Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

9.5 The RSA Challenge

When the RSA algorithm was first made public in 1977, Rivest, Shamir, and Adleman made the following challenge.

Let the RSA modulus be

\begin{array}{l} n = \\ 114381625757888867669235779976146612010218296721242362 \\ 562561842935706935245733897830597123563958705058989075 \\ 147599290026879543541 \end{array}

$\begin{array}{l} n = \\ 114381625757888867669235779976146612010218296721242362 \\ 562561842935706935245733897830597123563958705058989075 \\ 147599290026879543541 \end{array}$

and let $e = 9007$ $e = 9007$ be the encryption exponent. The ciphertext is

\begin{array}{l} c = \\ 968696137546220614771409222543558829057599911245743198 \\ 746951209308162982251457083569314766228839896280133919 \\ 90551829945157815154. \end{array}

$\begin{array}{l} c = \\ 968696137546220614771409222543558829057599911245743198 \\ 746951209308162982251457083569314766228839896280133919 \\ 90551829945157815154. \end{array}$

Find the message.

The only known way of finding the plaintext is to factor $n$ $n$ . In 1977, it was estimated that the then-current factorization methods would take $4 \times 10^{16}$ $4 \times 10^{16}$ years to do this, so the authors felt safe in offering $100 to anyone who could decipher the message before April 1, 1982. However, techniques have improved, and in 1994, Atkins, Graff, Lenstra, and Leyland succeeded in factoring $n$ $n$ .

They used 524339 “small” primes, namely those less than 16333610, plus they allowed factorizations to include up to two “large” primes between 16333610 and $2^{30}$ $2^{30}$ . The idea of allowing large primes is the following: If one large prime $q$ $q$ appears in two different relations, these can be multiplied to produce a relation with $q$ $q$ squared. Multiplying by $q^{- 2} (mod n)$ $q^{- 2} (mod n)$ yields a relation involving only small primes. In the same way, if there are several relations, each with the same two large primes, a similar process yields a relation with only small primes. The “birthday paradox” (see Section 12.1) implies that there should be several cases where a large prime occurs in more than one relation.

Six hundred people, with a total of 1600 computers working in spare time, found congruence relations of the desired type. These were sent by e-mail to a central machine, which removed repetitions and stored the results in a large matrix. After seven months, they obtained a matrix with 524339 columns and 569466 rows. Fortunately, the matrix was sparse, in the sense that most of the entries of the matrix were 0s, so it could be stored efficiently. Gaussian elimination reduced the matrix to a nonsparse matrix with 188160 columns and 188614 rows. This took a little less than 12 hours. With another 45 hours of computation, they found 205 dependencies. The first three yielded the trivial factorization of $n$ $n$ , but the fourth yielded the factors

\begin{array}{l} p = \\ 349052951084765094914784961990389813341776463849338784 \\ 3990820577, \end{array}

$\begin{array}{l} p = \\ 349052951084765094914784961990389813341776463849338784 \\ 3990820577, \end{array}$

\begin{array}{l} q = \\ 327691329932667095499619881908344614131776429679929425 \\ 39798288533. \end{array}

$\begin{array}{l} q = \\ 327691329932667095499619881908344614131776429679929425 \\ 39798288533. \end{array}$

Computing $9007^{- 1} (mod (p - 1) (q - 1))$ $9007^{- 1} (mod (p - 1) (q - 1))$ gave the decryption exponent

\begin{array}{l} d = \\ 106698614368578024442868771328920154780709906633937862 \\ 801226224496631063125911774470873340168597462306553968 \\ 544513277109053606095. \end{array}

$\begin{array}{l} d = \\ 106698614368578024442868771328920154780709906633937862 \\ 801226224496631063125911774470873340168597462306553968 \\ 544513277109053606095. \end{array}$

Calculating $c^{d} (mod n)$ $c^{d} (mod n)$ yielded the plaintext message

\begin{array}{l} 200805001301070903002315180419000118050019172105011309 \\ 190800151919090618010705, \end{array}

$\begin{array}{l} 200805001301070903002315180419000118050019172105011309 \\ 190800151919090618010705, \end{array}$

which, when changed back to letters using $a = 01, b = 02, \dots, blank = 00$ $a = 01, b = 02, \dots, blank = 00$ , yielded

the magic words are squeamish ossifrage

$the magic words are squeamish ossifrage$

(a squeamish ossifrage is an overly sensitive hawk; the message was chosen so that no one could decrypt the message by guessing the plaintext and showing that it encrypted to the ciphertext). For more details of this factorization, see [Atkins et al.]. If you want to see how the decryption works once the factorization is known, see Example 28 in the Computer Appendices.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 9.5 The RSA Challenge

Create new playlist

Sign In

Sign Up

Table of Contents for
9.5 The RSA Challenge