6. One-Way Functions and the Basic Assumptions
6.4 Modular Powers
Let $I := \{(n, e) \mid n = pq,\ p \ne q \text{ primes},\ 0 < e < \varphi(n),\ e \text{ prime to } \varphi(n)\}$. The family
$\mathrm{RSA} := (\mathrm{RSA}_{n,e} : \mathbb{Z}_n^* \longrightarrow \mathbb{Z}_n^*,\ x \longmapsto x^e)_{(n,e) \in I}$ is called the RSA family.
Consider an $(n, e) \in I$, and let $d \in \mathbb{Z}_{\varphi(n)}^*$ be the inverse of $e \bmod \varphi(n)$. Then we have $x^{ed} = x^{ed \bmod \varphi(n)} = x$ for $x \in \mathbb{Z}_n^*$, since $x^{\varphi(n)} = 1$ (see Proposition A.25). This shows that $\mathrm{RSA}_{n,e}$ is bijective and that the inverse function is also an RSA function, namely $\mathrm{RSA}_{n,d} : \mathbb{Z}_n^* \longrightarrow \mathbb{Z}_n^*,\ x \longmapsto x^d$.
5 Actually, $\varphi(x)$ is much closer to $x$. It can be shown that $\varphi(x) > x / (6 \log(|x|))$ (see
$\mathrm{RSA}_{n,e}$ can be computed by modular exponentiation, an efficient algorithm. $d$ can be easily computed by the extended Euclidean algorithm A.5, if $\varphi(n) = (p-1)(q-1)$ is known. No algorithm to compute $\mathrm{RSA}_{n,e}^{-1}$ in polynomial time is known, if $p$, $q$ and $d$ are kept secret. We call $d$ (or $p$, $q$) the trapdoor information for the RSA function.
All known attacks to break RSA, if implemented by an efficient algorithm, would deliver an efficient algorithm for factoring $n$. All known factoring algorithms have exponential running time. Therefore, it is widely believed that RSA cannot be efficiently inverted. The following assumption makes this more precise.
Definition 6.7. Let $I_k := \{(n, e) \in I \mid n = pq,\ |p| = |q| = k\}$, with $k \in \mathbb{N}$, and let $Q(X) \in \mathbb{Z}[X]$ be a positive polynomial. Let $A(n, e, y)$ be a probabilistic polynomial algorithm. Then there exists a $k_0 \in \mathbb{N}$, such that

$\mathrm{prob}(A(n, e, y) = \mathrm{RSA}_{n,d}(y) : (n, e) \xleftarrow{u} I_k,\ y \xleftarrow{u} \mathbb{Z}_n^*) \le \frac{1}{Q(k)}$ for $k \ge k_0$.

This is called the RSA assumption.
Remarks:
1. The assumption states the one-way property of the RSA family. The algorithm $A$ models an adversary, who tries to compute $x = \mathrm{RSA}_{n,d}(y)$ from $y = \mathrm{RSA}_{n,e}(x) = x^e$ (in $\mathbb{Z}_n^*$) without knowing the trapdoor information $d$. By using Proposition 6.3, we may interpret the RSA assumption in an analogous way to the discrete logarithm assumption (Definition 6.1). The fraction of keys $(n, e)$ in $I_k$, for which the adversary $A$ has a significant chance to succeed, is negligibly small if the security parameter $k$ is sufficiently large.
2. $\mathrm{RSA}_{n,e}$ is bijective, and its range and domain coincide. Therefore, we also speak of a family of one-way permutations (or a family of trapdoor permutations).
3. Here and in what follows, we restrict the key set $I$ of the RSA family and consider only those functions $\mathrm{RSA}_{n,e}$, where $n = pq$ is the product of two primes of the same binary length. Instead, we could also define a stronger version of the assumption, where $I_k$ is the set of pairs $(n, e)$ with $|n| = k$ (the primes may have different length). However, our statement is closer to normal practice. To generate keys with a given security parameter $k$, usually two primes of length $k$ are chosen and multiplied.
4. The RSA problem – computing $x$ from $x^e$ – is random self-reducible (see the analogous remark on the discrete logarithm problem on p. 154). Stating the RSA assumption as above, we assume that the set $I$ of keys can be uniformly sampled by an efficient algorithm.
Proposition 6.8. There is a probabilistic polynomial uniform sampling algorithm for $I = (I_k)_{k \in \mathbb{N}}$, which on input $1^k$ yields a key $(n, e) \in I_k$ along with the trapdoor information $(p, q, d)$.
Proof. Above (see the examples after Lemma 6.5), we saw that $\mathrm{Primes}_k$ can be uniformly sampled by a probabilistic polynomial algorithm. Thus, there is a probabilistic polynomial uniform sampling algorithm for
$(X_k := \{n = pq \mid p, q \text{ distinct primes},\ |p| = |q| = k\} \times \{0,1\}^{2k})_{k \in \mathbb{N}}$. In the proof of Proposition 6.6, we observed that $|x| \cdot \varphi(x) \ge x$, and we immediately conclude that

$|\mathbb{Z}_{\varphi(n)}^*| = \varphi(\varphi(n)) \ge \frac{\varphi(n)}{|\varphi(n)|} \ge \frac{n}{|n| \cdot |\varphi(n)|} \ge \frac{n}{4k^2} \ge \frac{2^{2k-2}}{4k^2} = \frac{2^{2k}}{16k^2}.$

Thus, we can apply Lemma 6.5 to $Y_k := I_k \subseteq X_k$ and obtain the desired sampling algorithm. It yields $(p, q, e)$. The inverse $d$ of $e$ in $\mathbb{Z}_{\varphi(n)}^*$ can be computed using the extended Euclidean algorithm (Algorithm A.5). $\square$
Remarks:
1. The uniform sampling algorithm for $(I_k)_{k \in \mathbb{N}}$ which we derived in the proof of Proposition 6.8 is constructed by the method given in Lemma 6.5. Thus, it chooses triples $(p, q, e)$ uniformly and then tests whether $e < \varphi(n) = (p-1)(q-1)$ and whether $e$ is prime to $\varphi(n)$. If this test fails, a new triple $(p, q, e)$ is selected. It would be more natural and more efficient to first choose a pair $(p, q)$ uniformly, and then, with $n = pq$ fixed, to choose an exponent $e$ uniformly from $\mathbb{Z}_{\varphi(n)}^*$. Then, however, the statistical distance between the distribution of the elements $(n, e)$ and the uniform distribution is not negligible. The sampling algorithm is not uniform. Note that even for fixed $k$, there is a rather large variance of the cardinalities $|\mathbb{Z}_{\varphi(n)}^*|$. Nevertheless, this more natural sampling algorithm is an admissible key generator for the RSA family; i.e., the one-way condition is preserved if the keys are sampled by it (see Definition 6.13, of admissible key generators, and Exercise 1).
An analogous remark applies to the sampling algorithm given in the proof of Proposition 6.6.
2. We can generate the primes $p$ and $q$ by uniformly selecting numbers of length $k$ and testing their primality by using a probabilistic prime number test (see the examples after Lemma 6.5). There are also other very efficient algorithms for the generation of uniformly distributed primes (see, e.g., [Maurer95]).
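As an added illustration (not code from the book), the "more natural" key generator of Remark 1 in Python: $p$ and $q$ are sampled uniformly among $k$-bit numbers and tested with a probabilistic primality test (Remark 2), then $e$ is chosen uniformly from $\mathbb{Z}_{\varphi(n)}^*$ and $d$ is computed as its inverse modulo $\varphi(n)$; the final check confirms that $\mathrm{RSA}_{n,d}$ inverts $\mathrm{RSA}_{n,e}$. The function names are my own.

```python
import random
from math import gcd

def is_probable_prime(m, rounds=32):
    """Miller-Rabin test; a composite passes all rounds with probability <= 4**(-rounds)."""
    if m < 4:
        return m in (2, 3)
    if m % 2 == 0:
        return False
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, m - 1)
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def random_prime(k):
    """Uniform prime of binary length exactly k: sample odd k-bit numbers until one passes the test."""
    while True:
        cand = random.randrange(2 ** (k - 1), 2 ** k) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(k):
    """Key generator of Remark 1: choose (p, q) first, then e uniformly from Z*_phi(n)."""
    p = random_prime(k)
    q = random_prime(k)
    while q == p:
        q = random_prime(k)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = random.randrange(2, phi)     # 1 < e < phi(n); e = 1 is excluded as useless
        if gcd(e, phi) == 1:             # e must be prime to phi(n)
            break
    d = pow(e, -1, phi)                  # inverse of e mod phi(n) (extended Euclid; Python >= 3.8)
    return (n, e), (p, q, d)             # public key and trapdoor information

def rsa(n, exp, x):
    """RSA_{n,exp}(x) = x^exp in Z_n^*, by modular exponentiation."""
    return pow(x, exp, n)
```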
6.5 Modular Squaring
Let $I := \{n \mid n = pq,\ p, q \text{ distinct prime numbers},\ |p| = |q|\}$. The family
$\mathrm{Sq} := (\mathrm{Sq}_n : \mathbb{Z}_n^* \longrightarrow \mathbb{Z}_n^*,\ x \longmapsto x^2)_{n \in I}$
is called the Square family.6 $\mathrm{Sq}_n$ is neither injective nor surjective. If $\mathrm{Sq}_n^{-1}(x) \ne \emptyset$, then $|\mathrm{Sq}_n^{-1}(x)| = 4$ (see Proposition A.62).
Modular squaring can be done efficiently. Square roots modulo $p$ are computable by a probabilistic polynomial algorithm if $p$ is a prime number (see Algorithm A.61). Applying the Chinese Remainder Theorem (Theorem A.29), it is then easy to derive an efficient algorithm that computes square roots in $\mathbb{Z}_n^*$ if $n = pq$ ($p$ and $q$ are distinct prime numbers) and if the factorization of $n$ is known.
Conversely, given an efficient algorithm for computing square roots in $\mathbb{Z}_n^*$, an efficient algorithm for the factorization of $n$ can be derived (see Proposition A.64).
All known factoring algorithms have exponential running time. Therefore, it is widely believed that the factors of $n$ (or, equivalently, square roots modulo $n$) cannot be computed efficiently. We make this statement more precise by the following assumption.
Definition 6.9. Let $I_k := \{n \in I \mid n = pq,\ |p| = |q| = k\}$, with $k \in \mathbb{N}$, and let $Q(X) \in \mathbb{Z}[X]$ be a positive polynomial. Let $A(n)$ be a probabilistic polynomial algorithm. Then there exists a $k_0 \in \mathbb{N}$, such that

$\mathrm{prob}(A(n) = p : n \xleftarrow{u} I_k) \le \frac{1}{Q(k)}$ for $k \ge k_0$.

This is called the factoring assumption.
Stating the factoring assumption, we again assume that the set $I$ of keys may be uniformly sampled by an efficient algorithm.
Proposition 6.10. There is a probabilistic polynomial uniform sampling algorithm for $I = (I_k)_{k \in \mathbb{N}}$, which on input $1^k$ yields a number $n \in I_k$, along with its factors $p$ and $q$.
Proof. The algorithm chooses at random integers $p$ and $q$ with $|p| = |q| = k$, and applies a probabilistic primality test (see Appendix A.8) to check whether $p$ and $q$ are prime. By repeating the probabilistic primality test sufficiently often, we can, with a probability $> 1 - 2^{-k}$, correctly test the primality of an element $x \in \{0,1\}^k$. This sampling algorithm is uniform (Lemma 6.5). $\square$

6 As above in the RSA family, we only consider moduli $n$ which are the product of two primes of equal binary length; see the remarks after the RSA assumption (Definition 6.7).

Restricting the range and the domain to the set $\mathrm{QR}_n$ of squares modulo $n$ (called the quadratic residues modulo $n$, see Definition A.48), the modular squaring function can be made bijective in many cases. Of course, each $x \in \mathrm{QR}_n$ has a square root. If $p$ and $q$ are distinct primes with $p, q \equiv 3 \bmod 4$ and $n := pq$, then exactly one of the four square roots of $x \in \mathrm{QR}_n$ is an element in $\mathrm{QR}_n$ (see Proposition A.66). Taking as key set
$I := \{n \mid n = pq,\ p, q \text{ distinct prime numbers},\ |p| = |q|,\ p, q \equiv 3 \bmod 4\}$,
we get a family
$\mathrm{Square} := (\mathrm{Square}_n : \mathrm{QR}_n \longrightarrow \mathrm{QR}_n,\ x \longmapsto x^2)_{n \in I}$
of bijective functions, also called the Square family. Since the range and domain are the same set, we speak of a family of permutations. The family of inverse maps is denoted by
$\mathrm{Sqrt} := (\mathrm{Sqrt}_n : \mathrm{QR}_n \longrightarrow \mathrm{QR}_n)_{n \in I}$.
$\mathrm{Sqrt}_n$ maps $x$ to the square root of $x$ which is an element of $\mathrm{QR}_n$.
The same considerations as those on $\mathrm{Sq}_n : \mathbb{Z}_n^* \longrightarrow \mathbb{Z}_n^*$ above show that $\mathrm{Square}_n$ is efficiently computable, and that computing $\mathrm{Sqrt}_n$ is equivalent to factoring $n$. Square is a family of trapdoor permutations with trapdoor information $p$ and $q$.
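As an added example (not the book's code), $\mathrm{Square}_n$ and the trapdoor inverse $\mathrm{Sqrt}_n$ for the key set above, in Python: for a prime $p \equiv 3 \bmod 4$ a square root of a square $x$ is $x^{(p+1)/4} \bmod p$, the root that is itself a residue modulo $p$ and modulo $q$ is selected, and the two are combined by the Chinese Remainder Theorem. The primes $p = 47$, $q = 59$ are constructed small so that $\mathrm{QR}_n$ can be enumerated and the permutation property checked exhaustively; all function names are my own.

```python
from math import gcd

def is_qr_mod_prime(x, p):
    """Euler's criterion: x in Z_p^* is a square mod p iff x^((p-1)/2) = 1 mod p."""
    return pow(x, (p - 1) // 2, p) == 1

def square(n, x):
    """Square_n(x) = x^2 mod n (the same map as Sq_n on all of Z_n^*)."""
    return x * x % n

def quadratic_residues(p, q):
    """QR_n for n = pq, by brute force (only feasible for the small constructed primes)."""
    n = p * q
    return {square(n, x) for x in range(1, n) if gcd(x, n) == 1}

def crt(rp, rq, p, q):
    """Chinese Remainder Theorem: the r mod pq with r = rp mod p and r = rq mod q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sqrt_qr(p, q, x):
    """Sqrt_n(x): the unique square root of x in QR_n, using the trapdoor p, q (both 3 mod 4)."""
    assert p % 4 == 3 and q % 4 == 3 and p != q
    n = p * q
    assert gcd(x, n) == 1 and is_qr_mod_prime(x, p) and is_qr_mod_prime(x, q), "x not in QR_n"
    # For a prime p = 3 mod 4, x^((p+1)/4) is a square root of the square x mod p.
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    # -1 is a non-residue mod such a prime, so exactly one of +r, -r is itself a square;
    # the root lying in QR_n is the one that is a square both mod p and mod q.
    if not is_qr_mod_prime(rp, p):
        rp = p - rp
    if not is_qr_mod_prime(rq, q):
        rq = q - rq
    return crt(rp, rq, p, q)

def check_square_family(p, q):
    """Check that Sqrt_n permutes QR_n and that Square_n composed with Sqrt_n is the identity."""
    n = p * q
    qr = quadratic_residues(p, q)
    roots = {sqrt_qr(p, q, x) for x in qr}
    return roots == qr and all(square(n, sqrt_qr(p, q, x)) == x for x in qr)
```

Note that for $n = 47 \cdot 59$ the element $2$ is not in $\mathrm{QR}_n$ (it is a non-residue modulo 59), so $\mathrm{Sqrt}_n(4)$ is not $2$ but the other root that lies in $\mathrm{QR}_n$.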