RSA Crash Course

1
RSACrash Course

• Public Key and Digital Signature Scheme
• by
• Rivest
• Shamir
• Adleman

2
Public Key Encryption

• ALICE produces a pair of keys
• SA private, secret
• PA public
• Publishes PA - Keeps SA a secret

Assume DSA (EPA (x))x

• BOB sends a message to ALICE by
• cipher-text EPA ( plain-text )

• Only ALICE can decrypt
• plain-text DSA ( cipher-text )

3
Digital Signature

• ALICE produces a pair of keys
• SA private, secret
• PA public
• Publishes PA - Keeps SA a secret

Assume EPA ( DSA (x ))x

• To sign a message, ALICE sends to Bob
• signed-message DSA( message )

• Everyone can verify signature
• message EPA ( signed-message )
• ALICE cannot disclaim signature (no one else is
  capable of computing DSA )

4
Numbers
Long 01000110011101010010101..010100
1001010101010101010101010101

• 01000110011101010010101..01010010
• Arithmetic
• Addition
• Multiplication
• Raising to a Power

4096
5
Addition X Y (mod N)

• Carry overlinear number of operations

6
Multiplication XY (mod N)

• Quadratic number of operations

7
Power XY (mod N)

• Compute, given X
• X2 (mod N)
• X4 (mod N)
• X8 (mod N)
• X2n (mod N)
• Each step requires only squaring!
• Let Y0, .., Yn be the binary representation of
  Y,compute the product (mod N) of all powers Xi
  for which Yi1

8
Complexity Assumption (almost)
Ex whats the prime-factorization of 9797?

• Factoring is hardGiven a number N of n
  bits, N pqthere is no way to compute p and q
  within a reasonable (subexponential in n) time
• Best known algorithm runs for 2O(lg3n n1/3) time
• 2100 ? 1030

9
Euler Function
Example N 711 77 then ?(N) 60excluding
7 divisible by 11, 11 divisible by 7 0 excluded
twice

• Let ?(k) denote the number of i lt kthat are
  coprime to k, namely for which gcd(i, k) 1
• ?(N) (p-1)(q-1) Excluding numbers divisible
  by p or by q

• Knowing N and ?(N) it is easy to factor N
• N - ?(N) 1 pq (pq p q 1) 1 pq
• (pq)2 2N p2 2pq q2 2pq (p-q)2
• Arithmetic over both mod p and mod q

10

• LemmaLet e and d be so that ed ? 1 (mod
  ?(N)) that is, d is the inverse of e mod ?(N)
  Then, for any m, (me)d ? m (mod N)
• ProofTrue for both p and q. W.L.O.G. we prove
  for p
• if p divides m trivial
• Otherwisemed ? m1(p-1)(q-1)i ?
  m(m(p-1))(q-1)i ? m (mod p)

11
Prime Numbers

• Prime Number TheoremThere are many prime
  numbers ( k/log k in the range 1, .., k )
• Fermas TheoremFor a prime p and any m mp-1 ?
  1 (mod p)
• ConjectureFor (almost all) composite numbers k,
  for at least one of m 1,..,log2k mk-1 ?
  1 (mod k)

12
Picking a random prime number

• Choose random numbers until one is tested to be
  prime
• To check if a number p is prime, go over all
  numbers m ? log2p and check whether mp-1 ? 1
  (mod p)
• Without conjecture probabilistic algorithm.
  Almost as followsRepeat randomly choose m, if
  p not prime, with high probability mp-1 ? 1
  (mod p)

13
The Public and Private Keys

• Choose two long, random prime numbers p, q
• set N pq
• Randomly choose an odd number e satisfying
• 1 lt e lt ?(N)
• gcd(e, ?(N)) 1
• Let d be the inverse of e, namely ed ? 1
  (mod ?(n))
• Publish the Public key ltN, egt
• Keep secret the Private key d
• Through away the rest

Compute d using Euclids gcd algorithm
14
Encryption and Decryption

• To encrypt a message, write it as a number m,
  and compute EN,e(m) me (mod N)
• To decrypt a cipher text c, compute Dd(c)
  cd (mod N)
• Now for (almost) any m,
• med ? m (mod N)
• And therefore (me)d ? m (mod N)
• Therefore Dd(EN,e(m)) ? m (mod N)

15
Digital Signatures

• To sign a text T, compute Sign(T) Td
  (mod N)
• To verify a signature S compute EN,e(S)
  Se (mod N)
• EN,e(Dd(T)) ? T (mod N)