 23 · 3 · 5, we select e = 7
d = e−1 (mod φ(n)) which gives d = 7−1 (mod 120) as d = 103
Encryption C = Me (mod n) gives C = 87 (mod 143) as C = 57Decryption D = Cd (mod n) gives M = 57103 (mod 143) as M = 8
Encryption C = Me (mod n) gives C = 117 (mod 143) as C = 132Decryption D = Cd (mod n) gives M = 132103 (mod 143) asM = 11
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 40 / 44
Communication Security Cryptography
Security of RSA
The public key (e, n) is publishedThe private key parameters p, q, φ(n), d are kept by the user
Breaking RSA:one or several or all instances → Computing M, given C and (e, n)all instances → Computing d , given (e, n)
Taking discrete eth Root → Computing M
Compute eth Root of Me (mod n) and obtain M
Factoring n ⇒ Computing d
Factor n = pq, compute d = e−1 mod (p − 1)(q − 1)
Computing φ(n) ⇒ Computing d
Compute d = e−1 mod φ(n)
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 41 / 44
Communication Security Cryptography
Knowing φ(n) ⇒ Factoring n
We know n = pq, we can also write:
n− φ(n) + 1 = pq − (p − 1)(q − 1) + 1 = p + q
Thus we have pq and p + q, and we can write a quadratic equationwhose roots are p and q
x2 − (p + q)x + pq = x2 − (n − φ(n) + 1) + n = 0
The roots of the equations are
1
2(n − φ(n) + 1±
√
(n − φ(n) + 1)2 − 4n )
Example: For n = 143 and φ(n) = 120, we writep, q = (1/2)(143− 120+1±
√
(143 − 120 + 1)2 − 4 · 143) = 11, 13
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 42 / 44
Communication Security Cryptography
Knowing d ⇒ (Probabilistically) Factoring n
Given d , we can write
d · e = 1 + Kφ(n)
since they are inverses of one another mod φ(n)
Since d · e − 1 is a multiple of φ(n), for gcd(a, n) = 1 we can write
ade−1 = (aφ(n))K = 1 (mod n)
If there is a universal exponent b such that ab = 1 (mod n) for all awith gcd(a, n), then there is exists a probabilistic method for factoringn
This probabilistic factorization algorithm is based on the Miller-Rabinprimality test
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 43 / 44
Communication Security Cryptography
Breaking RSA?⇒ Factoring
Factoring n indeed breaks the RSA encryption algorithm
However, does “Breaking RSA” mean that we can factor n ?
There is no general proof for such a claim — a lack of progress
A related result: Breaking the low-exponent RSA is not as hard asfactoring integers
Strong evidence: An RSA breaker cannot be used for factoringintegers
(http://cs.ucsb.edu/~koc/cs2) cs2 comp think lecture13 - winter 2015 44 / 44