Computing the RSA secret Key is Deterministic Polynomial Time equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics Crypto 2004 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 1 / 14 Outline 1 Introduction Quick Overview A more detailed description Related topics and previous Results 2 Main Results Goal and assumptions Proof Overview Main theorems Remarks Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 2 / 14 Introduction Quick Overview Main Result of the paper The knowledge of the RSA public key secret key pair (e,d) ⇒ Factorization of N=pq in Polynomial Time Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 3 / 14 Introduction Quick Overview Main Result of the paper The knowledge of the RSA public key secret key pair (e,d) ⇒ Factorization of N=pq in Polynomial Time Assumptions 1 e, d < φ(N) 2 p,q are of the same bit-size Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 3 / 14 Introduction Quick Overview Main Result of the paper The knowledge of the RSA public key secret key pair (e,d) ⇒ Factorization of N=pq in Polynomial Time Assumptions 1 e, d < φ(N) 2 p,q are of the same bit-size Technique used Coppersmith’s technique for finding small roots of bivariate integer polynomials Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 3 / 14 Introduction A more detailed description Common technique in public key Cryptography is to establish Polynomial Time equivalence between: Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 4 / 14 Introduction A more detailed description Common technique in public key Cryptography is to establish Polynomial Time equivalence between: • The problem of computing the secret key from the public information • a well-known hard problem p (believed to be computationally infeasible) Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 4 / 14 Introduction A more detailed description Common technique in public key Cryptography is to establish Polynomial Time equivalence between: • The problem of computing the secret key from the public information • a well-known hard problem p (believed to be computationally infeasible) This establishes the security of the secret key (given that p is computationally infeasible) However IT DOES NOT provide security for the public key system itself. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 4 / 14 Introduction Related topics and previous Results Related Topics • Primality:Proven to be in P [AKS 2002] • Factoring:RSA’s security is based on the hardness of factoriztion: • It is yet unknown if factorization is equivalent to RSA cryptanalysis • Cryptanalysis of RSA is at least as easy as factoring. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 5 / 14 Introduction Related topics and previous Results Related Topics • Primality:Proven to be in P [AKS 2002] • Factoring:RSA’s security is based on the hardness of factoriztion: • It is yet unknown if factorization is equivalent to RSA cryptanalysis • Cryptanalysis of RSA is at least as easy as factoring. Previous Results • Existence of probabilistic polynomial time equivalence between factoring N and finding d. • Factors of N can be obtained from d under the Extended Riemann Hypothesis (Miller , 1975) Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 5 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. ⇐: trivial Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. ⇐: trivial ⇒: (Reduction of factoring problem to d computation) Input (N,e,d) ⇒ output (p,q) under the assumptions: (a) p,q have the same bitsize (b) e · d ≤ N 2 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. ⇐: trivial ⇒: (Reduction of factoring problem to d computation) Input (N,e,d) ⇒ output (p,q) under the assumptions: (a) p,q have the same bitsize (b) e · d ≤ N 2 Remarks on the assumptions (a) This is usually the case Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. ⇐: trivial ⇒: (Reduction of factoring problem to d computation) Input (N,e,d) ⇒ output (p,q) under the assumptions: (a) p,q have the same bitsize (b) e · d ≤ N 2 Remarks on the assumptions (a) This is usually the case (b) Usually 1 < e, d < φ(N) Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Goal and assumptions Goal Knowledge of (e,d) ⇔ knowledge of factors p,q of N. ⇐: trivial ⇒: (Reduction of factoring problem to d computation) Input (N,e,d) ⇒ output (p,q) under the assumptions: (a) p,q have the same bitsize (b) e · d ≤ N 2 Remarks on the assumptions (a) This is usually the case (b) Usually 1 < e, d < φ(N) Conclusion: The assumptions are not so restrictive Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 6 / 14 Main Results Proof Overview Basic technique Coppersmith’s method for finding small roots of bivariate integer polynomials Previous application:factorization of N when half of the msb of p are given. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 7 / 14 Main Results Proof Overview Basic technique Coppersmith’s method for finding small roots of bivariate integer polynomials Previous application:factorization of N when half of the msb of p are given. Steps • Proof for the special case where ed ≤ N 3/2 . Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 7 / 14 Main Results Proof Overview Basic technique Coppersmith’s method for finding small roots of bivariate integer polynomials Previous application:factorization of N when half of the msb of p are given. Steps • Proof for the special case where ed ≤ N 3/2 . • Generalization of the proof for the case where ed ≤ N 2 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 7 / 14 Main Results Proof Overview Basic technique Coppersmith’s method for finding small roots of bivariate integer polynomials Previous application:factorization of N when half of the msb of p are given. Steps • Proof for the special case where ed ≤ N 3/2 . • Generalization of the proof for the case where ed ≤ N 2 • Experimental Results and conclusion Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 7 / 14 Main Results Main theorems ed ≤ N 3/2 Wlog assume that p < q. Then p < N 1/2 < q < 2p < 2N 1/2 (1) which gives p + q < 3N 1/2 ≤ N 2 (2) (for N ≥ 36) Thus, φ(N) = N + 1 − (p + q) > N 2 (3) Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 8 / 14 Main Results Main theorems ed ≤ N 3/2 Wlog assume that p < q. Then p < N 1/2 < q < 2p < 2N 1/2 (1) which gives p + q < 3N 1/2 ≤ N 2 (2) (for N ≥ 36) Thus, φ(N) = N + 1 − (p + q) > N 2 (3) Theorem Let N=pq be the RSA-modulus, where p and q are of the same bitsize. Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and 3 ed ≤ N 2 Then N can be factored in time polynomial to its bitsize. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 8 / 14 Main Results Main theorems ed ≤ N 3/2 Wlog assume that p < q. Then p < N 1/2 < q < 2p < 2N 1/2 (1) which gives p + q < 3N 1/2 ≤ N 2 (2) (for N ≥ 36) Thus, φ(N) = N + 1 − (p + q) > N 2 (3) Theorem Let N=pq be the RSA-modulus, where p and q are of the same bitsize. Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and 3 ed ≤ N 2 Then N can be factored in time polynomial to its bitsize. Proof. • dke:ceiling of k. • Z∗φ(N) : Ring of the invertible integers modφ(N). Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 8 / 14 Main Results Main theorems proof (continued) ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N. k̄ = ed−1 N . Then k ≥ dk̄e In addition k − k̄ = ... = (p+q−1)(ed−1) φ(N)N (2) and (3) give k − k̄ < 6N −3/2 (ed − 1) (4) which gives by hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6 Thus we only have to try dk̄e + i for i=0,...,5 to find the right k. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 9 / 14 Main Results Main theorems proof (continued) ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N. k̄ = ed−1 N . Then k ≥ dk̄e In addition k − k̄ = ... = (p+q−1)(ed−1) φ(N)N (2) and (3) give k − k̄ < 6N −3/2 (ed − 1) (4) which gives by hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6 Thus we only have to try dk̄e + i for i=0,...,5 to find the right k. Complexity The complexity of the algorithm is O(log 2 N). Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial TimeCrypto equivalent 2004to Factoring 9 / 14 Main Results Main theorems ed ≤ N 2 Theorem (Coppersmith) Let f(x,y) be an irreducible polynomial in two variables over Z, of maximuum degree δ in each variable seperately. Let X,Y be bounds on the desired solutions (x0 , y0 ).Let W be the absolute value of the largest entry 2 in the coefficient vector of f(xX,yY). If XY ≤ W 3δ Then in time polynomial in logW and 2δ we can find all integer pairs (x0 , y0 ) with f (x0 , y0 ) = 0, |x0 | ≤ X and |y0 | ≤ Y . Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 10 / 14 Main Results Main theorems ed ≤ N 2 Theorem (Coppersmith) Let f(x,y) be an irreducible polynomial in two variables over Z, of maximuum degree δ in each variable seperately. Let X,Y be bounds on the desired solutions (x0 , y0 ).Let W be the absolute value of the largest entry 2 in the coefficient vector of f(xX,yY). If XY ≤ W 3δ Then in time polynomial in logW and 2δ we can find all integer pairs (x0 , y0 ) with f (x0 , y0 ) = 0, |x0 | ≤ X and |y0 | ≤ Y . Theorem Let N=pq be the RSA-modulus, where p and q are of the same bitsize. Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and ed ≤ N 2 Then N can be factored in time polynomial in the bitsize of N. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 10 / 14 Main Results Main theorems Proof. Again ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 (5) for some k ∈ N. Let k̄ = ed−1 be an underestimation of k. Using (4) we obtain N k − k̄ < 6N −3/2 (ed − 1) < 6N 1/2 Let us denote x = k − dk̄e (dk̄e:approximation of k, x: additive error) In addition N − φ(N) = p + q − 1 < 3N 1/2 Thus φ(N) lies in the interval [N − 3N 1/2 , N]. We divide the interval [N − 3N 1/2 , N] into 6 subintervals of length 21 N 1/2 1/2 , i = 1, ..., 6 For the correct i we have with centers N − 2i−1 4 N |N − 2i−1 1/2 4 N − φ(N)| ≤ 14 N 1/2 1/2 e for the right i. Then Let g = d 2i−1 4 N |N − g − φ(N)| < 14 N 1/2 + 1 ⇒ φ(N) = N − g − y for some unknown y with |y | ≤ 14 N 1/2 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 11 / 14 Main Results Main theorems Proof (continued) (5) yields ed − 1 − (dk̄e + x)(N − g − y ) = 0 We define the bivariate integer polynomial : f (x, y ) = xy − (N − g )x + dk̄ey − dk̄e(N − g ) + ed − 1 with a known root (x0 , y0 ) = (k − dk̄e, p + q + 1 − g ) over the integers. We now apply Coppersmith’s theorem. We define X = 6N 1/2 andY = 41 N 1/2 + 1 Then |x0 | ≤ X and|y0 | ≤ Y . Let W denote the linf norm of the coefficient vector of f(xX,yY). Then W ≥ (N − g )X > 3N 3/2 2 144 Thus XY = ... < W 2/3 = W 3δ (for N > (2·91/3 ) −3)2 By Coppersmith’s theorem we can find the root (x0 , y0 ) in time polynomialin the bitsize of of W. Finally the solution y0 = p + q − 1 − g yields the factorization of N. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 12 / 14 Main Results Remarks Remarks Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks Remarks 1 The running time of the algorithm is also polynomial in the bitsize of N since W ≤ NX = 6N 3/2 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks Remarks 1 The running time of the algorithm is also polynomial in the bitsize of N since W ≤ NX = 6N 3/2 2 The previous theorem can be easily generalized for the case where p + q ≤ poly (logN)N 1/2 Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks Remarks 1 The running time of the algorithm is also polynomial in the bitsize of N since W ≤ NX = 6N 3/2 2 The previous theorem can be easily generalized for the case where p + q ≤ poly (logN)N 1/2 (a) For the case where ed ≤ N 3/2 we only have to examine the values dk̄e + i, for i=0,1,...,d2poly (logN)e − 1 (polynomialy bounded by the bitsize of N) Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks Remarks 1 The running time of the algorithm is also polynomial in the bitsize of N since W ≤ NX = 6N 3/2 2 The previous theorem can be easily generalized for the case where p + q ≤ poly (logN)N 1/2 (a) For the case where ed ≤ N 3/2 we only have to examine the values dk̄e + i, for i=0,1,...,d2poly (logN)e − 1 (polynomialy bounded by the bitsize of N) (b) For the case where ed ≤ N 2 we just have to divide the interval [N − poly (logN)N 1/2 , N] into d2poly (logN)e intervals. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks Remarks 1 The running time of the algorithm is also polynomial in the bitsize of N since W ≤ NX = 6N 3/2 2 The previous theorem can be easily generalized for the case where p + q ≤ poly (logN)N 1/2 (a) For the case where ed ≤ N 3/2 we only have to examine the values dk̄e + i, for i=0,1,...,d2poly (logN)e − 1 (polynomialy bounded by the bitsize of N) (b) For the case where ed ≤ N 2 we just have to divide the interval [N − poly (logN)N 1/2 , N] into d2poly (logN)e intervals. Conclusion:Assumption (a) is not restrictive at all. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 13 / 14 Main Results Remarks From the cryptography point of view ... Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 14 / 14 Main Results Remarks From the cryptography point of view ... Theorem Let N=pq be the RSA-modulus, where p and q are of the same bitsize. Furthermore let e ∈ Z∗φ(N) be an RSA public exponent. Suppose we have an algorithm that on input (N,e) outputs in deterministic polynomial time the RSA secret exponent d ∈ Z∗φ(N) satisfying ed = 1(modφ(N)) Then N can be factored in deterministic polynomial time. Alexander May (Faculty of Computer Science,Computing Electrical Engineering the RSA secret andKey Mathematics) is Deterministic Polynomial Time Crypto equivalent 2004 to Factoring 14 / 14
© Copyright 2026 Paperzz