Cryptographic techniques

The public key cryptosystem published by Diffie and Hellman in 1976 is still of great interest today. Of the public key systems that have been proposed the RSA scheme of Rivest, Shamir and Adelman is of most current interest. We shall briefly describe this system (more can be found in references 2 and 7) and then describe a method to obtain suitable primes for use in the scheme. Disciplines Physical Sciences and Mathematics Publication Details Seberry, J, Cryptographic techniques, Security Data Communication Workshop, Digest of Papers, IEEE, Melbourne, September, 1989. This conference paper is available at Research Online: http://ro.uow.edu.au/infopapers/1043 Cryptographic Techniques Jennifer Seberry Department of Computer Science University'College University of New South Wales Centre for Communications Security Research Australian Defence Fnrce Academy Canberra, ACT, 2600 AUSTRAUA The public key cryptosystem published by Diffie and Hellman in 1976 is still of great interest today. Of the public key systems that have been proposed the RSA scheme of Rivest, Shamir and Adelman is of most current interest. We shall briefly describe this system (more can be found in references 2 and 7) and then describe a method to obtain suitable primes for use in the scheme. The RSA Scheme To implement this scheme a person (traditionally Bob) makes himself a set of three large numbers: m, E andD, (the modulus, public key and secret key respectively) with the following properties ify =x E (modm) then X= yD (modm) for all numbers x in the range (0, m ~ 1). The numbers E and m are published, and someone else (traditionally Alice) who wishes to send a secret message x (regarded for the purposes of encryption as a large integer) to Bob, calculates y from x and sends to Bob the cryptogram y. Since Bob knows D he can recover the message. Anyone else wishing to eavesdrop must find D • or else discover x some other way. Both of these recourses appear to be computationally infeasible for suitable choices of parameters. Bob makes m ,E and D as follows. He chooses two very large primes p and q with p and q of roughly equal size (of say 500-600 bits each). This choice ofp and q is what will concern us here. Bob chooses E at random, relatively prime to gcd(p 1. q 1), and then finds D by solving ED = 1 (mod(p -1)(q -1)) which he can do easily and quickly using Euclid's algorithm (see reference 7). Finally he fonns m by choosing m = pq. A potential eavesdropper must, it seems, first findD. which appears to require the determination of p and q ,which in turn seems to imply that he must be able to factorize m. To factorize m = pq where p and q are very large primes of say 500-600 bits each is one of the hardest known common problems (see references 2 and 3). Strong primes give more cryptographic security The advanced techniques a cryptanalyst might use (see references 2, 3 and 6) break down when p (and similarly q) is not only prime but has the property that p I has a large prime factor, say r , and p + 1 has a large prime factor, say s (see reference 6). The cryptanalyst's task is made even more difficult if r 1 should have a large prime factor, say t, as well. For logistical reasons it is also necessary to be able choose p in some sense at random but with a given number of bits. Thus there is considerable urgency to solve the problem of rmding primes with these desirable properties. However very little has been published on the way to do so. The method we describe is due to John Gordon (reference 5). It fmds the large prime factors r, s and t separately and incorporates them in the construction. The extra conditions imposed on p and q add only 19% to the task of finding p and q . A prime p will be called a strong prime if it satisfies the following seven conditions: (i) P is large (li) p is prime (iii) P is chosen at random in response to a seed (iv) p has a given number of bits (v) p I has a large prime factor, say r (vi) p + 1 has a large prime factor, say s (vii) r 1 has a large prime factor, say t. Since we wish p, rand s all to be large we are only interested in odd primes p whose properties are p =2jr +1 (or p = I (mod2r)) p =2ks -1 (or p =(s -1 )(mod2s)) r=2Lt+1 (or pr=1 (mod2t)) for some j, k and L where r, s and t are primes. Gordon's technique Gordon proposes the following steps: (i) choose random seeds a and b (ii) from a and b generate random primes s and t (iii) from t construct r (iv) from r and s construct p . Find r and s,' Finding random primes r and s which are of a specified number of bits (n ) and greater than a given seed is relatively straightforward. Starting with a random seed a , we fmd the first prime s (or t ) greater than a. The time to rmd s (or t ) in this way using Knuth's Algorithm P (see reference 3), is dominated by the time to perform modular exponentiations which take, on average, approximately Texp In) = eTn 3 Iw seconds where c is a constant of size about 8, T is the time (in seconds) for one instruction and w is the word size in bits. If we quickly eliminate by trial division all multiples of primes less than, say, 256 it is necessary to examine only about 0.07n numbers on average before fmding a prime (see reference 5), and so the time needed to find s (or t ) (ignoring the time for quick eliminations) is about 0.07n times cTn 3 /w • i.e. about Tprime (n) = evTn 4 Iw when we have found s (or t ) it is unlikely to have more bits than the seed a. We can virtually ensure this by picking our value of a in the range (2n-1• 2n-l +2n-2 1). This ensures a starts with the two binary digits 10 which leaves a run of 2n-2 integers in which to find a prime before increasing the number of bits. Find r: We now wish to find a prime of the form 2Lt +1. We search through (2Lt + I)-space for successive values of L. We are likely to exhaust about nLn(2)/2 = 0.35n sucessive values of L before finding r (see reference 5). Every time L doubles another bit is added to 2Lt + 1. A naive search will almost certainly result in a prime of too many bits. A more sophisticated approach is to choose 21 to be, say, dIn) = log 2 (n ) bits shorter than the desired length of r (see below). then starting with unity. to add in successive multiples of 2t until the desired length of r is achieved and then to begin checking primality at each subsequent addition of 2t. In this way, L is unlikely to double during the search for primes. This certainty of success can be increased by using a larger d(n). Find p: We now wish, given primes r and s • to find a prime p , close in size to a given number of bits, and satisfying p =2jr +1 =2ks -I for some j and k or p =1(mod2r) =(2s -1)(mod2s) The key to fmding primes with these properties is the following theorem. Theorem: If r and s are odd primes, then p satisfies p = I (mod 2r ) = (s -1)(mod 2s) if and only if p is of the form p = PO +2krs