Mini Topics on RSA and Discrete Logarithm Problem

Home , Discrete logarithm

Mini Topics On RSA and Discrete Logarithm Problem

賴奕甫

1 Contents

• Mini Topics on RSA Encryption • RSA bit Security • DLP bit Security

2 自我介紹

• 賴奕甫 (男) • 82 (1993) 年生 • 台大數學所碩二 (已通過口試) • 興趣:半夜慢跑, 摺紙

3 Chinese Remainder Theorem

中國南北朝時期（公元5世紀）的數學著作《孫子算經》卷下第二十六題，叫做「物不知數」問題，原文如下：有物不知其數，三三數之剩二，五五數之剩三，七七數之剩二。問物幾何？

푥 = 2 푚표푑 3 푥 = 3 푚표푑 5 푥 = 2 푚표푑 7

4 Chinese Remainder Theorem

Chinese Remainder Theorem: For 푥 ∈ ℤ푛∗푚, Given 푛, 푚 with 푔푐푑 푛, 푚 = 1. 휙 푥 = 푥 푚표푑 푛 , 푥 푚표푑 푚

Then the natural homomorphism 휙 ∶ ℤ푛∗푚 → ℤ푛 × ℤ푚 is an isomorphism. “Well-defined”

“hom”

“surjective”

5 RSA Encryption (Notation)

• Public Key :(푁 = 푝 ∗ 푞, 푒) ( 푝, 푞: distinct primes, 푔푐푑 푒, 휙 푁 = 1)

• Private Key: 푑 (푑푒 = 1 푚표푑 휙 푁 )

(푁, 푒)

푐

Message: 푚 ∈ ℤ푁

Decryption: Encryption: 푑 푒 푐 = 푚 ∈ ℤ푁 푐 = 푚 (푚표푑 푁)

6 Mini Topics on RSA encryption.

• The following content is not about the factoring algorithms but about some little topics in usage or on parameter settings in the RSA encryption.

7 RSA

• Can 휙(푁) be leaked? • 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 • What if 푒 is chosen too small (푒 = 3)? Can N be a domain parameter? • Can we only choose new 푑 if the old one is exposed • Can 푑 chosen to be small? (for speeding up decryption) • Is the least significant bit encryption of RSA as secure as the whole?

8 Can 휙(푁) be leaked?

Solve 푞 by the following steps: • Assume 휙 푁 = 푝 − 1 푞 − 1 is given • Public Key 푁 = 푝푞

• Write 푝 = 푁/푞 • Then 푁 휙 푁 = 푞 − 1 푞 − 1 ⇒ 휙 푁 푞 = 푁 − 푞 푞 − 1 • ⇒? 9 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1

• Show the correctness: 푑푒 푚 = 푚 푚표푑 푁 푓표푟 푎푛푦 푚 ∈ ℤ푁 : Consider Chinese remainder theorem, it suffices to proof 푚푑푒 = 푚 푚표푑 푝 푚푑푒 = 푚 푚표푑 푞

: HOLDS! : It suffices to show 푚푑푒−1 = 1 푚표푑 푝 10 Show the correctness: 푑푒 푚 = 푚 푚표푑 푁 푓표푟 푎푛푦 푚 ∈ ℤ푁 (continued) : Since 푙푐푚 푝 − 1, 푞 − 1 | 푑푒 − 1, 푝 − 1 | 푙푐푚 푝 − 1, 푞 − 1 , and 푚푝−1 = 1 푚표푑 푝 (Fermat’s little theorem)

푚푙푐푚 푝−1,푞−1 = 1 푚표푑 푝 , so 푚푑푒−1 = 1 푚표푑 푝 ∎ 11 What if 푒 is chosen too small? -Hastad’s Broadcast Attack

• Take 푒 = 3 for example • Assumption:

• There are 3 people use RSA encryption with public key 푁1, 푒 , 푁2, 푒 , (푁3, 푒) (relatively prime 푁1, 푁2, 푁3) • They receive a cipher 푐𝑖 from the same message 푚 with their own public keys. (푚 < 푁𝑖 for all 푖)

• Oscar collects 푁𝑖, 푒 = 3 , and 푐𝑖. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies

푐 = 푐1 푚표푑 푁1 푐 = 푐2 푚표푑 푁2 푐 = 푐3 푚표푑 푁3

12 What if 푒 is chosen too small? -Hastad’s Broadcast Attack

• Oscar collects 푁𝑖, 푒 = 3 , and 푐𝑖. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies

3 푐 = 푐1 = 푚 푚표푑 푁1 3 푐 = 푐2 = 푚 푚표푑 푁2 3 푐 = 푐3 = 푚 푚표푑 푁3 3 • Hence, 푐 = 푚 푚표푑 푁1푁2푁3 3 • Notice that 푚 < 푁1푁2푁3 • ⇒?

13 Example

• (See)

14 If 푒 = 3, then half of bits of 푑 are exposed (roughly).

Assume primes 푝, 푞 > 5 and 푑 < 휙 푁 . Claim: 푒 = 3 ⇒ 푒푑 = 1 + 2휙 푁 Write 푒푑 = 1 + 푘휙 푁 = 1 + 푘 푝 − 1 푞 − 1 Known 0 < 푘 ≤ 푒 = 3 Calculate 푝 − 1 푚표푑 3 ∵ 푔푐푑 푝, 3 = 1 and 푔푐푑 푝 − 1,3 = 1 ∴ 푝 − 1 = 1 푚표푑 3 Similarly, 푞 − 1 = 1 푚표푑 3. Hence, 푘 = 2 푚표푑 3, so 푘 = 2

∎ 15 If 푒 = 3, then half of bits of 푑 are exposed (roughly).

1 1 • Let 푑′ = 1 + 푘푁 = 1 + 2푁 . 푒 푒 • Claim 푑′ − 푑 < 푝 + 푞

1 1 Write 푑′ = 1 + 2푁 = 1 + 2푁 + 휖 for some 휖, 휖 < 0.5 푒 푒 Then 푑′ − 푑 =?

16 If 푒 = 3, then the linear relation of messages can not be known.

• Assumption: • Alice uses RSA encryption with her public key 푁, 푒 = 3

• Encrypting 푚1 and 푚2 with a linear relation 푚2 = 푎푚1 + 푏 • Given two ciphertexts 푐1, 푐2 and the coefficients 푎 and 푏

• Oscar calculates 3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏

3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 =? 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏

17 Example

• (See)

18 Can N be a domain parameter?

푁 = 푝푞 Compute 푑𝑖푒𝑖 = 1 푚표푑 푁

푑1, 푒1 푑3, 푒3

푑2, 푒2

19 Can we only choose new 푑 (and 푒) if the old one is exposed?(With the same 푁)

• Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇐”: Obviously, “Factoring 푁”⇒”Obtain 휙(푁)” ⇒”Getcha 푑” • “⇒”: The proof is an algorithm: Main idea: find x, 푥2 = 1 푚표푑 푁 Since 푁 = 푝푞 | 푥 + 1 푥 − 1 , if 푥 ≠ ±1 푚표푑 푁 , then gcd 푥 ± 1, 푁 will factor 푁.

Intuition: 푚푑푒−1 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1 푡 푚2 푟 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1

20 Remark: You can further prove that the algorithm Can we only ischoose able to factornew N with푑 probability(and 푒 greater) than ½ for each choice of 푚 if the old one is exposed? (With the same 푁)

• Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇒”: Main idea: find x, 푥2 = 1 푚표푑 푁 Write 푘 = 푑푒 − 1 = 2푡푟, where 푟 is odd

1. Choose 푚 ∈ 2, … , 푁 − 1 at random Say 푔푐푑 푁, 푚 = 1 (why) 2. If 푚푟 = 1 푚표푑 푁 then back to 1.

′ 3. Compute 21푟, 22푟, 23푟, … until 2푡 푟 = 1 푚표푑 푁 first occurs.

푡′−1 4. If m2 푟 = ±1 푚표푑 푁 then back to 1. ′ 5. Else factor by 2푡 −1푟 푁 푔푐푑(푚 ± 1, 푁) 21 Can N be a domain parameter?

• Given 푒. “Knowing 푑 ⇔ Factoring 푁”

• Hence, it’s insecure that a group uses the same composite N

with different 푒𝑖, 푑𝑖

22 Question: Dose the other choice of 푑 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 alter the result?

• Given 푒. “Knowing 푑 ⇔ Factoring 푁”

• 푑푒 = 1 푚표푑 푁 • 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1

23 Example

• (See)

24 This is a Kitten Licking Its Paw!

25 Can 푑 be chosen to be small ? (for speeding up decryption)

• Wiener’s Attack:

1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁.

• Goal: 푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1 Find 푘/푑

26 Continued Fraction

• 푥 = where 푎0 is an integer and 푎𝑖 is non-negative integer for 푖 ≥ 0

is said to be a continued fraction expression of 푥, denoted [푎0; 푎1, 푎2, … ].

• Any rational number can be written as a continued fraction form 44 2 1 1 = 6 + = 6 + = 6 + = [6; 3,2] Ex. 7 1 7 7 3 + 2 2 1 = 6 + = [6; 3,1,1] 1 3 + 1 27 1 + 1 Convergents

• You can also use the Euclidean algorithm to compute a continued fraction expression

1234 = 567 ∗ 2 + 100 1234 1 = 2 + 567 = 100 ∗ 5 + 67 1 567 5 + 100 = 67 ∗ 1 + 33 1 1 + 1 67 = 33 ∗ 2 + 1 2 + 33

푡ℎ • Let 푥 = [푎0; 푎1, 푎2, … ], 푦 is said to be the 푖 convergent of 푥 if 푦 = [푎0; 푎1, 푎2, … , 푎𝑖 ] 28 Origin : Rational Approximation by Continued Fraction

Theorem. Let 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푥 − < . 푑 2푑2

Then 푘/푑 is a convergent in the continued fraction expansion for 푥

29 Origin : Rational Approximation by Continued Fraction

푒 Theorem. Let 푁 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푒 푥 − < 2 . 푁 푑 2푑 푒 Then 푘/푑 is a convergent in the continued fraction expansion for 푥 푁

푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1

30 Wiener’s Attack: 1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁.

• Wiener’s Lemma. Given 푁, 푒, where 푁 = 푝푞 and 푑푒 − 푘휙 푁 = 1

1 1 Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then 푒 푘 1 − < . 푁 푑 2푑2 • Corollary. Using the condition above. Then 푘/푑 is a convergent in the continued fraction expansion for 푒 푁

31 푒 푘 1 + 푘휙 푁 − 푁푘 − = Wiener’s Lemma. 푁 푑 푑푁 푁 = 푝푞 3푘 푁 3푘 < < 푑푒 − 푘휙 푁 = 1. 푑푁 푑 푁 푞 < 푝 < 2푞 1 1 1 1 < < 푑 < 푁4 휙 푁 − 푁 = 푝푞 − 푝 − 푞 + 1 − 푝푞 1 3푑2 3 = − 푝 + 푞 − 1 푑푁4 > −3푞 Then, > −3 푁

푒 푘 1 푑휙 푁 ≥ 푑푒 > 푘휙 푁 − < . ⇒ 푑 > 푘 푁 푑 2푑2

32 Example : Wiener’s Attack

• (see)

33 Take a look at SP800-56B

• (See)

34 Bit Security of RSA Problem Is the least significant bit in the encryption of RSA as secure as the whole? 賴奕甫 RSA Problem

•RSA Problem： Given 푁, e and 푐 = 푚푒 푚표푑 푁 , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁

Find (푚 (푚표푑 푁))

36 A Fact:

퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≥ RSA 푝푟표푏푙푒푚 is known

퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≱ RSA 푝푟표푏푙푒푚 or 퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 = RSA 푝푟표푏푙푒푚 is unknown

37 RSA Problem

• RSA Problem： Given 푁, e , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁

푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function

38 •RSA Problem： 푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function

• Even though RSA problem may be hard, that does NOT mean we can know nothing from it. • For example, given 푐 = 푓 푚 = 푚푒 푚표푑 푁, we can know its

푚 푚 푚 푒 푐 Jacobi symbol value , since 푒 is odd. = = 푁 푁 푁 푁

39 The least significant bit secure of RSA Even though I accept 푓 푥 = 푥푚 푚표푑 푁 is a 표푛푒-푤푎푦 function, it only means I accept it’s hard to find the whole inverse element.

Is it still hard to find out the parity (lsb) of the inverse element?

40 In a Simple Usage

ALICE BOB 푒 푖푛푓표푟푚푎푡푖표푛 ║풌║ 푖푛푓표푟푚푎푡푖표푛 푚표푑 푁 RSA-3072 RSA-3072 (Asymmetric) (Asymmetric) AES-128 AES-128 with key 풌 with key 풌 (Symmetric) (Symmetric)

We don’t have to invert whole 푚푒 but recover some bits from 푚푒

Is RSA remain secure in this way?

41 Inverting the LSB ⇔ Solving RSA Problem

• Let 푁 = 푝푞 , 푒 , 푑 represent the RSA parameter

• The following calculation is under ℤ푁 • 푐 = 푚푒,define 1 푖푓 푙푠푏 표푓 푚 푖푠 1 푃푎푟푖푡푦 푐 ≔ 0 푖푓 푙푠푏 표푓 푚 푖푠 0

1 1 푖푓 푚 ∈ [0, 푁) 퐻푎푙푓 푐 ≔ 2 0 표. 푤

42 Inverting the LSB ⇔ Solving RSA Problem

1 1 푖푓 푙푠푏 표푓 푚 푖푠 1 푃푎푟푖푡푦 푐 ≔ 퐻푎푙푓 푐 ≔ 0 푖푓 푚 ∈ [0, 푁) 0 푖푓 푙푠푏 표푓 푚 푖푠 0 2 1 표. 푤

Having an oracle of 퐻푎푙푓 푐 ⇔ Having an oracle of 푃푎푟푖푡푦 푐 (Why?)

43 Inverting the LSB ⇔ Solving RSA Problem

• For 푐 = 푚푒, we have 1 퐻푎푙푓 푐 = 0 ⟺ 푚 ∈ [0, 푁) 2 1 2 3 퐻푎푙푓 2푒푐 = 0 ⟺ 푚 ∈ [0, 푁) ∪ [ 푁, 푁) 4 4 4 ⋮ • It follows that Having an oracle of 퐻푎푙푓 푐 ⇔ Solving RSA Problem. • Since Having an oracle of 퐻푎푙푓 푐 ⇔ Having an oracle of 푃푎푟푖푡푦 푐 , • We know Inverting the LSB ⇔ Solving RSA Problem.