Primality Testing and Integer Factorization in Public-Key Cryptography, Second Edition

Advances in Information Security
Sushil Jajodia, Consulting Editor
Center for Secure Information Systems, George Mason University, Fairfax, VA 22030-4444
email: [email protected]

The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in, information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance. ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment. Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series.

Additional titles in the series:
INSIDER ATTACK AND CYBER SECURITY: Beyond the Hacker, edited by Salvatore Stolfo, Steven M. Bellovin, Angelos D. Keromytis, Sara Sinclair, Sean W. Smith; ISBN: 978-0-387-77321-6
INTRUSION DETECTION SYSTEMS, edited by Roberto Di Pietro and Luigi V. Mancini; ISBN: 978-0-387-77265-3
VULNERABILITY ANALYSIS AND DEFENSE FOR THE INTERNET, edited by Abhishek Singh; ISBN: 978-0-387-74389-9
BOTNET DETECTION: Countering the Largest Security Threat, edited by Wenke Lee, Cliff Wang and David Dagon; ISBN: 978-0-387-68766-7
PRIVACY-RESPECTING INTRUSION DETECTION, by Ulrich Flegel; ISBN: 978-0-387-68254-9
SYNCHRONIZING INTERNET PROTOCOL SECURITY (SIPSec), by Charles A. Shoniregun; ISBN: 978-0-387-32724-2
SECURE DATA MANAGEMENT IN DECENTRALIZED SYSTEMS, edited by Ting Yu and Sushil Jajodia; ISBN: 978-0-387-27694-6
NETWORK SECURITY POLICIES AND PROCEDURES, by Douglas W. Frye; ISBN: 0-387-30937-3
DATA WAREHOUSING AND DATA MINING TECHNIQUES FOR CYBER SECURITY, by Anoop Singhal; ISBN: 978-0-387-26409-7
SECURE LOCALIZATION AND TIME SYNCHRONIZATION FOR WIRELESS SENSOR AND AD HOC NETWORKS, edited by Radha Poovendran, Cliff Wang, and Sumit Roy; ISBN: 0-387-32721-5
PRESERVING PRIVACY IN ON-LINE ANALYTICAL PROCESSING (OLAP), by Lingyu Wang, Sushil Jajodia and Duminda Wijesekera; ISBN: 978-0-387-46273-8
SECURITY FOR WIRELESS SENSOR NETWORKS, by Donggang Liu and Peng Ning; ISBN: 978-0-387-32723-5
MALWARE DETECTION, edited by Somesh Jha, Cliff Wang, Mihai Christodorescu, Dawn Song, and Douglas Maughan; ISBN: 978-0-387-32720-4

Additional information about this series can be obtained from http://www.springer.com

Primality Testing and Integer Factorization in Public-Key Cryptography, Second Edition
by Song Y. Yan, Harvard University and Massachusetts Institute of Technology, USA

Author: Dr. Song Y. Yan, Visiting Professor, Department of Mathematics, Harvard University, One Oxford Street, Cambridge, MA 02138-2901, [email protected]; and Department of Mathematics, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, MA 02139-4307, [email protected]

Library of Congress Control Number: 2008935407
ISBN-13: 978-0-387-77267-7
e-ISBN-13: 978-0-387-77268-4

© 2009 Springer Science+Business Media, LLC. All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis.
Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed on acid-free paper. springer.com

In Memory of Prof Shiing-Shen Chern (1911–2004), Founding Director, Mathematical Sciences Research Institute, Berkeley

Table of Contents

Preface to the Second Edition
Preface to the First Edition
1. Number-Theoretic Preliminaries
1.1 Problems in Number Theory
1.2 Groups, Rings and Fields
1.3 Divisibility Properties
1.4 Euclid's Algorithm and Continued Fractions
1.5 Arithmetic Functions σ(n), τ(n), φ(n), λ(n), µ(n)
1.6 Linear Congruences
1.7 Quadratic Congruences
1.8 Primitive Roots and Power Residues
1.9 Arithmetic of Elliptic Curves
1.10 Chapter Notes and Further Reading
2. Primality Testing and Prime Generation
2.1 Computing with Numbers and Curves
2.2 Riemann ζ and Dirichlet L Functions
2.3 Rigorous Primality Tests
2.4 Compositeness and Pseudoprimality Tests
2.5 Lucas Pseudoprimality Test
2.6 Elliptic Curve Primality Tests
2.7 Superpolynomial-Time Tests
2.8 Polynomial-Time Tests
2.9 Comparison of General Purpose Primality Tests
2.10 Primality Tests for Special Numbers
2.11 Prime Number Generation
2.12 Chapter Notes and Further Reading
3. Integer Factorization and Discrete Logarithms
3.1 Introduction
3.2 Simple Factoring Methods
3.3 Elliptic Curve Method (ECM)
3.4 General Factoring Congruence
3.5 Continued FRACtion Method (CFRAC)
3.6 Quadratic Sieve (QS)
3.7 Number Field Sieve (NFS)
3.8 Quantum Factoring Algorithm
3.9 Discrete Logarithms
3.10 kth Roots
3.11 Elliptic Curve Discrete Logarithms
3.12 Chapter Notes and Further Reading
4. Number-Theoretic Cryptography
4.1 Public-Key Cryptography
4.2 RSA Cryptosystem
4.3 Security and Cryptanalysis of RSA
4.4 Rabin Cryptography
4.5 Quadratic Residuosity Cryptography
4.6 Discrete Logarithm Cryptography
4.7 Elliptic Curve Cryptography
4.8 Zero-Knowledge Techniques
4.9 Deniable Authentication
4.10 Non-Factoring Based Cryptography
4.11 Chapter Notes and Further Reading
Bibliography
Index
About the Author

Preface to the Second Edition

The mathematician's patterns, like the painter's or the poet's, must be beautiful; the ideas, like the colours or the words, must fit together in a harmonious way. Beauty is the first test: there is no permanent place in this world for ugly mathematics.
G. H. Hardy (1877–1947)

The success of the first edition of the book encourages me to prepare this second edition. I have taken this opportunity to try to make the book as updated and self-contained as possible by including new developments and results in the field. Notable features of this new edition are that several new sections and more than 100 new pages are added. These include a new section in Chapter 2 on the comparison of the Rabin-Miller probabilistic test in RP, the Atkin-Morain elliptic curve test in ZPP and the AKS deterministic test in P, a new section in Chapter 3 on recent work in quantum factoring, and a new section in Chapter 4 on post-quantum cryptography. To make the book suitable as an advanced undergraduate and/or postgraduate text/reference, about ten problems at various levels of difficulty are added at the end of each section, making about 300 problems in total contained in the book; most of the problems are research-oriented, with prizes offered by individuals or organizations to a total amount of over five million US dollars.
During the preparation of the book, I had a good opportunity to talk and discuss with the late Prof Shiing-Shen Chern, the first Director of the Mathematical Sciences Research Institute in Berkeley, many times in his Home of Geometry at Nankai University, Tianjin, when I was a Specially Appointed Visiting Professor at Nankai. Although a geometer, Prof Chern had long been interested in number theory, partly because many of his close friends, e.g., André Weil (1906–1998), were working in both geometry and number theory. In contrast to G. H. Hardy (1877–1947) and L. E. Dickson (1874–1954), Chern always regarded number theory as a branch of applied mathematics, as it is applicable to many other branches of mathematics and other science subjects. Special thanks must be given to Prof Michael Sipser of the Massachusetts Institute of Technology, Prof Benedict Gross and Prof Barry Mazur of Harvard University, Prof Glyn James of Coventry University, Prof Yuan Wang and Prof Zhexian Wan of the Chinese Academy of Sciences, Prof Zikun Wang of Beijing Normal University, and the editors, Susan Lagerstrom-Fife and Sharon Palleschi, of Springer in Boston for their encouragement and help during the preparation of this second edition. Finally, I would like to thank Prof Glyn James, Prof Zuowen Tan and Prof Duanqiang Xie for reading the manuscripts of the book.

This work was financially supported by a Global Research Award from the Royal Academy of Engineering, London, UK, to work at Harvard University and the Massachusetts Institute of Technology. The author is very grateful to Prof Ivor Smith, Prof John McWhirter and Dr Chris Coulter of the Royal Academy of Engineering for their support, and to Prof Cliff Taubes, Chairman of the Department of Mathematics at Harvard University, and Prof Michael Sipser, Head of the Department of Mathematics at the Massachusetts Institute of Technology, for appointing me to work at the two institutions.

Cambridge, Massachusetts, September 2008
S. Y. Y.
Preface to the First Edition

The problem of distinguishing prime numbers from composite, and of resolving composite numbers into their prime factors, is one of the most important and useful in all arithmetic. ... The dignity of science seems to demand that every aid to the solution of such an elegant and celebrated problem be zealously cultivated.
C. F. Gauss (1777–1855)

Primality testing and integer factorization, as identified by Gauss in his Disquisitiones Arithmeticae, Article 329, in 1801, are the two most fundamental problems (as well as the two most important research fields) in number theory. With the advent of modern computers, they have also found unexpected applications in public-key cryptography and information security. In this book, we shall introduce various methods/algorithms for primality testing and integer factorization, and their applications in public-key cryptography and information security. More specifically, we shall first review some basic concepts and results in number theory in Chapter 1. Then in Chapter 2 we shall discuss various algorithms for primality testing and prime number generation, with an emphasis on the Miller-Rabin probabilistic test, the Goldwasser-Kilian and Atkin-Morain elliptic curve tests, and the Agrawal-Kayal-Saxena deterministic test for primality. There is also an introduction to large prime number generation in Chapter 2. In Chapter 3 we shall introduce various algorithms, particularly the Elliptic Curve Method (ECM), the Quadratic Sieve (QS) and the Number Field Sieve (NFS), for integer factorization. Also in Chapter 3 we shall discuss some other computational problems that are related to factoring, such as the square root problem, the discrete logarithm problem and the quadratic residuosity problem. In Chapter 4, we shall discuss the most widely used cryptographic systems based on the intractability of the integer factorization, square root, discrete logarithm, elliptic curve discrete logarithm and quadratic residuosity problems.
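The Miller-Rabin test mentioned above is the primality test a security engineer meets most often in practice (key generation, validation of peer-supplied Diffie-Hellman parameters), and the prefaces' remark that it sits in RP rather than P is worth seeing concretely. The following is an added example in Python, not code from the book: it implements the strong probable-prime test, then shows why the choice of bases matters. The numbers used are constructed test inputs chosen for this example: 2047 = 23 · 89 is the smallest strong pseudoprime to base 2, 3215031751 = 151 · 751 · 28351 is the smallest strong pseudoprime to bases 2, 3, 5 and 7 simultaneously, and 2^61 − 1 is a Mersenne prime. The function and constant names are this example's own.

```python
"""Miller-Rabin strong probable-prime test (added example, not from the book).

Shows (a) the one-sided error that places the test in RP: a prime is
never rejected, a composite is wrongly accepted with probability at most
4**-rounds when the bases are random; and (b) why a *fixed* set of small
bases is unsafe on adversarial input: composites exist that are strong
pseudoprimes to every base in such a set.
"""

import random

# Constructed test values for this example (not from the book):
SPSP_BASE_2 = 2047                 # 23 * 89, smallest strong pseudoprime to base 2
SPSP_BASES_2_3_5_7 = 3215031751    # 151 * 751 * 28351, smallest spsp to bases 2,3,5,7
MERSENNE_61 = 2**61 - 1            # a Mersenne prime

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def decompose(n):
    """Write n - 1 = 2**s * d with d odd and return (s, d)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def is_strong_probable_prime(n, a):
    """Strong (Miller-Rabin) test of an odd n > 2 to the base a, 1 < a < n - 1.

    False means a is a witness: n is certainly composite.
    True means n is prime or a strong pseudoprime to base a (a is a 'strong liar').
    """
    s, d = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def passes_fixed_bases(n, bases):
    """Deterministic variant: accept n if it passes every base in a fixed tuple.

    Correct only for n below a bound that depends on the base set; on
    adversarial input a composite tuned to exactly these bases is accepted.
    Requires n > max(bases).
    """
    return all(is_strong_probable_prime(n, a) for a in bases)


def miller_rabin(n, rounds=40, rng=random.SystemRandom()):
    """Probabilistic test with bases drawn from a cryptographic RNG.

    Never rejects a prime; accepts a composite with probability <= 4**-rounds,
    which is the one-sided (RP-style) error the prefaces refer to.
    """
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # trial division handles tiny n and cheap rejects
        if n == p:
            return True
        if n % p == 0:
            return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)  # uniform base in [2, n - 2]
        if not is_strong_probable_prime(n, a):
            return False
    return True


if __name__ == "__main__":
    print("2047 passes base 2:", is_strong_probable_prime(SPSP_BASE_2, 2))
    print("2047 passes base 3:", is_strong_probable_prime(SPSP_BASE_2, 3))
    print("3215031751 passes bases 2,3,5,7:",
          passes_fixed_bases(SPSP_BASES_2_3_5_7, (2, 3, 5, 7)))
    print("3215031751 passes base 11:",
          is_strong_probable_prime(SPSP_BASES_2_3_5_7, 11))
    print("2^61-1 random-base test:", miller_rabin(MERSENNE_61))
    print("3215031751 random-base test:", miller_rabin(SPSP_BASES_2_3_5_7))
```

The design point for a practitioner is the last two calls: the same composite that fools the fixed bases 2, 3, 5, 7 is rejected, with overwhelming probability, by a handful of random bases, because at most a quarter of the candidate bases are strong liars for any odd composite. When the number under test comes from an untrusted party, use random bases (or a rigorous test such as the elliptic curve or AKS tests the book covers), not a fixed small set.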
I have tried to make this book as self-contained as possible, so that it can be used either as a textbook suitable for a course for final-year undergraduate or first-year postgraduate students, or as a basic reference in the field.