Introduction to Cryptography and Security

The RSA Cryptosystem

1 / 23
 Outline

1 The RSA Cryptosystem

2 Encryption and Decryption: Fast Exponentiation

 Review: arithmetic mod composites
Let N = p · q where p, q are prime.

ZN = {0, . . . , N − 1} ; Z∗N = { invertible elements in ZN }

Fact
• x ∈ ZN is invertible iff gcd(x, N ) = 1
• Number of elements in Z∗N is

ϕ(N ) = (p − 1)(q − 1) = N − p − q + 1

Theorem (Euler)
∀x ∈ Z∗N : x ϕ(N ) = 1 (mod N )

3 / 23
 The RSA Cryptosystem

First published: Scientific American, Aug. 1977.

Very widely used:

• SSL/TLS: certificates and key-exchange
• Secure e-mail and file systems

4 / 23
Figure: Adi Shamir, Ron Rivest, and Leonard Adleman

5 / 23
 Review: Public key encryption
Definition
A Public key encryption system is a triple of algorithms

(G, E, D)

where:
G() : randomized algorithm output a key pair (pk, sk).
E(pk, m) : randomized algorithm that takes m ∈ M and
output c ∈ C.
D(sk, c) : deterministic algorithm that takes c ∈ C and
output m ∈ M or ⊥ (error).

Consistency: For all (pk, sk) output by G:

∀m ∈ M : D(sk, E(pk, m)) = m.

6 / 23
 RSA Cryptosystem
Key gen G()

• choose random primes p, q ≈ 1024 bits. Set N = p · q.

• choose integers e, d such that e · d = 1 mod ϕ(N )
• output pk = (N , e), sk = (N , d)

Encryption & Decryption

E(pk, x) : D(sk, y) :
return x (mod N )
e
return y d (mod N )

7 / 23
 Correctness of Decryption

Since e · d ≡ 1 (mod ϕ(N )), there exists an integer j such that:

e · d = 1 + j · ϕ(N )

Therefore:

(x e )d = x 1+ j·ϕ(N )
= x · (x ϕ(N ) ) j
= x · 1 (mod N )
= x (mod N )

8 / 23
 Key Generation in Detail

Output: public key: pk = (N , e) and private key: sk = (N , d)

1 Choose two large primes p and q.
2 Compute N = p · q.
3 Compute ϕ(N ) = (p − 1)(q − 1).
4 Select the public exponent e ∈ {1, 2, . . . , ϕ(N ) − 1} such that
gcd(e, ϕ(N )) = 1.
5 Compute the private key d such that d · e ≡ 1 (mod ϕ(N )).

9 / 23
 Practical RSA Parameters

• Practical RSA parameters are much, much larger.

• It is recommended that the RSA modulus n be at least 2048
bits long for practical security.
• This results in a bit length for p and q of 1024.

10 / 23
 The RSA assumption
RSA is one-way permutation

RSA assumption

For all efficient algorithms A:

Pr A(N , e, y) = y 1/e < negligible

 

where p, q ←$ n-bit primes, N = pq, and y ←$ Z∗N

11 / 23
 Security of RSA

• The security of RSA is based on the hardness of factoring large

composite numbers.
• The RSA assumption is that it is hard to compute the e-th root
of a random element in Z∗N .
• The RSA assumption is not known to be equivalent to the
hardness of factoring.

12 / 23
 Exercise

Let the two primes p = 41 and q = 17 be given as setup

parameters for RSA.
1 Which of the parameters e1 = 32, e2 = 49 is a valid RSA
exponent? Justify your choice.
2 Compute the corresponding private key sk = (p, q, d). Use the
extended Euclidean algorithm for the inversion and show
every calculation step.

13 / 23
 Exercise

Encrypt and decrypt by means of the RSA algorithm with the

following system parameters:
1 p = 3, q = 11, d = 7, x = 5
2 p = 5, q = 11, e = 3, x = 9
Only use a pocket calculator at this stage.

14 / 23
 Outline

1 The RSA Cryptosystem

2 Encryption and Decryption: Fast Exponentiation

 Fast Exponentiation
Example
Suppose we want to compute

3218 (mod 1000).

First, we write 218 in base 2:

218 = 2 + 23 + 24 + 26 + 27 .

Thus, 3218 becomes

3
+24 +26 +27 3 4 6 7
3218 = 32+2 = 32 · 32 · 32 · 32 · 32 .

Notice that it is easy to compute the powers

2 3 4
3 , 32 , 32 , 32 , 32 , . . .

16 / 23
Example (continued)
We create a table

i 0 1 2 3 4 5 6 7
2i
3 (mod 1000) 3 9 81 561 721 841 281 961

then compute
3 4 6 7
3218 = 32 · 32 · 32 · 32 · 32
≡ 9 · 561 · 721 · 281 · 961 (mod 1000)
≡ 489 (mod 1000).

17 / 23
 Fast Computation of a b (mod n)

MODULAR-EXPONENTIATION(a, b, n)
c=0
d =1
Represent b = 〈bk , bk−1 , . . . , b0 〉2
for i = k downto 0
c = 2c
d = (d · d) mod n
if bi == 1 then
c = c+1
d = (d · a) mod n
return d

• The value of c is 〈bk , bk−1 , . . . , bi+1 〉2

• and d = a c mod n.

18 / 23
 Example
Compute 7560 mod 561

i 9 8 7 6 5 4 3 2 1 0
bi 1 0 0 0 1 1 0 0 0 0
c 1 2 4 8 17 35 70 140 280 560
d 7 49 157 526 160 241 298 166 67 1

• Result of computing a b (mod n) with

a = 7, b = 560 = 〈1000110000〉2 , and n = 561

• The final result is 1

19 / 23
Recursive Algorithm for a b mod n

MODULAR-EXPONENTIATION(a, b, n)
if b == 0 then return 1
if b == 1 then return a
r = MODULAR-EXPONENTIATION(a, b/2, n)
r =r∗r
if b mod 2 == 1 then r = r ∗ a
return r

20 / 23
 Exercise: Efficient Modular
Exponentiation

Computing modular exponentiation efficiently is central to using

RSA in practice. Compute the following exponentiations x e
mod m using the square-and-multiply algorithm:
1 x = 2, e = 79, m = 101
2 x = 3, e = 197, m = 101
3 x = 5, e = 54, m = 151
4 x = 8, e = 127, m = 151
After every iteration step, show the exponent of the intermediate
result in binary notation.

21 / 23
Exercise
• Given that you know ϕ(n),
• explain how to compute the modular inverse

a−1 mod n for any a ∈ Z∗n

using the MODULAR-EXPONENTIATION algorithm.

Hint: Recall that aϕ(n) = 1 mod n.

22 / 23
Thank you!

23 / 23