RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

Transcription

1 RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ. Message space: ¼ Ò ½. Encryption: Òµ ѵ Ñ ÑÓ Ò. Decryption: Òµ µ ÑÓ Ò. Note that ³ Òµ Ô ½µ Õ ½µ.

2 Example: let s pick Ô, Õ. Then Ò ¾¼¾½ and ³ Òµ ½ ¾. Pick ½. Then ½¾. Let us encrypt the Ñ message ¼. ¼ Then ÑÓ ½ ½¾. ¾¼¾½ ½¾ Decryption: ÑÓ ¾¼¾½ ¼. ½¾

3 Exponentiation by repeated squaring: ½ if b=0 ¾ µ ¾ if is even ¾ ½ ¾ if is odd µ Computation of requires up to ¾ ÐÓ multiplications. When doing RSA encryption or decryption, all computations are done in Ò. Hence the maximum length of intermediate results is twice the length of Ò.

4 Decryption can be done faster: During key generation, compute additionally Ô Ô ½ ÑÓ Õµ; ¼ Õ ¼ Õ ½ ÑÓ Ôµ. Store Ô Ô Ô ¼ µ Õ Õ Õ ¼ µ in the secret key. To decrypt, compute Ñ ÑÓ Ô Ô; Ñ Õ ÑÓ Õ. Use chinese remainder theorem to find ÑÓ Ò: ÑÓ Ò Õ Õ ¼ µ Ñ Ô Ô Ô ¼ µ Ñ Õ µ ÑÓ Ò

5 Computing ÑÓ Ô is four times faster than computing ÑÓ Ò. Indeed, the numbers involved are only half as long and multiplication has quadratic complexity. Hence the method is twice as fast than the previous one.

6 Typical sizes of the key: RSA Ò is usually taken bits long. Ô and Õ have then half that length. The suggested lengths of a key in a knapsack cryptosystem was about 300, the elements of the superincreasing knapsack should be from ¾ ¼¼ to ¾ ¼¼. The key is much longer than for RSA. But the operations are faster. Modern symmetric cryptosystems use bit keys.

7 As asymmetric cryptosystems usually work much slower, the following hybrid method is usually used to encrypt a plaintext Ü with a public key Ô. Let a symmetric cryptosystem be fixed. It may be a block cipher with a fixed mode of operation. 1. Generate a new key of the symmetric cryptosystem. 2. Ý Let ܵ. ÝÑÑ 3. Let ÝÑÑ ¼ Ô µ. 4. The cryptotext is ¼ ݵ. The asymmetric cryptosystem is usually also a block cipher. The message is usually short enough to fit into a single block.

8 Why does RSA work? Theorem (Euler). Òµ ½ If then ½ ÑÓ Òµ. ³ Òµ ¾ Proof. Ò. Ò ³ Òµ. Corollary (Fermat little theorem). If ¾ È does not Ô divide then ½ ½ ÑÓ Ôµ. Ô

9 Let Ò µ and Ò µ be the RSA public and secret keys. We have ½ ÑÓ ³ Òµµ. I.e. ³ Òµ ½ for some ¾ Æ. Let Ñ ¾ ¼ Ñ then ½ be a message. If Ñ Òµ ½ Òµ Òµ ѵµ Ñ µ Ñ Ñ ³ Òµ ½ Ñ ³ Òµ µ Ñ ½ Ñ ÑÓ Òµ Ñ Ñ ¼ If then Ñ also µ ¼. If Ñ ¼ and Ñ Òµ ½ then Ñ Òµ ¾ Ô Õ. In this case we have managed to factor Ò.

10 Ò Òµ Ò ÐÒ Òµ ÐÒ Ò ÐÑ Ò Ò½ To generate a RSA key, we need to generate two large primes. How? Theorem (Chebyshev). Let Òµ Ƚ Ò. Then and ½ prime. ÐÒ ¾ ½¾. I.e. about every 355th 512-bit number is I.e. about every 177th 512-bit odd number is a prime. A viable strategy to generate a prime is to generate random odd numbers and test their primality.

11 Primality testing is doable in polynomial time (in length of the number). But the degree of the polynomial is high. Fortunately, there exist efficient Monte-Carlo algorithms. A probabilistic algorithm A for testing whether a bit string Ü belongs to some set È ¼ ½ is a Monte-Carlo algorithm if ¼ Ü ¾ ¼ ½ : If Ü ¾ È then ÈÖA ܵ true ½. If Ü ¾ È then ÈÖA ܵ false. If Ü ¾ È and we execute A ܵ Ò times then the probability of getting true all times is at most ½ µ Ò.

12 Ô ½ ½ Fermat little theorem said: ÑÓ Ôµ if Ôµ ½ So, is the following a Monte-Carlo algorithm for testing the primality of odd Ò? 1. Generate a random Û ¾ ½ Ò ½, such that Û Òµ ½. If Û Òµ ½ then Ò is definitely composite. Return no. 2. If Û Ò ½ ½ ÑÓ Òµ then return yes else return no. If Ò ¾ È then the algorithm always returns yes.

13 Let Û ¾ Ò. Ò is a pseudoprime to base Û if Û Ò ½ ½ ÑÓ Òµ. In this case Û is a witness for the primality of Ò. Otherwise it is a witness for the compositeness of Ò. Lemma. If Ò has witnesses for compositeness then at least half of the elements of Ò are witnesses for the compositeness of Ò.

14 Proof. Let Ï Ô Ò be the set of witnesses for the primality of Ò. Let Û ¾ ÒÒÏ Ô. We have Û Ò ½ ½ ÑÓ Òµ. Consider the set Û Û Ô Û Ô ¾ Ï Ô Ï Ï Then Ï Ô. We have Û Ô µ Ò ½ Û Ò ½ Û Ò ½ Ô Û Ò ½ ½ ½ ÑÓ Òµ Û Hence all the elements Ï of witness the compositeness of Ò.

15 Hence for a Ò ¾ Æ there are three possible cases: 1. Ò is prime and all elements of Ò witness that; Ò 2. is composite, but all elements of Ò witness for the primality of Ò; Ò 3. is composite and at least half of the elements of Ò witness that. If the second case were impossible then the presented algorithm would be a Monte-Carlo algorithm for primality.

16 Unfortunately, there exist composite numbers Ò, such that Û Ò ½ ½ ÑÓ Òµ for all Û ¾ Ò. They are called Carmichael numbers. There are infinitely many of them, the smallest is 561. Still, the presented test is suitable if numbers from a trusted source are tested.

17 Let Ô ¾ È and ¾ Ô. Then is a quadratic residue (ruutjääk) if there exists ¾ Ô such that ¾ ÑÓ Ôµ. Half of the elements of Ô are quadratic residues and half are non-residues. The Legendre symbol for Ô ¾ Ô is defined by if Ô divides Ô if is a quadratic residue modulo Ô ½ if is a quadratic non-residue modulo Ô. ¼ ½

18 Ô ½ ¾ ÑÓ Ôµ The Legendre symbol satisfies Ô and hence also Ô Ô Ô In the following, we do not prove some number-theoretic claims. The proofs are given in the Number Theory course (MTPM ).

19 ¾ ½µ Ò¾ ½ ½ ½µ Ò ½µ Ñ Ò ½ ¾ ½µ Generalization: Ô ½ let Ò ½ Ô ¾ Let. The Jacobi symbol where Ô ½ Ô ¾ ÈÒ¾. Ò is defined by Ò ½ ½ Ô Ô It satisfies the following: Ò Ò ½ Ò Ò Ò Ñ Ò Ò Ñ ½ if Ñ Ò are odd numbers. ½µ Ò

20 ¾ ½ Ñ Ò otherwise The second row of identities once more: Ò ÑÓ ¾ ½ if if Ò ÑÓ ¾ ½ Ò Ñ Ò if ÑÓ Ò ÑÓ Ñ Ñ Ò These identities allow us to compute Ò without factoring Ò. The algorithm resembles Euclid s algorithm.

21 Solovay-Strassen primality test (for an odd Ò): 1. Generate a random Û ¾ ½ Ò ½. Ò ½ ¾ Ò Û ÑÓ 2. Let Ò. Let. 3. If ÑÓ Òµ then return yes, otherwise no. We ll show that this primality test is a Monte-Carlo algorithm with ½ ¾.

22 Û Ò ½ Û Ò ½ ¾ Û ¾ µ Ò ¾ ½ ÑÓ Òµ If Û witnesses Ò s primality according to S-S s test then it also witnesses Ò s primality according to Fermat s test. Indeed if ½ ¾ Ò Û Ò ÑÓ Òµ Û and Ò Û ¾ then ¾ ½ ¾ ½µ

23 Theorem. If Ò is odd composite then at least half of the elements of Ò witness the compositeness of Ò. Proof. First we show that there exists a Û ¾ Ò witnessing the compositeness of Ò. There are two cases: 1. case. Ò Ô ½ Ô where Ô ½ Ô ¾ È are all different. Let Ù be a quadratic non-residue modulo Ô ½. Let Û satisfy Ù ÑÓ Ô ½ µ Û ½ ÑÓ Ô ¾ Ô µ Û (use CRT to find Û ¾ such Ò). Then Û Ò Û Û ½ Ô Ô ½ ½ Ù ¾ Ô ½ Ô Ô ½

24 Ò ÕÒ To Û get ½ ¾ Ò ½ Òµ we need ½ Ò ¾ ½ ÑÓ Ô µ ÑÓ Û for ½. Û But ½ ¾ Ò ½ ÑÓ Ô µ for ¾. 2. case. There Ô ¾ È exists a and ¾, Ô such that divides Ô (and does not divide Ò). Ò ½ ½ Let ÒÔ. Û ½ ÑÓ Õµ Then for Õ ¾ È any Û dividing Ò. Û Û Õ ½ Ò ÕÒ ½ Õ¾È Õ¾È Ò

25 To Û get ½ ¾ Ò ½ Òµ we need ½ Ò ¾ ½ ÑÓ Õ ÒÕÒ µ ÑÓ Û ¾ È for all Õ dividing Ò. Û Consider. The order of the group is Ò ½ ¾ Ô Ô ÑÓ Ô ½ Ô ½µ, hence the order of Û in Ô can be Ö or Ô or Ô Ö ¾ ½ ½ Ö Ô for some and ½µ. We show that Ô ½ Ô µ Û ÑÓ hence Û the order of in is Ô. As Ô does not divide, Ò ½ ¾ Ô we Û cannot have ½ Ò ½ ÑÓ Ô µ. ¾

26 Û Ô ½ ÐÔ ½ µ Ô Ô Ô Ô Ð Ô ½µ ½µ ½ ½ ÑÓ Ô µ Ô ½ µ ÐÔ ¼ Ô Ô Ô ½µ ½µ ½ Ð ½ Ô Ð Ô ½ ¾ Ô ½ Ô Ð ¾

27 Ò ½ Ô µ ¾ Û Û Ò ½ ¾ Û Ò ½ ÛÔ ¾ Û ÛÔ Û ÛÔ We have found a Û ¾ witness Ò for the compositeness of Ò. I.e. Ò ½ ¾ Û Ò ÑÓ Û Òµ. We continue as before: Let Ï Ô Ò be the set of witnesses for the primality of Ò. Consider the set Û Û Ô Û Ô ¾ Ï Ô Ï Ï Then Ï Ô. We have Ò ½ ¾ Ô Û Ò Û Ò ÑÓ Òµ Hence all the elements of Ï witness the compositeness of Ò. Ò Ò

28 Let Ü be a random -bit odd integer. Consider the following events: A Ü is composite; B the S-S test returns Ü is prime Ñ times in a row. We have determined that ÈÖBA ¾ Ñ. Our confidence after running the S-S test Ñ times is better reflected by the probability ÈÖAB.

29 ÈÖBA ÈÖA ÈÖBA ÈÖA ÐÒ ¾ The complementary event A denotes that Ü is prime. ¾ µ ¾ ½ µ ÈÖA ½ ½ ½ ¾ ¾ ¾ ÐÒ ¾ ¾ ½ ½µ ÐÒ ¾ ¾ ½µ ÐÒ ¾ ½ ÈÖA ÈÖBA ÈÖAB ÈÖB ÈÖA ÈÖBA ÈÖBA ÈÖA ÈÖBA ÈÖA ½ ÐÒ ¾ ÐÒ ¾ ½ ÐÒ ¾ ½ ¾ Ñ ÈÖA ½ º ½ ÐÒ ¾ ¾Ñ ½ ÐÒ ¾ ½ I.e. ÈÖAB may be somewhat larger than ÈÖBA.

30 The idea of the Miller-Rabin primality test (for an odd Ò) is to find a square root ½ of modulo Ò. Ò If is prime then ½ ÑÓ Òµ has two values ½. We call these values the trivial square roots of ½. Ô Ò If is not prime then ½ ÑÓ Òµ has more values. If we have found Ô ¾ ½ ½, such that Ü ¾ ½ ÑÓ Òµ Ü Ò then must be composite. Let Ö and be defined Ò ½ ¾ by Ö, where Ö is odd.

31 Miller-Rabin primality test for Ò ¾ Ö ½ where ½ and Ö is odd: 1. Generate a random Û ¾ ½ Ò ½. 2. Compute the values Ù Û ¾Ö ÑÓ Ò for ¼ ½. ÑÓ Ò. Compute Ù ¼ Û Ö ÑÓ Ò and Ù ½ Ù ¾ 3. If one of the following holds Ù ¼ ½ ÑÓ Òµ; for some, Ù ½ ÑÓ Òµ; then return yes else return no. We ll show that this primality test is a Monte-Carlo algorithm with.

32 What is going on? Define also Ù Û Ò ½ ÑÓ Ò. For all ¾ ½, Ù ½ is one of the square roots of Ù. If Ù ½ then Ò is composite. Then also none of the Ù -s can be ½. In this case Ò has just failed Fermat test. If Û Fermat-witnesses the compositeness of Ò then it also MR-witnesses the compositeness of Ò.

33 Assume Ù that ½. Ù If ½ then the Ù elements Ù ½ must all be ½. Then we have ½ found as the square root of ½. Ù If ½ ¼ then we have only ½ found as the square root of ½. Ù Otherwise ½ Ù ½, ½ for ¾ ½ some. Then we have found a nontrivial square root of ½.

34 Lemma. Let be a cyclic group, Ñ. Ü Then ½ has exactly ѵ solutions in. Proof. Let be a generator of. Then is a solution to Ü ½ iff Ñ. Among ¼ Ñ ½, there are exactly ѵ such values for.

35 Lemma. Ô ¾ Let ÈÒ¾, Ô ½ ¾ let Ö where Ö is odd. Consider the equation ¾ÙØ ½ where Ø is odd. In Ô, it Ü has the following number of solutions: ¼, if Ù ; ¾ Ù Ö Øµ if Ù. Proof. Let be a generator of Ô. We are looking for the number of Ô ¾ -s in µ satisfying Ô ½ ¾ ¼ ¾ÙØ or ÑÓ ¾ Öµ ¾ Ù Ø ¾ ½ Ö

36 If Ù then we divide the equation and the modulus by ¾ ½ and obtain ¾ Ù ½ Ø Ö ÑÓ ¾Öµ here the left hand side is even, but the right hand side is odd. As the modulus is also even, there can be no solutions. Otherwise let Ö Øµ, then ¾ Ù Ø ¾ ½ Öµ ¾ Ù. Divide everything by ¾ Ù and get Ù Öµ ÑÓ ¾ Ù Öµµ ص ¾ ½ This has ¾ a unique solution modulo (because Ù Öµ Ù Öµ). Hence it has ¾ Ù solutions modulo ¾ Ö. ¾ ص

37 Theorem. Ò Let be an odd composite number. Then at most one quarter of Û ¾ ½ Ò ½ elements witness the primality Ò of according to M-R test. Proof. Ò ½ ¾ Let Ö with Ö odd. If Û witnesses the primality of then Ù ½ ÑÓ Òµ. Ò Consider the following three cases: Ô 1. Ò for some odd prime Ô; ¾ Ò ÔÕ 2. for distinct Ô primes and Õ; Ò Ô 3. Ô ½ for distinct primes.

38 Ò ¾ Ô Ô ½ ½ 1. Û case. Let witness the primality of Ù Ò, then ½ ½ ÑÓ Òµ. Then also Û Ò ½ ½ ÑÓ Ô µ. ¾ Ò Û Consider the Û equation ½ ½. In the cyclic group Ò ¾ Ô has Ò ½ Ô Ô ½µµ exactly solutions. As Ô Ò ½, we must have Ô ½. Modulo Ò, the number of solutions is at most ÒÔ ¾ µ. The fraction of the solutions is at most it ½ Ò ½ Ò Ô ¾ Ò Ô ¾ ½ Ò ¾ Ô ½ Ò ½ Ô ½ ½ Ô ¾ ½ Ô because Ô is an odd prime.

39 2. case. Let Ô ½ ¾ ¼ Ö ¼ and Õ ½ ¾ ¼¼ Ö ¼¼ with Ö ¼ Ö ¼¼ odd. Assume w.l.o.g. that ¼ ¼¼. If Û is a witness for the primality of Ò then one of the following holds: 1. Û Ö ½ ÑÓ Ôµ and Û Ö ½ ÑÓ Õµ. 2. Û ¾Ö ½ ÑÓ Ôµ and Û ¾Ö ½ ÑÓ Õµ for some ¾ ¼ ½. Indeed, using the chinese remainder theorem we get ½ Òµ in the first case and ½ ÑÓ Òµ in the ÑÓ second.

40 Ö ¼ Ö ¼¼ ½ ¼ Ò ½ Ô ½µ Õ ½µ Ö ¼ Ö ¼¼ ½ ¼ ¼ ¾ These cases have the following number of solutions: 1. Ö Ô ½µ Ö Õ ½µ Ö Ö ¼ µ Ö Ö ¼¼ µ Ö ¼ Ö ¼¼. 2. ¾ Ö Ö ¼ µ ¾ Ö Ö ¼¼ µ Ö ¼ Ö ¼¼ (for each where ÑÒ ¼ ¼¼ µ ¼ ). The total Ö is Ö at most ¼ È ½ ¼ ¼¼ ¼ Their fraction is Ö ¼ Ö ¼¼ Ö ¼ Ö ¼¼ ½ ¼ ½ µ. ½ ½ µ µ Ö¼ Ö ¼¼ ½ ¼ ½ µ ¼ ¼¼ Ö ¼ Ö ¼¼ ½ ¾ ¼ ¼¼ ¾

41 ¼ ¾ Either ¼ ¼¼ or ¼ ¼¼. If ¼ ¼¼ then ¾ ¼ ¼¼ ½ ¾ ¼ ½ ¼ ¾ ¾ ½ ¼ ¾ ¼ ½ ¾ ¾ ¾ ¼ ½ ¾ ½ ¾ ½ ¾ ¼ ½ ½ ¾ ½¾ ½

42 Ò ½ ¾ Ö ÔÕ ½ Ô ½µÕ Õ ½µ If ¼ ¼¼ then either Ö Ö ¼ µ Ö ¼ or Ö Ö ¼¼ µ Ö ¼¼. Indeed, assume the contrary, i.e. Ö ¼ Ö and Ö ¼¼ Ö. Then ¼ ¼ Õ Õ ½µ Õ ½ ÑÓ Ö ¼ µ ¾ Ö We ¾ also Ö ¼ ÑÓ Ö have µ, hence Õ ½ ¼ ÑÓ Ö µ, ¼ ¼ i.e. Ö ¼ Õ ½µ. We got Ö ¼ ¾ ¼¼ Ö ¼¼. As Ö ¼ ¾ ¼¼, we must have Ö ¼ Ö ¼¼. Analogously we can get Ö ¼¼ Ö ¼. I.e. Ö ¼ Ö ¼¼ and Ô Õ. This contradicts our premises.

43 Ö¼ Ö ¼¼ ¼ ¾ We have Ö Ö ¼ µ Ö Ö ¼¼ µ Ö ¼ Ö ¼¼. As all prime factors are odd, we can estimate Ö Ö ¼ µ Ö Ö ¼¼ µ Ö¼ Ö ¼¼. Our two cases for Û witnessing the primality of Ò have at most ¼ ½ Ö ¼ Ö ¼¼ solutions. Their fraction is at most ¼ Ö¼ Ö ¼¼ ¼ Ö ¼¼ ¼ ¾ Ö ¾ ¼ Ö ¼ Ö ¼¼ ½ ¾ ¾ ¾ ¼ ¾ ½ ½ ½ ½

44 3. case. Ô Let ½ ¾ Ö Ö where is odd. Assume w.l.o.g. that ÑÒ ½ ½ µ. Ê Ö Denote Ö ½. Û If witnesses the primality Ò of then one of the following holds: 1. Û Ö ½ ÑÓ Ô µ for ½. Û 2. ½ ÑÓ Ô ¾Ö µ for ¾ ½ all and for some ¾ ¼ ½ ½.

45 ¾ Ê Ê ½ ¾ ½ ½ These two cases have at most the following number of solutions: ½ 1. Ô ½µ É ½ Ö Ö µ É ½ Ö Ê. Ö É ½ 2. Ö Ö É µ ¾ Ê (for ¾ ¼ each ½ ¾ ½). And the total is at most ½ ½ Ê ¼ ¾ ½

46 ¾ ½ ½ ¾ ½ ½ Ê Ò ½ É ½ Ô ½µ ¾ ½ ½ ¾ ½ ½ Ê ¾ ½ And the fraction is at most Ê ¾ ½ ½ ¾ ½ ½ ¾ ½ Ê ¾ ½ ½ ¾ ½ ½ ½ ¾ ½ ¾ ¾ ¾ ½ ¾ ¾ ½ ¾ ¾ ¾ ½ ¾ ½ ½ ¾ ¾ ½ ¾ ¾ ½ ¾½ ¾ ½ ½ The M-R test requires only half as many trials as the S-S test to achieve the same level of confidence.

47 How could we try to break RSA? Ò Given µ, we could try to do one of the following: 1. factor Ò; 2. find ³ Òµ; 3. find ÑÓ ³ Òµµ; ½ 4. devise a method that, Ñ given ÑÓ Ò produces Ñ. 1 3 are equivalent. 4 is not known to be equivalent to factoring (but we ll come back to it). 4 is the RSA problem given Ò, Ñ, ÑÓ Ò, find Ñ.

48 Ü ¾ If we could find ³ Òµ then we could factor Ò. We d have the system of equations ÔÕ Ò From Ô Õ Ò ½ which ³ Òµ. Ô Then Õ and are the solutions of the following quadratic equation Ê (over ): Ô ½µ Õ ½µ ³ Òµ Ò ½ ³ ÒµµÜ Ò ¼

49 Given Ò, and, we can factor Ò as follows. We have ³ Òµ ½ for some ¾. We try to find a non-trivial square root of ½ modulo Ò. If Ü ¾ ½ ÑÓ Òµ, but Ü ½ ÑÓ Òµ then ¼ Ü ¾ ½ Ü ½µ Ü ½µ ÑÓ Òµ. We have Ò Ü ½µ Ü ½µ, but Ü ¾ ¾ Ò ¾. Hence neither Ü ½µ nor Ü ½µ is a multiple of Ò. We must have Ü ½µ ¼ Ô and Ü ½µ ¼¼ Õ (or vice versa). We ll find Ô and Õ by computing Ü ½ Òµ and Ü ½ Òµ.

50 Let ½ ¾ Ö where Ö is odd. Pick a Û ¾ ½ Ò random we have factored Ò. ½. If Û Òµ ½ then Otherwise let Ù Û ¾Ö ÑÓ Ò. (¼ ) If there exists an, such Ù that ½ Ù and ½ ½ ÑÓ Òµ then we have found a non-trivial square root of ½. What is the fraction of Û-s that give us a non-trivial square root of ½? Note that we certainly Ù have ½ ÑÓ Òµ.

51 If Û does not give a non-trivial square root of Ò then one of the following holds: Û Ö ½ ÑÓ Ôµ and Û Ö ½ ÑÓ Õµ. Û ¾Ö ½ ÑÓ Ôµ and Û ¾Ö ½ ÑÓ Õµ for some ¾ ¼ ½. We have already counted that the fraction of such Û-s is at most ½. Hence the fraction of Û-s giving us a non-trivial square root of Ò is at least.

52 Let us review some factoring algorithms. Trial division to factor Ò, we try to divide it with all prime numbers not larger than Ò. Feasible only if Ò is small. Ô In the following Ò let (the number to factor) be odd. Our task is to find a non-trivial factor of Ò.

53 Pollard s Ô ½ algorithm: Let ¾ Æ be a parameter ( upper bound ). 1. Let ¾ ÑÓ Ò for ½. ÑÓ Ò. Compute: ½ ¾ and ½ 2. Let ½ Òµ. 3. If ½ Ò for some then return else fail.

54 The method works if Ò has a prime factor Ô, such that Ô ½µ has only small factors. An integer with only small prime factors is called smooth. If Õ Ô ½µ and Õ is a prime power then Õ must hold. In this case Ô ½µ. We have ¾ also ¾ ÑÓ Ôµ. ÑÓ Òµ, hence This, together with ¾ Ô ½ ½ ÑÓ Ôµ and Ô ½µ gives us ½ ÑÓ Ôµ and Ô ½µ. Together with Ô Ò we get Ô a non-trivial factor of Ò. ½ Òµ. This gcd is

55 To protect the RSA modulus Ò ÔÕ from factoring with the Pollard s Ô ½ algorithm we must ensure that Ô ½ and Õ ½ have large factors. A common way to do this is to let Ô ¼ and Õ ¼ be prime numbers of appropriate size and define Ô ¾Ô ¼ ½, Õ ¾Õ ¼ ½. A prime Ô is safe is Ô ½ is also prime. ¾

56 Dixon s algorithm attempts to find numbers Ü Ý ¾ Ò, such that Ü ¾ Ý ¾, but Ü Ý. Then Ü Ý Òµ and Ü Ý Òµ are non-trivial factors of Ò. 1. Somehow fix a set B È of small primes. 2. Search for elements Ü Ô Ò, such that all prime factors of Ü ¾ ÑÓ Ò are inb. Letd Ü Ôµ be the degree of Ô ¾ B in the prime factorization of Ü ¾ ÑÓ Ò. 3. Choose Ü elements Ü ½, such that È ½ d Ü Ôµ is even for Ô ¾ all B. 4. We have Ü ½ Ü µ ¾ É ¾ ¾ Ô¾B Ô these two numbers µ under negations of each other. ¾ Òµ. Hopefully ÑÓ are neither equal nor

57 The set B will simply contain the first primes for some. There is a trade-off: If is small then we need less different Ü-s to come up with a Ü set Ü ½ whose product is a square, but Ü ¾ ÑÓ Ò has all prime factors in B for less Ü-s. If is large then a larger fraction of Ü ¾ ÑÓ Ò-s has all prime factors in B but we need more different Ü-s to come up with the set Ü ½ Ü. The search for Ü-s will typically just consider the numbers Ô Ò, where ¾ Æ. A variant of the Dixon s algorithm is the quadratic sieve.

58 An RSA modulus Ò ÔÕ will be factored using this method if Ô Õ. In this case Ô Õ ¾ be considered. is just a little bit larger than Ô Ò, so it will Also, Ô Õ Ô Õµ¾ ¾ number (hence it is likely that all its factors are in B) and ¾ ÑÓ Ò Ô Õµ ¾ moreover a perfect square. Ò which is a small The Ü set of -s can then be a single number. Ô Õ ¾ To thwart this attack, the lengths of Ô and Õ should differ by a few bits.

59 Quadratic sieve optimizes the finding of Ü-s, such that ܵ Ü ¾ ÑÓ Ò is smooth. If Ü ² Ô Ò, then ܵ Ü ¾ Ò. Ü Ü ½ Ü ¾ Ü Ü Ü Ü... To sieve modulo Ô ¾ B, select only numbers congruent to Ò ÑÓ Ôµ. Ô Select Ô into B only if Ô Ò ÑÓ Ôµ exists. Do trial division only for selected Ü-s and Ô-s.

60 We may try to solve the RSA problem (find Ñ from Ò,, Ñ ÑÓ Ò) as follows (cycling attack): Compute ÑÓ Ò, ¾ ÑÓ Ò, ÑÓ Ò, ÑÓ Ò etc. until ÑÓ Òµ for some. Compute: ÑÓ Ò ½ ÑÓ Ò. Then is a suitable Ñ. ½ Generalization of the attack: find the smallest, such that ½. If this gcd Ò is then we have solved the Òµ RSA problem, otherwise we have factored Ò. The second case supposedly appears much more frequently, hence this attack is equivalent to factoring.

61 But factoring is no harder than solving the RSA-problem using a generic algorithm. A generic algorithm A accesses an oracle O to perform the operations in Ò. The internal state ofois Ä a list of elements of Ò (initially ). A can give O commands Æ Æ, where is an arithmetic operation. O Ä then Æ Ä computes and appends it to Ä. A can also ask Ä O whether Ä and are equal. Finally, A must output an index, Ä such that.

62 Let ¼ ½ ¼ ½ be a function. ܵ contains partial information about Ü. Is it possible to extracting some non-trivial partial information about Ñ from Ò,, Ñ ÑÓ Ò? I.e. given Ò,,, compute ѵ. We show that for some interesting -s, extracting partial information is as hard as finding the message Ñ. We consider functions ÔÖØÝ Ñµ Ñ ÑÓ ¾ Ð Ò Ñµ Ñ Ò¾

63 Suppose that there exists an efficient algorithm O, such that O Ò µ Ð Ò Ñµ, where Ñ ÑÓ Òµ. We can compute Ñ from, Ò, as follows: Let O ¾ ÑÓ Ò Ò µ. ¾ Compute: ¾, and ¾ ¾ ½µ µ ¾. ¼... everything modulo Ò Return Ò ÐÓ Ò ½ ¾ ¼

64 By querying O Ò µ we ll know whether ¼ Ñ or Ò¾ Ñ Ò. Ò¾ Note ¾ ¾Ñµ that. By querying O ¾ Ò µ we ll know Ò whether is smaller or larger than Ò¾. ¾Ñ ÑÓ I.e. we ll know whether ¼ Ñ Ò Ò¾ Ñ Òµ or Ò Ñ Ò¾ Ò Ñ Òµ The answer to the first query picks the left or the right side of. We have now fixed a quarter of the interval ¼ Òµ where Ñ must lay.

65 The query O ¾ ¾ Ò µ O ѵ Ò µ allows us to fix an 8th of the ¼ Òµ interval Ñ where must lay. The query O ¾ Ò µ O ѵ Ò µ allows us to fix a 16th of the ¼ Òµ interval Ñ where must lay. etc. In ÐÓ Ò queries the length of the permissible interval will be at most ½.

66 Suppose that there exists an efficient algorithm Q, such that Q Ò µ ÔÖØÝ Ñµ, where Ñ ÑÓ Òµ. Then we can implement O: O Ò µ Q ¾ Ò µ. I.e. to compute the size of Ñ, we consider the parity of ¾Ñ ÑÓ Ò. If Ñ Ò¾ then ¾Ñ Ò and ¾Ñ ÑÓ Ò ¾Ñ which is even. If Ñ Ò¾ then ¾Ñ Ò and ¾Ñ ÑÓ Ò ¾Ò is odd. Ñ which

67 Other tests of whether the plaintext has a particular shape can be used to factor Ò. For example, the RSA Laboratories Public Key Cryptography Standard #1 v. 1.5 specified that to encrypt a message Å, it has to be padded as follows: ¼¼¼¾ÈË ¼¼Å where ÈË is a random sequence of at least 8 non-zero bytes. In 1998 it was shown how to use a subroutine for checking the PKCS #1 v. 1.5 conformance of the plaintext to factor Ò.

68 Let Ò ÔÕ be the product of two large primes. We saw that if we knew a non-trivial square root of ½ modulo Ò then we could factor Ò. In general, if we know Ü and Ý, such that Ü Ý ÑÓ Òµ, but Ü ¾ Ý ¾ ÑÓ Òµ then we can factor Ò. Indeed, then Ü ¾ Ý ¾ Ü Ýµ Ü Ýµ ¼ ÑÓ Òµ, implying Ò Ü Ýµ Ü Ýµ, but Ò divides neither Ü Ý nor Ü Ý. We have Ò Ü Ýµ Ô and Ò Ü Ýµ Õ (or vice versa).

69 Ò ÔÕ If Ñ ¾ and Ò is a quadratic residue modulo Ñ then has exactly four different square roots (modulo Ò). Ñ If one of them is Ü ½ then the other three are the solutions of Ü ¾ Ü ½ ÑÓ Ôµ Ü ¾ Ü ½ ÑÓ Õµ Ü Ü ½ ÑÓ Ôµ Ü Ü ½ ÑÓ Õµ Ü Ü ½ ÑÓ Ôµ Ü Ü ½ ÑÓ Õµ Here Ü ½ Ü ÑÓ Òµ and Ü ¾ Ü ÑÓ Òµ.

70 Consider the family of functions Ò Ò¾Æ defined by Ò Üµ Ü ¾ ÑÓ Ò and the distribution of Ò is such that Ò ÔÕ for randomly chosen primes Ô and Õ of certain (large) size. is a family of one-way functions unless factoring is easy.

71 Assume that there exists an efficient algorithm A, such that A Ò Ñµ ¾ Ñ ÑÓ Òµ If we want to factorize some Ò ÔÕ then we Randomly generate Ü ¾ Ò. Check Ü Òµ whether ½... Let Ý A Ò Ü ¾ ÑÓ Òµ. If Ü Ý ÑÓ Òµ then Ò Ü let ݵ, return Òµ else fail. Success probability is ¼± because A does not know Ü.

72 Rabin s cryptosystem: let Ò ÔÕ where Ô Õ ¾ È and Ô Õ ÑÓ µ. Public key: Ò. Private key: Ô Õµ. Encryption: Ò Ñµ Ñ ¾ ÑÓ Ò. Decryption: ÔÕµ µ Ô ÑÓ Òµ. Decryption is not unique. The message Ñ is assumed to contain enough redundancy, such that one of the four possible values of Ô can be selected. Later schemes overcome this non-uniqueness.

73 Ô ½ Ô ½ ¾ Ô ½ How to take square roots modulo Ò? Compute Ô ÑÓ Ôµ and Ô ÑÓ Õµ and use the Chinese Remainder Theorem. How to take square roots modulo Ô? Ô ½ is one of the square roots of modulo Ô. ¾ because Ô ÑÓ µ. Indeed, ¾ Ô ½ ¾ ÑÓ Ôµ Ô And the other square Ô root modulo is. Ô ½ If Ô ½ ÑÓ µ then finding square roots modulo Ô is feasible, but more complex.

74 Rabin s cryptosystem is provably secure against chosenplaintext attacks. As long as ÔÕµ randomly chooses one of four possibilites. But it is insecure against chosen-ciphertext attacks. As long as ÔÕµ randomly chooses one of four possibilites. If redundancy is taken into account, ÔÕµ Ü ¾ ÑÓ Òµ returns Ü with overwhelming probability. Other three values of Ô Ü ¾ are not valid plaintexts.