SlideShare a Scribd company logo
1 of 42
Download to read offline
Computing the Square Roots of Unity to
break RSA using Quantum Algo
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
Goal
● Break RSA using Peter Shor’s quantum algorithm
○ But, we will not look into Quantum Computing
○ We will find the square roots of unity on a classical computer
● Investigate the square root of unity (i.e., sqrt(1)) in a Finite Group
○ Algorithm 1: Naïve/Bruteforce
○ Algorithm 2: Random Search
○ Algorithm 3: Peter Shor’s period calculation algorithm
○ Algorithm 4: Our little tweaks of Peter Shor’s period function (bounded search)
3
Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
4
Agenda
● Mathematical foundation/facts
● Brief overview of RSA
● Different algorithms to find the square roots of unity (in a finite group)
● Demos of finding the square roots of unity to factor composite numbers
● Conclusion
5
6
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
7
How can Bob send a message to Alice securely?
8
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
9
RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
10
RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
● In practice, some random padding is used (not relevant for this presentation)
11
RSA Trapdoor variables’ dependency graph
12
Private variable
Public variable
Note: If we can factor n and find p and q, then private keys are open to the world
What are the square roots of unity in Z?
● 1 and -1 are the two square roots of one because (±1)2
= 1
● This is true only if we work in the infinite set of integers Z
● In Cryptography, we often work with finite groups
● There are other non-trivial roots of unity other than ±1 in Z*
n
13
Square roots of unity in a finite group Z*
n
Consider this tiny multiplicative group Z*15
= {1, 2, 4, 7, 8, 11, 13, 14}
The square roots of unity are 1, 4, 11, and 14
Note that 14 ≡ -1 mod 15 (basically -1 is the same as 14)
But, we have two other roots 4 and 11 of unity (e.g., 4*4 = 1 mod 15)
1 and 14 are trivial roots of unity, whereas 4 and 11 are non-trivial roots of unity
Fact: Let n = pq, where p and q are odd primes, then there are four roots of unity
14
Algorithm: Factor n using the square roots of unity
Problem: Given a composite number n and sqrt(1), find the factors p and q of n
Let x be a square root of 1, then x2
= 1 (mod n)
Thus, x2
- 1 = 0 (mod n) ⇒ (x+1)(x-1) = 0 (mod n)
This means that n divides (x+1)(x-1)
If (x+1) and (x-1) are not multiples of n, then the factors of n are the following:
p = gcd(x+1, n) or gcd(x-1, n); q = n/p
15
Toy example: Let’s factor n = 15 using Z*15
Z*15
= {1, 2, 4, 7, 8, 11, 13, 14}
Since 4 and 11 are square roots of unity, we can use one of them to factor n
Let x = 4
x2
= 1 (mod 15)
(x+1)(x-1) = 0 (mod 15)
Factor p = gcd(x+1, 15) = gcd(5, 15) = 5; Factor q = n/p = 15/5 = 3
16
Factoring n using the square roots of unity ...
If we can find the non-trivial square roots on n, then we can factor n
Let’s investigate how easy it is to find the sqrt(1) in a finite multiplicative group
Four different algorithms to find the sqrt(1):
1. Bruteforce/Naive
2. Random Search
3. Peter Shor’s Quantum Algorithm
4. Our little tweaks of Shor’s algorithm
17
Algorithm 1: Naïve sqrt(1) in Zn
*
Step 1: x = 0
Step 2: if(x < n) goto step 3; otherwise goto step 5
Step 3: if(x2
= 1 mod n) then x is a square root of one.
Step 4: x = x + 1. goto step 2.
Step 5: End.
18
19
~/crypto/RSA$ java SqrtOneNaive 2086784737
Input bit length = 31
Sqrt(n) = 45681
sqrt(1) = 1 bit length = 1
sqrt(1) = 530886943 bit length = 29
sqrt(1) = 1555897794 bit length = 31
sqrt(1) = 2086784736 bit length = 31
Note: sqrt(n) is only 45681, but sqrt(1) can be the same bit length as n
(See the Appendix for the source code of Sqrt(1) naïve method)
Algorithm 1: Find the sqrt(1) in the group Z*2086784737
Algorithm 1: Analysis of the naïve algorithm
● The naïve algorithm is simple to understand and implement
● However, it is very slow because we enumerate all numbers of the group Zn
● If n is a 2048-bit composite number, this algorithm will perform 22048
iterations
● In other words, it will take several billion years to calculate sqrt(1)
20
Algorithm 2: Random search to find sqrt(1) in Zn
*
Step 1: Pick a random x from Zn
Step 2: if(x = ± 1 mod n) then goto step 1
Step 3: if(x2
= 1 mod n) then x is a sqrt(1) goto step 4; else step 1
Step 4: End.
21
22
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649
sqrt(1) = 43738
Number of random tries = 236
ddharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649
sqrt(1) = 43738
Number of random tries = 82005
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649
sqrt(1) = 43738
Number of random tries = 167572
Algorithm 2: Find the sqrt(1) in the group Z*45649
23
Algorithm 2: Analysis of Random Search Algo
● The random algorithm can find the square roots of one (for “small” n)
● But, it just needs a lots of tries to find a needle in the haystack
● In general, the number of tries is the size of the input composite number
● Random search is not able to find sqrt(1) for very large input n
24
25
Algorithm 3: Peter Shor’s Algorithm (core idea)
● To find an x such that x2
= 1 (mod n), we compute f(x) = ax
mod n, random a
● Fact: Every element of a finite group generates a cyclic subgroup
● In other words, the function f(x) is the same as the cyclic subgroup <a>
● Thus, f(r) = 1 mod n for some r; equivalently, ar
= 1 mod n for some r
● Once we find such an r, (ar/2
)2
= 1 mod n; (if r is even, the hacker is lucky)
● Thus, ar/2
is the sqrt(1); we know how to factor n once the sqrt(1) is exposed!
Algorithm 3: Finding the period r of the function f(x)
26
x f(x) = ax
mod n
0 a0
mod n
1 a1
mod n
2 a2
mod n
r ar
mod n = 1
● Peter Shor uses quantum computing
to find the period r of the function f(x)
● We implemented this function on my
classical computer (my laptop)
● Just to better understand the inner
beauty of this algorithm
27
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 1330
sqrt(1) = 1911
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 4522
sqrt(1) = 43738
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 22610
sqrt(1) = 1911
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 22610
sqrt(1) = 1911
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 4522
sqrt(1) = 1911
~/crypto/RSA$ java -ea SqrtOneShor 45649
period = 22610
sqrt(1) = 43738
28
~/crypto/RSA$ time java -ea SqrtOneShor 1421727721
period = 236941974
Sqrt(1) = 521638680
real 0m47.429s
user 0m47.100s
sys 0m0.288s Period is very large
29
~/crypto/RSA$ java FactorShor 45649
period = 22610
p = 191
q = 239
~/crypto/RSA$ java FactorShor 45649
period = 170
p = 239
q = 191
~/crypto/RSA$ java FactorShor 45649
period = 3230
p = 239
q = 191
Algorithm 3: Factor a small number n = 45649
30
Algorithm 3: Analysis of the period of f(x) = ax
mod n
● The above set of runs shows that the period of f(x) can be very large
○ Thus, we cannot apply this algorithm to find sqrt(1) for a large group Zn
used in RSA
● Remember, we are running the algorithm on a classical computer
● It is good to play with this algorithm on a classical computer to understand it
● Algorithm 4 talks about some little tweaks of Algorithm 3
Algorithm 4: Let’s tweak Peter Shor’s algorithm
What if we put a bound b on the period r?
Step 1: Initialize bound b (e.g., b = n1/2
, n1/4
, etc.), r = 0, success = false
Step 2: Pick a random a from Zn
*
Step 3: if 0 ≤ r ≤ b goto step 4; otherwise goto step 7
Step 4: Compute f(r) = ar
mod n
Step 5: If f(r) != 1 then r = r+1 and goto step 3
Step 6: If r is even, then success = true; otherwise goto step 2
Step 7: If success = true, we found the period r; otherwise goto step 2
31
32
~/crypto/RSA$ time java -ea SqrtOneShor 1421727721
period = 33738
sqrt(1) = 521638680
real 0m45.786s
user 0m45.510s
sys 0m0.244s
Algorithm 4: bound = n1/2
33
~/crypto/RSA$ time java -ea SqrtOneShor 1421727721
period = 18
Square root of one = 521638680
real 6m14.713s
user 6m12.706s
sys 0m1.759s
Algorithm 4: bound = n1/4
34
~/crypto/RSA$ time java -ea SqrtOneShor 1421727721
period = 18
Square root of one = 521638680
real 2m29.435s
user 2m28.400s
sys 0m0.936s
Algorithm 4: bound = n1/6
35
~/crypto/RSA$ time java -ea SqrtOneShor 1421727721
period = 6
Square root of one = 900089041
real 2m31.106s
user 2m29.703s
sys 0m1.304s
Algorithm 4: bound = n1/8
Amazing, we found a cyclic subgroup of order 6
Algorithm 4: Analysis of our tweaks
● Z*
n
has even number of elements; there must be cyclic subgroups for each
divisor of |Zn
*|. (This is a theorem in Group Theory)
● The open question is how easy it is to find small cyclic subgroups of Z*n
● If we quickly find one cyclic subgroup, then sqrt(1) are easily revealed
● If we put a bound b on the period r, then sqrt(1) runs quick for a small n
● Our bounded random search variant of Shor’s algorithm is slow for a large n
36
Conclusion
● We studied the problem of finding the square roots of unity in a finite group
● We tried to factor composite numbers using sqrt(1)
● Experimental results showed that finding sqrt(1) in Z*n
where n = pq is “hard”
● We implemented Shor’s function f(x) = ax
mod n on a classical computer
● We learned that in general the period of f(x) is the same size as n
● We made minor tweaks by defining a bound on the period of f(x) = ax
mod n
● More experimentation of our tweaks is part of future work
37
Appendix
38
39
import java.math.BigInteger;
import java.security.SecureRandom;
public class SqrtOneNaive implements IBigIntConstants
{
public static void main(String[] args)
{
/* Error handling is omitted */
BigInteger n = new BigInteger(args[0]);
BigInteger x = zero;
while(x.compareTo(n) <= 0) {
// is square(x) = 1 (mod n)?
if(x.multiply(x).mod(n).equals(one)) {
System.out.println(x + " is the square root of one ");
}
x = x.add(one);
}
}
}
Implementation of naïve Sqrt(1) algorithm
40
public static void main(String[] args)
{
BigInteger n = new BigInteger(args[0]); // Error handling code is removed
BigInteger x;
while(true) {
// Pick a random element from Zn
x = BigIntUtil.getRandomElt(n, new SecureRandom());
// We don't want non-trivial roots '1' or '-1'.
// If x = -1 (mod n) or x = 1 (mod n), then we have to restart.
if(x.add(one).mod(n).equals(zero) ||
x.subtract(one).mod(n).equals(zero)) { continue; }
if(x.multiply(x).mod(n).equals(one)) {
System.out.println(x + " is the square root of one ");
System.out.println("Number of random tries = " + counter);
break;
}
}
}
Implementation of random Sqrt(1) algorithm
41
Finding the Sqrt(1) using Peter Shor’s
algorithm (simplied)
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996
● P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete
Logarithms on a Quantum Computer,” SIAM J.Sci.Statist.Comput. 26 (1997).
42

More Related Content

What's hot

Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWELattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWEPriyanka Aash
 
Tính toán khoa học - Chương 0: Introduction
Tính toán khoa học - Chương 0: IntroductionTính toán khoa học - Chương 0: Introduction
Tính toán khoa học - Chương 0: IntroductionChien Dang
 
Chuong 2arm cortex
Chuong 2arm cortexChuong 2arm cortex
Chuong 2arm cortexTien Le
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
Quy hoach tuyen tinh C H U O N G2
Quy hoach tuyen tinh C H U O N G2Quy hoach tuyen tinh C H U O N G2
Quy hoach tuyen tinh C H U O N G2Ngo Hung Long
 
Phuong trinh vi phan
Phuong trinh vi phanPhuong trinh vi phan
Phuong trinh vi phantrintd
 
Thuật toán mã hóa rsa
Thuật toán mã hóa rsaThuật toán mã hóa rsa
Thuật toán mã hóa rsaBảo Điệp
 
99 giải toán bằng cách lập phương trình truonghocso.com
99 giải toán bằng cách lập phương trình   truonghocso.com99 giải toán bằng cách lập phương trình   truonghocso.com
99 giải toán bằng cách lập phương trình truonghocso.comThế Giới Tinh Hoa
 
Hệ điều hành (chương 2)
Hệ điều hành (chương 2)Hệ điều hành (chương 2)
Hệ điều hành (chương 2)realpotter
 
Lý thuyết tính toán - BKHN - 3
Lý thuyết tính toán - BKHN - 3Lý thuyết tính toán - BKHN - 3
Lý thuyết tính toán - BKHN - 3Minh Lê
 
38 câu trắc nghiệm quản trị mạng
38 câu trắc nghiệm quản trị mạng38 câu trắc nghiệm quản trị mạng
38 câu trắc nghiệm quản trị mạngstartover123
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyAlexandre Augusto Giron
 

What's hot (20)

Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWELattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
 
Take-Grant Protection Model
Take-Grant Protection ModelTake-Grant Protection Model
Take-Grant Protection Model
 
Tính toán khoa học - Chương 0: Introduction
Tính toán khoa học - Chương 0: IntroductionTính toán khoa học - Chương 0: Introduction
Tính toán khoa học - Chương 0: Introduction
 
Chuong 2arm cortex
Chuong 2arm cortexChuong 2arm cortex
Chuong 2arm cortex
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
Quy hoach tuyen tinh C H U O N G2
Quy hoach tuyen tinh C H U O N G2Quy hoach tuyen tinh C H U O N G2
Quy hoach tuyen tinh C H U O N G2
 
01 ma hoa
01 ma hoa01 ma hoa
01 ma hoa
 
Phuong trinh vi phan
Phuong trinh vi phanPhuong trinh vi phan
Phuong trinh vi phan
 
Hệ mật mã Mcelice
Hệ mật mã MceliceHệ mật mã Mcelice
Hệ mật mã Mcelice
 
Hệ mật mã Elgamal
Hệ mật mã ElgamalHệ mật mã Elgamal
Hệ mật mã Elgamal
 
Thuật toán mã hóa rsa
Thuật toán mã hóa rsaThuật toán mã hóa rsa
Thuật toán mã hóa rsa
 
Phan phoi chuan
Phan  phoi chuanPhan  phoi chuan
Phan phoi chuan
 
99 giải toán bằng cách lập phương trình truonghocso.com
99 giải toán bằng cách lập phương trình   truonghocso.com99 giải toán bằng cách lập phương trình   truonghocso.com
99 giải toán bằng cách lập phương trình truonghocso.com
 
Hệ điều hành (chương 2)
Hệ điều hành (chương 2)Hệ điều hành (chương 2)
Hệ điều hành (chương 2)
 
Lý thuyết tính toán - BKHN - 3
Lý thuyết tính toán - BKHN - 3Lý thuyết tính toán - BKHN - 3
Lý thuyết tính toán - BKHN - 3
 
38 câu trắc nghiệm quản trị mạng
38 câu trắc nghiệm quản trị mạng38 câu trắc nghiệm quản trị mạng
38 câu trắc nghiệm quản trị mạng
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based Cryptography
 
Hệ mật mã Mcliece
Hệ mật mã MclieceHệ mật mã Mcliece
Hệ mật mã Mcliece
 
57202837 msc-51
57202837 msc-5157202837 msc-51
57202837 msc-51
 

Similar to Computing the Square Roots of Unity to break RSA using Quantum Algorithms

Similar to Computing the Square Roots of Unity to break RSA using Quantum Algorithms (20)

Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
Randomized algorithms ver 1.0
Randomized algorithms ver 1.0Randomized algorithms ver 1.0
Randomized algorithms ver 1.0
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
Algorithms - A Sneak Peek
Algorithms - A Sneak PeekAlgorithms - A Sneak Peek
Algorithms - A Sneak Peek
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
 
NFSFIXES
NFSFIXESNFSFIXES
NFSFIXES
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
1_Asymptotic_Notation_pptx.pptx
1_Asymptotic_Notation_pptx.pptx1_Asymptotic_Notation_pptx.pptx
1_Asymptotic_Notation_pptx.pptx
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (17)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...OnePlan Solutions
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfDeskTrack
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionMohammed Fazuluddin
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfMehmet Akar
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersEmilyJiang23
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMok TH
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024vaibhav130304
 
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Marko Lohert
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionWave PLM
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami
 

Recently uploaded (20)

INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptx
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 

Computing the Square Roots of Unity to break RSA using Quantum Algorithms

  • 1. Computing the Square Roots of Unity to break RSA using Quantum Algo Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Goal ● Break RSA using Peter Shor’s quantum algorithm ○ But, we will not look into Quantum Computing ○ We will find the square roots of unity on a classical computer ● Investigate the square root of unity (i.e., sqrt(1)) in a Finite Group ○ Algorithm 1: Naïve/Bruteforce ○ Algorithm 2: Random Search ○ Algorithm 3: Peter Shor’s period calculation algorithm ○ Algorithm 4: Our little tweaks of Peter Shor’s period function (bounded search) 3
  • 4. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
  • 5. Agenda ● Mathematical foundation/facts ● Brief overview of RSA ● Different algorithms to find the square roots of unity (in a finite group) ● Demos of finding the square roots of unity to factor composite numbers ● Conclusion 5
  • 6. 6 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 7. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 7
  • 8. How can Bob send a message to Alice securely? 8 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 9. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 9
  • 10. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
  • 11. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● In practice, some random padding is used (not relevant for this presentation) 11
  • 12. RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: If we can factor n and find p and q, then private keys are open to the world
  • 13. What are the square roots of unity in Z? ● 1 and -1 are the two square roots of one because (±1)2 = 1 ● This is true only if we work in the infinite set of integers Z ● In Cryptography, we often work with finite groups ● There are other non-trivial roots of unity other than ±1 in Z* n 13
  • 14. Square roots of unity in a finite group Z* n Consider this tiny multiplicative group Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} The square roots of unity are 1, 4, 11, and 14 Note that 14 ≡ -1 mod 15 (basically -1 is the same as 14) But, we have two other roots 4 and 11 of unity (e.g., 4*4 = 1 mod 15) 1 and 14 are trivial roots of unity, whereas 4 and 11 are non-trivial roots of unity Fact: Let n = pq, where p and q are odd primes, then there are four roots of unity 14
  • 15. Algorithm: Factor n using the square roots of unity Problem: Given a composite number n and sqrt(1), find the factors p and q of n Let x be a square root of 1, then x2 = 1 (mod n) Thus, x2 - 1 = 0 (mod n) ⇒ (x+1)(x-1) = 0 (mod n) This means that n divides (x+1)(x-1) If (x+1) and (x-1) are not multiples of n, then the factors of n are the following: p = gcd(x+1, n) or gcd(x-1, n); q = n/p 15
  • 16. Toy example: Let’s factor n = 15 using Z*15 Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} Since 4 and 11 are square roots of unity, we can use one of them to factor n Let x = 4 x2 = 1 (mod 15) (x+1)(x-1) = 0 (mod 15) Factor p = gcd(x+1, 15) = gcd(5, 15) = 5; Factor q = n/p = 15/5 = 3 16
  • 17. Factoring n using the square roots of unity ... If we can find the non-trivial square roots on n, then we can factor n Let’s investigate how easy it is to find the sqrt(1) in a finite multiplicative group Four different algorithms to find the sqrt(1): 1. Bruteforce/Naive 2. Random Search 3. Peter Shor’s Quantum Algorithm 4. Our little tweaks of Shor’s algorithm 17
  • 18. Algorithm 1: Naïve sqrt(1) in Zn * Step 1: x = 0 Step 2: if(x < n) goto step 3; otherwise goto step 5 Step 3: if(x2 = 1 mod n) then x is a square root of one. Step 4: x = x + 1. goto step 2. Step 5: End. 18
  • 19. 19 ~/crypto/RSA$ java SqrtOneNaive 2086784737 Input bit length = 31 Sqrt(n) = 45681 sqrt(1) = 1 bit length = 1 sqrt(1) = 530886943 bit length = 29 sqrt(1) = 1555897794 bit length = 31 sqrt(1) = 2086784736 bit length = 31 Note: sqrt(n) is only 45681, but sqrt(1) can be the same bit length as n (See the Appendix for the source code of Sqrt(1) naïve method) Algorithm 1: Find the sqrt(1) in the group Z*2086784737
  • 20. Algorithm 1: Analysis of the naïve algorithm ● The naïve algorithm is simple to understand and implement ● However, it is very slow because we enumerate all numbers of the group Zn ● If n is a 2048-bit composite number, this algorithm will perform 22048 iterations ● In other words, it will take several billion years to calculate sqrt(1) 20
  • 21. Algorithm 2: Random search to find sqrt(1) in Zn * Step 1: Pick a random x from Zn Step 2: if(x = ± 1 mod n) then goto step 1 Step 3: if(x2 = 1 mod n) then x is a sqrt(1) goto step 4; else step 1 Step 4: End. 21
  • 22. 22 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 236 ddharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 82005 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 167572 Algorithm 2: Find the sqrt(1) in the group Z*45649
  • 23. 23 Algorithm 2: Analysis of Random Search Algo ● The random algorithm can find the square roots of one (for “small” n) ● But, it just needs a lots of tries to find a needle in the haystack ● In general, the number of tries is the size of the input composite number ● Random search is not able to find sqrt(1) for very large input n
  • 24. 24
  • 25. 25 Algorithm 3: Peter Shor’s Algorithm (core idea) ● To find an x such that x2 = 1 (mod n), we compute f(x) = ax mod n, random a ● Fact: Every element of a finite group generates a cyclic subgroup ● In other words, the function f(x) is the same as the cyclic subgroup <a> ● Thus, f(r) = 1 mod n for some r; equivalently, ar = 1 mod n for some r ● Once we find such an r, (ar/2 )2 = 1 mod n; (if r is even, the hacker is lucky) ● Thus, ar/2 is the sqrt(1); we know how to factor n once the sqrt(1) is exposed!
  • 26. Algorithm 3: Finding the period r of the function f(x) 26 x f(x) = ax mod n 0 a0 mod n 1 a1 mod n 2 a2 mod n r ar mod n = 1 ● Peter Shor uses quantum computing to find the period r of the function f(x) ● We implemented this function on my classical computer (my laptop) ● Just to better understand the inner beauty of this algorithm
  • 27. 27 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 1330 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 43738 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 43738
  • 28. 28 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 236941974 Sqrt(1) = 521638680 real 0m47.429s user 0m47.100s sys 0m0.288s Period is very large
  • 29. 29 ~/crypto/RSA$ java FactorShor 45649 period = 22610 p = 191 q = 239 ~/crypto/RSA$ java FactorShor 45649 period = 170 p = 239 q = 191 ~/crypto/RSA$ java FactorShor 45649 period = 3230 p = 239 q = 191 Algorithm 3: Factor a small number n = 45649
  • 30. 30 Algorithm 3: Analysis of the period of f(x) = ax mod n ● The above set of runs shows that the period of f(x) can be very large ○ Thus, we cannot apply this algorithm to find sqrt(1) for a large group Zn used in RSA ● Remember, we are running the algorithm on a classical computer ● It is good to play with this algorithm on a classical computer to understand it ● Algorithm 4 talks about some little tweaks of Algorithm 3
  • 31. Algorithm 4: Let’s tweak Peter Shor’s algorithm What if we put a bound b on the period r? Step 1: Initialize bound b (e.g., b = n1/2 , n1/4 , etc.), r = 0, success = false Step 2: Pick a random a from Zn * Step 3: if 0 ≤ r ≤ b goto step 4; otherwise goto step 7 Step 4: Compute f(r) = ar mod n Step 5: If f(r) != 1 then r = r+1 and goto step 3 Step 6: If r is even, then success = true; otherwise goto step 2 Step 7: If success = true, we found the period r; otherwise goto step 2 31
  • 32. 32 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 33738 sqrt(1) = 521638680 real 0m45.786s user 0m45.510s sys 0m0.244s Algorithm 4: bound = n1/2
  • 33. 33 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 6m14.713s user 6m12.706s sys 0m1.759s Algorithm 4: bound = n1/4
  • 34. 34 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 2m29.435s user 2m28.400s sys 0m0.936s Algorithm 4: bound = n1/6
  • 35. 35 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 6 Square root of one = 900089041 real 2m31.106s user 2m29.703s sys 0m1.304s Algorithm 4: bound = n1/8 Amazing, we found a cyclic subgroup of order 6
  • 36. Algorithm 4: Analysis of our tweaks ● Z* n has even number of elements; there must be cyclic subgroups for each divisor of |Zn *|. (This is a theorem in Group Theory) ● The open question is how easy it is to find small cyclic subgroups of Z*n ● If we quickly find one cyclic subgroup, then sqrt(1) are easily revealed ● If we put a bound b on the period r, then sqrt(1) runs quick for a small n ● Our bounded random search variant of Shor’s algorithm is slow for a large n 36
  • 37. Conclusion ● We studied the problem of finding the square roots of unity in a finite group ● We tried to factor composite numbers using sqrt(1) ● Experimental results showed that finding sqrt(1) in Z*n where n = pq is “hard” ● We implemented Shor’s function f(x) = ax mod n on a classical computer ● We learned that in general the period of f(x) is the same size as n ● We made minor tweaks by defining a bound on the period of f(x) = ax mod n ● More experimentation of our tweaks is part of future work 37
  • 39. 39 import java.math.BigInteger; import java.security.SecureRandom; public class SqrtOneNaive implements IBigIntConstants { public static void main(String[] args) { /* Error handling is omitted */ BigInteger n = new BigInteger(args[0]); BigInteger x = zero; while(x.compareTo(n) <= 0) { // is square(x) = 1 (mod n)? if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); } x = x.add(one); } } } Implementation of naïve Sqrt(1) algorithm
  • 40. 40 public static void main(String[] args) { BigInteger n = new BigInteger(args[0]); // Error handling code is removed BigInteger x; while(true) { // Pick a random element from Zn x = BigIntUtil.getRandomElt(n, new SecureRandom()); // We don't want non-trivial roots '1' or '-1'. // If x = -1 (mod n) or x = 1 (mod n), then we have to restart. if(x.add(one).mod(n).equals(zero) || x.subtract(one).mod(n).equals(zero)) { continue; } if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); System.out.println("Number of random tries = " + counter); break; } } } Implementation of random Sqrt(1) algorithm
  • 41. 41 Finding the Sqrt(1) using Peter Shor’s algorithm (simplied)
  • 42. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976 ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978 ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996 ● P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J.Sci.Statist.Comput. 26 (1997). 42