
Seberry J. Cryptography: An Introduction to Computer Security. 1989 (.pdf)
4.2 RSA Cryptosystem 181
From Section 2.3.6, we know that both the primality and the factorization problems belong to NPI ∩ co-NPI. This means that there is no polynomial-time deterministic algorithm for primality testing. There is, however, a class of probabilistic algorithms which can be used if we accept a small probability of error (Section 2.3.9).
We start from Fermat's Little Theorem (Section 2.1.4), which can be used to design a simple primality test algorithm. The theorem asserts that if the modulus p is prime, then the following congruence holds:
$$a^{p-1} \equiv 1 \pmod p \qquad (4.13)$$
for any nonzero integer $a \in \mathbb{Z}_p$. A Monte Carlo algorithm based upon this congruence always gives the correct answer if the tested integer is indeed prime, whatever the value of a. Unfortunately, if p is composite, Congruence (4.13) may also be satisfied for some integers a. Such numbers p are called pseudoprimes. For example, each of the Fermat numbers $F_n = 2^{2^n} + 1$ satisfies Congruence (4.13), but not all of them are prime. The situation becomes worse when the tested number p is a Carmichael number: Carmichael numbers satisfy (4.13) for every a which is coprime to p (i.e. gcd(a, p) = 1). In other words, we need a stronger primality test.
Fermat's Little Theorem can still be useful for primality testing. However, to avoid problems with pseudoprimes, it is necessary to modify the testing procedure. Note that we do not need to use the congruence $a^{p-1} \equiv 1 \pmod p$. Instead we may apply the congruence
$$a^{\frac{p-1}{2}} \pmod p.$$
If p is prime, this value is either 1 or −1. A fast test which looks into the factors of p − 1 in order to determine the primality of the modulus p was developed by Miller [346] and Rabin [423]. In the Miller-Rabin test, first p − 1 is represented in the form $2^r s$ where s is an odd number. As the tested integer p is odd (even integers are not prime), p − 1 is even, so this representation is always valid. The testing starts by checking whether $a^s \equiv \pm 1 \pmod p$ for a random nonzero $a \in \mathbb{Z}_p$. If the congruence is true, we conclude that p is prime. Otherwise, we check whether $a^{2^i s} \equiv -1 \pmod p$ for $i = 1, \ldots, r-1$. If there is some i for which the congruence is true, the test returns "p is prime"; otherwise it returns "p is composite."
Miller-Rabin primality test – checks whether an integer p is prime.

T1. Find an odd integer s such that $p - 1 = 2^r s$.
T2. Select at random a nonzero integer $a \in_R \mathbb{Z}_p$.
T3. Compute $b = a^s \pmod p$. If $b = \pm 1$, return "p is prime" and quit.
T4. For $i = 1, \ldots, r-1$, calculate $c \equiv b^{2^i} \pmod p$. If $c = -1$, return "p is prime" and quit.
T5. Otherwise return "p is composite".
The test always gives the correct answer if the integer p is indeed prime. For composite p, the following theorem characterizes the test.
Theorem 17. (Rabin [423]) If p is composite, then the Miller-Rabin test fails for at least one quarter of the integers a with $0 < a \le p - 1$. In other words, the test erroneously returns "p is prime" for at most 1/4 of all integers a if p is composite.
So now we have a fast Monte Carlo algorithm for primality testing. It never makes mistakes when p is prime. If p is composite, it returns "p is prime" with probability at most 1/4. For instance, in order to bound the probability of error below $2^{-50}$, it is enough to run the Miller-Rabin test 25 times with independently chosen a.
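Steps T1–T5 as an added Python example (not code from the book): a Fermat check per (4.13) next to one Miller-Rabin round and the 25-round repetition. The Carmichael number 561 = 3·11·17 serves as a constructed check value, since it passes Fermat's test for base 2 yet fails a Miller-Rabin round; the function names are this example's own.

```python
import random

def split_power_of_two(n):
    """T1: write n = 2^r * s with s odd; returns (s, r)."""
    r = 0
    while n % 2 == 0:
        n //= 2
        r += 1
    return n, r

def fermat_test(p, a):
    """Fermat's test from (4.13): True when a^(p-1) = 1 (mod p).
    A composite p may still pass (pseudoprimes, Carmichael numbers)."""
    return pow(a, p - 1, p) == 1

def miller_rabin_round(p, a):
    """One round of T1-T5 for odd p > 2 with base a.
    Returns True for 'p is prime', False for 'p is composite'."""
    s, r = split_power_of_two(p - 1)        # T1: p - 1 = 2^r * s
    b = pow(a, s, p)                        # T3: b = a^s (mod p)
    if b == 1 or b == p - 1:                # b = +1 or -1
        return True
    for _ in range(1, r):                   # T4: c = b^(2^i), i = 1..r-1
        b = b * b % p
        if b == p - 1:                      # c = -1
            return True
    return False                            # T5

def is_probable_prime(p, rounds=25, rng=random.SystemRandom()):
    """Repeat the round with independent random bases (T2). A prime is never
    rejected; a composite slips through each round with probability at most
    1/4, so 25 rounds bound the error below 2^-50."""
    if p < 2:
        return False
    if p in (2, 3):
        return True
    if p % 2 == 0:
        return False
    return all(miller_rabin_round(p, rng.randrange(2, p - 1)) for _ in range(rounds))

if __name__ == "__main__":
    # 561 is a Carmichael number (constructed check value)
    print(fermat_test(561, 2), miller_rabin_round(561, 2), is_probable_prime(561))
```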
4.2.3 Factorization
The most obvious attack on RSA is to try to factor the public modulus N. Knowing the factors of N, it is easy to recover the secret key. The factorization problem is believed to be intractable, so we may not hope for a polynomial-time algorithm. But certainly we need to know how efficient the existing factoring algorithms are.
The sieve of Eratosthenes (Section 2.1.2) is a factorization algorithm whose efficiency is $O(\sqrt{N})$ or $O(2^{n/2})$, where $n = \lfloor \log_2 N \rfloor$. For moduli $N \approx 10^{200}$, the sieve of Eratosthenes would take $O(10^{100})$ steps. It is easy to check that this algorithm starts to be unworkable for moduli larger than $10^{20}$.
More efficient algorithms take advantage of the following theorem.

Theorem 18. Let N be a composite natural number and X, Y be a pair of integers such that $X \pm Y \not\equiv 0 \pmod N$. If $X^2 \equiv Y^2 \pmod N$, then $\gcd(X + Y, N)$ and $\gcd(X - Y, N)$ are nontrivial factors of N.
The following example shows how Theorem 18 can be used to factor N = 77. We start with the two following congruences: $72 \equiv -5 \pmod{77}$ and $45 \equiv -32 \pmod{77}$. Multiplying the separate sides gives
$$72 \cdot 45 \equiv (-5)\cdot(-32) \pmod{77}.$$
The congruence can be rewritten as
$$2^3 \cdot 3^4 \cdot 5 \equiv (-1)^2 \cdot 5 \cdot 2^5 \pmod{77},$$
which yields upon reduction $9^2 \equiv 2^2 \pmod{77}$. Hence $\gcd(9 + 2, 77)$ and $\gcd(9 - 2, 77)$ give the primes p = 11 and q = 7.
Quadratic Sieve (QS). Let us discuss briefly the basic Quadratic Sieve algorithm for factoring an integer N. The algorithm proceeds as follows.
Quadratic Sieve algorithm – finds factors of integer N.
F1. Initialization: a sequence of quadratic residues $Q(x) = (m + x)^2 - N$ is generated for small values of x, where $m = \lfloor \sqrt{N} \rfloor$.
F2. Forming the factor base: the base consists of a small collection of small primes. The set is $FB = \{-1, 2, p_1, \ldots, p_{t-1}\}$.
F3. Sieving: the quadratic residues Q(x) are now factored using the factor base. The sieving stops when t full factorizations of Q(x) have been found.
F4. Forming and solving the matrix: for the collection of fully factored Q(x), a matrix F is constructed. The matrix contains information about the factors. The goal of this stage is to find a linear combination of the Q(x)'s which gives the quadratic congruence from Theorem 18. The congruence gives a nontrivial factor of N with probability 1/2.
Let us illustrate the steps of the algorithm using a simple numerical example. Assume that we wish to find factors of N = 4841. First we generate a sequence of quadratic residues Q(x). To keep Q(x) as small as possible, we find $m = \lfloor \sqrt{N} \rfloor = 69$ and compute
$$Q(x) = (m + x)^2 - N \qquad (4.14)$$
for $x = -8, \ldots, -1, 0, 1, \ldots, 8$. The sequence of Qs is as follows:
x = −8 → Q(x) = −1120 = (−1)·2^5·5·7
x = −7 → Q(x) = −997 = (−1)·997
x = −6 → Q(x) = −872 = (−1)·2^3·109
x = −5 → Q(x) = −745 = (−1)·5·149
x = −4 → Q(x) = −616 = (−1)·2^3·7·11
x = −3 → Q(x) = −485 = (−1)·5·97
x = −2 → Q(x) = −352 = (−1)·2^5·11
x = −1 → Q(x) = −217 = (−1)·7·31
x = 0 → Q(x) = 80 = 2^4·5
x = 1 → Q(x) = 59 = 59
x = 2 → Q(x) = 200 = 2^3·5^2
x = 3 → Q(x) = 343 = 7^3
x = 4 → Q(x) = 488 = 2^3·61
x = 5 → Q(x) = 635 = 5·127
x = 6 → Q(x) = 784 = 2^4·7^2
x = 7 → Q(x) = 935 = 5·11·17
x = 8 → Q(x) = 1088 = 2^6·17
A factor base can be a collection of the smallest consecutive primes, so $FB = \{-1, 2, 3, 5, 7, 11\}$. Note that Q(−8), Q(−4), Q(−2), Q(0), Q(2), Q(3), and Q(6) have all their factors in the set FB. These are the required full factorizations.
There are eight fully factored Qs and the number of elements in the set FB is six, so there is a good chance to find a quadratic congruence $X^2 \equiv Y^2 \pmod N$ as required in Theorem 18.
For a fully factored Q(x), we create a binary vector F(x) of length $\ell = |FB|$ whose coordinates indicate the presence or absence of each factor from FB. Thus, for Q(−8), the vector F(−8) = [1, 1, 0, 1, 1, 0], as its factorization contains the elements −1, 2, 5 and 7 of FB. The collection of all vectors F for fully factored Qs is:
Q(−8) → F(−8) = [1, 1, 0, 1, 1, 0]
Q(−4) → F(−4) = [1, 1, 0, 0, 1, 1]
Q(−2) → F(−2) = [1, 1, 0, 0, 0, 1]
Q(0) → F(0) = [0, 1, 0, 1, 0, 0]
Q(2) → F(2) = [0, 1, 0, 1, 0, 0]
Q(3) → F(3) = [0, 0, 0, 0, 1, 0]
Q(6) → F(6) = [0, 1, 0, 0, 1, 0]
The vectors F(x) form the rows of our matrix F:
$$F = \begin{bmatrix} F(-8) \\ F(-4) \\ F(-2) \\ F(0) \\ F(2) \\ F(3) \\ F(6) \end{bmatrix} = \begin{bmatrix} 1 & 1 & 0 & 1 & 1 & 0 \\ 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 \end{bmatrix} \qquad (4.15)$$
Now we look for a collection of rows such that
$$F(i_1) \oplus F(i_2) \oplus \cdots \oplus F(i_r) = 0.$$
This step can be done using standard row-reducing techniques. Observe that $F(-4) \oplus F(-2) \oplus F(3) = 0$. Take the corresponding Q(−4), Q(−2) and Q(3) and write them as:
$$Q(-4) \equiv (69 - 4)^2 \pmod{4841}$$
$$Q(-2) \equiv (69 - 2)^2 \pmod{4841}$$
$$Q(3) \equiv (69 + 3)^2 \pmod{4841}$$
On the other hand, we can use their factorizations for a second set of relations:
$$Q(-4) \equiv (-1)\cdot 2^3 \cdot 7 \cdot 11 \pmod{4841}$$
$$Q(-2) \equiv (-1)\cdot 2^5 \cdot 11 \pmod{4841}$$
$$Q(3) \equiv 7^3 \pmod{4841}$$
The requested congruence $X^2 \equiv Y^2 \pmod N$ can be constructed as follows:
$$Q(-4)\,Q(-2)\,Q(3) \equiv 2^8 \cdot 7^4 \cdot 11^2 \pmod{4841}.$$
Note that the left-hand side is $Q(-4)\,Q(-2)\,Q(3) = (69-4)^2 (69-2)^2 (69+3)^2$ and the right-hand side is $2^8 \cdot 7^4 \cdot 11^2$. Therefore, both sides are perfect squares (every exponent is even). The left integer is
$$X = (69 - 4)(69 - 2)(69 + 3) \equiv 3736 \pmod{4841}$$
and the right integer is
$$Y = \sqrt{(-1)\cdot 2^3 \cdot 7 \cdot 11 \cdot (-1)\cdot 2^5 \cdot 11 \cdot 7^3} = 2^4 \cdot 7^2 \cdot 11 \equiv 3783 \pmod{4841}.$$
As $X \pm Y \not\equiv 0 \pmod N$, we obtain the factors of N. Indeed, gcd(3736 − 3783, 4841) = 47 and gcd(3736 + 3783, 4841) = 103. So N = 47 · 103.
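The toy Quadratic Sieve F1–F4 for N = 4841 (and the N = 77 example of Theorem 18) as added Python code, not from the book. It goes slightly beyond the text in one respect: the matrix rows hold the parity of each exponent, the standard formulation, rather than mere presence of a factor, so any zero row-sum yields a genuine square. The function names, the search span |x| ≤ 8 and the subset search in place of row reduction are this example's assumptions; the text's dependency Q(−4), Q(−2), Q(3) can be fed to congruence() directly.

```python
from math import gcd, isqrt
from itertools import combinations

def factor_over_base(q, primes):
    """Trial division over the factor base: {prime: exp} (key -1 = sign) or None."""
    exps = {}
    if q < 0:
        exps[-1], q = 1, -q
    for p in primes:
        while q % p == 0:
            exps[p] = exps.get(p, 0) + 1
            q //= p
    return exps if q == 1 else None

def relations(N, primes, span):
    """F1-F3: fully factored Q(x) = (m + x)^2 - N, |x| <= span, as (m + x, exps)."""
    m, rels = isqrt(N), []
    for x in range(-span, span + 1):
        q = (m + x) ** 2 - N
        exps = factor_over_base(q, primes) if q % N else None  # skip Q = 0 (mod N)
        if exps is not None:
            rels.append((m + x, exps))
    return rels

def congruence(N, rels, chosen):
    """F4 for one subset: (X, Y) with X^2 = Y^2 (mod N) if all exponents sum even."""
    total = {}
    for i in chosen:
        for p, k in rels[i][1].items():
            total[p] = total.get(p, 0) + k
    if any(k % 2 for k in total.values()):
        return None
    X = 1
    for i in chosen:
        X = X * rels[i][0] % N            # product of the (m + x)
    Y = 1
    for p, k in total.items():
        if p != -1:                       # (-1)^even = 1
            Y = Y * pow(p, k // 2, N) % N
    return X, Y

def quadratic_sieve(N, primes=(2, 3, 5, 7, 11), span=8):
    """Try dependencies by size; the first nontrivial gcd gives the factors."""
    rels = relations(N, primes, span)
    for size in range(1, len(rels) + 1):
        for chosen in combinations(range(len(rels)), size):
            XY = congruence(N, rels, chosen)
            if XY is None:
                continue
            # each dependency succeeds with probability about 1/2 (Theorem 18)
            for g in (gcd(XY[0] - XY[1], N), gcd(XY[0] + XY[1], N)):
                if 1 < g < N:
                    return tuple(sorted((g, N // g)))
    return None
```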
Concept of Number Field Sieve (NFS). The main idea is to produce two integers X and Y such that $X^2 \equiv Y^2 \bmod N$, where N is the integer to be factored. Unlike the Quadratic Sieve, the Number Field Sieve uses two different algebraic structures:
– the ring $\mathbb{Z}_N$ – this is the algebraic structure where quadratic equations are sieved to find factors,
– the number field $K = \mathbb{R}(\alpha)$ – for some algebraic integer α that is the root of an irreducible monic polynomial $p(x) \in \mathbb{R}[x]$ of degree d, i.e. $p(\alpha) = 0$. Assume that an integer m is known such that
$$p(m) = \ell \cdot N \qquad (4.16)$$
for some integer ℓ.
In both algebraic structures we look for quadratic equations. Suppose that we find two such equations
$$a + b\,m \equiv X^2 \bmod N \ \text{ in the ring } \mathbb{Z}_N \quad\text{and}\quad a + b\,\alpha = \beta^2 \ \text{ in the field } \mathbb{R}(\alpha)$$
for some integers a, b. Clearly, to use the second equation, we have to transform it into $\mathbb{Z}_N$. For this purpose, we define a homomorphism
$$\psi : \mathbb{Z}_K \to \mathbb{Z}_N$$
where $\mathbb{Z}_K$ denotes all integers in K, $\psi(\alpha) = m \bmod N$, and $\psi(a) = a \bmod N$ for all $a \in \mathbb{Z}_N$.
This idea is best illustrated by an example. Suppose N = 161 is to be factored. Define the number field $K = \mathbb{R}(\alpha)$ where α is the root of the polynomial $p(x) = x^2 - 2$ (so $p(\alpha) = 0$). Note that the condition in Equation (4.16) holds, i.e.
$$p(18) = 2 \cdot 161$$
for m = 18. Now we take elements $\beta \in K$, compute their squares $\beta^2 = a + b\,\alpha$, and check whether the corresponding equation $a + b\,m \equiv Y^2 \bmod N$ holds. If the second equation holds, then we transform the first equation using the homomorphism ψ. Here we need to extend our homomorphism so it works for elements of the form $(a + b\,\alpha)$ where $a, b \in \mathbb{Z}_N$. The extended homomorphism is defined as follows:
$$\psi(a + b\,\alpha) = \begin{cases} (a + m) \bmod N & \text{if } b = 1, \\ b\,(b^{-1}a + m) \bmod N & \text{if } b \text{ has its inverse in } \mathbb{Z}_N. \end{cases}$$
Note that with an overwhelming probability, the element b has its inverse (otherwise a nontrivial factor of N is found). The computations can progress by random selection of quadratic equations as shown below.
Field K                  (a, b)    Ring Z_N
(α + 1)² = 3 + 2α        (3, 2)    3 + 2·18 = 39
(α + 2)² = 6 + 4α        (6, 4)    6 + 4·18 = 78
(2α + 1)² = 9 + 4α       (9, 4)    9 + 4·18 = 81 = 9²
The last row gives us two quadratic equations, one in K and the other in $\mathbb{Z}_N$. Now we transform the equation in K into $\mathbb{Z}_N$ using the homomorphism ψ, i.e. $\psi(9 + 4\alpha) = 9 + 4m$ and $\psi(2\alpha + 1) = 37$. We combine the two equations and get
$$9^2 \equiv 37^2 \bmod N$$
and two nontrivial factors gcd(37 − 9, 161) = 7 and gcd(37 + 9, 161) = 23.
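The N = 161 search above as added Python code (not from the book): elements c + dα of K with α² = 2 are squared, the image a + b·m of each square is tested for being a perfect square as in the table, and the first hit gives X = c + d·m with X² ≡ Y² (mod N). The parameter k for the polynomial x² − k, the search bound and the names square_in_field, psi and nfs_toy are this example's assumptions.

```python
from math import gcd, isqrt

def square_in_field(c, d, k=2):
    """(c + d*alpha)^2 in K = R(alpha) with alpha^2 = k, returned as (a, b)
    meaning a + b*alpha."""
    return c * c + k * d * d, 2 * c * d

def psi(a, b, m, N):
    """The homomorphism Z_K -> Z_N that sends alpha to m, applied to a + b*alpha."""
    return (a + b * m) % N

def nfs_toy(N, m, k=2, bound=10):
    """Search beta = c + d*alpha (small c, d) whose square a + b*alpha has an
    image a + b*m that is a perfect square Y^2; then X = psi(beta) satisfies
    X^2 = Y^2 (mod N). Returns (factors, (c, d), (a, b)) or None."""
    # condition (4.16): p(m) = m^2 - k must be a multiple of N
    assert (m * m - k) % N == 0, "m is not a root of p(x) modulo N"
    for c in range(1, bound):
        for d in range(1, bound):
            a, b = square_in_field(c, d, k)
            image = a + b * m
            Y = isqrt(image)
            if Y * Y != image:               # not a square: next candidate
                continue
            X = psi(c, d, m, N)
            for g in (gcd(X - Y, N), gcd(X + Y, N)):
                if 1 < g < N:                # Theorem 18 gives a factor
                    return tuple(sorted((g, N // g))), (c, d), (a, b)
    return None
```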
To factor a large integer, guessing a and b will not lead to an efficient implementation of NFS. Like QS, NFS uses a factor base to work around this problem. What differs between QS and NFS is the fact that NFS uses two different factor bases, one in $\mathbb{Z}_N$ and the other in $\mathbb{Z}_K$. The factor base in $\mathbb{Z}_N$ can be easily generated and typically includes all primes not exceeding some bound B. Generation of the factor base in $\mathbb{Z}_K$ is more complicated, as it involves the selection of the so-called prime ideals of $\mathbb{Z}_K$. The description of the NFS algorithm is beyond the scope of the book and the reader is referred to [102] for details.
Factorization is considered to be a part of cryptanalysis, since progress in factoring tends to weaken the existing RSA hardware implementations. There are several classes of factorization algorithms:
– Quadratic sieve [126, 127, 412, 471],
– Residue list sieve [111],
– Number field sieve [300],
– Continued fraction [354], and
– Elliptic curve [302].
QS has been extensively used, as it is the fastest known algorithm to factor integers shorter than 130 decimal digits. In 1994 Atkins, Graff, Lenstra, and Leyland successfully factored a 129-decimal-digit RSA modulus (known as RSA-129 on the RSA factoring challenge list). The factorization was done using computing resources donated from around the world. As the whole communication was done by electronic mail, the project was called "factoring by e-mail." For details see [10]. This proved that 512-bit RSA moduli are no longer secure against a powerful attacker who can match the resources used in the factorization.
NFS is the newest algorithm and the fastest, as its asymptotic running time is
$$O\!\left(e^{(1.92 + o(1))(\ln n)^{1/3}(\ln \ln n)^{2/3}}\right),$$
which compares favorably with the asymptotic running time of the QS algorithm, which is
$$O\!\left(e^{(1 + o(1))(\ln n \,\ln \ln n)^{1/2}}\right).$$
The NFS algorithm outperforms QS if the factored integers are longer than 130 decimal digits.
4.2.4 Security of RSA
An instance of RSA can be compromised if the corresponding instance of the factorization problem is easy to compute. Interestingly enough, the security of some versions of RSA is equivalent to the difficulty of factoring the modulus.
Consider the Rabin scheme. Assume that the adversary tries to decrypt a ciphertext c of an unknown plaintext, having access to the encryption algorithm, which is public (everybody knows the encryption key). The adversary can decrypt c if they are able to find a square root of c modulo N. Clearly, finding square roots modulo N is equivalent to factoring N. If we assume that factoring N is intractable, then the Rabin scheme is immune against a chosen plaintext attack.
Assume that the adversary has access to the decryption algorithm (this is also called the lunch-time attack or midnight attack). So the adversary can choose a ciphertext and the decryption algorithm returns the message m such that $m^2 \equiv c \pmod N$. This is a chosen ciphertext attack. The adversary can then use the decryption algorithm to factor N as follows:
1. Select at random a message $m \in \mathbb{Z}_N$.
2. Calculate the cryptogram $c = m^2 \pmod N$.
3. Apply the decryption algorithm $m' = D(c, N)$.
4. If $m = m'$, go to Step 1 and select another message. Otherwise, compute $\gcd(m - m', N)$, which is either p or q.
Hence, the Rabin scheme is insecure against a chosen ciphertext attack. Simmons and Norris [479] showed that RSA is breakable if the multiplicative group contains short cycles. Let the opponent know the public elements (N, e) and a cryptogram $c \in \mathbb{Z}_N$. Clearly, the opponent can generate the following sequence:
$$c_i \equiv c_{i-1}^{\,e} \pmod N$$
where $c_1 = c$ and $i = 2, 3, \ldots$. If there is an element $c_j$ such that $c = c_j$, then the message used to generate c is $c_{j-1}$.
The iteration attack can be seen as a clumsy way of factoring N [426]. Note that the iteration attack works only if the following two congruences hold at the same time:
$$c^{e^r} \equiv c \pmod p \quad\text{and}\quad c^{e^r} \equiv c \pmod q$$
for some r. Clearly, before reaching this point in the sequence of exponentiations, there are many cases where one congruence holds while the other does not. For instance,
$$c^{e^r} \equiv c \pmod p \quad\text{and}\quad c^{e^r} \not\equiv c \pmod q.$$
In this case, however, it is possible to factor N, as $c^{e^r} - c$ is a multiple of p.
If φ(N) is public, then anyone can find d from e or vice versa. Assume that Euler's totient function φ(N) has been made public. Take a closer look at φ(N), which is
$$\varphi(N) = (p - 1)(q - 1) = N - p - q + 1 = N - p - \frac{N}{p} + 1.$$
This equation can be rewritten as
$$p^2 + p\,(\varphi(N) - N - 1) + N = 0.$$
Clearly, the equation has two solutions: the factors p and q. The conclusion is that revealing φ(N) allows an adversary to factor N and compute d from e.
Can the modulus N be shared amongst several RSA schemes? This can be an attractive solution when a single user would like to keep using the same N after the decryption key has been compromised. Or perhaps several cooperating users would like to use the same modulus N to establish their public schemes. To be more precise, assume that two pairs of keys have been compromised and made public. Is it possible to find factors of N or, equivalently, φ(N)? Denote the two pairs as $(e_1, d_1)$ and $(e_2, d_2)$. All keys have to be odd numbers. They can be represented as
$$e_1 d_1 - 1 = \lambda_1 2^{r_1} p' q', \qquad e_2 d_2 - 1 = \lambda_2 2^{r_2} p' q'$$
where $p - 1 = 2p'$, $q - 1 = 2q'$, and $\lambda_1, \lambda_2$ are two odd numbers. It is easy to compute $\gcd(e_1 d_1 - 1,\ e_2 d_2 - 1) = \lambda\, 2^{\min(r_1, r_2)} p' q'$ with $\lambda = \gcd(\lambda_1, \lambda_2)$. Note that if λ = 1, then φ(N) can be determined, as $p'q'$ is easy to calculate. This happens if $\lambda_1$ and $\lambda_2$ are coprime. As pairs of keys are randomly chosen, we may assume that $\lambda_1$ and $\lambda_2$ are also two odd random integers. What is the probability that two odd integers smaller than N, selected randomly and uniformly, are coprime?
To answer the question, consider a collection of sets $D_d$. The set $D_d$ consists of the odd integers less than N that are divisible by d. Then
$$P(\lambda_1, \lambda_2 \text{ are coprime}) = \sum_{d = 1,\ d \text{ odd}}^{N} \mu(d)\, P(\lambda_1, \lambda_2 \in D_d)$$
where μ(d) is the Möbius function, μ(1) = 1, and
$$\mu(d) = \begin{cases} (-1)^k & \text{if } d = p_1 \cdots p_k, \text{ where } p_i,\ i = 1, \ldots, k, \text{ are distinct primes,} \\ 0 & \text{otherwise.} \end{cases}$$
Denote $P_d = P(\lambda_1, \lambda_2 \in D_d)$; then $P_d = \left(\frac{\lfloor N/2d \rfloor}{N/2}\right)^2$ and $P_d = \frac{1}{d^2} + O\!\left(\frac{1}{N}\right)$. Note that $\lfloor \cdot \rfloor$ stands for the integral part of the fraction. Now, choosing $M = \lfloor N^{1/2} \rfloor$, we have