RSA and Public Key Cryptography

Chester Rebeiro IIT Madras

CR STINSON : chapter 5, 6 Ciphers

• Symmetric Algorithms – Encrypon and Decrypon use the same key

– i.e. KE = KD – Examples: • Block Ciphers : DES, AES, PRESENT, etc. • Stream Ciphers : A5, Grain, etc. • Asymmetric Algorithms – Encrypon and Decrypon keys are diﬀerent

– KE ≠ KD – Examples: • RSA • ECC

CR 2 Asymmetric Key Algorithms

KE KD

untrusted communicaon link Alice E D Bob #%AR3Xf34^$ “Aack at Dawn!!” Plaintext encrypon (ciphertext) decrypon “Aack at Dawn!!”

The Key K is a secret

Encrypon Key KE not same as decrypon key KD Advantage : No need of secure KE known as Bob’s public key; K is Bob’s private key key exchange between Alice and D Bob

Asymmetric key algorithms based on trapdoor one-way funcons

CR 3 One Way Funcons

• Easy to compute in one direcon • Once done, it is diﬃcult to inverse

Press to lock Once locked it is (can be easily done) difficult to unlock without a key

CR 4 Trapdoor One Way Funcon

• One way funcon with a trapdoor • Trapdoor is a special funcon that if possessed can be used to easily invert the one way

trapdoor

Locked (difficult to unlock) Easily Unlocked

CR 5 Public Key Cryptography (An Anology) • Alice puts message into box and locks it • Only Bob, who has the key to the lock can open it and read the message

CR 6 Mathemacal Trapdoor One way funcons • Examples – Integer Factorizaon (in NP, maybe NP-complete) • Given P, Q are two primes • and N = P * Q – It is easy to compute N – However given N it is difficult to factorize into P and Q • Used in cryptosystems like RSA – Discrete Log Problem (in NP) • Consider b and g are elements in a finite group and bk = g, for some k • Given b and k it is easy to compute g • Given b and g it is difficult to determine k • Used in cryptosystems like Diffie-Hellman • A variant used in ECC based crypto-systems

CR 7 Applicaons of Public key Cryptography • Encrypon • Digital Signature : “Is this message really from Alice?” • Alice signs by ‘encrypng’ with private key • Anyone can verify signature by ‘decrypng’ with Alice’s public key • Why it works? – Only Alice, who owns the private key could have signed

CR 8 Applicaons of Public key

Cryptography Diﬃe-Hellman Key Exchange • Key Establishment : “Alice and Bob want to use a block cipher for encrypon. How do they agree upon the secret key”

Alice and Bob agree upon a prime p and a generator g. This is public information

choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p

B A Compute K = Ba mod p Compute K = Ab mod p

b a b b a a A mod p = (g ) mod p = (g ) mod p = B mod p

CR 9 RSA

Shamir, Rivest, Adleman (1977)

CR 10 More Number Theory

Mathemacal Background

CR 11 RSA : Key Generaon

Bob first creates a pair of keys (one public the other private)

1. Generatetwolargeprimes p,q ( p ≠ q) 2.Computen = p× q and φ(n) = ( p −1)(q −1) 3. Choosea randomb (1< b < φ(n))and gcd(b,φ(n)) =1 4.Computea = b−1 mod(φ(n))

Given the private key it is easy to Bob's public key is(n,b) compute the public key Bob's private key is( p,q,a) Given the public key it is diﬃcult to derive the private key

CR 12 RSA Encrypon & Decrypon

Encryption Decryption

b eK (x) = y = x mod n a dK (x) = y mod n where x∈ Zn

CR 13 RSA Example

1. Take twoprimesp = 653and q = 877 2. n = 653×877 = 572681; φ(n) = 652×876 = 571152 3. Choose public key b =13; note that gcd(13,571152) =1 4. Privatekey a = 395413 =13-1 mod571152

Message x =12345 encryption : y =1234513 mod572681 ≡ 536754 decryption : x = 536754395413 mod 572681 ≡12345

CR 14 Correctness

when x ∈ Zn and gcd(x,n) =1

Encryption Decryption b eK (x) = y = x mod n d (x) = ya mod n where x∈ Zn K y a ≡ (xb )a mod n ab ≡1modϕ(n) ab 1 t (n) ab − = ϕ ≡(x ) mod n ab = tϕ(n) +1 ≡(xtφ (n)+1) mod n From Fermat’s theorem ≡ (xtφ (n) x) mod n ≡ x CR 15 Correctness

when x∈ Zn and gcd(x,n) ≠ 1 Since n = pq,gcd(x,n) = p or gcd(x,n) = q Assumegcd(n, x) = p If =▹ p | x =▹ pk = x x xab mod p ≡ LHS : x mod p ≡ pk mod p ≡ 0 ab x ≡ x mod q RHS : xab mod p ≡ 0 ab =▹ x ≡ x mod n ∵gcd( p, x) = pitimpliesgcd(q, x) =1 (by CRT ) xab mod q ≡ xtφ (n)+1 mod q ≡ xtφ ( p)φ (q)+1 mod q ≡ (xφ (q) )tϕ ( p) ⋅ x mod q tϕ ( p) CR ≡ (1) ⋅ x mod q ≡ x 16 RSA Implementaon

y = xc mod n

i ei z 4 1 12* x = x 3 0 x2 4 5 c = 23 = (10111)2 2 1 x * x = x 1 1 X10 * x = x11 0 1 x22 * x = x23

CR 17 RSA Implementaon in Soware (Mul-precision Arithmec) • RSA requires arithmec in 1024 or 2048 bit numbers • Modern processors have ALUs that are 8, 16, 32, 64 bit – Typically can perform arithmec on 8/16/32/64 bit numbers • soluon: mul-precision arithmec (gmp library)

base : 2b, where b = 64/32/16/8 bits

1024 bits CR 18 Mul-precision Addion

• ADD : a = 9876543210 = (2, 76, 176, 22, 234)256

b = 1357902468 = (80, 239, 242, 132)256 base = 8 bit (256)

i ai bi cin ai+bi+cin(mod 256) Carry? cout 0 234 132 0 110 (110 < 234)? 1 1 22 242 1 9 (9 < 22)? 1 2 176 239 1 160 (160 ≤ 176)? 1 3 76 80 1 157 (157 ≤ 76)? 0 4 2 0 0 2 (2 ≤ 2)? 0

a + b = (2, 157, 160, 9, 110)256 = 11234445678

CR “Computaonal Number Theory”, Abhijit Das, CRC Press 19 Mul-Precision Addion Algorithm

CR 20 Mul-precision Subtracon

• SUB : a = 9876543210 = (2, 76, 176, 22, 234)256

b = 1357902468 = (80, 239, 242, 132)256 base = 256 (8 bit)

i ai bi Cin Borrow? Cout ai-bi-cin(mod 256) 0 234 132 0 (234 < 132)? 0 102 1 22 242 0 (22 < 242)? 1 -220 = 36 2 176 239 1 (176 < 239)? 1 -64=192 3 76 80 1 (76 < 80)? 1 -5=251 4 2 0 1 (2 < 0)? 0 1

a - b = (1, 251, 192, 36, 102)256 = 8658640742

CR 21 Mul-Precision Subtracon Algorithm

CR 22 Mul-Precision Mulplicaon

C = A x B mod N (without Modular operaon) • Classical (School book) algorithm • Karatusba algorithm • Toom-3 algorithm • FFT

CR 23 Mul-precision Mulplicaon (Classical Mulplicaon)

• MUL : a = 1234567 = (18, 214, 135)256

b = 76543210 = (4, 143, 244, 234)256 base = 8 bit (256)

a * b =

(0 85 241 247 25 195 102)256 = 99447721140070

CR 24 Mul-precision Mulplicaon (Karatsuba Mulplicaon)

Let a,b be twomultiprecision integers with n B − ary words. Let m = n / 2 m a = ah B + al m b = bh B + bl 2m m a×b = (ahbh )B + (ahbl + albh )B + albl 2m m = (ahbh )B + (ahbh + albl +- (ah − al )(bh − bl ))B + albl

using (ah − al )(bh − bl ) = ahbh − ahbl − albh + albl

Karatsuba multiplication converts n bit multiplications into 3 multiplications of n/2 bits The penalty is an increased number of additions

CR 25 Mul-precision Mulplicaon (Karatsuba Mulplicaon)

B = 256; a b = (1, 176, 254, 234) a = 123456789 = (7, 91, 205, 21) h h 256 256 a b = (83, 222, 83, 133) b = 987654321 = (58, 222, 104, 177)256 l l 256 ah - bh = -(197, 186)256 al - bl = -(45, 211)256 n=4; m=2 (ah - bh) (al - bl) = (35, 100, 170, 78)256 ah = (7, 91); al = (205, 21) ahbl + albh 2 a = (7, 91)256 + (205, 21) = ahbh+ albl - (ah - bh) (al - bl)

= (50, 42, 168, 33)256 bh = (58, 222); bl = (104, 177) b = (58, 222)2562 + (104, 177)

1 176 254 234 50 42 168 33 83 222 83 133 1 177 49 20 251 255 83 133

CR 26 Performing Modular Reducon

• Divide and get remainder (repeated subtracon)

Alternavely, we could use Montgomery mulplicaon that will not require modular reducon.

CR 27 Montgomery Mulplicaon

c = a x b mod m

Select R = 2x, gcd(R, m) =1, R slightlygreater than m

Use Extended Euclidean Algorithm to find R−1 and m' s.t R⋅ R−1 − m⋅ m' =1 Convert multiplicands to Montgomery domain a = aRmod m −2 b = bRmod m Note that c = a ⋅ b⋅ R mod m

The Montgomery multiplier computes c = a ⋅ b⋅ R−1 mod m No specific benefits this way CR 28 Montgomery’s Trick

Montgomery's trick 1) t = a ⋅ b 2) u= (t +((t modr)⋅ m'modr)⋅ m) / r 3) if (u ≥ m) return u − m; else return u.

CR 29 Montgomery’s Trick (why it works) Montgomery's trick 1) t = a ⋅ b 2) u= (t +((t mod R)⋅ m'mod R)⋅ m) / R 3) if (u ≥ m) return u − m; else return u. • First note that R | t • Then R | (t ⋅ m'⋅ mmod R) ....this follows because RR−1 − m'm =1; then takemod R • Therefore R | (t + t ⋅ m'⋅ mmod R) ....the division in step 2 is valid • u⋅ R = t + t ⋅ m'⋅ mmod R = t + t ⋅ m'⋅ m = t + k ⋅ m = t mod m See google groups for more details

CR 30 Speeding RSA decrypon with CRT

• Decrypon is done as follows : x = ya mod n • Bob can also decrypt by using CRT x = ya mod p x = ya mod q (since he knows the factors of n, i.e. p,q) • CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n

CR 31 Mul-precision libraries

• GMP : GNU Mul-precision library • Make use of Intel’s SSE/AVX instrucons – These are SIMD instrucons that have large registers (128, 256, 512 bit) • Crypto libraries – OpenSSL, PolarSSL, NaCL, etc.

CR 32 RSA Speeds

CR 33 RSA Speeds 32 Bit ARM Cortex

16 Bit TI Micro-controller

CR 34 Finding Primes

CR 35 Test for Primes

• How to generate large primes? – Select a random large number – Test whether or not the number is prime • What is the probability that the chosen number is a prime? – Let π(N) be the number of primes < N – From number theory, π(N) ≈ N/ln N – Therefore probability of a random number (< N) being a prime is 1/ln N • As N increases, it becomes increasingly diﬃcult to ﬁnd large primes

CR 36 GIMPS

• There are inﬁnite prime numbers (proved by Euclid) • Finding them becomes increasingly diﬃcult as N increases • GIMPS : Great Internet Mersenne Prime Search – Mersenne Prime has the form 2n – 1 – Largest known prime (found in 2016) has 22 million digits 2274,207,281 − 1 • $3000 to beat this J

hps://en.wikipedia.org/wiki/Largest_known_prime_number CR 37 Primality Tests with Trial Division

• School book methods (trial division) – Find if N divides any number from 2 to N-1 – ﬁnd if N divides any number from 2 to N1/2 – Find if N divides any prime number from 2 to N1/2 – Too slow!!! • Need to divide by N-1 numbers • Need to divide by N1/2 numbers • Need to divide by (N/lnN)1/2 primes – For example, if n is approx 21024, then need to check around 2507 numbers • Need something beer for large primes – Randomized algorithms

CR 38 Randomized Algorithms for Primality Tesng • Monte-carlo Randomized Algorithms – Always runs in polynomial me – May produce incorrect results with bounded probability

– Yes-based Monte-carlo method • Answer YES is always correct, but answer NO may be wrong – No-based Monte-carlo method • Answer NO is always correct, but answer YES may be wrong

CR 39 Finding Large Primes (using Fermat’s Theorem)

n 1 is _ prime(n){ If n is prime, then a − ≡ 1 mod n is true for any ‘a’ pick a ← Zn If n is composite n−1 n−1 a ≡1mod n if (a ≡1mod n) is false but may be true for some values of a. returnTRUE For example: n = 221 (13*17) else and a = 38 then 38220 mod 221 ≡ 1. return FALSE We need to increase our confidence } with more values of a

CR 40 Fermat’s Primality Test

• Increasing conﬁdence with mulple bases

primality _ test(n){ c = 0 for(i = 0;i <1000;+ +i){ if (is _ prime(n) == FALSE) returnCOMPOSITE } return probably PRIME }

CR 41 Carmichael Number

Some composites act as primes. Irrespective of the ‘a’ chosen, the test an−1 ≡1mod n passes.

for example Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a.

Eg. 561 = 3 x 11 x 17

CR 42 Strong probable-primality test

• If n is prime, the square root of an-1 is either +1 or -1 n−1 let a 2 = b

b2 ≡1modn b2 −1≡ modn (b +1)(b −1) ≡ 0modn either(b +1) ≡ 0modn or(b −1) ≡ 0modn

CR 43 Miller-Rabin Primality Test

• Yes-base primality test for composites • Does not suﬀer due to Carmichael numbers • Write n-1 = 2sd – where d is odd and s is non-negave – n is a composite if r ad ≠1modn and (ad )2 ≠ −1modn for all numbersrlessthans

CR 44 Proof of Miller-Rabin test

• Write n-1 = 2sd r ad ≠1mod n and (ad )2 ≠ −1mod n for all number r lessthan s

• Proof: We prove the contra-posive. We will assume n to be prime. Thus, r ad ≡1mod n or (ad )2 ≡ −1mod n for somenumber r lessthan s

CR 45 Proof of Miller-Rabin test

Proof: We prove the contra-posive. We will assume n to be prime. Thus we prove, r ad ≡1mod n or (ad )2 ≡ −1mod n

for somenumber r lessthan s 1 (Fermat ‘s) • Consider the sequence : d 21 d 22 d 23 d 2s−1 d 2s d a , a , a , a ,!!, a , a

– The roots of x2 = 1 mod n is either +1 or -1 – In the sequence, if ad is 1, then all elements in the sequence will be 1 – If ad is not 1, then there should be some element in the sequence which is -1, in order to have the ﬁnal element as 1

CR 46 Miller-Rabin Algorithm (test for composites)

Input n T1. Find an oddintegerd such that n −1 = 2s d

T 2. Select at randoma nonzero a ∈ Zn T3. Compute b = ad mod n If b = ±1, return'nisprime'

i T 4. Fori =1,!,r −1,calculate c ≡ b2 mod n If c = −1, return'nisprime' T5. Otherwisereturn'niscomposite'

CR 47 Quadrac Residues

a cannot be 0 • Example : m=13, square elements in Z13. 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1

The quadrac residues Z13 are therefore {1, 4, 3, 9, 10, 12}

If an element is not a quadratic residue, then it is a quadratic non-residue

quadratic non-residues in Z13 are {2, 5, 6, 7, 8, 11}

CR 48 Legendre Symbol

⎧ 0 if p | a ⎛ a ⎞ ⎪ ⎜ ⎟ = ⎨1 if aisaQR mod p ⎝ p ⎠ ⎪ ⎩−1 if aisaQNR mod p

Given p is an odd prime

CR 49 Euler’s Criteria

A result from Euler

p−1 ⎛ a ⎞ 2 ⎜ ⎟ ≡ a mod p ⎝ p ⎠

when aisaQR,∃x ∈ Z s.t. a ≡ x2 mod p when p | a p p−1 ( p−1) p 1 2 − =▹ a 2 ≡ x 2 mod p a 2 ≡ 0mod p ≡ x p−1 mod p ≡1

CR 50 when Quadrac Non Residue

2 when aisaQNR, no such x ∈ Z pexists s.t. a ≡ x mod p p−1 consider : a 2 mod p (note p −1 iseven,if pisan odd prime) squaring : a p−1 mod p ≡1 2 ⎛ p−1 ⎞ so,⎜a 2 ⎟ 1mod p ⎜ ⎟ ≡ ⎝ ⎠ p−1 Thus, a 2 ≡ ±1mod p p−1 a 2 ≠1mod p, sincea isnot a QR p−1 Thus a 2 ≡ −1mod p

CR 51 Examples when holds always Congruence

p−1 ⎛ a ⎞ prime odd n is an ⎜ ⎟ ≡ a 2 mod p 4 isaQR mod13 ⎜ p ⎟ ⎝ ⎠ 13−1 4 2 mod13 ≡ 46 mod13 ≡1 5isaQNR mod13 56 mod13 ≡12 mod13 ≡ −1 Congruence or may notor may

15−1 n is not prime Euler’s Witness 2 7

7 mod15 ≡ 7 mod15 ≡ −2 when

15−1 may Euler’s Liar hold 14 2 mod15 ≡147 mod15 ≡ −1

CR 52 Solovay Strassen Primality Test

SOLOVAYSTRASSEN(n){ choose a randomintegerasuch that 1 ≤ a ≤ n-1 ⎛ a ⎞ compute x =⎜ ⎟ ⎝ n ⎠ How to compute if (x = 0) returnCOMPOSITE Legendre’s symbol n−1 compute y = a 2 mod n if (x ≡ y mod n) return possiblyPRIME else returnCOMPOSITE }

error probability is at most ½

CR 53 Jacobi Symbol

• Jacobi Symbol is a generalizaon of the Legendre symbol • Let n be any posive odd integer and a>=0 any integer. The Jacobi symbol is deﬁned as:

Suppose nisan odd positive integer with prime factorization

e1 e2 e3 e4 n = p1 ×p2 ×p3 ×p4 ... T

Then,

e1 e2 e3 e4 ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎜ ⎟ = ⎜ ⎟ ×⎜ ⎟ ×⎜ ⎟ ×⎜ ⎟ × ! ⎝ n ⎠ ⎝ p1 ⎠ ⎝ p2 ⎠ ⎝ p3 ⎠ ⎝ p4 ⎠

CR 54 Jacobi Properes

⎛ a ⎞ ⎛ b ⎞ P1. If a ≡ b mod n then⎜ ⎟ = ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎛ 2 ⎞ ⎧ 1 if n ≡ ±1mod8 P2. ⎜ ⎟ = ⎨ ⎝ n ⎠ ⎩−1 if n ≡ ±3mod8 ⎛ ab ⎞ ⎛ a ⎞⎛ b ⎞ P3. ⎜ ⎟ = ⎜ ⎟⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠⎝ n ⎠ k k ⎛ a ⎞ ⎛ 2 ⎞ ⎛ t ⎞ P4. if aiseven, a = 2 t, ⎜ ⎟ = ⎜ ⎟ ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎝ n ⎠ P5. if aisodd, ⎧ ⎛ n ⎞ ⎪ − ⎜ ⎟ if n ≡ a ≡ 3mod 4 ⎛ a ⎞ ⎪ ⎝ a ⎠ ⎜ ⎟ = ⎨ n ⎛ n ⎞ ⎝ ⎠ ⎪ ⎜ ⎟ otherwise ⎩⎪ ⎝ a ⎠ CR 55 Compung Jacobi

From the theorem P5, P1, then P2

P5, P1, P5, P1, P3, P2

P5, P1 and 1 is a QR mod 13

CR 56 Factoring Algorithms

CR 57 Factorizaon to get the private key • Public informaon (n, b) • If Mallory can factorize n into p and q then, • She can compute φ(n) = (p-1)(q-1) • She can then computethe private key by ﬁnding a ≡ b-1 mod φ(n)

How to factorize n?

CR 58 Trial Division

Fundamental theorem of arithmec Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 ! pk

prime generation algorithm

Prime factors of n cannot be greater than ⎣ n⎦

n = n / p : remove this factor from n

Running Time of algorithm order of π(2n/2)

CR 59 Pollard p-1 Factorizaon

n = p× q 1 choose a random integer a(1< a < n). If gcd(a, n) ≠1, then a is a prime factor. However, this is most likely not the case.

2 L Supposeweselectsome Land compute d=gcd(a -1,n) why aL -1? if 1< d < n then we have factored n since d is prime and d | (aL −1) L d | n and d | (a −1) aL ≡1mod d d has to be the prime p or the prime q ϕ(d) | L => (d −1)k=L Thus we need to find L which is some factor of (d −1). 3 If gcd(aL −1, n) = n How to choose L? No easy way, trial and This is possible only when p | n and p | aL 1 (or q | n and q | aL 1) − − error!! and aL −1> n Factorials have a lot of divisors. So that is a nice way. So, take L as a factorial of some number r. CR 60 Pollard p-1 Factorizaon

Pollard p-1 factorization for n. S1. a ← 2 S2. if gcd(a, n) > 1, then this gcd is a prime factor of n, we are done. S3. compute d ← gcd(ar!-1, n) if d = n, start again from S1 with next value of a else if d =1 , increment r and repeat S3 else d is the prime factor of n; we are done!

r = 2,3, 4, ….. 1. Will the algorithm terminate? 2. When will we choose the next value of a? (will we get an infinite loop?) When r = d-1 then L = r! = (d-1)! = d-1(d-2)! = (d-1)k (d-1) | L à we will get the gcd(ak(d-1), n) = n or its prime factor.

CR 61 Pollard Rho Algorithm

• Form a sequence S1 by selecng randomly (all diﬀerent) from the set Zn x0 ≡ x mod p S1= x0 , x1, x2 , x3, x4 ,! 0

• Also assume we magically ﬁnd a x1 ≡ x1 mod p new sequence S2 comprising of x2 ≡ x2 mod p S2 = x0 ,x1, x2 , x3, x4,! where x3 ≡ x3 mod p

• If we keep adding elements to x4 ≡ x4 mod p

S1, we will eventually ﬁnd an xi and xj (i≠j) such that xi = x j When this happens,

p | (xi − x j )

∵p | nalso, gcd((xi − x j ),n)is p.We found a factor of n!! CR 62 Doing without magic

• Form a sequence S1 by selecng randomly (with replacement) from the set Zn

S1= x0 , x1, x2 , x3, x4 ,!

• For every pair i,j in the sequence compute

d ← gcd((xi − x j ,n)

• If d > 1 then it is a factor of n

CR 63 Selecng elements of S1

To choose the next element of S1, Pollard suggests

using a funcon f : Zn → Zn with requirement that the output looks random. Example : f (x) = x2 +1mod n

⎛⎧x0 where x0 ischosen randomly fromZn ⎞ S1= ⎜⎨ ⎟ ⎜ x i 0 and x f (x ) ⎟ ⎝⎩ i > i = i−1 ⎠

CR 64 Example This column is just • N= 82123, x = 631, f(x) = x2 + 1 for understanding. 0 In reality we will not know this

Drawback… Large number of GCD Computations. 55 gcd computations in this case

Can we reduce the number of gcd computations?

Given xi mod N, we compute gcds of every pair until we find a gcd greater than 1

gcd(x3 − x10 , N) = gcd(63222,82123) =41 A factor of N

CR 65 The Rho in Pollard-Rho

2 • N= 82123, x0 = 631, f(x) = x + 1 21 26

5 32

2 0 40 1

xt = xt+l mod p • The smallest value of t and l, for which the above congruence holds is t=3, l=7 • For l=7, all values of t > 3 satisfy the congruence • This leads to a cycle as shown in the figure (and a shape like the Greek letter rho) x j = x j+l mod p t ≥ 3 CR 66 Reducing gcd computaons

• GCD computaons can be expensive. • Use Floyd’s cycle detecon algorithm to reduce the number 21 of GCD computaons. 26 5 32

choose a random x0 = y0 ∈ Zn 2 0 xi = f (xi 1) − 40 1 yi = x2i = f ( f (yi−1)) 11 loop

If d = gcd(xi − yi , N) > 0,return d 16

claim : The first time xi = yi mod p occurs when i ≤ t + l This means that we get a collision before x completing an entire circle

CR 67 The ﬁrst me xi = yi mod p occurs is when i ≤ t + l • l is the number of points in the cycle • t is the smallest value of i such that xi ≡ yi mod p

xi and yi meet at the same point in the cycle Therefore, yi must have traversed (some) cycles more

xi ≡ yi mod N consider i =(k +1)l = t + (−t modl) xi ≡ x2i mod N ≤t + l l | (2i −i) l | i =▹ l(k +1) = i (−t modl)

CR 68 Expected number of operaons before a collision • Can be obtained from Birthday paradox to be p

CR 69 Congruences of Squares

• Given N=p x q, we need to ﬁnd p and q • Suppose we ﬁnd an x and y such that x2 ≡ y2 mod N • Then, N | (x2 − y2 ) =▹ N | (x − y)(x + y) • This implies,

gcd(N,(x − y)) or gcd(N,(x + y)) factors N

CR 70 Example

• Consider N = 91

102 ≡ 32 mod91 34 2 ≡ 82 mod 91 91| (10 − 3)(10 + 3) 91| (34 + 8)(34 −8) 91| (7×13) 91| 42 × 26 gcd(91,13) =13 gcd(91,26) =13 gcd(91,7) = 7 gcd(91,42) = 7

So… we can use x and y to factorize N. x2 ≡ y2 mod N But how do we find such pairs?

CR 71 Another Example

• N = 1649

2 32 and 200 are not perfect squares. 41 ≡ 32 mod1649 However (32x200 = 6400) = 802 432 ≡ 200mod1649 is a perfect square (41×43)2 ≡ (32 ×200)mod1649 ≡ 80 2 mod1649

Thus, it is possible to combine non-squares to form a prefect square

the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/) CR 72 Forming Perfect Squares

Recall, Fundamental theorem of arithmec Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 ! pk

Thus, a number is a perfect square if it prime factors have even powers.

e1,e2 ,e3,... iseven Thus, 32 = 2550 not a perfect square 200 = 2352 not a perfect square (32x200) = 2550 x 2352 = 2852 = (2451)2 is a prefect square

CR 73 Dixon’s Random Squares Algorithm 1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set) 2. Select an r at random – Compute y = r 2 mod N – Test if y factors completely in the set B. – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers) 3. Repeat step 2, unl we have b+1 such (y,r) pairs 4. Solve the system of linear congruencies

CR 74 Example

• N = 1829 • b = 6 B = {-1, 2,3,5,7,11,13} • Choose random values of r, square and factorize

All numbers are 6-smooth except 60 and 75. Leave these and consider all others

CR 75 Check Exponents

-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0

CR 76 Check Exponents

-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0

Find rows where exponents sum is even -65, 20, 63, -91

sum 2 2 2 2 2 0 2 (42 ×43×61×85)2 ≡ (−1×2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829 CR 77 Final Steps

(42 ×43×61×85)2 ≡ (−1×2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829

1829 | (1459 + 901)(1459 − 901) =▹1829 | 2360 gcd(1829,2360) = 59 =▹1829 | 558 gcd(1829,558) = 31

Thus 1829 = 59 ×31

CR 78 State of the Art Factorizaon Techniques • Quadrac Sieve – Fastest for less than 100 digits • General Number ﬁeld Sieve – Fastest technique known so far for greater than 100 digits – Open source code (google GGNFS) • RSA factoring challenge – Best so far is 768 bit factorizaon – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)

https://en.wikipedia.org/wiki/RSA_Factoring_Challenge CR 79 RSA Aacks

aacks that don’t require factorizaon algorithms

CR 80 Φ(n) leaks

• If an aacker gets Φ(n) then n can be factored n = pq q = n / p φ(n) = ( p −1)(q −1) = pq − ( p + q) +1 n φ(n) = n − ( p + ) +1 p p2 − (n −φ(n) +1) p + n = 0

Solve to get p (a factor of n)

CR 81 square roots of 1 mod n 2 There are two trivial and two non-trivial soluons for y ≡1mod n The trivial soluons are +1 and -1 By CRT, these congruences are equivalent ⎧ y ≡1mod p ⎨ ⎧y2 ≡1mod p ⎩y ≡ −1mod p y2 1mod n ≡ 〈=〉⎨ 2 ⎩ y ≡1mod q ⎧ y ≡1mod q ⎨ ⎩y ≡ −1mod q

To get the non-trivial solutions solve using CRT

y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q

CR 82 Example

• n=403 = 13 x 31 2 • To get the non-trivial soluons of solve using CRT y ≡1mod n

y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q

(31⋅31−1 mod13 −13⋅13−1 mod31) mod 403 (31⋅8 −13⋅12) mod 403 ≡ 92 403− 91 = 311

2 2 The non-trivial solutions are 92 and 311 Note:92 ≡ 311 ≡1mod 403

What happens when we solve y ≡ +1mod p y ≡ +1mod q CR 83 Decrypon exponent leaks

• If the decrypon exponent ‘a’ leaks, then n can be factored • The aacker can then compute ab ab ≡1modφ(n) kφ(n) = (ab −1) • Now, for any message x ≠ 0 xab−1 ≡1mod n ab−1 • Aack Plan, take square root : y ≡ x 2 mod n y 2 ≡1 mod n =▹ n | (y 2 −1) i.e., However we =▹ n | (y −1)(y +1) need y ≠ ±1 gcd(n, y −1)isa factor of n to have a non- trivial result CR 84 The Aack (basic idea) we assume we know the private key a

ab ≡1modφ(n) 1.given a computeab −1 kφ(n) = ab −1

ab −1 ab−1 2.Represent t = 2 2 y1 = x ≡1mod n 2 3. chooseany message x thus,(y1 −1) ≡ 0mod n 4.put y = xt mod n n | (y +1)(y −1) 5.computed ← gcd( y −1,n) This will only work if y ≠±1 mod n. 6.if d ≠ 1, return"a factorof n isd"; exit If y = ±1 mod n. then goto step 7 7.if (t is even) t = t / 2; goto step4 elsereturn" failure"

Probability of success of the attack is at-least 1/2

CR 85 Example

• N=403, b=23, a=47 t = ab −1 =1080 x = 2 1080 loop1: t = = 540 y ≡ xt mod 403 = 2540 mod 403 ≡1 2 540 loop2 : t = = 270 y ≡ xt mod 403 = 2270 mod 403 ≡ 311 2 gcd(310,403) = 31 (a factor of n)

t = ab −1 =1080 x = 9 1080 loop1: t = = 540 y ≡ xt mod 403 = 9540 mod 403 ≡1 2 540 loop2 : t = = 270 y ≡ xt mod 403 = 9270 mod 403 ≡1 2 270 loop3: t = =135 y ≡ xt mod 403 = 9135 mod 403 ≡1 2 can’t divide 135 further. failure CR 86 Small Encrypon Exponent

• In order to improve eﬃciency of encrypon, a small encrypon exponent is preferred • However, this can lead to a vulnerability

CR 87 Small Encrypon Exponent

3 c1 Alice m mod N1 m 3 c2 m mod N2 c 3 3 m mod N2

Insecure channel • Consider, Alice sending the same message x to 3 different people.

• Each having a different N (say N1, N2, N3) • But same public key b (say 3)

CR 88 Small Encrypon Exponent

3 c1 Alice m mod N1 3 m c1 ≡ m mod N1 3 c2 m mod N2 3 c2 ≡ m mod N2 c c m3 mod N 3 3 3 ≡ 3 m mod N2

Insecure channel • Consider, Alice sending the same message x to 3 different people.

• Each having a different N (say N1, N2, N3) • But same public key b (say 3) • This allows Mallory to snoop in and get 3 ciphertexts

CR 89 Small Encrypon Exponent

By CRT

3 ⎧c1 ≡ m mod N1 ⎪ 3 3 ⎨c2 ≡ m mod N2 〈=〉 X ≡ m mod(N1 ⋅ N2 ⋅ N3 ) ⎪c m3 mod N ⎩ 3 ≡ 3 • Thus, Mallory can compute X

• Since m < N1, m n < ( N1 x N2 x N3) • Thus, X1/3=m – i.e. The message can be decrypted

It is tempng to have small private and public keys, so that encrypon or decrypon may be carried out eﬃciently. However you would do this at the cost of security!!

CR 90 Low Decrypon Exponent

• The aack applies when the private key a is 4 n a < small, 3

• In such a case ‘a’ can be computed eﬃciently

CR 91 Paral Informaon of Plaintexts

Compung Jacobi of the plaintext y ≡ xb mod n yistheciphertext; x themessage bis the public key and gcd(b, φ(n)) =1 Thus, gcd(b, (p-1)(q-1))=1 ( p −1)(q −1) iseven, therefore b must be odd consider Jacobi ⎛ y ⎞ ⎜ ⎟ = ±1 ⎝ n ⎠ b ⎛ y ⎞ ⎛ x ⎞ ⎛ x ⎞ ⎜ ⎟ = ⎜ ⎟ = ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎝ n ⎠ sincebisodd

⎛ x ⎞ thus, RSA encrypon leaks the value of the Jacobi symbol ⎜ ⎟ ⎝ n ⎠ CR 92 Paral Informaon of Plaintexts ﬁrst half or second half? • given y = xbmod n, – is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1) first half second half

• We prove that RSA does not leak this informaon • If there exists an eﬃcient algorithm that can determine if x is in the ﬁrst or second half then, the enre plaintext can be obtained

CR 93 Binary Search Trees on x

Consider this function [0,13) ⎧ n ⎪0 if 0 ≤ x < 0 HALF (x) = 2 ⎨ n [0-6.5) [6.5,13) ⎪1 if ≤ x < n −1 ⎩ 2 0 example [0,3.25) x = 3mod13 HALF (x) = 0 [0,1.625) 1 2x ≡ 6mod13 HALF (2x) = 0 4x ≡12 mod13 HALF (4x) =1 [1.625,3.25) 8x ≡11mod13 HALF (8x) =1 16x ≡ 9mod13 HALF (16x) =1 3

CR 94 Paral Informaon of Plaintexts (ﬁrst or second half proof) • Assume a hypothecal oracle called HALF as follows ⎧ n ⎪0 if 0 ≤ x < HALF (n,b, y) = 2 ⎨ n y ≡ xb mod n ⎪1 if ≤ x < n −1 ⎩ 2 2b ⋅ y ≡ (2x)b mod n b b n 4 ⋅ y ≡ (4x) mod n HALF (y)= 0 =▹ x∈[0, ) b b 2 8 ⋅ y ≡ (8x) mod n 16b ⋅ y ≡ (16x)b mod n n n n HALF (2b y) = 0 =▹ x∈[0, ) HALF (2b y)=1 =▹ x∈[ , ) 4 4 2

n n n HALF (22b y)= 0 =▹ x∈[0, ) HALF (22b y)= 0 =▹ x∈[ , ) 8 8 4

CR 95 Example

n=1457, b=779, y=722

hi 1 0 1 0 1 1 1 1 1 0 0

Thus, if we have an efficient function HALF, we can recover the plaintext message.

CR 96 Man in the Middle Aack

• The process of encrypon with a public key cipher

Bob sends his public key

Alice encrypts with Bob’s public key

Bob decrypts with his private key

CR 97 Man in the Middle Aack

• The process of encrypon with a public key cipher Man in the middle Intercepts messages

Bob Mallory sends his public key sends her public key

Alice encrypts Mallory decrypts with Mallory’s public key with her private key and re- encrypts Bob decrypts with Bob’s with his private public key key CR 98 Searching the Message Space

• Suppose message space is small, – Mallory can try all possible messages, encrypt them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext

Bob sends his public key

Alice encrypts with Bob’s public key Bob decrypts with his private key

CR 99 Bad Prime Generaon Algorithms

• Suppose the prime generaon was faulty – So that, primes generated were always from a small subset – Then, RSA can be broken • Pairwise GCD of over a million RSA modulii collected from the Internet showed that – 2 in 1000 have a common prime factor

CR Ron was Wrong, Whit is right, 2012 100 Discrete Log Problem, ElGamal, and Diﬃe Hellman

CR STINSON : chapter 6 101 Primive Elements of a Group

Let (G,⋅ )be a group of order n. Let α ∈G, The order of α is the smallest integer m such that α m = 1 α is termed as a primitive element if it has order n. If α is a primitive element then α = {α i : 0 ≤ i ≤ n -1} generates all elements in G

Consider Z * {1,2,3, ,12} 13 = ! * (Z13,⋅) formsa groupof order12 Let 7∈ Z * , <7> has order 12 13 and generates all elements in Z. 7 = {7, 10, 5,9,11,12,6,3,8,4,2,1} Thus, 7 is a primitive element

CR 102 Discrete Log Problem

Let (G,⋅)be a group Letα ∈G be a primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n −1}

For any uniqueintegera (0 ≤ a ≤ n −1), let α a = β

Denote a = logα β as thediscrete logarithmof β

Given α and a, it is easy to compute β Given α and β it is computationally difficult to determine what a was

CR 103 ElGamal Public Key Cryptosystem

• Fix a prime p (and group Zp)

• Let be a primive element α ∈ Z p • Choose a secret ‘a’ and compute β ≡ α a mod p

Public keys : α , β, p Private key : a

Encryption Decryption

choose a random (secret) k Z a −1 ← p dk (x) = y2 (y1 ) mod p e (x) (y , y ) k ka −1 k = 1 2 = x⋅ β (α ) mod p k where y1 = α mod p, ka ka −1 k = x⋅α (α ) mod p y2 = x⋅ β mod p CR ≡ x 104 ElGamal Example

• p = 2579, α = 2 (α is a primive element mod p) • Choose a random a = 765 • Compute β ≡ 2765 mod 2579 Encrypon of message x = 1299 choose a random key k = 853 853 y1 = 2 mod 2579 = 435 853 y2 = 1299 x 949 = 2396

Decrypon of cipher (435, 2396) 2396 x (435765)-1 mod p = 1299

CR 105 Finding the Log

β ≡ α a mod p Given α and β it is computationally difficult to determine what a was • Brute force (compute intensive) compute α,α 2 ,α 3,α 4...... (until you reach β) this would deﬁnitely work, but not praccal if p is large complexity O(p), space complexity O(1) • Memory Intensive precompute (all values). Sort and store. α,α 2 ,α 3,α 4...... For any given β look up the table of stored values. complexity O(1) but space complexity O(n)

CR 106 Shank’s Algorithm (also known as Baby-step Giant-step)

β ≡ α a mod p

Rewrite a as a = mq + r where m = ⎡ p⎤

β ≡ α mqα r mod p q β(α −m ) ≡ α r mod p

We neither know q nor r, so we need to try out several values for q and r until we find a collision

CR 107 Shank’s Algorithm (example) • p= 31 and α=3. Suppose β=6. • What is a? (3−1)6 mod 31 = 2 m = ⎡ 31⎤= 6 collision α ≡ 3 β (α −6 )0 = 6⋅20 = 6 α 2 ≡ 9 β (α −6 )1 = 6⋅21 =12 α 3 ≡ 27 β (α −6 )2 = 6⋅22 = 24 List1 List2 α 4 = 81 ≡19 mod 31 β (α −6 )3 = 6⋅23 ≡17 mod 31 α 5 =19 ⋅3 ≡ 26 mod31 β (α −6 )4 = 6⋅24 ≡ 3mod 31

Thus, m=6, q=4, r=1, a= mq+r = 25

CR 108 Shank’s Algorithm

Create List 1

Create List 2

Find collision

CR 109 Complexity of Shank’s Algorithm

O(m) O(mlog m)

O(log m)

O(mlogm) ~ O(m) = O(p1/2)

CR 110 Other Discrete Log Algorithms

β ≡ α a mod n

• Pollard-Hellman Algorithm used when n is a composite • Pollard-Rho Algorithm about the same runme as the Shank’s algorithm, but has much less memory requirements

CR 111 Diﬃe Hellman Problem

Let (G,⋅)be a group Letα ∈G be a primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n −1}

a b ab given α and α , find α Computational DH (CDH) given α a ,α b and α c , determineif c ≡ ab mod n Decision DH (DDH)

CR 112 Recall… Diﬃe Hellman Key Exchange

Alice and Bob agree upon a prime p and a generator g. This is public information

choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p

B A Compute K = Ba mod p Compute K = Ab mod p

b a b b a a A mod p = (g ) mod p = (g ) mod p = B mod p

CR 113 CR 114