Download Lecture 9 - MyCourses

Cryptology T-79.5501
Lecture 9
Kaisa Nyberg
Department of Computer Science
Aalto University School of Science
3 March 2016
Lecture 9
Jacobi Symbol
Tests for Composites
Factoring Algorithms
Other Attacks on RSA
Wiener’s Attack
T-79.5501 Cryptology
Spring 2016
2/27
Legendre Symbol
◮
Definition: (Legendre Symbol) Suppose p is an odd
For
prime.
a
any integer a ≥ 0, we define the Legendre symbol p as
follows:

 0 if a ≡ 0 (mod p)
a
1 if a is a quadratic residue mod p
=

p
−1 if a is a quadratic non-residue mod p.
◮
Putting together this definition and Euler’s criterion we get
◮
Theorem: Suppose p is an odd prime. Then
p−1
a
≡a 2
(mod p) for all a, 0 ≤ a.
p
T-79.5501 Cryptology
Spring 2016
3/27
Jacobi Symbol and Euler-Jacobi Pseudo-Prime
◮
Definition: (Jacobi symbol) Suppose n is an odd positive
integer with prime power factorization
p1e1 · · · pkek . Let a ≥ 0 be an
a
integer. The Jacobi symbol n is defined to be
a
n
=
e
k Y
a i
i=1
pi
.
◮
The Jacobi symbol can be evaluated efficiently without
factorization of n using 4 properties (see the next slide).
◮
Suppose n is composite. Given integer a ≥ 0, Euler’s criterion
a
n−1
(mod n)
≡a 2
n
may or may not hold. If it holds, then n is called Euler-Jacobi
pseudoprime to the base a.
T-79.5501 Cryptology
Spring 2016
4/27
Computing Jacobi Symbol
Four properties (Stinson):
m 1
1. If n is a positive odd integer and m1 ≡ m2 (mod n), then:
2. If n is a positive odd integer, then:
3.
(
2
1
=
−1
n
n
=
m 2
n
.
if n ≡ ±1 (mod 8)
if n ≡ ±3 (mod 8).
m m m m 1 2
1
2
=
.
n
n n k
m
t
2
.
=
In particular, if m = 2k t and t odd, then:
n
n
n
If n is a positive odd integer, then:
4. Suppose(m and n are positive odd integers. Then:
m
n
− m
if m ≡ n ≡ 3 (mod 4)
=
n
otherwise.
n
m
Property 4 is also known as Gaussian reciprocity law. Example:
129
151
T-79.5501 Cryptology
Spring 2016
5/27
Decision Problem: COMPOSITES
◮
COMPOSITES: Given a positive integer n ≥ 2, is n composite?
◮
The problem COMPOSITES (and PRIMES) is in ∈ P. The best
known algorithm is not efficient enough for practical applications.
◮
A Monte Carlo Algorithm: a non-deterministic algorithm, which
always gives an answer (in polynomial time).
◮
A Monte Carlo algorithm is yes-biased if the “yes” answer is
always correct, but the “no” answer may be incorrect.
◮
A Monte Carlo algorithm is no-biased if the “no” answer is
always correct, but the “yes” answer may be incorrect.
◮
The error probability is computed over all possible random
choices made by the algorithm when it is run.
◮
Next two yes-biased Monte Carlo algorithm for solving the
COMPOSITES problem will be presented.
T-79.5501 Cryptology
Spring 2016
6/27
The Solovay-Strassen Primality Test
◮
Choose a random integer a, 1 ≤ a ≤ n − 1
◮
◮
if
a
≡a
n−1
2
n
then answer “n is prime”
else answer “n is composite”.
(mod n)
◮
The Solovay-Strassen algorithm is a yes-biased Monte Carlo
Algorithm for COMPOSITES-problem, that is, the answer “n is
composite” is always correct but the answer “n is prime” may or
may not be correct.
◮
The error probability is less than 12 .
T-79.5501 Cryptology
Spring 2016
7/27
A simple algorithm for testing compositeness
A still simpler test (see T-79.4202 Principles of Algorithmic
Techniques 2010 Lecture 4 p. 6-7) based on Fermat’s theorem:
Algorithm 1: An algorithm for testing compositeness
1
2
3
4
5
6
7
function compositeness (N);
Input: Positive integer N
Output: yes/no
Pick a positive integer a < N at random;
if aN−1 ≡ 1 (mod N) then
return no;
else
return yes;
end
The answer ”yes” is always correct by Fermat’s little theorem. The
answer ”no” may be not be correct.
T-79.5501 Cryptology
Spring 2016
8/27
The Miller-Rabin Primality Test
◮ Write n − 1 = 2k m, where m is odd.
◮ Choose a random integer a, 1 ≤ a ≤ n − 1.
◮ Compute b = am mod n.
◮ If b ≡ 1 mod n then answer “n is prime”.
◮ For i = 0 to k − 1 do
◮
◮
if b ≡ −1 (mod n) then answer “n is prime”.
else b = b2 mod n.
◮ Answer “n is composite”.
◮ The tests does not detect compositeness of n if the trivial square root -1 of 1 is
i
encountered when computing a2 m , i = 1, . . . , k − 1. If -1 is not encountered
i
then some of a2 m is a non-trivial square root of 1 proving that n is composite.
◮ The Miller-Rabin primality test is a yes-biased Monte Carlo algorithm for
COMPOSITES-problem. The error probability can be shown to be at most 14 .
T-79.5501 Cryptology
Spring 2016
9/27
PRIMES-problem
◮
Problem: Given a positive integer n, answer the question: is n
prime?
◮
Clearly PRIMES ∈ coN P, as compositeness of an integer can
be checked in polynomial time given the factors.
◮
Solovay-Strassen, Miller-Rabin: PRIMES ∈ coPP (the negative
answer can be given in polynomial time using a probabilistic
polynomial-time algorithm)
◮
Miller (1976): Generalised Riemann Hypothesis (if it holds)
would imply that PRIMES ∈ P
◮
Agrawal, M., N. Kayal, and N. Saxena (2002) PRIMES ∈ P.
Available at ✇✇✇✳❝s❡✳✐✐t❦✳❛❝✳✐♥✴✉s❡rs✴♠❛♥✐♥❞r❛✴❛❧❣❡❜r❛✴
♣r✐♠❛❧✐t②❴✈✻✳♣❞❢ The resulting algorithm still not practical.
◮
Further Readings: ❤tt♣✿✴✴❝r✳②♣✳t♦✴♣❛♣❡rs✴❛❦s✳♣❞❢
T-79.5501 Cryptology
Spring 2016
10/27
The Pollard p − 1 Algorithm
◮
Let B be a positive integer and p a factor of n. The Pollard p − 1
algorithm works if all prime power divisors of p − 1 are less than
or equal to B.
◮
Set a = 2.
◮
For j = 2, . . . , B compute a = aj mod n, that is, compute
a = 2B! mod n.
◮
Compute d = gcd(a − 1, n).
◮
If 1 < d < n, then return d; else return “failure”.
◮
The complexity of the algorithm is O B log B(log n)2 + (log n)3 .
T-79.5501 Cryptology
Spring 2016
11/27
Why Pollard p − 1 Works
◮
a = 2B! (mod n)
◮
If w ≤ B for every prime power w that divides p − 1, then p − 1
divides B!.
◮
Since p divides n, it must be that a ≡ 2B! (mod p).
◮
Since 2p−1 ≡ 1 (mod p), it follows that a ≡ 1 (mod p).
◮
Then p divides a − 1 and therefore p divides d = gcd(a − 1, n).
◮
d is a non-trivial divisor of n unless a = 1.
◮
If a = 1 the algorithm can be repeated using some other value
than 2 to initialize a.
T-79.5501 Cryptology
Spring 2016
12/27
Dixon’s Random Squares
◮
◮
◮
◮
Suppose that we can find integers x and y such that x 6= ±y
(mod n) and x 2 ≡ y 2 (mod n).
Then n divides neither x − y nor x + y .
Then gcd(x − y , n) is a non-trivial divisor of n.
For example, 102 ≡ 322 (mod 77). It follows that
gcd(32 − 10, 77) is a non-trivial divisor of 77, which indeed holds.
◮
The algorithm uses a factor base B which is a set of small
primes.
◮
Then generate several integers z such that the prime factors of
z 2 mod n are in the set B.
◮
Find a subset z1 , . . . , zs of these integers such that the total
number of occurrences of each prime factor in the squares of
these numbers is even.
◮
Then z12 × . . . × zs2 is equivalent modulo n to a square of a
product of numbers from B.
T-79.5501 Cryptology
Spring 2016
13/27
Random Squares Example
◮
n = 15770708441 and B = {2, 3, 5, 7, 11, 13}.
◮
Select
z1
z2
=
=
z3
=
8340934156 , then z12 ≡ 3 × 7 (mod n)
12044942944 , then z22 ≡ 2 × 7 × 13 (mod n)
2773700011 , then z32 ≡ 2 × 3 × 13 (mod n).
◮
(z1 z2 z3 )2 ≡ 95034357852 ≡ (2 × 3 × 7 × 13)2 = 5462 (mod n).
◮
gcd(9503435785 − 546, 15770708441) = 115759.
◮
Factoring algorithms, see: LENSTRA Arjen, Update on
Factoring “A kilobit special number field sieve factorization” at
❤tt♣✿✴✴✇✐❦✐✳✉♥✐✳❧✉✴❡s❝✴❞♦❝s✴❆✰❦✐❧♦❜✐t✰s♣❡❝✐❛❧✰♥✉♠❜❡r✰
❢✐❡❧❞✰s✐❡✈❡✰❢❛❝t♦r✐③❛t✐♦♥✳♣♣t
◮
See also ❤tt♣s✿✴✴❡♥✳✇✐❦✐♣❡❞✐❛✳♦r❣✴✇✐❦✐✴❘❙❆❴♥✉♠❜❡rs
T-79.5501 Cryptology
Spring 2016
14/27
Computing φ(n)
◮
If we can compute φ(n), then one can factor n.
◮
Given φ(n) one can solve p from the system of equations
n
φ(n)
◮
=
=
pq
(p − 1)(q − 1)
By substituting q = n/p to the second equation, one gets
p2 − (n − φ(n) + 1)p + n = 0.
◮
The two solutions p of this quadratic equation are the factors of
n.
T-79.5501 Cryptology
Spring 2016
15/27
The Private Exponent
◮ If we can compute the private exponent then we can factor n with at least
probability 1/2. Repeating m times gives success probability 1 − (1/2)m .
◮ Las Vegas algorithm is a randomized algorithm which may fail to give an answer,
but if it gives an answer, the answer is correct.
◮ Given a, b and n, with ab ≡ 1 (mod φ(n)).
◮ The idea is to find a non-trivial square root of 1 modulo n.
◮ write ab − 1 = 2s r , where r is odd.
◮ Choose w at random such that 1 ≤ w ≤ n − 1. Check that gcd(w, n) = 1. (If
not, a non-trivial factor of n has been found!)
◮ Compute v = w r mod n. If v = 1, then return “failure”.
k −1
k
◮ Else find k ≤ s such that v0 = v 2
6= 1(modn) and v02 = v 2 ≡ 1(modn).
◮ If v0 ≡ −1 (mod n), then return “failure”.
◮ Else compute d = gcd(v0 + 1, n). Return d, which is a non-trivial factor of n.
T-79.5501 Cryptology
Spring 2016
16/27
The Private Exponent – Example
◮
(Stinson 5.30) Suppose that Bob has carelessly revealed his
decryption exponent to be a = 14039 in an RSA Cryptosystem
with public key n = 36581 and b = 4679. Implement the
randomized algorithm to factor n given this information. Test your
algorithm with the “random” choices w = 9983 and w = 13461.
◮
We have a = 14039, b = 4679, n = 36581 and write
ab − 1 = 2s r = 25 × 2052765. We choose w = 2.
◮
◮
◮
v ← w r mod n = 22052765 mod 36581 = 12117 6= 1,
continue.
2
v0 ← v 2 mod n = 22136 6= ±1, v02 ≡ v 2 ≡ 1 (mod n) and
k = 2.
d ← gcd(v0 + 1, n) = gcd(22137, 36581) = 157.
Thus we have 36581 = 157 × 233.
T-79.5501 Cryptology
Spring 2016
17/27
Wiener’s Small Private Exponent Attack
√
If 3a < 4 n, where n = pq and q < p < 2q, then there is an efficient
deterministic algorithm for computing a and the factorization of n.
Note. Assumption q < p < 2q typically holds. When q < p, then for
security, one should select p ≥ 2q. For efficiency, p and q are usually
selected to satisfy p ≈ 2q.
T-79.5501 Cryptology
Spring 2016
18/27
RSA Equation
ab − k φ(pq) = 1
(1)
for some k , where only b is known.
Additional information: pq = n is known and q < p < 2q. Then we
have
√
n > φ(n) = (p − 1)(q − 1) = pq − p − q + 1 ≥ n − 3 n.
Also we know that b < φ(n), hence k < a.
Wiener (1989) showed how to exploit this information to solve (1) for
the private exponent a and all other parameters k , p and q provided
that a is sufficiently small.
Wiener’s method is based on continued fractions.
T-79.5501 Cryptology
Spring 2016
19/27
Continued Fractions
Every positive rational number t has a unique representation as a
finite chain of fractions
q1 +
1
q2 +
1
q3 +···+
,
1
qm−1 + 1
qm
where qi , i = 1, 2, . . . , m, are positive integers and qm > 1. Then we
write t = [q1 , q2 , q3 , . . . , qm ].
T-79.5501 Cryptology
Spring 2016
20/27
Convergent
Let t = [q1 , q2 , q3 , . . . , qm ] be a rational number. For each j,
1 ≤ j ≤ m, the rational number tj = [q1 , q2 , q3 , . . . , qj ] is called the jth
convergent of t. For t = vu , just run the Euclidean algorithm on u and
v to find the integers qi , i = 1, 2, . . . , m.
We state without proof:
Theorem 5.14 Suppose that gcd(u, v ) = gcd(c, d) = 1 and
Then
of vu .
c
d
u
1
c .
− <
v
d
2d 2
is one of the convergents of the continued fraction expansion
T-79.5501 Cryptology
Spring 2016
21/27
Solving the RSA Equation
Recall the RSA equation: ab − k φ(n) = 1.
Write it as:
b
k
1
− =
.
φ(n) a
aφ(n)
By Thm 5.14, if 2a < φ(n), then k /a is a convergent of b/φ(n). But
we do not know φ(n). Wiener used the fact that φ(n) ≈ n and showed
that ka can be computed as a convergent of bn .
T-79.5501 Cryptology
Spring 2016
22/27
Wiener’s Theorem
Theorem. If in the RSA cryptosystem
a<
1√
4
n,
3
that is, the length of the private exponent a is less than about one
fourth of the length of n, then a can be computed in polynomial time
with respect to the length of n.
Proof. We show that k /a is a convergent of b/n. If this is the case,
then k /a can be computed in polynomial time using Euclid’s
algorithm. We estimate:
b k ab − kn 1 + k φ(n) − kn 3
1
=
≤ 3k
− =
a√n < √n < 2a2 .
n
a an an
The claim follows from Thm 5.14.
T-79.5501 Cryptology
Spring 2016
23/27
Wiener’s Algorithm (1)
First the convergents
cj
b
= [q1 , q2 , q3 , . . . , qj ] of
dj
n
j = 1, 2, . . ., are computed by Euclid’s algorithm by setting r0 = b and
r1 = n as follows. Set c0 = 1, c1 = q1 , d0 = 0, d1 = 1. Given qj such
that rj−1 = qj rj + rj+1 set
cj
=
qj cj−1 + cj−2
dj
=
qj dj−1 + dj−2 .
T-79.5501 Cryptology
Spring 2016
24/27
Wiener’s Algorithm (2)
For the correct convergent k /a = cj /dj it holds that
bdj − cj φ(n) = 1.
To find it, we compute for each convergent
n′ =
dj b − 1
cj
and check if n′ = φ(n). The check is based on the fact that if
n′ = φ(n) then the equation
x 2 − (n − n′ + 1)x + n = 0
has two positive integer solutions p and q.
T-79.5501 Cryptology
Spring 2016
25/27
Wiener’s Algorithm – Example
◮
Stinson, Problem 5.32: Suppose that n = 317940011 and
b = 77537081 in the RSA Cryptosystem. Using Wiener’s
Algorithm, attempt to factor n. If you succeed, determine the
secret exponent a and φ(n).
◮
Running Wiener’s algorithm we get:
j
0
1
2
3
4
5
6
..
.
rj
77537081
317940011
77537081
7791687
7411898
379789
195907
..
.
qj
0
0
4
9
1
19
1
..
.
cj
1
0
1
9
10
199
209
..
.
dj
0
1
4
37
41
816
857
..
.
n′
310148323
318763555.111
317902032
317940995.452
..
.
T-79.5501 Cryptology
Spring 2016
26/27
Example Continued
◮
j = 2 no solution, since n′ is odd (φ(n) is divisible by 4).
◮
j = 3 no solution, since n′ is not integer.
◮
j = 4 looks promising. Substitute n = 317940011 and
n′ = 317902032 to equation x 2 − (n − n′ + 1)x + n = 0 and get
x 2 − 37980x + 317940011 = 0,
from where we get solutions for p and q, which are
x = 18990 ± 6533. Then a = d4 = 41, and
φ(n) = n′ = 317902032.
T-79.5501 Cryptology
Spring 2016
27/27