computing the rsa secret key is deterministic …pmol/talks/rsa_dpt_factoring.pdf · computing the...

Computing the RSA secret Key is DeterministicPolynomial Time equivalent to Factoring

Alexander May

Faculty of Computer Science, Electrical Engineering and Mathematics

Crypto 2004

Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 1 / 14

Outline

1 IntroductionQuick OverviewA more detailed descriptionRelated topics and previous Results

2 Main ResultsGoal and assumptionsProof OverviewMain theoremsRemarks

Introduction Quick Overview

Main Result of the paper

The knowledge of the RSA public key secret key pair (e,d) ⇒Factorization of N=pq in Polynomial Time

Assumptions

1 e, d < φ(N)

2 p,q are of the same bit-size

Technique used

Coppersmith’s technique for finding small roots of bivariate integerpolynomials

Assumptions

1 e, d < φ(N)

Technique used

Assumptions

1 e, d < φ(N)

Technique used

Introduction A more detailed description

Common technique in public key Cryptography is to establish PolynomialTime equivalence between:

• The problem of computing the secret key from the public information

• a well-known hard problem p (believed to be computationallyinfeasible)

This establishes the security of the secret key (given that p iscomputationally infeasible)However IT DOES NOT provide security for the public key system itself.

Introduction Related topics and previous Results

Related Topics

• Primality:Proven to be in P [AKS 2002]

• Factoring:RSA’s security is based on the hardness of factoriztion:• It is yet unknown if factorization is equivalent to RSA cryptanalysis• Cryptanalysis of RSA is at least as easy as factoring.

Previous Results

• Existence of probabilistic polynomial time equivalence betweenfactoring N and finding d.

• Factors of N can be obtained from d under the Extended RiemannHypothesis (Miller , 1975)

Main Results Goal and assumptions

Knowledge of (e,d) ⇔ knowledge of factors p,q of N.

⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:

(a) p,q have the same bitsize

(b) e · d ≤ N2

Remarks on the assumptions

(a) This is usually the case

(b) Usually 1 < e, d < φ(N)

Conclusion: The assumptions are not so restrictive

Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial

⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:

(b) e · d ≤ N2

Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:

(b) e · d ≤ N2

Main Results Proof Overview

Basic technique

Coppersmith’s method for finding small roots of bivariate integerpolynomialsPrevious application:factorization of N when half of the msb of p aregiven.

• Proof for the special case where ed ≤ N3/2.

• Generalization of the proof for the case where ed ≤ N2

• Experimental Results and conclusion

Basic technique

Main Results Main theorems

ed ≤ N3/2

Wlog assume that p < q. Then p < N1/2 < q < 2p < 2N1/2(1) which

gives p + q < 3N1/2 ≤ N2 (2) (for N ≥ 36) Thus,

φ(N) = N + 1− (p + q) > N2 (3)

Theorem

Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and

ed ≤ N32

Then N can be factored in time polynomial to its bitsize.

Proof.

• dke:ceiling of k.

• Z∗φ(N): Ring of the invertible integers modφ(N).

ed ≤ N3/2

φ(N) = N + 1− (p + q) > N2 (3)

Theorem

ed ≤ N32

Proof.

ed ≤ N3/2

φ(N) = N + 1− (p + q) > N2 (3)

Theorem

ed ≤ N32

Proof.

proof (continued)

ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N.k̄ = ed−1

N . Then k ≥ dk̄eIn addition k − k̄ = ... = (p+q−1)(ed−1)

φ(N)N

(2) and (3) give k − k̄ < 6N−3/2(ed − 1) (4) which givesby hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6Thus we only have to try dk̄e+ i for i=0,...,5 to find the right k.

Complexity

The complexity of the algorithm is O(log2N).

proof (continued)

ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N.k̄ = ed−1

N . Then k ≥ dk̄eIn addition k − k̄ = ... = (p+q−1)(ed−1)

φ(N)N

(2) and (3) give k − k̄ < 6N−3/2(ed − 1) (4) which givesby hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6Thus we only have to try dk̄e+ i for i=0,...,5 to find the right k.

Complexity

The complexity of the algorithm is O(log2N).

ed ≤ N2

Theorem (Coppersmith)

Let f(x,y) be an irreducible polynomial in two variables over Z, ofmaximuum degree δ in each variable seperately. Let X,Y be bounds on thedesired solutions (x0, y0).Let W be the absolute value of the largest entry

in the coefficient vector of f(xX,yY). If XY ≤ W23δ Then in time

polynomial in logW and 2δ we can find all integer pairs (x0, y0) withf (x0, y0) = 0, |x0| ≤ X and |y0| ≤ Y .

Theorem

Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) anded ≤ N2

Then N can be factored in time polynomial in the bitsize of N.

ed ≤ N2

Theorem (Coppersmith)

Let f(x,y) be an irreducible polynomial in two variables over Z, ofmaximuum degree δ in each variable seperately. Let X,Y be bounds on thedesired solutions (x0, y0).Let W be the absolute value of the largest entry

in the coefficient vector of f(xX,yY). If XY ≤ W23δ Then in time

polynomial in logW and 2δ we can find all integer pairs (x0, y0) withf (x0, y0) = 0, |x0| ≤ X and |y0| ≤ Y .

Theorem

Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) anded ≤ N2

Then N can be factored in time polynomial in the bitsize of N.

Proof.

Again ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 (5) for some k ∈ N.Let k̄ = ed−1

N be an underestimation of k. Using (4) we obtain

k − k̄ < 6N−3/2(ed − 1) < 6N1/2

Let us denote x = k − dk̄e (dk̄e:approximation of k, x: additive error) In

addition N − φ(N) = p + q − 1 < 3N1/2

Thus φ(N) lies in the interval [N − 3N1/2,N].We divide the interval [N − 3N1/2,N] into 6 subintervals of length 1

with centers N − 2i−14 N1/2, i = 1, ..., 6 For the correct i we have

|N − 2i−14 N1/2 − φ(N)| ≤ 1

Let g = d2i−14 N1/2e for the right i. Then

|N − g − φ(N)| < 14N1/2 + 1 ⇒ φ(N) = N − g − y for some unknown y

with |y | ≤ 14N1/2

Proof (continued)

(5) yields ed − 1− (dk̄e+ x)(N − g − y) = 0We define the bivariate integer polynomial :f (x , y) = xy − (N − g)x + dk̄ey − dk̄e(N − g) + ed − 1with a known root (x0, y0) = (k − dk̄e, p + q + 1− g) over the integers.

We now apply Coppersmith’s theorem. We defineX = 6N1/2 andY = 1

4N1/2 + 1 Then |x0| ≤ X and |y0| ≤ Y .

Let W denote the linf norm of the coefficient vector of f(xX,yY). ThenW ≥ (N − g)X > 3N3/2

Thus XY = ... < W 2/3 = W23δ (for N > 144

(2·91/3−3)2)

By Coppersmith’s theorem we can find the root (x0, y0) in timepolynomialin the bitsize of of W.Finally the solution y0 = p + q − 1− g yields the factorization of N.

Main Results Remarks

Remarks

1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2

2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2

(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)

(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.

Conclusion:Assumption (a) is not restrictive at all.

Remarks

From the cryptography point of view ...

Theorem

Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Furthermore let e ∈ Z∗

φ(N) be an RSA public exponent.

Suppose we have an algorithm that on input (N,e) outputs in deterministicpolynomial time the RSA secret exponent d ∈ Z∗

φ(N) satisfying

ed = 1(modφ(N))Then N can be factored in deterministic polynomial time.

From the cryptography point of view ...

Theorem

Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Furthermore let e ∈ Z∗

φ(N) be an RSA public exponent.

Suppose we have an algorithm that on input (N,e) outputs in deterministicpolynomial time the RSA secret exponent d ∈ Z∗

φ(N) satisfying

ed = 1(modφ(N))Then N can be factored in deterministic polynomial time.

computing the rsa secret key is deterministic …pmol/talks/rsa_dpt_factoring.pdf · computing the...

Documents