Factorig Algorithms ad Other Attacks o the RSA T-79550 Cryptology Lecture 8 April 8, 008 Kaisa Nyberg Factorig Algorithms ad Other Attacks o the RSA /
The Pollard p Algorithm Let B be a positive iteger ad p a factor of The Pollard p algorithm works if all prime power divisors of p B are less tha Set a For j a B! mod B compute a a j mod, that is, compute Compute d gcd a If d, the retur d; else retur failure The complexity of the algorithm is BlogB log log 3 Factorig Algorithms ad Other Attacks o the RSA /
Why It Works If q divides B! B for every prime power q that divides p, the p Sice p divides, it must be that a B! mod p Sice p mod p, it follows that a mod p The p divides a ad therefore p divides d = gcd a d is a o-trivial divisor of uless a If a the algorithm ca be repeated usig some other value tha to iitialize a Factorig Algorithms ad Other Attacks o the RSA 3/
Dixo s Radom Squares Suppose that we ca fid itegers x ad y such that x x y mod The divides either x The gcd x y For example, 0 y or x y is a o-trivial divisor of 3 mod 77 o-trivial divisor of 77, which ideed holds It follows that gcd 3 y mod 0 77 is a ad The algorithm uses a factor base which is a set of small primes The geerate several itegers z such that the prime factors of z mod are i the set Fid a subset z zs of these itegers such that the total umber of occureces of each prime factor i the squares of these umbers is eve The z umbers from z s is equivalet modulo to a square of a product of Factorig Algorithms ad Other Attacks o the RSA 4/
3 7 Radom Squares Example 577070844 ad 5 3 Select z 834093456, the z 3 7 mod z 04494944, the z 7 3 mod z 3 7737000, the z 3 3 3 mod z z z 3 9503435785 3 7 3 546 mod gcd 9503435785 546 577070844 5759 Curret state of factorig algorithms, see: LENSTRA Arje, Update o Factorig A kilobit special umber field sieve factorizatio at http://wikiuilu/esc/docs/a+kilobit+special+umber+field +sieve+factorizatioppt Factorig Algorithms ad Other Attacks o the RSA 5/
Computig φ If we ca compute φ Give φ, the oe ca factor oe ca solve p from the system of equatios φ pq p q By substitutig q p to the secod equatio, oe gets p φ p 0 The two solutios p of this quadratic equatio are the factors of Factorig Algorithms ad Other Attacks o the RSA 6/
The Private Expoet If we ca compute the private expoet the we ca factor with at least probability / Repeatig m times gives success probability Las Vegas algorithm is a radomized algorithm which may fail to give a aswer, but if it gives a aswer, the aswer is correct m Give a, b ad, with ab mod φ The idea is to fid a o-trivial square root of modulo write ab s r, where r is odd Choose w at radom such that ot, a o-trivial factor of has bee foud!) Compute v Else fid k If v 0 Else compute d w r mod If v s such that v 0 mod gcd w Check that gcd, the retur failure v k, the retur failure v 0 mod ad v 0 v k w mod (If Retur d, which is a o-trivial factor of Factorig Algorithms ad Other Attacks o the RSA 7/
Wieer s Small Private Expoet Attack If 3a 4, where pq ad q p q, the there is a efficiet determiistic algorithm for computig a ad the factorizatio of See separate power poit slides Factorig Algorithms ad Other Attacks o the RSA 8/
p p The Rabi Cryptosystem Let q 3 pq, where p ad q are distict primes ad p mod 4 Let a, ad defie q For K q, defie e K x x mod, ad d K y y mod The value is the public key, while p ad q comprise the private key a Testbook restricts plaitexts ad ciphertexts to Factorig Algorithms ad Other Attacks o the RSA 9/
Security of the Rabi Cryptosystem Theorem: Decryptig i the Rabi Cryptosystem is as hard as factorig the modulus Trivially, if factorig is easy the decryptig is easy It remais to prove the coverse Assume we have a efficiet algorithm for computig decryptios i the Rabi Cryptosystem The ca be used as a basis of a Las Vegas algorithm for factorig the modulus The failure probability of this algorithm is / Select x ad compute y x mod Give y to, which returs u which is oe of the four possible square roots of y modulo If u x mod (the probability that this happes is equal to /) the we ca compute a otrivial divisor of as gcd x u (or as gcd x u ) Factorig Algorithms ad Other Attacks o the RSA 0/
The Isecurity of the Rabi Cryptosystem The same proof shows that the Rabi Cryptosystem is completely isecure agaist Chose Plaitext Attack I the Chose Plaitext Attack the attacker is assumed to have access to a Decryptio Oracle Factorig Algorithms ad Other Attacks o the RSA /
Bleichebacher s Attack ad OAEP Bleichebacher s attack agaist RSA with PKC# paddig shows the importace of resistace agaist Chose Ciphertext Attack (CCA) I the CCA the attacker has access to a oracle which gives some partial iformatio about the plaitext The Optimal Asymmetric Ecryptio Paddig (OAEP) has bee desiged to provide plaitext awareess Factorig Algorithms ad Other Attacks o the RSA /