factoring by factoringchristensen/factoring by factoring.pdfan rsa example: creation of parameters...
TRANSCRIPT
Factoring by Factoring
David Fu
National Information Assurance Research LaboratoryNational Security Agency
Fort Meade, MD
18 September 2006Pi Mu Epsilon Initiation DinnerNorthern Kentucky University
Outline
Introduction
MotivationRSABack of the envelope, part I
Beating square rootTheme and variations on an old trickSmooth and luckyBack of the envelope, part II
A note before we begin
Everything I’m presenting is in the public domain. See, forexample, Neal Koblitz’s Algebraic Aspects of Cryptography,and/or Henri Cohen’s A Course in Computational AlgebraicNumber Theory.
Mathematician? Computer Scientist? Engineer?What is this guy?
hack 1
1.a A horse let out for common hire; also a horse used for allkinds of work.3. One who hires himself out for any sort of work, especiallyliterary work; a drudge.
1From Webster’s New International Dictionary, Second Edition,Unabridged
The Problem
GivenN = pq where p and q are distinct primes of about the samesize,
determinethe values of p and q. 2
2up to renaming...
The Solutionaccording to a mathematician
This is trivial, since p is finite: try everything up to d√
Ne.
The End.
Why the talk is not really over
I Why do people care about this problem?I Why is the trivial solution not good enough?I What is a better solution?
Why does anyone care?RSA
I RSA is a so–called “public–key cryptosystem”. It is namedafter Rivest, Shamir, and Adleman, who discovered it in1977 at MIT.
I It was also discovered by Clifford Cocks in 1973 at GCHQ.I It is ubiquitous in today’s communications.
What is a public–key cryptosystem?
It is a scheme which allows two parties to exchange informationprivately over a public channel, without having a predeterminedshared common secret.
An RSA example
CaveatVarious details will be glossed over and/or swept under the rug.
Alice and BobAlice and Bob want to communicate privately over a publicchannel. Suppose Bob wants to send a message to Alice. Hesends her a public note indicating that he wants to send her aprivate message.
An RSA example: creation of parameters
Alice:I creates her modulus N = pq where p and q are distinct
secret primes of about the same size;
I chooses a secret decrypt exponent , 1 < d < N; 3
I computes the public encrypt exponent
e = d−1 (mod Φ(N)); 4
Alice can do this quickly precisely because she knows pand q;
I sends N and e to Bob over the public channel.
3(d , N) = 14Φ(N) is what? Also can choose e first...
An RSA example: creation of parameters
Alice:I creates her modulus N = pq where p and q are distinct
secret primes of about the same size;I chooses a secret decrypt exponent , 1 < d < N; 3
I computes the public encrypt exponent
e = d−1 (mod Φ(N)); 4
Alice can do this quickly precisely because she knows pand q;
I sends N and e to Bob over the public channel.
3(d , N) = 14Φ(N) is what? Also can choose e first...
An RSA example: creation of parameters
Alice:I creates her modulus N = pq where p and q are distinct
secret primes of about the same size;I chooses a secret decrypt exponent , 1 < d < N; 3
I computes the public encrypt exponent
e = d−1 (mod Φ(N)); 4
Alice can do this quickly precisely because she knows pand q;
I sends N and e to Bob over the public channel.
3(d , N) = 14Φ(N) is what? Also can choose e first...
An RSA example: creation of parameters
Alice:I creates her modulus N = pq where p and q are distinct
secret primes of about the same size;I chooses a secret decrypt exponent , 1 < d < N; 3
I computes the public encrypt exponent
e = d−1 (mod Φ(N)); 4
Alice can do this quickly precisely because she knows pand q;
I sends N and e to Bob over the public channel.
3(d , N) = 14Φ(N) is what? Also can choose e first...
An RSA example: creation of parameters
Alice:I creates her modulus N = pq where p and q are distinct
secret primes of about the same size;I chooses a secret decrypt exponent , 1 < d < N; 3
I computes the public encrypt exponent
e = d−1 (mod Φ(N)); 4
Alice can do this quickly precisely because she knows pand q;
I sends N and e to Bob over the public channel.
3(d , N) = 14Φ(N) is what? Also can choose e first...
An RSA example: encryption
Bob:I receives modulus N and encrypt exponent e from Alice; 5
I takes his message, m, writes it as an integer modulo N, 6
and computes the encrypted message C = me (mod N);I sends C to Alice.
5Oh, really?6See preceding footnote.
An RSA example: encryption
Bob:I receives modulus N and encrypt exponent e from Alice; 5
I takes his message, m, writes it as an integer modulo N, 6
and computes the encrypted message C = me (mod N);
I sends C to Alice.
5Oh, really?6See preceding footnote.
An RSA example: encryption
Bob:I receives modulus N and encrypt exponent e from Alice; 5
I takes his message, m, writes it as an integer modulo N, 6
and computes the encrypted message C = me (mod N);I sends C to Alice.
5Oh, really?6See preceding footnote.
An RSA example: decryption
Alice:I receives the encrypted message C from Bob;
I recovers the message m by computing
Cd (mod N) = (me)d (mod N)
= mde (mod N)
= m1+kΦ(N) (mod N)
= m.
Recall e = d−1 (mod Φ(N)), and that Bob’s message wasan integer modulo N.
An RSA example: decryption
Alice:I receives the encrypted message C from Bob;I recovers the message m by computing
Cd (mod N) = (me)d (mod N)
= mde (mod N)
= m1+kΦ(N) (mod N)
= m.
Recall e = d−1 (mod Φ(N)), and that Bob’s message wasan integer modulo N.
Why is the trivial solution useless?
The security of RSA rests on the difficulty of computing aninverse modulo Φ(N) when the factors of N are not known.
Thus, for RSA to be secure, N must be chosen large enough toensure that the trivial solution, (which takes work proportionalto√
N), is computationally infeasible.
For example
Consider a case where log2 N = 256. Then√
N is proportionalto 2128. Assuming 230 operations per second 7, 2128 operationsrequires roughly 1022 years.
According to wikipedia, some astrophysicists claim that the ageof the known universe (according to the big bang theory), isabout 109 years.
71GHz = 109Hz ≈ 230Hz, 1Hz/operation is very generous
For example
Consider a case where log2 N = 256. Then√
N is proportionalto 2128. Assuming 230 operations per second 7, 2128 operationsrequires roughly 1022 years.
According to wikipedia, some astrophysicists claim that the ageof the known universe (according to the big bang theory), isabout 109 years.
71GHz = 109Hz ≈ 230Hz, 1Hz/operation is very generous
The story so farIn case you were sleeping and have just woken up...
I Factoring N = pq is of paramount importance in modernday public key cryptography.
I Exhausting all possibilities for p is not feasible.
Fermat
Suppose that we have integers x , y with x 6= ±y (mod N) suchthat
x2 = y2 (mod N).
Then(x − y)(x + y) = 0 (mod N)
and thus(x − y)(x + y) = kpq ∃k 6= 0.
So both p and q divide the left hand side. Thus, there is a goodchance 8 that p or q can be recovered as (x ± y , N). 9
850–50 is good.9For instance, if p divides x − y , and q does not, then (x − y , N) = p, etc.
Fermat
Suppose that we have integers x , y with x 6= ±y (mod N) suchthat
x2 = y2 (mod N).
Then(x − y)(x + y) = 0 (mod N)
and thus(x − y)(x + y) = kpq ∃k 6= 0.
So both p and q divide the left hand side. Thus, there is a goodchance 8 that p or q can be recovered as (x ± y , N). 9
850–50 is good.9For instance, if p divides x − y , and q does not, then (x − y , N) = p, etc.
Fermat
Suppose that we have integers x , y with x 6= ±y (mod N) suchthat
x2 = y2 (mod N).
Then(x − y)(x + y) = 0 (mod N)
and thus(x − y)(x + y) = kpq ∃k 6= 0.
So both p and q divide the left hand side. Thus, there is a goodchance 8 that p or q can be recovered as (x ± y , N). 9
850–50 is good.9For instance, if p divides x − y , and q does not, then (x − y , N) = p, etc.
Fermat
Suppose that we have integers x , y with x 6= ±y (mod N) suchthat
x2 = y2 (mod N).
Then(x − y)(x + y) = 0 (mod N)
and thus(x − y)(x + y) = kpq ∃k 6= 0.
So both p and q divide the left hand side. Thus, there is a goodchance 8 that p or q can be recovered as (x ± y , N). 9
850–50 is good.9For instance, if p divides x − y , and q does not, then (x − y , N) = p, etc.
So all we have to do...
... is to find integers x , y with x 6= ±y (mod N) such that
x2 = y2 (mod N).
It’s ok if we have to do this a few times.
An idea that doesn’t work
Compute a random number modulo N, square it, and see if theresidue modulo N is also a square. If so, then SUCCESS, else,TRY AGAIN.
This takes work proportional to√
N.
An idea that doesn’t work
Compute a random number modulo N, square it, and see if theresidue modulo N is also a square. If so, then SUCCESS, else,TRY AGAIN.
This takes work proportional to√
N.
Asking for less
Suppose we had numbers x1, x2 such that
x21 = r2
1 s (mod N)
x22 = r2
2 s (mod N)
i.e., the square–free parts of the residues of the squares of x1
and x2 modulo N are the same. Then multiplying the equationsgives us a solution:
(x1x2)2 = (r1r2s)2 (mod N)
This is still too much to ask for.
Asking for even less
Suppose we had numbers x1, x2, x3 such that
x21 = r2
1 s1s2 (mod N)
x22 = r2
2 s2s3 (mod N)
x23 = r2
3 s1s3 (mod N)
Then multiplying the equations gives us a solution:
(x1x2x3)2 = (r1r2r3s1s2s3)
2 (mod N)
Again, we don’t expect this to happen, but let us ponder this fora bit.
Looking at exponents
x21 = r2
1 s11s1
2s03 (mod N)
x22 = r2
2 s01s1
2s13 (mod N)
x23 = r2
3 s11s0
2s13 (mod N)
(x1x2x3)2 = (r1r2r3s1s2s3)
2 (mod N)
Let
v1 = (1, 1, 0) (mod 2)
v2 = (0, 1, 1) (mod 2)
v3 = (1, 0, 1) (mod 2)
Thenv1 + v2 + v3 = (0, 0, 0) (mod 2)
Linear algebra modulo 2
v1 = (1, 1, 0) (mod 2)
v2 = (0, 1, 1) (mod 2)
v3 = (1, 0, 1) (mod 2)
v1 + v2 + v3 = (0, 0, 0) (mod 2)
The exponent vectors of the factors of the non–square parts ofthe residues are linearly dependent (over the field of twoelements).
Another idea 10
I Compute a random number x modulo N, square it, andfactor the residue into a square part and a square–freepart. This will give us a binary vector v .
I Repeat, collecting vectors until you have a lineardependency (modulo 2):∑
i<∞vi = 0
I Then
x2 =
(∏i<∞
xi
)2
will have a residue modulo N which is also a square.
10that also doesn’t work
Objections!
Factoring random residues modulo N could well be as hard asfactoring N.
We have no reasonable grasp of the linear algebra problem.What are its dimensions?
Smooth
Let B be the set of the first t primes:
B = {π1 = 2, π2 = 3, π3 = 5, . . . , πt}
where πt << N. We often refer to B as a factor base .
We will say that a number is B–smooth (or often just smooth ),if all of its factors are in B.
It is relatively cheap to test whether a number is smooth. Trialdivision is ok.
Yet another idea 11
I Compute a random number x modulo N, square it, andtest its residue modulo N for smoothness. When it issmooth we obtain a t–dimensional binary vector v .
I Repeat until you have collected t + 1 vectors.I Do linear algebra (modulo 2) to find a dependency.
t∑i=1
δivi = 0 δi ∈ {0, 1}
I Then x2 =(∏t
i=1 xδii
)2will have a residue modulo N which
is also a square.
This is referred to as Dixon’s factorization method.
11which actually works
What are the odds?The sixty–four dollar question
The success or failure of Dixon’s factorization method hingeson the answer to the following question.
How often is a random number modulo NB–smooth?
What are the odds?The sixty–four dollar question
The success or failure of Dixon’s factorization method hingeson the answer to the following question.
How often is a random number modulo NB–smooth?
Often enough
Paraphrase of the theorem of Cantor, Erdos, Pomerance: Thechances of smoothness are rougly(
log Nlog πt
)− log Nlog πt
This turns out to be pretty good.
How good is pretty good?
It turns out that Dixon’s random squares takes workproportional to L(1
2 , N), i.e.,
L(
12, N)
= e√
log N log log N
This is “subexponential” work. 12 It is a big win.
12Constants are being ignored, hands are being waved, etc.
For example
Again consider a case where log2 N = 256. Work proportionalto L(1
2 , N) is roughly 245. Assuming 230 operations per second,245 operations requires roughly 7.5 hours.
According to wikipedia, such an N “can be factored in a fewhours on a personal computer, using software already freelyavailable.”
For example
Again consider a case where log2 N = 256. Work proportionalto L(1
2 , N) is roughly 245. Assuming 230 operations per second,245 operations requires roughly 7.5 hours.
According to wikipedia, such an N “can be factored in a fewhours on a personal computer, using software already freelyavailable.”
Other methods
There are other, more sophisticated subexponential factoringalgorithms, but the basic idea is the same:
I Choose a factor base.I Search for relations w.r.t. the factor base.I Do linear algebra to obtain an equation of the form
x2 = y2 (mod N)
The flip side
If you want to use RSA, a 256–bit modulus is probably notenough. Most modern implementations use a 1024 or even a2048–bit modulus.
The End.