The RSA Cryptosystem and Factoring Integers (I)


The RSA Cryptosystem and Factoring Integers (I)
Rong-Jaye Chen

OUTLINE
[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA

[1] Modular Arithmetic Algorithms
1. The integers
a divides b, written a|b.
If b has a divisor , then a is said to be nontrivial.
a is prime if it has no nontrivial divisors; otherwise, a is composite.
The prime theorem:
If c|a and c|b, then c is a common divisor of a and b.
If d is the greatest common divisor of a and b, then we write d=gcd(a,b).

Euclidean algorithm(a,b) (for the greatest common divisor)
input:
output:
(1) Set $r_0=a$ and $r_1=b$
(2) Determine the first so that $r_{n+1}=0$, where $r_{i+1}=r_{i-1} \bmod r_i$
(3) Return ($r_n$)
Extended Euclidean algorithm(a,b)
input: a>0, b>0
output: (r, s, t) with r=gcd(a,b) and sa+tb=r
(Omitted)

Example: gcd(299,221)=?

If gcd(a,b)=1, then a and b are said to be relatively prime.
Phi function:

2. The integers modulo n
a is congruent to b modulo n, written , if n|(a-b).
$Z_n=\{0,1,\dots,n-1\}$
Given , if , then a is said to be invertible and its inverse x is denoted $a^{-1}$.

Use the Extended Euclidean Algorithm to calculate $a^{-1} \bmod n$
Example: a=7 and n=9
Euclidean algorithm to find gcd(a,n)
Extended Euclidean algorithm to write gcd(a,n)=sa+tn

$Z_n^*=\{a \mid \gcd(a,n)=1 \text{ and } 0<a<n\}$
For example, $Z_{12}^*=\{1,5,7,11\}$, $Z_{15}^*=\{1,2,4,7,8,11,13,14\}$
($Z_n^*$, *) forms a multiplicative group

Fermat’s little theorem:
Euler’s theorem:
The order of , written ord(a), is the least positive integer t such that
If , has , then a is said to be a generator of $Z_n^*$; in this case,

Example: n=15
$Z_{15}^*=\{1,2,4,7,8,11,13,14\}$
$\phi(15)=\phi(3)\phi(5)=2 \cdot 4=8$

3. Chinese remainder theorem
If the integers $n_1,\dots,n_k$ are pairwise relatively prime, then the system of congruences has a unique solution modulo $n=n_1 n_2 \cdots n_k$

Algorithm: Gauss algorithm
(1) Input k, $n_i$, $a_i$, for i=1,2,…,k
(2) Compute for i=1,2,…,k
(3) Compute inverse for i=1,2,…,k
(4) Compute

Example

4. Square-and-Multiply
Algorithm: Square-and-Multiply(x, c, n)
Input: , c with binary representation
Output:

Example: $9726^{3533} \bmod 11413 = ?$
 i   $c_i$   z
11    1    $1^2 \times 9726 = 9726$
10    1    $9726^2 \times 9726 = 2659$
 9    0    $2659^2 = 5634$
 8    1    $5634^2 \times 9726 = 9167$
 7    1    $9167^2 \times 9726 = 4958$
 6    1    $4958^2 \times 9726 = 7783$
 5    0    $7783^2 = 6298$
 4    0    $6298^2 = 4629$
 3    1    $4629^2 \times 9726 = 10185$
 2    1    $10185^2 \times 9726 = 105$
 1    0    $105^2 = 11025$
 0    1    $11025^2 \times 9726 = 5761$

[2] The RSA Cryptosystem
Proposed by Rivest, Shamir, and Adleman (1977)
Used for encryption and signature schemes
Based on the intractability of the integer factorization problem
Key generation
Let p, q be large primes, $n=pq$ and $\phi(n)=(p-1)(q-1)$
Choose b randomly s.t. $\gcd(b,\phi(n))=1$
Compute $a = b^{-1} \bmod \phi(n)$
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

RSA Cryptosystem
Let n=pq, where p and q are primes. Let $P = C = Z_n$, and define $K=\{(n,p,q,a,b): ab \equiv 1 \pmod{\phi(n)}\}$.
For K=(n,p,q,a,b), define $e_K(x)=x^b \bmod n$ and $d_K(y)=y^a \bmod n$
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

Verify that encryption and decryption are inverse operations
Since $ab \equiv 1 \pmod{\phi(n)}$, we have $ab = t\phi(n)+1$ for some $t \ge 1$.
Suppose that $x \in Z_n^*$; then we have
$(x^b)^a \equiv x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t x \equiv 1^t x \equiv x \pmod n$
as desired.
For x in $Z_n$ but not in $Z_n^*$: (do exercise)

E.g. p=7, q=13, n=91, $\phi(n)=(p-1)(q-1)=72$
Choose b=5, compute $a=b^{-1} \bmod \phi(n)=29$
Public-key: (91,5)
Private-key: (7,13,29)
Assume message m=23
So the ciphertext is $c = m^e \bmod n = 23^5 \bmod 91 = 4$ (with e=b=5)
and it can be decrypted by $m = c^d \bmod n = 4^{29} \bmod 91 = 23$ (with d=a=29)
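Added example (not part of the original slides): the extended Euclidean algorithm, square-and-multiply and toy RSA key generation from the slides above, run on the slides' own numbers. The function names are choices made for this example, and `decrypts_all` checks numerically that decryption also recovers the x in Z_n that are not in Z_n^*.

```python
def egcd(a, b):
    """Extended Euclid: return (r, s, t) with r = gcd(a, b) and s*a + t*b == r."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0

def inverse(a, n):
    """a^-1 mod n; raises if a is not invertible, i.e. gcd(a, n) != 1."""
    r, s, _ = egcd(a % n, n)
    if r != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return s % n

def square_and_multiply(x, c, n):
    """x^c mod n, scanning the bits of c from most to least significant."""
    z = 1
    for bit in bin(c)[2:]:
        z = z * z % n          # square for every bit
        if bit == "1":
            z = z * x % n      # multiply only when the bit is set
    return z

def rsa_keygen(p, q, b):
    """Toy key generation: returns (n, b, a) with a = b^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, b, inverse(b, phi)

def decrypts_all(n, b, a):
    """True if d_K(e_K(x)) == x for every x in Z_n, invertible or not."""
    return all(square_and_multiply(square_and_multiply(x, b, n), a, n) == x
               for x in range(n))

if __name__ == "__main__":
    print("gcd(299,221) as (r, s, t):", egcd(299, 221))
    print("7^-1 mod 9 =", inverse(7, 9))
    n, b, a = rsa_keygen(7, 13, 5)
    c = square_and_multiply(23, b, n)
    print("n, a, c, decrypted:", n, a, c, square_and_multiply(c, a, n))
    print("9726^3533 mod 11413 =", square_and_multiply(9726, 3533, 11413))
    print("all of Z_91 round-trips:", decrypts_all(n, b, a))
```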

RSA encryption (Alice encrypts, Bob decrypts)
$n = pq$, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Public key $KU_{Bob} = (n, b)$; private key $KR_{Bob} = (n, a)$
Encryption: $C = E_{KU_{Bob}}(M) = M^b \pmod n$
Decryption: $D_{KR_{Bob}}(C) = C^a \pmod n$

RSA signature scheme (Alice signs, Bob verifies)
$n = pq$, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Signing key $KR_{Alice} = (n, a)$; verification key $KU_{Alice} = (n, b)$
Signing: hash M to H(M), then $A = E_{KR_{Alice}}(H(M)) = H(M)^a \pmod n$
Verification: compute $D_{KU_{Alice}}(A) = A^b \pmod n$ and compare it with the hash H(M)

[3] Quadratic Residue
1. Quadratic residue modulo n
Let , then a is a quadratic residue modulo n if there exists with
In this case, x is a square root of a modulo n. Otherwise, a is a quadratic nonresidue modulo n.
$Q_n$: the set of quadratic residues modulo n.
: the set of quadratic nonresidues modulo n.

2. Theorem: p > 2 is prime and α is a generator of $Z_p^*$

3. Corollary: p > 2 is prime and α is a generator of $Z_p^*$
(1) (2) (3) (4)
4. Legendre symbol: p > 2 is prime and

5. Theorem: Euler’s criterion
6. E.g.: use Square-and-Multiply

7. Jacobi symbol: n > 2 is an odd integer, $p_i$ is prime and

8. Properties of Jacobi symbol: m, n > 2 are odd integers
(1) (2) (3) (4) (5) (6)

9. E.g.: calculate Jacobi symbol without factoring n
(property 2) (property 6) (property 3) (property 4)

10. Jacobi symbol vs. quadratic residue modulo n
The elements of are called pseudosquares modulo n.

11. E.g.: n=15
The Jacobi symbols are calculated in the following table:
[Table of Jacobi symbols for the elements of $Z_{15}^*$; entries not recovered.]

12. Quadratic residuosity problem (QRP)
Determine if a given is a quadratic residue or pseudosquare modulo n

[4] Primality Testing
(1) Prime numbers
1. How to generate large prime numbers?
(1) Generate as candidate a random odd number n of appropriate size.
(2) Test n for primality.
(3) If n is composite, return to the first step.

2. Distribution of prime numbers
(1) Prime number theorem
Let Π(x) denote the number of prime numbers ≤ x. Then Π(x) ~ x/ln(x) as x → ∞.
(2) Dirichlet theorem
If gcd(a, n)=1, then there are infinitely many primes congruent to a mod n.

(3) Let Π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n)=1. Then Π(x, n, a) ~
The prime numbers are roughly uniformly distributed among the φ(n) congruence classes in $Z_n^*$
(4) Approximation for the nth prime number $p_n$

(2) Solovay-Strassen primality test
1. Trial method for testing whether n is prime or composite
2. Definition: Euler witness
Let n be an odd composite integer and .
(1) If then a is an Euler witness (to compositeness) for n.

(2) Otherwise, if then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.

3. Example (Euler pseudoprime)
Consider n = 91 (= 7x13)
Since $9^{45} \equiv 1 \bmod 91$, and so 91 is an Euler pseudoprime to the base 9.
4. Fact
At most $\phi(n)/2$ of all the numbers a, are Euler liars for n.

5. Algorithm: Solovay-Strassen(n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: “prime” or “composite”
1. for i = 1 to t do:
   1.1 choose a random integer a, 2 ≤ a ≤ n-2
       if gcd(a,n) ≠ 1 then return (“composite”)
   1.2 compute $r=a^{(n-1)/2} \bmod n$ (use square-and-multiply)
       if r ≠ 1 and r ≠ n-1 then return (“composite”)
   1.3 compute the Jacobi symbol s = (a/n)
       if $r \not\equiv s \pmod n$ then return (“composite”)
2. return (“prime”)

6. Solovay-Strassen error-probability bound
For any odd composite integer n, the probability that Solovay-Strassen(n, t) declares n to be “prime” is less than $(1/2)^t$

(3) Miller-Rabin primality test
1. Fact
p: odd prime
$p-1 = 2^s r$, where r is odd, gcd(a, p) = 1
then $a^r \equiv 1 \pmod p$ or $a^{2^j r} \equiv -1 \pmod p$ for some j, 0 ≤ j ≤ s-1
Why?
(1) Fermat’s little theorem, $a^{p-1} \equiv 1 \bmod p$
(2) 1, -1 are the only two square roots of 1 in $Z_p^*$

2. Definition
n: odd composite integer
$n-1 = 2^s r$, where r is odd
1 ≤ a ≤ n-1
a is a strong witness to compositeness for n if $a^r \not\equiv 1 \pmod n$, and $a^{2^j r} \not\equiv -1 \pmod n$ for all j, 0 ≤ j ≤ s-1
n is a strong pseudoprime to the base a if $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some j, 0 ≤ j ≤ s-1
(a is called a strong liar to primality for n)

3. Algorithm: Miller-Rabin(n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: “prime” or “composite”
1. write $n-1 = 2^s r$ such that r is odd.
2. for i = 1 to t do:
   2.1 choose a random integer a, 2 ≤ a ≤ n-2
   2.2 compute $y=a^r \bmod n$ (use square-and-multiply)
   2.3 if y ≠ 1 and y ≠ n-1 do:
       j ← 1
       while j ≤ s-1 and y ≠ n-1 do:
           $y \leftarrow y^2 \bmod n$
           if y = 1 then return (“composite”)
           j ← j+1
       if y ≠ n-1 then return (“composite”)
3. return (“prime”)

4. Example (strong pseudoprime)
Consider n = 91 (= 7x13)
91-1 = 2*45, s=1, r=45
Since $9^r = 9^{45} \equiv 1 \bmod 91$, 91 is a strong pseudoprime to the base 9.
The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}
The number of strong liars for 91 is $18 = \phi(91)/4$

5. Fact
If n is an odd composite integer, then at most ¼ of all the numbers a, 1 ≤ a ≤ n-1, are strong liars for n. In fact, if n ≠ 9, then the number of strong liars for n is at most $\phi(n)/4$.

6. Miller-Rabin error-probability bound
For any odd composite integer n, the probability that Miller-Rabin(n, t) declares n to be “prime” is less than $(1/4)^t$
7. Remark
For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of $\phi(n)/4$. Consequently, the Miller-Rabin error-probability bound is much smaller than $(1/4)^t$.
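Added example (not part of the original slides): a Python check of the n = 91 examples above. It computes the Jacobi symbol without factoring n, then runs one Solovay-Strassen round and one Miller-Rabin round for every base 1 ≤ a ≤ n-1 to enumerate the Euler liars and strong liars. Function names are choices made for this example.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity for odd a and n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # 0 when gcd(a, n) > 1

def is_euler_liar(a, n):
    """True if odd composite n passes one Solovay-Strassen round with base a."""
    if gcd(a, n) != 1:
        return False
    return pow(a, (n - 1) // 2, n) == jacobi(a, n) % n

def is_strong_liar(a, n):
    """True if odd composite n passes one Miller-Rabin round with base a."""
    s, r = 0, n - 1
    while r % 2 == 0:                  # write n-1 = 2^s * r with r odd
        s, r = s + 1, r // 2
    y = pow(a, r, n)
    if y in (1, n - 1):
        return True
    for _ in range(s - 1):             # look for -1 among a^(2^j r), 1 <= j <= s-1
        y = y * y % n
        if y == n - 1:
            return True
    return False

def liars(n, predicate):
    """All bases 1 <= a <= n-1 for which the given round accepts n."""
    return [a for a in range(1, n) if predicate(a, n)]

def phi(n):
    """Euler phi by direct count; fine for small n such as 91."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

if __name__ == "__main__":
    n = 91
    print("strong liars:", liars(n, is_strong_liar))
    print("Euler liars: ", liars(n, is_euler_liar))
    print("phi(n)/4 =", phi(n) // 4)
```

For n = 91 the two sets coincide, which is the general behaviour when n ≡ 3 (mod 4); a composite n reported "prime" by t rounds must have drawn a liar every time.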