chris farley - missouri state university · web viewrsa public-key cryptosystem suppose alice and...
TRANSCRIPT
Chris Farley
PAGE
11
Farley
Chris Farley
Research Paper
RSA Public-key Cryptosystem
Suppose Alice and Bob want to communicate with each other, but they do not want others to be able to ‘ease drop’ on their conversations. For example, Alice and Bob may be working on top-secret research or they may be allies in a war. They would need to develop their own system for communication like their own language or alphabet. However, this would not necessarily ensure that they could protect the translation from an attacker. They need a way of converting information and then decoding the converted information so that it is only understood by each other. The process by which they will achieve this is cryptography, also known as cryptology. The particular scheme that they employ is a cryptosystem.
Cryptosystems are made up of three basic parts: the encryption algorithm, the decryption algorithm, and the key(s). The encryption algorithm is the algorithm used to encode an original, or a plaintext message. The decryption algorithm is the reverse process of the encryption algorithm. With the decryption algorithm, the user converts the encoded message back to its original plaintext message. The key system is used during the process of encrypting and decrypting messages. Generally, an encryption key is used to encrypt messages, whereas a decryption key is used decrypt messages.
The RSA algorithm is used in cryptography as a public-key cryptosystem. This algorithm was the first known to be suitable for signing as well as encryption. Because of this, it was one of the first great advancements in public-key cryptology. RSA is still widely used and is believed to be secure given sufficiently long keys. This is because RSA is based on the difficulty of factoring large prime numbers.
Ron Rivest, Adi Shamir, and Len Adleman described the RSA algorithm at MIT in 1977. The algorithm’s name, “RSA”, was derived from the initials of their last names. The algorithm was patented by MIT in the United States in 1983. It was given the U.S. Patent number 4,405,829, expiring on September 21, 2000 (Wikipedia, RSA).
A British mathematician, Clifford Cocks, supposedly had written an equivalent system to RSA in 1973. However, the research was not pursued due to the lack of and the cost of computers that were needed to execute the algorithm. This discovery was not revealed until 1997 because of the top-secret classification given by GCHQ (UK Government Communications Head Quarters), of which, Cocks was affiliated.
Now that we have a little background about RSA, it is time to answer how Alice can securely communicate with Bob. How do we go about generating the keys that we need to securely send the message? If Bob wants to have Alice send him a secure message over an insecure medium, then he needs to take the following steps to generate the public and private keys:
1. Choose two large primes, p and q, randomly and independently of each other; however, be sure that they are very large so that their product will be of sufficient size. Also, the primes are to be kept secret.
2. Compute the product N = pq. The product, N, is to be made public and is known as the modulus.
3. Compute the totient
).
1
)(
1
(
)
(
-
-
=
q
p
N
f
The totient function is Euler’s phi function (see notes section).
4. Choose an integer e (which is to be made public), where
),
(
1
N
e
f
<
<
such that
,
1
)
),
(
gcd(
=
e
N
f
or equivalently, e is coprime or relatively prime to
).
(
N
f
In general, if
,
1
)
,
gcd(
=
b
a
then a and b are relatively prime, and
))
(
(mod
N
b
a
f
º
is a congruence. Note that this can be found using the Euclidean Algorithm.
5. Compute the private key, d, which is the multiplicative inverse of
)),
(
(mod
N
e
f
i.e., find an integer d with
)).
(
(mod
1
N
de
f
º
In general, solve for d in the equation
).
1
)(
1
mod(
1
-
-
=
q
p
ed
The existence of d follows from the fact that if given two integers, a and b, where the
,
1
)
,
gcd(
=
b
a
then b is invertible (mod a) and b has a multiplicative inverse in
a
Z
. This can also be found with the Euclidean Algorithm.
That is how we generate our keys. The public key consists of the modulus, N, and the public exponent, also referred to as the encryption exponent, e. The private key consists of, again, the public modulus, N, and the private exponent, d, which is also called the decryption exponent. The value of d must be kept secret, as well as the values of p, q, and
).
(
N
f
Now that we have our keys, we can start sending messages. How do we use our keys to send encrypted messages and then decrypt them? To explain, we will return to our hypothetical ‘guinea pigs’, Alice and Bob. Suppose Alice wishes to send a message M to Bob. Alice converts the message M to an integer, m < N, by using whatever method she chooses (I will briefly discuss different types of methods that are generally used to do this in other sections of the paper). Note that if
,
N
m
³
then Alice would need to break it up into groups, where each group is a number
...
2
,
1
,
0
,
=
<
i
N
i
m
and the encryption procedure would be done on all groups. However, for this example, we will assume that m < N. Alice has m, and given the public key N and e, she then converts m to the ciphertext, y, by using the following equation:
N
e
m
y
mod
=
This can be done quickly using the method of exponentiation by squaring (see notes section), but is usually done with a computer. After Alice converts the message to cyphertext, she sends it to Bob. When Bob receives the message, he uses his private key, d, to recover m from y by doing the inverse modular exponentiation process:
N
d
y
m
mod
=
That was easy enough, right? However, you may be asking how we can be sure that when Bob receives the ciphered message, and then deciphers it, that he will arrive at the original message sent by Alice? In other words, we need to verify that
)
(mod
N
m
d
e
m
º
(this notation is described in the notes section, briefly; we say
d
e
m
is congruent to m modulo N, where N is the modulus of the congruence, also written
m
N
d
e
m
=
mod
, Michon, G. P.) For a quick explanation, the decryption procedure works because d mod N is the multiplicative inverse of e. Thus,
d
y
is the inverse of
.
e
m
To elaborate,
,
mod
mod
)
(
mod
N
ed
m
N
d
e
m
N
d
y
=
=
also,
)
1
(mod
1
-
º
p
ed
and
).
1
(mod
1
-
º
q
ed
Using Fermat’s little theorem (see notes section) we conclude that
)
(mod
p
m
d
e
m
º
and
).
(mod
q
m
d
e
m
º
Given that p and q are distinct primes, the Chinese remainder theorem (see notes section) says that these two congruences can be rewritten as
)
(mod
pq
m
d
e
m
º
, and finally,
).
(mod
N
m
d
e
m
º
■ (Wikipedia, RSA)
In order to exemplify the RSA encryption/decryption process with a working example, we will use very small numbers that are not recommended to be used for real RSA processes. Suppose Alice wants to send the message “Hello Bob” to Bob. Also, assume that Alice and Bob have decided to convert letters to numbers by using each letter’s corresponding two-digit representational position in the alphabet. So our number m is to represent the message “Hello Bob”. Before we go further, we need to generate our keys. First, we will pick our two primes which are to be kept secret. Since we are using relatively small numbers, we let p = 53 and q = 41. Next, we compute N = pq =
,
2173
41
53
=
´
which is the modulus, a part of the public key. Then, we choose e such that it is coprime to
).
(
2080
40
52
)
1
)(
1
(
N
q
p
f
=
=
´
=
-
-
For this example, we will choose e = 7, verified by
.
1
)
7
,
2080
gcd(
)
),
(
gcd(
=
º
e
N
f
Remember that e, the encryption exponent, is also part of the public key. From here, we can find d by solving for it in the equation 1 = 7d mod 2080. In this case, d = 1783 will work because
).
(mod
1
1
)
2080
(
6
12481
1783
7
N
=
+
=
=
´
(CITE)
Now that we have generated our public key, (N, e), and our private key, (N, d), we are ready to proceed. We will assume that Bob made the public key and sent it to Alice so that she could transfer encrypted messages to him. We will also assume that Bob has our private key, which he will use to decrypt the message. Alice transforms “Hello Bob” to m = 080512121500021502 (for our example any blank space is represented by 00). Since the number m is larger than the modulus N, Alice must split it up. To do so, she splits m into six different numbers, each containing three digits, ensuring that each
N
m
i
<
:
502
121
021
512
500
080
6
3
5
2
4
1
=
=
=
=
=
=
m
m
m
m
m
m
Next, for each
i
m
, Alice will convert the cyphertext y, where y is also made up of six numbers corresponding to each of the
.
s
'
i
m
To do this, Alice computes
N
e
i
m
i
y
mod
=
:
592
2173
mod
7
502
6
1102
2173
mod
7
121
3
1837
2173
mod
7
021
5
1730
2173
mod
7
512
2
1355
2173
mod
7
500
4
200
2173
mod
7
080
1
=
=
=
=
=
=
=
=
=
=
=
=
y
y
y
y
y
y
Alice then transmits all six of these messages to Bob. When Bob gets around to checking his messages, he realizes that Alice has sent him one. Excited, he quickly applies his private key, d = 1783 to decipher the cyphertext. To do so, he computes
,
mod
N
d
i
y
i
m
=
for each
i
y
:
502
2173
mod
1783
592
6
121
2173
mod
1783
1102
3
021
2173
mod
1783
1837
5
512
2173
mod
1783
1730
2
500
2173
mod
1783
1355
4
080
2173
mod
1783
200
1
=
=
=
=
=
=
=
=
=
=
=
=
m
m
m
m
m
m
I will explain how one can compute these large modular exponentiations later (see notes section), for now, I will continue with the decrypting process.
Bob now has all of the pieces that he needs to decipher the message. Bob groups the pieces together and gets the number 080512121500021502. He then splits the number up again by grouping in pairs: 08 05 12 12 15 00 02 12 02. Since Bob knows that the numbers correspond to positions of letters in the alphabet, he can convert the message one step further, deciphering the message to discover that Alice says, “Hello Bob.”
As mentioned earlier, the security of relies on the fact it is difficult to factor sufficiently large numbers. No polynomial-time method for factoring large integers on a classical computer has been found yet. However, it has not been proven that none exists. As of November 8, 2005, the largest number factored by general purpose methods was 640 bits long (known as the RSA-640 number) which was a 193 digit number. This factorization was done on 80 CPU’s working together and took approximately four and a half months, total. The prize that the German BSI team received for factoring this number was $20,000. Because of the different methods of factorization that are being used with the help of linked computers or super-computers, the current recommendation for the product of primes, N, is for it to be is at least 2048 bits long. However, if quantum computing reaches a sufficient level, as it is predicted to be no earlier than 2015, it potentially can perform factorization in polynomial time, rendering RSA and related algorithms obsolete.
How do we know that the message we receive is the sent by our correspondent? For this, RSA provides for message “signing” which entails the sender producing a hash value of the message to be sent, raising that value to the power of d mod N (as done when decrypting), and attaching it as a “signature” to the message. When the receiver gets the signed message, he raises the signature to the power of e mod N (as done when encrypting), and compares the resulting hash value with the message’s actual hash value, making sure they agree, therefore verifying the signature. (Wikipedia, RSA)
There are various different methods that are used to pad numbers to messages to enhance the security of the messages. These methods are commonly referred to as padding schemes. Although, we will not fully discuss these schemes, I think that it is pertinent to know the value of applying these techniques for a practical application. For example, if a sender did not use padding schemes, then the security of their message may be flawed by the following things:
1. Both of the values of m = 0 or m = 1 will produce the same ciphertext due to the properties of exponentiation.
2. If the encryption is done with small encryption exponents and small message values, then the result of
e
m
could be strictly less than the value of the modulus n. If this is the case, then the ciphertext is easily discovered by taking the eth root of it (without using the modulus).
3. Because RSA uses public keys, then an attacker could develop a ciphertext library of resultant ciphers of encryptions using the public key. If the ciphertext that are intercepted match any of the library’s ciphers, then the attacker would know the resultant plaintext.
Again, there are many different techniques that are employed to securely pad plaintext. This paper has some references which describe some of these schemes in further detail.
The computation of RSA renders it to be slower than other cryptosystems. Because of this, typical applications of RSA would involve sending credit card numbers, very short messages, map coordinates, or other relatively small numbers. If someone wished to send a large message, they usually would encrypt the message with a different cryptography method such as DES. Then they would encrypt a key to decrypt the message with RSA. Of course, the key would be relatively small. After which, the sender would transmit both the RSA encrypted key to the message and the encrypted message itself.
There are lots of other security issues and general considerations regarding RSA. For more information, consult the references listed at the end of this paper. For now, we will elaborate on the mathematical ‘backbone’ of RSA.
Notes Section: How It All Works
This section presents some principles of number theory and definitions that are used throughout this paper. First, for congruences, we have several forms of notation. For example, “a is congruent to b modulo N” is a congruence where N is the modulus of the congruence. Mathematically, this congruence can be expressed with the following notations, of which, the first two are used in this paper:
10
]
[
10
]
[
]
[
mod
)
(mod
b
a
N
b
a
b
N
a
N
b
a
=
º
=
º
Next, these ideas are the foundational tools that make the RSA cryptosystem work.
· Prime numbers are those that are greater than one, which only has factors of one and itself.
· Two numbers are said to be relatively prime or coprime if the two numbers have no common factors other than one.
· The largest integer that divides two integers, say, a and b, is known as the greatest common divisor of a and b, denoted
).
,
gcd(
b
a
· If two numbers, a and b, are coprime, then
1
)
,
gcd(
=
b
a
. The converse is also true. A corollary to this idea is that there exist integers x and y such that
1
=
+
by
ax
(Bézout’s identity).
· The Euler phi function or totient function, denoted
),
(
N
f
is defined as the number of integers from 1 to N that are coprime to N, where such numbers are totatives of N. Also, for any prime p,
.
1
)
(
-
=
p
p
f
· When we say N divides a, we use the notation N | a. Also, there exists an integer k such that a = Nk.
· The common notation,
),
(mod
N
b
a
º
means a and b have the same remainder when divided by N, or N | a-b.
· If
)
(mod
N
b
a
º
and
)
(mod
N
d
c
º
then
N
d
b
c
a
)
(mod
±
=
±
and
).
(mod
N
bd
ac
=
· If given that p and q are coprime, and p | a and q | a, then pq | a. Also, if pq | a then p | a and q | a, for all p and q.
· If p and q are coprime, then
).
(
)
(
)
(
pq
q
p
f
f
f
=
The following section describes the theorems that RSA cryptography is based on:
· Taken from the Chinese Remainder Theorem: Let p and q be integers, not necessarily prime, such that they are coprime. If
)
(mod
p
b
a
º
and
)
(mod
q
b
a
º
then we have
).
(mod
pq
b
a
º
Proof: Since
),
(mod
p
b
a
º
then p | a-b. Also, since
),
(mod
q
b
a
º
then q | a-b. But p and q are coprime, thus pq | a-b. Therefore,
).
(mod
pq
b
a
º
■ (Davis, T.)
· Fermat’s Little Theorem: For any integer a and any prime number p,
).
(mod
p
a
p
a
º
If a and p are coprime, then
),
(mod
1
1
p
p
a
º
-
or, equivalently,
).
1
1
(
|
-
-
p
a
p
This Theorem has many proofs, for ours, we will prove it by using group theory. For this we will need to recognize that
{
}
1
...,
,
2
,
1
-
=
p
G
forms a group under the operation of multiplication modulo p and also, we will need to use Lagrange’s Theorem: The order of any subgroup divides the order of the whole group.
Proof: Let
{
}
1
...,
,
2
,
1
-
=
p
G
form a group under the operation of multiplication modulo p. Choose
.
G
a
Î
Let k be the order of a, so that
).
(mod
1
p
k
a
º
By Lagrange’s theorem, k divides the order of G, which is
.
1
-
p
So,
km
p
=
-
1
for some positive integer m. Thus,
).
(mod
1
1
)
(
1
p
m
m
k
a
km
a
p
a
º
º
º
º
-
■ (Wikipedia, Proofs of Fermat’s Little Theorem)
· Fermat-Euler Theorem or Euler’s Generalization of Fermat’s Little Theorem: For any number a coprime to n, we have
),
(mod
1
)
(
n
n
a
º
f
where
)
(
n
f
is Euler’s phi function (as previously described). Since this is a generalization of Fermat’s Little Theorem, we will not display a formal proof.
From here, we have all of the tools needed to prove the main result of the RSA process. The following is a proof that will use the abovementioned number theory and theorems to prove the main result of the RSA scheme. Choose two large primes, p and q, randomly and independently of each other. Let
,
pq
N
=
also, define the totient function
).
1
)(
1
(
)
(
-
-
=
q
p
N
f
Next, let e be an integer such that
1
)
),
(
gcd(
=
e
N
f
(i.e. e is coprime to
)
(
N
f
). Then, let d be a number such that
))
(
(mod
1
N
ed
f
º
(A further elaboration of how to generate d is given following our proof). Given the message m, an integer such that
,
0
N
m
<
£
define the encoded message, y, as
.
mod
N
e
m
y
=
We need to show that the decoded message is given by
.
mod
N
d
y
m
=
Proof of main result: Since we are given that
)),
(
(mod
1
N
ed
f
º
we can express this congruence as
),
1
(
|
)
(
-
ed
N
f
that is
)
(
N
f
divides
.
1
-
ed
Since p and q are coprime, we have
).
(
)
(
)
(
)
(
q
p
pq
N
f
f
f
f
=
=
Therefore,
),
1
(
|
)
(
)
(
-
ed
q
p
f
f
and we can also express this as
)
1
(
|
)
(
-
ed
p
f
and
).
1
(
|
)
(
-
ed
q
f
Since
),
1
(
|
)
(
-
ed
p
f
then
$
an integer k such that
)
(
1
p
k
ed
f
=
-
or, because p is prime,
).
1
(
1
-
=
-
p
k
ed
Now, looking at the general case of
.
,
mod
Z
Î
a
p
ed
a
We can form the congruence
),
(mod
1
1
p
ed
a
ed
a
+
-
º
or equivalently,
).
(mod
1
p
a
ed
a
ed
a
×
-
º
As shown above, we can substitute for
1
-
ed
and we have,
).
(mod
)
1
(
p
a
p
k
a
ed
a
×
-
º
Since p is prime, then our integer, a, will be either coprime to p, or it will be a multiple of p (i.e.
).
)
,
gcd(
p
p
a
=
Case 1: In the case where a is coprime to p, from Fermat’s Little Theorem, we have
).
(mod
1
1
p
p
a
º
-
We can raise this to the power of an integer k getting
).
(mod
1
)
1
(
p
p
k
a
º
-
Thus, our congruence can be rewritten as
).
(mod
1
)
1
(
p
a
a
a
p
k
a
ed
a
º
×
º
×
-
º
Case 2: Considering the other case where a is a multiple of p, we recognize that if
,
|
a
p
then
.
|
ed
a
p
From this fact, we have
).
(mod
0
p
ed
a
º
But, since
,
|
a
p
we have
).
(mod
0
p
a
º
Therefore, because
,
0
|
-
a
p
the congruence
)
(mod
p
a
ed
a
º
still holds true.
By the same argument, we can show that because
),
1
(
|
)
(
-
ed
q
f
we have
).
(mod
q
a
ed
a
º
We have shown that
)
(mod
p
a
ed
a
º
and
).
(mod
q
a
ed
a
º
Thus, because p and q are coprime, by the Chinese Remainder Theorem,
).
(mod
)
(mod
N
a
pq
a
ed
a
º
º
We can now relate this to our original equation, as given,
.
mod
N
e
m
y
=
Now we have
).
(mod
)
(
N
ed
m
d
e
m
d
y
º
º
But, as a result shown above,
).
(mod
N
m
ed
m
º
Hence,
)
(mod
N
m
d
y
º
and
).
(mod
N
d
y
m
º
At this point, it is important to mention that expressed as a congruence, this relationship does not yield a one-to-one correspondence between our message m and our ciphertext y. But, because the calculation is limited to
N
Z
, we are limiting the value to be less than our modulus, N. Therefore, there is only one integer m, satisfying
).
(mod
N
d
y
m
º
Thus,
.
0
,
mod
N
m
N
d
y
m
<
£
=
■ (DI Management)
Further elaboration on the generation of d, with terms defined as above, is as follows: Given the integer e, we will need to find d such that
)).
(
(mod
1
N
ed
f
º
To find this d, we will use Euler’s Generalization of Fermat’s Little Theorem. By this theorem we get
,
1
)
(
mod
))
(
(
=
N
N
e
f
f
f
so
)
(
mod
1
))
(
(
N
N
e
f
f
f
-
is a suitable value for d (Davis, T.).
The following section describes, as promised, the computation of large modular exponentiations:
Look at the following computation, as seen previously.
080
2173
mod
1783
200
1
=
=
m
Although this calculation looks tough, it can be done by taking the binary expansion of the exponent, d, in order to calculate partial results modulo N, otherwise known as the method of modular exponentiation by squaring. To elaborate, consider our d = 1783. This can also be written as d =1024 + 512 + 128 + 64+ 32 + 16 + 4 + 2 + 1 = 1783. Therefore, if we want to calculate
1783
200
, we do the following:
.
1
200
512
200
1024
200
1
2
4
16
32
64
128
512
1024
200
1783
200
×
×
×
=
+
+
+
+
+
+
+
+
=
Now we need to calculate the partial results modulo N, and following the repeated squaring pattern of 200, we will get all the exponents that have a power of 2. As we obtain these, we will exclude the ones that are not used in the binary expansion of 1783 (we will not need 256 or 8):
256
2173
mod
1024
200
16
2173
mod
512
200
1371
2173
mod
128
200
1773
2173
mod
64
200
672
2173
mod
32
200
365
2173
mod
16
200
543
2173
mod
4
200
886
2173
mod
2
200
200
2173
mod
1
200
=
=
=
=
=
=
=
=
=
The result we will generate from this is:
1
80
2173
mod
)
200
886
543
365
672
1773
1371
16
256
(
2173
mod
1783
200
m
=
=
×
×
×
×
×
×
×
×
=
That is exactly what we were looking for. In this case, the computation of
1024
200
is also too challenging for your calculator, but you can repeat the preceding process on it and then use its result to finish the computation (Davis, T.).
Random quote:
“Mathematics is the Queen of sciences, and arithmetic the Queen of mathematics.”
–Carl Friedrich Gauss (1777-1855).
Reference:
Davis, T., “RSA Encryption.” Geometer, Math Circles. Retrieved on November 11, 2005 from the World Wide Web: http://www.geometer.org/mathcircles
DI Management, “RSA Theory.” DI Management Services, © 2000-2004. Retrieved on December 4, 2005 from the World Wide Web:
http://www.di-mgt.com.au/rsa_theory.html
DI Management, “RSA Algorithm.” DI Management Services, © 2000-2004. Retrieved on December 4, 2005 from the World Wide Web:
http://www.di-mgt.com.au/rsa_theory.html
Gilbert, J., Gilbert, L., “Elements of Modern Algebra.” Brooks/Cole, Thompson Learning, © 2000. ISBN 0-534-37351-8.
Gottesman, D., Lo Hoi-Kwong, “Figure 2 from ‘From Quantum Cheating to Quantum Security’.” Physics Today Online, © 2001 American Institute of Physics. Retrieved on November 8, 2005 from the World Wide Web: http://www.physicstoday.org/pt/vol-53/iss-11/captions/p22cap2.html
Johnsonbaugh, R., “Discrete Mathematics.” Prentice Hall © 2001. ISBN 0-13-089008-1.
Lewand, R. E., “Cryptological Mathematics.” The Mathematical Association of America Inc., © 2000. Library of Congress Catalog Card Number 00-105256.
ISBN 0-88385-719-7.
Michon, G. P., “Final Answers: Modular Arithmetic.” © 2000-2005 Gerald P. Michon, Ph.D. Retrieved on December 4, 2005 from: http://home.att.net/~numericana/answer/modular.htm
Weisstein, E. W., “RSA-640 Factored.” MathWorld Headline News. Nov. 8, 2005. Retrieved on November 11, 2005 from MathWorld: http://mathworld.wolfram.com/news/2005-11-08/rsa-640/
Weisstein, E. W., “RSA Encryption.” From MathWorld—A Wolfram Web Resource. Retrieved on October 21, 2005 from MathWorld: http://mathworld.wolfram.com/RSAEncryption.html
Wikipedia, “Proofs of Fermat’s little theorem.” Wikipedia, the free encyclopedia. Retrieved on November 10, 2005 from Wikipedia: http://en.wikipedia.org/wiki/Proofs _of_Fermat%27s_little_theorem
Wikipedia, “RSA.” Wikipedia, the free encyclopedia. Retrieved on October 21, 2005 from Wikipedia: http://en.wikipedia.org/wiki/RSA