

Public Key Cryptography 2 (11)
© Eli Biham - May 3, 2005

RSA

Reference: Rivest, Shamir, Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, CACM, Vol. 21, No. 2, pp. 120–126, February 1978.

RSA is a public key cryptosystem based on number theory. The security of RSA is based on the difficulty of factoring a number to its prime factors, while its efficiency is based on the ease of multiplying prime numbers and checking whether given numbers are primes.

RSA — the Key Generation

User A chooses his keys by:

1. Randomly chooses two large prime numbers $p$ and $q$ of size 512 bits (154 decimal digits) at least.
2. Computes $n = pq$ (a 1024-bit number).
3. Randomly chooses an odd number $e$ in the range $1 < e < \varphi(n)$ which is coprime to $\varphi(n)$ (i.e., $e \in Z^*_{\varphi(n)}$).
4. Computes $e \equiv d^{-1} \pmod{\varphi(n)}$ by Euclid's algorithm. Thus, $de \equiv 1 \pmod{\varphi(n)}$.
5. Publishes $e$, $n$ as the public key, and keeps $d$ secret as the secret key. (There is no need to keep $p$, $q$ and $\varphi(n)$.)

We denote the public key of user A by $e_A$, $n_A$ and the secret key by $d_A$.

RSA — the Key Generation (cont.)

Notes:

1. It is easy to find random primes: One of every $\ln n$ numbers around $n$ is a prime. Given a number, it is easy to check whether it is a prime (by a probabilistic algorithm). Therefore, to choose a random prime, random numbers are chosen and are checked whether they are primes. On average about $\ln n$ numbers are chosen and checked till a prime is found.
2. Choosing $e$: In $Z^*_{\varphi(n)}$ there are $\varphi(\varphi(n))$ invertible numbers modulo $\varphi(n)$, and we do not choose even $e$'s (which are not invertible). Thus, about $\frac{\varphi(n)}{2\varphi(\varphi(n))}$ random $e$'s should be chosen till an invertible $e$ is found — in most cases the first or second chosen $e$ is selected.

RSA — Encryption/Decryption

The encryption algorithm $E$: Everybody can encrypt messages $m$ ($0 \le m < n_A$) to user A by

$$c = E_A(m) = m^{e_A} \bmod n_A.$$

The ciphertext $c$ ($0 \le c < n_A$) can be sent to A, and only A can decrypt.

The decryption algorithm $D$: Only A knows his secret key $d_A$ and can decrypt:

$$m = D_A(c) = c^{d_A} \bmod n_A.$$

RSA — Correctness

Theorem: $\forall m \in Z_n$, $D(E(m)) = m$.

Proof: We should prove that

$$\forall m \in Z_n \quad (m^e)^d \equiv m \pmod{n}.$$

It suffices to prove the congruence twice: modulo $p$ and modulo $q$. Without loss of generality we prove modulo $p$.

1. if $p \mid m$: $m^{ed} \equiv 0^{ed} \equiv 0 \equiv m \pmod{p}$.
2. if $p \nmid m$: $m^{ed} \equiv m^{1 + k(p-1)(q-1)} \equiv m\,(m^{p-1})^{(q-1)k} \equiv m \pmod{p}$.

QED

RSA — Efficiency

Key generation:

1. It is easy to test random numbers for primality (using probabilistic algorithms; a less efficient deterministic algorithm also exists).
2. It is easy to invert numbers in $Z_n$ using Euclid's algorithm.

RSA — Efficiency (cont.)

Encryption and decryption:

1. Efficient modular exponentiation to the exponent $e$ requires about $1.5 \log e$ multiplications, where each multiplication is modular as well (all intermediate results are not larger than the modulus).
2. To increase efficiency of encryption, relatively small $e$'s can be used.
3. To increase efficiency of decryption (by a factor of about 4), it is possible to decrypt modulo $p$ and $q$ separately, and combine the results using the Chinese remainder theorem.

In practice, key generation takes up to a few seconds, and encryption/decryption can be performed thousands of times every second on modern computers.
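The key generation steps and the CRT decryption shortcut described above, as an added Python example that is not part of the original slides. The function names are assumptions of this example, Miller-Rabin stands in for the unspecified probabilistic primality test, and `keygen` returns p and q only so the CRT path can be exercised.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                      # n - 1 = 2^s * d with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a is a witness that n is composite
    return True

def random_prime(bits):
    """Draw random odd candidates of exactly `bits` bits until one passes."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def keygen(bits=512):
    """Steps 1-5 of the key generation; returns (e, d, n, p, q)."""
    p = q = random_prime(bits)
    while q == p:
        q = random_prime(bits)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = (secrets.randbelow(phi - 2) + 2) | 1   # random odd e, 1 < e < phi
        if math.gcd(e, phi) == 1:                  # usually true on try 1 or 2
            return e, pow(e, -1, phi), n, p, q

def decrypt_crt(c, d, p, q):
    """Decrypt modulo p and q separately, then recombine (Garner's formula)."""
    mp = pow(c % p, d % (p - 1), p)
    mq = pow(c % q, d % (q - 1), q)
    h = (pow(q, -1, p) * (mp - mq)) % p
    return mq + h * q                              # equals pow(c, d, p * q)
```

Encryption and plain decryption are `pow(m, e, n)` and `pow(c, d, n)`; the textbook form shown here has no padding.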

RSA — Strength

Note that if $p \mid m$ (or $q \mid m$) and $m \neq 0$ then $\gcd(m, n) = p$ (or $q$). In such a case, the user can compute $p$, $q$ and the secret key $d$.

We now show that the probability of it is low: The number of numbers coprime to $n$ in $Z_n$ is $\varphi(n)$. Thus, the number of non-coprime numbers is

$$n - \varphi(n) = pq - (p-1)(q-1) = pq - pq + p + q - 1 = p + q - 1,$$

and the probability to have a non-coprime number is

$$\frac{n - \varphi(n)}{n} = \frac{p + q - 1}{n} \approx \frac{2^{512} + 2^{512}}{2^{1024}} = 2^{-511}$$

(or less if $|n| > 1024$). Therefore, it is very improbable that $m$ and $n$ are not coprime.

We assume that factoring is difficult. Otherwise, from the factors $p$ and $q$ of $n$ it is easy to compute $\varphi(n)$ and $d$.

RSA — Strength (cont.)

Theorem: Given $\varphi(n)$ it is easy to compute $p$ and $q$.

Proof: Given $\varphi(n)$ it is easy to compute $p + q$ by

$$n - \varphi(n) + 1 = pq - pq + p + q - 1 + 1 = p + q$$

and $p - q$ by

$$(p - q)^2 = p^2 + q^2 - 2pq = (p + q)^2 - 4pq = (n - \varphi(n) + 1)^2 - 4n.$$

Then,

$$p = \frac{(p + q) + (p - q)}{2}, \qquad q = \frac{(p + q) - (p - q)}{2}.$$

QED

RSA — Strength (cont.)

Theorem: Computing $d$ is equivalent to factoring $n$.

Sketch of Proof:

1. Given $d$ it is easy to compute a multiple of $\varphi(n)$ by $e \cdot d - 1$. Denote it by $2^k \cdot t$, where $t$ is odd.
2. Take a random integer $r$. With a good probability (usually about half) $r$ is a primitive root.
3. Compute $r_1 = r^t \pmod{n}$, and then iteratively $r_i = r_{i-1}^2 \pmod{n}$ till $r_j = 1 \pmod{n}$ for some $j$.
4. Then, $r_{j-1}$ is a square root of 1.
5. We will see later that a non-trivial square root of 1 allows to compute the factorization of $n$ by $\gcd(\cdot, n)$.

QED

RSA — Strength (cont.)

Therefore, any algorithm that computes the secret key given $e$, $n$ (and possibly encrypted messages) can be converted to an algorithm to factor $n$.

Note: Computing $m$ from $E(m) = m^e \bmod n$ is not known to be equivalent to factoring (since it does not require to compute $d$). It requires "only" to compute an $e$'th root, however, computing the $e$'th root modulo $n$ is also a difficult problem.

The particular case of computing square roots was shown to be equivalent to factoring, but this function is not 1-1!

Signatures using RSA

Since the domain and the range of RSA are equal ($Z_n$), RSA can be used both for encryption and for signing.

Given the public key $e_A$, $n_A$ and the secret key $d_A$, A signs a document $m$ (actually signs $H(m)$) by

$$S = D_A(m) = m^{d_A} \bmod n_A,$$

and any other user can verify the signatures by checking whether

$$m \stackrel{?}{=} E_A(S) = S^{e_A} \bmod n_A.$$

Forging signatures is difficult since $D_A$ should be computed to forge a signature. To forge a signature either $d_A$ should be known, or an efficient algorithm to compute the $e_A$'th root should be known.

Rabin's RSA Variant

Reference: M. Rabin, Digitalized Signatures and Public Key Functions as Intractable as Factoring, Technical report MIT/LCS/TR-212, January 1979.

Rabin's RSA variant is similar to RSA but uses $e = 2$. This choice allows to prove the equivalence to factoring.

Notes:

1. Using $e = 2$ decryption is not unique, since ciphertexts can have four distinct roots.
2. There is no $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$, since $\gcd(e, \varphi(n)) = 2 \neq 1$.

Difficulty of Computing Modular Square Roots

1. It is difficult to compute modular square roots modulo $n$ whose factorization is unknown. Computing square roots modulo $n$ is equivalent to factoring $n$.
2. It is easy to compute square roots modulo prime numbers:
   • $p = 4k + 3$: Let $\alpha$ be a quadratic residue modulo $p$. Then $\beta \equiv \alpha^{\frac{p+1}{4}} \equiv \alpha^{k+1} \pmod{p}$ is a square root of $\alpha$: $\beta^2 \equiv \alpha^{\frac{p+1}{2}} \equiv \alpha\,\alpha^{\frac{p-1}{2}} \equiv \alpha \cdot 1 \equiv \alpha \pmod{p}$.
   • $p = 4k + 1$: There is a probabilistic algorithm to compute the modular square roots.

Difficulty of Computing Modular Square Roots (cont.)

3. It is easy to compute square roots modulo $n$ whose factorization is known, by computing modulo each of the prime factors, and using the Chinese remainder theorem.
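The two Strength results above (recovering p and q from φ(n), and from d by following the proof sketch), as an added Python example that is not code from the original slides. The function names are assumptions, and the toy key at the bottom is constructed from two Mersenne primes for illustration.

```python
import math
import secrets

def factor_from_phi(n, phi):
    """Theorem: p + q = n - phi + 1 and (p - q)^2 = (p + q)^2 - 4n."""
    s = n - phi + 1                      # p + q
    sq = s * s - 4 * n                   # (p - q)^2
    diff = math.isqrt(sq)
    if diff * diff != sq:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return (s - diff) // 2, (s + diff) // 2

def factor_from_d(n, e, d):
    """Proof sketch: write e*d - 1 = 2^k * t, then square r^t until it hits 1."""
    k, t = 0, e * d - 1
    while t % 2 == 0:
        k, t = k + 1, t // 2
    while True:
        r = 2 + secrets.randbelow(n - 3)          # random r in [2, n-2]
        g = math.gcd(r, n)
        if g > 1:                                 # r already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(r, t, n)                          # r_1
        for _ in range(k):
            if x == 1:
                break
            prev, x = x, pow(x, 2, n)             # r_i = r_{i-1}^2 mod n
            if x == 1 and prev != n - 1:          # prev: non-trivial square root of 1
                g = math.gcd(prev - 1, n)
                return tuple(sorted((g, n // g)))
        if x != 1:
            raise ValueError("e*d - 1 is not a multiple of the group order")
        # only trivial roots (1 or n-1) were seen: try another r

# Constructed toy key (two Mersenne primes), for illustration only.
P, Q = 2**89 - 1, 2**127 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)

if __name__ == "__main__":
    print(factor_from_phi(N, PHI) == (P, Q), factor_from_d(N, E, D) == (P, Q))
```

This is why p, q, φ(n) and d must all be treated as equally secret: disclosure of any one of them reveals the factorization of n.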
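Square roots modulo primes p = 4k+3, their CRT combination into the four roots of a Rabin ciphertext, and the gcd step that ties root-finding to factoring, as an added Python example (not from the original slides). The function names and the toy modulus n = 7·11 are constructed for illustration.

```python
import math

def sqrt_mod_p(alpha, p):
    """Square root of a quadratic residue alpha modulo a prime p = 4k+3."""
    if p % 4 != 3:
        raise ValueError("this formula needs p = 4k+3")
    beta = pow(alpha, (p + 1) // 4, p)            # beta = alpha^((p+1)/4) mod p
    if beta * beta % p != alpha % p:
        raise ValueError("alpha is not a quadratic residue modulo p")
    return beta

def crt(xp, p, xq, q):
    """The x modulo p*q with x = xp (mod p) and x = xq (mod q)."""
    return (xq + q * ((xp - xq) * pow(q, -1, p) % p)) % (p * q)

def rabin_roots(c, p, q):
    """All square roots of c modulo n = p*q (four when gcd(c, n) = 1)."""
    bp, bq = sqrt_mod_p(c, p), sqrt_mod_p(c, q)
    return sorted({crt(sp, p, sq, q)
                   for sp in (bp, p - bp)
                   for sq in (bq, q - bq)})

def factor_from_two_roots(x, y, n):
    """If x^2 = y^2 (mod n) and x != +-y (mod n), gcd(x - y, n) is a factor."""
    g = math.gcd(x - y, n)
    return g if 1 < g < n else None

# Constructed toy parameters: p = 7 and q = 11 are both of the form 4k+3.
P, Q = 7, 11
M = 20
C = M * M % (P * Q)                               # Rabin "encryption" with e = 2

if __name__ == "__main__":
    roots = rabin_roots(C, P, Q)
    print(roots)                                  # the plaintext 20 is one of four
    print([factor_from_two_roots(M, r, P * Q) for r in roots])
```

Knowing the factorization makes the roots easy to compute, while any two roots that are not negatives of each other give the factorization back.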
