Cryptography Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Page 1: Cryptography

Cryptography

Lecture 8: Primality Testing and Factoring

Piotr Faliszewski

Page 2: Cryptography

Previous Class

Attacks on RSA
  • Known digits attacks
  • Low exponent attacks
  • Short plaintext attacks
  • Timing attacks

Practical RSA
  • Exponentiation modulo n
  • Primality testing

Page 3: Cryptography

Factoring and Primality Testing

Factoring
  • Input: $n \in \mathbb{N}$
  • Output: nontrivial factor of n

Primality testing
  • Input: $n \in \mathbb{N}$
  • Output:
      – the number is composite
      – the number is probably prime

Is there a difference?
  • Yes! Primality testing is much easier!
  • You do not need to factor the number to see it is composite

Page 4: Cryptography

Miller-Rabin Test

Generalization of Fermat’s test

Principle
  • If p is a prime then $x^2 = 1 \pmod{p}$ has only two solutions: $x = 1$ and $x = -1$
  • Why does the principle hold?

Gist of the MR test
  • Find a number b such that $b^2 = 1 \pmod{p}$
  • If $b \notin \{-1, 1\}$ then composite

Page 5: Cryptography

Miller-Rabin Test

MR( int n ):
    let n-1 = 2^k * m
    a = random in {2, 3, ..., n-2}
    b_0 = a^m (mod n)
    if b_0 = ±1 (mod n) then declare prime
    for j = 1 to k-1 do
        b_j = b_{j-1}^2 (mod n)
        if b_j = 1 (mod n) then declare composite
        if b_j = -1 (mod n) then declare prime
    declare composite

What are we doing?

$b_0 = a^{m} \pmod{n}$
$b_1 = a^{2m} \pmod{n}$
$b_2 = a^{4m} \pmod{n}$
...
$b_j = a^{2^j m} \pmod{n}$
...
$b_{k-1} = a^{(n-1)/2} \pmod{n}$

Page 6: Cryptography

Miller-Rabin Test: Examples

n = 5*7*11 = 385
$n - 1 = 384 = 2^7 \cdot 3$
k = 7, m = 3
a = 9

$b_0 = 9^{3} = 344 \pmod{385}$
$b_1 = 9^{3 \cdot 2} = 141 \pmod{385}$
$b_2 = 9^{3 \cdot 2^2} = 246 \pmod{385}$
$b_3 = 9^{3 \cdot 2^3} = 71 \pmod{385}$
$b_4 = 9^{3 \cdot 2^4} = 36 \pmod{385}$
$b_5 = 9^{3 \cdot 2^5} = 141 \pmod{385}$

n = 3*11*17 = 561
$n - 1 = 560 = 2^4 \cdot 35$
k = 4, m = 35
a = 2

$b_0 = 2^{35} = 263 \pmod{561}$
$b_1 = 2^{35 \cdot 2} = 166 \pmod{561}$
$b_2 = 2^{35 \cdot 2^2} = 67 \pmod{561}$
$b_3 = 2^{35 \cdot 2^3} = 1 \pmod{561}$

Proof of compositeness!

Page 7: Cryptography

Miller-Rabin Test: Examples

n = 401
$n - 1 = 400 = 2^4 \cdot 25$
k = 4, m = 25
a = 3

$b_0 = 3^{25} = 268 \pmod{401}$
$b_1 = 3^{25 \cdot 2} = 45 \pmod{401}$
$b_2 = 3^{25 \cdot 2^2} = 20 \pmod{401}$
$b_3 = 3^{25 \cdot 2^3} = 400 \pmod{401} = -1 \pmod{401}$

n = 401
$n - 1 = 400 = 2^4 \cdot 25$
k = 4, m = 25
a = 2

$b_0 = 2^{25} = 356 \pmod{401}$
$b_1 = 2^{25 \cdot 2} = 20 \pmod{401}$
$b_2 = 2^{25 \cdot 2^2} = 400 \pmod{401}$

Evidence of primality!

Page 8: Cryptography

Miller-Rabin Test

Why this works?

$n - 1 = 2^k m$

$b_0 = a^{m} \pmod{n}$
$b_1 = a^{2m} \pmod{n}$
$b_2 = a^{4m} \pmod{n}$
...
$b_j = a^{2^j m} \pmod{n}$
...
$b_{k-1} = a^{(n-1)/2} \pmod{n}$

  • If $b_0 = \pm 1 \pmod{n}$
      – all $b_i$’s (i > 0) will be 1
      – can’t find nontrivial roots of 1
  • For $i \in \{1, \ldots, k-1\}$:
      – if $b_i = 1 \pmod{n}$ then
          $b_{i-1}$ is neither 1 nor -1
          $b_{i-1}^2 = 1 \pmod{n}$
          we found a nontrivial root
      – if $b_i = -1 \pmod{n}$ then
          $b_{i+1}$ through $b_k$ are all 1 (mod n)
          can’t find nontrivial roots of 1

Page 9: Cryptography

Miller-Rabin Test: Quality

MR test is probabilistic

Answer
  • composite – the number is certainly composite
  • prime – the number is prime with high probability

Errors
  • MR(n) says prime but n is composite
  • Pr[error] ≤ ¼
  • Repeat the test to downgrade the prob. of error

Page 10: Cryptography

Other Primality Tests

Solovay-Strassen Test
  • similar in nature to MR
  • uses so called Jacobi symbol
  • fast in practice
  • probabilistic

Deterministic test
  • Agrawal, Kayal, and Saxena 2002
  • extremely slow

Tests that prove primality
  • MR tests compositeness!
  • fairly slow
  • needed in very few cases

Page 11: Cryptography

Factoring

Huge amount of work on factoring!
  • we look at some simple algorithms

Some best algorithms
  • quadratic sieve: $O\left(e^{(1+o(1))\sqrt{\ln n \,\ln\ln n}}\right)$
  • elliptic curve: $O\left(e^{(1+o(1))\sqrt{\ln p \,\ln\ln p}}\right)$
  • number field sieve: $O\left(e^{(1.92+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}}\right)$

Assumption
  • Factor an odd integer
  • produce one factor
  • how to get all of them?

Page 12: Cryptography

Factoring

Factoring
  • Input: $n \in \mathbb{N}$
  • Output: nontrivial factor of n

There are about $\pi(n) = n / \ln n$ primes ≤ n

Trivial methods
  • divide by all numbers in {2, ... , n-1}
  • or by all primes p, $p \le \sqrt{n}$

These are exponential!

Page 13: Cryptography

Fermat’s Method

The principle
  • express n as a difference of squares
  • $n = x^2 - y^2$
  • $n = (x-y)(x+y)$

The algorithm
  • Compute: $n + i^2$ for $i \in \{1, 2, \ldots\}$
  • Stop when $n + i^2$ is a square (i.e., $x^2 = n + i^2$)
  • Then we have $n = x^2 - i^2$

Examples

$15 = 4^2 - 1^2 = (4-1)(4+1) = 3 \cdot 5$

$21 = 5^2 - 2^2 = 25 - 4 = (5-2)(5+2) = 3 \cdot 7$

Page 14: Cryptography

Fermat’s Method

The principle
  • express n as a difference of squares
  • $n = x^2 - y^2$
  • $n = (x-y)(x+y)$

The algorithm
  • Compute: $n + i^2$ for $i \in \{1, 2, \ldots\}$
  • Stop when $n + i^2$ is a square (i.e., $x^2 = n + i^2$)
  • Then we have $n = x^2 - i^2$

Performance
  • depends on distance between x and y
  • could be very slow!

Conclusion for RSA
  • p and q should differ by a large value
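Fermat's method as stated on the slide, with the step count returned so the dependence on the gap between the two factors is visible. This is an added example, not code from the lecture; `fermat_factor`, `max_steps` and the two larger moduli are constructed for illustration.

```python
from math import isqrt

def fermat_factor(n, max_steps=1_000_000):
    """Slide's variant of Fermat's method for odd n:
    try i = 1, 2, ... until n + i^2 is a perfect square x^2,
    then n = x^2 - i^2 = (x - i)(x + i).
    Returns (x - i, x + i, i) or None if max_steps is exhausted."""
    for i in range(1, max_steps + 1):
        t = n + i * i
        x = isqrt(t)
        if x * x == t:
            return x - i, x + i, i
    return None

# The step count i equals (q - p) / 2 for the factor pair p <= q that is found,
# so close factors fall out immediately and distant ones take many steps.
CLOSE = 10007 * 10009      # constructed: two primes that differ by 2
FAR = 101 * 10007          # constructed: same size class of n, factors far apart

if __name__ == "__main__":
    for n in (15, 21, CLOSE, FAR):
        p, q, steps = fermat_factor(n)
        print(f"n = {n}: {p} * {q} after {steps} step(s)")
```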

Page 15: Cryptography

Pollard’s p-1 Method

The method
  • input: n
  • choose a > 1 (e.g., a = 2)
  • choose B
  • let $b = a^{B!} \pmod{n}$
  • d = gcd( b - 1, n )
  • d is a factor of n

Goal of the method
  • factor n = pq...
  • provided p-1 has only small prime factors

Example
n = 7 * 11 = 77
a = 2
B = 4, B! = 2*3*4 = 24
$b = 2^{24} = 71 \pmod{77}$
gcd(b-1, n) = gcd(70, 77) = 7

Page 16: Cryptography

Pollard’s p-1 Method

The method
  • input: n
  • choose a > 1 (e.g., a = 2)
  • choose B
  • let $b = a^{B!} \pmod{n}$
  • d = gcd( b - 1, n )
  • d is a factor of n

Goal of the method
  • factor n = pq...
  • provided p-1 has only small prime factors

Example
n = 7 * 11 = 77
a = 2
B = 2, B! = 2
$b = 2^{2} = 4 \pmod{77}$
gcd(b-1, n) = gcd(3, 77) = 1

Page 17: Cryptography

Pollard’s p-1 Method

The method
  • input: n
  • choose a > 1 (e.g., a = 2)
  • choose B
  • let $b = a^{B!} \pmod{n}$
  • d = gcd( b - 1, n )
  • d is a factor of n

Goal of the method
  • factor n = pq...
  • provided p-1 has only small prime factors

Example
n = 7 * 11 = 77
a = 2
B = 6, B! = 2*3*4*5*6 = 720
$b = 2^{720} = 1 \pmod{77}$
gcd(b-1, n) = gcd(0, 77) = 77

Page 18: Cryptography

Pollard’s p-1 Method

How to compute $a^{B!}$

B! can be very big
  • 5! = 120
  • 6! = 720
  • 10! = 3628800
  • 20! = 2432902008176640000
  • n! – about $n \log_2 n$ bits

In symbols:

$b_1 = a \pmod{n}$
$b_2 = b_1^{2} \pmod{n}$
...
$b_i = b_{i-1}^{\,i} \pmod{n}$
...

Page 19: Cryptography

Pollard’s p-1 Method

How to compute $a^{B!}$

In symbols:

$b_1 = a \pmod{n}$
$b_2 = b_1^{2} \pmod{n}$
...
$b_i = b_{i-1}^{\,i} \pmod{n}$
...

a = 2, B = 4, n = 77

$b_1 = 2 \pmod{77}$
$b_2 = 2^{2} = 4 \pmod{77}$
$b_3 = 4^{3} = 64 \pmod{77}$
$b_4 = 64^{4} = 16777216 = 71 \pmod{77}$

Page 20: Cryptography

Pollard’s p-1 Method

The method
  • input: n
  • choose a > 1 (e.g., a = 2)
  • choose B
  • let $b = a^{B!} \pmod{n}$
  • d = gcd( b - 1, n )
  • d is a factor of n

Why does it work?
  • p – prime factor of n
  • suppose: p-1 has only small prime factors
  • Then likely $p-1 \mid B!$
  • Then
      $B! = k(p-1)$
      $b = (a^{p-1})^{k} \pmod{p}$
      $b = 1 \pmod{p}$
      $p \mid b - 1$

Page 21: Cryptography

Pollard’s p-1 Method

Potential problems
  • n = pq
  • both p and q have small factors
  • b = 1 (mod p)
  • b = 1 (mod q)
  • Method fails

Choice of B
  • too small – method won’t work
  • too big – works slowly or fails

Example
n = 7 * 11 = 77
a = 2

B = 2 too small
B = 4 worked
B = 6 too big

7 - 1 = 6 = 2*3
2! – does not contain 3
4! – contains 2 and 3
6! – contains 2, 3 and 5, covers both factors!
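The p-1 method with the iterated exponentiation b_i = b_{i-1}^i, run over the slide's three choices of B and over a growing bound. This is an added example, not code from the lecture; the function names and the second modulus (2521 * 2027, where 2521 - 1 = 2^3 * 3^2 * 5 * 7 and 2027 - 1 = 2 * 1013) are constructed for illustration.

```python
from math import gcd

def pollard_p_minus_1(n, B, a=2):
    """Return (d, b) with b = a^(B!) mod n and d = gcd(b - 1, n).
    b is built as b_i = b_{i-1}^i mod n, so B! itself is never formed."""
    b = a % n
    for i in range(2, B + 1):
        b = pow(b, i, n)
    return gcd(b - 1, n), b

def smallest_working_bound(n, max_B, a=2):
    """Grow B one step at a time, reusing the previous b.
    Returns (factor, B); factor is None if the bound overshoots
    (d = n, so b = 1 modulo every prime factor) or max_B is reached."""
    b = a % n
    for B in range(2, max_B + 1):
        b = pow(b, B, n)
        d = gcd(b - 1, n)
        if 1 < d < n:
            return d, B
        if d == n:
            return None, B
    return None, max_B

# Constructed modulus: p - 1 is a product of small primes, while q - 1
# contains the prime 1013, so only p is exposed by a small bound.
WEAK_N = 2521 * 2027

if __name__ == "__main__":
    for B in (2, 4, 6):                         # the slide's three cases
        print("n = 77, B =", B, "->", pollard_p_minus_1(77, B))
    print("n = 77:", smallest_working_bound(77, 10))
    print("n =", WEAK_N, ":", smallest_working_bound(WEAK_N, 20))
```

A prime of the form k*p0 + 1 with p0 large, as on the next slide, forces B to reach p0 before p - 1 divides B!, which is why the constructed factor 2027 survives here.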

Page 22: Cryptography

Pollard’s p-1 Method

Conclusions for RSA
  • n = pq
  • p-1 or q-1 has small prime factors?
  • then RSA can be broken

How to defend?
  • choose a large prime $p_0$, e.g., $p_0 > 10^{40}$
  • try numbers of the form: $k p_0 + 1$
      – k needs to be even!
      – $k > 10^{60}$
  • test $k p_0 + 1$ for primality

Page 23: Cryptography

Factoring

Relation to squares
  • n – an integer
  • x, y – two integers s.t.
      $x^2 = y^2 \pmod{n}$
      $x \neq \pm y \pmod{n}$
  • if such x, y exist then
      – n is composite
      – gcd( x-y, n ) is a nontrivial factor

Examples

$11^2 = 121 = 1 \pmod{12}$
$5^2 = 25 = 1 \pmod{12}$
$11 \neq \pm 5 \pmod{12}$
gcd(11-5, 12) = 6

Page 24: Cryptography

Factoring

Relation to squares
  • n – an integer
  • x, y – two integers s.t.
      $x^2 \equiv y^2 \pmod{n}$
      $x \not\equiv \pm y \pmod{n}$
  • if such x, y exist then
      – n is composite
      – gcd( x-y, n ) is a nontrivial factor

Examples

$5^2 = 25 = 7 \pmod{9}$
$14^2 = 196 = 7 \pmod{9}$
$14 = 9 + 5 = 5 \pmod{9}$
gcd(14-5, 9) = 9

Page 25: Cryptography

Quadratic Sieve

Idea
  • try to apply the principle from the previous slide
  • find x, y such that
      $x^2 = y^2 \pmod{n}$
      $x \neq y \pmod{n}$
      $x \neq -y \pmod{n}$
  • finding such x, y not obvious

  • Take “random” squares
  • Reduce modulo n
  • Factor (hope for small factors!)
  • Try to build squares from what you get

Page 26: Cryptography

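Quadratic Sieve: Example

n = 3837523

$9398^2 = 5^5 \cdot 19 \pmod{n}$
$19095^2 = 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}$
$1964^2 = 3^2 \cdot 13^3 \pmod{n}$
$17078^2 = 2^6 \cdot 3^2 \cdot 11 \pmod{n}$
$8077^2 = 2 \cdot 19 \pmod{n}$
$3397^2 = 2^5 \cdot 5 \cdot 13^2 \pmod{n}$
$14262^2 = 5^2 \cdot 7^2 \cdot 13 \pmod{n}$

$(9398 \cdot 19095 \cdot 1964 \cdot 17078)^2 = 2^8 \cdot 3^4 \cdot 5^6 \cdot 11^2 \cdot 13^4 \cdot 19^2 = (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \pmod{n}$

$2230387^2 = 2586705^2 \pmod{n}$

gcd( 2230387 – 2586705, 3837523 ) = 1093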

Page 27: Cryptography

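Quadratic Sieve: Example

n = 3837523

$9398^2 = 5^5 \cdot 19 \pmod{n}$
$19095^2 = 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}$
$1964^2 = 3^2 \cdot 13^3 \pmod{n}$
$17078^2 = 2^6 \cdot 3^2 \cdot 11 \pmod{n}$
$8077^2 = 2 \cdot 19 \pmod{n}$
$3397^2 = 2^5 \cdot 5 \cdot 13^2 \pmod{n}$
$14262^2 = 5^2 \cdot 7^2 \cdot 13 \pmod{n}$

$(9398 \cdot 8077 \cdot 3397)^2 = 2^6 \cdot 5^6 \cdot 13^2 \cdot 19^2 = (2^3 \cdot 5^3 \cdot 13 \cdot 19)^2 \pmod{n}$

$3590523^2 = 247000^2 \pmod{n}$

BUT: n – 247000 = 3590523, so $3590523 = -247000 \pmod{n}$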
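The "build squares from what you get" step, checked on the seven relations from the two example slides. This is an added example, not code from the lecture; `combine` and `first_useful_subset` are names chosen here, and the exhaustive subset search stands in for the linear algebra over GF(2) that a real sieve uses on its exponent-parity vectors.

```python
from itertools import combinations
from math import gcd, prod

N = 3837523
# x -> exponents of the primes in x^2 mod N, copied from the slide
RELATIONS = {
    9398:  {5: 5, 19: 1},
    19095: {2: 2, 5: 1, 11: 1, 13: 1, 19: 1},
    1964:  {3: 2, 13: 3},
    17078: {2: 6, 3: 2, 11: 1},
    8077:  {2: 1, 19: 1},
    3397:  {2: 5, 5: 1, 13: 2},
    14262: {5: 2, 7: 2, 13: 1},
}

def relations_hold(n=N, rel=RELATIONS):
    """Check every listed factorisation against x^2 mod n."""
    return all(x * x % n == prod(p ** e for p, e in f.items())
               for x, f in rel.items())

def combine(xs, n=N, rel=RELATIONS):
    """Multiply the relations for xs. Returns (X, Y, gcd(X - Y, n)) with
    X^2 = Y^2 (mod n), or None if some prime has an odd total exponent."""
    exps = {}
    for x in xs:
        for p, e in rel[x].items():
            exps[p] = exps.get(p, 0) + e
    if any(e % 2 for e in exps.values()):
        return None
    X = prod(xs) % n
    Y = prod(pow(p, e // 2, n) for p, e in exps.items()) % n
    return X, Y, gcd(X - Y, n)

def first_useful_subset(n=N, rel=RELATIONS):
    """Smallest subset whose product is a square AND gives a proper factor;
    subsets with X = +-Y (mod n) yield gcd 1 or n and are skipped."""
    for size in range(1, len(rel) + 1):
        for xs in combinations(rel, size):
            r = combine(xs, n, rel)
            if r and 1 < r[2] < n:
                return xs, r[2]
    return None

if __name__ == "__main__":
    print(relations_hold())
    print(combine((9398, 19095, 1964, 17078)))   # the successful combination
    print(combine((9398, 8077, 3397)))           # the X = -Y case: gcd is 1
    print(first_useful_subset())
```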

Page 28: Cryptography

How to Find the Squares?

What squares to use?
  • we want small prime factors?
  • so $x^2$ should be slightly above n

Idea: Try integers close to:
  • $\sqrt{i n} + j$
  • small j, various i
  • $(\sqrt{i n} + j)^2 \approx i n + 2j\sqrt{i n} + j^2$
  • approx: $2j\sqrt{i n} + j^2 \pmod{n}$