This action might not be possible to undo. Are you sure you want to continue?

**xkcd webcomic. http://xkcd.com/538/
**

CHAPTER VII: PUBLIC-KEY CRYPTOGRAPHY

WITH RSA

Revision: March 5, 2012

Contents

1 The RSA Function 2

1.1 Number Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 The RSA Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.3 The Security of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Chinese Remainder Theorem and Applications 6

2.1 Application to RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Security Reductions 8

4 Partial Information Leaked by RSA 11

4.1 Quadratic Residuosity and Jacobi Symbols . . . . . . . . . . . . . . . . . . . . . . . . 11

4.2 RSA Leaks the Jacobi Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4.3 RSA Does Not Leak the First-Half Function . . . . . . . . . . . . . . . . . . . . . . . . 12

5 Primality Testing 14

5.1 Randomized Primality Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

5.2 Solovay-Strassen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.3 Miller-Rabin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

6 Problems 19

1

Spring 2012 Cryptography: RSA Mike Rosulek

1 The RSA Function

RSA was among the ﬁrst public-key cryptography developed. It was ﬁrst described in 1978, and

is named after its creators, Ron Rivest, Adi Shamir, and Len Adleman.

1

Although plain “textbook”

RSA does not satisfy all of the desired properties of a proper encryption scheme, it provides a good

ﬁrst exposure to practical public-key cryptography.

Before introducing RSA, we need to ﬁrst reacquaint (or introduce) ourselves to a few important

concepts from number theory.

1.1 Number Theory

Z is the set of integers (positive, negative, and zero). For a, b ∈ Z, we say that a divides b, and

write a [ b, if there exists an integer c such that ac = b. In other words, b is an integer multiple of a.

Division Theorem. For all a, b ∈ Z with b ,= 0, there exist unique q, r ∈ Z simultaneously satisfying

a = bq +r and 0 ≤ r < [b[.

We deﬁne a % b to be the unique value of r from the division theorem. The % symbol is called

the modulus operator.

2

We write a ≡ b (mod n) if n [ (a − b). Equivalently, a ≡ b (mod n) if and

only if a %n = b %n.

We deﬁne Z

n

= ¦0, . . . , n − 1¦ to be the set of remainders modulo n, or, more formally, the

additive group modulo n. Arithmetic (addition, subtraction, multiplication)

3

works in Z

n

by simply

reducing the result modulo n. It doesn’t matter whether you reduce intermediate steps modulo n,

since:

((a %n) + (b %n)) %n = (a +b) %n

((a %n)(b %n)) %n = ab %n

Every element x ∈ Z

n

has an inverse with respect to addition mod n: namely −x % n. For

example, the additive inverse of 11 mod 14 is −11 ≡ 3 (mod 14).

Greatest Common Divisors

If d [ x and d [ y, then d is a common divisor of x and y. The largest possible such d is called the

greatest common divisor (GCD), denoted gcd(x, y). The oldest numerical algorithm known is the

one Euclid described for computing GCDs (ca. 300 BCE):

GCD(x, y): // Euclid’s algorithm

if y = 0 then return x

else return GCD(y, x %y)

If gcd(x, y) = 1, then we say that x and y are relatively prime.

We let Z

∗

n

denote the set ¦x ∈ Z

n

[ gcd(x, n) = 1¦, the multiplicative group modulo n. This

group is closed under the operation of modular multiplication (if gcd(x, n) = gcd(y, n) = 1, then

1

Poor Clifford Cocks; he developed an equivalent scheme in 1973, but it was classiﬁed since he was working for

British intelligence. Maybe we should incorporate a “C” into the acronym somewhere... SCAR?

2

We use the convention that a % b is always always nonnegative, even if a is negative. This is different than the

convention in some programming languages, in which (−a) %b = −(a %b).

3

Division does not always “just work” in Zn.

2

Spring 2012 Cryptography: RSA Mike Rosulek

gcd(xy, n) = 1 and thus gcd(xy % n, n) = 1 by Euclid’s algorithm). To be a group, the set must be

closed under inverses; that is, for all x ∈ Z

∗

n

there must be a y ∈ Z

∗

n

so that xy ≡ 1 (mod n). This

follows from the following theorem:

Bezout’s Theorem. For all integers x and y, there exist integers s and t such that sx + ty =

gcd(x, y). In fact, gcd(x, y) is the smallest positive integer that can be written as an integral linear

combination of x and y.

If x ∈ Z

∗

n

then gcd(x, n) = 1 and there exist integers s, t satisfying sx + tn = 1. By reducing

both sides of this equation modulo n, we have

1 ≡ sx +tn ≡ sx + 0 (mod n)

(since tn ≡ 0 (mod n)). Thus the integer s guaranteed by Bezout’s theorem is a multiplicative

inverse of x modulo n. We write x

−1

for the element s %n ∈ Z

∗

n

.

An extended version of Euclid’s GCD algorithm can be used to compute the integers s and t

while the GCD is being computed. This is one effcient way to compute modular (multiplicative)

inverses:

Bezout(x, y):

// returns (d, s, t) such that

// gcd(x, y) = d = sx +ty

if y = 0 then return (x, 1, 0)

else (d, s, t) = Bezout(y, x %y)

return (d, t, s −t¸x/y|)

The Totient Function

Euler’s totient function is deﬁned as φ(n) = [Z

∗

n

[, in other words, the number of elements of Z

n

which are relatively prime to n.

As an example, if p is a prime, then Z

∗

n

= Z

n

¸ ¦0¦ (every integer from 1 to p − 1 is relatively

prime to p), thus φ(p) = p −1.

If p and q are distinct primes, then φ(pq) = (p −1)(q −1). One way to see this is that there are

pq elements in Z

pq

. Let’s count how many elements in Z

pq

share a common divisor with pq (i.e.,

are not in Z

∗

pq

):

• Zero. That’s one element.

• The multiples of p: p, 2p, 3p, . . . , (q −1)p. That’s (q −1) elements.

• The multiples of q: q, 2q, 3q, . . . , (p −1)q. That’s (p −1) elements.

We have not double-counted in the last two lists: any item that occurs in both lists would be a

common multiple of both p and q, but when p and q are distinct primes, their least common multiple

is pq, which is larger than any item in the lists. Therefore the size of Z

∗

pq

is pq −1−(p−1) −(q −1),

which you can easily verify to be equal to (p −1)(q −1).

General formulas for φ(n) exist, but they typically rely on knowing the prime factorization of

n. We will see more connections between the difﬁculty of computing φ(n) and the difﬁculty of

factoring n later in this chapter.

Here’s an important theorem from abstract algebra:

3

Spring 2012 Cryptography: RSA Mike Rosulek

LaGrange’s Theorem. If G is a multiplicative group with k elements, then x

k

= 1 for all x ∈ G.

As a corollary, we have that:

x

φ(n)

≡ 1 (mod n) for all x ∈ Z

And as a ﬁnal corollary, we can deduce Fermat’s “little theorem,” that x

p−1

≡ 1 (mod p) for all x,

when p is prime.

1.2 The RSA Function

The RSA function is deﬁned as follows:

• Let p and q be distinct primes (later we will say more about how they are chosen), and let

N = pq. N is called the RSA modulus.

• Let e and d be integers such that ed ≡ 1 (mod φ(N)). e is called the encryption exponent,

and d is called the decryption exponent. These names are historical, but not entirely precise;

remember that RSA by itself does not achieve the security of a proper encryption scheme.

• The RSA function is RSA((N, e), m) = m

e

%N.

• The inverse RSA function is RSA

−1

((N, d), c) = c

d

%N.

Essentially, the RSA function (and its inverse) is a simple modular exponentiation. It is important

to note that e and d “live” in Z

∗

φ(N)

, while m and c “live” in Z

N

.

Let’s make sure the claimed inverse is really an inverse. That is, when N, e, and d satisfy the

properties listed above, we have RSA

−1

((N, d), RSA((N, e), m)) = m. Since ed ≡ 1 (mod φ(N)),

we can write ed = tφ(N) + 1 for some integer t. Then:

(m

e

)

d

≡ m

ed

≡ m

tφ(N)+1

≡ (m

φ(N)

)

t

m ≡ 1

t

m ≡ m (mod N)

where we have used the fact that m

φ(N)

≡ 1 (mod N) from LaGrange’s theorem.

1.3 The Security of RSA

We see that for anyone who knows the values (N, d) (or equivalently, knows the factorization of

N = pq), it is easy to invert the RSA function. Our desired security from RSA is that the RSA

function is hard to invert when given only the values (N, e).

Because the deﬁnition refers to inversion (and not other properties like hiding partial informa-

tion), we reuse many of the concepts from our earlier deﬁnition of one-way functions. However,

here we must adapt the deﬁnitions to accommodate keys being generated. (Recall that one-way

functions were not parameterized by any kind of keys.)

Deﬁnition. Let Σ = (KeyGen, F, F

−1

) be a collection of three functions. Deﬁne the following game,

called the inversion game, played between an adversary (algorithm) / and a challenger:

1. The challenger generates (pk, sk) ← KeyGen and chooses a string x uniformly from ¦0, 1¦

n

.

2. The challenger gives pk and F(pk, x) as input to /.

3. / outputs a string ´ x.

4

Spring 2012 Cryptography: RSA Mike Rosulek

4. If F(pk, ´ x) = F(pk, x), then the outcome of the game is YES, otherwise the outcome is NO.

Denote the (random variable) outcome of this game as Invert(Σ, /).

Deﬁnition. Let Σ = (KeyGen, F, F

−1

) be a collection of three functions. Then the collection is a

trapdoor function (TDF) if:

1. Efﬁciency: Each of KeyGen, F, and F

−1

can be computed efﬁciently.

2. Correctness: For all (pk, sk) ← KeyGen and all strings x, we have F

−1

(sk, F(pk, x)) = x.

3. Trapdoor one-wayness: For every efﬁcient adversary /, we have Pr[Invert(Σ, /) = YES] ≈ 0.

Formally, the security deﬁnition applies to the trio (KeyGen, F, F

−1

). To make things simpler,

though, we typically refer to the forward-computing function F when the corresponding KeyGen

function and F

−1

are clear from context. For example, we would say that “the RSA function

m → m

e

% N is a trapdoor function,” with the understanding that N and e are chosen in the

appropriate way.

5

Spring 2012 Cryptography: RSA Mike Rosulek

2 Chinese Remainder Theorem and Applications

The multiplicative group Z

∗

N

has some interesting structure when N is the product of distinct

primes. We can use this structure to optimize some algorithms related to RSA.

Chinese Remainder Theorem (CRT). Deﬁne the function CRT

r,s

: Z

rs

→Z

r

Z

s

as

CRT

r,s

(x) = (x %r, x %s).

Then CRT

r,s

is a bijection whenever gcd(r, s) = 1.

Proof: First, we will show that CRT

r,s

is a surjection; that is, every (u, v) ∈ Z

r

Z

s

is equal to

CRT

r,s

(x) for some x ∈ Z

rs

.

Let u ∈ Z

r

and v ∈ Z

s

. Since gcd(r, s) = 1, we have by Bezout’s theorem that 1 = ar + bs

for some integers a and b. Recall that b ≡ s

−1

(mod r), from our earlier discussion of modular

(multiplicative) inverses. Choose x = var +ubs. Then,

x ≡ var +ubs ≡ (va)0 +u(s

−1

s) ≡ u (mod r)

By a symmetric argument, we can see that x ≡ v (mod s). Next, note that (x % rs) % r = x % r,

and (x % rs) % s = x % s. Thus CRT

r,s

(x % rs) = (x % r, x % s) = (u, v), so x % rs is the desired

preimage of (u, v) in Z

rs

.

Then, since [Z

rs

[ = rs = [Z

r

Z

s

[, and since CRT

r,s

is a surjection from one set to another, it

must be a bijection.

Another way to think of the CRT is in terms of solving a system of modular equations:

Chinese Remainder Theorem (CRT), restated. If gcd(r, s) = 1 then for all integers u, v, there is

a solution for x in the following system of equations:

x ≡ u (mod r)

x ≡ v (mod s)

Furthermore, this solution is unique modulo rs.

Groups

We can consider the cartesian product Z

r

Z

s

to be a mathematical group. Its elements are pairs,

and we can deﬁne addition and multiplication on those pairs as follows:

(a, b) + (c, d) = (a +c, b +d)

(a, b) (c, d) = (a c, b d)

Note that the + and operators on the left-hand side are the operator in Z

r

Z

s

that we are

deﬁning. The operators on the right-hand side are the operators within the groups Z

r

and Z

s

,

respectively, which we are using.

With addition and multiplication deﬁned within the product group Z

r

Z

s

, it is easy to see

that the following properties of the CRT function are true for all x, y ∈ Z

rs

:

CRT

r,s

(x) +CRT

r,s

(y) = CRT

r,s

(x +y)

CRT

r,s

(x) CRT

r,s

(y) = CRT

r,s

(x y)

6

Spring 2012 Cryptography: RSA Mike Rosulek

Again, the addition and multiplication on the left-hand side are operating on elements of Z

r

Z

s

(i.e., pairs), while the addition and multiplication on the right-hand side are operating on elements

of Z

rs

(i.e., single numbers).

We see that the CRT function is a bijection and that it preserves group operations. We call such

a function an isomorphism, and say that the two groups Z

rs

and Z

r

Z

s

are isomorphic (written as

Z

rs

∼

= Z

r

Z

s

).

The correspondence between Z

rs

and Z

r

Z

s

extends beyond simple addition and multiplica-

tion. Almost every conceivable property of the elements is preserved. For example, CRT

r,s

always

maps elements of Z

∗

rs

to elements of Z

∗

r

Z

∗

s

, and vice-versa; that is, it preserves the invertibility of

elements. This is because gcd(x, rs) = 1 implies gcd(x, r) = gcd(x, s) = 1 whenever gcd(r, s) = 1.

Fun fact: this yields an alternative proof that φ(pq) = (p −1)(q −1) when p and q are prime.

4

2.1 Application to RSA

Since Z

rs

and Z

r

Z

s

are essentially the same mathematical object, we can use whichever inter-

pretation is convenient for us. A great example is computing the RSA inverse function c → c

d

%N.

If p and q are n bits long, then N is about 2n bits long. Performing an exponentiation modulo a

n-bit number requires about n

3

steps. So the RSA inverse function costs about (2n)

3

= 8n

3

steps to

perform.

However, consider the following observation:

c

d

= CRT

−1

p,q

(CRT

p,q

(c

d

)) = CRT

−1

p,q

((CRT

p,q

(c))

d

) = CRT

−1

p,q

(c

d

%p, c

d

%q)

In other words, we could also compute c

d

by ﬁrst applying the CRT mapping, to obtain the pair

(c % p, c % q), then perform the exponentiation separately modulo p and modulo q, then invert

the CRT mapping. This would require 2 exponentiations, now modulo n-bit numbers, thus about

2(n

3

) steps. Computing CRT

−1

p,q

(whose deﬁnition is implicit in the ﬁrst proof of this section) is

inconsequential compared to the cost of the exponentiations. Thus, using CRT, we obtain a speed

increase by a factor of about 4.

It’s worth pointing out that this speedup can only be done for the RSA inverse function. One

must know p and q in order to exploit the Chinese Remainder Theorem, and only the party per-

forming the RSA inverse function typically knows this.

4

φ(pq) = |Z

∗

pq

| = |Z

∗

p

×Z

∗

q

| = (p −1)(q −1).

7

Spring 2012 Cryptography: RSA Mike Rosulek

3 Security Reductions

It is believed (but not proved) that the RSA scheme is a trapdoor one-way function.

RSA Assumption. The RSA function is a trapdoor function.

It is not hard to see that if one is able to factor the modulus N, then one can easily compute

the decryption exponent d and thus invert RSA. Thus, if RSA really is a TDF then the following

assumption must be true:

Factoring Assumption. There is no efﬁcient algorithm that outputs p or q with more than negli-

gible probability given pq as input, when p and q are distinct primes chosen uniformly at random

from all n-bit primes.

When RSA was originally proposed, it was conjectured that inverting RSA is equivalent to the

Factoring Assumption. Certainly, if RSA is a TDF, then the Factoring Assumption is true. Unfortu-

nately, it is not known whether the Factoring Assumption implies that RSA is a TDF. In other words,

we do not know if there are ways to invert RSA that don’t involve factoring N, or computing d.

However, we do know that certain kinds of attacks against RSA are equivalent to factoring, and

these will provide our ﬁrst exposure to security reductions.

Security Reductions

A security reduction is a statement like “if there is an efﬁcient algorithm for A, then there is an

efﬁcient algorithm for B.” Why is such a statement useful? Consider the case where A is the

problem of violating a security condition, and B is a problem like factoring. Then the security

reduction means that any attack on the system can be transformed into an algorithm for factoring.

Now consider the contrapositive: If we believe that no efﬁcient algorithm for B (factoring) exists,

then there must not be an efﬁcient algorithm for A; in our example, there is no efﬁcient way to

violate the security condition.

An overview of several security reductions related to RSA is given below in Figure 1. For

instance, if the factorization of N = pq is known, then φ(N) can be easily computed as φ(N) =

(p − 1)(q − 1). If φ(N) is known, then it is easy to compute d ≡ e

−1

(mod φ(N)). If d is known,

then it is trivial to invert RSA by computing c → c

d

%N. After all, we imagine that the person who

chooses N, e, and d is already able to (easily) do all of these things. These very simple reductions

establish the three main left-to-right arrows in the ﬁgure. Note that these simple reductions involve

steps like multiplication, computing modular inverses, and computing modular exponentiation —

all of which are efﬁcient in the security parameter, which is the number of bits in the numbers

involved.

A more sophisticated reduction is the following:

Claim. If there is an efﬁcient algorithm for computing d, then there is an efﬁcient algorithm for

factoring N.

It’s convenient to break down this reduction into two steps. We ﬁrst introduce a new problem

“X” and then show two reductions: that an efﬁcient algorithm for computing d implies an efﬁcient

algorithm for X; and that an efﬁcient algorithm for X implies an efﬁcient algorithm for factoring

N. The problem “X” in question is the following:

8

Spring 2012 Cryptography: RSA Mike Rosulek

Factoring

N

Computing

φ(N)

Finding

non-trivial

√

1 mod N

Computing

d

Inverting

RSA

trivial

trivial trivial

homework

t

h

i

s

s

e

c

t

i

o

n

t

h

is

s

e

c

t

io

n

h

o

m

e

w

o

r

k

??

Figure 1. An arrow from A to B means that an eﬃcient algorithm for A implies one for B.

Deﬁnition. A number x is a square root of unity modulo N if x

2

≡ 1 (mod N). If x ,≡ 1 (mod N)

and x ,≡ −1 (mod N), then we say that x is a non-trivial square root of unity.

Note that ±1 are always square roots of unity modulo N, for any N. But if N = pq is the

product of distinct odd primes, then there are 4 square roots of unity modulo N: two trivial and

two non-trivial ones (see the exercises in this chapter).

Lemma. If there is an efﬁcient algorithm for computing nontrivial square roots of unity modulo

N, then there is an efﬁcient algorithm for factoring N.

Proof: We assume that there is an efﬁcient algorithm for computing nontrivial square roots; i.e.,

we are allowed to write an algorithm that includes the step “ﬁnd a nontrivial square root of unity

modulo N”, and we assume that this step takes a polynomial amount of time (polynomial in the

number of bits needed to represent the numbers involved).

Our reduction is simple: the efﬁcient algorithm for factoring N is:

Factor(N):

x = ﬁnd a nontrivial square root of unity modulo N

return gcd(N, x + 1) and gcd(N, x −1)

The algorithm is simple, but we must argue that it is correct.

Let x be a nontrivial square root of unity modulo N. Then x

2

≡ 1 (mod pq), or in other words,

pq [ (x

2

−1). Factoring the right-hand-side, we have pq [ (x + 1)(x −1). But since x is a nontrivial

square root of unity, we have x ,≡ ±1 (mod pq), thus pq ,[ (x ±1).

When p and q are distinct primes, then we have the following:

pq [ AB and pq ,[ A and pq ,[ B =⇒ either (p [ A and q [ B) or (p [ B and q [ B)

Substituting A = x + 1 and B = x −1, it follows that ¦gcd(N, x −1), gcd(N, x + 1)¦ = ¦p, q¦.

Lemma. If there is an efﬁcient algorithm for computing d, then there is an efﬁcient algorithm for

computing nontrivial square roots of unity modulo N.

Proof: As before, we suppose that in addition to the modulus N and exponent e, we can obtain

the exponent d in polynomial time. Now consider the following subroutine:

SqrtUnity(N, e, d):

Write ed −1 = 2

s

r, with r odd (i.e., factor out as many 2s as possible)

Choose w uniformly at random from Z

N

.

Compute the sequence (−1, w

r

, w

2r

, w

4r

, w

8r

, . . . , w

2

s

r

) modulo N.

Return the number just before the ﬁrst 1 that appears in the sequence.

9

Spring 2012 Cryptography: RSA Mike Rosulek

Since ed ≡ 1 (mod φ(N)), we can write ed = tφ(N) + 1 for some integer t. Then w

2

s

r

= w

ed−1

≡

w

tφ(N)

≡ 1

t

≡ 1 (mod N) from LaGrange’s theorem. So 1 is the last number in the sequence

in step 3 of SqrtUnity, thus step 4 of SqrtUnity is well-deﬁned — there is always a “1” appearing

somewhere in the sequence. Furthermore, since the sequence of numbers w

r

, w

2r

, . . . are obtained

by squaring the previous number, the output of SqrtUnity is indeed a square root of unity.

In the rare event that w is chosen so that w ,∈ Z

∗

N

, this would mean that gcd(N, w) ,= 1. In that

case, gcd(N, w) ∈ ¦p, q¦ and we can factor N. After N is factored, it is easy to compute a nontrivial

square root of unity modulo N (see the homework).

Conditioned on w ∈ Z

∗

N

, it is possible to show that SqrtUnity(N, e, d) returns a square root

of unity chosen uniformly at random from among the four possible square roots of unity. With

probability 1/2, the output is a nontrivial square root. We can repeat this basic process n times,

and the probability that we fail to encounter a nontrivial square root of unity is 1/2

n

, which is

negligible.

5

**When we have a reduction (or path of reductions) from A to B and also from B to A, we say
**

that A and B are equivalent. Indeed, there is an efﬁcient algorithm for A if and only if there is

one for B. In our case, we can see that four problems — factoring N, computing φ(N), computing

d, and ﬁnding a nontrivial square root of unity mod N — are all equivalent in this sense. Since

there is a reduction from these equivalent problems to the problem of inverting RSA, we say that

inverting RSA is no harder than factoring. It is not clear whether inverting RSA is actually easier

than factoring. Indeed, it may be the case that the factoring assumption is true (i.e., factoring RSA

moduli is hard) and yet RSA is not a TDF.

5

In general it is acceptable for reductions such as these to fail with negligible probability.

10

Spring 2012 Cryptography: RSA Mike Rosulek

4 Partial Information Leaked by RSA

If the RSA function is hard to invert, does that mean that it hides all partial information about its

input? We have previously seen in the case of (plain) one-way functions that “hard to invert” does

not imply “hides all partial information.”

Indeed, this is also the case when considering trapdoor functions. In this section we will see

one example of information that is leaked by RSA. However, we will also see an example of some

partial information that is not leaked. Since the security deﬁnition of RSA makes no reference

to partial information leakage, how can we be sure that certain information is not leaked? This

will be one of our lovely examples of how all of our security statements are demonstrated via

appropriate algorithms. To prove both of these claims (that partial information A is leaked, and

partial information B is not leaked), we simply describe an appropriate algorithm!

A good way to think about partial information is as a function on plaintexts. Suppose f : / →

X for some set X. We’ll say that a TDF leaks f if there is an efﬁcient algorithm that determines

f(m) given only pk and F(pk, m). If [X[ = 1, then there is really no information leaked – we can

compute f(m) without looking at F(pk, m)! But even if [X[ = 2, we will consider it a signiﬁcant

leakage.

4.1 Quadratic Residuosity and Jacobi Symbols

Deﬁnition. We say that x ∈ Z

∗

n

is a quadratic residue modulo n if there exists y ∈ Z

∗

n

satisfying

x ≡ y

2

(mod n). We let QR

n

denote the set of quadratic residues modulo n.

Example: We can write out the elements of Z

∗

15

and square each one. The resulting numbers are

the quadratic residues:

x 1 2 4 7 8 11 13 14

x

2

1 4 1 4 4 1 4 1

Therefore we see that QR

15

= ¦1, 4¦.

Due to the following famous theorem of Euler, we have an easy way of determining quadratic

residuosity modulo an odd prime:

Theorem (Euler’s Criterion). If p is an odd prime then a ∈ QR

p

if and only if a

(p−1)/2

≡ 1

(mod p).

Note that there are only two possibilities for a

(p−1)/2

. This quantity is always a square root of

unity modulo p, so it must be either +1 or −1.

The idea behind Euler’s criterion can be extended for a non-prime modulus. This is done with

the Jacobi symbol:

Deﬁnition. The Jacobi symbol

_

a

n

_

is deﬁned as follows:

_

a

n

_

=

_

a

(n−1)/2

%n if n is prime

i

_

a

p

i

_

e

i

if n =

i

p

e

i

i

is the prime factorization of n

We will be most interested in the case where the “denominator” is the product of two distinct

primes. We can see that

_

a

pq

_

=

_

a

p

__

a

q

_

, which equals 0 if gcd(a, pq) ,= 1.

_

a

pq

_

is −1 if a is a

quadratic residue modulo exactly one of p and q; and it is +1 otherwise.

11

Spring 2012 Cryptography: RSA Mike Rosulek

Even though the deﬁnition of the Jacboi symbol is in terms of the prime factorization of the

denominator, we do not need to factor numbers to compute it. In fact, there is an efﬁcient algorithm

for determing the value of a Jacobi symbol based applying the following four identities:

_

a

n

_

=

_

a %n

n

_ _

2

n

_

= (−1)

(n

2

−1)/8

_

ab

n

_

=

_

a

n

_

_

b

n

_

_

a

n

_

=

_

−

_

n

a

_

if n ≡ a ≡ 3 (mod 4)

_

n

a

_

otherwise

4.2 RSA Leaks the Jacobi Symbol

The Jacobi symbol

_

x

n

_

satisﬁes the equality

_

x

n

_ _

y

n

_

=

_

xy

n

_

. Thus in the context of RSA, we have

that

_

m

N

_

e

=

_

m

e

N

_

. We leave it as an exercise for the reader that the encryption exponent e must

always be odd. Since the Jacobi symbol is always in ¦−1, 0, +1¦, we must have

_

m

e

N

_

=

_

m

N

_

e

=

_

m

N

_

.

In other words, the Jacobi symbol of the ciphertext (m

e

) is the same as that of the plaintext (m);

the RSA function preserves the Jacobi symbol. Approximately half of the elements of Z

N

= /

have Jacobi symbol +1 and the other half have Jacobi symbol −1 (a very small fraction have

Jacobi symbol 0), so learning the Jacobi symbol of the plaintext narrows down the set of potential

plaintexts by about half! Equivalently, it can double the adversary’s probability of successfully

guessing the plaintext.

4.3 RSA Does Not Leak the First-Half Function

We now give an example “leakage function” f such that RSA does not leak f(m). How can we say

that a TDF does not leak a given function f, when after all the TDF deﬁnition does not consider

partial information leakage? The way to do it is by reducing the problem of learning f(m) to a

problem that the TDF deﬁnition does consider!

We will show the following reduction: If there is an efﬁcient algorithm to determine f(m) in the

TDF experiment, then we could use that algorithm to completely determine m. So as long as we

are conﬁdent that RSA is indeed a TDF, we can be conﬁdent that there is no efﬁcient algorithm for

determining f(m) — in other words, RSA does not leak f as long as RSA does not leak the entire

plaintext!

The leakage function we have in mind is the following (deﬁned over the set of RSA plaintexts

/ = Z

N

):

FH(m) =

_

0 if 0 ≤ m ≤

N−1

2

1 if

N+1

2

≤ m ≤ N −1

Although FH (which incidentally stands for ﬁrst half) is only a single bit of information about m,

we will show that if one is able to compute it, then one is able to recover all of m.

Suppose we had an efﬁcient algorithm A, which on input pk = (N, e) and c = m

e

%N correctly

outputs FH(m). Our algorithm for recovering m given pk and c works like this:

6

When we receive input c, for all we know m could be any number in Z

N

. After running A on

input (pk, c) to determine FH(m), we narrow down the possibilities for m by half — m is either in

the ﬁrst half or second half of Z

N

. Next, note that if we know c = m

e

, we can compute (2m)

e

= c2

e

using information we already know (c and e). So we can call algorithm A on input (pk, c2

e

) to

6

The main idea behind the reduction is fairly simple — binary search. But writing out the full details of the reduction

is quite tedious; we’ll just present an outline of the approach.

12

Spring 2012 Cryptography: RSA Mike Rosulek

determine whether 2m%N is in the ﬁrst half or second half of Z

N

as well! Now observe that when

we double the numbers ¦0, 1, . . . , (N − 1)/2¦, we get ¦0, 2, 4, . . . , N − 1¦. When we double (mod

N) the numbers ¦(N +1)/2, . . . , N −1¦, we get ¦1, 3, 5, . . . , N −2¦. Each of the halves gets “spread

out” across all of Z

N

from this doubling operation. So suppose, for example, that we know that m

is in the ﬁrst half. Then if 2m is in the second half of Z

N

, we know that m must have in fact been

from the 2nd half of the 1st half of Z

N

, or in other words, the 2nd quarter of Z

N

. We have again

cut the set of possibilities for m by half.

In summary, we can use the algebraic properties of RSA along with our assumed algorithm A to

determine FH(2

i

m) for values i = 0, 1, . . .. Each time we do so, we reduce the possibilities for m

by half, like a binary search. To get from N possibilites for m to only one possibility for m requires

us to halve the possibilities ,log

2

N| = n times. So our algorithm for determining m requires n calls

to the algorithm A (as well as some other multiplications, etc) — slower, but still polynomial-time

in the security parameter n if A is polynomial-time.

13

Spring 2012 Cryptography: RSA Mike Rosulek

5 Primality Testing

One issue we’ve glossed over that you may have noticed is that the KeyGen algorithm for RSA must

choose two large random prime numbers. How is this done? Perhaps the most straightforward

approach would be the following “trial-and-error” approach:

RandomPrime(k): // returns a random k-bit prime

do:

n ← random k-bit string (most signiﬁcant bit 1)

while not IsPrime(n)

return n

It is clear that this algorithm will return a prime number, uniformly distributed from all primes

whose binary representation requires exactly k bits. What is less clear is the efﬁciency of such an

algorithm. There are two main issues related to the efﬁciency of this trial-and-error approach:

1. How many times will the algorithm execute the main loop (on average) before it ﬁnds a

prime?

2. How can we implement IsPrime() efﬁciently?

The ﬁrst question is answered by the following famous theorem of number theory:

Prime Number Theorem. Let π(N) be the number of primes less than N. Then π(N)/N grows

asymptotically as 1/ ln N.

The ratio π(N)/N is the percentage of numbers less than N that are prime. Stated differently,

if you were to pick a number uniformly at random from ¦1, . . . N¦, the probability that you would

pick a prime number is about 1/ ln N = O(1/ log

2

N). If N = 2

n

− 1 (the largest n-bit number),

then this probability is O(1/n).

If a process has a successful outcome with probability p, then the expected number of times

needed to repeat the process to encounter the ﬁrst successful outcome is 1/p. So it requires an

expected O(n) tries to pick a random n-bit prime. By our convention of measuring efﬁciency of

numerical algorithms as a function of the number of bits in the numbers, O(n) is considered

efﬁcient. So as long as the IsPrime subroutine is similarly efﬁcient, the RandomPrime algorithm

given above is efﬁcient (in the average case).

5.1 Randomized Primality Algorithms

In 2002, Agrawal, Kayal, and Saxena proved that there is a deterministic efﬁcient algorithm for

determining whether a number is prime. So in principle, we could use their algorithm for the

IsPrime subroutine. Unfortunately, for n-bit numbers the algorithm takes about O(n

12

) time. This

is “efﬁcient” by our deﬁnitions, but not very practical. Subsequent improvements have reduced the

complexity of the algorithm to about O(n

6

), but this is still pretty bad.

So instead of using deterministic algorithms for primality, most applications use a probabilistic

(randomized) algorithm. These algorithms are much more practical, but this efﬁciency comes at a

price. They have a very small probability of reporting a false positive; that is, they might report a

composite number to be prime, with very small probability. But this probability can be tuned to be

as low as we want it. Without much effort we can make the false-positive probability less than, say,

the probability of an alpha-particle causing a hardware failure in your computer.

14

Spring 2012 Cryptography: RSA Mike Rosulek

The general outline of a randomized primality test goes like this: First, we ﬁnd an equation

P(a, N) with the following two properties:

1. If N is prime, then P(a, N) is true for all a ∈ Z

∗

N

.

2. If N is composite, then P(a, N) is false for at least half of a ∈ Z

∗

N

.

With such a condition P in hand, we can then do the following:

RandomizedIsPrime(N):

n = number of bits in N

do n times:

pick a random a ∈ (Z

N

¸ ¦0¦)

if gcd(a, N) ,= 1 then output “composite”

if P(a, N) is false, output “composite”

output “prime”

Whenever the algorithm outputs “composite”, it is correct. However, it might erroneously report

that a composite number N is prime. Conditioned on the event that the algorithm never outputs

“composite”, we see that a is chosen uniformly from Z

∗

N

, not just Z

N

. If N is still composite, then

the algorithm can only output “prime” with probability at most 1/2

n

because each time a is chosen,

the algorithm must have avoided the half of Z

∗

N

for which P(a, N) is guaranteed to be false.

5.2 Solovay-Strassen

The Solovay-Strassen algorithm ﬁts into this framework by using a connection between primes and

the Jacobi symbol. Recall that the Jacobi symbol is deﬁned as follows:

_

a

n

_

=

_

a

(n−1)/2

%n if n is prime

i

_

a

p

i

_

e

i

if n =

i

p

e

i

i

is the prime factorization of n

Recall also that there is an efﬁcient algorithm for computing the Jacobi symbol

_

a

n

_

given a and n.

The Solovay-Strassen algorithm uses our general framework for a randomized primality test, with

the following condition P(a, N):

P(a, N) =

_

true if

_

a

N

_

≡ a

(N−1)/2

(mod N)

false otherwise

We can see by the deﬁnition of Jacobi symbols that if N is prime, then P(a, N) is true for all a. It

simply remains to prove the following other property of P:

Claim. If N is composite, then P(a, N) = false for at least half of a ∈ Z

∗

N

.

Before we can prove the claim, we need a little more machinery from abstract algebra.

Subgroups

Let X be a subset of Z

∗

N

, the multiplicative group modulo N. We say that X is a subgroup of Z

∗

N

if it satisﬁes the following conditions:

15

Spring 2012 Cryptography: RSA Mike Rosulek

• (Closure under multiplication) For all a, b ∈ X, we have (ab %N) ∈ X.

• (Closure under inverses) For all a ∈ X, there is an element a

−1

∈ X such that aa

−1

≡ 1

(mod N).

For instance, the set of quadratic residues QR

N

is a subgroup of Z

∗

N

, because the product of

quadratic residues is also a quadratic residue, and the inverse of a quadratic residue is a quadratic

residue.

The following theorem from LaGrange turns out to be very helpful...

LaGrange’s Theorem. If X is a subgroup of Z

∗

N

, then [X[ divides φ(N).

... because it yields the following corollary:

Corollary. If X is a subgroup of Z

∗

N

and X ,= Z

∗

N

, then [X[ ≤ φ(N)/2.

Why is this helpful? We want to be able to say that if N is composite, then P(a, N) is false for

at least half of the elements a ∈ Z

∗

N

. To do this, we can show that X = ¦a ∈ Z

∗

N

[ P(a, N) is true¦

is a subgroup of Z

∗

N

. X are the “bad” elements of Z

∗

N

, from our point of view — they mislead us

into thinking that N is prime. If we can then show that there is even one element a ∈ Z

∗

N

¸ X, then

we will have established that [X[ ≤ φ(N)/2; in other words, the elements a for which P(a, N) is

false is Z

∗

N

¸ X, which has size at least φ(N)/2.

Proof of the claim

We will prove the claim about P(a, N) for the special case where N is a product of distinct primes

N = p

1

p

2

p

t

. The case where a prime power divides N is slightly more complicated.

We will follow the outline sketched above. Let N = p

1

p

t

and deﬁne X = ¦a ∈ Z

∗

N

[

_

a

N

_

≡

a

(N−1)/2

(mod N)¦. We ﬁrst claim that X is a subgroup of Z

∗

N

. For a, b ∈ X, we see that:

_

ab

N

_

=

_

a

N

_

_

b

N

_

(identity for Jacobi symbols)

≡ a

(N−1)/2

b

(N−1)/2

(mod N) (since a, b ∈ X)

≡ (ab)

(N−1)/2

(mod N)

So ab ∈ X as well. Similarly, if a ∈ X, then:

_

a

−1

N

_

=

_

a

N

_

−1

≡ (a

(N−1)/2

)

−1

≡ (a

−1

)

(N−1)/2

(mod N)

So a

−1

∈ X as well. Thus X is a subgroup of Z

∗

N

.

All we have to do now is to show that there exists a number a ∈ Z

∗

N

¸ X; that is, a number

a ∈ Z

∗

N

such that

_

a

N

_

,≡ a

(N−1)/2

(mod N).

Recall that N = p

1

p

t

. Using the Chinese Remainder theorem, we can ﬁnd a number a ∈ Z

N

that satisﬁes the following system:

a ≡ b (mod p

1

)

a ≡ 1 (mod N/p

1

)

16

Spring 2012 Cryptography: RSA Mike Rosulek

In the above equation, we choose b to be any non-quadratic-residue modulo p

1

. Then using the

identies for Jacobi symbols, we have:

_

a

N

_

=

_

a

p

1

__

a

N/p

1

_

=

_

b

p

1

__

1

N/p

1

_

= (−1)(1) = −1

On the other hand:

a

(N−1)/2

≡ −1 (mod p

1

) (from Euler’s criterion for quadratic residues)

a

(N−1)/2

≡ 1 (mod N/p

1

)

So a

(N−1)/2

cannot be congruent to −1 modulo N since it is not congruent to −1 modulo N/p

1

.

Thus for this choice of a we have

_

a

N

_

= −1 ,≡ a

(N−1)/2

(mod N). By demonstrating an element

a ∈ Z

∗

N

¸ X, we have shown that [X[ ≤ φ(N)/2.

5.3 Miller-Rabin

The Miller-Rabin primality test is motivated by Fermat’s little theorem: a

N−1

≡ 1 (mod N) for

all a, if N is prime. Unfortunately, Fermat’s little theorem can’t be used directly as a basis for a

primality test. There exist composite numbers N for which a

N−1

≡ 1 (mod N) for all a. Numbers

with this property are called Carmichael numbers, the smallest of which is 561.

However, the Miller-Rabin test combines Fermat’s little theoremwith another property of primes,

namely the following:

Observation. N is a prime power if and only if ¦±1¦ are the only square roots of unity modulo N.

A prime power is a number of the form p

k

where p is a prime. A prime power cannot be a

Carmichael number, so we have the following observations:

• If N is prime, then it has only two square roots of unity, and it satisﬁes Fermat’s little theorem.

• If N is a composite and a Carmichael number, then it has at least four square roots of unity.

• If N is a composite and not a Carmichael number (possibly a prime power), then it does not

satisfy Fermat’s little theorem. That is, there is some a for which a

N−1

,≡ 1 (mod N).

The Miller-Rabin test cleverly tests both conditions (Fermat’s little theorem and square roots of

unity) at once, using an approach similar to one we’ve seen before:

MillerRabin(a, N):

Write N −1 = 2

s

r, with r odd (i.e., factor out as many 2s as possible)

Compute the sequence (−1, a

r

, a

2r

, a

4r

, a

8r

, . . . , a

2

s

r

) modulo N.

If the last element of the sequence is not 1, then output “composite”

If the element before the ﬁrst 1 in the sequence is not −1, then output “composite”

Otherwise, output “prime”

Whenever this test outputs “composite”, it is true that N is a composite number. If it outputs

“composite” in the third line, then we have 1 ,≡ a

2

s

r

= a

N−1

(mod N), so Fermat’s little theorem is

not satisﬁed. Recall from our earlier discussion of square roots of unity that the number preceeding

the ﬁrst 1 in the sequence (−1, a

r

, a

2r

, . . . , a

2

s

r

) is a square root of unity other than 1. So if the

17

Spring 2012 Cryptography: RSA Mike Rosulek

algorithm outputs “composite” in the fourth line, then N has a square root of unity other than ±1.

In both cases, N must be composite.

Finally, it sufﬁces to show that if N is composite, then at least half of the values a ∈ Z

∗

N

will

cause the test to output “composite.” In the case that N is not a prime power, we already know

that the fourth line considers a uniformly random square root of unity, and thus this test alone

has probability at least half of encountering a non-trivial square root of unity (with even higher

probability the more prime factors N has). In the case where N is a prime power, it is possible to

show using a similar argument as in the previous section that at least half of the values of a will

satisfy a

(N−1)

,≡ 1 (mod N).

As with the Solovay-Strassen algorithm, we may repeat the test n times on an independently

random choice of a to lower the total probability of a false positive to 1/2

n

.

18

Spring 2012 Cryptography: RSA Mike Rosulek

6 Problems

1. Prove that if g

a

≡ 1 (mod n) and g

b

≡ 1 (mod n), then g

gcd(a,b)

≡ 1 (mod n).

2. Prove that gcd(2

a

, 2

b

) = 2

gcd(a,b)

.

3. Prove that x

a

% n = x

a%φ(n)

% n. In other words, when working modulo n, you can reduce

exponents modulo φ(n).

4. In this problem we determine the efﬁciency of Euclid’s GCD algorithm. Since its input is a pair

of numbers (a, b), let’s call a+b the size of the input. Let F

k

denote the kth Fibonacci number,

using the indexing convention F

0

= 1; F

1

= 2. Prove that (F

k

, F

k−1

) is the smallest-size input

on which Euclid’s algorithm makes k recursive calls. Hint: Use induction on k.

Note that the size of input (F

k

, F

k−1

) is F

k+1

, and recall that F

k+1

≈ φ

k+1

, where φ ≈ 1.618 . . .

is the golden ratio. Thus, for any inputs of size N ∈ [F

k

, F

k+1

), Euclid’s algorithm will make

less than k ≤ log

φ

N recursive calls. In other words, the worst-case number of recursive calls

made by Euclid’s algorithm on an input of size N is O(log N), which is linear in the number

of bits needed to write such an input.

7

5. Consider the following “multi-message” TDF inversion game:

(a) The challenger generates (pk, sk) ← KeyGen and gives pk to /.

(b) As many times as / wants: the challenger chooses a string x

i

uniformly from ¦0, 1¦

n

and gives F(pk, x

i

) to /.

(c) / outputs a string ´ x.

(d) If F(pk, ´ x) = F(pk, x

i

) for any x

i

chosen in step (b), then the outcome of the game is

YES, otherwise the outcome is NO.

Show that if (KeyGen, F, F

−1

) is a TDF, then it no adversary succeeds with more than negli-

gible probability in the multi-message game above.

6. The Chinese Remainder Theorem states that there is always a solution for x in the following

system of equations, when gcd(r, s) = 1:

x ≡ u (mod r)

x ≡ v (mod s)

Give an example u, v, r, s, with gcd(r, s) ,= 1 for which the equations have no solution.

Explain why there is no solution.

7. (a) Show a reduction from the problem of computing φ(N) to the problem of factoring N,

when N is the product of two distinct primes. That is, show that given N and φ(N), it

is possible to factor N easily. BTW, you can’t say “ﬁrst compute d, then ﬁnd a non-trivial

square root of unity, then factor N” because the ﬁrst step (computing d) is only relevant

when a corresponding encryption exponent e is known. In this problem, all you are

given is N and φ(N). Hint: write down the coefﬁcients of the quadratic equation whose

two roots are p and q.

7

A more involved calculation that incorporates the cost of each division (modulus) operation shows the worst-case

overall efﬁciency of the algorithm to be O(log

2

N) — quadratic in the number of bits needed to write the input.

19

Spring 2012 Cryptography: RSA Mike Rosulek

(b) Write a pari function that takes as input an RSA modulus N and φ(N) and factors

N. Use it to factor the following 2048-bit RSA modulus. Note: take care that there

are no precision issues in how you solve the quadratic equation; double-check your

factorization!

N = 133140272889335192922108409260662174476303831652383671688547009484

253235940586917140482669182256368285260992829447207980183170174867

620358952230969986447559330583492429636627298640338596531894556546

013113154346823212271748927859647994534586133553218022983848108421

465442089919090610542344768294481725103757222421917115971063026806

587141287587037265150653669094323116686574536558866591647361053311

046516013069669036866734126558017744393751161611219195769578488559

882902397248309033911661475005854696820021069072502248533328754832

698616238405221381252145137439919090800085955274389382721844956661

1138745095472005761807

phi = 133140272889335192922108409260662174476303831652383671688547009484

253235940586917140482669182256368285260992829447207980183170174867

620358952230969986447559330583492429636627298640338596531894556546

013113154346823212271748927859647994534586133553218022983848108421

465442089919090610542344768294481725103757214932292046538867218497

635256772227370109066785312096589779622355495419006049974567895189

687318110498058692315630856693672069320529062399681563590382015177

322909744749330702607931428154183726552004527201956226396835500346

779062494259638983191178915027835134527751607017859064511731520440

2981816860178885028680

8. In 1937, Alan Turing proposed the following cipher, based on the difﬁculty of factoring:

8

• Beforehand, Alice and Bob agree on a secret key k, which is a large prime.

• To encrypt an English plaintext m, Alice encodes m as a large prime number ´ m in the

following way:

(a) Replace A with “01”, B with “02”, etc.

(b) Append all these numbers together. For instance, the message VICTORY would be-

come 22090320151825:

V I C T O R Y

22 09 03 20 15 18 25

(c) Append several digits to the resulting number so that the result is prime. For in-

stance, 22090320151825 ; 2209032015182513 is prime. We assume this can be

done efﬁciently, perhaps by adding sufﬁcient 0s and then using the nextprime func-

tion in PARI.

(d) Call the resulting encoding ´ m. So if m = VICTORY, then ´ mcould be 2209032015182513

Then Alice computes the integer c = ´ m k. The ciphertext is c.

• To decrypt c, Bob computes ´ m = c/k, which is guaranteed to be a (prime) integer, and

then decodes ´ m into the corresponding English message m.

8

He may have been the ﬁrst to recognize that number theory and intractibility could be used for practical purposes.

20

Spring 2012 Cryptography: RSA Mike Rosulek

Show that if Alice encrypts and sends two messages to Bob, then the eavesdropper can easily

recover the secret key. The eavesdropper need not know the two messages sent.

9. (a) Show that if p and q are known distinct primes, then it is possible to efﬁciently compute

all four square roots of unity modulo pq. Hint: CRT!

(b) Implement a pari function that takes distinct primes p and q as input and returns the

four square roots of unity modulo pq. Use it to compute the four square roots of unity

modulo

N = 1052954986442271985875778192663 611174539744122090068393470777

10. Show that, conditioned on w ∈ Z

∗

N

, the SqrtUnity subroutine outputs a square root of unity

chosen uniformly at random from the 4 possible square roots of unity. Hint: use the Chinese

Remainder Theorem.

11. Suppose N is an RSA modulus, and x

2

≡ y

2

(mod N), and x ,≡ ±y (mod N). Show that N

can be efﬁciently factored if such a pair x and y are known.

12. Explain why the RSA encryption exponent e must always be an odd number.

13. When N is an RSA modulus, why is squaring modulo N a 4-to-1 function, but raising to the

e

th

power modulo N is 1-to-1?

14. Prove that the CRT

r,s

function preserves quadratic residuosity (when r and s are relatively

prime). That is, if x is a quadratic residue modulo rs then x%r is a quadratic residue modulo

r and x %s is a quadratic residue modulo s.

15. Show that the set ¦a ∈ Z

∗

N

[ a

N−1

≡ 1 (mod N)¦ is a subgroup of Z

∗

N

, for every N.

16. Implement the Solovay-Strassen test in pari. The probability of a false positive should be

at most 1/2

n

, where n is the number of bits in the given number. Note: pari implements

the Jacobi symbol under the name kronecker – the Kronecker symbol generalizes the Jacobi

symbol.

17. Implement a pari function that efﬁciently factors an RSA modulus N, given only N, e, and

d. Use your function to factor the following 2048-bit RSA modulus. Note: pari function

valuation(n,p) returns the largest number d such that p

d

[ n.

N = 157713892705550064909750632475691896977526767652833932128735618711

213662561319634033137058267272367265499003291937716454788882499492

311117065951077245304317542978715216577264400048278064574204140564

709253009840166821302184014310192765595015483588878761062406993721

851190041888790873152584082212461847511180066690936944585390792304

663763886417861546718283897613617078370412411019301687497005038294

389148932398661048471814117247898148030982257697888167001010511378

647288478239379740416388270380035364271593609513220655573614212415

962670795230819103845127007912428958291134064942068225836213242131

15022256956985205924967

e = 327598866483920224268285375349315001772252982661926675504591773242

501030864502336359508677092544631083799700755236766113095163469666

21

Spring 2012 Cryptography: RSA Mike Rosulek

905258066495934057774395712118774014408282455244138409433389314036

198045263991986560198273156037233588691392913730537367184867549274

682884119866630822924707702796323546327425328705958528315517584489

590815901470874024949798420173098581333151755836650797037848765578

433873141626191257009250151327378074817106208930064676608134109788

601067077103742326030259629322458620311949453584045538305945217564

027461013225009980998673160144967719374426764116721861138496780008

6366258360757218165973

d = 138476999734263775498100443567132759182144573474474014195021091272

755207803162019484487127866675422608401990888942659393419384528257

462434633738686176601555755842189986431725335031620097854962295968

391161090826380458969236418585963384717406704714837349503808786086

701573765714825783042297344050528898259745757741233099297952332012

749897281090378398001337057869189488734951853748327631883502135139

523664990296334020327713900408683264232664645438899178442633342438

198329983121207315436447041915897544445402505558420138506655106015

215450140256129977382476062366519087386576874886938585789874186326

69265500594424847344765

18. Bob chooses an RSA plaintext m ∈ Z

N

and encrypts it under Alice’s public key as c ≡ m

e

(mod N). To decrypt, Alice ﬁrst computes m

p

≡ c

d

(mod p) and m

q

≡ c

d

(mod q), then uses

the CRT to solve for m in Z

N

, just as expected. But suppose Alice is using faulty hardware, so

that she computes a wrong value for m

q

. The rest of the computation happens correctly, and

Alice computes the (wrong) result ˆ m. Show that, no matter what m is, and no matter what

Alice’s computational error was, Bob can factor N if he learns ˆ m. Hint: Bob knows m and ˆ m

satisfying the following:

m ≡ ˆ m (mod p)

m ,≡ ˆ m (mod q)

19. In this problem we’ll see that it’s bad to choose RSA prime factors p and q too close together.

(a) Let s = (p − q)/2 and t = (p + q)/2. Then t is an integer greater than

√

N such that

t

2

−N is a perfect square. When p and q are close, t is not much larger than

√

N, so by

testing successive integers, it is possible to ﬁnd t and s, and hence p and q. Describe the

details of this attack and how it works.

(b) Implement a pari function that factors RSA moduli using this approach. Use it to factor

the following 2048-bit number (whose two prime factors are guaranteed to be close

enough for the factoring approach to work in a reasonable amount of time, but far

enough apart that you can’t do the trial-and-error part by hand). What qualiﬁes as “close

prime factors” in this problem? How close was t to

√

N? Hint: pari has an issquare

function. Also, be sure to do exact square roots over the integers, not the reals.

N = 514202868664266501986736340226343880193216864011643244558701956114

553317880043289827487456460284103951463512024249329243228109624011

915392411888724026403127686707255825056081890692595715828380690811

131686383180282330775572385822102181209569411961125753242467971879

131305986986525600110340790595987975345573842266766492356686762134

22

Spring 2012 Cryptography: RSA Mike Rosulek

653833064511337433089249621257629107825681429573934949101301135200

918606211394413498735486599678541369375887840013842439026159037108

043724221865116794034194812236381299786395457277559879575752254116

612726596118528071785474551058540599198869986780286733916614335663

3723003246569630373323

20. I have published my RSA public key (N, e) and agree to play the following game with you:

(a) I (secretly) choose a plaintext m uniformly from Z

N

. I encrypt it under my public key to

obtain c. I tell you c.

(b) You choose a value c

,= c.

(c) I decrypt c

under my RSA private key to obtain m

. I tell you m

.

(d) You try to guess m.

Describe a strategy by which you can always correctly guess m in this game. Clearly state

how you choose c

**and how you compute your guess for m.
**

Note: It is important that c

,= c in step (b). If you were allowed to choose c

= c, then

m

**= m, and it would be trivially easy to correctly guess m.
**

23

Spring 2012

Cryptography: RSA

Mike Rosulek

1

The RSA Function

RSA was among the ﬁrst public-key cryptography developed. It was ﬁrst described in 1978, and is named after its creators, Ron Rivest, Adi Shamir, and Len Adleman.1 Although plain “textbook” RSA does not satisfy all of the desired properties of a proper encryption scheme, it provides a good ﬁrst exposure to practical public-key cryptography. Before introducing RSA, we need to ﬁrst reacquaint (or introduce) ourselves to a few important concepts from number theory.

1.1

Number Theory

Z is the set of integers (positive, negative, and zero). For a, b ∈ Z, we say that a divides b, and write a | b, if there exists an integer c such that ac = b. In other words, b is an integer multiple of a. Division Theorem. For all a, b ∈ Z with b = 0, there exist unique q, r ∈ Z simultaneously satisfying a = bq + r and 0 ≤ r < |b|. We deﬁne a % b to be the unique value of r from the division theorem. The % symbol is called the modulus operator.2 We write a ≡ b (mod n) if n | (a − b). Equivalently, a ≡ b (mod n) if and only if a % n = b % n. We deﬁne Zn = {0, . . . , n − 1} to be the set of remainders modulo n, or, more formally, the additive group modulo n. Arithmetic (addition, subtraction, multiplication)3 works in Zn by simply reducing the result modulo n. It doesn’t matter whether you reduce intermediate steps modulo n, since: ((a % n) + (b % n)) % n = (a + b) % n ((a % n)(b % n)) % n = ab % n Every element x ∈ Zn has an inverse with respect to addition mod n: namely −x % n. For example, the additive inverse of 11 mod 14 is −11 ≡ 3 (mod 14). Greatest Common Divisors If d | x and d | y, then d is a common divisor of x and y. The largest possible such d is called the greatest common divisor (GCD), denoted gcd(x, y). The oldest numerical algorithm known is the one Euclid described for computing GCDs (ca. 300 BCE): GCD(x, y): // Euclid’s algorithm if y = 0 then return x else return GCD(y, x % y) If gcd(x, y) = 1, then we say that x and y are relatively prime. We let Z∗ denote the set {x ∈ Zn | gcd(x, n) = 1}, the multiplicative group modulo n. This n group is closed under the operation of modular multiplication (if gcd(x, n) = gcd(y, n) = 1, then

Poor Clifford Cocks; he developed an equivalent scheme in 1973, but it was classiﬁed since he was working for British intelligence. Maybe we should incorporate a “C” into the acronym somewhere... SCAR? 2 We use the convention that a % b is always always nonnegative, even if a is negative. This is different than the convention in some programming languages, in which (−a) % b = −(a % b). 3 Division does not always “just work” in Zn .

1

2

. (q − 1)p. 2p.e. y) is the smallest positive integer that can be written as an integral linear combination of x and y. there exist integers s and t such that sx + ty = gcd(x. y). • The multiples of p: p. Here’s an important theorem from abstract algebra: 3 . . To be a group. but they typically rely on knowing the prime factorization of n. 0) else (d. We have not double-counted in the last two lists: any item that occurs in both lists would be a common multiple of both p and q. pq which you can easily verify to be equal to (p − 1)(q − 1). This is one effcient way to compute modular (multiplicative) inverses: Bezout(x. . . 1. n) = 1 and there exist integers s. One way to see this is that there are pq elements in Zpq . their least common multiple is pq. . s. n) = 1 by Euclid’s algorithm). s − t x/y ) The Totient Function Euler’s totient function is deﬁned as φ(n) = |Z∗ |. gcd(x. 3p. then φ(pq) = (p − 1)(q − 1). . (p − 1)q.Spring 2012 Cryptography: RSA Mike Rosulek gcd(xy. • The multiples of q: q. n) = 1 and thus gcd(xy % n. That’s (p − 1) elements. if p is a prime. We write x−1 for the element s % n ∈ Z∗ . for all x ∈ Z∗ there must be a y ∈ Z∗ so that xy ≡ 1 (mod n). General formulas for φ(n) exist. y) = d = sx + ty if y = 0 then return (x. As an example. In fact. Therefore the size of Z∗ is pq − 1 − (p − 1) − (q − 1). x % y) return (d. . in other words. t satisfying sx + tn = 1. 3q. . For all integers x and y. That’s (q − 1) elements. but when p and q are distinct primes. then Z∗ = Zn \ {0} (every integer from 1 to p − 1 is relatively n prime to p). By reducing n both sides of this equation modulo n. t) such that // gcd(x. we have 1 ≡ sx + tn ≡ sx + 0 (mod n) (since tn ≡ 0 (mod n)). that is. s. If x ∈ Z∗ then gcd(x. thus φ(p) = p − 1. t. t) = Bezout(y. the number of elements of Zn n which are relatively prime to n. the set must be closed under inverses. which is larger than any item in the lists. . 2q. If p and q are distinct primes. Thus the integer s guaranteed by Bezout’s theorem is a multiplicative inverse of x modulo n. are not in Z∗ ): pq • Zero. This n n follows from the following theorem: Bezout’s Theorem. y): // returns (d. That’s one element. We will see more connections between the difﬁculty of computing φ(n) and the difﬁculty of factoring n later in this chapter. Let’s count how many elements in Zpq share a common divisor with pq (i. n An extended version of Euclid’s GCD algorithm can be used to compute the integers s and t while the GCD is being computed.

F. played between an adversary (algorithm) A and a challenger: 1.) Deﬁnition. It is important to note that e and d “live” in Z∗ ) . As a corollary. called the inversion game. These names are historical. 1.3 The Security of RSA We see that for anyone who knows the values (N. N is called the RSA modulus.Spring 2012 Cryptography: RSA Mike Rosulek LaGrange’s Theorem. but not entirely precise.” that xp−1 ≡ 1 (mod p) for all x. • The inverse RSA function is RSA−1 ((N. 1}n . F −1 ) be a collection of three functions. e). Let Σ = (KeyGen. (Recall that one-way functions were not parameterized by any kind of keys. remember that RSA by itself does not achieve the security of a proper encryption scheme. However. we can deduce Fermat’s “little theorem. The challenger gives pk and F (pk. we have that: xφ(n) ≡ 1 (mod n) for all x ∈ Z And as a ﬁnal corollary. • Let e and d be integers such that ed ≡ 1 (mod φ(N )). 2. when p is prime. Because the deﬁnition refers to inversion (and not other properties like hiding partial information). and let N = pq. and d is called the decryption exponent. That is. m) = me % N . Then: (me )d ≡ med ≡ mtφ(N )+1 ≡ (mφ(N ) )t m ≡ 1t m ≡ m (mod N ) where we have used the fact that mφ(N ) ≡ 1 (mod N ) from LaGrange’s theorem. m)) = m. here we must adapt the deﬁnitions to accommodate keys being generated. it is easy to invert the RSA function. Since ed ≡ 1 (mod φ(N )). Essentially. d). Deﬁne the following game. the RSA function (and its inverse) is a simple modular exponentiation. and d satisfy the properties listed above. • The RSA function is RSA((N. knows the factorization of N = pq). 4 . then xk = 1 for all x ∈ G. d) (or equivalently. 1. e). φ(N Let’s make sure the claimed inverse is really an inverse. e. If G is a multiplicative group with k elements. d). RSA((N. sk) ← KeyGen and chooses a string x uniformly from {0. we reuse many of the concepts from our earlier deﬁnition of one-way functions. while m and c “live” in ZN . e is called the encryption exponent. e). we can write ed = tφ(N ) + 1 for some integer t. A outputs a string x. Our desired security from RSA is that the RSA function is hard to invert when given only the values (N. c) = cd % N . x) as input to A. The challenger generates (pk. when N . 3.2 The RSA Function The RSA function is deﬁned as follows: • Let p and q be distinct primes (later we will say more about how they are chosen). we have RSA−1 ((N.

F −1 ). 3. though. Denote the (random variable) outcome of this game as Invert(Σ. we have Pr[Invert(Σ. then the outcome of the game is YES. F −1 ) be a collection of three functions. F. otherwise the outcome is NO. we typically refer to the forward-computing function F when the corresponding KeyGen function and F −1 are clear from context. Deﬁnition. F (pk. x) = F (pk. x). the security deﬁnition applies to the trio (KeyGen. 2. x)) = x. Then the collection is a trapdoor function (TDF) if: 1. Correctness: For all (pk. Trapdoor one-wayness: For every efﬁcient adversary A. A). A) = YES] ≈ 0. 5 . F . Formally. Efﬁciency: Each of KeyGen. If F (pk. we would say that “the RSA function m → me % N is a trapdoor function. and F −1 can be computed efﬁciently.” with the understanding that N and e are chosen in the appropriate way. Let Σ = (KeyGen. For example. we have F −1 (sk. sk) ← KeyGen and all strings x. To make things simpler.Spring 2012 Cryptography: RSA Mike Rosulek 4. F.

Its elements are pairs. We can use this structure to optimize some algorithms related to RSA.s (x) · CRTr. v. x ≡ var + ubs ≡ (va)0 + u(s−1 s) ≡ u (mod r) By a symmetric argument. respectively. Since gcd(r.s (x) + CRTr. it must be a bijection. Recall that b ≡ s−1 (mod r). s) = 1. With addition and multiplication deﬁned within the product group Zr × Zs .s (x · y) 6 (mod s) . d) = (a + c. x % s) = (u. and we can deﬁne addition and multiplication on those pairs as follows: (a. restated. Thus CRTr. we can see that x ≡ v (mod s). Groups We can consider the cartesian product Zr × Zs to be a mathematical group. every (u. this solution is unique modulo rs. Let u ∈ Zr and v ∈ Zs . The operators on the right-hand side are the operators within the groups Zr and Zs . Deﬁne the function CRTr. s) = 1 then for all integers u. s) = 1. Choose x = var + ubs. and (x % rs) % s = x % s.s (x) for some x ∈ Zrs .s (x) = (x % r.s (x + y) CRTr. note that (x % rs) % r = x % r. b) · (c.s (y) = CRTr. Another way to think of the CRT is in terms of solving a system of modular equations: Chinese Remainder Theorem (CRT). b + d) (a.s (x % rs) = (x % r. so x % rs is the desired preimage of (u. Then CRTr.s is a surjection.Spring 2012 Cryptography: RSA Mike Rosulek 2 Chinese Remainder Theorem and Applications The multiplicative group Z∗ has some interesting structure when N is the product of distinct N primes. v) in Zrs . Chinese Remainder Theorem (CRT). Then. If gcd(r. Then. we will show that CRTr. x % s). from our earlier discussion of modular (multiplicative) inverses. v). we have by Bezout’s theorem that 1 = ar + bs for some integers a and b. there is a solution for x in the following system of equations: x ≡ u (mod r) x≡v Furthermore. and since CRTr. since |Zrs | = rs = |Zr × Zs |. Next.s is a surjection from one set to another.s (y) = CRTr. it is easy to see that the following properties of the CRT function are true for all x. b · d) Note that the + and · operators on the left-hand side are the operator in Zr × Zs that we are deﬁning. b) + (c.s is a bijection whenever gcd(r. v) ∈ Zr × Zs is equal to CRTr. y ∈ Zrs : CRTr. d) = (a · c. Proof: First. which we are using.s : Zrs → Zr × Zs as CRTr. that is.

q (CRTp. single numbers). It’s worth pointing out that this speedup can only be done for the RSA inverse function. while the addition and multiplication on the right-hand side are operating on elements of Zrs (i. = The correspondence between Zrs and Zr × Zs extends beyond simple addition and multiplication. Thus.q (c))d ) = CRTp. and only the party performing the RSA inverse function typically knows this. c % q).q (cd )) = CRTp. A great example is computing the RSA inverse function c → cd % N .q (whose deﬁnition is implicit in the ﬁrst proof of this section) is inconsequential compared to the cost of the exponentiations..1 Application to RSA Since Zrs and Zr × Zs are essentially the same mathematical object. to obtain the pair (c % p. then perform the exponentiation separately modulo p and modulo q. 4 φ(pq) = |Z∗ | = |Z∗ × Z∗ | = (p − 1)(q − 1). it preserves the invertibility of rs r s elements. the addition and multiplication on the left-hand side are operating on elements of Zr × Zs (i. then N is about 2n bits long. pq p q 7 . If p and q are n bits long.e. cd % q) In other words.Spring 2012 Cryptography: RSA Mike Rosulek Again. This would require 2 exponentiations.e. r) = gcd(x. This is because gcd(x. We call such a function an isomorphism. thus about −1 2(n3 ) steps. that is.4 2. we obtain a speed increase by a factor of about 4. Fun fact: this yields an alternative proof that φ(pq) = (p − 1)(q − 1) when p and q are prime. and vice-versa. we could also compute cd by ﬁrst applying the CRT mapping.q (cd % p. Almost every conceivable property of the elements is preserved. Computing CRTp. Performing an exponentiation modulo a n-bit number requires about n3 steps.. So the RSA inverse function costs about (2n)3 = 8n3 steps to perform. s) = 1. One must know p and q in order to exploit the Chinese Remainder Theorem. using CRT. However. s) = 1 whenever gcd(r. We see that the CRT function is a bijection and that it preserves group operations. now modulo n-bit numbers. then invert the CRT mapping. CRTr. pairs).s always maps elements of Z∗ to elements of Z∗ × Z∗ .q ((CRTp. For example. and say that the two groups Zrs and Zr × Zs are isomorphic (written as Zrs ∼ Zr × Zs ). we can use whichever interpretation is convenient for us. rs) = 1 implies gcd(x. consider the following observation: −1 −1 −1 cd = CRTp.

then it is trivial to invert RSA by computing c → cd % N . then φ(N ) can be easily computed as φ(N ) = (p − 1)(q − 1). Then the security reduction means that any attack on the system can be transformed into an algorithm for factoring. Now consider the contrapositive: If we believe that no efﬁcient algorithm for B (factoring) exists. It’s convenient to break down this reduction into two steps. then there must not be an efﬁcient algorithm for A. if the factorization of N = pq is known. Certainly. computing modular inverses. The problem “X” in question is the following: 8 . When RSA was originally proposed. Security Reductions A security reduction is a statement like “if there is an efﬁcient algorithm for A. which is the number of bits in the numbers involved. The RSA function is a trapdoor function. A more sophisticated reduction is the following: Claim. and B is a problem like factoring. in our example. In other words.Spring 2012 Cryptography: RSA Mike Rosulek 3 Security Reductions It is believed (but not proved) that the RSA scheme is a trapdoor one-way function. e. and that an efﬁcient algorithm for X implies an efﬁcient algorithm for factoring N . and d is already able to (easily) do all of these things. After all. we imagine that the person who chooses N . If d is known. then there is an efﬁcient algorithm for B. It is not hard to see that if one is able to factor the modulus N . An overview of several security reductions related to RSA is given below in Figure 1. These very simple reductions establish the three main left-to-right arrows in the ﬁgure. If there is an efﬁcient algorithm for computing d. and computing modular exponentiation — all of which are efﬁcient in the security parameter. However. RSA Assumption. then one can easily compute the decryption exponent d and thus invert RSA. For instance. then there is an efﬁcient algorithm for factoring N . Thus. Note that these simple reductions involve steps like multiplication. if RSA is a TDF.” Why is such a statement useful? Consider the case where A is the problem of violating a security condition. If φ(N ) is known. it was conjectured that inverting RSA is equivalent to the Factoring Assumption. then the Factoring Assumption is true. then it is easy to compute d ≡ e−1 (mod φ(N )). it is not known whether the Factoring Assumption implies that RSA is a TDF. or computing d. when p and q are distinct primes chosen uniformly at random from all n-bit primes. We ﬁrst introduce a new problem “X” and then show two reductions: that an efﬁcient algorithm for computing d implies an efﬁcient algorithm for X. we do not know if there are ways to invert RSA that don’t involve factoring N . we do know that certain kinds of attacks against RSA are equivalent to factoring. if RSA really is a TDF then the following assumption must be true: Factoring Assumption. there is no efﬁcient way to violate the security condition. and these will provide our ﬁrst exposure to security reductions. Unfortunately. There is no efﬁcient algorithm that outputs p or q with more than negligible probability given pq as input.

x + 1)} = {p. If there is an efﬁcient algorithm for computing d. then there are 4 square roots of unity modulo N : two trivial and two non-trivial ones (see the exercises in this chapter). .Spring 2012 trivial homework thi s se ctio n ho me wo rk Cryptography: RSA Mike Rosulek Factoring N Computing φ(N ) Finding non-trivial √ 1 mod N trivial Computing d n tio trivial Inverting RSA ?? th ec is s Figure 1. wr . but we must argue that it is correct. s Compute the sequence (−1. . Lemma. Return the number just before the ﬁrst 1 that appears in the sequence..e. Proof: We assume that there is an efﬁcient algorithm for computing nontrivial square roots. x − 1) The algorithm is simple. If there is an efﬁcient algorithm for computing nontrivial square roots of unity modulo N . Our reduction is simple: the efﬁcient algorithm for factoring N is: Factor(N ): x = ﬁnd a nontrivial square root of unity modulo N return gcd(N. Lemma. w2r .e. we are allowed to write an algorithm that includes the step “ﬁnd a nontrivial square root of unity modulo N ”. An arrow from A to B means that an eﬃcient algorithm for A implies one for B.. If x ≡ 1 (mod N ) and x ≡ −1 (mod N ). . e. then there is an efﬁcient algorithm for factoring N . d): Write ed − 1 = 2s r. for any N . 9 . or in other words. it follows that {gcd(N. But if N = pq is the product of distinct odd primes. w4r . Let x be a nontrivial square root of unity modulo N . i. Deﬁnition. pq | (x2 − 1). w2 r ) modulo N . q}. and we assume that this step takes a polynomial amount of time (polynomial in the number of bits needed to represent the numbers involved). . thus pq | (x ± 1). Now consider the following subroutine: SqrtUnity(N. x + 1) and gcd(N. with r odd (i. we have x ≡ ±1 (mod pq). then there is an efﬁcient algorithm for computing nontrivial square roots of unity modulo N . we have pq | (x + 1)(x − 1). x − 1). gcd(N. Note that ±1 are always square roots of unity modulo N . then we have the following: pq | AB and pq | A and pq | B =⇒ either (p | A and q | B) or (p | B and q | B) Substituting A = x + 1 and B = x − 1. Factoring the right-hand-side. then we say that x is a non-trivial square root of unity. A number x is a square root of unity modulo N if x2 ≡ 1 (mod N ). Proof: As before. we suppose that in addition to the modulus N and exponent e. factor out as many 2s as possible) Choose w uniformly at random from ZN . But since x is a nontrivial square root of unity. w8r . When p and q are distinct primes. Then x2 ≡ 1 (mod pq). we can obtain the exponent d in polynomial time.

With probability 1/2. computing φ(N ).5 When we have a reduction (or path of reductions) from A to B and also from B to A. computing d. Then w2 r = wed−1 ≡ wtφ(N ) ≡ 1t ≡ 1 (mod N ) from LaGrange’s theorem. We can repeat this basic process n times. we can write ed = tφ(N ) + 1 for some integer t. gcd(N. there is an efﬁcient algorithm for A if and only if there is one for B. w) ∈ {p. e. In that case. After N is factored. . d) returns a square root N of unity chosen uniformly at random from among the four possible square roots of unity. this would mean that gcd(N. 5 In general it is acceptable for reductions such as these to fail with negligible probability. it is possible to show that SqrtUnity(N. Furthermore.. . Indeed. 10 . which is negligible. since the sequence of numbers wr . it may be the case that the factoring assumption is true (i. are obtained by squaring the previous number. q} and we can factor N .e. ∗ In the rare event that w is chosen so that w ∈ ZN . It is not clear whether inverting RSA is actually easier than factoring. So 1 is the last number in the sequence in step 3 of SqrtUnity. and the probability that we fail to encounter a nontrivial square root of unity is 1/2n . Since there is a reduction from these equivalent problems to the problem of inverting RSA. we can see that four problems — factoring N . Indeed. and ﬁnding a nontrivial square root of unity mod N — are all equivalent in this sense. it is easy to compute a nontrivial square root of unity modulo N (see the homework). factoring RSA moduli is hard) and yet RSA is not a TDF. w2r . In our case. we say that A and B are equivalent. Conditioned on w ∈ Z∗ . we say that inverting RSA is no harder than factoring. w) = 1.Spring 2012 Cryptography: RSA Mike Rosulek s Since ed ≡ 1 (mod φ(N )). thus step 4 of SqrtUnity is well-deﬁned — there is always a “1” appearing somewhere in the sequence. . the output of SqrtUnity is indeed a square root of unity. the output is a nontrivial square root.

pq) = 1. pq is −1 if a is a quadratic residue modulo exactly one of p and q. The Jacobi symbol a = n a n is deﬁned as follows: if n is prime if n = ei i pi a(n−1)/2 % n i a pi ei is the prime factorization of n We will be most interested in the case where the “denominator” is the product of two distinct a a a primes. In this section we will see one example of information that is leaked by RSA. This quantity is always a square root of unity modulo p. However. 4}. so it must be either +1 or −1. which equals 0 if gcd(a. and partial information B is not leaked).Spring 2012 Cryptography: RSA Mike Rosulek 4 Partial Information Leaked by RSA If the RSA function is hard to invert. If |X| = 1. we simply describe an appropriate algorithm! A good way to think about partial information is as a function on plaintexts. 4. this is also the case when considering trapdoor functions. Note that there are only two possibilities for a(p−1)/2 . We say that x ∈ Z∗ is a quadratic residue modulo n if there exists y ∈ Z∗ satisfying n n x ≡ y 2 (mod n). we have an easy way of determining quadratic residuosity modulo an odd prime: Theorem (Euler’s Criterion). We can see that pq = a p q . To prove both of these claims (that partial information A is leaked. and it is +1 otherwise. how can we be sure that certain information is not leaked? This will be one of our lovely examples of how all of our security statements are demonstrated via appropriate algorithms. Example: We can write out the elements of Z∗ and square each one. then there is really no information leaked – we can compute f (m) without looking at F (pk. We let QRn denote the set of quadratic residues modulo n. The resulting numbers are 15 the quadratic residues: x 1 2 4 7 8 11 13 14 x2 1 4 1 4 4 1 4 1 Therefore we see that QR15 = {1. This is done with the Jacobi symbol: Deﬁnition. Since the security deﬁnition of RSA makes no reference to partial information leakage.” Indeed. we will also see an example of some partial information that is not leaked.1 Quadratic Residuosity and Jacobi Symbols Deﬁnition. Suppose f : M → X for some set X. We’ll say that a TDF leaks f if there is an efﬁcient algorithm that determines f (m) given only pk and F (pk. The idea behind Euler’s criterion can be extended for a non-prime modulus. Due to the following famous theorem of Euler. we will consider it a signiﬁcant leakage. 11 . does that mean that it hides all partial information about its input? We have previously seen in the case of (plain) one-way functions that “hard to invert” does not imply “hides all partial information. m). m)! But even if |X| = 2. If p is an odd prime then a ∈ QRp if and only if a(p−1)/2 ≡ 1 (mod p).

we must have m = N = N m N . Our algorithm for recovering m given pk and c works like this:6 When we receive input c. when after all the TDF deﬁnition does not consider partial information leakage? The way to do it is by reducing the problem of learning f (m) to a problem that the TDF deﬁnition does consider! We will show the following reduction: If there is an efﬁcient algorithm to determine f (m) in the TDF experiment. Next. 4. Since the Jacobi symbol is always in {−1. there is an efﬁcient algorithm for determing the value of a Jacobi symbol based applying the following four identities: a = n ab n = a%n n a n b n 2 n = (−1)(n − n a n a 2 −1)/8 a = n if n ≡ a ≡ 3 otherwise (mod 4) 4.2 RSA Leaks the Jacobi Symbol y x x The Jacobi symbol n satisﬁes the equality n n = xy . Approximately half of the elements of ZN = M have Jacobi symbol +1 and the other half have Jacobi symbol −1 (a very small fraction have Jacobi symbol 0). After running A on input (pk. e) and c = me % N correctly outputs F H(m). we will show that if one is able to compute it. note that if we know c = me . But writing out the full details of the reduction is quite tedious. it can double the adversary’s probability of successfully guessing the plaintext. we do not need to factor numbers to compute it. which on input pk = (N. In fact. we have n m e me that N = N . we narrow down the possibilities for m by half — m is either in the ﬁrst half or second half of ZN . we’ll just present an outline of the approach. +1}. 0. we can be conﬁdent that there is no efﬁcient algorithm for determining f (m) — in other words.Spring 2012 Cryptography: RSA Mike Rosulek Even though the deﬁnition of the Jacboi symbol is in terms of the prime factorization of the denominator. Thus in the context of RSA. c2e ) to The main idea behind the reduction is fairly simple — binary search. then we could use that algorithm to completely determine m.3 RSA Does Not Leak the First-Half Function We now give an example “leakage function” f such that RSA does not leak f (m). RSA does not leak f as long as RSA does not leak the entire plaintext! The leakage function we have in mind is the following (deﬁned over the set of RSA plaintexts M = ZN ): −1 0 if 0 ≤ m ≤ N 2 F H(m) = +1 1 if N 2 ≤ m ≤ N − 1 Although F H (which incidentally stands for ﬁrst half) is only a single bit of information about m. then one is able to recover all of m. so learning the Jacobi symbol of the plaintext narrows down the set of potential plaintexts by about half! Equivalently. the Jacobi symbol of the ciphertext (me ) is the same as that of the plaintext (m). In other words. c) to determine F H(m). How can we say that a TDF does not leak a given function f . Suppose we had an efﬁcient algorithm A. we can compute (2m)e = c2e using information we already know (c and e). We leave it as an exercise for the reader that the encryption exponent e must e m e always be odd. So as long as we are conﬁdent that RSA is indeed a TDF. 6 12 . the RSA function preserves the Jacobi symbol. So we can call algorithm A on input (pk. for all we know m could be any number in ZN .

we get {0. N − 2}. So our algorithm for determining m requires n calls to the algorithm A (as well as some other multiplications. . When we double (mod N ) the numbers {(N + 1)/2. but still polynomial-time in the security parameter n if A is polynomial-time. 1. or in other words. . we can use the algebraic properties of RSA along with our assumed algorithm A to determine F H(2i m) for values i = 0. we know that m must have in fact been from the 2nd half of the 1st half of ZN . (N − 1)/2}. Each time we do so. . 4. In summary. . . we reduce the possibilities for m by half. for example. Then if 2m is in the second half of ZN . . . N − 1}. . 1. We have again cut the set of possibilities for m by half. 2. . . etc) — slower. . . . . that we know that m is in the ﬁrst half. 13 . . . . Each of the halves gets “spread out” across all of ZN from this doubling operation. N − 1}. 3. .Spring 2012 Cryptography: RSA Mike Rosulek determine whether 2m % N is in the ﬁrst half or second half of ZN as well! Now observe that when we double the numbers {0. To get from N possibilites for m to only one possibility for m requires us to halve the possibilities log2 N = n times. So suppose. 5. like a binary search. the 2nd quarter of ZN . .. we get {1.

but this is still pretty bad.Spring 2012 Cryptography: RSA Mike Rosulek 5 Primality Testing One issue we’ve glossed over that you may have noticed is that the KeyGen algorithm for RSA must choose two large random prime numbers. Without much effort we can make the false-positive probability less than. Let π(N ) be the number of primes less than N . Stated differently. the RandomPrime algorithm given above is efﬁcient (in the average case). . . say. uniformly distributed from all primes whose binary representation requires exactly k bits. but not very practical.1 Randomized Primality Algorithms In 2002. So in principle. with very small probability. If N = 2n − 1 (the largest n-bit number). they might report a composite number to be prime. This is “efﬁcient” by our deﬁnitions. If a process has a successful outcome with probability p. Unfortunately. These algorithms are much more practical. then the expected number of times needed to repeat the process to encounter the ﬁrst successful outcome is 1/p. How can we implement IsPrime() efﬁciently? The ﬁrst question is answered by the following famous theorem of number theory: Prime Number Theorem. O(n) is considered efﬁcient. How is this done? Perhaps the most straightforward approach would be the following “trial-and-error” approach: RandomPrime(k): // returns a random k-bit prime do: n ← random k-bit string (most signiﬁcant bit 1) while not IsPrime(n) return n It is clear that this algorithm will return a prime number. the probability of an alpha-particle causing a hardware failure in your computer. if you were to pick a number uniformly at random from {1. Agrawal. for n-bit numbers the algorithm takes about O(n12 ) time. How many times will the algorithm execute the main loop (on average) before it ﬁnds a prime? 2. then this probability is O(1/n). N }. Subsequent improvements have reduced the complexity of the algorithm to about O(n6 ). They have a very small probability of reporting a false positive. What is less clear is the efﬁciency of such an algorithm. By our convention of measuring efﬁciency of numerical algorithms as a function of the number of bits in the numbers. the probability that you would pick a prime number is about 1/ ln N = O(1/ log2 N ). The ratio π(N )/N is the percentage of numbers less than N that are prime. . 14 . and Saxena proved that there is a deterministic efﬁcient algorithm for determining whether a number is prime. that is. Then π(N )/N grows asymptotically as 1/ ln N . There are two main issues related to the efﬁciency of this trial-and-error approach: 1. most applications use a probabilistic (randomized) algorithm. So as long as the IsPrime subroutine is similarly efﬁcient. So instead of using deterministic algorithms for primality. Kayal. So it requires an expected O(n) tries to pick a random n-bit prime. But this probability can be tuned to be as low as we want it. 5. we could use their algorithm for the IsPrime subroutine. but this efﬁciency comes at a price.

Recall that the Jacobi symbol is deﬁned as follows: a = n a(n−1)/2 % n i a pi ei if n is prime if n = ei i pi is the prime factorization of n a Recall also that there is an efﬁcient algorithm for computing the Jacobi symbol n given a and n. N With such a condition P in hand. N 2. Conditioned on the event that the algorithm never outputs “composite”. then N the algorithm can only output “prime” with probability at most 1/2n because each time a is chosen. N ) is true for all a ∈ Z∗ . the algorithm must have avoided the half of Z∗ for which P (a. N ) is true for all a. N ) is false for at least half of a ∈ Z∗ . However. If N is prime. N 5. we ﬁnd an equation P (a.Spring 2012 Cryptography: RSA Mike Rosulek The general outline of a randomized primality test goes like this: First. If N is composite. then P (a. It simply remains to prove the following other property of P : Claim. it might erroneously report that a composite number N is prime. N Before we can prove the claim. output “composite” output “prime” Whenever the algorithm outputs “composite”. If N is still composite. N ) = 1 then output “composite” if P (a. the multiplicative group modulo N . If N is composite. N ) = false for at least half of a ∈ Z∗ . N ) = true false a if N ≡ a(N −1)/2 otherwise (mod N ) We can see by the deﬁnition of Jacobi symbols that if N is prime. with the following condition P (a. The Solovay-Strassen algorithm uses our general framework for a randomized primality test. we see that a is chosen uniformly from Z∗ . not just ZN . it is correct. we can then do the following: RandomizedIsPrime(N ): n = number of bits in N do n times: pick a random a ∈ (ZN \ {0}) if gcd(a. N ): P (a. then P (a.2 Solovay-Strassen The Solovay-Strassen algorithm ﬁts into this framework by using a connection between primes and the Jacobi symbol. we need a little more machinery from abstract algebra. N ) is guaranteed to be false. then P (a. N ) is false. We say that X is a subgroup of Z∗ N N if it satisﬁes the following conditions: 15 . Subgroups Let X be a subset of Z∗ . N ) with the following two properties: 1. then P (a.

which has size at least φ(N )/2. then N we will have established that |X| ≤ φ(N )/2. Thus X is a subgroup of Z∗ . N Proof of the claim We will prove the claim about P (a. N . from our point of view — they mislead us is a subgroup of ZN N into thinking that N is prime. Similarly. a We will follow the outline sketched above... N N Why is this helpful? We want to be able to say that if N is composite. For instance. the elements a for which P (a. N ) is false is Z∗ \ X. we see that: N ab N = a N b N (mod N ) (N −1)/2 (identity for Jacobi symbols) (since a. Let N = p1 · · · pt and deﬁne X = {a ∈ Z∗ | N ≡ N a(N −1)/2 (mod N )}. To do this.. X are the “bad” elements of Z∗ . there is an element a−1 ∈ X such that aa−1 ≡ 1 (mod N ). The following theorem from LaGrange turns out to be very helpful. we can show that X = {a ∈ ZN | P (a. because the product of N quadratic residues is also a quadratic residue. b ∈ X) ≡ a(N −1)/2 b(N −1)/2 ≡ (ab) (mod N ) So ab ∈ X as well.Spring 2012 Cryptography: RSA Mike Rosulek • (Closure under multiplication) For all a. we have (ab % N ) ∈ X. then: a−1 N = a N −1 ≡ (a(N −1)/2 )−1 ≡ (a−1 )(N −1)/2 (mod N ) So a−1 ∈ X as well. if a ∈ X. b ∈ X. If we can then show that there is even one element a ∈ Z∗ \ X. N Recall that N = p1 · · · pt . The case where a prime power divides N is slightly more complicated. We ﬁrst claim that X is a subgroup of Z∗ . then |X| divides φ(N ). then |X| ≤ φ(N )/2. b ∈ X. and the inverse of a quadratic residue is a quadratic residue. Using the Chinese Remainder theorem. For a. the set of quadratic residues QRN is a subgroup of Z∗ .. a number N a a ∈ Z∗ such that N ≡ a(N −1)/2 (mod N ). If X is a subgroup of Z∗ and X = Z∗ . If X is a subgroup of Z∗ . N ) is false for ∗ at least half of the elements a ∈ Z∗ . then P (a. in other words. we can ﬁnd a number a ∈ ZN that satisﬁes the following system: a ≡ b (mod p1 ) a≡1 (mod N/p1 ) 16 . because it yields the following corollary: Corollary. • (Closure under inverses) For all a ∈ X. N ) is true} N ∗ . N All we have to do now is to show that there exists a number a ∈ Z∗ \ X. N ) for the special case where N is a product of distinct primes N = p1 p2 · · · pt . LaGrange’s Theorem. that is.

and it satisﬁes Fermat’s little theorem. the Miller-Rabin test combines Fermat’s little theorem with another property of primes. with r odd (i. That is. we have: a N On the other hand: a(N −1)/2 ≡ −1 a (N −1)/2 = a p1 a N/p1 = b p1 1 N/p1 = (−1)(1) = −1 (mod p1 ) (mod N/p1 ) (from Euler’s criterion for quadratic residues) ≡1 So a(N −1)/2 cannot be congruent to −1 modulo N since it is not congruent to −1 modulo N/p1 . • If N is a composite and a Carmichael number. factor out as many 2s as possible) s Compute the sequence (−1. . a2r . N is a prime power if and only if {±1} are the only square roots of unity modulo N . . ar .e. If the last element of the sequence is not 1. N ): Write N − 1 = 2s r. we have shown that |X| ≤ φ(N )/2.Spring 2012 Cryptography: RSA Mike Rosulek In the above equation. If it outputs s “composite” in the third line. There exist composite numbers N for which aN −1 ≡ 1 (mod N ) for all a. N 5. A prime power is a number of the form pk where p is a prime. a4r . . then it has only two square roots of unity. a2 r ) modulo N . So if the 17 . then it has at least four square roots of unity. then it does not satisfy Fermat’s little theorem. then output “composite” If the element before the ﬁrst 1 in the sequence is not −1. using an approach similar to one we’ve seen before: MillerRabin(a. we choose b to be any non-quadratic-residue modulo p1 . . if N is prime. The Miller-Rabin test cleverly tests both conditions (Fermat’s little theorem and square roots of unity) at once. . . then output “composite” Otherwise. . a Thus for this choice of a we have N = −1 ≡ a(N −1)/2 (mod N ). so Fermat’s little theorem is not satisﬁed. namely the following: Observation. Recall from our earlier discussion of square roots of unity that the number preceeding s the ﬁrst 1 in the sequence (−1. • If N is a composite and not a Carmichael number (possibly a prime power). there is some a for which aN −1 ≡ 1 (mod N ). a2r .. so we have the following observations: • If N is prime. ar . then we have 1 ≡ a2 r = aN −1 (mod N ).3 Miller-Rabin The Miller-Rabin primality test is motivated by Fermat’s little theorem: aN −1 ≡ 1 (mod N ) for all a. it is true that N is a composite number. Unfortunately. a2 r ) is a square root of unity other than 1. a8r . . A prime power cannot be a Carmichael number. the smallest of which is 561. By demonstrating an element a ∈ Z∗ \ X. Numbers with this property are called Carmichael numbers. output “prime” Whenever this test outputs “composite”. However. Fermat’s little theorem can’t be used directly as a basis for a primality test. Then using the identies for Jacobi symbols.

N must be composite. 18 . it is possible to show using a similar argument as in the previous section that at least half of the values of a will satisfy a(N −1) ≡ 1 (mod N ). Finally. As with the Solovay-Strassen algorithm. then N has a square root of unity other than ±1. we already know that the fourth line considers a uniformly random square root of unity.” In the case that N is not a prime power. then at least half of the values a ∈ Z∗ will N cause the test to output “composite. it sufﬁces to show that if N is composite. In both cases. In the case where N is a prime power.Spring 2012 Cryptography: RSA Mike Rosulek algorithm outputs “composite” in the fourth line. we may repeat the test n times on an independently random choice of a to lower the total probability of a false positive to 1/2n . and thus this test alone has probability at least half of encountering a non-trivial square root of unity (with even higher probability the more prime factors N has).

Spring 2012 Cryptography: RSA Mike Rosulek 6 Problems 1. when N is the product of two distinct primes. then g gcd(a. 7. BTW. 3. where φ ≈ 1. then ﬁnd a non-trivial square root of unity. A more involved calculation that incorporates the cost of each division (modulus) operation shows the worst-case overall efﬁciency of the algorithm to be O(log2 N ) — quadratic in the number of bits needed to write the input. That is. 7 19 . then the outcome of the game is YES . F.b) ≡ 1 (mod n). Fk−1 ) is the smallest-size input on which Euclid’s algorithm makes k recursive calls. s. Explain why there is no solution. The Chinese Remainder Theorem states that there is always a solution for x in the following system of equations. all you are given is N and φ(N ). is the golden ratio. Show that if (KeyGen. using the indexing convention F0 = 1. b). . which is linear in the number of bits needed to write such an input. In other words.b) . Since its input is a pair of numbers (a. (a) Show a reduction from the problem of computing φ(N ) to the problem of factoring N . 4. (c) A outputs a string x. you can reduce exponents modulo φ(n).7 5. you can’t say “ﬁrst compute d. Consider the following “multi-message” TDF inversion game: (a) The challenger generates (pk. it is possible to factor N easily. let’s call a + b the size of the input. then it no adversary succeeds with more than negligible probability in the multi-message game above. xi ) to A.618 . . Note that the size of input (Fk . F1 = 2. with gcd(r. Fk−1 ) is Fk+1 . r. then factor N ” because the ﬁrst step (computing d) is only relevant when a corresponding encryption exponent e is known. Thus. Fk+1 ). Hint: Use induction on k. when gcd(r. when working modulo n. v. show that given N and φ(N ). Prove that gcd(2a . Prove that (Fk . 2b ) = 2gcd(a. Prove that xa % n = xa%φ(n) % n. Euclid’s algorithm will make less than k ≤ logφ N recursive calls. xi ) for any xi chosen in step (b). for any inputs of size N ∈ [Fk . and recall that Fk+1 ≈ φk+1 . otherwise the outcome is NO . (b) As many times as A wants: the challenger chooses a string xi uniformly from {0. the worst-case number of recursive calls made by Euclid’s algorithm on an input of size N is O(log N ). (d) If F (pk. Prove that if g a ≡ 1 (mod n) and g b ≡ 1 (mod n). s) = 1 for which the equations have no solution. Let Fk denote the kth Fibonacci number. s) = 1: x ≡ u (mod r) x≡v (mod s) Give an example u. In this problem we determine the efﬁciency of Euclid’s GCD algorithm. In this problem. 2. In other words. 6. F −1 ) is a TDF. 1}n and gives F (pk. Hint: write down the coefﬁcients of the quadratic equation whose two roots are p and q. x) = F (pk. sk) ← KeyGen and gives pk to A.

etc. B with “02”. Bob computes m = c/k. In 1937. double-check your factorization! N = 133140272889335192922108409260662174476303831652383671688547009484 253235940586917140482669182256368285260992829447207980183170174867 620358952230969986447559330583492429636627298640338596531894556546 013113154346823212271748927859647994534586133553218022983848108421 465442089919090610542344768294481725103757222421917115971063026806 587141287587037265150653669094323116686574536558866591647361053311 046516013069669036866734126558017744393751161611219195769578488559 882902397248309033911661475005854696820021069072502248533328754832 698616238405221381252145137439919090800085955274389382721844956661 1138745095472005761807 phi = 133140272889335192922108409260662174476303831652383671688547009484 253235940586917140482669182256368285260992829447207980183170174867 620358952230969986447559330583492429636627298640338596531894556546 013113154346823212271748927859647994534586133553218022983848108421 465442089919090610542344768294481725103757214932292046538867218497 635256772227370109066785312096589779622355495419006049974567895189 687318110498058692315630856693672069320529062399681563590382015177 322909744749330702607931428154183726552004527201956226396835500346 779062494259638983191178915027835134527751607017859064511731520440 2981816860178885028680 8. perhaps by adding sufﬁcient 0s and then using the nextprime function in PARI. For instance. Alice encodes m as a large prime number m in the following way: (a) Replace A with “01”. 20 . (d) Call the resulting encoding m. Note: take care that there are no precision issues in how you solve the quadratic equation. based on the difﬁculty of factoring:8 • Beforehand. 8 He may have been the ﬁrst to recognize that number theory and intractibility could be used for practical purposes. then m could be 2209032015182513 Then Alice computes the integer c = m · k. For instance. 2209032015182513 is prime. Alice and Bob agree on a secret key k. 22090320151825 . Alan Turing proposed the following cipher. The ciphertext is c. the message VICTORY would become 22090320151825: V I C T O R Y 22 09 03 20 15 18 25 (c) Append several digits to the resulting number so that the result is prime. which is guaranteed to be a (prime) integer. So if m = VICTORY. Use it to factor the following 2048-bit RSA modulus. • To decrypt c. which is a large prime. We assume this can be done efﬁciently.Spring 2012 Cryptography: RSA Mike Rosulek (b) Write a pari function that takes as input an RSA modulus N and φ(N ) and factors N . • To encrypt an English plaintext m. and then decodes m into the corresponding English message m. (b) Append all these numbers together.

Show that N can be efﬁciently factored if such a pair x and y are known. Show that the set {a ∈ Z∗ | aN −1 ≡ 1 (mod N )} is a subgroup of Z∗ . Use it to compute the four square roots of unity modulo N = 1052954986442271985875778192663 × 611174539744122090068393470777 10. 13. Suppose N is an RSA modulus. N N 16. Hint: use the Chinese Remainder Theorem. 11. where n is the number of bits in the given number. 9. 12. Use your function to factor the following 2048-bit RSA modulus. 17. (a) Show that if p and q are known distinct primes. The probability of a false positive should be at most 1/2n . Note: pari function valuation(n. the SqrtUnity subroutine outputs a square root of unity N chosen uniformly at random from the 4 possible square roots of unity. 15. then the eavesdropper can easily recover the secret key. conditioned on w ∈ Z∗ . why is squaring modulo N a 4-to-1 function. and x2 ≡ y 2 (mod N ).s function preserves quadratic residuosity (when r and s are relatively prime). Hint: CRT! (b) Implement a pari function that takes distinct primes p and q as input and returns the four square roots of unity modulo pq.Spring 2012 Cryptography: RSA Mike Rosulek Show that if Alice encrypts and sends two messages to Bob. Implement a pari function that efﬁciently factors an RSA modulus N . then it is possible to efﬁciently compute all four square roots of unity modulo pq. N = 157713892705550064909750632475691896977526767652833932128735618711 213662561319634033137058267272367265499003291937716454788882499492 311117065951077245304317542978715216577264400048278064574204140564 709253009840166821302184014310192765595015483588878761062406993721 851190041888790873152584082212461847511180066690936944585390792304 663763886417861546718283897613617078370412411019301687497005038294 389148932398661048471814117247898148030982257697888167001010511378 647288478239379740416388270380035364271593609513220655573614212415 962670795230819103845127007912428958291134064942068225836213242131 15022256956985205924967 e = 327598866483920224268285375349315001772252982661926675504591773242 501030864502336359508677092544631083799700755236766113095163469666 21 . e. The eavesdropper need not know the two messages sent. for every N . Note: pari implements the Jacobi symbol under the name kronecker – the Kronecker symbol generalizes the Jacobi symbol. Show that. Implement the Solovay-Strassen test in pari. given only N . and d. but raising to the eth power modulo N is 1-to-1? 14. if x is a quadratic residue modulo rs then x % r is a quadratic residue modulo r and x % s is a quadratic residue modulo s. and x ≡ ±y (mod N ). When N is an RSA modulus. That is. Prove that the CRTr. Explain why the RSA encryption exponent e must always be an odd number.p) returns the largest number d such that pd | n.

no matter what m is. In this problem we’ll see that it’s bad to choose RSA prime factors p and q too close together. N = 514202868664266501986736340226343880193216864011643244558701956114 553317880043289827487456460284103951463512024249329243228109624011 915392411888724026403127686707255825056081890692595715828380690811 131686383180282330775572385822102181209569411961125753242467971879 131305986986525600110340790595987975345573842266766492356686762134 22 . Also. Bob can factor N if he learns m. Hint: Bob knows m and m ˆ ˆ satisfying the following: m ≡ m (mod p) ˆ m ≡ m (mod q) ˆ 19. The rest of the computation happens correctly. √ (a) Let s = (p − q)/2 and t = (p + q)/2. Then t is an integer greater than N√ such that 2 − N is a perfect square. Use it to factor the following 2048-bit number (whose two prime factors are guaranteed to be close enough for the factoring approach to work in a reasonable amount of time. so that she computes a wrong value for mq . (b) Implement a pari function that factors RSA moduli using this approach. it is possible to ﬁnd t and s. and no matter what ˆ Alice’s computational error was. Describe the details of this attack and how it works. t is not much larger than t N . then uses the CRT to solve for m in ZN . and hence p and q. be sure to do exact square roots over the integers. When p and q are close. Alice ﬁrst computes mp ≡ cd (mod p) and mq ≡ cd (mod q). just as expected. What qualiﬁes as “close √ prime factors” in this problem? How close was t to N ? Hint: pari has an issquare function. Bob chooses an RSA plaintext m ∈ ZN and encrypts it under Alice’s public key as c ≡ me (mod N ). so by testing successive integers. But suppose Alice is using faulty hardware. and Alice computes the (wrong) result m. To decrypt. Show that. not the reals.Spring 2012 Cryptography: RSA Mike Rosulek 905258066495934057774395712118774014408282455244138409433389314036 198045263991986560198273156037233588691392913730537367184867549274 682884119866630822924707702796323546327425328705958528315517584489 590815901470874024949798420173098581333151755836650797037848765578 433873141626191257009250151327378074817106208930064676608134109788 601067077103742326030259629322458620311949453584045538305945217564 027461013225009980998673160144967719374426764116721861138496780008 6366258360757218165973 d = 138476999734263775498100443567132759182144573474474014195021091272 755207803162019484487127866675422608401990888942659393419384528257 462434633738686176601555755842189986431725335031620097854962295968 391161090826380458969236418585963384717406704714837349503808786086 701573765714825783042297344050528898259745757741233099297952332012 749897281090378398001337057869189488734951853748327631883502135139 523664990296334020327713900408683264232664645438899178442633342438 198329983121207315436447041915897544445402505558420138506655106015 215450140256129977382476062366519087386576874886938585789874186326 69265500594424847344765 18. but far enough apart that you can’t do the trial-and-error part by hand).

Spring 2012 Cryptography: RSA Mike Rosulek 653833064511337433089249621257629107825681429573934949101301135200 918606211394413498735486599678541369375887840013842439026159037108 043724221865116794034194812236381299786395457277559879575752254116 612726596118528071785474551058540599198869986780286733916614335663 3723003246569630373323 20. If you were allowed to choose c = c. then m = m. I tell you m . and it would be trivially easy to correctly guess m. (b) You choose a value c = c. Clearly state how you choose c and how you compute your guess for m. I encrypt it under my public key to obtain c. I tell you c. Note: It is important that c = c in step (b). Describe a strategy by which you can always correctly guess m in this game. (c) I decrypt c under my RSA private key to obtain m . I have published my RSA public key (N. 23 . e) and agree to play the following game with you: (a) I (secretly) choose a plaintext m uniformly from ZN . (d) You try to guess m.

Sign up to vote on this title

UsefulNot useful- rsa
- Encryption Ppt
- rsa
- VLSI Implementation of RSA Encryption System Using Ancient
- RSA Encryption in Java
- rsa algorithm
- rsa_examples
- rsa1
- RSA Algorithm for Encryption and Digital Signatures
- Module Public Key Encryption RSA
- encryption
- IKV_2_main
- Crypto Lecture 10
- 13150 Unit 18
- Lecture 11
- 9789814401166_0006
- ALG4.0
- making of encrypted algorithms
- factorizacion-algnotes
- ALG4.0
- Lecture 11
- Factoring
- rsa
- Miller Rabin
- RSAmath
- ALG4.0
- A Numerical Function in Congruence Theory
- RSA Cryptography
- NumberTheory(I)
- primroot2
- rsa