Number Theory Resolves a Problem in a Divorce

Home , RSA Factoring Challenge, RSA numbers

Number theory resolves a problem in a divorce

Sunil K. Chebolu Illinois State University

1/23 Sunil Chebolu Number theory resolves a problem in a divorce

. Beer is proof that God loves us and wants us to have a good time

Benjamin Franklin

Number Theory is proof that God loves us and wants us to have a good time

Sunil Chebolu

2/23 Sunil Chebolu Number theory resolves a problem in a divorce A divorce problem

Alice and Bob are getting a divorce and have to discuss who gets what.

They are already separated and they live in diﬀerent cities and can’t stand facing each other.

They don’t seem to agree on one thing:

3/23 Sunil Chebolu Number theory resolves a problem in a divorce Who gets the car?

4/23 Sunil Chebolu Number theory resolves a problem in a divorce After much deliberation on the matter, they decide to ﬂip a coin

5/23 Sunil Chebolu Number theory resolves a problem in a divorce Coin ﬂipping over the telephone is tricky

Problem: If they don’t trust each other how can they ﬂip a coin over the telephone without bringing in a 3rd party (a referee)?

“Flipping a coin” really means performing some random experiment akin to coin tossing which has two equally likely outcomes and in which no party can cheat.

6/23 Sunil Chebolu Number theory resolves a problem in a divorce Assumptions

Before we go further we will make a couple of mild assumptions on the couple.

I Bob and Alice have math degrees and they love number theory (more than their partner).

I They also have access to MAPLE software for computing.

7/23 Sunil Chebolu Number theory resolves a problem in a divorce The coin toss protocol

1. Alice picks two large distinct prime numbers p and q and tells Bob the product n(= pq). (p and q are known only to Alice.) 2. Bob picks a random positive integer s less than n such that gcd(s, n) = 1. He sends Alice the remainder a obtained when s2 is divided by n. (Thus s2 ≡ a mod n.) 3. Alice then solves the equation x2 ≡ a mod n and will get two pair of solutions:

{s, −s} and {t, −t}.

Alice now picks one pair and tells it to Bob. (If pairs are not distinct, they startover.) 4. If Alice picks {s, −s} she get the car. Otherwise, Bob will keep the car, and to prove that he won he reveals s.

8/23 Sunil Chebolu Number theory resolves a problem in a divorce An example with numbers

1. Alice picks p = 31 and q = 23 and tells Bob n = pq = 713. 2. Bob picks s = 220 and sends Alice a = 629;

629 ≡ 2202 mod 713.

3. Alice solves the modular quadratic equation

x2 ≡ 629 mod 713

and obtains two pairs of solutions:{220, 493} and {654, 59} Alice now picks one of these pairs and sends it to Bob. 4. If she picks {220, 493} she wins, otherwise Bob wins.

9/23 Sunil Chebolu Number theory resolves a problem in a divorce Computational issues

I Database of large primes is available for free on the internet, and multiplying them is done easily by MAPLE. This is how Alice gets hold of n, which is p × q.

I One does not have to search for large primes on the internet. There are fantastic methods for primality testing which Alice can use to get hold of large primes.

I Bob has to pick a random number s less than n which is coprime to n: this is also easy because the Euclidean algorithm runs in polynomial time. The next step for Bob is to square s and take the remainder a obtained upon dividing by n. This is done by MAPLE in a split second.

10/23 Sunil Chebolu Number theory resolves a problem in a divorce 2 I Alice now has to solve the equation x = a in Zn. This has at least one solution (s). In fact, the Chinese remainder theorem ∼ Zn = Zp × Zq

(recall that p 6= q) tells that the above equation has four solutions because s is chosen such that gcd(s, n) = 1. These four solutions come in pairs corresponding to the equations

2 2 x1 ≡ a1 mod p, x2 ≡ a2 mod q,

Here x = (x1, x2) and a = (a1, a2) under the Chinese reminder theorem.

Thanks to the Tonelli-Shanks algorithm which gives an eﬃcient method to compute the roots of a quadratic equation modulo a prime.

11/23 Sunil Chebolu Number theory resolves a problem in a divorce The Key point

The key point here is that it is only Alice who can ﬁnd all 4 roots of the equation x2 ≡ a mod n because she is the one who knows the two prime factors p and q of n.

Bob, on the other hand, has no access to these two primes which constitute n. So he cannot compute (in any reasonable amount of time) the roots of the above equation even using the world’s fastest super computer. He does know that {s, −s} are the roots but that is of no help in getting the other two roots.

12/23 Sunil Chebolu Number theory resolves a problem in a divorce Why can’t Bob decompose n into its prime factors?

This is next to impossible. The arithmetic complexity is enormous. To give some numbers, a single 2.2 GHz machines takes about 70 years to decompose an integer n with 200 digits into its prime factors!

However, a large assembly of IBM supercomputers (see above picture) is estimated to cut down the computing time to one year. The impossibility of factoring these large numbers in real time is the basis for this protocol. The same is true for the RSA protocol.

13/23 Sunil Chebolu Number theory resolves a problem in a divorce Why is it not possible to cheat?

Clearly the punch line is the last step where Alice sends Bob one of the two pairs {s, −s}, {t, −t}. Alice wins if and only if she sends Bob the only pair {s, −s} which he has. Let us then consider the two possibilities. 1. Alice sends {s, −s}: Bob cannot claim that he has the other pair with him because he has to declare it, and as mentioned above there is no way he can get that without the knowledge of the primes p and q which constitute n. So Alice wins. (Bob will of course verify that this is indeed the other root of the the equation by substituting it in the equation.) 2. Alice sends {t, −t}: This is a clear case. Bob wins because he will instantly declare the pair {s, −s} which is diﬀerent from what Alice has sent.

14/23 Sunil Chebolu Number theory resolves a problem in a divorce Bottom line: There is no room for cheating! The algorithm is cheat-proof.

15/23 Sunil Chebolu Number theory resolves a problem in a divorce Warning!

There is one aspect in which this protocol diﬀers from an ordinary unbiassed coin: n cannot be reused

Suppose Bob and Alice want to do another coin toss to decide who gets the computer. They cannot reuse the same value of n. Why is that so?

Suppose Bob won the ﬁrst time. This happens when Alice declared the pair {t, −t}. Bob already has {s, −s}. So now Bob has all four roots. Using these roots he can compute p and q as follows.

16/23 Sunil Chebolu Number theory resolves a problem in a divorce The roots s and t determine p and q

2 2 I s ≡ t ≡ a mod n 2 2 I n divides t − s = (t + s)(t − s)

I n cannot divide t − s or else t ≡ s mod n

I similarly n cannot divide t + s or else t ≡ −s mod n

I since n = pq, this means p divides t + s and q divides t − s, or vice-versa.

I at any rate, Bob would know the factorisation n = pq as n = gcd(n, s + t) gcd(n, t − s). Good News: This is not a problem because the great Euclid told us more than 2000 years ago that there are inﬁnitely many primes.

17/23 Sunil Chebolu Number theory resolves a problem in a divorce Decomposing an integer into its prime factors is HARD

The impossibility of factoring these large numbers in real time is the basis for this protocol. The same is true for the RSA public-key encryption.

This is where all the money is.

18/23 Sunil Chebolu Number theory resolves a problem in a divorce RSA Factoring Challenge

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories in 1991 to encourage research into computational number theory and the practical diﬃculty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes (numbers with exactly two prime factors) known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100 decimal digit number called RSA-100 was factored by April 1, 1991, but many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time.

19/23 Sunil Chebolu Number theory resolves a problem in a divorce A recent result

In 2010 the following 232-digit number (RSA-768) has been factored as a combined eﬀort of several researches and hundreds of high-powered machines over a span of 2 years. RSA-768 = 12301866845301177551304949583849627207728535 6959533479219732245215172640050726365751874520219978646 9389956474942774063845925192557326303453731548268507917 02612214291346160429214311602221240479274737940806653514 19597459856902143413 = 3347807169895689878604416984821269081770479498371376856891 2431388982883793878002287614711652531743087737814467999489 × 3674604366679959042824463379962795263227915816434308764267 60322838157396665112792333734171433968102702798736308917

20/23 Sunil Chebolu Number theory resolves a problem in a divorce How can we become rich?

RSA has announced $200,000 cash prize for factoring the following 617-digit number. RSA-617= 2270180129378501419358040512020458674106123596276658390709 4021879215171483119139894870133091111044901683400949483846 8182995180417635079489225907749254660881718792594659210265 9704670044981989909686203946001774309447381105699129412854 2891880855362707407670722593737772666973440977361243336397 3080517630915068363107953126072395203652900321058488395079 8145230729941718571579629745499502350531604091985919371802 3307414880446217922800831766040938656344571034778553457121 0805307363945359239326518660305150410609664373133236728315 3932350006793710754195543736243324836124252594586880235391 6766181532375855504886901432221349733

21/23 Sunil Chebolu Number theory resolves a problem in a divorce Looking into the future

The RSA-617 is predicted to be factored in 2041 !

Based on today’s technology, it is predicted that factoring a 230-digit number in one year would require 215,000 Pentium-class machines!

This is the story with digital electronic computers. What about quantum computers? That is a can of worms to be opened in another talk but it suﬃces to say that the research on quantum computing is still in its early stages and mankind has a long way to go before it can announce any impressive results.

22/23 Sunil Chebolu Number theory resolves a problem in a divorce THANK YOU

23/23 Sunil Chebolu Number theory resolves a problem in a divorce