‫كــلــيـــة هندسة الحاسوب والمعلوماتية‬

Faculty of Computer &Informatics Engineering

Information Systems Security

LAB
Eng. Christine Zenieh

RSA Cryptography Algorithm

The pioneering paper by Diffie and Hellman introduced a new approach
to cryptography and, in effect, challenged cryptologists to come up with a
cryptographic algorithm that met the requirements for public-key
systems. A number of algorithms have been proposed for public-key
cryptography. Some of these, though initially promising, turned out to be
breakable.
One of the first successful responses to the challenge was developed in
1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first
published in 1978. The Rivest-Shamir-Adleman (RSA) scheme has since
that time reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption.
The RSA scheme is a block cipher in which the plaintext and ciphertext
are integers between 0 and n - 1 for some n. A typical size for n is 1024
bits, or 309 decimal digits. That is, n is less than 21024.We examine RSA
in this section in some detail, beginning with an explanation of the
algorithm. Then we examine some of the computational and
cryptanalytical implications of RSA.

Description of the Algorithm

RSA makes use of an expression with exponentials. Plaintext is encrypted
in blocks, with each block having a binary value less than some number
n. That is, the block size must be less than or equal to log2(n) + 1; in
1
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 practice, the block size is i bits, where 2i < n ≤ 2i+1. Encryption and
decryption are of the following form, for some plaintext block M and
ciphertext block C.

Both sender and receiver must know the value of n. The sender knows the
value of e, and only the receiver knows the value of d. Thus, this is a
public-key encryption algorithm with a public key of PU = {e, n} and a
private key of PR = {d, n}.
For this algorithm to be satisfactory for public-key encryption, the
following requirements must be met.
1. It is possible to find values of e, d, n such that Med mod n = M for
all M < n.
2. It is relatively easy to calculate Me mod n and Cd mod n for all
values of M < n.
3. It is infeasible to determine d given e and n.
For now, we focus on the first requirement and consider the other
questions later. We need to find a relationship of the form
Med mod n = M
The preceding relationship holds if e and d are multiplicative inverses
modulo φ(n), where φ(n) is the Euler totient function. For p, q prime,
φ (pq) = (p - 1)(q - 1). The relationship between e and d can be expressed
as
ed mod φ(n) = 1
This is equivalent to saying
𝑒𝑑 ≡ 1 𝑚𝑜𝑑 ∅ 𝑛
𝑑 ≡ 𝑒 −1 𝑚𝑜𝑑 ∅ 𝑛
That is, e and d are multiplicative inverses mod φ(n). Note that, according
to the rules of modular arithmetic, this is true only if d (and therefore e) is
relatively prime to φ(n). Equivalently, gcd(∅ (n), d) = 1.
We are now ready to state the RSA scheme. The ingredients are the
following:
p, q, two prime numbers (private, chosen)
n = pq (public, calculated)
e, with gcd(∅ (n), e) = 1; 1 < e < ∅ (n) (public, chosen)
-1
d ≡ e (mod ∅ (n)) (private, calculated)
The private key consists of {d, n} and the public key consists of {e, n}.
2
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 Suppose that user A has published its public key and that user B wishes to
send the message M to A. Then B calculates C = Me mod n and transmits
C. On receipt of this ciphertext, user A decrypts by calculating
M = Cd mod n.
The figure summarizes the RSA algorithm: Alice generates a
public/private key pair; Bob encrypts using Alice’s public key; and Alice
decrypts using her private key. For this example, the keys were generated
as follows.
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 × 11 = 187.
3. Calculate Ø(n) = (p - 1)(q - 1) = 16 × 10 = 160.
4. Select e such that e is relatively prime to Ø(n) = 160 and less than
Ø(n); we choose e = 7.
5. Determine d such that de ≡ 1 (mod 160) and d < 160.The correct
value is d = 23, because 23 × 7 = 161 = (1 × 160) + 1; (d can be
calculated using the extended Euclid’s algorithm).
The resulting keys are public key PU = {7, 187} and private key
PR = {23, 187}. The example shows the use of these keys for a plaintext
input of M= 88.
For encryption, we need to calculate C = 887 mod 187. Exploiting the
properties of modular arithmetic, we can do this as follows.
887 mod 187 = [(884 mod 187)×(882 mod 187)×(881 mod 187)] mod 187
881 mod 187 = 88
882 mod 187 = 7744 mod 187 = 77
884 mod 187 = 59,969,536 mod 187 = 132
887 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11

For decryption, we calculate M = 1123 mod 187:

1123 mod 187 = [(111 mod 187) × (112 mod 187) × (114 mod 187)
× (118 mod 187) × (118 mod 187)] mod 187
111 mod 187 = 11
112 mod 187 = 121
114 mod 187 = 14,641 mod 187 = 55
118 mod 187 = 214,358,881 mod 187 = 33
1123 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187
= 79,720,245 mod 187 = 88

3
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 We now look at an example, which shows the use of RSA to process
multiple blocks of data. In this simple example, the plaintext is an
alphanumeric string. Each plaintext symbol is assigned a unique code of
two decimal digits (e.g., a = 00, A = 26). A plaintext block consists of
four decimal digits, or two alphanumeric characters. The figure illustrates
the sequence of events for the encryption of multiple blocks, and gives a
specific example. The circled numbers indicate the order in which
operations are performed.

4
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 Computational Aspects
We now turn to the issue of the complexity of the computation required
to use RSA. There are actually two issues to consider:
encryption/decryption and key generation. Let us look first at the process
of encryption and decryption and then consider key generation.

EXPONENTIATION IN MODULAR ARITHMETIC

Both encryption and decryption in RSA involve raising an integer to an
integer power, mod n. If the exponentiation is done over the integers and
then reduced modulo n, the intermediate values would be gargantuan.
Fortunately, as the preceding example shows, we can make use of a
property of modular arithmetic:
[(a mod n)  (b mod n)] mod n = (a  b) mod n
Thus, we can reduce intermediate results modulo n. This makes the
calculation practical.
Another consideration is the efficiency of exponentiation, because with
RSA, we are dealing with potentially large exponents. To see how

5
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 efficiency might be increased, consider that we wish to compute x16. A
straightforward approach requires 15 multiplications:
x16 = x x x  x  x  x  x  x  x  x  x  x  x  x  x  x
However, we can achieve the same final result with only four
multiplications if we repeatedly take the square of each partial result,
successively forming (x2, x4, x8, x16).
As another example, suppose we wish to calculate x11 mod n for some
integers x and n. Observe that x11 = x1+2+8 = (x)(x2)(x8). In this case, we
compute x mod n, x2 mod n, x4 mod n, and x8 mod n and then calculate
[(x mod n) × (x2 mod n) × (x8 mod n)] mod n.
More generally, suppose we wish to find the value ab with a and m
positive integers. If we express b as a binary number bkbk-1. . . b0, then we
have

Therefore,

We can therefore develop the algorithm for computing ab mod n, shown

in the next figure. Note that the variable c is not needed; it is included for
explanatory purposes. The final value of c is the value of the exponent.

6
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 EFFICIENT OPERATION USING THE PRIVATE KEY
We cannot similarly choose a small constant value of d for efficient
operation. A small value of d is vulnerable to a bruteforce attack and to
other forms of cryptanalysis. However, there is a way to speed up
computation using the CRT. We wish to compute the value M=Cd mod n.
Let us define the following intermediate results:
Vp = Cd mod p Vq = Cd mod q
Following the CRT, define the quantities
Xp = q  (q-1 mod p) Xq = p  (p-1 mod q)
The CRT then shows that
M = (VpXp + VqXq) mod n
Furthermore, we can simplify the calculation of Vp and Vq using Fermat’s
theorem, which states that ap-1 ≡ 1 (mod p) if p and a are relatively prime.
Some thought should convince you that the following are valid.
Vp = Cd mod p = Cd mod (p-1) mod p, Vq = Cd mod q = Cd mod (q-1) mod q
The quantities d mod (p - 1) and d mod (q - 1) can be precalculated. The
end result is that the calculation is approximately four times as fast as
evaluating M= Cd mod n directly.

KEY GENERATION
Before the application of the public-key cryptosystem, each participant
must generate a pair of keys. This involves the following tasks.
 Determining two prime numbers, p and q.
 Selecting either e or d and calculating the other.
First, consider the selection of p and q. Because the value of n = pq will
be known to any potential adversary, in order to prevent the discovery of
p and q by exhaustive methods, these primes must be chosen from a
sufficiently large set (i.e., p and q must be large numbers). On the other
hand, the method used for finding large primes must be reasonably
efficient.
At present, there are no useful techniques that yield arbitrarily large
primes, so some other means of tackling the problem is needed. The
procedure that is generally used is to pick at random an odd number of
the desired order of magnitude and test whether that number is prime. If
not, pick successive random numbers until one is found that tests prime.
A variety of tests for primality have been developed. Almost invariably,
the tests are probabilistic.
7
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 That is, the test will merely determine that a given integer is probably
prime. Despite this lack of certainty, these tests can be run in such a way
as to make the probability as close to 1.0 as desired. As an example, one
of the more efficient and popular algorithms, the Miller-Rabin algorithm.
With this algorithm and most such algorithms, the procedure for testing
whether a given integer n is prime is to perform some calculation that
involves n and a randomly chosen integer a. If n “fails” the test, then n is
not prime. If n “passes” the test, then n may be prime or nonprime. If n
passes many such tests with many different randomly chosen values for a,
then we can have high confidence that n is, in fact, prime.
In summary, the procedure for picking a prime number is as follows.
1. Pick an odd integer n at random (e.g., using a pseudorandom
number generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller-Rabin, with
a as a parameter. If n fails the test, reject the value n and go to step
1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go
to step 2.
This is a somewhat tedious procedure. However, remember that this
process is performed relatively infrequently: only when a new pair (PU,
PR) is needed.
It is worth noting how many numbers are likely to be rejected before a
prime number is found. A result from number theory, known as the prime
number theorem, states that the primes near N are spaced on the average
one every (ln N) integers.
Thus, on average, one would have to test on the order of ln(N) integers
before a prime is found. Actually, because all even integers can be
immediately rejected, the correct figure is ln(N)/2. For example, if a
prime on the order of magnitude of 2200 were sought, then about
ln(2200)/2 = 70 trials would be needed to find a prime.
Having determined prime numbers p and q, the process of key generation
is completed by selecting a value of e and calculating d or, alternatively,
selecting a value of d and calculating e. Assuming the former, then we
need to select an e such that gcd(Ø(n), e) = 1 and then calculate
d ≡ e-1 (mod Ø(n)). Fortunately, there is a single algorithm that will, at the
same time, calculate the greatest common divisor of two integers and, if
8
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering
 the gcd is 1, determine the inverse of one of the integers modulo the
other. The algorithm, referred to as the extended Euclid’s algorithm.
Thus, the procedure is to generate a series of random numbers, testing
each against Ø(n) until a number relatively prime to Ø(n) is found.
Again, we can ask the question: How many random numbers must we test
to find a usable number, that is, a number relatively prime to Ø(n)? It can
be shown easily that the probability that two random numbers are
relatively prime is about 0.6; thus, very few tests would be needed to find
a suitable integer.

The Security of RSA

Four possible approaches to attacking the RSA algorithm are
 Brute force: This involves trying all possible private keys.
 Mathematical attacks: There are several approaches, all
equivalent in effort to factoring the product of two primes.
 Timing attacks: These depend on the running time of the
decryption algorithm.
 Chosen ciphertext attacks: This type of attack exploits properties
of the RSA algorithm.
The defense against the brute-force approach is the same for RSA as for
other cryptosystems, namely, to use a large key space. Thus, the larger
the number of bits in d, the better. However, because the calculations
involved, both in key generation and in encryption/decryption, are
complex, the larger the size of the key, the slower the system will run.

9
Syrian Private University Information Systems Security LAB
Faculty of Computer &Informatics Engineering