The RSA Cryptosystem and Factoring Integers (I)


Page 1

The RSA Cryptosystem and Factoring Integers (I)

Rong-Jaye Chen

Page 2

OUTLINE

[1] Modular Arithmetic Algorithms
[2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantic Security of RSA

Page 3

[1] Modular Arithmetic Algorithms

1. The integers

a divides b, written $a \mid b$. If b has a divisor $a \notin \{1, b\}$, then a is said to be nontrivial. a is prime if it has no nontrivial divisors; otherwise, a is composite.

The prime theorem: $\pi(x) = \#\{a \text{ is prime} \mid a \in [2, x]\} \sim x / \log x$.

If c|a and c|b, then c is a common divisor of a and b.

If d is the greatest common divisor of a and b, then we write d = gcd(a, b).

Page 4

Euclidean algorithm(a, b) (for greatest common divisor)
input: $a \ge b > 0$
output: $d = \gcd(a, b)$
(1) Set $r_0 = a$ and $r_1 = b$
(2) Determine the first $n \ge 0$ so that $r_{n+1} = 0$, where $r_{i+1} = r_{i-1} \bmod r_i$
(3) Return $r_n$

Extended Euclidean algorithm(a, b)
input: a > 0, b > 0
output: (r, s, t) with r = gcd(a, b) and sa + tb = r
(Omitted)

Page 5

Example: gcd(299, 221) = ?

$299 = 1 \cdot 221 + 78$, so $(q_2, r_2) = (1, 78)$
$221 = 2 \cdot 78 + 65$, so $(q_3, r_3) = (2, 65)$
$78 = 1 \cdot 65 + 13$, so $(q_4, r_4) = (1, 13)$
$65 = 5 \cdot 13 + 0$, so $(q_5, r_5) = (5, 0)$

$\gcd(299, 221) = r_4 = 13 = 78 - 65$
$= 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221$
$= 3 \cdot (299 - 1 \cdot 221) - 221 = 3 \cdot 299 - 4 \cdot 221$

Page 6

If gcd(a, b) = 1, then a and b are said to be relatively prime.

Phi function: $\phi(n) = \#\{a \mid 1 \le a \le n \text{ and } \gcd(a, n) = 1\}$

1. $\phi(p^e) = p^{e-1}(p - 1)$ for p prime
2. $\phi(ab) = \phi(a)\,\phi(b)$ for $\gcd(a, b) = 1$

Page 7

2. The integers modulo n

a is congruent to b modulo n, written $a \equiv b \pmod n$, if $n \mid a - b$.

$Z_n = \{0, 1, \ldots, n-1\}$

Given $a \in Z_n$, if there exists $x \in Z_n$ such that $ax \equiv 1 \pmod n$, then a is said to be invertible and its inverse x is denoted $a^{-1}$.

Page 8

Use the Extended Euclidean Algorithm to calculate $a^{-1} \bmod n$

Example: a = 7 and n = 9

Euclidean algorithm to find gcd(a, n):
$9 = 1 \cdot 7 + 2$, $7 = 3 \cdot 2 + 1$, $2 = 2 \cdot 1 + 0$

Extended Euclidean algorithm to write gcd(a, n) = sa + tn:
$1 = 7 - 3 \cdot 2 = 7 - 3 \cdot (9 - 1 \cdot 7) = 4 \cdot 7 - 3 \cdot 9$

So $7^{-1} \bmod 9 = 4$.
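The gcd(299, 221) computation on page 5 and the inverse 7^{-1} mod 9 above can both be reproduced with the following Python code. It is an added example, not part of the slides: the names euclid_steps, extended_gcd and mod_inverse are my own, and extended_gcd fills in the extended Euclidean algorithm that page 4 leaves as "(Omitted)".

```python
"""Euclidean and extended Euclidean algorithms, and modular inverses (added example)."""


def euclid_steps(a, b):
    """Run the slide's Euclidean algorithm: r0 = a, r1 = b, r_{i+1} = r_{i-1} mod r_i.

    Returns the list of (q_i, r_i) pairs produced by each division and the
    gcd, which is the last non-zero remainder r_n.
    """
    r_prev, r = a, b
    steps = []
    while r != 0:
        q, r_next = divmod(r_prev, r)   # r_prev = q * r + r_next
        steps.append((q, r_next))
        r_prev, r = r, r_next
    return steps, r_prev


def extended_gcd(a, b):
    """Return (r, s, t) with r = gcd(a, b) and s*a + t*b = r.

    The coefficients of a and b are carried along with the remainders, which
    is the same back-substitution the slides do by hand.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """Return a^{-1} mod n, or None when gcd(a, n) != 1 (a is not invertible in Z_n)."""
    r, s, _ = extended_gcd(a, n)
    if r != 1:
        return None
    return s % n
```

mod_inverse returns None instead of raising so a caller can distinguish "not a unit" from a programming error; for RSA key generation that case means the chosen exponent must be rejected.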

Page 9

$Z_n^* = \{a \mid \gcd(a, n) = 1 \text{ and } 0 < a < n\}$

For example, $Z_{12}^* = \{1, 5, 7, 11\}$, $Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$

$(Z_n^*, \cdot)$ forms a multiplicative group.

$\phi(n)$ is defined as $|Z_n^*|$.

Page 10

Fermat's little theorem: If $a \in Z_p^*$ (p is prime), then $a^{p-1} \equiv 1 \pmod p$.

Euler's theorem: If $a \in Z_n^*$, then $a^{\phi(n)} \equiv 1 \pmod n$.

The order of $a \in Z_n^*$, written ord(a), is the least positive integer t such that $a^t \equiv 1 \pmod n$.

If $a \in Z_n^*$ has $\mathrm{ord}(a) = \phi(n)$, then a is said to be a generator of $Z_n^*$; in this case, $Z_n^* = \{a^i \mid 0 \le i < \phi(n)\}$.

Page 11

Example: n = 15

$Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$

$\phi(15) = \phi(3)\,\phi(5) = 2 \cdot 4 = 8$

a in Z15*:   1   2   4   7   8  11  13  14
ord(a):      1   4   2   4   2   2   4   2
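The following Python, an added example rather than code from the slides, computes phi(n), ord(a) and the generators of Z_n^* directly from the definitions on pages 9 and 10, so running orders(15) recomputes the table above. The names units, phi, order, orders and generators are my own.

```python
"""Euler's phi, multiplicative order and generators of Z_n^* (added example)."""
from math import gcd


def units(n):
    """Z_n^* = {a | gcd(a, n) = 1 and 0 < a < n}."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """phi(n) = |Z_n^*|, computed from the definition (fine for small n)."""
    return len(units(n))


def order(a, n):
    """ord(a): the least t >= 1 with a^t = 1 (mod n). Requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    t, power = 1, a % n
    while power != 1:
        power = power * a % n
        t += 1
    return t


def orders(n):
    """Return {a: ord(a)} for every a in Z_n^*.

    By Euler's theorem a^phi(n) = 1 (mod n), so every ord(a) divides phi(n).
    """
    return {a: order(a, n) for a in units(n)}


def generators(n):
    """Elements with ord(a) = phi(n); the list is empty when Z_n^* is not cyclic."""
    target = phi(n)
    return [a for a, t in orders(n).items() if t == target]
```

generators(15) returns an empty list: no element of Z_15^* has order 8, so Z_15^* has no generator, whereas generators(7) returns [3, 5].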

Page 12

3. Chinese remainder theorem

If the integers $n_1, \ldots, n_k$ are pairwise relatively prime, then the system of congruences

$x \equiv a_1 \pmod{n_1}$, $x \equiv a_2 \pmod{n_2}$, $\ldots$, $x \equiv a_k \pmod{n_k}$

has a unique solution modulo $n = n_1 n_2 \cdots n_k$.

Page 13

Algorithm: Gauss algorithm

(1) Input k, $n_i$, $a_i$, for i = 1, 2, ..., k
(2) Compute $N_i = n / n_i = \prod_{j \ne i} n_j$ for i = 1, 2, ..., k
(3) Compute the inverse $M_i = N_i^{-1} \bmod n_i$ for i = 1, 2, ..., k
(4) Compute $x = \sum_{i=1}^{k} a_i N_i M_i \bmod n$

Page 14

Example

$x \equiv 8 \pmod{10}$, $x \equiv 6 \pmod 7$, $x \equiv 1 \pmod 3$

According to the Gauss algorithm, $n = 210$ and
$N_1 = 21 \equiv 1 \pmod{10}$, $N_2 = 30 \equiv 2 \pmod 7$, $N_3 = 70 \equiv 1 \pmod 3$
$M_1 = 21^{-1} \bmod 10 = 1$, $M_2 = 30^{-1} \bmod 7 = 4$, $M_3 = 70^{-1} \bmod 3 = 1$
$x = (8 \cdot 21 \cdot 1 + 6 \cdot 30 \cdot 4 + 1 \cdot 70 \cdot 1) \bmod 210 = 958 \bmod 210 = 118$

Page 15

4. Square-and-Multiply

Algorithm: Square-and-Multiply(x, c, n)
Input: $x \in Z_n$, c with binary representation $c = \sum_{i=0}^{l-1} c_i 2^i$
Output: $x^c \bmod n$

z ← 1
for i ← l-1 downto 0 do
    z ← z^2 mod n
    if c_i = 1 then z ← z·x mod n
return (z)

Page 16

Example: $9726^{3533} \bmod 11413 = ?$

 i   c_i   z
11    1    1^2 · 9726 = 9726
10    1    9726^2 · 9726 = 2659
 9    0    2659^2 = 5634
 8    1    5634^2 · 9726 = 9167
 7    1    9167^2 · 9726 = 4958
 6    1    4958^2 · 9726 = 7783
 5    0    7783^2 = 6298
 4    0    6298^2 = 4629
 3    1    4629^2 · 9726 = 10185
 2    1    10185^2 · 9726 = 105
 1    0    105^2 = 11025
 0    1    11025^2 · 9726 = 5761

(all values reduced mod 11413)
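The algorithm of page 15 in Python, as an added example (not code from the slides). The optional trace list records (i, c_i, z) after each iteration so the output can be compared line by line with the table above; the function name and the trace parameter are my own additions.

```python
"""Square-and-multiply modular exponentiation with a per-bit trace (added example)."""


def square_and_multiply(x, c, n, trace=None):
    """Compute x^c mod n by scanning the bits of c from c_{l-1} down to c_0.

    Each step squares z and multiplies by x when the current bit is 1, as on
    the slide.  If a list is passed as `trace`, (i, c_i, z) is appended after
    every iteration.
    """
    if n <= 0 or c < 0:
        raise ValueError("need n > 0 and c >= 0")
    bits = bin(c)[2:]            # string "c_{l-1} ... c_0"
    l = len(bits)
    z = 1
    for i in range(l - 1, -1, -1):
        c_i = int(bits[l - 1 - i])
        z = z * z % n            # square
        if c_i == 1:
            z = z * x % n        # multiply
        if trace is not None:
            trace.append((i, c_i, z))
    return z
```

The loop runs once per bit of the exponent, so the cost is O(log c) multiplications modulo n; the same routine serves every later slide that says "use square-and-multiply".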

Page 17

[2] The RSA Cryptosystem

Proposed by Rivest, Shamir, and Adleman (1977)
Used for encryption and signature schemes
Based on the intractability of the integer factorization problem

Key generation
Let p, q be large primes, $n = pq$ and $\phi(n) = (p-1)(q-1)$
Choose randomly b s.t. $\gcd(b, \phi(n)) = 1$
Compute $a = b^{-1} \bmod \phi(n)$
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

Page 18

RSA Cryptosystem

Let n = pq, where p and q are primes.
Let $P = C = Z_n$, and define
$K = \{(n, p, q, a, b) : ab \equiv 1 \pmod{\phi(n)}\}$.
For K = (n, p, q, a, b), define $e_K(x) = x^b \bmod n$ and $d_K(y) = y^a \bmod n$.
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

Page 19

Verify that encryption and decryption are inverse operations

Since $ab \equiv 1 \pmod{\phi(n)}$, we have $ab = t\phi(n) + 1$ for some $t \ge 1$. Suppose that $x \in Z_n^*$; then we have

$(x^b)^a \equiv x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t \cdot x \equiv 1^t \cdot x \equiv x \pmod n$

as desired. For $x \in Z_n$ but not in $Z_n^*$: (do exercise)

Page 20

E.g. p = 7, q = 13, n = 91, $\phi(n) = (p-1)(q-1) = 72$

Choose b = 5, compute $a = b^{-1} \bmod \phi(n) = 29$
Public-key: (91, 5)
Private-key: (7, 13, 29)
Assume message m = 23

So the cipher-text is $c = m^b \bmod n = 23^5 \bmod 91 = 4$

and it can be decrypted by $m = c^a \bmod n = 4^{29} \bmod 91 = 23$

Page 21

RSA encryption

Bob: $n = pq$, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Private key $KR_{Bob} = (n, a)$
Public key $KU_{Bob} = (n, b)$

Encryption (Alice, using $KU_{Bob}$): $C = E_{KU_{Bob}}(M) = M^b \pmod n$
Decryption (Bob, using $KR_{Bob}$): $M = D_{KR_{Bob}}(C) = C^a \pmod n$

Page 22

RSA signature scheme

Alice: $n = pq$, $b \cdot a \equiv 1 \pmod{\phi(n)}$
Signing key $KR_{Alice} = (n, a)$
Verification key $KU_{Alice} = (n, b)$

Signing (Alice): hash M, then $A = E_{KR_{Alice}}(H(M)) = H(M)^a \pmod n$; send M together with A.
Verification (Bob, using $KU_{Alice}$): compute $D_{KU_{Alice}}(A) = A^b \pmod n$ and compare it with H(M).
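The key generation of page 17, the encryption/decryption maps of pages 18 and 20, and the hash-then-sign flow of page 22, as one added Python example (not the slides' own code). The function names are my own; toy_hash stands in for the slides' unspecified H by reducing a SHA-256 digest into Z_n, and the scheme is the textbook one shown on the slides with no padding.

```python
"""Textbook RSA: key generation, encryption, decryption, signing, verification (added example)."""
import hashlib
from math import gcd


def rsa_keygen(p, q, b):
    """Given primes p, q and a public exponent b with gcd(b, phi(n)) = 1,
    return ((n, b), (n, a)) with a = b^{-1} mod phi(n), as on the key-generation slide."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(b, phi_n) != 1:
        raise ValueError("b must be relatively prime to phi(n)")
    a = pow(b, -1, phi_n)
    return (n, b), (n, a)


def rsa_encrypt(public_key, x):
    """e_K(x) = x^b mod n."""
    n, b = public_key
    if not 0 <= x < n:
        raise ValueError("plaintext must lie in Z_n")
    return pow(x, b, n)


def rsa_decrypt(private_key, y):
    """d_K(y) = y^a mod n."""
    n, a = private_key
    return pow(y, a, n)


def toy_hash(message, n):
    """H(M) reduced into Z_n so it can be exponentiated (a stand-in for the slides' H)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def rsa_sign(private_key, message):
    """A = H(M)^a mod n, computed with the signing key."""
    n, a = private_key
    return pow(toy_hash(message, n), a, n)


def rsa_verify(public_key, message, signature):
    """Accept iff A^b mod n equals H(M), using the verification key."""
    n, b = public_key
    return pow(signature, b, n) == toy_hash(message, n)
```

With p = 7, q = 13, b = 5 the code reproduces the page 20 numbers (a = 29, 23 encrypts to 4), and with p = 101, q = 113, b = 3533 it reproduces the page 16 value 5761 as the encryption of 9726.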

Page 23

[3] Quadratic Residues

1. Quadratic residue modulo n

Let $a \in Z_n^*$; then a is a quadratic residue modulo n if there exists $x \in Z_n^*$ with $x^2 \equiv a \pmod n$. In this case, x is a square root of a modulo n. Otherwise, a is a quadratic nonresidue modulo n.

$Q_n$: the set of quadratic residues modulo n.
$\bar{Q}_n$: the set of quadratic nonresidues modulo n.
$Z_n^* = Q_n \cup \bar{Q}_n$

Page 24

2. Theorem: p > 2 is prime and α is a generator of $Z_p^*$. Then $a \in Z_p^*$ is a quadratic residue modulo p if and only if there exists $i \in \mathbb{Z}$ s.t. $a \equiv \alpha^{2i} \pmod p$.

Page 25

3. Corollary: p > 2 is prime and α is a generator of $Z_p^*$

(1) $Q_p = \{\alpha^i \bmod p \mid i \text{ even}, 0 \le i \le p-2\}$
(2) $\bar{Q}_p = \{\alpha^i \bmod p \mid i \text{ odd}, 0 \le i \le p-2\}$
(3) $|Q_p| = |\bar{Q}_p| = (p-1)/2$
(4) If $a \in Q_p$, then $x^2 \equiv a \pmod p$ has exactly two solutions.

$\alpha^{(p-1)/2} \equiv -1 \pmod p$

4. Legendre symbol: p > 2 is prime and $a \in \mathbb{Z}$

$\left(\frac{a}{p}\right) = 0$ if $p \mid a$; $\;1$ if $a \bmod p \in Q_p$; $\;-1$ if $a \bmod p \in \bar{Q}_p$

Page 26

5. Theorem: Euler's criterion

If p is prime and $a \in Z_p$, then $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.

6. E.g.: $\left(\frac{3}{23}\right) = ?$

Use Square-and-Multiply: $\left(\frac{3}{23}\right) \equiv 3^{(23-1)/2} = 3^{11} \pmod{23}$, with $11 = (1011)_2$.
$3^{11} \bmod 23 = 1$, so $3 \in Q_{23}$.

Page 27

7. Jacobi symbol:

n > 2 is an odd integer, $n = p_1^{e_1} \cdots p_k^{e_k}$ with each $p_i$ prime, and

$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \cdots \left(\frac{a}{p_k}\right)^{e_k}$

Page 28

8. Properties of the Jacobi symbol: m, n > 2 are odd integers

(1) $\left(\frac{a}{n}\right) \in \{0, 1, -1\}$, and $\left(\frac{a}{n}\right) = 0$ iff $\gcd(a, n) \ne 1$
(2) $\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right)$ and $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$
(3) If $a \equiv b \pmod n$ then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$
(4) $\left(\frac{1}{n}\right) = 1$ and $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2} = 1$ if $n \equiv 1 \pmod 4$, $-1$ if $n \equiv 3 \pmod 4$
(5) $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8} = 1$ if $n \equiv \pm 1 \pmod 8$, $-1$ if $n \equiv \pm 3 \pmod 8$
(6) $\left(\frac{m}{n}\right) = \left(\frac{n}{m}\right)(-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}$

Page 29

9. E.g.: calculate the Jacobi symbol without factoring n

a = 28, n = 55

$\left(\frac{28}{55}\right) = \left(\frac{2}{55}\right)^2 \left(\frac{7}{55}\right)$ (property 2)

$= \left(\frac{7}{55}\right) = \left(\frac{55}{7}\right)(-1)^{\frac{7-1}{2} \cdot \frac{55-1}{2}} = -\left(\frac{55}{7}\right)$ (property 6)

$= -\left(\frac{6}{7}\right) = -\left(\frac{-1}{7}\right)$ (property 3)

$= -(-1)^{\frac{7-1}{2}} = -(-1) = 1$ (property 4)

Page 30

10. Jacobi symbol vs. quadratic residue modulo n

If $a \in Q_n$ then $\left(\frac{a}{n}\right) = 1$.

Definition: $J_n = \{a \in Z_n^* \mid \left(\frac{a}{n}\right) = 1\}$

$\tilde{Q}_n = J_n \setminus Q_n$; the elements of $\tilde{Q}_n$ are called pseudosquares modulo n.

$Q_n \subseteq J_n$, and in the case n is prime, $Q_n = J_n$.

Page 31

11. E.g.: n = 15

$15 = 3 \cdot 5$ and $\left(\frac{a}{15}\right) = \left(\frac{a}{3}\right)\left(\frac{a}{5}\right)$, where

$\left(\frac{a}{3}\right) = 1$ if $a \equiv 1 \pmod 3$, $-1$ if $a \equiv 2 \pmod 3$;
$\left(\frac{a}{5}\right) = 1$ if $a \equiv \pm 1 \pmod 5$, $-1$ if $a \equiv \pm 2 \pmod 5$.

The Jacobi symbols are calculated in the following table:

a in Z15*:   1   2   4   7   8  11  13  14
(a/3):       1  -1   1   1  -1  -1   1  -1
(a/5):       1  -1   1  -1  -1   1  -1   1
(a/15):      1   1   1  -1   1  -1  -1  -1

Hence $J_{15} = \{1, 2, 4, 8\}$. It can be verified that $Q_{15} = \{1, 4\}$, so $\tilde{Q}_{15} = J_{15} \setminus Q_{15} = \{2, 8\}$.

Page 32

12. Quadratic residuosity problem (QRP)

Determine if a given $a \in J_n$ is a quadratic residue or a pseudosquare modulo n.

Page 33

[4] Primality Testing

(1) Prime numbers

1. How to generate large prime numbers?

(1) Generate as candidate a random odd number n of appropriate size.
(2) Test n for primality.
(3) If n is composite, return to the first step.

Page 34

2. Distribution of prime numbers

(1) Prime number theorem

Let $\pi(x)$ denote the number of prime numbers $\le x$.

$\pi(x) \sim x / \ln x$ as $x \to \infty$.

(2) Dirichlet theorem

If gcd(a, n) = 1, then there are infinitely many primes congruent to a mod n.

Page 35

(3) Let $\pi(x, n, a)$ denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n) = 1. Then

$\pi(x, n, a) \sim \dfrac{x}{\phi(n) \ln x}$

The prime numbers are roughly uniformly distributed among the $\phi(n)$ congruence classes in $Z_n^*$.

(4) Approximation for the nth prime number $p_n$:

$n \ln n < p_n < n(\ln n + \ln \ln n)$ for $n \ge 6$

Page 36

(2) Solovay-Strassen primality test

1. Trial method for testing whether n is prime or composite: if no $a \in [2, \sqrt{n}]$ divides n, then n is prime.

2. Definition: Euler witness

Let n be an odd composite integer and $1 \le a \le n-1$.

(1) If $\gcd(a, n) > 1$ or $a^{(n-1)/2} \not\equiv \left(\frac{a}{n}\right) \pmod n$, then a is an Euler witness (to compositeness) for n.

Page 37

(2) Otherwise, if $\gcd(a, n) = 1$ and $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod n$, then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.

Page 38

3. Example (Euler pseudoprime): Consider n = 91 (= 7×13). Since $9^{45} \equiv 1 \pmod{91}$ and $\left(\frac{9}{91}\right) = 1$, 91 is an Euler pseudoprime to the base 9.

4. Fact: At most $\phi(n)/2$ of all the numbers a, $1 \le a \le n-1$, are Euler liars for n.

Page 39

5. Algorithm: Solovay-Strassen(n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: "prime" or "composite"

1. for i = 1 to t do:
   1.1 choose a random integer a, 2 ≤ a ≤ n-2; if gcd(a, n) ≠ 1 then return ("composite")
   1.2 compute $r = a^{(n-1)/2} \bmod n$ (use square-and-multiply); if r ≠ 1 and r ≠ n-1 then return ("composite")
   1.3 compute the Jacobi symbol $s = \left(\frac{a}{n}\right)$; if $r \not\equiv s \pmod n$ then return ("composite")
2. return ("prime")
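The following Python, added here and not part of the slides, implements the Jacobi symbol from properties (1)-(6) of page 28 (so it never factors n, as in the page 29 example), uses it to recover the $J_{15}$, $Q_{15}$ and pseudosquare sets of page 31, and then builds the Euler-liar check of pages 36-38 and the Solovay-Strassen test of page 39 on top of it. All function names are my own; the seed parameter of solovay_strassen is an addition so that a run can be reproduced.

```python
"""Jacobi symbol, pseudosquares, Euler liars and the Solovay-Strassen test (added example)."""
import random
from math import gcd


def jacobi(a, n):
    """(a/n) for odd n > 0, computed without factoring n (page 28 properties)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                                  # property 3: reduce a modulo n
    result = 1
    while a != 0:
        while a % 2 == 0:                   # property 5: (2/n) = -1 iff n = +-3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                         # property 6: reciprocity, sign flips iff both = 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n                              # property 3 again
    return result if n == 1 else 0          # property 1: value 0 iff gcd(a, n) > 1


def jacobi_set(n):
    """J_n = {a in Z_n^* | (a/n) = 1}."""
    return {a for a in range(1, n) if gcd(a, n) == 1 and jacobi(a, n) == 1}


def quadratic_residues(n):
    """Q_n = {x^2 mod n | x in Z_n^*}."""
    return {x * x % n for x in range(1, n) if gcd(x, n) == 1}


def pseudosquares(n):
    """Q~_n = J_n \\ Q_n: Jacobi symbol 1 but not a square modulo n."""
    return jacobi_set(n) - quadratic_residues(n)


def is_euler_liar(a, n):
    """a is an Euler liar for odd n if gcd(a, n) = 1 and a^((n-1)/2) = (a/n) (mod n)."""
    if gcd(a, n) != 1:
        return False
    return pow(a, (n - 1) // 2, n) == jacobi(a, n) % n   # -1 is represented as n-1


def euler_liars(n):
    """All Euler liars a, 1 <= a <= n-1; by the page 38 fact there are at most phi(n)/2."""
    return [a for a in range(1, n) if is_euler_liar(a, n)]


def solovay_strassen_with_bases(n, bases):
    """One Solovay-Strassen round per base; the deterministic core of the page 39 algorithm."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and >= 3")
    for a in bases:
        if gcd(a, n) != 1:
            return "composite"
        r = pow(a, (n - 1) // 2, n)
        if r != 1 and r != n - 1:
            return "composite"
        if r != jacobi(a, n) % n:           # compare r with s = (a/n), taken mod n
            return "composite"
    return "prime"


def solovay_strassen(n, t, seed=None):
    """t rounds with a drawn from [2, n-2]; a composite n is declared prime with probability < (1/2)^t."""
    rng = random.Random(seed)
    bases = [rng.randint(2, n - 2) for _ in range(t)]
    return solovay_strassen_with_bases(n, bases)
```

For n = 91 the base 9 is an Euler liar, so solovay_strassen_with_bases(91, [9]) answers "prime", while base 2 exposes the composite at step 1.2; enumerating euler_liars(91) shows how far below the phi(91)/2 = 36 bound the actual count sits.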

Page 40

6. Solovay-Strassen error-probability bound

For any odd composite integer n, the probability that Solovay-Strassen(n, t) declares n to be "prime" is less than $(1/2)^t$.

Page 41

(3) Miller-Rabin primality test

1. Fact

p: odd prime, $p - 1 = 2^s r$ where r is odd, $a \in \mathbb{N}$ with $\gcd(a, p) = 1$; then $a^r \equiv 1 \pmod p$ or $a^{2^j r} \equiv -1 \pmod p$ for some j, $0 \le j \le s-1$.

Why? (1) Fermat's little theorem: $a^{p-1} \equiv 1 \pmod p$. (2) 1 and -1 are the only two square roots of 1 in $Z_p^*$.

Page 42

2. Definition

n: odd composite integer, $n - 1 = 2^s r$ where r is odd, $1 \le a \le n-1$.

a is a strong witness to compositeness for n if $a^r \not\equiv 1 \pmod n$ and $a^{2^j r} \not\equiv -1 \pmod n$ for all j, $0 \le j \le s-1$.

n is a strong pseudoprime to the base a if $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some j, $0 \le j \le s-1$ (a is called a strong liar to primality for n).

Page 43

3. Algorithm: Miller-Rabin(n, t)
INPUT: n is odd, n ≥ 3, t ≥ 1
OUTPUT: "prime" or "composite"

1. write $n - 1 = 2^s r$ such that r is odd.
2. for i = 1 to t do:
   2.1 choose a random integer a, 2 ≤ a ≤ n-2
   2.2 compute $y = a^r \bmod n$ (use square-and-multiply)
   2.3 if y ≠ 1 and y ≠ n-1 do:
         j ← 1
         while j ≤ s-1 and y ≠ n-1 do:
             y ← y^2 mod n
             if y = 1 then return ("composite")
             j ← j+1
         if y ≠ n-1 then return ("composite")
3. return ("prime")

Page 44

4. Example (strong pseudoprime): Consider n = 91 (= 7×13). $91 - 1 = 2 \cdot 45$, s = 1, r = 45. Since $9^r = 9^{45} \equiv 1 \pmod{91}$, 91 is a strong pseudoprime to the base 9.

The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}.

The number of strong liars for 91 is $18 = \phi(91)/4$.
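The page 43 algorithm and the page 42 definition in Python, as an added example rather than code from the slides. strong_liars(91) recomputes the set listed above from the definition, and miller_rabin_with_bases follows the slide's loop step by step; the function names and the seed parameter are my own.

```python
"""Miller-Rabin test and enumeration of strong liars (added example)."""
import random


def split_power_of_two(m):
    """Write m = 2^s * r with r odd; returns (s, r)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m


def is_strong_liar(a, n):
    """True iff a^r = 1 or a^(2^j r) = -1 (mod n) for some 0 <= j <= s-1, where n-1 = 2^s r."""
    s, r = split_power_of_two(n - 1)
    y = pow(a, r, n)
    if y == 1 or y == n - 1:
        return True
    for _ in range(1, s):
        y = y * y % n
        if y == n - 1:
            return True
    return False


def strong_liars(n):
    """All strong liars a with 1 <= a <= n-1 (page 45: at most phi(n)/4 of them for n != 9)."""
    return [a for a in range(1, n) if is_strong_liar(a, n)]


def miller_rabin_with_bases(n, bases):
    """Deterministic core of Miller-Rabin: one round per supplied base, as on the page 43 slide."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and >= 3")
    s, r = split_power_of_two(n - 1)          # step 1
    for a in bases:                           # step 2
        y = pow(a, r, n)                      # 2.2
        if y != 1 and y != n - 1:             # 2.3
            j = 1
            while j <= s - 1 and y != n - 1:
                y = y * y % n
                if y == 1:
                    return "composite"        # a nontrivial square root of 1 was found
                j += 1
            if y != n - 1:
                return "composite"
    return "prime"                            # step 3


def miller_rabin(n, t, seed=None):
    """t rounds with random a in [2, n-2]; a composite n passes with probability < (1/4)^t."""
    rng = random.Random(seed)
    bases = [rng.randint(2, n - 2) for _ in range(t)]
    return miller_rabin_with_bases(n, bases)
```

Because s = 1 for n = 91, the inner while loop never runs there and the whole test reduces to checking $a^{45} \equiv \pm 1 \pmod{91}$, which is exactly why the 18 strong liars above are the a with that property.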

Page 45

5. Fact: If n is an odd composite integer, then at most 1/4 of all the numbers a, $1 \le a \le n-1$, are strong liars for n. In fact, if $n \ne 9$, then the number of strong liars for n is at most $\phi(n)/4$.

Page 46

6. Miller-Rabin error-probability bound

For any odd composite integer n, the probability that Miller-Rabin(n, t) declares n to be "prime" is less than $(1/4)^t$.

7. Remark

For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of $\phi(n)/4$, so the Miller-Rabin error probability is much smaller than $(1/4)^t$.