CMSC 441 — Spring 2020 — C. S. Marron

Project 2: RSA and Factoring

Moduli List

The moduli list, status, and CSV download are now available!

Due Dates

1. Part 1a due before 9:00 pm on Thursday 4/23
   Must be completed individually.
2. Part 1b due before 9:00 pm on Monday 4/27
   Must be completed individually.
3. Part 2 due by 9:00 pm on Thursday 5/7
   May be completed with a partner.

Objectives

1. Implement and use important number-theoretic algorithms
2. Understand the application of number-theoretic algorithms to RSA
3. Implement and apply a factoring algorithm to "break" RSA keys

Assignment

In this project, you will write code to generate RSA public and private keys and implement a factoring algorithm to "break" RSA moduli generated by your fellow students. Extra credit will be awarded for generating moduli that are as small as possible while withstanding other students' attempts to factor it; choosing an appropriate modulus size will require familiarity with the factoring algorithm. Extra credit may also be awarded for factoring other students' moduli.

Part 1a: RSA Key Generation

Must be completed individually.

You need to write code to generate RSA public and private keys. The program must accept the desired modulus size in bits as a parameter (e.g. 1024, 2048) and must write the keys, clearly labeled, to stdout. You will need to use a multiprecision library and may use the library's functions for multiplication, modular reduction, and modular exponentation; however, you must write your own code to compute modular inverses (e.g. Extended Euclidean Algorithm) and to perform the Miller-Rabin test for probable primes.

Allowed languages and multiprecision libraries are as follows:

Language	Multiprecision Library
C/C++	GMP
C++	Boost Multiprecision
Java	BigInteger class
Python	native or GMPY

Lastly, you must generate a set of public and private keys and use the private key to sign the message "I deserve an X", where X is the grade you believe you deserve for Part 1a. See Section 31.7 in CLRS for a description of how to use RSA to create a signature. In order to sign the message, you will need to encode it as an integer with the first character of the message forming the high byte of the integer. The following Python code demonstrates how to encode the message M (a string) in the integer x:

     x = 0
     for c in M:
             x = x << 8
             x = x ^ ord(c)

Your submission for Part 1a should include

• Source code for RSA key generation with build instructions
• A public/private key pair generated using your program
• The message "I deserve an ..." along with its signature; the signature must be computed using the submitted private key.

If your library uses different algorithms depending on parameters sizes, you should describe the algorithms used for numbers of cryptographic size, i.e. moduli of 1024 – 4096 bits. You may submit the algorithm descriptions, signed message, and public key in a separate file, or you may include them in a comment block at the top of your key generation code. In either case, the descriptions must be well-written and should identify relationships to the algorithms presented in class.

Part 1b: Provide a Modulus

Must be completed individually.

This portion of the project is very simple: generate a key pair using your code from Part 1a and provide the modulus (n). All the submitted moduli will be posted for the class to try to factor.

Normally, one would choose a very large modulus, at least 1024 bits, but in this case, extra credit will be awarded for providing a small modulus that resists your fellow students' attempts at factoring. To pick the modulus size, you will need to have some understanding of the capabilities of the Pollard rho (and possibly Pollard p-1) factoring method. For example, if you believe Pollard rho can only factor moduli up to 100 bits, then you might choose a 110-bit modulus — or smaller if you want to live dangerously. At any rate, you can't choose a modulus size intelligently untill you've done some research or tested an implementation of Pollard rho.

Your submission for Part 1b should include

• Your modulus (n)

Part 2: Factoring

May be completed with a partner.

For the final part of the project, you must implement the Pollard rho algorithm and use it to attempt to factor your fellow students' moduli. If you succeed in factoring a classmate's modulus, you should send the factorization to me in an email as soon as possible so that you can receive credit for being the first to factor the modulus (if that is the case) and so I can keep track of how many people have factored each modulus.

I will also provide some moduli, some of which will be easy to factor, and others more difficult; one or two will be "tricky." Your code must be able to factor the "easy" moduli that I provide, and factoring one or more "moderate" moduli will improve your score. Extra credit will be awarded for successfully factoring a classmate's modulus (other than your partner's, if you're working with one) or any of the "tricky" moduli.

You should give some thought to the efficiency of your factoring algorithm. Would it be more effective to use trial division up to some bound before using Pollard rho? Can you make good use of multithreading? Is it worth implementing some other factoring algorithm, such as the Pollard p-1 method? On the other hand, you may do better just getting a simple Pollard rho working and letting it chug-away at your classmates' moduli — it's up to you.

Implementing Pollard rho will require a multiprecision library; the permissible languages and libraries are the same as in Part 1a. However, for this part of the project, you may use any library functions, including the gcd, which is likely to be more efficient than your implementation from Part 1a.

If you succeed in factoring another student's modulus, you should submit to me by email, as soon as possible,

• The modulus and its factors

Your final submission for Part 2 should include

• Factoring code, well-documented, including build instructions
• A list of the moduli you factored, along with their factors
• If you succed in factoring a "tricky" moduli, include a description of how you were able to factor it (i.e. what was the trick)

The list of factored moduli and descriptions of "tricks" may be submitted in a separate file or may be included in a comment block at the top of your source code.

Grading

Points will be distributed among Parts 1a, 1b, and 2 as follows:

• Part 1a — 20 points
• Part 1b — 5 points
• Part 2 — 25 points

Grading of Part 1a will be based on correctness of the Extended Euclidean Algorithm and Miller-Rabin algorithm implementations and correctness of the signed message.

Grading of Part 1b will be based entirely on completion.

Grading of Part 2 will be based on correctness and efficiency of the factoring implementation and success in factoring moduli that I provide.

Extra credit will be awarded for producing a modulus in Part 1b that is as small as possible while resisting attempts at factoring, success in factoring other students' moduli, and success in factoring "tricky" moduli.

Late penalties will be applied to each part independently.