The RSA Algorithm

Rocky K. C. Chang, March 2014

Dec 25, 2015


Outline

- Trapdoor one-way function
- The RSA algorithm
- Some practical considerations
- RSA's security
- Some pitfalls of RSA

Trapdoor one-way function

- Suppose $n = pq$, where $p$ and $q$ are large primes.
- Consider $f(m) = m^e \bmod n$.
- For certain values of $e$, and provided $n$ is large enough, $f(m)$ is a one-way function.
- It is computationally infeasible to obtain $m$ from the knowledge of $n$, $e$, and $f(m)$.
- However, with the knowledge of a certain trapdoor, the inversion is easy to do.
- The trapdoor for RSA is the factorization of $n$ (i.e., the knowledge of $p$ and $q$).

The RSA algorithm

- Let $n = pq$, where $p$ and $q$ are primes. Note that $n$ is a composite number.
- Let $M = C = \mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
- $K = \{(n, p, q, d, e) : ed \equiv 1 \pmod{\phi(n)}\}$.
- We will see that $\phi(n) = (p-1)(q-1)$.
- For $K = (n, p, q, d, e)$, define $E_K(m) = m^e \bmod n$ and $D_K(c) = c^d \bmod n$, where $m, c \in \mathbb{Z}_n$.
- The $(n, e)$ comprise the "public key."
- The $(p, q, \phi(n), d)$ comprise the "private key."

To probe further

- Both encryption and decryption involve modulo multiplications.
- Since $n$ is composite, $\mathbb{Z}_n$ is not a group under modulo multiplication, i.e., the inverse may not exist.
  - $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
  - $\mathbb{Z}_n \setminus \mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) > 1\}$.
- How many elements are in $\mathbb{Z}_n^*$?
  - We denote the number of elements by $\phi(n)$.
  - Recall that $\phi(n)$ is used in determining $d$ and $e$.

The value of $\phi(n)$

- Note that $\gcd(a, n) = 1$ iff $\gcd(a, p) = 1$ and $\gcd(a, q) = 1$.
- There are $q$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod p = 0$: $\{0, p, 2p, \ldots, (q-1)p\}$.
- There are $p$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod q = 0$: $\{0, q, 2q, \ldots, (p-1)q\}$.
- Therefore, the total number of elements $a$ of $\mathbb{Z}_n$ with $\gcd(a, n) > 1$ is $p + q - 1$ (0 appears in both sets and is counted once).
- Thus, $\phi(n) = pq - (p + q - 1) = (p-1)(q-1)$.
- Use the well-known result (in slide 28 of the prelude slides) that if $b \in \mathbb{Z}_n^*$, then $b^{\phi(n)} \equiv 1 \pmod n$.
- Therefore, $a^{(p-1)(q-1)} \equiv 1 \pmod n$, for $a \in \mathbb{Z}_n^*$.

For example,

- Let $p = 3$, $q = 5$. Therefore, $n = 15$ and $(p-1)(q-1) = 8$.
- For any $a \in \{0, 3, 5, 6, 9, 10, 12\}$, $a^8 \not\equiv 1 \pmod{15}$.
- For any $a \in \{1, 2, 4, 7, 8, 11, 13, 14\}$, $a^8 \equiv 1 \pmod{15}$, e.g.,
  - $2^4 \equiv 1 \pmod{15}$.
  - $4^2 \equiv 1 \pmod{15}$.
  - $7^4 \equiv 1 \pmod{15}$.
  - …
- Note that primitive elements may not exist in $\mathbb{Z}_n^*$, because $n$ is not a prime.

The relationship between e and d

- The values of $e$ and $d$ have to satisfy $ed \equiv 1 \pmod{(p-1)(q-1)}$.
- Recall that $d$ exists iff $\gcd(e, (p-1)(q-1)) = 1$ (slide 17 of the prelude slides).
- For example, $p = 101$ and $q = 113$.
  - $n = pq = 11413$.
  - $\phi(n) = (p-1)(q-1) = 11200 = 2^6 \cdot 5^2 \cdot 7$.
  - Pick $e = 3533$, which is not divisible by 2, 5, or 7.
  - Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod 11200 = 6597$.
  - To encrypt $m = 9726$, compute $9726^{3533} \bmod 11413 = 5761$.
  - To decrypt $c = 5761$, compute $5761^{6597} \bmod 11413 = 9726$.

$D_K(E_K(m)) = m$?

- Recall that $ed \equiv 1 \pmod{\phi(n)}$.
- In other words, $ed = t\phi(n) + 1$, where $t$ is a nonnegative integer.
- Part I: Let's consider an $m \in \mathbb{Z}_n^*$.
  - $(m^e)^d \equiv m^{t\phi(n)+1} \pmod n$.
  - $(m^e)^d \equiv (m^{\phi(n)})^t \, m \pmod n$.
  - $(m^e)^d \equiv (1)^t \, m \pmod n$.
  - $(m^e)^d \equiv m \pmod n$.

$D_K(E_K(m)) = m$?

- Part II: Let's consider an $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$.
- Using the Chinese Remainder Theorem, $m \bmod n$ can be uniquely represented by $(m \bmod p, m \bmod q)$.
- Note that one of the following is true:
  - $m \bmod p = 0$ and $m \bmod q = 0$, or
  - $m \bmod p = 0$ and $m \bmod q \neq 0$, or
  - $m \bmod p \neq 0$ and $m \bmod q = 0$.
- For $m \bmod p = 0$ and $m \bmod q = 0$, $m^{ed} \bmod p = 0$ and $m^{ed} \bmod q = 0$.
  - Therefore, $m^{ed} \equiv m \equiv 0 \pmod p$ and $m^{ed} \equiv m \equiv 0 \pmod q$.
- For those cases where $m \bmod p = 0$ or $m \bmod q = 0$,
  - Say $m \bmod p = 0$ and $m \bmod q \neq 0$.
  - By the CRT, $m^{ed} \bmod n$ can be represented by $(0, m^{ed} \bmod q)$.
  - Using the previous two results, $(0, m^{ed} \bmod q)$ is equal to $(0, m \bmod q)$.

Digital signing using RSA

- To sign a message $m$, Alice computes $s = m^d \bmod n$.
- The pair $(m, s)$ is a signed message.
- To verify the signature, anyone who knows the public key can verify that $s^e \equiv m \pmod n$, the message itself.


Some practical considerations

Generating the RSA parameters

1. Generate 2 large primes, $p$ and $q$ (each with size $k/2$ bits).
2. $n$ ($k \geq 2048$ bits) $\leftarrow pq$ and $\phi(n) \leftarrow (p-1)(q-1)$.
3. Choose a random $e$ ($1 < e < \phi(n)$) such that $\gcd(e, \phi(n)) = 1$.
4. $d = e^{-1} \bmod \phi(n)$.
5. Publish $(n, e)$ and safeguard the secret $(p, q, \phi(n), d)$.

Generating the RSA parameters

1. Need an efficient algorithm to generate a large prime.
   - The Rabin-Miller test determines whether an odd integer $n$ is prime.
2. Find 2 large primes.
3. Use the Euclidean algorithm to make sure that $\gcd(e, \phi(n)) = 1$.
4. Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod \phi(n)$.

Practical considerations

- Usually fix the value of $e$, e.g., $e = 3$ for signatures and $e = 5$ for encryption.
  - There are pitfalls when one is using the same exponent for both encryption and signatures.
  - Therefore, $p - 1$ and $q - 1$ cannot be multiples of 3 or 5.
  - Smaller exponent for signatures (why?)
  - Some problems with small exponents (to be discussed shortly).
- Other common values for $e$ are 17 and 65537.


RSA’s (in)security

The RSA's security

- An obvious attack against RSA is to factor $n$.
  - If this can be done, then obtain $p$ and $q$.
  - Compute $(p-1)(q-1)$.
  - Compute $e^{-1} \bmod (p-1)(q-1) = d$.
- Roughly speaking, breaking the RSA algorithm is as difficult as factoring $n$.
- The "current" factoring algorithms are able to factor numbers having up to 512 bits.
- On the safe side, $n \geq 2048$ bits to make the factoring problem computationally infeasible to solve.

The RSA's security

- Moreover, if one can obtain $\phi(n)$, one can obtain the other elements in the private key.
  - First of all, one can obtain $p$ and $q$ by solving $n = pq$ and $\phi(n) = (p-1)(q-1)$.
  - The solution for $p$ is given by $p^2 - (n - \phi(n) + 1)p + n = 0$.
  - In other words, if one can compute $\phi(n)$, one can factor $n$ into $p$ and $q$.
- Lastly, what happens if one can obtain the value of $d$?
  - $n$ can be factored in polynomial time using a randomized algorithm.
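Both claims on this slide can be checked on the toy key from the earlier worked example (n = 11413, e = 3533, d = 6597, φ(n) = 11200), which shows why φ(n) and d need the same protection as p and q. The Python below is an added example, not part of the original slides; the function names are made up here, and the randomized algorithm shown is the standard one based on finding a nontrivial square root of 1 modulo n.

```python
import math
import random

def factor_from_phi(n, phi):
    """Solve p^2 - (n - phi + 1) p + n = 0 for the two prime factors of n."""
    b = n - phi + 1                       # b = p + q
    disc = b * b - 4 * n                  # discriminant = (p - q)^2
    if disc < 0 or math.isqrt(disc) ** 2 != disc:
        raise ValueError("phi is not consistent with n")
    root = math.isqrt(disc)
    p, q = (b - root) // 2, (b + root) // 2
    if p * q != n:
        raise ValueError("phi is not consistent with n")
    return p, q

def factor_from_d(n, e, d):
    """Randomized (Las Vegas) factoring of n from a matching pair (e, d)."""
    k = e * d - 1                         # a multiple of phi(n)
    r, s = k, 0
    while r % 2 == 0:                     # write k = 2^s * r with r odd
        r, s = r // 2, s + 1
    while True:
        w = random.randrange(2, n - 1)
        g = math.gcd(w, n)
        if g > 1:                         # w already shares a factor with n
            return tuple(sorted((g, n // g)))
        v = pow(w, r, n)
        if v == 1:
            continue                      # this w reveals nothing, draw again
        while pow(v, 2, n) != 1:          # terminates because w^k = 1 (mod n)
            v = pow(v, 2, n)
        if v != n - 1:                    # v is a square root of 1 other than +-1
            g = math.gcd(v - 1, n)
            return tuple(sorted((g, n // g)))

if __name__ == "__main__":
    print(factor_from_phi(11413, 11200))      # toy values from the slides
    print(factor_from_d(11413, 3533, 6597))
```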

Pitfalls using RSA

- Problem 1: If Alice signs 2 messages $m_1$ and $m_2$, Eve can compute Alice's signature on $m_3 = m_1 m_2 \bmod n$.
  - Original signatures: $m_1^d$ and $m_2^d$.
  - Eve can produce the signature for $m_3$ by multiplying $m_1^d$ and $m_2^d$.

Pitfalls using RSA

- Problem 2: When RSA is used to encrypt a very small message $m$.
  - E.g., if $e = 5$ and $m < n^{1/5}$, then $m^e = m^5 < n$. Therefore, no mod $n$ operation is needed.
  - Simply take a fifth root of $c$ to recover $m$!
  - For example, if encrypting a 256-bit key using RSA, the encrypted key is less than $(2^{256})^5 = 2^{1280} \ll 2^{2048}$ if $n$ is a 2048-bit integer.
- The main problem is the existence of a structure in the numbers that RSA operates on.
- A possible approach is to use an encoding function to destroy the structure as much as possible.

Message encryption using RSA

- Using RSA to encrypt a message is almost never practiced.
  - The size of the message is limited by the size of $n$.
- Instead, choose a random secret key $K$, and encrypt $K$ with the RSA key.
  - The message encryption is based on a secret-key cryptosystem.
  - Sending $K^e \bmod n$, $E_K(m)$.

Message encryption using RSA

- A better approach is:
  - Choose a suitable random number $r \in \{0, 1, \ldots, n-1\}$.
  - Set $K = h(r)$, where $h()$ is some hash function.
  - Send $r^e \bmod n$ and $E_K(m)$.
- Advantages:
  - There is no structure in $r$.
  - The hash function ensures that no structure between $r$'s propagates to structure in the $K$'s.
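Problem 2 (a very small message with e = 5) and the random-r approach above, compared in Python. This is an added example, not part of the original slides: the demo modulus is constructed from two Mersenne primes, SHA-256 stands in for h(), and the function names are made up for this sketch.

```python
import hashlib
import secrets

# Constructed demo modulus (1886 bits) with e = 5. Neither p - 1 nor q - 1 is a
# multiple of 5, so d exists. Real keys use random primes, never Mersenne primes.
P, Q, E = 2**607 - 1, 2**1279 - 1, 5
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+
RLEN = (N.bit_length() + 7) // 8

def iroot(c, k):
    """Largest integer x with x**k <= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wrap_key_directly(key):
    """Send K^e mod n for a short symmetric key K (the structured case)."""
    return pow(int.from_bytes(key, "big"), E, N)

def wrap_with_random_r():
    """Pick r in {0, ..., n-1}, derive K = h(r), send r^e mod n."""
    r = secrets.randbelow(N)
    return hashlib.sha256(r.to_bytes(RLEN, "big")).digest(), pow(r, E, N)

def unwrap_random_r(c):
    """Receiver side: recover r with the private exponent, then K = h(r)."""
    r = pow(c, D, N)
    return hashlib.sha256(r.to_bytes(RLEN, "big")).digest()

def exact_root_or_none(c):
    """What anyone can compute from c alone: its e-th root, if c is a perfect power."""
    x = iroot(c, E)
    return x if x ** E == c else None
```

With a 256-bit key, `exact_root_or_none(wrap_key_directly(key))` returns the key without any private material, while the ciphertext of a full-size random r is not a perfect fifth power.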

Digital signatures using RSA

- Problem: remove the structures of the messages that are signed.
  - Use a hash function to hash the messages.
- The hash function's output (e.g., 256 bits) is small compared with the size of $n$ (e.g., 2048 bits).
  - Cannot use the hash function output directly in RSA.

Digital signatures using RSA

- A solution is to use a pseudorandom mapping to expand $h(m)$ to a random number $s \in \{0, 1, \ldots, n-1\}$.
- If you ask Alice to sign a number of messages $m_1, m_2, \ldots, m_i$,
  - Eve can get hold of the $(m, s)$, but the values of $s$ are effectively random.
  - Thus, the information does not help forge Alice's signature.
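Problem 1 (the product of two signatures) next to the hash-then-expand remedy, in Python. This is an added example, not part of the original slides: the demo key is constructed from two Mersenne primes, and SHAKE-256 stands in for the pseudorandom mapping, which is an assumption of this sketch and not the PKCS #1 encoding.

```python
import hashlib

# Constructed demo key; real keys use random primes, never Mersenne primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+
NLEN = (N.bit_length() + 7) // 8

def sign_raw(m):
    """Textbook signature s = m^d mod n on an integer message."""
    return pow(m, D, N)

def verify_raw(m, s):
    return pow(s, E, N) == m % N

def encode(msg):
    """Hash the message, then expand h(m) to a number in {0, ..., n-1}."""
    digest = hashlib.sha256(msg).digest()                  # h(m), 256 bits
    wide = hashlib.shake_256(digest).digest(NLEN + 16)     # stand-in expansion
    return int.from_bytes(wide, "big") % N

def sign_hashed(msg):
    return pow(encode(msg), D, N)

def verify_hashed(msg, s):
    return pow(s, E, N) == encode(msg)

def product_forgery_accepted(m1, m2):
    """Multiply two genuine signatures and test the result as a signature on
    m3 = m1*m2 mod n. Returns (accepted by raw RSA, accepted by hashed RSA)."""
    m3 = (m1 * m2) % N
    as_bytes = lambda m: m.to_bytes(NLEN, "big")
    raw = verify_raw(m3, sign_raw(m1) * sign_raw(m2) % N)
    hashed = verify_hashed(
        as_bytes(m3), sign_hashed(as_bytes(m1)) * sign_hashed(as_bytes(m2)) % N)
    return raw, hashed

if __name__ == "__main__":
    print(product_forgery_accepted(1234567, 7654321))
```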

The RSA Lab's public-key cryptography standard

- PKCS #1 for RSA or RFC 3447 covers
  - Data conversion primitives: a text <-> a non-negative integer
  - Cryptographic primitives
  - Encryption schemes
    - RSAES-OAEP (for new applications) – cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme
    - RSAES-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method
  - Digital Signature schemes
    - RSASSA-PSS (for new applications) – cryptographic primitives + a probabilistic signature scheme-based encoding method
    - RSASSA-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method

Conclusions

- RSA can be used for encryption as well as digital signatures.
- The security of RSA lies in the difficulty of factoring a large number into 2 primes.
- RSA encryption and decryption require expensive exponentiation operations.
  - The CRT helps accelerate the operations.
- In practice, RSA is used to encrypt a secret key with an encoding function.
- In practice, the messages to be signed have to go through a hash function to destroy the message structures.

Acknowledgments

The notes are prepared mostly based on

D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.

N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.

http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf