ASC X9 IR-F01-2022
© ASC X9 Inc., 2022 – All Rights Reserved
. Another way to think about modular arithmetic is that the result of reducing a number modulo is the integer
remainder when you divide that number by .
One of the features of modular arithmetic is that useful patterns emerge as we reduce larger and larger values under
a fixed modulus. We can easily see that if we take the numbers , and so on, and
reduce them modulo , we get a repeating, cyclical pattern: , and so on. Other patterns exist
as well. What if we selected a number, say , and looked at what happens when we take the values
,
etc, and reduce them modulo ? We cannot say exactly what those values end up being without explicitly knowing
a value for . However, we can say with certainty that a cyclical, repeating pattern will eventually emerge. The
mathematical reason for this emerging pattern is that there are exactly possible values for a number reduced
modulo , namely . If we keep taking higher and higher powers of two, we will never get or more
distinct values after we perform the reductions, and so necessarily numbers will repeat eventually. We are
guaranteed then that after reducing distinct numbers, we get at least one repeat. Once the values get their
first repeat, the one after that will be the same number that followed it the first time around, similarly for that number,
and so on. And so, a cyclical pattern emerges. The number of distinct numbers in the pattern is often called the
period of the pattern.
Recall again from section 8.2 that during RSA encryption or signing, the message is raised to some exponent (the
public value in the case of encryption, or the private value in the case of signing), and the resulting value is
reduced modulo . Concretely, suppose we are given an RSA ciphertext of the form
mod, and we wanted
to recover the plaintext message . We know from the above that there is some sort of pattern in the values
etc. when taken modulo . Further, we know that this pattern eventually repeats, that it
eventually cycles back to . If the pattern has period , then
mod, and
. It turns out, again
for somewhat mathematical reasons, that the period here has a very special relationship with the values and ,
the secret prime factors of . Specifically, that is some multiple of .
Knowing that for some integer is interesting, but since we do not know the value of , we
cannot calculate the pattern, and hence the period, to begin with. Instead of dealing with then, we can select our
own value and build our own pattern! Suppose that we selected a random number between and (0 and 1
are not useful to select here), call it , and computed the period for the pattern
. Call this period . We
might first want to quickly check if is a multiple of (we might have just gotten lucky and found a factor of , but
for large , it is not likely). We know that is a multiple of . Using this information, along with a tool
from Number Theory called The Euclidean Algorithm, we can compute the value of either or , and hence, both.
Thus, we completely recover the RSA secret key.
The problem with the above attack is that RSA moduli, the values of , are enormous. It simply is not practical to
find the period for a random value when working modulo a cryptographically large number. At least, if you are using
classical methods. The Period Finding Problem can be restated using the language of the Hidden Subgroup Problem
(for finite abelian Groups), which can be efficiently solved by a quantum computer running Shor’s Algorithm.
Going back to the discussion of Shor’s Algorithm from section 11.1.2, we can now see how the Quantum Fourier
Transformation can be used to compute the period for a randomly selected value , and with some relatively
straightforward post-processing, completely break RSA. That is, the set
forms a (hidden)
subgroup of , by learning the subgroup we learn the period of , and by learning the period of we
can recover the RSA private key. Importantly, in the above description, we selected only a single value and found
its period. In practice, when running the QFT we might need to select and try more than one random number, as
this technique does not work for every possible value of .
11.2.2.2 Elliptic Curve Cryptography
Recall from Section 8.2.3 that the points on a given elliptic curve, the mathematical constructs underpinning Elliptic
Curve Cryptography, form a group. The study of elliptic curve groups and their properties is a rich and deeply
complex area of mathematics, with many fascinating theoretical results and applications. The mathematical details
aside, it turns out that elliptic curve groups are abelian. Therefore, by defining an elliptic curve’s points over a finite
field, the resulting group is both finite and abelian. Importantly, the elliptic curve groups used in practical