Attacks on RSA. The Rabin Cryptosystem. Semantic Security of RSA. Cryptology, Tuesday, February 27th, 2007. Nils Andersen.


Attacks on RSA, the Rabin Cryptosystem, Semantic Security of RSA (Cryptology, Tuesday, February 27th, 2007, Nils Andersen).

Outline: Square Roots modulo $n$; Complexity Theoretic Reduction; Factoring Algorithms (Pollard's $p-1$, Pollard's $\rho$, Dixon's Random Squares); Finding $\varphi(n)$; Finding the Decryption Exponent; Rabin's Cryptosystem; Semantic Security of RSA. Reading: Stinson (third edition), Sections 5.5 to 5.9.

Square roots modulo p

We know that for an odd prime $p$ and an integer $a$ with $p \nmid a$, the congruence $y^2 \equiv a \pmod p$ has no solutions if $\left(\frac{a}{p}\right) = -1$ and two solutions (modulo $p$) if $\left(\frac{a}{p}\right) = 1$, and we also know (Euler's criterion) that $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$. If $p \equiv 3 \pmod 4$, the two solutions may be found as $\pm a^{(p+1)/4} \bmod p$. For odd $p$ in general there is a Las Vegas algorithm by Tonelli and Shanks (Neal Koblitz: A Course in Number Theory and Cryptography, pp. 48-49).

Square roots modulo n

Theorem. If $p$ is an odd prime, $e$ a positive integer and $a$ an integer relatively prime to $p$, the congruence $y^2 \equiv a \pmod{p^e}$ has no solutions if $\left(\frac{a}{p}\right) = -1$ and two solutions (modulo $p^e$) if $\left(\frac{a}{p}\right) = 1$.

Theorem. If $n = \prod_{i=1}^{l} p_i^{e_i}$ is the factorization of an odd integer $n > 1$ (so that the $p_i$ are distinct odd primes) and $a$ is an integer relatively prime to $n$, then the congruence $y^2 \equiv a \pmod n$ has $2^l$ solutions modulo $n$ if $\left(\frac{a}{p_i}\right) = 1$ for all $i = 1, \dots, l$, and no solutions otherwise.

Complexity theoretic reduction

Suppose that G and H are (not necessarily decision) problems. G can be reduced to H, denoted $G \le_T H$, if it is possible to solve G with an algorithm that can call an oracle for H and takes polynomial time (counting an oracle query as a single step).

RSA-problem: given $n$, $b$ and $y = x^b \bmod n$, find $x$.
FACTORING: given $n = pq$, find $p$ and $q$.
SQRROOT: given $n$ and $a$ with $x^2 \equiv a \pmod n$, find $x$.

A problem hierarchy

RSA-problem is no harder than FACTORING: knowing $b$ and the factors of $n$ reveals a decryption exponent $a$, and $x = y^a \bmod n$.

FACTORING and SQRROOT are polynomial-time equivalent. To solve $x^2 \equiv a \pmod n$ knowing how to factor $n = pq$, solve $x^2 \equiv a \pmod p$ and $x^2 \equiv a \pmod q$ with the Tonelli-Shanks algorithm and combine the roots with the Chinese Remainder Theorem. Conversely, to factor $n$, choose some $y$ and solve $x^2 \equiv y^2 \pmod n$, which means $n \mid (x+y)(x-y)$. If $x \equiv \pm y \pmod n$, reiterate with another $y$; otherwise $p = \gcd(x+y, n)$ is a non-trivial factor of $n$.

Pollard's p - 1 algorithm (J. M. Pollard, 1974)

To find a non-trivial factor $d$ of $n$:
    choose a small positive integer $a$ (e.g. 2)
    if $\gcd(a, n) = d > 1$ then return $d$
    choose a limit $B$
    for $j$ from 2 to $B$ do $a \leftarrow a^j \bmod n$ od
    if $\gcd(a - 1, n) = d > 1$ then return $d$
    failure

After the loop the variable $a$ holds (initial $a$)$^{B!} \bmod n$, so this will succeed provided $B \ge q$ for each prime power $q \mid p - 1$: then $(p-1) \mid B!$, hence $a^{B!} \equiv 1 \pmod p$ by Fermat, and $p$ divides $\gcd(a - 1, n)$.
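The $p-1$ method in Python, as an added example that is not part of the slides; the modulus is constructed so that $p-1$ is 11-smooth while $q-1$ has a large prime factor, which is exactly the situation the method exploits:

```python
from math import gcd

def pollard_p_minus_1(n, B, a=2):
    """Pollard's p-1 method as on the slide: a <- a^j mod n for j = 2..B
    (so a ends as a^(B!) mod n), then gcd(a - 1, n).  Returns a factor or None."""
    d = gcd(a, n)
    if d > 1:
        return d
    for j in range(2, B + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None       # d == n is also a failure

# Constructed modulus: p - 1 = 4620 = 2^2 * 3 * 5 * 7 * 11 is 11-smooth, so
# B = 11 covers every prime power dividing p - 1; q - 1 = 10006 = 2 * 5003
# is not, so a^(B!) stays away from 1 modulo q and the gcd isolates p.
P, Q = 4621, 10007

def demo():
    return pollard_p_minus_1(P * Q, B=11)   # returns 4621
```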

Pollard's ρ algorithm (J. M. Pollard, 1975)

To find a non-trivial factor $d$ of $n$:
    choose a small integer $a$ (e.g. 1)
    define $f(x) = (x^2 + a) \bmod n$
    choose an initial value $x_0$
    $x \leftarrow x_0$; $x' \leftarrow x_0$
    do $x \leftarrow f(x)$; $x' \leftarrow f(f(x'))$; $d \leftarrow \gcd(x - x', n)$ until $d > 1$
    if $d < n$ then return $d$
    failure

Assume $p \mid n$ and $x_{j_0} \equiv x_{j_0+k} \pmod p$ (probability 100% for $j_0 + k > p$, about 50% for $j_0 + k > 1.17\sqrt{p}$, by the birthday bound). Then $x_j \equiv x_{j+k} \pmod p$ for $j \ge j_0$, hence $x_j \equiv x_{j+mk} \pmod p$ for $j \ge j_0$ and all $m$, and in particular $x_{Mk} \equiv x_{Mk+Mk} \pmod p$ for $Mk \ge j_0$. The pair $(x, x') = (x_i, x_{2i})$ maintained by the loop therefore collides modulo $p$ after at most $j_0 + k$ steps, at which point $p \mid \gcd(x - x', n)$.
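The same loop in Python, added here as an illustration (not from the slides), with a retry wrapper for the $d = n$ failure case; the moduli are constructed:

```python
from math import gcd

def pollard_rho(n, x0=2, a=1):
    """Floyd-cycle form from the slide: x takes one step of f, x' two,
    until d = gcd(x - x', n) > 1.  Returns d if 1 < d < n, else None."""
    f = lambda x: (x * x + a) % n
    x = x2 = x0
    while True:
        x = f(x)
        x2 = f(f(x2))
        d = gcd(x - x2, n)                  # math.gcd ignores the sign
        if d > 1:
            return d if d < n else None     # d == n: both cycles closed at once

def factor_rho(n, tries=20):
    """Retry from other starting points when a run ends in the d == n
    case that the slide's 'failure' branch reports."""
    for x0 in range(2, 2 + tries):
        d = pollard_rho(n, x0)
        if d:
            return d
    return None

def demo():
    # 8051 = 83 * 97 (constructed): with f(x) = x^2 + 1 and x0 = 2 the gcd
    # becomes 97 on the third iteration, where x = 677 and x' = 871.
    return pollard_rho(8051)
```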

Dixon's algorithm: random squares

Obtain a collection of congruences $z_j^2 \equiv \prod_{i=1}^{l} p_i^{e_{i,j}} \pmod n$ for a large number of $z_j$'s, where the primes $p_i$ all belong to a relatively small factor base $B$. It may then be possible to find a product of the $z_j^2$'s whose prime decomposition has all its primes in even powers. If this product is $z^2 \equiv \left(\prod p_i^{e_i}\right)^2 \pmod n$, then $\gcd\!\left(z + \prod p_i^{e_i},\, n\right)$ produces a non-trivial factor of $n$ (unless $z \equiv \pm \prod p_i^{e_i} \pmod n$, in which case more relations are needed). The desired product may be found by looking for linear dependences among the rows of the matrix $(e_{i,j} \bmod 2)$ over GF(2), with one row per $z_j$.
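A compact implementation of the relation collection and the GF(2) dependency search, added as an example (not from the slides); the modulus, factor base and candidate $z$'s are constructed so that two of the exponent vectors agree mod 2:

```python
from math import gcd

def factor_over_base(m, base):
    """Trial-divide m over the factor base; exponent vector, or None if not smooth."""
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None

def dixon(n, base, zs):
    """Collect relations z^2 = prod p_i^e_i (mod n), then find a subset whose
    exponent vectors sum to zero mod 2 (Gaussian elimination over GF(2) on
    bitmask rows, each carrying a history of which z's it combines)."""
    rels = []
    for z in zs:
        e = factor_over_base(z * z % n, base)
        if e is not None:
            rels.append((z, e))
    pivots = {}                               # lowest set bit -> (row, hist)
    for r, (_, e) in enumerate(rels):
        mask = sum((e[i] & 1) << i for i in range(len(base)))
        hist = 1 << r
        while mask:
            bit = mask & -mask
            if bit not in pivots:
                pivots[bit] = (mask, hist)
                break
            pmask, phist = pivots[bit]
            mask, hist = mask ^ pmask, hist ^ phist
        else:                                 # mask == 0: a dependency
            z, total = 1, [0] * len(base)
            for j, (zj, ej) in enumerate(rels):
                if hist >> j & 1:
                    z = z * zj % n
                    total = [t + x for t, x in zip(total, ej)]
            y = 1                             # square root of the right side
            for p, t in zip(base, total):
                y = y * pow(p, t // 2, n) % n
            d = gcd(z + y, n)
            if 1 < d < n:
                return d
    return None

def demo():
    # constructed: n = 84923, base {2,3,5,7}; 513^2 and 537^2 reduce to 8400
    # and 33600 mod n, exponent vectors (4,1,2,1) and (6,1,2,1), equal mod 2
    return dixon(84923, [2, 3, 5, 7], [513, 537, 505])
```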

Finding φ(n)

FACTORING $n$ is polynomial-time equivalent to finding $\varphi(n)$: knowing $n = pq$ obviously reveals $\varphi(n) = (p-1)(q-1)$. On the other hand, $p$ and $q$ are the solutions of the quadratic equation
$$x^2 - \bigl(n - \varphi(n) + 1\bigr)x + n = 0.$$

Rational approximations of a real number

The best approximations $\frac{p_1}{q_1}, \frac{p_2}{q_2}, \frac{p_3}{q_3}, \dots$ of a number, using numerator and denominator of a certain size, are called the convergents of the number. For a real number $\alpha$ define $\alpha_0 = \alpha$ and, for $i = 0, 1, 2, \dots$ (as long as $\alpha_i$ is not an integer, i.e. $a_i < \alpha_i$),
$$a_i = \lfloor \alpha_i \rfloor, \qquad \alpha_{i+1} = \frac{1}{\alpha_i - a_i}.$$
Then
$$\alpha = \alpha_0 = a_0 + \frac{1}{\alpha_1} = a_0 + \cfrac{1}{a_1 + \cfrac{1}{\alpha_2}} = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\alpha_3}}} = \dots$$
It can be shown that
$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{\ddots + \cfrac{1}{a_i}}} = \frac{p_i}{q_i}$$
are the convergents, and that this irreducible fraction can be obtained via
$$p_{-2} = 0,\ p_{-1} = 1,\ p_i = a_i p_{i-1} + p_{i-2} \text{ for } i \ge 0; \qquad q_{-1} = 0,\ q_0 = 1,\ q_i = a_i q_{i-1} + q_{i-2} \text{ for } i \ge 1.$$

Proofs. By induction, $p_{i-1} q_i - p_i q_{i-1} = (-1)^i$, so $p_i/q_i$ is in lowest terms. Define $r^{(j)}_{j-2} = 0$, $r^{(j)}_{j-1} = 1$ and $r^{(j)}_i = a_i r^{(j)}_{i-1} + r^{(j)}_{i-2}$ for $i \ge j$. Then $p_i = r^{(0)}_i$ and $q_i = r^{(1)}_i$, but by induction it can be proved that $r^{(j)}_i = a_j r^{(j+1)}_i + r^{(j+2)}_i$, and by another induction, for $j = i, i-1, \dots, 1, 0$, that
$$\frac{r^{(j)}_i}{r^{(j+1)}_i} = a_j + \cfrac{1}{a_{j+1} + \cfrac{1}{\ddots + \cfrac{1}{a_i}}}.$$

Fact: If $\left|\alpha - \frac{p}{q}\right| < \frac{1}{2q^2}$ for positive integers $p$ and $q$, then $p/q$ is a convergent in the continued fraction expansion of $\alpha$.

Example: $\pi = 3 + \cfrac{1}{7 + \cfrac{1}{15 + \cfrac{1}{1 + \dots}}}$. Convergents: $3, \frac{22}{7}, \frac{333}{106}, \frac{355}{113}, \dots$

Wiener's attack on RSA

Assume $n = pq$ with $q < p < 2q$ and, as usual, $ab \equiv 1 \pmod{(p-1)(q-1)}$. This means $ab = 1 + k(p-1)(q-1)$ for some $k$; $\gcd(a, k) = 1$, and $b < (p-1)(q-1)$, so $k < a$. If moreover $a < \frac{1}{3}\sqrt[4]{n}$ then $0 < n - (p-1)(q-1) = p + q - 1 < 3q < 3\sqrt{n}$ and we derive
$$\left|\frac{b}{n} - \frac{k}{a}\right| = \frac{|ab - kn|}{an} = \frac{\left|ab - k(p-1)(q-1) - k\bigl(n - (p-1)(q-1)\bigr)\right|}{an} = \frac{\left|1 - k\bigl(n - (p-1)(q-1)\bigr)\right|}{an} < \frac{3k\sqrt{n}}{an} = \frac{3k}{a\sqrt{n}} < \frac{\sqrt[4]{n}}{a\sqrt{n}} = \frac{1}{a\sqrt[4]{n}} < \frac{1}{3a^2} < \frac{1}{2a^2},$$
since $3k < 3a < \sqrt[4]{n}$. We know $\gcd(k, a) = 1$, so by the Fact above $\frac{k}{a}$ is among the convergents of $\frac{b}{n}$. The right one could be found by checking $(m^b)^a \equiv m \pmod n$ for some random value of $m$, or even by finding $p$ and $q$ from $(p-1)(q-1) = (ab-1)/k$ and $pq = n$.
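Wiener's attack end to end, added as an example (not from the slides): the convergent recurrence from the continued-fraction slides, the quadratic from the "Finding φ(n)" slide to recover $p, q$ from a candidate $\varphi$, and the scan over convergents of $b/n$. The key pair is constructed ($n = 13001 \cdot 12347$, $b = 60728973$, so that $a = 37$):

```python
from math import isqrt

def convergents(num, den):
    """Convergents p_i/q_i of num/den from the slide's recurrences
    p_i = a_i p_{i-1} + p_{i-2}, q_i = a_i q_{i-1} + q_{i-2}, seeded with
    (p_{-2}, p_{-1}) = (0, 1) and (q_{-2}, q_{-1}) = (1, 0)."""
    p2, p1, q2, q1 = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)          # a_i = floor(alpha_i)
        p2, p1 = p1, a * p1 + p2
        q2, q1 = q1, a * q1 + q2
        yield p1, q1
        num, den = den, rem                # alpha_{i+1} = 1 / (alpha_i - a_i)

def factor_from_phi(n, phi):
    """'Finding phi(n)': p and q are the roots of x^2 - (n - phi + 1) x + n = 0."""
    s = n - phi + 1                        # = p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if q > 1 and p * q == n else None

def wiener(n, b):
    """Walk the convergents k/a of b/n; when k divides ab - 1 and the
    candidate phi = (ab - 1)/k factors n, a is the decryption exponent."""
    for k, a in convergents(b, n):
        if k == 0 or (a * b - 1) % k:
            continue
        pq = factor_from_phi(n, (a * b - 1) // k)
        if pq:
            return a, pq
    return None

def demo():
    # constructed key: n = 13001 * 12347, b = 60728973, so a = 37 < n^(1/4)/3
    return wiener(160523347, 60728973)
```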

The Rabin cryptosystem

For two large primes $p$ and $q$ (for convenience, choose $p, q \equiv 3 \pmod 4$) let the public key be $n = pq$ and some integer $a$ (which could be 0). Plaintexts and ciphertexts are in $\mathbb{Z}_n$. Encrypt $x$ as $y = x(x + a) \bmod n$. Knowing the factorization $n = pq$ enables one to solve
$$\left(x + \tfrac{a}{2}\right)^2 \equiv \tfrac{a^2}{4} + y \pmod n$$
by means of the Chinese Remainder Theorem. But there will be four solutions! FACTORING is polynomial-time equivalent to Rabin decryption.
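An added example (not from the slides) tying together the square-root slides, the FACTORING/SQRROOT equivalence and Rabin: square roots modulo $p \equiv 3 \pmod 4$, the four CRT roots modulo $pq$, Rabin encryption and decryption by completing the square, and the reduction that turns any decryption oracle into a factoring routine. The primes, $a$ and the random seeds are constructed toy values:

```python
from math import gcd
import random

def sqrt_mod_prime(a, p):
    """Square root of a modulo a prime p = 3 (mod 4): a^((p+1)/4).  Euler's
    criterion a^((p-1)/2) = 1 is checked first, so a must be a nonzero square."""
    assert p % 4 == 3 and pow(a, (p - 1) // 2, p) == 1
    return pow(a, (p + 1) // 4, p)

def sqrt_mod_pq(a, p, q):
    """All four square roots of a modulo n = pq, glued together with the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime(a % p, p), sqrt_mod_prime(a % q, q)
    ep = q * pow(q, -1, p)                    # 1 mod p, 0 mod q
    eq = p * pow(p, -1, q)                    # 0 mod p, 1 mod q
    return sorted({(sp * rp * ep + sq * rq * eq) % n
                   for sp in (1, -1) for sq in (1, -1)})

def rabin_encrypt(x, n, a):
    return x * (x + a) % n

def rabin_decrypt(y, p, q, a):
    """Complete the square: (x + a/2)^2 = a^2/4 + y (mod n); four candidates."""
    n = p * q
    h = a * pow(2, -1, n) % n                # a/2 modulo n
    return sorted((r - h) % n for r in sqrt_mod_pq((h * h + y) % n, p, q))

def factor_with_oracle(n, a, oracle, rng=random.Random(1)):
    """Slide's reduction: an oracle returning *some* root of y = x(x + a)
    factors n.  For random x, with probability 1/2 the answer x' is neither
    x nor -x-a, and then gcd(x - x', n) is p or q."""
    while True:
        x = rng.randrange(1, n)
        d = gcd(2 * x + a, n)                # lucky: x + a/2 shares a factor
        if d > 1:
            if d < n:
                return d
            continue
        x2 = oracle(rabin_encrypt(x, n, a))
        if x2 not in (x, (-x - a) % n):
            return gcd(x - x2, n)

P, Q, A = 1019, 1031, 7                      # constructed: p, q = 3 (mod 4)
N = P * Q

def demo():
    chooser = random.Random(2)               # oracle picks one of the 4 roots
    oracle = lambda y: chooser.choice(rabin_decrypt(y, P, Q, A))
    return factor_with_oracle(N, A, oracle)
```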

Semantic security

Potential adversarial goals:
    total break: determining the secret key.
    partial break: with some non-negligible probability, determining some specific information about the plaintext, given the ciphertext.
    distinguishability of ciphertexts: with probability exceeding $\frac{1}{2}$, distinguishing between encryptions of two given plaintexts.

Partial information on RSA plaintexts

In an RSA cryptosystem with $y = x^b \bmod n$, since $b$ is odd, the Jacobi symbol of the plaintext leaks: $\left(\frac{y}{n}\right) = \left(\frac{x^b}{n}\right) = \left(\frac{x}{n}\right)^b = \left(\frac{x}{n}\right)$. But finding the high-order bit of $x$ or the low-order bit of $x$ is as difficult as finding the whole of $x$:
    parity($y$) = $x \bmod 2$,
    high($y$) = 0 if $0 \le x < n/2$, and 1 if $n/2 < x \le n - 1$.
Note (Stinson, 3rd ed., Exercise 5.34): high($y$) = parity($2^b y \bmod n$) and parity($y$) = high($2^{-b} y \bmod n$), where $2^{-b}$ is the inverse of $2^b$ modulo $n$.

Bit security of RSA

    z := y; lo := 0; hi := n;
    while (* lo = i·n/2^k ≤ x = y^a mod n < hi = (i+1)·n/2^k *)
          (* z = 2^{kb} y mod n, so z^a mod n = 2^k x mod n *)
          hi - lo > 1
    do  mid := (hi + lo)/2;
        if high(z) then lo := mid else hi := mid;
        z := 2^b z mod n
    od
    (* y^a mod n = ⌊hi⌋ *)
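The binary search above run against a simulated high oracle, together with a check of the Exercise 5.34 relations from the previous slide; this is an added example (not from the slides), the toy key is constructed, and the oracles are built from the private exponent only so that the demo is self-contained:

```python
import math
from fractions import Fraction

def make_oracles(n, a):
    """Simulated oracles built from the private exponent a (for the demo only;
    the search below touches nothing but n, b and the high oracle)."""
    high = lambda y: 1 if 2 * pow(y, a, n) > n else 0    # is x > n/2 ?
    parity = lambda y: pow(y, a, n) & 1                    # x mod 2
    return high, parity

def recover_with_high(y, n, b, high):
    """The slide's binary search.  Invariant: lo <= x < hi with hi - lo = n/2^k
    and z = 2^(kb) y mod n, whose plaintext is 2^k x mod n; high(z) then says
    which half of [lo, hi) contains x.  lo, hi are kept as exact fractions."""
    z, lo, hi = y, Fraction(0), Fraction(n)
    two_b = pow(2, b, n)
    while hi - lo > 1:
        mid = (hi + lo) / 2
        if high(z):
            lo = mid
        else:
            hi = mid
        z = two_b * z % n
    return math.floor(hi)

def relations_hold(y, n, b, high, parity):
    """The Exercise 5.34 relations: high(y) = parity(2^b y), parity(y) = high(2^-b y)."""
    inv2_b = pow(pow(2, -1, n), b, n)
    return (high(y) == parity(pow(2, b, n) * y % n)
            and parity(y) == high(inv2_b * y % n))

# constructed toy key: n = 1019 * 1031, b = 3, a = b^-1 mod phi(n)
N, B = 1019 * 1031, 3
A = pow(B, -1, 1018 * 1030)

def demo(x=424242):
    high, parity = make_oracles(N, A)
    y = pow(x, B, N)
    return recover_with_high(y, N, B, high), relations_hold(y, N, B, high, parity)
```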