PUBLIC-KEY ENCRYPTION Focusing on RSA


PUBLIC-KEY ENCRYPTION Focusing on RSA Hoang Vu

Introduction to Public Key Encryption: Paint Mixing Example
- Nathan and John each choose their own "private color".
- A "public color" is then announced.
- Nathan and John each mix the public color with their private color, then publish the public-private mixture.
- Nathan and John now mix each other's public-private mixture with their own private color to find the shared secret color.
- Katie wants to learn the shared secret color knowing only the public color and the public-private mixtures, but cannot find it no matter what color is added to the mixture.

Notes
- Katie cannot separate the colors in the mixture; Katie can only add more colors to it.
- This is the key point of public-key cryptography: a one-way action, something that can be done but cannot be undone.
- The idea of public-key cryptography is due to Diffie and Hellman in 1976.
- The first realization of a public-key system came in 1977 from Rivest, Shamir and Adleman, who invented the well-known RSA Cryptosystem.

Some Types of Cryptography System
Secure systems: McEliece is based on algebraic coding theory, namely the problem of decoding a linear code (NP-complete). Chor-Rivest is a "knapsack" type system. Elliptic Curve is a modification of other systems, working in the domain of elliptic curves rather than finite fields (secure for smaller keys). Insecure: Merkle-Hellman Knapsack is based on the difficulty of the subset sum problem (NP-complete). ElGamal is based on the difficulty of the discrete logarithm problem for finite fields.

So What Is RSA?
RSA (Rivest, Shamir, Adleman): its security is based on the difficulty of factoring large integers.

Tools Used in RSA
- Euclidean Algorithm: computes $\gcd(r_i, r_j)$, in which $r \in \mathbb{Z}_n$.
- Extended Euclidean Algorithm: if $\gcd(r_i, r_j) = 1$, there exists $t \in \mathbb{Z}_n$ s.t. $t = r_1^{-1} \bmod r$.
- Corollary: $b^{\phi(n)} \equiv 1 \pmod{n}$, in which $b \in \mathbb{Z}_n^*$, $n = pq$ and $\phi(n) = (p-1)(q-1)$.

The Euclidean Algorithm
Compute $\gcd(r_0, r_1)$, where $r_0 > r_1$, by performing this sequence of divisions:
$$
\begin{aligned}
r_0 &= q_1 r_1 + r_2, & 0 < r_2 < r_1 \\
r_1 &= q_2 r_2 + r_3, & 0 < r_3 < r_2 \\
&\;\;\vdots \\
r_{m-2} &= q_{m-1} r_{m-1} + r_m, & 0 < r_m < r_{m-1} \\
r_{m-1} &= q_m r_m
\end{aligned}
$$
Then $\gcd(r_0, r_1) = \gcd(r_1, r_2) = \dots = \gcd(r_{m-1}, r_m) = r_m$.

Running Time of Euclidean Algorithm
Computing $\gcd(r_0, r_1)$ where $r_0 > r_1$:
- In each iteration we compute a quotient and a remainder, which takes $O((\log r_0)^2)$.
- Lamé's Theorem gives an upper bound on the number of iterations: if $s$ is the number of iterations, then $f_{s+2} \le r_0$ ($f_i$ denotes the $i$th Fibonacci number).
- Since $f_i \approx \left(\frac{1+\sqrt{5}}{2}\right)^i$, it follows that $s$ is $O(\log r_0)$.
- Therefore the complexity is $O((\log r_0)^3)$.
- Actually, with more careful analysis we can show that the running time of the Euclidean algorithm is in fact $O((\log r_0)^2)$.

The Extended Euclidean Algorithm

    n0 = n; b0 = b; t0 = 0; t = 1
    q = ⌊n0 / b0⌋; r = n0 - q × b0
    while r > 0 do
        temp = t0 - q × t
        if temp ≥ 0 then temp = temp mod n
        if temp < 0 then temp = n - ((-temp) mod n)
        t0 = t; t = temp; n0 = b0; b0 = r
        q = ⌊n0 / b0⌋; r = n0 - q × b0
    if b0 ≠ 1 then b has no inverse modulo n
    else b^(-1) = t mod n

Example
n0 = 75; b0 = 28; t0 = 0; t = 1
q = ⌊n0 / b0⌋ = 2; r = n0 - q × b0 = 75 - 2 × 28 = 19
temp = t0 - q × t = -2 < 0, so temp = n - ((-temp) mod n) = 73
…
$b^{-1} = 67 \pmod{75}$

RSA Cryptosystem
Let $n = pq$ where $p$ and $q$ are primes. Let $P = C = \mathbb{Z}_n$ and define
$$K = \{(n, p, q, a, b) : n = pq,\ \Phi(n) = (p-1)(q-1),\ p, q \text{ prime},\ ab \equiv 1 \pmod{\Phi(n)}\}$$
For $K = (n, p, q, a, b)$, define
$$y = e_k(x) = x^b \bmod n \quad (x \in \mathbb{Z}_n)$$
and
$$d_k(y) = y^a \bmod n \quad (y \in \mathbb{Z}_n).$$
The values n and b are public and the values p, q, a are secret.

Encryption & Decryption Are Inverse Functions
$ab \equiv 1 \pmod{\Phi(n)}$, so $ab = t\,\Phi(n) + 1$ for some $t \ge 1$. Suppose that $x \in \mathbb{Z}_n^*$; then we have:
$$
\begin{aligned}
(x^b)^a &\equiv x^{t\Phi(n) + 1} \pmod{n} \\
&\equiv (x^{\Phi(n)})^t \, x \pmod{n} \\
&\equiv 1^t \, x \pmod{n} \\
&\equiv x \pmod{n}
\end{aligned}
$$
Therefore encryption and decryption are inverse operations, which means $a = b^{-1}$.

Example
Dr. Cusack generates p = 101 and q = 113, so n = pq = 11413 and Φ(n) = 100 × 112 = 11200.
He then chooses b = 3533, using the Euclidean algorithm to verify that gcd(Φ(n), b) = 1.
Now the Extended Euclidean Algorithm yields: $b^{-1} \bmod 11200 = 6597 = a$.
Dr. Cusack now publishes n = 11413 and b = 3533. Suppose Cole wants to send Dr. Cusack the plaintext 9726, so Cole computes:
$$9726^{3533} \bmod 11413 = 5761$$
Cole then sends 5761 through the channel. Assuming Dr. Cusack receives it successfully, to decrypt he computes:
$$5761^{6597} \bmod 11413 = 9726$$

Notes
- The security of RSA is based on the hope that the encryption function $e_k(x) = x^b \pmod{n}$ is one-way, so that it is computationally infeasible for an opponent to decrypt a ciphertext.
- The trapdoor that allows us to decrypt is the knowledge of the factorization n = pq.
- Since we know this factorization, we can compute Φ(n) = (p - 1)(q - 1), and then compute the decryption exponent a using the Extended Euclidean algorithm.

Notes (Continued)
- A secure RSA cryptosystem needs n = pq to be large enough that factoring it is computationally infeasible.
- Currently factoring algorithms are able to factor numbers having up to 130 decimal digits.
- p and q should be chosen to have about 100 digits so that n would have 200 digits.
- Several hardware implementations of RSA use a 512-bit modulus, which corresponds to about 154 decimal digits. Hence, it does not offer good long-term security.

Implement RSA
1. Generate two large primes, p and q.
2. Compute n = pq and Φ(n) = (p - 1)(q - 1).
3. Choose a random b (0 < b < Φ(n)) such that gcd(b, Φ(n)) = 1.
4. Compute $a = b^{-1} \bmod \Phi(n)$ using the Euclidean algorithm.
5. Publish n and b in a directory as the public key.

Generating Random Primes p, q
- Generate large random numbers.
- Test them for primality using a probabilistic polynomial-time Monte Carlo algorithm (e.g. the Solovay-Strassen or Miller-Rabin algorithm).
- These algorithms are quite fast. A given integer n can be tested in $\log_2 n$, which is polynomial.
- There is a chance that the algorithm may claim that n is prime when it is not. However, by running the algorithm enough times the error probability can be reduced below any desired threshold.

Is It Possible?
- According to the Prime Number Theorem, the number of primes not exceeding N is approximately $\frac{N}{\ln N}$.
- ⇒ If p is chosen at random, the probability that p is prime is ≈ $\frac{1}{\ln N}$.
- For a 512-bit modulus we have $\frac{1}{\ln N} \approx \frac{1}{177}$, or on average, of 177 random integers, one will be prime (if we consider only odd integers, the probability is ≈ $\frac{2}{177}$).
- Therefore it is indeed practical to generate sufficiently large random numbers that are probably prime.
- ⇒ It is practical to set up the RSA Cryptosystem.

Modular Multiplication
Suppose that n has k bits in its binary representation. With two k-bit integers:
- Addition takes $O(k)$.
- Multiplication takes $O(k^2)$.
- Reducing an integer of at most 2k bits modulo n takes $O(k^2)$.
Given $x, y \in \mathbb{Z}_n$ s.t. $0 \le x, y \le n - 1$, computing $xy \bmod n$ requires:
- Calculating the product xy (which is a 2k-bit integer).
- Reducing it modulo n.
These two steps take $O(k^2)$.

Modular Exponentiation
RSA's encryption and decryption operations are both modular exponentiations. Computation of $x^c \bmod n$:
- Normal approach: requires c - 1 modular multiplications. This is very inefficient, since c can be large (e.g. c = Φ(n) - 1, which is exponentially large compared to k).
- Square-and-multiply approach: requires at most 2s modular multiplications, in which s is the number of bits in the binary representation of c. Since s ≤ k, it follows that $x^c \bmod n$ can be computed in $O(k^3)$.
⇒ RSA encryption and decryption can both be done in polynomial time.

Square-And-Multiply Algorithm
Assume that the exponent b is represented in binary notation, say:
$$b = \sum_{i=0}^{l-1} b_i 2^i, \quad b_i = 0 \text{ or } 1,\ 0 \le i \le l - 1$$
Code:

    z = 1
    for i = l - 1 downto 0 do
        z = z^2 mod n
        if b_i = 1 then z = z × x mod n

- There are always s squarings performed in step 3 (the squaring line).
- The number of modular multiplications in step 4 (the multiplication by x) equals the number of 1's in the binary representation of b, which is an integer between 0 and s.
- ⇒ s ≤ total number of modular multiplications ≤ 2s.

Example of Dr. Cusack & Cole
Recall that n = 11413 & b = 3533. Cole wants to send Dr. Cusack the plaintext 9726. He computes $9726^{3533} \bmod 11413$ using the square-and-multiply algorithm.

    i    b_i   z
    11   1     1^2 × 9726 = 9726
    10   1     9726^2 × 9726 = 2659
    9    0     2659^2 = 5634
    8    1     5634^2 × 9726 = 9167
    7    1     9167^2 × 9726 = 4958
    6    1     4958^2 × 9726 = 7783
    5    0     7783^2 = 6298
    4    0     6298^2 = 4629
    3    1     4629^2 × 9726 = 10185
    2    1     10185^2 × 9726 = 105
    1    0     105^2 = 11025
    0    1     11025^2 × 9726 = 5761

As illustrated in the table, Cole finally sends the ciphertext 5761 through the channel.
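The Extended Euclidean loop and the square-and-multiply routine from the slides above, as an added Python example (not part of the original presentation), checked against the slides' own numbers. The function names are this example's own; this is textbook RSA with toy parameters and no padding, for study only.

```python
def mod_inverse(b, n):
    """Inverse of b modulo n, following the slides' Extended Euclidean loop."""
    n0, b0 = n, b
    t0, t = 0, 1
    q, r = divmod(n0, b0)
    while r > 0:
        temp = (t0 - q * t) % n    # Python's % already returns a value in [0, n)
        t0, t = t, temp
        n0, b0 = b0, r
        q, r = divmod(n0, b0)
    if b0 != 1:
        raise ValueError("b has no inverse modulo n")
    return t % n

def square_and_multiply(x, c, n):
    """x**c mod n, scanning the bits of c from most to least significant.
    Returns (result, number of modular multiplications performed)."""
    z, mults = 1, 0
    for bit in bin(c)[2:]:
        z = z * z % n              # always square
        mults += 1
        if bit == "1":
            z = z * x % n          # multiply only on a 1 bit
            mults += 1
    return z, mults

def toy_rsa_roundtrip(p, q, b, x):
    """Key setup, encryption and decryption with the slides' notation.
    Returns (n, a, ciphertext, recovered plaintext)."""
    n, phi = p * q, (p - 1) * (q - 1)
    a = mod_inverse(b, phi)        # raises if gcd(b, phi) != 1
    y, _ = square_and_multiply(x, b, n)
    recovered, _ = square_and_multiply(y, a, n)
    return n, a, y, recovered

if __name__ == "__main__":
    print(mod_inverse(28, 75))
    print(toy_rsa_roundtrip(101, 113, 3533, 9726))
    print(square_and_multiply(9726, 3533, 11413))
```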

Running Time of Implementing RSA
- Generate p & q: $O(\log_2 p) + O(\log_2 q)$
- Compute n & Φ(n): $O((\log n)^2)$
- Choose b and verify gcd(Φ(n), b) = 1: $O((\log \Phi(n))^2)$
- Compute a using the Euclidean Algorithm: $O((\log \Phi(n))^2)$
- Publish n & b: 1
⇒ Total time = $O(\log_2 p + \log_2 q + (\log n)^2 + 2(\log \Phi(n))^2) = O((\log n)^2)$

Attack on RSA
- Factoring n.
- If Φ(n) and n are known.
- Attacking the decryption exponent a.
- Given $y = e_k(x)$, compute parity(y) or half(y) to retrieve the plaintext x.

Factoring n
1. Factor n.
2. Compute Φ(n) = (p - 1)(q - 1).
3. Compute the decryption exponent a exactly as Dr. Cusack did.
It has been conjectured that breaking RSA is polynomially equivalent to factoring n, but this remains unproved.

If n And Φ(n) Are Known
Knowing $n = pq$ and $\Phi(n) = (p-1)(q-1)$, we derive an equation:
$$p^2 - (n - \Phi(n) + 1)p + n = 0$$
This can be solved by the quadratic formula.
Example: Given n = 84773093 and Φ(n) = 84754668, we have the equation:
$$p^2 - 18426p + 84773093 = 0$$
Solving this gives p = 9539 and q = 8887.
Computing Φ(n) is therefore no easier than factoring n.

Attacking the Decryption Exponent a
- Any algorithm which computes the decryption exponent a can be used as a subroutine (or oracle) in a probabilistic algorithm that factors n.
- Computing a is no easier than factoring n. However, this does not rule out the possibility of breaking the cryptosystem without computing a.
- ⇒ If a is revealed then n is also compromised.
- ⇒ Dr. Cusack needs to choose not only a new encryption exponent but also a new modulus n.

Partial Information Concerning Plaintext Bits
- Given $y = e_k(x)$, any algorithm computing parity(y) or half(y) can be used as an oracle to construct an algorithm that computes the plaintext x.
- Given a ciphertext, computing the low-order bit of the plaintext is polynomially equivalent to determining the whole plaintext.
- For $y = e_k(x)$, parity(y) denotes the low-order bit of x.
- For $y = e_k(x)$, half(y) = 0 if $0 \le x \le \frac{n}{2}$ and half(y) = 1 if $\frac{n}{2} < x \le n - 1$.

Decrypting RSA Ciphertext Given An Oracle for Computing half(y)

    denote k = ⌊log2 n⌋
    for i = 0 to k do
        y_i = half(y)
        y = (y × e_k(2)) mod n
    lo = 0; hi = n
    for i = 0 to k do
        mid = (hi + lo)/2
        if y_i = 1 then lo = mid
        else hi = mid
    x = ⌊hi⌋

Example
Given n = 1457, b = 779 & a ciphertext y = 722.
$e_k(2) = x^b \bmod n = 946$ (with x = 2).
First for loop results: [table of i and $y_i$; the $y_i$ values are not present in this transcript]

Binary Search for RSA Decryption
Second loop results:

    i     lo      mid        hi
    0     0.00    728.50     1457.00
    1             1092.75
    2             910.62
    3             1001.69
    4             956.16
    5             978.92
    6             990.30
    7             996.00
    8             998.84
    9             1000.26
    10            999.55

Hence, the plaintext is: x = ⌊hi⌋ = ⌊999.55⌋ = 999
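The half(y) procedure from the three slides above, run on their example as an added Python illustration (not part of the original presentation); it shows that a decryption service leaking this single bit per query gives away the whole plaintext. The oracle here is a constructed stand-in that holds the private exponent, and the factorization 1457 = 31 × 47 is this example's assumption for building it.

```python
from fractions import Fraction
from math import floor

def make_half_oracle(n, a):
    """Constructed stand-in for the oracle: it uses the private exponent a
    and reports only half(y), i.e. 1 when the plaintext exceeds n/2."""
    def half(y):
        return 1 if 2 * pow(y, a, n) > n else 0
    return half

def decrypt_with_half(y, n, b, half):
    """Recover x from y = x^b mod n using only the public key and half()."""
    k = n.bit_length() - 1              # k = floor(log2 n)
    e2 = pow(2, b, n)                   # e_k(2)
    bits = []
    for _ in range(k + 1):              # first loop: collect y_0 .. y_k
        bits.append(half(y))
        y = y * e2 % n                  # now encrypts 2x mod n
    lo, hi = Fraction(0), Fraction(n)   # exact arithmetic, no float rounding
    for bit in bits:                    # second loop: binary search
        mid = (lo + hi) / 2
        if bit == 1:
            lo = mid
        else:
            hi = mid
    return bits, floor(hi)

def slide_example():
    n, b, y = 1457, 779, 722            # values from the slide
    p, q = 31, 47                       # assumed factorization of 1457
    a = pow(b, -1, (p - 1) * (q - 1))   # private exponent, oracle side only
    return decrypt_with_half(y, n, b, make_half_oracle(n, a))

if __name__ == "__main__":
    bits, x = slide_example()
    print("y_i =", bits, "x =", x)
```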

Q&A
What happens if p and q are not prime?
- Won't be as secure.
- $p^{ab} \equiv p \pmod{q}$ since p, q are primes.
- According to Euler's theorem: if a, b satisfy the equation $ab \equiv 1 \pmod{\phi(n)}$ then p, q makes a valid public/private exponent pair.
What is the Chinese Remainder Theorem?
- A theorem to solve some sets of congruence problems $x \equiv a_i \pmod{m_i}$ $(1 \le i \le r)$.
- $M = m_1 \times \dots \times m_r$; $M_i = \frac{M}{m_i}$; $y_i = M_i^{-1} \bmod m_i$
- $x = \sum_{i=1}^{r} a_i M_i y_i \bmod M$

The Chinese Remainder Theorem Example
Let r = 3; $m_1 = 7$; $m_2 = 11$; $m_3 = 13$. We have: M = 1001; $M_1 = 143$; $M_2 = 91$; $M_3 = 77$; $y_1 = 5$; $y_2 = 4$; $y_3 = 12$.
Then we derive the function:
$$\pi^{-1}(a_1, a_2, a_3) = 715 a_1 + 364 a_2 + 924 a_3 \pmod{1001}$$
Suppose that x ≡ 5 (mod 7), x ≡ 3 (mod 11) and x ≡ 10 (mod 13); then:
$$x \equiv 715 \times 5 + 364 \times 3 + 924 \times 10 \pmod{1001} \equiv 894 \pmod{1001}$$

Thanks for Listening & Thanks to the Creators Rivest Shamir Adleman Da Crew in 2003