Cryptography: Joining the RSA Cryptosystem
Greg Plaxton
Theory in Programming Practice, Spring 2004
Department of Computer Science
University of Texas at Austin

Joining the RSA Cryptosystem: Overview
• First, Bob randomly chooses two large (e.g., 512-bit) primes p and q
• Then, Bob computes n = pq, φ(n) = (p − 1)(q − 1), and a positive integer d < n such that d and φ(n) are relatively prime
  – In particular, any prime exceeding max(p, q) (and less than n) is a valid choice for d
• Then, Bob computes e such that de is congruent to 1 modulo φ(n)
• Bob’s public key is (e, n) and Bob’s private key is (d, n)
• We will discuss each of these steps in greater detail in the slides that follow
Theory in Programming Practice, Plaxton, Spring 2004

Primality Testing
• Surprisingly, there exist efficient (and polynomial time) algorithms for “primality testing”, that is, for determining whether a given integer n is prime or composite
• These algorithms do not work by factoring, since no efficient algorithms are known for factoring
• Miller gave the first polynomial-time primality testing algorithm in 1976
  – His work yields an efficient randomized algorithm
  – In fact, it yields a deterministic algorithm subject to the extended Riemann hypothesis
• In a theoretical breakthrough, the first deterministic polynomial-time algorithm for primality testing was discovered in 2002 by Agrawal, Kayal, and Saxena
  – Still, the primality testing algorithms used in practice are randomized, since they are faster (on average)

Prime Number Theorem
• Prime number theorem: As n tends to infinity, the fraction of the first n positive integers that are prime tends to 1/ln n
• For example, about a .002818 fraction of the numbers less than 2^512 are prime, and about a .002823 fraction of the numbers less than 2^511 are prime
  – Thus, about a .002813 fraction of 512-bit numbers (i.e., with leading 1 bit in bit position 511, indexing from 0), or about one in 355.5, is prime
  – So if we pick a set S of a few thousand 512-bit numbers independently and uniformly at random, we are overwhelmingly likely to pick at least one prime
  – We can use an efficient primality test to find a prime in S
  – We can make this approach more efficient by, e.g., picking only odd 512-bit numbers

Joining the RSA Cryptosystem: Implementation
• Given that we’ve seen how to generate random large primes, we now know how to compute p, q, and d
  – Of course, p and q also give us n = pq and φ(n) = (p − 1)(q − 1)
• All that is left is to compute e such that de is congruent to 1 modulo φ(n)
  – We will compute e using the extended Euclid algorithm, as discussed on the next slide

Joining the RSA Cryptosystem: Computation of e
• Recall that given nonnegative integers x and y (at least one of which is nonzero), the extended Euclid algorithm calculates a and b such that ax + by = gcd(x, y)
• Set x to d and y to φ(n)
• Since d and φ(n) are relatively prime, gcd(d, φ(n)) = 1
• Thus, the extended Euclid algorithm gives us a and b such that ad + bφ(n) = 1
• Hence ad is congruent to 1 modulo φ(n)
• So we can just set e to the unique integer in {0, ..., φ(n) − 1} that is congruent to a modulo φ(n)

Joining the RSA Cryptosystem: Example
• Suppose we choose primes p = 47 and q = 59 (in practice, we would use much larger primes)
• Then n = 47 · 59 = 2773 and φ(n) = 46 · 58 = 2668
• Now suppose we choose d = 157
  – Note that 157 is a prime greater than p and q and hence is relatively prime to φ(n)
• Running the extended Euclid algorithm with x = 157 and y = 2668 yields e = 17
• Bob’s public key is (17, 2773) and his private key is (157, 2668)

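The key-generation steps from the preceding slides, written out as an added Python example that is not part of the original slides. The randomized primality test is Miller-Rabin, which the slides do not name, and the function names (ext_euclid, is_probable_prime, random_prime, join_rsa, generate) are this example's own.

```python
import secrets

def ext_euclid(x, y):
    """Return (g, a, b) such that a*x + b*y == g == gcd(x, y)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        a0, a1, b0, b1 = a1, a0 - q * a1, b1, b0 - q * b1
    return x, a0, b0

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a composite n passes with probability at most 4**-rounds."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    r, s = 0, n - 1
    while s % 2 == 0:              # write n - 1 as 2**r * s with s odd
        r, s = r + 1, s // 2
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), s, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # this base proves n composite
    return True

def random_prime(bits):
    while True:                    # top bit set (exactly `bits` bits), low bit set (odd)
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def join_rsa(p, q, d):
    """Return ((e, n), (d, n)) with d*e congruent to 1 modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, a, _ = ext_euclid(d, phi)
    if g != 1:
        raise ValueError("d and phi(n) are not relatively prime")
    return (a % phi, n), (d, n)    # e = a reduced into {0, ..., phi(n) - 1}

def generate(bits=512):
    p, q = random_prime(bits), random_prime(bits)
    while q == p:
        q = random_prime(bits)
    d = random_prime(bits + 1)     # a prime exceeding max(p, q) and below n
    return join_rsa(p, q, d)
```

Calling join_rsa(47, 59, 157) reproduces the slide's e = 17. Production RSA implementations usually work in the other direction, fixing a public exponent e (commonly 65537) and deriving d from it.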
RSA Encryption and Decryption
• Next time we’ll see how to use Bob’s public key to encrypt messages sent to Bob
• We’ll also see how Bob uses his private key to decrypt these messages