350 likes | 668 Views
The RSA Algorithm. Rocky K. C. Chang, March 2014. Outline. Trapdoor one-way function The RSA algorithm Some practical considerations RSA ’ s security Some pitfalls of RSA. Trapdoor one-way function. Suppose n = p q, where p and q are large primes. Consider f(m) = m e mod n.
E N D
The RSA Algorithm Rocky K. C. Chang, March 2014
Outline • Trapdoor one-way function • The RSA algorithm • Some practical considerations • RSA’s security • Some pitfalls of RSA
Trapdoor one-way function • Suppose n = pq, where p and q are large primes. • Consider f(m) = me mod n. • For certain values of e and that n is large enough, f(m) is a one-way function. • It is computationally infeasible to obtain m based on the knowledge of n, e, and f(m). • However, with the knowledge of a certain trapdoor, the inversion is easy to do. • The trapdoor for RSA is the factorization of n (i.e., the knowledge of p and q).
The RSA algorithm • Let n = pq, where p and q are primes. Note that n is a composite number. • Let M = C = Zn = {0, 1, 2, …, n–1}. • K = {(n, p, q, d, e): e d 1 (mod (n))}. • We will see that (n) = (p–1)(q–1). • For K = (n, p, q, d, e), define • EK(m) = me mod n, and • DK(c) = cd mod n, where m, c Zn. • The (n, e) comprise the “public key.” • The (p, q, (n), d) comprise the “private key.”
To probe further • Both encryption and decryption involve modulo multiplications. • Since n is a composite, Zn is not a group under modulo multiplication, i.e., the inverse may not exist. • Z*n = {a Zn: gcd(a,n) = 1}. • Zn \Z*n = {a Zn: gcd(a,n) > 1}. • How many elements in Z*n? • We denote the number of elements by (n). • Recall that (n) is used in determining d and e.
The value of (n) • Note that gcd(a,n) = 1 iffgcd(a,p) = 1 andgcd(a,q) = 1. • There are q numbers in Zn that satisfy a mod p = 0: {0, p, 2p, …, (q–1)p}. • There are p numbers in Zn that satisfy a mod q = 0: {0, q, 2q, …, (p–1)q}. • Therefore, the total number of numbersin Zn that their gcd(a,n) > 1 is p+q–1. • Thus, (n) = pq – (p+q–1) = (p–1)(q–1). • Use the well-known result (in slide 28 of the prelude slides) that if b Z*n, then b(n) 1 (mod n). • Therefore, a(p–1)(q–1) 1 (mod n), for a Z*n.
For example, • Let p = 3, q = 5. Therefore, n = 15 and(p–1)(q–1) = 8. • For any a {0, 3, 5, 6, 9, 10, 12}, a8!1(mod 15). • For any a {1, 2, 4, 7, 8, 11, 13, 14}, a8 1 (mod 15), e.g., • 24 1 (mod 15). • 42 1 (mod 15). • 74 1 (mod 15). • … • Note that primitive elements may not exist in Z*n, because n is not a prime.
The relationship between e and d • The values of e and d have to satisfy • e d 1 (mod (p–1)(q–1)). • Recall that d exists iffgcd(e,(p–1)(q–1)) = 1 (slide 17 of the prelude slides). • For example, p = 101 and q = 113. • n = pq = 11413. • (n) = (p–1)(q–1) = 11200 = 26527. • Pick e = 3533, which is not divisible by 2, 5, or 7. • Use the extended Euclidean algorithm to compute d = e-1 mod 11200 = 6597. • To encrypt m = 9726, compute 92763533 mod 11413 = 5761. • To decrypt c = 5761, compute 57616597 mod 11413 = 9726.
DK(EK(m)) = m? • Recall that ed 1 (mod (n)). • In other words, ed = t(n)+1, where t is a nonnegative integer. • Part 1: Let’s consider an m Z*n. • (me)d mt(n)+1(mod n). • (me)d (m(n))tm(mod n). • (me)d (1)tm(mod n). • (me)d m (mod n).
DK(EK(m)) = m? • Part II: Let’s consider an m Zn\Z*n. • Using the Chinese Remainder Theorem, m mod n can be uniquely represented by (m mod p, m mod q). • Note that either the following is true: • m mod p = 0 and m mod q = 0 or • m mod p = 0 and m mod q 0 or • m mod p 0 and m mod q = 0. • For m mod p = 0 and m mod q = 0, • med mod p = 0 and med mod q = 0. • Therefore, med m (mod p) = 0 and med m (mod q) = 0. • For those cases where m mod p = 0 or m mod q = 0, • Say m mod p = 0 or m mod q 0, • By the CRT, med mod n can be represented by (0, med mod q). • Using the previous two results, (0, med mod q) is equal to (0, mmod q).
Digital signing using RSA • To sign a message m, Alice computes s = md mod n. • The pair (m,s) is a signed message. • To verify the signature, anyone who knows the public key can verify that se m mod n, the message itself.
Generating the RSA parameters • Generate 2 large primes, p and q (each with size k/2 bits). • n (k ≥ 2048 bits) pqand (n)(p–1)(q–1). • Choose a random e (1 < e < (n)) such that gcd(e,(n)) = 1. • d = e-1 mod (n). • Publish (n,e) and safeguard the secret (p, q, (n), d).
Generating the RSA parameters • Need an efficient algorithm to generate a large prime. • Rabin-Miller test determines whether an odd integer n is prime. • Find 2 large primes. • Use the Euclidean algorithm to make sure that gcd(e,(n)) = 1. • Use the extended Euclidean algorithm to compute d = e-1 mod (n).
Practical considerations • Usually fix the value of e, e.g., e = 3 for signatures and e = 5 for encryption. • There are pitfalls when one is using the same exponent for both encryption and signatures. • Therefore, p – 1 and q – 1 cannot be multiples of 3 or 5. • Smaller exponent for signatures (why?) • Some problems with small exponents (to be discussed shortly). • Other common values for e are 17 and 65537.
The RSA’s security • An obvious attack against RSA is to factor n. • If this can done, then obtain p and q. • Compute (p–1)(q–1). • Compute e-1 mod (p–1)(q–1) = d. • Roughly speaking, breaking the RSA algorithm is as difficult as factoring n. • The “current” factoring algorithms are able to factor numbers having up to 512 bits. • On the safe side, n ≥ 2048 bits to make the factoring problem computationally infeasible to solve.
The RSA’s security • Moreover, if one can obtain (n), one can obtain other elements in the private key. • First of all, one can obtain p and q by solving • n = pq and • (n) = (p–1)(q–1). • The solution for p is given by • p2 – (n – (n) + 1)p + n = 0. • In other words, if one can compute (n), one can factor p and q. • Lastly, what happen if one can obtain the value of d? • n can be factored in polynomial time using a randomized algorithm.
Pitfalls using RSA • Problem 1: If Alice signs 2 messages m1 and m2. Eve can compute Alice’s signature on m3 = m1m2 mod n. • Original signatures: m1d and m2d. • Eve can produce the signature for m3 by multiplying m1d and m2d.
Pitfalls using RSA • Problem 2: When RSA is used to encrypt a very small message m. • E.g., if e = 5 and m < n1/5, then me = m5 < n. Therefore, no mod n operation needed. • Simply take a fifth root of c to recover m! • For example, if encrypting a 256-bit key using RSA, the encrypted key is less than 22565 = 21280 << 22048 if n is a 2048-bit integer. • The main problem is the existence of a structure in the numbers that RSA operates on. • A possible approach is to use an encoding function to destroy the structure as much as possible.
Message encryption using RSA • Using RSA to encrypt a message is almost never practiced. • The size of the message is limited by the size of n. • Instead, choose a random secret key K, and encrypt K with the RSA key. • The message encryption is based on secret key cryptosystem, • Sending Ke mod n, EK(m).
Message encryption using RSA • A better approach is: • Choose a suitable random number r {0, 1, …, n–1}. • Set K = h(r), where h() is some hash function. • Send re mod n and EK(m). • Advantages: • There is no structure in r. • The hash function ensures that no structure between r’s propagates to structure in the K’s.
Digital signatures using RSA • Problem: remove the structures of the messages that are signed. • Use a hash function to hash the messages. • The hash function’s output (e.g., 256 bits) is small compared with the size of n (e.g., 2048 bits). • Cannot use the hash function output directly in RSA.
Digital signatures using RSA • A solution is to use a pseudorandom mapping to expand h(m) to a random number s {0, 1, …, n – 1}. • If you ask Alice to sign a number of messages m1, m2, …, mi. • Eve can get hold of the (m, s), but the values of s are effectively random. • Thus, the information does not help forge Alice’s signature.
The RSA Lab’s public-key cryptography standard • PKCS #1 for RSA or RFC 3447 covers • Data conversion primitives: a text <-> a non-negative integer • Cryptographic primitives • Encryption schemes • RSAES-OAEP (for new applications) – cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme • RSAES-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method • Digital Signature schemes • RSASSA-PSS (for new applications) – cryptographic primitives + a probabilistic signature scheme-based encoding method • RSASSA-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method
Conclusions • RSA can be used for encryption as well as digital signatures. • The security of RSA lies on the difficulty of factoring a large number into 2 primes. • RSA encryption and decryption require expensive exponentiation operations. • The CRT helps accelerate the operations. • In practice, RSA is used to encrypt a secret key with an encoding function. • In practice, the messages to be signed have to go through a hash function to destroy the message structures.
Acknowledgments • The notes are prepared mostly based on • D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002. • N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003. • http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf