THE COMPARISON OF FACTORING METHODS FOR BREAKING RSA CRYPTO SYSTEM

Holmi Noviana, 2Is Esti Firmanesa, 3Syamsi Nurdiansah

Lembaga Sandi Negara

Abstract. In this paper, we will present the factoring methods for RSA. RSA is a public key cryptography. Cryptography is study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication. The security RSA is based on the apparent intractability of the following Integer Factorization Problem (IFP): given an nZ , determine the integer p and q, p, q Z such that n = pq, p q. The methods to breaking RSA use factoring public modulus methods. They are Fermats Difference of Square, Pollards , Pollards p-1, Square Forms Factorization (SQUFOF), and Elliptic Curve Factorization Method. And then, the methods will be compared to get the fastest method for integer factoring RSA.
Key word: RSA, factoring, prime. 1. Introduction. RSA crypto system was invented by Rivest-Shamir-Adelman in 1970. Secure RSA dependence from difficulty factoring large numbers. The public and private keys are functions of a pair of factoring large prime number. RSA works by the following method: Let n = pq, where p and q are two distinct large prime numbers. The prime p and q are usually chosen of similar bit length. Calculate t = (n) = (p-1) (q-1) which is the Euler Totient of n. Let e be a positive integer, eZ, 1 < e < t, gcd(e, t) = 1, e also be prime. Calculate d = e-1 in Zt, t hat is such that ed 1(mod t). If we represent our message M as an integer, then we can use e as an encryption exponent, and d as a decrypting exponent, and have ciphertext C M e(mod n). We will then be able to calculate back the plaintext M C d M ed (mod n). We now use the pair ( e, n ) as the public key and the pair ( d, n ) as a private key. The public key are e and n, so that they can encrypt massages, but it is extremely difficult to compute d without being able to factor n. Most proposed methods of breaking this algorithm simply involve factoring n to obtain p and q, so that the totient can be calculated. In this paper, we will compare the factoring methods use sample ni, 1 i 5. The first, we necessary to generate a pair of random large numbers ( p , q ) Z , p q , 0 i 5. And then we test them for primality
i i i i

test that use the randomized Miller-Rabin Algorithm. The next, we get a pair of ( p ', q ') P , and
i i

ni = pi ' qi ' .

Thus, the ni, will be factored that use five factoring methods, and the main goal of this paper

is to get the fastest method for breaking RSA algorithms.

2. Primality Testing One of the most useful applications of mathematics is distinguishing between prime and composite numbers. Primality tests are algorithms that are used to directly determine whether a specified number is prime or composite without resorting to factoring. In this paper, we will test prime number for primality using the Miller-Rabin Algorithm. Practically, Miller-Rabin algorithm is the most popular primality test. This algorithm use concept that all the prime numbers which are bigger than 2 are odd numbers. And pick an odd n randomly to determine whether it is a prime or not. Miller-Rabin algorithm is let n be an odd prime, and let n 1 = 2s r where r is odd. Let a be any integer such that gcd(a, n) = 1. Then either ar 1 (mod n) or a2 j r 1 (mod n) for some j, 0 j s - 1. In this case we use n as 20 digits, 22 digits, 24 digits, 26 digits, 28 digits and 30 digits number that can be used to test. Let a pair of (pi, qi) Z, p q, 1 i 5. And then test all of pair (pi, qi) using MillerRabin Algorithm to produce (pi, qi) P, P is prime number. And then each pair of (pi, qi) can product ni = pi. qi Z, 1 i 5. After that, we can start to factor them use any factoring methods as below. 3. Factoring Methods. The basic method of dividing an integer n by all primes p n is much too slow for more purposes. For many years, people have worked on developing more efficient factoring algorithms. We present some of them here. Factoring an integer modulus n means find its prime numbers p and q. The comparison of factoring algorithms has already been done many times over. In this paper we use factoring methods as bellow : a. Fermats Difference of Square b. Pollards c. Pollards p-1 d. Square Forms Factorization ( SQUFOF ) e. Elliptic Curve Factorization Methode (ECM) We just discusss the algorithms because this paper only want to explain that the fastest algorithm can be used as methods for breaking RSA.

a.

Fermats Difference of Square One method, which is also too slow. The idea is to express n as a difference of two squares n = x2 - y2. Then n = (x+y)(x-y) gives a factorization of n. (Wade Trappe, 1997:149). Algorithm 1( Wagstaff, 2003 :144 ) Fermats Difference of square : Pollards (Rho) Pollards Rho () algorithm is a special-purpose factoring algorithm for finding small factors of a composite integer. A prime factorization algorithm also known as Pollard Monte Carlo factorization method. There are two aspects to the Pollard

b.

factorization method. The first is the idea of iterating a formula until it falls into a cycle. Let n = pq, where n is the number to be factored and p and q are its unknown prime factors. (Menezes, 1997:9 Algorithm 2 ( Douglas R. Stinson ) : POLLARD RHO FACTORING ALGORITHM ( n, x1 )
e x te r n a l x x x '
1

f ( x ) m od n

p g c d ( x x ', n ) w h ile p = 1 c o m m e n t : i n t h e i th i t e r a t i o n , x = x ' a n d x ' = x x x ' f ( x ) m od n f ( x ') m o d n

2 i

p g c d ( x x ', n ) if p = n t h e n r e t u r n ( " fa i l u r e " ) e ls e r e t u r n ( p )

c.

Pollards p-1 Pollard's p 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors. Pollards p1 factoring algorithmis a special-purpose factoring algorithm that can be used to efficiently find any prime factors p of a composite integer n for which p1 is smooth with respect to some relatively small bound B. (Menezes, 1997:92) Algoritmh 3 ( Douglas R. Stinson ): POLLARD p-1 FACTORING ALGORITHM (n, B)
a 2 for j 2 to B do a a mod n
j

d gcd( a 1, n ) if 1 < d < n then return ( d ) else return (" failure ")

d.

Square Forms Factorization (SQUFOF) Shanks' square forms factorization was devised as an improvement on Fermat's factorization method. Daniel Shanks developed SQUFOF in the 1970s, and it is still the fastest known algorithm for factoring integers in the 20- to 30-digit range. Most modern computer packages implement numerous algorithms for factoring. (http://www.usna.edu/Users/cs/crabbe/papers/mcmath-IJPAM.pdf)

Algoritma 4 ( Shanks ) Square forms factorization methods

Input : N , the int eger to be factored , which must be neither a prime number nor a perfect square Output : a non trivial factor of N The a lg orithm : initialize P =
0

, Q

= 1, Q1 = N P0

repeat
bi =

+ P , Q
i +1 i

Pi = bi Qi Pi 1 , Qi +1 = Qi 1 + bi ( Pi 1 Pi )

Until Qi is perfect square Initialize b0 = repeat

bi =

P ,P Q
i 1 i

= b0

Qi + Pi 1 , Q0 =

Q i , Q1 =

N P0 Q0

i +1

+ P , Q
i 1 i i

Pi = bi Qi Pi 1 , Qi +1 = Qi 1 + bi ( Pi 1 Pi )

until P = P then Gcd ( N , Pi ) is a non trivial factor of N .

e.

Elliptic Curve Factorization Method (ECM) The elliptic curve factorization method (ECM) or the Lenstra elliptic curve factorization is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Frequently, ECM is used to remove small factors from a very large integer with many factors, if the remaining integer is still composite, then it has only large factors and is factored using general purpose techniques. (http://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factorization)

Algorithm 5 ( Wagstaff, 2003 : 177 ) Elliptic Curve Factorization Method :

Input Pr ocess : Let Choice any random elliptic curve E , b mod n
a

: Integer n;

Let choise a po int P = ( x , y ) in E : {a , x , y {0, ..., n 1} b = (y x a )

2 2 3 3 n

d = gcd(4 a + 27 b , n )
2

if d = n then choise a new elliptic curve E , b and po int P

a

if d > 1 then p = d if d = 1 then { Let choise smooth bound B and B where B , B n

1 2 1 2

for all prime p B do

1

{m =

P
pB
1

where e is a highest square

p

and p B + 2
e
p

B +1
2

P = m. P if m. P is success then n is prime number on the otherway , find division factor n}} Output : prime factor of n or false

4. Evaluate and Analysis Factoring Methods In this session, we will analysis our data from the factoring methods. The first, we see the Table 1. The calculation of factorization accelerate.

Tabel 1. The calculation of factorization speed No. 1. 2. 3. 4. 5. 6. Jumlah Digit 20 22 24 26 28 30 Kecepatan (S) Pollard 0.156 0.517 4.422 28.031 57.297 356.394

ECM 0.028 0.547 0.843 5.187 6.188 9.908

Pollard P-1 0.109 1.125 1.406 8.438 34.672 242.078

Squfof 0.39 2.375 15.983 128.185 67.608 716.594

Fermat 210.58 269.27 296.59 426.65 714,95 955,162

In the table 1, we can see that the five factoring methods use digit length as n1=20, n2=22, n3=24, n4=26,n5=28, and n6=30. And then we can see that from fastest methods until the slowest one are ECM, Pollard p-1, Pollard Rho, SQUFOF and Fermat. ECM is the best test.. The speed of the factoring methods will be slower at the length of n at 26. For ECM, its decreasing speed is not too big if we compare it with another methods. At below, we present them in a graphic. At the graphic, we also can see that the ECM method is the best test, because its result almost be linear.

Although the Pollard Rho factorization algorithm was touted as an improvement to the Pollard p-1 method, it appears to be slower in this simulation. In terms of median running times for these data, the Pollard p-1 and ECM methods are fastest, and the Fermat factorization method is slowest. We use the Maple11.01 for our programs, with specification as follow : Operating System : Microsoft Windows xp Porfesional Processor : Intel Pentium M Processor 1.73GHz Memory : 2045 MB RAM

Grafik 1. Test of the factorization speed

1200 1000 Speed of ECM Speed (s) 800 600 400 200 0 20 22 24 26 28 30 Number of Digits Speed of Pollard P-1 Speed of Pollard Speed of Squfof Speed of Fermat

5. Conclusion There are no known algorithms which can factor arbitrary large integers efficiently. ECM algorithm is in most cases more efficient than Pollard p-1 and Pollard Rho algorithms. However, the algorithms can fail when given certain prime products: for example, Fermat algorithm fails for N = 20. Integer factorization algorithms are an important subject in mathematics, and for practical purposes such as for breaking RSA. References [1] R.L. Rivest, A. Shamir, and L. Adleman,Signatures and Public-Key Cryptosystems, [2] Robert G. Salembier and Paul Southerington, An Implementation of the AKS Primality Test, Member, IEEE. [3] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. [4] Bruce Schneier, Applied Cryptography, protocols, Algorithms, And Sourse code in C, Second Edition, 1996 [5] Douglas R. Stinson, Cryptography: Theory and Practice, Second Edition, CRC Press, 2002. [6] Justin Moore, Runtime and Implementation of Factoring Algorithms: A Comparison, CSC290 Cryptology, December 20, 2003.

[7] Connelly Barnes, Integer Factorization Algorithms, Department of Physics, Oregon State University, December 7, 2004. [8] Connelly Barnes, Integer Factorization Algorithms , Department of Physics, Oregon State University, December 7, 2004. [9] Julio Cancero Marsyah, Perbandingan Efisiensi Antara Metode Elliptic Curve, Pollards Rho, Square Free dan Fermat untuk memfaktorkan Bilangan Integer N menjadi dua factor bilangan Prima P dan Q Pada system sandi RSA, Sekolah Tinggi Sandi Negara, 15 September 2006. [10] Christopher Swenson, Modern Cryptanalysis, Techniques for advanced code breaking, Wiley publishing, inc, 2008.