RSA
Last Updated: Oct 14, 2017

Recap: Number theory
- What is a prime number?
- What is prime factorization?
- What is a GCD?
- What does relatively prime mean?
- What does co-prime mean?
- What does congruence mean?
- What is the additive inverse of 13 % 17?
- What is the multiplicative inverse of 7 % 8?

Recap: Diffie-Hellman
- You're trapped in your spaceship
- You have enough energy to send a single message to your HQ
- You have:
  - HQ's public DH values: g = 5, p = 875498279345, g^a = 32477230478
  - Your AES implementation from Labs #1 & 2
  - An arbitrary precision calculator
- How can you construct your message so that it will be safe from eavesdroppers?

Asymmetric Encryption

Public Key Terminology
- Public Key
- Private Key
- Digital Signature
- You encrypt with a public key, and you decrypt with a private key
- You sign with a private key, and you verify with a public key

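Model for Encryption with Public Key Cryptography
[Diagram: Alice runs the plaintext through the encryption algorithm with Bob's public key to produce ciphertext; Bob runs the ciphertext through the decryption algorithm with Bob's private key to recover the plaintext.]
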
Model for Digital Signature with Public Key Cryptography
[Diagram: Alice runs the plaintext through the signing algorithm with Alice's private key to produce a signed document; Bob runs it through the signature verification algorithm with Alice's public key.]

History of RSA
- Invented in 1977 by
  - Ron Rivest
  - Adi Shamir
  - Leonard Adleman
- Patented until 2000
- It's withstood years of extensive cryptanalysis
  - Suggests a level of confidence in the algorithm
- Examples of successful attacks against implementations
  - Side channel attacks
  - Poor random number generators

Textbook RSA
- m = message
- c = ciphertext
- e = public exponent
- d = private exponent
- n = modulus
- RSA Encryption: c = m^e % n
- RSA Decryption: m = c^d % n

The Math Behind RSA
- RSA encrypt/decrypt operations are simple
- The math to get to the point where these operations work is not so simple (at first)
  - Fermat's little theorem
  - Euler's generalization of Fermat's little theorem

Fermat's Little Theorem
- If
  - p is prime
  - a is relatively prime to p (co-prime)
- Then Fermat's theorem states
  - a^(p-1) ≡ 1 (mod p) for all 0 < a < p
- This serves as the basis for Fermat's primality test
- Which values of a aren't co-prime to p?
  - Euler's generalization
[Portrait: Pierre de Fermat (1601-1655)]

Euler's Generalization of Fermat's Little Theorem
- Euler said a^phi(n) ≡ 1 (mod n)
- phi(n): Euler's totient function φ(n)
  - The number of values less than n which are relatively prime to n
  - Multiplicative group of integers (Z_n*)
- n doesn't need to be prime
- a must still be co-prime to n
- RSA is interested in values of n that are the product of two prime numbers p and q
[Portrait: Leonhard Euler (1707-1783)]

Computing phi(n) in RSA
- phi(n) is the number of integers between 0 and n that are co-prime to n
- When p * q = n, and p and q are prime, what is phi(n)?
  - (p-1)(q-1)
- Proof (when p * q = n)
  - Observations
    1) there are p-1 multiples of q between 1 and n
    2) there are q-1 multiples of p between 1 and n
    These multiples are not co-prime to n
  - Definition: phi(n) = # of values between 0 and n that are co-prime to n
  - phi(n) = # of values between 0 and n minus # of values between 0 and n not co-prime to n (Why not?)
  - phi(n) = [n - 1] - [(p-1) + (q-1)]
           = [pq - 1] - (p-1) - (q-1)
           = pq - p - q + 1
           = (p-1)(q-1)

RSA
- Euler said: a^phi(n) ≡ 1 (mod n)
  - m^((p-1)(q-1)) ≡ 1 (mod n)
- Notice:
  - m^((p-1)(q-1)) * m ≡ m^((p-1)(q-1)+1) ≡ m (mod n)
  - m^(phi(n)+1) ≡ m (mod n)
- Let e*d = k*phi(n) + 1
  - Then e*d ≡ 1 (mod phi(n))
- Therefore
  - m^(ed) ≡ m^(k*phi(n)+1) ≡ m^phi(n) * m^phi(n) * ... * m ≡ m (mod n)
- RSA Encryption: m^e = c (mod n)
- RSA Decryption: c^d = m (mod n)

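The counting proof of phi(n) and the m^(ed) ≡ m identity can be checked exhaustively on a toy modulus. This is an added example, not part of the original slides; it uses p=5, q=11, e=3, d=27 from the first practice problem, and the function names are made up for illustration. It also shows something the derivation leaves implicit: Euler's theorem fails exactly for the values not co-prime to n, yet the RSA round trip still works for every m in [0, n).

```python
from math import gcd

def phi_by_counting(n):
    """phi(n) straight from the definition: count 0 < a < n co-prime to n."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def not_coprime(n):
    """The values 0 < a < n that share a factor with n."""
    return [a for a in range(1, n) if gcd(a, n) != 1]

def euler_failures(n, phi):
    """Values 0 < a < n for which a^phi(n) mod n is not 1."""
    return [a for a in range(1, n) if pow(a, phi, n) != 1]

def roundtrip_failures(n, e, d):
    """Messages 0 <= m < n that do not survive textbook encrypt-then-decrypt."""
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]

if __name__ == "__main__":
    p, q, e, d = 5, 11, 3, 27          # toy values from the practice problem
    n, phi = p * q, (p - 1) * (q - 1)

    # Counting agrees with the closed form (p-1)(q-1).
    print("phi by counting:", phi_by_counting(n), "closed form:", phi)

    # The excluded values are the q-1 multiples of p and the p-1 multiples of q.
    bad = not_coprime(n)
    print("not co-prime to n:", bad, "count:", len(bad))

    # Euler's theorem holds for every co-prime a and fails for exactly the rest.
    print("Euler fails only on those:", euler_failures(n, phi) == bad)

    # m^(ed) = m (mod n) holds for ALL m < n, because n = p*q has no repeated
    # prime factor, so the identity holds mod p and mod q separately.
    print("round-trip failures with d=27:", roundtrip_failures(n, e, d))

    # An off-by-one private exponent breaks decryption for most messages.
    print("failures with wrong d=26:", len(roundtrip_failures(n, e, 26)))
```
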
Steps for RSA Encryption
- Select p, q (large prime numbers)
- n = p*q
- phi(n) = (p-1)(q-1)
- Select integer e where e is relatively prime to phi(n)
  - Common values for e are 3 and 65537. Why?
- Calculate d, where d*e = 1 (mod phi(n))
- Public key is KU = {e, n}
- Private key is KR = {d, n}
- RSA encryption: m^e = c (mod n)
- RSA decryption: c^d = m (mod n)

Why is RSA Secure?
- Hard to factor large numbers
  - Hard to compute d without phi(n)
- Discrete logs are hard (m^d % n)
  - Given signature, hard to find d

RSA Usage
- Given m^e = c (mod n) and c^d = m (mod n)
  - What restrictions should be placed on m?
- For bulk encryption (files, emails, web pages, etc.)
  - Some try using RSA as a block cipher
  - Never, never, never encrypt data directly using RSA
    - Inefficient
    - Insecure
  - Always use symmetric encryption for data, and use RSA to encrypt the symmetric key (after adding the appropriate padding)
- Digital signatures
  - Do not sign the entire document: too slow
  - Sign ("encrypt") a hash of the document using the private key
  - The length of the hash is < n

How do we get p, q, e, & d?
- What is p? How do we get it?
- What is q? How do we get it?
- What is e? How do we get it?
  - What is the relationship of e and (p-1)(q-1)?
- What is d? How do we get it?

Multiplicative Inverses
- Use the extended Euclidean algorithm
- Based on the fact that GCD can be defined recursively
  - If x > y, then GCD(x,y) = (recursively) GCD(y, x-y)
  - Also if x > y, then GCD(x,y) = (recursively) GCD(y, x%y)
- GCD can also be used as follows:
  - Suppose ax + by = gcd(x,y)
  - If x is the modulus, and gcd(x,y) = 1
  - Then ax + by = 1 and b is y^-1

Extended Euclidean algorithm
- We will use this algorithm to compute d
- Based on the fact that GCD can be defined recursively
  - If x > y, then GCD(x,y) = (recursively) GCD(y, x-y)
  - Also if x > y, then GCD(x,y) = (recursively) GCD(y, x%y)

GCD(x,y) = GCD(y, x%y)
- Apply this principle recursively
    GCD (120, 23)    120 / 23 = 5 r 5
    GCD ( 23,  5)     23 /  5 = 4 r 3
    GCD (  5,  3)      5 /  3 = 1 r 2
    GCD (  3,  2)      3 /  2 = 1 r 1
    GCD (  2,  1)      2 /  1 = 2 r 0
- GCD is the last non-zero remainder
- GCD is 1, so 120 and 23 are co-prime

Sum of Products
- Each remainder r is equal to a sum of products of the original x and y
  - GCD (x, y) = q remainder r, where r = x(1) + y(-q)
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(1) + 5(-4)
      5 /  3 = 1 r 2  =>  2 = 5(1) + 3(-1)
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)
- Notice the first line is a sum of products involving 120 and 23.
- We can derive a formula for each remainder to be a sum of products of 120 and 23.

Substitution
** Substitute the equation for 5 from the prior line and simplify, so that the sum of products of 23 and 5 becomes a sum of products of the original numbers 120 and 23.
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(1) + 5(-4)   **
      5 /  3 = 1 r 2  =>  2 = 5(1) + 3(-1)
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23 + [120(1) + 23(-5)](-4)
                            = 23 + (120(-4) + 23(20))
                            = 23(21) + 120(-4)
      5 /  3 = 1 r 2  =>  2 = 5(1) + 3(-1)
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)

Sum of Products
** Continue this pattern. Simplify the next line to be a sum of products of 120 and 23 using the equations already in that form for the prior remainders 5 and 3. Be careful to get the signs correct. Keep like terms (multiples) together.
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(21) + 120(-4)
      5 /  3 = 1 r 2  =>  2 = 5(1) + 3(-1)   **
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(21) + 120(-4)
      5 /  3 = 1 r 2  =>  2 = [120(1) + 23(-5)](1) + [23(21) + 120(-4)](-1)
                            = 120(5) + 23(-26)
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)

Sum of Products
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(21) + 120(-4)
      5 /  3 = 1 r 2  =>  2 = 120(5) + 23(-26)
      3 /  2 = 1 r 1  =>  1 = 3(1) + 2(-1)
GCD (120, 23)
    120 / 23 = 5 r 5  =>  5 = 120(1) + 23(-5)
     23 /  5 = 4 r 3  =>  3 = 23(21) + 120(-4)
      5 /  3 = 1 r 2  =>  2 = 120(5) + 23(-26)
      3 /  2 = 1 r 1  =>  1 = [23(21) + 120(-4)](1) + [120(5) + 23(-26)](-1)
                            = 23(47) + 120(-9)
- Notice that 1 = 23*47 + 120(-9) means that 47 is the multiplicative inverse of 23 (mod 120)

Computing d
- For RSA, calculate GCD(phi(n), e) to find d using the extended Euclidean algorithm (see handout on Lab #4 page)
  - Manual iterative method for the exam
  - Use the table method in your lab
- For RSA, the GCD(phi(n), e) will result in an equation of the form 1 = e*d + phi(n)*k
  - Where d or k is negative
- If d is negative, convert it to an equivalent positive number (mod n) using phi(n) + d

Steps for determining d
- Calculate phi(n) and select an e (3, 5, 7 usually for our toy problems)
- Find the GCD of (phi(n), e), which should always be 1 if e is valid.
  - If the GCD is not 1, repeat for a different value of e.
- Create a sum of products expression for each remainder from x/y of the form [ remainder = x(1) + y(-quotient) ]
- Starting from the first expression, use substitution to create an equation of the form: remainder = phi(n)*k + e(d)
- If d is negative, convert to a positive number: d = phi(n) + d

Practice
p=5, q=11, e=3

Practice
p=5, q=11, e=3
- n = p*q = 5*11 = 55
- phi(n) = (p-1)(q-1) = 4*10 = 40
- Calculate d
  GCD (phi(n), e) = GCD (40, 3)
      40 / 3 = 13 r 1  =>  1 = 40(1) + 3(-13)
- Since d is negative, d = phi(n) + d = 40 + (-13) = 27
- Public Key = {3, 55}
- Private Key = {27, 55}

Practice
p=11, q=13, e = number <= 8

Practice
p=11, q=13, e = number <= 8
- n = p*q = 11*13 = 143
- phi(n) = (p-1)(q-1) = 10*12 = 120
- Calculate d
  GCD (phi(n), e) = GCD (120, 3/5/7)   ** note that 3 and 5 are not co-prime to 120
      120 / 7 = 17 r 1  =>  1 = 120(1) + 7(-17)
- Since d is negative, d = phi(n) + d = 120 + (-17) = 103
- Public Key = {7, 143}
- Private Key = {103, 143}

Practice
p=5, q=13, e=5

Practice
p=5, q=13, e=5
- n = p*q = 5*13 = 65
- phi(n) = (p-1)(q-1) = 4*12 = 48
- Calculate d
  GCD (phi(n), e) = GCD (48, 5)
      48 / 5 = 9 r 3  =>  3 = 48(1) + 5(-9)
       5 / 3 = 1 r 2  =>  2 = 5(1) + 3(-1)
                            = 5(1) + [48(1) + 5(-9)](-1)
                            = 5(10) + 48(-1)
       3 / 2 = 1 r 1  =>  1 = 3(1) + 2(-1)
                            = [48(1) + 5(-9)](1) + [5(10) + 48(-1)](-1)
                            = 48(2) + 5(-19)
- Since d is negative, d = phi(n) + d = 48 + (-19) = 29
- Public Key = {5, 65}
- Private Key = {29, 65}

Practice
p=17, q=11, e=7

Practice
p=17, q=11, e=7
- n = p*q = 17*11 = 187
- phi(n) = (p-1)(q-1) = 16*10 = 160
- Calculate d
  GCD (phi(n), e) = GCD (160, 7)
      160 / 7 = 22 r 6  =>  6 = 160(1) + 7(-22)
        7 / 6 =  1 r 1  =>  1 = 7(1) + 6(-1)
                              = 7(1) + [160(1) + 7(-22)](-1)
                              = 160(-1) + 7(23)
- Public Key = {7, 187}
- Private Key = {23, 187}

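The steps for determining d, written as the iterative (table) form of the extended Euclidean algorithm and checked against the worked GCD(120, 23) example and the practice problems above. This is an added example, not code from the course or its lab handout; the function names are made up for illustration, and the message value 88 is a constructed sample.

```python
def egcd(x, y):
    """Table-method extended Euclid: returns (g, a, b) with a*x + b*y == g.

    Each row keeps the current remainder as a sum of products of the
    ORIGINAL x and y, which is what the substitution steps do by hand.
    """
    a0, b0 = 1, 0      # coefficients for the current x
    a1, b1 = 0, 1      # coefficients for the current y
    while y:
        quotient, remainder = divmod(x, y)
        x, y = y, remainder
        a0, a1 = a1, a0 - quotient * a1
        b0, b1 = b1, b0 - quotient * b1
    return x, a0, b0

def private_exponent(p, q, e):
    """d with d*e = 1 (mod phi(n)); rejects an e that is not co-prime to phi(n)."""
    phi = (p - 1) * (q - 1)
    g, _k, d = egcd(phi, e)            # 1 = phi*k + e*d
    if g != 1:
        raise ValueError(f"e={e} is not co-prime to phi(n)={phi} (gcd={g})")
    return d % phi                     # same as phi + d when d is negative

def keypair(p, q, e):
    """Toy textbook-RSA key pair: ({e, n}, {d, n})."""
    n = p * q
    return (e, n), (private_exponent(p, q, e), n)

if __name__ == "__main__":
    # Worked example from the slides: 1 = 120(-9) + 23(47)
    print(egcd(120, 23))
    for p, q, e in [(5, 11, 3), (11, 13, 7), (5, 13, 5), (17, 11, 7)]:
        public, private = keypair(p, q, e)
        m = 88 % public[1]             # constructed sample message, m < n
        c = pow(m, e, public[1])       # c = m^e % n
        assert pow(c, private[0], private[1]) == m   # m = c^d % n
        print(f"p={p} q={q} e={e} -> public={public} private={private}")
    # e = 3 and e = 5 are rejected for phi(n) = 120, as the second problem notes.
    for bad_e in (3, 5):
        try:
            private_exponent(11, 13, bad_e)
        except ValueError as err:
            print(err)
```
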