
Integer Factorization and RSA


Part of the book series: Undergraduate Texts in Mathematics ((UTM))

Abstract

The Diffie–Hellman key exchange method and the Elgamal public key cryptosystem studied in Sects. 2.3 and 2.4 rely on the fact that it is easy to compute powers \(a^{n}\bmod p\), but difficult to recover the exponent n if you know only the values of a and \(a^{n}\bmod p\). An essential result that we used to analyze the security of Diffie–Hellman and Elgamal is Fermat’s little theorem (Theorem 1.24),

$$a^{p-1} \equiv 1 \pmod p \qquad \text{for all } a \not\equiv 0 \pmod p.$$


Notes

  1. In the great courthouse of mathematics, witnesses never lie!

  2. Unfortunately, although this deduction seems reasonable, it is not quite accurate. In the language of probability theory, we need to compute the conditional probability that n is composite given that the Miller–Rabin test fails 10 times, whereas what we know is the conditional probability that the Miller–Rabin test succeeds at least 75 % of the time given that n is composite. See Sect. 5.3.2 for a discussion of conditional probabilities and Exercise 5.175 for a derivation of the correct formula, which says that the probability \((25\,\%)^{10}\) must be multiplied by approximately ln(n).

  3. The Riemann hypothesis is another of the $1,000,000 Millennium Prize problems.

  4. We have assumed that \(p \nmid a\) and \(q \nmid a\), since if p and q are very large, this will almost certainly be the case. Further, if by some chance \(p \mid a\) and \(q \nmid a\), then we can recover p as p = gcd(a, N).

  5. Stirling’s formula says more precisely that \(\ln (n!) = n\ln (n) - n + \frac{1} {2}\ln (2\pi n) + O(1/n)\).

  6. Why do we start with a = 3129? The answer is that unless \(a^{2}\) is larger than N, there is no reduction modulo N in \(a^{2}\bmod N\), so we cannot hope to gain any information. The value 3129 comes from the fact that \(\sqrt{N} = \sqrt{9788111} \approx 3128.6\).

  7. Note: Big-Ω notation as used by computer scientists and cryptographers does not mean the same thing as the big-Ω notation of mathematicians. In mathematics, especially in the field of analytic number theory, the expression \(f(n) =\varOmega {\bigl ( g(n)\bigr )}\) means that there is a constant c such that there are infinitely many integers n with \(f(n) \geq c\,g(n)\). In this book we use the computer science definition.

  8. In practice, when N is large, the t values used in the quadratic sieve are close enough to \(\sqrt{N}\) that the value of \(t^{2} - N\) is between 1 and N. For our small numerical example this is not the case, so it would be more efficient to reduce our values of \(t^{2}\) modulo N rather than merely subtracting N from \(t^{2}\). However, since our aim is illumination, not efficiency, we will pretend that there is no advantage to subtracting additional multiples of N from \(t^{2} - N\).

  9. Looking back at the congruences (3.23), you may have noticed that it is even easier to use the fact that \(15^{2}\) is itself congruent to a square modulo 221, yielding \(\gcd (15 - 2, 221) = 13\). In practice, the true power of the quadratic sieve appears only when it is applied to numbers much too large to use in a textbook example.

  10. Proposition 3.61 deals only with the case that \(p \nmid a\) and \(p \nmid b\). But if p divides a or b, then p also divides ab, so both sides of (3.33) are zero.

  11. If you don’t believe that p and q are prime, use Miller–Rabin (Table 3.2) to check.

  12. Goldwasser and Micali were not the first to use the problem of squares modulo pq for cryptography. Indeed, an early public key cryptosystem due to Rabin that is provably secure against chosen plaintext attacks (assuming the hardness of factorization) relies on this problem.

  13. The concatenation of two bit strings is formed by placing the first string before the second string. For example, \(1101 \| 1001\) is the bit string 11011001.
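As an added worked example (not code from the book), the following Python carries out the two factoring ideas behind notes 6, 8 and 9: Fermat's difference-of-squares search starting at a = 3129 for N = 9788111, and the congruent-squares step x² ≡ y² (mod N) ⇒ gcd(x − y, N) for N = 221. The factor base {2, 3, 5, 7} and the particular t values passed in are assumptions chosen to fit the N = 221 example.

```python
from math import gcd, isqrt

def fermat_factor(N):
    """Try a = ceil(sqrt(N)), ceil(sqrt(N)) + 1, ... until a^2 - N is a square b^2,
    so that N = (a - b)(a + b).  Returns (a - b, a + b, number of a values tried)."""
    a = isqrt(N)
    if a * a < N:
        a += 1                      # smallest a with a^2 >= N (3129 for N = 9788111)
    steps = 0
    while True:
        steps += 1
        b2 = a * a - N
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, steps
        a += 1

FACTOR_BASE = [2, 3, 5, 7]          # assumed factor base for the toy N = 221 example

def exponents(m, base):
    """Exponent vector of m over the factor base, or None if m is not base-smooth."""
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None

def congruent_squares(N, ts, base=FACTOR_BASE):
    """Given t values whose t^2 - N are base-smooth and multiply to a square, return
    x = prod(t) mod N, y = sqrt(prod(t^2 - N)) mod N, and the candidate factor gcd(x - y, N)."""
    vecs = []
    for t in ts:
        v = exponents(t * t - N, base)     # N subtracted only once, as in note 8
        if v is None:
            raise ValueError(f"{t}^2 - {N} is not smooth over {base}")
        vecs.append(v)
    sums = [sum(v[i] for v in vecs) for i in range(len(base))]
    if any(s % 2 for s in sums):           # a square needs every exponent sum even
        raise ValueError("product of the t^2 - N values is not a perfect square")
    x = 1
    for t in ts:
        x = x * t % N
    y = 1
    for p, s in zip(base, sums):
        y = y * pow(p, s // 2, N) % N
    return x, y, gcd(x - y, N)
```

For N = 221, `congruent_squares(221, [15])` is the shortcut of note 9 (15² − 221 = 4 = 2²), while `congruent_squares(221, [16, 19])` combines two non-square relations, 35 = 5·7 and 140 = 2²·5·7, into the square 70².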


Copyright information

© 2014 Springer Science+Business Media New York


Cite this chapter

Hoffstein, J., Pipher, J., Silverman, J.H. (2014). Integer Factorization and RSA. In: An Introduction to Mathematical Cryptography. Undergraduate Texts in Mathematics. Springer, New York, NY. https://doi.org/10.1007/978-1-4939-1711-2_3
