Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin
Joining the RSA Cryptosystem: Overview First, Bob randomly chooses two large (e.g., 512-bit) primes p and q Then, Bob computes n = pq, φ(n) = (p 1)(q 1), and a positive integer d < n such that d and φ(n) are relatively prime For example, any prime exceeding max(p, q) (and less than n) is a valid choice for d Then, Bob computes e such that de is congruent to 1 modulo φ(n) Thus e and φ(n) are also relatively prime Bob s public key is (e, n) and Bob s private key is (d, n) Remark: The scheme will also work if we use (d, n) as the public key and (e, n) as the private key We will discuss each of these steps in greater detail in the slides that follow
Primality Testing Surprisingly, there exist efficient (and polynomial time) algorithms for primality testing, that is, for determining whether a given integer n is prime or composite These algorithms do not work by factoring, since no efficient algorithms are known for factoring Miller gave the first polynomial-time primality testing algorithm in 1976 His work yields gives an efficient randomized algorithm In fact, it yields a deterministic algorithm subject to the extended Riemann hypothesis In a theoretical breakthrough, the first deterministic polynomial-time algorithm for primality testing was discovered in 2002 by Agrawal, Kayal, and Saxena Still, the primality testing algorithms used in practice are randomized, since they are faster (on average)
Prime Number Theorem Prime number theorem: As n tends to infinity, the fraction of the first n positive integers that are prime tends to 1 ln n For example, about a.002818 fraction of the numbers less than 2 512 are prime, and about a.002823 fraction of the numbers less than 2 511 are prime Thus, about a.002813 fraction of 512-bit numbers (i.e., with leading 1 bit in bit position 511, indexing from 0), or about one in 355.5, is prime So if we pick a set S of a few thousand 512-bit numbers independently and uniformly at random, we are overwhlemingly likely to pick at least one prime We can use an efficient primality test to find a prime in S We can make this approach more efficient by, e.g., picking only odd 512-bit numbers
Joining the RSA Cryptosystem: Implementation Given that we ve seen how to generate random large primes, we now know how to compute p, q, and d Of course, p and q also give us n = pq and φ(n) = (p 1)(q 1) All that is left is to compute e such that de is congruent to 1 modulo φ(n) We will compute e using the extended Euclid algorithm, as discussed on the next slide
Joining the RSA Cryptosystem: Computation of e Recall that given nonnegative integers x and y (at least one of which is nonzero), the extended Euclid algorithm calculates a and b such that ax + by = gcd(x, y) Set x to d and y to φ(n) Since d and φ(n) are relatively prime, gcd(d, φ(n)) = 1 Thus, the extended Euclid algorithm gives us a and b such that ad + bφ(n) = 1 Hence ad is congruent to 1 modulo φ(n) So we can just set e to the unique integer in {0,..., φ(n) 1} that is congruent to a modulo φ(n)
Joining the RSA Cryptosystem: Example Suppose we choose primes p = 47 and q = 59 (in practice, we would choose much larger primes) Then n = 47 59 = 2773 and φ(n) = 46 58 = 2668 Now suppose we choose d = 157 Note that 157 is a prime greater than p and q and hence is relatively prime to φ(n) Running the extended Euclid algorithm with x = 157 and y = 2668 yields e = 17 Bob s public key is (17, 2773) and his private key is (157, 2773)
RSA Encryption and Decryption Next time we ll see how to use Bob s public key to encrypt messages sent to Bob We ll also see how Bob uses his private key to decrypt these messages