CNS 2201 9/25/2023

Introduction
• The RSA crypto scheme, sometimes referred to as the Rivest–Shamir–Adleman
algorithm, is currently the most widely used asymmetric cryptographic scheme,
even though elliptic curves and discrete logarithm schemes are gaining ground.
The RSA Cryptosystem • RSA was patented in the USA (but not in the rest of the world) until 2000.
• There are many applications for RSA, but in practice it is most often used for:
• Encryption of small pieces of data, especially for key transport
• Digital signatures for digital certificates on the internet (discussed later)

1 2

Introduction Encryption and Decryption

• It should be noted that RSA encryption is not meant to replace symmetric ciphers
because it is several times slower than ciphers such as AES.
• This is because of the many computations involved in performing RSA.
• Thus, the main use of the encryption feature is to securely exchange a key for a
symmetric cipher (key transport).
• In practice, RSA is often used together with a symmetric cipher such as AES,
where the symmetric cipher does the actual bulk data encryption.
• The underlying one-way function of RSA is the integer factorization problem:
Multiplying two large primes is computationally easy (in fact, you can do it with
paper and pencil), but factoring the resulting product is very hard.

3 4
CNS 2201
Encryption and Decryption
• In practice, x, y, n and d are very long numbers, usually 1024 bit long or more.
• The value e is sometimes referred to as encryption exponent or public exponent,
and the private key d is sometimes called decryption exponent or private
exponent.
• If Alice wants to send an encrypted message to Bob, Alice needs to have his
public key (n,e), and Bob decrypts with his private key d.
• We discuss later how these three crucial parameters d, e, and n are generated.
5 6
Key Generation
• Here are the steps involved in computing the public and private-key for an RSA
cryptosystem.
7
9/25/2023
Encryption and Decryption
• Requirements for the RSA cryptosystem are as follows:
1. Since an attacker has access to the public key, it must be computationally infeasible to
determine the private-key d given the public-key values e and n.
2. It should be relatively easy to calculate xe mod n, i.e., to encrypt, and yd mod n, i.e., to
decrypt. This means we need a method for fast exponentiation with very long numbers.
3. For a given n, there should be many private-key/public-key pairs, otherwise an attacker
might be able to perform a brute-force attack.
Key Generation - Alternative
CNS 2201 9/25/2023

Example 2 Example 2

Example 1 Example 2

11
CNS 2201 9/25/2023

Fast Exponentiation Fast Exponentiation

• Unlike symmetric algorithms such as AES, DES or stream ciphers, public-key
algorithms are based on arithmetic with very long numbers.
• Unless we pay close attention to how to realize the necessary computations, we
can easily end up with schemes that are too slow for practical use.
• If we look at RSA encryption and decryption in we see that both are based on
modular exponentiation
• where SQ denotes squaring and MUL multiplication.
• Unfortunately, the exponents e and d are in general very large numbers.
• The exponents are typically chosen in the range of 1024–3072 bit or even larger.
• The public exponent e is sometimes chosen to be a small value, but d is always very
long.
• Straightforward exponentiation as shown above would thus require around 21024 or
more multiplications.

13 14

Fast Exponentiation Fast Exponentiation - Example

• The central question is whether there are considerably faster
methods for exponentiation available.
• The answer is, luckily, yes.
• Otherwise we could forget about RSA and pretty much all other
public-key cryptosystems in use today, since they all rely on
exponentiation.
• One such method is the square-and-multiply algorithm.

15 16
CNS 2201 9/25/2023

Fast Exponentiation - Example Fast Exponentiation

• In the example above we computed the sequence SQ, MUL, SQ, SQ, MUL, SQ.
• However, we do not know the sequence in which the squarings and
multiplications have to be performed for other exponents.
• One solution is the square-and-multiply algorithm.
• It provides a systematic way for finding the sequence in which we have
to perform squarings and multiplications by x for computing xH.
• Roughly speaking, the algorithm works as follows: The algorithm is based on
scanning the bit of the exponent from the left (the most significant bit) to the
right (the least significant bit). In every iteration, i.e., for every exponent bit,
the current result is squared. If and only if the currently scanned exponent bit
has the value 1, a multiplication of the current result by x is executed following
the squaring.

17 18

Fast Decryption Chinese Remainder Theorem

• RSA involves exponentiation with very long numbers.
• Even if the low-level arithmetic involving modular multiplication and squaring as
well as the square-and-multiply algorithm are implemented carefully, performing
a full RSA exponentiation with operands of length 1024 bit or beyond is
computationally intensive.
• Thus, people have studied speed-up techniques for RSA since its
invention.
• Chinese Remainder Theorem is one such general acceleration technique.

19 20
CNS 2201 9/25/2023

Fast Decryption Chinese Remainder Theorem
• We cannot choose a short private key without compromising the security for RSA.
• If we were to select keys d as short as we did in the case of encryption in the
section above, an attacker could simply brute-force all possible numbers up to a
given bit length, i.e., 50 bit.
• But even if the numbers are larger, say 128 bit, there are key recovery attacks.
• In practice, e is often chosen short and d has full bit length.
• What one does instead is to apply a method which is based on the Chinese
Remainder Theorem (CRT).
• We do not introduce the CRT itself here but merely how it applies to accelerate
RSA decryption and signature generation.
Fast Decryption Chinese Remainder Theorem
• Our goal is to perform the exponentiation xd mod n efficiently.
• First we note that the party who possesses the private key also knows the primes
p and q.
• The basic idea of the CRT is that rather than doing arithmetic with one “long”
modulus n, we do two individual exponentiations modulo the two “short” primes
p and q.
• This is a type of transformation arithmetic.
• Like any transform, there are three steps: transforming into the CRT domain,
computation in the CRT domain, and inverse transformation of the result.

21 22

Chinese Remainder Theorem Chinese Remainder Theorem

23 24
CNS 2201 9/25/2023

Chinese Remainder Theorem Chinese Remainder Theorem - Example

25 26

Chinese Remainder Theorem - Example Chinese Remainder Theorem - Example

27 28