The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen
The RSA Cryptosystem and Factoring Integers (II). Rong-Jaye Chen. OUTLINE. [1] Modular Arithmetic Algorithms [2] The RSA Cryptosystem [3] Quadratic Residues [4] Primality Testing [5] Square Roots Modulo n [6] Factoring Algorithms [7] Other Attacks on RSA [8] The Rabin Cryptosystem (PowerPoint presentation)


Page 1: The RSA Cryptosystem and Factoring Integers (II)

The RSA Cryptosystem and Factoring Integers (II)

Rong-Jaye Chen

Page 2: The RSA Cryptosystem and Factoring Integers (II)

OUTLINE

[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA

Page 3: The RSA Cryptosystem and Factoring Integers (II)

[5] Square Roots Modulo n

1. Fact. Suppose that p is an odd prime and gcd(a, p) = 1. Then the congruence y^2 ≡ a (mod p) has no solutions if (a/p) = -1, and two solutions (mod p) if (a/p) = 1.

2. Theorem. Suppose that p is an odd prime, e is a positive integer, and gcd(a, p) = 1. Then the congruence y^2 ≡ a (mod p^e) has no solutions if (a/p) = -1, and two solutions (mod p^e) if (a/p) = 1.

Page 4: The RSA Cryptosystem and Factoring Integers (II)

3. Theorem. Suppose that n > 1 is an odd integer having factorization

$$n = \prod_{i=1}^{l} p_i^{e_i},$$

where the p_i's are distinct primes and the e_i's are positive integers. Suppose further that gcd(a, n) = 1. Then the congruence y^2 ≡ a (mod n) has 2^l solutions modulo n if (a/p_i) = 1 for all i in {1, …, l}, and no solutions otherwise.

Page 5: The RSA Cryptosystem and Factoring Integers (II)

[6] Factoring Algorithms

1. Pollard's p-1 algorithm

input : an integer n, and a prespecified "bound" B
output : factors of n

    a ← 2
    for j ← 2 to B do
        a ← a^j mod n
    d ← gcd(a-1, n)
    if 1 < d < n then return(d)
    else return("failure")

Page 6: The RSA Cryptosystem and Factoring Integers (II)

Why?

Suppose p is a prime divisor of n, and suppose that q ≤ B for every prime power q | (p-1). Then (p-1) | B!.

At the end of the for loop, we have a = 2^{B!} mod n.

Now 2^{p-1} ≡ 1 (mod p) (by Fermat's little theorem). Since (p-1) | B!, it follows that

a = 2^{B!} ≡ 1 (mod p),

and hence p | (a-1). Since we also have p | n, d = gcd(a-1, n) will be a non-trivial divisor of n (unless a = 1).

Page 7: The RSA Cryptosystem and Factoring Integers (II)

E.g. n = 15770708441, B = 180

a = 2^{180!} mod n = 11620221425

d = gcd(a-1, n) = 135979

In fact, the complete factorization of n into primes is

15770708441 = 135979 x 115979

The factorization succeeds because 135978 = p-1 has only "small" prime factors:

135978 = 2 x 3 x 131 x 173
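The algorithm and the "Why?" argument above, as an added example in Python (not code from the slides). It runs Pollard's p-1 method on the slide's own numbers n = 15770708441, B = 180, and adds a prime-power smoothness check that makes the success condition (p-1) | B! explicit; `trial_factor` and `is_power_smooth` are helpers written here, not part of the slides.

```python
# Added example (not part of the slides): Pollard's p-1 method as given above,
# plus a smoothness check that explains why the slide's example succeeds.
# The sample numbers n = 15770708441 and B = 180 are the slide's own.
from math import gcd


def pollard_p_minus_1(n, B):
    """Return a non-trivial divisor of n, or None if the method fails.

    After the loop a == 2^(B!) mod n. For a prime p | n whose p-1 is B-smooth,
    (p-1) | B!, so Fermat gives a == 1 (mod p) and p | gcd(a-1, n).
    """
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)  # a <- a^j mod n; after the loop a = 2^(B!) mod n
    d = gcd(a - 1, n)
    if 1 < d < n:
        return d
    return None  # d == 1: no prime factor had a B-smooth p-1; d == n: all of them did


def trial_factor(m):
    """Prime factors of a small positive integer m by trial division, with multiplicity."""
    factors, p = [], 2
    while p * p <= m:
        while m % p == 0:
            factors.append(p)
            m //= p
        p += 1
    if m > 1:
        factors.append(m)
    return factors


def is_power_smooth(m, B):
    """True if every prime power q dividing m satisfies q <= B (the hypothesis of the proof)."""
    for p in set(trial_factor(m)):
        q = p
        while m % (q * p) == 0:
            q *= p
        if q > B:
            return False
    return True


if __name__ == "__main__":
    n, B = 15770708441, 180
    d = pollard_p_minus_1(n, B)
    print("gcd(2^(B!) - 1, n) =", d, "  n =", d, "x", n // d)
    for f in (d, n // d):
        print(f"{f}-1 = {f - 1} = {trial_factor(f - 1)}  {B}-power-smooth: {is_power_smooth(f - 1, B)}")
```

The second factor's q-1 = 115978 contains a prime larger than 180, which is exactly why gcd(a-1, n) picks out 135979 alone rather than all of n; lowering B below 131 makes the method fail with d = 1.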

Page 8: The RSA Cryptosystem and Factoring Integers (II)

2. Pollard's rho algorithm

input : an integer n
output : factors of n

(1) Select a "random" function f with integer coefficients, and any x0 ∈ Z_n. Begin with x = x0 and y = x0.

(2) Repeat the two calculations

    x ← f(x) mod n  and  y ← f(f(y)) mod n

until d = gcd(x-y, n) > 1.

(3) Do the following compare:

3.1 If d < n, we have succeeded.

3.2 If d = n, the method has failed. Go to (1).

(*) A typical choice is f(x) = x^2+1, with a seed x0 = 2.

(Figure: the sequence x_0, x_1 = f(x_0), x_2 = f(x_1), … eventually enters a cycle, so that x_t = x_{t+c}, x_{t+1} = x_{t+c+1}, …, which gives the "rho" shape.)

Page 9: The RSA Cryptosystem and Factoring Integers (II)

Complexity of rho method

We expect this method to use the function f at most $O(\sqrt{p}) = O(n^{1/4})$ times, where p is the smallest prime factor of n.

E.g. : n = 551, f(x) = x^2+1 mod 551 and x0 = 2.

    x ← f(x)    y ← f(f(y))    d = gcd(x-y, 551)
    5           26             1
    26          449            1
    126         240            19
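The rho iteration above, as an added example in Python (not code from the slides). It keeps the (x, y, d) trace so the slide's table for n = 551 can be reproduced, and adds the restart of step 3.2 with a different seed; `pollard_rho_retry` and the seed list are this example's own choices.

```python
# Added example (not part of the slides): Pollard's rho method as described above.
# n = 551, f(x) = x^2 + 1 and x0 = 2 are the slide's worked values.
from math import gcd


def pollard_rho(n, f=lambda x: x * x + 1, x0=2, max_steps=10000):
    """Return (d, trace). d is a non-trivial divisor of n, or None on failure
    (the gcd jumped straight to n, or the step budget ran out).
    trace lists (x, y, gcd(x-y, n)) for every iteration, like the slide's table."""
    x = y = x0
    trace = []
    for _ in range(max_steps):
        x = f(x) % n            # x advances one step
        y = f(f(y) % n) % n     # y advances two steps (Floyd's cycle finding)
        d = gcd(x - y, n)
        trace.append((x, y, d))
        if d > 1:
            return (d if d < n else None), trace
    return None, trace


def pollard_rho_retry(n, seeds=(2, 3, 5, 7, 11)):
    """Step 3.2 of the slide: on failure (d == n) restart with a different seed."""
    for x0 in seeds:
        d, _ = pollard_rho(n, x0=x0)
        if d is not None:
            return d
    return None


if __name__ == "__main__":
    d, trace = pollard_rho(551)
    for x, y, g in trace:
        print(f"x = {x:4d}   y = {y:4d}   gcd(x-y, 551) = {g}")
    print("factor:", d, "   551 =", d, "x", 551 // d)
```

When n is prime the only way to get d > 1 is x = y, so d = n and the function reports failure; that is the case the slide's step 3.2 is about.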

Page 10: The RSA Cryptosystem and Factoring Integers (II)

3. Dixon's random squares algorithm

The idea is to locate x, y ∈ Z_n with x^2 ≡ y^2 (mod n); if x ≢ ±y (mod n), then gcd(x+y, n) is a nontrivial factor of n.

(Why?) Since n | (x-y)(x+y) but neither x-y nor x+y is divisible by n.

Eg. n = 15, x = 2, y = 7 (2^2 ≡ 7^2 (mod 15)) => gcd(2+7, 15) = 3 is a nontrivial factor of n.

Eg. n = 77, x = 10, y = 32 (10^2 ≡ 32^2 (mod 77)) => gcd(10+32, 77) = 7 is a nontrivial factor of n.

Page 11: The RSA Cryptosystem and Factoring Integers (II)

Factor base and p_t-smooth

A factor base B = {p1, p2, …, pt} consisting of the first t primes is selected. If b factors over B, b is said to be p_t-smooth.

Eg : B = {2, 3, 5}, b = 2^3 * 5^6 is 5-smooth; b = 2^3 * 7^6 is not 5-smooth.

We may include -1 in B to handle negative b: B = {p0, p1, p2, …, pt}, with p0 = -1.

Page 12: The RSA Cryptosystem and Factoring Integers (II)

Algorithm

input : a composite integer n and factor base B = {p1, p2, …, pt}
output : factors of n

(1) Suppose t+1 pairs (a_i, b_i = a_i^2 mod n) are obtained, where b_i is p_t-smooth over B and the factorizations are given by

$$b_i = \prod_{j=1}^{t} p_j^{e_{ij}}, \quad 1 \le i \le t+1.$$

(2) A set S is to be selected so that $\prod_{i \in S} b_i$ has only even powers of primes appearing.

(3) Let $x = \prod_{i \in S} a_i$ and $y = \sqrt{\prod_{i \in S} b_i}$, and do the following compare:

3.1 If x ≢ ±y (mod n) then return gcd(x+y, n).

3.2 If x ≡ ±y (mod n) then return "not factoring".

Page 13: The RSA Cryptosystem and Factoring Integers (II)

Eg : n = 10057, t = 5, B = {2, 3, 5, 7, 11}

    i    a_i     b_i = a_i^2 mod n    factorization
    1    105     968                  2^3 * 11^2
    2    115     3168                 2^5 * 3^2 * 11
    3    1006    6336                 2^6 * 3^2 * 11
    4    3010    8800                 2^5 * 5^2 * 11
    5    4014    882                  2 * 3^2 * 7^2
    6    4023    2816                 2^8 * 11

A further pair with b_i = 1018 = 2 * 509 is discarded, since 509 is not in B.

If S = {4, 5, 6}, then x = 3010 * 4014 * 4023 mod n = 2748 and y = 2^7 * 3 * 5 * 7 * 11 mod n = 7042.

Since 2748 ≢ ±7042 (mod n), we obtain a nontrivial factor gcd(x+y, n) = 89, and 10057 = 89 * 113.

If S = {1, 5}, then x = 105 * 4014 mod n = 9133 and y = 2^2 * 3 * 7 * 11 = 924.

Unfortunately, 9133 ≡ -924 (mod n), and no useful information is obtained.

Page 14: The RSA Cryptosystem and Factoring Integers (II)

Eg : n = 15770708441, t = 6, B = {2, 3, 5, 7, 11, 13}

8340934156^2 ≡ 3 * 7 (mod n)
12044942944^2 ≡ 2 * 7 * 13 (mod n)
2773700011^2 ≡ 2 * 3 * 13 (mod n)

(8340934156 * 12044942944 * 2773700011)^2 ≡ (2 * 3 * 7 * 13)^2 (mod n)

9503435785^2 ≡ 546^2 (mod n)

gcd(9503435785 - 546, 15770708441) = 115979

to find the factor 115979 of n

Page 15: The RSA Cryptosystem and Factoring Integers (II)

Improvements:

We may include -1 in B to handle negative b: B = {p0, p1, p2, …, pt}, with p0 = -1.

Define

$$m = \lfloor \sqrt{kn} \rfloor, \qquad q(z) = (z+m)^2 - kn.$$

Let a_i = z+m and b_i = q(z) = a_i^2 - kn for z = 0, 1, -1, 2, -2, … and k = 1, 2, …

Page 16: The RSA Cryptosystem and Factoring Integers (II)

Quadratic sieve algorithm (simple version)

input : a composite integer n
output : factors of n

(1) Choose a suitable P and construct a factor base

$$B = \{ p_i \mid p_i \text{ is prime},\ p_i \le P \text{ and } (n/p_i) = 1 \} \cup \{-1\}.$$

(2) Define

$$m = \lfloor \sqrt{n} \rfloor, \qquad q(z) = (z+m)^2 - n.$$

(3) Let a_i = z+m and b_i = q(z) = a_i^2 - n for z = 0, 1, -1, 2, -2, … A set S is to be selected so that $\prod_{i \in S} b_i$ has only even powers of primes appearing.

(4) Let $x = \prod_{i \in S} a_i$ and $y = \sqrt{\prod_{i \in S} b_i}$, and do the following: if x ≢ ±y (mod n) then return gcd(x+y, n).

Page 17: The RSA Cryptosystem and Factoring Integers (II)

Why are those p_i's with (n/p_i) ≠ 1 not used in the factor base B?

Since if p_i | (z+m)^2 - n, then (z+m)^2 - n ≡ 0 (mod p_i), i.e. n ≡ (z+m)^2 (mod p_i); that is, (n/p_i) = 1.

So we only include those p_i's with (n/p_i) = 1 in the factor base B.

Page 18: The RSA Cryptosystem and Factoring Integers (II)

Eg : n = 10057

m = ⌊√n⌋ = 100, q(z) = (z+100)^2 - 10057, B = {2, 3, 11, 19} ∪ {-1}

    z     a = z+m    b = q(z)    factorization
    0     100        -57         -3 * 19
    -1    99         -256        -2^8
    1     101        144         2^4 * 3^2
    -3    97         -648        -2^3 * 3^4
    5     105        968         2^3 * 11^2

If S = {1} (rows indexed by z), then x = 101 and y = √144 = 2^2 * 3.

Since x ≢ ±y (mod n), we obtain a nontrivial factor gcd(x+y, n) = 113, and 10057 = 89 * 113.

If S = {-1, -3, 5}, then x = 99 * 97 * 105 and y = 2^7 * 3^2 * 11.

Unfortunately, x ≡ y (mod n), and no useful information is obtained.
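The relation-collecting and relation-combining steps of Dixon's random squares algorithm (page 12) and of the simple quadratic sieve (page 16), as one added example in Python that is not code from the slides. It runs both on the slides' n = 10057: the Dixon candidates a_i are the slides' own values (1018 is a constructed extra candidate that gets discarded because its square mod n is not 11-smooth), the quadratic-sieve factor base is built with Euler's criterion, and the subset S is found by Gaussian elimination over GF(2) rather than by inspection; all function names are this example's own.

```python
# Added example (not from the slides): Dixon's random squares and the simple
# quadratic sieve on the slides' n = 10057. The candidate a_i for Dixon's method are
# the slides' values; 1018 is a constructed extra that is discarded as non-smooth.
from math import gcd, isqrt


def factor_over_base(b, base):
    """Exponent vector of b over base (base may start with -1), or None if b is not smooth."""
    if b == 0:
        return None
    exps = []
    for p in base:
        e = 0
        if p == -1:
            if b < 0:
                b, e = -b, 1
        else:
            while b % p == 0:
                b //= p
                e += 1
        exps.append(e)
    return exps if b == 1 else None


def find_dependencies(exp_vectors):
    """Yield index sets S whose exponent vectors sum to all-even entries.
    Gaussian elimination over GF(2): each row is a bitmask of its odd exponents,
    hist records which original rows were XORed together to produce it."""
    basis = {}  # lowest set bit -> (reduced mask, hist)
    for i, vec in enumerate(exp_vectors):
        mask = sum(1 << j for j, e in enumerate(vec) if e % 2)
        hist = 1 << i
        while mask:
            pivot = mask & -mask
            if pivot not in basis:
                basis[pivot] = (mask, hist)
                break
            bmask, bhist = basis[pivot]
            mask ^= bmask
            hist ^= bhist
        else:  # mask reduced to 0: the rows in hist multiply to a perfect square
            yield [k for k in range(len(exp_vectors)) if hist >> k & 1]


def combine(n, relations, S, base):
    """x = prod a_i mod n and y = sqrt(prod b_i) mod n over the subset S (0-based indices)."""
    x = 1
    for i in S:
        x = x * relations[i][0] % n
    y = 1
    for j, p in enumerate(base):
        total = sum(relations[i][1][j] for i in S)
        assert total % 2 == 0, "S must give even exponents"
        if p > 0:  # (-1)^even = 1 contributes nothing to the square root
            y = y * pow(p, total // 2, n) % n
    return x, y


def factor_from_relations(n, relations, base):
    """Steps (2)-(3): try dependencies until one gives x != +-y (mod n)."""
    for S in find_dependencies([e for _, e in relations]):
        x, y = combine(n, relations, S, base)
        if x != y and (x + y) % n != 0:
            return gcd(x + y, n), S
    return None, None


def dixon_relations(n, candidates, base):
    """Dixon step (1): keep (a, exponents of a^2 mod n) when a^2 mod n is smooth over base."""
    relations = []
    for a in candidates:
        e = factor_over_base(a * a % n, base)
        if e is not None:  # otherwise discard (cf. b = 2 * 509 on the slide)
            relations.append((a, e))
    return relations


def qs_factor_base(n, P):
    """QS step (1): {-1} plus primes p <= P with (n/p) = 1, tested by Euler's criterion."""
    base = [-1]
    for p in range(2, P + 1):
        is_prime = all(p % q for q in range(2, isqrt(p) + 1))
        if is_prime and (p == 2 or pow(n, (p - 1) // 2, p) == 1):
            base.append(p)
    return base


def qs_relations(n, base, zmax):
    """QS step (3): a = z + m, b = q(z) = a^2 - n for z = 0, 1, -1, 2, -2, ..., +-zmax."""
    m = isqrt(n)
    relations = []
    for k in range(zmax + 1):
        for z in ([0] if k == 0 else [k, -k]):
            a = z + m
            e = factor_over_base(a * a - n, base)
            if e is not None:
                relations.append((a, e))
    return relations


if __name__ == "__main__":
    n, dixon_base = 10057, [2, 3, 5, 7, 11]
    rel = dixon_relations(n, [105, 115, 1006, 3010, 4014, 4023, 1018], dixon_base)
    print("Dixon:", factor_from_relations(n, rel, dixon_base))
    qs_base = qs_factor_base(n, 19)
    print("QS base:", qs_base, " QS:", factor_from_relations(n, qs_relations(n, qs_base, 5), qs_base))
```

The elimination finds dependencies in row order, so on the Dixon data it first hits S = {1, 2, 3} (1-based), which gives x ≡ y and is skipped, and then S = {2, 4}, which yields 113; the slide's S = {4, 5, 6} is another dependency of the same system, and `combine` reproduces its x = 2748, y = 7042 as well as the failing S = {1, 5}.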

Page 19: The RSA Cryptosystem and Factoring Integers (II)

4. Factoring algorithms in practice

(Asymptotic running times)

1. Quadratic sieve: $O\!\left(\exp\left((1+o(1))\sqrt{\ln n \,\ln\ln n}\right)\right)$

2. Elliptic curve (p is the smallest prime factor of n): $O\!\left(\exp\left((1+o(1))\sqrt{2 \ln p \,\ln\ln p}\right)\right)$

3. Number field sieve: $O\!\left(\exp\left((1.92+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}\right)\right)$

Page 20: The RSA Cryptosystem and Factoring Integers (II)

[7] Other Attacks on RSA

Are there possible attacks on RSA other than factoring n? (Yes, see 2. and 3.)

1. Computing φ(n)

Computing φ(n) is no easier than factoring n. For, if n and φ(n) are known, and n is the product of two primes p, q, then n can be easily factored by solving

n = pq,  φ(n) = (p-1)(q-1)

for the two unknowns p and q. Substituting q = n/p into the 2nd equation, we have

p^2 - (n - φ(n) + 1)p + n = 0.

The two roots will be p and q.

Page 21: The RSA Cryptosystem and Factoring Integers (II)

2. The Decryption Exponent (See sec. 5.7.2)

3. Wiener's Low Decryption Exponent Attack (See sec. 5.7.3)

Page 22: The RSA Cryptosystem and Factoring Integers (II)

[8] The Rabin Cryptosystem

1. Rabin scheme

Let p, q be large primes, n = pq; (p, q) is the private key.
Encryption: c = m^2 mod n
Decryption: find the four square roots of c; one is m.

2. Example

Consider p = 31, q = 41, so n = pq = 1271. Assume message m = 814, so c = m^2 mod n = 814^2 mod 1271 = 405.

Decryption: Solving m^2 ≡ 405 ≡ 2 (mod 31) and m^2 ≡ 405 ≡ 36 (mod 41), obtain m ≡ ±8 (mod 31) and m ≡ ±6 (mod 41); four possible roots: ±240, ±457 (mod 1271).

Page 23: The RSA Cryptosystem and Factoring Integers (II)

3. How to find square roots of a ∈ Q_n where n = pq?

Factor n as pq. Let x and y satisfy the following congruences

x ≡ a_p (mod p)  and  y ≡ -a_p (mod p)
x ≡ a_q (mod q)       y ≡ a_q (mod q)

where a_r denotes a square root of a modulo r.

The square roots are x, -x, y, -y.

Page 24: The RSA Cryptosystem and Factoring Integers (II)

4. How to find square roots of a ∈ Q_p?

In general, there is an efficient randomized polynomial-time algorithm.

For p ≡ 3 (mod 4) there is a deterministic algorithm:

By Euler's criterion, if a ∈ Q_p then a^{(p-1)/2} ≡ 1 (mod p), and (a^{(p+1)/4})^2 = a^{(p-1)/2} · a ≡ a (mod p).

Hence the two roots of a modulo p are ±a^{(p+1)/4}.

n is called a Blum integer if n = pq with p ≡ 3 (mod 4) and q ≡ 3 (mod 4).

Page 25: The RSA Cryptosystem and Factoring Integers (II)

5. Definition

RABIN: Given n = pq and c = m^2 mod n, find x s.t. c ≡ x^2 (mod n).

6. Theorem RABIN = FACTOR

<pf>

(1) RABIN ≤ FACTOR

Given an oracle for FACTOR:
1. Factor n and obtain p, q.
2. Solve the square root problems c ≡ x^2 (mod p), c ≡ x^2 (mod q).
3. Apply CRT and get the four roots of RABIN.

Page 26: The RSA Cryptosystem and Factoring Integers (II)

(2) FACTOR ≤ RABIN

Given an oracle for RABIN:
1. Query the RABIN oracle twice and get two roots x and y.
2. With probability 1/2, we successfully get a factor of n by gcd(x+y, n).
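Rabin decryption (pages 22 to 24) and both directions of the RABIN/FACTOR equivalence (pages 25 and 26), as one added example in Python that is not code from the slides, run on the slide's p = 31, q = 41, c = 405. The deterministic a^{(p+1)/4} rule applies to p = 31 only; q = 41 ≡ 1 (mod 4), so for the "efficient randomized algorithm" the slide mentions in general this example uses Tonelli-Shanks, which is this example's choice, not the slides'; `crt`, `rabin_roots` and `factor_from_two_roots` are names introduced here.

```python
# Added example (not from the slides): square roots mod p, CRT recombination into the
# four Rabin roots, and FACTOR <= RABIN via gcd(x+y, n). p = 31, q = 41, c = 405 are the
# slide's values. Tonelli-Shanks is this example's choice for the p = 1 (mod 4) case.
from math import gcd


def sqrt_mod_prime(a, p):
    """A square root of a modulo an odd prime p, or None if a is not a QR mod p.
    p = 3 (mod 4): the deterministic a^((p+1)/4). Otherwise Tonelli-Shanks."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:      # Euler's criterion
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    Q, S = p - 1, 0                       # p - 1 = Q * 2^S with Q odd
    while Q % 2 == 0:
        Q //= 2
        S += 1
    z = 2                                 # any quadratic non-residue will do
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    M, c, t, R = S, pow(z, Q, p), pow(a, Q, p), pow(a, (Q + 1) // 2, p)
    while t != 1:
        i, tt = 0, t                      # least i with t^(2^i) = 1
        while tt != 1:
            tt = tt * tt % p
            i += 1
        b = pow(c, 1 << (M - i - 1), p)
        M, c, t, R = i, b * b % p, t * b * b % p, R * b % p
    return R


def crt(rp, p, rq, q):
    """The unique x mod pq with x = rp (mod p) and x = rq (mod q)."""
    inv_p = pow(p, -1, q)                 # Python 3.8+
    return (rp + p * ((rq - rp) * inv_p % q)) % (p * q)


def rabin_roots(c, p, q):
    """RABIN <= FACTOR: with p, q known, the four square roots of c mod n = pq."""
    n = p * q
    rp, rq = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    if rp is None or rq is None:
        return []                         # c is not a square mod n
    roots = {crt(s * rp % p, p, t * rq % q, q) for s in (1, -1) for t in (1, -1)}
    assert all(r * r % n == c % n for r in roots)
    return sorted(roots)


def factor_from_two_roots(n, x, y):
    """FACTOR <= RABIN: two roots with x != +-y (mod n) split n; None is the
    probability-1/2 case where the oracle returned +-the same root."""
    if x % n == y % n or (x + y) % n == 0:
        return None
    return gcd(x + y, n)


if __name__ == "__main__":
    roots = rabin_roots(405, 31, 41)
    print("square roots of 405 mod 1271:", roots)            # one of them is m = 814
    for r in roots:
        print(f"gcd(814 + {r}, 1271) ->", factor_from_two_roots(1271, 814, r))
```

Of the four roots, 457 is -814 mod 1271 and gives nothing, while 240 and 1031 each reveal one of the primes, which is the 1/2 success probability in step 2 of (2).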

Page 27: The RSA Cryptosystem and Factoring Integers (II)

[9] Semantic Security of RSA

1. Three potential adversarial goals:

Total break: The adversary is able to determine Bob's private key (in the case of a public-key cryptosystem) or the secret key (in the case of a symmetric-key cryptosystem).

Partial break: The adversary is able to decrypt a previously unseen ciphertext (without knowing the key). Or the adversary can determine some specific information about the plaintext, given the ciphertext.

Page 28: The RSA Cryptosystem and Factoring Integers (II)

Distinguishability of ciphertexts: With some probability > 0.5, the adversary is able to distinguish between encryptions of 2 given plaintexts, or between an encryption of a given plaintext and a random string.

2. Semantic security

A public-key cryptosystem is said to achieve semantic security if the adversary cannot (in polynomial time) distinguish ciphertexts, provided that certain computational assumptions hold.

Page 29: The RSA Cryptosystem and Factoring Integers (II)

3. Partial information concerning plaintext bits (See sec. 5.9.1)

4. Optimal Asymmetric Encryption Padding (See sec. 5.9.2)