-
Computing the RSA secret Key is DeterministicPolynomial Time
equivalent to Factoring
Alexander May
Faculty of Computer Science, Electrical Engineering and
Mathematics
Crypto 2004
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 1
/ 14
-
Outline
1 IntroductionQuick OverviewA more detailed descriptionRelated
topics and previous Results
2 Main ResultsGoal and assumptionsProof OverviewMain
theoremsRemarks
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 2
/ 14
-
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d)
Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < (N)
2 p,q are of the same bit-size
Technique used
Coppersmiths technique for finding small roots of bivariate
integerpolynomials
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3
/ 14
-
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d)
Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < (N)
2 p,q are of the same bit-size
Technique used
Coppersmiths technique for finding small roots of bivariate
integerpolynomials
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3
/ 14
-
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d)
Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < (N)
2 p,q are of the same bit-size
Technique used
Coppersmiths technique for finding small roots of bivariate
integerpolynomials
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3
/ 14
-
Introduction A more detailed description
Common technique in public key Cryptography is to establish
PolynomialTime equivalence between:
The problem of computing the secret key from the public
information a well-known hard problem p (believed to be
computationallyinfeasible)
This establishes the security of the secret key (given that p
iscomputationally infeasible)However IT DOES NOT provide security
for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4
/ 14
-
Introduction A more detailed description
Common technique in public key Cryptography is to establish
PolynomialTime equivalence between:
The problem of computing the secret key from the public
information a well-known hard problem p (believed to be
computationallyinfeasible)
This establishes the security of the secret key (given that p
iscomputationally infeasible)However IT DOES NOT provide security
for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4
/ 14
-
Introduction A more detailed description
Common technique in public key Cryptography is to establish
PolynomialTime equivalence between:
The problem of computing the secret key from the public
information a well-known hard problem p (believed to be
computationallyinfeasible)
This establishes the security of the secret key (given that p
iscomputationally infeasible)However IT DOES NOT provide security
for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4
/ 14
-
Introduction Related topics and previous Results
Related Topics
Primality:Proven to be in P [AKS 2002] Factoring:RSAs security
is based on the hardness of factoriztion:
It is yet unknown if factorization is equivalent to RSA
cryptanalysis Cryptanalysis of RSA is at least as easy as
factoring.
Previous Results
Existence of probabilistic polynomial time equivalence
betweenfactoring N and finding d.
Factors of N can be obtained from d under the Extended
RiemannHypothesis (Miller , 1975)
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 5
/ 14
-
Introduction Related topics and previous Results
Related Topics
Primality:Proven to be in P [AKS 2002] Factoring:RSAs security
is based on the hardness of factoriztion:
It is yet unknown if factorization is equivalent to RSA
cryptanalysis Cryptanalysis of RSA is at least as easy as
factoring.
Previous Results
Existence of probabilistic polynomial time equivalence
betweenfactoring N and finding d.
Factors of N can be obtained from d under the Extended
RiemannHypothesis (Miller , 1975)
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 5
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.
: trivial: (Reduction of factoring problem to d
computation)Input (N,e,d) output (p,q) under the assumptions:(a)
p,q have the same bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.: trivial
: (Reduction of factoring problem to d computation)Input (N,e,d)
output (p,q) under the assumptions:(a) p,q have the same
bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.: trivial:
(Reduction of factoring problem to d computation)Input (N,e,d)
output (p,q) under the assumptions:(a) p,q have the same
bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.: trivial:
(Reduction of factoring problem to d computation)Input (N,e,d)
output (p,q) under the assumptions:(a) p,q have the same
bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.: trivial:
(Reduction of factoring problem to d computation)Input (N,e,d)
output (p,q) under the assumptions:(a) p,q have the same
bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Goal and assumptions
Goal
Knowledge of (e,d) knowledge of factors p,q of N.: trivial:
(Reduction of factoring problem to d computation)Input (N,e,d)
output (p,q) under the assumptions:(a) p,q have the same
bitsize
(b) e d N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < (N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6
/ 14
-
Main Results Proof Overview
Basic technique
Coppersmiths method for finding small roots of bivariate
integerpolynomialsPrevious application:factorization of N when half
of the msb of p aregiven.
Steps
Proof for the special case where ed N3/2. Generalization of the
proof for the case where ed N2 Experimental Results and
conclusion
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7
/ 14
-
Main Results Proof Overview
Basic technique
Coppersmiths method for finding small roots of bivariate
integerpolynomialsPrevious application:factorization of N when half
of the msb of p aregiven.
Steps
Proof for the special case where ed N3/2.
Generalization of the proof for the case where ed N2
Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7
/ 14
-
Main Results Proof Overview
Basic technique
Coppersmiths method for finding small roots of bivariate
integerpolynomialsPrevious application:factorization of N when half
of the msb of p aregiven.
Steps
Proof for the special case where ed N3/2. Generalization of the
proof for the case where ed N2
Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7
/ 14
-
Main Results Proof Overview
Basic technique
Coppersmiths method for finding small roots of bivariate
integerpolynomialsPrevious application:factorization of N when half
of the msb of p aregiven.
Steps
Proof for the special case where ed N3/2. Generalization of the
proof for the case where ed N2 Experimental Results and
conclusion
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7
/ 14
-
Main Results Main theorems
ed N3/2Wlog assume that p < q. Then p < N1/2 < q <
2p < 2N1/2(1) which
gives p + q < 3N1/2 N2 (2) (for N 36) Thus,
(N) = N + 1 (p + q) > N2 (3)
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Suppose we know integers e,d with ed > 1, ed 1(mod(N))
anded N 32Then N can be factored in time polynomial to its
bitsize.
Proof.
dke:ceiling of k. Z(N): Ring of the invertible integers
mod(N).
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8
/ 14
-
Main Results Main theorems
ed N3/2Wlog assume that p < q. Then p < N1/2 < q <
2p < 2N1/2(1) which
gives p + q < 3N1/2 N2 (2) (for N 36) Thus,
(N) = N + 1 (p + q) > N2 (3)Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Suppose we know integers e,d with ed > 1, ed 1(mod(N))
anded N 32Then N can be factored in time polynomial to its
bitsize.
Proof.
dke:ceiling of k. Z(N): Ring of the invertible integers
mod(N).
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8
/ 14
-
Main Results Main theorems
ed N3/2Wlog assume that p < q. Then p < N1/2 < q <
2p < 2N1/2(1) which
gives p + q < 3N1/2 N2 (2) (for N 36) Thus,
(N) = N + 1 (p + q) > N2 (3)Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Suppose we know integers e,d with ed > 1, ed 1(mod(N))
anded N 32Then N can be factored in time polynomial to its
bitsize.
Proof.
dke:ceiling of k. Z(N): Ring of the invertible integers
mod(N).
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8
/ 14
-
Main Results Main theorems
proof (continued)
ed 1(mod(N)) ed = k(N) + 1 for some k N.k = ed1N . Then k dkeIn
addition k k = ... = (p+q1)(ed1)(N)N(2) and (3) give k k <
6N3/2(ed 1) (4) which givesby hypothesis k k < 6 k dke <
6Thus we only have to try dke+ i for i=0,...,5 to find the right
k.
Complexity
The complexity of the algorithm is O(log2N).
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 9
/ 14
-
Main Results Main theorems
proof (continued)
ed 1(mod(N)) ed = k(N) + 1 for some k N.k = ed1N . Then k dkeIn
addition k k = ... = (p+q1)(ed1)(N)N(2) and (3) give k k <
6N3/2(ed 1) (4) which givesby hypothesis k k < 6 k dke <
6Thus we only have to try dke+ i for i=0,...,5 to find the right
k.
Complexity
The complexity of the algorithm is O(log2N).
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 9
/ 14
-
Main Results Main theorems
ed N2
Theorem (Coppersmith)
Let f(x,y) be an irreducible polynomial in two variables over Z,
ofmaximuum degree in each variable seperately. Let X,Y be bounds on
thedesired solutions (x0, y0).Let W be the absolute value of the
largest entry
in the coefficient vector of f(xX,yY). If XY W 23 Then in
timepolynomial in logW and 2 we can find all integer pairs (x0, y0)
withf (x0, y0) = 0, |x0| X and |y0| Y .
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Suppose we know integers e,d with ed > 1, ed 1(mod(N))
anded N2Then N can be factored in time polynomial in the bitsize of
N.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 10
/ 14
-
Main Results Main theorems
ed N2
Theorem (Coppersmith)
Let f(x,y) be an irreducible polynomial in two variables over Z,
ofmaximuum degree in each variable seperately. Let X,Y be bounds on
thedesired solutions (x0, y0).Let W be the absolute value of the
largest entry
in the coefficient vector of f(xX,yY). If XY W 23 Then in
timepolynomial in logW and 2 we can find all integer pairs (x0, y0)
withf (x0, y0) = 0, |x0| X and |y0| Y .
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Suppose we know integers e,d with ed > 1, ed 1(mod(N))
anded N2Then N can be factored in time polynomial in the bitsize of
N.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 10
/ 14
-
Main Results Main theorems
Proof.
Again ed 1(mod(N)) ed = k(N) + 1 (5) for some k N.Let k = ed1N
be an underestimation of k. Using (4) we obtain
k k < 6N3/2(ed 1) < 6N1/2Let us denote x = k dke
(dke:approximation of k, x: additive error) Inaddition N (N) = p +
q 1 < 3N1/2Thus (N) lies in the interval [N 3N1/2,N].We divide
the interval [N 3N1/2,N] into 6 subintervals of length 12N1/2with
centers N 2i14 N1/2, i = 1, ..., 6 For the correct i we have|N 2i14
N1/2 (N)| 14N1/2
Let g = d2i14 N1/2e for the right i. Then|N g (N)| < 14N1/2 +
1 (N) = N g y for some unknown ywith |y | 14N1/2
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 11
/ 14
-
Main Results Main theorems
Proof (continued)
(5) yields ed 1 (dke+ x)(N g y) = 0We define the bivariate
integer polynomial :f (x , y) = xy (N g)x + dkey dke(N g) + ed
1with a known root (x0, y0) = (k dke, p + q + 1 g) over the
integers.We now apply Coppersmiths theorem. We defineX = 6N1/2 andY
= 14N
1/2 + 1 Then |x0| X and |y0| Y .Let W denote the linf norm of
the coefficient vector of f(xX,yY). ThenW (N g)X > 3N3/2
Thus XY = ... < W 2/3 = W23 (for N > 144
(291/33)2 )By Coppersmiths theorem we can find the root (x0, y0)
in timepolynomialin the bitsize of of W.Finally the solution y0 = p
+ q 1 g yields the factorization of N.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 12
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2(a) For the case where ed N3/2 we only
have to examine the values
dke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2(a) For the case where ed N3/2 we only
have to examine the values
dke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2
(a) For the case where ed N3/2 we only have to examine the
valuesdke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2(a) For the case where ed N3/2 we only
have to examine the values
dke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2(a) For the case where ed N3/2 we only
have to examine the values
dke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the
bitsize ofN since W NX = 6N3/2
2 The previous theorem can be easily generalized for the case
wherep + q poly(logN)N1/2(a) For the case where ed N3/2 we only
have to examine the values
dke+ i , for i=0,1,...,d2poly(logN)e 1(polynomialy bounded by
the bitsize of N)
(b) For the case where ed N2 we just have to divide the
interval[N poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13
/ 14
-
Main Results Remarks
From the cryptography point of view ...
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Furthermore let e Z(N) be an RSA public exponent.Suppose we
have an algorithm that on input (N,e) outputs in
deterministicpolynomial time the RSA secret exponent d Z(N)
satisfyinged = 1(mod(N))Then N can be factored in deterministic
polynomial time.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 14
/ 14
-
Main Results Remarks
From the cryptography point of view ...
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same
bitsize.Furthermore let e Z(N) be an RSA public exponent.Suppose we
have an algorithm that on input (N,e) outputs in
deterministicpolynomial time the RSA secret exponent d Z(N)
satisfyinged = 1(mod(N))Then N can be factored in deterministic
polynomial time.
Alexander May (Faculty of Computer Science, Electrical
Engineering and Mathematics)Computing the RSA secret Key is
Deterministic Polynomial Time equivalent to FactoringCrypto 2004 14
/ 14
OutlineIntroductionQuick OverviewA more detailed
descriptionRelated topics and previous Results
Main ResultsGoal and assumptionsProof OverviewMain
theoremsRemarks