SlideShare a Scribd company logo

Computing the Square Roots of Unity to break RSA using Quantum Algorithms

Dharmalingam Ganesan, profile picture
Dharmalingam Ganesan

The document discusses breaking RSA encryption by computing square roots of unity using classical computing methods and Peter Shor’s quantum algorithm. It introduces various algorithms for finding square roots of unity in finite groups, their mathematical background, and potential applications in cryptography. Additionally, it includes a demonstration of these algorithms and their effectiveness in factoring composite numbers.

Software
1 of 42
Download to read offline
1
2
3
Most read
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Computing the Square Roots of Unity to break RSA using Quantum Algo Dr. Dharma Ganesan, Ph.D.,
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Goal ● Break RSA using Peter Shor’s quantum algorithm ○ But, we will not look into Quantum Computing ○ We will find the square roots of unity on a classical computer ● Investigate the square root of unity (i.e., sqrt(1)) in a Finite Group ○ Algorithm 1: Naïve/Bruteforce ○ Algorithm 2: Random Search ○ Algorithm 3: Peter Shor’s period calculation algorithm ○ Algorithm 4: Our little tweaks of Peter Shor’s period function (bounded search) 3
Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
Agenda ● Mathematical foundation/facts ● Brief overview of RSA ● Different algorithms to find the square roots of unity (in a finite group) ● Demos of finding the square roots of unity to factor composite numbers ● Conclusion 5
6 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 7
How can Bob send a message to Alice securely? 8 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 9
RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● In practice, some random padding is used (not relevant for this presentation) 11
RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: If we can factor n and find p and q, then private keys are open to the world
What are the square roots of unity in Z? ● 1 and -1 are the two square roots of one because (±1)2 = 1 ● This is true only if we work in the infinite set of integers Z ● In Cryptography, we often work with finite groups ● There are other non-trivial roots of unity other than ±1 in Z* n 13
Square roots of unity in a finite group Z* n Consider this tiny multiplicative group Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} The square roots of unity are 1, 4, 11, and 14 Note that 14 ≡ -1 mod 15 (basically -1 is the same as 14) But, we have two other roots 4 and 11 of unity (e.g., 4*4 = 1 mod 15) 1 and 14 are trivial roots of unity, whereas 4 and 11 are non-trivial roots of unity Fact: Let n = pq, where p and q are odd primes, then there are four roots of unity 14
Algorithm: Factor n using the square roots of unity Problem: Given a composite number n and sqrt(1), find the factors p and q of n Let x be a square root of 1, then x2 = 1 (mod n) Thus, x2 - 1 = 0 (mod n) ⇒ (x+1)(x-1) = 0 (mod n) This means that n divides (x+1)(x-1) If (x+1) and (x-1) are not multiples of n, then the factors of n are the following: p = gcd(x+1, n) or gcd(x-1, n); q = n/p 15
Toy example: Let’s factor n = 15 using Z*15 Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} Since 4 and 11 are square roots of unity, we can use one of them to factor n Let x = 4 x2 = 1 (mod 15) (x+1)(x-1) = 0 (mod 15) Factor p = gcd(x+1, 15) = gcd(5, 15) = 5; Factor q = n/p = 15/5 = 3 16
Factoring n using the square roots of unity ... If we can find the non-trivial square roots on n, then we can factor n Let’s investigate how easy it is to find the sqrt(1) in a finite multiplicative group Four different algorithms to find the sqrt(1): 1. Bruteforce/Naive 2. Random Search 3. Peter Shor’s Quantum Algorithm 4. Our little tweaks of Shor’s algorithm 17
Algorithm 1: Naïve sqrt(1) in Zn * Step 1: x = 0 Step 2: if(x < n) goto step 3; otherwise goto step 5 Step 3: if(x2 = 1 mod n) then x is a square root of one. Step 4: x = x + 1. goto step 2. Step 5: End. 18
19 ~/crypto/RSA$ java SqrtOneNaive 2086784737 Input bit length = 31 Sqrt(n) = 45681 sqrt(1) = 1 bit length = 1 sqrt(1) = 530886943 bit length = 29 sqrt(1) = 1555897794 bit length = 31 sqrt(1) = 2086784736 bit length = 31 Note: sqrt(n) is only 45681, but sqrt(1) can be the same bit length as n (See the Appendix for the source code of Sqrt(1) naïve method) Algorithm 1: Find the sqrt(1) in the group Z*2086784737
Algorithm 1: Analysis of the naïve algorithm ● The naïve algorithm is simple to understand and implement ● However, it is very slow because we enumerate all numbers of the group Zn ● If n is a 2048-bit composite number, this algorithm will perform 22048 iterations ● In other words, it will take several billion years to calculate sqrt(1) 20
Algorithm 2: Random search to find sqrt(1) in Zn * Step 1: Pick a random x from Zn Step 2: if(x = ± 1 mod n) then goto step 1 Step 3: if(x2 = 1 mod n) then x is a sqrt(1) goto step 4; else step 1 Step 4: End. 21
22 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 236 ddharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 82005 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 167572 Algorithm 2: Find the sqrt(1) in the group Z*45649
23 Algorithm 2: Analysis of Random Search Algo ● The random algorithm can find the square roots of one (for “small” n) ● But, it just needs a lots of tries to find a needle in the haystack ● In general, the number of tries is the size of the input composite number ● Random search is not able to find sqrt(1) for very large input n
24
25 Algorithm 3: Peter Shor’s Algorithm (core idea) ● To find an x such that x2 = 1 (mod n), we compute f(x) = ax mod n, random a ● Fact: Every element of a finite group generates a cyclic subgroup ● In other words, the function f(x) is the same as the cyclic subgroup <a> ● Thus, f(r) = 1 mod n for some r; equivalently, ar = 1 mod n for some r ● Once we find such an r, (ar/2 )2 = 1 mod n; (if r is even, the hacker is lucky) ● Thus, ar/2 is the sqrt(1); we know how to factor n once the sqrt(1) is exposed!
Algorithm 3: Finding the period r of the function f(x) 26 x f(x) = ax mod n 0 a0 mod n 1 a1 mod n 2 a2 mod n r ar mod n = 1 ● Peter Shor uses quantum computing to find the period r of the function f(x) ● We implemented this function on my classical computer (my laptop) ● Just to better understand the inner beauty of this algorithm
27 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 1330 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 43738 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 43738
28 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 236941974 Sqrt(1) = 521638680 real 0m47.429s user 0m47.100s sys 0m0.288s Period is very large
29 ~/crypto/RSA$ java FactorShor 45649 period = 22610 p = 191 q = 239 ~/crypto/RSA$ java FactorShor 45649 period = 170 p = 239 q = 191 ~/crypto/RSA$ java FactorShor 45649 period = 3230 p = 239 q = 191 Algorithm 3: Factor a small number n = 45649
30 Algorithm 3: Analysis of the period of f(x) = ax mod n ● The above set of runs shows that the period of f(x) can be very large ○ Thus, we cannot apply this algorithm to find sqrt(1) for a large group Zn used in RSA ● Remember, we are running the algorithm on a classical computer ● It is good to play with this algorithm on a classical computer to understand it ● Algorithm 4 talks about some little tweaks of Algorithm 3
Algorithm 4: Let’s tweak Peter Shor’s algorithm What if we put a bound b on the period r? Step 1: Initialize bound b (e.g., b = n1/2 , n1/4 , etc.), r = 0, success = false Step 2: Pick a random a from Zn * Step 3: if 0 ≤ r ≤ b goto step 4; otherwise goto step 7 Step 4: Compute f(r) = ar mod n Step 5: If f(r) != 1 then r = r+1 and goto step 3 Step 6: If r is even, then success = true; otherwise goto step 2 Step 7: If success = true, we found the period r; otherwise goto step 2 31
32 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 33738 sqrt(1) = 521638680 real 0m45.786s user 0m45.510s sys 0m0.244s Algorithm 4: bound = n1/2
33 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 6m14.713s user 6m12.706s sys 0m1.759s Algorithm 4: bound = n1/4
34 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 2m29.435s user 2m28.400s sys 0m0.936s Algorithm 4: bound = n1/6
35 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 6 Square root of one = 900089041 real 2m31.106s user 2m29.703s sys 0m1.304s Algorithm 4: bound = n1/8 Amazing, we found a cyclic subgroup of order 6
Algorithm 4: Analysis of our tweaks ● Z* n has even number of elements; there must be cyclic subgroups for each divisor of |Zn *|. (This is a theorem in Group Theory) ● The open question is how easy it is to find small cyclic subgroups of Z*n ● If we quickly find one cyclic subgroup, then sqrt(1) are easily revealed ● If we put a bound b on the period r, then sqrt(1) runs quick for a small n ● Our bounded random search variant of Shor’s algorithm is slow for a large n 36
Conclusion ● We studied the problem of finding the square roots of unity in a finite group ● We tried to factor composite numbers using sqrt(1) ● Experimental results showed that finding sqrt(1) in Z*n where n = pq is “hard” ● We implemented Shor’s function f(x) = ax mod n on a classical computer ● We learned that in general the period of f(x) is the same size as n ● We made minor tweaks by defining a bound on the period of f(x) = ax mod n ● More experimentation of our tweaks is part of future work 37
Appendix 38
39 import java.math.BigInteger; import java.security.SecureRandom; public class SqrtOneNaive implements IBigIntConstants { public static void main(String[] args) { /* Error handling is omitted */ BigInteger n = new BigInteger(args[0]); BigInteger x = zero; while(x.compareTo(n) <= 0) { // is square(x) = 1 (mod n)? if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); } x = x.add(one); } } } Implementation of naïve Sqrt(1) algorithm
40 public static void main(String[] args) { BigInteger n = new BigInteger(args[0]); // Error handling code is removed BigInteger x; while(true) { // Pick a random element from Zn x = BigIntUtil.getRandomElt(n, new SecureRandom()); // We don't want non-trivial roots '1' or '-1'. // If x = -1 (mod n) or x = 1 (mod n), then we have to restart. if(x.add(one).mod(n).equals(zero) || x.subtract(one).mod(n).equals(zero)) { continue; } if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); System.out.println("Number of random tries = " + counter); break; } } } Implementation of random Sqrt(1) algorithm
41 Finding the Sqrt(1) using Peter Shor’s algorithm (simplied)
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976 ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978 ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996 ● P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J.Sci.Statist.Comput. 26 (1997). 42

More Related Content

PDF
Algoritmos e lp parte 2-fundamentos
Mauro Pereira
 
PPTX
Material Algoritmos e Estruturas de Dados - 1º Bimestre
Elaine Cecília Gatto
 
PDF
Apostila cobol
lucioandrade
 
PPT
Pilhas e Filas
CriatividadeZeroDocs
 
PPT
Logica Algoritmo 02 Algoritmo
Regis Magalhães
 
PDF
Java orientação a objetos (variaveis de instancia e metodos)
Armando Daniel
 
PDF
Programação orientada a objetos – II
Gabriel Faustino
 
PDF
Inteligencia artificial para classificação de texto e sentimento
Antônio Marques
 
Algoritmos e lp parte 2-fundamentos
Mauro Pereira
 
Material Algoritmos e Estruturas de Dados - 1º Bimestre
Elaine Cecília Gatto
 
Apostila cobol
lucioandrade
 
Pilhas e Filas
CriatividadeZeroDocs
 
Logica Algoritmo 02 Algoritmo
Regis Magalhães
 
Java orientação a objetos (variaveis de instancia e metodos)
Armando Daniel
 
Programação orientada a objetos – II
Gabriel Faustino
 
Inteligencia artificial para classificação de texto e sentimento
Antônio Marques
 

What's hot (20)

PPTX
Algoritmos - Pseudocódigo
Elaine Cecília Gatto
 
PDF
Estrutura de dados - Variáveis homogêneas e Heterogêneas
Adriano Teixeira de Souza
 
PDF
Lista de exercicios algoritmos com pseudocodigo
Mauro Pereira
 
PDF
Banco de Dados - MySQL Basico
Rangel Javier
 
PDF
Engenharia de Software II - Atividade: Diagramas da UML
Alessandro Almeida
 
PPTX
Materi 1. algoritma pemrograman
Melva Amma Kalian
 
PPTX
A Linguagem sql
Centro Paula Souza
 
PPT
Logica Algoritmo 03 Tipos Expressoes Variaveis Operadores
Regis Magalhães
 
PPT
Gerência de processos
Virgínia
 
PPTX
Criando um banco de dados com MySQL Workbench
Centro Paula Souza
 
PPTX
DER - Diagrama de Entidade e Relacionamentos
Cláudio Amaral
 
PDF
Modul2 metode regula falsi praktikum metode numerik
James Montolalu
 
ODP
Algoritmo aula 01-f
Professor Samuel Ribeiro
 
PDF
LaTeX Básico I
Rodrigo Smarzaro
 
PPSX
Polimorfismo java
FAFICA
 
PDF
Estrutura de Dados - Registros
Adriano Teixeira de Souza
 
PDF
Maratona de Programação
Marcos Castro
 
PDF
Modul 2 variabel, tipe data dan operator
Fardian Syah
 
PPTX
Estrutura de repetição
Jailson Torquato
 
PPTX
Estrutura de decisão switch case
Alessandra Sra JM
 
Algoritmos - Pseudocódigo
Elaine Cecília Gatto
 
Estrutura de dados - Variáveis homogêneas e Heterogêneas
Adriano Teixeira de Souza
 
Lista de exercicios algoritmos com pseudocodigo
Mauro Pereira
 
Banco de Dados - MySQL Basico
Rangel Javier
 
Engenharia de Software II - Atividade: Diagramas da UML
Alessandro Almeida
 
Materi 1. algoritma pemrograman
Melva Amma Kalian
 
A Linguagem sql
Centro Paula Souza
 
Logica Algoritmo 03 Tipos Expressoes Variaveis Operadores
Regis Magalhães
 
Gerência de processos
Virgínia
 
Criando um banco de dados com MySQL Workbench
Centro Paula Souza
 
DER - Diagrama de Entidade e Relacionamentos
Cláudio Amaral
 
Modul2 metode regula falsi praktikum metode numerik
James Montolalu
 
Algoritmo aula 01-f
Professor Samuel Ribeiro
 
LaTeX Básico I
Rodrigo Smarzaro
 
Polimorfismo java
FAFICA
 
Estrutura de Dados - Registros
Adriano Teixeira de Souza
 
Maratona de Programação
Marcos Castro
 
Modul 2 variabel, tipe data dan operator
Fardian Syah
 
Estrutura de repetição
Jailson Torquato
 
Estrutura de decisão switch case
Alessandra Sra JM
 
Ad

Similar to Computing the Square Roots of Unity to break RSA using Quantum Algorithms (20)

PDF
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
PDF
Cyclic Attacks on the RSA Trapdoor Function
Dharmalingam Ganesan
 
PDF
On the Secrecy of RSA Private Keys
Dharmalingam Ganesan
 
PDF
RSA cracking puzzle
Dharmalingam Ganesan
 
PDF
Solutions to online rsa factoring challenges
Dharmalingam Ganesan
 
PDF
RSA without Integrity Checks
Dharmalingam Ganesan
 
PPTX
RSA without Padding
Dharmalingam Ganesan
 
PDF
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
PDF
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 
PPT
Randomized algorithms ver 1.0
Dr. C.V. Suresh Babu
 
PDF
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 
PDF
Algorithms - A Sneak Peek
BADR
 
PDF
RSA Game using an Oracle
Dharmalingam Ganesan
 
PPT
2010 3-24 cryptography stamatiou
vafopoulos
 
PPTX
RSA final notation change2
Coleman Gorham
 
PDF
NFSFIXES
Robert Reynoldson
 
PDF
RSA Two Person Game
Dharmalingam Ganesan
 
PDF
Book.pdf01_Intro.ppt algorithm for preperation stu used
archu26
 
PDF
Analysis of Shared RSA Modulus
Dharmalingam Ganesan
 
PPTX
RSA ALGORITHM
Sathish Kumar
 
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Dharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
Dharmalingam Ganesan
 
RSA cracking puzzle
Dharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Dharmalingam Ganesan
 
RSA without Integrity Checks
Dharmalingam Ganesan
 
RSA without Padding
Dharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 
Randomized algorithms ver 1.0
Dr. C.V. Suresh Babu
 
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 
Algorithms - A Sneak Peek
BADR
 
RSA Game using an Oracle
Dharmalingam Ganesan
 
2010 3-24 cryptography stamatiou
vafopoulos
 
RSA final notation change2
Coleman Gorham
 
NFSFIXES
Robert Reynoldson
 
RSA Two Person Game
Dharmalingam Ganesan
 
Book.pdf01_Intro.ppt algorithm for preperation stu used
archu26
 
Analysis of Shared RSA Modulus
Dharmalingam Ganesan
 
RSA ALGORITHM
Sathish Kumar
 
Ad

More from Dharmalingam Ganesan (17)

PDF
.NET Deserialization Attacks
Dharmalingam Ganesan
 
PDF
Reverse Architecting using Relation Algebra.pdf
Dharmalingam Ganesan
 
PDF
How to exploit rand()?
Dharmalingam Ganesan
 
PDF
An Analysis of Secure Remote Password (SRP)
Dharmalingam Ganesan
 
PDF
Thank-a-Gram
Dharmalingam Ganesan
 
PDF
Active Attacks on DH Key Exchange
Dharmalingam Ganesan
 
PDF
Can I write to a read only file ?
Dharmalingam Ganesan
 
PPTX
How do computers exchange secrets using Math?
Dharmalingam Ganesan
 
PDF
Requirements driven Model-based Testing
Dharmalingam Ganesan
 
PDF
Automated Traceability for Software Engineering Tasks
Dharmalingam Ganesan
 
PDF
On deriving the private key from a public key
Dharmalingam Ganesan
 
PDF
Reverse Engineering of Module Dependencies
Dharmalingam Ganesan
 
PPTX
Software Architecture
Dharmalingam Ganesan
 
PPTX
Integer security analysis using smt solver
Dharmalingam Ganesan
 
PDF
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
PDF
20170605135932210 thank you card7
Dharmalingam Ganesan
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
.NET Deserialization Attacks
Dharmalingam Ganesan
 
Reverse Architecting using Relation Algebra.pdf
Dharmalingam Ganesan
 
How to exploit rand()?
Dharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
Dharmalingam Ganesan
 
Thank-a-Gram
Dharmalingam Ganesan
 
Active Attacks on DH Key Exchange
Dharmalingam Ganesan
 
Can I write to a read only file ?
Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Dharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Dharmalingam Ganesan
 
On deriving the private key from a public key
Dharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Dharmalingam Ganesan
 
Software Architecture
Dharmalingam Ganesan
 
Integer security analysis using smt solver
Dharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
20170605135932210 thank you card7
Dharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 

Recently uploaded (20)

PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
AI in Product Development-omnex systems
omnex systems
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
System and Network Administraation Chapter 3
jaramharo
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Transform Your Business with a Software ERP System
Canada Software Company
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
System and Network Administration Chapter 2
jaramharo
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 

Computing the Square Roots of Unity to break RSA using Quantum Algorithms

  • 1. Computing the Square Roots of Unity to break RSA using Quantum Algo Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Goal ● Break RSA using Peter Shor’s quantum algorithm ○ But, we will not look into Quantum Computing ○ We will find the square roots of unity on a classical computer ● Investigate the square root of unity (i.e., sqrt(1)) in a Finite Group ○ Algorithm 1: Naïve/Bruteforce ○ Algorithm 2: Random Search ○ Algorithm 3: Peter Shor’s period calculation algorithm ○ Algorithm 4: Our little tweaks of Peter Shor’s period function (bounded search) 3
  • 4. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
  • 5. Agenda ● Mathematical foundation/facts ● Brief overview of RSA ● Different algorithms to find the square roots of unity (in a finite group) ● Demos of finding the square roots of unity to factor composite numbers ● Conclusion 5
  • 6. 6 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 7. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 7
  • 8. How can Bob send a message to Alice securely? 8 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 9. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 9
  • 10. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
  • 11. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● In practice, some random padding is used (not relevant for this presentation) 11
  • 12. RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: If we can factor n and find p and q, then private keys are open to the world
  • 13. What are the square roots of unity in Z? ● 1 and -1 are the two square roots of one because (±1)2 = 1 ● This is true only if we work in the infinite set of integers Z ● In Cryptography, we often work with finite groups ● There are other non-trivial roots of unity other than ±1 in Z* n 13
  • 14. Square roots of unity in a finite group Z* n Consider this tiny multiplicative group Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} The square roots of unity are 1, 4, 11, and 14 Note that 14 ≡ -1 mod 15 (basically -1 is the same as 14) But, we have two other roots 4 and 11 of unity (e.g., 4*4 = 1 mod 15) 1 and 14 are trivial roots of unity, whereas 4 and 11 are non-trivial roots of unity Fact: Let n = pq, where p and q are odd primes, then there are four roots of unity 14
  • 15. Algorithm: Factor n using the square roots of unity Problem: Given a composite number n and sqrt(1), find the factors p and q of n Let x be a square root of 1, then x2 = 1 (mod n) Thus, x2 - 1 = 0 (mod n) ⇒ (x+1)(x-1) = 0 (mod n) This means that n divides (x+1)(x-1) If (x+1) and (x-1) are not multiples of n, then the factors of n are the following: p = gcd(x+1, n) or gcd(x-1, n); q = n/p 15
  • 16. Toy example: Let’s factor n = 15 using Z*15 Z*15 = {1, 2, 4, 7, 8, 11, 13, 14} Since 4 and 11 are square roots of unity, we can use one of them to factor n Let x = 4 x2 = 1 (mod 15) (x+1)(x-1) = 0 (mod 15) Factor p = gcd(x+1, 15) = gcd(5, 15) = 5; Factor q = n/p = 15/5 = 3 16
  • 17. Factoring n using the square roots of unity ... If we can find the non-trivial square roots on n, then we can factor n Let’s investigate how easy it is to find the sqrt(1) in a finite multiplicative group Four different algorithms to find the sqrt(1): 1. Bruteforce/Naive 2. Random Search 3. Peter Shor’s Quantum Algorithm 4. Our little tweaks of Shor’s algorithm 17
  • 18. Algorithm 1: Naïve sqrt(1) in Zn * Step 1: x = 0 Step 2: if(x < n) goto step 3; otherwise goto step 5 Step 3: if(x2 = 1 mod n) then x is a square root of one. Step 4: x = x + 1. goto step 2. Step 5: End. 18
  • 19. 19 ~/crypto/RSA$ java SqrtOneNaive 2086784737 Input bit length = 31 Sqrt(n) = 45681 sqrt(1) = 1 bit length = 1 sqrt(1) = 530886943 bit length = 29 sqrt(1) = 1555897794 bit length = 31 sqrt(1) = 2086784736 bit length = 31 Note: sqrt(n) is only 45681, but sqrt(1) can be the same bit length as n (See the Appendix for the source code of Sqrt(1) naïve method) Algorithm 1: Find the sqrt(1) in the group Z*2086784737
  • 20. Algorithm 1: Analysis of the naïve algorithm ● The naïve algorithm is simple to understand and implement ● However, it is very slow because we enumerate all numbers of the group Zn ● If n is a 2048-bit composite number, this algorithm will perform 22048 iterations ● In other words, it will take several billion years to calculate sqrt(1) 20
  • 21. Algorithm 2: Random search to find sqrt(1) in Zn * Step 1: Pick a random x from Zn Step 2: if(x = ± 1 mod n) then goto step 1 Step 3: if(x2 = 1 mod n) then x is a sqrt(1) goto step 4; else step 1 Step 4: End. 21
  • 22. 22 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 236 ddharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 82005 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RandomSqrtOne 45649 sqrt(1) = 43738 Number of random tries = 167572 Algorithm 2: Find the sqrt(1) in the group Z*45649
  • 23. 23 Algorithm 2: Analysis of Random Search Algo ● The random algorithm can find the square roots of one (for “small” n) ● But, it just needs a lots of tries to find a needle in the haystack ● In general, the number of tries is the size of the input composite number ● Random search is not able to find sqrt(1) for very large input n
  • 24. 24
  • 25. 25 Algorithm 3: Peter Shor’s Algorithm (core idea) ● To find an x such that x2 = 1 (mod n), we compute f(x) = ax mod n, random a ● Fact: Every element of a finite group generates a cyclic subgroup ● In other words, the function f(x) is the same as the cyclic subgroup <a> ● Thus, f(r) = 1 mod n for some r; equivalently, ar = 1 mod n for some r ● Once we find such an r, (ar/2 )2 = 1 mod n; (if r is even, the hacker is lucky) ● Thus, ar/2 is the sqrt(1); we know how to factor n once the sqrt(1) is exposed!
  • 26. Algorithm 3: Finding the period r of the function f(x) 26 x f(x) = ax mod n 0 a0 mod n 1 a1 mod n 2 a2 mod n r ar mod n = 1 ● Peter Shor uses quantum computing to find the period r of the function f(x) ● We implemented this function on my classical computer (my laptop) ● Just to better understand the inner beauty of this algorithm
  • 27. 27 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 1330 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 43738 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 4522 sqrt(1) = 1911 ~/crypto/RSA$ java -ea SqrtOneShor 45649 period = 22610 sqrt(1) = 43738
  • 28. 28 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 236941974 Sqrt(1) = 521638680 real 0m47.429s user 0m47.100s sys 0m0.288s Period is very large
  • 29. 29 ~/crypto/RSA$ java FactorShor 45649 period = 22610 p = 191 q = 239 ~/crypto/RSA$ java FactorShor 45649 period = 170 p = 239 q = 191 ~/crypto/RSA$ java FactorShor 45649 period = 3230 p = 239 q = 191 Algorithm 3: Factor a small number n = 45649
  • 30. 30 Algorithm 3: Analysis of the period of f(x) = ax mod n ● The above set of runs shows that the period of f(x) can be very large ○ Thus, we cannot apply this algorithm to find sqrt(1) for a large group Zn used in RSA ● Remember, we are running the algorithm on a classical computer ● It is good to play with this algorithm on a classical computer to understand it ● Algorithm 4 talks about some little tweaks of Algorithm 3
  • 31. Algorithm 4: Let’s tweak Peter Shor’s algorithm What if we put a bound b on the period r? Step 1: Initialize bound b (e.g., b = n1/2 , n1/4 , etc.), r = 0, success = false Step 2: Pick a random a from Zn * Step 3: if 0 ≤ r ≤ b goto step 4; otherwise goto step 7 Step 4: Compute f(r) = ar mod n Step 5: If f(r) != 1 then r = r+1 and goto step 3 Step 6: If r is even, then success = true; otherwise goto step 2 Step 7: If success = true, we found the period r; otherwise goto step 2 31
  • 32. 32 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 33738 sqrt(1) = 521638680 real 0m45.786s user 0m45.510s sys 0m0.244s Algorithm 4: bound = n1/2
  • 33. 33 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 6m14.713s user 6m12.706s sys 0m1.759s Algorithm 4: bound = n1/4
  • 34. 34 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 18 Square root of one = 521638680 real 2m29.435s user 2m28.400s sys 0m0.936s Algorithm 4: bound = n1/6
  • 35. 35 ~/crypto/RSA$ time java -ea SqrtOneShor 1421727721 period = 6 Square root of one = 900089041 real 2m31.106s user 2m29.703s sys 0m1.304s Algorithm 4: bound = n1/8 Amazing, we found a cyclic subgroup of order 6
  • 36. Algorithm 4: Analysis of our tweaks ● Z* n has even number of elements; there must be cyclic subgroups for each divisor of |Zn *|. (This is a theorem in Group Theory) ● The open question is how easy it is to find small cyclic subgroups of Z*n ● If we quickly find one cyclic subgroup, then sqrt(1) are easily revealed ● If we put a bound b on the period r, then sqrt(1) runs quick for a small n ● Our bounded random search variant of Shor’s algorithm is slow for a large n 36
  • 37. Conclusion ● We studied the problem of finding the square roots of unity in a finite group ● We tried to factor composite numbers using sqrt(1) ● Experimental results showed that finding sqrt(1) in Z*n where n = pq is “hard” ● We implemented Shor’s function f(x) = ax mod n on a classical computer ● We learned that in general the period of f(x) is the same size as n ● We made minor tweaks by defining a bound on the period of f(x) = ax mod n ● More experimentation of our tweaks is part of future work 37
  • 39. 39 import java.math.BigInteger; import java.security.SecureRandom; public class SqrtOneNaive implements IBigIntConstants { public static void main(String[] args) { /* Error handling is omitted */ BigInteger n = new BigInteger(args[0]); BigInteger x = zero; while(x.compareTo(n) <= 0) { // is square(x) = 1 (mod n)? if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); } x = x.add(one); } } } Implementation of naïve Sqrt(1) algorithm
  • 40. 40 public static void main(String[] args) { BigInteger n = new BigInteger(args[0]); // Error handling code is removed BigInteger x; while(true) { // Pick a random element from Zn x = BigIntUtil.getRandomElt(n, new SecureRandom()); // We don't want non-trivial roots '1' or '-1'. // If x = -1 (mod n) or x = 1 (mod n), then we have to restart. if(x.add(one).mod(n).equals(zero) || x.subtract(one).mod(n).equals(zero)) { continue; } if(x.multiply(x).mod(n).equals(one)) { System.out.println(x + " is the square root of one "); System.out.println("Number of random tries = " + counter); break; } } } Implementation of random Sqrt(1) algorithm
  • 41. 41 Finding the Sqrt(1) using Peter Shor’s algorithm (simplied)
  • 42. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976 ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978 ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996 ● P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J.Sci.Statist.Comput. 26 (1997). 42