Learn about the RSA cryptosystem, which ensures secure communication by exploiting number-theoretic tasks. Discover how to encrypt and decrypt messages using prime numbers, modular arithmetic, and public/private keys.
Chapter 00 Introducing Foundations
Cryptography – The RSA Public Key Cryptosystem
• The Rivest-Shamir-Adleman (RSA) cryptosystem uses all the ideas we have introduced in this lecture note.
• It derives very strong guarantees of security by ingeniously exploiting the wide gulf between
  • the polynomial-time computability of certain number-theoretic tasks (modular exponentiation, greatest common divisor, primality testing) and
  • the intractability of others (factoring).
Cryptography – The RSA Public Key Cryptosystem
• How to encrypt and decrypt a message using the RSA cipher:
• Pick two large integers p and q [say, on the order of several hundred digits each, that are virtually certain to be prime].
• In order to encrypt a message using the RSA cipher, a person needs to know the value of pq and an integer e, both of which are made publicly available.
• But only a person who knows the individual values of p and q can decrypt an encrypted message.
Cryptography – The RSA Public Key Cryptosystem Suppose Alice decides to set up an RSA cipher. She chooses two prime numbers, p = 5 and q = 11, computes pq = 55, and also selects a positive integer e = 3 which is relatively prime to (p − 1)(q − 1) = 40. The public key is the pair of numbers pq = 55 and e = 3, which she may distribute widely. [But the secret key is p and q.] [The effectiveness of the system rests on the secrecy of p and q: two distinct large integers, say on the order of several hundred digits each, that are virtually certain to be prime. One also picks a very large e which is relatively prime to (p − 1)(q − 1).]
Cryptography – The RSA Public Key Cryptosystem Because the RSA cipher works only on numbers, Alice also informs people how she will interpret the numbers in the message they send her. Suppose that she encodes letters of the alphabet the same way as was done for the Caesar cipher: A = 1, B = 2, C = 3, …, Z = 26. Assume that the messages Alice receives consist of blocks, each of which is taken to be a single, numerically encoded letter of the alphabet.
Cryptography – The RSA Public Key Cryptosystem To send Alice a message, the sender breaks the message into blocks, each consisting of a single letter, and finds the numeric equivalent for each block. The plaintext M in a block is converted into ciphertext C according to the following formula:
$C = M^e \bmod pq$ (RSA 0.4.5)
Since both pq and e are public, anyone who knows modular arithmetic can use them to encrypt a message to send to Alice. (That is, Alice receives the ciphertext C for the plaintext M in each of the several blocks.)
Cryptography – The RSA Public Key Cryptosystem
• Example 0.1.4.9 Encrypting a Message Using RSA Cryptography
• Bob wants to send Alice the message HI.
• What is the ciphertext (i.e., the encrypted message) for his message HI?
• Bob will send his message in two blocks, one for the H and another for the I.
• H is encoded as 08, or 8. The corresponding ciphertext is computed using formula (RSA 0.4.5), $C = M^e \bmod pq$, as follows:
  $C = 8^3 \bmod 55 = 512 \bmod 55 = 17$.
• I is encoded as 09, or 9. The corresponding ciphertext is
  $C = 9^3 \bmod 55 = 729 \bmod 55 = 14$.
• Accordingly, Bob sends Alice the encrypted message 17 14.
RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography To decrypt the message 17 14, Alice needs to compute the decryption key, a number d which is a positive inverse to e modulo (p − 1)(q − 1). She then obtains the plaintext message M from the encrypted message (i.e., the ciphertext) C by the formula
$M = C^d \bmod pq$ (RSA 0.4.6)
Because $M + kpq \equiv M \pmod{pq}$, M must be taken to be less than pq in order for the decryption to be guaranteed to produce the original message. Because p and q are normally taken to be so large (on the order of several hundred digits each), this requirement does not cause problems. Long messages are broken into blocks of symbols to meet the restriction, and several symbols are included in each block to prevent decryption based on knowledge of letter frequencies.
RSA Cryptography Recall Example: Find a positive inverse for 3 modulo 40. That is, find a positive integer x such that $3x \equiv 1 \pmod{40}$, or equivalently $x \equiv 3^{-1} \pmod{40}$.
Solution: Find a linear combination of 3 and 40 that equals 1, following the steps gcd(40, 3) = gcd(3, 1) = gcd(1, 0) = 1:
40 = 13 * 3 + 1. This implies that 1 = 1 * 40 − 13 * 3.
3 = 3 * 1 + 0. This implies that 0 = 1 * 3 − 3 * 1.
1 = 0 * 0 + 1. This implies that 1 = 1 * 1 − 0 * 0.
Take the 3rd equation: 1 = 1 * 1 − 0 * 0 = 1 * 1 = 1 * (1 * 40 − 13 * 3), since 40 = 13 * 3 + 1. Then 1 = 1 * (1 * 40 − 13 * 3) yields (−13) * 3 = 1 + (−1) * 40, which is, by definition of congruence modulo n, $(-13) \cdot 3 \equiv 1 \pmod{40}$, or, equivalently, $-13 \equiv 3^{-1} \pmod{40}$. This result implies that −13 is an inverse for 3 mod 40. To find a positive inverse, compute 40 − 13, which yields 27, and $27 \equiv -13 \pmod{40}$ because 27 − (−13) = 40. So, by Theorem 0.1.4.3(3), $ab \equiv cd \pmod n$, we have $27 \cdot 3 \equiv (-13) \cdot 3 \equiv 1 \pmod{40}$, and thus by the transitive property of congruence modulo n, 27 is a positive integer that is an inverse for 3 modulo 40.
RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography Alice knows pq = 55 and e = 3, as everyone does. In addition, Alice knows the secret key, p = 5 and q = 11, allowing her to compute (p − 1)(q − 1) = 40. She needs to find the decryption key, a positive inverse for 3 modulo 40, which is 27 (as we obtained in the previous Example). She then needs to compute $M = C^d \bmod pq = 17^{27} \bmod 55$, using the residues obtained when 17 is raised to successively higher powers of 2, up to $2^4 = 16$.
$27 = 16 + 8 + 2 + 1 = 2^4 + 2^3 + 2 + 1$.
$17 \bmod 55 = 17$
$17^2 \bmod 55 = 14$
$17^4 \bmod 55 = (17^2)^2 \bmod 55 = (17^2 \bmod 55)^2 \bmod 55 = 14^2 \bmod 55 = 31$
$17^8 \bmod 55 = (17^4)^2 \bmod 55 = (17^4 \bmod 55)^2 \bmod 55 = 31^2 \bmod 55 = 26$
$17^{16} \bmod 55 = (17^8)^2 \bmod 55 = 26^2 \bmod 55 = 16$
Then $17^{27} = 17^{16+8+2+1} = 17^{16} \cdot 17^8 \cdot 17^2 \cdot 17^1$.
RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography …
$27 = 16 + 8 + 2 + 1 = 2^4 + 2^3 + 2 + 1$.
$17 \bmod 55 = 17$
$17^2 \bmod 55 = 14$
$17^4 \bmod 55 = (17^2)^2 \bmod 55 = (17^2 \bmod 55)^2 \bmod 55 = 14^2 \bmod 55 = 31$
$17^8 \bmod 55 = (17^4)^2 \bmod 55 = (17^4 \bmod 55)^2 \bmod 55 = 31^2 \bmod 55 = 26$
$17^{16} \bmod 55 = (17^8)^2 \bmod 55 = 26^2 \bmod 55 = 16$
Then $17^{27} = 17^{16+8+2+1} = 17^{16} \cdot 17^8 \cdot 17^2 \cdot 17^1$. Thus,
$17^{27} \bmod 55 = (17^{16} \cdot 17^8 \cdot 17^2 \cdot 17^1) \bmod 55$
$\equiv [(17^{16} \bmod 55)(17^8 \bmod 55)(17^2 \bmod 55)(17^1 \bmod 55)] \pmod{55}$
$\equiv (16 \cdot 26 \cdot 14 \cdot 17) \pmod{55}$
$\equiv 99008 \pmod{55}$
$\equiv 8 \pmod{55}$
Hence $17^{27} \bmod 55 = 8$, and thus the plaintext of the first part of Bob’s message is 8, or 08. In the last step Alice finds the letter corresponding to 08, which is H.
RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography Likewise, when Alice decrypts 14, the result is 9, which corresponds to the letter I. She needs to find the decryption key, which is a positive inverse for 3 modulo 40. The positive inverse for 3 modulo 40 is 27 (as we obtained in the previous Example). She then needs to compute $M = C^d \bmod pq = 14^{27} \bmod 55$.
$27 = 16 + 8 + 2 + 1 = 2^4 + 2^3 + 2 + 1$.
$14 \bmod 55 = 14$
$14^2 \bmod 55 = 31$
$14^4 \bmod 55 = (14^2)^2 \bmod 55 = (14^2 \bmod 55)^2 \bmod 55 = 31^2 \bmod 55 = 26$
$14^8 \bmod 55 = (14^4)^2 \bmod 55 = (14^4 \bmod 55)^2 \bmod 55 = 26^2 \bmod 55 = 16$
$14^{16} \bmod 55 = (14^8)^2 \bmod 55 = 16^2 \bmod 55 = 36$
Then $14^{27} = 14^{16+8+2+1} = 14^{16} \cdot 14^8 \cdot 14^2 \cdot 14^1$. Thus,
$14^{27} \bmod 55 = (14^{16} \cdot 14^8 \cdot 14^2 \cdot 14^1) \bmod 55$
$\equiv [(14^{16} \bmod 55)(14^8 \bmod 55)(14^2 \bmod 55)(14^1 \bmod 55)] \pmod{55}$
$\equiv (36 \cdot 16 \cdot 31 \cdot 14) \pmod{55}$
$\equiv [((36 \cdot 16) \bmod 55) \cdot ((31 \cdot 14) \bmod 55)] \pmod{55}$
$\equiv (26 \cdot 49) \pmod{55}$
$\equiv 1274 \pmod{55}$
$\equiv 9 \pmod{55}$
Hence $14^{27} \bmod 55 = 9$, and thus the plaintext of the second part of Bob’s message is 9, or 09. In the last step Alice finds the letter corresponding to 09, which is I. So Alice finds that Bob’s message is HI.
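The encryption and decryption examples above can be reproduced in a few lines. This is an added example, not part of the original slides: the function names are illustrative, the decryption key is obtained with Python's built-in `pow(e, -1, m)` (Python 3.8+), and parameters this small give no security.

```python
# Added example: toy RSA with the slide values p = 5, q = 11, e = 3.
# Function names are illustrative assumptions, not taken from the slides.

def square_and_multiply(base, exponent, modulus):
    """Return (base**exponent % modulus, table of (2**i, base**(2**i) % modulus))."""
    result, square, power, table = 1, base % modulus, 1, []
    while exponent:
        table.append((power, square))          # residue of base^power
        if exponent & 1:                       # this power of 2 occurs in the exponent
            result = (result * square) % modulus
        square = (square * square) % modulus   # next repeated square
        exponent >>= 1
        power <<= 1
    return result, table

def make_keys(p, q, e):
    """Return ((pq, e), (pq, d)); raises ValueError if e has no inverse."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # positive inverse of e modulo (p-1)(q-1)
    return (p * q, e), (p * q, d)

def encode(text):
    return [ord(ch) - ord("A") + 1 for ch in text]     # A = 1, ..., Z = 26

def decode(blocks):
    return "".join(chr(b + ord("A") - 1) for b in blocks)

def encrypt(text, public_key):
    n, e = public_key
    return [square_and_multiply(m, e, n)[0] for m in encode(text)]

def decrypt(blocks, private_key):
    n, d = private_key
    return decode([square_and_multiply(c, d, n)[0] for c in blocks])

if __name__ == "__main__":
    public, private = make_keys(5, 11, 3)
    cipher = encrypt("HI", public)
    print("keys:", public, private)
    print("HI ->", cipher, "->", decrypt(cipher, private))
    value, table = square_and_multiply(17, 27, 55)
    for power, residue in table:
        print(f"17^{power} mod 55 = {residue}")
    print("17^27 mod 55 =", value)
    # One letter per block is deterministic: equal letters give equal blocks,
    # which is why the slides call for several symbols per block.
    print("HELLO ->", encrypt("HELLO", public))
```

The table printed for 17 matches the residues computed by hand on the slides, and the two identical blocks for the repeated L in HELLO show the letter-frequency leak the slides mention.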
For better understanding, read the following slides. Otherwise, skip those.
Euclid’s Lemma Theorem 0.1.4.8 Euclid’s Lemma For all integers a, b, and c, if gcd(a, c) = 1 and $a \mid bc$, then $a \mid b$. The unique factorization theorem for the integers states that any integer greater than 1 has a unique representation as a product of prime numbers, except possibly for the order in which the numbers are written. This follows quickly from Euclid’s lemma. Another application of Euclid’s lemma is a cancellation theorem for congruence modulo n. This theorem allows us – under certain circumstances – to divide out a common factor in a congruence relation.
Euclid’s Lemma Theorem 0.1.4.9 Cancellation Theorem for Modular Congruence For all integers a, b, c, and n with n > 1, if gcd(c, n) = 1 and $ac \equiv bc \pmod n$, then $a \equiv b \pmod n$. Proof: Suppose a, b, c, and n are any integers with gcd(c, n) = 1 and $ac \equiv bc \pmod n$. We must show that $a \equiv b \pmod n$. By definition of congruence modulo n, $n \mid (ac - bc)$, that is, $n \mid (a - b)c$, since ac − bc = (a − b)c. Because gcd(c, n) = 1, we may apply Euclid’s lemma to obtain $n \mid (a - b)$, and so $a \equiv b \pmod n$ by definition of congruence modulo n. QED
Fermat’s Little Theorem Theorem 0.1.4.10 Fermat’s Little Theorem If p is any prime number and a is any integer such that $p \nmid a$, then $a^{p-1} \equiv 1 \pmod p$. Proof: Suppose p is any prime number and a is any integer such that $p \nmid a$. Note that $a \neq 0$ because otherwise p would divide a. Consider the set of integers S = { a, 2a, 3a, …, (p−1)a }. We claim that no two elements of S are congruent modulo p. For suppose $sa \equiv ra \pmod p$ for some integers s and r with $1 \le r < s \le p-1$. Then by definition of congruence modulo p, $p \mid (sa - ra)$, or equivalently, $p \mid (s - r)a$. Now, $p \nmid a$ by hypothesis, and because p is prime, gcd(a, p) = 1. Thus, by Euclid’s lemma, $p \mid (s - r)$. But this is impossible because 0 < s − r < p. …
Fermat’s Little Theorem Theorem 0.1.4.10 Fermat’s Little Theorem If p is any prime number and a is any integer such that $p \nmid a$, then $a^{p-1} \equiv 1 \pmod p$. Proof: Continued … Consider the function F from S to the set T = {1, 2, 3, …, (p−1)} that sends each element of S to its residue modulo p. Then F is one-to-one because no two elements of S are congruent modulo p. We prove that if a function from one finite set to another is one-to-one, then it is also onto. Hence F is onto, and so the p−1 residues of the p−1 elements of S are exactly the numbers 1, 2, 3, …, (p−1). It follows by Theorem 0.1.4.3(3) that $a \cdot 2a \cdot 3a \cdots (p-1)a \equiv [1 \cdot 2 \cdot 3 \cdots (p-1)] \pmod p$, or equivalently, $a^{p-1}(p-1)! \equiv (p-1)! \pmod p$. But because p is prime, p and (p−1)! are relatively prime. Thus, by the cancellation theorem for modular congruence (Theorem 0.1.4.9), $a^{p-1} \equiv 1 \pmod p$. QED
Why Does the RSA Cipher Work? begin For the RSA cryptography method, the formula
$M = C^d \bmod pq$ (RSA 0.4.6)
is supposed to produce the original plaintext message M when the encrypted message is C. How can we be sure that it always does so? We require M < pq and we know that
$C = M^e \bmod pq$ (RSA 0.4.5)
By substitution, $M = C^d \bmod pq = (M^e \bmod pq)^d \bmod pq \equiv M^{ed} \pmod{pq}$ by Theorem 0.1.4.3(4). And so, it suffices to show $M \equiv M^{ed} \pmod{pq}$.
Why Does the RSA Cipher Work? For the RSA cryptography method, the formula
$M = C^d \bmod pq$ (RSA 0.4.6)
is supposed to produce the original plaintext message M when the encrypted message is C. And so, it suffices to show $M \equiv M^{ed} \pmod{pq}$. Recall that d was chosen to be a positive inverse for e modulo (p−1)(q−1), which exists because gcd(e, (p−1)(q−1)) = 1. In other words, $ed \equiv 1 \pmod{(p-1)(q-1)}$, or equivalently, $ed = 1 + k(p-1)(q-1)$ for some positive integer k. Therefore,
$M^{ed} = M^{1 + k(p-1)(q-1)} = M (M^{p-1})^{k(q-1)} = M (M^{q-1})^{k(p-1)}$
Why Does the RSA Cipher Work? … Therefore,
$M^{ed} = M^{1 + k(p-1)(q-1)} = M (M^{p-1})^{k(q-1)} = M (M^{q-1})^{k(p-1)}$
If $p \nmid M$, then by Fermat’s little theorem, $M^{p-1} \equiv 1 \pmod p$, and so
$M^{ed} = M (M^{p-1})^{k(q-1)} \equiv M (1)^{k(q-1)} \pmod p = M \pmod p$.
Likewise, if $q \nmid M$, then by Fermat’s little theorem, $M^{q-1} \equiv 1 \pmod q$, and so
$M^{ed} = M (M^{q-1})^{k(p-1)} \equiv M (1)^{k(p-1)} \pmod q = M \pmod q$.
Thus, if M is relatively prime to pq, $M^{ed} \equiv M \pmod p$ and $M^{ed} \equiv M \pmod q$.
Why Does the RSA Cipher Work? … If M is not relatively prime to pq, then either $p \mid M$ or $q \mid M$. Without loss of generality, assume $p \mid M$. It follows that $M^{ed} \equiv 0 \equiv M \pmod p$. Moreover, because M < pq, $q \nmid M$, and thus, as above, $M^{ed} \equiv M \pmod q$. Therefore, in this case also, $M^{ed} \equiv M \pmod p$ and $M^{ed} \equiv M \pmod q$. By Theorem 0.1.4.1, $p \mid (M^{ed} - M)$ and $q \mid (M^{ed} - M)$, and by definition of divisibility, $M^{ed} - M = pt$ for some integer t.
Why Does the RSA Cipher Work? … and by definition of divisibility, $M^{ed} - M = pt$ for some integer t. By substitution, $q \mid pt$, and since q and p are distinct prime numbers, Euclid’s lemma applies to give $q \mid t$. Thus, t = qu for some integer u by definition of divisibility. By substitution, $M^{ed} - M = pt = p(qu) = (pq)u$, where u is an integer, and so, $pq \mid (M^{ed} - M)$
Why Does the RSA Cipher Work? end … where u is an integer, and so, $pq \mid (M^{ed} - M)$ by definition of divisibility. Thus $M^{ed} - M \equiv 0 \pmod{pq}$, by definition of congruence, or, equivalently, $M \equiv M^{ed} \pmod{pq}$. Because M < pq, this last congruence implies that $M = M^{ed} \bmod pq$, and thus the RSA cipher gives the correct result. QED The RSA Cipher Works!
RSA • The RSA scheme is based heavily upon number theory. Think of • messages from Alice to Bob as numbers modulo N; • messages larger than N can be broken into smaller pieces. • The encryption function will then be a bijection on {0, 1, 2, 3, …, N - 1}, and the decryption function will be its inverse. • What values of N are appropriate, and what bijection should be used?
Two Properties
• Pick any two very large primes p and q. Let N = p*q. For any e relatively prime to (p − 1)(q − 1):
• The mapping $x \mapsto x^e \bmod N$ is a bijection on {0, 1, 2, …, N − 1}.
• The inverse mapping is easily realized:
  • Let d be the inverse of e modulo (p − 1)(q − 1), i.e., $d = e^{-1} \bmod (p-1)(q-1)$.
  • Then for all $x \in \{0, 1, 2, \ldots, N-1\}$, $(x^e)^d \equiv x \bmod N$.
Property (Continued)
• 1. The mapping $x \mapsto x^e \bmod N$ is a bijection on {0, 1, 2, …, N − 1}.
• This property tells us that the mapping $x \mapsto x^e \bmod N$ is a reasonable way to encode messages x; no information is lost.
• If Bob publishes (N, e) as his public key, everyone else can use it to send him encrypted messages. d can be found using $d = e^{-1} \bmod (p-1)(q-1)$. Bob then recovers the original text x by applying his secret key d to the ciphertext $x^e$ received from Alice, using $(x^e)^d \equiv x \bmod N$. That is, $x = (x^e)^d \bmod N$.
Two Properties (Continued)
• 2. The inverse mapping is easily realized:
  • Let d be the inverse of e modulo (p − 1)(q − 1), i.e., $d = e^{-1} \bmod (p-1)(q-1)$.
  • Then for all $x \in \{0, 1, 2, \ldots, N-1\}$, $(x^e)^d \equiv x \bmod N$.
• The second property then tells us how decryption can be achieved. Bob should retain the value d as his secret key, with which he can decode all messages that come to him by simply raising them to the d-th power modulo N. d can be found using $d = e^{-1} \bmod (p-1)(q-1)$. Bob then recovers the original text x by applying his secret key d (i.e., p and q) to the ciphertext $x^e$ received from Alice, using $(x^e)^d \equiv x \bmod N$. That is, $x = (x^e)^d \bmod N$.
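For toy moduli both properties can be checked exhaustively, including the messages that share a factor with N, which the proof above treats as a separate case. This is an added example, not part of the original slides; the function names are illustrative, and the parameter sets (5, 11, 3) and (7, 17, 5) are the two toy key pairs used in this deck.

```python
# Added example: exhaustive check of the two properties for a toy modulus.
from math import gcd

def check_rsa_properties(p, q, e):
    """Check bijection and inverse properties for N = p*q over all residues."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                       # Python 3.8+
    images = [pow(x, e, n) for x in range(n)]
    shared = [x for x in range(n) if gcd(x, n) != 1]
    return {
        "d": d,
        # Property 1: every residue 0..N-1 is hit exactly once.
        "bijection": sorted(images) == list(range(n)),
        # Property 2: raising to the d-th power undoes encryption for every x.
        "inverse_ok": all(pow(y, d, n) == x for x, y in enumerate(images)),
        # The proof's second case: x divisible by p or by q still round-trips.
        "shared_factor_count": len(shared),
        "shared_factor_ok": all(pow(images[x], d, n) == x for x in shared),
        # Messages that encrypt to themselves (x^e ≡ x mod N).
        "fixed_points": [x for x in range(n) if images[x] == x],
    }

def residues_lost(p, q, e):
    """Count residues with no preimage when e is NOT required to be coprime."""
    n = p * q
    return n - len({pow(x, e, n) for x in range(n)})

if __name__ == "__main__":
    for params in ((5, 11, 3), (7, 17, 5)):
        report = check_rsa_properties(*params)
        print(params, report)
    # e = 5 shares a factor with (5-1)(11-1) = 40, so the map is not a bijection.
    print("residues lost for e = 5, N = 55:", residues_lost(5, 11, 5))
```

The `fixed_points` list shows that a bijection can still leave some messages unchanged, and `residues_lost` shows why the condition gcd(e, (p − 1)(q − 1)) = 1 cannot be dropped.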
Example 0.72: Let N = 55 = 5*11. Choose encryption exponent e = 3, which satisfies the condition gcd(e, (p − 1)(q − 1)) = gcd(3, 40) = 1. The decryption exponent is then $d = 3^{-1} \bmod 40 = 27$. That is, $27 \cdot 3 \equiv 1 \bmod 40$ if, and only if, $40 \mid (27 \cdot 3 - 1)$. Now for any message x mod 55, the encryption of x is $y = x^3 \bmod 55$, and the decryption of y is $x = y^{27} \bmod 55$. For example: if x = 13, then $y = 13^3 \bmod 55 = 52$. That is, $13^3 \equiv 52 \bmod 55$, and $13 = 52^{27} \bmod 55$. (This can be computed as in the following two slides.)
Show $13 = 52^{27} \bmod 55$.
$52^{27} \bmod 55 = (52 \bmod 55)^{27} \bmod 55$
$= (-3)^{27} \bmod 55$
$= (-3)^{9 \cdot 3} \bmod 55$
$= (81 \cdot 81 \cdot (-3))^{3} \bmod 55$, where $81 = (-3)^4$
$= (26 \cdot 26 \cdot (-3))^{3} \bmod 55$
$= (52 \cdot 13 \cdot (-3))^{3} \bmod 55$
$= ((-3) \cdot 13 \cdot (-3))^{3} \bmod 55$
$= 117^3 \bmod 55$
$= 7^3 \bmod 55$
$= 343 \bmod 55$
$= 13$
The computation can be done either this way or the way presented in the following slide.
Show $13 = 52^{27} \bmod 55$.
$27 = 16 + 8 + 2 + 1 = 2^4 + 2^3 + 2 + 1$
Then, $52^{27} = 52^{16+8+2+1} = 52^{16} \cdot 52^8 \cdot 52^2 \cdot 52^1$
We can find the residues obtained when 52 is raised to successively higher powers of 2, up to $2^4 = 16$.
$52 \bmod 55 = 52$
$52^2 \bmod 55 = 9$
$52^4 \bmod 55 = (52^2)^2 \bmod 55 = (52^2 \bmod 55)^2 \bmod 55 = 9^2 \bmod 55 = 26$
$52^8 \bmod 55 = (52^4)^2 \bmod 55 = (52^4 \bmod 55)^2 \bmod 55 = 26^2 \bmod 55 = 16$
$52^{16} \bmod 55 = (52^8)^2 \bmod 55 = (52^8 \bmod 55)^2 \bmod 55 = 16^2 \bmod 55 = 36$
Thus,
$52^{27} \bmod 55 = (52^{16} \cdot 52^8 \cdot 52^2 \cdot 52^1) \bmod 55$
$\equiv [(52^{16} \bmod 55)(52^8 \bmod 55)(52^2 \bmod 55)(52^1 \bmod 55)] \pmod{55}$
$\equiv (36 \cdot 16 \cdot 9 \cdot 52) \pmod{55}$
How secure is it?
• The computations it requires of Alice and Bob are elementary.
• But how secure is it against Eve?
• The security of RSA hinges upon a simple assumption:
• Given N, e, and $y = x^e \bmod N$, it is computationally intractable to determine x.
For better understanding, read the following slides. Otherwise, skip those.
RSA Cryptography - Formalization Theoretical Background (begin) The RSA Cryptosystem The RSA cryptosystem relies on the facts that we can find large primes fairly readily, but we have no efficient method for factoring a large number.
The System - Formalization • In the RSA public-key cryptosystem, each participant creates his public key and secret key according to the following steps: • Select two very large prime numbers p and q. The number of bits needed to represent p and q might be 1024. • Compute • n = pq • (n) = (p – 1) (q – 1). • The formula for (n) is owing to Theorem: The number of elements in is given by Euler’s totient function, which is • where the product is over all primes that divide n, including n if n is prime.
Choose a small prime number as an encryption component g, that is • relatively prime to (n). That means, gcd(g, (n) ) = 1. In other words, • gcd(g, (p-1)(q-1)) = 1. • Using Algorithm sL, compute the multiplicative inverse That is, • The inverse exists and is unique, according to Corollary s4. • That is, the decryption component $h = g^{-1}$ mod (n). • 5. Let pkey = (n, g) be the public key, and skey = (n, h) be the secret key.
For any message x mod n, the encryption of x is $y = x^g \bmod n$. • The decryption of y is $x = y^h \bmod n$. End of the formalization of the RSA public-key cryptosystem
The set of permissible messages is . The function corresponding to the public key pkey = (n, g) is $pub(b) = b^g$ (s0.1) where b , and the function corresponding to the secret key skey = (n, h) is $sec(b) = b^h$. (s0.2) The value of these functions can be computed using Algorithm Polynomial_Determine_Prime_10.5
For this system to be correct, the functions corresponding to the public and secret keys must be inverses of each other. Next we prove this is the case. Theorem 0.21 The functions in Equalities (s0.1), $pub(b) = b^g$, and (s0.2), $sec(b) = b^h$, are inverses of each other. Proof: Left for an exercise. We give the algorithms that are used in the preceding RSA public-key cryptosystem …
Algorithm Modular_Linear_Equation_sL(n, m, k)
// Find all solutions to a modular linear equation.
Inputs: positive integers m and n, and integer k.
Outputs: if the equation is solvable, all solutions to it.
index l;
integer i, j, d;
extended-Euclid(n, m, d, i, j);   // d = gcd(n, m)
if (d | k)
    for (l = 0; l <= d - 1; l++)   // a solvable equation has d solutions
        count << ;
Corollary s4 The equivalence class $[m]_n$ has a multiplicative inverse modulo n if and only if gcd(n, m) = 1. That is, the equation $[m]_n x = [1]_n$ has a solution if and only if gcd(n, m) = 1. Furthermore, if it has an inverse, that inverse is unique. Theoretical Background (end)
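The extended Euclidean computation from the "Find a positive inverse for 3 modulo 40" slide and the modular linear equation algorithm above can be written out as follows. This is an added example, not the slides' own code: the function names are illustrative, and the solution formula x = j*(k/d) + l*(n/d) mod n is the standard one, supplied here as an assumption because the slide's output statement is not legible.

```python
# Added example: extended Euclid and all solutions of m*x ≡ k (mod n).

def extended_euclid(n, m):
    """Return (d, i, j) with d = gcd(n, m) = i*n + j*m."""
    old_r, r = n, m
    old_i, i = 1, 0
    old_j, j = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_i, i = i, old_i - quotient * i
        old_j, j = j, old_j - quotient * j
    return old_r, old_i, old_j

def solve_modular_linear(n, m, k):
    """Return every x in 0..n-1 with m*x ≡ k (mod n), sorted; [] if none."""
    d, _, j = extended_euclid(n, m)
    if k % d != 0:                 # solvable only when d divides k
        return []
    x0 = (j * (k // d)) % n        # one solution, since j*m ≡ d (mod n)
    return sorted((x0 + l * (n // d)) % n for l in range(d))

def modular_inverse(m, n):
    """Positive inverse of m modulo n (the case k = 1, where gcd must be 1)."""
    solutions = solve_modular_linear(n, m, 1)
    if not solutions:
        raise ValueError(f"{m} has no inverse modulo {n}: gcd(n, m) != 1")
    return solutions[0]

if __name__ == "__main__":
    print(extended_euclid(40, 3))           # linear combination for gcd(40, 3)
    print(modular_inverse(3, 40))           # decryption key for e = 3
    print(solve_modular_linear(10, 6, 4))   # constructed case with d = 2 solutions
    print(solve_modular_linear(10, 6, 3))   # constructed case with no solution
```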
Discussion First of all, we have no efficient method for factoring a large number. The success of the RSA cryptosystem relies on the fact that we can find large primes fairly readily. That is, we can find a large prime as follows: First, we randomly choose integers of the appropriate size. For each integer chosen, we can then use Algorithm Polynomial_Determine_Prime_10.5, which is polynomial-time, to check whether the number is prime. We do this until we find two large primes. Before this Algorithm, the Miller-Rabin Randomized Primality Test was used to efficiently check with a very low error rate whether a number was prime.
This Miller-Rabin Randomized Primality Test may still be the algorithm of choice for prime checking since its time complexity is in , where s is the number of bits it takes to encode the input, and e is an integer chosen such that the probability the algorithm makes an error is no greater than . So if we choose e to be only 40, the probability of an error is no greater than , the probability of an error is no greater than
On the other hand, no one has ever found a polynomial-time algorithm for factoring a number. The possibility exists that one could find the value of h in the secret key skey = (n, h) without factoring n. However no one has found an efficient way to do this either. Currently we can achieve security with the RSA cryptosystem if integers containing around 1024 or more bits are used.
Example:
• Encipher, encode, encrypt: convert (a message or piece of text) into a coded form.
• Decipher, decode, decrypt: convert (a text written in code, or a coded signal) into normal language.
• Let the public key be denoted as pkey = (n, g) and the secret key be denoted as skey = (n, h).
• Consider an RSA cryptosystem using p = 7 and q = 17, and g = 5.
• What is the encoded form for 13 mod 119? That is, encipher the message .
• What is the encoded form for 39 mod 119? That is, encipher the message .
Solution:
• The public key is pkey = (n, g) = (119, 5), where n = pq = 7*17 = 119.
• $\mathrm{Encode}(x) = y = x^g \bmod n$.
• Let x = 13. We encode the message 13 mod 119 as follows:
  $\mathrm{Encode}(13) = y = 13^5 \bmod 119$
  $= 371293 \bmod 119$
  $= (371280 + 13) \bmod 119$
  $= ((371280 \bmod 119) + (13 \bmod 119)) \bmod 119$
  $= (0 + 13 \bmod 119) \bmod 119$
  $= 13 \bmod 119 = 13$
• That is, the encryption of the given message 13 is 13.
To decode this message 13 mod 119, we need to know the public key pkey = (n, g) = (119, 5). (b) We find the private key skey = (n, h), which is calculated as follows: Step 1: We find p and q such that p*q = n. n = pq = 7*17 = 119. We know g = 5.
Step 2: (n) = (p – 1) (q – 1) = 6 * 16 = 96. The reason is: The formula for (n) is owing to Theorem: The number of elements in is given by Euler’s totient function, which is where the product is over all primes that divide n, including n if n is prime. That is (n) = (p – 1) (q – 1) = For example, among all prime candidates less than 119, only the two primes p = 7 and q = 17 divide 119, that is, 7|119 and 17|119. (119) = (p – 1) (q – 1) = 119 * (1- ) (1- ) = 119* = (7-1) (17-1) = 96. Since g = 5, g is relatively prime to (n) = (119) = 96.
Step 3: compute the multiplicative inverse That is, We know that = = { …, -287, -191, -95, 1, 97, 193, 289, …}. Compute g * h ≡ 1 mod (n). h * 5 ≡ 1 mod (119) h * 5 ≡ 1 mod 96 h mod 96 $h \equiv 5^{-1} \bmod 96$.