
“Because both the system’s privacy and the security of digital money depend on encryption, a breakthrough in mathematics or computer science that defeats the cryptographic system could be a disaster. The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers. Any person or organization possessing this power could counterfeit money, penetrate any personal, corporate, or government file, and possibly even undermine the security of nations.”
Bill Gates, The Road Ahead

David Evans, CS588: Security and Privacy, University of Virginia Computer Science
Lecture 9: Security of RSA
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE

26 Sept 2001, University of Virginia CS 588

Menu
Finding Big Pseudo Primes
Security of RSA
– Factoring

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M

Property 2: Easy to Compute
We need large “random” primes p and q
Are there enough primes?
How can we find them?

How many prime numbers?
Infinite (proved by Euclid, 300BC)
Proof by contradiction:
Suppose that there exist only finitely many primes $p_1 < p_2 < \ldots < p_r$.
Let $N = (p_1)(p_2)\ldots(p_r) + 1$
$N > p_r$ so it is composite, $N = p \cdot M$
If $p = p_i$ for some $i$ in $1 \ldots r$, then,
$N = p_i \cdot M = p_i \cdot (p_1)(p_2)\ldots(p_{i-1})(p_{i+1})\ldots(p_r) + 1$
$p_i \, (M - (p_1)(p_2)\ldots(p_{i-1})(p_{i+1})\ldots(p_r)) = 1$
Contradiction: $p_i > 1$
Hence, there must be infinitely many primes.

Density of Primes
$\pi(x)$ is the number of primes $\le x$

Approximating $\pi(x)$
The Prime Number Theorem: $\pi(x) \sim x/\ln x$
– Difficult to prove (first conjectured by Legendre in 1798 by looking at table of values)
How many guesses to find a prime bigger than x?
– About ln x/2 guesses
(Naïvely) Each guess requires sqrt(x) work
For 200 digits: 230 guesses *
– More work than breaking 3DES!

Need a faster prime test
There are several fast probabilistic prime tests
Can quickly test a prime with high probability, with a small amount of work
If we pick a non-prime, it’s not a disaster (exercise for reader, will be on PS3)

Fermat Test
Recall Fermat’s Little Theorem: If n is prime and a is not divisible by n then $a^{n-1} \equiv 1 \bmod n$
Prove n is composite by finding $a^{n-1} \not\equiv 1 \bmod n$
Showing $a^{n-1} \equiv 1 \bmod n$ does not prove it is prime
But if it holds for many a’s it is likely that n is prime
– Holds for all a’s for some non-primes (known as Carmichael Numbers: 561, 645, 1105, …)
Better prime test: Miller-Rabin
– Probability n is prime $\ge 1 - (1/4)^k$
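
The guess-and-test procedure from the last three slides, as an added Python example that is not part of the original lecture: it shows 561 passing the Fermat test for every coprime base while one Miller-Rabin round with a = 2 rejects it, then finds a large probable prime by random guessing. Function names and the fixed seed are assumptions made for the demo; real key generation needs a CSPRNG such as `secrets.SystemRandom`.

```python
import random
from math import gcd

def fermat_witnesses(n):
    """Bases a coprime to n with a^(n-1) mod n != 1 (each one proves n composite)."""
    return [a for a in range(2, n - 1)
            if gcd(a, n) == 1 and pow(a, n - 1, n) != 1]

def miller_rabin_round(n, a):
    """One Miller-Rabin round for odd n > 2; False means a proves n composite."""
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):     # keep squaring; a prime must hit n - 1 before 1
        x = x * x % n
        if x == n - 1:
            return True
    return False

def is_probable_prime(n, k=20, rng=random):
    """k random Miller-Rabin rounds; a composite passes with probability <= (1/4)^k."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):   # cheap trial division first
        if n % p == 0:
            return n == p
    return all(miller_rabin_round(n, rng.randrange(2, n - 1)) for _ in range(k))

def find_prime(bits, rng=random):
    """Guess random odd numbers of the given size until one passes the test."""
    guesses = 0
    while True:
        guesses += 1
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand, rng=rng):
            return cand, guesses

if __name__ == "__main__":
    print("Fermat witnesses for 561:", fermat_witnesses(561))
    print("Miller-Rabin round, n=561, a=2:", miller_rabin_round(561, 2))
    liars = [a for a in range(2, 560) if miller_rabin_round(561, a)]
    print("Miller-Rabin liars for 561:", len(liars), "of 558 bases")
    p, guesses = find_prime(256, random.Random(588))   # constructed seed, demo only
    print(f"256-bit probable prime after {guesses} guesses: {p}")
```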

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M

Property 4: E(D(M)) = M
$D(M) = M^d \bmod n$
$E(D(M)) = (M^d \bmod n)^e \bmod n = M^{de} \bmod n = M^{ed} \bmod n = M$ (from the property 1 proof)

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M
Are there other functions that have properties 1, 2 and 4?

RSA
$E(M) = M^e \bmod n$
$D(C) = C^d \bmod n$
$n = pq$; p, q are prime
d is relatively prime to $(p - 1)(q - 1)$
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$

Revealing E doesn’t reveal D
Revealing E: e, n. Can attacker find D?
If attacker factors $n = p \cdot q$
$ed \equiv 1 \bmod (p - 1)(q - 1)$
Easy to find $d \equiv e^{-1} \bmod (p - 1)(q - 1)$
Use experience to argue factoring is hard.
Argue all other attacks are at least as hard as factoring n.

Gardner’s Column: Original RSA challenge ($100)
n (RSA-129) =
e = 9007
C =
Scientific American, August 1977

Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond.
Derek Atkins (April 1994): We are happy to announce that RSA-129 = *

Trial and Error Factoring
Guess x, if 1 < gcd(x, n) < n then x is an interesting factor
If p and q are similar size, lowest factor is around $\sqrt{n}$.
– Requires $O(\sqrt{n})$ divisions.
– For RSA-129 = 1.1 * divisions, 1 per nanosecond = 3.4 * years

Pollard’s Rho Method
Fastest known in 1977 [Pollard75]
To find factor p, requires 4  p modular multiplies
Worst case: lowest p is  n, we need 4  n multiplies
For RSA-129 = 1.3 * = 4 * years
Rivest probably used this, but made a math error (4 quadrillion  40 quadrillion)

How so Fast
Better factoring algorithms
Distributed computation
Still can’t do a * b mod c in one nanosecond (not faster processors)
– 1ns = s
– Best Pentium 4 today: 2 GHz (cycle = .5ns)
– But, multiplying 100 digit numbers takes many cycles

Fermat Factoring
Factor 8051
Hint: $(\tfrac{1}{2}(a + b))^2 - (\tfrac{1}{2}(a - b))^2 = \tfrac{1}{4}(a^2 + 2ab + b^2) - \tfrac{1}{4}(a^2 - 2ab + b^2) = \tfrac{1}{2}ab + \tfrac{1}{2}ab = ab$
$8051 = 8100 - 49 = 90^2 - 7^2 = 97 \times 83$
$\tfrac{1}{2}(97 + 83) = 90$
$\tfrac{1}{2}(97 - 83) = 7$

Fermat Factoring
Any odd composite integer can be written as $n = u^2 - v^2$
To factor n, start looking for u and v around $\sqrt{n}$
Is this less work than trial and error division?
No, only in lucky cases where factor is near $\sqrt{n}$

Kraitchik’s Enhancement
Instead of looking for u and v such that $n = u^2 - v^2$, look for any multiple of n:
$kn = u^2 - v^2$
or: $u^2 \equiv v^2 \bmod n$
Some solutions uninteresting: $u \equiv \pm v \bmod n$
Others (½) are interesting: $u \not\equiv \pm v \bmod n$
n divides $u^2 - v^2 = (u - v)(u + v)$ but not $(u - v)$ or $(u + v)$
gcd(u – v, n) and gcd(u + v, n) are factors of n

Kraitchik, cont.
For x’s near $\sqrt{n}$: $Q(x) = x^2 - n$
Try to find x’s where:
$Q(x_1)\,Q(x_2) \ldots Q(x_k) = v^2$
$x_1 x_2 \ldots x_k = u$
Then, $x_1^2 x_2^2 \ldots x_k^2 = u^2 \equiv (x_1^2 - n) \ldots (x_k^2 - n) \bmod n \equiv v^2 \bmod n$
But, how do we find the x’s?

Finding the x’s
Some of the Q(x)’s are easy to factor
From these, find products that are squares
$n = 2041$, $46^2 = 2116$
$Q(46) = 75 = 3 \cdot 5^2$
$Q(47) = 168 = 2^3 \cdot 3 \cdot 7$
$Q(48) = 263$ (hard to factor)
$Q(49) = 360 = 2^3 \cdot 3^2 \cdot 5$
$Q(50) = 459 = 3^3 \cdot 17$
$Q(51) = 560 = 2^4 \cdot 5 \cdot 7$
$Q(46)\,Q(47)\,Q(49)\,Q(51) = 2^{10} \cdot 3^4 \cdot 5^4 \cdot 7^2 = (2^5 \cdot 3^2 \cdot 5^2 \cdot 7)^2$
Example from [Pomerance96]
Looking for: $Q(x_1)\,Q(x_2) \ldots Q(x_k) = v^2$, $x_1 x_2 \ldots x_k = u$

Finding the Factors
$Q(46)\,Q(47)\,Q(49)\,Q(51) = (2^5 \cdot 3^2 \cdot 5^2 \cdot 7)^2 \equiv v^2$
$u = 46 \cdot 47 \cdot 49 \cdot 51 = 311 \bmod 2041$
$v = 2^5 \cdot 3^2 \cdot 5^2 \cdot 7 = 1416 \bmod 2041$
$u^2 = v^2 \bmod 2041$, $311 \not\equiv \pm 1416 \bmod 2041$
So, gcd(1416 – 311, 2041) is a factor of 2041
gcd(1105, 2041) = gcd(2041, 1105)
= gcd(2041, 1105 mod 2041)
= gcd(1105, 2041 mod 1105) = gcd(1105, 936)
= gcd(936, 1105 mod 936) = gcd(936, 169)
= gcd(169, 936 mod 169) = gcd(169, 91)
= gcd(91, 169 mod 91) = gcd(91, 78)
= gcd(78, 91 mod 78) = gcd(78, 13)
= gcd(13, 78 mod 13) = gcd(13, 13) = 13
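
The Fermat and Kraitchik slides carried through in code, as an added Python example that is not part of the original lecture: Fermat’s search on 8051 and 2041, then Kraitchik’s combination on n = 2041 with the factor base {2, 3, 5, 7}. Function names and the factor base are assumptions, and the exhaustive subset search stands in for the linear algebra over GF(2) that a real quadratic sieve uses.

```python
from itertools import combinations
from math import gcd, isqrt, prod

def fermat_factor(n):
    """Try u = ceil(sqrt(n)), ... until u^2 - n is a square v^2 (n odd)."""
    u = isqrt(n)
    if u * u < n:
        u += 1
    tries = 1
    while True:
        v = isqrt(u * u - n)
        if v * v == u * u - n:
            return u - v, u + v, tries
        u += 1
        tries += 1

def exponents(m, base):
    """Exponent vector of m over the factor base, or None if m is not smooth."""
    vec = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        vec.append(e)
    return vec if m == 1 else None

def kraitchik(n, span=6, base=(2, 3, 5, 7)):
    """Combine smooth Q(x) = x^2 - n into a square, then take gcd(u - v, n)."""
    start = isqrt(n) + 1
    rel = {}
    for x in range(start, start + span):
        vec = exponents(x * x - n, base)
        if vec is not None:
            rel[x] = vec
    for r in range(1, len(rel) + 1):
        for xs in combinations(sorted(rel), r):
            total = [sum(rel[x][i] for x in xs) for i in range(len(base))]
            if any(e % 2 for e in total):
                continue                   # product of the Q(x) is not a square
            u = prod(xs) % n
            v = prod(p ** (e // 2) for p, e in zip(base, total)) % n
            f = gcd(u - v, n)
            if 1 < f < n:                  # skips the uninteresting u = +-v cases
                return f, n // f, xs, u, v
    return None

if __name__ == "__main__":
    print(fermat_factor(8051))   # factors close together: found on the first try
    print(fermat_factor(2041))   # factors far apart: many tries
    print(kraitchik(2041))       # six values of x are enough
```

On 2041 the plain Fermat search needs 40 values of u, while the Kraitchik combination needs only x = 46 … 51.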

Factoring Pragmatics
Conjectured to take $e^{\sqrt{2 \log n \log\log n}}$ steps to factor n.
Quadratic Sieve Factoring
– Improved Kraitchik’s algorithm to choose likely good values for x’s
– Complexity: $e^{\sqrt{\log n \log\log n}}$
– How much bigger numbers can it factor? Twice as many digits in same time!

Breaking RSA-129
Organized by Derek Atkins and others, 1994
Quadratic Sieve algorithm
Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes
Recruited volunteers from Internet
1600 machines
Used 5000 MIPS years over 8 months

“To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project.”
Derek Atkins, Michael Graff, et al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.

Recent Factoring Algorithms
Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999
Number Field Sieve (Sneakers)
~8000 MIPS years (36 CPU years)
7 months on ~300 machines
Lecture 1: factor 300 digit number for automatic A. How much harder is this?

RSA Security
Factoring is hard (except in Sneakers)
Is this enough to know RSA is secure?
Can you compute D without factoring n?
– Probably not, but can’t prove it.
– But, can prove other obvious mathematical attacks are equivalent to factoring.

$\varphi(n)$ without factoring
Calculate $\varphi(n)$ without factoring n.
$ed \equiv 1 \bmod \varphi(n)$
Equivalent to factoring:
$\varphi(n) = (p - 1)(q - 1) = n - (p + q) + 1$
$p + q = n - \varphi(n) + 1$
$p - q = \sqrt{(p + q)^2 - 4n}$ [next slide]
$2p = \sqrt{(n - \varphi(n) + 1)^2 - 4n} + n - \varphi(n) + 1$
If we know $\varphi(n)$ we can calculate p and q easily.

$p - q = \sqrt{(p + q)^2 - 4n}$
$(p - q)^2 = p^2 - 2pq + q^2 = p^2 + q^2 - 2n$
$(p + q)^2 = p^2 + q^2 + 2n$
$(p - q)^2 = (p + q)^2 - 4n$
$p - q = \sqrt{(p + q)^2 - 4n}$

Determine d without $\varphi(n)$
Brute force: m digits long, amount of work is $10^m$.
– Try 1T/second (special purpose hardware)
– Will take $3 \times 10^{30}$ years for m = 50.
– For factoring difficulty, m > 100. (Bigger than AES key)
Non-brute force: knowing d enables factoring.

Determining d  factoring
$ed = 1 \bmod \varphi(n)$
$k \cdot \varphi(n) = ed - 1$
Already showed, finding $\varphi(n)$ is same as factoring.
Also true for multiple of $\varphi(n)$.
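
Both equivalences from the last four slides as an added Python example (not part of the original lecture): recovering p and q from φ(n) via p + q = n − φ(n) + 1, and from a full key pair via the multiple ed − 1 of φ(n), which is why a leaked d compromises the modulus itself and not only that key pair. Function names and the toy key (n = 3233, e = 17, d = 2753) are constructed for illustration; the second routine is the standard randomized square-root-of-1 method, which the slides do not spell out.

```python
import random
from math import gcd, isqrt

def factor_from_phi(n, phi):
    """Recover p <= q from n = p*q and phi = (p - 1)(q - 1)."""
    s = n - phi + 1                    # p + q, from phi = n - (p + q) + 1
    disc = s * s - 4 * n               # (p - q)^2 = (p + q)^2 - 4n
    if disc < 0 or isqrt(disc) ** 2 != disc:
        raise ValueError("phi is not consistent with n = p*q")
    diff = isqrt(disc)                 # |p - q|
    return (s - diff) // 2, (s + diff) // 2

def factor_from_d(n, e, d, rng=random):
    """Recover p <= q from (n, e, d) using k = ed - 1, a multiple of phi(n)."""
    r, t = e * d - 1, 0
    while r % 2 == 0:                  # ed - 1 = 2^t * r with r odd
        r //= 2
        t += 1
    while True:
        g = rng.randrange(2, n - 1)
        if gcd(g, n) > 1:              # lucky guess shares a factor with n
            p = gcd(g, n)
            return min(p, n // p), max(p, n // p)
        x = pow(g, r, n)
        for _ in range(t):             # g^(2^t * r) = 1, so squaring ends at 1
            y = x * x % n
            if y == 1 and x not in (1, n - 1):
                p = gcd(x - 1, n)      # x is a nontrivial square root of 1 mod n
                return min(p, n // p), max(p, n // p)
            x = y
        # this g revealed nothing (about half of all g do); try another

if __name__ == "__main__":
    # Constructed toy key: p = 53, q = 61, n = 3233, phi = 3120, e = 17, d = 2753
    print(factor_from_phi(3233, 3120))
    print(factor_from_d(3233, 17, 2753))
```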

Properties of RSA’s E and D
Trap-door one way function:
D(E(M)) = M
E and D are easy to compute.
Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
E(D(M)) = M

Applications of RSA
Privacy:
– Bob encrypts message to Alice using $E_A$
– Only Alice knows $D_A$
Signatures:
– Alice encrypts a message to Alice using $D_A$
– Bob decrypts using $E_A$
– Knows it was from Alice, since only Alice knows $D_A$
Things you use every day: ssh, SSL, DNS, etc.
More than 400,000,000 copies of the RSA algorithm are currently installed

Two “Questionable” Statements in RSA Paper
“(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)” (p. 4)

Two “Questionable” Statements in RSA Paper
“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.” (p. 6)

Who really invented RSA?
General Communications HQ, Cheltenham (formed from Bletchley Park after WWII)
1969 – James Ellis asked to work on key distribution problem
Secure telephone conversations by adding “noise” to line:
– Receiver could add the noise and subtract it
– No need for sender to have key!
Late 1969 – idea for PK, but no function
Clifford Cocks invented function (RSA)

Charge
Next time: what to do about all those couriers!
Project Pre-Proposals due Monday
They should include:
– Clear topic description and plan: the more details you can provide on what you plan to do, the better feedback I can provide
– Related Work
Summary of what you have found so far
Reading list: things you plan to read next