Attacks on public key systems - PowerPoint PPT Presentation

Slides: 37
Provided by: xuka
1
Attacks on public key systems
  • Security relies on the intractability of some
    computational problems.
  • Polynomial-time reduction: A ≤_p B
  • There exists a polynomial-time algorithm that converts
    (instances of) A to B.
  • So A is no harder than B.
  • Computational equivalence:
  • A ≡_p B if A ≤_p B and B ≤_p A
  • Some computational problems of cryptographic
    relevance (see Table 3.1, page 88 in HAC)

2
Integer factorization problem
  • Integer factorization problem:
  • given n, find its prime factors.
  • Primality testing vs. factoring:
  • easier than factoring, so assume n is composite.
  • Splitting vs. factoring:
  • find non-trivial factors n = ab,
  • test a and b for primality,
  • continue to split a and b.
  • So it suffices to find any factor of n.
  • Testing for perfect powers n = a^k:
  • O((lg n)^3 lg lg lg n)
  • Assume n is the product of at least two distinct
    primes.

3
Finding a factor of n
  • Special-purpose factoring algorithms:
  • complexity depends on special properties of the
    factors of n.
  • Examples: trial division, Pollard's rho
    algorithm, Pollard's p-1 algorithm, the elliptic
    curve algorithm and the special number field sieve.
  • General-purpose factoring algorithms:
  • complexity depends solely on the size of n.
  • Examples: quadratic sieve, general number field
    sieve.

4
General strategy of factoring
  • Apply trial division by small primes ≤ b1.
  • Apply Pollard's rho algorithm, hoping to find any
    small factors ≤ b2 (b2 > b1).
  • Apply the elliptic curve algorithm, hoping to
    find any small factors ≤ b3 (b3 > b2).
  • Apply a more powerful general-purpose algorithm.

5
Trial division
  • By 2, 3, 5, 7, ..., up to √n.
  • Try 2, 3, 4, ..., m, where m is some small number;
    how small is determined by n.
  • Fact: let n be chosen uniformly at random from
    [1, x].
  • If 1/2 ≤ α ≤ 1, the prob. that the largest prime
    factor of n is ≤ x^α is approximately 1 + ln α. Thus
    the prob. that n has a prime factor > √x is ln 2
    ≈ 0.69.
  • The prob. that the second largest prime factor of
    n is ≤ x^0.2117 is about 1/2.
  • The expected total number of prime factors of n
    is ln ln x + O(1).
  • Result: finding a small factor is quick, but the
    second largest prime factor takes a long time.

6
Pollard p-1 algorithm
  • Select a random B
  • a ← 2
  • (Or any a ∈ [2, n-1]; compute d = gcd(a, n); if d > 1,
    return (d))
  • for j ← 2 to B (or the primes ≤ B)
  • do a ← a^j mod n
  • d ← gcd(a-1, n)
  • if 1 < d < n
  • then return (d)
  • else return (failure)

7
Principle behind p-1 algorithm
  • Suppose p is a prime factor of n.
  • Suppose that q ≤ B for every prime power q | (p-1);
    then (p-1) | B!
  • a ≡ 2^{B!} mod n; since p | n, a ≡ 2^{B!} mod p
  • We know that 2^{p-1} ≡ 1 mod p
  • So a ≡ 2^{B!} mod p ≡ 2^{k(p-1)} mod p ≡ 1 mod p
  • So p | (a-1); since p | n, gcd(a-1, n) is a factor
    of n

8
p-1 algorithm example
  • n = 15770708441, select B = 180.
  • a = 2^{180!} mod n = 11620221425, so d = 135979
  • In fact 15770708441 = 135979 × 115979
  • and 135978 = 2 × 3 × 131 × 173
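The slide's steps in Python, run on the slide's own numbers (n = 15770708441, B = 180); this is an added example, not code from the slides. The second modulus, 4133053 = 2039 × 2027 with 2039 = 2·1019 + 1 and 2027 = 2·1013 + 1, is a constructed pair of safe primes showing why the method stalls when p − 1 is not B-smooth.

```python
from math import gcd

def pollard_p_minus_1(n, B):
    """Pollard's p-1 method exactly as on the slide: a <- a^j mod n for
    j = 2..B (so a = 2^(B!) mod n), then d = gcd(a - 1, n).
    Returns a non-trivial factor, or None on failure (d == 1 or d == n)."""
    a = 2
    d = gcd(a, n)
    if d > 1:                       # 2 itself already divides n
        return d
    for j in range(2, B + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

def is_b_smooth(m, B):
    """True when every prime factor of m is <= B: the hypothesis on p - 1
    that the method needs (why B = 180 succeeds on the slide's n)."""
    p = 2
    while p * p <= m:
        while m % p == 0:
            if p > B:
                return False
            m //= p
        p += 1
    return m <= B

if __name__ == "__main__":
    n, B = 15770708441, 180                        # the slide's example
    print(pollard_p_minus_1(n, B))                 # 135979
    print(is_b_smooth(135979 - 1, B), is_b_smooth(115979 - 1, B))   # True False
    # Constructed safe-prime modulus: neither p - 1 = 2*1019 nor q - 1 = 2*1013
    # is 180-smooth, so gcd(a - 1, n) == 1 and the method reports failure.
    print(pollard_p_minus_1(2039 * 2027, 180))     # None
```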

9
Definition and discussions
  • Let B be an integer; n is said to be B-smooth if
    all its prime factors are ≤ B.
  • The p-1 algorithm assumes p-1 is B-smooth.
  • Complexity:
  • O(B lg B (lg n)^2 + (lg n)^3).
  • Larger B, more successful.
  • RSA can easily beat p-1 factorization:
  • Let n = pq, where p and q are chosen as follows:
  • Select a large prime p1 such that p = 2p1 + 1 is also
    a prime
  • Select a large prime q1 such that q = 2q1 + 1 is also
    a prime

10
Pollard rho (?) algorithm
  • Let f: S → S be a random function, |S| = n.
  • Let x0 ∈ S and x_{i+1} = f(x_i).
  • Then x0, x1, x2, ... will cycle eventually.
  • Find x_i and x_j such that x_i = x_j.
  • Naive solution:
  • compute and store the above sequence,
  • make comparisons to find a collision.
  • O(√n) space and O(√n) time (assuming a hash
    table)

11
Pollard rho algorithm
  • Floyd's cycle-finding algorithm:
  • Begin from (x1, x2); compute (x_i, x_{2i}) from the
    previous (x_{i-1}, x_{2i-2}) repeatedly until x_m = x_{2m}
  • O(1) space and O(√n) time
  • Practical idea:
  • Suppose p is a prime factor of n.
  • Define x0 = 2 and x_{i+1} = f(x_i) = x_i^2 + 1 mod p.
  • Continue Floyd's cycle-finding algorithm until
    x_m ≡ x_{2m} mod p.
  • Since p is not known, compute d = gcd(x_m − x_{2m}, n)
    until d > 1.

12
Pollard's rho algorithm
  • Set a ← 2, b ← 2
  • For i = 1, 2, ... do the following:
  • Compute a ← a^2 + 1 mod n, b ← b^2 + 1 mod n, b ← b^2 + 1 mod
    n
  • Compute d = gcd(a-b, n)
  • If 1 < d < n then return d
  • If d = n then return (failure)

13
Pollard's rho algorithm -- complexity and example
  • Assuming f(x) = x^2 + 1 mod p behaves like a random
    function, finding a factor p of n takes O(√p),
    i.e., O(n^{1/4})
  • Example 3.10, page 91 of HAC
  • If Pollard's rho algorithm returns failure, try
    another function:
  • f(x) = ax^2 + c mod p
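Slides 11 to 13 in Python, as an added example that is not code from the slides: Floyd's a/b pairing with f(x) = x² + c, the gcd test each round, the "failure" case when d = n, and the retry with another c. Run on n = 455459 from HAC Example 3.10 it reproduces that example's table row by row and finds 743 at the ninth round (455459 = 743 × 613).

```python
from math import gcd

def rho_trace(n, max_steps, a0=2, c=1):
    """Pollard's rho with Floyd cycle finding: a advances one step and b two
    steps per round with f(x) = x^2 + c mod n, and d = gcd(a - b, n) is tested.
    Returns the (a_i, b_i, d_i) rows up to and including the first d_i > 1."""
    f = lambda x: (x * x + c) % n
    a = b = a0
    rows = []
    for _ in range(max_steps):
        a = f(a)
        b = f(f(b))
        d = gcd(a - b, n)
        rows.append((a, b, d))
        if d > 1:
            break
    return rows

def pollard_rho(n, a0=2, c=1, max_steps=10**6):
    """Return a non-trivial factor of n, or None on 'failure' (d == n, or no
    collision within max_steps); the slide then suggests another f."""
    rows = rho_trace(n, max_steps, a0, c)
    d = rows[-1][2]
    return d if 1 < d < n else None

def factor_with_retry(n, max_c=5):
    """Retry with f(x) = x^2 + c for c = 1, 2, ... when the first choice fails."""
    for c in range(1, max_c + 1):
        d = pollard_rho(n, c=c)
        if d is not None:
            return d
    return None

if __name__ == "__main__":
    for i, (a, b, d) in enumerate(rho_trace(455459, 100), start=1):
        print(i, a, b, d)                 # last row: 9 44567 68343 743
    print(factor_with_retry(455459))      # 743
```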

14
Random square factoring --method
  • Idea:
  • Find integers x and y such that x^2 ≡ y^2 mod n but
    x ≢ ±y mod n.
  • Therefore n divides x^2 − y^2 = (x+y)(x−y) but not
    x+y or x−y, so gcd(x+y, n) is a divisor of n.
  • Fact:
  • Let n be an odd composite that is divisible by k
    distinct odd primes; if a ∈ Z_n*, then x^2 ≡ a^2 mod
    n has exactly 2^k solutions modulo n, two of which
    are x = a and x = −a.
  • So if x, y are found at random such that x^2 ≡ y^2 mod n,
    then with probability at least 50% it is the case that
    x ≢ ±y mod n, and thus a factor of n is found.
  • Example: n = 35, x^2 ≡ 2^2 mod 35 has solutions
    2, 12, 23, 33. So gcd(23−2, 35) = gcd(21, 35) = 7.

15
Random Square factor --algorithm
  • Select a factor base S = {p1, p2, ..., pt}; the pi are
    primes.
  • Find pairs of integers (ai, bi) such that
  • ai^2 ≡ bi mod n and bi = p1^{e1} p2^{e2} ... pt^{et} where
    ei ≥ 0.
  • Find a subset of the bi whose product is a perfect
    square, e.g., b2, b3, b5; then
  • a2^2 a3^2 a5^2 ≡ b2 b3 b5 mod n, i.e.,
  • (a2 a3 a5)^2 ≡ b^2 mod n

16
Random Square factor --example
  • Suppose n = 15770708441 and S = {2, 3, 5, 7, 11, 13}
  • Consider
  • 8340934156^2 ≡ 3 × 7 mod n,
  • 12044942944^2 ≡ 2 × 7 × 13 mod n,
  • 2773700011^2 ≡ 2 × 3 × 13 mod n.
  • Then
  • (8340934156 × 12044942944 × 2773700011)^2 ≡ (2 × 3
    × 7 × 13)^2 mod n,
  • i.e., 9503435785^2 ≡ 546^2 mod n
  • gcd(9503435785 − 546, n) = 115759.

17
Random Square factor find set of bi
  • S = {p1, p2, ..., pt}.
  • Suppose pairs (a1, b1), (a2, b2), ..., (a_{t+1},
    b_{t+1})
  • We know that bi = p1^{e1} p2^{e2} ... pt^{et} where ei
    ≥ 0.
  • Compute a binary vector for each bi:
  • vi = (e1 mod 2, e2 mod 2, ..., et mod 2)
  • The t-dimensional vectors v1, v2, ..., v_{t+1} must be
    linearly dependent.
  • As a result, the bi of a linearly dependent set of
    vectors multiply to p1^{E1} p2^{E2} ... pt^{Et},
    where all Ei are even.
  • Dixon's random squares algorithm.

18
Methods of selecting ai for squares
  • Randomly select ai.
  • Select ai of the form j + ⌊√(kn)⌋, j = 0, 1, ...,
    k = 1, 2, ...:
  • tends to be small after squaring and reducing mod n,
  • higher probability of being in the factor base.
  • Select ai of the form ⌊√(kn)⌋:
  • a bit less than √(kn), so ai^2 is slightly less than kn
    (ai^2 − kn is small).
  • If the factor base includes −1, then ai^2 can be
    expressed in the factor base.
  • Quadratic sieve: ai = j + ⌊√n⌋ (i.e., x + m)
  • How large should the factor base t = |S| be?
  • The larger, the easier ai^2 can be expressed in
    the factor base, but the more ai are needed to
    find a dependence.

19
Quadratic sieve factoring algorithm
  • Given n, let m = ⌊√n⌋.
  • Let q(x) = (x + m)^2 − n.
  • Select ai = x + m, x = 0, ±1, ±2, ±3, ...
  • Test whether bi = (x + m)^2 − n is pt-smooth; if yes,
    keep (ai, bi), otherwise discard (ai, bi).
  • Moreover, if a prime p divides bi, then (x + m)^2 ≡
    n mod p, that is, n is a quadratic residue modulo
    p.
  • Therefore the factor base is S = {p : (n/p) = 1} ∪
    {−1, 2}
20
Discussions
  • Algorithm 3.21, page 96 of HAC
  • Pairs (a1, b1), (a2, b2), ..., (ak, bk)
  • For each (ai, bi), test bi for pt-smoothness by
    dividing bi by p1, p2, ..., pt.
  • The other way:
  • For each pi, go through (a1, b1), (a2, b2), ...,
    (ak, bk)
  • If bj is a multiple of pi, divide bj by pi
    repeatedly.
  • Throw out (sieve out) all (aj, bj) for which bj
    is not 1 at the end.
  • Complexity O(e^{(1+o(1)) √(ln n ln ln n)})
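The relation-collection phase of the quadratic sieve from the last two slides, as an added Python example that is not from the slides: the factor base is built from the Legendre condition (n/p) = 1 via Euler's criterion, candidates a = x + m are generated for x = 0, ±1, ±2, ..., and each b = a² − n is trial-divided over the base (the first smoothness test described above). The modulus 24961 = 109 × 229 and bound 23 are small constructed values; the dependency search over the exponent vectors is the same as for random squares and is not repeated here.

```python
from math import isqrt

def factor_base(n, bound):
    """S = {-1, 2} plus the odd primes p <= bound with Legendre symbol (n/p) = 1,
    tested by Euler's criterion n^((p-1)/2) ≡ 1 (mod p)."""
    base = [-1, 2]
    for p in range(3, bound + 1, 2):
        is_prime = all(p % q for q in range(3, isqrt(p) + 1, 2))
        if is_prime and pow(n, (p - 1) // 2, p) == 1:
            base.append(p)
    return base

def smooth_exponents(b, base):
    """Trial-divide b by the primes of the base. Returns {prime: exponent}
    (with -1 recorded for a negative b) or None if b is not smooth over the base."""
    if b == 0:
        return None
    exps = {}
    if b < 0:
        exps[-1], b = 1, -b
    for p in base[1:]:
        while b % p == 0:
            b //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if b == 1 else None

def collect_relations(n, base, count):
    """Quadratic-sieve candidates a = x + m, x = 0, ±1, ±2, ... with m = floor(sqrt(n));
    keep (a, b, exponents) whenever b = a^2 - n is smooth, until `count` relations."""
    m = isqrt(n)
    rels, x = [], 0
    while True:
        for a in ((m,) if x == 0 else (m + x, m - x)):
            exps = smooth_exponents(a * a - n, base)
            if exps is not None:
                rels.append((a, a * a - n, exps))
                if len(rels) == count:
                    return rels
        x += 1

if __name__ == "__main__":
    n = 24961                                  # constructed: 109 * 229
    base = factor_base(n, 23)                  # [-1, 2, 3, 5, 13, 23]
    for a, b, exps in collect_relations(n, base, 5):
        print(a, b, exps)                      # first row: 157 -312 {-1: 1, 2: 3, 3: 1, 13: 1}
```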

21
RSA problem
  • RSAP: given a positive integer n = pq (p, q two
    distinct primes), a positive integer e such that
    gcd(e, (p−1)(q−1)) = 1 and an integer c, find an
    integer m such that m^e ≡ c mod n.
  • Fact: RSAP ≤_p FACTORING.
  • Guess: RSAP ≡_p FACTORING.

22
Other attacks on RSA
  • Known φ(n) attack:
  • n = pq, φ(n) = (p−1)(q−1); then
  • p^2 − (n − φ(n) + 1)p + n = 0
  • The two roots are p and q.
  • If φ(n) can be computed, then RSA is broken.
  • In other words, computing φ(n) is no easier than
    factoring n.

23
Other attacks on RSA (cont.)
  • Known decryption exponent attack:
  • (n, a) is the private key; if a is disclosed, then
  • n can be factorized in polynomial time by means of a
    randomized algorithm.
  • So computing a is no easier than factoring n.
  • If a is revealed accidentally, selecting another
    a (for the same n) is not secure: n must be a new one.

24
RSA known a attack example
  • Algorithm 5.10 RSA-FACTOR(n, a, b), page 197 of
    Cryptography: Theory and Practice (CTP).
  • Proof of the algorithm:
  • n = pq, then x^2 ≡ 1 mod n has four solutions:
  • two trivial solutions x ≡ ±1, two non-trivial
    solutions.
  • For a non-trivial solution x, gcd(x+1, n) is a
    factor.
  • For random w, compute w^r, w^{2r}, w^{4r}, ..., until
    w^{2^t r} ≡ 1 mod n.
  • If v0 (the value just before the 1) is 1 or −1, then
    a trivial solution was found: failure, try another w.
  • The probability of failure is at most 1/2. So after a
    few tries, a non-trivial solution will be found.
  • Example 5.15, page 196 of CTP.
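Both RSA attacks from the last three slides in Python, as an added example that is not from the slides: the known-φ(n) attack solves the quadratic above for p and q, and the known-exponent attack follows RSA-FACTOR (split e·d − 1 = 2^s·r, square w^r until a 1 appears, use the non-trivial square root of 1). The key p = 101, q = 113, e = 3533, d = 6597 is a constructed toy key; the point for a defender is that a leaked d or φ(n) recovers p and q, so the modulus, not just the exponent, has to be replaced.

```python
from math import gcd, isqrt

def factor_from_phi(n, phi):
    """Known-phi(n) attack: p and q are the two roots of
    p^2 - (n - phi(n) + 1) p + n = 0, solved with the quadratic formula."""
    s = n - phi + 1                     # s = p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:
        return None                     # phi is not phi(n) for this n
    return (s - r) // 2, (s + r) // 2

def factor_from_exponents(n, e, d):
    """Known-decryption-exponent attack (RSA-FACTOR): write e*d - 1 = 2^s * r with r
    odd; for w = 2, 3, ... square v = w^r mod n until 1 appears. The value v0 just
    before the 1 is a square root of 1; if it is not ±1, gcd(v0 + 1, n) splits n."""
    k = e * d - 1                       # multiple of phi(n), so w^k ≡ 1 when gcd(w, n) = 1
    s = 0
    while k % 2 == 0:
        k //= 2
        s += 1
    r = k
    for w in range(2, n):
        g = gcd(w, n)
        if g > 1:
            return g                    # w itself already shares a factor with n
        v = pow(w, r, n)
        if v == 1:
            continue                    # w^r is already 1: no information, next w
        v0 = v
        for _ in range(s):
            v0, v = v, v * v % n
            if v == 1:
                break
        if v0 == n - 1:
            continue                    # trivial root -1: failure, try another w
        return gcd(v0 + 1, n)           # non-trivial root of 1 gives a proper factor
    return None

if __name__ == "__main__":
    # Constructed toy key: p = 101, q = 113, n = 11413, phi = 11200, e = 3533, d = 6597
    print(factor_from_phi(11413, 11200))              # (101, 113)
    print(factor_from_exponents(11413, 3533, 6597))   # 101 or 113
```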
25
Quadratic residue problem
  • QRP: given an odd composite n and a ∈ J_n,
    determine whether a is a quadratic residue modulo
    n.
  • If n is a prime, then the Legendre symbol (a/n) can
    determine whether a is a quadratic residue modulo
    n.
  • If n = pq, then a ∈ Q_n iff a ∈ Q_p and a ∈ Q_q.
  • Fact: QRP ≤_p FACTORING.
26
Computing square roots in Zn
  • If n is a prime, then efficient algorithms
    (Algorithms 3.34, 3.36, 3.37, 3.39, page 100 of
    HAC) exist for finding the two square roots of a
    quadratic residue.
  • SQROOT: given a composite n and a quadratic
    residue a modulo n, find a square root of a
    modulo n.
  • If n = pq and p, q are known, then the square root
    can be found by finding the square roots modulo p
    and modulo q respectively, then using the CRT
    (Algorithm 3.44, page 102 of HAC).
  • Fact: SQROOT ≤_p FACTORING

27
SQROOT and FACTORING
  • Fact: FACTORING ≤_p SQROOT, so FACTORING ≡_p
    SQROOT
  • Factoring based on square roots:
  • Select an x at random such that gcd(x, n) = 1.
  • Compute a = x^2 mod n; call SQROOT(a, n) to return
    y.
  • If y ≡ ±x mod n, then fail; select a new x,
  • else gcd(x−y, n) is a factor of n.
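The two directions of the last two slides in Python, as an added example that is not from the slides: SQROOT is implemented for a known factorization n = pq (roots mod p and mod q, combined by CRT; the prime-root step uses the simple p ≡ 3 mod 4 case a^((p+1)/4) rather than the general HAC algorithms), and that routine is then used as the oracle in the reduction FACTORING ≤_p SQROOT above. The modulus 209 = 11 × 19 is a constructed toy value.

```python
from math import gcd

def sqrt_mod_prime(a, p):
    """Square root of a modulo a prime p ≡ 3 (mod 4): r = a^((p+1)/4) mod p.
    Returns None when a is not a quadratic residue mod p."""
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a % p else None

def crt(rp, p, rq, q):
    """Chinese remainder theorem: the residue mod pq that is rp mod p and rq mod q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sqroot_with_factors(a, p, q):
    """SQROOT when n = pq is already factored: a root mod p, a root mod q, then CRT.
    Deterministic, so it always returns the same one of the four roots."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if rp is None or rq is None:
        return None
    return crt(rp, p, rq, q)

def factor_with_sqroot(n, sqroot):
    """The reduction FACTORING <=_p SQROOT: pick x with gcd(x, n) = 1, ask the
    oracle for a root y of x^2 mod n; if y ≢ ±x then gcd(x - y, n) is a factor."""
    for x in range(2, n):
        if gcd(x, n) != 1:
            continue
        y = sqroot(x * x % n)
        if y is None or y == x or y == n - x:
            continue                    # trivial root: pick another x
        return gcd(x - y, n)
    return None

if __name__ == "__main__":
    p, q = 11, 19                       # constructed toy modulus n = 209; both ≡ 3 (mod 4)
    oracle = lambda a: sqroot_with_factors(a, p, q)
    print(factor_with_sqroot(p * q, oracle))   # 11
```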

28
Discrete logarithm problem
  • DLP: given a prime p, a generator α of Z_p* and an
    element β ∈ Z_p*, find an integer x such that α^x ≡
    β mod p.
  • Note: the difficulty of the DLP is independent of the
    generator.
  • Let α, γ be two generators and β ∈ Z_p*; then
    log_γ β = (log_α β)(log_α γ)^{-1} mod p.
  • This means any algorithm which computes
    logarithms to the base α can be used to compute
    logarithms to the base γ.

29
Solutions to DLP
  • Exhaustive search:
  • O(n) time, O(1) space.
  • How about an O(1)-time algorithm?
  • Baby-step giant-step algorithm (Shanks):
  • O(√n) time and O(√n) space.
  • Poll rho DLP algorithm:
  • O(√n) time and O(1) space.

30
Shanks' algorithm
  • Algorithm 6.1 (p, α, β), page 229 of CTP
  • m = ⌈√p⌉
  • For j = 0 to m−1 compute α^{mj}
  • Sort all (j, α^{mj}) by the second component: L1
  • For i = 0 to m−1 compute βα^{−i}
  • Sort all (i, βα^{−i}) by the second component: L2
  • Find a pair (j, y) in L1 and (i, y) in L2 (i.e.,
    the second components are identical)
  • Set log_α β = (mj + i) mod p.
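The baby-step giant-step procedure above in Python, as an added example that is not code from the slides: the sorted list L1 becomes a hash map from α^{mj} to j, and L2 is walked as β·α^{−i} for i = 0, 1, ... until a match. The instance p = 809, α = 3, β = 525 is a constructed toy case whose answer the test checks by re-exponentiation; the exponent is reduced modulo the group order p − 1 in the code.

```python
from math import isqrt

def shanks(p, alpha, beta):
    """Baby-step giant-step for alpha^x ≡ beta (mod p):
    L1 = {(j, alpha^(mj))} as a dict, L2 = beta * alpha^(-i) walked for i = 0..m-1.
    Returns x = m*j + i, or None if beta is not a power of alpha."""
    m = isqrt(p - 1) + 1                   # m = ceil(sqrt(p)): m*m >= p - 1 covers all x
    alpha_m = pow(alpha, m, p)
    giant = {}                             # alpha^(mj) -> j  (L1, indexed by 2nd component)
    g = 1
    for j in range(m):
        giant.setdefault(g, j)
        g = g * alpha_m % p
    alpha_inv = pow(alpha, -1, p)
    y = beta % p                           # the current beta * alpha^(-i)
    for i in range(m):
        if y in giant:                     # matching second components in L1 and L2
            return (m * giant[y] + i) % (p - 1)   # exponents live mod the group order
        y = y * alpha_inv % p
    return None

if __name__ == "__main__":
    x = shanks(809, 3, 525)                # constructed instance
    print(x, pow(3, x, 809))               # 309 525
```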

31
Pollard rho discrete logarithm algorithm
  • Algorithm 6.2, page 233 of CTP. Also Algorithm
    3.60, page 106 of HAC.
  • Idea:
  • Begin from x0; compute x_i and x_{2i} until x_i = x_{2i}
  • Then compute the discrete logarithm value.

32
Diffie-Hellman Problem
  • DHP: given a prime p, a generator α of Z_p* and
    elements α^a mod p and α^b mod p, find α^{ab} mod p.
  • Fact: DHP ≤_p DLP.
  • Conjecture: DLP ≤_p DHP.
  • Fact: Let p be a prime for which the factorization of
    p−1 is known. Suppose φ(p−1) is B-smooth, where
    B = O((ln p)^c) for some constant c; then DLP and
    DHP in Z_p* are computationally equivalent.

33
DHP and ElGamal system
  • DHP: given (p, α, β, γ) where p is prime, α is a
    generator of Z_p*, β = α^b and γ = α^r, compute
    γ^{log_α β} mod p
  • (= α^{br} mod p).
  • ElGamal problem: given (p, α, β, y1, y2), compute
    x = y2 (y1^{log_α β})^{−1} mod p.
  • Fact: breaking the ElGamal cryptosystem is
    equivalent to solving the DHP.
34
DLP and FACTORING
  • Fact: let n be a composite integer; if the DLP in Z_n*
    can be solved in polynomial time, then n can be
    factored in expected polynomial time, i.e., FACTORING
    ≤_p DLP.
  • Fact: let n be a composite integer; the DLP in Z_n*
    polytime-reduces to the combination of factoring
    n and the DLP in Z_p* for every prime factor p of n.

35
DHP and FACTORING
  • Fact: let n = pq where p and q are odd primes; if the
    DHP in Z_n* can be solved in polynomial time for a
    non-negligible proportion of all bases α ∈ Z_n*,
    then n can be factored in expected polynomial time,
    i.e., FACTORING ≤_p DHP

36
Relation among number-theory problems
  • RSAP ≤_p FACTORING. Guess: FACTORING ≤_p RSAP
  • Fact: QRP ≤_p FACTORING.
  • FACTORING ≡_p SQROOT
  • Fact: DHP ≤_p DLP. Guess: DLP ≤_p DHP.
  • FACTORING ≤_p DLP and DLP_n ≤_p FACTORING + DLP_p +
    DLP_q
  • FACTORING ≤_p DHP.
  • The ElGamal cryptosystem is equivalent to the DHP.