公钥密码学与RSA(PPT-38).pptVIP

* Before the application of the public-key cryptosystem, each participant must generate a pair of keys, which requires finding primes and computing inverses. Both the prime generation and the derivation of a suitable pair of inverse exponents may involve trying a number of alternatives. Typically make random guesses for a possible p or q, and check using a probabalistic primality test whether the guessed number is indeed prime. If not, try again. Note that the prime number theorem shows that the average number of guesses needed is not too large. Then compute decryption exponent d using Euclid’s Inverse Algorithm, which is quite efficient. * Note some possible possible approaches to attacking the RSA algorithm, as shown. The defense against the brute-force approach is the same for RSA as for other cryptosystems, namely, use a large key space. Thus the larger the number of bits in d, the better. However because the calculations involved both in key generation and in encryption/decryption are complex, the larger the size of the key, the slower the system will run. Will now review the other possible types of attacks. * We can identify three approaches to attacking RSA mathematically, as shown. Mathematicians currently believe all equivalent to factoring. See Stallings Table 9.4 for progress in factoring, where see slow improvements over the years, with the biggest improvements coming from improved algorithms. The best current algorithm is the “Lattice Sieve” (LS), which replaced the “Generalized Number Field Sieve” (GNFS), which replaced the “Quadratic Sieve”(QS). Have to assume computers will continue to get faster, and that better factoring algorithms may yet be found. Numbers of size 1024-2048 bits look reasonable at present, provided the factors meet other constraints. * Had a new category of attacks developed by Paul Kocher in mid-1990’s, based on observing how long it takes to compute the cryptographic operations. Timing attacks are applicable not just to RSA, b