# A Positive Lattice Application to RSA Cryptosystem

Document Sample

```					    International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012                                    ISSN 2278-6856

A Positive Lattice Application to RSA
Cryptosystem
1
School of Studies in Mathematics, Pt. Ravishankar Shukla University
Raipur, Chhattisgarh, India
2
School of Studies in Mathematics, Pt. Ravishankar Shukla University
Raipur, Chhattisgarh, India

Abstract: we present RSA and a positive lattice related
application to it. More specifically, we present a lattice-based   2. THE RSA CRYPTOSYSTEM
method that establishes the deterministic polynomial time
equivalence between computing the RSA secret exponent d            Before presenting RSA, we first give a formal definition
and factoring RSA modulus N.                                       of the term Cryptosystem as defined in [7]. The following
Keywords: Lattice, RSA, Public-key Cryptosystem,                   definition applies both to private-key (symmetric) and to
factoring.                                                         public-key (assymetric) Cryptosystems.

1. INTRODUCTION                                                    Definition 2.1 (Crpytosystem)
A cryptosystem is a five tuple (P, C, K, E, D), where the
In 1976, Whitfield Diffie and Martin Hellman [2]                   following conditions are satisfied:
introduced the idea of Public-Key Cryprography. In their           • P is a finite set of possible plaintexts.
paper, Diffie and Hellman proposed the use of different            • C is a finite set of possible ciphertexts.
keys for encryption and decryption and introduced the              • K is a finite set of possible keys.
notion of trapdoor one-way functions. A trapdoor one-way
• For each k  K there is an encryption rule e K  E
function is a function that can be computed efficiently but
for which there is no efficient algorithm that inverts the         and a corresponding decryption rule d K  D . Each
function without the knowledge of a certain trapdoor.              e K : P  C and d K : C  P are functions such that
Diffie and Hellman only presented the properties such a
function should possess and did not provide any specific           d K (e K ( x ))  x for every plaintext element x  P .
example of such a function.                                        • The encryption function ek is public; the decryption
One year later, in 1977, Ronald Rivest , Adi Shamir and            function dk is secret.
Leonard Adleman in their famous paper ”A method for                In symmetric Cryptosytems, the key for encryption and
Obtaining      Digital    Signatures    and    Public-Key          decryption is the same. In contrast in public key
Cryptosystems” [6] presented the well-known RSA                    (assymetric) encryption systems, each entity A (usually
Cryptosystem which consists the first implementation of a          referred to as Alice in bibliography) has a public key e
trapdoor one-way function in Public-Key Cryptography.              and a corresponding private key d. In secure
Since then, RSA has become probably the most                       cryptosystems, the task of computing d given e is
commonly used Cryptosystem in applications where                   computationally infeasible. The public key defines an
providing privacy and ensuring authenticity of digital             encryption transformation E e , while the private key
data are crucial. Some typical RSA applications include
ensuring secure remote login sessions, privacy and                 defines the associated decryption transformation Dd . An
authenticity of email and electronic credit-card payment           entity B (usually referred to as Bob), wishing to send a
systems robustness.                                                message m to A obtains an authentic copy of A0 ' s
The remainder of the paper is organized as follows. We
public key e, uses the encryption transformation to
begin next section by presenting an introduction to
produce a ciphertext
Cryptosystems and a formal definition of RSA. In
Section 3, we describe a recently discovered positive               C  Ee (m) and transmits c to A. To decrypt c, A
application of lattices to RSA. More specifically, we              applies the decryption transformation to obtain the
present a lattice-based method that establishes the                original message m  Dd (c) .
deterministic polynomial time equivalence between
The main objective of public-key encryption is to provide
computing the RSA secret exponent d and factoring RSA
privacy and confidentiality. The public key e need not be
modulus N. Finally, we give a short conclusion in Section
kept secret whereas the private key d is known only to the
4.
legitimate entity. The main advantage of public key
Cryptosystems over symmetric Cryptosystems is that
Volume 1, Issue 4 November - December 2012                                                                        Page 115
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012                                    ISSN 2278-6856

providing authentic public keys is generally easier than        Algorithm 3: RSA Decryption
distributing secret keys securely. However, Public-Key          Input: Private Key d and ciphertext c.
cryptosystems are typically substantially slower than the       Output: Plaintext m corresponding to ciphertext c.
symmetric ones. That’s why public-key encryption is most        Begin
commonly used in practice for the transmission of keys          A (the receiver) should do the following:
subsequently used for bulk data encryption by symmetric         Step 1. Use the private key d to recover
algorithms.                                                     m  c d (mod N ) .
Below we describe the RSA Cryptosystem, the most
widely used public-key Cryptosystem. In algorithm 1, we         End
present the generation of the parameters (keys) of RSA
Cryptosystem while in algorithms 2 and 3, we present the        Remark 2. This is the initial definition of the RSA
encryption and decryption process respectively.                 Cryptosystem. Since the introduction of RSA, several
variants have been presented. This variant differs from
the original RSA-Scheme in that the values of some
Algorithm 1: RSA-Key Generation
parameters are slightly changed or in that there are some
Input: The bit size of the modulus N.
Output: A public key (N, e) and a private key d.
Throughout this paper we will consider some of these
Begin
variants. However, whenever we refer to RSA we will
Step 1. Generate two large random and distinct primes’ p
mean the Scheme and notation presented above unless
and q of about the same bit size.
otherwise stated.
Step 2. Compute N = pq and  (N) = (p − 1)(q − 1).
Step 3. Select a random integer e, 1 < e <  (N) such that      In RSA Cryptosystem, the trapdoor one-way function is
e
gcd (e,  (N)) = 1.                                             the function m  m (mod N ) . Indeed, the above
Step 4. Use the extended Euclidean algorithm to compute         function can be easily computed but (as far as we know)
the unique integer d; 1 < d <  (N), such                       cannot be efficiently inverted without the knowledge of
1                                                   the trapdoor d. However, if one knows the decryption
that e  d (mod  ( N )) .                                      exponent d, then one can recover the plaintext m as
Step 5. A’s public key is (N, e), His private key is d.         follows:
End
Since e.d  1(mod  ( N )) , there exists an integer k
The integer’s e and d in RSA Key Generation are called
the encryption exponent and the decryption exponent             such that ed = 1+k  (N).Consider the following two
respectively while N is called the modulus.                     cases:
(a) gcd(m, p) = 1. Then by Fermat’s little theorem
Remark 1. In the above algorithm we have restricted the                              m p 1  1(mod p ) .
values of e, d to the interval [1,  (N)]. We just mention      If we raise both sides of this congruence to the power k
that this is the typical values for the keys e, d produced by   (q−1) and then multiply both sides by m we get
the key generation process. However, each entity A can             m1 k ( p 1)( q 1)  m(mod p )  m ed  m(mod p ) .
choose e, d >  (N) and the encryption and decryption                                              1 k ( p 1)( q 1)
(b) gcd (m, p) = p. Then m                              m(mod p)
processes       work       as     well     provided      that
holds trivially as both sides are equivalent 0modp. Thus
e.d  1(mod  ( N )) .                                                   ed
again m  m(mod p) .
Using the same arguments we can prove that
Algorithm 2: RSA Encryption                                                          m ed  m(mod q) .
Input: Public Key (N, e) and plaintext m.                       Finally the fact that p, q are distinct primes (which means
Output: Ciphertext c corresponding to plaintext m.              that gcd(p, q) = 1), along with the Chinese Remainder
Begin                                                           Theorem, yield that
B (the sender) should do the following:
m ed  m(mod N ) .
Step 1. Obtain A’s authentic public key (N, e).
Step 2. Represent the message he wants to send as an            and hence
integer m in the interval                                                      C d  (m e ) d  m(mod N ) .
[0, N....1].
e
Step 3. Compute c  m (mod N ) .
Step 4. Send the ciphertext c to A.                             3. COMPUTING D  FACTORING
End                                                             In this section we present a positive application of lattices
to the RSA Cryptosystem. by the term ”positive” we mean

Volume 1, Issue 4 November - December 2012                                                                           Page 116
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012                                    ISSN 2278-6856

an application that establishes the security of one RSA         Previous Results: The problem of the polynomial time
parameter. In particular, we present a result due to May        equivalence between computing d and factoring has been
[4] that establishes the deterministic polynomial time          well studied in the past. Two of the most interesting
equivalence between computing the RSA secret key and            previous results are:
Factoring.
While a successful attack against a cryptosystem is               1. Existence of probabilistic polynomial time reduction
sufficient to prove that the cryptosystem is not secure, any           between the above problems. A proof can be found
number of unsuccessful attacks does not suffice to                     in [7], pages 197-200] and in several other
prove that the cryptosystem is in fact secure. How can we              sources.
then establish that a cryptosystem is secure? In public-          2. Deterministic Polynomial Time equivalence under
Key Cryptography, where the encryption process is based                the Extended Riemann Hypothesis (ERH). The
on an one-way function that is hard to invert, security                equivalence is directly established if we assume
could be established if we could prove the polynomial                  the validity of the ERH and a result based on a
time equivalence between the problem of recovering the                 paper by Miller [5].
plaintext m from the ciphertext c without the knowledge
of the trapdoor and a well-known hard problem P,                The presentation is separated into two parts. We first
believed to be computationally intractable.                     present May’s result for balanced p, q and then a recent
It is not hard to see that RSA is directly related to the       generalization due to Coron and May [1] for unbalanced
problem of factoring the modulus N which is considered          p, q.
to be hard. Indeed, once we recover p, q; we can compute
 (N) = (p − 1)(q − 1) and consequently decrypt any             3.1 Balanced primes p, q
In his initial paper [4], May proved the equivalence
ciphertext c by computing the unique d     [0,  (N)] such
between computing d and factoring N under the following
that ed  1(mod  ( N )) . Thus, we could probably              two assumptions:
establish the security of RSA by proving that recovering        (a) ed  N and
2
e
the plaintext m from the ciphertext c  m (mod N )              (b) p, q are of the same bit size.
and the public key is polynomially time equivalent to
factoring the modulus N. This is a very important open          Assume w log that p < q. Then the second assumption
problem in Public-Key Cryptography.                             implies that
Alternatively we can content ourselves with proving that                      p  N 1/ 2  q  2 p  2N 1/ 2
recovering some secret information about RSA is
equivalent to factoring. For example computing the value        which gives the following inequalities
 (N) is equivalent to factoring the modulus N, since we
can both compute  (N) = (p − 1)(q − 1) if we know p, q                       p  q  3N 1 / 2 .                  (1)
and the factorization of N if we know the value      (N)       and
by solving the system                                                   (N) = N + 1 − (p + q) >N/2.               (2)

N = p.q                               The    last        inequality   is    directly   derived    from
 (N) = N − (p + q) + 1.                                          1/ 2
p  q  3N (for N  36).
In order to illustrate the underlying idea, we first give
In 2004, May [4] proved that computing the RSA secret           May’s theorem/proof for a slightly weaker theorem,
key d is deterministic polynomial time equivalent to                                                 3/ 2
where we assume that ed  N                 .
factoring. This result establishes the satisfaction of a very
fundamental requirement for a Public-Key Cryptosystem,
Theorem 1.
namely the hardness of recovering the secret key from
Let N = pq be the RSA-modulus, where p and q are of the
the public key. Indeed, the above result implies that an
same bitsize. Suppose we know integers e, d such that
efficient algorithm that recovers the secret key d from the
ed > 1 and
public key e can be transformed to an efficient algorithm
that factors N. This renders the existence of efficient                   ed  1(mod  ( N )) ; ed  N 3 / 2 .
algorithms that recover d impossible, provided that there       Then N can be factored in time polynomial in its bit size.
is no efficient algorithm that factors N.
However, the above result does not provide any security         In order to extend the above result to the case where
for the public-key cryptosystem itself since there might be      ed  1(mod  ( N )) , May uses Coppersmith’s result for
other ways to break the system without computing the            finding small solutions to bivariate integer equations.
secret key d.                                                   Here we restate the theorem for convenience.

Volume 1, Issue 4 November - December 2012                                                                              Page 117
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012                                    ISSN 2278-6856

Notice that in the ordinary case (algorithm 1), in
Theorem 2. (Coppersmith’s Theorem for Bivariate                                             *
fact e, d  Z  ( N ) . This strengthens the power of the
Integer Equations)
result proved by May. Of course, as stated in remark 1,
Let f(x, y) be an irreducible polynomial in two variables
the encryption and decryption processes work even if e, d
over Z, of maximum degree  in each variable                                                     *
separately. Let X, Y is upper bounds on the desired                           not belongs to Z        (N )   .
integer solution ( x 0 , y 0 ) . Let W be the absolute value of
3.2 Unbalanced primes p, q
the largest entry in the coefficient vector of f ( xX , yY ) ,                Shortly after May’s initial paper, Coron and May [1]
i
that is W  max i , j f i , j X Y
j
. If                              revisited the above problem. They provided an alternative
proof for theorem 3 using a variant of Coppersmith’s
XY  W 2 / 3                                         technique for finding small solutions to univariate
then in time polynomial in log W and 2 we can find
                 modular equations (instead of bivariate integer
equations).
all integer pairs ( x 0 , y 0 ) such that f ( x 0 , y 0 ) =0;                 Interestingly, Coron and May [15] proved that the
x 0  X and y 0  Y .                                                        equivalence between factoring and computing the secret
key d is still valid even if the requirement that p, q are
balanced is removed. In fact, they proved that factoring N
May’s main result is given by the following theorem.
given (e, d) becomes easier when the prime factors are
unbalanced. Their technique is similar to the technique
Theorem 3.                                                                    introduced by Durfee and Nguyen [3] in which two
Let N = pq be the RSA-modulus, where p and q are of the
separate variables x and y are used for the primes p and q
same bit size. Suppose we know integers e, d with ed > 1
2
respectively and each occurrence of x.y is replaced by N.
and ed  1(mod  ( N )) ; ed  N .                                            More specifically, they proved the following theorem.
Then N can be factored in time polynomial in its bit size.
Theorem 5.
Remark 3. Both previous results can be easily                                 Let  and 0    1 / 2 be real values, such that
generalized  for      the      case    where                                   2 (1   )  1 . Let N = pq, where p, q are primes such
p  q  poly (log N ) N 1 / 2 .                                                                           1
that p  N and q  2N            . Let e, d be such that
Indeed
(a) For the case where ed  N
3/ 2
, we only have to       ed  1(mod  ( N )) , and 0  e.d  N  . Then given
(N, e, d) one can recover the factorization of N in
examine         the                values k   i ,           for
deterministic polynomial time.
i  0,1,....2 poly (log N )  1 (polynomially
bounded by the bit size of N).                                       Remark 5. The factorization of N is easier when p, q are
2                          unbalanced in that the condition for the product e.d
(b) For the case where ed  N                          we just have to                                                       1/ 4
divide             the                                    interval   becomes weaker. Consider for example that p  N           .
[ N  poly (log N ) N 1 / 2 , N ]      into                          Plugging the value   1 / 4 in the inequality
2 (1   )  1 yields   8 / 3 . This means that the
2 poly (log N ) subintervals and run the                           proof of equivalence between computing d and factoring
algorithm for each subinterval.                                                                                                8/3
N can now tolerate values of the product e.d up to N
2
Remark 4. The above results can be summarized to the                          (instead of N ). Off course letting   1 / 2 (balanced
following interesting (from the cryptographic point of                        p, q) we get the same result as in the previous subsection
view) result.                                                                           2
( ed  N ).

Theorem 4.
Let N = pq be the RSA-modulus, where p and q are of the                       4. CONCLUSION
*                      We present RSA and a positive lattice related application
same bit size. Furthermore let e  Z  ( N ) be an RSA                        to it. By the term “positive” we mean an application that
public exponent. Suppose we have an algorithm that on                         establishes the security of one RSA parameter. More
input (N, e) outputs in deterministic polynomial time the                     specifically, we present a lattice-based method that
*
RSA secret exponent d  Z           (N )    satisfying                       establishes the deterministic polynomial time equivalence
ed  1(mod  ( N )) .                                        between computing the RSA secret exponent d and
factoring RSA modulus N.
Then N can be factored in deterministic polynomial time.

Volume 1, Issue 4 November - December 2012                                                                                   Page 118
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 4, November – December 2012                                    ISSN 2278-6856

REFERENCE
[1] Jean-Sebastien Coron and Alexander May,
”Deterministic Polynomial Time Equivalence of
Computing the RSA Secret Key and Factoring”.
Cryptology ePrint Archive, Report 2004/208, 2004.
http:// eprint.iacr.org/.
[2] Whitfield Diffie and Martin Hellman, ”New
directions in cryptography”. IEEE Transactions on
Information Theory, 22:644-654, 1976.
URL:http://cr.yp.to/bib/entries.html-1976/diffie.
[3]        Glenn Durfee and Phong Q. Nguyen,
”Cryptanalysis of the RSA Schemes with Short
Secret Exponent from Asiacrypt ’99”. In Tatsuaki
Okamoto, editor, ASIACRYPT, volume 1976 of
Lecture Notes in Computer Science, pp. 14-29.
Springer, 2000.
[4] Alexander May, ”Computing the RSA Secret Key
Is Deterministic Polynomial Time Equivalent to
Factoring”. In CRYPTO, pp. 213-219, 2004.
[5] Gary L. Miller, ”Riemann’s Hypothesis and tests
for primality”. In STOC ’75: Proceedings of seventh
annual ACM symposium on Theory of computing,
pp. 234-239, New York, USA, 1975. ACM Press.
[6] Ronald L. Rivest, Adi Shamir, and Leonard M.
Adleman, ”A Method for Obtaining Digital
Signatures       and     Public-Key   Cryptosystems”.
Commun. ACM, 21(2), pp.120-126, 1978.
[7] Douglas Stinson. ”Cryptography: Theory and
Practice, Second Edition”. CRC Press, Inc., Boca
Raton, FL, USA, 2002.

AUTHORS
and M.Phill degree in Mathematics Pt.
Ravishankar Shukla University, Raipur,
Chattigarh, India in 2002, 2004 and 2007.
She joined School of Studies in
Mathematics, Pt. Ravishnakra Shukla University, Raipur,
India for her Research work. She is a life time member of
Cryptology Research Society of India (CRSI). Her area of
interest is Public Key Cryptography and Integer
factorization Problem.

Birendra Kumar Sharma Professor,
School of Studies in Mathematics, Pt.
Ravishankar Shukla University Raipur (C.
G.) India. He has been working for long
time in the field of Non Linear Operator
Theory and currently in Cryptography. He and his
research scholars work on many branches of public key
cryptography. He is a life member of Indian Mathematical
Science and the Ramanujan Mathematical Society.

Volume 1, Issue 4 November - December 2012                                          Page 119

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 10 posted: 1/14/2013 language: pages: 5
Description: International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 1, Issue 4, November – December 2012, ISSN 2278-6856, Impact Factor of IJETTCS for year 2012: 2.524