introduction to basic cryptographykalyan/lecture2.pdf · introduction to basic cryptography attacks...

Introduction to Basic CryptographyAttacks on RSA, DLP

Kalyan ChakrabortyHarish-Chandra Research Institute

CIMPA School of Number Theory in Cryptography and Its Applications

School of Science, Kathmandu University,

Dhulikhel, Nepal

July 19 - July 31, 2010

Lecture 2: July 21, 2010

http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf

Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 1 / 31

http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf

Outline

Outline

1 Attacks on RSAThe Pollard p− 1 AlgorithmThe Pollard’s Rho AlgorithmWeiner’s Low Decryption Exponent Attack

2 Discrete Logarithm ProblemGeneral DL ProblemExampleThe ElGamal CryptosystemMassey-Omura Encryption


Attacks on RSA

Factoring Algorithms

Factoring Algorithms

The obvious way to attack RSA is to attempt to factor the publicmodulus.

If n is composite, then the basic method of dividing an integer n by allprimes p ≤ √n is much too slow for most purposes.


Attacks on RSA The Pollard p − 1 Algorithm

The Pollard p− 1 Algorithm

If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.




If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.




If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.Fix an integer B. Given an integer n, this algorithm finds a primep such that p|n and p− 1 has prime factors ≤ B.




If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.Fix an integer B. Given an integer n, this algorithm finds a primep such that p|n and p− 1 has prime factors ≤ B.

Pollard p− 1 factoring Algorithm (n,B)

a = 2

for j = 2 to B

do a = aj mod n

d = gcd(a − 1, n)

if 1 < d < n

then return(d)

else return (“failure”)Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 4 / 31


How to choose B ?For a small B the algorithm will run quickly but will have littlechance of success, while large B will make it very slow.The actual choice of B will depend on the situation at hand.



How to choose B ?For a small B the algorithm will run quickly but will have littlechance of success, while large B will make it very slow.The actual choice of B will depend on the situation at hand.

Avoding p− 1 attack :We use n = pq, which is hard to factor. So, we should ensure thatp− 1 has at least one large prime factor.

For p to have around 100 digits, choose large prime p0 (around1040). Look at integers of the form kp0 + 1 (k could be around1060) and test it for primality by Miller-Rabin Test. This producesdesired value of p in less than 100 steps.Apply same procedure for q.

Then the RSA modulus n will be resistant to p− 1 attack.



Complexity:

There are B − 1 modular exponentiation, each requiring at most2 log2 B modular multiplications. The gcd can be computed in timeO

(

(log n)3)

.

Hence the complexity of the algorithm is

O(

B log B(log n)3 + (log n)3)

.

If B is O(

(log n)i)

for some fixed i, then algorithm is indeed

polynomial time. One cannot again choose a very small B.

The more powerful elliptic curve factoring algorithm developed byLenstra, is infact a generalization of the p− 1 algorithm.



Example

Suppose n = 15770708441. If we apply the algorithm withB = 180 then one gets a = 11620221425 and d = 135979

In fact 15770708441 = 135979 × 115979

This factorization succeeds because 135978 has “small” primefactors:135978 = 2× 3× 131× 173.

Hence by taking B ≥ 173, it will be the case that 135978|B! asrequired.



Example

Suppose n = 15770708441. If we apply the algorithm withB = 180 then one gets a = 11620221425 and d = 135979

In fact 15770708441 = 135979 × 115979

This factorization succeeds because 135978 has “small” primefactors:135978 = 2× 3× 131× 173.

Hence by taking B ≥ 173, it will be the case that 135978|B! asrequired.

Exercise: Factor n = 376875575426394855599989992897873239 by thep− 1 Method. One can choose bound B = 100.


Attacks on RSA The Pollard’s Rho Algorithm

Pollard Rho Algorithm

Let p be prime divisor of n. Suppose ∃ x, x′ ∈ Zn such that x 6= x′

and x ≡ x′ mod p. Then p ≤ (x− x′, n) < n. One obtains anon-trivial factor of n by computing gcd.






One chooses a random subset X ⊂ Zn and then compute(x− x′, n) for all distinct values in X. This method will besuccessful if and only if the mapping x→ x mod p gives atleastone collision for x ∈ X.






One chooses a random subset X ⊂ Zn and then compute(x− x′, n) for all distinct values in X. This method will besuccessful if and only if the mapping x→ x mod p gives atleastone collision for x ∈ X.

The Pollard Rho Algorithm is a variation of this technique whichneeds fewer gcd computation and less memory and quickly findsrelatively small prime factor p of composite numbers in perhaps√

p steps.



Description

Description: Given an integer n, define a function f by

f(x) = x2 + a mod n (usually a = 1 is used)

and initialize by setting x = 2, x′ = f(x).



Description




Compute d = gcd(x − x′, n)if 1 < d < n, stop, d is proper divisor of n.if d = 1, replace x by f(x) and x′ by f(f(x′));and repeat.



Description




Compute d = gcd(x − x′, n)if 1 < d < n, stop, d is proper divisor of n.if d = 1, replace x by f(x) and x′ by f(f(x′));and repeat.

(If d = n; we have a failure and the algorithm has to be re-initialized).



Pollard Rho Factoring Algorithm (n, x1)

external f

x← x1

x′ ← f(x) mod n

p← gcd(x− x′, n)

while p = 1

do

comment: in the ith iteration, x = xi and x′ = x2i

x← f(x)(mod n)x′ ← f(x′)(mod n)x′ ← f(x′)(mod n)p← gcd(x− x′, n)

if p = n

then return (“n is prime”)

else return (p)



Let x1 ∈ Zn. Consider the sequence x1, x2, . . . where

xj = f(xj−1)mod n ∀ j ≥ 2.

Set X = {x1, x2, . . . xm} for some m.




xj = f(xj−1)mod n ∀ j ≥ 2.


One is looking for two distinct values xi, xj ∈ X such thatgcd(xj − xi, n) > 1.It turns out that one can reduce the gcd computation.




xj = f(xj−1)mod n ∀ j ≥ 2.



Now we show that xi ≡ xj (mod p)⇒ xi+1 ≡ xj+1 (mod p):

Suppose xi ≡ xj (mod p)⇒ f(xi) ≡ f(xj) (mod p);

xi+1 = f(xi) mod nxj+1 = f(xj) mod n

gives




xj = f(xj−1)mod n ∀ j ≥ 2.



Now we show that xi ≡ xj (mod p)⇒ xi+1 ≡ xj+1 (mod p):

Suppose xi ≡ xj (mod p)⇒ f(xi) ≡ f(xj) (mod p);

xi+1 = f(xi) mod nxj+1 = f(xj) mod n

gives

xi+1 mod p =(

f(xi) mod n)

mod p = f(xi) mod p as p|n.

xj+1 mod p =(

f(xj) mod n)

mod p = f(xj) mod p as p|n.

Therefore, xi+1 ≡ xj+1 (mod p).



So, if xi ≡ xj (mod p) then xi+δ ≡ xj+δ (mod p); δ ≥ 0.Denoting l = j − i⇒ xi′ ≡ xj′ (mod p) if j′ > i′ ≥ i and j′ − i′ = 0 (mod l).




The goal is to discover 2 terms xi ≡ xj (mod p) with i < j, bycomputing a gcd. In order to simplify and improve the algorithm,we restrict our search for collision by taking j = 2i.




The goal is to discover 2 terms xi ≡ xj (mod p) with i < j, bycomputing a gcd. In order to simplify and improve the algorithm,we restrict our search for collision by taking j = 2i.

If xi ≡ xj (mod p) then it is the case that xi′ ≡ x2i′ (mod p) for alli′ such that i′ ≡ 0 (mod l) and i′ ≥ i.

Among the l consecutive integers i, . . . , j − 1, there must be onethat is divisible by l. Therefore, the smallest value i′ that satisfiesthe condition is atmost j − 1. Hence the # of iterations requiredto find a factor p is atmost j.



Example

n = 7171 = 71× 101, f(x) = x2 + 1, x1 = 1, then the sequence xi are

1 2 5 26 677 6557 41016347 4903 2218 219 4936 · ·4872 375 4377 4389 2016 · ·

reduced mod 71

1 2 5 26 38 25 5828 4 17 6 37 21 1644 20 46 58 28 4 17

⇒ x7 mod 71 = x18 mod 71 = 58.

Here, i = 7, j = 18 and l = j − i = 11 which is the length of the cycle.The smallest integer i′ ≥ 7 which is divisible by 11 is i′ = 11.Therefore, this algorithm will give the factor 71 of n when it computesgcd(x11 − x22, n) = 71.



Exercises

Exercise:

Factor the following numbers using Pollard Rho Algorithm if thefunction f is defined to be f(x) = x2 + 1:

1 262063

2 9420457

3 181937053

How many iterations are needed in each cases?


Attacks on RSA Weiner’s Low Decryption Exponent Attack

Weiner’s Low Decryption Exponent attack

This attack succeeds in computing the secret decryption exponentd, whenever

3d < n1/4 and q < p < 2q. (1)



Weiner’s Low Decryption Exponent attack

This attack succeeds in computing the secret decryption exponentd, whenever

3d < n1/4 and q < p < 2q. (1)

This attack will work when d has fewer than l/4−1 bits in binaryrepresentation (assuming n has l-bits) and p and q are not farapart.

This result shows that method of reducing time should be avoided.



As, de ≡ 1 (mod φ(n)) ∃ t ∈ Z such that

de− tφ(n) = 1

Now, n = pq > q2, we have q <√

n. Therefore,

0 < n− φ(n) = p + q − 1 < 2q + q − 1 < 3q < 3√

n.

Thus,∣

∣

∣

∣

e

n− t

d

∣

∣

∣

∣

=

∣

∣

∣

∣

ed− tn

dn

∣

∣

∣

∣

=

∣

∣

∣

∣

1 + t(φ(n)− n)

dn

∣

∣

∣

∣

<3t√

n

dn=

3t

d√

n.



As, de ≡ 1 (mod φ(n)) ∃ t ∈ Z such that

de− tφ(n) = 1

Now, n = pq > q2, we have q <√

n. Therefore,

0 < n− φ(n) = p + q − 1 < 2q + q − 1 < 3q < 3√

n.

Thus,∣

∣

∣

∣

e

n− t

d

∣

∣

∣

∣

=

∣

∣

∣

∣

ed− tn

dn

∣

∣

∣

∣

=

∣

∣

∣

∣

1 + t(φ(n)− n)

dn

∣

∣

∣

∣

<3t√

n

dn=

3t

d√

n.

As t < d; one has 3t < 3d < n1/4.Therefore

∣

∣

∣

∣

e

n− t

d

∣

∣

∣

∣

=1

dn1/4<

1

3d2

td is very close approximation to e

n .



From the theory of continued fractions, it is known that anyapproximation of e

n that is this close must be one of theconvergents of the continued fraction expansion of e

n .



From the theory of continued fractions, it is known that anyapproximation of e

n that is this close must be one of theconvergents of the continued fraction expansion of e

n .

Theorem: Suppose (a, b) = (c, d) = 1 and

∣

∣

∣

a

b− c

d

∣

∣

∣<

1

2d2.

Then cd is one of the convergents of the continued fractions

expansion of ab .



Example

Example: Compute the continued fraction expansion of 3499

.The Euclidean Algorithm gives:

34 ≡ 0× 99 + 3499 ≡ 2× 34 + 3134 ≡ 1× 31 + 331 ≡ 10× 3 + 13 ≡ 3× 1

Hence, the continued fraction expansion of 34

99= [0, 2, 1, 10, 3].

34

99= 0 +

1

2 +1

1 +1

10 + 1

3



The convergents are:

[0] = 0, [0, 2] =1

2, [0, 2, 1] =

1

3, [0, 2, 1, 10] =

11

32, [0, 2, 1, 10, 3] =

34

99.

Thus if (1) holds then the unknown fraction td is a close

approximation to en .

If td is a convergent of e

n ; then one can compute the value of

φ(n) = (de− 1)/t.

Once n and φ(n) are known we can factor n.

One tries convergent of en until the factorization of n is found.



Weiner’s Algorithm (n, e)

(q1, . . . , qm; rm)← Euclidean Algorithm (e, n).c0 = 1, c1 = q1, d0 = 0, d1 = 1for j = 1 to mdo

cj = qjcj−1 + cj−2

dj = qjdj−1 + dj−2

n′ = (dje− 1)/cj

comment: n′ = φ(n) if cj/dj is the correct convergent.if n′ is an integer

then

let p, q be roots of x2 − (n− n′ + 1)x + n = 0if p, q are primitive integers < nthen return (p, q)

return(“failure”)


End of RSA Notes

Discrete Logarithm Problem General DL Problem

Discrete Logarithm Problem

Let G be a finite multiplicative group of order n.

Let α ∈ G be of order n.






Consider,< α > = {αi : 0 ≤ i ≤ n− 1}.

Set β ∈< α >.






Consider,< α > = {αi : 0 ≤ i ≤ n− 1}.

Set β ∈< α >.

For example, take G to be multiplicative group of a finite field Zp

and α to be a primitive element modulo p.



Problem : Find the unique integer ‘a’, 0 ≤ a ≤ n− 1 such that

αa = β.

Denote ‘a’ by logα β; discrete logarithm of β.




αa = β.


The utility of ‘dlp’ in a cryptographic setting is that finding ‘dl’ isdifficult.




αa = β.


The utility of ‘dlp’ in a cryptographic setting is that finding ‘dl’ isdifficult.

Stated Another Way: Exponentiation is a one-way formula insuitable groups.


Discrete Logarithm Problem Example

DLP Example

G = Z∗

19 = {1, 2, . . . , 18}.n = 18; generator g = 2

i 1 2 3 4 5 6 7 8 9

gi 2 4 8 16 13 7 14 9 18

i 10 11 12 13 14 15 16 17 18

gi 17 15 11 3 6 12 5 10 1

Then,log2 14 = 7

log2 6 = 14


Discrete Logarithm Problem Example

Exercises

1 Let p = 13. Compute log2 3.

Computer Exercises:

1 Let p = 53047. Verify that log3 8576 = 1234.

2 Let p = 3989. Show that log2 3925 = 2000.


Discrete Logarithm Problem The ElGamal Cryptosystem

The ElGamal Cryptosystem This cryptosystem is based on DLP.

ElGamal proposed a PKC based on dlp in (Z∗

p, ·).





p, ·).Encryption : Let p be a prime and g be a generator of Z

∗

p. Theprivate key x is an integer between 1 and p− 2. Set

y = gx mod p.

Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.






∗


y = gx mod p.

Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.To encrypt a plaintext M , a random integer k coprime to p− 1 isselected and compute

a = gk mod pb = Myk mod p

Ciphertext C = (a, b).






∗


y = gx mod p.

Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.To encrypt a plaintext M , a random integer k coprime to p− 1 isselected and compute

a = gk mod pb = Myk mod p

Ciphertext C = (a, b).Decryption : M = b

ax mod p. Indeed we have;

b

axmod p = Myk(ax)−1 mod p

= Mgxk(gkx)−1 mod p

= M.



Example

Suppose p = 2579, α = 2. Let a = 765. So,

β = 2765 mod 2579 = 949.



Example


β = 2765 mod 2579 = 949.

Alice wishes to send a message x = 1299 to Bob. k = 853. Thenshe computes,

y1 = 2853 mod 2579 = 435

andy2 = 1299 × 949853 mod 2579 = 2396.



Example


β = 2765 mod 2579 = 949.

Alice wishes to send a message x = 1299 to Bob. k = 853. Thenshe computes,

y1 = 2853 mod 2579 = 435

andy2 = 1299 × 949853 mod 2579 = 2396.

Bob receives the ciphertext y = (435, 2396) and he computes

x = 2396 × (435765)−1 mod 2579 = 1299.


Discrete Logarithm Problem Massey-Omura Encryption

Massey - Omura Encryption

Parameters

p : prime number.e : a random private integer such that

0 < e < p and gcd(e, p− 1) = 1

d : an inverse of e

d = e−1 mod p− 1, i.e., de ≡ 1 mod p− 1

M : a message to be encrypted and decrypted



Massey - Omura Encryption

Parameters

p : prime number.e : a random private integer such that

0 < e < p and gcd(e, p− 1) = 1

d : an inverse of e

d = e−1 mod p− 1, i.e., de ≡ 1 mod p− 1

M : a message to be encrypted and decrypted

Alice wants to send a message M to Bob

For Alice : eA and dA are both privateFor Bob : eB and dB are both private



Massey-Omura for message transmission

Alice

1. Encryption (1)

C1 = MeA mod p




Alice

1. Encryption (1)

C1 = MeA mod p

Bob

2. Encryption(2)

C2 = C1eB

= MeAeB mod p




Alice

1. Encryption (1)

C1 = MeA mod p

3. Encryption (3)

C3 = C2dA

= (MeAeB)dA

= MeB mod p

Bob

2. Encryption(2)

C2 = C1eB

= MeAeB mod p




Alice

1. Encryption (1)

C1 = MeA mod p

3. Encryption (3)

C3 = C2dA

= (MeAeB)dA

= MeB mod p

Bob

2. Encryption(2)

C2 = C1eB

= MeAeB mod p

4. Decryption

M = C3dB

= MeBdB mod p


introduction to basic cryptographykalyan/lecture2.pdf · introduction to basic cryptography attacks...

Documents