Factoring Algorithms and Other Attacks on the RSA 1/12

Size: px

Start display at page:

Download "Factoring Algorithms and Other Attacks on the RSA 1/12"

Ashley Baker
5 years ago
Views:

1 Factorig Algorithms ad Other Attacks o the RSA T Cryptology Lecture 8 April 8, 008 Kaisa Nyberg Factorig Algorithms ad Other Attacks o the RSA /

2 The Pollard p Algorithm Let B be a positive iteger ad p a factor of The Pollard p algorithm works if all prime power divisors of p B are less tha Set a For j a B! mod B compute a a j mod, that is, compute Compute d gcd a If d, the retur d; else retur failure The complexity of the algorithm is BlogB log log 3 Factorig Algorithms ad Other Attacks o the RSA /

3 Why It Works If q divides B! B for every prime power q that divides p, the p Sice p divides, it must be that a B! mod p Sice p mod p, it follows that a mod p The p divides a ad therefore p divides d = gcd a d is a o-trivial divisor of uless a If a the algorithm ca be repeated usig some other value tha to iitialize a Factorig Algorithms ad Other Attacks o the RSA 3/

4 Dixo s Radom Squares Suppose that we ca fid itegers x ad y such that x x y mod The divides either x The gcd x y For example, 0 y or x y is a o-trivial divisor of 3 mod 77 o-trivial divisor of 77, which ideed holds It follows that gcd 3 y mod 0 77 is a ad The algorithm uses a factor base which is a set of small primes The geerate several itegers z such that the prime factors of z mod are i the set Fid a subset z zs of these itegers such that the total umber of occureces of each prime factor i the squares of these umbers is eve The z umbers from z s is equivalet modulo to a square of a product of Factorig Algorithms ad Other Attacks o the RSA 4/

5 3 7 Radom Squares Example ad 5 3 Select z , the z 3 7 mod z , the z 7 3 mod z , the z mod z z z mod gcd Curret state of factorig algorithms, see: LENSTRA Arje, Update o Factorig A kilobit special umber field sieve factorizatio at +sieve+factorizatioppt Factorig Algorithms ad Other Attacks o the RSA 5/

6 Computig φ If we ca compute φ Give φ, the oe ca factor oe ca solve p from the system of equatios φ pq p q By substitutig q p to the secod equatio, oe gets p φ p 0 The two solutios p of this quadratic equatio are the factors of Factorig Algorithms ad Other Attacks o the RSA 6/

7 The Private Expoet If we ca compute the private expoet the we ca factor with at least probability / Repeatig m times gives success probability Las Vegas algorithm is a radomized algorithm which may fail to give a aswer, but if it gives a aswer, the aswer is correct m Give a, b ad, with ab mod φ The idea is to fid a o-trivial square root of modulo write ab s r, where r is odd Choose w at radom such that ot, a o-trivial factor of has bee foud!) Compute v Else fid k If v 0 Else compute d w r mod If v s such that v 0 mod gcd w Check that gcd, the retur failure v k, the retur failure v 0 mod ad v 0 v k w mod (If Retur d, which is a o-trivial factor of Factorig Algorithms ad Other Attacks o the RSA 7/

8 Wieer s Small Private Expoet Attack If 3a 4, where pq ad q p q, the there is a efficiet determiistic algorithm for computig a ad the factorizatio of See separate power poit slides Factorig Algorithms ad Other Attacks o the RSA 8/

9 p p The Rabi Cryptosystem Let q 3 pq, where p ad q are distict primes ad p mod 4 Let a, ad defie q For K q, defie e K x x mod, ad d K y y mod The value is the public key, while p ad q comprise the private key a Testbook restricts plaitexts ad ciphertexts to Factorig Algorithms ad Other Attacks o the RSA 9/

10 Security of the Rabi Cryptosystem Theorem: Decryptig i the Rabi Cryptosystem is as hard as factorig the modulus Trivially, if factorig is easy the decryptig is easy It remais to prove the coverse Assume we have a efficiet algorithm for computig decryptios i the Rabi Cryptosystem The ca be used as a basis of a Las Vegas algorithm for factorig the modulus The failure probability of this algorithm is / Select x ad compute y x mod Give y to, which returs u which is oe of the four possible square roots of y modulo If u x mod (the probability that this happes is equal to /) the we ca compute a otrivial divisor of as gcd x u (or as gcd x u ) Factorig Algorithms ad Other Attacks o the RSA 0/

11 The Isecurity of the Rabi Cryptosystem The same proof shows that the Rabi Cryptosystem is completely isecure agaist Chose Plaitext Attack I the Chose Plaitext Attack the attacker is assumed to have access to a Decryptio Oracle Factorig Algorithms ad Other Attacks o the RSA /

12 Bleichebacher s Attack ad OAEP Bleichebacher s attack agaist RSA with PKC# paddig shows the importace of resistace agaist Chose Ciphertext Attack (CCA) I the CCA the attacker has access to a oracle which gives some partial iformatio about the plaitext The Optimal Asymmetric Ecryptio Paddig (OAEP) has bee desiged to provide plaitext awareess Factorig Algorithms ad Other Attacks o the RSA /

Math 609/597: Cryptography 1

Math 609/597: Cryptography 1 The Solovay-Strasse Primality Test 12 October, 1993 Burt Roseberg Revised: 6 October, 2000 1 Itroductio We describe the Solovay-Strasse primality test. There is quite a bit