RSA

Tobias M. Bölz

Contents

1. Introduction
2. Public-key encryption
3. Description of the procedure
4. Proof
5. Security
   5.1. Options for attack
   5.2. Security problems
6. Implementation
   6.1. Key generation
   6.2. Computation of $M^e \bmod n$
A. Sample programs
   A.1. inversmod.c
   A.2. encrypt1.c
   A.3. encrypt2.c
B. Literature

This content is licensed under a Creative Commons Attribution-Non-Commercial-Share Alike license. To view the license, please go to http://creativecommons.org/licenses/by-nc-sa/2.0/de/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

1. Introduction

The RSA algorithm was the first public-key encryption method suited both for encryption and for creating digital signatures. It was invented in 1978 (some sources say 1977, but the publication definitely took place in 1978) and named after its inventors Ronald Rivest, Adi Shamir and Leonard Adleman [1]. Since the concept of a public-key encryption method by Whitfield Diffie and Martin E. Hellman [2] gave the impetus for this work, that idea is explained in the next section. It is followed by a description of the RSA algorithm, the outline of a possible proof, security considerations, and algorithms with which RSA can be implemented.

2. Public-key encryption

The concept of public-key encryption (also called asymmetric encryption) was developed in 1976 by Whitfield Diffie and Martin E. Hellman [2]: each user publishes an encryption procedure E and keeps the corresponding decryption procedure D secret. E and D must satisfy the following conditions:

(1) Decrypting the encrypted form of a message M yields M, i.e. $D(E(M)) = M$.
(2) E and D should be easy to compute.
(3) D must not be easy (and ideally not possible at all) to derive from E.
(4) It should equally be possible to first apply the decryption algorithm to a text and then the encryption algorithm: $E(D(M)) = M$. This is used when creating digital signatures.

A function E that fulfils (1) to (3) is a trap-door one-way function. If (4) is satisfied as well, it is a trap-door one-way permutation. The functions for encryption and decryption usually consist of a general function and a key.

A message is encrypted using the public key of the recipient. To decrypt the message, the recipient's private key is used (see Figure 1).

Figure 1: Encryption with a public-key method

If the function used is a trap-door one-way permutation, it is also possible to sign a message digitally. To do so, the sender applies D with his private key to the message. Since (4) holds, anyone who possesses the public key of the sender can convert the signed message back into plain text using E (see Figure 2). Since only the sender possesses the private key, only he can have signed the message. If the message is intended for a specific recipient, the signed message is additionally encrypted with that recipient's public key. As an alternative to signing the whole message, only a signed checksum of the message can be sent along with it.

Figure 2: Digital signature with a public-key method

Diffie and Hellman only introduced the concept; they did not present a possible implementation.

3. Description of the procedure

To encrypt a message M, one needs a public key (e, n). To decrypt an encrypted message C, one needs a private key (d, n). The message must be broken down into blocks, and each block is represented by an integer between 0 and n - 1. Which procedure is used for this is irrelevant to the encryption, because it only serves to bring the message into numerical form. A message is encrypted with the function $C = M^e \bmod n$ and the public key (e, n). To decrypt, the function $M = C^d \bmod n$ is used with the private key (d, n) ($M, C, e, d, n \in \mathbb{N}$).
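The two functions above, applied block by block in both directions, as an added example that is not one of the paper's sample programs. The key (n = 3233, e = 17, d = 2753, built from p = 61 and q = 53) is a constructed toy key, and the names `modpow`, `rsa_apply` and `roundtrip_ok` are the example's own; each byte of the message is taken as one block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy key from p = 61, q = 53 (far too small for real use). */
#define RSA_N 3233u /* n = p * q */
#define RSA_E 17u   /* public exponent */
#define RSA_D 2753u /* private exponent: (e * d) mod (p-1)(q-1) = 1 */

/* base^exp mod n by repeated squaring; the 64-bit intermediates keep
   every product exact for any 32-bit n. */
uint32_t modpow(uint32_t base, uint32_t exp, uint32_t n) {
    uint64_t result = 1, b = base % n;
    for (; exp != 0; exp >>= 1) {
        if (exp & 1) result = result * b % n;
        b = b * b % n;
    }
    return (uint32_t)result;
}

/* Apply exponent k to every block in place; -1 if a block is not in 0..n-1. */
int rsa_apply(uint32_t *blk, size_t len, uint32_t k, uint32_t n) {
    for (size_t i = 0; i < len; i++) {
        if (blk[i] >= n) return -1;
        blk[i] = modpow(blk[i], k, n);
    }
    return 0;
}

/* 1 if applying exponent `first` and then `second` restores every block
   of msg (one byte per block), 0 otherwise. */
int roundtrip_ok(const char *msg, uint32_t first, uint32_t second) {
    uint32_t blk[64];
    size_t len = strlen(msg), i;
    if (len > 64) return 0;
    for (i = 0; i < len; i++) blk[i] = (unsigned char)msg[i];
    if (rsa_apply(blk, len, first, RSA_N) || rsa_apply(blk, len, second, RSA_N)) return 0;
    for (i = 0; i < len; i++)
        if (blk[i] != (unsigned char)msg[i]) return 0;
    return 1;
}

int main(void) {
    printf("D(E(M)) = M: %d\n", roundtrip_ok("RSA", RSA_E, RSA_D)); /* encrypt, decrypt */
    printf("E(D(M)) = M: %d\n", roundtrip_ok("RSA", RSA_D, RSA_E)); /* sign, verify */
    return 0;
}
```

Applying the public exponent twice instead of the matching private one does not restore the message, which `roundtrip_ok("RSA", RSA_E, RSA_E)` shows.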
For this method to work, e, d and n are calculated as follows:

• n is the product of two very large prime numbers p and q: $n = p \cdot q$. p and q must remain secret, because the public key and the private key can be calculated from them.
• d is a large random integer that is relatively prime to $(p - 1)(q - 1)$, i.e. that fulfils $\gcd(d, (p - 1)(q - 1)) = 1$.
• e is the inverse of d modulo $(p - 1)(q - 1)$, or in other words $(e \cdot d) \bmod (p - 1)(q - 1) = 1$.

4. Proof

The RSA method is based fundamentally on Euler's theorem, which states that $a^{\varphi(n)} \equiv 1 \pmod n$ if a and n are relatively prime. Here $\varphi(n)$ is Euler's φ function, which returns the number of all natural numbers that are smaller than n and relatively prime to n (for a proof, see e.g. [3]). For primes, $\varphi(p) = p - 1$. In RSA, n is the product of two primes p and q. Therefore,

$$\varphi(n) = \varphi(p) \cdot \varphi(q) = (p - 1) \cdot (q - 1)$$

The claims $D(E(M)) = M$ and $E(D(M)) = M$ with $E(M) = M^e \bmod n$ and $D(C) = C^d \bmod n$ can be transformed with the power rules of modular arithmetic as follows:

$$M = D(E(M)) = (E(M))^d \bmod n = M^{e \cdot d} \bmod n$$
$$M = E(D(M)) = (D(M))^e \bmod n = M^{d \cdot e} \bmod n$$

From the condition $(e \cdot d) \bmod (p - 1) \cdot (q - 1) = 1$ it follows that $e \cdot d = k \cdot \varphi(n) + 1$ for some $k \in \mathbb{N}$. Euler's theorem yields $M^{p-1} \equiv 1 \pmod p$, and since $(p - 1)$ divides $k \cdot \varphi(n)$, we have $M^{k \cdot \varphi(n) + 1} \equiv M \pmod p$. Since the same holds for q and $e \cdot d = k \cdot \varphi(n) + 1$, it follows that $M^{e \cdot d} \equiv M \pmod n$ and thus $D(E(M)) = M$ and $E(D(M)) = M$.

5. Security

It is believed that the security of RSA rests on the problem of factoring large numbers. This is not proven; there could be other ways to calculate M from C and e.

5.1. Options for attack

One possible attack is to factor n. d can then be calculated from the factors obtained and e. One of the fastest methods for this is elliptic curve factorization. The resulting estimates for the duration of the factorization of n are shown in Table 1. It is therefore practically impossible to factor n if it is large enough.

Key size      399 bit           512 bit                       1024 bit
Duration      830 MIPS-years    $4.2 \cdot 10^5$ MIPS-years   $2.8 \cdot 10^{15}$ MIPS-years
Evaluation    feasible with fast computers; safe over the long term

Table 1: Estimate of the duration of the factorization of n using elliptic curve factorization. (Source: [4])
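The first attack described above, factoring n and then computing d from the factors and e, carried out on two constructed toy moduli to show how the work grows with the size of n. This is an added example, not one of the paper's sample programs; it uses plain trial division instead of elliptic curve factorization, and the function names and moduli (61 · 53 and 65521 · 65537, both with e = 17) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Inverse of a modulo m by the extended Euclidean algorithm (iterative),
   normalised into 1..m-1; returns 0 if gcd(a, m) != 1. */
uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t r0 = (int64_t)m, r1 = (int64_t)(a % m), t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* Smallest prime factor of n by trial division; *tries counts divisions. */
uint64_t smallest_factor(uint64_t n, uint64_t *tries) {
    *tries = 1;
    if (n % 2 == 0) return 2;
    for (uint64_t f = 3; f * f <= n; f += 2) {
        (*tries)++;
        if (n % f == 0) return f;
    }
    return n;
}

/* From the public key (e, n) alone: factor n, rebuild phi(n) = (p-1)(q-1)
   and invert e. Returns 0 if n is prime or e has no inverse. */
uint64_t recover_d(uint64_t e, uint64_t n, uint64_t *tries) {
    uint64_t p = smallest_factor(n, tries);
    if (p == n) return 0;
    return modinv(e, (p - 1) * (n / p - 1));
}

int main(void) {
    /* Constructed toy moduli: 61 * 53 and 65521 * 65537, both with e = 17. */
    uint64_t n[] = { 3233ULL, 4294049777ULL }, tries;
    for (int i = 0; i < 2; i++) {
        uint64_t d = recover_d(17, n[i], &tries);
        printf("n = %llu: d = %llu after %llu trial divisions\n",
               (unsigned long long)n[i], (unsigned long long)d,
               (unsigned long long)tries);
    }
    return 0;
}
```

Going from a 12-bit to a 32-bit modulus multiplies the number of trial divisions by more than a thousand, which is the growth that puts the key sizes in Table 1 out of reach.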

It would also be possible to calculate $\varphi(n)$ without factoring n. From $\varphi(n)$ and e, d can likewise be calculated. However, since n is composite, there is no easy way to calculate $\varphi(n)$ without factoring n.

Another way is to guess d. However, since there are very many possible values of d, this process is extremely inefficient.

5.2. Security problems

It could happen that a user decrypts an encrypted message by signing it. For this, however, he would have to happen to have the same private key as the one matching the public key used to encrypt the message, or a key for which $M = C^d \bmod n$ holds. This is very unlikely but not impossible.

Another problem that occurs in the implementation is that most algorithms for finding prime numbers work probabilistically. If a composite number is used for p or q, encryption and decryption will probably not work correctly.

6. Implementation

This section presents some algorithms that can be used for the implementation. The source code of executable programs using the algorithms presented here can be found in the appendix.

6.1. Key generation

The public and private keys can be generated as follows:

1. Since n is the product of two primes p and q, a way must be found to obtain very large random primes. p and q should be similar in size and half the size of the intended size of n. There are several possibilities. One is to generate random numbers of the desired size until one of them is prime. For performance reasons the numbers are generally checked with probabilistic methods, which can lead to errors. An alternative, which would however require a lot of memory, is to select one at random from a list of prime numbers.

2. For d, for example, any prime that is greater than p and q is suitable.

3. e can be calculated from d and $\varphi(n)$ using the extended Euclidean algorithm [1, 5]. In addition to the gcd, it calculates the coefficients u and v of the equation

$$\gcd(a, b) = u \cdot a + v \cdot b, \quad u, v \in \mathbb{Z}$$

If we substitute $a = \varphi(n)$ and $b = e$, we obtain

$$\gcd(\varphi(n), e) = u \cdot \varphi(n) + v \cdot e = 1$$

since e and $\varphi(n)$ are relatively prime. Taken mod $\varphi(n)$ this gives

$$(u \cdot \varphi(n) + v \cdot e) \bmod \varphi(n) = v \cdot e \bmod \varphi(n) = 1$$

Thus v fulfils the required conditions for d. (The relation between e and d is symmetric, so the same computation with $b = d$ yields e.)

The Euclidean algorithm reduces $\gcd(a, b)$ to $\gcd(b, a \bmod b)$. The extended Euclidean algorithm additionally reduces $u \cdot a + v \cdot b$ to $u' \cdot b + v' \cdot (a \bmod b)$. The following C function calculates the gcd of a and b as well as u and v. The results are stored in the global variables g, u and v.

    int g, u, v;

    void erweuklid(int a, int b) {
        if (b == 0) {
            /* gcd(a, 0) = a = 1 * a + 0 * 0 */
            g = a; u = 1; v = 0;
        } else {
            erweuklid(b, a % b);
            /* turn the coefficients for (b, a mod b) into those for (a, b) */
            int tmp = u;
            u = v;
            v = tmp - a / b * v;
        }
    }

6.2. Computation of $M^e \bmod n$

There are many possibilities for calculating $M^e \bmod n$ and $C^d \bmod n$. The least suitable would be to use the standard features of the programming language, in C for instance pow(M, e) % n. Here the individual calculation steps are performed one after the other, which means that the intermediate result $M^e$, which is extremely large, would have to be stored.

If one transforms the equation to be solved into

$$M^{i+1} \bmod n = (M \cdot (M^i \bmod n)) \bmod n$$

one recognizes that it can be solved recursively [6]. This can easily be implemented with a loop:

    long long C = 1;   /* wide enough to hold C * M before the reduction */
    int i;
    for (i = 1; i <= e; i++) {
        C = (C * M) % n;
    }

[1] proposes exponentiation by repeated squaring and multiplication. This method works as follows:

1. Let $e_k e_{k-1} \ldots e_1 e_0$ be the binary representation of e.
2. Initialization: $C = 1$
3. Repeat the following steps for $i = k, k - 1, \ldots, 0$:
   a) $C = C^2 \bmod n$
   b) If $e_i = 1$, then $C = (C \cdot M) \bmod n$
4. Now $C = M^e \bmod n$

In C this looks, for example, like this:

    long long C = 1;   /* wide enough to hold C * C before the reduction */
    int i;
    /* scan the bits of e from the most significant one down to e_0;
       leading zero bits only square C = 1 */
    for (i = (int)sizeof(int) * 8 - 2; i >= 0; i--) {
        C = (C * C) % n;
        if ((e >> i) & 1) {
            C = (C * M) % n;
        }
    }

There are of course many other and, above all, more efficient algorithms for this problem. A selection can be found, for example, in [7].

A. Sample programs

A.1. inversmod.c

    #include <stdio.h>
    #include <stdlib.h>

    void erweuklid(int a, int b);

    int g, u, v;

    int main(int argc, char **argv) {
        if (argc != 3 || atoi(argv[1]) <= 0) {
            fprintf(stderr, "usage: %s a b\n", argv[0]);
            return 1;
        }
        int a = atoi(argv[1]);
        erweuklid(a, atoi(argv[2]));
        /* v may be negative; reduce it into the range 0..a-1 */
        printf("%i\n", ((v % a) + a) % a);
        return 0;
    }

    void erweuklid(int a, int b) {
        if (b == 0) {
            g = a; u = 1; v = 0;
        } else {
            erweuklid(b, a % b);
            int tmp = u;
            u = v;
            v = tmp - a / b * v;
        }
    }

A.2. encrypt1.c

    #include <stdio.h>
    #include <stdlib.h>

    int encrypt(int M, int e, int n);

    int main(int argc, char **argv) {
        if (argc != 4 || atoi(argv[3]) <= 0) {
            fprintf(stderr, "usage: %s M e n\n", argv[0]);
            return 1;
        }
        printf("%i\n", encrypt(atoi(argv[1]), atoi(argv[2]), atoi(argv[3])));
        return 0;
    }

    /* M^e mod n by e successive multiplications */
    int encrypt(int M, int e, int n) {
        long long C = 1;   /* wide enough to hold C * M before the reduction */
        int i;
        for (i = 1; i <= e; i++) {
            C = (C * M) % n;
        }
        return (int)C;
    }

A.3. encrypt2.c

    #include <stdio.h>
    #include <stdlib.h>

    int encrypt(int M, int e, int n);

    int main(int argc, char **argv) {
        if (argc != 4 || atoi(argv[3]) <= 0) {
            fprintf(stderr, "usage: %s M e n\n", argv[0]);
            return 1;
        }
        printf("%i\n", encrypt(atoi(argv[1]), atoi(argv[2]), atoi(argv[3])));
        return 0;
    }

    /* M^e mod n by repeated squaring and multiplication */
    int encrypt(int M, int e, int n) {
        long long C = 1;   /* wide enough to hold C * C before the reduction */
        int i;
        /* scan the bits of e from the most significant one down to e_0 */
        for (i = (int)sizeof(int) * 8 - 2; i >= 0; i--) {
            C = (C * C) % n;
            if ((e >> i) & 1) {
                C = (C * M) % n;
            }
        }
        return (int)C;
    }

B. Literature

[1] Rivest, R. L., Shamir, A. and Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. 1978
[2] Diffie, W. and Hellman, M. E. New Directions in Cryptography. 1976
[3] Wikipedia. Euler's theorem. http://de.wikipedia.org/wiki/Satz_von_Euler
[4] Patzelt, D. Presentation on RSA encryption. http://www.inf.hs-zigr.de/~wagenkn/TI/complexity/Speeches/RSA/
[5] Extended Euclidean algorithm. http://www.iti.fh-flensburg.de/lang/algorithmen/code/krypto/euklid.htm
[6] Werner, B. RSA encryption and other applications of elementary number theory through to calendar calculation. 2003
[7] Knuth, D. E. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Addison-Wesley, 1969