Cryptology Design Fundamentals


1 Cryptology Design Fundamentals
Fundamentals of Cryptographic System Design
Module ID: ET-IDA-048, v29-1
Prof. W. Adi
Lecture 10: Public-Key Cryptography
RSA (Rivest-Shamir-Adleman) Public-Key System

2 Lecture Outlines
Historical Overview
RSA Public-Key Encryption System
RSA Public-Key Signature System
RSA Security considerations

3 The Target of Public Key Cryptography
Secret-key system: the sender enciphers message X with the secret key Z, $Y = E(Z, X)$, and sends Y over the message channel; the receiver deciphers it with the same key, $X = D(Z, Y)$. The secret key Z is shared over a secret key channel.
Secret key exchange is not a part of the secret-key system.
A public-key system drops that secret-key agreement completely.

4 Public-Key Secrecy System RSA 1978
(Rivest, Shamir, Adleman), MIT, USA
K-close, K-open: trap-door one-way function.
RSA secrecy system: published in 1978, based mainly on Euler's theorem and on the claim that the Euler function $\varphi(m)$ of any integer m is only computable if the factorization of m is known, and that factorization is considered a computationally unsolved problem.
For $m = p_1^{e_1} p_2^{e_2} \cdots p_t^{e_t}$:
$\varphi(m) = m \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_t}\right)$

5 Basic Public Key Secrecy System (RSA system 1978)
RSA: Rivest-Shamir-Adleman, MIT, USA
(Mechanical simulation: user A sends a message to B.) All operations in $Z_m$.
Public register: close key $K_c$. Open key: $K_o = K_c^{-1}$.
Closing: $(\,\cdot\,)^{K_c} \pmod m$, so M is sent as $M^{K_c}$.
Opening: $(M^{K_c})^{K_o} = M^{K_c \cdot K_o} = M$.

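6 Conventional Public-Key Crypto-system (using asymmetric keys)
Sender: enciphers message X with the public key, $Y = E(Z_p, X)$, and sends Y over the message channel.
Receiver: deciphers with the secret key, $X = D(Z_s, Y)$.
Public directory: holds the public keys $Z_p$. The secret key $Z_s$ stays with the receiver.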

7 RSA-Lock (Hiding Function) Uses Exponentiation in the Ring $Z_m$
Where $m = p \cdot q$; p and q are two large secret primes.
ENCRYPTION (open key E): $M \to M^E \pmod m$
DECRYPTION (secret key D): $(M^E)^D \bmod m = M^{E \cdot D} \bmod m = M$
To get M, the following should hold: $E \cdot D = 1$, or $D = E^{-1}$, in the exponent. That is, E and D should be invertible modulo $\varphi(m)$, or $\gcd(E, \varphi(m)) = 1$.
Security considerations: m is a large composite ($m = p \cdot q$); p and q are two large secret primes. To break the system, $\varphi(m)$ is required to compute $D = E^{-1}$ modulo $\varphi(m)$. However, $\varphi(m)$ can only be computed if p and q are known. Therefore, the system can be broken if and only if m can be factored or $\varphi(m)$ can be found somehow!

8 RSA Public Key Secrecy System 1978
Design Scheme of RSA Public Key Secrecy System 1978
USER A:
$N_a = p_a \cdot q_a$: open modulus of A
$p_a, q_a$: two secret large primes
$\varphi(N_a) = (p_a - 1)(q_a - 1)$
$E_a$: open encryption key of A
$D_a = E_a^{-1} \pmod{\varphi(N_a)}$
Condition: $\gcd[E_a, \varphi(N_a)] = 1$
Number of possible keys = $\varphi[\varphi(N_a)]$
USER B:
$N_b = p_b \cdot q_b$: open modulus of B
$p_b, q_b$: two secret large primes
$\varphi(N_b) = (p_b - 1)(q_b - 1)$
$E_b$: open encryption key of B
$D_b = E_b^{-1} \pmod{\varphi(N_b)}$
Condition: $\gcd[E_b, \varphi(N_b)] = 1$
Number of possible keys = $\varphi[\varphi(N_b)]$
Open directory: User A: $N_a$, $E_a$; User B: $N_b$, $E_b$
A sends message M to B:
Encrypt: $Y = M^{E_b} \bmod N_b$
Decrypt: $Y^{D_b} = M^{E_b \cdot D_b} \bmod N_b = M$

9 Public-Key Signature Scheme
Signing process: the message M to be signed is encrypted with the secret key $D_a$ of user A. The result, M encrypted by $D_a$, is the signature $S_a$. The signed message is the message M together with the signature $S_a$.
Verification process: the verifier takes $E_a$, the verification key for A, from the public directory and checks whether decryption of $S_a$ by $E_a$ gives M. If it does, accept; otherwise reject.

10 RSA Public Key Signature System 1978
Design Scheme of RSA Public Key Signature System 1978
USER A:
$N_a = p_a \cdot q_a$: open modulus of A
$p_a, q_a$: two secret large primes
$\varphi(N_a) = (p_a - 1)(q_a - 1)$
$E_a$: open encryption key of A
$D_a = E_a^{-1} \pmod{\varphi(N_a)}$
Condition: $\gcd[E_a, \varphi(N_a)] = 1$
USER B:
$N_b = p_b \cdot q_b$: open modulus of B
$p_b, q_b$: two secret large primes
$\varphi(N_b) = (p_b - 1)(q_b - 1)$
$E_b$: open encryption key of B
$D_b = E_b^{-1} \pmod{\varphi(N_b)}$
Condition: $\gcd[E_b, \varphi(N_b)] = 1$
Open directory: User A: $N_a$, $E_a$; User B: $N_b$, $E_b$
A signs document M for B:
Sign: $S = M^{D_a} \bmod N_a$
Signed message: $(M, S)$
Verify: $M' = S^{E_a} = M^{D_a \cdot E_a} \bmod N_a$; check whether $M' = M$.
If $M' = M$ then the signature is true.

11 Security design considerations of RSA Public-Key Encryption and Signature System
Security considerations and RSA system facts:
Based on the assumption that integer factoring is not efficiently computable.
Every user should find two large primes p and q and multiply them to get N, which the user publishes as his open modulus. Both primes p and q are kept secret by the user.
As the user knows p and q, he can compute the Euler function $\varphi(N) = \varphi(p \cdot q) = (p-1)(q-1)$.
The user then seeks a random integer E, which should be invertible modulo $\varphi(N)$, and publishes E as his open encryption key.
The inverse of E modulo $\varphi(N)$ is D, and this is to be kept secret.
Caution: There is no evidence that no efficient algorithms can be found to break the system.
p-1 and q-1 should each have a large prime factor to make attacks more infeasible (p and q are "strong primes").

12 Security of RSA Public Key System
Is exponentiation $y = a^x$ in $Z_m$ a one-way function?
Theoretically not (no proof that $\varphi(m)$ is not computable if we do not know p and q!).
Practically, still yes, if m is a product of two strong primes!
RSA system can be broken by:
1. Factoring $m = p \cdot q$
2. Computing $\varphi(m)$ somehow without factoring.
But factoring is computationally equivalent to computing the Euler function $\varphi(m)$.
Proof:
$\varphi(m) = (p-1)(q-1) = m - p - q + 1 \;\Rightarrow\; s = (p + q) = m - \varphi(m) + 1$
$m = p \cdot q \;\Rightarrow\; p \text{ or } q = \left( s \pm \sqrt{s^2 - 4m} \right) / 2$
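The proof on slide 12, carried out in code. This is an added example, not part of the lecture; the function name `factor_from_phi` is hypothetical and the large modulus in the test values is constructed. It shows why $\varphi(m)$ has to be protected exactly as carefully as p and q themselves.

```python
from math import isqrt

def factor_from_phi(m, phi):
    """Recover (p, q) with p >= q from m = p*q and phi = (p-1)*(q-1).

    Follows slide 12: s = p + q = m - phi + 1, and p, q are the two
    roots of x^2 - s*x + m = 0, i.e. (s +/- sqrt(s^2 - 4m)) / 2.
    """
    s = m - phi + 1                 # s = p + q
    disc = s * s - 4 * m            # equals (p - q)^2 when phi is correct
    if disc < 0:
        raise ValueError("phi is not consistent with m = p*q")
    root = isqrt(disc)              # exact integer square root, no floats
    if root * root != disc or (s + root) % 2:
        raise ValueError("phi is not consistent with m = p*q")
    p, q = (s + root) // 2, (s - root) // 2
    if p * q != m:
        raise ValueError("phi is not consistent with m = p*q")
    return p, q

if __name__ == "__main__":
    # The two moduli of the lecture's example (slide 13).
    print(factor_from_phi(55, 40))  # modulus of user A
    print(factor_from_phi(33, 20))  # modulus of user B
```

The cost is one subtraction, one integer square root and one division, so anyone who learns $\varphi(m)$ has in effect learned the factorization.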

13 Example: Construct RSA secrecy system using the two prime pairs 11, 5 and 3, 11. Encrypt the message M=2 sent to user B. Let B sign M and send his signature back to A.
Solution:
USER A:
$N_a = 11 \times 5$: open modulus of A
$p_a, q_a$: two secret large primes
$\varphi(N_a) = (p_a - 1)(q_a - 1) = 40$
$E_a = 7$: open encryption key of A
$D_a = E_a^{-1} \pmod{40} = 23$
$\gcd[E_a, \varphi(N_a)] = 1$
USER B:
$N_b = 33$: open modulus of B
$p_b, q_b$: two secret large primes
$\varphi(N_b) = (p_b - 1)(q_b - 1) = 20$
$E_b = 3$: open encryption key of B
$D_b = E_b^{-1} \pmod{\varphi(N_b)} = 7$
$\gcd[E_b, \varphi(N_b)] = 1$
Open directory: User A: 55, 7; User B: 33, 3
A sends message M=5 to B:
$Y = 5^3 \bmod 33 = 26$ (A encrypts M)
$26^7 \bmod 33 = 5 = M$ (decrypt)
$S = 5^7 \bmod 33 = 14$ (B signs M)
$M' = 14^3 \bmod 33 = 5 = M$ (verify)
Security gap: Notice that anybody can decrypt S to disclose M! Any other solution?
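The example of slide 13 as runnable code, following the design scheme of slides 8 and 10. This is an added example, not part of the lecture; `make_user`, `apply_key` and `slide13_exchange` are hypothetical names, and the scheme is the unpadded textbook RSA of the slides with its toy-sized primes.

```python
from math import gcd

def make_user(p, q, e):
    """Build a key pair as on slides 8 and 10: N = p*q, D = E^-1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be invertible modulo phi(N)")
    d = pow(e, -1, phi)                    # modular inverse, Python 3.8+
    return {"public": (n, e), "secret": (n, d)}

def apply_key(key, x):
    """The RSA lock of slide 7: x^exponent in Z_N for key = (N, exponent)."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("value must lie in Z_N")
    return pow(x, exponent, n)

# Toy parameters from slide 13; real primes are hundreds of digits long.
user_a = make_user(11, 5, 7)
user_b = make_user(3, 11, 3)

def slide13_exchange(m=5):
    """Return (Y, decrypted M, S, M') for the message exchange on slide 13."""
    y = apply_key(user_b["public"], m)       # A encrypts with B's open key
    m_dec = apply_key(user_b["secret"], y)   # B decrypts with Db
    s = apply_key(user_b["secret"], m)       # B signs M with Db
    # Verification needs only B's open key from the directory, so the
    # same step lets any holder of S read M: the slide's security gap.
    m_ver = apply_key(user_b["public"], s)
    return y, m_dec, s, m_ver

if __name__ == "__main__":
    print(user_a["secret"], user_b["secret"])
    print(slide13_exchange())
```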

