CS 161
Computer Security
Fall 2005
Joseph/Tygar/Vazirani/Wagner
Notes 10
1 One-way function

A one-way function is a fundamental notion in cryptography. It is a function on $n$ bits such that given $x$ it is easy to compute $f(x)$, but on input $f(x)$ it is hard to recover $x$ (or any other preimage of $f(x)$). One of the fundamental sources of one-way functions is the remarkable contrast between multiplication, which is fast, and factoring, for which we know only exponential time algorithms. The simplest procedures for factoring a number require an enormous effort if that number is large. Given a number $N$, one can try dividing it by $1, 2, \ldots, N-1$ in turn, and return all the factors that emerge. This algorithm requires $N-1$ steps. If $N$ is in binary representation, as is customary, then its length is $n = \lceil \log_2 N \rceil$ bits, which means that the running time is proportional to $2^n$, exponential in the size of the input. One clever simplification is to restrict the possible candidates to just $2, 3, \ldots, \sqrt{N}$, and for each factor $f$ found in this shortened list, to also note the corresponding factor $N/f$. As justification, witness that if $N = ab$ for some numbers $a$ and $b$, then at most one of these numbers can be more than $\sqrt{N}$. The modified procedure requires only $\sqrt{N}$ steps, which is proportional to $2^{n/2}$ but is still exponential. Factoring is one of the most intensely studied problems by algorithmists and number theorists. The best algorithms for this problem take $2^{c\, n^{1/3} \log^{2/3} n}$ steps. The current record is the factoring of RSA-576, a 576-bit challenge by RSA Inc. The factoring of 1024-bit numbers is well beyond the capability of current algorithms.

The security of the RSA public key cryptosystem is based on this stark contrast between the hardness of factoring and the ease of multiplication.
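The two trial-division procedures described above, written out as an added example (this is not code from the notes). Both functions count the division steps they perform, so the $N-1$ versus $\sqrt{N}$ contrast can be observed directly; the input numbers used in the demo are constructed for illustration.

```python
import math


def divisors_naive(N):
    """Trial division as first described: try every candidate 1, 2, ..., N-1
    and keep those that divide N.  Returns (sorted divisors, division steps).
    The step count is always N - 1, i.e. about 2^n for an n-bit N."""
    found = []
    steps = 0
    for cand in range(1, N):
        steps += 1
        if N % cand == 0:
            found.append(cand)
    return found, steps


def divisors_sqrt(N):
    """Shortened trial division: candidates 2, 3, ..., floor(sqrt(N)) only.
    Each divisor f found also yields its co-factor N // f, which accounts for
    the divisors above sqrt(N): if N = a*b then at most one of a, b exceeds
    sqrt(N), so one of them is always in the candidate list.
    Returns (sorted non-trivial divisors, division steps); the step count is
    about sqrt(N), i.e. 2^(n/2) for an n-bit N."""
    found = set()
    steps = 0
    for cand in range(2, math.isqrt(N) + 1):
        steps += 1
        if N % cand == 0:
            found.add(cand)
            found.add(N // cand)
    return sorted(found), steps


def bit_length(N):
    """n = ceil(log2 N), the input size the running times are measured against.
    Computed with integer arithmetic to avoid floating-point rounding."""
    return (N - 1).bit_length()


def same_nontrivial_divisors(N):
    """Consistency check: the shortened search finds exactly the divisors of the
    full search, minus the trivial divisor 1."""
    naive, _ = divisors_naive(N)
    short, _ = divisors_sqrt(N)
    return [d for d in naive if d != 1] == short


if __name__ == "__main__":
    # Constructed demo inputs: a product of two primes, a smooth number, a prime.
    for N in (91, 36, 97):
        naive, naive_steps = divisors_naive(N)
        short, short_steps = divisors_sqrt(N)
        print(f"N={N} (n={bit_length(N)} bits): naive {naive} in {naive_steps} steps, "
              f"sqrt-bounded {short} in {short_steps} steps")
```

For a 576-bit $N$ the `divisors_sqrt` loop would still need on the order of $2^{288}$ iterations, which is the point of the section: the $\sqrt{N}$ trick halves the exponent but leaves the procedure exponential in $n$.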
2 Outline of RSA

In the RSA cryptosystem, each user selects a public key $(N, e)$, where $N$ is a product of two large primes $P$ and $Q$, and $e$ is the encryption exponent (usually $e = 3$). $P$ and $Q$ are unknown to the rest of the world, and are used by the owner of the key (say Alice) to compute the private key $(N, d)$. Even though $d$ is uniquely defined by the public key $(N, e)$, actually recovering $d$ from $(N, e)$ is as hard as factoring $N$, i.e. given $d$ there is an efficient algorithm to recover $P$ and $Q$. The encryption function is a permutation on $\{0, 1, \ldots, N-1\}$. It is given by $E(m) = m^e \bmod N$. The decryption function is $D(c) = c^d \bmod N$, with the property that $D(E(m)) = m$, i.e. for every $m$, $m^{ed} = m \bmod N$. To establish these properties and understand how to choose $d, e$ we must review modular arithmetic.
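A toy RSA instance, added here as an example (not code from the notes), that checks the two claims just made: that $E(m) = m^e \bmod N$ permutes $\{0, \ldots, N-1\}$ and that $D(E(m)) = m$ for every $m$. It also shows the exhaustive-search inversion that Eve could attempt with only the public key, to make the cost contrast concrete. The primes $P = 11$, $Q = 17$ are constructed for illustration and far too small for real use; the choice $d = e^{-1} \bmod (P-1)(Q-1)$ is the standard RSA construction, which the notes have not yet justified at this point.

```python
from math import gcd


def rsa_keygen(P, Q, e=3):
    """Build a toy RSA key pair from two given primes P and Q.
    Public key (N, e), private key (N, d), with d the inverse of e modulo
    (P-1)(Q-1) (the standard construction; assumed here, not yet derived
    in the notes).  e must be coprime to (P-1)(Q-1) for d to exist."""
    N = P * Q
    phi = (P - 1) * (Q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (P-1)(Q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (N, e), (N, d)


def encrypt(pub, m):
    """E(m) = m^e mod N, using fast modular exponentiation."""
    N, e = pub
    return pow(m, e, N)


def decrypt(priv, c):
    """D(c) = c^d mod N."""
    N, d = priv
    return pow(c, d, N)


def is_permutation(pub):
    """Check that E permutes {0, ..., N-1}: every residue appears exactly once
    as a ciphertext.  Feasible only because N is tiny here."""
    N, _ = pub
    return sorted(encrypt(pub, m) for m in range(N)) == list(range(N))


def roundtrips(pub, priv):
    """Check D(E(m)) = m, i.e. m^(ed) = m mod N, for every m in {0, ..., N-1}."""
    N, _ = pub
    return all(decrypt(priv, encrypt(pub, m)) == m for m in range(N))


def exhaustive_inversion(pub, c):
    """Eve's position: with only (N, e), recover m from c by computing
    x^e mod N for x = 0, 1, ..., N-1 until it equals c.  Always succeeds,
    because E is a permutation, but costs up to N = 2^n steps.
    Returns (x, steps taken)."""
    N, e = pub
    for steps, x in enumerate(range(N), start=1):
        if pow(x, e, N) == c:
            return x, steps
    return None, N


if __name__ == "__main__":
    pub, priv = rsa_keygen(11, 17)  # constructed toy primes: N = 187
    print("public key", pub, "private key", priv)
    c = encrypt(pub, 42)
    print("E(42) =", c, " D(E(42)) =", decrypt(priv, c))
    print("E is a permutation:", is_permutation(pub))
    print("D(E(m)) = m for all m:", roundtrips(pub, priv))
    print("exhaustive inversion of c:", exhaustive_inversion(pub, c))
```

With $N = 187$ the exhaustive search finishes in a few dozen steps; with a 1024-bit $N$ the same loop would need on the order of $2^{1024}$ iterations, while Alice's `decrypt` remains a single modular exponentiation.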
Before we do that let us make some observations about RSA. First, what makes public key cryptography counterintuitive is the seeming symmetry between the recipient of the message, Alice, and the eavesdropper, Eve. After all, the ciphertext $m^e \bmod N$ together with the public key $(N, e)$ uniquely specifies the plaintext $m$. In principle one could try computing $x^e \bmod N$ for all $0 \le x \le N-1$ until one hits upon the ciphertext. However, this is prohibitively expensive. RSA breaks the symmetry between Alice and Eve be