Attacks on RSA. The Rabin Cryptosystem. Semantic Security of RSA
Cryptology, Tuesday, February 27th, 2007
Nils Andersen

Outline: Square Roots modulo n; Complexity Theoretic Reduction; Factoring Algorithms (Pollard's $p-1$, Pollard's $\rho$, Dixon's Random Squares, Finding $\phi(n)$, Finding the Decryption Exponent); Rabin's Cryptosystem; Semantic Security of RSA.
Stinson (third edition), Sections 5.5–5.9.
Square Roots modulo p
We know that for an odd prime $p$ and an integer $a$ with $p \nmid a$, the congruence $y^2 \equiv a \pmod p$ has no solutions if $\left(\frac{a}{p}\right) = -1$ and two solutions (modulo $p$) if $\left(\frac{a}{p}\right) = 1$, and we also know (Euler's criterion) that $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.
If $p \equiv 3 \pmod 4$, the two solutions may be found as $\pm a^{(p+1)/4} \bmod p$ (check: $\left(a^{(p+1)/4}\right)^2 = a \cdot a^{(p-1)/2} \equiv a$ when $a$ is a quadratic residue).
For odd $p$ in general, there is a Las Vegas algorithm by Tonelli and Shanks (Neal Koblitz: A Course in Number Theory and Cryptography, pp. 48–49); its only random step is finding a quadratic non-residue, which a random trial hits with probability $1/2$.
Square Roots modulo n
Theorem. If $p$ is an odd prime, $e$ a positive integer and $a$ an integer relatively prime to $p$, the congruence $y^2 \equiv a \pmod{p^e}$ has no solutions if $\left(\frac{a}{p}\right) = -1$, and two solutions (modulo $p^e$) if $\left(\frac{a}{p}\right) = 1$.
Theorem. If $n = \prod_{i=1}^{l} p_i^{e_i}$ is the factorization of an odd integer $n > 1$ (so that the $p_i$ are distinct odd primes), and $a$ is an integer relatively prime to $n$, then the congruence $y^2 \equiv a \pmod n$ has $2^l$ solutions modulo $n$ if $\left(\frac{a}{p_i}\right) = 1$ for all $i = 1, \ldots, l$, and no solutions otherwise. The $2^l$ solutions are obtained by choosing one of the two roots modulo each $p_i^{e_i}$ and combining the choices with the Chinese Remainder Theorem.
Complexity Theoretic Reduction
Suppose that G and H are (not necessarily decision) problems. G can be reduced to H, denoted $G \le_T H$, if it is possible to solve G with an algorithm that can call an oracle for H and takes polynomial time (counting an oracle query as a single step).
RSA-problem: given $n$, $b$ and $y = x^b \bmod n$, find $x$.
FACTORING: given $n = pq$, find $p$ and $q$.
SQRROOT: given $n$ and $a$ with $x^2 \equiv a \pmod n$, find $x$.
A problem hierarchy
RSA-problem is no harder than FACTORING: knowing $b$ and the factors of $n$ reveals a decryption exponent $a$ (from $ab \equiv 1 \pmod{(p-1)(q-1)}$), and $x = y^a \bmod n$.
FACTORING and SQRROOT are polynomial-time equivalent:
To solve $x^2 \equiv a \pmod n$ knowing how to factor $n = pq$, solve $x^2 \equiv a \pmod p$ and $x^2 \equiv a \pmod q$ with the Tonelli–Shanks algorithm, and combine the roots with the Chinese Remainder Theorem.
Conversely, to factor $n$ with an oracle for SQRROOT, choose some $y$ and ask for a solution $x$ of $x^2 \equiv y^2 \pmod n$, which means $n \mid (x+y)(x-y)$. If $x \equiv \pm y \pmod n$, reiterate with another $y$; otherwise $p = \gcd(x+y, n)$ is a non-trivial factor of $n$. Since the oracle cannot tell which of the four roots of $y^2$ we started from, each query succeeds with probability $1/2$.
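The two directions of the FACTORING/SQRROOT equivalence, together with the Tonelli–Shanks root extraction and the CRT combination of the two preceding slides, as an added Python example (not code from the lecture). The primes $p = 10007$ ($\equiv 3 \pmod 4$) and $q = 10009$ ($\equiv 1 \pmod 4$, so the general Tonelli–Shanks loop is exercised) are constructed sample values; the "oracle" is simulated by the function that knows the factorization and always returns the smallest root.

```python
import random
from math import gcd


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 (residue), p-1 (non-residue) or 0."""
    return pow(a, (p - 1) // 2, p)


def tonelli_shanks(a, p):
    """One square root of a modulo the odd prime p, or None if a is a non-residue.
    For p = 3 (mod 4) the root is a^((p+1)/4); the loop below handles p = 1 (mod 4)."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                    # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                              # a quadratic non-residue (Las Vegas part)
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                   # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def crt(r1, m1, r2, m2):
    """x with x = r1 (mod m1) and x = r2 (mod m2), for coprime m1, m2."""
    return (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


def sqrt_mod_pq(a, p, q):
    """All 2^2 = 4 square roots of a modulo n = pq (empty if a is a non-residue)."""
    rp, rq = tonelli_shanks(a, p), tonelli_shanks(a, q)
    if rp is None or rq is None:
        return []
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def factor_with_sqrt_oracle(n, oracle, rng=random.Random(1)):
    """FACTORING <= SQRROOT: pick a random y, ask for a root x of y^2 mod n.
    With probability 1/2 the answer is not +-y, and then gcd(x + y, n) splits n."""
    while True:
        y = rng.randrange(2, n)
        if gcd(y, n) != 1:             # lucky hit, negligible for real sizes
            return gcd(y, n)
        x = oracle(y * y % n)
        if x % n not in (y, n - y):
            return gcd(x + y, n)


if __name__ == "__main__":
    p, q = 10007, 10009                # constructed sample primes
    n = p * q
    print("roots of 4 mod n:", sqrt_mod_pq(4, p, q))
    oracle = lambda c: sqrt_mod_pq(c, p, q)[0]   # simulated SQRROOT oracle
    print("factor found:", factor_with_sqrt_oracle(n, oracle))
```

The oracle here answers deterministically (smallest root), which is exactly the property the reduction needs: its answer does not depend on which of the four roots the attacker started from.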
Pollard's $p-1$ Algorithm (J. M. Pollard 1974)
To find a non-trivial factor $d$ of $n$:
    choose a small positive integer $a$ (e.g. 2)
    if $\gcd(a, n) = d > 1$ then return $d$
    choose a limit $B$
    for $j$ from 2 to $B$ do $a \leftarrow a^j \bmod n$ od
    if $\gcd(a - 1, n) = d > 1$ then return $d$
    failure
After the loop $a$ holds $a_0^{B!} \bmod n$. This will succeed, provided $B \ge q$ for each prime power $q$ exactly dividing $p-1$, i.e. $(p-1) \mid B!$, so that $a^{B!} \equiv 1 \pmod p$ by Fermat's theorem. If the same happens to hold for every prime factor of $n$, then $d = n$, which is also a failure; retry with a smaller $B$.
Pollard's $\rho$ Algorithm (J. M. Pollard 1975)
To find a non-trivial factor $d$ of $n$:
    choose a small integer $a$ (e.g. 1)
    define $f(x) = (x^2 + a) \bmod n$
    choose an initial value $x_0$
    $x \leftarrow x_0$; $x' \leftarrow x_0$
    do $x \leftarrow f(x)$; $x' \leftarrow f(f(x'))$; $d \leftarrow \gcd(x - x', n)$ until $d > 1$
    if $d < n$ then return $d$
    failure
Assume $p \mid n$ and $x_{j_0} \equiv x_{j_0+k} \pmod p$ (probability 100% for $j_0 + k > p$, about 50% for $j_0 + k > 1.17\sqrt{p}$, by the birthday paradox). Then
    $x_j \equiv x_{j+k} \pmod p$ for $j \ge j_0$,
    $x_j \equiv x_{j+mk} \pmod p$ for $j \ge j_0$ and all $m$,
    $x_{Mk} \equiv x_{Mk+Mk} = x_{2Mk} \pmod p$ for $Mk \ge j_0$.
After step $i$ the pair $(x, x')$ is $(x_i, x_{2i})$, so the two walkers agree modulo $p$ for some $i \le j_0 + k$, and $\gcd(x - x', n)$ is then divisible by $p$. (The congruences hold modulo $p$, not modulo $n$; $d = n$ means the walkers collided modulo every prime factor at once.)
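Both factoring methods of the two preceding slides as an added Python example (not code from the lecture). The $p-1$ run uses Stinson's instance $n = 15770708441 = 135979 \cdot 115979$, where $135978 = 2 \cdot 3 \cdot 131 \cdot 173$ is 180-smooth; the $\rho$ runs use $n = 7171 = 71 \cdot 101$ and a constructed $n = 10007 \cdot 10009$. The retry over the constant $a$ in `pollard_rho` is an addition for the $d = n$ failure case.

```python
from math import gcd


def pollard_p_minus_1(n, B, a=2):
    """Pollard's p-1 with bound B.  Returns a proper factor of n, or None when
    gcd(a^(B!) - 1, n) is 1 (B too small) or n (B too large for every factor)."""
    d = gcd(a, n)
    if d > 1:
        return d
    for j in range(2, B + 1):          # a <- a^j each round, so a = a0^(B!) at the end
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def pollard_rho(n, x0=1, max_a=10):
    """Floyd cycle-finding on f(x) = x^2 + a mod n.  x walks one step per round,
    x2 walks two, so x = x_i and x2 = x_{2i}.  If the walkers collide modulo
    every prime factor simultaneously (d = n), the constant a is changed."""
    for a in range(1, max_a + 1):
        f = lambda v: (v * v + a) % n
        x, x2 = x0, x0
        while True:
            x, x2 = f(x), f(f(x2))
            d = gcd(x - x2, n)         # math.gcd handles the negative difference
            if d > 1:
                break
        if d < n:
            return d
    return None


if __name__ == "__main__":
    print("p-1, n = 15770708441, B = 180:", pollard_p_minus_1(15770708441, 180))
    print("rho, n = 7171:", pollard_rho(7171))
    print("rho, n = 100160063:", pollard_rho(100160063))
```

Note that `pollard_p_minus_1` only ever finds a prime $p$ with smooth $p-1$; a defender picking "safe" primes ($p = 2p' + 1$ with $p'$ prime) makes it useless, whereas $\rho$ depends only on the size of the smallest prime factor.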
Dixon's Algorithm: Random Squares
Obtain a collection of congruences $z_i^2 \equiv \prod_{j=1}^{l} p_j^{e_{i,j}} \pmod n$ for a large number of $z_i$'s, where the primes $p_j$ all belong to a relatively small factor base $B$. It may then be possible to find a product of the $z_i^2$'s whose prime decomposition has all its primes in even powers. If this is
$z^2 \equiv \left(\prod_j p_j^{e_j}\right)^2 \pmod n,$
then $\gcd\left(z + \prod_j p_j^{e_j},\ n\right)$ produces a non-trivial factor of $n$, unless $z \equiv \pm \prod_j p_j^{e_j} \pmod n$; for $n$ with at least two distinct prime factors that bad case has probability at most $1/2$ per dependence, so one collects a few more relations than needed. The desired product may be found by looking for linear dependences among the rows of the matrix $(e_{i,j} \bmod 2)_{i,j}$ over $\mathbb{Z}_2$; as soon as there are more rows than columns such a dependence must exist.
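The random-squares method above, as an added Python example (not code from the lecture): random $z$, trial division over the factor base, Gaussian elimination over $\mathbb{Z}_2$ with Python integers as bit vectors, and the final gcd. The modulus $n = 84923 = 163 \cdot 521$ and the factor base (primes below 60) are constructed choices for this example.

```python
import random
from math import gcd, isqrt


def small_primes(limit):
    """Primes up to limit (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(limit + 1) if sieve[i]]


def factor_over_base(m, base):
    """Exponent vector of m over the factor base, or None if m is not B-smooth."""
    if m == 0:
        return None
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def gf2_dependencies(rows):
    """Gaussian elimination over GF(2).  rows[i] is the bit-mask of e_{i,j} mod 2.
    Returns subsets of row indices whose XOR is zero, i.e. products of z_i^2
    whose prime factorisation has every exponent even."""
    pivots = {}                        # pivot bit -> (reduced row, set of original indices)
    deps = []
    for idx, row in enumerate(rows):
        combo = {idx}
        while row:
            top = row.bit_length() - 1
            if top not in pivots:
                pivots[top] = (row, combo)
                break
            prow, pcombo = pivots[top]
            row ^= prow
            combo ^= pcombo            # track which original rows were added
        else:
            deps.append(sorted(combo)) # row reduced to zero: a dependence
    return deps


def dixon(n, base_limit=60, rng=random.Random(7), max_trials=200_000):
    """Return a proper factor of n found by Dixon's random squares, or None."""
    base = small_primes(base_limit)
    relations = []                     # (z, e) with z^2 = prod p_j^e_j (mod n)
    for _ in range(max_trials):
        z = rng.randrange(2, n)
        e = factor_over_base(z * z % n, base)
        if e is None:
            continue
        relations.append((z, e))
        if len(relations) <= len(base):
            continue                   # need more rows than columns
        rows = [sum((ej & 1) << j for j, ej in enumerate(ev)) for _, ev in relations]
        for dep in gf2_dependencies(rows):
            zprod, total = 1, [0] * len(base)
            for i in dep:
                zprod = zprod * relations[i][0] % n
                total = [t + ej for t, ej in zip(total, relations[i][1])]
            w = 1                      # w = prod p_j^(e_j/2), the root of the right side
            for p, t in zip(base, total):
                w = w * pow(p, t // 2, n) % n
            d = gcd(zprod + w, n)
            if 1 < d < n:
                return d
    return None


if __name__ == "__main__":
    print("factor of 84923:", dixon(84923))   # constructed sample modulus
```

With a random $z$ the smooth relations are rare (the quadratic sieve and number field sieve exist to produce them cheaply), but the linear-algebra half shown here is the same in all of those methods.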
Finding $\phi(n)$
FACTORING $n = pq$ is polynomial time equivalent to finding $\phi(n)$: knowing $n = pq$ obviously reveals $\phi(n) = (p-1)(q-1)$. On the other hand, $pq = n$ and $p + q = n - \phi(n) + 1$, so $p$ and $q$ are the solutions of the quadratic equation
$x^2 - (n - \phi(n) + 1)\,x + n = 0.$
Rational approximations of a real number
The best approximations $\frac{p_1}{q_1}, \frac{p_2}{q_2}, \frac{p_3}{q_3}, \ldots$ of a number, using numerator and denominator of a certain size, are called the convergents of the number.
For a real number $\alpha$ define $\alpha_0 = \alpha$ and for $i = 0, 1, 2, \ldots$ (as long as $a_i < \alpha_i$)
$a_i = \lfloor \alpha_i \rfloor, \qquad \alpha_{i+1} = \frac{1}{\alpha_i - a_i}.$
Then
$\alpha = \alpha_0 = a_0 + \frac{1}{\alpha_1} = a_0 + \cfrac{1}{a_1 + \cfrac{1}{\alpha_2}} = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\alpha_3}}} = \ldots$
It can be shown that
$a_0 + \cfrac{1}{a_1 + \cfrac{1}{\ddots + \cfrac{1}{a_i}}} = \frac{p_i}{q_i}$
are the convergents, and that this irreducible fraction can be obtained via
$p_{-2} = 0,\quad p_{-1} = 1,\quad p_i = a_i p_{i-1} + p_{i-2} \text{ for } i \ge 0,$
$q_{-1} = 0,\quad q_0 = 1,\quad q_i = a_i q_{i-1} + q_{i-2} \text{ for } i \ge 1.$
Proofs
By induction: $p_{i-1} q_i - p_i q_{i-1} = (-1)^i$, so $\frac{p_i}{q_i}$ is in lowest terms.
Define $r^{(j)}_{j-2} = 0$, $r^{(j)}_{j-1} = 1$, $r^{(j)}_i = a_i r^{(j)}_{i-1} + r^{(j)}_{i-2}$ for $i \ge j$. Then $p_i = r^{(0)}_i$ and $q_i = r^{(1)}_i$, and by induction it can be proved that $r^{(j)}_i = a_j r^{(j+1)}_i + r^{(j+2)}_i$, and by another induction for $j = i, i-1, \ldots, 1, 0$ that
$\frac{r^{(j)}_i}{r^{(j+1)}_i} = a_j + \cfrac{1}{a_{j+1} + \cfrac{1}{\ddots + \cfrac{1}{a_i}}}.$
Fact: if $\left|\alpha - \frac{p}{q}\right| < \frac{1}{2q^2}$ for positive integers $p$ and $q$, then $\frac{p}{q}$ is a convergent in the continued fraction expansion of $\alpha$.
Example: $\pi = 3 + \cfrac{1}{7 + \cfrac{1}{15 + \cfrac{1}{1 + \cdots}}}$. Convergents: $3, \frac{22}{7}, \frac{333}{106}, \frac{355}{113}, \ldots$
Wiener's attack on RSA
Assume $n = pq$ with $q < p < 2q$ and, as usual, $ab \equiv 1 \pmod{(p-1)(q-1)}$ (here $b$ is the public and $a$ the private exponent). This means $ab = 1 + k(p-1)(q-1)$ for some $k$; $\gcd(a, k) = 1$, and $b < (p-1)(q-1)$, so $k < a$. If moreover $a < \frac{1}{3}\sqrt[4]{n}$, then $0 < n - (p-1)(q-1) = p + q - 1 < 3q < 3\sqrt{n}$ (because $q < p$ gives $q^2 < n$), and we derive
$\left|\frac{b}{n} - \frac{k}{a}\right| = \frac{|ab - kn|}{an} = \frac{\left|ab - k(p-1)(q-1) - k\bigl(n - (p-1)(q-1)\bigr)\right|}{an} = \frac{|1 - k(p+q-1)|}{an} < \frac{3k\sqrt{n}}{an} = \frac{3k}{a\sqrt{n}} < \frac{\sqrt[4]{n}}{a\sqrt{n}} = \frac{1}{a\sqrt[4]{n}} < \frac{1}{3a^2} < \frac{1}{2a^2},$
since $3k < 3a < \sqrt[4]{n}$.
We know $\gcd(k, a) = 1$, so by the Fact on the previous slide $\frac{k}{a}$ is among the convergents of $\frac{b}{n}$. The right one could be found by checking $(m^b)^a \equiv m \pmod n$ for some random value of $m$, or even by finding $p$ and $q$ from $(p-1)(q-1) = (ab-1)/k$ and $pq = n$. The attack is avoided by never choosing a small private exponent; choosing a small public exponent is harmless here.
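Wiener's attack as derived above, built on the convergent recurrence of the two "Rational approximations" slides and on the quadratic of the "Finding $\phi(n)$" slide, as an added Python example (not code from the lecture). The RSA instance is constructed for this example: $p = 13001$, $q = 12347$ (so $q < p < 2q$), private exponent $a = 7 < \frac{1}{3}\sqrt[4]{n}$, and $b = a^{-1} \bmod (p-1)(q-1)$.

```python
import math
from fractions import Fraction


def continued_fraction(x):
    """Partial quotients a_0, a_1, ... of a rational x; stops when alpha_i is an integer."""
    x = Fraction(x)
    quotients = []
    while True:
        a = math.floor(x)
        quotients.append(a)
        if x == a:
            return quotients
        x = 1 / (x - a)                   # alpha_{i+1} = 1 / (alpha_i - a_i)


def convergents(x):
    """p_i/q_i via p_i = a_i p_{i-1} + p_{i-2}, q_i = a_i q_{i-1} + q_{i-2}."""
    p_prev2, p_prev1 = 0, 1               # p_{-2}, p_{-1}
    q_prev2, q_prev1 = 1, 0               # q_{-2}, q_{-1}, giving q_0 = 1
    result = []
    for a in continued_fraction(x):
        p_i = a * p_prev1 + p_prev2
        q_i = a * q_prev1 + q_prev2
        result.append(Fraction(p_i, q_i))
        p_prev2, p_prev1 = p_prev1, p_i
        q_prev2, q_prev1 = q_prev1, q_i
    return result


def primes_from_phi(n, phi):
    """(p, q) with pq = n from phi = (p-1)(q-1): integer roots of
    x^2 - (n - phi + 1) x + n = 0, or None if there are none."""
    s = n - phi + 1                       # p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = math.isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    return (s - r) // 2, (s + r) // 2


def wiener(n, b):
    """Recover the private exponent a from the public key (n, b) when a < n^(1/4)/3.
    Each convergent k/a of b/n is tested by solving for p and q (the slide's
    second test); the first test, m^(ab) = m (mod n), would do as well."""
    for conv in convergents(Fraction(b, n)):
        k, a = conv.numerator, conv.denominator
        if k == 0 or (a * b - 1) % k:
            continue
        phi = (a * b - 1) // k
        pq = primes_from_phi(n, phi)
        if pq and pq[0] > 1 and pq[0] * pq[1] == n:
            return a, pq
    return None


if __name__ == "__main__":
    p, q, a = 13001, 12347, 7             # constructed weak key
    n, phi = p * q, (p - 1) * (q - 1)
    b = pow(a, -1, phi)
    print("convergents of b/n:", convergents(Fraction(b, n)))
    print("recovered (a, (p, q)):", wiener(n, b))
```

For this key $b/n$ has convergents $0, 1, \frac{1}{2}, \frac{4}{7}, \ldots$, and $\frac{k}{a} = \frac{4}{7}$ already yields $\phi(n) = (7b - 1)/4$ and the factorization.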
The Rabin Cryptosystem
For two large primes $p$ and $q$ (for convenience, choose $p, q \equiv 3 \pmod 4$) let the public key be $n = pq$ and some integer $a$ (which could be 0). Plaintexts and ciphertexts are elements of $\mathbb{Z}_n$. Encode $x$ as $y = x(x + a) \bmod n$.
Knowing the factorization $n = pq$ enables one to solve
$\left(x + \frac{a}{2}\right)^2 \equiv \frac{a^2}{4} + y \pmod n$
(with $\frac{1}{2} = 2^{-1} \bmod n$) by taking the two square roots modulo $p$ and modulo $q$ and combining them by means of the Chinese Remainder Theorem. But there will be four solutions! The receiver needs redundancy in the plaintext to recognise the intended one.
FACTORING is polynomial time equivalent to Rabin decryption: if $x_1(x_1 + a) \equiv x_2(x_2 + a) \pmod n$ then $(x_1 - x_2)(x_1 + x_2 + a) \equiv 0 \pmod n$, so a decryption oracle that returns a root $x_2$ of $y = x_1(x_1 + a)$ different from $x_1$ and $-x_1 - a$ (probability $1/2$ per query) gives the factor $\gcd(x_1 - x_2, n)$.
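The Rabin system with the offset $a$ as defined above, its four-candidate decryption, and the chosen-ciphertext reduction from decryption to factoring, as an added Python example (not code from the lecture). The primes $p = 10007$ and $q = 10039$ (both $\equiv 3 \pmod 4$), the offset and the plaintext are constructed for this example.

```python
import random
from math import gcd


def crt(r1, m1, r2, m2):
    """x = r1 (mod m1), x = r2 (mod m2) for coprime moduli."""
    return (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


def rabin_encrypt(n, a, x):
    return x * (x + a) % n


def rabin_decrypt(p, q, a, y):
    """All x with x(x+a) = y (mod n): complete the square, take the roots
    modulo p and q (p, q = 3 mod 4, so a root of c is c^((p+1)/4)), combine by CRT."""
    n = p * q
    half = pow(2, -1, n)                  # 2^-1 mod n, so a/2 means a*half
    c = (y + a * a * half * half) % n     # (x + a/2)^2 = y + a^2/4
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if rp * rp % p != c % p or rq * rq % q != c % q:
        return []                          # c is a non-residue: y is not a valid ciphertext
    cands = set()
    for sp in (rp, (-rp) % p):
        for sq in (rq, (-rq) % q):
            w = crt(sp, p, sq, q)          # one of the four roots of c modulo n
            cands.add((w - a * half) % n)  # x = w - a/2
    return sorted(cands)


def factor_from_collision(n, a, x1, x2):
    """x1(x1+a) = x2(x2+a) (mod n) means (x1-x2)(x1+x2+a) = 0 (mod n); when x2 is
    neither x1 nor -x1-a, gcd(x1-x2, n) is a proper factor."""
    d = gcd(x1 - x2, n)
    return d if 1 < d < n else None


def factor_with_decryption_oracle(n, a, oracle, rng=random.Random(3)):
    """Chosen-ciphertext reduction: encrypt a random x, ask the oracle for *a*
    decryption x2; it is a useful collision with probability 1/2 per query."""
    while True:
        x = rng.randrange(0, n)
        x2 = oracle(rabin_encrypt(n, a, x))
        d = factor_from_collision(n, a, x, x2)
        if d is not None:
            return d


if __name__ == "__main__":
    p, q, a = 10007, 10039, 424242        # constructed key and offset
    n = p * q
    y = rabin_encrypt(n, a, 31337)
    print("candidates for y:", rabin_decrypt(p, q, a, y))
    oracle = lambda y: rabin_decrypt(p, q, a, y)[0]   # a decryptor that picks one root
    print("factor via oracle:", factor_with_decryption_oracle(n, a, oracle))
```

The oracle in the demo always returns the smallest candidate; any rule that does not depend on which root the attacker chose works the same way, which is why a deployed Rabin decryptor must never decrypt arbitrary ciphertexts for an outsider.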
Semantic Security
Potential adversarial goals:
    total break: determining the secret key.
    partial break: with some non-negligible probability to determine some specific information about the plaintext, given the ciphertext.
    distinguishability of ciphertexts: with probability exceeding $1/2$ (by a non-negligible margin) to distinguish between encryptions of two given plaintexts.
A deterministic scheme such as textbook RSA cannot meet the last goal: the adversary simply encrypts both candidate plaintexts and compares with the challenge ciphertext.
Partial information on RSA plaintexts
In an RSA cryptosystem $y = x^b \bmod n$, since $b$ is odd, the Jacobi symbol of the plaintext leaks from the ciphertext:
$\left(\frac{y}{n}\right) = \left(\frac{x^b}{n}\right) = \left(\frac{x}{n}\right)^b = \left(\frac{x}{n}\right).$
But finding the high order bit of $x$ or the low order bit of $x$ is as difficult as finding the whole of $x$:
$\mathrm{parity}(y) = x \bmod 2, \qquad \mathrm{high}(y) = \begin{cases} 0 & \text{if } 0 \le x < n/2, \\ 1 & \text{if } n/2 < x \le n - 1. \end{cases}$
Note (Stinson, 3rd ed., exercise 5.34):
$\mathrm{high}(y) = \mathrm{parity}\left(2^b y \bmod n\right), \qquad \mathrm{parity}(y) = \mathrm{high}\left((2^{-1})^b y \bmod n\right),$
because $2^b y$ encrypts $2x \bmod n$, which equals $2x$ (even) when $x < n/2$ and $2x - n$ (odd, $n$ being odd) otherwise; likewise $(2^{-1})^b y$ encrypts $x/2$ when $x$ is even and $(x+n)/2 > n/2$ when $x$ is odd.
Bit security of RSA
Given $y = x^b \bmod n$ and an oracle for $\mathrm{high}$, recover $x$ by binary search on a rational interval $[lo, hi)$ that always contains $x$:
    z := y; lo := 0; hi := n;
    while hi - lo > 1 do
        (* lo = k n / 2^i ≤ x = y^a mod n < hi = (k+1) n / 2^i *)
        (* z = 2^{ib} y mod n, so z^a mod n = 2^i x mod n *)
        mid := (hi + lo) / 2;
        if high(z) then lo := mid else hi := mid;
        z := 2^b z mod n
    od
    (* y^a mod n = ⌊hi⌋ *)
The test $\mathrm{high}(z)$ asks whether $2^i x \bmod n = 2^i x - kn$ exceeds $n/2$, i.e. whether $x > mid$. Each round halves the interval, so $\lceil \log_2 n \rceil$ oracle queries suffice; by the previous slide a parity oracle works just as well.
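The binary search above and the high/parity/Jacobi relations of the previous slide, as an added Python example (not code from the lecture). The oracles are simulated with the private key (in practice they would be a side channel or a sloppy decryption service); the key $p = 13001$, $q = 12347$, $a = 7$ is constructed for this example.

```python
from fractions import Fraction


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def make_oracles(n, a):
    """Simulated oracles high(y) and parity(y) for x = y^a mod n.
    The attacker below never reads a; only these two functions do."""
    def high(y):
        return 1 if pow(y, a, n) > n // 2 else 0   # n odd, so x = n/2 is impossible
    def parity(y):
        return pow(y, a, n) & 1
    return high, parity


def high_from_parity(n, b, parity, y):
    """high(y) = parity(2^b y mod n): 2^b y encrypts 2x mod n."""
    return parity(pow(2, b, n) * y % n)


def parity_from_high(n, b, high, y):
    """parity(y) = high((2^-1)^b y mod n): that ciphertext encrypts x/2 mod n."""
    return high(pow(pow(2, -1, n), b, n) * y % n)


def recover_plaintext(n, b, high, y):
    """The slide's binary search.  Returns (x, number of oracle calls)."""
    lo, hi = Fraction(0), Fraction(n)
    z, two_b, calls = y, pow(2, b, n), 0
    while hi - lo > 1:
        mid = (lo + hi) / 2
        if high(z):                    # 2^i x mod n > n/2  <=>  x > mid
            lo = mid
        else:
            hi = mid
        z = two_b * z % n              # z now encrypts 2^(i+1) x mod n
        calls += 1
    return int(hi), calls              # floor(hi): the only integer in [lo, hi)


if __name__ == "__main__":
    p, q, a = 13001, 12347, 7          # constructed key (private exponent a)
    n, phi = p * q, (p - 1) * (q - 1)
    b = pow(a, -1, phi)
    high, parity = make_oracles(n, a)
    x = 99999999
    y = pow(x, b, n)
    print("Jacobi of x and y:", jacobi(x, n), jacobi(y, n))
    print("recovered:", recover_plaintext(n, b, high, y))
```

The count of oracle calls equals $\lceil \log_2 n \rceil$ (28 for this $n$), independent of $x$; this is the sense in which one bit is as good as all of them.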