
The RSA cipher

From the document Intro Abstract Algebra (pages 67-71)

11. Euler's Theorem, Primitive Roots, Exponents, Roots

12.3 The RSA cipher

The idea of this cipher is due to R.L. Rivest, A. Shamir, and L. Adleman: A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), pp. 120-126. The key point is that factoring large numbers into primes is difficult. Perhaps surprisingly, merely testing large numbers for primality is much easier.

The hard task

Description of encryption and decryption

Elementary aspects of security of RSA

Speed of encryption/decryption algorithms

Key generation and management

Export regulations?!

The hard task

The hard task here is factorization of large integers into primes. Essential tasks which are relatively easy are:

exponentiation $x^e \% n$ modulo $n$ for $n > 10^{160}$ and for large exponents $e$

finding many large primes $p > 10^{80}$

As we will see, the contrast in apparent difficulties of these tasks is the basis for the security of the RSA cipher.

The difficulty of factoring large integers into primes is intuitively clear, although this itself is no proof of its difficulty. By contrast, it should be surprising that we can test large numbers for primality without looking for their factors.

The issue of efficiently evaluating large powers $x^e$ of large integers $x$ reduced modulo large integers $n$ is more elementary.

And keep in mind that the relevant sizes $n > 10^{160}$ and $p > 10^{80}$ will have to be increased somewhat as computing speeds increase, even if no improvements in algorithms occur.

Description of encryption and decryption

There are two keys, $e$ and $d$. Auxiliary information, which is not secret, consists of a large-ish integer $n$. (The nature of $n$, and the relation of $e, d$ to each other and to $n$, will be described below.) A plaintext $x$ is encoded first as a positive integer which we still call $x$, and for present purposes we require that $x < n$. Then the encoding step is

$$E_{n,e}(x) = x^e \% n$$

where $z \% n$ denotes the reduction of $z$ modulo $n$. This produces a ciphertext $y = x^e \% n$ which is also a positive integer in the range $0 < y < n$. The decryption step is

$$D_{n,d}(y) = y^d \% n$$

That's it!

Of course, for the decryption step to really decrypt, the two keys $e, d$ must have the property that

$$(x^e)^d \equiv x \bmod n$$

for all integers $x$ (at least in the range $0 < x < n$).

Euler's Theorem (below) asserts that if $\gcd(x, n) = 1$ then

$$x^{\varphi(n)} \equiv 1 \bmod n$$

where $\varphi(n)$ is the Euler phi-function evaluated at $n$, defined to be the number of integers $\ell$ in the range $0 < \ell \le n$ with $\gcd(\ell, n) = 1$. Thus, the relation between $e$ and $d$ is that they are mutually multiplicative inverses modulo $\varphi(n)$, meaning that

$$de \equiv 1 \bmod \varphi(n)$$

In that case, we can verify that the encryption-decryption really works for $\gcd(x, n) = 1$:

$$D_{n,d}(E_{n,e}(x)) = (x^e \% n)^d \% n = (x^e)^d \% n$$

since by now we know that reduction modulo $n$ can be done whenever we feel like it, or not, in the course of an arithmetic calculation whose answer will be reduced modulo $n$ at the end. By properties of exponents,

$$(x^e)^d \% n = x^{ed} \% n$$

Since $ed \equiv 1 \bmod \varphi(n)$, there is an integer $\ell$ so that

$$ed = 1 + \ell\,\varphi(n)$$

Then

$$x^{ed} = x^{1 + \ell\varphi(n)} = x^1 \cdot (x^{\varphi(n)})^{\ell} \equiv x \cdot 1^{\ell} = x \bmod n$$

by invoking Euler's theorem.

Note that we must assume that the plaintext $x$ is prime to $n$. Since $n$ is the product of the two large primes $p$ and $q$, being relatively prime to $n$ simply means not being divisible by either $p$ or $q$. The probability that a "random" integer $x$ in the range $0 \le x \le n$ would be divisible by $p$ or $q$ is

$$\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}$$

This is a very tiny number, so we just ignore this possibility.

The encryption exponent $e$ (and decryption exponent $d$) must be prime to $\varphi(n) = (p-1)(q-1)$ so that it will have a multiplicative inverse modulo $\varphi(n)$, which will be the decryption exponent $d$.

A common chain of events is the following. Alice picks two large primes $p$ and $q$ (with $p \ne q$), and puts $n = pq$. The primes $p$ and $q$ must be kept secret. She then further picks the encryption and decryption exponents $e$ and $d$ so that $ed \equiv 1 \bmod \varphi(n)$. She publishes the encryption exponent $e$ on her web page, along with the modulus $n$. Her decryption exponent $d$ is kept secret also. Then anyone who wants to send email to Alice encrypted so that only Alice can read it can encrypt plaintext $x$ by

$$E_{n,e}(x) = x^e \% n$$

Alice is the only person who knows the decryption exponent $d$, so she is the only one who can recover the plaintext by

$$x = D_{n,d}(E_{n,e}(x))$$

Since in this situation she can make the encryption key public, often the encryption key $e$ is called the public key and the decryption key $d$ is called the private key.
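A worked round trip of the scheme just described, added here as an illustration and not part of the original text. The primes 61 and 53, the exponent 17 and the plaintext 65 are constructed toy values, far too small for any real use; Python's built-in pow handles both the modular exponentiation and (with exponent -1, Python 3.8 and later) the modular inverse. The last two functions also check the text's estimate $1/p + 1/q - 1/pq$ for the chance that a plaintext is not prime to $n$ against an exact count.

```python
from math import gcd

# Constructed toy parameters, far too small for real use: p and q are primes,
# n = pq is the public modulus and phi = (p-1)(q-1) is Euler's phi-function of n.
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public (encryption) exponent, prime to PHI
D = pow(E, -1, PHI)        # private (decryption) exponent, E*D = 1 mod PHI (Python 3.8+)


def encrypt(x, n=N, e=E):
    """E_{n,e}(x) = x^e % n. The plaintext must already be an integer with 0 < x < n."""
    if not 0 < x < n:
        raise ValueError("plaintext must be an integer with 0 < x < n")
    return pow(x, e, n)


def decrypt(y, n=N, d=D):
    """D_{n,d}(y) = y^d % n."""
    return pow(y, d, n)


def euler_holds(x, n=N, phi=PHI):
    """Euler's theorem: gcd(x, n) = 1 implies x^phi(n) = 1 mod n.
    Returns True when the conclusion holds (or the hypothesis fails)."""
    return gcd(x, n) != 1 or pow(x, phi, n) == 1


def all_round_trips_hold(n=N):
    """D(E(x)) = x for every x with 0 < x < n and gcd(x, n) = 1, i.e. exactly the
    plaintexts the Euler's-theorem argument in the text covers."""
    return all(decrypt(encrypt(x)) == x for x in range(1, n) if gcd(x, n) == 1)


def fraction_not_coprime(p, q):
    """Exact fraction of x in 0 <= x < pq divisible by p or q, counted by brute force."""
    n = p * q
    return sum(1 for x in range(n) if gcd(x, n) != 1) / n


def estimated_fraction_not_coprime(p, q):
    """The text's figure 1/p + 1/q - 1/(pq) for the same probability."""
    return 1 / p + 1 / q - 1 / (p * q)


if __name__ == "__main__":
    print(f"n={N}  phi={PHI}  e={E}  d={D}")
    print("E(65) =", encrypt(65), " D(E(65)) =", decrypt(encrypt(65)))
    print("Euler's theorem holds for all x:", all(euler_holds(x) for x in range(1, N)))
    print("all coprime round trips hold:", all_round_trips_hold())
    print("P(x not prime to n): exact", fraction_not_coprime(P, Q),
          "estimate", estimated_fraction_not_coprime(P, Q))
```

The exact count and the estimate agree, and the reason is visible in the count: of the $pq$ residues, $q$ are multiples of $p$, $p$ are multiples of $q$, and one (zero) is both, giving $(p + q - 1)/pq$.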

Elementary aspects of security of RSA

The security of RSA more or less depends upon the difficulty of factorization of integers into primes.

This seems to be a genuinely difficult problem. But, more precisely, security of RSA depends upon a much more special problem, the difficulty of factoring numbers of the special form $n = pq$ (with $p, q$ prime) into primes. It is conceivable that the more special problem could be solved by special methods not applicable to the general one. But for now the special-ness of the problem seems not to have allowed any particularly good specialized factorization attacks.

The reason that difficulty of factorization makes RSA secure is that for $n$ the product of two big primes $p, q$ (with the primes kept secret), it seems hard to compute $\varphi(n)$ when only $n$ is given. Of course, once the prime factorization $n = pq$ is known, then it is easy to compute $\varphi(n)$ via the standard formula

$$\varphi(n) = \varphi(pq) = (p-1)(q-1)$$

If an attacker learns $\varphi(n)$, then the decryption exponent $d$ can be relatively easily computed from the encryption exponent $e$, by using the Euclidean Algorithm, since the decryption exponent is just the multiplicative inverse of $e$ modulo $\varphi(n)$.

In fact, we can prove that for numbers $n$ of this special form, knowing both $n$ and $\varphi(n)$ gives the factorization $n = pq$ (with very little computation). The trick is based on the fact that $p, q$ are the roots of the equation

$$x^2 - (p+q)x + pq = 0$$

Already $pq = n$, so if we can express $p + q$ in terms of $n$ and $\varphi(n)$, we will have the coefficients of this equation expressed in terms of $n$ and $\varphi(n)$, giving an easy route to $p$ and $q$ separately.

Since

$$\varphi(n) = (p-1)(q-1) = pq - (p+q) + 1 = n - (p+q) + 1$$

we can rearrange to get

$$p + q = n - \varphi(n) + 1$$

Therefore, $p$ and $q$ are the roots of the equation

$$x^2 - (n - \varphi(n) + 1)x + n = 0$$

Therefore, the two roots

$$\frac{(n - \varphi(n) + 1) \pm \sqrt{(n - \varphi(n) + 1)^2 - 4n}}{2}$$

are $p$ and $q$.
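The derivation above carried out in code, as an added example that is not from the original text: given $n$ and a leaked $\varphi(n)$, solve the quadratic in integer arithmetic to recover $p$ and $q$, and compute $d$ from $e$ as the inverse modulo $\varphi(n)$. The values are the constructed toy pair $n = 61 \cdot 53$, $e = 17$; math.isqrt is used so the square root is exact and the "is this really a product of two factors" checks are meaningful.

```python
from math import isqrt


def factor_from_phi(n, phi):
    """Recover p, q from n = pq and phi = phi(n) = (p-1)(q-1).

    Since p + q = n - phi + 1, p and q are the roots of
        x^2 - (n - phi + 1) x + n = 0,
    and the quadratic formula gives them with one integer square root.
    """
    s = n - phi + 1                 # p + q
    disc = s * s - 4 * n            # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        raise ValueError("n and phi are inconsistent: negative discriminant")
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2 != 0:
        raise ValueError("n and phi do not come from a product of two factors")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q


def private_exponent_from_phi(e, phi):
    """d = e^{-1} mod phi(n). pow(e, -1, phi) (Python 3.8+) returns the same inverse
    the extended Euclidean Algorithm produces and raises ValueError if gcd(e, phi) != 1."""
    return pow(e, -1, phi)


def recover_key_from_phi(n, e, phi):
    """What public (n, e) plus a leaked phi(n) yields: the primes and the private exponent."""
    p, q = factor_from_phi(n, phi)
    return {"p": p, "q": q, "d": private_exponent_from_phi(e, phi)}


if __name__ == "__main__":
    # Constructed toy values: n = 61 * 53, phi(n) = 60 * 52, e = 17.
    print(recover_key_from_phi(3233, 17, 3120))
```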

And we must note that it is conceivable that there is some other way to obtain the plaintext, or some portion of it, without factoring $n$.

It might seem that knowledge of the encryption and decryption exponents $e, d$ would not yield the prime factorization $n = pq$. Thus, it might seem that even if the pair $e, d$ is compromised, in the sense that both numbers become known to an adversary, the utility of the number $n = pq$ is not gone. However, in fact disclosure of the private (decryption) key compromises the cipher. Specifically, there is a Las Vegas algorithm that runs "quickly" which will yield the factorization $n = pq$.

Note that none of the users of a system with modulus $n$ (the product of two secret primes $p, q$), public key $e$, and private key $d$ need to know the primes $p, q$. Therefore, it would be possible for a central agency to use the same modulus $n = pq$ over and over. However, as just noted, compromise of one key pair compromises the others.

Speed of encryption/decryption algorithms

If done naively, raising large numbers to large powers takes a long time. Such exponentiation is required by both encryption and decryption in the RSA, so from a naive viewpoint it may be unclear why the algorithms themselves are any easier to execute than a hostile attack. But, in fact, the required exponentiation can be arranged to be much faster than prime factorizations for numbers in the relevant range (with a hundred or more digits). Even so, at this time it seems that the RSA encryption and decryption algorithms (and most asymmetric cipher algorithms) run considerably more slowly than the best symmetric cipher algorithms.

Typically the primes $p, q$ are chosen to have a hundred digits or so. Therefore, even if the encryption exponent $e$ is chosen to be relatively small, perhaps just a few decimal digits, the multiplicative inverse (the decryption key) will be about as large as $n$. Thus, the task of computing large powers of integers, modulo a large $n$, must be executable relatively quickly by comparison to the task of factoring $n$.

There is an important elementary speed-up of exponentiation we'll describe below, which allows us to consider exponentiation "easy". This algorithm is useful for computing powers of numbers, or of other algebraic objects, even more generally. That is, to compute $x^e$ we do not compute $x^1, x^2, x^3, x^4, x^5, \ldots, x^{e-1}, x^e$.
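The speed-up the text alludes to is binary exponentiation (square-and-multiply). The added example below, which is not from the original text, implements it beside the naive method and counts modular multiplications so the difference is visible: about $2\log_2 e$ instead of $e - 1$. The toy values $x = 65$, $e = 17$, $n = 3233$ are constructed, and Python's pow(x, e, n) serves as the reference answer.

```python
def naive_power_mod(x, e, n):
    """x^e % n by e - 1 successive multiplications x^1, x^2, ..., x^e: the method
    the text says NOT to use, included only for the comparison."""
    if e == 0:
        return 1 % n
    result = x % n
    for _ in range(e - 1):
        result = result * x % n
    return result


def fast_power_mod(x, e, n):
    """Right-to-left square-and-multiply. Returns (x^e % n, multiplications used).

    Scan the bits of e from least significant upward, keeping base = x^(2^i) % n
    and multiplying it into the result whenever bit i of e is set. Reducing modulo n
    after every product keeps every intermediate value below n^2.
    """
    if n == 1:
        return 0, 0
    result, base, mults = 1, x % n, 0
    while e > 0:
        if e & 1:
            result = result * base % n
            mults += 1
        e >>= 1
        if e:                         # no squaring needed after the last bit
            base = base * base % n
            mults += 1
    return result, mults


if __name__ == "__main__":
    x, e, n = 65, 17, 3233           # constructed toy values
    r, m = fast_power_mod(x, e, n)
    print(f"fast: {r} in {m} multiplications; naive: {naive_power_mod(x, e, n)} "
          f"in {e - 1}; pow agrees: {pow(x, e, n) == r}")
    big_e = 2**200 + 235             # an exponent the naive loop could never finish
    r, m = fast_power_mod(x, big_e, n)
    print(f"x^(2^200+235) % n = {r} in {m} multiplications; pow agrees: {pow(x, big_e, n) == r}")
```

For $e = 17 = 10001_2$ the fast routine uses four squarings and two multiplications; for a 200-bit exponent it uses roughly two hundred squarings plus one multiplication per set bit, which is why a decryption exponent as large as $n$ is no obstacle.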

Key generation and management

To set up a modulus $n = pq$ from secret primes $p, q$, and to determine a key pair $e, d$ with $ed \equiv 1 \bmod \varphi(n)$, requires first of all two large primes $p, q$, at least $> 10^{80}$, for example. Since the security of RSA is based upon the intractability of factoring, it is very lucky that primality testing is much easier than factorization into primes. That is, we are able to obtain many "large" primes $p, q > 10^{80}$ cheaply, despite the fact that we cannot generally factor "large" numbers $n = pq > 10^{160}$ into primes (even with good algorithms).

The decryption (or private) key $d$ can be chosen first, after $p, q$. For there to be a corresponding encryption key $e$ it must be that $d$ is relatively prime to $(p-1)(q-1)$, and then the Euclidean Algorithm gives an efficient means to compute $e$.

One way to obtain $d$ relatively prime to $(p-1)(q-1)$ is simply by guessing and checking, as follows.

Note that since $p-1$ and $q-1$ themselves are large we may not have their prime factorizations! We pick a random large prime $d$, and then use the Euclidean Algorithm to find the greatest common divisor of this $d$ and $(p-1)(q-1)$. If the gcd is $> 1$ we just guess again. Since $d$ was a large random prime the heuristic probability is very high that the first guess itself will already be relatively prime to $(p-1)(q-1)$.
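The key-generation recipe of this section as an added example, not the original's code: Miller-Rabin stands in for the cheap primality test the text relies on, a random large prime is proposed for $d$ and rejected whenever its gcd with $(p-1)(q-1)$ exceeds 1, and the Bezout coefficient from the extended Euclidean Algorithm gives $e$. The bit size is a parameter (the text's $10^{80}$ primes correspond to a modulus of 1024 bits or more); random.SystemRandom is the default randomness source so that real primes are unpredictable.

```python
import random
from math import gcd


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin test: True for primes, False for composites except with
    probability at most 4^-rounds. Cheap compared with factoring, as the text notes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    rng = rng or random.SystemRandom()
    d, s = n - 1, 0
    while d % 2 == 0:               # n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a witnesses that n is composite
    return True


def random_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def extended_gcd(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_u, u = u, old_u - quotient * u
        old_v, v = v, old_v - quotient * v
    return old_r, old_u, old_v


def generate_keypair(bits, rng=None):
    """Modulus of about `bits` bits; d is chosen first as a random prime, then e = d^{-1} mod phi(n)."""
    rng = rng or random.SystemRandom()
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:                   # the text requires p != q
        q = random_prime(bits // 2, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    guesses = 0
    while True:                     # guess-and-check for d prime to (p-1)(q-1)
        d = random_prime(bits // 2, rng)
        guesses += 1
        g, u, _ = extended_gcd(d, phi)
        if g == 1:
            break
    e = u % phi                     # u*d + v*phi = 1, so u is d^{-1} mod phi
    return {"p": p, "q": q, "n": n, "e": e, "d": d, "guesses": guesses}


if __name__ == "__main__":
    key = generate_keypair(256)     # demo size only; real keys need 2048 bits or more
    x = 0xCAFE                      # constructed plaintext, already an integer below n
    assert pow(pow(x, key["e"], key["n"]), key["d"], key["n"]) == x
    print({k: v for k, v in key.items() if k not in ("p", "q")})
```

Because $d$ is chosen first and $e$ falls out of the inverse computation, $e$ here is about as large as $n$; the technical notes that follow explain why implementations usually fix a small $e$ instead and choose the primes to suit it.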

Further technical notes:

In many implementations, to make encryption easy, the encryption exponent is always taken to be just 3, and the primes $p, q$ not congruent to 1 modulo 3. This certainly offers further simplifications.

For technical reasons, some people have more recently recommended $2^{16} + 1 = 65537$ (which is prime) as encryption exponent. Then take the primes $p, q$ not congruent to 1 modulo 65537.

Both $p-1$ and $q-1$ should have at least one very large prime factor, since there are factorization attacks against $n = pq$ that are possible if $p-1$ or $q-1$ have only smallish prime factors.

The primes $p$ and $q$ should not be "close" to each other, since there are factorization attacks on $n$ that succeed in this case (Fermat, Pollard's rho, etc.).

We don't want the ratio $p/q$ to be "close" to a rational number with smallish numerator and denominator, since then D.H. Lehmer's Continued Fraction factorization attack on $n = pq$ will succeed.
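A parameter screen that applies the technical notes above to a candidate $(p, q, e)$ before it is put to use; this is an added example, not from the original text. It checks that $e$ is prime to $(p-1)(q-1)$ (for prime $e$ this is exactly the "not congruent to 1 modulo $e$" condition), runs a bounded number of steps of Fermat's method to see whether the primes are close enough for it to split $n$, and strips the prime factors below 100 from $p-1$ and $q-1$ to see whether a large cofactor survives. The step budget and the cofactor threshold (half the prime's bit length) are my own assumptions rather than figures from the text, and the Lehmer ratio condition is not implemented. The primes in the demo are constructed toy values.

```python
from math import gcd, isqrt

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def fermat_steps_to_split(n, max_steps):
    """Fermat's method: try a = ceil(sqrt(n)), a + 1, ... until a^2 - n is a square b^2,
    giving n = (a - b)(a + b). For n = pq it first succeeds at a = (p + q)/2, so the
    step count measures how close p and q are. Returns the count, or None if the
    budget runs out (the case a safe key should be in)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for step in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return step
        a += 1
    return None


def cofactor_without_small_primes(m, small_primes=SMALL_PRIMES):
    """Divide out every prime factor below 100. What remains must still be large for
    m = p - 1 to have a large prime factor (a necessary screen, not a proof)."""
    for sp in small_primes:
        while m % sp == 0:
            m //= sp
    return m


def check_rsa_parameters(p, q, e, fermat_budget=1000, min_cofactor_bits=None):
    """Return a list of warnings for a proposed prime pair and public exponent
    (p and q are assumed prime already). An empty list means no finding."""
    warnings = []
    if p == q:
        warnings.append("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        warnings.append(f"e={e} is not coprime to (p-1)(q-1): no decryption exponent exists "
                        f"(p or q is congruent to 1 modulo a factor of e)")
    steps = fermat_steps_to_split(p * q, fermat_budget)
    if steps is not None:
        warnings.append(f"p and q are too close: Fermat's method splits n in {steps + 1} step(s)")
    threshold = min_cofactor_bits or max(p, q).bit_length() // 2   # assumed heuristic
    for name, value in (("p-1", p - 1), ("q-1", q - 1)):
        if cofactor_without_small_primes(value).bit_length() < threshold:
            warnings.append(f"{name} has only small prime factors (cofactor after removing "
                            f"primes below 100 is under {threshold} bits)")
    return warnings


if __name__ == "__main__":
    # Constructed toy values; real primes are hundreds of digits long.
    print(check_rsa_parameters(10007, 32749, 65537))   # no findings
    print(check_rsa_parameters(10007, 10009, 65537))   # twin primes: Fermat splits n at once
    print(check_rsa_parameters(65537, 1009, 3))        # 3 | q-1, and p-1 = 2^16, q-1 smooth
```

The third call is instructive: 65537 is a fine choice for $e$ but a poor choice for $p$, precisely because $p - 1 = 2^{16}$ has no large prime factor.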
