Rsa

Spring 2012 Cryptography: RSA Mike Rosulek
xkcd webcomic. http://xkcd.com/538/

CHAPTER VII: PUBLIC-KEY CRYPTOGRAPHY
WITH RSA
Revision: March 5, 2012
Contents
1 The RSA Function 2
1.1 Number Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 The RSA Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 The Security of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Chinese Remainder Theorem and Applications 6
2.1 Application to RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Security Reductions 8
4 Partial Information Leaked by RSA 11
4.1 Quadratic Residuosity and Jacobi Symbols . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 RSA Leaks the Jacobi Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3 RSA Does Not Leak the First-Half Function . . . . . . . . . . . . . . . . . . . . . . . . 12
5 Primality Testing 14
5.1 Randomized Primality Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2 Solovay-Strassen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.3 Miller-Rabin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6 Problems 19
1
1 The RSA Function
RSA was among the rst public-key cryptography developed. It was rst described in 1978, and
is named after its creators, Ron Rivest, Adi Shamir, and Len Adleman.
1
Although plain textbook
RSA does not satisfy all of the desired properties of a proper encryption scheme, it provides a good
rst exposure to practical public-key cryptography.
Before introducing RSA, we need to rst reacquaint (or introduce) ourselves to a few important
concepts from number theory.
1.1 Number Theory
Z is the set of integers (positive, negative, and zero). For a, b Z, we say that a divides b, and
write a [ b, if there exists an integer c such that ac = b. In other words, b is an integer multiple of a.
Division Theorem. For all a, b Z with b ,= 0, there exist unique q, r Z simultaneously satisfying
a = bq +r and 0 r < [b[.
We dene a % b to be the unique value of r from the division theorem. The % symbol is called
the modulus operator.
2
We write a b (mod n) if n [ (a b). Equivalently, a b (mod n) if and
only if a %n = b %n.
We dene Z
n
= 0, . . . , n 1 to be the set of remainders modulo n, or, more formally, the
additive group modulo n. Arithmetic (addition, subtraction, multiplication)
3
works in Z
n
by simply
reducing the result modulo n. It doesnt matter whether you reduce intermediate steps modulo n,
since:
((a %n) + (b %n)) %n = (a +b) %n
((a %n)(b %n)) %n = ab %n
Every element x Z
n
has an inverse with respect to addition mod n: namely x % n. For
example, the additive inverse of 11 mod 14 is 11 3 (mod 14).
Greatest Common Divisors
If d [ x and d [ y, then d is a common divisor of x and y. The largest possible such d is called the
greatest common divisor (GCD), denoted gcd(x, y). The oldest numerical algorithm known is the
one Euclid described for computing GCDs (ca. 300 BCE):
GCD(x, y): // Euclids algorithm
if y = 0 then return x
else return GCD(y, x %y)
If gcd(x, y) = 1, then we say that x and y are relatively prime.
We let Z
n
denote the set x Z
n
[ gcd(x, n) = 1, the multiplicative group modulo n. This
group is closed under the operation of modular multiplication (if gcd(x, n) = gcd(y, n) = 1, then
1
Poor Clifford Cocks; he developed an equivalent scheme in 1973, but it was classied since he was working for
British intelligence. Maybe we should incorporate a C into the acronym somewhere... SCAR?
2
We use the convention that a % b is always always nonnegative, even if a is negative. This is different than the
convention in some programming languages, in which (a) %b = (a %b).
3
Division does not always just work in Zn.
2
gcd(xy, n) = 1 and thus gcd(xy % n, n) = 1 by Euclids algorithm). To be a group, the set must be
closed under inverses; that is, for all x Z
n
there must be a y Z
n
so that xy 1 (mod n). This
follows from the following theorem:
Bezouts Theorem. For all integers x and y, there exist integers s and t such that sx + ty =
gcd(x, y). In fact, gcd(x, y) is the smallest positive integer that can be written as an integral linear
combination of x and y.
If x Z
n
then gcd(x, n) = 1 and there exist integers s, t satisfying sx + tn = 1. By reducing
both sides of this equation modulo n, we have
1 sx +tn sx + 0 (mod n)
(since tn 0 (mod n)). Thus the integer s guaranteed by Bezouts theorem is a multiplicative
inverse of x modulo n. We write x
1
for the element s %n Z
n
.
An extended version of Euclids GCD algorithm can be used to compute the integers s and t
while the GCD is being computed. This is one effcient way to compute modular (multiplicative)
inverses:
Bezout(x, y):
// returns (d, s, t) such that
// gcd(x, y) = d = sx +ty
if y = 0 then return (x, 1, 0)
else (d, s, t) = Bezout(y, x %y)
return (d, t, s tx/y|)
The Totient Function
Eulers totient function is dened as (n) = [Z
n
[, in other words, the number of elements of Z
n
which are relatively prime to n.
As an example, if p is a prime, then Z
n
= Z
n
0 (every integer from 1 to p 1 is relatively
prime to p), thus (p) = p 1.
If p and q are distinct primes, then (pq) = (p 1)(q 1). One way to see this is that there are
pq elements in Z
pq
. Lets count how many elements in Z
pq
share a common divisor with pq (i.e.,
are not in Z
pq
):
Zero. Thats one element.
The multiples of p: p, 2p, 3p, . . . , (q 1)p. Thats (q 1) elements.
The multiples of q: q, 2q, 3q, . . . , (p 1)q. Thats (p 1) elements.
We have not double-counted in the last two lists: any item that occurs in both lists would be a
common multiple of both p and q, but when p and q are distinct primes, their least common multiple
is pq, which is larger than any item in the lists. Therefore the size of Z
pq
is pq 1(p1) (q 1),
which you can easily verify to be equal to (p 1)(q 1).
General formulas for (n) exist, but they typically rely on knowing the prime factorization of
n. We will see more connections between the difculty of computing (n) and the difculty of
factoring n later in this chapter.
Heres an important theorem from abstract algebra:
3
LaGranges Theorem. If G is a multiplicative group with k elements, then x
k
= 1 for all x G.
As a corollary, we have that:
x
(n)
1 (mod n) for all x Z
And as a nal corollary, we can deduce Fermats little theorem, that x
p1
1 (mod p) for all x,
when p is prime.
1.2 The RSA Function
The RSA function is dened as follows:
Let p and q be distinct primes (later we will say more about how they are chosen), and let
N = pq. N is called the RSA modulus.
Let e and d be integers such that ed 1 (mod (N)). e is called the encryption exponent,
and d is called the decryption exponent. These names are historical, but not entirely precise;
remember that RSA by itself does not achieve the security of a proper encryption scheme.
The RSA function is RSA((N, e), m) = m
e
%N.
The inverse RSA function is RSA
1
((N, d), c) = c
d
%N.
Essentially, the RSA function (and its inverse) is a simple modular exponentiation. It is important
to note that e and d live in Z
(N)
, while m and c live in Z
N
.
Lets make sure the claimed inverse is really an inverse. That is, when N, e, and d satisfy the
properties listed above, we have RSA
1
((N, d), RSA((N, e), m)) = m. Since ed 1 (mod (N)),
we can write ed = t(N) + 1 for some integer t. Then:
(m
e
)
d
m
ed
m
t(N)+1
(m
(N)
)
t
m 1
t
m m (mod N)
where we have used the fact that m
(N)
1 (mod N) from LaGranges theorem.
1.3 The Security of RSA
We see that for anyone who knows the values (N, d) (or equivalently, knows the factorization of
N = pq), it is easy to invert the RSA function. Our desired security from RSA is that the RSA
function is hard to invert when given only the values (N, e).
Because the denition refers to inversion (and not other properties like hiding partial informa-
tion), we reuse many of the concepts from our earlier denition of one-way functions. However,
here we must adapt the denitions to accommodate keys being generated. (Recall that one-way
functions were not parameterized by any kind of keys.)
Denition. Let = (KeyGen, F, F
1
) be a collection of three functions. Dene the following game,
called the inversion game, played between an adversary (algorithm) / and a challenger:
1. The challenger generates (pk, sk) KeyGen and chooses a string x uniformly from 0, 1
n
.
2. The challenger gives pk and F(pk, x) as input to /.
3. / outputs a string x.
4
4. If F(pk, x) = F(pk, x), then the outcome of the game is YES, otherwise the outcome is NO.
Denote the (random variable) outcome of this game as Invert(, /).
Denition. Let = (KeyGen, F, F
1
) be a collection of three functions. Then the collection is a
trapdoor function (TDF) if:
1. Efciency: Each of KeyGen, F, and F
1
can be computed efciently.
2. Correctness: For all (pk, sk) KeyGen and all strings x, we have F
1
(sk, F(pk, x)) = x.
3. Trapdoor one-wayness: For every efcient adversary /, we have Pr[Invert(, /) = YES] 0.
Formally, the security denition applies to the trio (KeyGen, F, F
1
). To make things simpler,
though, we typically refer to the forward-computing function F when the corresponding KeyGen
function and F
1
are clear from context. For example, we would say that the RSA function
m m
e
% N is a trapdoor function, with the understanding that N and e are chosen in the
appropriate way.
5
2 Chinese Remainder Theorem and Applications
The multiplicative group Z
N
has some interesting structure when N is the product of distinct
primes. We can use this structure to optimize some algorithms related to RSA.
Chinese Remainder Theorem (CRT). Dene the function CRT
r,s
: Z
rs
Z
r
Z
s
as
CRT
r,s
(x) = (x %r, x %s).
Then CRT
r,s
is a bijection whenever gcd(r, s) = 1.
Proof: First, we will show that CRT
r,s
is a surjection; that is, every (u, v) Z
r
Z
s
is equal to
CRT
r,s
(x) for some x Z
rs
.
Let u Z
r
and v Z
s
. Since gcd(r, s) = 1, we have by Bezouts theorem that 1 = ar + bs
for some integers a and b. Recall that b s
1
(mod r), from our earlier discussion of modular
(multiplicative) inverses. Choose x = var +ubs. Then,
x var +ubs (va)0 +u(s
1
s) u (mod r)
By a symmetric argument, we can see that x v (mod s). Next, note that (x % rs) % r = x % r,
and (x % rs) % s = x % s. Thus CRT
r,s
(x % rs) = (x % r, x % s) = (u, v), so x % rs is the desired
preimage of (u, v) in Z
rs
.
Then, since [Z
rs
[ = rs = [Z
r
Z
s
[, and since CRT
r,s
is a surjection from one set to another, it
must be a bijection.
Another way to think of the CRT is in terms of solving a system of modular equations:
Chinese Remainder Theorem (CRT), restated. If gcd(r, s) = 1 then for all integers u, v, there is
a solution for x in the following system of equations:
x u (mod r)
x v (mod s)
Furthermore, this solution is unique modulo rs.
Groups
We can consider the cartesian product Z
r
Z
s
to be a mathematical group. Its elements are pairs,
and we can dene addition and multiplication on those pairs as follows:
(a, b) + (c, d) = (a +c, b +d)
(a, b) (c, d) = (a c, b d)
Note that the + and operators on the left-hand side are the operator in Z
r
Z
s
that we are
dening. The operators on the right-hand side are the operators within the groups Z
r
and Z
s
,
respectively, which we are using.
With addition and multiplication dened within the product group Z
r
Z
s
, it is easy to see
that the following properties of the CRT function are true for all x, y Z
rs
:
CRT
r,s
(x) +CRT
r,s
(y) = CRT
r,s
(x +y)
CRT
r,s
(x) CRT
r,s
(y) = CRT
r,s
(x y)
6
Again, the addition and multiplication on the left-hand side are operating on elements of Z
r
Z
s
(i.e., pairs), while the addition and multiplication on the right-hand side are operating on elements
of Z
rs
(i.e., single numbers).
We see that the CRT function is a bijection and that it preserves group operations. We call such
a function an isomorphism, and say that the two groups Z
rs
and Z
r
Z
s
are isomorphic (written as
Z
rs

= Z
r
Z
s
).
The correspondence between Z
rs
and Z
r
Z
s
extends beyond simple addition and multiplica-
tion. Almost every conceivable property of the elements is preserved. For example, CRT
r,s
always
maps elements of Z
rs
to elements of Z
r
Z
s
, and vice-versa; that is, it preserves the invertibility of
elements. This is because gcd(x, rs) = 1 implies gcd(x, r) = gcd(x, s) = 1 whenever gcd(r, s) = 1.
Fun fact: this yields an alternative proof that (pq) = (p 1)(q 1) when p and q are prime.
4
2.1 Application to RSA
Since Z
rs
and Z
r
Z
s
are essentially the same mathematical object, we can use whichever inter-
pretation is convenient for us. A great example is computing the RSA inverse function c c
d
%N.
If p and q are n bits long, then N is about 2n bits long. Performing an exponentiation modulo a
n-bit number requires about n
3
steps. So the RSA inverse function costs about (2n)
3
= 8n
3
steps to
perform.
However, consider the following observation:
c
d
= CRT
1
p,q
(CRT
p,q
(c
d
)) = CRT
1
p,q
((CRT
p,q
(c))
d
) = CRT
1
p,q
(c
d
%p, c
d
%q)
In other words, we could also compute c
d
by rst applying the CRT mapping, to obtain the pair
(c % p, c % q), then perform the exponentiation separately modulo p and modulo q, then invert
the CRT mapping. This would require 2 exponentiations, now modulo n-bit numbers, thus about
2(n
3
) steps. Computing CRT
1
p,q
(whose denition is implicit in the rst proof of this section) is
inconsequential compared to the cost of the exponentiations. Thus, using CRT, we obtain a speed
increase by a factor of about 4.
Its worth pointing out that this speedup can only be done for the RSA inverse function. One
must know p and q in order to exploit the Chinese Remainder Theorem, and only the party per-
forming the RSA inverse function typically knows this.
4
(pq) = |Z
pq
| = |Z
p
Z
q
| = (p 1)(q 1).
7
3 Security Reductions
It is believed (but not proved) that the RSA scheme is a trapdoor one-way function.
RSA Assumption. The RSA function is a trapdoor function.
It is not hard to see that if one is able to factor the modulus N, then one can easily compute
the decryption exponent d and thus invert RSA. Thus, if RSA really is a TDF then the following
assumption must be true:
Factoring Assumption. There is no efcient algorithm that outputs p or q with more than negli-
gible probability given pq as input, when p and q are distinct primes chosen uniformly at random
from all n-bit primes.
When RSA was originally proposed, it was conjectured that inverting RSA is equivalent to the
Factoring Assumption. Certainly, if RSA is a TDF, then the Factoring Assumption is true. Unfortu-
nately, it is not known whether the Factoring Assumption implies that RSA is a TDF. In other words,
we do not know if there are ways to invert RSA that dont involve factoring N, or computing d.
However, we do know that certain kinds of attacks against RSA are equivalent to factoring, and
these will provide our rst exposure to security reductions.
Security Reductions
A security reduction is a statement like if there is an efcient algorithm for A, then there is an
efcient algorithm for B. Why is such a statement useful? Consider the case where A is the
problem of violating a security condition, and B is a problem like factoring. Then the security
reduction means that any attack on the system can be transformed into an algorithm for factoring.
Now consider the contrapositive: If we believe that no efcient algorithm for B (factoring) exists,
then there must not be an efcient algorithm for A; in our example, there is no efcient way to
violate the security condition.
An overview of several security reductions related to RSA is given below in Figure 1. For
instance, if the factorization of N = pq is known, then (N) can be easily computed as (N) =
(p 1)(q 1). If (N) is known, then it is easy to compute d e
1
(mod (N)). If d is known,
then it is trivial to invert RSA by computing c c
d
%N. After all, we imagine that the person who
chooses N, e, and d is already able to (easily) do all of these things. These very simple reductions
establish the three main left-to-right arrows in the gure. Note that these simple reductions involve
steps like multiplication, computing modular inverses, and computing modular exponentiation
all of which are efcient in the security parameter, which is the number of bits in the numbers
involved.
A more sophisticated reduction is the following:
Claim. If there is an efcient algorithm for computing d, then there is an efcient algorithm for
factoring N.
Its convenient to break down this reduction into two steps. We rst introduce a new problem
X and then show two reductions: that an efcient algorithm for computing d implies an efcient
algorithm for X; and that an efcient algorithm for X implies an efcient algorithm for factoring
N. The problem X in question is the following:
8
Factoring
N
Computing
(N)
Finding
non-trivial
1 mod N
Computing
d
Inverting
RSA
trivial
trivial trivial
homework
t
h
i
s
s
e
c
t
i
o
n
t
h
is
s
e
c
t
io
n
h
o
m
e
w
o
r
k
??
Figure 1. An arrow from A to B means that an ecient algorithm for A implies one for B.
Denition. A number x is a square root of unity modulo N if x
2
1 (mod N). If x , 1 (mod N)
and x , 1 (mod N), then we say that x is a non-trivial square root of unity.
Note that 1 are always square roots of unity modulo N, for any N. But if N = pq is the
product of distinct odd primes, then there are 4 square roots of unity modulo N: two trivial and
two non-trivial ones (see the exercises in this chapter).
Lemma. If there is an efcient algorithm for computing nontrivial square roots of unity modulo
N, then there is an efcient algorithm for factoring N.
Proof: We assume that there is an efcient algorithm for computing nontrivial square roots; i.e.,
we are allowed to write an algorithm that includes the step nd a nontrivial square root of unity
modulo N, and we assume that this step takes a polynomial amount of time (polynomial in the
number of bits needed to represent the numbers involved).
Our reduction is simple: the efcient algorithm for factoring N is:
Factor(N):
x = nd a nontrivial square root of unity modulo N
return gcd(N, x + 1) and gcd(N, x 1)
The algorithm is simple, but we must argue that it is correct.
Let x be a nontrivial square root of unity modulo N. Then x
2
1 (mod pq), or in other words,
pq [ (x
2
1). Factoring the right-hand-side, we have pq [ (x + 1)(x 1). But since x is a nontrivial
square root of unity, we have x , 1 (mod pq), thus pq ,[ (x 1).
When p and q are distinct primes, then we have the following:
pq [ AB and pq ,[ A and pq ,[ B = either (p [ A and q [ B) or (p [ B and q [ B)
Substituting A = x + 1 and B = x 1, it follows that gcd(N, x 1), gcd(N, x + 1) = p, q.
Lemma. If there is an efcient algorithm for computing d, then there is an efcient algorithm for
computing nontrivial square roots of unity modulo N.
Proof: As before, we suppose that in addition to the modulus N and exponent e, we can obtain
the exponent d in polynomial time. Now consider the following subroutine:
SqrtUnity(N, e, d):
Write ed 1 = 2
s
r, with r odd (i.e., factor out as many 2s as possible)
Choose w uniformly at random from Z
N
.
Compute the sequence (1, w
r
, w
2r
, w
4r
, w
8r
, . . . , w
2
s
r
) modulo N.
Return the number just before the rst 1 that appears in the sequence.
9
Since ed 1 (mod (N)), we can write ed = t(N) + 1 for some integer t. Then w
2
s
r
= w
ed1
w
t(N)
1
t
1 (mod N) from LaGranges theorem. So 1 is the last number in the sequence
in step 3 of SqrtUnity, thus step 4 of SqrtUnity is well-dened there is always a 1 appearing
somewhere in the sequence. Furthermore, since the sequence of numbers w
r
, w
2r
, . . . are obtained
by squaring the previous number, the output of SqrtUnity is indeed a square root of unity.
In the rare event that w is chosen so that w , Z
N
, this would mean that gcd(N, w) ,= 1. In that
case, gcd(N, w) p, q and we can factor N. After N is factored, it is easy to compute a nontrivial
square root of unity modulo N (see the homework).
Conditioned on w Z
N
, it is possible to show that SqrtUnity(N, e, d) returns a square root
of unity chosen uniformly at random from among the four possible square roots of unity. With
probability 1/2, the output is a nontrivial square root. We can repeat this basic process n times,
and the probability that we fail to encounter a nontrivial square root of unity is 1/2
n
, which is
negligible.
5
When we have a reduction (or path of reductions) from A to B and also from B to A, we say
that A and B are equivalent. Indeed, there is an efcient algorithm for A if and only if there is
one for B. In our case, we can see that four problems factoring N, computing (N), computing
d, and nding a nontrivial square root of unity mod N are all equivalent in this sense. Since
there is a reduction from these equivalent problems to the problem of inverting RSA, we say that
inverting RSA is no harder than factoring. It is not clear whether inverting RSA is actually easier
than factoring. Indeed, it may be the case that the factoring assumption is true (i.e., factoring RSA
moduli is hard) and yet RSA is not a TDF.
5
In general it is acceptable for reductions such as these to fail with negligible probability.
10
4 Partial Information Leaked by RSA
If the RSA function is hard to invert, does that mean that it hides all partial information about its
input? We have previously seen in the case of (plain) one-way functions that hard to invert does
not imply hides all partial information.
Indeed, this is also the case when considering trapdoor functions. In this section we will see
one example of information that is leaked by RSA. However, we will also see an example of some
partial information that is not leaked. Since the security denition of RSA makes no reference
to partial information leakage, how can we be sure that certain information is not leaked? This
will be one of our lovely examples of how all of our security statements are demonstrated via
appropriate algorithms. To prove both of these claims (that partial information A is leaked, and
partial information B is not leaked), we simply describe an appropriate algorithm!
A good way to think about partial information is as a function on plaintexts. Suppose f : /
X for some set X. Well say that a TDF leaks f if there is an efcient algorithm that determines
f(m) given only pk and F(pk, m). If [X[ = 1, then there is really no information leaked we can
compute f(m) without looking at F(pk, m)! But even if [X[ = 2, we will consider it a signicant
leakage.
4.1 Quadratic Residuosity and Jacobi Symbols
Denition. We say that x Z
n
is a quadratic residue modulo n if there exists y Z
n
satisfying
x y
2
(mod n). We let QR
n
denote the set of quadratic residues modulo n.
Example: We can write out the elements of Z
15
and square each one. The resulting numbers are
the quadratic residues:
x 1 2 4 7 8 11 13 14
x
2
1 4 1 4 4 1 4 1
Therefore we see that QR
15
= 1, 4.
Due to the following famous theorem of Euler, we have an easy way of determining quadratic
residuosity modulo an odd prime:
Theorem (Eulers Criterion). If p is an odd prime then a QR
p
if and only if a
(p1)/2
1
(mod p).
Note that there are only two possibilities for a
(p1)/2
. This quantity is always a square root of
unity modulo p, so it must be either +1 or 1.
The idea behind Eulers criterion can be extended for a non-prime modulus. This is done with
the Jacobi symbol:
Denition. The Jacobi symbol
_
a
n
_
is dened as follows:
_
a
n
_
=
_
a
(n1)/2
%n if n is prime
i
_
a
p
i
_
e
i
if n =
i
p
e
i
i
is the prime factorization of n
We will be most interested in the case where the denominator is the product of two distinct
primes. We can see that
_
a
pq
_
=
_
a
p
__
a
q
_
, which equals 0 if gcd(a, pq) ,= 1.
_
a
pq
_
is 1 if a is a
quadratic residue modulo exactly one of p and q; and it is +1 otherwise.
11
Even though the denition of the Jacboi symbol is in terms of the prime factorization of the
denominator, we do not need to factor numbers to compute it. In fact, there is an efcient algorithm
for determing the value of a Jacobi symbol based applying the following four identities:
_
a
n
_
=
_
a %n
n
_ _
2
n
_
= (1)
(n
2
1)/8
_
ab
n
_
=
_
a
n
_
_
b
n
_
_
a
n
_
=
_
_
n
a
_
if n a 3 (mod 4)
_
n
a
_
otherwise
4.2 RSA Leaks the Jacobi Symbol
The Jacobi symbol
_
x
n
_
satises the equality
_
x
n
_ _
y
n
_
=
_
xy
n
_
. Thus in the context of RSA, we have
that
_
m
N
_
e
=
_
m
e
N
_
. We leave it as an exercise for the reader that the encryption exponent e must
always be odd. Since the Jacobi symbol is always in 1, 0, +1, we must have
_
m
e
N
_
=
_
m
N
_
e
=
_
m
N
_
.
In other words, the Jacobi symbol of the ciphertext (m
e
) is the same as that of the plaintext (m);
the RSA function preserves the Jacobi symbol. Approximately half of the elements of Z
N
= /
have Jacobi symbol +1 and the other half have Jacobi symbol 1 (a very small fraction have
Jacobi symbol 0), so learning the Jacobi symbol of the plaintext narrows down the set of potential
plaintexts by about half! Equivalently, it can double the adversarys probability of successfully
guessing the plaintext.
4.3 RSA Does Not Leak the First-Half Function
We now give an example leakage function f such that RSA does not leak f(m). How can we say
that a TDF does not leak a given function f, when after all the TDF denition does not consider
partial information leakage? The way to do it is by reducing the problem of learning f(m) to a
problem that the TDF denition does consider!
We will show the following reduction: If there is an efcient algorithm to determine f(m) in the
TDF experiment, then we could use that algorithm to completely determine m. So as long as we
are condent that RSA is indeed a TDF, we can be condent that there is no efcient algorithm for
determining f(m) in other words, RSA does not leak f as long as RSA does not leak the entire
plaintext!
The leakage function we have in mind is the following (dened over the set of RSA plaintexts
/ = Z
N
):
FH(m) =
_
0 if 0 m
N1
2
1 if
N+1
2
m N 1
Although FH (which incidentally stands for rst half) is only a single bit of information about m,
we will show that if one is able to compute it, then one is able to recover all of m.
Suppose we had an efcient algorithm A, which on input pk = (N, e) and c = m
e
%N correctly
outputs FH(m). Our algorithm for recovering m given pk and c works like this:
6
When we receive input c, for all we know m could be any number in Z
N
. After running A on
input (pk, c) to determine FH(m), we narrow down the possibilities for m by half m is either in
the rst half or second half of Z
N
. Next, note that if we know c = m
e
, we can compute (2m)
e
= c2
e
using information we already know (c and e). So we can call algorithm A on input (pk, c2
e
) to
6
The main idea behind the reduction is fairly simple binary search. But writing out the full details of the reduction
is quite tedious; well just present an outline of the approach.
12
determine whether 2m%N is in the rst half or second half of Z
N
as well! Now observe that when
we double the numbers 0, 1, . . . , (N 1)/2, we get 0, 2, 4, . . . , N 1. When we double (mod
N) the numbers (N +1)/2, . . . , N 1, we get 1, 3, 5, . . . , N 2. Each of the halves gets spread
out across all of Z
N
from this doubling operation. So suppose, for example, that we know that m
is in the rst half. Then if 2m is in the second half of Z
N
, we know that m must have in fact been
from the 2nd half of the 1st half of Z
N
, or in other words, the 2nd quarter of Z
N
. We have again
cut the set of possibilities for m by half.
In summary, we can use the algebraic properties of RSA along with our assumed algorithm A to
determine FH(2
i
m) for values i = 0, 1, . . .. Each time we do so, we reduce the possibilities for m
by half, like a binary search. To get from N possibilites for m to only one possibility for m requires
us to halve the possibilities ,log
2
N| = n times. So our algorithm for determining m requires n calls
to the algorithm A (as well as some other multiplications, etc) slower, but still polynomial-time
in the security parameter n if A is polynomial-time.
13
5 Primality Testing
One issue weve glossed over that you may have noticed is that the KeyGen algorithm for RSA must
choose two large random prime numbers. How is this done? Perhaps the most straightforward
approach would be the following trial-and-error approach:
RandomPrime(k): // returns a random k-bit prime
do:
n random k-bit string (most signicant bit 1)
while not IsPrime(n)
return n
It is clear that this algorithm will return a prime number, uniformly distributed from all primes
whose binary representation requires exactly k bits. What is less clear is the efciency of such an
algorithm. There are two main issues related to the efciency of this trial-and-error approach:
1. How many times will the algorithm execute the main loop (on average) before it nds a
prime?
2. How can we implement IsPrime() efciently?
The rst question is answered by the following famous theorem of number theory:
Prime Number Theorem. Let (N) be the number of primes less than N. Then (N)/N grows
asymptotically as 1/ ln N.
The ratio (N)/N is the percentage of numbers less than N that are prime. Stated differently,
if you were to pick a number uniformly at random from 1, . . . N, the probability that you would
pick a prime number is about 1/ ln N = O(1/ log
2
N). If N = 2
n
1 (the largest n-bit number),
then this probability is O(1/n).
If a process has a successful outcome with probability p, then the expected number of times
needed to repeat the process to encounter the rst successful outcome is 1/p. So it requires an
expected O(n) tries to pick a random n-bit prime. By our convention of measuring efciency of
numerical algorithms as a function of the number of bits in the numbers, O(n) is considered
efcient. So as long as the IsPrime subroutine is similarly efcient, the RandomPrime algorithm
given above is efcient (in the average case).
5.1 Randomized Primality Algorithms
In 2002, Agrawal, Kayal, and Saxena proved that there is a deterministic efcient algorithm for
determining whether a number is prime. So in principle, we could use their algorithm for the
IsPrime subroutine. Unfortunately, for n-bit numbers the algorithm takes about O(n
12
) time. This
is efcient by our denitions, but not very practical. Subsequent improvements have reduced the
complexity of the algorithm to about O(n
6
), but this is still pretty bad.
So instead of using deterministic algorithms for primality, most applications use a probabilistic
(randomized) algorithm. These algorithms are much more practical, but this efciency comes at a
price. They have a very small probability of reporting a false positive; that is, they might report a
composite number to be prime, with very small probability. But this probability can be tuned to be
as low as we want it. Without much effort we can make the false-positive probability less than, say,
the probability of an alpha-particle causing a hardware failure in your computer.
14
The general outline of a randomized primality test goes like this: First, we nd an equation
P(a, N) with the following two properties:
1. If N is prime, then P(a, N) is true for all a Z
N
.
2. If N is composite, then P(a, N) is false for at least half of a Z
N
.
With such a condition P in hand, we can then do the following:
RandomizedIsPrime(N):
n = number of bits in N
do n times:
pick a random a (Z
N
0)
if gcd(a, N) ,= 1 then output composite
if P(a, N) is false, output composite
output prime
Whenever the algorithm outputs composite, it is correct. However, it might erroneously report
that a composite number N is prime. Conditioned on the event that the algorithm never outputs
composite, we see that a is chosen uniformly from Z
N
, not just Z
N
. If N is still composite, then
the algorithm can only output prime with probability at most 1/2
n
because each time a is chosen,
the algorithm must have avoided the half of Z
N
for which P(a, N) is guaranteed to be false.
5.2 Solovay-Strassen
The Solovay-Strassen algorithm ts into this framework by using a connection between primes and
the Jacobi symbol. Recall that the Jacobi symbol is dened as follows:
_
a
n
_
=
_
a
(n1)/2
%n if n is prime
i
_
a
p
i
_
e
i
if n =
i
p
e
i
i
is the prime factorization of n
Recall also that there is an efcient algorithm for computing the Jacobi symbol
_
a
n
_
given a and n.
The Solovay-Strassen algorithm uses our general framework for a randomized primality test, with
the following condition P(a, N):
P(a, N) =
_
true if
_
a
N
_
a
(N1)/2
(mod N)
false otherwise
We can see by the denition of Jacobi symbols that if N is prime, then P(a, N) is true for all a. It
simply remains to prove the following other property of P:
Claim. If N is composite, then P(a, N) = false for at least half of a Z
N
.
Before we can prove the claim, we need a little more machinery from abstract algebra.
Subgroups
Let X be a subset of Z
N
, the multiplicative group modulo N. We say that X is a subgroup of Z
N
if it satises the following conditions:
15
(Closure under multiplication) For all a, b X, we have (ab %N) X.
(Closure under inverses) For all a X, there is an element a
1
X such that aa
1
1
(mod N).
For instance, the set of quadratic residues QR
N
is a subgroup of Z
N
, because the product of
quadratic residues is also a quadratic residue, and the inverse of a quadratic residue is a quadratic
residue.
The following theorem from LaGrange turns out to be very helpful...
LaGranges Theorem. If X is a subgroup of Z
N
, then [X[ divides (N).
... because it yields the following corollary:
Corollary. If X is a subgroup of Z
N
and X ,= Z
N
, then [X[ (N)/2.
Why is this helpful? We want to be able to say that if N is composite, then P(a, N) is false for
at least half of the elements a Z
N
. To do this, we can show that X = a Z
N
[ P(a, N) is true
is a subgroup of Z
N
. X are the bad elements of Z
N
, from our point of view they mislead us
into thinking that N is prime. If we can then show that there is even one element a Z
N
X, then
we will have established that [X[ (N)/2; in other words, the elements a for which P(a, N) is
false is Z
N
X, which has size at least (N)/2.
Proof of the claim
We will prove the claim about P(a, N) for the special case where N is a product of distinct primes
N = p
1
p
2
p
t
. The case where a prime power divides N is slightly more complicated.
We will follow the outline sketched above. Let N = p
1
p
t
and dene X = a Z
N
[
_
a
N
_

a
(N1)/2
(mod N). We rst claim that X is a subgroup of Z
N
. For a, b X, we see that:
_
ab
N
_
=
_
a
N
_
_
b
N
_
(identity for Jacobi symbols)
a
(N1)/2
b
(N1)/2
(mod N) (since a, b X)
(ab)
(N1)/2
(mod N)
So ab X as well. Similarly, if a X, then:
_
a
1
N
_
=
_
a
N
_
1
(a
(N1)/2
)
1
(a
1
)
(N1)/2
(mod N)
So a
1
X as well. Thus X is a subgroup of Z
N
.
All we have to do now is to show that there exists a number a Z
N
X; that is, a number
a Z
N
such that
_
a
N
_
, a
(N1)/2
(mod N).
Recall that N = p
1
p
t
. Using the Chinese Remainder theorem, we can nd a number a Z
N
that satises the following system:
a b (mod p
1
)
a 1 (mod N/p
1
)
16
In the above equation, we choose b to be any non-quadratic-residue modulo p
1
. Then using the
identies for Jacobi symbols, we have:
_
a
N
_
=
_
a
p
1
__
a
N/p
1
_
=
_
b
p
1
__
1
N/p
1
_
= (1)(1) = 1
On the other hand:
a
(N1)/2
1 (mod p
1
) (from Eulers criterion for quadratic residues)
a
(N1)/2
1 (mod N/p
1
)
So a
(N1)/2
cannot be congruent to 1 modulo N since it is not congruent to 1 modulo N/p
1
.
Thus for this choice of a we have
_
a
N
_
= 1 , a
(N1)/2
(mod N). By demonstrating an element
a Z
N
X, we have shown that [X[ (N)/2.
5.3 Miller-Rabin
The Miller-Rabin primality test is motivated by Fermats little theorem: a
N1
1 (mod N) for
all a, if N is prime. Unfortunately, Fermats little theorem cant be used directly as a basis for a
primality test. There exist composite numbers N for which a
N1
1 (mod N) for all a. Numbers
with this property are called Carmichael numbers, the smallest of which is 561.
However, the Miller-Rabin test combines Fermats little theoremwith another property of primes,
namely the following:
Observation. N is a prime power if and only if 1 are the only square roots of unity modulo N.
A prime power is a number of the form p
k
where p is a prime. A prime power cannot be a
Carmichael number, so we have the following observations:
If N is prime, then it has only two square roots of unity, and it satises Fermats little theorem.
If N is a composite and a Carmichael number, then it has at least four square roots of unity.
If N is a composite and not a Carmichael number (possibly a prime power), then it does not
satisfy Fermats little theorem. That is, there is some a for which a
N1
, 1 (mod N).
The Miller-Rabin test cleverly tests both conditions (Fermats little theorem and square roots of
unity) at once, using an approach similar to one weve seen before:
MillerRabin(a, N):
Write N 1 = 2
s
r, with r odd (i.e., factor out as many 2s as possible)
Compute the sequence (1, a
r
, a
2r
, a
4r
, a
8r
, . . . , a
2
s
r
) modulo N.
If the last element of the sequence is not 1, then output composite
If the element before the rst 1 in the sequence is not 1, then output composite
Otherwise, output prime
Whenever this test outputs composite, it is true that N is a composite number. If it outputs
composite in the third line, then we have 1 , a
2
s
r
= a
N1
(mod N), so Fermats little theorem is
not satised. Recall from our earlier discussion of square roots of unity that the number preceeding
the rst 1 in the sequence (1, a
r
, a
2r
, . . . , a
2
s
r
) is a square root of unity other than 1. So if the
17
algorithm outputs composite in the fourth line, then N has a square root of unity other than 1.
In both cases, N must be composite.
Finally, it sufces to show that if N is composite, then at least half of the values a Z
N
will
cause the test to output composite. In the case that N is not a prime power, we already know
that the fourth line considers a uniformly random square root of unity, and thus this test alone
has probability at least half of encountering a non-trivial square root of unity (with even higher
probability the more prime factors N has). In the case where N is a prime power, it is possible to
show using a similar argument as in the previous section that at least half of the values of a will
satisfy a
(N1)
, 1 (mod N).
As with the Solovay-Strassen algorithm, we may repeat the test n times on an independently
random choice of a to lower the total probability of a false positive to 1/2
n
.
18
6 Problems
1. Prove that if g
a
1 (mod n) and g
b
1 (mod n), then g
gcd(a,b)
1 (mod n).
2. Prove that gcd(2
a
, 2
b
) = 2
gcd(a,b)
.
3. Prove that x
a
% n = x
a%(n)
% n. In other words, when working modulo n, you can reduce
exponents modulo (n).
4. In this problem we determine the efciency of Euclids GCD algorithm. Since its input is a pair
of numbers (a, b), lets call a+b the size of the input. Let F
k
denote the kth Fibonacci number,
using the indexing convention F
0
= 1; F
1
= 2. Prove that (F
k
, F
k1
) is the smallest-size input
on which Euclids algorithm makes k recursive calls. Hint: Use induction on k.
Note that the size of input (F
k
, F
k1
) is F
k+1
, and recall that F
k+1

k+1
, where 1.618 . . .
is the golden ratio. Thus, for any inputs of size N [F
k
, F
k+1
), Euclids algorithm will make
less than k log
N recursive calls. In other words, the worst-case number of recursive calls

made by Euclids algorithm on an input of size N is O(log N), which is linear in the number
of bits needed to write such an input.
7
5. Consider the following multi-message TDF inversion game:
(a) The challenger generates (pk, sk) KeyGen and gives pk to /.
(b) As many times as / wants: the challenger chooses a string x
i
uniformly from 0, 1
n
and gives F(pk, x
i
) to /.
(c) / outputs a string x.
(d) If F(pk, x) = F(pk, x
i
) for any x
i
chosen in step (b), then the outcome of the game is
YES, otherwise the outcome is NO.
Show that if (KeyGen, F, F
1
) is a TDF, then it no adversary succeeds with more than negli-
gible probability in the multi-message game above.
6. The Chinese Remainder Theorem states that there is always a solution for x in the following
system of equations, when gcd(r, s) = 1:
x u (mod r)
x v (mod s)
Give an example u, v, r, s, with gcd(r, s) ,= 1 for which the equations have no solution.
Explain why there is no solution.
7. (a) Show a reduction from the problem of computing (N) to the problem of factoring N,
when N is the product of two distinct primes. That is, show that given N and (N), it
is possible to factor N easily. BTW, you cant say rst compute d, then nd a non-trivial
square root of unity, then factor N because the rst step (computing d) is only relevant
when a corresponding encryption exponent e is known. In this problem, all you are
given is N and (N). Hint: write down the coefcients of the quadratic equation whose
two roots are p and q.
7
A more involved calculation that incorporates the cost of each division (modulus) operation shows the worst-case
overall efciency of the algorithm to be O(log
2
N) quadratic in the number of bits needed to write the input.
19
(b) Write a pari function that takes as input an RSA modulus N and (N) and factors
N. Use it to factor the following 2048-bit RSA modulus. Note: take care that there
are no precision issues in how you solve the quadratic equation; double-check your
factorization!
N = 133140272889335192922108409260662174476303831652383671688547009484
253235940586917140482669182256368285260992829447207980183170174867
620358952230969986447559330583492429636627298640338596531894556546
013113154346823212271748927859647994534586133553218022983848108421
465442089919090610542344768294481725103757222421917115971063026806
587141287587037265150653669094323116686574536558866591647361053311
046516013069669036866734126558017744393751161611219195769578488559
882902397248309033911661475005854696820021069072502248533328754832
698616238405221381252145137439919090800085955274389382721844956661
1138745095472005761807
phi = 133140272889335192922108409260662174476303831652383671688547009484
253235940586917140482669182256368285260992829447207980183170174867
620358952230969986447559330583492429636627298640338596531894556546
013113154346823212271748927859647994534586133553218022983848108421
465442089919090610542344768294481725103757214932292046538867218497
635256772227370109066785312096589779622355495419006049974567895189
687318110498058692315630856693672069320529062399681563590382015177
322909744749330702607931428154183726552004527201956226396835500346
779062494259638983191178915027835134527751607017859064511731520440
2981816860178885028680
8. In 1937, Alan Turing proposed the following cipher, based on the difculty of factoring:
8
Beforehand, Alice and Bob agree on a secret key k, which is a large prime.
To encrypt an English plaintext m, Alice encodes m as a large prime number m in the
following way:
(a) Replace A with 01, B with 02, etc.
(b) Append all these numbers together. For instance, the message VICTORY would be-
come 22090320151825:
V I C T O R Y
22 09 03 20 15 18 25
(c) Append several digits to the resulting number so that the result is prime. For in-
stance, 22090320151825 ; 2209032015182513 is prime. We assume this can be
done efciently, perhaps by adding sufcient 0s and then using the nextprime func-
tion in PARI.
(d) Call the resulting encoding m. So if m = VICTORY, then mcould be 2209032015182513
Then Alice computes the integer c = m k. The ciphertext is c.
To decrypt c, Bob computes m = c/k, which is guaranteed to be a (prime) integer, and
then decodes m into the corresponding English message m.
8
He may have been the rst to recognize that number theory and intractibility could be used for practical purposes.
20
Show that if Alice encrypts and sends two messages to Bob, then the eavesdropper can easily
recover the secret key. The eavesdropper need not know the two messages sent.
9. (a) Show that if p and q are known distinct primes, then it is possible to efciently compute
all four square roots of unity modulo pq. Hint: CRT!
(b) Implement a pari function that takes distinct primes p and q as input and returns the
four square roots of unity modulo pq. Use it to compute the four square roots of unity
modulo
N = 1052954986442271985875778192663 611174539744122090068393470777
10. Show that, conditioned on w Z
N
, the SqrtUnity subroutine outputs a square root of unity
chosen uniformly at random from the 4 possible square roots of unity. Hint: use the Chinese
Remainder Theorem.
11. Suppose N is an RSA modulus, and x
2
y
2
(mod N), and x , y (mod N). Show that N
can be efciently factored if such a pair x and y are known.
12. Explain why the RSA encryption exponent e must always be an odd number.
13. When N is an RSA modulus, why is squaring modulo N a 4-to-1 function, but raising to the
e
th
power modulo N is 1-to-1?
14. Prove that the CRT
r,s
function preserves quadratic residuosity (when r and s are relatively
prime). That is, if x is a quadratic residue modulo rs then x%r is a quadratic residue modulo
r and x %s is a quadratic residue modulo s.
15. Show that the set a Z
N
[ a
N1
1 (mod N) is a subgroup of Z
N
, for every N.
16. Implement the Solovay-Strassen test in pari. The probability of a false positive should be
at most 1/2
n
, where n is the number of bits in the given number. Note: pari implements
the Jacobi symbol under the name kronecker the Kronecker symbol generalizes the Jacobi
symbol.
17. Implement a pari function that efciently factors an RSA modulus N, given only N, e, and
d. Use your function to factor the following 2048-bit RSA modulus. Note: pari function
valuation(n,p) returns the largest number d such that p
d
[ n.
N = 157713892705550064909750632475691896977526767652833932128735618711
213662561319634033137058267272367265499003291937716454788882499492
311117065951077245304317542978715216577264400048278064574204140564
709253009840166821302184014310192765595015483588878761062406993721
851190041888790873152584082212461847511180066690936944585390792304
663763886417861546718283897613617078370412411019301687497005038294
389148932398661048471814117247898148030982257697888167001010511378
647288478239379740416388270380035364271593609513220655573614212415
962670795230819103845127007912428958291134064942068225836213242131
15022256956985205924967
e = 327598866483920224268285375349315001772252982661926675504591773242
501030864502336359508677092544631083799700755236766113095163469666
21
905258066495934057774395712118774014408282455244138409433389314036
198045263991986560198273156037233588691392913730537367184867549274
682884119866630822924707702796323546327425328705958528315517584489
590815901470874024949798420173098581333151755836650797037848765578
433873141626191257009250151327378074817106208930064676608134109788
601067077103742326030259629322458620311949453584045538305945217564
027461013225009980998673160144967719374426764116721861138496780008
6366258360757218165973
d = 138476999734263775498100443567132759182144573474474014195021091272
755207803162019484487127866675422608401990888942659393419384528257
462434633738686176601555755842189986431725335031620097854962295968
391161090826380458969236418585963384717406704714837349503808786086
701573765714825783042297344050528898259745757741233099297952332012
749897281090378398001337057869189488734951853748327631883502135139
523664990296334020327713900408683264232664645438899178442633342438
198329983121207315436447041915897544445402505558420138506655106015
215450140256129977382476062366519087386576874886938585789874186326
69265500594424847344765
18. Bob chooses an RSA plaintext m Z
N
and encrypts it under Alices public key as c m
e
(mod N). To decrypt, Alice rst computes m
p
c
d
(mod p) and m
q
c
d
(mod q), then uses
the CRT to solve for m in Z
N
, just as expected. But suppose Alice is using faulty hardware, so
that she computes a wrong value for m
q
. The rest of the computation happens correctly, and
Alice computes the (wrong) result m. Show that, no matter what m is, and no matter what
Alices computational error was, Bob can factor N if he learns m. Hint: Bob knows m and m
satisfying the following:
m m (mod p)
m , m (mod q)
19. In this problem well see that its bad to choose RSA prime factors p and q too close together.
(a) Let s = (p q)/2 and t = (p + q)/2. Then t is an integer greater than

N such that
t
2
N is a perfect square. When p and q are close, t is not much larger than

N, so by
testing successive integers, it is possible to nd t and s, and hence p and q. Describe the
details of this attack and how it works.
(b) Implement a pari function that factors RSA moduli using this approach. Use it to factor
the following 2048-bit number (whose two prime factors are guaranteed to be close
enough for the factoring approach to work in a reasonable amount of time, but far
enough apart that you cant do the trial-and-error part by hand). What qualies as close
prime factors in this problem? How close was t to

N? Hint: pari has an issquare
function. Also, be sure to do exact square roots over the integers, not the reals.
N = 514202868664266501986736340226343880193216864011643244558701956114
553317880043289827487456460284103951463512024249329243228109624011
915392411888724026403127686707255825056081890692595715828380690811
131686383180282330775572385822102181209569411961125753242467971879
131305986986525600110340790595987975345573842266766492356686762134
22
653833064511337433089249621257629107825681429573934949101301135200
918606211394413498735486599678541369375887840013842439026159037108
043724221865116794034194812236381299786395457277559879575752254116
612726596118528071785474551058540599198869986780286733916614335663
3723003246569630373323
20. I have published my RSA public key (N, e) and agree to play the following game with you:
(a) I (secretly) choose a plaintext m uniformly from Z
N
. I encrypt it under my public key to
obtain c. I tell you c.
(b) You choose a value c
,= c.
(c) I decrypt c
under my RSA private key to obtain m
. I tell you m
.
(d) You try to guess m.
Describe a strategy by which you can always correctly guess m in this game. Clearly state
how you choose c
and how you compute your guess for m.

Note: It is important that c
,= c in step (b). If you were allowed to choose c
= c, then
m
= m, and it would be trivially easy to correctly guess m.

23

Rsa

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Rsa

Încărcat de

Drepturi de autor:

Formate disponibile

Spring 2012 Cryptography: RSA Mike Rosulek

xkcd webcomic. http://xkcd.com/538/

N recursive calls. In other words, the worst-case number of recursive calls

under my RSA private key to obtain m

and how you compute your guess for m.

,= c in step (b). If you were allowed to choose c

= m, and it would be trivially easy to correctly guess m.

S-ar putea să vă placă și