The Roots of Higher Mathematics: Computing Square Roots and the Rabin Cryptosystem
William J. Martin, WPI

Abstract: We explore thought experiments dealing with the computation of square roots in various number systems. As an application, we introduce an encryption scheme of Rabin.

1 Weird Number Systems

A child learns about number systems in a very sensible way: first the counting numbers, then perhaps integers, then fractions, on to real numbers, and then the complex numbers. This seems very reasonable: each contains all the previous ones and enjoys more and more features, allowing more and more flexibility. Before we discuss other systems, let us review the notation for these familiar objects. The natural numbers, or positive integers, are denoted N = {1, 2, 3, ...}. They are closed under addition and multiplication: if we add or multiply two numbers from this set, the answer is guaranteed to be in this set. This is a great context for a discussion of unique factorization: an integer p > 1 is prime if its only divisors are 1 and itself. (Note that one is neither prime nor composite; it has an inverse, so it is called a “unit”.) The integers are the first ring a student sees. The set

Z = {..., −3, −2, −1, 0, 1, 2, 3, ...} is closed under both addition and multiplication. It is a commutative ring since ab = ba for any two integers a and b. Every element has an additive inverse: stated precisely, for any integer a, there is a (unique) integer b such that a + b = 0. In algebra, we extend intuitive notation and denote this b by “−a”. As a ring, we have a distributive law:

a(b + c) = ab + ac and (a + b)c = ac + bc for all integers a, b and c. But only a = 1 and a = −1 have multiplicative inverses; for only these values of a does the equation ax = 1 have an integer solution x. The rational numbers are denoted by Q and their precise definition involves some subtlety to overcome the issue that (−6)/4 = 3/(−2) etc. (The concept of “canonical forms” is useful here: every rational number can be expressed uniquely in lowest terms where the numerator and denominator have no common factor and the denominator is positive.) This is our first example of a field! Both addition and multiplication are commutative: a + b = b + a and ab = ba. We have associativity so we can move parentheses around whenever expressions involve only one operation. We have the distributive laws. But now we have multiplicative inverses: for every rational number a, not equal to zero, there is a (unique) rational number x such that ax = 1. In high school, a student encounters phenomena in physics, chemistry, biology, finance, etc. where continuous variables are required for an accurate model, a “realistic” model. So we feed them the real numbers. This set of objects is denoted by R but few students see the true definition of this set or a precise way to add or multiply real numbers. We usually equate them with non-terminating decimals and accept some finite precision (say 8 digits past the decimal point) so that addition (and multiplication, up to some error) is performed as with rational numbers. (In fact, any calculator or computer system can only represent a finite number of possibilities, so ignoring computer algebra systems, the “real” numbers students compute with are a very small subset of the rational numbers.) Applications in physics and electrical engineering, as well as a rigorous approach to mathematics, demand more: every polynomial of positive degree must have a root. While this property fails for the rational numbers (e.g., take f(x) = x^2 − 3) and the real numbers (e.g., take f(x) = x^2 + 3), the Fundamental Theorem of Algebra tells us that the complex numbers C = {a + bi | a, b ∈ R} have this “algebraically closed” property, where i is some object that squares to −1. There are other algebraically closed fields, such as the field of algebraic numbers. The collection of objects of the form f(x)/g(x) where f(x) and g(x) are polynomials with complex coefficients forms a field, called the field of rational functions, and these have a (unique) algebraic closure. There are also p-adic fields for any prime p. So we can find algebraically closed fields where a + a = 0 for all a, or where a + a + a = 0 for all a. This is the sort of field that becomes most useful in communications. In information theory, we concern ourselves with the mathematics of communication. We may be interested in efficient compression, balancing space savings against recoverability. We may be interested in error-correction, balancing “parity-check” overhead against message recovery in the presence of noise.
Or we may be interested in encryption, where we aim to ensure that an encoded message is understandable only to its intended recipient.

2 Square Root Computation

The cryptosystem we will discuss today is the invention of Michael Rabin of Harvard University. Its main beauty lies in its simplicity. To encrypt a message m, you simply interpret m as a number (in a certain ring) and transmit m^2. So the encryption function is just E(x) = x^2, a function which, at face value, is familiar to every algebra student. Correct decryption involves computing a square root. How hard can that be?

2.1 One-way functions

Cryptographers have great interest in “one-way” functions. A function f : X → Y (i.e., taking inputs from a set X and producing a well-defined output y = f(x) in the set Y for any x in X) is said to be one-way if

• given any x in X, it is easy to compute f(x)

• given any y in Y , it is hard to find some x in X with f(x) = y, even if promised that one exists

(The proper definition is more technical. There must exist a polynomial time algorithm which, given x, computes f(x), while recovering x from only the value f(x) and a description of the function should be NP-hard or similar.) Unfortunately, we do not know any one-way functions! Researchers have many candidates, many suspicions about what sorts of functions should work, but no one has successfully proven the existence or non-existence of such functions. So the basic idea is to encrypt a message by incorporating a one-way function into the encryption process. An eavesdropper who intercepts the message must invert f in order to recover the message. But if f is one-way, this is essentially impossible. But this raises the question: if recovering the message is hard, how can the intended recipient obtain the message? In order to achieve this, we need not just a one-way function but a one-way trapdoor function: a one-way function which becomes efficiently invertible given some extra (secret) information.

2.2 Computing square roots

Given all this theory, it’s quite surprising that f : x ↦ x^2 could be a candidate one-way trapdoor function. But we’ll see how this works as we develop the ingredients below. First let’s recall what happens over the real numbers. Squaring an integer can be done quickly and the same technique is used for real numbers when represented as fixed-precision decimals. Since the advent of calculators, most people have forgotten how to estimate square roots by hand. The grade school method regularly taught until the 1960s is very clever and instills in a student skills that can be generalized to more abstract calculations of the same sort at the university level. In elementary calculus, a student learns Newton’s Method (following the tangent line, instead of the curve, to reach the x-axis and then iterating) for finding roots of functions. I was surprised to learn, some years back, that this is essentially how a Texas Instruments calculator finds square roots. When I push the “SQRT” button on a calculator [1], the input is first scaled to some number a lying between 1/2 and 2 (this contributes some powers of two to the answer) and then the calculator performs two iterations of Newton’s Method on the function f(x) = x^2 − a. Let us observe that not all real numbers have square roots. Working inside R, the square root of a negative number does not exist. The number zero is special: it has only one square root while all positive numbers have exactly two square roots. Please keep this classification in mind as we move to stranger number systems below. A communications system cannot realistically work with real numbers. Devices such as cellphones and CD players have very constrained memory and must perform calculations quickly. For these and other reasons, such environments employ modular arithmetic.
What we will see next is that, while squaring a number in modular arithmetic can be performed quite efficiently, computing square roots seems to be easy in some moduli and extremely hard in others. (But we still cannot prove this. This remains a research problem for mathematicians and computer scientists.)

[1] At least on some TI calculators. I’ve seen their machine code, but it may have been updated since then.
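As an added illustration (not code from the notes), here is the scale-then-iterate procedure just described, in Python. The notes say only that the input is scaled into [1/2, 2] and that two Newton steps follow; the scaling by powers of four (so that the square root picks up a power of two) and the starting guess (1 + s)/2 are my assumptions about the details they leave out. The iteration count is a parameter so the reader can see how quickly the tangent-line steps converge.

```python
import math


def scale_to_unit_range(a):
    """Write a = s * 4**e with 1/2 <= s < 2, so sqrt(a) = sqrt(s) * 2**e.

    Assumed scaling step: the notes say the calculator scales to [1/2, 2]
    but do not say how; dividing by 4 keeps the square root's factor exact.
    """
    s, e = a, 0
    while s >= 2.0:
        s /= 4.0
        e += 1
    while s < 0.5:
        s *= 4.0
        e -= 1
    return s, e


def newton_sqrt(a, iterations=2):
    """Square root of a real a >= 0 by Newton's Method on f(x) = x^2 - s.

    Each step follows the tangent line at x to the x-axis:
        x_new = x - f(x)/f'(x) = x - (x^2 - s) / (2x)
    """
    if a < 0:
        raise ValueError("negative numbers have no real square root")
    if a == 0:
        return 0.0  # zero is the one number with a single square root
    s, e = scale_to_unit_range(float(a))
    x = (1.0 + s) / 2.0  # assumed starting guess; it lies inside [1/2, 2)
    for _ in range(iterations):
        x = x - (x * x - s) / (2.0 * x)
    return x * 2.0 ** e


if __name__ == "__main__":
    for value in (2.0, 9.0, 1e6):
        for k in (1, 2, 4):
            print(value, k, newton_sqrt(value, k), math.sqrt(value))
```

Two iterations already give about six correct digits across the scaled range; a few more reach machine precision, which is why a fixed small iteration count is acceptable once the input has been scaled.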

3 Modular Arithmetic

We have all seen modular (or “clock”) arithmetic and familiarity with it is simply a matter of practice. Since my job requires me to use it almost daily, I have become quite adept at such calculation (but don’t ask me to compute a derivative of a trig function!). I don’t expect many readers have been doing these computations regularly, but I will be brief nonetheless. If a person gets interested in this sort of stuff, the rote calculations can be a good deal of fun. Let us, as a working example, do computations modulo seven. The symbol Z represents the set (or ring) of all integers, both positive and negative, so we use Z_7 to represent the set (or field) of integers modulo seven [2].

 +  | 0 1 2 3 4 5 6        ·  | 0 1 2 3 4 5 6
----+---------------      ----+---------------
 0  | 0 1 2 3 4 5 6        0  | 0 0 0 0 0 0 0
 1  | 1 2 3 4 5 6 0        1  | 0 1 2 3 4 5 6
 2  | 2 3 4 5 6 0 1        2  | 0 2 4 6 1 3 5
 3  | 3 4 5 6 0 1 2        3  | 0 3 6 2 5 1 4
 4  | 4 5 6 0 1 2 3        4  | 0 4 1 5 2 6 3
 5  | 5 6 0 1 2 3 4        5  | 0 5 3 1 6 4 2
 6  | 6 0 1 2 3 4 5        6  | 0 6 5 4 3 2 1

We can examine the diagonal and extract the function x ↦ x^2 in Z_7:

  x  | 0 1 2 3 4 5 6
 x^2 | 0 1 4 2 2 4 1

We see several things. First, (−x)^2 = x^2 if we interpret −x as 7 − x, the number in our number system which, added to x, gives zero. Second, not all numbers have square roots!

  x  | 0   1    2    3    4    5    6
 √x  | 0  1,6  3,4  dne  2,5  dne  dne

Here “√x” should be taken figuratively. As this example indicates, this is a poor notation for a number system where unexpected things occur. And “dne” here means “does not exist”. In order to have a square root for 3 (for example) modulo seven, we need to create some imaginary numbers. But we won’t do that here. (Evariste Galois explored such possibilities before dying in a duel in Paris in 1832, but that is another story entirely!) Now things get stranger and stranger. If you have a sheet of paper handy, try computing squares and square roots modulo twelve:

  x  | 0 1 2 3 4 5 6 7 8 9 10 11
 x^2 | 0 1

[2] Ah, and you ask: “Please remind me of the difference between a ring and a field!” Both rings and fields have all of the addition properties we expect from childhood, and the distributive law holds in both. In the commutative ring of integers, we have ab = ba for all a and b, but we don’t always have inverses — e.g., 5x = 1 has no integer solution x. In a field, every non-zero element has a multiplicative inverse, so we can talk about ‘division’.

I’ll bet that you immediately find yourself discovering theorems (or “shortcuts”, as the kids call them). For example, (−x)^2 = x^2 cuts your work in half (and it’s true!) and (2x)^2 = 4·x^2 can also help, perhaps with error checking. Now invert the above table, fully aware that x ↦ √x is not a function. How many square roots does each number have modulo twelve? Can you discover a pattern?

         x          | 0 1 2 3 4 5 6 7 8 9 10 11
 all y with y^2 = x |

This is a wonderful point of departure for a study in . For example there are eight different square roots of 1 when working modulo 24. But, in order to introduce the Rabin cryptosystem, we need only consider odd moduli of a very special form. In order to enter the world of cryptography, we will have to work modulo a product of two large primes. In practice, a secure computer system must use a modulus of about 600 digits, a product n = pq of two 300-digit primes. (Simple calculations with logarithms tell us that each of these primes p and q requires about 1000 bits of storage, so n is a 2 kilobit number in practice.) To get “under the hood” of such a set-up, we are wiser to choose p = 7, q = 11 and n = 35. (Other nice values are n = 35, 55, 65 or even n = 15, 21. Try them!)
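Added example, not code from the notes: a brute-force Python helper that builds the square and square-root tables above for any modulus. It lets the reader check the mod-7 table, run the mod-12 and mod-24 experiments (the claim that 1 has eight square roots modulo 24), and test the statement from Section 3.1 that −1 is a square modulo an odd prime p exactly when p ≡ 1 (mod 4). The function names are my own.

```python
def squares_mod(m):
    """Return {x: x*x mod m} for x in Z_m: the 'diagonal' of the multiplication table."""
    return {x: (x * x) % m for x in range(m)}


def square_roots_mod(m):
    """Invert the squaring map: {a: sorted list of all y in Z_m with y*y ≡ a (mod m)}.

    A value a that is not a key has no square root (the 'dne' entries of the notes).
    """
    roots = {}
    for y, a in squares_mod(m).items():
        roots.setdefault(a, []).append(y)
    return {a: sorted(ys) for a, ys in roots.items()}


def root_count_table(m):
    """Number of square roots of each a = 0, 1, ..., m-1; the 'pattern' exercise."""
    roots = square_roots_mod(m)
    return [len(roots.get(a, [])) for a in range(m)]


def minus_one_is_square(p):
    """Brute-force test of whether -1 (that is, p-1) is a square modulo p."""
    return (p - 1) in square_roots_mod(p)


def print_tables(m):
    """Render both tables in the layout the notes use."""
    sq = squares_mod(m)
    roots = square_roots_mod(m)
    print("  x  |", " ".join(str(x) for x in range(m)))
    print(" x^2 |", " ".join(str(sq[x]) for x in range(m)))
    print(" √x  |", " ".join(",".join(map(str, roots[a])) if a in roots else "dne"
                             for a in range(m)))


if __name__ == "__main__":
    for modulus in (7, 12, 24):
        print_tables(modulus)
        print()
```

Composite moduli are where the counts stop being 0, 1 or 2, which is exactly the ambiguity the Rabin decryption in Section 4 has to live with.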

Theorem 1 (Chinese Remainder Theorem). Suppose p and q have no common factor (i.e., they are “relatively prime”) and n = pq. Then there is a bijection (a one-to-one, onto function) σ : Z_p × Z_q → Z_n such that, for any a, a' ∈ Z_p and any b, b' ∈ Z_q,

σ(a, b) + σ(a', b') = σ(a + a', b + b'),   σ(a, b) · σ(a', b') = σ(aa', bb').

The inverse function is obtained by

x ↦ (x mod p, x mod q).

To get a concrete handle on this theorem, you might want to fill in the following table. The rows are labelled by the least residues modulo three (the “canonical forms” mod 3). The columns are labelled by the least residues modulo seven. Now proceed through the numbers 0, 1, ..., 20, entering each number x in row x mod 3 and column x mod 7. The above theorem says each and every box in the table will be used exactly once, since 3 and 7 have no common factor.

 3\7 | 0 1 2 3 4 5 6
-----+--------------
  0  |
  1  |
  2  |

For moduli bigger than three and seven, a table might get cumbersome. How can we find the number that will appear in a given row and column when there are many trillions of each? In fact, we can find σ(a, b) by solving a system of Diophantine equations:

x ≡ a (mod p)
x ≡ b (mod q)

Let’s do some examples in group work. The first two will require a bit more work, but then we’ll use algebra to get to the answer faster.

Example 2: Solve the system

x ≡ 1 (mod 3)
x ≡ 2 (mod 13)

Solution: Since 13 is the larger, we consider numbers that reduce to two modulo 13 and “hop along” until we find one that is one more than a multiple of three: x = 2 is bad; this x ≡ 2 (mod 3) of course. x = 2 + 13 = 15 is bad; this x ≡ 0 (mod 3). x = 15 + 13 = 28 is good! x ≡ 2 (mod 13) by design, but now also x ≡ 1 (mod 3), as desired.

Example 3: Solve the system

x ≡ 4 (mod 5)
x ≡ 3 (mod 21)

The answer will be unique if we restrict x to the range {0, ..., 104}.

Example 4: Solve the system

x ≡ 7 (mod 10)
x ≡ 2 (mod 7)

Again, the Chinese Remainder Theorem guarantees us a unique answer modulo 70.

Example 5: Solve the system

x ≡ 4 (mod 21)
x ≡ 23 (mod 55)

Solution: Now the search space is getting larger. So let us be a bit more clever in our search for x. Since x ≡ 23 (mod 55), we know that x is 23 more than some multiple of 55. That is, there is some integer k such that

x = 55k + 23 .

This takes care of our second congruence. So we just solve the first one:

x ≡ 4 (mod 21);

which is now written

55k + 23 ≡ 4 (mod 21)
13k + 2 ≡ 4 (mod 21)

where we reduced the coefficients 55 and 23 modulo 21 to make them smaller. Now we solve for k:

13k ≡ 2 (mod 21).

We need to find the inverse of 13 (in the ring Z_21). It turns out that 13^{-1} = 13 in this number system! (Indeed, 13^2 = 169 = 168 + 1 = 8 · 21 + 1.) This gives

13(13k) ≡ 13 · 2 (mod 21)
k ≡ 5 (mod 21)

So we can take k = 5 and this gives us x = 55k + 23 = 275 + 23 = 298. The solution is then x ≡ 298 (mod 1155) since 21 · 55 = 1155. Try some smaller examples of this form on your own:

Example 6: Solve the system

x ≡ 8 (mod 11)
x ≡ 2 (mod 13)

Example 7: Solve the system

x ≡ 1 (mod 7)
x ≡ 3 (mod 11)

Okay, so the Chinese Remainder Theorem allows us to turn a congruence modulo some n into a system of smaller congruences modulo factors of n, provided those factors are pairwise relatively prime.
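Both solution methods from the examples above, as an added Python example (my code, not the notes'): the “hop along” search of Example 2, and the algebraic method of Example 5 that writes x = qk + b and solves for k with the inverse of q modulo p. Python's built-in `pow(q, -1, p)` (available since Python 3.8) computes that inverse; everything else is plain arithmetic. The final check function just re-verifies both congruences, which is worth doing whenever a CRT solver is used in a decryption routine.

```python
from math import gcd


def crt_by_hopping(a, p, b, q):
    """Example 2's method: start at b and step by q until the value is ≡ a (mod p).

    At most p hops are needed, because the values b, b+q, b+2q, ... run through
    every residue modulo p exactly once when gcd(p, q) == 1.
    """
    if gcd(p, q) != 1:
        raise ValueError("moduli must be relatively prime")
    x = b % q
    for _ in range(p):
        if x % p == a % p:
            return x
        x += q
    raise AssertionError("unreachable when gcd(p, q) == 1")


def crt_by_inverse(a, p, b, q):
    """Example 5's method: x = q*k + b, so q*k ≡ a - b (mod p) and k = (a-b) * q^{-1} (mod p)."""
    if gcd(p, q) != 1:
        raise ValueError("moduli must be relatively prime")
    k = ((a - b) * pow(q, -1, p)) % p
    return (q * k + b) % (p * q)


def satisfies(x, a, p, b, q):
    """True when x solves both congruences; the inverse map x -> (x mod p, x mod q)."""
    return x % p == a % p and x % q == b % q


if __name__ == "__main__":
    # Example 5 from the notes, solved both ways.
    print(crt_by_hopping(4, 21, 23, 55), crt_by_inverse(4, 21, 23, 55))
    # The bijection of Theorem 1 for p = 3, q = 7: every box of the table is hit once.
    print(sorted(crt_by_inverse(a, 3, b, 7) for a in range(3) for b in range(7)))
```

The hopping method is fine for the classroom but costs up to p steps, which is why the inverse-based form is the one used with 1000-bit primes; both return the same residue because the theorem promises the solution is unique modulo pq.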

3.1 Square roots modulo a prime

If p is a prime and we work in the number system Zp (which is a field when p is prime), it turns out we can compute square roots efficiently. But the story is complicated for “half” the primes and easy for the other “half”. Ignoring p = 2, the primes split into those congruent to one modulo four 5, 13, 17, 29, 37, 41, 53, 61,... and those congruent to three modulo four: 3, 7, 11, 19, 23, 31, 43, 47, 59,....

(There are infinitely many of each type.) Finding square roots in Zp for p in the first group is complicated, so we prefer — not only for pedagogical purposes, but also for fast implementation of our decryption algorithm — to restrict attention to primes of the second sort. But how to find square roots in such a number system? The answer is surprising. We appeal to a theorem of Fermat (not his last!) which tells us about high exponents.

Theorem 2 (Fermat’s Little Theorem). If p is prime and a is an integer which is not a multiple of p, then a^{p−1} = 1 in Z_p.

If we think for a while, and recall that p must be odd unless p = 2, this tells us that a^{(p−1)/2} is equal, in the number system Z_p, to either 1 or p − 1. Now let us think further about this. Suppose p ≡ 3 (mod 4); i.e., p takes the form p = 4k + 3 for some integer k. Working in Z_p, we have

a^{p−1} = 1
a^p = a
a^{p+1} = a^2
a^{(p+1)/2} = ±a

So b = ±a^{(p+1)/4} satisfies b^2 = ±a. (Since p = 4k + 3, the exponent (p + 1)/4 = k + 1 is an integer, which is why the restriction to this kind of prime matters.) This is amazing! But we have to resolve a technical glitch: we want b^2 = a, not b^2 = −a. It turns out (and I encourage you to experiment with small values to get some evidence for this theorem) that −1 is a square modulo p if and only if p ≡ 1 (mod 4) (or p = 2, which we ignore). So if we know that a is a perfect square, and p ≡ 3 (mod 4) as we are assuming, then −a cannot be a perfect square. So b^2 does indeed equal a if we construct b in the above fashion. The upshot? We can compute square roots modulo any prime congruent to three modulo four! I will omit a discussion of the “square-and-multiply” algorithm for raising numbers to high exponents. But please take my word that, even if p is a 400-digit number, we can compute a^{(p+1)/4} with only about 800 multiplications. (Alternatively, you can find tutorials on “square and multiply” on the web.)
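The square-root recipe just derived, as an added Python example (not from the notes), together with the square-and-multiply exponentiation the notes skip. The exponentiation routine counts its modular multiplications so the reader can see that the cost is bounded by twice the bit length of the exponent. The root routine verifies b^2 = a rather than trusting the formula, because when a is not a square the formula still returns a number, just one whose square is −a. The Euler-criterion test is a standard fact about odd primes, not something the notes state explicitly.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right square-and-multiply: base**exponent mod modulus.

    Returns (result, number of modular multiplications performed). For a
    k-bit exponent there are k squarings and at most k multiplications.
    """
    result, count = 1, 0
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        count += 1
        if bit == "1":
            result = (result * base) % modulus
            count += 1
    return result, count


def is_square_mod_prime(a, p):
    """Euler's criterion for an odd prime p: a^{(p-1)/2} is 1 for squares, p-1 otherwise."""
    a %= p
    if a == 0:
        return True
    return square_and_multiply(a, (p - 1) // 2, p)[0] == 1


def sqrt_mod_prime_3mod4(a, p):
    """One square root of a modulo a prime p ≡ 3 (mod 4), or None if a is not a square.

    b = a^{(p+1)/4} satisfies b^2 = a^{(p+1)/2} = ±a; the check below keeps only the '+' case.
    The other root is p - b.
    """
    if p % 4 != 3:
        raise ValueError("this shortcut needs a prime p with p ≡ 3 (mod 4)")
    a %= p
    b, _ = square_and_multiply(a, (p + 1) // 4, p)
    if (b * b) % p == a:
        return b
    return None


if __name__ == "__main__":
    for a in range(7):                      # reproduces the mod-7 root table
        print(a, sqrt_mod_prime_3mod4(a, 7))
    _, mults = square_and_multiply(3, (2**1024 + 1) // 4, 2**1024 - 1)
    print("multiplications for a 1024-bit exponent:", mults)
```

Note that the count printed for a 1024-bit exponent is at most about 2 × 1024; the notes' “about 800” for a 400-digit prime is the same order-of-magnitude estimate.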

4 The Rabin Cryptosystem

Now we have all the tools necessary to understand the Rabin cryptosystem. As with any cryptosystem, we must specify how to generate keys for individual users, we must specify an encryption algorithm and a decryption algorithm. And then we should provide some proofs of security, perhaps based on core assumptions such as “Assume that the opponent cannot efficiently compute square roots modulo large composite numbers and that the opponent cannot efficiently factor large numbers into primes.” All of the material below must be made (or assumed to be) publicly available. Many talented young people miss this point (known as Kerckhoffs’s principle in cryptography): the security of your system cannot rely on keeping its general format secret — an opponent will eventually find out how it is designed — only the private keys are assumed to be out of public view. Some central trusted authority generates keys for all users in the system and promises not to disclose our private keys to others. These providers, such as VeriSign and Digital Signature Trust Co., are known as “Third Party Certificate Authorities” and we are often asked to accept their credentials when entering a secure session on the web.

Key Generation: For this user, generate two large prime numbers p and q (say 1000 bits each), both congruent to three modulo four, and set n = pq. The public key n is available to

anyone who wishes to send a message to this user (say on a web page or in a directory) while the private key (p, q) is kept in a secure location (on the user’s computer or other trusted device).

Encryption: To send a message to this user, first interpret the message as a number m (e.g., ASCII text becomes a string of zeros and ones, which can be broken into 1000-bit blocks each of which becomes an integer represented in binary, or a number in Z_n). Locate the user’s public key n and, instead of sending the “plaintext” m, send the “ciphertext” c = E(m) = m^2 (mod n).

Decryption: Upon receiving a ciphertext c, we must solve the equation m^2 ≡ c (mod n) for the message m. Knowing the factorization n = pq and applying the Chinese Remainder Theorem, we obtain a system of two linear congruences in the “variable” m^2:

m^2 ≡ c (mod p)
m^2 ≡ c (mod q)

We get two solutions modulo p, namely a1 = c^{(p+1)/4} and a2 = −c^{(p+1)/4}. Likewise, we obtain two solutions modulo q, namely b1 = c^{(q+1)/4} and b2 = −c^{(q+1)/4}. This gives us four potential plaintexts. We use the Chinese Remainder Theorem to recover

m1 ≡ a1 (mod p), m1 ≡ b1 (mod q)

m2 ≡ a1 (mod p), m2 ≡ b2 (mod q)

m3 ≡ a2 (mod p), m3 ≡ b1 (mod q)

m4 ≡ a2 (mod p), m4 ≡ b2 (mod q)

One of these four values is our message m. One less-than-desirable feature of this scheme is this last fact that we get not one but four possible answers. In practice, this is easily overcome by agreeing that every message will begin with some known string or adhere to some agreed format (e.g. ASCII). When we have 10^600 possible numbers mi in our ring Z_n, the probability that a randomly chosen one will make sense as a decrypted message is negligibly small. And, indeed, three out of the four mi computed are essentially random elements of the ring.
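The whole scheme end to end, as an added Python example written for this page (it is not Rabin's or the notes' code): key generation with the p ≡ q ≡ 3 (mod 4) check, encryption as squaring, decryption producing the four roots m1..m4 via the two prime-modulus roots and the Chinese Remainder Theorem, and the “agreed format” fix for the four-way ambiguity. The format rule, a constant trailing byte I call TAG, is my own constructed convention; a real deployment would use a standardised padding scheme. The primes are tiny on purpose so the arithmetic can be checked by hand (p = 7, q = 11 gives n = 77); real keys use primes of about 1000 bits, as the notes say. Decryption refuses a ciphertext that is not actually a square modulo n instead of returning garbage, which is the check a practitioner wants in place.

```python
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the toy key sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def rabin_keygen(p, q):
    """Public key n = p*q, private key (p, q); both primes must be ≡ 3 (mod 4) and distinct."""
    for r in (p, q):
        if not is_prime(r) or r % 4 != 3:
            raise ValueError(f"{r} must be a prime congruent to 3 modulo 4")
    if p == q:
        raise ValueError("p and q must be distinct")
    return p * q, (p, q)


def rabin_encrypt(m, n):
    """E(m) = m^2 (mod n); the message must already be a residue modulo n."""
    if not 0 <= m < n:
        raise ValueError("message must lie in 0 .. n-1")
    return (m * m) % n


def crt(a, p, b, q):
    """x with x ≡ a (mod p), x ≡ b (mod q), via x = q*k + b and k = (a-b) * q^{-1} (mod p)."""
    k = ((a - b) * pow(q, -1, p)) % p
    return (q * k + b) % (p * q)


def rabin_decrypt(c, p, q):
    """All square roots of c modulo n = p*q (the m1, m2, m3, m4 of the notes), sorted."""
    n = p * q
    a1 = pow(c, (p + 1) // 4, p)          # root modulo p, using p ≡ 3 (mod 4)
    a2 = (-a1) % p
    b1 = pow(c, (q + 1) // 4, q)          # root modulo q
    b2 = (-b1) % q
    roots = sorted({crt(a, p, b, q) for a in (a1, a2) for b in (b1, b2)})
    # If c is not a square modulo n, the formulas above still return numbers,
    # but their squares are not c: reject rather than hand back nonsense.
    if any((r * r) % n != c % n for r in roots):
        raise ValueError("ciphertext is not a square modulo n")
    return roots


TAG = 0xA5  # constructed format byte: every valid plaintext ends in this byte


def encode_with_tag(m):
    """Agreed message format: shift the payload up and append the fixed TAG byte."""
    return (m << 8) | TAG


def decrypt_with_tag(c, p, q):
    """Pick the one root that obeys the agreed format and strip the tag."""
    candidates = [r for r in rabin_decrypt(c, p, q) if r & 0xFF == TAG]
    if len(candidates) != 1:
        raise ValueError("no unique plaintext matches the agreed format")
    return candidates[0] >> 8


if __name__ == "__main__":
    n, (p, q) = rabin_keygen(7, 11)       # n = 77, small enough to check by hand
    c = rabin_encrypt(20, n)
    print("ciphertext:", c, "roots:", rabin_decrypt(c, p, q))
    n2, (p2, q2) = rabin_keygen(1019, 1031)   # still toy-sized, but room for a tag byte
    c2 = rabin_encrypt(encode_with_tag(1234), n2)
    print("tagged decryption:", decrypt_with_tag(c2, p2, q2))
```

With n = 77 the four roots of 20^2 come back as 13, 20, 57 and 64; note that 64 = 77 − 13 and 57 = 77 − 20, the (−x)^2 = x^2 symmetry from Section 3. With a modulus this small a one-byte tag can still be matched by a wrong root by accident, which is exactly why the notes' argument about negligible probability needs a 600-digit n.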

References

I finish with a few books one might glance at to get new ideas for enrichment projects in cryptography and number theory.

James K. Strayer, Elementary Number Theory, PWS Publishing Co., Boston, 1994.
Douglas R. Stinson, Cryptography: Theory and Practice (3rd ed.), CRC Press, Boca Raton, 2005.
Neal Koblitz, Cryptography As a Teaching Tool, Cryptologia, 21, no. 4 (1997), 317–326.
