Pollard's+attack+on+RSA

The most famous attack on RSA is Pollard's. As we just saw last week, finding the factoring of P1*P2 gives you an easy way to decrypt any message encrypted with RSA using those two primes. You don't even have to recover the original m, y (or a,b in Stinson's notation)!

I think of Pollard as enhancing a blind guess with a sieve of Erastosthenes.

The sieve is an old way of finding primes. You take a number line with the positive integers ticked. Cross off all the multiples of 2 because the only even prime is 2 and we know that one. Now cross off all the multiples of three. And so on. When you travel this number line, you find numbers which have not been crossed off. So long as you have crossed off all the multiples of the numbers less than the squareroot of of this surviving number, this surviving number must be prime. A simple idea and slow as mud to implement. This method does find all the consecutive primes from the low end of the number line.

There are several clever tricks to find large primes. The most famous are the Mersenne primes. These numbers are light years ahead of the known consecutive primes. RSA likes to use big primes from the high end of the known consecutives and even larger primes from using math tricks. There are some worries that prime-seeking programs might choose composite numbers by accident and then an RSA program uses these not-quite-prime numbers as primes, inadvertently weakening security (better chance of factoring P1*P2) and increasing the chance of the RSA encryption failing (remember our examples where the P1 and the little a were the same? You get crap when the message has a factor in common with P1*P2 as well.)

Pollard's method gambles at finding the P1, P2. It uses a partial sieve, based on multiples of factors of a factorial. This is clever because the smaller numbers are the ones which create the fineness of the mesh used in the sieve. Then the method tests numbers which survive the sieve as divisors of P1*P2. Clever, eh?

1.Suppose we wish to factor //n //and //n=pm //for some unknown prime //p //and //m //.

2.Choose a random number //a //and a number B that has LOTS of prime factors. 3. Compute gcd((//a^ //B) -1 mod //n, n //). If not //n //or 1, then we have a factor of //n //. 4. We'll have to try various a's and B's. So this is a method best left to Maple.

Let's see some examples. Baby example: n = P1*P2 = 11*41 = 451 a = 2, B = 24 fails to turn up a factor. a = 3, B = 12 fails to turn up a factor. a = 3, B = 15 turns up a factor.

Problem 1. Why is seeking the gcd of (a^B) - 1 mod n ,n) better than trying to factor n? Problem 2. What structure does a^B - 1 have which is useful in this method of factoring?

Problem 3. What does a^B - 1 have to do with Repunit numbers?

Second example. In Maple, we could use nextprime(13840) and nextprime(117772) to get P1 *P2 without seeing them. Choosing a = 2 and B = 180! (that's 180 factorial) scores a factor on the first try.

Problem 4. What is this factor? Probelm 5. Can you find another a, B combination which works?