
Foundations of Modern Cryptography

Chapter 1: Public Key Cryptosystems Based on Factoring

Prof. K. Dohmen, Department of Mathematics

Last Update: November 11, 2019

Contents

Asymmetric Cryptosystems

The RSA Cryptosystem

Conversion Between Strings and Numbers

More Mathematical Foundations

Attacks against RSA

Rabin’s Cryptosystem

Factoring

Department of Mathematics, Prof. K. Dohmen. Winter Term 2019/20. Public Key Cryptosystems Based on Factoring.

Asymmetric cryptosystems

General setting:
- The sender encrypts a plaintext message using the receiver's public key.
- The receiver decrypts the received ciphertext using his own private key.

List of characters:
- Alice: sender of the message
- Bob: receiver of the message
- Eve: eavesdropper, a passive attacker who listens in on the messages between Alice and Bob
- Mallory: active, malicious attacker who can modify messages, substitute her own messages, replay old messages, etc.

The RSA Cryptosystem (Rivest, Shamir, Adleman, 1978)

Initialization:
1. Bob chooses two big primes p and q.
2. He computes n = pq and φ(n) = (p − 1)(q − 1).
3. He deletes p and q. (If decryption is to be sped up with the Chinese Remainder Theorem, as described later in this chapter, p and q are instead kept as part of the private key.)

Public key:
4. Bob chooses e ∈ ℕ with 1 < e < φ(n) and gcd(e, φ(n)) = 1.
5. He publishes (n, e).

Private key:
6. Bob computes d ∈ ℕ with 1 < d < φ(n) and ed ≡ 1 (mod φ(n)).
7. He deletes φ(n) and keeps (n, d) secret.

The RSA Cryptosystem: Encryption and decryption

Encryption:
- Alice fetches Bob's public key (n, e).
- She encodes her message as m ∈ ℤ_n.
- She computes c = m^e in ℤ_n.
- She sends c to Bob.

Decryption:
- Bob looks up his own private key (n, d).
- He computes m = c^d in ℤ_n.

The RSA Cryptosystem: Initialization

Example. Bob chooses two (small, for the sake of the example) primes and computes

n = 43 · 59 = 2537,  φ(n) = (43 − 1)(59 − 1) = 42 · 58 = 2436.

He then chooses 1 < e < φ(n) coprime to φ(n), e.g. e = 13, and computes its inverse in ℤ_2436:

13 · d ≡ 1 (mod 2436).

The extended Euclidean algorithm gives d = 937 (check: 13 · 937 = 12181 = 5 · 2436 + 1).
- Public key: (2537, 13)
- Private key: (2537, 937)

The RSA Cryptosystem: Encryption

Example (cont'd). Consider the plaintext

PUBLICKEYCRYPTOGRAPHYX.

By replacing each letter by its position 0, …, 25 in the alphabet and grouping two letters per block (the final X pads the text to an even number of letters), we obtain

1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423.

For (n, e) = (2537, 13) the encrypted message is

0095 1648 1410 1299 0811 2333 2132 0370 1185 1957 1084.

For example, 1520^13 ≡ 95 in ℤ_2537. Each block is a number below 2537, so it is a valid element of ℤ_n; the block size must always be chosen so that this holds.
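As an added worked example (not part of the original slides), the following Python reproduces the key generation and block encryption above: the two-letter blocks, the modular inverse of e, and the exponentiations. The letter-to-number encoding and the padding with X follow the slides; the function names are my own, and textbook RSA without padding is used here only to reproduce the arithmetic.

```python
# Added example (not from the slides): textbook RSA with the slides' toy parameters.
# Unpadded, deterministic RSA is shown only to reproduce the arithmetic of the example;
# real deployments use OAEP-style padding.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for distinct primes p, q and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)            # inverse modulo phi(n), Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message block must lie in Z_n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def text_to_blocks(text, n):
    """Two letters per block, letters replaced by their position 0..25 as on the slides.
    Pads with 'X' to an even length; needs n > 2525 so every block is an element of Z_n."""
    if n <= 2525:
        raise ValueError("modulus too small for two-letter blocks")
    if len(text) % 2:
        text += "X"
    blocks = []
    for i in range(0, len(text), 2):
        a, b = ALPHABET.index(text[i]), ALPHABET.index(text[i + 1])
        blocks.append(100 * a + b)
    return blocks


def blocks_to_text(blocks):
    return "".join(ALPHABET[b // 100] + ALPHABET[b % 100] for b in blocks)


def rsa_encrypt_text(pub, text):
    return [rsa_encrypt(pub, b) for b in text_to_blocks(text, pub[0])]


def rsa_decrypt_text(priv, cblocks):
    return blocks_to_text([rsa_decrypt(priv, c) for c in cblocks])


if __name__ == "__main__":
    pub, priv = rsa_keygen(43, 59, 13)
    print(pub, priv)
    ct = rsa_encrypt_text(pub, "PUBLICKEYCRYPTOGRAPHY")
    print(" ".join(f"{c:04d}" for c in ct))
    print(rsa_decrypt_text(priv, ct))
```

The same functions reproduce the Sage session later in the chapter: rsa_keygen(67, 101, 17) yields d = 1553 and rsa_encrypt of 1000 gives 4838.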

RSA Correctness Theorem

Theorem. Let (n, e) be a public RSA key and (n, d) the corresponding private RSA key. Then

(m^e)^d = m for all m ∈ ℤ_n.

Proof. We have to show that for 0 ≤ m < n,

m^{ed} ≡ m (mod n).

Since n = pq with distinct primes p, q, it suffices to show that

m^{ed} ≡ m (mod p),   (1)
m^{ed} ≡ m (mod q).   (2)

RSA Correctness Theorem

Proof (cont'd). We only prove (1); (2) is symmetric. Evidently m^{ed} ≡ m (mod p) if m ≡ 0 (mod p), so we may assume m ≢ 0 (mod p). Since

ed ≡ 1 (mod φ(n))

there exists k ∈ ℤ such that ed − 1 = kφ(n). Therefore,

m^{ed} = m^{1 + kφ(n)} = m · m^{k(p−1)(q−1)} = m · (m^{p−1})^{k(q−1)}.

Since m ≢ 0 (mod p), m and p are coprime. By Fermat's little theorem,

m^{p−1} ≡ 1 (mod p),

whence m^{ed} ≡ m · 1^{k(q−1)} = m (mod p).

Fermat's Little Theorem

Theorem (Fermat, 1640). For any prime p and any a ∈ ℤ with a ≢ 0 (mod p),

a^{p−1} ≡ 1 (mod p).

Equivalently: for any prime p and any a ∈ ℤ,

a^p ≡ a (mod p).

Proof. By induction on a ≥ 0, using the binomial theorem on (a + 1)^p: every binomial coefficient C(p, i) with 0 < i < p is divisible by p, so (a + 1)^p ≡ a^p + 1 ≡ a + 1 (mod p).

Proof of Fermat's Little Theorem

Proof (Golomb, 1956).
- Consider all strings of length p over an alphabet of a symbols, excluding those consisting of a single repeated symbol. For p = 5 and a = 2 this gives

AAAAB, AAABA, AABAA, ABAAA, BAAAA,
AAABB, AABBA, ABBAA, BBAAA, BAAAB,
AABAB, ABABA, BABAA, ABAAB, BAABA,
AABBB, ABBBA, BBBAA, BBAAB, BAABB,
ABABB, BABBA, ABBAB, BBABA, BABAB,
ABBBB, BBBBA, BBBAB, BBABB, BABBB.

- By the product rule of combinatorics, there are a^p − a of them.
- Two of them are regarded as equivalent if one can be rotated to obtain the other.
- Each string is equivalent to at most p strings (including itself), since there are no more than p rotations.

Proof of Fermat's Little Theorem

Proof (cont'd).
- If a string is equivalent to fewer than p strings (including itself), then the string is built up from several copies of a shorter string.
- The length of this shorter string is a divisor of p, and hence equal to 1 since p is prime. This is impossible since we excluded strings built from a single symbol.
- As a consequence, each equivalence class consists of exactly p strings, whence

(number of equivalence classes) × p = a^p − a.

- As a conclusion, p divides a^p − a.

Proof of Fermat's Little Theorem: Graph-theoretic version of Golomb's proof

Proof.
- The chromatic polynomial of the cycle C_p,

P_{C_p}(λ) = (λ − 1)^p + (−1)^p (λ − 1),

gives the number of proper λ-colorings of C_p.
- Two proper λ-colorings are regarded as equivalent if one can be rotated to obtain the other.
- Since there are no more than p rotations, each such coloring is equivalent to at most p of them.
- If a coloring is equivalent to fewer than p of them, then it has a repetitive pattern of length l < p with l | p, which is impossible since p is prime.
- As a consequence,

(number of equivalence classes) × p = P_{C_p}(λ),

so p divides (λ − 1)^p + (−1)^p (λ − 1) for every λ ∈ ℕ. For odd p this says p | b^p − b with b = λ − 1; for p = 2 the statement b² ≡ b (mod 2) is immediate.

RSA in Sage

Example
sage: p = 67; q = 101
sage: n = p*q; e = 17
sage: n, e
(6767, 17)
sage: d = inverse_mod(e, (p-1)*(q-1))
sage: n, d
(6767, 1553)
sage: m = 1000
sage: c = power_mod(m, e, n)
sage: c
4838
sage: power_mod(c, d, n)
1000

RSA in Sage (cont'd)

Example
sage: pl = "Light the Bomb."
sage: plc = list(map(ord, pl))     # list(...) is needed under Python 3 (Sage 9+), where map returns an iterator
sage: plc
[76, 105, 103, 104, 116, 32, 116, 104, 101, 32, 66, 111, 109, 98, 46]
sage: m = ZZ(plc, 256)             # digits in base 256, least significant first
sage: m
240842001936252170065895346936441164
sage: ml = m.digits(256)
sage: ml
[76, 105, 103, 104, 116, 32, 116, 104, 101, 32, 66, 111, 109, 98, 46]
sage: ms = ''.join(map(chr, ml))
sage: ms
'Light the Bomb.'

Conversion between strings and numbers

The following functions convert a string into an integer, and back again:

In Sage
def _str2num(s):
    # base-256 digits, least significant character first
    return ZZ(list(map(ord, s)), 256)

def _num2str(n):
    nl = n.digits(256)
    return ''.join(map(chr, nl))

Unfortunately, the integers obtained are quite large (8 bits per character).

Conversion between strings and numbers (cont'd)

We obtain smaller integers by restricting to, e.g., 71 characters:

In Sage
symbols = " 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz?!,.+-/="

def str2num(s):
    digits = [symbols.find(c) for c in s]
    return ZZ(digits, len(symbols))

def num2str(n):
    s = ''.join([symbols[digit] for digit in n.digits(len(symbols))])
    return s

Note that symbols.find(c) returns −1 for a character that is not in the table, so the input should be validated first.

Encoding of Binary Data: Base64 Encoding

A well-known standard for encoding binary data is Base64.
- Each 24 bits of data are split into four 6-bit blocks.
- These blocks represent numbers in {0, …, 63} and are encoded as the 64 characters A–Z, a–z, 0–9, + and /, with = as padding at the end. All of these occur in our symbol string, so the Base64 text can be passed to str2num.

In Sage
import base64

def bin2num(data):
    # b64encode returns bytes under Python 3; decode to str before str2num
    return str2num(base64.b64encode(data).decode('ascii'))

def num2bin(number):
    return base64.b64decode(num2str(number))

How to find modular inverses? Bézout's identity

Theorem. For any integers a and b there are integers a′ and b′ such that

aa′ + bb′ = gcd(a, b).

Proof. Without loss of generality, we may assume b ≥ 0. The proof is then by induction on b.
Induction base: For b = 0 we have gcd(a, 0) = |a|; choose a′ = sgn(a) and b′ ∈ ℤ arbitrary.
Induction step: Let b > 0 and assume that the theorem holds for all smaller second arguments. Division with remainder yields

a = qb + r with 0 ≤ r < b.

We can now apply the induction hypothesis to the pair (b, r):

How to find modular inverses? Bézout's identity

Proof (cont'd). Applying the induction hypothesis to (b, r) gives b*, r* ∈ ℤ such that

b · b* + r · r* = gcd(b, r) = gcd(a, b).

By rearranging terms we obtain

gcd(a, b) = b · b* + (a − qb) · r* = a · r* + b · (b* − qr*).

Now choose a′ := r* and b′ := b* − qr*.

Extended Euclidean algorithm: In Python

def sgn(x):
    if x > 0: return 1
    if x < 0: return -1
    return 0

def xgcd(a, b):
    # returns (d, a', b') with a*a' + b*b' == d == gcd(a, b)
    if b == 0:
        return abs(a), sgn(a), 0
    q = a // b
    r = a % b
    d, bb, rr = xgcd(b, r)        # b*bb + r*rr == d
    return d, rr, bb - q*rr       # substitute r = a - q*b

>>> xgcd(40902, 24140)
(34, 337, -571)

Worst-case complexity

Lemma. Let n be the number of recursive calls of xgcd for a > b > 0. Then

F_{n+1} ≤ b  (n = 1, 2, 3, …),

where F_1 = 1, F_2 = 1, F_n = F_{n−1} + F_{n−2} (n ≥ 3) are the Fibonacci numbers.

Proof. Induction base: If n = 1 then b ≥ 1 = F_2, while for n = 2 we have b ≥ 2 = F_3.
Induction step: For n ≥ 3, the call xgcd(b, r) with r = a mod b makes n − 1 recursive calls and the call xgcd(r, b mod r) makes n − 2, so the induction hypothesis applied to n − 1 and n − 2 gives F_n ≤ r and F_{n−1} ≤ b mod r. Hence

F_{n+1} = F_n + F_{n−1} ≤ r + (b mod r) = r + b − ⌊b/r⌋ r ≤ r + b − r = b.

Worst-case complexity (cont'd)

Lamé's theorem (Gabriel Lamé, 1795–1870). The number of division steps in the extended Euclidean algorithm is at most five times the number of decimal digits of the smaller argument.

Proof. Let

n be the number of division steps in xgcd for a > b > 0,
k be the number of decimal digits of b, so that b < 10^k.

To obtain a contradiction, assume that n > 5k. Then, by the lemma,

b ≥ F_{n+1} ≥ F_{5k+2} ≥ 10^k,

where the last inequality follows from Binet's formula F_j = (φ^j − ψ^j)/√5 with φ = (1 + √5)/2, ψ = (1 − √5)/2 (note that φ^5 > 10). This contradicts the definition of k.
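Added example (not from the slides): an iterative extended Euclidean algorithm that also reports its number of division steps, a modular-inverse helper built on it (the step used for d in RSA key generation), and checks of the Fibonacci bound and of Lamé's theorem on small inputs. The function names are my own; the sample inputs are the slides' numbers plus consecutive Fibonacci numbers, which are the worst case.

```python
# Added example (not from the slides): extended Euclid with a step counter, and checks of the
# lemma F_{n+1} <= b and of Lamé's bound (steps <= 5 * decimal length of b).
from functools import lru_cache


def xgcd_steps(a, b):
    """Return (g, x, y, steps) with a*x + b*y == g == gcd(a, b) for a, b >= 0.
    steps is the number of divisions with remainder, i.e. the number of recursive calls
    the recursive xgcd on the slides would make."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    steps = 0
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
        steps += 1
    return a, x0, y0, steps


def modinv(e, m):
    """Inverse of e modulo m; ValueError when gcd(e, m) != 1, since then no inverse exists."""
    g, x, _, _ = xgcd_steps(e % m, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {m}: gcd = {g}")
    return x % m


@lru_cache(maxsize=None)
def fib(n):
    """F_1 = F_2 = 1, F_n = F_{n-1} + F_{n-2}."""
    return 1 if n <= 2 else fib(n - 1) + fib(n - 2)


def fibonacci_bound_holds(a, b):
    """Lemma: with n division steps for a > b > 0, F_{n+1} <= b."""
    n = xgcd_steps(a, b)[3]
    return fib(n + 1) <= b


def lame_bound_holds(a, b):
    """Lamé: the number of steps is at most 5 * (number of decimal digits of b)."""
    n = xgcd_steps(a, b)[3]
    return n <= 5 * len(str(b))
```

For a = F_{k+1}, b = F_k the algorithm takes exactly k − 1 steps and the lemma holds with equality, which is why Fibonacci numbers are the worst case.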

Fast exponentiation: Python implementation of the square-and-multiply algorithm

def pot(a, n):
    # a**n by recursion on the binary representation of n
    if n == 0:
        return 1
    if n % 2 == 1:
        return a * pot(a, n // 2) ** 2
    else:
        return pot(a, n // 2) ** 2

Exercise. Modify this code to obtain a function pot(a, n, m) for modular exponentiation modulo m.

Fast exponentiation (cont'd)

Definition. For any n ∈ ℕ we write ℓ(n) for the length of the binary representation of n (without leading 0's) and #₁(n) for the number of 1's in the binary representation of n.

Lemma. For any n ∈ ℕ,

ℓ(n) = ⌊log₂ n⌋ + 1 = ⌈log₂(n + 1)⌉.

Theorem. For any n ∈ ℕ the function pot(a, n) performs exactly ℓ(n) + #₁(n) multiplications (ℓ(n) squarings and #₁(n) multiplications by a) and ℓ(n) divisions by 2.

Proof. By induction on ℓ(n).

Fast exponentiation (cont'd)

Consider the arithmetic operations performed to compute

a²³ = a·(a·(a·(a²)²)²)² = a·(a·(a·((a·1²)²)²)²)².

Using the abbreviations
0 for squaring,
1 for squaring and multiplying by a,
these operations can be described by
0111 if the computation starts with a,
10111 if the computation starts with 1.
Note that 10111 is the binary representation of 23:

23 = 1·2⁴ + 0·2³ + 1·2² + 1·2¹ + 1·2⁰.

Fast exponentiation (cont'd): Iterative implementation in Python

def pot(a, n):
    if n == 0: return 1
    bits = bin(n)[3:]            # binary digits of n after the leading 1
    result = a
    for bit in bits:             # left to right: square, then multiply if the bit is 1
        result *= result
        if bit == '1':
            result *= a
    return result

Avoiding side channel attacks: Montgomery's method (the Montgomery ladder)

The iterative implementation performs the extra multiplication exactly for the 1-bits of n, so its running time and power trace reveal the exponent. The Montgomery ladder performs one multiplication and one squaring for every bit, whatever its value; the invariant result2 = result1 · a is maintained throughout.

def pot(a, n):
    if n == 0: return 1
    bits = bin(n)[3:]
    result1 = a
    result2 = a**2
    for bit in bits:
        if bit == '1':
            result1 = result1 * result2
            result2 = result2**2
        else:
            result2 = result1 * result2
            result1 = result1**2
    return result1
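Added example (not from the slides): a solution to the exercise pot(a, n, m), instrumented to count squarings and multiplications so the theorem above can be checked, beside a Montgomery ladder modulo m whose operation count depends only on the bit length of n. Both are compared against Python's built-in pow. The names are my own; note that the ladder still branches on the bit value, so a real constant-time implementation replaces the branch with a conditional swap that has no data-dependent control flow.

```python
# Added example (not from the slides): modular square-and-multiply with operation counts,
# and a Montgomery ladder modulo m with a bit-independent operation count.


def pot_mod(a, n, m, ops=None):
    """Recursive square-and-multiply modulo m. If ops is a dict it accumulates 'sq'/'mul' counts."""
    if ops is None:
        ops = {}
    if n == 0:
        return 1 % m
    t = pot_mod(a, n // 2, m, ops)
    t = t * t % m                        # one squaring for every bit of n
    ops["sq"] = ops.get("sq", 0) + 1
    if n % 2 == 1:                       # one extra multiplication for every 1-bit of n
        t = t * a % m
        ops["mul"] = ops.get("mul", 0) + 1
    return t


def count_ops(n, m=2537, a=2):
    """(squarings, multiplications by a) performed by pot_mod for exponent n: (l(n), #1(n))."""
    ops = {}
    pot_mod(a, n, m, ops)
    return ops.get("sq", 0), ops.get("mul", 0)


def ladder_mod(a, n, m):
    """Montgomery ladder: returns (a^n mod m, number of operations).
    Invariant: r1 == r0 * a (mod m). Each bit costs one multiplication and one squaring."""
    r0, r1 = 1 % m, a % m
    ops = 0
    for bit in (bin(n)[2:] if n else ""):
        if bit == "1":
            r0, r1 = r0 * r1 % m, r1 * r1 % m
        else:
            r1, r0 = r0 * r1 % m, r0 * r0 % m
        ops += 2
    return r0, ops
```

For n = 23 = 10111₂ the recursive version needs 5 squarings and 4 multiplications; for n = 16 = 10000₂ it needs 5 squarings and 1 multiplication, whereas the ladder performs 10 operations in both cases.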

Speeding up encryption

Choose e of the form 2^k + 1, e.g.,

e = 3, 17 or 65537.

Why is this sensible? Remember the fast exponentiation algorithm: the binary representation of 2^k + 1 is a 1, then k − 1 zeros, then a final 1, so #₁(e) = 2 and encryption costs only k squarings and a single multiplication by m.

def pot(m, e):
    if e == 0: return 1
    bits = bin(e)[3:]
    result = m
    for bit in bits:
        result *= result
        if bit == '1':
            result *= m
    return result

Speeding up decryption

In order to find m = c^d (mod pq), first compute

m_p := c^{d mod (p−1)} mod p,
m_q := c^{d mod (q−1)} mod q.

By Fermat's little theorem,

m ≡ m_p (mod p),
m ≡ m_q (mod q).

By the Chinese Remainder Theorem, the unique solution modulo pq of this system of congruences is given by

m ≡ s p m_q + t q m_p (mod pq),

where s, t ∈ ℤ are solutions of the Diophantine equation

sp + tq = 1.

Both exponents and both moduli have about half the size of d and n, which is what makes this faster; it requires p and q to be kept as part of the private key.

Chinese remainder theorem

Theorem. Let n_1, …, n_k be positive integers that are pairwise coprime. Then, for any given integers a_1, …, a_k there exists an integer x solving the system of simultaneous congruences

x ≡ a_1 (mod n_1)
x ≡ a_2 (mod n_2)
⋮
x ≡ a_k (mod n_k).

Furthermore, all solutions x of this system are congruent modulo the product N = n_1 ⋯ n_k.

Chinese remainder theorem

Proof (Existence). Let [a^{−1}]_b denote the multiplicative inverse of a modulo b. Then

x := Σ_{i=1}^{k} a_i · (N/n_i) · [(N/n_i)^{−1}]_{n_i}

is easily seen to solve the system of congruences: modulo n_j every summand with i ≠ j vanishes because n_j | N/n_i, and the summand for i = j is ≡ a_j.

Remark. In RSA decryption, the plaintext is recovered by

m ≡ m_q · p · [p^{−1}]_q + m_p · q · [q^{−1}]_p (mod n),

where

m_p = c^{d mod (p−1)} mod p,
m_q = c^{d mod (q−1)} mod q.

Chinese remainder theorem

Exercise. Solve the system of simultaneous congruences

x ≡ 4 (mod 5)
x ≡ 3 (mod 7).

Solution: By the extended Euclidean algorithm,

3 · 5 − 2 · 7 = 1,

whence [5^{−1}]_7 = 3 and [7^{−1}]_5 = −2. By the Chinese Remainder Theorem,

x ≡ 4 · 7 · [7^{−1}]_5 + 3 · 5 · [5^{−1}]_7 = 4 · 7 · (−2) + 3 · 5 · 3 = −11 ≡ 24 (mod 35).
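Added example (not from the slides): the explicit CRT formula of the existence proof as a general solver, applied to the exercise, and RSA decryption by the two half-size exponentiations of the remark, checked against a plain c^d mod n with the slides' toy key (43, 59, e = 13, d = 937). Names are my own.

```python
# Added example (not from the slides): CRT solver and RSA-CRT decryption.
from math import gcd, prod


def crt(residues, moduli):
    """The unique x in [0, N) with x == a_i (mod n_i) for pairwise coprime n_i, computed as
    x = sum a_i * (N/n_i) * [(N/n_i)^-1]_{n_i} (the formula of the existence proof)."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    N = prod(moduli)
    x = 0
    for a, n in zip(residues, moduli):
        Ni = N // n
        x += a * Ni * pow(Ni, -1, n)
    return x % N


def rsa_decrypt_crt(c, p, q, d):
    """Decrypt with the private key (p, q, d): exponents reduced modulo p-1 and q-1 (Fermat),
    recombined with m = m_q * p * [p^-1]_q + m_p * q * [q^-1]_p (mod n) from the remark."""
    if gcd(p, q) != 1:
        raise ValueError("p and q must be distinct primes")
    mp = pow(c, d % (p - 1), p)
    mq = pow(c, d % (q - 1), q)
    n = p * q
    return (mq * p * pow(p, -1, q) + mp * q * pow(q, -1, p)) % n


def crt_matches_plain(p, q, d, samples):
    """Sanity check: CRT decryption agrees with c^d mod n on every sample ciphertext."""
    n = p * q
    return all(rsa_decrypt_crt(c, p, q, d) == pow(c, d, n) for c in samples)
```

For the slides' key, d mod (p − 1) = 13 and d mod (q − 1) = 9, so decryption uses the exponents 13 and 9 instead of 937.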

Euler's phi function

Definition. For n ∈ ℕ let φ : ℕ → ℕ be defined by

φ(n) := #{m ∈ ℕ | 1 ≤ m ≤ n, gcd(m, n) = 1}.

φ is called Euler's phi function or totient function.

Remark. φ(n) counts the units in the ring of integers modulo n.

Example.
1. For any prime p, φ(p) = p − 1.
2. For any prime p and k ∈ ℕ, φ(p^k) = p^{k−1}(p − 1).

Multiplicativity of Euler's phi function

Theorem. Let n_1, …, n_k ∈ ℕ be pairwise relatively prime. Then

φ(n_1) ⋯ φ(n_k) = φ(n_1 ⋯ n_k).

Proof. For any n ∈ ℕ let

N(n) := {m ∈ ℕ | 1 ≤ m ≤ n, gcd(m, n) = 1}.

We define f : ∏_{i=1}^{k} N(n_i) → N(n_1 ⋯ n_k) by

f(a_1, …, a_k) := the unique solution x ∈ {1, …, n_1 ⋯ n_k} of x ≡ a_i (mod n_i) (1 ≤ i ≤ k).

By the Chinese Remainder Theorem, f is well-defined (and x is coprime to n_1 ⋯ n_k because it is coprime to each n_i). By showing that f is a one-to-one correspondence and applying the product rule of combinatorics, the result follows.

Euler's phi function for products of two primes

Theorem. For any two distinct primes p and q,

φ(pq) = (p − 1)(q − 1).

Proof. Since p and q are coprime,

φ(pq) = φ(p)φ(q) = (p − 1)(q − 1).

Remarks
1. The preceding theorem can be generalized to any number of distinct primes.
2. For n = pq, computing φ(n) is as difficult as factoring n: given φ(n), one has p + q = n − φ(n) + 1 and pq = n, so p and q are the roots of x² − (n − φ(n) + 1)x + n.

A general formula for Euler's phi function

Theorem. For any n ∈ ℕ,

φ(n) = n · ∏_{p | n} (1 − 1/p),

the product running over the distinct primes dividing n.

Proof. Let n = p_1^{e_1} ⋯ p_k^{e_k} be the prime factorization of n. Then

φ(p_1^{e_1} ⋯ p_k^{e_k}) = φ(p_1^{e_1}) ⋯ φ(p_k^{e_k})
  = p_1^{e_1−1}(p_1 − 1) ⋯ p_k^{e_k−1}(p_k − 1)
  = p_1^{e_1}(1 − 1/p_1) ⋯ p_k^{e_k}(1 − 1/p_k)
  = n · ∏_{i=1}^{k} (1 − 1/p_i).

Alternatively, use the inclusion-exclusion principle.
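Added example (not from the slides): φ(n) evaluated from the prime factorization by the product formula above, and the reverse direction of the remark on products of two primes, recovering p and q from n and φ(n) by solving the quadratic x² − (n − φ(n) + 1)x + n. The trial-division factorization is only meant for the small numbers used here; names are my own.

```python
# Added example (not from the slides): Euler's phi from the factorization, and p, q from (n, phi(n)).
from math import isqrt


def factorize(n):
    """Trial-division factorization into {prime: exponent}; adequate for small n only."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), evaluated as prod p^(e-1) * (p - 1) to stay in integers."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def factor_from_phi(n, phi_n):
    """Given n = p*q (distinct primes) and phi(n), return (p, q) with p < q, or None if
    phi_n is not the totient of such an n. Uses p + q = n - phi(n) + 1 and p*q = n."""
    s = n - phi_n + 1                  # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n else None
```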

Common modulus attack

Scenario:
- A group of people use the same modulus n = pq, but with different, coprime exponents e_1 and e_2.
- A message is encrypted twice, using (n, e_1) and (n, e_2):

c_1 ≡ m^{e_1} (mod n),
c_2 ≡ m^{e_2} (mod n).

- Eve, who knows the public keys (n, e_1) and (n, e_2), intercepts c_1 and c_2 and computes s, t ∈ ℤ such that

s e_1 + t e_2 = 1.

- Without loss of generality, assume that s is negative. Then, provided c_1 is coprime to n,

m ≡ (c_1^{−1})^{−s} · c_2^{t} (mod n),

since (c_1^{−1})^{−s} c_2^{t} = m^{s e_1 + t e_2} = m. (If gcd(c_1, n) > 1, Eve has found a factor of n instead.)
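Added example (not from the slides): the common-modulus attack above. The Bézout coefficients are obtained from a modular inverse (s = e_1^{−1} mod e_2, t = (1 − s e_1)/e_2), so here t ≤ 0 plays the role of the negative coefficient and c_2 is the ciphertext that must be inverted. Keys and ciphertexts in the test are constructed with the slides' toy modulus; names are my own.

```python
# Added example (not from the slides): common-modulus attack on RSA.
from math import gcd


def bezout(e1, e2):
    """Return (s, t) with s*e1 + t*e2 == 1 for coprime e1, e2 (s > 0, t <= 0)."""
    if gcd(e1, e2) != 1:
        raise ValueError("exponents must be coprime")
    s = pow(e1, -1, e2)
    t = (1 - s * e1) // e2             # exact division
    return s, t


def power_signed(c, k, n):
    """c^k mod n for k of either sign; a negative k needs c to be invertible modulo n."""
    if k < 0:
        g = gcd(c, n)
        if g != 1:
            # even better for Eve: gcd(c, n) is a prime factor of n
            raise ValueError(f"ciphertext shares the factor {g} with n")
        c, k = pow(c, -1, n), -k
    return pow(c, k, n)


def common_modulus_attack(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1, c2 = m^e2 (mod n) with gcd(e1, e2) = 1, using only public data."""
    s, t = bezout(e1, e2)
    return power_signed(c1, s, n) * power_signed(c2, t, n) % n
```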

Low encryption exponent attack

Scenario:
- Two people use the same low exponent e, but with different coprime moduli n_1 and n_2.
- A message is encrypted twice, using (n_1, e) and (n_2, e):

c_1 ≡ m^e (mod n_1),
c_2 ≡ m^e (mod n_2).

- Eve, who knows (n_1, e) and (n_2, e), intercepts c_1 and c_2 and applies the Chinese Remainder Theorem:

m^e ≡ c_1 n_2 [n_2^{−1}]_{n_1} + c_2 n_1 [n_1^{−1}]_{n_2} (mod n_1 n_2).

- Since e is low, she can quickly compute m from m^e by taking an integer e-th root. This requires the right-hand side to be the integer m^e itself, i.e. m^e < n_1 n_2; for e = 2 this holds automatically since m < n_1, n_2. For general e one needs e ciphertexts of m under e pairwise coprime moduli (then m^e < n_1 ⋯ n_e), which is Håstad's broadcast attack. Randomized padding defeats it.

Timing attack: Demonstrated by Paul Kocher (1996)

- In this scenario, Eve is able to recover the private key by timing the decryption of chosen ciphertexts, since the running time of square-and-multiply depends on the bits of d.
- One method of countering this attack is to randomize the ciphertext c before decryption, known as blinding:

1. The receiver of the message generates a fresh random number r ∈ {1, …, n − 1} which is coprime to n.
2. He then computes

c′ ≡ c · r^e (mod n),
m′ ≡ (c′)^d (mod n),

where (n, e) and (n, d) are his public and private key.
3. Finally he recovers the plaintext by

m ≡ m′ · r^{−1} (mod n),

which works because m′ = c^d · r^{ed} ≡ m · r (mod n). The value actually exponentiated, c′, is unknown to the attacker, so the measured time no longer correlates with the chosen ciphertext.
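Added example (not from the slides): RSA decryption with the ciphertext blinding described above. A fresh r is drawn from the operating system's CSPRNG for every decryption; the rng parameter exists only so that a test can pin r. The key (2537, 13, 937) is the slides' toy key, the names are my own.

```python
# Added example (not from the slides): blinded RSA decryption, (c * r^e)^d = m * r (mod n).
import secrets
from math import gcd


def blind(c, n, e, r):
    return c * pow(r, e, n) % n


def unblind(m_blind, n, r):
    return m_blind * pow(r, -1, n) % n


def blinded_decrypt(c, n, e, d, rng=secrets.randbelow):
    """Decrypt c with the private exponent d, exponentiating only the randomized value c * r^e."""
    while True:
        r = rng(n - 1) + 1                # r in {1, ..., n-1}
        if gcd(r, n) == 1:                # invertible; a failure here would reveal a factor of n
            break
    c_blind = blind(c, n, e, r)
    m_blind = pow(c_blind, d, n)          # the only operation that involves d
    return unblind(m_blind, n, r)
```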

Electromagnetic side channel attacks: Stealing keys by measuring CPU emissions during GnuPG decryption

Source: http://www.tau.ac.il/~tromer/radioexp/index.html

Rabin's cryptosystem (Michael O. Rabin, 1979)

Parameters: The private key consists of two large primes p, q ≡ 3 (mod 4). The public key is n = pq.

Encryption: For a message m < n the ciphertext is

c ≡ m² (mod n).

Decryption: Solve the preceding equation for m. In general it has four solutions, so the message needs enough redundancy (e.g. a fixed suffix) for the receiver to pick the right one.

Remarks
- Encryption (a single squaring) is faster than in RSA, while decryption is comparable to RSA.
- Breaking Rabin's system is at least as hard as breaking RSA: recovering plaintexts is provably equivalent to factoring n (see the chosen-ciphertext attack below), and factoring n breaks RSA.

Decryption in Rabin's system

Find m such that m² ≡ c (mod n) or, equivalently,

m² ≡ c (mod p),  m² ≡ c (mod q).

Let c_p and c_q be square roots of c modulo p resp. q. Then m is the solution of one of these four systems of congruences:

m ≡ ±c_p (mod p),  m ≡ ±c_q (mod q).

By the Chinese Remainder Theorem,

m_{1,2,3,4} ≡ ±[q^{−1}]_p · q · c_p ± [p^{−1}]_q · p · c_q (mod n).

We claim that
1. c_p = c^{(p+1)/4} is a square root of c modulo p,
2. c_q = c^{(q+1)/4} is a square root of c modulo q.

Square roots modulo a prime

Definition. For integers x, d, n ∈ ℤ we write

x = √d (mod n)

if x² ≡ d (mod n).

Theorem. For any prime p ≡ 3 (mod 4) and any c ∈ ℤ that is a square modulo p (as a Rabin ciphertext is),

c^{(p+1)/4} = √c (mod p).

Proof. Let m = √c (mod p). If m ≡ 0 (mod p) the claim is trivial, so assume m ≢ 0 (mod p). By Fermat's little theorem,

(c^{(p+1)/4})² = c^{(p+1)/2} = c · c^{(p−1)/2} ≡ c · (m²)^{(p−1)/2} = c · m^{p−1} ≡ c (mod p).

Note that (p + 1)/4 is an integer precisely because p ≡ 3 (mod 4). If c is not a square modulo p, then c^{(p−1)/2} ≡ −1 (mod p) by Euler's criterion and c^{(p+1)/4} is a square root of −c instead; a decryption routine should therefore verify the result by squaring.

Rabin's cryptosystem in Sage

Key generation
sage: p = next_prime(2^64)
sage: while mod(p, 4) == 1: p = next_prime(p + 1)
sage: p
18446744073709551667
sage: q = next_prime(p + 1)
sage: while mod(q, 4) == 1: q = next_prime(q + 1)
sage: q
18446744073709551923
sage: n = p*q
sage: n
340282366920938470067308985819787705641

Rabin's cryptosystem in Sage (cont'd)

Encryption
sage: plaintext = "Light the bomb."
sage: m = str2num(plaintext)
sage: m
21707254905248536231976545253
sage: c = power_mod(m, 2, n)
sage: c
71388244789996898707437212230941411828

Rabin's cryptosystem in Sage (cont'd)

Decryption
sage: cp = power_mod(c, (p+1)//4, p)
sage: cq = power_mod(c, (q+1)//4, q)
sage: m1 = crt(cp, cq, p, q)
sage: m1
21707254905248536231976545253
sage: m2 = crt(cp, -cq, p, q)
sage: m2
338549995433718506206332383335100684527
sage: m3 = crt(-cp, cq, p, q)
sage: m3
1732371487219963860976602484687021114
sage: m4 = crt(-cp, -cq, p, q)
sage: m4
340282366899231215162060449587811160388

Here m1 is the original message; the roots come in pairs, m4 = n − m1 and m3 = n − m2.

An attack on Rabin's system

If the same message m has been encrypted twice with coprime public keys N_1 and N_2, then

c_1 ≡ m² (mod N_1),
c_2 ≡ m² (mod N_2).

Using the Chinese Remainder Theorem,

m² ≡ [N_2^{−1}]_{N_1} N_2 c_1 + [N_1^{−1}]_{N_2} N_1 c_2 (mod N_1 N_2),

and since m < N_1, N_2 we have m² < N_1 N_2, so m is the integer square root of

([N_2^{−1}]_{N_1} N_2 c_1 + [N_1^{−1}]_{N_2} N_1 c_2) mod N_1 N_2,

which can be computed efficiently.
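Added example (not from the slides): the "same message under several coprime moduli" attack of this section and of the RSA low-exponent section, in one function for a general exponent e. It needs m^e < N_1 ⋯ N_k, which is why e ciphertexts are required in general: with fewer, the CRT yields only m^e mod N, and the exact-root test fails. The moduli (products of two small primes) and the message are constructed for the test; names are my own.

```python
# Added example (not from the slides): broadcast attack for Rabin (e = 2) and low-exponent RSA.
from math import gcd, prod


def crt(residues, moduli):
    """CRT for pairwise coprime moduli, by the explicit formula."""
    N = prod(moduli)
    return sum(a * (N // n) * pow(N // n, -1, n) for a, n in zip(residues, moduli)) % N


def iroot(x, e):
    """floor(x^(1/e)) for x >= 0 by integer Newton iteration from an upper bound."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + e - 1) // e)     # r >= x^(1/e)
    while True:
        s = ((e - 1) * r + x // r ** (e - 1)) // e
        if s >= r:
            return r
        r = s


def broadcast_attack(e, ciphertexts, moduli):
    """Recover m from c_i = m^e mod N_i (i = 1..k) when m^e < N_1 * ... * N_k; otherwise None."""
    if len(ciphertexts) != len(moduli):
        raise ValueError("need one ciphertext per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    me = crt(ciphertexts, moduli)          # equals the integer m^e only if m^e < prod(moduli)
    m = iroot(me, e)
    return m if m ** e == me else None
```

With e = 3 the attack succeeds on three ciphertexts and fails on two of them, because then m³ exceeds N_1 N_2; with e = 2 two ciphertexts always suffice.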

A chosen ciphertext attack

Suppose Eve has access to the respective plaintexts for some chosen ciphertext c with gcd(c, n) = 1:

m_1 ≡ [q^{−1}]_p q c_p + [p^{−1}]_q p c_q (mod n),
m_2 ≡ [q^{−1}]_p q c_p − [p^{−1}]_q p c_q (mod n),
m_3 ≡ −[q^{−1}]_p q c_p + [p^{−1}]_q p c_q (mod n),
m_4 ≡ −[q^{−1}]_p q c_p − [p^{−1}]_q p c_q (mod n).

Taking differences, Eve obtains

m_1 − m_2 ≡ m_3 − m_4 ≡ 2[p^{−1}]_q p c_q (mod n),
m_1 − m_3 ≡ m_2 − m_4 ≡ 2[q^{−1}]_p q c_p (mod n).

The first difference is divisible by p but not by q (since c_q ≢ 0 (mod q)), the second by q but not by p, so using the Euclidean algorithm she computes

gcd(m_1 − m_2, n) = gcd(m_3 − m_4, n) = p,
gcd(m_1 − m_3, n) = gcd(m_2 − m_4, n) = q.

Two plaintexts already suffice: any pair of roots that are not negatives of each other yields a factor.

A chosen ciphertext attack (cont'd)

In Sage
sage: p_guess = gcd(m1 - m2, n)
sage: p_guess
18446744073709551667
sage: q_guess = gcd(m1 - m3, n)
sage: q_guess
18446744073709551923
sage: factor(n)
18446744073709551667 * 18446744073709551923

Note. Breaking Rabin's system (that is, recovering the respective plaintexts from the ciphertext) is as hard as factoring: factoring n allows decryption as shown above, and conversely an algorithm returning some square root of m² mod n for a random m returns, with probability 1/2, a root that is not ±m, after which a gcd yields a factor.
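Added example (not from the slides): Rabin key generation, encryption and four-root decryption for primes p, q ≡ 3 (mod 4), followed by the chosen-ciphertext attack above, where any two roots that are not negatives of each other factor n with a single gcd. The parameters are the slides' toy primes 43 and 59 (both ≡ 3 mod 4); real keys use primes of a thousand bits or more. Names are my own.

```python
# Added example (not from the slides): Rabin encryption/decryption and factoring from two roots.
from math import gcd


def rabin_keygen(p, q):
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 modulo 4")
    return p * q, (p, q)


def rabin_encrypt(n, m):
    if not 0 <= m < n:
        raise ValueError("m must lie in Z_n")
    return m * m % n


def rabin_decrypt(priv, c):
    """Return the set of square roots of c modulo n = pq (four of them when gcd(c, n) = 1)."""
    p, q = priv
    n = p * q
    cp = pow(c, (p + 1) // 4, p)              # square root of c modulo p
    cq = pow(c, (q + 1) // 4, q)              # square root of c modulo q
    if cp * cp % p != c % p or cq * cq % q != c % q:
        raise ValueError("c is not a square modulo n: invalid ciphertext")
    # CRT as in the remark: m = (+-cp) * q * [q^-1]_p + (+-cq) * p * [p^-1]_q (mod n)
    yq = q * pow(q, -1, p)
    yp = p * pow(p, -1, q)
    return {(sp * cp * yq + sq * cq * yp) % n for sp in (1, -1) for sq in (1, -1)}


def factor_from_roots(n, roots):
    """Chosen-ciphertext attack: gcd(m_i - m_j, n) is a prime factor whenever m_i != +-m_j."""
    roots = list(roots)
    for i in range(len(roots)):
        for j in range(i + 1, len(roots)):
            g = gcd(roots[i] - roots[j], n)
            if 1 < g < n:
                return g, n // g
    return None
```

For m = 1520 and n = 2537 the ciphertext is 1730 and the four roots are 1520, 1017 (= n − 1520), 2079 and 458 (= n − 2079); gcd(1520 − 2079, 2537) = 43 and gcd(1520 − 458, 2537) = 59.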

Factoring: Pollard's ρ-method (John Pollard, 1975)

In Python (also valid in Sage)
from math import gcd

def pollard_rho(n):
    f = lambda k: (k*k + 1) % n    # iteration map x -> x^2 + 1 mod n
    x = 2
    y = x
    while True:
        x = f(x)                   # tortoise: one step
        y = f(f(y))                # hare: two steps
        g = gcd(x - y, n)
        if 1 < g < n:
            return g
        if x == y:                 # cycle closed without a factor: retry with another seed or map
            return None

Why Pollard's ρ-method terminates

Let x_0 = y_0 = 2, and for i ≥ 1 let

x_i = value of x after the i-th iteration of the while loop,
y_i = value of y after the i-th iteration of the while loop.

By induction on i it follows that

y_i = x_{2i}  (i = 0, 1, 2, …).

By the pigeonhole principle there are i, j such that i < j and x_i = x_j. With l = j − i it follows by induction on m and k that

(1) x_m = x_{m+l} (m ≥ i),   (2) x_m = x_{m+kl} (m ≥ i, k ≥ 0).

In particular, for k = ⌈i/l⌉ and m = kl (≥ i),

x_m = x_{m+kl} = x_{kl+kl} = x_{2kl} = x_{2m} = y_m,

so the loop stops after at most m iterations, either with a factor or with x == y.


Pollard’s ρ-method (cont’d)


Exercise. Find a factor of n = 323 by applying Pollard's ρ-method without using Sage.

Pollard's (p − 1)-method (John Pollard, 1974)

Input: a composite integer n
Output: a non-trivial factor of n, or failure

1. Select a smoothness bound B.
2. M ← ∏_{primes q ≤ B} q^{⌊log_q B⌋} (the least common multiple of 1, …, B).
3. Pick 1 < a < n coprime to n.
4. d ← gcd(a^M − 1, n).
5. If d = 1, then select a higher B and go to step 2, or return failure.
6. If d = n, then select a lower B (or another a) and go to step 2, or return failure.
7. Otherwise return d.

Note: If for a prime factor p of n, p − 1 is B-powersmooth (every prime power dividing p − 1 is at most B), then (p − 1) | M and hence a^M ≡ 1 (mod p) by Fermat's little theorem, so p | gcd(a^M − 1, n).

Pollard's (p − 1)-method (cont'd)

Example. Let us factorize n = 1241143 using a = 2 and B = 13. Then

M = 2³ · 3² · 5 · 7 · 11 · 13 = 360360.

We obtain

gcd(a^M − 1, n) = gcd(2^{360360} − 1, 1241143) = gcd(861525, 1241143) = 547,

where 861525 = (2^{360360} − 1) mod 1241143. It follows that 547 is a factor of n, and hence

n = 547 · 2269.

Indeed 547 − 1 = 2 · 3 · 7 · 13 is 13-powersmooth, whereas 2269 − 1 = 2² · 3⁴ · 7 is not (3⁴ = 81 > 13), so the gcd picks up 547 but not 2269.

Fermat's method

Theorem. Let n ∈ ℕ be odd. Then there is a one-to-one correspondence between factorizations of the form n = ab, where a > b > 0, and representations of the form n = t² − s², where s, t ∈ ℕ.

Proof. If n = ab, then a and b are odd, so (a + b)/2 and (a − b)/2 are integers and

n = ((a + b)/2)² − ((a − b)/2)².

Conversely, if n = t² − s², then

n = (t + s)(t − s).

The Fermat method (cont'd)

If n = ab and a, b are close to one another, then s = (a − b)/2 is small, so

t = √(n + s²)

is just a little greater than √n. In this case a, b can be found by trying for t all values starting with ⌊√n⌋ + 1, until t² − n is a square (= s²).

Example. Let us factorize n = 200819. We have ⌊√n⌋ + 1 = 449.
- For t = 449, we have t² − n = 782, which is not a square.
- For t = 450, we have t² − n = 1681 = 41² = s². Hence

n = (t + s)(t − s) = 491 · 409.
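Added example (not from the slides): Pollard's (p − 1)-method and Fermat's method as described above, run on the slides' numbers. Both are special-purpose: (p − 1) needs a prime factor p with p − 1 B-powersmooth, Fermat needs two factors close to each other, which is exactly why RSA primes must not be chosen too close together (n = 2537 = 43 · 59 splits at the very first step). Names are my own.

```python
# Added example (not from the slides): Pollard (p-1) and Fermat factoring.
from math import gcd, isqrt


def primes_upto(b):
    sieve = [True] * (b + 1)
    out = []
    for i in range(2, b + 1):
        if sieve[i]:
            out.append(i)
            for j in range(i * i, b + 1, i):
                sieve[j] = False
    return out


def pm1_exponent(B):
    """M = prod over primes q <= B of q^floor(log_q B), i.e. lcm(1, ..., B)."""
    M = 1
    for q in primes_upto(B):
        qk = q
        while qk * q <= B:
            qk *= q
        M *= qk
    return M


def pollard_pm1(n, B, a=2):
    """A nontrivial factor of n, or None when B is too small (d = 1) or too large (d = n)."""
    g = gcd(a, n)
    if g != 1:
        return g
    d = gcd(pow(a, pm1_exponent(B), n) - 1, n)
    return d if 1 < d < n else None


def fermat(n, max_steps=10**6):
    """Fermat's method for odd n: try t = floor(sqrt(n)) + 1, +2, ... until t^2 - n is a square s^2,
    then n = (t + s)(t - s). Returns (t + s, t - s, steps) or None after max_steps tries."""
    if n % 2 == 0:
        raise ValueError("n must be odd")
    t = isqrt(n)
    if t * t < n:
        t += 1
    for steps in range(1, max_steps + 1):
        s2 = t * t - n
        s = isqrt(s2)
        if s * s == s2:
            return t + s, t - s, steps
        t += 1
    return None
```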