RSA & FACTORING INTEGERSBY: MIKE NEUMILLER & BRIAN YARBROUGH

INTEGER FACTORIZATION

• Reducing an integer into its prime components• Useful for code breaking• RSA uses a semi-prime number to encrypt data

Semi-prime number: a number made by the multiplication of two prime numbers

RSA

• Public Key Cryptosystem• Currently used key sizes: 1024 bits to 4096

bits• Many versions have been cracked already• Largest of which is the 768 bit version (RSA-768)• RSA-1024 expected to be cracked in the near

future

KEY GENERATION – PUBLIC KEY

•Public key consists of a semi-prime, n, madefrom two large prime numbers and an exponent, e.

• Steps to find n and e:• Pick two distinct primes, p and q of similar bit-length• Calculate n = p * q• Compute φ(n) = (p – 1)(q – 1)• Pick an integer e that is coprime with φ(n), such that 1 < e

< φ(n)

• Encryption is c ≡ me (mod n)

p, q

n

mod n

φ(n)

edd

KEY GENERATION – PRIVATE KEY

• Private key consists of mod n, and an exponent, d.

• Use e, n and φ(n)) to create the private key.• d ≡ e-1 (mod φ(n)) • or find d given d⋅e ≡ 1 (mod φ(n))

• Decode using m ≡ cd (mod n)

p, q

n

mod n

φ(n)

e dd

HOW DO WE BREAK IT?

• Private key consists of:• mod n and d

• n is known, so mod n is known, thus d is all we have to find.

• d is created using:• φ(n) and e

• e is known, so φ(n) is all we have to find now.

• φ(n) = (p – 1) (q – 1)• So now we only need to find p and q

• n = p * q• p and q are both primes, so use Integer Factorization!

p, qn

mod n

φ(n)

e dd

FACTORING INTEGERS – THE SIMPLE SOLUTION• Trial Division• Easily understood, but laborious for the computer.• Repeatedly try to divide a number by increasingly larger primes until

the full factorization has been found.• Similar to the way most humans would probably approach the problem.

EXAMPLE CODE FOR TRIAL DIVISION

int main(int argc, char * argv[]){

unsigned long n = 1;

if (argc <= 1) {cout << "Please specify a number to factor: ";cin >> n;cout << endl;} else {n = atol(argv[1]);}

cout << "Using Trial Division to calculate the prime factors of “ << n << "...\n" << endl;

vector<unsigned int> factors = trial_division(n);

cout << "Factors found to be: ";

for (unsigned int i = 0; i < factors.size(); ++i) {if (i > 0) { cout << ", "; }cout << factors[i];}

cout << endl;

return 0;}

std::vector<unsigned int> trial_division(unsigned long n){

std::vector<unsigned int> factors;

if (n == 1) {factors.push_back(1);return factors;

}

std::vector<unsigned long> primes = prime_sieve(sqrt(n) + 1);

for (unsigned int i = 0; i < primes.size(); ++i) {if (primes[i] * primes[i] > n) { break; }

while (n % primes[i] == 0) {factors.push_back(primes[i]);

n /= primes[i];}

}

if (n > 1) {factors.push_back(n);

}

return factors;}

std::vector<unsigned long> prime_sieve(unsigned long max){

std::vector<bool> is_prime;std::vector<unsigned long> primes;

is_prime.resize(max + 1, true);

for (unsigned long i = 2; i <= max; ++i) {if (!is_prime[i]) { continue; }

primes.push_back(i);

for (unsigned long j = i * i; j <= max; j += i) {is_prime[j] = false;}}

return primes;}

FACTORING INTEGERS – THE PARALLEL SOLUTIONS• Quadratic Sieve (QS)• Factored RSA-129 on April 2, 1994

• 2GB of data was collected over 8 months using computers distributed across the internet.

• Processing of the collected data took another 45 hours on Bellcore’s MasPar supercomputer.

• Was fastest known method for traditionalcomputers until the Number Field Sievewas discovered.

FACTORING INTEGERS – THE PARALLEL SOLUTIONS• Number Field Sieve (NFS)• Fastest known method for factoring• Factored RSA-130 on April 10, 1996

• All RSA numbers to be factored since have been done with NFS.• Factored RSA-768 (232 digits) on December 12, 2009 after more than

2 years of calculations using a state-of-the-art distributed implementation of NFS.

EXAMPLE - RSA-768 FACTORED

• RSA-768 = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413

• When factored, RSA-768 =33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489

× 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

FACTORING INTEGERS – THE QUANTUM SOLUTION• Shor’s Algorithm• Formulated in 1994 by Peter Shor.• Has already been shown to work

• Factored 15 in 2001 and again in 2012• Factored 21 in 2012

• Runs in polynomial time• Substantially faster than all of our current methods!

COMPARING RUNTIMES

Trial Division O

Number Field Sieve (NFS) O

Shor’s Algorithm O((log N)3)

Comparison of Integer Factorization Algorithm Run Times

Trial Division General Number Field SieveShor's Algorithm

Input Size(Increasing from left to right)

Estim

ated

Run

Tim

e

REQUIREMENTS FOR SHOR’S ALGORITHM

• The number must be odd• If the number is even, you can always divide by 2 until you get an odd

number and then run Shor’s Algorithm.

• The number must be a composite number• This can be tested by simply checking if the number is already a prime

• The number must not be a power of a prime• This is checked for by checking the square, cubic, …, k-roots of N where k ≤

log2(n)

HOW SHOR’S ALGORITHM WORKS

• Consists of two parts• A reduction of the factoring problem to the problem of order-finding problem.

• This part simply turns the factoring problem into the problem of find the period of a function.

• This part can be done on a classical computer!• A quantum algorithm to solve the order-finding problem.

• This part finds the period using the Quantum Fourier transform.• This part is responsible for the incredible speedup of Shor’s Algorithm compared to

our current methods.

INTEGER FACTORIZATION ALGORITHMS (RECAP)• Trial Division

• Easily understood, but laborious for the computer.

• Quadratic Sieve (QS)• Factored RSA-129 on April 2, 1994 after more than 8 months of calculations.• Second fastest known method for traditional computers.

• Number Field Sieve (NFS)• Fastest known method for factoring.• Factored RSA-768 (232 digits) on December 12, 2009 after more than 2 years of calculations.

• Shor’s Algorithm• Bad news for the RSA encryption if we get a quantum computer of capable of running it for large

numbers.

QUESTIONS?