

The RSA Assumption

Proposition 7.16 Given a polynomial time algorithm for computing square roots mod $n = pq$ there exists a probabilistic algorithm for factoring $n$ with polynomial expected running time.

Proof: Given a square $x^2 \bmod n$ there are exactly four square roots, $\pm x, \pm y \bmod n$. If we know $x$ and $y$ then

$(x - y)(x + y) = x^2 - y^2 = 0 \bmod n.$

Hence $pq$ divides $(x + y)(x - y)$. But we know that $x \neq \pm y \bmod n$ so either $p$ divides $x + y$ and $q$ divides $x - y$ or vice-versa. In either case we can easily find one of the prime factors of $n$ by calculating $\gcd(x + y, n)$ using Euclid's algorithm. We can then find the other prime factor by division.

So if we know two square roots $x$ and $y$ such that $x \neq \pm y \bmod n$ then we can factor $n$ easily.

We now describe a probabilistic algorithm for factoring $n$ given a polynomial time algorithm for computing square roots mod $n$. Let $A$ be the polynomial time algorithm for computing square roots mod $n$. Our factoring algorithm works as follows.

156 7 Public key cryptography

Input: an integer $n = pq$, with $p$ and $q$ prime
repeat
    $x \in_R \mathbb{Z}_n^*$
    $z \leftarrow x^2 \bmod n$
    $y \leftarrow A(z)$
    if $y \neq \pm x \bmod n$ then
        $s \leftarrow \gcd(x + y, n)$
        output $s, n/s$
end-repeat.

Clearly the probability of success on a single iteration is 1/2, since this is the probability that the algorithm $A$ returns a square root $y$ of $x^2 \bmod n$ that satisfies $y \neq \pm x \bmod n$. Hence this algorithm has polynomial expected running time. Moreover its output is the factorisation of $n$. □

The proof of Theorem 7.15 is based on the Miller–Rabin primality test (see Theorem 4.6). It gives a probabilistic algorithm which, when given the public and private RSA keys, will with high probability find a non-trivial square root of 1 (that is $c$ such that $c^2 = 1 \bmod n$ but $c \neq \pm 1 \bmod n$). As we saw in Proposition 7.16 this ability to find a non-trivial square root allows us to factor $n$ via Euclid's algorithm.

The proof also requires the Chinese Remainder Theorem (see Appendix 3, Theorem A3.5) and Lagrange’s Theorem (see Appendix 3, Theorem A3.1).

Proof of Theorem 7.15: Given the RSA keys $(n, e)$ and $d$ we know that $de = 1 \bmod (p - 1)(q - 1)$. Hence there exists an integer $a \geq 2$ and an odd integer $b$ such that $de - 1 = 2^a b$.

Our algorithm for factoring $n$ is as follows:

Input: RSA public and private keys: $(n, e)$ and $d$.
divide $de - 1$ by 2 to obtain $a, b$, with $b$ odd such that $de - 1 = 2^a b$.
repeat
    $x \in_R \mathbb{Z}_n$
    $c \leftarrow \gcd(x, n)$
    (∗) if $c \neq 1$ then $c$ is a prime factor of $n$ so output $c, n/c$
    $y \leftarrow x^b \bmod n$
    $i \leftarrow 1$
    while $i \leq a - 1$
        if $y^{2^i} \neq \pm 1 \bmod n$ and $y^{2^{i+1}} = 1 \bmod n$ then
            $c \leftarrow \gcd(y^{2^i} + 1, n)$
            (∗∗) output $c, n/c$
        $i \leftarrow i + 1$
    end-while
end-repeat

7.7 Finding the RSA private key and factoring 157

If the algorithm outputs at line (∗) then $c = p$ or $c = q$ so we have factored $n$. If the algorithm outputs at line (∗∗) then $y^{2^i}$ is a non-trivial square root of $1 \bmod n$. Hence $pq \mid (y^{2^i} - 1)(y^{2^i} + 1)$ but $pq$ does not divide $(y^{2^i} - 1)$ or $(y^{2^i} + 1)$ and so $\gcd(y^{2^i} + 1, n) = p$ or $\gcd(y^{2^i} + 1, n) = q$. Hence $c = p$ or $c = q$ and we have factored $n$.

We will show that with probability at least 1/2 we succeed during a single iteration of this algorithm. Since a single iteration of the algorithm can be performed in polynomial time this will imply that the algorithm has polynomial expected running time.

If the algorithm chooses $x \in_R \mathbb{Z}_n$ that is not coprime with $n$ then it outputs the factorisation of $n$ at line (∗). Thus we may suppose that $x \in_R \mathbb{Z}_n^*$.

Define the integer $t$ by

$t = \max\{\, 0 \leq s \leq a - 1 \mid \text{there exists } x \in \mathbb{Z}_n^* \text{ such that } x^{2^s b} \neq 1 \bmod n \,\}.$

Consider the set

$B_t = \{\, x \in \mathbb{Z}_n^* \mid x^{2^t b} = \pm 1 \bmod n \,\}.$

If we show that $B_t$ is a subgroup of $\mathbb{Z}_n^*$ then Lagrange's Theorem implies that $|B_t|$ divides $|\mathbb{Z}_n^*|$. If we also show that $B_t \neq \mathbb{Z}_n^*$ then $|B_t| < |\mathbb{Z}_n^*|$ (since $B_t \subseteq \mathbb{Z}_n^*$). From this we can deduce that $|B_t| \leq |\mathbb{Z}_n^*|/2$.

This then implies that for $x \in_R \mathbb{Z}_n^*$ we have $\Pr[x \notin B_t] = 1 - |B_t|/|\mathbb{Z}_n^*| \geq 1/2$ and hence $\Pr[x^{2^t b} \neq \pm 1 \bmod n] \geq 1/2$.

But by definition of $t$ we know that $x^{2^{t+1} b} = 1 \bmod n$ and so with probability at least 1/2 the algorithm outputs a factor of $n$ at line (∗∗).

It remains to show that $B_t$ is a subgroup of $\mathbb{Z}_n^*$ and $B_t \neq \mathbb{Z}_n^*$. To see that $B_t$ is a subgroup of $\mathbb{Z}_n^*$ is easy: (i) $1^{2^t b} = 1 \bmod n \implies 1 \in B_t$. (ii) $x \in B_t \implies (x^{-1})^{2^t b} = (\pm 1)^{-1} = \pm 1 \bmod n \implies x^{-1} \in B_t$. (iii) $x, y \in B_t \implies (xy)^{2^t b} = (\pm 1)(\pm 1) = \pm 1 \bmod n \implies xy \in B_t$.


So finally we simply need to show that $B_t \neq \mathbb{Z}_n^*$. To do this we need to find $w \in \mathbb{Z}_n^* \setminus B_t$.

By definition of $t$ there exists $z \in \mathbb{Z}_n^*$ such that $z^{2^t b} = v \neq 1 \bmod n$. If $v \neq -1$ then we are done, since $z \notin B_t$. So we may suppose $v = -1$. Now, by the Chinese Remainder Theorem, there exists $w \in \mathbb{Z}_n^*$ such that

$w = z \bmod p, \quad w = 1 \bmod q.$

We will show that $w \notin B_t$. Clearly

$w^{2^t b} = z^{2^t b} = -1 \bmod p, \quad w^{2^t b} = 1^{2^t b} = 1 \bmod q.$

But this implies that $w^{2^t b} \neq \pm 1 \bmod n$ since

$w^{2^t b} = 1 \bmod n \implies w^{2^t b} = 1 \bmod p \text{ and } w^{2^t b} = 1 \bmod q;$

$w^{2^t b} = -1 \bmod n \implies w^{2^t b} = -1 \bmod p \text{ and } w^{2^t b} = -1 \bmod q.$

Hence $w^{2^t b} \neq \pm 1 \bmod n$ and so $w \notin B_t$, as required. □

The following deterministic version of this result was given by May (2004).
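Both algorithms of this section, the square-root reduction of Proposition 7.16 and the key-to-factorisation algorithm of Theorem 7.15, as an added Python example that is not from the book. It generalises the Theorem 7.15 loop slightly by starting the squaring chain at $y = x^b$ itself rather than at $y^2$, so the case $t = 0$ is covered too; the function `sqrt_mod_n` passed in stands in for the hypothetical algorithm $A$, and the small key $(n, e, d) = (3233, 17, 2753)$ used for testing is a constructed toy value.

```python
import math
import random


def split_power_of_two(m):
    """Write m = 2^a * b with b odd and return (a, b)."""
    a = 0
    while m % 2 == 0:
        a += 1
        m //= 2
    return a, m


def factor_from_private_key(n, e, d, seed=None, max_iters=10_000):
    """Theorem 7.15: recover (p, q) from an RSA key (n, e) and its private exponent d."""
    rng = random.Random(seed)               # seed only for reproducible tests
    a, b = split_power_of_two(d * e - 1)    # de - 1 = 2^a b with b odd
    for _ in range(max_iters):
        x = rng.randrange(2, n)             # x chosen at random from Z_n
        c = math.gcd(x, n)
        if c != 1:                          # line (*): x not coprime to n
            return tuple(sorted((c, n // c)))
        y = pow(x, b, n)                    # y = x^b mod n
        if y in (1, n - 1):                 # chain y, y^2, ... is trivial
            continue
        for _ in range(a):                  # y^{2^a} = x^{de-1} = 1 mod n
            y_sq = pow(y, 2, n)
            if y_sq == 1:                   # y is a non-trivial square root of 1
                c = math.gcd(y + 1, n)      # line (**)
                return tuple(sorted((c, n // c)))
            if y_sq == n - 1:               # next square is 1 trivially; retry
                break
            y = y_sq
    raise RuntimeError("no factor found within max_iters")


def factor_from_square_roots(n, sqrt_mod_n, seed=None, max_iters=10_000):
    """Proposition 7.16: factor n given any algorithm A (sqrt_mod_n) that
    returns some square root of its input modulo n."""
    rng = random.Random(seed)
    for _ in range(max_iters):
        x = rng.randrange(2, n)
        if math.gcd(x, n) != 1:
            continue                        # stay inside Z_n^*
        y = sqrt_mod_n(pow(x, 2, n)) % n    # y = A(z) with z = x^2 mod n
        if y != x and y != n - x:           # y != +-x mod n: the useful case
            s = math.gcd(x + y, n)
            return tuple(sorted((s, n // s)))
    raise RuntimeError("no factor found within max_iters")
```

The test oracle below brute-forces the smallest square root, which is only possible for a toy modulus; the point is that any root-finder independent of the caller's choice of $x$ suffices.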

Theorem 7.17 If n= pq is an RSA public modulus and p, q have the same