RSA and its Mathematics Behind

RSA and its Mathematics Behind

July 2011

Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA

Modular Arithmetic A system of arithmetic for

integers, where numbers wrap around after they reach a certain value—the modulus

Modular or "clock" arithmetic is arithmetic on a circle instead of a number line

In modulo N , we use only the twelve whole numbers from 0 through N-1

The 12-hour clock : modulo 12 If the time is 9:00 now, then 4 hours later it will be 1:00

9+4 =13 13 % 12= 1

Modular Clock Arithmetic 1:00 and and 13:00 hours are the same 1:00 and and 25:00 hours are the same 1 13 (mod 12)

a b (mod n)

n is the modulus a is congruent to b modulo n a-b is an integer multiple of (divisible by) na % n = b % n

Example

38 14 (mod 12) 38-14 = 24 ; multiple of 12

38 2 (mod 12) 38-2 = 36 ; multiple of 12

The same rule for negative number -8 7 (mod 5) 2 -3 (mod 5) -3 -8 (mod 5)

Congruence Class Example

Congruence Classes of the integers modulo 5

05

10

1 6 11 --

27

12

38

13

-- 14 9 4

--

-- --

1 6 11 (mod 5)

Replace of congruence item

Let 11 +16 3 (mod 12) and 16 4 (mod 12), therefore

11 +16 11 + 4 (mod 12)

Let 9835 7 (mod 12) and1177 1 (mod 12), therefore

9835*1177 7 * 1 7 (mod 12)

Modular Arithmetic NotationModulus operator Congruence relation

a = b mod n a b (mod n) Inputs a number a and a base b,outputs a mod b as the remiander of ab (value between 0 and b –1)

Relates two numbers a, b to each other relative some base

= means that integer a is the reminder of the division of integer b by integer n

indicates that the integers a and b fall into the same congruence class modulo n (same remainder when diving by b)

2 = 14 mod 3 14 2 (mod 3)

9

Exercise (I)A: Compute1. 113 mod 24:

2. -29 mod 711324

10

Exercise (I), contA: Compute1. 113 mod 24:

2. -29 mod 7

411324

17

96

11


2. -29 mod 7

411324

17

96

297

12


2. -29 mod 7

411324

17

96

5297

35

6

13

Exercise (II)

Q: Which of the following are true?1. 3 3 (mod 17)2. 3 -3 (mod 17)3. 172 177 (mod 5)4. -13 13 (mod 26)

14

Exercise (II), contA:1. 3 3 (mod 17)

True. any number is congruent to itself (3-3 = 0, divisible by all)

2. 3 -3 (mod 17) False. (3-(-3)) = 6 isn’t divisible by 17.

172 177 (mod 5) 1. True. 172-177 = -5 is a multiple of 5

-13 13 (mod 26) True: -13-13 = -26 divisible by 26.

Greatest Common Divisor Def: Let a,b be integers, not both zero. The greatest

common divisor of a and b (or gcd(a,b) ) is the biggest number d which divides both a and b without a remainder gcd (8,12) =4

Find gcd (54, 24) 54x1 = 27x2 = 18x3 = 9x6; {1, 2 ,3, 6, 9, 18, 27, 54} 24x1 = 12x2 = 8x3 = 4x6; {1, 2 ,3, 4, 6, 8, 12, 54} Share number : {1, 2, 3, 6} gcd (54, 24) = 6

Finding GCD gcd(a,0) = a, and gcd(a,b) = gcd(b, a mod b)

Find gcd(132, 28) :1.r = 132 mod 28 = 20 => gcd(28, 20)2.r = 28 mod 20 = 8 => gcd(20,8)3.r = 20 mod 8 = 4 => gcd(8,4)4.r = 8 mod 4 = 0 => gcd(4,0) gcd(132, 28) = 4

1 2 3 4 5

a 132 28 20 8 4b 28 20 8 4 0

GCD and Relatively Prime Def: two integers a and b are said to be relatively prime (also called

co-prime) if gcd(a,b) = 1 so no prime common divisors.

Find gcd(28, 15) :1.r = 28 mod 15 = 13 => gcd(15, 13)2.r = 15 mod 13 = 2 => gcd(13, 2)3.r = 13 mod 2 = 1 => gcd(2,1)4.r = 2 mod 1 = 0 => gcd(1,0) gcd(28,15) = 1 15 and 28 are relative prime

Since a prime number has no factors besides itself, clearly a prime number is relatively prime to every other number (except for multiples of itself)

19

Test Relative PrimeQ: Find the following gcd’s:1. gcd(77,11)2. gcd(77,33)3. gcd(36,24)4. gcd(23,7)

20

Test Relative PrimeA:1. gcd(77,11) = 112. gcd(77,33) = 113. gcd(36, 24) = 124. gcd(23,7) = 1. Therefore 23 and 7 are relatively

prime.

Euler's Totient Function (N) = the numbers between 1 and N - 1 which are

relatively prime to N Thus:

(4) = 2 (1 and 3 are relatively prime to 4) (5) = 4 (1, 2, 3, and 4 are relatively prime to 5) (6) = 2 (1 and 5 are relatively prime to 6) (7) = 6 (1, 2, 3, 4, 5, and 6 are relatively prime to 7) (8) = 4 (1, 3, 5, and 7 are relatively prime to 8) (9) = 6 (1, 2, 4, 5, 7, and 8 are relatively prime to 9)

Compute (N) in C code:

phi = 1; for (i = 2 ; i < N ; ++i) if (gcd(i, N) == 1) ++phi;

Euler's Totient Function, cont Note that (N) = N-1 when N is prime Somewhat obvious fact that (N) is also easy to

calculate when N has exactly two different prime factors:

Example: Find (15)

(p*q) = (p-1)*(q-1)

(15) = (3*5) = (3-1) * (5-1) = 4*2 =8 {1, 2, 4, 7, 8, 11, 13, and 14}

Euler’s Totient Theorem One of the important keys to the RSA algorithm

If gcd(m, n) = 1 and m < n, then m(n) 1 (mod n)

m (p-1)(q-1) mod n = 1

3840 mod 55 = 1

M=38

replace (p-1)(q-1)with(11-1)(5-1)

n=55

Example:

m(n) 1 (mod n)

m (p-1)(q-1) mod n = 1

where (n) = (p1-1)*(q-1)

relatively prime

More in Euler’s Theorem Multiply both sides of equation by m

m (p-1)(q-1) mod n = 1m (p-1)(q-1) *m mod n = 1*m

m (p-1)(q-1)+1 mod n = m

m (n)+1 mod n = m

The Road to crypto If we can find two numbers, call them e and d, such that

e*d = [(p-1)(q-1)]+1 n = p*q

Use e as the private key and d as the public key;Encrypts: c me (mod n)Decrypts: m cd (mod n)

cd = (me (mod n))d

= med (mod n)

= m(p-1)(q-1)+1 (mod n) = m(n)+1 (mod n) = m

m (n)+1 mod n = m Recall Euler’s theorem

A trapdoor one-way function

Messagem

Ciphertextc

c = f(m) = me mod n

m = f-1(c) = cd mod n

Public key

Private key(trapdoor information)

n = p*q (p & q: primes)

e*d = 1 mod (p-1)(q-1)

RSA

Public key cryptosystem Proposed in 1977 by Ron L. Rivest,

Adi Shamir and Leonard Adleman at MIT

Best known & widely used public-key scheme

Based on exponentiation in a finite (Galois) field over integers modulo a prime

Main patent expired in 2000

ShamirRivest Adleman

Shamir Rivest Adleman

RSA Algorithm Uses two keys : e and d for encryption and decryption A message m is encrypted to the cipher text by

c = me mod n

The ciphertext is recover by

m = cd mod n

Because of symmetric in modular arithmetic

m = cd mod n = (me)d mod n = (md)e mod n

One can use one key to encrypt a message and another key to decrypt it

RSA Key Setup1. Selecting two large primes at random : p, q

Typically 512 to 2048 bits

2. Computing their system modulus n=p*q note ø(n)=(p-1)(q-1)

3. Selecting at random the encryption key e1. where 1<e<ø(n), gcd(e,ø(n))=1 2. Meaning: there must be no numbers that divide neatly into e and

into (p-1)(q-1), except for 1.

4. Solve following equation to find decryption key d 1. e*d=1 mod ø(n) and 0≤d≤n 2. In other words, d is the unique number less than n that when multiplied by e

gives you 1 modulo ø(n)

5. Publish public encryption key: PU={e,n} 6. Keep secret private decryption key: PR={d,n}

Example: Key Generation Step by Step

Step Example

Selecting two large primes at random : p, q (use small numbers for demonstration)

p = 7; q = 19

Computing their system modulus n=p.qø(n) = (p-1)(q-1)

n = 7*19 = 133ø(n) = (7-1)*(19-1) = 6*18 = 108

Selecting at random the encryption key e and gcd(e, 108) = 1

e = 5

find decryption key d such that e*d = 1 mod ø(n) and 0≤d≤n

d*5 mod 108 = 1; d = 65Check : 65*5 = 325; 325 mod 108 = 1

Public encryption key: PU={e,n} PU = {5,133}

Secret private decryption key: PR = {d,n} PR = {65,133}

Encryption and Decryption for m = 6 c = me mod n = 65 % 133 = 62m = cd mod n = 6265 % 133 = 6

Key Generation : Find n and ø(n)1) Generate two large prime numbers, p and q

Lets have: p = 7 and q = 19

2) Find n = p*qn =7*19 = 133

3) Find ø(n) = (p-1)(q-1)ø(n) = (7-1)(19-1)= 6 * 18 = 108

Key Generation : Generate Private Key4) Choose a small number, e coprime to 108 Using Euclid's algorithm to find gcd(e,108)

e = 2 => gcd(e, 108) = 2 ✗e = 3 => gcd(e, 108) = 3 ✗e = 4 => gcd(e, 108) = 4 ✗ e = 5 => gcd(e, 108) = 1 ✓

Key Generation : Generate Public Key5) Find d, such that e*d = 1 mod ø(n) and 0≤d≤n ; e=5; ø(n)=108 Using extended Euclid algorithm;

e*d = 1 mod ø(n) => e*d = 1+k*ø(n) ; d, k are interger = (1+k*ø(n))/e

d = (1+k*108)/5

Try through values of k until an integer solution for d is found:k = 0 => d = 1 / 5 = 0.2 ✗ k = 1 => d = (1+1*108)/ 5 =109/5 = 21.8 ✗k = 2 => d = (1+2*108)/5 = 217/5 = 43.4 ✗ k = 3 => d = (1+3*108)/5 = 325/5 = 65 ✓

Example : Encryption PU= {e,n} = {5,133} Lets use the message m=16

c = me mod n = 165 mod 133 = 1048576 mod 133 = 4

Example: Decryption PR={d,n}={65,133} From the encryption c=4

m = cd mod n = 465 mod 133 = 1.361129467683755x1039 mod 133 = 16

Encode the ASCII String

01010011 01100101 01100011 01110010 01100101 01110100 00100001

83 101 99 114 101 116 33

S e c r e t !

01010011 01100101 01100011 01110010 01100101 01110100 00000000 00100001

21349 25458 25972 33

Message input string

Message input ASCII

Message input binary

Message input 16 bit binary

Message input 16 bit decimal for “Secret!”

padding

Sample 16 bits keyn = 1602475129e = 64037d = 1004908973m =104

c = (10464037) mod 1602475129 = 1187226754

m = (11872267541004908973 ) mod 3910095493 = 104

Directly computation of exponential needs too much memory and very slow

How to deal with 1024 bits? n=93518075472517812751194715143409086574889727146298665297205834171

602866192290591599380402185583024174931294331877382418445371201620581216480790833180280145991040770705928231264142720249609405749244943892408117844772524625134689327476917023068462758680788043986062882531909490562722483341876279065122161924203

e=47609 d=11964515064443823593596316031391223220980346742172807039116148962

154908903300678305190741870494784604791247742558447694989408640993739843088166039297214523541519746037912861388519729724288825143561005547814973195750655549449328508806029373024427172453884284448045662068755190227462789262813325769121319683889

we could still end up with a number with so many digits (before taking the remainder on dividing by p) that we wouldn't have enough memory to store it

Using Modular Exponential Using modular reduction to enhance computation

f mod i = j and f = g * h then(( g mod i ) * (h mod i)) mod i = j

42

Modular Exponential : 2320 mod 29exp (23exp-1 mod 29)*23 ((23exp-1 mod 29) *23) mod 29

2 23*23= 529 529 mod 29 =7

3 7*23=161 161 mod 29=16

4 16*23=368 368 mod 29=20

5 20*23=460 460 mod 29=25

6 25*23=575 575 mod 29=24

7 24*23=552 552 mod 29=1

8 1*23=23 23 mod 29=23

9 23*23=529 529 mod 29=7

10 7*23=161 161 mod 29=16: : :

16 23*23=529 529 mod 29=7: : :

19 20*23=460 460 mod 29=25

20 25*23=575 575 mod 29=24

232 mod 29 = 7

234=232*232 mod 29 = 7*7 mod 29 =49 mod 29 = 20

238=234*234 mod 29 = 20*20 mod 29 =400 mod 29 =23

2316=238*238 mod 29 = 23*23 mod 29 =529 mod 29 =7

2320=2316*234 mod 29 = 7*20 mod 29 =140 mod 29 =24

43

Modular Exponential : 23391 mod 55

exp 23exp/2*23exp/2 (23exp-1) * (23exp/2) mod 55

1 [exception] 231=23 23 mod 55 = 23

2 23*23= 529 529 mod 55 = 34

4 34*34=1156 1156 mod 55 = 1

8 1*1=1 1 mod 55 = 1

16 1*1=1 1 mod 55 = 1

32 1*1=1 1 mod 55 = 1

64 1*1=1 1 mod 55 = 1

128 1*1=1 1 mod 55 = 1

256 1*1=1 1 mod 55 = 1

512 1*1=1 1 mod 55 = 1

23391 = 23256*23128*234*232*231

= 1*1*1*34*23

= 722

722 mod 55 = 12

44

Modular Exponential : 31397 mod 55

exp 31exp/2*31exp/2 (31exp-1) * (31exp/2) mod 55

1 [exception] 311=31 31 mod 55 = 33

2 31*31= 961 961 mod 55 = 26

4 26*26=676 676 mod 55 = 16

8 16*16=256 256 mod 55 = 36

16 36*36=1296 1296 mod 55 = 31

32 31*31=961 961 mod 55 = 26

64 26*26=676 676 mod 55 = 16

128 16*16=256 256 mod 55 = 36

256 36*36=1296 1296 mod 55 = 31

512 31*31=961 961 mod 55 = 26

31397 % 55 = (31256*31128*318*314*311 ) % 55 = (31*36*36*16*33)

= ((1116 % 55)*36*16*33 ) % 55 = (16*36*16*33 ) % 55 = ((576 mod 55) *16 *33) % 55

= (26*16*33) % 55 = ((416 % 55) *33 ) % 55

= (31*3 ) % 55 = 961 % 55 = 26

31397 mod 55 = 1.1765014105569728144308343503655x1059 mod 55 = 26

Modular Exponential for RSA

The running time of RSA encryption, decryption is simple

Analyzing RSA RSA depends on being able to find large primes quickly,

whereas anyone given the product of two large primes “cannot” factor the number in a reasonable time.

If any one of p, q, m, d is known, then the other values can be calculated. So secrecy is important

1024 bits is considered in risk To protect the encryption, the minimum number of bits in

n should be 2048 RSA is slow in pratice

RSA is primary used to encrypt the session key used for secret key encryption (message integrity) or the message's hash value (digital signature)

RSA-Numbers RSA numbers are a set of large semiprimes (numbers

with exactly two prime factors) that are part of the RSA Factoring Challenge

Officially ended in 2007 but people can still attempt to find the factorizations

http://en.wikipedia.org/wiki/RSA_numbers#RSA-768

RSA-768 RSA-768 has 768 bits (232 decimal digits), and was

factored on December 12, 2009

RSA-768 = 12301866845301177551304949583849627207728535695953347921973224521517264005 07263657518745202199786469389956474942774063845925192557326303453731548268 50791702612214291346167042921431160222124047927473779408066535141959745985 6902143413

RSA-768 = 33478071698956898786044169848212690817704794983713768568912431388982883793 878002287614711652531743087737814467999489 ×36746043666799590428244633799627952632279158164343087642676032283815739666 511279233373417143396810270092798736308917

RSA-1024 and RSA-2048 RSA-1024 has 1,024 bits (309 decimal digits), and has not been

factored so farRSA-1024 =13506641086599522334960321627880596993888147560566702752448514385152651060

48595338339402871505719094417982072821644715513736804197039641917430464965

89274256239341020864383202110372958725762358509643110564073501508187510676

59462920556368552947521350085287941637732853390610975054433499981115005697 7236890927563

RSA-2048 has 2,048 bits (617 decimal digits) may not be factorizable for many years to come, unless considerable advances

are made in integer factorization RSA-2048 = 25195908475657893494027183240048398571429282126204032027777137836043662020 70759555626401852588078440691829064124951508218929855914917618450280848912 00728449926873928072877767359714183472702618963750149718246911650776133798 59095700097330459748808428401797429100642458691817195118746121515172654632 28221686998754918242243363725908514186546204357679842338718477444792073993 42365848238242811981638150106748104516603773060562016196762561338441436038 33904414952634432190114657544454178424020924616515723350778707749817125772 46796292638635637328991215483143816789988504044536402352738195137863656439 1212010397122822120720357

RSA security summary

One-way function Description

Encryption function

The encryption function is a trapdoor one-way function, whose trapdoor is the private key. The difficulty of reversing this function without the trapdoor knowledge is believed (but not known) to be as difficult as factoring.

Multiplication of two primes

The difficulty of determining an RSA private key from an RSA public key is known to be equivalent to factoring n. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless they can factor n. Because multiplication of two primes is believed to be a one-way function, determining an RSA private key from an RSA public key is believed to be very difficult.

There are two one-way functions involved in the security of RSA.

RSA and its Mathematics Behind

Documents

Transcript of RSA and its Mathematics Behind