COMP409: Applied Cryptography, Fall 2013. M. Jason Hinek, Carleton University
Applied Cryptography, Day 3: public-key encryption schemes; some attacks on RSA (factoring, small private exponent)
RSA cryptosystem (textbook RSA)
- choose random primes $p, q$ and let $N = pq$
- $\mathcal{P} = \mathcal{C} = \mathbb{Z}_N$ (plaintext space and ciphertext space)
- choose $e, d$ such that $ed \equiv 1 \pmod{\phi(N)}$
- public key: $pk = (e, N)$; private key: $sk = (p, q, d)$
- Encrypt: to encrypt plaintext $m$, $\mathrm{ENC}_{pk}(m) = m^e \bmod N = c$
- Decrypt: given ciphertext $c$, $\mathrm{DEC}_{sk}(c) = c^d \bmod N = m$
Pollard's $p-1$ method
Let $N = pq$ be an RSA modulus and write $p - 1 = \alpha_1 \alpha_2 \cdots \alpha_l$, where each $\alpha_i$ is a power of a single prime and $\gcd(\alpha_i, \alpha_j) = 1$ for all $i \neq j$. Let $B$ satisfy $\alpha_i < B$ for each $\alpha_i$ (that is, $p-1$ is $B$-smooth). Compute $X := 2^{B!} \bmod N$ as shown in class.
Since $B > \alpha_i$ for every $i$, each $\alpha_i$ appears as one of the factors $1, 2, \ldots, B$ of $B!$; because the $\alpha_i$ are pairwise coprime, their product $\alpha_1 \alpha_2 \cdots \alpha_l = p - 1$ divides $B!$. Thus $B! = k(p-1)$ for some integer $k$. Equivalently: $(p-1) \mid B!$.
Pollard's $p-1$ method
We now have $X = 2^{B!} + uN$ for some integer $u$ (converting the congruence into an equation) and $(p-1) \mid B!$. Therefore
$$X \bmod p = (2^{B!} + uN) \bmod p = 2^{B!} \bmod p = 2^{k(p-1)} \bmod p = 1,$$
recalling Fermat's Little Theorem: $a^{q-1} \equiv 1 \pmod q$ for $q$ prime and $a \not\equiv 0 \pmod q$. We conclude $X \equiv 1 \pmod p$, and so $X - 1 = vp$ for some integer $v$.
Pollard's $p-1$ method
Therefore $\gcd(X - 1, N) = \gcd(vp, pq) = p$.
How do we know that $v$ is not a multiple of $q$? (If it were, we would fail, because the gcd would output $N = pq$ instead of just $p$.) Since $X$ is computed modulo $N$, we know $0 \le X < N$. If $v$ were a multiple of $q$, we would have $X - 1 = v'pq = v'N$ (where $v' = v/q$), so $X = v'N + 1 > N$ for $v' \ge 1$, a contradiction. The one case not covered is $v' = 0$, i.e. $X = 1$: then $\gcd(0, N) = N$ and the method fails. This happens exactly when $B!$ is also a multiple of the order of $2$ modulo $q$ (in particular whenever $q - 1$ is $B$-smooth too), which is the sign that $B$ was chosen too large; retrying with a smaller $B$ (or a different base than 2) is the usual remedy.
Otherwise we have found one of the primes in $N = pq$ and know the factorization: the other prime is simply $N/p$.
Pollard's $p-1$ method: what is the runtime?
Let $n = \log_2 N$ (the bitlength of $N$).
- computing $2^{B!} \bmod N$ takes $B$ modular exponentiations (raise the running value to the powers $2, 3, \ldots, B$ in turn); a modular exponentiation costs $O(n^3)$, so the total cost is $O(Bn^3)$
- if $B = N^{1/2}$: one of the two primes satisfies $p \le N^{1/2}$, hence every $\alpha_i < p \le B$, for any $N = pq$; the runtime is $O(N^{1/2} n^3) = O(2^{0.5 \log_2 N} n^3) = O(2^{0.5n} n^3)$, exponential in $n$ and no better than trial division
- if $B = cn^k$: the runtime is polynomial in $n$, but we have to be really lucky for $p - 1$ to be $B$-smooth (all $\alpha_i < B$)
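The method above, as an added example that is not part of the lecture slides: it builds $X = 2^{B!} \bmod N$ by the successive exponentiations the runtime slide counts, then takes $\gcd(X-1, N)$, and returns `None` in both failure modes (gcd $= 1$ or gcd $= N$). The modulus it is run on is constructed for the example: $p = 2593 = 2^5 \cdot 3^4 + 1$, so $p - 1$ divides $81!$, and $q = 1019 = 2 \cdot 509 + 1$, a safe prime whose order of 2 is 509 or 1018, both larger than $B = 81$, so $X \not\equiv 1 \pmod q$ and the gcd is exactly $p$. The small modulus $91 = 7 \cdot 13$ shows the $X = 1$ failure case from the previous slide.

```python
# Added example (not from the lecture slides): Pollard's p-1 factoring method.
from math import gcd
from typing import Optional, Tuple


def pollard_p_minus_1(N: int, B: int) -> Optional[int]:
    """Return a non-trivial factor of N if p-1 is B-smooth for some prime p | N.

    X is built as 2^(B!) mod N via X <- X^j mod N for j = 2..B, i.e. B-1
    modular exponentiations (the O(B n^3) cost from the runtime slide).
    Returns None when gcd(X-1, N) is trivial: 1 (no prime found) or N
    (X = 1 mod N because B! also kills 2's order modulo the other prime).
    """
    X = 2
    for j in range(2, B + 1):
        X = pow(X, j, N)
    g = gcd(X - 1, N)
    if g == 1 or g == N:
        return None
    return g


def factor_with_p_minus_1(N: int, B: int) -> Optional[Tuple[int, int]]:
    """Return (p, N // p) for the factor found, or None on failure."""
    p = pollard_p_minus_1(N, B)
    if p is None:
        return None
    return p, N // p


if __name__ == "__main__":
    # Constructed modulus: p = 2593 = 2^5 * 3^4 + 1 (p-1 divides 81!) and
    # q = 1019 = 2 * 509 + 1, a safe prime, so ord_q(2) in {509, 1018} > 81.
    p, q = 2593, 1019
    N = p * q                                   # 2642267
    print(factor_with_p_minus_1(N, B=81))       # (2593, 1019)

    # Failure mode: N = 7 * 13. 4! = 24 is a multiple of both 6 and 12, so
    # X = 2^24 = 1 mod 91 and gcd(0, 91) = 91 -> None. B = 3 (3! = 6) works.
    print(pollard_p_minus_1(91, B=4))           # None
    print(pollard_p_minus_1(91, B=3))           # 7
```

Note that the strict condition $\alpha_i < B$ from the slide is sufficient but not necessary: $p - 1 = 2^5 \cdot 3^4$ already divides $31!$ because $31!$ contains far more than five factors of 2 and four factors of 3, so smaller $B$ also succeeds here.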
Factoring
Factoring arbitrary integers is believed to be difficult. Best known algorithms to factor a number $N$ ($p$ is a prime factor of $N$), with their heuristic runtimes:
- Quadratic Sieve (QS): $O\!\left(e^{(1 + o(1))(\log N \log\log N)^{1/2}}\right)$
- Elliptic Curve Method (ECM): $O\!\left(e^{(1 + o(1))(2 \log p \log\log p)^{1/2}}\right)$
- Number Field Sieve (NFS): $O\!\left(e^{(1.92 + o(1))(\log N)^{1/3}(\log\log N)^{2/3}}\right)$
Wiener's Attack
RSA is completely insecure if the private (decrypting) exponent is chosen to be too small. Assume that $N = pq$, where $p$ and $q$ are random balanced primes:
- $q < p < 2q < 2N^{1/2}$ (balanced primes)
- $ed \equiv 1 \pmod{\phi(N)}$ (key relation)
- $ed = 1 + k\phi(N)$ (key equation)
- $d < \frac{1}{6} N^{1/4}$ (private exponent is "small")
- $1 < e < \phi(N)$ ($e$ is computed modulo $\phi(N)$)
Let $\phi(N) = (p-1)(q-1) = N - p - q + 1 = N - \Lambda$, where $\Lambda = p + q - 1 < 2q + q - 1 < 3q < 3N^{1/2}$.
Notice that $k = \dfrac{ed - 1}{\phi(N)} = \dfrac{ed}{\phi(N)} - \dfrac{1}{\phi(N)} < \dfrac{ed}{\phi(N)} < d$ (since $e < \phi(N)$).
Wiener's Attack
Notice that
$$\left|\frac{e}{N} - \frac{k}{d}\right| = \frac{|ed - kN|}{dN} = \frac{|1 - k\Lambda|}{dN} < \frac{k\Lambda}{dN} < \frac{d\Lambda}{dN} \quad (k < d)$$
$$< \frac{3dN^{1/2}}{dN} \quad (\Lambda < 3N^{1/2}) \qquad < \frac{N^{1/4} N^{1/2}}{2dN} \quad (6d < N^{1/4}, \text{ so } 3d < \tfrac{1}{2}N^{1/4})$$
$$= \frac{1}{2dN^{1/4}} < \frac{1}{2d^2} \quad (d < N^{1/4}).$$
Wiener's Attack
We then have $\left|\dfrac{e}{N} - \dfrac{k}{d}\right| < \dfrac{1}{2d^2}$ and ... (a mathematical aside first)
Mathematical Aside
Any rational number can be written as a finite (simple) continued fraction
$$a = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{q_4 + \cfrac{1}{\ddots + \cfrac{1}{q_m}}}}}$$
The continued fraction expansion of $a$ is written $[q_1, q_2, \ldots, q_m]$. The integers $q_i$ can easily be computed by repeated division (the Euclidean algorithm). For example, consider $37/101$:
$37 = 0 \cdot 101 + 37$
$101 = 2 \cdot 37 + 27$
$37 = 1 \cdot 27 + 10$
$27 = 2 \cdot 10 + 7$
$10 = 1 \cdot 7 + 3$
$7 = 2 \cdot 3 + 1$
$3 = 3 \cdot 1 + 0$
This corresponds to
$$\frac{37}{101} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3}}}}}}$$
or $[0, 2, 1, 2, 1, 2, 3]$.
Mathematical Aside
Let $a$ have continued fraction expansion $[q_1, q_2, \ldots, q_m]$. Then $C_i = [q_1, q_2, \ldots, q_i]$ is called the $i$-th convergent of $[q_1, q_2, \ldots, q_m]$. The convergents of $a$ are a sequence of (rational) approximations of $a$; if $a$ is rational, the final convergent is equal to $a$. The convergents of $37/101$ are
$C_1 = 0$
$C_2 = \frac{1}{2} = 0.5$
$C_3 = \cfrac{1}{2 + \frac{1}{1}} = \frac{1}{3} \approx 0.333333$
$C_4 = \cfrac{1}{2 + \cfrac{1}{1 + \frac{1}{2}}} = \frac{3}{8} = 0.375$
$C_5 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \frac{1}{1}}}} = \frac{4}{11} \approx 0.363636$
$C_6 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \frac{1}{2}}}}} = \frac{11}{30} \approx 0.366666$
$C_7 = \frac{37}{101} \approx 0.366336$
Mathematical Aside
$C_1 = 0$, $C_2 = 0.5$, $C_3 \approx 0.333333$, $C_4 = 0.375$, $C_5 \approx 0.363636$, $C_6 \approx 0.366666$, $C_7 \approx 0.366336$
The first convergent underestimates $a$, the next overestimates it, the next under, the next over, ... and $C_j$ is a better estimate than $C_{j-2}$.
Mathematical Aside
Theorem: given $\alpha \in \mathbb{R}$ and $c, d \in \mathbb{Z}$ such that $\gcd(c, d) = 1$ and
$$\left|\frac{c}{d} - \alpha\right| < \frac{1}{2d^2},$$
then $c/d$ is one of the convergents in the continued fraction expansion of $\alpha$.
Note: when $\alpha = a/b$ is rational, the number of convergents is polynomial in $\log \max(a, b)$ (computing all the convergents requires polynomial time).
Wiener's Attack
We then have $\left|\dfrac{e}{N} - \dfrac{k}{d}\right| < \dfrac{1}{2d^2}$, and so $k/d$ is one of the convergents in the continued fraction expansion of $e/N$ (which is known!). This leads to the following attack.
Wiener's Attack
- compute each convergent $C_i = c_i/d_i$ of $e/N$
- for each convergent, compute $\phi_i := (ed_i - 1)/c_i$
- if $\phi_i$ is not an integer, go to the next convergent
- otherwise $\phi_i$ is a candidate for $\phi(N)$: solve the system $N = xy$, $\phi_i = (x-1)(y-1)$ (equivalently $x + y = N - \phi_i + 1$, so $x, y$ are the roots of $z^2 - (N - \phi_i + 1)z + N = 0$)
- if $\phi_i = \phi(N)$ then $x, y$ are integers and reveal the factorization $p, q$; otherwise, go to the next convergent
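The continued fraction machinery from the aside (partial quotients by repeated division, convergents by the usual recurrence) and the attack steps listed above, as one added example that is not part of the lecture slides. The key is generated with textbook RSA but with the private exponent chosen first, which is the mistake the attack punishes; the primes 104723 and 104729 (the 9999th and 10000th primes, balanced) and $d = 47 < N^{1/4}/6 \approx 53.9$ are constructed for the example.

```python
# Added example (not from the lecture slides): continued fractions, convergents,
# and Wiener's small-private-exponent attack on RSA.
from math import gcd, isqrt
from typing import List, Optional, Tuple


def continued_fraction(a: int, b: int) -> List[int]:
    """Partial quotients [q1, ..., qm] of a/b by repeated division (Euclid)."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def convergents(quotients: List[int]) -> List[Tuple[int, int]]:
    """Convergents C_i = h_i/k_i of [q1, ..., qm] from the recurrence
    h_i = q_i*h_{i-1} + h_{i-2},  k_i = q_i*k_{i-1} + k_{i-2}."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    result = []
    for q in quotients:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        result.append((h, k))
    return result


def wiener_attack(e: int, N: int) -> Optional[Tuple[int, int, int]]:
    """Recover (p, q, d) from a public key (e, N) whose private exponent d is small.

    Each convergent c_i/d_i of e/N is tried as the candidate k/d:
    phi_i = (e*d_i - 1)/c_i must be an integer, and p, q must be the integer
    roots of z^2 - (N - phi_i + 1) z + N = 0.
    """
    for c_i, d_i in convergents(continued_fraction(e, N)):
        if c_i == 0 or (e * d_i - 1) % c_i:
            continue                      # phi_i not an integer: next convergent
        phi_i = (e * d_i - 1) // c_i
        s = N - phi_i + 1                 # candidate value of p + q
        disc = s * s - 4 * N              # (p - q)^2 if the candidate is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p > 1 and q > 1 and p * q == N:
            return p, q, d_i
    return None


def make_weak_key(p: int, q: int, d: int) -> Tuple[int, int]:
    """Textbook RSA key generation with d chosen first: returns (e, N)."""
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be invertible modulo phi(N)")
    return pow(d, -1, phi), p * q


if __name__ == "__main__":
    print(continued_fraction(37, 101))                 # [0, 2, 1, 2, 1, 2, 3]
    print(convergents(continued_fraction(37, 101)))    # ends with (37, 101)
    # Constructed weak key: balanced primes and d = 47 < N^(1/4)/6 ~ 53.9.
    e, N = make_weak_key(104729, 104723, 47)
    print(wiener_attack(e, N))                         # (104729, 104723, 47)
```

The attack needs only the public key; the factorization falls out of the candidate $\phi_i$ through the quadratic, so a successful run also yields $p$ and $q$, not merely $d$.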
Wiener's Attack
- RSA with balanced primes and $d < \frac{1}{6}N^{1/4}$ (so, up to the constant, $d < N^{0.25}$) is insecure!
- this attack came out of left field (it was not anticipated at all; many attacks are like this)
- using lattices and lattice basis reduction (Boneh and Durfee), $d < N^{0.292}$ is insecure (asymptotically)
- don't use small $d$ to try and speed up decryption