RSA and its Mathematics Behind July 2011
Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA
Modular Arithmetic A system of arithmetic for integers, where numbers wrap around after they reach a certain value—the modulus Modular or "clock" arithmetic is arithmetic on a circle instead of a number line In modulo N, we use only the twelve whole numbers from 0 through N-1 The 12-hour clock : modulo 12 If the time is 9:00 now, then 4 hours later it will be 1: =13 13 % 12= 1
Modular Clock Arithmetic 1:00 and and 13:00 hours are the same 1:00 and and 25:00 hours are the same 1 13 (mod 12) a b (mod n) n is the modulus a is congruent to b modulo n a-b is an integer multiple of (divisible by) n a % n = b % n
Example 38 14 (mod 12) = 24 ; multiple of 12 38 2 (mod 12) 38-2 = 36 ; multiple of 12 The same rule for negative number -8 7 (mod 5) 2 -3 (mod 5) -3 -8 (mod 5)
Congruence Class Example Congruence Classes of the integers modulo 6 11 (mod 5)
Replace of congruence item Let 3 (mod 12) and 16 4 (mod 12), therefore (mod 12) Let 9835 7 (mod 12) and 1177 1 (mod 12), therefore 9835*1177 7 * 1 7 (mod 12)
Modular Arithmetic Notation Modulus operatorCongruence relation a = b mod n a b (mod n) Inputs a number a and a base b, outputs a mod b as the remiander of a b (value between 0 and b –1) Relates two numbers a, b to each other relative some base = means that integer a is the reminder of the division of integer b by integer n indicates that the integers a and b fall into the same congruence class modulo n (same remainder when diving by b) 2 = 14 mod 3 14 2 (mod 3)
9 Exercise (I) A: Compute mod 24: mod 7
10 Exercise (II) Q: Which of the following are true? 1. 3 3 (mod 17) 2. 3 -3 (mod 17) 177 (mod 5) 13 (mod 26)
Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA
Greatest Common Divisor Def: Let a,b be integers, not both zero. The greatest common divisor of a and b (or gcd(a,b) ) is the biggest number d which divides both a and b without a remainder gcd (8,12) =4 Find gcd (54, 24) 54x1 = 27x2 = 18x3 = 9x6; {1, 2,3, 6, 9, 18, 27, 54} 24x1 = 12x2 = 8x3 = 4x6; {1, 2,3, 4, 6, 8, 12, 54} Share number : {1, 2, 3, 6} gcd (54, 24) = 6
Finding GCD gcd(a,0) = a, and gcd(a,b) = gcd(b, a mod b) Find gcd(132, 28) : 1.r = 132 mod 28 = 20 => gcd(28, 20) 2.r = 28 mod 20 = 8 => gcd(20,8) 3.r = 20 mod 8 = 4 => gcd(8,4) 4.r = 8 mod 4 = 0 => gcd(4,0) gcd(132, 28) = a b
GCD and Relatively Prime Def: two integers a and b are said to be relatively prime (also called co-prime) if gcd(a,b) = 1 so no prime common divisors. Find gcd(28, 15) : 1.r = 28 mod 15 = 13 => gcd(15, 13) 2.r = 15 mod 13 = 2 => gcd(13, 2) 3.r = 13 mod 2 = 1 => gcd(2,1) 4.r = 2 mod 1 = 0 => gcd(1,0) gcd(28,15) = 1 15 and 28 are relative prime Since a prime number has no factors besides itself, clearly a prime number is relatively prime to every other number (except for multiples of itself)
15 Test Relative Prime Q: Find the following gcd’s: 1. gcd(77,11) 2. gcd(77,33) 3. gcd(36,24) 4. gcd(23,7)
Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA
Euler's Totient Function ( N ) = the numbers between 1 and N - 1 which are relatively prime to N Thus: (4) = 2 (1 and 3 are relatively prime to 4) (5) = 4 (1, 2, 3, and 4 are relatively prime to 5) (6) = 2 (1 and 5 are relatively prime to 6) (7) = 6 (1, 2, 3, 4, 5, and 6 are relatively prime to 7) (8) = 4 (1, 3, 5, and 7 are relatively prime to 8) (9) = 6 (1, 2, 4, 5, 7, and 8 are relatively prime to 9) Compute (N) in C code: phi = 1; for (i = 2 ; i < N ; ++i) if (gcd(i, N) == 1) ++phi;
Euler's Totient Function, cont Note that ( N ) = N-1 when N is prime Somewhat obvious fact that ( N ) is also easy to calculate when N has exactly two different prime factors: Example: Find (15) (p*q) = (p-1)*(q-1)
Euler’s Totient Theorem One of the important keys to the RSA algorithm If gcd(m, n) = 1 and m < n, then m (n) 1 (mod n) m (p-1)(q-1) mod n = mod 55 = 1 M=38 replace (p-1)(q-1) with (11-1)(5-1) n=55 Example: m (n) 1 (mod n) m (p-1)(q-1) mod n = 1 where (n) = (p1-1)*(q-1) relatively prime
More in Euler’s Theorem Multiply both sides of equation by m m (p-1)(q-1) mod n = 1 m (p-1)(q-1) *m mod n = 1*m m (p-1)(q-1)+1 mod n = m m (n) +1 mod n = m
The Road to crypto If we can find two numbers, call them e and d, such that e*d = [(p-1)(q-1)]+1 n = p*q Use e as the private key and d as the public key; Encrypts: c m e (mod n) Decrypts: m c d (mod n) c d = (m e (mod n)) d = m ed (mod n) = m (p-1)(q-1)+1 (mod n) = m (n) +1 (mod n) = m m (n) +1 mod n = m Recall Euler’s theorem
A trapdoor one-way function Message m Ciphertext c c = f(m) = m e mod n m = f -1 (c) = c d mod n Public key Private key (trapdoor information) n = p*q (p & q: primes) e*d = 1 mod (p-1)(q-1)
Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA
RSA Public key cryptosystem Proposed in 1977 by Ron L. Rivest, Adi Shamir and Leonard Adleman at MIT Best known & widely used public- key scheme Based on exponentiation in a finite (Galois) field over integers modulo a prime Main patent expired in 2000 Shamir Rivest Adleman ShamirRivestAdleman
RSA Algorithm Uses two keys : e and d for encryption and decryption A message m is encrypted to the cipher text by c = m e mod n The ciphertext is recover by m = c d mod n Because of symmetric in modular arithmetic m = c d mod n = (m e ) d mod n = (m d ) e mod n One can use one key to encrypt a message and another key to decrypt it
RSA Key Setup 1. Selecting two large primes at random : p, q Typically 512 to 2048 bits 2. Computing their system modulus n=p*q note ø(n)=(p-1)(q-1) 3. Selecting at random the encryption key e where 1<e<ø(n), gcd(e,ø(n))=1 Meaning: there must be no numbers that divide neatly into e and into (p-1)(q-1), except for Solve following equation to find decryption key d e*d=1 mod ø(n) and 0≤d≤n In other words, d is the unique number less than n that when multiplied by e gives you 1 modulo ø(n) 5. Publish public encryption key: P U ={e,n} 6. Keep secret private decryption key: P R ={d,n}
Example: Key Generation Step by Step StepExample Selecting two large primes at random : p, q (use small numbers for demonstration) p = 7; q = 19 Computing their system modulus n=p.q ø(n) = (p-1)(q-1) n = 7*19 = 133 ø(n) = (7-1)*(19-1) = 6*18 = 108 Selecting at random the encryption key e and gcd(e, 108) = 1 e = 5 find decryption key d such that e*d = 1 mod ø(n) and 0≤d≤n d*5 mod 108 = 1; d = 65 Check : 65*5 = 325; 325 mod 108 = 1 Public encryption key: P U ={e,n} P U = {5,133} Secret private decryption key: P R = {d,n}P R = {65,133} Encryption and Decryption for m = 6c = m e mod n = 6 5 % 133 = 62 m = c d mod n = % 133 = 6
Key Generation : Find n and ø(n) 1) Generate two large prime numbers, p and q Lets have: p = 7 and q = 19 2) Find n = p*q n =7*19 = 133 3) Find ø(n) = (p-1)(q-1) ø(n) = (7-1)(19-1)= 6 * 18 = 108
Key Generation : Generate Private Key 4) Choose a small number, e coprime to 108 Using Euclid's algorithm to find gcd(e,108) e = 2 => gcd(e, 108) = 2 ✗ e = 3 => gcd(e, 108) = 3 ✗ e = 4 => gcd(e, 108) = 4 ✗ e = 5 => gcd(e, 108) = 1 ✓
Key Generation : Generate Public Key 5) Find d, such that e*d = 1 mod ø(n) and 0≤d≤n ; e=5; ø(n)=108 Using extended Euclid algorithm; e*d = 1 mod ø(n) => e*d = 1+k*ø(n) ; d, k are interger = (1+k*ø(n))/e d = (1+k*108)/5 Try through values of k until an integer solution for d is found: k = 0 => d = 1 / 5 = 0.2 ✗ k = 1 => d = (1+1*108)/ 5 =109/5 = 21.8 ✗ k = 2 => d = (1+2*108)/5 = 217/5 = 43.4 ✗ k = 3 => d = (1+3*108)/5 = 325/5 = 65 ✓
Example : Encryption P U = {e,n} = {5,133} Lets use the message m=16 c = m e mod n = 16 5 mod 133 = mod 133 = 4
Example: Decryption P R ={d,n}={65,133} From the encryption c=4 m = c d mod n = 4 65 mod 133 = x10 39 mod 133 = 16
Encode the ASCII String Secret! Message input string Message input ASCII Message input binary Message input 16 bit binary Message input 16 bit decimal for “Secret!” padding
Sample 16 bits key n = e = d = m =104 c = ( ) mod = m = ( ) mod = 104 Directly computation of exponential needs too much memory and very slow
How to deal with 1024 bits? n= e=47609 d= we could still end up with a number with so many digits (before taking the remainder on dividing by p) that we wouldn't have enough memory to store it
Using Modular Exponential Using modular reduction to enhance computation f mod i = j and f = g * h then (( g mod i ) * (h mod i)) mod i = j
37 Modular Exponential : mod 29 exp(23 exp-1 mod 29)*23((23 exp-1 mod 29) *23) mod *23= mod 29 =7 37*23= mod 29=16 416*23= mod 29=20 520*23= mod 29=25 625*23= mod 29=24 724*23= mod 29=1 81*23=2323 mod 29=23 923*23= mod 29=7 107*23= mod 29=16 ::: 1623*23= mod 29=7 ::: 1920*23= mod 29= *23= mod 29= mod 29 = =23 2 *23 2 mod 29 = 7*7 mod 29 =49 mod 29 = =23 4 *23 4 mod 29 = 20*20 mod 29 =400 mod 29 = =23 8 *23 8 mod 29 = 23*23 mod 29 =529 mod 29 = =23 16 *23 4 mod 29 = 7*20 mod 29 =140 mod 29 =24
38 Modular Exponential : mod 55 exp23 exp/2 *23 exp/2 (23 exp-1 ) * (23 exp/2 ) mod 55 1[exception] 23 1 =2323 mod 55 = *23= mod 55 = *34= mod 55 = 1 81*1=11 mod 55 = 1 161*1=11 mod 55 = 1 321*1=11 mod 55 = 1 641*1=11 mod 55 = *1=11 mod 55 = *1=11 mod 55 = *1=11 mod 55 = = * *23 4 *23 2 *23 1 = 1*1*1*34*23 = mod 55 = 12
39 Modular Exponential : mod 55 exp31 exp/2 *31 exp/2 (31 exp-1 ) * (31 exp/2 ) mod 55 1[exception] 31 1 =3131 mod 55 = *31= mod 55 = *26= mod 55 = *16= mod 55 = *36= mod 55 = *31= mod 55 = *26= mod 55 = *16= mod 55 = *36= mod 55 = *31= mod 55 = % 55 = ( * *31 8 *31 4 *31 1 ) % 55 = (31*36*36*16*33) = ((1116 % 55)*36*16*33 ) % 55 = (16*36*16*33 ) % 55 = ((576 mod 55) *16 *33) % 55 = (26*16*33) % 55 = ((416 % 55) *33 ) % 55 = (31*3 ) % 55 = 961 % 55 = mod 55 = x10 59 mod 55 = 26
Modular Exponential for RSA The running time of RSA encryption, decryption is simple
Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA
Analyzing RSA RSA depends on being able to find large primes quickly, whereas anyone given the product of two large primes “cannot” factor the number in a reasonable time. If any one of p, q, m, d is known, then the other values can be calculated. So secrecy is important 1024 bits is considered in risk To protect the encryption, the minimum number of bits in n should be 2048 RSA is slow in pratice RSA is primary used to encrypt the session key used for secret key encryption (message integrity) or the message's hash value (digital signature)
RSA-Numbers RSA numbers are a set of large semiprimes (numbers with exactly two prime factors) that are part of the RSA Factoring Challenge Officially ended in 2007 but people can still attempt to find the factorizations
RSA-768 RSA-768 has 768 bits (232 decimal digits), and was factored on December 12, 2009 RSA-768 = RSA-768 = ×
RSA-1024 and RSA-2048 RSA-1024 has 1,024 bits (309 decimal digits), and has not been factored so far RSA-1024 = RSA-2048 has 2,048 bits (617 decimal digits) may not be factorizable for many years to come, unless considerable advances are made in integer factorization RSA-2048 =
RSA security summary One-way functionDescription Encryption function The encryption function is a trapdoor one-way function, whose trapdoor is the private key. The difficulty of reversing this function without the trapdoor knowledge is believed (but not known) to be as difficult as factoring. Multiplication of two primes The difficulty of determining an RSA private key from an RSA public key is known to be equivalent to factoring n. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless they can factor n. Because multiplication of two primes is believed to be a one-way function, determining an RSA private key from an RSA public key is believed to be very difficult. There are two one-way functions involved in the security of RSA.
Q&A