
Computing the RSA secret Key is Deterministic

Polynomial Time equivalent to Factoring


Alexander May
Faculty of Computer Science, Electrical Engineering and Mathematics

Crypto 2004


Outline

1 Introduction

Quick Overview
A more detailed description
Related topics and previous Results

2 Main Results

Goal and assumptions


Proof Overview
Main theorems
Remarks

Introduction

Quick Overview

Main Result of the paper

The knowledge of the RSA public key / secret key pair $(e,d)$ $\Leftrightarrow$ Factorization of $N = pq$ in Polynomial Time

Assumptions
$1 < e, d < \phi(N)$
$p, q$ are of the same bit-size

Technique used
Coppersmith's technique for finding small roots of bivariate integer polynomials

Introduction

A more detailed description

A common technique in public key cryptography is to establish polynomial time equivalence between:
The problem of computing the secret key from the public information
A well-known hard problem p (believed to be computationally infeasible)

This establishes the security of the secret key (given that p is computationally infeasible).
However, IT DOES NOT provide security for the public key system itself.

Introduction

Related topics and previous Results

Related Topics
Primality: Proven to be in P [AKS 2002]
Factoring: RSA's security is based on the hardness of factorization:
It is yet unknown if factorization is equivalent to RSA cryptanalysis
Cryptanalysis of RSA is at least as easy as factoring.

Previous Results
Existence of probabilistic polynomial time equivalence between factoring N and finding d.
Factors of N can be obtained from d under the Extended Riemann Hypothesis (Miller, 1975)

Main Results

Goal and assumptions

Goal
Knowledge of $(e,d)$ $\Leftrightarrow$ knowledge of factors $p, q$ of $N$.
$\Leftarrow$: trivial
$\Rightarrow$: (Reduction of factoring problem to d computation)
Input $(N,e,d)$, output $(p,q)$ under the assumptions:
(a) $p, q$ have the same bitsize
(b) $ed \le N^2$
Remarks on the assumptions
(a) This is usually the case
(b) Usually $1 < e, d < \phi(N)$
Conclusion: The assumptions are not so restrictive

Main Results

Proof Overview

Basic technique
Coppersmith's method for finding small roots of bivariate integer polynomials
Previous application: factorization of N when half of the msb of p are given.
Steps
Proof for the special case where $ed \le N^{3/2}$.
Generalization of the proof for the case where $ed \le N^2$
Experimental Results and conclusion

Main Results

Main theorems

$ed \le N^{3/2}$
Wlog assume that $p < q$. Then
$$p < N^{1/2} < q < 2p < 2N^{1/2} \qquad (1)$$
which gives
$$p + q < 3N^{1/2} \le \frac{N}{2} \qquad (2)$$
(for $N \ge 36$). Thus,
$$\phi(N) = N + 1 - (p + q) > \frac{N}{2} \qquad (3)$$

Theorem
Let $N = pq$ be the RSA-modulus, where $p$ and $q$ are of the same bitsize.
Suppose we know integers $e, d$ with $ed > 1$, $ed \equiv 1 \pmod{\phi(N)}$ and $ed \le N^{3/2}$.
Then $N$ can be factored in time polynomial in its bitsize.

Proof.
$\lceil k \rceil$: ceiling of $k$.
$\mathbb{Z}^*_{\phi(N)}$: Ring of the invertible integers mod $\phi(N)$.

Main Results

Main theorems

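proof (continued)
$ed \equiv 1 \pmod{\phi(N)} \Rightarrow ed = k\phi(N) + 1$ for some $k \in \mathbb{N}$.
$\tilde{k} = \frac{ed-1}{N}$. Then $k \ge \lceil \tilde{k} \rceil$.
In addition
$$k - \tilde{k} = \dots = \frac{(p+q-1)(ed-1)}{\phi(N)\,N}$$
(2) and (3) give
$$k - \tilde{k} < 6N^{-3/2}(ed - 1) \qquad (4)$$
which gives, by hypothesis, $k - \tilde{k} < 6 \Rightarrow k - \lceil \tilde{k} \rceil < 6$.

Thus we only have to try $\lceil \tilde{k} \rceil + i$ for $i = 0, \dots, 5$ to find the right $k$.
Complexity
The complexity of the algorithm is $O(\log^2 N)$.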
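
The search over the six candidates for k, starting at the ceiling of (ed-1)/N, written out as an added Python example (not code from the talk or the paper). The function names and the small constructed key are assumptions for illustration; once the right k gives phi(N), p and q are the roots of z^2 - (N + 1 - phi(N))z + N.

```python
from math import isqrt

def factor_from_ed(N, e, d):
    """Factor N = p*q from (e, d), assuming p, q of equal bit size
    and 1 < ed <= N^(3/2). Returns (p, q) with p <= q, or None."""
    ed = e * d
    if ed <= 1 or ed * ed > N ** 3:          # ed <= N^(3/2), tested in integers
        raise ValueError("requires 1 < ed <= N^(3/2)")
    k_ceil = -((1 - ed) // N)                # ceil((ed - 1) / N) without floats
    for i in range(6):                       # k - k~ < 6, so six candidates
        k = k_ceil + i
        if (ed - 1) % k:
            continue                         # k must divide ed - 1 = k * phi(N)
        phi = (ed - 1) // k
        s = N + 1 - phi                      # candidate for p + q
        disc = s * s - 4 * N                 # equals (q - p)^2 if phi is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue
        p, q = (s - r) // 2, (s + r) // 2
        if p > 1 and p * q == N:
            return p, q
    return None

def constructed_key():
    """Constructed sample key (illustration only): two 31-bit primes, e = 65537."""
    p, q = 2147483399, 2147483563
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python 3.8+
    return p * q, e, d
```

Every step is integer arithmetic on numbers of size polynomial in log N, so no randomness is involved, unlike the probabilistic reduction mentioned under Previous Results.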

Main Results

Main theorems

$ed \le N^2$
Theorem (Coppersmith)
Let $f(x,y)$ be an irreducible polynomial in two variables over $\mathbb{Z}$, of maximum degree $\delta$ in each variable separately. Let $X, Y$ be bounds on the desired solutions $(x_0, y_0)$. Let $W$ be the absolute value of the largest entry in the coefficient vector of $f(xX, yY)$. If
$$XY < W^{\frac{2}{3\delta}}$$
then in time polynomial in $\log W$ and $2^{\delta}$ we can find all integer pairs $(x_0, y_0)$ with $f(x_0, y_0) = 0$, $|x_0| \le X$ and $|y_0| \le Y$.

Theorem
Let $N = pq$ be the RSA-modulus, where $p$ and $q$ are of the same bitsize.
Suppose we know integers $e, d$ with $ed > 1$, $ed \equiv 1 \pmod{\phi(N)}$ and $ed \le N^2$.
Then $N$ can be factored in time polynomial in the bitsize of $N$.

Main Results

Main theorems

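Proof.
Again $ed \equiv 1 \pmod{\phi(N)} \Rightarrow ed = k\phi(N) + 1$ (5) for some $k \in \mathbb{N}$.
Let $\tilde{k} = \frac{ed-1}{N}$ be an underestimation of $k$. Using (4) we obtain
$$k - \tilde{k} < 6N^{-3/2}(ed - 1) < 6N^{1/2}$$
Let us denote $x = k - \lceil \tilde{k} \rceil$ ($\lceil \tilde{k} \rceil$: approximation of $k$, $x$: additive error).
In addition $N - \phi(N) = p + q - 1 < 3N^{1/2}$.
Thus $\phi(N)$ lies in the interval $[N - 3N^{1/2}, N]$.
We divide the interval $[N - 3N^{1/2}, N]$ into 6 subintervals of length $\frac{1}{2}N^{1/2}$ with centers $N - \frac{2i-1}{4}N^{1/2}$, $i = 1, \dots, 6$. For the correct $i$ we have
$$\left| N - \frac{2i-1}{4}N^{1/2} - \phi(N) \right| \le \frac{1}{4}N^{1/2}$$
Let $g = \left\lceil \frac{2i-1}{4}N^{1/2} \right\rceil$ for the right $i$. Then
$$|N - g - \phi(N)| < \frac{1}{4}N^{1/2} + 1 \Rightarrow \phi(N) = N - g - y$$
for some unknown $y$ with $|y| < \frac{1}{4}N^{1/2} + 1$.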

Main Results

Main theorems

Proof (continued)
(5) yields $ed - 1 - (\lceil \tilde{k} \rceil + x)(N - g - y) = 0$.
We define the bivariate integer polynomial:
$$f(x, y) = xy - (N - g)x + \lceil \tilde{k} \rceil y - \lceil \tilde{k} \rceil (N - g) + ed - 1$$
with a known root $(x_0, y_0) = (k - \lceil \tilde{k} \rceil,\; p + q - 1 - g)$ over the integers.
We now apply Coppersmith's theorem. We define $X = 6N^{1/2}$ and $Y = \frac{1}{4}N^{1/2} + 1$. Then $|x_0| \le X$ and $|y_0| \le Y$.
Let $W$ denote the $\ell_\infty$ norm of the coefficient vector of $f(xX, yY)$. Then
$$W \ge (N - g)X > 3N^{3/2}$$
Thus
$$XY = \dots < W^{2/3} = W^{\frac{2}{3\delta}} \quad \left(\text{for } N > \frac{144}{(2 \cdot 9^{1/3} - 3)^2}\right)$$
By Coppersmith's theorem we can find the root $(x_0, y_0)$ in time polynomial in the bitsize of $W$.
Finally the solution $y_0 = p + q - 1 - g$ yields the factorization of $N$.
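
A numeric check of the construction above, as an added Python example (not code from the talk or the paper). For a constructed key whose factors are known, it rebuilds g, the root (x0, y0) and the bounds X, Y, W for each of the six subintervals and reports where the root meets Coppersmith's condition; it does not perform the lattice-based root finding itself, and the function names and sample key are assumptions.

```python
from math import isqrt

def proof_parameters(N, e, d, p, q):
    """Rebuild g, f(x, y), X, Y, W of the ed <= N^2 proof for i = 1..6.
    p, q are taken as known here, only to evaluate the root (x0, y0)."""
    ed1 = e * d - 1
    if not (1 < e * d <= N * N and p * q == N):
        raise ValueError("requires N = p*q and 1 < ed <= N^2")
    k = ed1 // ((p - 1) * (q - 1))          # ed - 1 = k * phi(N)
    c = -(-ed1 // N)                        # ceil(k~) with k~ = (ed - 1)/N
    x0 = k - c                              # additive error of the estimate
    X = isqrt(36 * N) + 1                   # integer bound >= 6 * N^(1/2)
    Y = isqrt(N) // 4 + 2                   # integer bound >= N^(1/2)/4 + 1
    rows = []
    for i in range(1, 7):
        g = isqrt((2 * i - 1) ** 2 * N) // 4 + 1   # ceil((2i-1)/4 * N^(1/2))
        y0 = p + q - 1 - g                         # from phi(N) = N - g - y0
        # f(x0, y0) with f(x, y) = xy - (N-g)x + c*y - c*(N-g) + ed - 1
        f_root = x0 * y0 - (N - g) * x0 + c * y0 - c * (N - g) + ed1
        # W: largest absolute coefficient of f(xX, yY)
        W = max(X * Y, (N - g) * X, c * Y, abs(ed1 - c * (N - g)))
        rows.append({
            "i": i,
            "is_root": f_root == 0,
            "in_bounds": 0 <= x0 <= X and abs(y0) <= Y,
            "condition": (X * Y) ** 3 < W ** 2,    # XY < W^(2/3)
        })
    return rows

def constructed_key():
    """Constructed sample key (illustration only) with a large public exponent."""
    p, q = 2147483399, 2147483563
    e = 2**61 - 1
    d = pow(e, -1, (p - 1) * (q - 1))       # modular inverse, Python 3.8+
    return p * q, e, d, p, q
```

The root is a zero of f for every i, but only for the subinterval that contains phi(N) (or an immediate neighbour, given the integer rounding of Y) is y0 small enough for the bound.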

Main Results

Remarks

Remarks

The running time of the algorithm is also polynomial in the bitsize of $N$ since $W \le NX = 6N^{3/2}$.

The previous theorem can be easily generalized for the case where $p + q \le \mathrm{poly}(\log N)\,N^{1/2}$:
(a) For the case where $ed \le N^{3/2}$ we only have to examine the values $\lceil \tilde{k} \rceil + i$, for $i = 0, 1, \dots, \lceil 2\,\mathrm{poly}(\log N) \rceil - 1$ (polynomially bounded by the bitsize of $N$)
(b) For the case where $ed \le N^2$ we just have to divide the interval $[N - \mathrm{poly}(\log N)\,N^{1/2}, N]$ into $\lceil 2\,\mathrm{poly}(\log N) \rceil$ intervals.

Conclusion: Assumption (a) is not restrictive at all.

Main Results

Remarks

From the cryptography point of view ...


Theorem
Let $N = pq$ be the RSA-modulus, where $p$ and $q$ are of the same bitsize.
Furthermore let $e \in \mathbb{Z}^*_{\phi(N)}$ be an RSA public exponent.
Suppose we have an algorithm that on input $(N, e)$ outputs in deterministic polynomial time the RSA secret exponent $d \in \mathbb{Z}^*_{\phi(N)}$ satisfying
$$ed = 1 \pmod{\phi(N)}$$
Then $N$ can be factored in deterministic polynomial time.
