Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and



Similar documents
Factoring & Primality

Lecture 13: Factoring Integers

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

The Mathematics of the RSA Public-Key Cryptosystem

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

An Overview of Integer Factoring Algorithms. The Problem

A New Generic Digital Signature Algorithm

Cryptography and Network Security Chapter 8

8 Primes and Modular Arithmetic

Basic Algorithms In Computer Algebra

Computing exponents modulo a number: Repeated squaring

Today s Topics. Primes & Greatest Common Divisors

Lecture 13 - Basic Number Theory.

11 Ideals Revisiting Z

Notes on Factoring. MA 206 Kurt Bryan

GREATEST COMMON DIVISOR

Short Programs for functions on Curves

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Public Key Cryptography and RSA. Review: Number Theory Basics

Integer Factorization using the Quadratic Sieve

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Primality - Factorization

CONTINUED FRACTIONS AND FACTORING. Niels Lauritzen

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

Integer roots of quadratic and cubic polynomials with integer coefficients

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CIS 5371 Cryptography. 8. Encryption --

Applications of Fermat s Little Theorem and Congruences

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

RSA and Primality Testing

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

Study of algorithms for factoring integers and computing discrete logarithms

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

Factoring by Quantum Computers

Introduction to Finite Fields (cont.)

PROBLEM SET 6: POLYNOMIALS

Continued Fractions and the Euclidean Algorithm

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University

Factoring Algorithms

Computer and Network Security

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

SOLUTIONS FOR PROBLEM SET 2

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

MATH 289 PROBLEM SET 4: NUMBER THEORY

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

Faster deterministic integer factorisation

Lecture Notes on Polynomials

ECE 842 Report Implementation of Elliptic Curve Cryptography

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

How To Know If A Domain Is Unique In An Octempo (Euclidean) Or Not (Ecl)

COMMUTATIVITY DEGREES OF WREATH PRODUCTS OF FINITE ABELIAN GROUPS

Quantum Computing Lecture 7. Quantum Factoring. Anuj Dawar

1 = (a 0 + b 0 α) (a m 1 + b m 1 α) 2. for certain elements a 0,..., a m 1, b 0,..., b m 1 of F. Multiplying out, we obtain

Math Review. for the Quantitative Reasoning Measure of the GRE revised General Test

Shor s algorithm and secret sharing

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Table of Contents. Bibliografische Informationen digitalisiert durch

A Factoring and Discrete Logarithm based Cryptosystem

Quotient Rings and Field Extensions

Lecture 3: Finding integer solutions to systems of linear equations

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

The finite field with 2 elements The simplest finite field is

Overview of Number Theory Basics. Divisibility

A SOFTWARE COMPARISON OF RSA AND ECC

Theorem3.1.1 Thedivisionalgorithm;theorem2.2.1insection2.2 If m, n Z and n is a positive

Elliptic Curve Cryptography

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA

Advanced Cryptography

Homework until Test #2

How To Prove The Dirichlet Unit Theorem

Unique Factorization

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Integer factorization is in P

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

Lecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic. Theoretical Underpinnings of Modern Cryptography

Handout NUMBER THEORY

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Elementary factoring algorithms

k, then n = p2α 1 1 pα k

Public Key Cryptography: RSA and Lots of Number Theory

EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION

MATH 22. THE FUNDAMENTAL THEOREM of ARITHMETIC. Lecture R: 10/30/2003

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Number Theory and Cryptography using PARI/GP


Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Elementary Number Theory

Transcription:

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study course on cryptography, where he learned the abstract algebra behind various encryption techniques, such as RSA public key cryptography and elliptic curve cryptography. Introduction The RSA public key code [1, Chapter 12] is the most widely used encryption technique in modern communication networks, such as the Internet. Its security relies on the fact that no known (classical) computer program can efficiently factor large numbers n, which are the product of two (unknown) primes, p1 and p2. Quantum computers, which currently exist only as mathematical models and have not yet been physically built, can perform certain tasks with efficiency that is not matched by standard computers. In this article we will learn how, in theory, one such task can be used to factor n in a reasonable amount of time, thus breaking the RSA code. I studied this algorithm as part of an independent study cryptography course, which I took with Dr. Fischer. This article is a summary of a talk I gave on the subject for the undergraduate colloquium series in August 2002. The Algorithm Given the product n of two distinct odd prime numbers p1 and p2, the goal of the algorithm is to efficiently find p1 and p2, and it attempts to do so via a certain randomized process. It will suffice, if the algorithm produces the desired output in 50% of all cases, since repeated application will then quickly result in success. This algorithm, which runs on the current mathematical models of quantum computers, was first conceived by Shor [4]. Our exposition is modeled on Preskill [3]. Here is the pseudo code: B.S. Undergraduate Mathematics Exchange, Vol. 1, No. 1 (Fall 2003) 35

Input: A product n of two distinct (unknown) odd prime numbers p 1 and p 2. Execute the following routine as often as needed until n has been factored: Step 1. Randomly, select a number a {1, 2,, n 1}. Step 2. Compute the greatest common divisor gcd(a, n) of a and n. Step 3. Step 4. Step 5. Step 6. If gcd(a, n) 1, then output p 1 = a and p 2 = n/a and stop; else continue. [This step requires a quantum computer.] Find the smallest positive integer r with a r 1 (mod n). If r is odd, then output factoring failed in this round and stop. Compute q =gcd(a r/2 + 1, n). If q = n, then output factoring failed in this round and stop; else output p 1 = q and p 2 = n/q and stop. Analysis of the Algorithm First, we randomly select a number a between 1 and n 1. Next, we use the very efficient Euclidean Algorithm [1, Theorem 1.6] to compute the greatest common divisor gcd(a, n) of a and n. If gcd(a, n) 1, then a = p 1 or a = p 2, because the only divisors of n are 1, p 1, p 2 and n. We will assume the worst case, where gcd(a, n) = 1, and proceed to Step 4. Note that the set Z n = {k (mod n) gcd(k, n) = 1} forms a group under multiplication [1, Corollary 2.10]. Since this group is finite, there is a smallest positive integer r, called the order of a (mod n), such that a r 1 (mod n)[1, Theorem 7.8(1)]. The next step of the algorithm calls for computing the value of r, which can be done by computing the period of the function f(x) = a x, since f(x + r) = a x+r = a x a r = a x 1 = f(x) (mod n). It is not feasible to carry out this step on a classical computer. However, a quantum computer is able to find this period (in theory) in an efficient manner. (See [2] to learn how.) If r turns out to be odd, our algorithm fails. From here on, we are going to assume that r is even. Let us denote the phrase i divides j by i j. Since a r 1 (mod n), then n (a r 1) = (a r/2 1) (a r/2 + 1). We know that n (a r/2 1), otherwise r would not be the order of a. (If n (a r/2 1), then a r/2 1 (mod n), contradicting the choice of r.) Therefore, gcd(a r/2 + 1, n) 1. Now if n (a r/2 + 1), i.e. if a r/2 1 (mod n), then n must have a nontrivial common factor with each of a r/2 ± 1, which we extract by computing 1 gcd(a r/2 + 1, n) {p 1, p 2 }. So we succeed in factoring n, unless either r is odd, or r is even and a r/2 1 (mod n). 1 A computational note: gcd(a r/2 + 1, n) is found by first reducing a r/2 modulo n. Even for very large numbers, a r/2 (mod n) can be computed efficiently. This is done by first expressing the exponent r/2 as the sum of powers of 2 and then repeatedly squaring a, each 36 B.S. Undergraduate Mathematics Exchange, Vol. 1, No. 1 (Fall 2003)

How Likely Is Success? Recall that n = p 1 p 2, where p 1 and p 2 are two distinct odd primes. By the Chinese Remainder Theorem (CRT) [1, Theorem 13.2], for each pair a 1 and a 2 of integers with 0 a 1 < p 1 and 0 a 2 < p 2, there exists exactly one integer a with 0 a < p 1 p 2, such that a a 1 (mod p 1 ) a a 2 (mod p 2 ) Hence, randomly choosing a {1, 2,, n 1} with gcd(a, n) = 1, is equivalent to randomly choosing a 1 {1, 2,, p 1 1} and a 2 {1, 2,, p 2 1}, independently. (Note that a i = 0 corresponds to p i a.) Now, let r 1 denote the order of a 1 (mod p 1 ) and let r 2 denote the order of a 2 (mod p 2 ). By the CRT, a x 1 (mod p 1 p 2 ) is equivalent to a x a x 1 1 (mod p 1 ) a x a x 2 1 (mod p 2 ) This, in turn, is equivalent to r 1 x and r 2 x [1, Theorem 7.8(3)]. Consequently, since r is the smallest positive x with a x 1 (mod p 1 p 2 ), then r = lcm(r 1, r 2 ). Therefore, if both r 1 and r 2 are odd, then so is r and the factoring attempt fails. If either r 1 or r 2 is even, then so is r and we proceed. Since a r a r i 1 (mod p i), we see that p i a r 1 = (a r/2 + 1) (a r/2 1). However, p i is prime, so that either p i (a r/2 + 1) or p i (a r/2 1). In other words: a r/2 ±1 (mod p 1 ) We will now analyze the four cases: a r/2 ±1 (mod p 2 ) Case 1 Case 2 Case 3 Case 4 a r/2 1 mod p 1 a r/2 1 mod p 1 a r/2 1 mod p 1 a r/2 1 mod p 1 a r/2 1 mod p 2 a r/2 1 mod p 2 a r/2 1 mod p 2 a r/2 1 mod p 2 a r/2 1 mod n a r/2 1 mod n a r/2 1 mod n a r/2 1 mod n Not Possible Failure Success Success Let us factor out all of the 2 s from r 1 and r 2, that is, let us write r 1 = 2 C1 m 1 r 2 = 2 C2 m 2 with two odd integers m 1 and m 2 and C i 0. time reducing the result modulo n. Multiplying the appropriate powers a (2i) (mod n), while reducing modulo n after each multiplication, finally yields a r/2 (mod n). This procedure decreases the number of necessary arithmetic steps on a logarithmic scale. B.S. Undergraduate Mathematics Exchange, Vol. 1, No. 1 (Fall 2003) 37

Suppose now that C 1 > C 2, then r = lcm(r 1, r 2 ) = 2 r 2 z, for some integer z, and we claim that a r/2 1 (mod p 2 ) and a r/2 1 (mod p 1 ), which leads us to Case 3. To see this, first note that a r/2 (a r2 ) z (a r2 2 )z 1 z 1 (mod p 2 ). And since a r/2 1 (mod n), we must have a r/2 1 (mod p 1 ). So we obtain a r/2 1 (mod p 1 ). By symmetry, if C 2 > C 1, we end up in Case 4. Now let us suppose that C 1 = C 2 1. Then r = lcm(r 1, r 2 ) = r 1 u 1 = r 2 u 2, for some odd integers u i. We claim that a r/2 1 (mod p 1 ) and a r/2 1 (mod p 2 ), which places us into Case 2. To see this, first notice that r 1 r1 2 u 1, due to the lack of a factor of 2 on the right hand side. Hence, a r/2 = a r 1 2 u 1 1 1 (mod p 1 ). By symmetry we also get a r/2 = a r2 2 u 2 2 1 (mod p 2 ). Moreover, r will be odd if and only if C 1 = C 2 = 0, in which case the algorithm fails. In summary, we succeed if and only if C 1 C 2. We now wish to estimate the likelihood of this to occur. To this end, we view C i as a function of the variable a i, whose domain is the set {1, 2,, p i 1}. Let Ĉi denote the maximum value of the function C i. Below, we will show that the function C i assumes its maximum value Ĉi for exactly 50% of all a i {1, 2,, p i 1}. For now, let us assume this to be true. Then each of the following four systems of equations is true exactly 25% of the time: (1) C 1 = Ĉ1 and C 2 = Ĉ2; (2) C 1 = Ĉ1 and C 2 < Ĉ2; (3) C 1 < Ĉ1 and C 2 = Ĉ2; (4) C 1 < Ĉ1 and C 2 < Ĉ2. If Ĉ1 = Ĉ2, we succeed in Situations (2) and (3). If Ĉ1 < Ĉ2, we succeed in Situations (1) and (3). Finally, if Ĉ1 > Ĉ2, we succeed in Situations (1) and (2). So, either way, we succeed in at least 50% of all cases as we claimed we would. The remaining task is to verify the following Lemma. C i = Ĉi for exactly half of the values of a i {1, 2,, p i 1}. PROOF. Recall that the multiplicative group Z p i = {1 (mod p i ), 2 (mod p i ),, p i 1 (mod p i )} is cyclic [1, Theorem 7.15] and therefore must contain a generating element of order p i 1. Let b i (mod p i ) be such a generator, that is, suppose Z p i Say, a i (mod p i ) = b ti i element a i (mod p i ). Now, a x i which is in turn equivalent to = {b 1 i (mod p i ), b 2 i (mod p i ),, b pi 1 i (mod p i )}. (mod p i ). Recall that r i is defined to be the order of the 1 (mod p i ) if and only p i 1 (t i x), bti x i p i 1 gcd(t i, p i 1) x. 38 B.S. Undergraduate Mathematics Exchange, Vol. 1, No. 1 (Fall 2003)

Therefore, 2 Ci m i = r i = order(a i ) = p i 1 gcd(t i, p i 1). Writing p i 1 = 2 ki s i with k i 1 and some odd integer s i, we see that Ĉ i = k i and that C i = k i if and only if t i is odd. This happens half of the time. Conclusion We have presented an algorithm, which successfully factors n = p 1 p 2 at least 50% of the time and does so efficiently, if implemented on a quantum computer. Note that repeated execution of this algorithm will result in rapidly increasing probability of success. Here is a table of accumulative failure probabilities: Number of Executions Probability of Not Having Factored n 1 (1/2) 1 =.500 2 (1/2) 2 =.250 3 (1/2) 3 =.125.. 7 (1/2) 7.008 Already after 7 executions, this algorithm has a 99.2% chance of succeeding in factoring n. References [1] T.W. Hungerford, Abstract Algebra: An Introduction (Second Ed.), Saunders College Publishing (1997). [2] A.O. Pittenger, An introduction to quantum computing algorithms, Birkhäuser (2001). [3] J. Preskill, Quantum Information and Computation, Lecture notes for Physics 229, Available at http://www.theory.caltech.edu/~preskill [4] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (1997) 1484 1509. B.S. Undergraduate Mathematics Exchange, Vol. 1, No. 1 (Fall 2003) 39

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information