Simple DES DES Modes of operation Triple DES AES RSA Attacks Primality test factoring.

Transcription

1 UNIT II BLOCK CIPHER UNIT II Simple DES DES Modes of operation Triple DES AES RSA Attacks Primality test factoring. 2.1 SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES) The overall structure of the simplified DES. The S-DES encryption algorithm takes an 8- bit block of plaintext (example: ) and a 10-bit key as input and produces an 8-bit block of ciphertext as output. The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-bit key used to produce that ciphertext as input and produces the original 8-bit block of plaintext. The encryption algorithm involves five functions: An initial permutation (IP) a complex function labeled f k, which involves both permutation and substitution operations and depends on a key input a simple permutation function that switches (SW) the two halves of the data the function f k again a permutation function that is the inverse of the initial permutation

2 The function f k takes as input not only the data passing through the encryption algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit subkeys are generated. The key is first subjected to a permutation (P10). Then a shift operation is performed. The output of the shift operation then passes through a permutation function that produces an 8-bit output (P8) for the first subkey (K1). The output of the shift operation also feeds into another shift and another instance of P8 to produce the second subkey (K2). The encryption algorithm can be expressed as a composition composition1 of functions: IP -1 ο f K2 ο SW ο f k1 ο IP Which can also be written as Ciphertext = IP -1 (f K2 (SW (f k1 (IP (plaintext))))) Where K1 = P8 (Shift (P10 (Key))) K2 = P8 (Shift (shift (P10 (Key)))) Decryption can be shown as Plaintext = IP -1 (f K1 (SW (f k2 (IP (ciphertext))))) S-DES key generation Figure: key generation for S-DES

3 S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm. First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as: P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9, k8, k6) P10 can be concisely defined by the display: P This table is read from left to right; each position in the table gives the identity of the input bit that produces the output bit in that position. So the first output bit is bit 3 of the input; the second output bit is bit 5 of the input, and so on. For example, the key ( ) is permuted to ( ). Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits. In our example, the result is ( ). Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following rule: P The result is subkey 1 (K1). In our example, this yields ( ). We then go back to the pair of 5-bit strings produced by the two LS-1 functions and performs a circular left shift of 2 bit positions on each string. In our example, the value ( ) becomes ( ). Finally, P8 is applied again to produce K2. In our example, the result is ( ) S-DES encryption Encryption involves the sequential application of five functions. Initial and Final Permutations The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP function: IP This retains all 8 bits of the plaintext but mixes them up.

4 Consider the plaintext to be Permuted output = At the end of the algorithm, the inverse permutation is used: IP The Function f k The most complex component of S-DES is the function f k, which consists of a combination of permutation and substitution functions. The functions can be expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to f K, and let F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let f k (L, R) = ( L F( R, SK), R) Where SK is a subkey and is the bit-by-bit exclusive-or function. e.g., permuted output = and suppose F (1101, SK) = (1110) for some key SK. Then f K( ) = , 1101 = We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is an expansion/permutation operation: E/P e.g., R= 1101 E/P output = It is clearer to depict the result in this fashion: The 8-bit subkey K1 = (k11, k12 12, k13 13, k14 14, k15 15, k16 16, k17 17, k18) is added to this value using exclusive-or:

5 Let us rename these 8 bits: The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2- bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output. These two boxes are defined as follows: The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that specify a row of the S-box, and the second and third input bits specify a column of the S-box. The entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = ) (00) and ( p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in ) binary. Similarly, (p1,0 p1,3) and ( p1,1 p1,2) are used to index into a row and column of S1 to produce an additional 2 bits. Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows: P The output of P4 is the output of the function F The Switch Function The function f K only alters the leftmost 4 bits of the input. The switch function (SW) interchanges the left and right 4 bits so that the second instance of f K operates on a different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2. Finally apply inverse permutation to get the ciphertext.

6 2.2 BLOCK CIPHER PRINCIPLES Virtually, all symmetric block encryption algorithms in current use are based on a structure referred to as Fiestel block cipher. For that reason, it is important to examine the design principles of the Fiestel cipher. We begin with a comparison of stream cipher with block cipher. A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. E.g, vigenere cipher. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length. Typically a block size of 64 or 128 bits is used Block cipher principles most symmetric block ciphers are based on a Feistel Cipher Structure needed since must be able to decrypt ciphertext to recover messages efficiently block ciphers look like an extremely large substitution would need table of 264 entries for a 64-bit block instead create from smaller building blocks using idea of a product cipher in 1949 Claude Shannon introduced idea of substitution- permutation (S-P) networks called modern substitution-transposition product cipher these form the basis of modern block ciphers S-P networks are based on the two primitive cryptographic operations we have seen before: substitution (S-box) permutation (P-box) provide confusion and diffusion of message diffusion - dissipates statistical structure of plaintext over bulk of ciphertext confusion - makes relationship between ciphertext and key as complex as possible Feistel cipher structure The input to the encryption algorithm are a plaintext block of length 2w bits and a key K. the plaintext block is divided into two halves L 0 and R 0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has inputs L i-1 and R i-1, derived from the previous round, as well as the subkey K i, derived from the overall key K. in general, the subkeys K i are different from K and from each other.

7 All rounds have the same structure. A substitution is performed on the left half of the data (as similar to S-DES). This is done by applying a round function F to the right half of the data and then taking the XOR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey k i. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network. The exact realization of a Feistel network depends on the choice of the following parameters and design features: Block size - Increasing size improves security, but slows cipher Key size - Increasing size improves security, makes exhaustive key searching harder, but may slow cipher Number of rounds - Increasing number improves security, but slows cipher Subkey generation - Greater complexity can make analysis harder, but slows cipher Round function - Greater complexity can make analysis harder, but slows cipher Fast software en/decryption & ease of analysis - are more recent concerns for practical use and testing. The process of decryption is essentially the same as the encryption process. The rule is as follows: use the cipher text as input to the algorithm, but use the subkey k i in reverse order. i.e., k n in the first round, k n-1 in second round and so on. For clarity, we use the notation LE i and RE i for data traveling through the decryption algorithm. The diagram below indicates that, at each round, the intermediate value of the decryption process is same (equal) to the corresponding value of the encryption process with two halves of the value swapped. i.e., RE i LE i (or) equivalently RD 16-i LD 16-i After the last iteration of the encryption process, the two halves of the output are swapped, so that the cipher text is RE 16 LE 16. The output of that round is the cipher text. Now take the cipher text and use it as input to the same algorithm. The input to the first round is RE 16 LE 16, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process.

8 Fig : Feistel encryption and decryption

9 Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process. First consider the encryption process, decryption side, LE 16 = RE 15 RE 16 = LE 15 F (RE 15, K 16 ) On the LD 1 =RD 0 = LE 16 =RE 15 RD 1 = LD 0 F (RD 0, K 16 ) = RE 16 F (RE 15, K 16 ) = [LE 15 F (RE 15, K 16 )] F (RE 15, K 16) = LE 15 Therefore, LD 1 = RE 15 RD 1 = LE 15 In general, for the i th iteration of the encryption algorithm, LE i = RE i-1 RE i = LE i-1 F (RE i-1, K i ) Finally, the output of the last round of the decryption process is RE 0 LE 0. A 32-bit swap recovers the original plaintext. MULTIPLE ENCRYPTION & DES clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks AES is a new cipher alternative prior to this alternative was to use multiple encryption with DES implementations Triple-DES is the chosen form Double-DES could use 2 DES encrypts on each block C = E K2 (E K1 (P)) issue of reduction to single stage and have "meet-in-the-middle" attack works whenever use a cipher twice since X = E K1 (P) = D K2 (C) attack by encrypting P with all keys and store

10 then decrypt C with keys and match X value can show takes O(2 56 ) steps Triple-DES with Two-Keys hence must use 3 encryptions would seem to need 3 distinct keys but can use 2 keys with E-D-E sequence C = E K1 (D K2 (E K1 (P))) nb encrypt & decrypt equivalent in security if K1=K2 then can work with single DES standardized in ANSI X9.17 & ISO8732 no current known practical attacks Triple-DES with Three-Keys although are no practical attacks on two key Triple-DES have some indications can use Triple-DES with Three-Keys to avoid even these C = E K3 (D K2 (E K1 (P))) has been adopted by some Internet applications eg PGP, S/MIME 2.4 Modes of Operation block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks with 56-bit key need some way to en/decrypt arbitrary amounts of data in practise ANSI X Modes of Use (now FIPS 81) defines 4 possible modes subsequently 5 defined for AES & DES have block and stream modes Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks C i = DES K1 (P i ) uses: secure transmission of single values

11 Electronic Codebook Book (ECB) Advantages and Limitations of ECB message repetitions may show in ciphertext o o o if aligned with message block particularly with data such graphics or with messages that change very little, which become a code-book analysis problem weakness is due to the encrypted message blocks being independent main use is sending a few blocks of data Cipher Block Chaining (CBC) message is broken into blocks linked together in encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV uses: bulk data encryption, authentication

12 Cipher Block Chaining (CBC) Message Padding at end of message must handle a possible last short block o which is not as large as blocksize of cipher o pad either with known non-data value (eg nulls) o or pad last block along with count of pad size eg. [ b1 b2 b ] means have 3 data bytes, then 5 bytes pad+count this may require an extra entire block over those in message there are other, more esoteric modes, which avoid the need for an extra block Advantages and Limitations of CBC a ciphertext block depends on all blocks before it any change to a block affects all following ciphertext blocks need Initialization Vector (IV) o which must be known to sender & receiver o if sent in clear, attacker can change bits of first block, and change IV to compensate o hence IV must either be a fixed value (as in EFTPOS) o or must be sent encrypted in ECB mode before rest of Message

13 2.4.4 Cipher FeedBack (CFB) message is treated as a stream of bits added to the output of the block cipher result is feed back for next stage (hence name) standard allows any number of bit (1,8, 64 or 128 etc) to be feed back denoted CFB-1, CFB-8, CFB-64, CFB-128 etc most efficient to use all bits in block (64 or 128) C i = P i XOR DES K1 (C i-1 ) C -1 = IV uses: stream data encryption, authentication Cipher FeedBack (CFB)

14 Advantages and Limitations of CFB appropriate when data arrives in bits/bytes most common stream mode limitation is need to stall while do block encryption after every n-bits note that the block cipher is used in encryption mode at both ends errors propogate for several blocks after the error Output FeedBack (OFB) message is treated as a stream of bits output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance C i = P i XOR O i O i = DES K1 (O i-1 ) O -1 = IV uses: stream encryption on noisy channels Output FeedBack (OFB)

15 Advantages and Limitations of OFB bit errors do not propagate more vulnerable to message stream modification a variation of a Vernam cipher hence must never reuse the same sequence (key+iv) sender & receiver must remain in sync originally specified with m-bit feedback subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used Counter (CTR) a "new" mode, though proposed early on similar to OFB but encrypts counter value rather than any feedback value must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i Oi = DES K1 (i) uses: high-speed network encryptions

16 Advantages and Limitations of CTR efficiency o o o can do parallel encryptions in h/w or s/w can preprocess in advance of need good for bursty high speed links random access to encrypted data blocks modes) provable security (good as other but must ensure never reuse key/counter values, otherwise could break (cf OFB) Evaluation Criteria for AES The Origins of AES clear a replacement for DES was needed Key size is too small The variants are just patches can use Triple-DES but slow, has small blocks US NIST issued call for ciphers in candidates accepted in Jun 98 5 were shortlisted in Aug-99 AES Evaluation initial criteria: security effort for practical cryptanalysis cost in terms of computational efficiency algorithm & implementation characteristics final criteria: general security ease of software & hardware implementation implementation attacks restricted-space environments Attacks on implementations Encryption versus decryption Key agility Flexibility

17 Potential for instruction-level parallelism AES Cipher Rinjdael Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001 designed by Joan Daemen and Vincent Rijmen in Belgium has 128/192/256 bit keys, 128 bit data an iterative rather than Feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round Characteristics: resistant against known attacks speed and code compactness on many CPUs design simplicity

18 Shift Row Transformation a circular byte shift in each each 1 st row is unchanged 2 nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left Mix Columns each column is processed separately each byte is replaced by a value dependent on all 4 bytes in the column effectively a matrix multiplication in GF(2 8 ) using prime poly m(x) =x 8 +x 4 +x 3 +x+1

19 Add Round Key The 128 bits of state are bitwise XORed with the 128 bits of the round key. The operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key. 2.7 PRINCIPLES OF PUBLIC KEY CRYPTOGRAPHY The concept of public key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption. Key distribution under symmetric key encryption requires either (1) that two communicants already share a key, which someone has been distributed to them or (2) the use of a key distribution center. Digital signatures Public key cryptosystems Public key algorithms rely on one key for encryption and a different but related key for decryption. These algorithms have the following important characteristics: It is computationally infeasible to determine the decryption key given only the knowledge of the cryptographic algorithm and the encryption key. In addition, some algorithms, such as RSA, also exhibit the following characteristic: Either of the two related keys can be used for encryption, with the other used for decryption.

20 The essential steps are the following: Each user generates a pair of keys to be used for encryption and decryption of messages. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. If A wishes to send a confidential message to B, A encrypts the message using B s public key. When B receives the message, it decrypts using its private key. No other recipient can decrypt the message because only B knows B s private key. With this approach, all participants have access to public keys and private keys are generated locally by each participant and therefore, need not be distributed. As long as a system controls its private key, its incoming communication is secure. Let the plaintext be X=[X1, X2, X3,,Xm] where m is the number of letters in some finite alphabets. Suppose A wishes to send a message to B. B generates a pair of keys: a public key KU b and a private key KR b. KR b is known only to B, whereas KU b is publicly available and therefore accessible by A. With the message X and encryption key KU b as input, A forms the cipher text Y=[Y1, Y2, Y3, Yn]., i.e., Y=E KU b (X) The receiver can decrypt it using the private key KR b. i.e., X=D KR b (). The encrypted message serves as a digital signature. It is important to emphasize that the encryption process just described does not provide confidentiality. There is no protection of confidentiality because any observer can decrypt the message by using the sender s public key. It is however, possible to provide both the authentication and confidentiality by a double use of the public scheme.

21 Fig Public Key Cryptosystem Ciphertext Z = EKU b [EKR a (X)] Plaintext X = EKU a [EKR b (Y)] Initially, the message is encrypted using the sender s private key. This provides the digital signature. Next, we encrypt again, using the receiver s public key. The final ciphertext can be decrypted only by the intended receiver, who alone has the matching private key. Thus confidentiality is provided Requirements for public key cryptography It is computationally easy for a party B to generate a pair [KU b, KR b ]. It is computationally easy for a sender A, knowing the public key and the message to be encrypted M, to generate the corresponding ciphertext: C=EKU b (M). It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = DKR b (C) = DKR b [EKU b (M)] It is computationally infeasible for an opponent, knowing the public key KU b, to determine the private key KR b. It is computationally infeasible for an opponent, knowing the public key KU b, and a ciphertext C, to recover the original message M. The encryption and decryption functions can be applied in either order:

22 M = EKU b [DKR b (M) = DKU b [EKR b (M)] Public key cryptanalysis Public key encryption scheme is vulnerable to a brute force attack. The counter measure is to use large keys. 2.8 RSA Algorithm It was developed by Rivest, Shamir and Adleman. This algorithm makes use of an expression with exponentials. Plaintext is encrypted in blocks, with each block having a binary value less than some number n. That is, the block size must be less than or equal to log 2 (n); in practice, the block size is k-bits, where 2 k < n < 2 k+1. Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C: C = M e mod n M = C d mod n = (M e mod n) mod n = (M e ) d mod n = M ed mod n Both the sender and receiver know the value of n. the sender knows the value of e and only the receiver knows the value of d. thus, this is a public key encryption algorithm with a public key of KU = {e, n} and a private key of KR = {d, n}. For this algorithm to be satisfactory for public key encryption, the following requirements must be met: It is possible to find values of e, d, n such that M ed = M mod n for all M<n. It is relatively easy to calculate M e and C d for all values of M<n. It is infeasible to determine d given e and n. Let us focus on the first requirement. We need to find the relationship of the form: M ed = M mod n A corollary to Euler s theorem fits t0068e bill: Given two prime numbers p and q and two integers, n and m, such that n=pq and 0<m<n, and arbitrary integer k, the following relationship holds kф(n) +1 m = m k(p-1)(q-1) +1 = m mod n where Ф(n) - Euler totient function, which is the number of positive integers less than n and relatively prime to n. we can achieve the desired relationship, if ed=kф(n)+1

23 This is equivalent to saying: ed 1 mod Ф(n) d = e -1 mod Ф(n) That is, e and d are multiplicative inverses mod Ф(n). According to the rule of modular arithmetic, this is true only if d (and therefore e) is relatively prime to Ф(n). Equivalently, gcd(ф(n), d) = 1. The steps involved in RSA algorithm for generating the key are Select two prime numbers, p = 17 and q = 11. Calculate n = p*q = 17*11 = 187 Calculate Ф(n) = (p-1)(q-1) = 16*10 = 160. Select e such that e is relatively prime to Ф(n) = 160 and less than Ф(n); we choose e = 7. Determine d such that ed 1 mod Ф(n) and d<160. the correct value is d = 23, because 23*7 = 161 = 1 mod The RSA algorithm: Key Generation Select p, q Calculate n = p x q Calculate (n) = (p -l)(q - 1) p,q both prime p q Select integer e gcd( (n), e) = 1; 1< e< (n) Calculate d d= e -1mod (n) Public key Private key KU = { e,n} KR = {d,n}

24 Encryption Plaintext M<n Ciphertext C = M e (mod n) Decryption Ciphertext C Plaintext M = C d (mod n) Encryption Decryption Plain Text Cipher text KU = 7,187 KR = 23, 187 Figure : Example of RSA Algorithm Security of RSA There are three approaches to attack the RSA: brute force key search (infeasible given size of numbers) mathematical attacks (based on difficulty of computing ø(n), by factoring modulus N) timing attacks (on running time of decryption) Factoring Problem Mathematical approach takes 3 forms: Factor n = p*q, hence find Ф(n) and then d. Determine Ф(n)directly without determining p and q and find d. Find d directly, without first determination Ф(n). Timing attacks It has been proved that the opponent can determine a private key by keeping track of how long a computer takes to decipher messages. Although the timing attack is a serious threat, there are simple countermeasures that can be used:

25 Constant exponentiation time - ensures that all exponentiations take the same amount of time before returning a result. Random delay - better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack. Blinding - multiply the ciphertext by a random number before performing exponentiation. Security of Hash functions and MACs Brute Force attacks Hash the security depends solely on the length of the hash code. for a code of length n the effort needed is proportional to the following depending on the properties required for the hash-function: Strong collision resistance 2 n/2 Weak collision resistance 2 n One way 2 n Brute Force attacks MAC requires known message-mac pairs computational resistance: Given text-mac pairs (x i, CK(x i )), it is computationallyu infeasible to compute any text-mac pair (x, C K (x)) for any new input x,x i Either the key-space or the MAC value can be attacked. By finding the secret key, attacker can produce a valid MAC for any message. The effort needed to find the key is 2 k. In attacking the MAC the goal is to generate a valit MAC for a specific message, or to find a message that matches a ginven MAC. The effort is comparable to Weak-collision resistant property of a hash-code, i.e. 2 n. Cryptanalytic attacks these attacks seek to exploit some property of the algorithm to perform an attack other than exhaustive search. Cryptanalytic attacks hash any hash-function based on CBC is vulnerable the resistance of the code against birthday attack is proportional to the block length of the used block-cipher (e.g. 64 bits in DES). Cryptanalytic attacks MAC little work has been done to develope these attacks resistance greater than the corresponding hash 2.9 PRIMALITY TESTING For many cryptographic functions it is necessary to select one or more very large prime numbers at random. Thus we are faced with the task of determining whether a given large number is prime. There is no simple yet efficient means of accomplishing this task.

26 Traditionally sieve for primes using trial division of all possible prime factors of some number, but this only works for small numbers. a generalisation of Fermat's Theorem a ø(n) = 1 (mod n) for any a,n where gcd(a,n)=1 eg. a=3;n=10; ø(10)=4; hence 3 4 = 81 = 1 mod 10 a=2;n=11; ø(11)=10; hence 2 10 = 1024 = 1 mod 11 also have: a ø(n)+1 = a (mod n) Alternatively can use repeated statistical primality tests based on properties of primes, and then for certainty, use a slower deterministic primality test, such as the AKS test Miller Rabin Algorithm The algorithm shown is due to Miller and Rabin is typically used to test a large number for primality. which relies on some properties of primes that result from Fermat s theorem. a test based on prime properties that result from Fermat s Theorem algorithm is: TEST (n) is: 1. Find integers k, q, k > 0, q odd, so that (n 1)=2 k q 2. Select a random integer a, 1<a<n 1 3. if a q mod n = 1 then return ( inconclusive"); 4. for j = 0 to k 1 do 5. if (a 2jq mod n = n-1) then return( inconclusive") 6. return ( composite") We use the Miller-Rabin algorithm to determine with a high degree of confidence whether or not an integer is prime? If Miller-Rabin returns composite the number is definitely not prime, otherwise it is either a prime or a pseudo-prime. The chance it detects a pseudoprime is < 1 / 4 So if apply test repeatedly with different values of a, the probabiility that the number is a pseudo-prime can be made as small as desired, eg after 10 tests have chance of error < If need certainty, then would now expend effort to run a deterministic primality proof such as AKS. Prior to 2002, there was no known method of efficiently proving the primality of very large numbers. All of the algorithms in use, including the most popular (Miller-Rabin), produced a probabilistic result. In 2002, Agrawal, Kayal, and Saxena [AGRA02] developed a relatively simple deterministic algorithm that efficiently determines whether a given large number is a prime. The algorithm, known as the AKS algorithm, does not appear to be as efficient as the Miller-Rabin algorithm. Thus far, it has not supplanted this older, probabilistic technique.

27 if Miller-Rabin returns composite the number is definitely not prime otherwise is a prime or a pseudo-prime chance it detects a pseudo-prime is < 1 / 4 hence if repeat test with different random a then chance n is prime after t tests is: Pr(n prime after t tests) = 1-4 -t eg. for t=10 this probability is > could then use the deterministic AKS test Prime Distribution prime number theorem states that primes occur roughly every (ln n) integers but can immediately ignore evens so in practice need only test 0.5 ln(n) numbers of size n to locate a prime note this is only the average sometimes primes are close together other times are quite far apart 2.10 Factoring Problem We can identify three approaches to attacking RSA mathematically, as shown. Mathematicians currently believe all equivalent to factoring. See Stallings Table 9.4 (next slide) for progress in factoring, where see slow improvements over the years, with the biggest improvements coming from improved algorithms. The best current algorithm is the Lattice Sieve (LS), which replaced the Generalized Number Field Sieve (GNFS), which replaced the Quadratic Sieve (QS). Have to assume computers will continue to get faster, and that better factoring algorithms may yet be found. Thus, we need to be careful in choosing a key size for RSA. For the near future, a key size in the range of 1024 to 2048 bits seems reasonable. In addition to specifying the size of n, a number of other constraints have been suggested by researchers. To avoid values of n that may be factored more easily, the algorithm's inventors suggest the following constraints on p and q: 1. p and q should differ in length by only a few digits. Thus, for a 1024-bit key (309 decimal digits), both p and q should be on order of to Both (p 1) and (q 1) should contain a large prime factor 3. gcd(p 1, q 1) should be small. mathematical approach takes 3 forms: factor n=p.q, hence compute ø(n) and then d determine ø(n) directly and compute d find d directly currently believe all equivalent to factoring have seen slow improvements over the years as of May-05 best is 200 decimal digits (663) bit with LS biggest improvement comes from improved algorithm cf QS to GHFS to LS currently assume bit RSA is secure ensure p, q of similar size and matching other constraints

28 2.10.1Progress in Factoring Table.5 shows the progress in factoring to date. The level of effort is measured in MIPSyears: a million-instructions-per-second processor running for one year, which is about 3 x instructions executed. A 1 GHz Pentium is about a 250-MIPS machine. The threat to larger key sizes is twofold: the continuing increase in computing power, and the continuing refinement of factoring algorithms. We have seen that the move to a different algorithm resulted in a tremendous speedup. We can expect further refinements in the GNFS, and the use of an even better algorithm is also a possibility. In fact, a related algorithm, the special number field sieve (SNFS), can factor numbers with a specialized form considerably faster than the generalized number field sieve. Stallings Figure 9.9 compares the performance of the two algorithms. It is reasonable to expect a breakthrough that would enable a general factoring performance in about the same time as SNFS, or even better.