1 The RSA Algorithm Rocky K. C. Chang February 23, 2007

Rocky, K. C. Chang2 Outline  Trapdoor one-way function  The RSA algorithm  Some practical considerations  RSA ’ s security  Some pitfalls of RSA

Rocky, K. C. Chang3 Trapdoor one-way function  Suppose n = pq, where p and q are large primes.  Consider f(m) = m e mod n.  For certain values of e and that n is large enough, f(m) is a one-way function. It is computationally infeasible to obtain m based on the knowledge of n, e, and f(m).  However, with the knowledge of a certain trapdoor, the inversion is easy to do. The trapdoor for RSA is the factorization of n (i.e., the knowledge of p and q).

Rocky, K. C. Chang4 The RSA algorithm  Let n = pq, where p and q are primes. Note that n is a composite number.  Let M = C = Z n = {0, 1, 2, …, n–1}.  K = {(n, p, q, d, e): e  d  1 (mod (n))}. We will see that (n) = (p–1)(q–1).  For K = (n, p, q, d, e), define E K (m) = m e mod n, and D K (c) = c d mod n, where m, c  Z n.  The (n, e) comprise the “public key”.  The (p, q, (n), d) comprise the “private key.”

Rocky, K. C. Chang5 To probe further  Both encryption and decryption involve modulo multiplications.  Since n is a composite, Z n is not a group under modulo multiplication, i.e., the inverse may not exist. Z * n = {a  Z n : gcd(a,n) = 1}. Z n \ Z * n = {a  Z n : gcd(a,n) > 1}.  How many elements in Z * n ? We denote the number of elements by (n). Recall that (n) is used in determining d and e.

Rocky, K. C. Chang6 The value of  (n)  Note that gcd(a,n) = 1 iff gcd(a,p) = 1 and gcd(a,q) = 1.  There are q numbers in Z n that satisfy a mod p = 0: {0, p, 2p, …, (q–1)p}.  There are p numbers in Z n that satisfy x mod q = 0: {0, q, 2q, …, (p–1)q}.  Therefore, the total number of integers in Z n that their gcd(a,n) > 1 is p+q–1.  Thus, (n) = pq – (p+q–1) = (p–1)(q–1).  Use the well-known result that if b  Z * n, then b (n)  1 (mod n). Therefore, a (p–1)(q–1)  1 (mod n), for a  Z * n.

Rocky, K. C. Chang7 For example,  Let p = 3, q = 5. Therefore, n = 15 and (p–1)(q– 1) = 8.  For any a  {0, 3, 5, 6, 9, 10, 12, 15}, a 8 ! 1 mod 15.  For any a  {1, 2, 4, 7, 8, 11, 13, 14}, a 8  1 mod 15, e.g., 2 4  1 mod  1 mod  1 mod 35. …  Note that primitive elements may not exist in Z * n, because n is not a prime.

Rocky, K. C. Chang8 The relationship between e and d  The values of e and d have to satisfy e  d  1 (mod (p–1)(q–1)). Recall that d exists iff gcd(e,(p–1)(q–1)) = 1.  For example, p = 101 and q = 113. n = pq = (n) = (p–1)(q–1) = = Pick e = 3533, which is not divisible by 2, 5, or 7. Use the extended Euclidean algorithm to compute d = e -1 mod = To encrypt m = 9726, compute mod = To decrypt c = 5761, compute mod = 9726.

Rocky, K. C. Chang9 D K (E K (m)) = m?  Recall that ed  1 (mod (n)).  In other words, ed = t(n)+1, where t is a nonnegative integer.  Let’s consider an m  Z * n. (m e ) d  m t(n)+1 (mod n). (m e ) d  (m (n) ) t m (mod n). (m e ) d  (1) t m (mod n). (m e ) d  m (mod n).

Rocky, K. C. Chang10 D K (E K (m)) = m?  Let’s consider an m  Z n \ Z * n.  Using the Chinese Remainder Theorem, m mod n can be represented by (m mod p, m mod q).  Note that either the following is true: m mod p = 0 and m mod q = 0 or m mod p = 0 and m mod q  0 or m mod p  0 and m mod q = 0.  For those cases where m mod p = 0 or m mod q = 0, m ed mod p = 0 or m ed mod q = 0. Therefore, m ed  m (mod p) = 0, or m ed  m (mod q) = 0.

Rocky, K. C. Chang11 Digital signing using RSA  To sign a message m, Alice computes s = m d mod n.  The pair (m,s) is a signed message.  To verify the signature, anyone who knows the public key can verify that s e  m mod n, the message itself.

12 Some practical considerations

Rocky, K. C. Chang13 Generating the RSA parameters 1. Generate 2 large primes, p and q (each with size k/2 bits). 2. n (k ≥ 2048 bits)  pq and (n)  (p–1)(q–1). 3. Choose a random e (1 < e < (n)) such that gcd(e,(n)) = d = e -1 mod (n). 5. Publish (n,e) and safeguard the secret (p, q, (n), d).

Rocky, K. C. Chang14 Generating the RSA parameters 1. Need an efficient algorithm to generate a large prime.  Rabin-Miller test determines whether an odd integer n is prime. 2. Find 2 large primes. 3. Use the Euclidean algorithm to make sure that gcd(e,(n)) = Use the extended Euclidean algorithm to compute d = e -1 mod (n).

Rocky, K. C. Chang15 Practical considerations  Usually fix the value of e, e.g., e = 3 for signatures and e = 5 for encryption. There are pitfalls when one is using the same exponent for both encryption and signatures. Therefore, p – 1 and q – 1 cannot be multiples of 3 or 5. Smaller exponent for signatures (why?) Some problems with small exponents (to be discussed shortly).  Other common values for e are 17 and

16 RSA’s (in)security

Rocky, K. C. Chang17 The RSA’s security  An obvious attack against RSA is to factor n. If this can done, then obtain p and q. Compute (p–1)(q–1). Compute e -1 mod (p–1)(q–1) = d.  Roughly speaking, breaking the RSA algorithm is as difficult as factoring n. The “ current ” factoring algorithms are able to factor numbers having up to 512 bits. On the safe side, n ≥ 2048 bits to make the factoring problem computationally infeasible to solve.

Rocky, K. C. Chang18 The RSA’s security  Moreover, if one can obtain (n), one can obtain other elements in the private key.  First of all, one can obtain p and q by solving n = pq and (n) = (p–1)(q–1).  The solution for p is given by p 2 – (n – (n) + 1)p + n = 0.  In other words, if one can compute (n), one can factor p and q.  Lastly, what happen if one can obtain the value of d? n can be factored in polynomial time using a randomized algorithm.

Rocky, K. C. Chang19 Pitfalls using RSA  Problem 1: If Alice signs 2 messages m 1 and m 2. Eve can compute Alice ’ s signature on m 3 = m 1 m 2 mod n. Original signatures: m 1 d and m 2 d. Eve can produce the signature for m 3 by multiplying m 1 d and m 2 d.

Rocky, K. C. Chang20 Pitfalls using RSA  Problem 2: When RSA is used to encrypt a very small message m. E.g., if e = 5 and m < n 1/5, then m e = m 5 < n. Therefore, no mod n operation needed. Simply take a fifth root of c to recover m! For example, if encrypting a 256-bit key using RSA, the encrypted key is less than 2 2565 = << if n is a 2048-bit integer.  The main problem is the existence of a structure in the numbers that RSA operates on.

Rocky, K. C. Chang21 Resolving the pitfalls  A possible approach is to use an encoding function to destroy the structure as much as possible.  The Public-Key Cryptography Standard (PKCS1 for RSA) covering cryptographic primitives; encryption schemes; signature schemes with appendix; ASN.1 syntax for representing keys and for identifying the schemes.

Rocky, K. C. Chang22 Message encryption using RSA  Using RSA to encrypt a message is almost never practiced. The size of the message is limited by the size of n.  Instead, choose a random secret key K, and encrypt K with the RSA key. The message encryption is based on secret key cryptosystem, Sending K e mod n, E K (m).

Rocky, K. C. Chang23 Message encryption using RSA  A better approach is: Choose a suitable random number r  {0, 1, …, n–1}. Set K = h(r), where h() is some hash function. Send r e mod n and E K (m).  Advantages: There is no structure in r. The hash function ensures that no structure between r’s propagates to structure in the K’s.

Rocky, K. C. Chang24 Digital signatures using RSA  Problem: remove the structures of the messages that are signed. Use a hash function to hash the messages.  The hash function’s output (e.g., 256 bits) is small compared with the size of n (e.g., 2048 bits). Cannot use the hash function output directly in RSA.

Rocky, K. C. Chang25 Digital signatures using RSA  A solution is to use a pseudorandom mapping to expand h(m) to a random number s  {0, 1, …, n – 1}.  If you ask Alice to sign a number of messages m 1, m 2, …, m i. Eve can get hold of the (m, s), but the values of s are effectively random. Thus, the information does not help forge Alice’s signature.

Rocky, K. C. Chang26 Conclusions  RSA can be used for encryption as well as digital signatures.  The security of RSA lies on the difficulty of factoring a large number into 2 primes.  RSA encryption and decryption require expensive exponentiation operations. The CRT helps accelerate the operations.  In practice, RSA is used to encrypt a secret key with an encoding function.  In practice, the messages to be signed have to go through a hash function to destroy the message structures.

Rocky, K. C. Chang27 Acknowledgments  The notes are prepared mostly based on D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.