* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Lecture 9 - MyCourses
Lateral computing wikipedia , lookup
Genetic algorithm wikipedia , lookup
Computational complexity theory wikipedia , lookup
Multiplication algorithm wikipedia , lookup
K-nearest neighbors algorithm wikipedia , lookup
Selection algorithm wikipedia , lookup
Simplex algorithm wikipedia , lookup
Diffie–Hellman key exchange wikipedia , lookup
Smith–Waterman algorithm wikipedia , lookup
Sieve of Eratosthenes wikipedia , lookup
Fast Fourier transform wikipedia , lookup
Fisher–Yates shuffle wikipedia , lookup
Algorithm characterizations wikipedia , lookup
Expectation–maximization algorithm wikipedia , lookup
Dijkstra's algorithm wikipedia , lookup
Polynomial greatest common divisor wikipedia , lookup
Euclidean algorithm wikipedia , lookup
Time complexity wikipedia , lookup
Factorization of polynomials over finite fields wikipedia , lookup
Cryptology T-79.5501 Lecture 9 Kaisa Nyberg Department of Computer Science Aalto University School of Science 3 March 2016 Lecture 9 Jacobi Symbol Tests for Composites Factoring Algorithms Other Attacks on RSA Wiener’s Attack T-79.5501 Cryptology Spring 2016 2/27 Legendre Symbol ◮ Definition: (Legendre Symbol) Suppose p is an odd For prime. a any integer a ≥ 0, we define the Legendre symbol p as follows: 0 if a ≡ 0 (mod p) a 1 if a is a quadratic residue mod p = p −1 if a is a quadratic non-residue mod p. ◮ Putting together this definition and Euler’s criterion we get ◮ Theorem: Suppose p is an odd prime. Then p−1 a ≡a 2 (mod p) for all a, 0 ≤ a. p T-79.5501 Cryptology Spring 2016 3/27 Jacobi Symbol and Euler-Jacobi Pseudo-Prime ◮ Definition: (Jacobi symbol) Suppose n is an odd positive integer with prime power factorization p1e1 · · · pkek . Let a ≥ 0 be an a integer. The Jacobi symbol n is defined to be a n = e k Y a i i=1 pi . ◮ The Jacobi symbol can be evaluated efficiently without factorization of n using 4 properties (see the next slide). ◮ Suppose n is composite. Given integer a ≥ 0, Euler’s criterion a n−1 (mod n) ≡a 2 n may or may not hold. If it holds, then n is called Euler-Jacobi pseudoprime to the base a. T-79.5501 Cryptology Spring 2016 4/27 Computing Jacobi Symbol Four properties (Stinson): m 1 1. If n is a positive odd integer and m1 ≡ m2 (mod n), then: 2. If n is a positive odd integer, then: 3. ( 2 1 = −1 n n = m 2 n . if n ≡ ±1 (mod 8) if n ≡ ±3 (mod 8). m m m m 1 2 1 2 = . n n n k m t 2 . = In particular, if m = 2k t and t odd, then: n n n If n is a positive odd integer, then: 4. Suppose(m and n are positive odd integers. Then: m n − m if m ≡ n ≡ 3 (mod 4) = n otherwise. n m Property 4 is also known as Gaussian reciprocity law. Example: 129 151 T-79.5501 Cryptology Spring 2016 5/27 Decision Problem: COMPOSITES ◮ COMPOSITES: Given a positive integer n ≥ 2, is n composite? ◮ The problem COMPOSITES (and PRIMES) is in ∈ P. The best known algorithm is not efficient enough for practical applications. ◮ A Monte Carlo Algorithm: a non-deterministic algorithm, which always gives an answer (in polynomial time). ◮ A Monte Carlo algorithm is yes-biased if the “yes” answer is always correct, but the “no” answer may be incorrect. ◮ A Monte Carlo algorithm is no-biased if the “no” answer is always correct, but the “yes” answer may be incorrect. ◮ The error probability is computed over all possible random choices made by the algorithm when it is run. ◮ Next two yes-biased Monte Carlo algorithm for solving the COMPOSITES problem will be presented. T-79.5501 Cryptology Spring 2016 6/27 The Solovay-Strassen Primality Test ◮ Choose a random integer a, 1 ≤ a ≤ n − 1 ◮ ◮ if a ≡a n−1 2 n then answer “n is prime” else answer “n is composite”. (mod n) ◮ The Solovay-Strassen algorithm is a yes-biased Monte Carlo Algorithm for COMPOSITES-problem, that is, the answer “n is composite” is always correct but the answer “n is prime” may or may not be correct. ◮ The error probability is less than 12 . T-79.5501 Cryptology Spring 2016 7/27 A simple algorithm for testing compositeness A still simpler test (see T-79.4202 Principles of Algorithmic Techniques 2010 Lecture 4 p. 6-7) based on Fermat’s theorem: Algorithm 1: An algorithm for testing compositeness 1 2 3 4 5 6 7 function compositeness (N); Input: Positive integer N Output: yes/no Pick a positive integer a < N at random; if aN−1 ≡ 1 (mod N) then return no; else return yes; end The answer ”yes” is always correct by Fermat’s little theorem. The answer ”no” may be not be correct. T-79.5501 Cryptology Spring 2016 8/27 The Miller-Rabin Primality Test ◮ Write n − 1 = 2k m, where m is odd. ◮ Choose a random integer a, 1 ≤ a ≤ n − 1. ◮ Compute b = am mod n. ◮ If b ≡ 1 mod n then answer “n is prime”. ◮ For i = 0 to k − 1 do ◮ ◮ if b ≡ −1 (mod n) then answer “n is prime”. else b = b2 mod n. ◮ Answer “n is composite”. ◮ The tests does not detect compositeness of n if the trivial square root -1 of 1 is i encountered when computing a2 m , i = 1, . . . , k − 1. If -1 is not encountered i then some of a2 m is a non-trivial square root of 1 proving that n is composite. ◮ The Miller-Rabin primality test is a yes-biased Monte Carlo algorithm for COMPOSITES-problem. The error probability can be shown to be at most 14 . T-79.5501 Cryptology Spring 2016 9/27 PRIMES-problem ◮ Problem: Given a positive integer n, answer the question: is n prime? ◮ Clearly PRIMES ∈ coN P, as compositeness of an integer can be checked in polynomial time given the factors. ◮ Solovay-Strassen, Miller-Rabin: PRIMES ∈ coPP (the negative answer can be given in polynomial time using a probabilistic polynomial-time algorithm) ◮ Miller (1976): Generalised Riemann Hypothesis (if it holds) would imply that PRIMES ∈ P ◮ Agrawal, M., N. Kayal, and N. Saxena (2002) PRIMES ∈ P. Available at ✇✇✇✳❝s❡✳✐✐t❦✳❛❝✳✐♥✴✉s❡rs✴♠❛♥✐♥❞r❛✴❛❧❣❡❜r❛✴ ♣r✐♠❛❧✐t②❴✈✻✳♣❞❢ The resulting algorithm still not practical. ◮ Further Readings: ❤tt♣✿✴✴❝r✳②♣✳t♦✴♣❛♣❡rs✴❛❦s✳♣❞❢ T-79.5501 Cryptology Spring 2016 10/27 The Pollard p − 1 Algorithm ◮ Let B be a positive integer and p a factor of n. The Pollard p − 1 algorithm works if all prime power divisors of p − 1 are less than or equal to B. ◮ Set a = 2. ◮ For j = 2, . . . , B compute a = aj mod n, that is, compute a = 2B! mod n. ◮ Compute d = gcd(a − 1, n). ◮ If 1 < d < n, then return d; else return “failure”. ◮ The complexity of the algorithm is O B log B(log n)2 + (log n)3 . T-79.5501 Cryptology Spring 2016 11/27 Why Pollard p − 1 Works ◮ a = 2B! (mod n) ◮ If w ≤ B for every prime power w that divides p − 1, then p − 1 divides B!. ◮ Since p divides n, it must be that a ≡ 2B! (mod p). ◮ Since 2p−1 ≡ 1 (mod p), it follows that a ≡ 1 (mod p). ◮ Then p divides a − 1 and therefore p divides d = gcd(a − 1, n). ◮ d is a non-trivial divisor of n unless a = 1. ◮ If a = 1 the algorithm can be repeated using some other value than 2 to initialize a. T-79.5501 Cryptology Spring 2016 12/27 Dixon’s Random Squares ◮ ◮ ◮ ◮ Suppose that we can find integers x and y such that x 6= ±y (mod n) and x 2 ≡ y 2 (mod n). Then n divides neither x − y nor x + y . Then gcd(x − y , n) is a non-trivial divisor of n. For example, 102 ≡ 322 (mod 77). It follows that gcd(32 − 10, 77) is a non-trivial divisor of 77, which indeed holds. ◮ The algorithm uses a factor base B which is a set of small primes. ◮ Then generate several integers z such that the prime factors of z 2 mod n are in the set B. ◮ Find a subset z1 , . . . , zs of these integers such that the total number of occurrences of each prime factor in the squares of these numbers is even. ◮ Then z12 × . . . × zs2 is equivalent modulo n to a square of a product of numbers from B. T-79.5501 Cryptology Spring 2016 13/27 Random Squares Example ◮ n = 15770708441 and B = {2, 3, 5, 7, 11, 13}. ◮ Select z1 z2 = = z3 = 8340934156 , then z12 ≡ 3 × 7 (mod n) 12044942944 , then z22 ≡ 2 × 7 × 13 (mod n) 2773700011 , then z32 ≡ 2 × 3 × 13 (mod n). ◮ (z1 z2 z3 )2 ≡ 95034357852 ≡ (2 × 3 × 7 × 13)2 = 5462 (mod n). ◮ gcd(9503435785 − 546, 15770708441) = 115759. ◮ Factoring algorithms, see: LENSTRA Arjen, Update on Factoring “A kilobit special number field sieve factorization” at ❤tt♣✿✴✴✇✐❦✐✳✉♥✐✳❧✉✴❡s❝✴❞♦❝s✴❆✰❦✐❧♦❜✐t✰s♣❡❝✐❛❧✰♥✉♠❜❡r✰ ❢✐❡❧❞✰s✐❡✈❡✰❢❛❝t♦r✐③❛t✐♦♥✳♣♣t ◮ See also ❤tt♣s✿✴✴❡♥✳✇✐❦✐♣❡❞✐❛✳♦r❣✴✇✐❦✐✴❘❙❆❴♥✉♠❜❡rs T-79.5501 Cryptology Spring 2016 14/27 Computing φ(n) ◮ If we can compute φ(n), then one can factor n. ◮ Given φ(n) one can solve p from the system of equations n φ(n) ◮ = = pq (p − 1)(q − 1) By substituting q = n/p to the second equation, one gets p2 − (n − φ(n) + 1)p + n = 0. ◮ The two solutions p of this quadratic equation are the factors of n. T-79.5501 Cryptology Spring 2016 15/27 The Private Exponent ◮ If we can compute the private exponent then we can factor n with at least probability 1/2. Repeating m times gives success probability 1 − (1/2)m . ◮ Las Vegas algorithm is a randomized algorithm which may fail to give an answer, but if it gives an answer, the answer is correct. ◮ Given a, b and n, with ab ≡ 1 (mod φ(n)). ◮ The idea is to find a non-trivial square root of 1 modulo n. ◮ write ab − 1 = 2s r , where r is odd. ◮ Choose w at random such that 1 ≤ w ≤ n − 1. Check that gcd(w, n) = 1. (If not, a non-trivial factor of n has been found!) ◮ Compute v = w r mod n. If v = 1, then return “failure”. k −1 k ◮ Else find k ≤ s such that v0 = v 2 6= 1(modn) and v02 = v 2 ≡ 1(modn). ◮ If v0 ≡ −1 (mod n), then return “failure”. ◮ Else compute d = gcd(v0 + 1, n). Return d, which is a non-trivial factor of n. T-79.5501 Cryptology Spring 2016 16/27 The Private Exponent – Example ◮ (Stinson 5.30) Suppose that Bob has carelessly revealed his decryption exponent to be a = 14039 in an RSA Cryptosystem with public key n = 36581 and b = 4679. Implement the randomized algorithm to factor n given this information. Test your algorithm with the “random” choices w = 9983 and w = 13461. ◮ We have a = 14039, b = 4679, n = 36581 and write ab − 1 = 2s r = 25 × 2052765. We choose w = 2. ◮ ◮ ◮ v ← w r mod n = 22052765 mod 36581 = 12117 6= 1, continue. 2 v0 ← v 2 mod n = 22136 6= ±1, v02 ≡ v 2 ≡ 1 (mod n) and k = 2. d ← gcd(v0 + 1, n) = gcd(22137, 36581) = 157. Thus we have 36581 = 157 × 233. T-79.5501 Cryptology Spring 2016 17/27 Wiener’s Small Private Exponent Attack √ If 3a < 4 n, where n = pq and q < p < 2q, then there is an efficient deterministic algorithm for computing a and the factorization of n. Note. Assumption q < p < 2q typically holds. When q < p, then for security, one should select p ≥ 2q. For efficiency, p and q are usually selected to satisfy p ≈ 2q. T-79.5501 Cryptology Spring 2016 18/27 RSA Equation ab − k φ(pq) = 1 (1) for some k , where only b is known. Additional information: pq = n is known and q < p < 2q. Then we have √ n > φ(n) = (p − 1)(q − 1) = pq − p − q + 1 ≥ n − 3 n. Also we know that b < φ(n), hence k < a. Wiener (1989) showed how to exploit this information to solve (1) for the private exponent a and all other parameters k , p and q provided that a is sufficiently small. Wiener’s method is based on continued fractions. T-79.5501 Cryptology Spring 2016 19/27 Continued Fractions Every positive rational number t has a unique representation as a finite chain of fractions q1 + 1 q2 + 1 q3 +···+ , 1 qm−1 + 1 qm where qi , i = 1, 2, . . . , m, are positive integers and qm > 1. Then we write t = [q1 , q2 , q3 , . . . , qm ]. T-79.5501 Cryptology Spring 2016 20/27 Convergent Let t = [q1 , q2 , q3 , . . . , qm ] be a rational number. For each j, 1 ≤ j ≤ m, the rational number tj = [q1 , q2 , q3 , . . . , qj ] is called the jth convergent of t. For t = vu , just run the Euclidean algorithm on u and v to find the integers qi , i = 1, 2, . . . , m. We state without proof: Theorem 5.14 Suppose that gcd(u, v ) = gcd(c, d) = 1 and Then of vu . c d u 1 c . − < v d 2d 2 is one of the convergents of the continued fraction expansion T-79.5501 Cryptology Spring 2016 21/27 Solving the RSA Equation Recall the RSA equation: ab − k φ(n) = 1. Write it as: b k 1 − = . φ(n) a aφ(n) By Thm 5.14, if 2a < φ(n), then k /a is a convergent of b/φ(n). But we do not know φ(n). Wiener used the fact that φ(n) ≈ n and showed that ka can be computed as a convergent of bn . T-79.5501 Cryptology Spring 2016 22/27 Wiener’s Theorem Theorem. If in the RSA cryptosystem a< 1√ 4 n, 3 that is, the length of the private exponent a is less than about one fourth of the length of n, then a can be computed in polynomial time with respect to the length of n. Proof. We show that k /a is a convergent of b/n. If this is the case, then k /a can be computed in polynomial time using Euclid’s algorithm. We estimate: b k ab − kn 1 + k φ(n) − kn 3 1 = ≤ 3k − = a√n < √n < 2a2 . n a an an The claim follows from Thm 5.14. T-79.5501 Cryptology Spring 2016 23/27 Wiener’s Algorithm (1) First the convergents cj b = [q1 , q2 , q3 , . . . , qj ] of dj n j = 1, 2, . . ., are computed by Euclid’s algorithm by setting r0 = b and r1 = n as follows. Set c0 = 1, c1 = q1 , d0 = 0, d1 = 1. Given qj such that rj−1 = qj rj + rj+1 set cj = qj cj−1 + cj−2 dj = qj dj−1 + dj−2 . T-79.5501 Cryptology Spring 2016 24/27 Wiener’s Algorithm (2) For the correct convergent k /a = cj /dj it holds that bdj − cj φ(n) = 1. To find it, we compute for each convergent n′ = dj b − 1 cj and check if n′ = φ(n). The check is based on the fact that if n′ = φ(n) then the equation x 2 − (n − n′ + 1)x + n = 0 has two positive integer solutions p and q. T-79.5501 Cryptology Spring 2016 25/27 Wiener’s Algorithm – Example ◮ Stinson, Problem 5.32: Suppose that n = 317940011 and b = 77537081 in the RSA Cryptosystem. Using Wiener’s Algorithm, attempt to factor n. If you succeed, determine the secret exponent a and φ(n). ◮ Running Wiener’s algorithm we get: j 0 1 2 3 4 5 6 .. . rj 77537081 317940011 77537081 7791687 7411898 379789 195907 .. . qj 0 0 4 9 1 19 1 .. . cj 1 0 1 9 10 199 209 .. . dj 0 1 4 37 41 816 857 .. . n′ 310148323 318763555.111 317902032 317940995.452 .. . T-79.5501 Cryptology Spring 2016 26/27 Example Continued ◮ j = 2 no solution, since n′ is odd (φ(n) is divisible by 4). ◮ j = 3 no solution, since n′ is not integer. ◮ j = 4 looks promising. Substitute n = 317940011 and n′ = 317902032 to equation x 2 − (n − n′ + 1)x + n = 0 and get x 2 − 37980x + 317940011 = 0, from where we get solutions for p and q, which are x = 18990 ± 6533. Then a = d4 = 41, and φ(n) = n′ = 317902032. T-79.5501 Cryptology Spring 2016 27/27