The RSA Algorithm Rocky K. C. Chang, March 2014 1
1
The RSA Algorithm
Rocky K. C. Chang, March 2014
2
Outline
Trapdoor one-way function The RSA algorithm Some practical considerations RSA’s security Some pitfalls of RSA
3
Trapdoor one-way function Suppose n = pq, where p and q are large
primes. Consider f(m) = me mod n. For certain values of e and that n is large
enough, f(m) is a one-way function. It is computationally infeasible to obtain m based
on the knowledge of n, e, and f(m). However, with the knowledge of a certain
trapdoor, the inversion is easy to do. The trapdoor for RSA is the factorization of n (i.e.,
the knowledge of p and q).
4
The RSA algorithm Let n = pq, where p and q are primes. Note
that n is a composite number. Let M = C = Zn = {0, 1, 2, …, n–1}. K = {(n, p, q, d, e): e d 1 (mod (n))}.
We will see that (n) = (p–1)(q–1). For K = (n, p, q, d, e), define
EK(m) = me mod n, and DK(c) = cd mod n, where m, c Zn.
The (n, e) comprise the “public key.” The (p, q, (n), d) comprise the “private key.”
5
To probe further Both encryption and decryption involve
modulo multiplications. Since n is a composite, Zn is not a group under
modulo multiplication, i.e., the inverse may not exist. Z*
n = {a Zn: gcd(a,n) = 1}. Zn \ Z*
n = {a Zn: gcd(a,n) > 1}.
How many elements in Z*n?
We denote the number of elements by (n). Recall that (n) is used in determining d and e.
6
The value of (n) Note that gcd(a,n) = 1 iff gcd(a,p) = 1 and
gcd(a,q) = 1. There are q numbers in Zn that satisfy a mod p =
0: {0, p, 2p, …, (q–1)p}. There are p numbers in Zn that satisfy a mod q =
0: {0, q, 2q, …, (p–1)q}. Therefore, the total number of numbers in Zn that
their gcd(a,n) > 1 is p+q–1. Thus, (n) = pq – (p+q–1) = (p–1)(q–1). Use the well-known result (in slide 28 of the
prelude slides) that if b Z*n, then b(n) 1 (mod n).
Therefore, a(p–1)(q–1) 1 (mod n), for a Z*n.
7
For example, Let p = 3, q = 5. Therefore, n = 15 and (p–1)(q–1)
= 8. For any a {0, 3, 5, 6, 9, 10, 12}, a8 ! 1 (mod 15). For any a {1, 2, 4, 7, 8, 11, 13, 14}, a8 1 (mod
15), e.g., 24 1 (mod 15). 42 1 (mod 15). 74 1 (mod 15). …
Note that primitive elements may not exist in Z*n,
because n is not a prime.
8
The relationship between e and d The values of e and d have to satisfy
e d 1 (mod (p–1)(q–1)). Recall that d exists iff gcd(e,(p–1)(q–1)) = 1 (slide 17 of
the prelude slides). For example, p = 101 and q = 113.
n = pq = 11413. (n) = (p–1)(q–1) = 11200 = 26527. Pick e = 3533, which is not divisible by 2, 5, or 7. Use the extended Euclidean algorithm to compute d = e-1
mod 11200 = 6597. To encrypt m = 9726, compute 92763533 mod 11413 =
5761. To decrypt c = 5761, compute 57616597 mod 11413 =
9726.
9
DK(EK(m)) = m? Recall that ed 1 (mod (n)). In other words, ed = t(n)+1, where t is a
nonnegative integer. Part 1: Let’s consider an m Z*
n. (me)d mt(n)+1(mod n). (me)d (m(n))tm (mod n). (me)d (1)tm (mod n). (me)d m (mod n).
10
DK(EK(m)) = m? Part II: Let’s consider an m Zn \ Z*
n. Using the Chinese Remainder Theorem, m mod n can be
uniquely represented by (m mod p, m mod q). Note that either the following is true:
m mod p = 0 and m mod q = 0 or m mod p = 0 and m mod q 0 or m mod p 0 and m mod q = 0.
For m mod p = 0 and m mod q = 0, med mod p = 0 and med mod q = 0. Therefore, med m (mod p) = 0 and med m (mod q) = 0.
For those cases where m mod p = 0 or m mod q = 0, Say m mod p = 0 or m mod q 0, By the CRT, med mod n can be represented by (0, med mod q). Using the previous two results, (0, med mod q) is equal to (0, m mod q).
11
Digital signing using RSA To sign a message m, Alice computes s = md
mod n. The pair (m,s) is a signed message. To verify the signature, anyone who knows the
public key can verify that se m mod n, the message itself.
12
Some practical considerations
13
Generating the RSA parameters1. Generate 2 large primes, p and q (each with
size k/2 bits).2. n (k ≥ 2048 bits) pq and (n) (p–1)(q–1).3. Choose a random e (1 < e < (n)) such that
gcd(e,(n)) = 1.4. d = e-1 mod (n).5. Publish (n,e) and safeguard the secret (p, q,
(n), d).
14
Generating the RSA parameters1. Need an efficient algorithm to generate a
large prime. Rabin-Miller test determines whether an odd
integer n is prime.
2. Find 2 large primes.3. Use the Euclidean algorithm to make sure
that gcd(e,(n)) = 1.4. Use the extended Euclidean algorithm to
compute d = e-1 mod (n).
15
Practical considerations Usually fix the value of e, e.g., e = 3 for
signatures and e = 5 for encryption. There are pitfalls when one is using the same
exponent for both encryption and signatures. Therefore, p – 1 and q – 1 cannot be multiples of 3
or 5. Smaller exponent for signatures (why?) Some problems with small exponents (to be
discussed shortly). Other common values for e are 17 and 65537.
16
RSA’s (in)security
17
The RSA’s security An obvious attack against RSA is to factor n.
If this can done, then obtain p and q. Compute (p–1)(q–1). Compute e-1 mod (p–1)(q–1) = d.
Roughly speaking, breaking the RSA algorithm is as difficult as factoring n. The “current” factoring algorithms are able to
factor numbers having up to 512 bits. On the safe side, n ≥ 2048 bits to make the
factoring problem computationally infeasible to solve.
18
The RSA’s security Moreover, if one can obtain (n), one can obtain
other elements in the private key. First of all, one can obtain p and q by solving
n = pq and (n) = (p–1)(q–1).
The solution for p is given by p2 – (n – (n) + 1)p + n = 0.
In other words, if one can compute (n), one can factor p and q.
Lastly, what happen if one can obtain the value of d? n can be factored in polynomial time using a randomized
algorithm.
19
Pitfalls using RSA Problem 1: If Alice signs 2 messages m1 and
m2. Eve can compute Alice’s signature on m3 = m1m2 mod n. Original signatures: m1
d and m2d.
Eve can produce the signature for m3 by multiplying m1
d and m2d.
20
Pitfalls using RSA Problem 2: When RSA is used to encrypt a very
small message m. E.g., if e = 5 and m < n1/5, then me = m5 < n. Therefore,
no mod n operation needed. Simply take a fifth root of c to recover m! For example, if encrypting a 256-bit key using RSA, the
encrypted key is less than 22565 = 21280 << 22048 if n is a 2048-bit integer.
The main problem is the existence of a structure in the numbers that RSA operates on.
A possible approach is to use an encoding function to destroy the structure as much as possible.
21
Message encryption using RSA Using RSA to encrypt a message is almost
never practiced. The size of the message is limited by the size of n.
Instead, choose a random secret key K, and encrypt K with the RSA key. The message encryption is based on secret key
cryptosystem, Sending Ke mod n, EK(m).
22
Message encryption using RSA A better approach is:
Choose a suitable random number r {0, 1, …, n–1}.
Set K = h(r), where h() is some hash function. Send re mod n and EK(m).
Advantages: There is no structure in r. The hash function ensures that no structure
between r’s propagates to structure in the K’s.
23
Digital signatures using RSA Problem: remove the structures of the
messages that are signed. Use a hash function to hash the messages.
The hash function’s output (e.g., 256 bits) is small compared with the size of n (e.g., 2048 bits). Cannot use the hash function output directly in
RSA.
24
Digital signatures using RSA A solution is to use a pseudorandom mapping
to expand h(m) to a random number s {0, 1, …, n – 1}.
If you ask Alice to sign a number of messages m1, m2, …, mi. Eve can get hold of the (m, s), but the values of s
are effectively random. Thus, the information does not help forge Alice’s
signature.
25
The RSA Lab’s public-key cryptography standard PKCS #1 for RSA or RFC 3447 covers
Data conversion primitives: a text <-> a non-negative integer
Cryptographic primitives Encryption schemes
RSAES-OAEP (for new applications) – cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme
RSAES-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method
Digital Signature schemes RSASSA-PSS (for new applications) – cryptographic primitives
+ a probabilistic signature scheme-based encoding method RSASSA-PKCS1-v1_5 (for existing applications) – cryptographic
primitives + a PKCS1-v1_5 encoding method
26
Conclusions RSA can be used for encryption as well as digital
signatures. The security of RSA lies on the difficulty of
factoring a large number into 2 primes. RSA encryption and decryption require expensive
exponentiation operations. The CRT helps accelerate the operations.
In practice, RSA is used to encrypt a secret key with an encoding function.
In practice, the messages to be signed have to go through a hash function to destroy the message structures.
27
Acknowledgments The notes are prepared mostly based on
D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.
http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf