Basic idea on RSA Cryptosystem

M.Sc. Project Report

Submitted by

DIPANKAR SARKAR
Roll No. - 15MA40004
Under the supervision of

Prof. SOURAV MUKHOPADHYAY

Department of Mathematics
Indian Institute of Technology Kharagpur
Kharagpur - 721302
West Bengal, India

CERTIFICATE

This is to certify that the project report entitled Basic idea on RSA Cryptosystem is
a bona fide record of the work done by Dipankar Sarkar, Roll No.15MA40004, a student
of two year M.Sc. course in Mathematics,under my supervision for the partial fulfilment of the
requirements for the award of the degree of Master of Science in Mathematics. The same report
has not been submitted anywhere for the award of any other degree or diploma.

Prof. M. P. Biswal
Head of Department,
Department of Mathematics,
Indian Institute of Technology,
Kharagpur, West Bengal-721302

Prof. Sourav Mukhopadhyay

Supervisor,
Department of Mathematics,
Indian Institute of Technology,
Kharagpur,West Bengal-721302

Acknowledgement

I would like to articulate my deep gratitude to my project guide Prof. Sourav Mukhopadhyay who have always been a source of motivation for carrying out the project and assisted
always whenever required. His constant inspiration and ideas have helped me in shaping this
project.I am thankful to him for giving his valuable time despite his busy schedule for completion
of my project.
I would like to express my gratitude to all the professors for making me capable for this research
project and to all those authors for giving shape to my thoughts through their publications.
Last but not the least I would like to thank my seniors and my family for supporting me in
every possible way while carrying out this project work.

Dipankar Sarkar (15MA40004)

Department of Mathematics,
Indian Institute of Technology,
Kharagpur, West Bengal -721302

Date:
Kharagpur

Abstract
The basic aim of the paper is to warn the user that Even if a secure cryptosystem is used for a
given application, this doesnt mean a pirate cannot mount a successful attack. The motivation of
this report is to highlight on the construction and possible attacks to the celebrated public key
cryptosystem namely RSA.
Most popular attack on RSA Cryptosystem is Factorization Attack. Upto this date the best
method is the Number Field Sieve for its run time. Also some well known are Lenstra Elliptic
Curve Factorization Method(ECM) and Quadratic Sieve Field. In 2009, Thorsten Kleinjung
factorize 768 bit RSA modulus using Number of Field Sieve. But RSA 1024 is still safe. Also
their some another popular attack on RSA namely Low Private Exponent, Low Public Exponent,
Implementation Attack.
One of the misuses of RSA is to use a small value of d to reduce decryption time. Unfortunately,
a clever attack due to M. Wiener in 1990(IEEE Transactions on Information Theory) shows that
a small d can result in a total break of the RSA cryptosystem. Later on 1999, Boneh and Durfee
( Advances in Cryptology EUROCRYPT 99) improve the bound of d.

Contents
1 RSA Cryptosystem
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Core of the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6
6
7

2 Attack
2.1 Factorization Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Chosen-Cipher Text Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Low Private Exponent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9
9
10
11

3 Implementation
3.1 Implementation . . . . .
3.1.1 Basic Knowledge
3.1.2 Code . . . . . . .
3.1.3 Practical Test . .

15
15
15
16
16

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

4 Conclusion and Future Scope

24

Bibliography

25

Chapter 1
RSA Cryptosystem
1.1

Introduction

In The Lives of the Twelve Caesars, Suetonius writes of Julius Caesar: ... if there was occasion
for secrecy, he wrote in cyphers; that is, he used the alphabet in such a manner, that not a single
word could be made out. The way to decipher those epistles was to substitute the fourth for the
first letter, as d for a, and so for the other letters respectively.
We are acquainted with the term RSA for the first time by famous mathematician Ron Rivest,
Adi Shamir and Len Adleman in Scientific American, which was issued in august 1977. RSA is
a very important public domain. The RSA algorithm became a standard encryption method for
many pieces of software, especially Internet related software such as Microsoft Internet Explorer
and Netscape Navigator. It is also used in the TLS (Transport Layer Security) and SSL (Secure
Socket Layer) protocols which provide security for Internet communications such as email and
web browsing. As it is widely used now-a-days, therefore we should put attention on its security
too. The main purpose of this cryptosystem is to provide privacy and authenticity of digital data.
Of late, RSA is deployed in many commercial purpose. Mainly it is used by the web servers and
browsers to secure web traffic; i.e. to ensure privacy and authenticity of E-mail. Again it is also
used for remote login session. It is also basement of electronic card payment system. In short it
can be safely asserted that, RSA is basically used in applications where security of digital data is
concerned.
Upto this year many possible attacks on RSA has been found but none of them is highly
devastating. Throughout this session we follow standard notation and standard name that is, we
think Alice wants to communicate with Bob in a public channel and Marvin is the third person
who want to intervene in the public channel, a bad guy.
Definition 1.1.1. One Way Function A one way function is a function that satisfies the
following properties:
1. f is easy to compute. In other words, given x, y = f (x) can be easily computed.
2. f 1 is difficult to compute. In other words, given y, it is computationally infeasible to calculate
x = f 1 (y).
A trapdoor one way function is a one way function with the property:
3. Given y and a trapdoor(secret), x can be easily computed.
6

Example When N is large with N = p q is a one way function. Note that in this function x
is a tuple (p, q) of two primes and y is N . Given p and q it is easy to calculate N , but given N it
is infeasible to find p and q. This problem is known as Factorization problem, secrecy of RSA is
depend on this N P hard problem. So it is also known as RSA problem.

1.2

Core of the System

We start our discussion with the definition of RSA. First we take two large prime p and q each of
which have same size. Then we calculate N = p q; RSA number. Using the concept of Eulers
phi function we calculate (N ) = (p 1) (q 1). Let e be an invertible element in the group
Z(N ) . Find d such that ed 1 mod (N ). Make hN, ei as public key and hp, q, di be the private
key. Let Alice have a message M wants to encrypt it using public key hN, ei. So she calculate
C M e (mod N ); C is the corresponding cipher text and sent it to Bob via public channel. To
decrypt the message Bob calculate M C d (mod N ).
Algorithm 1.2.1. RSA Key Generation
Input: two large prime p and q.
Output: Public_Key and Private_Key
1. Calculate N p q.
2. (N ) (p 1)(q 1).
3. Select e such that gcd(e, (N ) = 1 with e 6= 1.
4. d e1 mod (N ).
5. Public_Key (e, N )
Private_Key d
6. return Public_Key and Private_Key

Anyone can send a message to Bob using his public key. Encryption in RSA can be done using
an algorithm with the polynomial time complexity.
Algorithm 1.2.2. RSA Encryption
Input: Message M , Public_Key, and N
Output: Ciphetext C.
C M e mod N
to calculate above term one can use Fast Exponentiation Algorithm.
Now Bob want to decrypt the ciphertext message. Decryption in RSA can be done using an
algorithm with the polynomial time complexity.

Algorithm 1.2.3. RSA Decryption

Input: Ciphetext C, Private_Key, and N
Output: Message M .
M C d mod N
to calculate above term one can use Fast Exponentiation Algorithm.
Example Suppose p = 7; q = 11. So N = 77. Therefore (N ) = 60. Choose e = 13 so d = 37.
Now message M = 5 So ciphertext is
C 513 26

mod 77

Bob recived the ciphertext and using his private key he want to decypt the message
M 2637 5

mod 77.

The plaintext 5 send by Alice is recived as plaintext 5 by Bob.

Chapter 2
Attack
No highly devastating attacks on RSA have been yet discovered. Many mathematician proposed
many kinds of attack that based on the weak plain text, weak parameter selection or inappropriate
implementation.
Categories of potential attacks are(i) Factorization Attack
(ii) Chosen Ciphertext
(iii) Decryption Exponent (Revealed and low exponent)
(iv) Encryption Exponent (Coppersmith, Broadcast, Related Message and short time pad)
(v) Modulus and Another Attack(Common Modulus, Davidas Attack)
(vi) Implementation(time and power)

2.1

Factorization Attack

The most obvious way to attack the RSA Cryptosystem is to attempt to factor the public components. Because if Marvin can factor N then he can calculate (N ) for which he get d easily. We
refer to factoring the modulus as a brute-force attack on RSA. The problem of integer factorization
is one of the oldest beautiful work in number theory. Although factoring algorithms have been
steadily improving, the current state of the art is still far from posing a threat to the security of
RSA when RSA is used properly.
We can identify three approaches to attack RSA mathematically.
1. Factoring N into its two prime factors. This enables calculation of (N ) = (p 1)(q 1),
which in tern enables determination of d e1 mod (N ).
2. Determine (N ) directly, without first determing p and q. Again this enables determination of
d e1 mod (N )
3. Determine d directly, without first determining (N ).

So our main part of discussion is, if an efficient factoring algorithm exists, then RSA is insecure.
The converse is a long standing open problem: must one factor N in order to efficiently compute
eth roots modulo N ? Is breaking RSA as hard as factoring? We state the concrete open problem
below.
Open Problem 2.1.1. Given integers N and e satisfying gcd(e, (N )) = 1, define the function
fe,N : Zn Zn by fe,N (x) = x1/e mod N . Is there a polynomial-time algorithm A that computes
the factorization of N given N and access to an oracle fe,N (x) for some e?
An oracle for f (x) evaluates the function on any input x in unit time. But many mathematicians give the observation that, for small e there may not exist a polynomial time reduction
from factoring to breaking RSA. We note that a positive answer to open problem gives rise to a
Chosen Cipher Text Attack on RSA. Therefore, a negative answer may be negative answer may
be welcome.
So many factorization methods[?] are there named as Pollard p 1 algorithm, Pollard Rho
Algorithm, Dixon Random Squares Algorithm, Williams p + 1 algorithm, Elliptic Curve Method,
General Number of Field Sieve etc.. We do not discuss about such factorization method. We put
the running time of such method. The notation o(1) denotes a function of N that approaches 0
as n , p denotes the smallest prime factor of N , and Eulers constant e = 2.718.
Running Time

i. Pollards Rho algorithm O( p)

ii. Pollards p-1 algorithm O(
p) where p is the largest prime factor of p 1.
iii. Williams p+1 algorithm O(
p) where p is the largest prime factor of p + 1.
1/2

iv. Elliptic Curve Method(ECM) O(e(1+o(1))(2 ln p ln ln p)

1/2

v. Quadratic Sieve(Q.S) O(e(1+o(1))(ln N ln ln N )

1/3

vi. Number Field Sieve(NFS) O(e(1.92+o(1))(ln N )

(ln ln N )2/3

RSA-110 has 110 decimal digits (364 bits), and was factored in April 1992 by Arjen K. Lenstra
and Mark S. Manasse in approximately one month.
Recently on December 12, 2009 RSA 768 was factored using Number of Field Sieve by Thorsten
Kleinjung, Arjen Lenstra[10]. But RSA 1024 is still secure under any factorization method. So
RSA 1024 is recommended.

2.2

Chosen-Cipher Text Attack

A potential attack on RSA is based on the multiplicative property of RSA. Assume that Alice
creates the cipher text C M e mod N and sends M to Bob. Also assume that Bob will decrypt
an arbitrary ciphertext from Marvin othe than C. Marvin intercepts C and uses the following
steps to find M :
10

i. Marvin chooses a random integer X in ZN

ii. Marvin calculate Y CX e mod N .
iii. Marvin sends Y to Bob for decryption and get Z Y d mod N . This step is instance of a
chosen cipher text attack.
iv. Marvin can easily find M because
Z Y d mod N
d

CX e mod N C d X ed mod N
C d Xmod N M Xmod N
M ZX 1 mod N
Usually, a Chosen Cipher text attack is based on the theoretical assumption that the attacker
has access to a decryption device that returns the complete decryption for a Chosen Cipher text.
Hence, if a public key cryptosystem is susceptible to a Chosen Cipher text attack, which often is
considered to be only a theoretical weakness. Chosen Cipher text attack requires more decryptions
with each candidate key to identify the expected clear text statistics. In public key cryptosystems,
it suffices to know the victims public key, since the attacker can generate by himself the required
cipher text pairs.

2.3

Low Private Exponent

To reduce decryption time (or signature-generation time), one may wish to use a small value of d
rather than a random d. Since modular exponentiation takes time linear in log2 d, a small d can
improve performance by at least a factor of 10 (for a 1024 bit modulus). Unfortunately, a clever
attack due to M . Wiener[12] shows that a small d results in a total break of the cryptosystem.
Now if N and (N ) is known to Marvin then he can factor N using following rule.
i. N = pq and
(N ) = (p 1)(q 1)
ii. Put q =

N
p

in the above equation then we have a quadratic equation in p



p2 N (N ) + 1 p + N = 0

iii. The roots of the above equation are factor of N . Thus Marvin can break the system if he can
learn the value (N ).
So this technique gives a method that if Marvin have (N ) then he can learn the value of d, the
RSA decryption component. Now how Marvin can have the value of (N )?
1

Theorem 2.3.1. (M. Wiener) Let N = pq with q < p < 2q. Let d < 31 N 4 . Given hN, ei with
ed 1 mod (N ), Marvin can efficiently recover d.

11

Proof. In this proof we use concept of continued fractions [7]. Since ed 1 mod (N ), there
exists a k such that ed k(N ) = 1. Therefore,
 e
k 
1

=

(N ) d
d(N )

(2.1)

e
Clearly kd is an approximation of (N
. Also note that Marvin does not know (N ), but for
)
approximation heuse N . Also (N ) = N p
q + 1 and 0 < N (N ) = p + q 1 <
2 q + q 1 < 3 N . So we have |N (N )| < 3 N .
Replacing N by (N ) in above equation, we obtain

e
k   ed k(N ) kN + k(N )   1 k(N (N ))   3k N 
3k

(2.2)
 =
=

= .
N
d
Nd
Nd
Nd
d N
1

Now k(N ) = ed 1 < ed. Since e < (N ), we see that k < d < 13 N 4 . Hence we obtain
e


N

1
k 
1

1 <
d
2d2
dN 4

(2.3)

This is a classic approximation relation. The number of fractions kd with d < N approximating
e
so closely is bounded by log2 N . In fact, all such fractions are obtained as convergent of the
N
continued fraction expansion of Ne . All one has to do is compute the log N convergent of the
continued fraction for Ne . One of these will equal kd . Since ed k(N ) = 1, we have gcd(k, d) = 1,
and hence kd is a reduced fraction. This is a linear-time algorithm for recovering the secret key
d.
2
Algorithm 2.3.1. Wiener Attack

1. Input: a public key hN, ei,a continued fractions of

e
N

: [q1 , q2 ...qm ];

Output: a non-trivial factors p and q of N .

2. Set c0 = 1, c1 = q1 , d0 = 0, d1 = 1
3. while i = 2 to m do Calculate z =

(ci e1)
di

3.1. If z is an integer then Let p and q be the roots of the equation:

x2 (N z + 1)x + N = 0;
3.2. If p and q are positive integers then return hp, qi;
3.3. i = i + 1;
3.4. ci = qi ci1 + ci2 ;
3.5. di = qi di1 + di2 ;
4. return failure;

12

Example Suppose that N = 1605233347 and e = 60728973. The continued fraction expansion
of e/N is
[0, 2, 1, 1, 1, 4, 12, 102, 1, 1, 2, 3, 2, 2, 36]
The first few convergents are
1 1 2 3 14
0, , , , ,
2 3 5 8 37
We can verify that the first five convergents do not produce a factorization of N . However,
the convergent 14/37 yields
z=

37 60728973 1
= 1605233347.
14

Now, if we solve the equation

x2 25348x + 1605233347 = 0,
then we find the roots x = 12347, 13001. Therefore we have discovered the factorization
1605233347 = 12347 13001.
Notice that, for the modulus N = 1605233347, Wieners algorithm will work for
d <

n1/4
37.52
3

Now at this position we think that RSA is insecure against this attack. But do not worry Wieners
gives the method to prevent the attack.
Preventing Wieners Attack
1. Large e: Suppose instead of reducing e modulo (N ), one uses < N, e > for the public key
where e = e+t(N ) for some large t. Clearly e can be used in place of e for message encryption.
However, when a large value of e is used, the k in the above proof is no longer small. A simple
calculation shows that if e > N 1.5 then no matter how small d is, the above attack cannot be
mounted. Unfortunately, large values of e result in increased encryption time.
2. Using CRT: An alternate approach is to use the Chinese Remainder Theorem (CRT). Suppose
one chooses d such that both dp = d mod (p 1) and dq = d mod (q 1) are small, say 128
bits each. Then fast decryption of a ciphertext C can be carried out as follows: first compute
Mp = C dp mod p and Mq = C dq mod q. Then use the CRT to compute the unique value
M ZN satisfying M Mp mod p and M Mq mod q. The resulting M satisfies M C d
mod N as required. The point is that although dp and dq are small, the value of d mod (N )
can be large, i.e., on the order of (N ). As a result, the attack of Wieners Theorem does not
apply. We note p
that if
phN, ei is given, there exists an attack enabling an adversary to factor N
in time O(min( dp , dq )). Hence, dp and dq cannot be made too small.
But note that we do not claim this methods are secure, we claim that this methods is ineffective
against Wieners attack. In 1999 Boneh and Durfee[8] improve the upper bound as d < N 0.292 .
We also discuss about proof of this theorem. So our correct bound is d < N 0.5 . At the time of
this writing, this is an open problem.
13

Open Problem 2.3.1. Let N = pq and d < N 0.5 . If Marvin is given < N, e > with ed 1 mod
(N ) and e < (N ), can he efficiently recover d.
Since Wieners proposal in 1990, it has been a challenging open question whether there exists
a polynomial time attack on small private CRT exponents. Ellen Jochemsz and Alexander May
gave an affirmative answer to this question and showed that a polynomial time attack exists if dp
and dq are smaller than N 0.073 .

14

Chapter 3
Implementation
3.1

Implementation

GMP was chosen for this project because it is feature-rich, efficient, and free. It is currently used
in commercial applications such as Mathematica. A custom bignum library was not feasible due
to time constraints. Also, we couldnt hope to match the performance of GMP, as many of its
functions are hand-crafted in assembly.

3.1.1

Basic Knowledge

Number Theoretic Functions:

 mpz probab prime p(mpz t n, int reps) :- Check if n is prime, returns 2 if n is definitely
prime, 1 if n is probably prime and 0 if n is definitely not prime. The function uses the MillerRabin probabilistic primality tests. reps is the number of tests to carry out, a higher number
reduces a non-prime being returned as probably prime.
 mpz gcd(mpz t answer, mpz t op1, mpz t op2) :- Set answer to the greatest common
denominator of op1 and op2.
 mpz gcdext(mpz t g, mpz t s, mpz t t, mpz t a, mpz t b) :- Set g to the greatest common denominator of a and b. Also find s and t to satisfy the equation as + bt = g.
Comparison Functions:
 mpz cmp(mpz t op1, mpz t op2) and mpz cmp si (mpz t op1, unsigned long int op2)
:- Compare op1 and op2, return a positive value if op1 > op2, 0 if op1 = op2 and a negative
value if op1< op2.
Random Number Functions:
 mpz urandomb(mpz t answer, gmp rand state t state, unsigned long int n):- Generate a random number between 0 and 2n 1 and store in answer. state is a variable which
is initialized using the Random State Initialization Functions below.
Random State Initialization:
 gmp randstate t state:- Define state as a state variable.
 gmp randseed ui(gmp rand state t state, unsigned long int seed) :- Set an initial
seed value into state.
15

 gmp randinit default(state) :- Initialize state with the default algorithm (default set to
the Mersenne Twister algorithm).
Input/Output Functions:
 gmp printf(const char *fmt,) :- Print to standard output.
 gmp fprintf(FILE *fp, const char *fmt,): - Print to the file fp.
 gmp scanf(const char *fmt,): - Read from standard input.
 gmp fscanf(FILE *fp, const char *fmt,): - Read from file fp.

3.1.2

Code

Key Generation Using the small number implementation code as a template I rewrote the code
using the functions from the GMP library.
 Generate p and q :- To generate the two prime numbers, a random number was generated
using the mpz urandomb() function then tested if it was a prime number using mpz probab prime().
A second prime number was then generated in the same way and checked that it was different
from the first.
 Calculating n and (n):- As n is calculated by multiplying p and q the mpz mul() was
used to multiply the two numbers. (n) is (p 1) (q 1) so the mpz sub ui() was used to
subtract 1 from p and q then the mpz mul() function used to multiply the answers.
 Calculating e:- A random number was generated again using mpz urandomb(). The greatest
common denominator of this number and r was then calculated using mpz gcd(). This process
was repeated until the generated number and (n) had a greatest common denominator of 1. This
was checked using the mpz cmp si() function.
 Calculating d:- The gmp gcdext() function with the parameters e and (n) was used to
run the Extended Euclidean Algorithm and calculate d.
Encryption/Decryption:- These functions read the numbers stored in the relevant key file
and get an input from the user of either the plaintext or ciphertext, this is done using the
gmp fscanf(), gmp printf() and gmp scanf() functions. The encryption/decryption algorithm
is then used on these values using the mpz powm() function.

3.1.3

Practical Test

Key Generation, Encryption and Decryption As the keys generated in this implementation are so
large, it is not practical to work through any of the algorithms by hand. Instead we will test this
implementation by generating different key pairs and using them to encrypt and decrypt different
numbers. If the decrypted number matches the original one then the key generation, encryption
and decryption must have been successful.
 Example: We generated a 512 bit key pairs and encrypt and decrypt the plaintext.
Here,
p = first prime;
16

q = second prime;
N = product of p and q;
(N ) = (p 1) (q 1), Euler totient function.
e is an integer such that gcd(e, (N )) = 1 and 3 < e < n 1
d is the inverse of e such that ed = 1 mod N .
p = 51059215397751307956557936184219435227970660472434307428500609444887554518
61889239744272031317090498111978081274825593317529526214968755445699992091740393
q = 73824668574061999853565513873025790932853259751174355246065158254587837753724
61362062045820666878762511356540299642555233884181281078528337149776823892359
N = 37694296543906335586457294409065467794729914544795087193692231906468893145122
446857314296184646219071278929240003720926138253245898231770817835204307386751160
150945133369542319196243524519313061901483948190549213833213617754898397273660469
812114603416649233498729752693512539100645154965411840847304804357087
(N ) = 37694296543906335586457294409065467794729914544795087193692231906468893145
122446857314296184646219071278929240003720926138253245898231770817835204307386738
671762547952038761306851237799996696979509461587324281757256443670215671162923058
663494262619447388610164108178225363987686937658918128057997535888724336
e=7872959189757277802663554654120033962447452943021981134577495867473115949925098
994150115623712444085665218586299407411001078737251769375199906240293635001
d=180296967148655820002504997725793268149371868562067479745430935518997599484268
090457030978844221322944902911832308548092802119113407650518715868944885087281130
668169988984618871256859688776590626713889378912947464454470339449139239652968823
71721355073851719095847676985528667617418130751375637305949724720681
Enter a message:12345
Encrypted message is: 3335037606334032202683168706698580428855217968308987826860
235220523193866436337070365472464380571396974794036934046537439690796493117172742
292985364764035251681217354713582051188291068086677589174784493005043489403113068
400063795475441173060523893646831270355692434066214492849276497620971320642022742
7568490
Decrypted message is: 12345

To write a code of RSA using GMP library we choose UBUNTU 12.04. First we include GMP
library using command sudo apt-get install libgmp3-dev. Also we generate an algorithm to
generate a message of given length. Because to give one 2048 bit number is really difficult. For
this purpose we write this algorithm.
# include < stdio .h >
# include < math .h >

17

# include < gmp .h >

# include < time .h >
void main () {
int seed , SIZE =512;
mpz_t p ;
mpz_init ( p ) ;
gmp_randstate_t state ;
srand ( time ( NULL ) ) ;
g m p _ r a n d i n i t _ d e f a u l t ( state ) ;
seed = rand () ;
gmp_randseed_ui ( state , seed ) ;
mpz_urandomb (p , state , SIZE ) ;
gmp_printf ( " \ n Required Message is :% Zd \ n " ,p ) ;
}

Now here we write the complete program of RSA Algorithm. This program also measure the
running time to execute the algorithm. We just suggest to change the value of SIZE in our program
to get output of different key bits. Here to get a message of 512 bit we use above algorithm and
put it as input to the following algorithm. One may want to message size of different bit, he/she
can change similarly.
Listing 3.1: RSA Implementation using GMP Library
# include < stdio .h >
# include < stdlib .h >
# include < gmp .h >
# include < time .h >
int SIZE =2048;
int main ()
{
mpz_t p ,q ,n , gcd ,e , nm1 , pm1 , qm1 ,r ,g ,s ,t , plaintext , ciphertext , result ;
int seed , prime_count1 , prime_count2 , error ;
gmp_randstate_t state ;
mpz_init ( p ) ;
mpz_init ( q ) ;
mpz_init ( nm1 ) ;
mpz_init ( pm1 ) ;
mpz_init ( qm1 ) ;
mpz_init ( n ) ;
mpz_init ( r ) ;
mpz_init ( e ) ;
mpz_init ( gcd ) ;
mpz_init ( g ) ;
mpz_init ( s ) ;
mpz_init ( t ) ;
mpz_init ( plaintext ) ;
mpz_init ( ciphertext ) ;
mpz_init ( result ) ;
error =0;
srand ( time ( NULL ) ) ;
g m p _ r a n d i n i t _ d e f a u l t ( state ) ;
seed = rand () ;
gmp_randseed_ui ( state , seed ) ;
do

18

{
do
{
mpz_urandomb (p , state , SIZE ) ;
prime_count1 = mp z_ pro ba b_ pr im e_ p (p ,100) ;
} while ( prime_count1 ==0) ;
do
{
do
{
mpz_urandomb (q , state , SIZE ) ;
prime_count2 = mp z_p ro ba b_ pr im e_ p (q ,100) ;
} while ( prime_count2 ==0) ;
} while ( mpz_cmp (q , p ) ==0) ;
mpz_mul (n , p , q ) ;
mpz_sub_ui ( nm1 , n , 1) ;
mpz_sub_ui ( pm1 , p , 1) ;
mpz_sub_ui ( qm1 , q , 1) ;
mpz_mul (r , pm1 , qm1 ) ;
do
{
do
{
mpz_urandomb (e , state , SIZE ) ;
} while (( mpz_cmp_si (e ,3) <0) ||( mpz_cmp (e , nm1 ) >0) ) ;
mpz_gcd ( gcd , e , r ) ;
} while ( mpz_cmp_si ( gcd ,1) !=0) ;
mpz_gcdext (g ,s ,t ,e , r ) ;
} while ( mpz_cmp_si (s ,1) <0) ;
gmp_printf ( " p =% Zd \ n \ n q =% Zd \ n \ nn =% Zd \ n \ nPhi ( N ) =% Zd \ n \ ne =% Zd \ n \ ns =
% Zd \ n \ n " ,p ,q ,n ,r ,e , s ) ;
gmp_printf ( " Enter a message : " ) ;
gmp_scanf ( " % Zd " , plaintext ) ;
mpz_powm ( ciphertext , plaintext ,e , n ) ;
gmp_printf ( " \ nEncrypted message is :% Zd \ n " , ciphertext ) ;
mpz_powm ( result , ciphertext ,s , n ) ;
gmp_printf ( " \ nDecrypted message is :% Zd \ n " , result ) ;
return 0; }

Here we establish two table one is verses key size with running time when message size fixed and
another is verses message size with running time when key size is fixed when key size means size
of p or q. Here we also observe that the running is may be different for a fixed message and key
size may vary. That means if we take key size 512 bit and run the program for fixed text 12345
then it may give two different running time. We also plot the graph according to the following
two table. In first case we fixed the message 12345 and vary the key size.

Key Size(x)
Running Time(y)

288
298
314
320
352
512
768
1024
0.0246655 0.16441 0.020405 0.022092 0.026908 0.034045 0.077043 0.410469

Now using MATLAB we plot the data, choose Key Size as X axis and Running Time as y axis.

19

As we tell previously we also have another data table Message length in bits(x) vs Running
Time(y). In this case we fixed the key size 1024 bit.
Key Size(x)
Running Time(y)

64
128
196
256
512
768
1024
1240
0.33456 0.16536 0.132279 0.600242 0.264961 0.257289 0.125543 0.625437

Here we put the second graph Message length vs Running time:

20

So in above code we use through out GMP library but question is can we implement RSA without
using GMP library. Answer is yes. We run this(without using GMP) in Windows Operating
System and for C purpose we choose DEV C++ software.
Listing 3.2: RSA Implementation

# include < stdio .h >

# include < conio .h >
# include < stdlib .h >
# include < math .h >
# include < string .h >
long int p ,q ,n ,t , flag , e [100] , d [100] , temp [100] , j , m [100] , en [100] , i ;
char msg [100]; int prime ( long int ) ; void ce () ; long int cd ( long int ) ;
void encrypt () ; void decrypt () ;
main () {
printf ( " \ n ENTER FIRST PRIME NUMBER \ n " ) ;
scanf ( " % d " ,& p ) ;
flag = prime ( p ) ;
if ( flag ==0) {
printf ( " \ n WRONG INPUT \ n " ) ;
}
printf ( " \ n ENTER ANOTHER PRIME NUMBER \ n " ) ;
scanf ( " % d " ,& q ) ;
flag = prime ( q ) ;
if ( flag ==0|| p == q ) {
printf ( " \ nWRONG INPUT \ n " ) ;
}
printf ( " \ n ENTER MESSAGE \ n " ) ;
scanf ( " % s " , msg ) ;
for ( i =0; msg [ i ]!= NULL ; i ++)
m [ i ]= msg [ i ];
n=p*q;
t =( p -1) *( q -1) ;
ce () ;
printf ( " \ n POSSIBLE VALUES OF e AND d ARE \ n " ) ;
for ( i =0; i <j -1; i ++)
printf ( " \ n % ld \ t % ld " ,e [ i ] , d [ i ]) ;
encrypt () ;
decrypt () ;
getch () ;
}
int prime ( long int pr ) {
int i ;
j = sqrt ( pr ) ;
for ( i =2; i <= j ; i ++) {
if ( pr % i ==0)
return 0;
}
return 1;

21

}
void ce () {
int k ;
k =0;
for ( i =2; i < t ; i ++) {
if ( t % i ==0)
continue ;
flag = prime ( i ) ;
if ( flag ==1&& i != p && i != q ) {
e [ k ]= i ;
flag = cd ( e [ k ]) ;
if ( flag >0) {
d [ k ]= flag ;
k ++;
}
if ( k ==99)
break ;
}
}
}
long int cd ( long int x ) {
long int k =1;
while (1) {
k=k+t;
if ( k % x ==0)
return ( k / x ) ;
}
}
void encrypt () {
long int pt , ct , key = e [0] , k , len ;
i =0;
len = strlen ( msg ) ;
while ( i != len ) {
pt = m [ i ];
pt = pt -96;
k =1;
for ( j =0; j < key ; j ++) {
k = k * pt ;
k=k%n;
}
temp [ i ]= k ;
ct = k +96;
en [ i ]= ct ;
i ++;
}
en [ i ]= -1;
printf ( " \ nTHE ENCRYPTED MESSAGE IS \ n " ) ;
for ( i =0; en [ i ]!= -1; i ++)
printf ( " % c " , en [ i ]) ;
} void decrypt () {
long int pt , ct , key = d [0] , k ;
i =0;
while ( en [ i ]!= -1) {
ct = temp [ i ];
k =1;
for ( j =0; j < key ; j ++) {

22

k = k * ct ;
k=k%n;
}
pt = k +96;
m [ i ]= pt ;
i ++;
}
m [ i ]= -1;
printf ( " \ n THE DECRYPTED MESSAGE IS \ n " ) ;
for ( i =0; m [ i ]!= -1; i ++)
printf ( " % c " ,m [ i ]) ;
}

23

Chapter 4
Conclusion and Future Scope
Thirty years after RSA was first publicized it still remains an active research area. In this chapter,
we conclude the work. We have studied weaknesses of RSA cryptosystem, results related to integer
factorization, secrecy of private key, secrecy of public key and variants of RSA and its cryptanalysis.
According to the cryptoanalysis over thirty years on RSA, we conclude that RSA still secure
but having survived a great deal of cryptanalytic security.
Recommendations
The following recommendations are based on the theoretical and experimental results.
i. The number of bits for nshould be at least 1024 bits. This means that n should be around
21024 , or 309 decimal digits.
ii. The two primes p and q must each be at least 512 bits. This means that p and q should be
around 2512 or 309 decimal digits.
iii. The values of p and q should never be very close to each other.
iv. Both p 1 and q 1 should have at least one large prime factor.
v. The ratio p/q should not be close to a rational number with a small numerator and denominator.
vi. The modulus n must not be shared.
vii. The value of e should be 216 + 1 or an integer close to this value.
viii. If the private key d is leaked, Bob must immediately change n as well as both e and d. It
has been proven that knowledge of n na done pair he, di can lead to the discovery of other
pairs of the same modulus.
An open problem related to this area: For d < N 0.5 . Is Marvin can efficiently recover d for given
< N, e > with ed 1 mod (N ) and e < (N ). That means a grater bound is required.

24

Bibliography
[1] Menezes, Alfred J., Paul C. Van Oorschot, and Scott A. Vanstone. Handbook of applied
cryptography. CRC press, 1996.
[2] Davida G., 1982. Chosen Signature Cryptanalysis of the RSA (MIT) Public-Key Cryptosystem. Technical Report TR-CS-82-2, University of Wisconsin 1994.
[3] Stinson, Douglas R. Cryptography: theory and practice. CRC press, 2005.
[4] William, Stallings, and William Stallings. Cryptography and Network Security, 4/E. Pearson
Education India, 2006.
[5] Forouzan, Behrouz A. Cryptography & Network Security. McGraw-Hill, Inc., 2007.
[6] Lenstra, Arjen K. Memo on RSA signature generation in the presence of faults. No. EPFLREPORT-164524. 1996.
[7] Burton, David M. Elementary number theory. Tata McGraw-Hill Education, 2006.
[8] Boneh, D., and G. Durfee. New results on cryptanalysis of low private exponent RSA.
preprint (1998): 1-18.
[9] Boneh, D.: Twenty years of attacks on the RSA cryptosystem. In Notices of Americans
Mathematics Society, volume 46, issue 2, pages 203-213. AMS, 1999.
[10] Kleinjung, Thorsten, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thom,
Joppe W. Bos, Pierrick Gaudry et al. Factorization of a 768-bit RSA modulus. In Advances
in CryptologyCRYPTO 2010, pp. 333-350. Springer Berlin Heidelberg, 2010.
[11] Von Zur Gathen, Joachim, and Jrgen Gerhard. Modern computer algebra. Cambridge university press, 2013.
[12] Wiener, Michael J. Cryptanalysis of short RSA secret exponents. Information Theory, IEEE
Transactions on 36, no. 3 (1990): 553-558.

25