
PUBLIC-KEY ENCRYPTION Focusing on RSA



Presentation on theme: "PUBLIC-KEY ENCRYPTION Focusing on RSA"— Presentation transcript:

1 PUBLIC-KEY ENCRYPTION Focusing on RSA
Hoang Vu

2 Introduction to Public Key Encryption: Paint Mixing Example
Nathan and John each choose their own “private color”. A “public color” is then announced. Nathan and John each mix the public color with their private color and publish the resulting public-private mixture. Now each of them mixes the other's public-private mixture with his own private color to obtain the shared secret color. Katie wants to know the shared secret color with only knowledge of the public color and the public-private mixtures, but cannot find it no matter what color is added to the mixture.

3 Notes Katie cannot separate the colors in the mixture; more colors can only be added to it. This is the key point of public-key cryptography: a one-way action, something that can be done but cannot be undone. The idea of public-key cryptography was due to Diffie and Hellman in 1976. The first realization of a public-key system came in 1977 from Rivest, Shamir and Adleman, who invented the well-known RSA cryptosystem.

4 Some Types of Cryptography System
Secure systems: McEliece is based on algebraic coding theory, namely the problem of decoding a linear code (NP-complete). Chor-Rivest, a “knapsack” type system. Elliptic Curve is a modification of other systems, working in the domain of elliptic curves rather than finite fields (secure for smaller keys). Insecure: Merkle-Hellman Knapsack is based on the difficulty of the subset sum problem (NP-complete). ElGamal is based on the difficulty of the discrete logarithm problem in finite fields.

5 So What Is RSA? RSA (Rivest, Shamir, Adleman): its security is based on the difficulty of factoring large integers.

6 Tools Used in RSA
Euclidean Algorithm computes $\gcd(r_i, r_j)$ with $r_i, r_j \in \mathbb{Z}_n$.
Extended Euclidean Algorithm: if $\gcd(r_i, r_j) = 1$, there exists $t \in \mathbb{Z}_n$ such that $t = r_i^{-1} \bmod r_j$.
Corollary: $b^{\phi(n)} \equiv 1 \pmod n$ for $b \in \mathbb{Z}_n^*$, where $n = pq$ and $\phi(n) = (p-1)(q-1)$.

7 The Euclidean Algorithm
Computing $\gcd(r_0, r_1)$ where $r_0 > r_1$ by performing this sequence of divisions:
$r_0 = q_1 r_1 + r_2, \quad 0 < r_2 < r_1$
$r_1 = q_2 r_2 + r_3, \quad 0 < r_3 < r_2$
$\vdots$
$r_{m-2} = q_{m-1} r_{m-1} + r_m, \quad 0 < r_m < r_{m-1}$
$r_{m-1} = q_m r_m$
Then $\gcd(r_0, r_1) = \gcd(r_1, r_2) = \dots = \gcd(r_{m-1}, r_m) = r_m$.

8 Running Time of Euclidean Algorithm
Computing $\gcd(r_0, r_1)$ where $r_0 > r_1$: in each iteration we compute a quotient and remainder, which takes $O((\log r_0)^2)$. Lamé's Theorem gives an upper bound on the number of iterations: if $s$ is the number of iterations then $f_{s+2} \le r_0$ ($f_i$ denotes the $i$th Fibonacci number). Since $f_i$ grows exponentially in $i$, it follows that $s$ is $O(\log r_0)$. Therefore the complexity is $O((\log r_0)^3)$. Actually, with a more careful analysis we can show that the running time of the Euclidean algorithm is in fact $O((\log r_0)^2)$.

9 The Extended Euclidean Algorithm
1. n_0 = n; b_0 = b; t_0 = 0; t = 1; q = ⌊n_0 / b_0⌋; r = n_0 − q × b_0;
2. while r > 0 do
3.   temp = t_0 − q × t
4.   if temp ≥ 0 then temp = temp mod n
5.   if temp < 0 then temp = n − ((−temp) mod n)
6.   t_0 = t; t = temp; n_0 = b_0; b_0 = r; q = ⌊n_0 / b_0⌋; r = n_0 − q × b_0;
7. if b_0 ≠ 1 then b has no inverse modulo n
8. else b^{-1} = t mod n

10 Example n_0 = 75; b_0 = 28; t_0 = 0; t = 1; q = ⌊n_0 / b_0⌋ = 2; r = n_0 − q × b_0 = 75 − 2 × 28 = 19; temp = t_0 − q × t = −2 < 0, so temp = n − ((−temp) mod n) = 75 − 2 = 73 … b^{-1} = 67 (mod 75)

11 RSA Cryptosystem Let $n = pq$ where $p$ and $q$ are primes. Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_n$ and define
$\mathcal{K} = \{(n, p, q, a, b) : n = pq,\ p, q \text{ prime},\ ab \equiv 1 \pmod{\Phi(n)}\}$, where $\Phi(n) = (p-1)(q-1)$.
For $K = (n, p, q, a, b)$, define $y = e_K(x) = x^b \bmod n$ ($x \in \mathbb{Z}_n$) and $d_K(y) = y^a \bmod n$ ($y \in \mathbb{Z}_n$).
The values $n$ and $b$ are public and the values $p$, $q$, $a$ are secret.

12 Encryption & Decryption Are Inverse Functions
$ab \equiv 1 \pmod{\Phi(n)}$, so $ab = t\Phi(n) + 1$ for some $t \ge 1$. Suppose that $x \in \mathbb{Z}_n^*$; then we have:
$(x^b)^a \equiv x^{t\Phi(n)+1} \equiv (x^{\Phi(n)})^t x \equiv 1^t x \equiv x \pmod n$
Therefore encryption and decryption are inverse functions, which means $a = b^{-1} \bmod \Phi(n)$.

13 Example Dr. Cusack generates p = 101 and q = 113, so n = pq = 11413 and Φ(n) = 100 × 112 = 11200. He then chooses b = 3533, using the Euclidean algorithm to verify that gcd(Φ(n), b) = 1. Now the Extended Euclidean Algorithm yields $a = b^{-1} \bmod 11200 = 6597$. Dr. Cusack now publishes n = 11413 and b = 3533. Suppose Cole wants to send Dr. Cusack the plaintext 9726; Cole computes $9726^{3533} \bmod 11413 = 5761$ and sends 5761 over the channel. Assuming Dr. Cusack receives it successfully, he decrypts by computing $5761^{6597} \bmod 11413 = 9726$.

14 Notes The security of RSA is based on the hope that the encryption function $e_K(x) = x^b \bmod n$ is one-way, so that it is computationally infeasible for an opponent to decrypt a ciphertext. The trapdoor that allows us to decrypt is knowledge of the factorization $n = pq$: since we know this factorization, we can compute $\Phi(n) = (p-1)(q-1)$ and then compute the decryption exponent $a$ using the Extended Euclidean algorithm.

15 Notes (Continued) A secure RSA cryptosystem has an n = pq that is large enough that factoring it is computationally infeasible. Currently, factoring algorithms are able to factor numbers having up to 130 decimal digits. p and q should be chosen to have about 100 digits so that n has about 200 digits. Several hardware implementations of RSA use a 512-bit modulus, which corresponds to about 154 decimal digits; hence they do not offer good long-term security.

16 Implement RSA
1. Generate two large primes, p and q.
2. Compute n = pq and Φ(n) = (p − 1)(q − 1).
3. Choose a random b (0 < b < Φ(n)) such that gcd(b, Φ(n)) = 1.
4. Compute a = b^{-1} mod Φ(n) using the Extended Euclidean algorithm.
5. Publish n and b in a directory as the public key.

17 Generating Random Primes p, q
Generate large random numbers and test them for primality using a probabilistic polynomial-time Monte Carlo algorithm (e.g. Solovay-Strassen or Miller-Rabin). These algorithms are quite fast: a given integer n can be tested in time polynomial in log₂ n. There is a chance that the algorithm claims n is prime when it is not; however, by running the algorithm enough times the error probability can be reduced below any desired threshold.

18 Is It Possible? According to the Prime Number Theorem, the number of primes not exceeding $N$ is approximately $N / \ln N$. ⇒ If $p$ is chosen at random, the probability that $p$ is prime is $\approx 1/\ln N$. For a 512-bit modulus we have $1/\ln N \approx 1/177$, i.e. on average one of 177 random integers will be prime (if we restrict to odd integers, the probability is $\approx 2/177$). Therefore it is indeed practical to generate sufficiently large random numbers that are probably prime. ⇒ It is practical to set up the RSA cryptosystem.

19 Modular Multiplication
Suppose that $n$ has $k$ bits in its binary representation. With two $k$-bit integers: addition takes $O(k)$; multiplication takes $O(k^2)$; reducing an integer having at most $2k$ bits modulo $n$ takes $O(k^2)$. Given $x, y \in \mathbb{Z}_n$ with $0 \le x, y \le n-1$, computing $xy \bmod n$ requires calculating the product $xy$ (a $2k$-bit integer) and reducing it modulo $n$. These two steps take $O(k^2)$.

20 Modular Exponentiation
RSA's encryption and decryption operations are both exponentiations. Computation of $x^c \bmod n$:
Naive approach: requires $c - 1$ modular multiplications. Very inefficient, since $c$ can be large (e.g. $c = \Phi(n) - 1$, which is exponentially large compared to $k$).
Square-and-multiply approach: requires at most $2s$ modular multiplications, where $s$ is the number of bits in the binary representation of $c$. Since $s \le k$, it follows that $x^c \bmod n$ can be computed in $O(k^3)$. ⇒ RSA encryption and decryption can both be done in polynomial time.

21 Square-And-Multiply Algorithm
Assume that the exponent $b$ is represented in binary notation with $s$ bits, say $b = \sum_{i=0}^{s-1} b_i 2^i$, in which $b_i = 0$ or $1$, $0 \le i \le s-1$. Code:
1. z = 1
2. for i = s − 1 downto 0 do
3.   z = z² mod n
4.   if b_i = 1 then z = z × x mod n
There are always $s$ squarings performed in step 3. The number of modular multiplications in step 4 equals the number of 1's in the binary representation of $b$, which is an integer between 0 and $s$. ⇒ $s \le$ total number of modular multiplications $\le 2s$.

22 Example of Dr. Cusack & Cole
Recall that n = 11413 and b = 3533. Cole wants to send Dr. Cusack the plaintext 9726. He computes $9726^{3533} \bmod 11413$ using the square-and-multiply algorithm (3533 = 110111001101 in binary). As illustrated in the table, Cole finally sends the ciphertext 5761 over the channel.
i | b_i | z
11 | 1 | 1² × 9726 mod 11413 = 9726
10 | 1 | 9726² × 9726 mod 11413 = 2659
9 | 0 | 2659² mod 11413 (value not legible in the transcript)
8 | 1 | (…)² × 9726 mod 11413 = 9167
7 | 1 | 9167² × 9726 mod 11413 = 4958
6 | 1 | 4958² × 9726 mod 11413 = 7783
5 | 0 | 7783² mod 11413 = 6298
4 | 0 | 6298² mod 11413 = 4629
3 | 1 | 4629² × 9726 mod 11413 = 10185
2 | 1 | 10185² × 9726 mod 11413 = 105
1 | 0 | 105² mod 11413 = 11025
0 | 1 | 11025² × 9726 mod 11413 = 5761
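To make slides 9, 10, 13, 21 and 22 concrete, here is an added Python example (not code from the presentation) that implements the extended Euclidean algorithm with the slide-9 variable names and square-and-multiply exponentiation, then runs them on the slides' own numbers; the function names mod_inverse, square_and_multiply and rsa_keygen are the editor's.

```python
# Added example: extended Euclidean algorithm (slide 9) and square-and-multiply
# (slide 21), run on the slides' own numbers. Function names are the editor's.

def mod_inverse(b, n):
    """Return b^-1 mod n, or None when gcd(b, n) != 1 (slide 9, same names)."""
    n0, b0, t0, t = n, b, 0, 1
    q, r = n0 // b0, n0 % b0
    while r > 0:
        temp = (t0 - q * t) % n      # Python's % already maps negatives into 0..n-1
        t0, t = t, temp
        n0, b0 = b0, r
        q, r = n0 // b0, n0 % b0
    return t % n if b0 == 1 else None

def square_and_multiply(x, c, n):
    """Compute x^c mod n from the most significant bit of c down.
    Returns (result, trace) where trace holds (i, c_i, z) rows as on slide 22."""
    z, trace = 1, []
    bits = bin(c)[2:]                # binary representation of c, MSB first
    s = len(bits)
    for j, bit in enumerate(bits):
        z = (z * z) % n              # one squaring per bit (step 3)
        if bit == "1":
            z = (z * x) % n          # one multiplication per 1-bit (step 4)
        trace.append((s - 1 - j, int(bit), z))
    return z, trace

def rsa_keygen(p, q, b):
    """Slides 11 and 16: n = pq, phi = (p-1)(q-1), a = b^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    a = mod_inverse(b, phi)
    if a is None:
        raise ValueError("gcd(b, phi(n)) != 1: choose another b")
    return (n, b), (n, a)            # (public key, private key)

if __name__ == "__main__":
    print("28^-1 mod 75 =", mod_inverse(28, 75))            # 67, slide 10
    (n, b), (_, a) = rsa_keygen(101, 113, 3533)            # Dr. Cusack, slide 13
    print("a =", a)                                         # 6597
    y, trace = square_and_multiply(9726, b, n)              # Cole, slide 22
    for i, bit, z in trace:
        print(f"i={i:2d}  b_i={bit}  z={z}")
    print("ciphertext:", y, " decrypted:", square_and_multiply(y, a, n)[0])
```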

23 Running Time of Implementing RSA
Generate p & q: $O(\log_2 p) + O(\log_2 q)$
Compute n & Φ(n): $O((\log n)^2)$
Choose b and verify gcd(Φ(n), b) = 1: $O((\log \Phi(n))^2)$
Compute a using the Extended Euclidean Algorithm: $O((\log \Phi(n))^2)$
Publish n & b
⇒ Total time $= O(\log_2 p + \log_2 q + (\log n)^2 + (\log \Phi(n))^2) = O((\log n)^2)$

24 Attacks on RSA
1. Factoring n.
2. If Φ(n) and n are known.
3. Attacking the decryption exponent a.
4. Given y = e_K(x), compute parity(y) or half(y) to retrieve the plaintext x.

25 Factoring n Factor n, then compute Φ(n) = (p − 1)(q − 1) and compute the decryption exponent a exactly as Dr. Cusack did. It has been conjectured that breaking RSA is polynomially equivalent to factoring n, but this still remains unproved.

26 If n And Φ(n) Are Known. Knowing n = pq and Φ(n) = (p − 1)(q − 1), we derive the equation
$p^2 - (n - \Phi(n) + 1)p + n = 0$,
which can be solved by the quadratic formula. Example: given n = … and Φ(n) = … (the numeric values did not survive in the transcript), we have the equation $p^2 - 18426p + n = 0$; solving it gives p = 9539 and q = 8887 (indeed p + q = 18426 = n − Φ(n) + 1). This is not easier than factoring n.

27 Attacking the Decryption Exponent a
Any algorithm which computes the decryption exponent a can be used as a subroutine (or oracle) in a probabilistic algorithm that factors n, so computing a is no easier than factoring n. However, this does not rule out the possibility of breaking the cryptosystem without computing a. ⇒ If a is revealed then n is also compromised, since it can then be factored. ⇒ Dr. Cusack needs to choose not only a new encryption exponent but also a new modulus n.

28 Partial Information Concerning Plaintext Bits
Given y = e_K(x), any algorithm computing parity(y) or half(y) can be used as an oracle to construct an algorithm that computes the plaintext x. That is, given a ciphertext, computing the low-order bit of the plaintext is polynomially equivalent to determining the whole plaintext. Definitions: for y = e_K(x), parity(y) denotes the low-order bit of x, and half(y) = 0 if 0 ≤ x ≤ n/2, half(y) = 1 if n/2 < x ≤ n − 1.

29 Decrypting RSA Ciphertext Given An Oracle for Computing half(y)
Let k = ⌊log₂ n⌋.
for i = 0 to k do
  y_i = half(y)
  y = (y × e_K(2)) mod n
lo = 0; hi = n
for i = 0 to k do
  mid = (hi + lo)/2
  if y_i = 1 then lo = mid else hi = mid
x = ⌊hi⌋

30 Example Given n = 1457, b = 779 and a ciphertext y = 722. First compute $e_K(2) = 2^{779} \bmod 1457 = 946$. First loop results: the oracle answers y_i for i = 1, …, 10 (the values did not survive in the transcript).

31 Binary Search for RSA Decryption
Second loop results (mid values as shown on the slide; rows 1, 3 and 9 did not survive in the transcript): lo = 0.00, hi = 1457 initially; i = 0: mid = 728.50; i = 2: 910.62; i = 4: 956.16; i = 5: 978.92; i = 6: 990.30; i = 7: 996.00; i = 8: 998.84; i = 10: 999.55.
Hence the plaintext is x = ⌊hi⌋ = ⌊999.55⌋ = 999.
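To show why a single leaked bit about an unpadded RSA plaintext is fatal, here is an added Python example (not from the slides) running the slide-29 algorithm on the slide-30 parameters n = 1457, b = 779, y = 722. The half oracle is simulated with the private exponent, which the search itself never touches; the function names are the editor's.

```python
# Added example: slide-29 decryption with a half(y) oracle on the slide-30
# parameters. half_oracle stands in for any leak of "is x > n/2?"; the
# private exponent A is constructed here only to simulate that leak.
from math import floor, log2
from fractions import Fraction

N, B = 1457, 779
A = pow(B, -1, (31 - 1) * (47 - 1))      # 1457 = 31 * 47, so phi(n) = 1380

def half_oracle(y):
    """Answer 1 if the plaintext of y exceeds n/2, else 0 (uses A; the attacker does not)."""
    x = pow(y, A, N)
    return 1 if 2 * x > N else 0

def decrypt_with_half_oracle(y, n, b, half):
    """Slide 29: query half(y * e_K(2)^i) for i = 0..k, then binary-search x.
    Returns (x, [y_i], [mid values]) so the slide-30/31 tables can be checked."""
    k = floor(log2(n))
    enc2 = pow(2, b, n)                   # e_K(2); 946 for these parameters
    bits = []
    for _ in range(k + 1):
        bits.append(half(y))
        y = (y * enc2) % n                # y now encrypts 2x, 4x, ... mod n
    lo, hi = Fraction(0), Fraction(n)     # exact arithmetic, no float drift
    mids = []
    for yi in bits:
        mid = (hi + lo) / 2
        mids.append(float(mid))
        if yi == 1:
            lo = mid
        else:
            hi = mid
    return floor(hi), bits, mids

if __name__ == "__main__":
    x, bits, mids = decrypt_with_half_oracle(722, N, B, half_oracle)
    print("y_i:", bits)                                 # [1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0]
    print("mid:", [round(m, 2) for m in mids])          # 728.5 ... 999.55
    print("x =", x, "re-encrypts to", pow(x, B, N))     # 999 -> 722
```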

32 Q&A
What happens if p and q are not prime? It won't be as secure: $p^{ab} \equiv p \pmod q$ since p, q are primes. According to Euler's theorem, if a, b satisfy ab ≡ 1 (mod ϕ(n)) then a, b make a valid public/private exponent pair.
What is the Chinese Remainder Theorem? A theorem to solve some sets of congruences: given x ≡ a_i (mod m_i) (1 ≤ i ≤ r), with M = m_1 × … × m_r, M_i = M / m_i and y_i = M_i^{-1} mod m_i, the solution is $x = \sum_{i=1}^{r} a_i M_i y_i \bmod M$.

33 The Chinese Remainder Theorem Example
Let r = 3; m_1 = 7; m_2 = 11; m_3 = 13. We have M = 1001; M_1 = 143; M_2 = 91; M_3 = 77; y_1 = 5; y_2 = 4; y_3 = 12. Then we derive the function $\pi^{-1}(a_1, a_2, a_3) = 715a_1 + 364a_2 + 924a_3 \pmod{1001}$. Suppose that x ≡ 5 (mod 7); x ≡ 3 (mod 11); x ≡ 10 (mod 13); then x ≡ 715 × 5 + 364 × 3 + 924 × 10 ≡ 894 (mod 1001).
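An added Python example (not from the slides) of the slide-32 reconstruction formula, run on the slide-33 system and checking the coprimality the theorem requires; the function names crt_coefficients and crt are the editor's.

```python
# Added example: CRT reconstruction x = sum(a_i * M_i * y_i) mod M (slide 32)
# on the slide-33 system x = 5 (mod 7), 3 (mod 11), 10 (mod 13).
from math import gcd, prod

def crt_coefficients(moduli):
    """Return [M_i * y_i] with M = prod(moduli), M_i = M/m_i, y_i = M_i^-1 mod m_i.
    Raises ValueError when the moduli are not pairwise coprime (no y_i exists)."""
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError(f"moduli {mi} and {mj} are not coprime")
    M = prod(moduli)
    return [(M // m) * pow(M // m, -1, m) for m in moduli]   # 715, 364, 924 here

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for all i; returns (x, M) with 0 <= x < M."""
    M = prod(moduli)
    x = sum(a * c for a, c in zip(residues, crt_coefficients(moduli))) % M
    assert all(x % m == a % m for a, m in zip(residues, moduli))  # self-check
    return x, M

if __name__ == "__main__":
    print(crt_coefficients([7, 11, 13]))      # [715, 364, 924]
    print(crt([5, 3, 10], [7, 11, 13]))       # (894, 1001)
```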

34 Thanks for Listening & Thanks to the Creators
Rivest Shamir Adleman Da Crew in 2003

