The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen
p2. OUTLINE
[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA
p3. [5] Square Roots Modulo n
1. Fact. Suppose that p is an odd prime and gcd(a,p)=1. Then the congruence y^2 ≡ a (mod p) has no solutions if (a/p) = -1, and two solutions (mod p) if (a/p) = 1.
2. Theorem. Suppose that p is an odd prime, e is a positive integer, and gcd(a,p)=1. Then the congruence y^2 ≡ a (mod p^e) has no solutions if (a/p) = -1, and two solutions (mod p^e) if (a/p) = 1.
p4. 3. Theorem. Suppose that n > 1 is an odd integer having factorization where the p_i's are distinct primes and the e_i's are positive integers. Suppose further that gcd(a,n)=1. Then the congruence y^2 ≡ a (mod n) has 2^l solutions modulo n if (a/p_i) = 1 for all i in {1, …, l}, and no solutions otherwise.
p5. [6] Factoring Algorithms
1. Pollard's p-1 algorithm
input: an integer n, and a prespecified "bound" B
output: factors of n
p6. Why? Suppose p is a prime divisor of n, and suppose that q ≤ B for every prime power q | (p-1). Then (p-1) | B!. At the end of the for loop we have a = 2^{B!} mod n. Now 2^{p-1} ≡ 1 (mod p) by Fermat's little theorem. Since (p-1) | B!, it follows that a = 2^{B!} ≡ 1 (mod p), and hence p | (a-1). Since we also have p | n, d = gcd(a-1, n) will be a nontrivial divisor of n (unless a = 1).
p7. E.g.: n = , B = 180. a = 2^{180!} mod n = . d = gcd(a-1, n) = . In fact, the complete factorization of n into primes is = x . The factorization succeeds because has only "small" prime factors: = 2 x 3 x 131 x 173.
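As an added example (not from the slides), Pollard's p-1 in Python on a constructed modulus; the function name and the choice n = 1009·1013 are mine, picked so that p-1 is 10-smooth while q-1 is not:

```python
from math import gcd

def pollard_p_minus_1(n, B):
    """Pollard's p-1 with bound B: build a = 2^(B!) mod n one factor j at a time,
    then return gcd(a - 1, n) if it is a nontrivial divisor of n, else None."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)          # after this step a = 2^(j!) mod n
    d = gcd(a - 1, n)
    # d == 1: no prime p | n has (p-1) | B!, so B is too small.
    # d == n: every prime factor collapsed at once (a = 1); lower B or change the base.
    return d if 1 < d < n else None

# Constructed example: p = 1009 has p-1 = 2^4 * 3^2 * 7, which divides 10!,
# while q = 1013 has q-1 = 2^2 * 11 * 23, which does not, so B = 10 isolates p.
N_DEMO = 1009 * 1013
```

With B = 23 both p-1 and q-1 divide B!, a becomes 1 mod n and the call returns None, which is the "unless a = 1" case of the slide.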
p8. 2. Pollard's rho algorithm
input: an integer n
output: factors of n
(1) Select a "random" function f with integer coefficients, and any . Begin with x = x_0 and y = y_0.
(2) Repeat the two calculations until d = gcd(x-y, n) > 1.
(3) Do the following comparison:
3.1 If d < n, we have succeeded.
3.2 If d = n, the method has failed. Go to (1).
(*) A typical choice is f(x) = x^2 + 1, with seed x_0 = 2.
p9. Complexity of the rho method. We expect this method to use the function f at most
E.g.: n = 551, f(x) = x^2 + 1 mod 551 and x_0 =
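An added Python version of the rho method (not from the slides) using the typical choice f(x) = x^2 + 1 with seed x_0 = 2 and Floyd's cycle finding; the function names and the retry loop for step 3.2 are my own:

```python
from math import gcd

def pollard_rho(n, x0=2, c=1):
    """Pollard's rho with f(x) = x^2 + c mod n. x advances one step and y two steps
    per iteration (Floyd), so x - y becomes 0 mod p once the sequence mod p cycles."""
    f = lambda v: (v * v + c) % n
    x = y = x0
    d = 1
    while d == 1:
        x = f(x)
        y = f(f(y))
        d = gcd(abs(x - y), n)
    # d == n means the cycles mod every prime factor closed in the same step:
    # step 3.2 of the slide, restart with another f / seed.
    return d if d != n else None

def pollard_rho_retry(n, seeds=(2, 3, 5), cs=(1, 2, 3)):
    """Step 3.2 in code: on failure, go back to (1) with a different f or seed."""
    for c in cs:
        for x0 in seeds:
            d = pollard_rho(n, x0, c)
            if d is not None:
                return d
    return None
```

On n = 551 the loop stops after three iterations with d = gcd(|126 - 240|, 551) = 19.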
p10. Dixon's random squares algorithm. The idea is to locate x and y with x^2 ≡ y^2 (mod n) but x ≢ ±y (mod n); then gcd(x+y, n) is a nontrivial factor of n. (Why?) Since n | (x-y)(x+y) but neither x-y nor x+y is divisible by n.
E.g.: n = 15, x = 2, y = 7 (2^2 ≡ 7^2 mod 15) => gcd(2+7, 15) = 3 is a nontrivial factor of n.
E.g.: n = 77, x = 10, y = 32 (10^2 ≡ 32^2 mod 77) => gcd(10+32, 77) = 7 is a nontrivial factor of n.
p11. Factor base and p_t-smooth. A factor base B = {p_1, p_2, …, p_t} consisting of the first t primes is selected. If b factors over B, b is said to be p_t-smooth.
E.g.: B = {2,3,5}; b = 2^3 * 5^6 is 5-smooth; b = 2^3 * 7^6 is not 5-smooth.
We may include -1 in B to handle negative b: B = {p_0, p_1, p_2, …, p_t}, with p_0 = -1.
p12. Algorithm
input: a composite integer n and a factor base B = {p_1, p_2, …, p_t}
output: factors of n
(1) Suppose t+1 pairs (a_i, b_i = a_i^2 mod n) are obtained, where each b_i is p_t-smooth over B and the factorizations are given by
(2) A set S is to be selected so that has only even powers of primes appearing.
(3) Let , and do the following comparison:
3.1 If
3.2 If
p13. E.g.: n = 10057, t = 5, B = {2,3,5,7,11}. One candidate pair has a b_i containing the factor 509, which is not in B, and is discarded. Among the pairs kept, the ones used below are a_1 = 105, b_1 = 968 = 2^3 * 11^2; a_4 = 3010, b_4 = 8800 = 2^5 * 5^2 * 11; a_5 = 4014, b_5 = 882 = 2 * 3^2 * 7^2; a_6 = 4023, b_6 = 2816 = 2^8 * 11.
If S = {4,5,6}, then x = 3010*4014*4023 mod n = 2748 and y = 2^7*3*5*7*11 mod n = 7042. Since x ≢ ±y (mod n), we obtain the nontrivial factor gcd(x+y, n) = 89, and 10057 = 89*113.
If S = {1,5}, then x = 105*4014 mod n = 9133 and y = 2^2*3*7*11 = 924. Unfortunately x ≡ -y (mod n), and no useful information is obtained.
p14. E.g.: n = , t = 6, B = {2,3,5,7,11,13}.
≡ 3*7 (mod n)
≡ 2*7*13 (mod n)
≡ 2*3*13 (mod n)
( * * )^2 ≡ (2*3*7*13)^2 (mod n) ≡ (mod n)
gcd( – 546, ) = , to find the factor of n.
p15. Improvements:
We may include -1 in B to handle negative b: B = {p_0, p_1, p_2, …, p_t}, with p_0 = -1.
Define
Let a_i = z + m and b_i = q(z) = a_i^2 - kn for z = 0, 1, -1, 2, -2, … and k = 1, 2, …
p16. Quadratic sieve algorithm (simple version)
input: a composite integer n
output: factors of n
(1) Choose a suitable P and construct a factor base
(2) Define
(3) Let a_i = z + m and b_i = q(z) = a_i^2 - n for z = 0, 1, -1, 2, -2, … A set S is to be selected so that has only even powers of primes appearing.
(4) Let , and do the following
p18. E.g.: n = 10057. The relations used below are z = 1: a = 101, q(1) = 144 = 2^4 * 3^2; z = -1: a = 99, q(-1) = -256 = -2^8; z = -3: a = 97, q(-3) = -648 = -2^3 * 3^4; z = 5: a = 105, q(5) = 968 = 2^3 * 11^2.
If S = {1}, then x = 101 and y = 2^2 * 3. Since x ≢ ±y (mod n), we obtain the nontrivial factor gcd(x+y, n) = 113, and 10057 = 89*113.
If S = {-1,-3,5}, then x = 99*97*105 and y = 2^7 * 3^2 * 11. Unfortunately x ≡ y (mod n), and no useful information is obtained.
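An added Python implementation (not from the slides) that serves both the Dixon algorithm of slides 12 and 13 and the simple quadratic sieve of slides 16 to 18: the subset S is found by brute-force search over the relations, which is enough for t+1 relations of this size. The function names, the subset search and the sieve width are my own, and m = floor(sqrt(n)) is assumed for q(z):

```python
from itertools import combinations
from math import gcd, isqrt

def factor_over_base(b, base):
    """Trial-divide b over the factor base (which may start with -1 to absorb
    the sign); return the exponent vector, or None if b is not p_t-smooth."""
    exps = []
    for p in base:
        e = 0
        if p == -1 and b < 0:
            b, e = -b, 1
        elif p > 1:
            while b % p == 0:
                b, e = b // p, e + 1
        exps.append(e)
    return exps if b == 1 else None

def combine_relations(n, base, pairs):
    """Given pairs (a_i, b_i) with a_i^2 = b_i (mod n), find a subset S whose b_i
    product has only even exponents, form x = prod a_i and y = sqrt(prod b_i),
    and return the smaller factor from gcd(x + y, n) or gcd(x - y, n)."""
    rels = []
    for a, b in pairs:
        e = factor_over_base(b, base)
        if e is not None:           # non-smooth b_i are discarded, as on the slide
            rels.append((a, e))
    for size in range(1, len(rels) + 1):
        for S in combinations(rels, size):
            total = [sum(e[i] for _, e in S) for i in range(len(base))]
            if any(t % 2 for t in total):
                continue            # an odd exponent: prod b_i is not a square
            x = y = 1
            for a, _ in S:
                x = x * a % n
            for p, t in zip(base, total):
                y = y * pow(p % n, t // 2, n) % n
            for d in (gcd(x + y, n), gcd(x - y, n)):
                if 1 < d < n:       # x = +/-y (mod n) gives only 1 or n: useless
                    return min(d, n // d)
    return None

def dixon(n, base, candidates):
    """Dixon's random squares with the a_i supplied explicitly: b_i = a_i^2 mod n."""
    return combine_relations(n, base, [(a, a * a % n) for a in candidates])

def quadratic_sieve(n, base, width):
    """Simple QS: a = m + z, b = q(z) = a^2 - n for z = 0, +/-1, ..., +/-width, m = isqrt(n)."""
    m = isqrt(n)
    zs = [0] + [s * k for k in range(1, width + 1) for s in (1, -1)]
    return combine_relations(n, base, [(m + z, (m + z) ** 2 - n) for z in zs])
```

With the slide's a_i = 105, 3010, 4014, 4023 the Dixon search first hits S = {105, 4014}, where x ≡ -y (mod n) yields nothing, and moves on to a useful subset; the sieve with -1 in the base recovers 113 from the single relation a = 101.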
p19. Factoring algorithms in practice (asymptotic running times)
1. Quadratic sieve
2. Elliptic curve (p is the smallest prime factor of n)
3. Number field sieve
p20. [7] Other Attacks on RSA. Are there possible attacks on RSA other than factoring n? (Yes, see 2 and 3.)
1. Computing φ(n). Computing φ(n) is no easier than factoring n. For, if n and φ(n) are known, and n is the product of two primes p, q, then n can be easily factored by solving n = pq, φ(n) = (p-1)(q-1) for the two unknowns p and q. Substituting q = n/p into the 2nd equation, we have p^2 - (n - φ(n) + 1)p + n = 0. The two roots will be p and q.
p21. 2. The Decryption Exponent (See sec. )
3. Wiener's Low Decryption Exponent Attack (See sec. )
p22. [8] The Rabin Cryptosystem
1. Rabin scheme. Let p, q be large primes, n = pq; (p, q) is the private key. Encryption: c = m^2 mod n. Decryption: find the four square roots of c modulo n; one of them is m.
2. Example. Consider p = 31, q = 41, so n = pq = 1271. Assume message m = 814, so c = m^2 mod n = 814^2 mod 1271 = 405.
Decryption: solving m^2 ≡ 405 ≡ 2 (mod 31) and m^2 ≡ 405 ≡ 36 (mod 41), obtain m ≡ ±8 (mod 31) and m ≡ ±6 (mod 41); four possible roots: {±240, ±457} (mod 1271).
p23. 3. How to find square roots of a ∈ Q_n where n = pq? Factor n as pq. Let x and y satisfy the following congruences:
x ≡ a_p (mod p) and y ≡ -a_p (mod p)
x ≡ a_q (mod q) and y ≡ a_q (mod q)
where a_r denotes a square root of a modulo r. The square roots are x, -x, y, -y.
p24. 4. How to find square roots of a ∈ Q_p? In general, there is an efficient randomized polynomial-time algorithm. For p ≡ 3 (mod 4) there is a deterministic algorithm: by Euler's criterion, if a ∈ Q_p then a^{(p-1)/2} ≡ 1 (mod p), and (a^{(p+1)/4})^2 = a^{(p-1)/2} · a ≡ a (mod p). Hence the two roots of a modulo p are ±a^{(p+1)/4}. n is called a Blum integer if n = pq with p ≡ 3 (mod 4) and q ≡ 3 (mod 4).
p25. 5. Definition. RABIN: Given n = pq and c = m^2 mod n, find x s.t. c ≡ x^2 (mod n).
6. Theorem. RABIN ≡ FACTOR
(1) RABIN ≤ FACTOR. Given an oracle for FACTOR:
1. Factor n and obtain p, q
2. Solve the square root problems c ≡ x^2 (mod p), c ≡ x^2 (mod q)
3. Apply the CRT and get the four roots of RABIN
p26. (2) FACTOR ≤ RABIN. Given an oracle for RABIN:
1. Query the RABIN oracle twice, getting two roots x and y
2. With probability ½, we successfully get a factor of n by gcd(x+y, n)
p27. [9] Semantic Security of RSA
1. Three potential adversarial goals:
Total break: the adversary is able to determine Bob's private key (in the case of a public-key cryptosystem) or the secret key (in the case of a symmetric-key cryptosystem).
Partial break: the adversary is able to decrypt a previously unseen ciphertext (without knowing the key), or the adversary can determine some specific information about the plaintext, given the ciphertext.
p28. Distinguishability of ciphertexts: with some probability > 0.5, the adversary is able to distinguish between encryptions of 2 given plaintexts, or between an encryption of a given plaintext and a random string.
2. Semantic security. A public-key cryptosystem is said to achieve semantic security if the adversary cannot (in polynomial time) distinguish ciphertexts, provided that certain computational assumptions hold.
p29. 3. Partial information concerning plaintext bits (See sec. )
4. Optimal Asymmetric Encryption Padding (See sec. )