Lecture 8: Primality Testing and Factoring Piotr Faliszewski


Cryptography, Lecture 8: Primality Testing and Factoring (Piotr Faliszewski)

Previous Class
Attacks on RSA:
  Known digits attacks
  Low exponent attacks
  Short plaintext attacks
  Timing attacks
Practical RSA:
  Exponentiation modulo n
  Primality testing

Factoring and Primality Testing
Factoring:
  Input: $n \in \mathbb{N}$
  Output: nontrivial factor of $n$
Primality testing:
  Input: $n \in \mathbb{N}$
  Output: "the number is composite" or "the number is probably prime"
Is there a difference?
  Yes! Primality testing is much easier.
  You do not need to factor the number to see that it is composite.

Miller-Rabin Test
Generalization of Fermat's test.
Principle:
  If $p$ is a prime, then $x^2 \equiv 1 \pmod{p}$ has only two solutions: $x \equiv 1$ and $x \equiv -1$.
  Why does the principle hold?
Gist of the MR test:
  Find a number $b$ such that $b^2 \equiv 1 \pmod{p}$.
  If $b \notin \{-1, 1\}$ then composite.

Miller-Rabin Test

    MR( int n ):
      let n-1 = 2^k * m
      a <- random in {2, 3, ..., n-2}
      b_0 = a^m (mod n)
      if b_0 = ±1 (mod n) then declare prime
      for j = 1 to k-1 do
        b_j = b_{j-1}^2 (mod n)
        if b_j = 1 (mod n) then declare composite
        if b_j = -1 (mod n) then declare prime
      declare composite

What are we doing?
  $b_0 = a^{m} \pmod{n}$
  $b_1 = a^{2m} \pmod{n}$
  $b_2 = a^{4m} \pmod{n}$
  ...
  $b_j = a^{2^j m} \pmod{n}$
  $b_{k-1} = a^{(n-1)/2} \pmod{n}$

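Miller-Rabin Test: Examples
$k = 7$, $m = 3$, $a = 9$ (working mod 385):
  $b_0 = 9^{3} \equiv 344 \pmod{385}$
  $b_1 = 9^{3 \cdot 2} \equiv 141 \pmod{385}$
  $b_2 = 9^{3 \cdot 2^2} \equiv 246 \pmod{385}$
  $b_3 = 9^{3 \cdot 2^3} \equiv 71 \pmod{385}$
  $b_4 = 9^{3 \cdot 2^4} \equiv 36 \pmod{385}$
  $b_5 = 9^{3 \cdot 2^5} \equiv 141 \pmod{385}$
$n = 3 \cdot 11 \cdot 17 = 561$, $n - 1 = 560 = 2^4 \cdot 35$, $k = 4$, $m = 35$, $a = 2$:
  $b_0 = 2^{35} \equiv 263 \pmod{561}$
  $b_1 = 2^{35 \cdot 2} \equiv 166 \pmod{561}$
  $b_2 = 2^{35 \cdot 2^2} \equiv 67 \pmod{561}$
  $b_3 = 2^{35 \cdot 2^3} \equiv 1 \pmod{561}$
Proof of compositeness!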

Miller-Rabin Test: Examples
$n = 401$, $n - 1 = 400 = 2^4 \cdot 25$, $k = 4$, $m = 25$
$a = 3$:
  $b_0 = 3^{25} \equiv 268 \pmod{401}$
  $b_1 = 3^{25 \cdot 2} \equiv 45 \pmod{401}$
  $b_2 = 3^{25 \cdot 2^2} \equiv 20 \pmod{401}$
  $b_3 = 3^{25 \cdot 2^3} \equiv 400 \equiv -1 \pmod{401}$
$a = 2$:
  $b_0 = 2^{25} \equiv 356 \pmod{401}$
  $b_1 = 2^{25 \cdot 2} \equiv 20 \pmod{401}$
  $b_2 = 2^{25 \cdot 2^2} \equiv 400 \pmod{401}$
Evidence of primality!

Miller-Rabin Test: Why this works?
Recall: $n - 1 = 2^k m$, $b_0 = a^{m}$, $b_1 = a^{2m}$, $b_2 = a^{4m}$, ..., $b_j = a^{2^j m}$, $b_{k-1} = a^{(n-1)/2}$ (all mod $n$).
If $b_0 \equiv \pm 1 \pmod{n}$:
  all $b_i$'s ($i > 0$) will be 1
  can't find nontrivial roots of 1
For $i \in \{1, ..., k-1\}$:
  if $b_i \equiv 1 \pmod{n}$ then
    $b_{i-1}$ is neither 1 nor -1
    $b_{i-1}^2 \equiv 1 \pmod{n}$
    we found a nontrivial root
  if $b_i \equiv -1 \pmod{n}$ then
    $b_{i+1}$ through $b_k$ are all 1 (mod $n$)

Miller-Rabin Test: Quality
MR test is probabilistic.
Answer:
  composite: the number is certainly composite
  prime: the number is prime with high probability
Errors:
  MR(n) says prime but n is composite
  Pr[error] ≤ ¼
  Repeat the test to reduce the probability of error

Other Primality Tests
Solovay-Strassen Test:
  similar in nature to MR
  uses the so-called Jacobi symbol
  fast in practice
  probabilistic
Deterministic test:
  Agrawal, Kayal, and Saxena 2002
  extremely slow
Tests that prove primality:
  MR tests compositeness!
  fairly slow
  needed in very few cases

Factoring
Huge amount of work on factoring!
We look at some simple algorithms.
Some best algorithms:
  quadratic sieve: $O\left(e^{(1+o(1))\sqrt{\ln n \,\ln\ln n}}\right)$
  elliptic curve: $O\left(e^{(1+o(1))\sqrt{\ln p \,\ln\ln p}}\right)$
  number field sieve: $O\left(e^{(1.92+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}}\right)$
Assumption:
  Factor an odd integer
  Produce one factor (how to get all of them?)

Factoring
Input: $n \in \mathbb{N}$
Output: nontrivial factor of $n$
There are about $\pi(n) = n / \ln n$ primes $\le n$.
Trivial methods:
  divide by all numbers in $\{2, ..., n-1\}$
  or by all primes $p$, $p \le \sqrt{n}$
  These are exponential!

Fermat's Method
The principle:
  express $n$ as a difference of squares
  $n = x^2 - y^2$
  $n = (x-y)(x+y)$
The algorithm:
  Compute $n + i^2$ for $i \in \{1, 2, ...\}$
  Stop when $n + i^2$ is a square (i.e., $x^2 = n + i^2$)
  Then we have $n = x^2 - i^2$
Examples:
  $15 = 4^2 - 1^2 = (4-1)(4+1) = 3 \cdot 5$
  $21 = 5^2 - 2^2 = 25 - 4 = (5-2)(5+2) = 3 \cdot 7$

Fermat's Method
Performance:
  depends on the distance between $x$ and $y$
  could be very slow!
Conclusion for RSA:
  $p$ and $q$ should differ by a large value
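The slide's version of Fermat's method with a step counter, to make the "p and q should differ by a large value" conclusion measurable as a key-generation check. This is an added example, not code from the lecture; fermat_factor, primes_too_close and the sample moduli are constructed for it.

```python
from math import isqrt

def fermat_factor(n, max_steps=1_000_000):
    """Search i = 0, 1, 2, ... until n + i^2 is a perfect square x^2.

    Returns (x - i, x + i, i), or None if max_steps is exhausted.
    For n = p*q with primes p < q the first hit is i = (q - p) / 2, so
    the running time is set by how far apart the two primes are.
    (i = 0 catches perfect squares; the slide starts at i = 1.)
    """
    for i in range(max_steps + 1):
        t = n + i * i
        x = isqrt(t)
        if x * x == t:
            return x - i, x + i, i
    return None

def primes_too_close(n, budget=100_000):
    """Key-generation check: True if n splits within `budget` steps."""
    hit = fermat_factor(n, budget)
    return hit is not None and hit[0] > 1

# Constructed sample moduli (small on purpose so they run instantly).
CLOSE = 1000003 * 1000033      # factors 30 apart  -> 15 steps
FAR = 101 * 1000003            # factors far apart -> 499951 steps
```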

Pollard's p-1 Method
The method:
  input: $n$
  choose $a > 1$ (e.g., $a = 2$)
  choose $B$
  let $b = a^{B!} \pmod{n}$
  $d = \gcd(b - 1, n)$
  $d$ is a factor of $n$
Goal of the method:
  factor $n = pq...$
  provided $p-1$ has only small prime factors
Example:
  $n = 7 \cdot 11 = 77$
  $a = 2$
  $B = 4$, $B! = 2 \cdot 3 \cdot 4 = 24$
  $b = 2^{24} \equiv 71 \pmod{77}$
  $\gcd(b-1, n) = \gcd(70, 77) = 7$

Pollard's p-1 Method
Example (same method):
  $n = 7 \cdot 11 = 77$
  $a = 2$
  $B = 2$, $B! = 2$
  $b = 2^{2} \equiv 4 \pmod{77}$
  $\gcd(b-1, n) = \gcd(3, 77) = 1$

Pollard's p-1 Method
Example (same method):
  $n = 7 \cdot 11 = 77$
  $a = 2$
  $B = 6$, $B! = 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 = 720$
  $b = 2^{720} \equiv 1 \pmod{77}$
  $\gcd(b-1, n) = \gcd(0, 77) = 77$

Pollard's p-1 Method
How to compute $a^{B!}$:
  $B!$ can be very big
  $5! = 120$
  $6! = 720$
  $10! = 3628800$
  $20! = 2432902008176640000$
  $n!$ has about $n \log_2 n$ bits
In symbols:
  $b_1 = a \pmod{n}$
  $b_2 = b_1^{2} \pmod{n}$
  ...
  $b_i = b_{i-1}^{\,i} \pmod{n}$

Pollard's p-1 Method
How to compute $a^{B!}$, example with $a = 2$, $B = 4$, $n = 77$:
  $b_1 = 2 \pmod{77}$
  $b_2 = 2^{2} = 4 \pmod{77}$
  $b_3 = 4^{3} = 64 \pmod{77}$
  $b_4 = 64^{4} = 16777216 \equiv 71 \pmod{77}$

Pollard's p-1 Method
Why does it work?
  $p$ is a prime factor of $n$
  suppose $p-1$ has only small prime factors
  Then likely $p-1 \mid B!$
  Then $B! = k(p-1)$
  $b \equiv (a^{p-1})^{k} \pmod{p}$
  $b \equiv 1 \pmod{p}$
  $p \mid b - 1$

Pollard's p-1 Method
Potential problems:
  $n = pq$
  both $p-1$ and $q-1$ have only small factors
  $b \equiv 1 \pmod{p}$
  $b \equiv 1 \pmod{q}$
  Method fails
Choice of B:
  too small → method won't work
  too big → works slowly or fails
Example:
  $n = 7 \cdot 11 = 77$, $a = 2$
  $B = 2$ → too small
  $B = 4$ → worked
  $B = 6$ → too big
  $7 - 1 = 6 = 2 \cdot 3$
  $2!$ does not contain 3
  $4!$ contains 2 and 3
  $6!$ contains 2, 3 and 5 → covers both factors!
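The p-1 method with the slide's step-by-step exponentiation, reporting which of the three outcomes a given B produces, plus a variant that checks the gcd after every step so that an overshoot such as B = 6 is avoided. This is an added example, not code from the lecture; the function names and N_CONSTRUCTED are made up for it.

```python
from math import gcd

def pollard_p1(n, B, a=2):
    """b = a^(B!) mod n, built as b_i = b_(i-1)^i so B! is never formed.

    Returns (d, outcome): d = gcd(b - 1, n) and outcome is "factor",
    "B too small" (d == 1) or "B too big" (d == n).
    """
    b = a % n
    for i in range(2, B + 1):
        b = pow(b, i, n)
    d = gcd(b - 1, n)
    if d == 1:
        return d, "B too small"
    if d == n:
        return d, "B too big"
    return d, "factor"

def first_working_bound(n, limit, a=2):
    """Check the gcd after every step instead of only at the end.

    Returns (B, d) for the first B <= limit with d > 1, else None.
    d == n is still possible when every prime factor of n is caught
    at the same step.
    """
    b = a % n
    for i in range(2, limit + 1):
        b = pow(b, i, n)
        d = gcd(b - 1, n)
        if d > 1:
            return i, d
    return None

# Constructed modulus: 65537 - 1 = 2^16 has only small prime factors,
# while 10007 - 1 = 2 * 5003 contains the large prime 5003.
N_CONSTRUCTED = 65537 * 10007
```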

Pollard's p-1 Method
Conclusions for RSA:
  $n = pq$
  $p-1$ or $q-1$ has small prime factors? Then RSA can be broken.
How to defend?
  $p_0$ ← choose a large prime, e.g., $p_0 > 10^{40}$
  try numbers of the form $k p_0 + 1$
  $k$ needs to be even!
  $k > 10^{60}$
  test $k p_0 + 1$ for primality

Factoring
Relation to squares:
  $n$: an integer
  $x, y$: two integers such that
    $x^2 \equiv y^2 \pmod{n}$
    $x \not\equiv y \pmod{n}$
  if such $x, y$ exist then
    $n$ is composite
    $\gcd(x-y, n)$ is a nontrivial factor
Examples:
  $11^2 = 121 \equiv 1 \pmod{12}$
  $5^2 = 25 \equiv 1 \pmod{12}$
  $11 \not\equiv 5 \pmod{12}$
  $\gcd(11-5, 12) = 6$

Factoring
Relation to squares, second example:
  $5^2 = 25 \equiv 7 \pmod{9}$
  $14^2 = 196 \equiv 7 \pmod{9}$
  $14 = 9 + 5 \equiv 5 \pmod{9}$
  $\gcd(14-5, 9) = 9$

Quadratic Sieve
Idea:
  try to apply the principle from the previous slide
  find $x, y$ such that
    $x^2 \equiv y^2 \pmod{n}$
    $x \not\equiv y \pmod{n}$
    $x \not\equiv -y \pmod{n}$
  finding such $x, y$ is not obvious
Approach:
  Take "random" squares
  Reduce modulo $n$
  Factor (hope for small factors!)
  Try to build squares from what you get

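Quadratic Sieve: Example
$n = 3837523$
  $9398^2 \equiv 5^5 \cdot 19 \pmod{n}$
  $19095^2 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}$
  $1964^2 \equiv 3^2 \cdot 13^3 \pmod{n}$
  $17078^2 \equiv 2^6 \cdot 3^2 \cdot 11 \pmod{n}$
  $8077^2 \equiv 2 \cdot 19 \pmod{n}$
  $3397^2 \equiv 2^5 \cdot 5 \cdot 13^2 \pmod{n}$
  $14262^2 \equiv 5^2 \cdot 7^2 \cdot 13 \pmod{n}$
Combining four of them:
  $(9398 \cdot 19095 \cdot 1964 \cdot 17078)^2 \equiv 2^8 \cdot 3^4 \cdot 5^6 \cdot 11^2 \cdot 13^4 \cdot 19^2 = (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \pmod{n}$
  $2230387^2 \equiv 2586705^2 \pmod{n}$
  $\gcd(2230387 - 2586705, 3837523) = 1093$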

Quadratic Sieve: Example
$n = 3837523$, same relations as on the previous slide.
Combining three of them:
  $(9398 \cdot 8077 \cdot 3397)^2 \equiv 2^6 \cdot 5^6 \cdot 13^2 \cdot 19^2 = (2^3 \cdot 5^3 \cdot 13 \cdot 19)^2 \pmod{n}$
  $3590523^2 \equiv 247000^2 \pmod{n}$
BUT:
  $n - 247000 = 3590523$
  $3590523 \equiv -247000 \pmod{n}$
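The two combinations from the quadratic sieve example slides can be checked mechanically: verify each relation, add up exponents over a chosen subset, and take gcd(x - y, n) when every exponent is even. This is an added example, not code from the lecture; the relations are copied from the slide, while the function names and the brute-force subset search are assumptions made for the illustration.

```python
from itertools import combinations
from math import gcd, prod

N = 3837523
# x -> prime factorisation of x^2 mod N, copied from the slide's relations.
RELATIONS = {
    9398:  {5: 5, 19: 1},
    19095: {2: 2, 5: 1, 11: 1, 13: 1, 19: 1},
    1964:  {3: 2, 13: 3},
    17078: {2: 6, 3: 2, 11: 1},
    8077:  {2: 1, 19: 1},
    3397:  {2: 5, 5: 1, 13: 2},
    14262: {5: 2, 7: 2, 13: 1},
}

def relations_hold(n, rels):
    """Check every listed relation: x^2 mod n equals the stated product."""
    return all(pow(x, 2, n) == prod(p ** e for p, e in f.items()) % n
               for x, f in rels.items())

def combine(n, rels, subset):
    """Multiply the chosen relations. Returns (x, y) with x^2 = y^2 (mod n),
    or None when some prime ends up with an odd exponent."""
    exps = {}
    for x in subset:
        for p, e in rels[x].items():
            exps[p] = exps.get(p, 0) + e
    if any(e % 2 for e in exps.values()):
        return None
    return prod(subset) % n, prod(p ** (e // 2) for p, e in exps.items()) % n

def try_subsets(n, rels):
    """Brute-force all subsets (fine for 7 relations; real sieves solve a
    linear system over GF(2)). Maps each square-producing subset to
    gcd(x - y, n); 1 or n means x = +/-y (mod n) and the subset is useless."""
    found = {}
    for r in range(2, len(rels) + 1):
        for subset in combinations(rels, r):
            xy = combine(n, rels, subset)
            if xy is not None:
                found[subset] = gcd(xy[0] - xy[1], n)
    return found
```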

How to Find the Squares?
What squares to use?
  we want small prime factors
  so $x^2$ should be slightly above $n$
Idea:
  Try integers close to $\sqrt{i \cdot n} + j$, for small $j$ and various $i$
  $(\sqrt{i \cdot n} + j)^2 \approx in + 2j\sqrt{in} + j^2$
  approx: $2j\sqrt{in} + j^2 \pmod{n}$