International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012, ISSN 2278-6856, pp. 115-119

A Positive Lattice Application to RSA Cryptosystem

Sushma Pradhan¹, Birendra Kumar Sharma²
¹ School of Studies in Mathematics, Pt. Ravishankar Shukla University, Raipur, Chhattisgarh, India
² School of Studies in Mathematics, Pt. Ravishankar Shukla University, Raipur, Chhattisgarh, India

Abstract: We present RSA and a positive lattice related application to it. More specifically, we present a lattice-based method that establishes the deterministic polynomial time equivalence between computing the RSA secret exponent $d$ and factoring the RSA modulus $N$.

Keywords: Lattice, RSA, Public-key Cryptosystem, factoring.

1. INTRODUCTION

In 1976, Whitfield Diffie and Martin Hellman [2] introduced the idea of Public-Key Cryptography. In their paper, Diffie and Hellman proposed the use of different keys for encryption and decryption and introduced the notion of trapdoor one-way functions. A trapdoor one-way function is a function that can be computed efficiently but for which there is no efficient algorithm that inverts the function without the knowledge of a certain trapdoor. Diffie and Hellman only presented the properties such a function should possess and did not provide any specific example of such a function.

One year later, in 1977, Ronald Rivest, Adi Shamir and Leonard Adleman, in their famous paper "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" [6], presented the well-known RSA Cryptosystem, which constitutes the first implementation of a trapdoor one-way function in Public-Key Cryptography. Since then, RSA has become probably the most commonly used Cryptosystem in applications where providing privacy and ensuring authenticity of digital data are crucial. Some typical RSA applications include ensuring secure remote login sessions, privacy and authenticity of email, and the robustness of electronic credit-card payment systems.

The remainder of the paper is organized as follows. We begin in the next section by presenting an introduction to Cryptosystems and a formal definition of RSA. In Section 3, we describe a recently discovered positive application of lattices to RSA. More specifically, we present a lattice-based method that establishes the deterministic polynomial time equivalence between computing the RSA secret exponent $d$ and factoring the RSA modulus $N$. Finally, we give a short conclusion in Section 4.

2. THE RSA CRYPTOSYSTEM

Before presenting RSA, we first give a formal definition of the term Cryptosystem as defined in [7]. The following definition applies both to private-key (symmetric) and to public-key (asymmetric) Cryptosystems.

Definition 2.1 (Cryptosystem)
A cryptosystem is a five-tuple $(P, C, K, E, D)$, where the following conditions are satisfied:
• $P$ is a finite set of possible plaintexts.
• $C$ is a finite set of possible ciphertexts.
• $K$ is a finite set of possible keys.
• For each $k \in K$ there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for every plaintext element $x \in P$.
• The encryption function $e_k$ is public; the decryption function $d_k$ is secret.

In symmetric Cryptosystems, the key for encryption and decryption is the same. In contrast, in public-key (asymmetric) encryption systems, each entity A (usually referred to as Alice in the bibliography) has a public key $e$ and a corresponding private key $d$. In secure cryptosystems, the task of computing $d$ given $e$ is computationally infeasible. The public key defines an encryption transformation $E_e$, while the private key defines the associated decryption transformation $D_d$. An entity B (usually referred to as Bob), wishing to send a message $m$ to A, obtains an authentic copy of A's public key $e$, uses the encryption transformation to produce a ciphertext $c = E_e(m)$ and transmits $c$ to A. To decrypt $c$, A applies the decryption transformation to obtain the original message $m = D_d(c)$.

The main objective of public-key encryption is to provide privacy and confidentiality. The public key $e$ need not be kept secret whereas the private key $d$ is known only to the legitimate entity. The main advantage of public-key Cryptosystems over symmetric Cryptosystems is that providing authentic public keys is generally easier than distributing secret keys securely. However, public-key cryptosystems are typically substantially slower than the symmetric ones. That is why public-key encryption is most commonly used in practice for the transmission of keys subsequently used for bulk data encryption by symmetric algorithms.

Below we describe the RSA Cryptosystem, the most widely used public-key Cryptosystem. In Algorithm 1, we present the generation of the parameters (keys) of the RSA Cryptosystem, while in Algorithms 2 and 3 we present the encryption and decryption process respectively.

Algorithm 1: RSA-Key Generation
Input: The bit size of the modulus $N$.
Output: A public key $(N, e)$ and a private key $d$.
Begin
Step 1. Generate two large random and distinct primes $p$ and $q$ of about the same bit size.
Step 2. Compute $N = pq$ and $\varphi(N) = (p - 1)(q - 1)$.
Step 3. Select a random integer $e$, $1 < e < \varphi(N)$, such that $\gcd(e, \varphi(N)) = 1$.
Step 4. Use the extended Euclidean algorithm to compute the unique integer $d$, $1 < d < \varphi(N)$, such that $e \cdot d \equiv 1 \pmod{\varphi(N)}$.
Step 5. A's public key is $(N, e)$; A's private key is $d$.
End

The integers $e$ and $d$ in RSA Key Generation are called the encryption exponent and the decryption exponent respectively, while $N$ is called the modulus.

Remark 1. In the above algorithm we have restricted the values of $e, d$ to the interval $[1, \varphi(N)]$. We just mention that these are the typical values for the keys $e, d$ produced by the key generation process. However, each entity A can choose $e, d > \varphi(N)$ and the encryption and decryption processes work as well, provided that $e \cdot d \equiv 1 \pmod{\varphi(N)}$.

Algorithm 2: RSA Encryption
Input: Public Key $(N, e)$ and plaintext $m$.
Output: Ciphertext $c$ corresponding to plaintext $m$.
Begin
B (the sender) should do the following:
Step 1. Obtain A's authentic public key $(N, e)$.
Step 2. Represent the message he wants to send as an integer $m$ in the interval $[0, N - 1]$.
Step 3. Compute $c = m^e \pmod{N}$.
Step 4. Send the ciphertext $c$ to A.
End

Algorithm 3: RSA Decryption
Input: Private Key $d$ and ciphertext $c$.
Output: Plaintext $m$ corresponding to ciphertext $c$.
Begin
A (the receiver) should do the following:
Step 1. Use the private key $d$ to recover $m = c^d \pmod{N}$.
End

Remark 2. This is the initial definition of the RSA Cryptosystem. Since the introduction of RSA, several variants have been presented. These variants differ from the original RSA scheme in that the values of some parameters are slightly changed or in that there are some additional assumptions regarding these parameters. Throughout this paper we will consider some of these variants. However, whenever we refer to RSA we will mean the scheme and notation presented above unless otherwise stated.

In the RSA Cryptosystem, the trapdoor one-way function is the function $m \mapsto m^e \pmod{N}$. Indeed, the above function can be easily computed but (as far as we know) cannot be efficiently inverted without the knowledge of the trapdoor $d$. However, if one knows the decryption exponent $d$, then one can recover the plaintext $m$ as follows:

Since $e \cdot d \equiv 1 \pmod{\varphi(N)}$, there exists an integer $k$ such that $ed = 1 + k\varphi(N)$. Consider the following two cases:

(a) $\gcd(m, p) = 1$. Then by Fermat's little theorem
$$m^{p-1} \equiv 1 \pmod{p}.$$
If we raise both sides of this congruence to the power $k(q - 1)$ and then multiply both sides by $m$ we get
$$m^{1 + k(p-1)(q-1)} \equiv m \pmod{p} \;\Rightarrow\; m^{ed} \equiv m \pmod{p}.$$

(b) $\gcd(m, p) = p$. Then $m^{1 + k(p-1)(q-1)} \equiv m \pmod{p}$ holds trivially, as both sides are congruent to $0 \bmod p$. Thus again $m^{ed} \equiv m \pmod{p}$.

Using the same arguments we can prove that
$$m^{ed} \equiv m \pmod{q}.$$
Finally, the fact that $p, q$ are distinct primes (which means that $\gcd(p, q) = 1$), along with the Chinese Remainder Theorem, yields that
$$m^{ed} \equiv m \pmod{N}$$
and hence
$$c^d \equiv (m^e)^d \equiv m \pmod{N}.$$

3. COMPUTING d ⇔ FACTORING

In this section we present a positive application of lattices to the RSA Cryptosystem. By the term "positive" we mean an application that establishes the security of one RSA parameter. In particular, we present a result due to May [4] that establishes the deterministic polynomial time equivalence between computing the RSA secret key and factoring.

While a successful attack against a cryptosystem is sufficient to prove that the cryptosystem is not secure, any number of unsuccessful attacks does not suffice to prove that the cryptosystem is in fact secure. How can we then establish that a cryptosystem is secure? In Public-Key Cryptography, where the encryption process is based on a one-way function that is hard to invert, security could be established if we could prove the polynomial time equivalence between the problem of recovering the plaintext $m$ from the ciphertext $c$ without the knowledge of the trapdoor and a well-known hard problem P, believed to be computationally intractable.

It is not hard to see that RSA is directly related to the problem of factoring the modulus $N$, which is considered to be hard. Indeed, once we recover $p, q$, we can compute $\varphi(N) = (p - 1)(q - 1)$ and consequently decrypt any ciphertext $c$ by computing the unique $d \in [0, \varphi(N)]$ such that $ed \equiv 1 \pmod{\varphi(N)}$. Thus, we could probably establish the security of RSA by proving that recovering the plaintext $m$ from the ciphertext $c = m^e \pmod{N}$ and the public key is polynomial-time equivalent to factoring the modulus $N$. This is a very important open problem in Public-Key Cryptography.

Alternatively, we can content ourselves with proving that recovering some secret information about RSA is equivalent to factoring. For example, computing the value $\varphi(N)$ is equivalent to factoring the modulus $N$, since we can both compute $\varphi(N) = (p - 1)(q - 1)$ if we know $p, q$, and recover the factorization of $N$ if we know the value $\varphi(N)$, by solving the system
$$N = p \cdot q$$
$$\varphi(N) = N - (p + q) + 1.$$

In 2004, May [4] proved that computing the RSA secret key $d$ is deterministic polynomial time equivalent to factoring. This result establishes the satisfaction of a very fundamental requirement for a Public-Key Cryptosystem, namely the hardness of recovering the secret key from the public key. Indeed, the above result implies that an efficient algorithm that recovers the secret key $d$ from the public key $e$ can be transformed to an efficient algorithm that factors $N$. This renders the existence of efficient algorithms that recover $d$ impossible, provided that there is no efficient algorithm that factors $N$.

However, the above result does not provide any security for the public-key cryptosystem itself, since there might be other ways to break the system without computing the secret key $d$.

Previous Results: The problem of the polynomial time equivalence between computing $d$ and factoring has been well studied in the past. Two of the most interesting previous results are:

1. Existence of a probabilistic polynomial time reduction between the above problems. A proof can be found in [7, pages 197-200] and in several other sources.
2. Deterministic polynomial time equivalence under the Extended Riemann Hypothesis (ERH). The equivalence is directly established if we assume the validity of the ERH and a result based on a paper by Miller [5].

The presentation is separated into two parts. We first present May's result for balanced $p, q$ and then a recent generalization due to Coron and May [1] for unbalanced $p, q$.

3.1 Balanced primes p, q

In his initial paper [4], May proved the equivalence between computing $d$ and factoring $N$ under the following two assumptions:
(a) $ed \le N^2$ and
(b) $p, q$ are of the same bit size.

Assume w.l.o.g. that $p < q$. Then the second assumption implies that
$$p < N^{1/2} < q < 2p < 2N^{1/2}$$
which gives the following inequalities
$$p + q < 3N^{1/2} \qquad (1)$$
and
$$\varphi(N) = N + 1 - (p + q) > N/2. \qquad (2)$$
The last inequality is directly derived from $p + q < 3N^{1/2}$ (for $N \ge 36$).

In order to illustrate the underlying idea, we first give May's theorem/proof for a slightly weaker theorem, where we assume that $ed \le N^{3/2}$.

Theorem 1.
Let $N = pq$ be the RSA modulus, where $p$ and $q$ are of the same bit size. Suppose we know integers $e, d$ such that $ed > 1$ and
$$ed \equiv 1 \pmod{\varphi(N)}; \qquad ed \le N^{3/2}.$$
Then $N$ can be factored in time polynomial in its bit size.

In order to extend the above result to the case where $ed \equiv 1 \pmod{\varphi(N)}$, May uses Coppersmith's result for finding small solutions to bivariate integer equations. Here we restate the theorem for convenience.
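Theorem 1 and the earlier system for recovering p, q from φ(N), worked through as an added Python example (not code from the paper or from May [4]). It assumes the step of May's proof that this page does not reproduce: writing ed − 1 = kφ(N), the estimate (ed − 1)/N undershoots k by less than 6 when ed ≤ N^(3/2), so six candidates suffice. The function names and the toy key are constructed for illustration.

```python
from math import isqrt


def factor_from_phi(N, phi):
    """Solve N = p*q, phi = N - (p + q) + 1 for integers p <= q (None if impossible)."""
    s = N - phi + 1                  # s = p + q
    disc = s * s - 4 * N             # equals (q - p)^2 when phi is the true phi(N)
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == N else None


def factor_from_private_exponent(N, e, d, tries=6):
    """Deterministic factoring of N from (e, d) in the Theorem 1 range ed <= N^(3/2).

    Assumption (May's proof, not shown on the page): with ed - 1 = k*phi(N) and
    balanced p, q, the true k lies in {ceil((ed-1)/N) + i : 0 <= i < 6}.
    """
    m = e * d - 1                    # m = k * phi(N) for an unknown integer k
    if m <= 0:
        return None
    k_low = -(-m // N)               # ceil(m / N), a lower bound on k
    for i in range(tries):
        k = k_low + i
        if m % k == 0:
            factors = factor_from_phi(N, m // k)   # verified by p * q == N
            if factors:
                return factors
    return None


# Constructed toy key: two 17-bit primes of equal bit size (real moduli are far larger).
P, Q = 65537, 65539
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 257
D = pow(E, -1, PHI)                  # as produced by Algorithm 1 (Python 3.8+)
D_LARGE = D + 200 * PHI              # still a valid exponent (Remark 1), E*d <= N^(3/2)
D_TOO_LARGE = D + 10**6 * PHI        # E*d > N^(3/2): outside the range of Theorem 1

if __name__ == "__main__":
    for d in (D, D_LARGE, D_TOO_LARGE):
        print(d, factor_from_private_exponent(N, E, d))
```

For the last exponent the six-candidate search returns nothing: that is the range between N^(3/2) and N^2 where the lattice-based argument takes over.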
Theorem 2. (Coppersmith's Theorem for Bivariate Integer Equations)
Let $f(x, y)$ be an irreducible polynomial in two variables over $\mathbb{Z}$, of maximum degree $\delta$ in each variable separately. Let $X, Y$ be upper bounds on the desired integer solution $(x_0, y_0)$. Let $W$ be the absolute value of the largest entry in the coefficient vector of $f(xX, yY)$, that is $W = \max_{i,j} |f_{i,j}| X^i Y^j$. If
$$XY < W^{2/(3\delta)}$$
then in time polynomial in $\log W$ and $2^\delta$ we can find all integer pairs $(x_0, y_0)$ such that $f(x_0, y_0) = 0$, $|x_0| \le X$ and $|y_0| \le Y$.

May's main result is given by the following theorem.

Theorem 3.
Let $N = pq$ be the RSA modulus, where $p$ and $q$ are of the same bit size. Suppose we know integers $e, d$ with $ed > 1$ and
$$ed \equiv 1 \pmod{\varphi(N)}; \qquad ed \le N^2.$$
Then $N$ can be factored in time polynomial in its bit size.

Remark 3. Both previous results can be easily generalized for the case where
$$p + q \le \mathrm{poly}(\log N)\, N^{1/2}.$$
Indeed:
(a) For the case where $ed \le N^{3/2}$, we only have to examine the values $\tilde{k} + i$, for $i = 0, 1, \ldots, 2\,\mathrm{poly}(\log N) - 1$ (polynomially bounded by the bit size of $N$).
(b) For the case where $ed \le N^2$, we just have to divide the interval $[N - \mathrm{poly}(\log N)\, N^{1/2},\, N]$ into $2\,\mathrm{poly}(\log N)$ subintervals and run the algorithm for each subinterval.

Remark 4. The above results can be summarized in the following interesting (from the cryptographic point of view) result.

Theorem 4.
Let $N = pq$ be the RSA modulus, where $p$ and $q$ are of the same bit size. Furthermore, let $e \in \mathbb{Z}^*_{\varphi(N)}$ be an RSA public exponent. Suppose we have an algorithm that on input $(N, e)$ outputs in deterministic polynomial time the RSA secret exponent $d \in \mathbb{Z}^*_{\varphi(N)}$ satisfying
$$ed \equiv 1 \pmod{\varphi(N)}.$$
Then $N$ can be factored in deterministic polynomial time.

Notice that in the ordinary case (Algorithm 1), in fact $e, d \in \mathbb{Z}^*_{\varphi(N)}$. This strengthens the power of the result proved by May. Of course, as stated in Remark 1, the encryption and decryption processes work even if $e, d$ do not belong to $\mathbb{Z}^*_{\varphi(N)}$.

3.2 Unbalanced primes p, q

Shortly after May's initial paper, Coron and May [1] revisited the above problem. They provided an alternative proof for Theorem 3 using a variant of Coppersmith's technique for finding small solutions to univariate modular equations (instead of bivariate integer equations).

Interestingly, Coron and May [1] proved that the equivalence between factoring and computing the secret key $d$ is still valid even if the requirement that $p, q$ are balanced is removed. In fact, they proved that factoring $N$ given $(e, d)$ becomes easier when the prime factors are unbalanced. Their technique is similar to the technique introduced by Durfee and Nguyen [3], in which two separate variables $x$ and $y$ are used for the primes $p$ and $q$ respectively and each occurrence of $x \cdot y$ is replaced by $N$. More specifically, they proved the following theorem.

Theorem 5.
Let $\beta$ and $0 < \delta \le 1/2$ be real values such that $2\beta\delta(1 - \delta) \le 1$. Let $N = pq$, where $p, q$ are primes such that $p < N^{\delta}$ and $q < 2N^{1-\delta}$. Let $e, d$ be such that $ed \equiv 1 \pmod{\varphi(N)}$ and $0 < e \cdot d \le N^{\beta}$. Then given $(N, e, d)$ one can recover the factorization of $N$ in deterministic polynomial time.

Remark 5. The factorization of $N$ is easier when $p, q$ are unbalanced, in that the condition for the product $e \cdot d$ becomes weaker. Consider for example that $p < N^{1/4}$. Plugging the value $\delta = 1/4$ into the inequality $2\beta\delta(1 - \delta) \le 1$ yields $\beta \le 8/3$. This means that the proof of equivalence between computing $d$ and factoring $N$ can now tolerate values of the product $e \cdot d$ up to $N^{8/3}$ (instead of $N^2$). Of course, letting $\delta = 1/2$ (balanced $p, q$) we get the same result as in the previous subsection ($ed \le N^2$).

4. CONCLUSION

We present RSA and a positive lattice related application to it. By the term "positive" we mean an application that establishes the security of one RSA parameter. More specifically, we present a lattice-based method that establishes the deterministic polynomial time equivalence between computing the RSA secret exponent $d$ and factoring the RSA modulus $N$.

REFERENCES

[1] Jean-Sebastien Coron and Alexander May, "Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring". Cryptology ePrint Archive, Report 2004/208, 2004. http://eprint.iacr.org/.
[2] Whitfield Diffie and Martin Hellman, "New directions in cryptography". IEEE Transactions on Information Theory, 22:644-654, 1976. URL:http://cr.yp.to/bib/entries.html-1976/diffie.
[3] Glenn Durfee and Phong Q. Nguyen, "Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99". In Tatsuaki Okamoto, editor, ASIACRYPT, volume 1976 of Lecture Notes in Computer Science, pp. 14-29. Springer, 2000.
[4] Alexander May, "Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring". In CRYPTO, pp. 213-219, 2004.
[5] Gary L. Miller, "Riemann's Hypothesis and tests for primality". In STOC '75: Proceedings of seventh annual ACM symposium on Theory of computing, pp. 234-239, New York, USA, 1975. ACM Press.
[6] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". Commun. ACM, 21(2), pp. 120-126, 1978.
[7] Douglas Stinson, "Cryptography: Theory and Practice, Second Edition". CRC Press, Inc., Boca Raton, FL, USA, 2002.

AUTHORS

Sushma Pradhan received the B.Sc, M.Sc and M.Phil degrees in Mathematics from Pt. Ravishankar Shukla University, Raipur, Chhattisgarh, India in 2002, 2004 and 2007. She joined the School of Studies in Mathematics, Pt. Ravishankar Shukla University, Raipur, India for her research work. She is a lifetime member of the Cryptology Research Society of India (CRSI). Her areas of interest are Public Key Cryptography and the Integer Factorization Problem.

Birendra Kumar Sharma is a Professor at the School of Studies in Mathematics, Pt. Ravishankar Shukla University, Raipur (C. G.), India. He has been working for a long time in the field of Non Linear Operator Theory and currently in Cryptography. He and his research scholars work on many branches of public key cryptography. He is a life member of Indian Mathematical Science and the Ramanujan Mathematical Society.
