RSA cryptosystem

1
RSA cryptosystem

• Suppose np?q, where p and q are big primes (512
  bits).
• Select (find) a and b, such that a ? b1 mod ?(n)
  ((p-1)(q-1)).
• K(n,p,q,a,b), publicize n,b, but keep p,q,a
  secret.
• For any x,y?Zn , define
• eK(x) xb mod n dK(y) ya mod n
• Of course, from n,b, it is very difficult to get
  a (as well as p,q,?(n)).

2
Proof of RSA

• If x0 ?Zn , then it is correct.
• If x ?Zn , then
• ab1 mod ?(n), abt?(n)1 (for some t).
• ya(xb)a ? x t?(n)1 ? (x?(n))t x ? 1t x ? x
  (mod n)
• If x ? Zn\Zn , then

How to prove it?
3
RSA--implementation

• Generate two large primes, p and q.
• n ? pq and ?(n) ? (p-1)(q-1)
• Chose a random b (1lt b lt ?(n)) such that gcd(b,
  ?(n))1
• a ? b-1 mod ?(n)
• The public key is (n,b) and the private key is
  (p,q,a).

Could you raise any questions about RSA?
4
Questions about RSA

• How to generate large primes?
• How to compute the modular-exponentiation
  (encryption decryption) efficiently?
• RSA attack attempt to factor n and how?
• RSA uses numbers, therefore need encoding for
  normal text.

5
Complexity of some operations

• Given x and y having k and l bits respectively
• i.e., k ? log2x? 1 and l ? log2y? 1,
  suppose kgtl
• Then complexities (in bit operations) are
• x y in time O(k)
• x y in time O(k)
• x ? y in time O(kl)
• x / y in time O(kl)
• gcd(x,y) in time O(k3)

6
Complexity of some operations

• Modular operation in Zn , n is k-bit integer, 0 ?
  m1,m2 ? n,
• (m1 m2) mod n in time O(k).
• (m1 - m2) mod n in time O(k).
• (m1 ? m2) mod n in time O(k2).
• (m1)-1 mod n in time O(k3).
• (m1)c mod n in time O((logc)k2).

7
Modular exponentiation-- xc mod n

• Using c-1 traditional modular multiplications,
• the exponential complexity in term of k.
• Using square-and-multiply algorithm
• Very efficient, O((logc)k2).
• Write down c in binary representation (in fact it
  is!)
• Initialize z 1
• From the highest bit to the lowest bit
• Perform z z2 mod n
• If the bit is 1 then perform z (z ? x) mod n
• Return z.
• Example 5.5 (cont.) page 171

8
RSAprimality testing

• How to generate large primes?
• Select a random large number
• Test whether or not the number is a prime.
• How often a random selected number is a prime?
• Let ?(N) be the number of primes ? N.
• Prime number theory ?(N) ? N/lnN
• Therefore the probability of a random number
  being a prime is 1/lnN
• Suppose n pq is 1024 bits, so p and q are 512
  bits, 1/ln2512 ? 1/355.

9
RSAprimality testing

• (yes-biased) Monte Carlo algorithm
• For yes-no decision problem
• Random algorithm (randomly choose a number)
• If the algorithm gives answer yes, it is always
  correct
• It the answer is no, it may be incorrect.

Therefore, may try several times such that the
probability of the incorrectness for no is
extremely small.
Las Vegas algorithm may not give answer, but any
answer it gives is correct.
10
RSAprimality testing

• (yes-biased) Monte Carlo algorithm
• Solovay-Strassen algorithm
• Miller-Rabin algorithm
• A good news confirmed primality testing
  algorithm
• By three Indian scientists.

11
Solovay-Strassen primality test

• Given integer n, is n a composite?
• Choose a random integer a ( 1 lt a lt n)
• x?
• If x0 then return yes (n is a composite)
• y ? a(n-1)/2 (mod n)
• If x ? y (mod n)
• then return no (n is a prime) (of course maybe
  incorrect)
• else return yes (n is a composite)

12
Solovay-Strassen primality test

• Jacobi symbol
• Properties about Jacobi symbol.
• Example for computing Jacobi symbol, page 5.8
• The proof of the algorithm (i.e., the theory the
  algorithm is based on) discussed later if time
  is allowed.
• Other primality testing algorithms (discussed
  later)

13
RSA attacks

• Factoring algorithms
• Trial division up to ? n
• Pollard p-1 algorithm
• Pollard Rho algorithm
• Other attacks
• Computing ?(n) no easier than factoring n.
• Decryption Exponent ano easier than factoring n

14
RSA attackPollard p-1 algorithm

• Given n, and select a random B (not too big)
• a ? 2
• For j2 to B
• a ? aj mod n
• d ? gcd(a-1,n)
• If d gt 1
• then return d (d is a factor of n)
• else return false.

15
Trap-door one way function

• The function is easy to compute, but its inverse
  is very difficult to compute
• But if you know the trap-door, then the inverse
  of the function becomes easy.
• In RSA, eK(x)xb mod n is a one-way trap-door
  function, its inverse dK(y)ya mod n is difficult
  to compute unless you know the trap-door a.

16
Merkle-Hellman knapsack public-key cryptosystem

• Knapsack problem
• NP-complete
• Superincreasing knapsack problem
• easy to solve
• Idea of Merkle-Hellman knapsack public-key
  cryptosystem
• Select a superincreasing knapsack problem
• Transform it into a knapsack problem
• The knapsack problem is the public key, but the
  superincreasing knapsack problem is the private
  key.

17
Algorithm for superincreasing knapsack problem

• Suppose (a1,a2,..,ai,,an) are superincreasing
  knapsack values (all positive), i.e,
  aigt?j1i-1aj
• Given any integer s which is the sum of a subset
  of ai, find a binary vector (x1,x2,..,xi,,xn)
  such that s ?i1n xiai
• For in downto 1
• If s ? ai then xi1 ss-ai else xi0
• Return (x1,x2,..,xn)

18
Merkle-Hellman knapsack public-key cryptosystem

• Select a superincreasing knapsack values
  (a1,a2,..,an)
• Select a M such that M gt ?j1naj
• Select a W such that gcd(W,M)1.
• Select a permutation ? of 1,2,,n.
• Compute biWa?(i) mod M.
• (b1,b2,..,bn) is public key and (a1,a2,..,an ?,
  W,M) is private key

19
Merkle-Hellman knapsack public-key cryptosystem

• Encryption
• For message x, let xx1x2xn (in binary format)
• Compute y b1x1 b2x2 bnxn and send y.
• Decryption
• Compute syW-1 mod M
• Solve the superincreasing knapsack problem for s
  in term of (a1,a2,..,an) and find r1,r2,..,rn
• Let xir?(i).

20
Merkle-Hellman knapsack public-key cryptosystem

• Proof of the system
• yW-1 mod M(b1x1 b2x2 bnxn ) W-1 mod M
• (b1 W-1 x1 b2 W-1 x2 bn W-1 xn ) mod M
• (a?(1) x1 a?(2) x2 a?(n) xn ) mod M
• Example
• From this public-key system, it can be seen that
  the problem used for a public-key system is hard
  problem (unless you know the trap-door) but not
  NP-complete problem.