The RSA Algorithm
Rocky K. C. Chang, March 2014
Outline
- Trapdoor one-way function
- The RSA algorithm
- Some practical considerations
- RSA's security
- Some pitfalls of RSA

Trapdoor one-way function
- Suppose $n = pq$, where $p$ and $q$ are large primes.
- Consider $f(m) = m^e \bmod n$.
- For certain values of $e$, and provided that $n$ is large enough, $f(m)$ is a one-way function.
  - It is computationally infeasible to obtain $m$ based on the knowledge of $n$, $e$, and $f(m)$.
- However, with the knowledge of a certain trapdoor, the inversion is easy to do.
  - The trapdoor for RSA is the factorization of $n$ (i.e., the knowledge of $p$ and $q$).

The RSA algorithm
- Let $n = pq$, where $p$ and $q$ are primes. Note that $n$ is a composite number.
- Let $\mathcal{M} = \mathcal{C} = \mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
- $\mathcal{K} = \{(n, p, q, d, e) : ed \equiv 1 \pmod{\varphi(n)}\}$.
  - We will see that $\varphi(n) = (p-1)(q-1)$.
- For $K = (n, p, q, d, e)$, define $E_K(m) = m^e \bmod n$ and $D_K(c) = c^d \bmod n$, where $m, c \in \mathbb{Z}_n$.
- The $(n, e)$ comprise the "public key."
- The $(p, q, \varphi(n), d)$ comprise the "private key."

To probe further
- Both encryption and decryption involve modular multiplications.
- Since $n$ is composite, $\mathbb{Z}_n$ is not a group under multiplication modulo $n$, i.e., the inverse may not exist.
  - $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
  - $\mathbb{Z}_n \setminus \mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) > 1\}$.
- How many elements are in $\mathbb{Z}_n^*$?
  - We denote the number of elements by $\varphi(n)$.
  - Recall that $\varphi(n)$ is used in determining $d$ and $e$.

The value of $\varphi(n)$
- Note that $\gcd(a, n) = 1$ iff $\gcd(a, p) = 1$ and $\gcd(a, q) = 1$.
  - There are $q$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod p = 0$: $\{0, p, 2p, \ldots, (q-1)p\}$.
  - There are $p$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod q = 0$: $\{0, q, 2q, \ldots, (p-1)q\}$.
  - Therefore, the total number of elements of $\mathbb{Z}_n$ with $\gcd(a, n) > 1$ is $p + q - 1$.
  - Thus, $\varphi(n) = pq - (p + q - 1) = (p-1)(q-1)$.
- Use the well-known result (in slide 28 of the prelude slides) that if $b \in \mathbb{Z}_n^*$, then $b^{\varphi(n)} \equiv 1 \pmod n$.
  - Therefore, $a^{(p-1)(q-1)} \equiv 1 \pmod n$, for $a \in \mathbb{Z}_n^*$.

For example,
- Let $p = 3$, $q = 5$. Therefore, $n = 15$ and $(p-1)(q-1) = 8$.
- For any $a \in \{0, 3, 5, 6, 9, 10, 12\}$, $a^8 \not\equiv 1 \pmod{15}$.
- For any $a \in \{1, 2, 4, 7, 8, 11, 13, 14\}$, $a^8 \equiv 1 \pmod{15}$, e.g.,
  - $2^4 \equiv 1 \pmod{15}$.
  - $4^2 \equiv 1 \pmod{15}$.
  - $7^4 \equiv 1 \pmod{15}$.
  - …
- Note that primitive elements may not exist in $\mathbb{Z}_n^*$, because $n$ is not a prime.

The relationship between e and d
- The values of $e$ and $d$ have to satisfy $ed \equiv 1 \pmod{(p-1)(q-1)}$.
  - Recall that $d$ exists iff $\gcd(e, (p-1)(q-1)) = 1$ (slide 17 of the prelude slides).
- For example, $p = 101$ and $q = 113$.
  - $n = pq = 11413$.
  - $\varphi(n) = (p-1)(q-1) = 11200 = 2^6 \cdot 5^2 \cdot 7$.
  - Pick $e = 3533$, which is not divisible by 2, 5, or 7.
  - Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod 11200 = 6597$.
  - To encrypt $m = 9726$, compute $9726^{3533} \bmod 11413 = 5761$.
  - To decrypt $c = 5761$, compute $5761^{6597} \bmod 11413 = 9726$.
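
$D_K(E_K(m)) = m$?
- Recall that $ed \equiv 1 \pmod{\varphi(n)}$. In other words, $ed = t\varphi(n) + 1$, where $t$ is a nonnegative integer.
- Part I: Let's consider an $m \in \mathbb{Z}_n^*$.
  - $(m^e)^d \equiv m^{t\varphi(n)+1} \pmod n$.
  - $(m^e)^d \equiv (m^{\varphi(n)})^t m \pmod n$.
  - $(m^e)^d \equiv (1)^t m \pmod n$.
  - $(m^e)^d \equiv m \pmod n$.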

$D_K(E_K(m)) = m$?
- Part II: Let's consider an $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$.
  - Using the Chinese Remainder Theorem, $m \bmod n$ can be uniquely represented by $(m \bmod p, m \bmod q)$.
  - Note that one of the following is true:
    - $m \bmod p = 0$ and $m \bmod q = 0$, or
    - $m \bmod p = 0$ and $m \bmod q \neq 0$, or
    - $m \bmod p \neq 0$ and $m \bmod q = 0$.
  - For $m \bmod p = 0$ and $m \bmod q = 0$, $m^{ed} \bmod p = 0$ and $m^{ed} \bmod q = 0$.
    - Therefore, $m^{ed} \equiv m \equiv 0 \pmod p$ and $m^{ed} \equiv m \equiv 0 \pmod q$.
  - For those cases where $m \bmod p = 0$ or $m \bmod q = 0$, say $m \bmod p = 0$ and $m \bmod q \neq 0$:
    - By the CRT, $m^{ed} \bmod n$ can be represented by $(0, m^{ed} \bmod q)$.
    - Using the previous two results, $(0, m^{ed} \bmod q)$ is equal to $(0, m \bmod q)$.
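
The worked key above and both parts of the correctness argument can be checked mechanically. The following is an added example, not part of the original slides; the function names are illustrative, and the exhaustive check over every $m \in \mathbb{Z}_n$ is only feasible because the slides' parameters are tiny.

```python
# Added example: textbook RSA on the slides' toy parameters (p = 101, q = 113).
# Function names are illustrative; these sizes are for checking the algebra only.

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(e, phi):
    """d = e^-1 mod phi, which exists iff gcd(e, phi) == 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("gcd(e, phi) != 1, so no d exists")
    return x % phi

def make_key(p, q, e):
    """Return (n, e, d) for primes p, q and public exponent e."""
    return p * q, e, mod_inverse(e, (p - 1) * (q - 1))

def encrypt(m, e, n):
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

def check_all_messages(p, q, e):
    """Return (#non-units in Z_n, #messages m with D(E(m)) != m)."""
    n, e, d = make_key(p, q, e)
    non_units = sum(1 for m in range(n) if m % p == 0 or m % q == 0)
    failures = sum(1 for m in range(n) if decrypt(encrypt(m, e, n), d, n) != m)
    return non_units, failures

if __name__ == "__main__":
    n, e, d = make_key(101, 113, 3533)
    c = encrypt(9726, e, n)
    print("n =", n, "d =", d, "c =", c, "m =", decrypt(c, d, n))
    # Part II of the proof: messages sharing a factor with n still round-trip.
    print("non-units, failures:", check_all_messages(101, 113, 3533))
```

The first value returned by `check_all_messages` is the $p + q - 1$ count of non-units derived earlier; the second shows that none of them, nor any unit, fails to decrypt.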

Digital signing using RSA
- To sign a message $m$, Alice computes $s = m^d \bmod n$.
  - The pair $(m, s)$ is a signed message.
- To verify the signature, anyone who knows the public key can verify that $s^e \equiv m \pmod n$, the message itself.
Some practical considerations

Generating the RSA parameters
1. Generate 2 large primes, $p$ and $q$ (each with size $k/2$ bits).
2. Compute $n = pq$ ($k \ge 2048$ bits) and $\varphi(n) = (p-1)(q-1)$.
3. Choose a random $e$ ($1 < e < \varphi(n)$) such that $\gcd(e, \varphi(n)) = 1$.
4. $d = e^{-1} \bmod \varphi(n)$.
5. Publish $(n, e)$ and safeguard the secret $(p, q, \varphi(n), d)$.

Generating the RSA parameters
1. Need an efficient algorithm to generate a large prime.
   - The Rabin-Miller test determines whether an odd integer $n$ is prime.
2. Find 2 large primes.
3. Use the Euclidean algorithm to make sure that $\gcd(e, \varphi(n)) = 1$.
4. Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod \varphi(n)$.

Practical considerations
- Usually fix the value of $e$, e.g., $e = 3$ for signatures and $e = 5$ for encryption.
  - There are pitfalls when one is using the same exponent for both encryption and signatures.
  - Therefore, $p - 1$ and $q - 1$ cannot be multiples of 3 or 5.
  - Smaller exponent for signatures (why?)
  - Some problems with small exponents (to be discussed shortly).
- Other common values for $e$ are 17 and 65537.
RSA’s (in)security

The RSA's security
- An obvious attack against RSA is to factor $n$.
  - If this can be done, then obtain $p$ and $q$.
  - Compute $(p-1)(q-1)$.
  - Compute $e^{-1} \bmod (p-1)(q-1) = d$.
- Roughly speaking, breaking the RSA algorithm is as difficult as factoring $n$.
  - The "current" factoring algorithms are able to factor numbers having up to 512 bits.
  - To be on the safe side, use $n \ge 2048$ bits to make the factoring problem computationally infeasible to solve.

The RSA's security
- Moreover, if one can obtain $\varphi(n)$, one can obtain the other elements of the private key.
  - First of all, one can obtain $p$ and $q$ by solving $n = pq$ and $\varphi(n) = (p-1)(q-1)$.
  - The solution for $p$ is given by $p^2 - (n - \varphi(n) + 1)p + n = 0$.
  - In other words, if one can compute $\varphi(n)$, one can factor $n$ into $p$ and $q$.
- Lastly, what happens if one can obtain the value of $d$?
  - $n$ can be factored in polynomial time using a randomized algorithm.
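
Both claims can be checked on the toy key used earlier ($n = 11413$, $e = 3533$, $d = 6597$, $\varphi(n) = 11200$). This is an added example, not part of the original slides; the function names are illustrative, and the randomized procedure shown is the standard search for a nontrivial square root of 1 modulo $n$, which the slides mention but do not spell out.

```python
import math
import random

def factor_from_phi(n, phi):
    """Solve p^2 - (n - phi + 1) p + n = 0; return (p, q) with p <= q."""
    b = n - phi + 1                        # b = p + q
    disc = b * b - 4 * n                   # (p - q)^2 when phi is correct
    r = math.isqrt(disc) if disc >= 0 else -1
    if r * r != disc:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return (b - r) // 2, (b + r) // 2

def factor_from_d(n, e, d):
    """Randomized factoring of n = pq from a valid exponent pair (e, d)."""
    k = e * d - 1                          # multiple of phi(n): a^k = 1 for units a
    s, t = 0, k
    while t % 2 == 0:                      # k = 2^s * t with t odd
        s, t = s + 1, t // 2
    while True:
        a = random.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                          # a already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                # x is a square root of 1 other than +-1, so gcd(x-1, n) splits n.
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
        # This base revealed nothing (happens for at most half of them); retry.

if __name__ == "__main__":
    print(factor_from_phi(11413, 11200))
    print(factor_from_d(11413, 3533, 6597))
```

The practical consequence is that exposure of $d$ or $\varphi(n)$ compromises the modulus itself, so the key pair needs a new $n$ rather than a new exponent pair on the same $n$.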

Pitfalls using RSA
- Problem 1: If Alice signs 2 messages $m_1$ and $m_2$, Eve can compute Alice's signature on $m_3 = m_1 m_2 \bmod n$.
  - Original signatures: $m_1^d$ and $m_2^d$.
  - Eve can produce the signature for $m_3$ by multiplying $m_1^d$ and $m_2^d$.

Pitfalls using RSA
- Problem 2: When RSA is used to encrypt a very small message $m$.
  - E.g., if $e = 5$ and $m < n^{1/5}$, then $m^e = m^5 < n$. Therefore, no mod $n$ operation is needed.
  - Simply take a fifth root of $c$ to recover $m$!
  - For example, if encrypting a 256-bit key using RSA, the encrypted key is less than $2^{256 \cdot 5} = 2^{1280} \ll 2^{2048}$ if $n$ is a 2048-bit integer.
- The main problem is the existence of a structure in the numbers that RSA operates on.
  - A possible approach is to use an encoding function to destroy the structure as much as possible.

Message encryption using RSA
- Using RSA to encrypt a message is almost never practiced.
  - The size of the message is limited by the size of $n$.
- Instead, choose a random secret key $K$, and encrypt $K$ with the RSA key.
  - The message encryption is based on a secret-key cryptosystem.
  - Send $K^e \bmod n$ and $E_K(m)$.

Message encryption using RSA
- A better approach is:
  - Choose a suitable random number $r \in \{0, 1, \ldots, n-1\}$.
  - Set $K = h(r)$, where $h()$ is some hash function.
  - Send $r^e \bmod n$ and $E_K(m)$.
- Advantages:
  - There is no structure in $r$.
  - The hash function ensures that no structure between $r$'s propagates to structure in the $K$'s.
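
Problem 2 and the random-$r$ construction can be put side by side. This is an added example, not part of the original slides: the modulus is a constructed 234-bit demo value, SHA-256 stands in for $h()$, and all function names are illustrative.

```python
import hashlib
import secrets

# Constructed demo key: product of the Mersenne primes 2^107-1 and 2^127-1.
# 234 bits, chosen only so the arithmetic is visible; not a usable key size.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 5
D = pow(E, -1, (P - 1) * (Q - 1))          # Python 3.8+
NBYTES = (N.bit_length() + 7) // 8

def iroot(c, k):
    """Largest integer r with r**k <= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wraps_modulus(m, e=E, n=N):
    """False when m**e < n, i.e. 'mod n' never happens and c is a plain power."""
    return m ** e >= n

def encrypt_key_directly(key_int):
    """Problem 2: the symmetric key itself is the RSA plaintext."""
    return pow(key_int, E, N)

def encapsulate():
    """Better approach: random r in Z_n, K = h(r), send r^e mod n."""
    r = secrets.randbelow(N)
    return pow(r, E, N), hashlib.sha256(r.to_bytes(NBYTES, "big")).digest()

def decapsulate(c):
    """Receiver recovers r with d and re-derives K = h(r)."""
    return hashlib.sha256(pow(c, D, N).to_bytes(NBYTES, "big")).digest()

if __name__ == "__main__":
    small_key = 0xDEADBEEF42                # constructed 40-bit key, below N^(1/5)
    c = encrypt_key_directly(small_key)
    print(wraps_modulus(small_key), iroot(c, E) == small_key)   # False True
    c2, k_sender = encapsulate()
    print(decapsulate(c2) == k_sender)                          # True
```

`wraps_modulus` is the check to run before any raw RSA operation: a 256-bit key under $e = 5$ and a 2048-bit $n$ fails it, exactly as the slide's $2^{1280} \ll 2^{2048}$ comparison says.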

Digital signatures using RSA
- Problem: remove the structures of the messages that are signed.
- Use a hash function to hash the messages.
  - The hash function's output (e.g., 256 bits) is small compared with the size of $n$ (e.g., 2048 bits).
  - Cannot use the hash function output directly in RSA.

Digital signatures using RSA
- A solution is to use a pseudorandom mapping to expand $h(m)$ to a random number $s \in \{0, 1, \ldots, n-1\}$.
- If you ask Alice to sign a number of messages $m_1, m_2, \ldots, m_i$:
  - Eve can get hold of the $(m, s)$, but the values of $s$ are effectively random.
  - Thus, the information does not help forge Alice's signature.
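
Problem 1 and the hash-then-expand remedy can be compared directly. This is an added example, not part of the original slides: the modulus is a constructed 234-bit demo value, the expansion (SHA-256 in counter mode, reduced mod $n$) is an assumption chosen for illustration rather than a PKCS #1 encoding, and all function names are illustrative.

```python
import hashlib

# Constructed demo key: product of the Mersenne primes 2^107-1 and 2^127-1.
# 234 bits, for illustration only; not a usable key size.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # Python 3.8+

def sign_raw(m):
    """Plain RSA signing: s = m^d mod n on the message integer itself."""
    return pow(m % N, D, N)

def verify_raw(m, s):
    return pow(s, E, N) == m % N

def expand_hash(m):
    """Pseudorandom mapping of h(m) into Z_n (illustrative: SHA-256 in counter
    mode, reduced mod n). PKCS #1 specifies the real encodings."""
    msg = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    need = (N.bit_length() + 7) // 8 + 16   # extra bytes keep the mod-n bias tiny
    stream, ctr = b"", 0
    while len(stream) < need:
        stream += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(stream[:need], "big") % N

def sign_hashed(m):
    return pow(expand_hash(m), D, N)

def verify_hashed(m, s):
    return pow(s, E, N) == expand_hash(m)

def product_forgery_verifies(sign, verify, m1, m2):
    """Does s1*s2 mod n pass as a signature on m3 = m1*m2 mod n?"""
    s3 = sign(m1) * sign(m2) % N
    return verify(m1 * m2 % N, s3)

if __name__ == "__main__":
    m1, m2 = 1234, 5678                     # constructed sample messages
    print(product_forgery_verifies(sign_raw, verify_raw, m1, m2))        # True
    print(product_forgery_verifies(sign_hashed, verify_hashed, m1, m2))  # False
    print(verify_hashed(m1, sign_hashed(m1)))                            # True
```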

The RSA Lab's public-key cryptography standard
- PKCS #1 for RSA or RFC 3447 covers
  - Data conversion primitives: a text <-> a non-negative integer
  - Cryptographic primitives
  - Encryption schemes
    - RSAES-OAEP (for new applications): cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme
    - RSAES-PKCS1-v1_5 (for existing applications): cryptographic primitives + a PKCS1-v1_5 encoding method
  - Digital signature schemes
    - RSASSA-PSS (for new applications): cryptographic primitives + a probabilistic signature scheme-based encoding method
    - RSASSA-PKCS1-v1_5 (for existing applications): cryptographic primitives + a PKCS1-v1_5 encoding method

Conclusions
- RSA can be used for encryption as well as digital signatures.
- The security of RSA rests on the difficulty of factoring a large number into 2 primes.
- RSA encryption and decryption require expensive exponentiation operations.
  - The CRT helps accelerate the operations.
- In practice, RSA is used to encrypt a secret key with an encoding function.
- In practice, the messages to be signed have to go through a hash function to destroy the message structures.

Acknowledgments
- The notes are prepared mostly based on
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
  - N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.
  - http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf