Foundations of Modern Cryptography
Chapter 1: Public Key Cryptosystems Based on Factoring
Prof. K. Dohmen, Department of Mathematics
Last update: November 11, 2019
Contents
Asymmetric Cryptosystems
The RSA Cryptosystem
Conversion Between Strings and Numbers
More Mathematical Foundations
Attacks against RSA
Rabin’s Cryptosystem
Factoring
Department of Mathematics, Prof. K. Dohmen, Winter Term 2019/20, Public Key Cryptosystems Based on Factoring
Asymmetric cryptosystems
General setting:
- The sender encrypts a plaintext message using the receiver's public key.
- The receiver decrypts the received ciphertext message using his own private key.
List of characters:
Alice: sender of the message
Bob: receiver of the message
Eve: eavesdropper, a passive attacker who listens to the messages between Alice and Bob
Mallory: malicious attacker who can modify messages, substitute her own messages, replay old messages, etc.
The RSA Cryptosystem
Rivest, Shamir, Adleman (1978)
Initialization:
1 Bob chooses two big primes p and q.
2 He computes n = pq and φ(n) = (p − 1)(q − 1).
3 He deletes p and q. (If decryption is to use the CRT speed-up discussed later in this chapter, p and q are kept as part of the private key instead.)
Public key:
4 Bob chooses e ∈ N satisfying 1 < e < φ(n) and gcd(e, φ(n)) = 1.
5 He publishes (n, e).
Private key:
6 Bob computes d ∈ N satisfying 1 < d < φ(n) and ed = 1 (mod φ(n)).
7 He deletes φ(n) and keeps (n, d) secret.
The RSA Cryptosystem
Encryption and decryption
Encryption:
- Alice fetches Bob's public key (n, e).
- She encodes her message as m ∈ Z_n.
- She computes c = m^e in Z_n.
- She sends c to Bob.
Decryption:
- Bob looks up his own private key (n, d).
- He computes m = c^d in Z_n.
The RSA Cryptosystem
Initialization
Example
Bob chooses two (for this example, small) primes and computes
n = 43 · 59 = 2537, φ(n) = (43 − 1)(59 − 1) = 42 · 58 = 2436.
He then chooses 1 < e < φ(n) coprime with φ(n), e.g. e = 13, and computes its inverse in Z_2436:
13 · d = 1 (mod 2436).
The extended Euclidean algorithm gives d = 937 (check: 13 · 937 = 12181 = 5 · 2436 + 1).
- Public key: (2537, 13)
- Private key: (2537, 937)
The RSA Cryptosystem
Encryption
Example (cont'd)
Consider the plaintext
PUBLICKEYCRYPTOGRAPHYX.
Replacing each letter by its position 00, ..., 25 in the alphabet and grouping two letters per block, we obtain
1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423.
(Each block is at most 2525 < n = 2537 and hence a valid element of Z_n; the trailing X pads the message to an even number of letters.)
For (n, e) = (2537, 13) the encrypted message is
0095 1648 1410 1299 0811 2333 2132 0370 1185 1457 1084.
For example, 1520^13 = 95 in Z_2537.
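The initialization, encryption and decryption steps above, carried out in plain Python on the textbook key of the example. This is an added illustration, not code from the lecture notes; the two-letter block encoding, the helper names and the pad letter X are my choices that follow the slide's conventions.

```python
# Added example, not code from the lecture notes: the initialization,
# encryption and decryption steps of the slides in plain Python, checked
# against the textbook key n = 43 * 59 = 2537, e = 13 and the two-letter
# block encoding of PUBLICKEYCRYPTOGRAPHYX. Real deployments use 2048-bit
# moduli, OAEP padding and a vetted library; this only shows the arithmetic.
from math import gcd


def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, s, t = egcd(b, a % b)
    return (g, t, s - (a // b) * t)


def modinv(a, m):
    """Inverse of a modulo m, or ValueError if gcd(a, m) != 1."""
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return s % m


def rsa_keygen(p, q, e):
    """Steps 1-7 of the slide; returns (public key, private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encode_blocks(text):
    """A=00, ..., Z=25; two letters per block, so every block is < 2600.
    An odd-length message is padded with X as on the slide."""
    if len(text) % 2:
        text += "X"
    return [(ord(text[i]) - 65) * 100 + (ord(text[i + 1]) - 65)
            for i in range(0, len(text), 2)]


def decode_blocks(blocks):
    return "".join(chr(65 + b // 100) + chr(65 + b % 100) for b in blocks)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("block does not fit the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def roundtrip(text, p=43, q=59, e=13):
    """Encrypt block-wise, decrypt again; returns (ciphertext blocks, plaintext)."""
    pub, priv = rsa_keygen(p, q, e)
    cipher = [rsa_encrypt(pub, m) for m in encode_blocks(text)]
    plain = decode_blocks([rsa_decrypt(priv, c) for c in cipher])
    return cipher, plain


if __name__ == "__main__":
    print(rsa_keygen(43, 59, 13))
    print(roundtrip("PUBLICKEYCRYPTOGRAPHY"))
```

The first ciphertext block returned by roundtrip is 95, matching 1520^13 = 95 in Z_2537 on the slide, and the decrypted text ends in the pad letter X.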
RSA Correctness Theorem
Theorem
Let (n, e) be a public RSA key and (n, d) the corresponding private RSA key. Then
(m^e)^d = m for all m ∈ Z_n.
Proof.
We have to show that for 0 ≤ m < n,
m^{ed} = m (mod n).
Since n = pq with distinct primes p and q, it suffices to show that
m^{ed} = m (mod p), (1)
m^{ed} = m (mod q). (2)
RSA Correctness Theorem
Proof (cont'd).
We only prove (1); (2) is symmetric. Evidently, m^{ed} = m (mod p) if m = 0 (mod p), so we may assume m ≠ 0 (mod p). Since
ed = 1 (mod φ(n))
there exists k ∈ Z such that ed − 1 = kφ(n). Therefore,
m^{ed} = m^{1+kφ(n)} = m · m^{k(p−1)(q−1)} = m · (m^{p−1})^{k(q−1)} (mod p).
Since m ≠ 0 (mod p), m and p are coprime. By Fermat's little theorem,
m^{p−1} = 1 (mod p),
whence m^{ed} = m · 1^{k(q−1)} = m (mod p).
Fermat's Little Theorem
Theorem (Fermat, 1640)
For any prime p and any a ∈ Z with a ≠ 0 (mod p),
a^{p−1} = 1 (mod p).
Equivalently: For any prime p and any a ∈ Z,
a^p = a (mod p).
Proof.
By mathematical induction on a, using the binomial theorem: (a + 1)^p = a^p + 1 (mod p), because p divides every binomial coefficient C(p, k) with 0 < k < p.
Proof of Fermat's Little Theorem
Proof (Golomb, 1956).
- Consider all strings of length p over an alphabet of a symbols, without those consisting of a single symbol. For p = 5 and a = 2 this gives
AAAAB, AAABA, AABAA, ABAAA, BAAAA,
AAABB, AABBA, ABBAA, BBAAA, BAAAB,
AABAB, ABABA, BABAA, ABAAB, BAABA,
AABBB, ABBBA, BBBAA, BBAAB, BAABB,
ABABB, BABBA, ABBAB, BBABA, BABAB,
ABBBB, BBBBA, BBBAB, BBABB, BABBB.
- By combinatorics, there are a^p − a of them.
- Any two of them are regarded as equivalent if we can rotate one to obtain the other.
- Each string is equivalent to at most p strings (including itself), since there are no more than p rotations.
Proof of Fermat's Little Theorem
Proof (cont'd).
- If a string is equivalent to fewer than p strings (including itself), then the string is built up from several copies of a shorter string.
- The length of this shorter string is a divisor of p, and hence equal to 1 since p is prime. This is impossible since we excluded strings built from a single symbol.
- As a consequence, each equivalence class consists of exactly p strings, whence
(no. of equivalence classes) × p = a^p − a.
- As a conclusion, p divides a^p − a.
Proof of Fermat's Little Theorem
Graph-theoretic version of Golomb's proof
Proof.
- The chromatic polynomial
P_{C_p}(λ) = (λ − 1)^p + (−1)^p (λ − 1)
gives the number of proper λ-colorings of the cycle C_p.
- Any two proper λ-colorings are regarded as equivalent if we can rotate one to obtain the other.
- Since there are no more than p rotations, each such coloring is equivalent to at most p of them.
- If a coloring is equivalent to fewer than p of them, then it has a repetitive pattern of length l < p such that l | p, which is impossible since p is prime.
- As a consequence,
(no. of equivalence classes) × p = P_{C_p}(λ),
so p divides (λ − 1)^p + (−1)^p (λ − 1). For odd p this says (λ − 1)^p = λ − 1 (mod p) for every λ ∈ N, which is Fermat's little theorem with a = λ − 1; the case p = 2 is checked directly.
RSA in Sage
Example
sage: p = 67; q = 101
sage: n = p*q; e = 17
sage: n, e
(6767, 17)
sage: d = inverse_mod(e, (p-1)*(q-1))
sage: n, d
(6767, 1553)
sage: m = 1000
sage: c = power_mod(m, e, n)
sage: c
4838
sage: power_mod(c, d, n)
1000
RSA in Sage (cont'd)
Example
sage: pl = "Light the Bomb."
sage: plc = list(map(ord, pl))
sage: plc
[76, 105, 103, 104, 116, 32, 116, 104, 101, 32, 66, 111, 109, 98, 46]
sage: m = ZZ(plc, 256)
sage: m
240842001936252170065895346936441164
sage: ml = m.digits(256)
sage: ml
[76, 105, 103, 104, 116, 32, 116, 104, 101, 32, 66, 111, 109, 98, 46]
sage: ms = ''.join(map(chr, ml))
sage: ms
'Light the Bomb.'
(Under Python 3, map returns an iterator, so the list(...) call is needed before handing the digits to ZZ. The first character becomes the least significant base-256 digit.)
Conversion between strings and numbers
The following functions convert a string into an integer, and back again (the first character is the least significant base-256 digit):
In Sage
def _str2num(s):
    return ZZ(list(map(ord, s)), 256)

def _num2str(n):
    nl = n.digits(256)
    return ''.join(map(chr, nl))
Unfortunately, the integers obtained are quite large.
Conversion between strings and numbers (cont'd)
We obtain smaller integers by restricting to e.g. 71 characters:
In Sage
symbols = " 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz?!,.+-/="

def str2num(s):
    digits = [symbols.find(c) for c in s]
    if -1 in digits:
        raise ValueError("character not in symbol table")
    return ZZ(digits, len(symbols))

def num2str(n):
    s = ''.join([symbols[digit] for digit in n.digits(len(symbols))])
    return s
Note that the space is symbol 0, so trailing spaces of a string are lost as leading zero digits of the integer; the Base64 alphabet below never produces a space, so this does not affect the binary encoding that follows.
Encoding of Binary Data
Base64 Encoding
A well-known standard for encoding binary data is Base64.
- Each 24 bits of data are split into four 6-bit blocks.
- These blocks represent numbers in {0, ..., 63} and are encoded as the 64 characters A–Z, a–z, 0–9, + and / (with = as padding), all of which occur in our symbol string.
In Sage
import base64

def bin2num(data):
    # under Python 3, b64encode returns bytes, while str2num expects a str
    return str2num(base64.b64encode(data).decode('ascii'))

def num2bin(number):
    return base64.b64decode(num2str(number).encode('ascii'))
How to find modular inverses?
Bézout's identity
Theorem
For any integers a and b there are integers a′ and b′ such that
aa′ + bb′ = gcd(a, b).
Proof.
Without loss of generality, we may assume b ≥ 0. The proof is then by induction on b.
Induction base: For b = 0 choose a′ = sgn(a) and b′ ∈ Z arbitrary, since gcd(a, 0) = |a|.
Induction step: Let b > 0 and assume that the theorem holds for all smaller second arguments. Division with remainder yields
a = qb + r with 0 ≤ r < b.
We can now apply the induction hypothesis to the pair (b, r):
How to find modular inverses?
Bézout's identity
Proof (cont'd).
Applying the induction hypothesis to (b, r) gives b*, r* ∈ Z such that
b · b* + r · r* = gcd(b, r) = gcd(a, b).
By rearranging terms we obtain
gcd(a, b) = b · b* + (a − qb) · r* = a · r* + b · (b* − qr*).
Now choose a′ := r* and b′ := b* − qr*.
Extended Euclidean algorithm
In Python
def sgn(x):
    if x > 0: return 1
    if x < 0: return -1
    return 0

def xgcd(a, b):
    # returns (d, a', b') with a*a' + b*b' == d == gcd(a, b),
    # following the induction of the proof above
    if b == 0:
        return abs(a), sgn(a), 0
    q = a // b
    r = a % b
    d, bb, rr = xgcd(b, r)
    return d, rr, bb - q*rr

>>> xgcd(40902, 24140)
(34, 337, -571)
Check: 40902 · 337 − 24140 · 571 = 13783974 − 13783940 = 34. To invert a modulo m, call xgcd(a, m); if d = 1, the inverse is a′ mod m.
Worst-case complexity
Lemma
Let n be the number of recursive calls to xgcd for a > b > 0. Then
F_{n+1} ≤ b (n = 1, 2, 3, ...),
where F_1 = 1, F_2 = 1, F_n = F_{n−1} + F_{n−2} (n ≥ 3) are the Fibonacci numbers.
Proof.
Induction base: If n = 1 then b ≥ 1 = F_2, while for n = 2 we have b ≥ 2 = F_3.
Induction step: For n ≥ 3, the call xgcd(a, b) recurses to xgcd(b, r) with r = a mod b, which makes n − 1 recursive calls, and that call recurses to xgcd(r, b mod r), which makes n − 2 recursive calls. Applying the induction hypothesis to these two calls,
F_{n+1} = F_{(n−1)+1} + F_{(n−2)+1} ≤ r + (b mod r) = r + b − ⌊b/r⌋ r ≤ r + b − r = b.
Worst-case complexity (cont'd)
Lamé's theorem (Gabriel Lamé, 1795–1870)
The number of division steps in the extended Euclidean algorithm is at most five times the decimal length of the smaller argument.
Proof.
Let
n be the number of division steps in xgcd for a > b > 0,
k be the decimal length of b.
To obtain a contradiction, assume that n > 5k. Then
b ≥ F_{n+1} ≥ F_{5k+2} ≥ 10^k,
where the last inequality follows from Binet's formula. This contradicts the definition of k, since a number with k decimal digits is less than 10^k.
Fast exponentiation
Python implementation of the square-and-multiply algorithm
def pot(a, n):
    if n == 0:
        return 1
    if n % 2 == 1:
        return a * pot(a, n//2)**2
    else:
        return pot(a, n//2)**2
Exercise
Modify this code to obtain a function pot(a, n, m) for modular exponentiation modulo m.
Fast exponentiation (cont'd)
Definition
For any n ∈ N we use ℓ(n) resp. #₁(n) to denote the length of the binary representation of n (without leading 0's) resp. the number of 1's in the binary representation of n.
Lemma
For any n ∈ N,
ℓ(n) = ⌊log₂(n)⌋ + 1 = ⌈log₂(n + 1)⌉.
Theorem
For any n ∈ N the function pot(a, n) requires exactly ℓ(n) + #₁(n) multiplications and ℓ(n) divisions by 2.
Proof.
By induction on ℓ(n).
Fast exponentiation (cont'd)
Consider the arithmetic operations performed to compute
a^23 = a · (a · (a · (a^2)^2)^2)^2 = a · (a · (a · ((a · 1^2)^2)^2)^2)^2.
Using the abbreviations
0 for squaring,
1 for squaring and multiplying by a,
these operations can be described by
0111 if the computation starts with a,
10111 if the computation starts with 1.
Note that 10111 is the binary representation of 23:
23 = 1 · 2^4 + 0 · 2^3 + 1 · 2^2 + 1 · 2^1 + 1 · 2^0.
Fast exponentiation (cont'd)
Iterative implementation in Python
def pot(a, n):
    if n == 0: return 1
    n = bin(n)[3:]          # binary digits after the leading 1
    result = a
    for i in range(len(n)):
        result *= result    # every bit: square
        if n[i] == '1':     # 1 bits only: multiply by a
            result *= a
    return result
Avoiding side channel attacks
Montgomery's method (the Montgomery ladder)
def pot(a, n):
    if n == 0: return 1
    n = bin(n)[3:]
    result1 = a             # invariant: result2 == result1 * a
    result2 = a**2
    for i in range(len(n)):
        if n[i] == '1':
            result1 = result1*result2
            result2 = result2**2
        else:
            result2 = result1*result2
            result1 = result1**2
    return result1
Both branches perform one multiplication and one squaring, so the number and kind of operations no longer depend on the bits of n. Equal operation counts are necessary but not sufficient for constant-time code: the branch itself and the memory access pattern can still leak, so hardened implementations select between result1 and result2 without branching.
Speeding up encryption
Choose e of the form 2^k + 1, e.g.
e = 3, 17 or 65537.
Why is this sensible? Remember the fast exponentiation algorithm:
def pot(m, e):
    if e == 0: return 1
    e = bin(e)[3:]
    result = m
    for i in range(len(e)):
        result *= result
        if e[i] == '1':
            result *= m
    return result
The binary representation of 2^k + 1 is a 1, then k − 1 zeros, then a 1, so encryption costs k squarings and a single multiplication; e = 65537 = 2^16 + 1 is the usual choice.
Speeding up decryption
In order to find m = c^d (mod pq), first compute
m_p := c^{d mod (p−1)} mod p,
m_q := c^{d mod (q−1)} mod q.
By Fermat's little theorem,
m = m_p (mod p),
m = m_q (mod q).
By the Chinese Remainder Theorem, the unique solution modulo pq of this system of congruences is given by
m = s p m_q + t q m_p (mod pq),
where s, t ∈ Z are solutions of the Diophantine equation
sp + tq = 1.
Both exponentiations work with exponents and moduli of half the size of n, which makes decryption roughly four times faster; the private key then has to contain p and q.
Chinese remainder theorem
Theorem
Let n_1, ..., n_k be positive integers that are pairwise coprime. Then, for any given integers a_1, ..., a_k there exists an integer x solving the following system of simultaneous congruences:
x = a_1 (mod n_1)
x = a_2 (mod n_2)
...
x = a_k (mod n_k)
Furthermore, all solutions x of this system are congruent modulo the product N = n_1 ··· n_k.
Chinese remainder theorem
Proof (Existence).
Let [a^{-1}]_b denote the multiplicative inverse of a modulo b. Then
x := Σ_i a_i · (N/n_i) · [(N/n_i)^{-1}]_{n_i}
is easily seen to solve the system of congruences: modulo n_j every summand with i ≠ j vanishes, since n_j divides N/n_i, and the summand with i = j reduces to a_j.
Remark
In RSA decryption, the plaintext is recovered by
m = m_q · p · [p^{-1}]_q + m_p · q · [q^{-1}]_p (mod pq)
where
m_p = c^{d mod (p−1)} mod p,
m_q = c^{d mod (q−1)} mod q.
Chinese remainder theorem
Exercise
Solve the system of simultaneous congruences
x = 4 (mod 5)
x = 3 (mod 7)
Solution:
By the extended Euclidean algorithm,
3 · 5 − 2 · 7 = 1,
whence [5^{-1}]_7 = 3 and [7^{-1}]_5 = −2. By the Chinese Remainder Theorem,
x = 4 · 7 · [7^{-1}]_5 + 3 · 5 · [5^{-1}]_7 = 4 · 7 · (−2) + 3 · 5 · 3 = −11 = 24 (mod 35).
Euler's phi function
Definition
For n ∈ N let φ : N → N be defined by
φ(n) := #{m ∈ N | 1 ≤ m ≤ n, gcd(m, n) = 1}.
φ is called Euler's phi function or totient function.
Remark
φ(n) counts the units in the ring of integers modulo n.
Example
1 For any prime p, φ(p) = p − 1.
2 For any prime p and k ∈ N, φ(p^k) = p^{k−1}(p − 1), since exactly the p^{k−1} multiples of p in {1, ..., p^k} are not coprime with p^k.
Multiplicativity of Euler's phi function
Theorem
Let n_1, ..., n_k ∈ N such that any two of them are relatively prime. Then
φ(n_1) ··· φ(n_k) = φ(n_1 ··· n_k).
Proof.
For any n ∈ N let
N(n) := {m ∈ N | 1 ≤ m ≤ n, gcd(m, n) = 1}.
We define f : N(n_1) × ··· × N(n_k) → N(n_1 ··· n_k) by
f(a_1, ..., a_k) := the unique solution x ∈ {1, ..., n_1 ··· n_k} of x = a_i (mod n_i) (1 ≤ i ≤ k).
By the Chinese Remainder Theorem, f is well-defined. By showing that f is a one-to-one correspondence and applying the product rule of combinatorics, the result follows.
Euler's phi function for products of two primes
Theorem
For any two distinct primes p and q,
φ(pq) = (p − 1)(q − 1).
Proof.
Since p and q are coprime,
φ(pq) = φ(p)φ(q) = (p − 1)(q − 1).
Remarks
1 The preceding theorem can be generalized to any number of distinct primes.
2 For n = pq computing φ(n) is as difficult as factoring n: from φ(n) = n − (p + q) + 1 one reads off p + q, and p and q are then the two roots of x^2 − (p + q) x + n.
A general formula for Euler's phi function
Theorem
For any n ∈ N, φ(n) = n · ∏_{p | n} (1 − 1/p).
Proof.
Let n = p_1^{e_1} ··· p_k^{e_k} be the prime factorization of n. Then
φ(p_1^{e_1} ··· p_k^{e_k}) = φ(p_1^{e_1}) ··· φ(p_k^{e_k})
= p_1^{e_1−1}(p_1 − 1) ··· p_k^{e_k−1}(p_k − 1)
= p_1^{e_1}(1 − 1/p_1) ··· p_k^{e_k}(1 − 1/p_k)
= n · ∏_{i=1}^{k} (1 − 1/p_i).
Alternatively, use the inclusion-exclusion principle.
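The totient formulas of the last slides and the remark that, for n = pq, φ(n) gives away the factorization, carried out in plain Python. This is an added example, not code from the lecture notes; the trial-division factorizer and the function names are mine.

```python
# Added example, not code from the lecture notes: phi(n) from a
# factorization, the multiplicativity and product-formula checks, and the
# remark that for n = pq knowing phi(n) is the same as knowing p and q:
# p + q = n - phi(n) + 1, so p, q are the roots of x^2 - (n - phi(n) + 1) x + n.
from math import gcd, isqrt


def factorize(n):
    """Prime factorization by trial division as {p: exponent}; fine for small n."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's phi via phi(p^k) = p^(k-1) (p - 1) and multiplicativity."""
    result = 1
    for p, k in factorize(n).items():
        result *= p ** (k - 1) * (p - 1)
    return result


def phi_by_counting(n):
    """The definition itself, #{1 <= m <= n : gcd(m, n) = 1}; for checking only."""
    return sum(1 for m in range(1, n + 1) if gcd(m, n) == 1)


def factor_from_phi(n, phi_n):
    """Recover (p, q), p < q, from n = pq and phi(n) = (p - 1)(q - 1)."""
    s = n - phi_n + 1                 # p + q
    disc = s * s - 4 * n              # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        raise ValueError("inconsistent n and phi(n)")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("n is not a product of two primes with this phi")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("inconsistent n and phi(n)")
    return p, q


if __name__ == "__main__":
    print(phi(2537), phi(43) * phi(59), phi_by_counting(2537))
    print(factor_from_phi(2537, 2436), factor_from_phi(6767, 6600))
```

For the textbook modulus 2537 with φ(n) = 2436 the quadratic x^2 − 102x + 2537 has discriminant 256 = 16^2, giving the primes 43 and 59 back.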
Common modulus attack
Scenario:
- A group of people use the same modulus n = pq, but with different, coprime exponents e_1 and e_2.
- A message is encrypted twice using (n, e_1) and (n, e_2):
c_1 = m^{e_1} (mod n),
c_2 = m^{e_2} (mod n).
- Eve, who knows the public keys (n, e_1) and (n, e_2), intercepts c_1 and c_2 and computes s, t ∈ Z such that
s e_1 + t e_2 = 1.
- Without loss of generality, assume that s is negative. Then, provided c_1 is coprime with n,
m = (c_1^{-1})^{−s} · c_2^{t} (mod n),
since c_1^s c_2^t = m^{s e_1 + t e_2} = m. (If c_1 ≠ 0 is not coprime with n, then gcd(c_1, n) is already one of the prime factors of n.)
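The attack above in plain Python. This is an added example, not code from the lecture notes; the modulus is the n = 6767 of the Sage session, the exponent pair (17, 7) and the message are my constructed test data, and the Bézout coefficients are taken with t ≤ 0 rather than s < 0, which changes nothing in the argument.

```python
# Added example, not code from the lecture notes: the common-modulus attack
# above, run against the textbook modulus n = 6767 of the Sage session with
# the public exponents e1 = 17 and e2 = 7 (my choice: coprime to each other
# and to phi(n) = 6600). Eve's routine sees only the public keys and the two
# ciphertexts. pow(x, -1, n) is the modular inverse (Python 3.8+).
from math import gcd


def bezout_coefficients(e1, e2):
    """(s, t) with s*e1 + t*e2 == 1 for coprime e1, e2, normalized so t <= 0."""
    if gcd(e1, e2) != 1:
        raise ValueError("exponents must be coprime")
    s = pow(e1, -1, e2)              # 0 < s < e2, so s*e1 = 1 (mod e2)
    t = (1 - s * e1) // e2           # exact division; t <= 0
    return s, t


def common_modulus_attack(n, e1, e2, c1, c2):
    """Recover m from c1 = m^e1, c2 = m^e2 (mod n) without any private key."""
    for c in (c1, c2):
        if 1 < gcd(c, n) < n:        # then n is already factored
            raise ValueError("gcd(c, n) = %d is a factor of n" % gcd(c, n))
    s, t = bezout_coefficients(e1, e2)
    # A negative exponent is applied to the inverse of the base.
    if t < 0:
        c2, t = pow(c2, -1, n), -t
    return pow(c1, s, n) * pow(c2, t, n) % n


if __name__ == "__main__":
    n, e1, e2, m = 6767, 17, 7, 1000                # constructed example
    c1, c2 = pow(m, e1, n), pow(m, e2, n)
    print(bezout_coefficients(e1, e2), common_modulus_attack(n, e1, e2, c1, c2))
```

Here 5 · 17 − 12 · 7 = 1, so m = c_1^5 · (c_2^{-1})^{12} mod n, which yields the plaintext 1000 again.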
Low encryption exponent attack
Scenario:
- Two people use the same low exponent e, but with different, coprime moduli n_1 and n_2.
- A message is encrypted twice, using (n_1, e) and (n_2, e):
c_1 = m^e (mod n_1),
c_2 = m^e (mod n_2).
- Eve, who knows (n_1, e) and (n_2, e), intercepts c_1 and c_2 and applies the Chinese Remainder Theorem:
m^e = c_1 n_2 [n_2^{-1}]_{n_1} + c_2 n_1 [n_1^{-1}]_{n_2} mod n_1 n_2.
- Since e is low, she can quickly compute m from m^e: as long as m^e < n_1 n_2, the right-hand side is the integer m^e itself (not merely a residue), and m is its integer e-th root.
- In general, e ciphertexts of the same message under e pairwise coprime moduli suffice, since m < min n_i gives m^e < n_1 ··· n_e; this is Håstad's broadcast attack.
Timing attack
Demonstrated by Paul Kocher (1996)
- In this scenario, Eve is able to recover the private key from timing the decryption of chosen ciphertexts.
- One method of countering this attack is to randomize the ciphertext c before decryption, known as blinding:
1 The receiver of the message generates a random number r ∈ {1, ..., n − 1} which is coprime with n.
2 He then computes
c′ = c r^e (mod n),
m′ = (c′)^d (mod n),
where (n, e) and (n, d) are his public and private key. Note that m′ = (c r^e)^d = c^d r^{ed} = m r (mod n).
3 Finally he recovers the plaintext by
m = m′ r^{-1} (mod n).
Since r is fresh for every decryption, the value that is actually exponentiated is unknown to Eve, so she can no longer correlate her chosen ciphertexts with the measured timings.
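The three blinding steps above in plain Python on the textbook key of the Sage session. This is an added example, not code from the lecture notes; the function returns the blinded intermediate as well so that m′ = m r can be observed, and the optional r argument exists only for reproducible testing.

```python
# Added example, not code from the lecture notes: RSA decryption with the
# blinding step described above, on the textbook key (n, e, d) =
# (6767, 17, 1553) of the Sage session. A fresh r comes from the secrets
# module; a caller may pass r explicitly for testing. pow(r, -1, n) is the
# modular inverse (Python 3.8+).
import secrets
from math import gcd


def random_unit(n):
    """r in {1, ..., n-1} with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def blinded_decrypt(c, n, e, d, r=None):
    """c^d mod n computed as (c r^e)^d r^-1, so the private exponentiation never
    runs on an attacker-chosen value. Returns (m, m_blind); m_blind = m r mod n."""
    if r is None:
        r = random_unit(n)
    elif not (0 < r < n) or gcd(r, n) != 1:
        raise ValueError("r must be a unit modulo n")
    c_blind = c * pow(r, e, n) % n            # c' = c r^e
    m_blind = pow(c_blind, d, n)              # m' = (c')^d = m r (mod n)
    m = m_blind * pow(r, -1, n) % n           # m = m' r^-1
    return m, m_blind


if __name__ == "__main__":
    print(blinded_decrypt(4838, 6767, 17, 1553, r=5))   # (1000, 5000)
    print(blinded_decrypt(4838, 6767, 17, 1553))        # (1000, random)
```

Blinding removes Eve's control over the exponentiated value; it does not by itself remove the key-dependent branches of the exponentiation loop, which is why it is combined with a ladder-style implementation as shown earlier.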
Electromagnetic side channel attacks
Stealing keys by measuring CPU emissions during GnuPG decryption
Source: http://www.tau.ac.il/~tromer/radioexp/index.html
Rabin's cryptosystem
Michael O. Rabin (1979)
Parameters: The private key consists of two large primes p, q with p = q = 3 (mod 4). The public key is n = pq.
Encryption: For a message m < n the ciphertext is
c = m^2 (mod n).
Decryption: Solve the preceding equation for m.
Remarks
- Encryption is faster than in RSA (a single squaring), while decryption is comparable to RSA.
- Breaking Rabin's system (recovering plaintexts from ciphertexts) is provably as hard as factoring n, and factoring is at least as hard as breaking RSA.
- Decryption yields four candidate plaintexts; the genuine one has to be recognised, e.g. by redundancy in the message.
Decryption in Rabin's system
Find m such that m^2 = c (mod n), or equivalently,
m^2 = c (mod p), m^2 = c (mod q).
Let c_p and c_q be square roots of c modulo p resp. q. Then m is the solution of one of these four systems of congruences:
m = ±c_p (mod p), m = ±c_q (mod q).
By the Chinese Remainder Theorem,
m_{1/2/3/4} = ±[q^{-1}]_p q c_p ± [p^{-1}]_q p c_q (mod n).
We claim that
1 c_p = c^{(p+1)/4} is a square root of c modulo p,
2 c_q = c^{(q+1)/4} is a square root of c modulo q.
Square roots modulo a prime
Definition
For integers x, d, n ∈ Z we write
x = √d (mod n)
if x^2 = d (mod n).
Theorem
For any prime p = 3 (mod 4) and any c ∈ Z that is a square modulo p (as a ciphertext c = m^2 always is),
c^{(p+1)/4} = √c (mod p).
Proof.
Let m = √c (mod p). If c = 0 (mod p) both sides are 0. Otherwise m ≠ 0 (mod p), and by Fermat's little theorem
(c^{(p+1)/4})^2 = c^{(p+1)/2} = c · c^{(p−1)/2} = c · (m^2)^{(p−1)/2} = c · m^{p−1} = c (mod p).
Note that (p + 1)/4 is an integer precisely because p = 3 (mod 4).
Rabin's cryptosystem in Sage
Key generation
sage: p = next_prime(2^64)
sage: while mod(p,4)==1: p = next_prime(p+1)
sage: p
18446744073709551667
sage: q = next_prime(p+1)
sage: while mod(q,4)==1: q = next_prime(q+1)
sage: q
18446744073709551923
sage: n = p*q
sage: n
340282366920938470067308985819787705641
Rabin's cryptosystem in Sage (cont'd)
Encryption
sage: plaintext = "Light the bomb."
sage: m = str2num(plaintext)
sage: m
21707254905248536231976545253
sage: c = power_mod(m, 2, n)
sage: c
71388244789996898707437212230941411828
Rabin's cryptosystem in Sage (cont'd)
Decryption
sage: cp = power_mod(c, (p+1)//4, p)
sage: cq = power_mod(c, (q+1)//4, q)
sage: m1 = crt(cp, cq, p, q)
sage: m1
21707254905248536231976545253
sage: m2 = crt(cp, -cq, p, q)
sage: m2
338549995433718506206332383335100684527
sage: m3 = crt(-cp, cq, p, q)
sage: m3
1732371487219963860976602484687021114
sage: m4 = crt(-cp, -cq, p, q)
sage: m4
340282366899231215162060449587811160388
Here m1 = m is the original plaintext; m4 = n − m1 and m3 = n − m2 are the negatives of the other two roots.
An attack on Rabin's system
If the same message m has been encrypted twice with coprime public keys N_1 and N_2, then
c_1 = m^2 (mod N_1),
c_2 = m^2 (mod N_2).
Using the Chinese Remainder Theorem,
m^2 = [N_2^{-1}]_{N_1} N_2 c_1 + [N_1^{-1}]_{N_2} N_1 c_2 (mod N_1 N_2),
and since m < min(N_1, N_2) implies m^2 < N_1 N_2, m is the integer square root of
([N_2^{-1}]_{N_1} N_2 c_1 + [N_1^{-1}]_{N_2} N_1 c_2) mod N_1 N_2,
which can be computed efficiently. This is the e = 2 case of the low exponent attack on RSA.
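One Chinese-remainder routine in plain Python serves several of the preceding slides: the exercise x = 4 (mod 5), x = 3 (mod 7); the RSA-CRT decryption of "Speeding up decryption" (with the re-encryption check that protects a CRT implementation against faulty outputs); and the low exponent attack on RSA together with its e = 2 variant on Rabin just above. This is an added example, not code from the lecture notes; the three moduli, the message 9999 and the function names are my constructed test data.

```python
# Added example, not code from the lecture notes. One CRT routine in plain
# Python serves three slides: the exercise x = 4 (mod 5), x = 3 (mod 7); the
# RSA-CRT decryption of the "Speeding up decryption" slide on the textbook
# key p = 67, q = 101, d = 1553 of the Sage session; and the low-exponent
# attack on RSA (Håstad's broadcast attack) together with its Rabin (e = 2)
# variant, both of which CRT-combine the ciphertexts and take an integer
# e-th root. The moduli 11413 = 101*113, 14017 = 107*131, 20413 = 137*149 and
# the message 9999 are my constructed test data (all prime factors are 2 mod 3,
# so e = 3 is a valid RSA exponent). pow(x, -1, n) is the modular inverse (3.8+).
from functools import reduce


def crt(residues, moduli):
    """Unique 0 <= x < N with x = a_i (mod n_i), N = prod n_i, for pairwise
    coprime moduli: x = sum a_i (N/n_i) [(N/n_i)^-1]_{n_i}."""
    N = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a, n in zip(residues, moduli):
        Ni = N // n
        x += a * Ni * pow(Ni, -1, n)
    return x % N


def rsa_decrypt_crt(c, p, q, d, e=None):
    """m = c^d mod pq from two half-size exponentiations. If e is given, the
    result is re-encrypted and compared with c: a wrong half (e.g. from a
    hardware fault) would otherwise hand a factor of n to whoever sees it."""
    mp = pow(c, d % (p - 1), p)
    mq = pow(c, d % (q - 1), q)
    m = crt([mp, mq], [p, q])
    if e is not None and pow(m, e, p * q) != c % (p * q):
        raise ValueError("CRT decryption failed verification")
    return m


def iroot(x, k):
    """Largest integer r with r**k <= x (integer Newton iteration)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + k - 1) // k)     # starts above the root
    while True:
        s = ((k - 1) * r + x // r ** (k - 1)) // k
        if s >= r:
            return r
        r = s


def low_exponent_attack(cts, mods, e):
    """Recover m from c_i = m^e mod n_i given e ciphertexts under pairwise
    coprime moduli; valid when m^e < n_1 ... n_e (true if m < min n_i)."""
    if len(cts) < e:
        raise ValueError("need at least e ciphertexts for exponent e")
    me = crt(cts, mods)           # equals the integer m^e, not just a residue
    m = iroot(me, e)
    if m ** e != me:
        raise ValueError("combined value is not an e-th power; m^e too large?")
    return m


if __name__ == "__main__":
    print(crt([4, 3], [5, 7]), rsa_decrypt_crt(4838, 67, 101, 1553, e=17))
    mods, m = [11413, 14017, 20413], 9999
    print(low_exponent_attack([pow(m, 3, n) for n in mods], mods, 3))
    print(low_exponent_attack([pow(m, 2, n) for n in mods[:2]], mods[:2], 2))
```

With e = 3 and three moduli the combined value is the integer 9999^3 = 999700029999, which lies below the product of the moduli, so the cube root is exact; with e = 2 and two moduli the same routine reproduces the Rabin attack.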
A chosen ciphertext attack
Suppose Eve has access to the respective plaintexts for some chosen ciphertext c (e.g. from a decryption oracle):
m_1 = [q^{-1}]_p q c_p + [p^{-1}]_q p c_q (mod n),
m_2 = [q^{-1}]_p q c_p − [p^{-1}]_q p c_q (mod n),
m_3 = −[q^{-1}]_p q c_p + [p^{-1}]_q p c_q (mod n),
m_4 = −[q^{-1}]_p q c_p − [p^{-1}]_q p c_q (mod n).
Taking differences, Eve obtains
m_1 − m_2 = m_3 − m_4 = 2 [p^{-1}]_q p c_q (mod n),
m_1 − m_3 = m_2 − m_4 = 2 [q^{-1}]_p q c_p (mod n).
Using the Euclidean algorithm, she computes
gcd(m_1 − m_2, n) = gcd(m_3 − m_4, n) = p,
gcd(m_1 − m_3, n) = gcd(m_2 − m_4, n) = q.
(In practice Eve receives only one root m from the oracle for her chosen c = x^2. With probability 1/2 it is neither x nor −x, and then gcd(x − m, n) already factors n.)
A chosen ciphertext attack (cont'd)
In Sage
sage: p_guess = gcd(m1-m2, n)
sage: p_guess
18446744073709551667
sage: q_guess = gcd(m1-m3, n)
sage: q_guess
18446744073709551923
sage: factor(n)
18446744073709551667 * 18446744073709551923
Note
Breaking Rabin's system (that is, recovering the respective plaintexts from the ciphertext) is as hard as factoring.
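Rabin key generation, encryption, the four-root decryption and the chosen ciphertext factoring attack of the preceding slides in plain Python, on the small key p = 43, q = 59 (the same n = 2537 as in the RSA example) instead of the 64-bit primes of the Sage session. This is an added example, not code from the lecture notes; the message and the function names are my choices.

```python
# Added example, not code from the lecture notes: Rabin key generation,
# encryption, decryption (the four roots via c^((p+1)/4) and the CRT) and
# the chosen-ciphertext factoring attack of the last two slides, on the
# small key p = 43, q = 59 (both 3 mod 4; n = 2537 as in the RSA example).
# The Sage session above does the same with 64-bit primes. Message and
# ciphertext are constructed; pow(x, -1, n) is the modular inverse (3.8+).
from math import gcd


def rabin_keygen(p, q):
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("need distinct primes p, q = 3 (mod 4)")
    return p * q, (p, q)


def rabin_encrypt(n, m):
    if not 0 <= m < n:
        raise ValueError("message must be < n")
    return m * m % n


def rabin_decrypt(p, q, c):
    """The four m with m^2 = c (mod pq), in the slide's order m1..m4:
    m = +-[q^-1]_p q c_p +-[p^-1]_q p c_q (mod n)."""
    n = p * q
    cp = pow(c, (p + 1) // 4, p)
    cq = pow(c, (q + 1) // 4, q)
    if cp * cp % p != c % p or cq * cq % q != c % q:
        raise ValueError("c is not a square modulo n")   # not a valid ciphertext
    qinv_p = pow(q, -1, p)          # [q^-1]_p
    pinv_q = pow(p, -1, q)          # [p^-1]_q
    return [(sp * q * qinv_p + sq * p * pinv_q) % n
            for sp in (cp, -cp) for sq in (cq, -cq)]


def rabin_cca_factor(n, roots):
    """Given all four decryptions of one ciphertext, return (p, q), p < q:
    two roots that are neither equal nor negatives of each other differ by
    a multiple of exactly one of the primes, which the gcd extracts."""
    for i in range(len(roots)):
        for j in range(i + 1, len(roots)):
            if roots[i] != roots[j] and (roots[i] + roots[j]) % n != 0:
                g = gcd(roots[i] - roots[j], n)
                if 1 < g < n:
                    return min(g, n // g), max(g, n // g)
    raise ValueError("roots do not factor n (does c share a factor with n?)")


if __name__ == "__main__":
    n, _ = rabin_keygen(43, 59)
    c = rabin_encrypt(n, 1520)
    roots = rabin_decrypt(43, 59, c)
    print(c, roots, rabin_cca_factor(n, roots))
```

For m = 1520 the ciphertext is 1730, the four roots all square to 1730 modulo 2537, and the gcd of the first two roots' difference with n is 43.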
Factoring: Pollard's ρ-method
John Pollard (1975)
In Sage
def pollard_rho(n):
    f = lambda k: (k^2 + 1) % n       # in Sage, ^ denotes exponentiation
    x = 2
    y = x
    while True:
        x = f(x)                      # one step
        y = f(f(y))                   # two steps
        g = gcd(x - y, n)
        if g > 1 and g < n:
            return g
        if x == y:
            return None               # cycle closed without a factor
Why Pollard's ρ-method terminates
Let x_0 = y_0 = 2, and for i ≥ 1 let
x_i = value of x after the i-th iteration of the while loop,
y_i = value of y after the i-th iteration of the while loop.
By induction on i it follows that
y_i = x_{2i} (i = 0, 1, 2, ...).
By the pigeonhole principle there are i, j such that i < j and x_i = x_j. With l = j − i it follows by induction on m and k that
(1) x_m = x_{m+l} (m ≥ i), (2) x_m = x_{m+kl} (m ≥ i, k ≥ 0).
In particular, for k = ⌈i/l⌉ and m = kl (≥ i),
x_m = x_{m+kl} = x_{kl+kl} = x_{2kl} = x_{2m} = y_m.
So the loop stops after at most m iterations, either with a factor or with x = y.
Pollard's ρ-method (cont'd)
Exercise
Find a factor of n = 323 by applying Pollard's ρ-method without using Sage.
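Pollard's ρ-method as on the slide in plain Python, with a trace of the values x_i, y_i and the gcd per iteration so that the exercise n = 323 can be checked by hand, and a driver that retries with another polynomial when the walk closes without a factor. This is an added example, not code from the lecture notes; the retry driver and the trace helper are mine.

```python
# Added example, not code from the lecture notes: Pollard's rho with Floyd's
# cycle finding exactly as on the slide, in plain Python, plus a driver that
# retries with another polynomial when the walk closes without a factor.
# rho_trace() records (x_i, y_i, gcd) per iteration so the exercise n = 323
# can be checked against a hand computation.
from math import gcd


def pollard_rho(n, x0=2, c=1, trace=None):
    """Nontrivial factor of n via f(k) = k^2 + c mod n, or None if x == y first."""
    f = lambda k: (k * k + c) % n
    x = y = x0
    while True:
        x = f(x)                     # tortoise: one step
        y = f(f(y))                  # hare: two steps, so y_i = x_{2i}
        g = gcd(abs(x - y), n)
        if trace is not None:
            trace.append((x, y, g))
        if 1 < g < n:
            return g
        if x == y:                   # cycle closed without a factor
            return None


def rho_trace(n, x0=2, c=1):
    """The (x_i, y_i, gcd(x_i - y_i, n)) triples up to termination."""
    trace = []
    pollard_rho(n, x0, c, trace)
    return trace


def rho_factor(n):
    """Retry pollard_rho with c = 1, 2, 3, ... until a factor appears."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        g = pollard_rho(n, c=c)
        if g is not None:
            return g
    return None


if __name__ == "__main__":
    print(rho_trace(323))            # [(5, 26, 1), (26, 316, 1), (31, 240, 19)]
    print(rho_factor(1241143))
```

For n = 323 the sequence is x_1 = 5, x_2 = 26, x_3 = 31, x_4 = 316, x_5 = 50, x_6 = 240; the third iteration compares x_3 = 31 with y_3 = x_6 = 240 and gcd(209, 323) = 19.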
Pollard's (p − 1)-method
John Pollard (1974)
Input: a composite integer n
Output: a non-trivial factor of n or failure
1 Select a smoothness bound B.
2 M ← ∏_{primes q ≤ B} q^{⌊log_q B⌋} (the least common multiple of 1, ..., B).
3 Pick 1 < a < n coprime to n.
4 d ← gcd(a^M − 1, n).
5 If d = 1, then select a higher B and go to step 2, or return failure.
6 If d = n, then select a lower B and go to step 2, or return failure.
7 Otherwise return d.
Note: If for a prime factor p of n, p − 1 is B-powersmooth (every prime power dividing p − 1 is at most B), then (p − 1) | M and a^M = 1 (mod p) by Fermat's little theorem, so p | d. More precisely, d collects exactly those prime factors p of n for which the order of a modulo p divides M; the method succeeds when this holds for some, but not all, of them.
Pollard's (p − 1)-method (cont'd)
Example
Let us factorize n = 1241143 using a = 2 and B = 13. Then
M = 2^3 · 3^2 · 5 · 7 · 11 · 13 = 360360.
We obtain
gcd(a^M − 1, n) = gcd(2^360360 − 1, 1241143) = gcd(861525, 1241143) = 547,
where 861525 = (2^360360 − 1) mod 1241143 is obtained by modular exponentiation. It follows that 547 is a factor of n, and hence
n = 547 · 2269.
Indeed 547 − 1 = 546 = 2 · 3 · 7 · 13 is 13-powersmooth, whereas 2269 − 1 = 2268 = 2^2 · 3^4 · 7 is not, since 3^4 = 81 > 13.
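The (p − 1)-method of the algorithm box in plain Python, run on the example n = 1241143. This is an added example, not code from the lecture notes; the sieve, the bound-doubling driver and the function names are mine.

```python
# Added example, not code from the lecture notes: Pollard's p - 1 method as
# in the algorithm box, with M built from the primes up to B, run on the
# slide's n = 1241143 with a = 2 and B = 13.
from math import gcd


def primes_up_to(B):
    """Sieve of Eratosthenes (B >= 2)."""
    is_prime = [True] * (B + 1)
    is_prime[0:2] = [False, False]
    for i in range(2, int(B ** 0.5) + 1):
        if is_prime[i]:
            for j in range(i * i, B + 1, i):
                is_prime[j] = False
    return [i for i in range(B + 1) if is_prime[i]]


def smooth_exponent(B):
    """M = prod_{primes q <= B} q^floor(log_q B), i.e. lcm(1, ..., B)."""
    M = 1
    for q in primes_up_to(B):
        qk = q
        while qk * q <= B:
            qk *= q
        M *= qk
    return M


def pollard_p_minus_1(n, B, a=2):
    """A nontrivial factor of n, or None (d = 1: raise B; d = n: lower B).
    Succeeds when ord_p(a) | M for some but not all prime factors p of n."""
    g = gcd(a, n)
    if 1 < g < n:
        return g
    M = smooth_exponent(B)
    d = gcd(pow(a, M, n) - 1, n)
    return d if 1 < d < n else None


def factor_p_minus_1(n, B_max=10 ** 5):
    """Double the bound B until a factor appears; returns (factor, B) or None."""
    B = 2
    while B <= B_max:
        d = pollard_p_minus_1(n, B)
        if d is not None:
            return d, B
        B *= 2
    return None


if __name__ == "__main__":
    print(smooth_exponent(13), pollard_p_minus_1(1241143, 13))   # 360360 547
    print(factor_p_minus_1(1241143))
```

With B = 5 the bound is too small (M = 60 is not a multiple of 546, and the order of 2 modulo either prime does not divide 60), so the gcd is 1 and the function returns None.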
Fermat's method
Theorem
Let n ∈ N be odd. Then there is a one-to-one correspondence between factorizations of the form n = ab, where a > b > 0, and representations of the form n = t^2 − s^2, where s, t ∈ N with t > s > 0.
Proof.
If n = ab, then a and b are odd, so (a + b)/2 and (a − b)/2 are integers and
n = ((a + b)/2)^2 − ((a − b)/2)^2.
Conversely, if n = t^2 − s^2, then
n = (t + s)(t − s).
The Fermat method (cont'd)
If n = ab and a, b are close to one another, then s = (a − b)/2 is small, so t = √(n + s^2) is just a little greater than √n. In this case a, b can be found by trying for t all values starting with ⌊√n⌋ + 1, until t^2 − n is a square (= s^2).
Example
Let us factorize n = 200819. We have ⌊√n⌋ + 1 = 449.
- For t = 449, we have t^2 − n = 782, which is not a square.
- For t = 450, we have t^2 − n = 1681 = 41^2 = s^2. Hence
n = (t + s)(t − s) = 491 · 409.
The search needs about (√a − √b)^2 / 2 values of t, so an RSA modulus whose primes are close together falls to this method immediately, while primes that differ in their leading bits put it out of reach.
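Fermat's method in plain Python, run on the example n = 200819 and with a step counter to show how the cost depends on the distance between the factors. This is an added example, not code from the lecture notes; the step limit and the function names are mine.

```python
# Added example, not code from the lecture notes: Fermat's method, trying
# t = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until t^2 - n is a square, on the
# slide's n = 200819, with a step counter to show that the cost grows with the
# distance between the factors.
from math import isqrt


def is_square(x):
    return x >= 0 and isqrt(x) ** 2 == x


def fermat_factor(n, max_steps=10 ** 6):
    """(a, b, steps) with a * b == n, a >= b, for odd n, or None if max_steps
    values of t are exhausted. steps ~ (sqrt(a) - sqrt(b))^2 / 2, so only
    factors of nearly equal size are found quickly."""
    if n % 2 == 0:
        raise ValueError("n must be odd")
    t = isqrt(n)
    if t * t < n:
        t += 1                       # t = ceil(sqrt(n))
    for steps in range(1, max_steps + 1):
        s2 = t * t - n
        if is_square(s2):
            s = isqrt(s2)
            return t + s, t - s, steps
        t += 1
    return None


if __name__ == "__main__":
    print(fermat_factor(200819))     # (491, 409, 2)
    print(fermat_factor(2537))       # (59, 43, 1)
    print(fermat_factor(1241143))    # 547 and 2269 are far apart: many steps
```

For n = 200819 the second value t = 450 succeeds; for the RSA example n = 2537 the very first value t = 51 gives 51^2 − 2537 = 64 = 8^2, hence 2537 = 59 · 43.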