52 Things: Number 10: What is the difference between the RSA and strong-RSA problem?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This blog post introduces the RSA and Strong-RSA problems and highlights the differences between the two.
Cryptography relies heavily on the assumption that certain mathematical problems are hard to solve in a realistic amount of time. In public-key (asymmetric) cryptography, which is the focus of this blog post, we rely on the assumed existence of one-way functions, i.e. functions that are easy to compute in one direction but difficult to invert. We use problems from algorithmic number theory to produce these functions.
Factoring
The first difficult problem from number theory to talk about is factoring. Given a composite integer $N$, the factoring problem is to find positive integers $p, q$ such that $N = pq$. Although on the face of it this seems like a very simple problem, it is in fact a very tough, well-studied one. It can be solved in exponential time by checking all the numbers $p = 2, \ldots, \sqrt{N}$. However, solving a problem in exponential time is not fast enough. No polynomial-time algorithm has been developed to solve the factoring problem, despite many years of research. Clearly there are examples of $N$ for which this is very easy to solve, for example whenever $N$ is even. Therefore, when starting to think about using this in a cryptographic construction, we consider $N$ to be very large and constructed from two large primes $p, q$.
The RSA Problem
In RSA public-key encryption [1], Alice encrypts a plaintext $M$ using Bob's public key $(n, e)$ to the ciphertext $C$ by $C = M^e \pmod{n}$, where $n$ is the product of two large primes and $e \geq 3$ is an odd integer that is coprime to the order of $\mathbb{Z}_n^*$, the group of invertible elements of $\mathbb{Z}_n$. Bob knows the private key $(n, d)$, where $de = 1 \pmod{(p-1)(q-1)}$, meaning he can compute $M = C^d \pmod{n}$. An adversary can eavesdrop on $C$ and can know the public key $(n, e)$; however, to calculate $M$ the adversary must find the factors of $n$. This means the RSA problem is no harder than integer factorisation, but it is still a very hard problem to solve provided a suitable $n$ is chosen.
The Strong RSA Assumption
The strong RSA assumption differs from the RSA assumption in that the adversary can choose the (odd) public exponent $e \geq 3$. The adversary's task is to compute the plaintext $M$ from the ciphertext given that $C = M^e \pmod{n}$. This is at least as easy as the RSA problem, meaning that the strong RSA assumption is, unsurprisingly, a stronger assumption. The RSA problem is now over a quarter of a century old. Public-key encryption schemes have been developed that derive their strength fully from the RSA problem.
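
The "at least as easy" direction can be made concrete with a toy instance. The following is an added example, not code from the original post: it uses the trial division from the Factoring section as a stand-in RSA-problem solver and shows that any such solver also wins the strong-RSA game, because the adversary may try exponents until one works. The primes 1009 and 1013, the plaintext, and all function names are assumptions chosen for illustration.

```python
from math import isqrt

def trial_factor(n):
    """Trial division over p = 2..sqrt(n); feasible only because n is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")

def rsa_oracle(n, e, C):
    """Stand-in RSA-problem solver: e is fixed by the challenger.
    Factors the toy n, derives d with de = 1 mod (p-1)(q-1), returns C^d mod n."""
    p, q = trial_factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if e is not coprime to (p-1)(q-1)
    return pow(C, d, n)

def wins_strong_rsa(n, C, M, e):
    """Win condition as the post states it: an odd e >= 3 of the adversary's choosing."""
    return e >= 3 and e % 2 == 1 and pow(M, e, n) == C

def strong_rsa_adversary(n, C, oracle, max_e=101):
    """Reduction: a solver for the RSA problem yields a solver for strong RSA.
    The adversary is given only (n, C) and picks e itself."""
    for e in range(3, max_e + 1, 2):
        try:
            M = oracle(n, e, C)
        except ValueError:
            continue                    # this e is not a valid RSA exponent for n
        if wins_strong_rsa(n, C, M, e):  # the win condition is publicly checkable
            return M, e
    raise ValueError("no usable exponent up to max_e")

# Constructed toy instance (real moduli are thousands of bits long).
P, Q = 1009, 1013
N = P * Q
E = 17            # exponent fixed by the challenger in the plain RSA game
SECRET = 424242   # constructed plaintext
C = pow(SECRET, E, N)

if __name__ == "__main__":
    print("RSA problem, e fixed :", rsa_oracle(N, E, C))
    print("strong RSA, e chosen :", strong_rsa_adversary(N, C, rsa_oracle))
```

In the strong-RSA game the returned root generally differs from the original plaintext: the adversary only needs some pair $(M, e)$ with $M^e = C \pmod{n}$, which is why the assumption that this is hard is the stronger one.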