Theme: Cryptography
Instructor: Prof. C Pandu Rangan
Speaker: Arun Moorthy 93115 CS

RSA Cryptosystem

Outline of the Talk
- Introduction to RSA
- Working of the RSA system and associated terminology
- Important Features of RSA and an example
- Choice of Primes
- Tests for Primality
- RSA in practice

Introduction
- RSA stands for Rivest, Shamir and Adleman. It was invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman.
- RSA is a public-key cryptosystem for both encryption (privacy) and authentication.
- RSA is based on the fact that while it is easy to multiply two large primes, it is extremely difficult to factorize their product.

Working of the RSA Public-Key Cryptosystem

RSA works as follows:
1. Take two large prime numbers $p$ and $q$ (of the order of a few hundred bits).
2. Compute their product $n$. Also compute the Euler function $\varphi(n) = (p-1)(q-1)$.
3. Choose a large random number $d$ ($d > 1$) such that $(d, \varphi(n)) = 1$ (i.e., $d$ and $\varphi(n)$ are relatively prime).
4. Compute the number $e$, $1 < e < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$ (i.e., $ed - 1$ is divisible by $(p-1)(q-1)$).

Terminology
- $n$: Modulus or Key
- $d$: Private or Decryption Exponent
- $e$: Public or Encryption Exponent
- $(n, e)$: Public Key
- $(n, d)$: Private Key
- $p, q, \varphi(n), d$: form the Secret Trapdoor ($p$ and $q$ may be kept with the private key or destroyed).

5. RSA Privacy

Plaintext ($w$) is encoded as a decimal number. The number is divided into blocks of suitable size. The blocks are encrypted separately. A suitable block size is $i$ where $10^{i-1} < n < 10^{i}$.

Example: ROOF → 18 15 15 06

Alice wants to send a message $w$ to Bob. Ciphertext $c$ is created as $c = (w^{e_B},\ \mathrm{mod}\ n_B)$ (Modular Exponentiation). $c$ is sent to Bob.
Bob decrypts $c$ again by modular exponentiation, $w = (c^{d_B},\ \mathrm{mod}\ n_B)$.

NOTE: $w \equiv c^{d} \pmod{n}$ and if decryption is unique, $w = (c^{d},\ \mathrm{mod}\ n)$.

6. RSA Authentication

Alice wants to send $w$ to Bob and Bob wants to be sure that it was Alice who sent $w$. Alice creates a digital signature $D_A(w)$, $D_A(w) = (w^{d_A},\ \mathrm{mod}\ n_A)$. Alice sends the pair $(w, D_A(w))$ to Bob. Bob can verify the signature by applying Alice's public encryption exponent $e_A$. Since only Alice has $d_A$, no other person could have signed $w$.

Highlights
- Encryption and authentication take place without sharing of private keys: each person uses only other people's public keys and his/her own private key.
- Anyone can send an encrypted message or verify a signed message, using only public keys, but only someone in possession of correct private keys can decrypt or sign a message.
- Modular Exponentiation: The computation of $(a^{r},\ \mathrm{mod}\ n)$ is done using a method that is faster than repeatedly multiplying $a$ by itself. We use squaring. After each squaring, reduction modulo $n$ is done. So we never encounter numbers greater than $n^2$. Thus $(a^{r},\ \mathrm{mod}\ n)$ can be computed in $O(\log r)$ time.

Example

$p = 5$, $q = 11$, $n = 55$, $\varphi(n) = (p-1)(q-1) = 40$, $e = 7$, $d = 23$.

Plaintexts are numbers in the interval $[1, 54]$. For this particular example, it is easy to obtain a complete encryption table.

To calculate $(8^{7},\ \mathrm{mod}\ 55)$:

j    (8^(2^j), mod 55)
0    8
1    9
2    26

$7 = 111_2$, so $(8^{7},\ \mathrm{mod}\ 55) = ((26 \cdot (9 \cdot 8))\ \mathrm{mod}\ 55) = 2$.

This contrived example proves that public-key cryptosystems never work for small plain-text spaces. A cryptanalyst can construct a complete decryption table by encrypting all possible plaintexts and rearranging them in alphabetic order.

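The key setup, privacy and authentication steps above, run on the slide's toy key, as an added example that is not part of the original talk. The function names and the letter encoding A=01 ... Z=26 (inferred from ROOF → 18 15 15 06) are assumptions; this is textbook RSA with no padding.

```python
# Added example: textbook RSA on the slides' toy key (no padding, illustration only).
from math import gcd

def mod_exp(a, r, n):
    """(a^r, mod n) by repeated squaring, reducing modulo n after every step."""
    result, square = 1, a % n
    while r > 0:
        if r & 1:                          # current bit of r is 1: multiply in a^(2^j)
            result = result * square % n
        square = square * square % n       # a^(2^j) -> a^(2^(j+1)); stays below n^2
        r >>= 1
    return result

def make_keys(p, q, d):
    """Steps 1-4: derive n, phi(n) and the public exponent e from p, q and d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if d <= 1 or gcd(d, phi) != 1:
        raise ValueError("d must be > 1 and relatively prime to phi(n)")
    e = pow(d, -1, phi)                    # e*d = 1 (mod phi(n)); needs Python 3.8+
    return (n, e), (n, d)

def encode(text):
    """Assumed encoding A=01 ... Z=26; two-digit blocks because 10 < 55 < 100."""
    return [ord(ch) - ord("A") + 1 for ch in text]

def decode(blocks):
    return "".join(chr(b + ord("A") - 1) for b in blocks)

def apply_key(blocks, key):
    """Encrypt, decrypt, sign or verify: each is one modular exponentiation."""
    n, exponent = key
    return [mod_exp(b, exponent, n) for b in blocks]

def decryption_table(public):
    """Built from the public key alone: encrypt every plaintext in [1, n-1]."""
    n, e = public
    return {mod_exp(w, e, n): w for w in range(1, n)}

PUBLIC, PRIVATE = make_keys(5, 11, 23)          # slide example: n = 55, e = 7, d = 23
CIPHER = apply_key(encode("ROOF"), PUBLIC)      # Alice encrypts with Bob's public key
SIGNATURE = apply_key(encode("ROOF"), PRIVATE)  # signing uses the private exponent

if __name__ == "__main__":
    print("public key:", PUBLIC, "ciphertext:", CIPHER)
    print("decrypted with d:", decode(apply_key(CIPHER, PRIVATE)))
    table = decryption_table(PUBLIC)
    print("recovered from table, without d:", decode([table[c] for c in CIPHER]))
    print("signature verifies:", apply_key(SIGNATURE, PUBLIC) == encode("ROOF"))
```
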
Choice of Primes

$p$ and $q$ should not be close to one another. If $p$ and $q$ are close to one another, $\frac{p-q}{2}$ will be small and $\frac{p+q}{2}$ will be only slightly larger than $\sqrt{n}$. Moreover,

$$\frac{(p+q)^2}{4} - n = \frac{(p-q)^2}{4}.$$

So to factorize $n$, keep checking integers $x > \sqrt{n}$ such that $x^2 - n$ is a perfect square, say $y^2$. Then $p = x + y$ and $q = x - y$.

Example: $n = 97343$, $\sqrt{n} = 311.998$. Now $312^2 - n = 1$ (which is a perfect square). So $p = x + y = 313$ and $q = x - y = 311$.

For this reason, it is advisable that $p$ and $q$ are such that their bit representations differ in length by a few bits.

Note: Every RSA cryptosystem has some plaintext blocks which are encrypted into themselves (in fact, at least four such blocks). For instance, 1, 21, 34, 54 are plaintexts which are encrypted into themselves for the first example.

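Both observations on this slide can be checked directly; the following is an added example, not part of the original talk. It runs the perfect-square search as a key-generation check and enumerates the self-encrypting blocks of the first example. The function names, the step budget and the contrast modulus 101 · 9973 are constructed for illustration.

```python
# Added example: checks for the two observations on the "Choice of Primes" slide.
from math import isqrt

def fermat_factor(n, max_steps):
    """Try x = ceil(sqrt(n)), x+1, ... until x^2 - n is a perfect square y^2.

    Returns (p, q, steps) with p = x + y and q = x - y, or None when the
    step budget runs out. n is assumed to be an odd product of two primes.
    """
    x = isqrt(n)
    if x * x < n:
        x += 1
    for steps in range(1, max_steps + 1):
        y_squared = x * x - n
        y = isqrt(y_squared)
        if y * y == y_squared:
            return x + y, x - y, steps
        x += 1
    return None

def primes_too_close(n, max_steps=1000):
    """Key-generation check: reject n if the search succeeds within the budget."""
    return fermat_factor(n, max_steps) is not None

def fixed_points(n, e):
    """Plaintext blocks w in [1, n-1] with (w^e, mod n) = w."""
    return [w for w in range(1, n) if pow(w, e, n) == w]

SLIDE_N = 97343          # 311 * 313, from the slide
SPREAD_N = 101 * 9973    # constructed contrast: primes of different bit lengths

if __name__ == "__main__":
    print("slide modulus:", fermat_factor(SLIDE_N, 10))
    print("spread modulus within 1000 steps:", fermat_factor(SPREAD_N, 1000))
    print("spread modulus, larger budget:", fermat_factor(SPREAD_N, 10_000))
    # The slide's 1, 21, 34, 54 are the blocks with w = +-1 modulo both p and q;
    # the enumeration also lists the self-encrypting blocks divisible by p or q.
    print("self-encrypting blocks for n = 55, e = 7:", fixed_points(55, 7))
```
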
Primality Tests

Lemma 1: Assume that $m$ is an odd integer and $(w, m) = 1$. If $m$ is prime,

$$w^{m-1} \equiv 1 \pmod{m} \tag{1}$$

The above condition can hold even if $m$ is not prime. In such a case, $m$ is termed a pseudoprime to the base $w$. Also, an integer $w$ with $(w, m) = 1$ and satisfying (1) is called a witness for the primality of $m$. There are also false witnesses, if $m$ is a pseudoprime only.

Lemma 2: Either all or at most half of the integers $w$ with $1 \le w < m$ and $(w, m) = 1$ are the witnesses for the primality of $m$.

Probabilistic Algorithm

1. Given $m$, choose a random $w$, $1 \le w < m$.
2. The GCD $(w, m)$ is found using Euclid's algorithm.
3. If $(w, m) > 1$, $m$ is composite.
4. Otherwise, compute $u = (w^{m-1},\ \mathrm{mod}\ m)$ by repeated squaring.
5. If $u \ne 1$, $m$ is composite.
6. If $u = 1$, $w$ is a witness for the primality of $m$. In other words, we have some evidence that $m$ could be prime.

The more witnesses we find, the stronger the evidence will be. If we have $k$ witnesses, by Lemma 2, the probability of $m$ being composite is at most $2^{-k}$.

This test fails for Carmichael numbers. An odd composite number $m$ is a Carmichael number iff (1) holds for all $w$ with $(w, m) = 1$.

Lemma 3: If $m$ is an odd prime then, for all $w$,

$$w^{\frac{m-1}{2}} \equiv \left(\frac{w}{m}\right) \pmod{m} \tag{2}$$

Odd composite numbers $m$ satisfying (2) for some $w$ with $(w, m) = 1$ are called Euler Pseudoprimes to the base $w$.

Lemma 4: If $m$ is an odd composite number, then at most half of the integers $w$ with $1 \le w < m$ and $(w, m) = 1$ satisfy (2).

Solovay-Strassen Primality Test

This test uses (2) in exactly the same way that the earlier algorithm uses (1). To test the primality of $m$,
1. Choose a random number $w < m$.
2. If $(w, m) > 1$, $m$ is composite.
3. Otherwise test the validity of (2).
4. If (2) is not valid, $m$ is composite.
5. Otherwise, $w$ is a witness for the primality of $m$. Choose another random number $< m$ and repeat the procedure.

After finding $k$ witnesses, the probability of $m$ being composite is at most $2^{-k}$ (according to Lemmas 3 and 4). This result is stronger than our earlier algorithm, because there are no analogues of Carmichael numbers for (2).

Strong Pseudoprimes: Assume that $m$ is a pseudoprime to the base $w$. Extract successive square roots of the congruence (1) and check if the first number different from 1 equals $-1$. If this is the case, but $m$ is composite, we refer to $m$ as a strong pseudoprime to the base $w$.

Lemma 5: Let $2^s$ be the highest power of 2 dividing $m - 1$, that is, $m - 1 = 2^s r$, where $r$ is odd. Choose a number $w$ with $1 \le w < m$ and $(w, m) = 1$. Then $m$ is a strong pseudoprime to the base $w$ iff the following condition is satisfied:

$$\text{either } w^{r} \equiv 1 \pmod{m} \quad \text{or} \quad w^{2^{s'} r} \equiv -1 \pmod{m} \tag{3}$$

for some $s'$ with $0 \le s' < s$.

Lemma 6: If $m$ is an odd composite integer, then $m$ is a strong pseudoprime to the base $w$ for at most 25% of all $w$'s satisfying $1 \le w < m$.

Miller-Rabin Primality Test

1. Compute $m - 1 = 2^s r$, where $m$ is the given odd integer and $r$ is odd.
2. The random number $w$ is chosen as before and the validity of (3) is tested.
3. If the test fails, $m$ is composite.
4. Otherwise, we regard $w$ as a witness for the primality of $m$ and repeat the procedure for another $w$.

If we get $k$ witnesses for the primality of $m$, then the probability of $m$ being composite is at most $4^{-k}$.

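Conditions (1) and (3) compared on a Carmichael number, as an added example that is not part of the original talk. The function names and the choice of 561 = 3 · 11 · 17 (the smallest Carmichael number) are assumptions made for illustration.

```python
# Added example: condition (1) versus condition (3) on a Carmichael number.
import random
from math import gcd

def fermat_holds(w, m):
    """Condition (1): w^(m-1) = 1 (mod m)."""
    return pow(w, m - 1, m) == 1

def strong_holds(w, m):
    """Condition (3): w^r = 1, or w^(2^s' * r) = -1 (mod m) for some 0 <= s' < s."""
    s, r = 0, m - 1
    while r % 2 == 0:                 # write m - 1 = 2^s * r with r odd
        s, r = s + 1, r // 2
    u = pow(w, r, m)
    if u == 1 or u == m - 1:          # w^r = 1, or the case s' = 0
        return True
    for _ in range(s - 1):            # the cases s' = 1 .. s-1, by repeated squaring
        u = u * u % m
        if u == m - 1:
            return True
    return False

def count_passing(test, m):
    """Number of bases 1 <= w < m with (w, m) = 1 for which `test` holds."""
    return sum(1 for w in range(1, m) if gcd(w, m) == 1 and test(w, m))

def miller_rabin(m, k=20, rng=random):
    """Composite on the first failed base; otherwise probably prime (error <= 4^-k)."""
    if m < 4:
        return m in (2, 3)
    if m % 2 == 0:
        return False
    for _ in range(k):
        w = rng.randrange(2, m - 1)   # random base, skipping the trivial 1 and m-1
        if gcd(w, m) > 1 or not strong_holds(w, m):
            return False
    return True

CARMICHAEL = 561                      # 3 * 11 * 17

if __name__ == "__main__":
    # Every base coprime to 561 satisfies (1), so the first algorithm can only
    # reject 561 when the random base happens to share a factor with it.
    print("bases satisfying (1):", count_passing(fermat_holds, CARMICHAEL))
    # Far fewer satisfy (3), well under the 25% bound of Lemma 6.
    print("bases satisfying (3):", count_passing(strong_holds, CARMICHAEL))
    print("miller_rabin(561):", miller_rabin(CARMICHAEL))
    print("miller_rabin(313):", miller_rabin(313))
```
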
RSA in practice

RSA is combined with a secret-key cryptosystem, such as DES, to encrypt a message by means of an RSA digital envelope. Suppose Alice wishes to send an encrypted message to Bob. The message is first encrypted by DES, using a randomly chosen DES key. Alice then uses Bob's public key to encrypt the DES key. The DES-encrypted message and the RSA-encrypted DES key together form the RSA digital envelope and are sent to Bob. Upon receipt of the message, Bob decrypts the DES key with his private key, then uses the DES key to decrypt the message itself. Thus the high speed of DES is combined with the key-management convenience of RSA.

Concluding Remarks

RSA is the most popular public-key cryptosystem available today. Its popularity stems from the fact that it can be used for both encryption and authentication, and that it has been around for many years and has successfully withstood much scrutiny. RSA is built into current operating systems by Microsoft, Apple, Sun, and Novell. In hardware, RSA can be found in secure telephones, on Ethernet network cards, and on smart cards. In addition, RSA is incorporated into all of the major protocols for secure Internet communications. The estimated installed base of RSA encryption engines is around 20 million, making it by far the most widely used public-key cryptosystem in the world. The security of RSA is related to the assumption that factoring is difficult. An easy factoring method or some other feasible attack would break RSA.

By comparison, DES is much faster than RSA. In software, DES is generally at least 100 times as fast as RSA. In hardware, DES is between 1,000 and 10,000 times as fast, depending on the implementation. Implementations of RSA will probably narrow the gap a bit in coming years, as there are growing commercial markets, but DES will get faster as well.