1. and Factoring Integers (I)
The RSA Cryptosystem
and Factoring Integers (I)
Rong-Jaye Chen

2. OUTLINE [1] Modular Arithmetic Algorithms [2] The RSA Cryptosystem
[3] Quadratic Residues
[4] Primality Testing
[5] Square Roots Modulo n
[6] Factoring Algorithms
[7] Other Attacks on RSA
[8] The Rabin Cryptosystem
[9] Semantics Security of RSA

3. [1] Modular Arithmetic Algorithms
1. The integers
a divides b a|b
If b has a divisor , then a is said to be nontrivial.
a is prime if it has no nontrivial divisors; otherwise, a is composite.
The prime theorem：
If c|a and c|b, then c is common divisor of a and b.
If d is a great common divisor of a and b, then we write d=gcd(a,b).

4. Euclidean algorithm(a,b)
(for great common divisor)
input：
output：
(1) Set r0=a and r1=b
(2) Determine the first so that rn+1=0,
where ri+1=ri-1 mod ri
(3) Return (rn)
Extended Euclidean algorithm(a,b)
input：a>0, b>0
output: (r, s, t) with r=gcd(a,b) and sa+tb=r
(Omitted)

5. Example ：gcd(299,221)=?

6. If gcd(a,b)=1, then a and b are said to be
relatively prime.
Phi function：

7. 2. The integers modulo n
a is congruent to b modulo n, written ,
if n|a-b.
Zn={0,1,…,n-1}
Given , if , then a is
said to be invertible and its inverse x is denoted a-1.

8. Use Extended Euclidean Algo to calculate a-1 mod n
Example：a=7 and n=9
Euclidean algorithm
to find gcd(a,n)
Extended Euclidean algorithm
to write gcd(a,b)=sa+tn

9. Zn*={a|gcd(a,n)=1 and 0<a<n}
For example, Z12*={1,5,7,11},
Z15*={1,2,4,7,8,11,13,14}
(Zn*, *) forms a multiplication group

10. Fermat’s little theorem：
Euler’s theorem：
The order of , written ord(a), as the least positive integer t such that
If , has , then a is said to be a generator of Zn*; in this case,

11. Example ：n=15 Z15*={1,2,4,7,8,11,13,14} ψ(15)= ψ(3) ψ(5)=2*4=8 1 2 4 7

12. 3. Chinese remainder theorem
If the integers n1,…,nk are pairwise relatively prime,
then the system of congruences
has a unique solution modulo n=n1*n2*…*n k

13. Algorithm：Gauss algorithm
(1) Input k , ni , ai , for i=1,2,…,k
(2) Compute for i=1,2,…,k
(3) Compute inverse for i =1,2,…,k
(4) Compute

14. Example

15. 4. Square-and-Multiply
Algorithm: Square-and-Multiply(x, c, n)
Input： , c with binary representation
Output：

16. i ci z 11 1
12x9726=9726 10
97262x9726=2659 9
26592=5634 8
56342x9726=9167 7
91672x9726=4958 6
49582x9726=7783 5
77832=6298 4
62982=4629 3
46292x9726=10185 2
101852x9726=105
1052=11025
110252x9726=5761
Example :
mode 11413=?

17. [2] The RSA Cryptosystem
Proposed by Rivest, Shamir, and Adleman (1977)
Used for encryption and signature schemes
Based on the intractability of the integer factorization problem
Key generation
Let p, q be large prime, n=pq and (n)=(p-1)(q-1)
Choose randomly b s.t. gcd(b,(n))=1
Compute a  b-1 mod (n)
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

18. RSA Cryptosystem
Let n=pq, where p and q are primes.
Let P = C = Zn , and define
K ={(n,p,q,a,b): ab=1 (mod (n))}.
For K= (n,p,q,a,b), define
eK(x)=xb mod n
and
dK(y)=ya mod n
Public-key: (n, b)
Private-key: (n, a) or (p, q, a)

19. Verify the encryption and decryption are inverse operations
ab=1 (mod (n)),
we have ab = t(n)+1, for t>=1
Suppose that x in Zn*; then we have
(xb)a = xt(n)+1 (mod n)
= (x(n))tx
= 1tx (mod n)
= x (mod n)
As desired. For x in Zn but not in Zn*, (do exercise)

20. Eg. p=7, q=13, n=91, (n)=(p-1)(q-1)=72
Choose b=5, compute a=b-1=29
Public-key: (91,5)
Private-key: (7,13,29)
Assume message m=23
So cipher-text c = me mod n = 235 mod 91 = 4
and can be decrypted by
m = cd mod n = 429 mod 91 = 23

21. Encryption Decryption M E C KUBob EKUBob(M)= Mb (mod n) D KRBob
n = pq
b*a = 1 (mod ø(n))
Private key
KRBob = (n, a)
Public key
KUBob = (n, b)
RSA encryption
Alice
Bob
Encryption
Decryption M E C
KUBob
EKUBob(M)=
Mb (mod n) D
KRBob
DKRBob(C)=
Ca (mod n)

22. Signing Verification M H E A KRAlice EKRAlice(H(M))= H(M)a (mod n) D
n = pq
b*a = 1 (mod ø(n))
Signing key
KRAlice = (n, a)
Verification key
KUAlice = (n, b)
RSA signature scheme
Alice
Hash Bob
Signing
Verification M H E A
KRAlice
EKRAlice(H(M))=
H(M)a (mod n) D
KUAlice
Compare
DKUAlice(A)=
Ab (mod n)

23. [3] Quadratic Residue 1. Quadratic residue modulo n
Let , then a is a quadratic residue modulo n
if there exists with In this case,
x is a square root of a modulo n. Otherwise, a is a
quadratic nonresidue modulo n.
Qn：the set of quadratic residues modulo n.
：the set of quadratic nonresidues modulo n.

24. 2. Theorem ：p > 2 is prime and α is a generator of Zp*

25. 3. Corollary ： p > 2 is prime and α is a generator of Zp*
(1)
(2)
(3)
(4)
4. Legendre symbol ：p > 2 is prime and

26. 5. Theorem ：Euler’s criterion
6. E.g ：
use Square-and-Multiply

27. 7. Jacobi symbol ：
n > 2 is an odd integer, pi is prime and

28. 8. Properties of Jacobi symbol：m, n > 2 are odd integers
(1)
(2)
(3)
(4)
(5)
(6)

29. 9. E.g ：calculate Jacobi symbol without factoring n
(property 2)
(property 6)
(property 3)
(property 4)

30. 10. Jacobi symbol V.S. Quadratic residue modulo n
The element of are called psedosquares modulo n.

31. 11. E.g ：n=15 The Jacobi symbol are calculated in the following table：2 -1 4 7 8 11 13 14

32. 12. Quadratic residuosity problem(QRP)
Determine if a given is a quadratic residue or
pseudosquare modulo n

33. [4] Primality Testing (1) Prime numbers
1. How to generate large prime numbers?
(1) Generate as candidate a random odd number n of
appropriate size.
(2) Test n for primality.
(3) If n is composite, return to the first step.

34. 2. Distribution of prime numbers
(1) prime number theorem
Let Π(x) denote the number of prime
numbers ≦x.
Π(x) ~ x/ln(x) when n∞.
(2)Dirichlet theorem
If gcd(a, n)=1, then there are infinitely many primes congruent to a mod n.

35. (3) Let Π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n)=1 . Then
Π(x, n, a) ~
The prime numbers are roughly uniformly distributed among the φ(n) congruence classes in Zn*
(4) Approximation for the nth prime number pn

36. (2) Solovay-Strassen primality test
1. Trial method for testing n is prime or composite
2. Definition ：Euler witness
Let n be an odd composite integer and
(1) If
then a is an Euler witness (to compositeness) for n.

37. (2) Otherwise, if
then n is said to be an Euler pseudoprime to
the base a. The integer a is called an Euler liar
(to primality) for n.

38. 3. Example (Euler pseudoprime)
Consider n = 91 (= 7x13)
Since 945 =1 mod 91, and
so 91 is an Euler pseudoprime to the base 9.
4. Fact
At most Φ(n)/2 of all the numbers a, are Euler liars
for n.

39. 5. Algorithm ：Solovay-Strassen(n, t)
INPUT: n is odd, n ≧3, t ≧1
OUTPUT: “prime” or “composite”
1. for i = 1 to t do : 1.1 choose a random integer a, 2 ≦ a≦n if gcd(a,n) ≠1 then return ( “composite” )
1.2 compute r=a(n-1)/2 mod n (use square-and-multiply) if r ≠ 1 and r ≠ n-1 then return ( “composite” )
1.3 compute Jacobi symbol s= if r ≠ s then return ( “composite” )
2. return ( “prime” )

40. 6. Solovay-Strassen error-probability bound
For any odd composite integer n, the probability that Solovay-Strassen (n, t) declares n to be “prime” is less than (1/2)t

41. (3) Miller-Rabin primality test
1. Fact
P : odd prime p-1 = 2sr, where r is odd , gcd (a, p) = 1 then ar = 1 (mod n) or a2jr = -1 (mod n) for some j, 0≦ j≦s-1
Why ? (1) Fermat’s little theorem, ap-1 = 1 mod p (2) 1, -1 are the only two square roots of 1 in Zp*

42. 2. Definition
n : odd composite integer n-1 = 2sr, where r is odd
1≦a ≦n-1
a is a strong witness to compositeness for n if ar ≠ 1 (mod n), and
a2jr ≠ -1 (mod n) for all j, 0≦ j≦s-1
n is a strong pseudoprime to the base a if ar = 1 (mod n) or a2jr = -1 (mod n) for some j, 0≦ j≦s-1 (a is called a strong liar to primality for n)

43. 3. Algorithm: Miller-Rabin (n, t) INPUT: n is odd, n ≧3, t ≧1
OUTPUT: “prime” or “composite”
1. write n-1 = 2sr such that r is odd.
2. for i = 1 to t do : 2.1 choose a random integer a, 2 ≦ a≦n compute y=ar mod n (use square-and-multiply) 2.3 if y ≠ 1 and y ≠ n-1 do : j  1 while j ≦ s-1 and y ≠n-1 do : y  y2 mod n if y = 1 then return ( “composite” )
j  j+1
if y ≠ n-1 then return ( “composite” )
3. return ( “prime” )

44. 4. Example (strong pseudoprime)
Consider n = 91 (= 7x13)
91-1 = 2*45, s=1, r=45
Since 9r = 945 =1 mod 91, 91 is a strong pseudoprime to the base 9.
The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90}
The number of strong liars of for 91 is
18 = Φ(91)/4

45. 5. Fact
If n is an odd composite integer, then at most ¼ of all the numbers a, 1 ≦a ≦n-1 are strong liars for n. In fact if n=!9, then number of strong liars for n is at most Φ(n)/4.

46. 6. Miller-Rabin error-probability bound
For any odd composite integer n, the probability that Miller-Rabin (n, t) declares n to be “prime” is less than (1/4)t
7. Remark
For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of Φ(n)/4.
Miller-Rabin error-probability bound is much smaller than (1/4)t .