
Public Key Ciphers: The RSA...

Date post: 07-Aug-2020
Page 1: Public Key Ciphers: The RSA Cryptosystemcse.iitkgp.ac.in/~debdeep/courses_iitkgp/Crypto/slides/RSA1.pdf · 1 Public Key Ciphers: The RSA Cryptosystem Debdeep Mukhopadhyay IIT Kharagpur


Public Key Ciphers: The RSA Cryptosystem

Debdeep Mukhopadhyay, IIT Kharagpur

Public Key Cryptography

• Two keys
– Sender uses recipient’s public key to encrypt
– Receiver uses his private key to decrypt

• Based on trap door, one way function
– Easy to compute in one direction
– Hard to compute in other direction
– “Trap door” used to create keys
– Example: Given p and q, product N=pq is easy to compute, but given N, it is hard to find p and q


Public Key Cryptography

• Encryption
– Suppose we encrypt M with Bob’s public key
– Only Bob’s private key can decrypt to find M

• Digital Signature
– Sign by “encrypting” with private key
– Anyone can verify signature by “decrypting” with public key
– But only private key holder could have signed
– Like a handwritten signature

Encryption


Authentication

The RSA


Proof of Correctness

$ab \equiv 1 \pmod{\phi(n)} \Rightarrow ab = 1 + t\,\phi(n)$ for some integer $t \geq 1$.

Suppose, $x \in Z_n^* \Rightarrow x^{ab} \equiv x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t\, x \equiv x \pmod{n}$ [follows from Euler's Theorem]

Now, consider $x \in Z_n \setminus Z_n^*$.

So, $\gcd(x, n) \neq 1 \Rightarrow$ ($x$ is a multiple of $p$) or ($x$ is a multiple of $q$)

Thus, gcd(x,p)=p or gcd(x,q)=q. If gcd(x,p)=p, then gcd(x,q)=1 [as otherwise x is a multiple of both p and q and still x is less than n=pq]

Proof of Correctness

Thus, $x^{\phi(q)} \equiv 1 \pmod{q} \Rightarrow x^{\phi(q)\phi(p)} \equiv 1 \pmod{q} \Rightarrow x^{\phi(n)} \equiv 1 \pmod{q}$

Thus, $x^{\phi(n)} = 1 + kq$, where k is a positive integer

Multiplying both sides by x, $x^{\phi(n)+1} = x + kqx$

$\because \gcd(x, p) = p \Rightarrow x = cp$, for some positive integer c,

$x^{\phi(n)+1} = x + kcpq \Rightarrow x^{\phi(n)+1} \equiv x \pmod{n}$

Similarly, we can prove when gcd(x,q)=q


Example

• Bob chooses p=101 and q=113
• Thus n=11413
• Φ(n) = 100 × 112 = 11200 = $2^6 \cdot 5^2 \cdot 7$
• b can be used for encryption if and only if it is not a multiple of 2, 5 or 7. Let b=3533
• In practice Bob will not factor Φ(n), but will check whether gcd(b, Φ(n))=1 using EA and compute $b^{-1}$ at the same time.

Examples

• Bob publishes n=11413 and b=3533.
• Suppose Alice wants to encrypt x=9726 and send to Bob.
• Hence, she computes $x^b \bmod n = 9726^{3533} \bmod 11413 = 5761$ and sends it to Bob.
• Bob computes $b^{-1} \bmod \Phi(n) = 6597$ and decrypts using $5761^{6597} \bmod 11413 = 9726$


Efficient Exponentiation

• Compute $x^c$ efficiently mod n.
• Express c as follows:
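The worked example and the exponentiation step above, as an added Python sketch that is not part of the original slides: `inverse_mod` is the Extended Euclidean check-and-invert step Bob performs, and `square_and_multiply` assumes c is expressed by its binary expansion. The function names are illustrative.

```python
def inverse_mod(b, phi):
    """Extended Euclidean algorithm.

    Returns (gcd(b, phi), b^-1 mod phi); the inverse is None when gcd != 1.
    """
    r0, r1 = phi, b % phi
    t0, t1 = 0, 1                      # invariant: t_i * b == r_i (mod phi)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return r0, (t0 % phi if r0 == 1 else None)


def square_and_multiply(x, c, n):
    """x^c mod n, scanning the binary expansion of c from the top bit down."""
    z = 1
    for bit in bin(c)[2:]:
        z = z * z % n                  # square for every bit of c
        if bit == "1":
            z = z * x % n              # multiply only when the bit is 1
    return z


def rsa_keypair(p, q, b):
    """Return (n, b, a) in the slides' notation: public (n, b), private a."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, a = inverse_mod(b, phi)
    if g != 1:
        raise ValueError(f"b={b} shares the factor {g} with phi(n)={phi}")
    return n, b, a


if __name__ == "__main__":
    n, b, a = rsa_keypair(101, 113, 3533)      # Bob's parameters from the example
    y = square_and_multiply(9726, b, n)        # Alice encrypts x = 9726
    print("n =", n, "a =", a, "ciphertext =", y)
    print("decrypted =", square_and_multiply(y, a, n))
    # 35 = 5 * 7 divides phi(n) = 2^6 * 5^2 * 7, so it has no inverse
    print("b = 35:", inverse_mod(35, 11200))
```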

Choosing the parameters of RSA

• n is known, but its factors are not known
• b is also known, so to compute a one needs the value of Φ(n), for which we need p and q
• It has been conjectured that breaking RSA is polynomially equivalent to factoring n. But there is no proof!
• Typically, the value of n is 1024 bits long and the factors are also large, around 512 bits.


Primality Testing

• How do we say whether a given number is prime?

• We propose randomized algorithms, called Monte-Carlo algorithms

• These algorithms give an answer in time that is polynomial in $\log_2 n$, which is the number of bits required to store n.

• However there is a probability that the algorithm may claim that n is prime when it is not.

Prime Number Theorem

• Number of primes that are less than or equal to N is given by:

$$\pi(N) \approx \frac{N}{\ln N}$$


Hence,…

• If N is a 512 bit number, then there are around $2^{512}/\ln 2^{512} \approx 2^{512}/355$ primes.

• So, a random 512 bit integer will be prime with probability of 1/355.

• Thus, if you choose 355 integers then, on average, one of them is prime

• Thus not bad.
• If you choose only odd numbers the probability doubles.

Monte-Carlo Algorithm

• Randomized algorithm, which is yes-biased
• There is always an answer
• When the answer is yes, it is correct
• If the answer is no, the answer may be wrong
• (Error Probability=ε) => (for any instance if the answer is yes, it can say no with a probability at most ε).

• The probability is over all random choices of the algorithm.


The Problem Composites

• This is a decision problem.
• We will discuss the Solovay-Strassen Algorithm, which is a Monte-Carlo algorithm for Composites.

• Thus if it says yes, n is surely composite.
• However, if n is composite then it says yes with probability at least ½

Quadratic Residue

• There are exactly (p-1)/2 QR (Quadratic Residues)


Example

• $Z_{11}$

$1^2=1$, $2^2=4$, $3^2=9$, $4^2=5$, $5^2=3$, $6^2=3$, $7^2=5$, $8^2=9$, $9^2=4$, $10^2=1$

Note, that the QR forms a palindrome

There are exactly (11-1)/2=5 QRs.

Generalization

How many solutions are there to $x^2 \equiv a \pmod{p}$ for odd positive prime $p$?

If $y^2 \equiv a \pmod{p}$, $y \in Z_p^*$, then $(-y)^2 \equiv a \pmod{p}$

Note, $y \not\equiv -y \pmod{p}$, as p is odd

Thus, the quadratic congruence $x^2 - a \equiv 0 \pmod{p}$ can be factored into $(x - y)(x + y) \equiv 0 \pmod{p}$

Since p is prime, $p \mid (x - y)$ or $p \mid (x + y)$

Thus, $x \equiv \pm y \pmod{p}$

Thus, there are exactly two solutions of the congruence.


The QR Problem

• We have a polynomial time deterministic algorithm to solve this decision problem.

Euler comes to the rescue again

• The time complexity of this check is $O((\log p)^3)$ by applying square and multiply method to raise an element to a power.

• Note that if $a^{(p-1)/2} \equiv -1 \pmod{p}$ then a is a non-quadratic residue.


Legendre Symbol

Jacobi Symbol


Example

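• Compute $\left(\frac{6278}{9975}\right)$

• Note $9975 = 3 \times 5^2 \times 7 \times 19$

$$\left(\frac{6278}{9975}\right) = \left(\frac{6278}{3}\right)\left(\frac{6278}{5}\right)^2\left(\frac{6278}{7}\right)\left(\frac{6278}{19}\right) = \left(\frac{2}{3}\right)\left(\frac{3}{5}\right)^2\left(\frac{6}{7}\right)\left(\frac{8}{19}\right) = (-1)(-1)^2(-1)(-1) = -1$$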

Prime vs Composite

• Suppose n>1 is odd. If n is prime then $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod{n}$

• But if n is composite, it may or may not be the case that the above equation holds

• For any odd composite n, n is an Euler Pseudo-prime to the base a for at most half of the integers $a \in Z_n^*$


Example

• 91 is a pseudo prime number to the base 10
• Note that gcd(10,91)=1

$$\left(\frac{10}{91}\right) = -1 \equiv 10^{(91-1)/2} \equiv 10^{45} \pmod{91}$$

• If gcd(a,n)>1 then a and n have at least one common prime factor. Thus the Jacobi of a to the base n is 0. The condition is actually if and only if. Thus if Jacobi is 0 with respect to any a, n is composite. But remember the choice of a is random.

Testing Primality

• However if the Jacobi is not zero, then we check whether it is equal to $a^{(n-1)/2}$ mod n.

• If no, then it is composite.
• But if yes….
– it can be prime
– it can be pseudo-prime

• we say it is prime
• so the result can be erroneous


Testing Primality

• Luckily we have the following fact:
– If the Jacobi is not zero wrt a then gcd(a,n)=1
– So, $a \in Z_n^*$
– For any odd composite n, n is an Euler pseudo-prime to the base a for at most half of the integers $a \in Z_n^*$
– Thus we have the following Monte-Carlo Algorithm with error probability at most ½

Solovay-Strassen Algorithm

The decision problem is “Is n composite?”.

Note that whenever the algorithm says “yes”, the answer is correct.

Error may occur when the answer is “no” and the error probability is at most 1/2.


Rules to be remembered

Example

An Example


Complexity

• Roughly $O((\log n)^3)$

• Only arithmetic operations are factoring out powers of two and modular reductions.

• Former depends on number of trailing zeros if the number is encoded as binary.

• So, dominated by modular reduction.
• Roughly O(log n) modular reductions necessary, each can be done in $O((\log n)^2)$

• Note this is a loose estimate.
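The Jacobi-symbol computation and the Solovay-Strassen test described above, as an added Python sketch that is not taken from the slides: `jacobi` uses the standard rules (factor out powers of two, swap by reciprocity, reduce), and `euler_liars` is an exhaustive helper introduced here to check the "at most half" bound on a small n.

```python
from math import gcd
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:              # factor out powers of two: (2/n)
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                    # reciprocity: flip if both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n                         # modular reduction
    return sign if n == 1 else 0


def says_composite(n, a):
    """One round for odd n > 2. True means n is surely composite."""
    j = jacobi(a, n)
    if j == 0:                         # gcd(a, n) > 1
        return True
    return pow(a, (n - 1) // 2, n) != j % n


def euler_liars(n):
    """Bases in Z_n^* to which odd n is an Euler pseudo-prime (small n only)."""
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and not says_composite(n, a)]


def probably_prime(n, m=20, rng=random):
    """Answer "prime" only if m random bases all fail to prove n composite."""
    return not any(says_composite(n, rng.randrange(1, n)) for _ in range(m))


if __name__ == "__main__":
    print("(6278/9975) =", jacobi(6278, 9975))
    print("base 10 exposes 91:", says_composite(91, 10))
    print("base 2 exposes 91:", says_composite(91, 2))
    print(len(euler_liars(91)), "of 72 bases in Z_91^* are liars")
    print("101 probably prime:", probably_prime(101))
```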

Repeated Application

• a: a random odd integer n of specified size is composite

• b: the algorithm answers n is prime m times in succession

• $\Pr[b|a] \leq 2^{-m}$, but we need Pr[a|b].
• We apply Bayes’ Theorem.


Repeated Application

• What is Pr[a]?
– Assume N≤n≤2N. Thus number of prime numbers between N and 2N is about:
• [2N/ln(2N)]-[N/(ln N)]≈ N/(ln N)≈n/ln(n)
• Since there are N/2≈n/2 odd integers in this range, the probability of choosing a prime number is 2/ln(n), and thus that of choosing composite number is: Pr[a] ≈ 1-[2/ln(n)]
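
Bayes' theorem carried through with the quantities above, as an added derivation that is not reproduced from the slides. It assumes $\Pr[b \mid \bar{a}] = 1$, which holds because the algorithm never reports a prime as composite, and it uses the fact that the middle expression increases with $\Pr[b \mid a]$:

$$\Pr[a \mid b] = \frac{\Pr[b \mid a]\,\Pr[a]}{\Pr[b \mid a]\,\Pr[a] + \Pr[b \mid \bar{a}]\,\Pr[\bar{a}]} \approx \frac{\Pr[b \mid a]\,(\ln n - 2)}{\Pr[b \mid a]\,(\ln n - 2) + 2} \leq \frac{2^{-m}(\ln n - 2)}{2^{-m}(\ln n - 2) + 2} = \frac{\ln n - 2}{\ln n - 2 + 2^{m+1}}$$

For a 512 bit n, $\ln n \approx 355$, so $m = 20$ rounds give $\Pr[a \mid b] \lesssim 353/(353 + 2^{21}) \approx 1.7 \times 10^{-4}$.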

Repeated Application


Error Probability of Solovay-Strassen

both becomes fairly small and negligible values and can be neglected.

Factoring Algorithms

• Most obvious way to attack RSA would be to try to factor the public modulus, n

• Modern Algorithms: Quadratic Sieve, Elliptic Curve Factoring Sieve, Number field Sieve.

• Other well-known algorithms: p-1 algorithm, Pollard’s rho algorithm etc.

• Of course we have trial division.


Complexity of Trial Division

• If n is composite, then n has a prime factor less than √n.
• Good if n is less than $2^{40}$.
• We need to do better than trial division for larger composite numbers
• We shall study two algorithms.
• Note we are just searching for a non-trivial factor.
• If we desire complete prime factorizations, then we need to test for primality of the obtained factors, and if composite further factorize them

The Pollard p-1 algorithm

• Two inputs:
– n: odd integer
– B: Prescribed bound


Explanation of the Algorithm

• Suppose p is a prime divisor of n.

• Consider the prime factors of (p-1)

• Suppose for every prime power q|(p-1), q≤B

Prime Factorization of (p-1): $(p-1) = q_1^{e_1} q_2^{e_2} \cdots q_k^{e_k}$

wlog let $q_1^{e_1} < q_2^{e_2} < \cdots < q_k^{e_k} \leq B$; then, $(p-1) \mid B!$

This is because all the prime powers exist in the terms of B! at least once.

At the end of the for loop, the algorithm computes: $a \equiv 2^{B!} \pmod{n}$.

Hence, $a = kn + 2^{B!}$, where k is an integer.

Now, n=pq. Thus, $a = kpq + 2^{B!}$.

Thus, $a \equiv 2^{B!} \pmod{p}$.

Since we have $2^{p-1} \equiv 1 \pmod{p}$ and $(p-1) \mid B!$ $\Rightarrow a \equiv 2^{B!} \equiv 1 \pmod{p}$

Thus, $p \mid (a-1)$ and $p \mid n$, thus $p \mid \gcd(a-1, n)$.

Thus we have a non-trivial factor of n, unless a=1.


Example

• n=15770708441
• Set, B=180
• a=11620221425
• d=gcd(a-1,n)=135979

• 15770708441=135979x115979

Finer Points

• There are B-1 modular exponentiations each requiring at most $2\log_2 B$ modular multiplications, using square and multiply.

• The gcd can be computed in $O((\log_2 n)^3)$ using the Extended Euclidean algorithm.

• Overall complexity = $O(B \log B (\log n)^2 + (\log n)^3)$. If $B = O((\log n)^i)$, then we have a polynomial time algorithm.

• However, if B increases the success probability increases, but the algorithm becomes as slow as the trial division.

• Hence, the modulus n should be such that p-1 does not have all prime powers small.


Pollard’s Rho Method

• Say, n=16843009
– What is d|n? (We know that d ≤ √n)
– A possible method: Start picking up a and b at random (0 ≤a,b<n). Since, d is small there is a good chance that a≡b (mod d). Thus d|(a-b) and we know d|n.
– Thus, gcd(a-b,n) gives a non-trivial factor of n.
– From Birthday paradox, if the number of elements picked are O(√p), then we have a large chance of a collision.

Number of gcd’s too large

• Pick a and b: compute gcd(a,b)
• Pick up c: compute gcd(a,c), gcd(b,c)
• Pick up d: compute gcd(d,a),gcd(d,b),gcd(d,c)
• Thus if |X|=O(√p) is the number of elements chosen, number of gcds is:

$${}^{|X|}C_2 = O(p) = O(\sqrt{N})$$

Memory $= O(\sqrt[4]{N})$

Time $= O(\sqrt{N})$


Improvement

• We wish to compute fewer gcd’s.
• We choose a polynomial $f(x) = x^2 + a$, to randomly choose the numbers mod n.
– note a is not 0 or -2 mod n. Why?

Suppose, $x_i \equiv x_j \pmod{p} \Rightarrow f(x_i) \equiv f(x_j) \bmod p$

Since $x_{i+1} \equiv f(x_i) \bmod n$, we have $x_{i+1} \bmod p \equiv [f(x_i) \bmod n] \bmod p \equiv f(x_i) \bmod p$

Similarly, $x_{j+1} \bmod p \equiv [f(x_j) \bmod n] \bmod p \equiv f(x_j) \bmod p \equiv x_{i+1} \bmod p$

Repeating, if $x_i \equiv x_j \bmod p$, we have $x_{i+\delta} \equiv x_{j+\delta} \bmod p$, $\forall \delta \geq 0$

Looks like the letter ρ (rho)

[Figure panels: mod 1387, mod 19, mod 73]


Reducing number of gcds

• Our goal is to find two terms $x_i \equiv x_j \pmod{p}$, i<j.

$l = j - i$, and $l$ is the length of the cycle.

$x_{i'} \equiv x_{i'+kl}$, where $k$ is an integer

Now in $l$ consecutive terms, $x_i, x_{i+1}, \ldots, x_{j-1}$, there is one index say $i'$ which is divisible by $l$.

If $l \mid i' \Rightarrow l \mid (2i' - i')$

Thus as $2i' > i'$ and $(2i' - i')$ is a multiple of $l$, $x_{2i'} \equiv x_{i'} \pmod{p}$

Thus we compute gcd only when the current index is even and $d = \gcd(x_{2i} - x_i, n)$ gives a non-trivial factor of $n$.

• Consider $x'_3, x'_4, x'_5$ in the cycle for mod 19: there is one index, namely 3, which is divisible by 3, the cycle length. So, $\gcd(x_6 - x_3, 1387) = \gcd(1186 - 8, 1387) = 19$.


The Pollard Rho Algorithm

Complexity

• You have to compute gcd till j and j is $O(\sqrt{p}) = O(n^{1/4})$
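
The rho method with the $x_{2i}$ versus $x_i$ comparison described above, as an added Python sketch that is not the slides' own listing. It assumes $f(x) = x^2 - 1$ and $x_1 = 2$, which reproduce the values $x_3 = 8$ and $x_6 = 1186$ quoted for n = 1387; `rho_shape` and `find_factor` are helpers introduced here.

```python
from math import gcd


def rho_sequence(n, a=-1, x1=2):
    """Yield x_1, x_2, ... with x_{i+1} = f(x_i) mod n and f(x) = x^2 + a."""
    x = x1
    while True:
        yield x
        x = (x * x + a) % n


def rho_shape(n, p, a=-1, x1=2):
    """(index where the cycle of x_i mod p starts, cycle length l)."""
    seen = {}
    for i, x in enumerate(rho_sequence(n, a, x1), start=1):
        if x % p in seen:
            return seen[x % p], i - seen[x % p]
        seen[x % p] = i


def pollard_rho(n, a=-1, x1=2):
    """Return (d, i) for the first i with d = gcd(x_2i - x_i, n) > 1.

    d == n means this choice of a failed.
    """
    f = lambda x: (x * x + a) % n
    slow, fast, i = x1, f(x1), 1       # slow = x_i, fast = x_2i
    while True:
        d = gcd(fast - slow, n)
        if d > 1:
            return d, i
        slow, fast, i = f(slow), f(f(fast)), i + 1


def find_factor(n, tries=20):
    """Retry with another constant a when a run ends in the trivial factor n."""
    for a in [-1] + list(range(1, tries)):
        if a % n in (0, n - 2):        # the slides exclude a = 0 and a = -2
            continue
        d, _ = pollard_rho(n, a)
        if d != n:
            return d
    return None


if __name__ == "__main__":
    print("tail start and cycle length mod 19:", rho_shape(1387, 19))
    print("factor of 1387 and index i:", pollard_rho(1387))
    print("factor of 16843009:", find_factor(16843009))
```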

