RSA Secret Key $\equiv_{dpt}$ Factoring

Alex May
Faculty of Computer Science, Electrical Engineering and Mathematics
Paderborn University

Secret Key vs. Factoring – p.1/12

RSA and Factoring

RSA setting:
- $N = pq$ with $p, q$ of the same bit-size
- $ed = 1 \bmod \varphi(N)$ with $\varphi(N) = N - (p + q - 1)$

Easy: Factoring $N$ $\Rightarrow$ Computing the secret key $d$

Rivest, Shamir and Adleman (1978): Computing $d$ $\Rightarrow$ Factoring $N$ in probabilistic polynomial time

The new result

Theorem. Let $N = pq$ be an RSA-modulus. Suppose we are given $(N, e, d)$, $ed > 1$ with $ed = 1 \bmod \varphi(N)$ and $ed < N^2$. Then $N$ can be factored in deterministic time polynomial in $\log(N)$.

Proof idea:
- Determine unknowns $(x_0, y_0) = (k, p + q - 1)$ in $ed = 1 + k(N - (p + q - 1))$.
- Solve the system $N = pq$, $y_0 = p + q - 1$.

The proof

We start with $ed = 1 + k(N - (p + q - 1))$.

Define $\tilde{k} = \frac{ed - 1}{N}$. Then

$$k - \tilde{k} = \frac{ed - 1}{\varphi(N)} - \frac{ed - 1}{N} = \frac{N(ed - 1) - \varphi(N)(ed - 1)}{\varphi(N) N} = \frac{(p + q - 1)(ed - 1)}{\varphi(N) N} \le N^{\frac{1}{2}}$$

A nice by-product

Small Theorem. Let $N = pq$ be an RSA-modulus. Suppose we are given $(N, e, d)$, $ed > 1$ with $ed = 1 \bmod \varphi(N)$ and $ed \le N^{\frac{3}{2}}$. Then $N$ can be factored in deterministic time $O(\log^2(N))$.

Proof:
- Compute $k = \lceil \tilde{k} \rceil = \left\lceil \frac{ed - 1}{N} \right\rceil$.
- Solve $ed = 1 + k(N - (p + q - 1))$.

The case $N^{\frac{3}{2}} \le ed \le N^2$

We know that

$$(\tilde{k} + (k - \tilde{k}))(N - (p + q - 1)) - ed + 1 = 0$$

Define the polynomial

$$f(x, y) = (\tilde{k} + x)(N - y) - ed + 1$$

with the root $(x_0, y_0) = (k - \tilde{k}, p + q - 1)$.

Let $X = Y = N^{\frac{1}{2}}$. Then $x_0 \le X$ and $y_0 \le Y$.

Coppersmith method

Theorem (Coppersmith 1996): Let
- $f(x, y)$ be an irreducible polynomial of degree $\delta$: here $f(x, y) = (\tilde{k} + x)(N - y) - ed + 1$, $\delta = 1$
- $X, Y$ be bounds on the desired solution $(x_0, y_0)$: here $X = Y = N^{\frac{1}{2}}$
- $W = \|f(xX, yY)\|_{\ell_\infty}$: here $W = \|(-\tilde{k}Y, XN, -XY, \tilde{k}N - ed + 1)\|_{\ell_\infty} \ge N^{\frac{3}{2}}$

Then we can find all solutions $(x_0, y_0)$ for the equation $f(x, y) = 0$ with

$$XY \le W^{\frac{2}{3\delta}}: \quad XY = N \le W^{\frac{2}{3}}$$

in time polynomial in $(\log W, 2^{\delta})$.

The running time

Theoretical analysis:
- Lattice dimension: $n = \log N$
- Entries in the lattice: $B = \log^2 N$
- Brute force search: $c = O(1)$ bits
- $L^3$ running time: $O(n^6 B^3)$
- Total running time: $O(\log^{12} N)$

Dependency lattice dimension

| $N$ | $c$ | dim | $L^3$-time |
|---|---|---|---|
| 1024 bit | 105 bit | 16 | 2.5 min |
| 1024 bit | 82 bit | 25 | 26 min |
| 1024 bit | 67 bit | 36 | 242 min |

Results for $ed \approx N^2$

Dependency on $N$

| $N$ | $c$ | dim | $L^3$-time |
|---|---|---|---|
| 512 bit | 43 bit | 25 | 6 min |
| 768 bit | 63 bit | 25 | 13 min |
| 1024 bit | 82 bit | 25 | 26 min |

Results for $ed \approx N^2$

Dependency on $ed$

| $N$ | $c$ | dim | $L^3$-time |
|---|---|---|---|
| 512 bit | 10 bit | 25 | 6 min |
| 768 bit | 13 bit | 25 | 13 min |
| 1024 bit | 18 bit | 25 | 26 min |

Results for $ed \approx N^{1.75}$

Remarks and Conclusions

- Computing $d$ $\Rightarrow$ Factoring in deterministic PTime
- Result holds for balanced $p, q$ (and for $p \le N^{0.38}$)
- Mainly of theoretical interest
- J.-S. Coron: Univariate modular formulation
- Univariate formulation: Works for arbitrary $p, q$.
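The Small Theorem's proof, carried out in exact integer arithmetic as an added example (not code from the slides): it shows that a leaked $d$ with $ed \le N^{3/2}$ gives up $p$ and $q$ with no randomness and no lattice step. The slide takes $k = \lceil \tilde{k} \rceil$; this sketch also tries the next five integers, since for same-bit-size primes $p + q - 1 < 3\sqrt{N}$ and $\varphi(N) > N/2$ give $k - \tilde{k} < 6$. The function names and the toy key are constructed for the example.

```python
from math import isqrt


def factor_from_private_exponent(N, e, d):
    """Factor N = p*q from (N, e, d) when e*d <= N^(3/2), deterministically.

    Assumes p and q have the same bit-size, so that k - k~ < 6.
    """
    ed = e * d
    if ed <= 1:
        raise ValueError("need ed > 1")
    if ed * ed > N ** 3:  # ed > N^(3/2): this range needs the Coppersmith step
        raise ValueError("ed > N^(3/2): outside the range of the Small Theorem")
    k_ceil = -((1 - ed) // N)  # ceil((ed - 1) / N) without floating point
    for k in range(k_ceil, k_ceil + 6):
        if (ed - 1) % k:
            continue  # phi(N) = (ed - 1) / k must be an integer
        phi = (ed - 1) // k
        s = N + 1 - phi  # candidate for p + q
        disc = s * s - 4 * N  # equals (q - p)^2 when the candidate is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s - r) % 2:
            continue
        p, q = (s - r) // 2, (s + r) // 2
        if p > 1 and p * q == N:
            return p, q
    raise ValueError("no factorization found: not a valid RSA key triple")


def constructed_key():
    """Constructed toy key (not from the slides): twin primes near 10^9."""
    p, q, e = 1_000_000_007, 1_000_000_009, 65537
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi), phi  # modular inverse needs Python 3.8+


if __name__ == "__main__":
    N, e, d, _ = constructed_key()
    print(factor_from_private_exponent(N, e, d))
```

For $N^{3/2} < ed \le N^2$ the function refuses rather than guessing, because that range is the one the slides handle with the bivariate Coppersmith lattice.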