Linear Algebra Review

advertisement
1
Chapter 8: RSA Ciphers
So far, we have primarily examined historical ciphers. In each of these ciphers, the
originator and receiver of an encrypted message had to agree on a common key, be it a
numerical parameter, keyword, etc. The logistics involved in the originator and receiver
agreeing on a common key can be cumbersome.
In this chapter, we introduce an idea that was revolutionary when it was developed in the
1970’s. In particular, we describe the idea of where the receiver can make part of the key
public knowledge without any pre-agreement with the message sender. The algorithms in
this chapter are part of several that we describe in upcoming chapters that are used to
transfer information securely in today’s computer age.
8.1 Introduction to Public-Key Ciphers
When we access the security of a cipher, normally we examine the difficulty (or lack
thereof) of the ability of the intruder to discover the cipher’s key. Normally, we assume
factors like the alphabet assignment and the algorithm being used to be public
knowledge. However, the encryption keys for a cipher must be kept secret in order to
prevent an outsider from acting as the intended recipient of a message, determining the
corresponding decryption keys, and decrypting the message.
However, this fact changed in 1976 with the discovery by Whitfield Diffie and Martin
Hellman.
Whitfield Diffie
Martin Hellman
Diffie and Hellman first explained to the world in their 1976 paper, the encryption keys
for a cipher need not always be kept secret. Such ciphers in which the encryption keys
need not be kept secret are called public-key ciphers, since the encryption keys can be
known publicly without ruining their security. The (tremendous) benefit to this is that a
public-key cipher can be used by two parties who have no way to secretly agree upon
encryption keys.
2
While Diffie and Hellman described the idea of public-key ciphers in their 1976 paper,
they did not actually provide a specific type of publickey cipher. The first specific type of
public-key cipher was revealed to the world two years later by Ron Rivest, Adi Shamir,
and Len Adleman, a trio of researchers at MIT.
Ron Rivest
Adi Shamir
Len Adelman
The purpose of this chapter is to describe the RSA algorithm, the background needed for
its implementation, and its implementation.
8.2 Introduction to RSA Ciphers
RSA ciphers use modular arithmetic with the mathematical operation of raising to
powers, or exponentiation. RSA ciphers also use prime numbers. A positive integer p > 1
is said to be prime if the only positive integers that divide p evenly are 1 and p. For
reference, the prime numbers less than 100 are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37,
41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, and 97.
The following describes the setup of how encipherment and decipherment works for the
RSA Cryptosystem.
3
RSA Cryptosystem Setup
1. The intended recipient of the message chooses two primes p and q and computes the
quantities
m  pq
and
f  ( p  1)( q  1) .
Next, the recipient chooses a positive integer e (we refer to as the enciphering
exponent) where the gcd( e, f )  1 . The recipient then sends (or makes public) the
values of e and m to the originator of the message over the insecure communication
line.
2. Using an alphabet assignment to convert from English letters to numbers, we express
the plaintext as integers x less than m. Assuming that x  m , the originator of the
uses the enciphering exponent e and m to encipher the message by computing
y  x e mod m .
The originator then sends the resulting ciphertext integer(s) y to the intended recipient
over the insecure line of communication.
3. To decipher the message, the recipient calculates an integer d (we refer to as the
deciphering exponent) where
(e  d ) mod f  1 .
Note that d is the multiplicative inverse of e mod f , that is d  e 1 mod f .
Then for each ciphertext integer y, the recipient uses the deciphering exponent d and
m to reverse the process of step 2 by computing
x  y d mod m .
The alphabet assignment is used to recover the message.
4
Important Facts Concerning the RSA Cryptosystem
1. A common place that causes confusion when first learning the RSA is when to use m
and f computed in step 1. The integer m  pq is the modulus used in enciphering and
deciphering messages (to compute y  x e mod m in step 2 and x  y d mod m in
step 3). The integer f = (p -1)(q – 1) is only needed in step 3 and is the modulus
needed to find the multiplicative inverse of e mod f , that is d  e 1 mod f .
2. The reason that the encryption exponent e must be chosen so that gcd(e, f) = 1 is
because this guarantees the existence of a corresponding decryption exponent. Since
gcd(e, f) = 1, the multiplicative inverse e 1 mod f will exist, and this multiplicative
inverse d is the corresponding decryption exponent.
3. In practice, the recipient makes the modulus m and enciphering exponent e public
(everyone knows). The recipient keeps the primes p and q, f, and d secret.
4. When the ciphertext message is formed, the numerical results obtained are not
guaranteed to have a corresponding alphabet assignment letters for expressing the
ciphertext in terms of letters. The ciphertext is normally left in numerical form.
Example 1: Using the primes p = 3 and q = 11 with enciphering exponent e = 7 and
alphabet assignment A = 0, B = 1, C = 2, …, Z = 25, to create a RSA scheme to
encipher the message USA.
Solution:
5
6
Some Suggested Textbook Exercises for Practice for Section 8.2
p. 281: # 1-4
8.3 The Euclidean Algorithm
For an affine cipher with encryption calculation y = (ax + b) mod 26 that we studied in
Chapter 5, the multiplicative key a must be chosen so that gcd(a, 26) = 1. This is to
guarantee that the multiplicative inverse a 1 mod 26 will exist. For an affine cipher,
verifying that gcd(a, 26) = 1 was done by inspection and we will able to display all of the
positive integers less than 26 that have multiplicative inverses in a table because the
modulus 26 is so small. For an RSA cipher with primes p and q and f = (p−1)·(q−1), the
encryption exponent e must be chosen so that gcd(e, f) = 1, and e 1 mod f must be
determined. Since the modulus in an RSA cipher is typically much larger than 26, it is
often impractical to verify that gcd(e, f) = 1 and find e 1 mod f by trial and error.
However, an old, well known, and very efficient algorithm can be used to calculate the
greatest common divisor of two numbers and find multiplicative inverses, which we
examine in this section.
The algorithm we use is known as the Euclidean Algorithm, which we state next.
The Euclidean Algorithm
The Euclidean Algorithm makes repeated use of the division algorithm to find the greatest
common divisor of two numbers. Suppoe we are given two integers a and b where a  b .
If b divides a evenly, then gcd( a, b)  b . If not, we compute the following:
a  q1b  r1
b  q2 r1  r2
r1  q3r2  r3
r2  q4 r3  r4

rn 3  qn 1rn  2  rn 1
rn  2  qn rn 1  rn  gcd( a, b)
rn 1  qn 1rn  0
The last nonzero remainder, rn , is the greatest common divisor of a and b, that is,
gcd( a, b)  rn .
7
Example 2: Find the gcd(2299, 627).
Solution:
█
Example 3: Find the gcd(160, 17).
Solution:
█
8
Example 4: Find the gcd(52598, 2541).
Solution:
█
Theorem: For any pair of positive integers a and b, integers s and t exist such that
gcd(a, b) = sa + tb
9
Example 5: Find s and t where sa + tb = gcd(a, b), where a = 2299 and b = 627.
Solution:
█
10
Example 6: Find s and t where sa + tb = gcd(a, b), where a = 52598 and b = 2541.
Solution:
█
11
Why are we interested in solving for the remainders and producing s and t after using the
Euclidean Algorithm? For an RSA cipher with primes p and q and f = (p−1)·(q−1), the
encryption exponent e must be chosen so that gcd(e, f) = 1, and e 1 mod f must be
determined.
If gcd(e, f) = 1, then our previous theorem states that integers s and t will exist such that
sf  te  1  gcd( e, f )
Solving this equation for te gives
te  1  sf
Reducing this equation modulo f gives
te  (1  sf ) mod f
 (1  0) mod f
 1 mod f
Thus, assuming gcd(e, f) = 1, which we could verify using the initial part of the
Euclidean algorithm, to determine e 1 mod f , we can solve for the remainders
to find integers s and t such that sf  te  1  gcd( e, f ) . The value of t mod f will be
e 1 mod f (note if t  0 , taking t mod f will convert the result to an easier to use
positive result for the inverse)
Process for Finding Multiplicative Inverse
1. Use the Euclidean Algorithm to find gcd( e, f ). If gcd( e, f )  1 , the inverse will exist
and you can proceed to step 2. If gcd( e, f )  1 , the inverse will not exist and there is
nothing else to do.
2. If gcd( e, f )  1 , then solve for the reminders and find integers s and t such that
sf  te  1  gcd( e, f ) .
3. If t  0 , the resulting value of t will be the multiplicative inverse e 1 mod f . If
t  0 , take t mod f and use the resulting positive value for the multiplicative inverse.
e 1 mod f .
12
Example 7: Compute 131 mod 81.
Solution:
█
13
Example 8: Compute 171 mod 160 .
Solution:
█
14
Example 9: Compute 12 1 mod 40 .
Solution:
█
Some Suggested Textbook Exercises for Practice for Section 8.3
p. 286: # 1-3
8.4 Maplets for the Euclidean Algorithm
Some Suggested Textbook Exercises for Practice for Section 8.4
p. 290: # 1-2
15
8.5 Modular Exponentiation
When we introduced the RSA algorithm in Section 8.1, we saw that encryption
decryption was dependent on exponentiation. When the base and exponent are small, we
can do the exponentiation and then apply the modulus.
25 mod 32  32 mod 25  7
However, when the bases and/or exponents become larger, problems can occur. For
example, consider 19 47 mod 73 . Since 1947  1.3  1060 , computing the result directly
will cause roundoff (even one-digit of roundoff will lead to inaccurate results) or will
cause many calculators to overflow due to the large numbers required in the calculation.
Fortunately, however a method known as binary exponentiation or successive squaring
can be used to do modular exponentiation efficient. The method involves writing the
exponent as a sum powers of two less than or equal to it, from largest to smallest. The
base raised to these powers of two is then computed, where the next result is computed
by squaring the result of the previous answer. We illustrate the technique in the following
examples.
16
Example 10: Compute 19 47 mod 73 .
█
17
Example 11: Compute 77114683 mod 1010189
Solution: We first note that the exponent k  683 . We first determine the powers of 2
that are less than this exponent. Starting with 20 , we see that
20  1 , 21  2 , 22  4 , 23  8 , 24  16 , 25  32 , 26  64 , 2 7  128 , 28  256 , 2 9  512
We can stop at 210  1024 since 210  1024  683 . We now decompose the exponent k
into powers of 2.
683  512  171  512  128  43  512  128  32  11  512  128  32  8  3  512  128  32  8  2  1 .
We next write
77114 683 mod 1010189  77114 51212832821 mod 1010189  (77114 512  77114 128  77114 32  77114 8  77114 2  77114 1 ) mod 1010189
We next compute the needed powers of 77114 needed with respect to the modulus
1010189. The ones that we will need are indicated by . Note that arrows are used to
indicate the substitutions from the previous step.
771141 mod 1010189  77114 .
77114 2 mod 1010189  596542 .
771144 mod 1010189  (771142 ) 2 mod 1010189  (596542) 2 mod 1010189  48167 .
771148 mod 1010189  (771144 ) 2 mod 1010189  (48167) 2 mod 1010189  665945 .
7711416 mod 1010189  (771148 ) 2 mod 1010189  (665945) 2 (mod 1010189)  680324 .
7711432 mod 1010189  (7711416 ) 2 mod 1010189  (680324) 2 mod 1010189  430468 .
7711464 mod 1010189  (7711432 ) 2 mod 1010189  (430468) 2 (mod 1010189)  700187 .
77114128 mod 1010189  (7711464 ) 2 mod 1010189  (700187) 2 mod 1010189  950245 .
77114256 (mod 1010189)  (77114128 ) 2 (mod 1010189)  (950245) 2 (mod 1010189)  40863 .
77114512 mod 1010189  (77114512 ) 2 mod 1010189  (40863) 2 mod 1010189  952541 .
continued on next page
18
Hence,
77114 683 mod 1010189  77114 51212832821 mod 1010189
 (77114 512  77114 128  77114 32  77114 16  77114 2  77114 1 ) mod 1010189
 (952541  950245  430468  665945  596542  77114 ) mod 1010189
 (805332  618596  763295) mod 1010189
 (448522  763295) mod 1010189
 537701
Substituti ng from
(952541  950245) mod 1010189  805332
Note : (430468  665945) mod 1010189  618596
(596542  77114 ) mod 1010189  763295
Note : (805332  618596) mod 1010189  448522
Note : (448522  763295) mod 1010189  537701
Hence, 77114 563 mod 1010189  537701
█
Note: In Example 7, to compute 77114683 mod 1010189 by ordinary exponentiation, 682
multiplications are required. Using successive squares requires only 13 multiplications.
Some Suggested Textbook Exercises for Practice for Section 8.5
p. 295: # 1
8.6 Maplets for the Euclidean Algorithm
Some Suggested Textbook Exercises for Practice for Section 8.6
p. 297: # 1
' s above
19
8.7 ASCII
Recall that primarily we have used the correspondences A = 0, B = 1, C = 2, …, Z =
25, to convert characters to numbers. The RSA cryptosystem in practice is executed on
computers. The most common way for text to be stored on computers is through the
American Standard Code for Information Interchange, or ASCII for short. The ASCII
table for the computer keyboard characters is given as follows.
ASCII table for keyword characters
This table provides a much flexible alphabet, since it allows us to include not only capital
letters, but lower case letters, punctuation, the space characters, and numerical digits in
our messages as well. For example, the ASCII table to convert the characters of the
message THE RSA WAS INVENTED IN 1978 to numerical form, which is
displayed in the following table.
T H E
R S A
W A S
I
N V E N T E D
84 72 69 32 82 83 65 32 87 65 83 32 73 78 86 69 78 84 69 68 32
I
N V E N T E D
I N
1 9 7 8
.
73 78 86 69 78 84 69 68 32 73 78 32 49 57 55 56 46
For the rest of this book and all of the remaining sections, we will continue to use the ASCII
correspondences for our alphabet assignments.
20
8.8 RSA Ciphers
In this section, we extend the results of Section 8.2 and look at how more realistic
encryptions can be done with the RSA cryptosystem. Previously, in Example 1 in this
section we used small parameters to encrypt message characters one character at a time.
However, doing the encryption in this manner produces just a simple substitution cipher,
which can be broken by frequency analysis. However, this problem can be eliminated by
grouping our message into larger blocks. As long as the numerical plaintext numbers
representing the blocks are less than the modulus m, encryption and decryption can be
done properly.
Why is it necessary for the numerical plaintext to be less than m. To demonstrate why,
consider the parameters in Example 1 of m = 33 and f = 20 (produced using the primes p =
3 and q = 11). Using the encryption exponent e = 7 and decryption exponent d = 3, suppose
attempt to encipher the message RU as one block number and then attempt to recover the
message. Using the ASCII table to convert characters to numbers, we convert RU to the
block number 8285. Note that x = 8285 > 33 = m. To encrypt this message, we use e = 7
and compute
x e mod m  82857 mod 33  29  y .
To recover the message, we use the deciphering exponent d = 3 and compute
y d mod m  293 mod 33  2  8285 .
Hence, the message is completely lost. Of course, this stemmed from the fact that in
modulo m arithmetic, the only possible remainders are from 0, 1, …, m – 1, making it
impossible to recover any numerical plaintext larger of m or larger.
To alleviate this issue, we much create larger parameters. By creating our primes p and q
larger, hence making m larger, we can encrypt larger numerical plaintexts. We
demonstrate how the process works in the next example.
21
Example 12: Demonstrate using the ASCII table for converting from characters to
numbers, how to encrypt the message Mr. Ed using the primes p = 433 and q = 2333
with encryption exponent of e = 683.
Solution:
22
█
23
By creating our primes even larger, we can encrypt messages in even larger blocks.
Example 8.14 on p. 301 of your textbook demonstrates an example. There are Maplets,
which we will describe in the next section, which can also be used for this purpose.
Some Suggested Textbook Exercises for Practice for Section 8.8
p. 302: # 1-3
8.9 Maplets for RSA Ciphers
Some Suggested Textbook Exercises for Practice for Section 8.9
p. 310: # 1-5
8.10 Cryptanalysis of RSA Ciphers
Recall that when the RSA cipher was first developed, it represented the first commercial
public-key cryptosystem. This allows the message recipient to create their own key,
publish their e and m values, and have any number of message originator’s send them
encrypted messages. The information is kept secure as long as the message recipient can
keep the decryption exponent d secret from any potential intruders. The following
diagram illustrates this idea.
Recipient’s
Public e and m
Message
Originators
Person 1
x1e MOD m
Only
Receiver
“knows d”
x2 e MOD m
Person 2
x3e MOD m
Person 3
Figure 1: Public Key Cryptosystem Illustration\
24
So how does the recipient keep d secret? The security of the method is based on the
following comments.
Security of the RSA
The security of the method is based on the message recipient keeping the deciphering
exponent d secret. To keep d secret, the recipient must keep the primes p and q must
be kept secret. If p and q can be secret, f  ( p  1)( q  1) can be kept secret and
d  e 1 mod f cannot be computed.
It begs to differ, however, that if the recipient makes m  pq public so that the value of
m is known to the world, how does this prevent an intruder discovering what the primes
p and q are? Well, the answer comes down to this fact:
It is much easier to find primes p and q and form m  pq then it is to start
with m and factor it as m  pq .
This can be seen somewhat intuitively in that, for example, it is faster to see that p = 23 and
q = 31 are primes and find m  23  31  713 , than it is to start with say m  1333 , and as
quickly find the primes that produced it (the answer is that p = 31 and q = 43).
It turns out the same idea works for computers. Computer algorithms for generating
primes p and q and forming m  pq are astronomically faster than starting with m and
factoring to find the primes p and q that produced it. This assumes of course that the
primes p and q are sufficiently large. However, it turns out that the primes used in
practice, which are normally at least 100 digits in length, can easily be generated and m
can be quickly computed. However, the size of m produced by the product of two primes
does not nearly have to be as astronomically large for the best known computer
algorithms to fail to factor m as the product of its primes, at least in a reasonable amount
of time. The fact is, when implemented correctly, RSA ciphers have proved thus far to be
impregnable.
Example 13: Suppose the ciphertext 209 583, was produced with an RSA cipher
with public key values m = 943 and e = 139. Decipher the message.
Solution:
25
█
26
Public-key ciphers have obvious advantages over non-public-key ciphers, as we have
clearly discussed. However, there are disadvantages as well. One is that public-key
ciphers are in general slower than non-public-key ciphers, which can be especially
important for users who have a lot of information to transmit confidentially. Also, publickey ciphers can be exploited if message authentication (e.g., the assurance to the intended
recipient of a message that it actually came from the originator claiming to have sent it) is
compromised. We will consider this important aspect of public-key ciphers in Chapter
11.
Some Suggested Textbook Exercises for Practice for Section 8.10
p. 314: # 1
8.11 A Maplet for Cryptanalysis of RSA Ciphers
Some Suggested Textbook Exercises for Practice for Section 8.11
p. 318: # 1
27
8.12 Primality Testing
To create a secure RSA, it is necessary to generate large primes. One fact that is not
overly difficult to prove is that there are an infinite number of primes. Therefore, a
question one asks is that given a large positive integer, how do we determine if it is
prime. Of course, 2 is the only even prime, and hence, any even number larger than 2
cannot be prime. How about large positive odd integers? In this section, we examine
some elementary ways to determine if a number is prime or not, known as primality
testing.
Fact: A number m is prime if it has no prime factors less than the
trial divisions). Why?
n (this this is called
Example 14: Determine if 839 is prime.
Solution:
█
28
Example 15: Determine if 1073 is prime.
Solution:
█
Example 16: Determine if 1709 is prime.
Solution:
█
29
As the numbers tested get larger, trial divisions for primality testing does have
limitations. For example, to try to determine if 84308508309887 is prime by trial
divisions, we would begin by computing 84308508309887  9181966 , and there
would be many primes to test less than 9181966. In fact, is a number s is large, the
number of primes less than or equal to s, which is denoted by  (s ) , is approximated by
the following formula:
 ( s) 
s
ln s
Hence, the number of primes less than or equal to 84308508309887  9181966 is
approximately
9181966
 (9181966) 
 572701
ln( 9181966)
That would need to be tested to verify 84308508309887 is prime.
Hence, we need better tests. It turns out that most primality tests only allow with absolute
certainty the conclusion that a given positive integer is not prime. The conclusions that
can usually be drawn from a primality test are that a given positive integer either “fails”
the test and is definitely not prime, or “passes” the test and becomes more likely to be
prime, with likelihood depending on the test itself. One relatively simple and efficient
primality test is based on a very famous theorem in mathematics called Fermat’s Little
Theorem.
Theorem: (Fermat's Little Theorem) If p is a prime number and r is an integer with
gcd(r, p) = 1, then r p 1  1 mod p .
Therefore, if we can find a base r with gcd(r, p) = 1 and r p 1  1 mod p , Fermat's Little
Theorem says that p is not prime.
Example 17: Use Fermat’s Little Theorem to determine if 1234567 is prime.
Solution: By binary squaring, one can establish using the base r = 2 that
21234566 mod 1234567  899557  1 . Therefore, 1234567 is not prime. Note that
1234567  127  9721.
█
Note that since binary squaring is known to be an efficient algorithm, Fermat’s Little
Theorem provides a very efficient method for showing a number is not prime, much more
efficient than trial divisions as the number to be tested becomes larger.
30
Note: Fermat’s Little Theorem cannot be used to ascertain with absolute certainty. Just
because a modulus passes the criteria for the theorem for a given base does not mean it
passes for all bases.
Definition: A positive integer n is said to be pseudoprime to the base r if r n 1  1 mod n
but n is not prime.
For example, 2644 mod 645  1 , gcd( 2, 645)  1 , but 645 is obviously not prime. We say
that 645 is a pseudoprime to the base 2. However, if we choose another base, say r = 7,
where gcd(7, 645) = 1, we can use Fermat’s Little Theorem to verify 645 is not prime by
computing 7644 mod 645  436  1 .
There are even integers, known as Carmichael numbers, where r n 1  1 mod n for all
bases r where gcd( r, n )  1 but n is not prime. Therefore, Fermat’s Little Theorem is not
a reliable absolute test for establishing a number is prime. It can only establish absolutely
that a number is not prime. However there do exists test that can establish a number is
prime up to any desired degree of probability.l
As of now, the largest known prime (a special type of prime called a Mersenne prime)
was discovered in February of 2013, and is given by
257885161  1
This is a 17425170 digit long prime number discovered by Curtis Cooper (see his
personal page at http://www.math-cs.ucmo.edu/~curtisc/primes.html )
Some Suggested Textbook Exercises for Practice for Section 8.12
p. 321: # 1-4
31
8.13 Integer Factorization
Recall again that to break an RSA cipher, the only real difficulty an outsider should face
is in factoring m = p · q to find p and q. Therefore, techniques for factoring integers into
products of primes have for many years been a subject of intense research. Although
many of techniques used to factor integers are beyond the level of this course, we present
a couple of elementary techniques involved in factorization.
Prime Factorization using Trial Divisions
The Fundamental Theorem of Arithmetic guarantees that all positive integers have a
prime factorization, which is unique when the order of the primes in the factorization is
disregarded. Therefore, one of the methods for obtaining a prime factorization is, starting
with 2, to divide a given integer by arbitrary prime factors until the divisors are obtained.
When combined with the method of trial divisions described in the last section for
primality testing, this method can obtain the prime factors of an integer when the factors
are small.
Example 18: Factor 3267 into a product of prime factors.
Solution:
█
32
Example 19: Factor 429229 into a product of prime factors.
Solution:
█
Example 20: Factor 1511 into a product of prime factors.
Solution:
█
33
Fermat Factorization Method
Suppose m  pq , where p and q are primes. Given m, we can find p and q by using the
following process.
Let
x
Then
pq
pq
and y 
.
2
2
p  x  y and q  x  y
Write
m  p  q  ( x  y )( x  y )  x 2  y 2
Our goal is to find x and y using the following process.
Steps
1. Let x = the nearest integer greater than the
m.
2. For a fixed x, determine if y 2  m  x 2 has an integer solution for y (in other words,
look to see if y is a perfect square.
3. If no integer solution is found for y, then increase x by 1 and repeat step 2.
4. Continue repeating steps 1 and 2 until an integer solution is found for y. Using the
results for x and y, we have p  x  y and q  x  y .
Note: The basic Fermat’s method for factoring works well when the prime to be found
are relatively close together. Note, one should test whether the number m is prime
are not before using the method.
34
Example 21: Use the Fermat factorization process to factor m  103935290639 into a
product of primes.
Solution:
█
35
Some Suggested Textbook Exercises for Practice for Section 8.13
p. 325: # 1-2
8.14 The RSA Factoring Challenges
Shortly after developing their cipher, Rivest, Shamir, and Adelman, to encourage research
in the area of integer factorization, offered a cash prize for anyone who could a modulus
m = p · q that was 129 digits in length. It took 17 years for someone to find a
factorization, as both factorization and computing technology techniques improved.
By the end of the 1980s when the 129-digit value of m from their original challenge
remained unfactored, RSA Laboratories, as the RSA Data Security corporation formed by
Rivest, Shamir, and Adleman had come to be known, decided that the public needed a
little more encouragement. So on March 18, 1991, RSA Laboratories presented a broader
challenge, publishing a list of numbers that were each the product of a pair of distinct
extremely large primes, and offering larger cash prizes for their prime factorizations.
The smallest number published was 100 digits in length, and was factored within 14 days
by Arjen Lenstra, earning him $1000. The largest number published was 617 digits in
length, and was offered for a cash prize of $200,000. A listing of challenge numbers
published can be found at the link
http://www.rsa.com/rsalabs/node.asp?id=2093
In 2007, RSA Laboratories, citing advances in techniques and technology, declared the
broader challenge inactive. Before this time a total of 12 of the published numbers were
factored, the longest of which was 193 digits in length, earning Jens Franke $20,000
when it was factored in 2005. The longest of the published numbers to be factored was
232 digits in length, credited Thorsten Kleinjung, Peter Montgomery, and many others,
in 2009, too late for them to collect the retracted prize of $50,000.
Arjen Lenstra $1000
100 digit factorization
Jens Franke $20000
193 digit factorization
Peter Montgomery (no prize)
232 digit factorization
Download