Understanding Cryptography – A Textbook for

Students and Practitioners

by Christof Paar and Jan Pelzl

www.crypto-textbook.com

Chapter 7 – The RSA Cryptosystem

ver. December 7, 2010

These slides were prepared by Benedikt Driessen, Christof Paar and Jan Pelzl
Cryptography
Lecture 11
RSA Cryptosystem
Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
The RSA Cryptosystem
• Martin Hellman and Whitfield Diffie published their landmark public-
key paper in 1976
• Ronald Rivest, Adi Shamir and Leonard Adleman proposed the
asymmetric RSA cryptosystem in1977
• Until now, RSA is the most widely use asymmetric cryptosystem
although elliptic curve cryptography (ECC) becomes increasingly
popular
• RSA is mainly used for two applications
• Transport of (i.e., symmetric) keys (cf. Chptr 13 of Understanding
Cryptography)
• Digital signatures (cf. Chptr 10 of Understanding Cryptography)
 The RSA Cryptosystem
Basic Protocol for Public-Key Encryption

Alice Bob

KpubB (KpubB,KprB) = K

x
y=eKpubB(x) y

x=dKprB(y)
→ Key Distribution Problem solved *

*) at least for now; public keys need to be authenticated, cf.Chptr. 13 of Understanding Cryptogr.
The RSA Cryptosystem
• Bob generates two big keys: public key E and private key D
• Bob publish E for anyone to access (public)
• Anyone can encrypt message for Bob using E
• Only Bob can decrypt an encrypted message using D
• The encryption algorithm is public, so actually anyone can decrypt by
trying all possible keys, but with known algorithms, it would take
hundreds of years or more.
 Asymmetric Cryptography Practices

• Symmetric-key cryptography is based on sharing secrecy;

• asymmetric-key cryptography is based on personal secrecy.
• In symmetric-key cryptography system, the number of keys needed for each user is 1.
• In asymmetric-key cryptography system, the number of keys needed for each user is 2.
RSA Key Generation
• Like all asymmetric schemes, RSA has set-up phase during which
the private and public keys are computed
Algorithm: RSA Key Generation
Output: public key: kpub = (n, e) and private key kpr = d
1. Choose two large primes p, q Remarks:
2. Compute n = p * q p,q ≥ 2512
n≥21024
3. Compute Φ(n) = (p-1) * (q-1)
4. Select the public exponent e ε {1, 2, …, Φ(n)-1} such that
gcd(e, Φ(n) ) = 1
5. Compute the private key d such that d * e ≡ 1 mod Φ(n) Using EEA
6. RETURN kpub = (n, e), kpr = d

Remarks:
• Choosing two large, distinct primes p, q (in Step 1) is non-trivial
• gcd(e, Φ(n)) = 1 ensures that e has an inverse and, thus, that there
is always a private key d
Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
RSA Encryption and Decryption
• RSA operations are done over the integer ring Zn (i.e., arithmetic
modulo n), where n = p * q, with p, q being large primes
• Encryption and decryption are simply exponentiations in the ring
Definition
Given the public key (n,e) = kpub and the private key d = kpr we write Remarks:
y = ekpub(x) ≡ xe mod n yd= (xe)d=xed=x
x = dkpr(y) ≡ yd mod n
where x, y ε Zn.
We call ekpub() the encryption and dkpr() the decryption operation.

• In practice x, y, n and d are very long integer numbers (≥ 1024 bits)

• The security of the scheme relies on the fact that it is hard to derive
the „private exponent“ d given the public-key (n, e)

Remarks:
p, q and Φ(n) are top secret
RSA Encryption and Decryption
Complexity of operations in RSA
Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
 Example: RSA with small numbers
ALICE
BOB
Message x = 4
1. Choose p = 3 and q = 11
2. Compute n = p * q = 33
3. Φ(n) = (3-1) * (11-1) = 20
4. Choose e = 3
5. d ≡ e-1 ≡7 mod 20
Kpub = (33,3)
3.7=1 mod 20
y = xe ≡ 43 ≡ 31 mod 33
y = 31
yd = 317 ≡ 4 = x mod 33

Check:
317 ≡(-2)7 mod 33 ≡-128 mod 33 ≡-4.33+ 4 mod 33=4
 Example: RSA with big numbers
1. Select the prime numbers p = 17 and q = 11.
a. n = p.q = 187
b. ∅(n) = (p-1)(q-1) = 16 x 10 = 160
2. Select e such that it is relatively prime to 160 and less than 160. Lets choose e = 7.
3. Choose d such that de ≡ 1 (mod 160) and d < 160
a. d = 23. Since 23 x 7 = 161 = 10 x 160 + 1
(extended Euclid’s algorithm can be used to calculate d)
Therefore:
Public Key = (e,n) = (7,187)
Private Key = (d,n) = (23,187)
Now encrypt M = 88

Encryption Decryption
 Example: RSA with a long mesage

Here is a more realistic example. We choose a 512-bit p

and q, calculate n and f(n), then choose e and test for
relative primeness with f(n). We then calculate d. Finally,
we show the results of encryption and decryption. The
integer p is a 159-digit number.
 Example: RSA with a long mesage

The modulus n = p × q. It has 309 digits.

f(n) = (p − 1)(q − 1) has 309 digits.

 Example: RSA with a long mesage

Bob chooses e = 35535 (the ideal is 65537) and tests it to

make sure it is relatively prime with f(n). He then finds the
inverse of e modulo f(n) and calls it d.
 Example: RSA with a long mesage
Alice wants to send the message “THIS IS A TEST”, which can be changed to a
numeric value using the 00−26 encoding scheme (26 is the space character).

The ciphertext calculated by Alice is C = Pe, which is

Bob can recover the plaintext from the ciphertext using P = Cd, which is

The recovered plaintext is “THIS IS A TEST” after decoding.

Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
Implementation aspects: Fast Exponentiation
• The RSA cryptosystem uses only one arithmetic operation (modular
exponentiation) which makes it conceptually a simple asymmetric
scheme
• Even though conceptually simple, due to the use of very long
numbers, RSA is orders of magnitude slower than symmetric
schemes, e.g., DES, AES
• When implementing RSA (esp. on a constrained device such as
smartcards or cell phones) close attention has to be paid to the
correct choice of arithmetic algorithms
• The square-and-multiply algorithm allows fast exponentiation, even
with very long numbers…
Implementation aspects: Fast Exponentiation
Square-and-Multiply
• Basic principle: Scan exponent bits from left to right and
square/multiply operand accordingly
Algorithm: Square-and-Multiply for xH mod n
Input: Exponent H, base element x, Modulus n
Output: y = xH mod n
1. Determine binary representation H = (ht, ht-1, ..., h0)2
2. FOR i = t-1 TO 0
3. y = y2 mod n
4. IF hi = 1 THEN
5. y = y * x mod n
6. RETURN y

• Rule: Square in every iteration (Step 3) and multiply current result

by x if the exponent bit hi = 1 (Step 5)
• Modulo reduction after each step keeps the operand y small
 Implementation aspects: Fast Exponentiation
Square-and-Multiply
1024
X2
X4 X8
Naïve Better Naïve Better Naïve Better
x.x=x2 x.x=x2 x.x=x2 x.x=x2 x.x=x2 x.x=x2
.
x2.x=x3 x2.x=x3 . x2. x2=x4
x3.x=x4 x2. x2=x4 x3.x=x4 x2. x2=x4 .
x4. x4=x8
3 Mul 2 Mul .
.
.
1024 1024 1023 1023 1024
X2 X2 =X2
x7.x=x8 X2 -1 X=X2

7 Mul 3 Mul 1024

2
X -1 Mul 1024 Mul

Linear Logarithmic
Complexity Complexity
Implementation aspects: Fast Exponentiation
Example: Square-and-Multiply
Binary method/ left-to-ritght expon. x26-=x110102
• Computes x26 without modulo reduction
• Binary representation of exponent: 26 =(1,1,0,1,0)2
Scan the
Binary exponent bits
Step Op
exponent Left to right
1 x = x1 (1)2 1) Add 0 in every
iteration we
2 (x1)2 = x2 (10)2 SQ x102 Shift Left
Square
3 x2 * x = x3 (11)2 MUL x112 Add One 2) If current bit 1
Multiply by x
4 (x3)2 = x6 (110)2 SQ x1102 Shift Left
5 (x6)2 = x12 (1100)2 SQ x11002 Add One
6 x12 * x = x13 (1101)2 MUL x11012 Shift Left
7 (x13)2 = x26 (11010)2 SQ x110102 Add One
8 - (11010)2 -
• Observe how the exponent evolves into x26 = x11010
Complexity of Square-and-Multiply Alg.
• The square-and-multiply algorithm has a logarithmic complexity, i.e.,
its run time is proportional to the bit length (rather than the absolute
value) of the exponent
• Given an exponent with t+1 bits
H = (ht,ht-1, ..., h0)2
with ht = 1, we need the following operations
• # Squarings =t
• Average # multiplications = 0.5 t
• Total complexity: #SQ + #MUL = 1.5 t
• Exponents are often randomly chosen, so 1.5 t is a good estimate
for the average number of operations
• Note that each squaring and each multiplication is an operation with
very long numbers, e.g., 2048 bit integers.
Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
Speed-Up Techniques
• Modular exponentiation is computationally intensive
• Even with the square-and-multiply algorithm, RSA can be quite slow
on constrained devices such as smart cards
• Some important tricks:
• Short public exponent e
• Chinese Remainder Theorem (CRT)
• Exponentiation with pre-computation (not covered here)
Fast encryption with small public exponent
• Choosing a small public exponent e does not weaken the security of
RSA
• A small public exponent improves the speed of the RSA encryption
significantly
Public Key e as binary string #MUL + #SQ

21+1 = 3 (11)2 1+1=2 Minimum

24+1 = 17 (1 0001)2 4+1=5

216 + 1 (1 0000 0000 0000 0001)2 16 + 1 = 17 Recommended

• This is a commonly used trick (e.g., SSL/TLS, etc.) and makes RSA
the fastest asymmetric scheme with regard to encryption!
• RSA here : Fast encryption/ Slow decryption
• ElGamal: Approx. same time for both
 Fast decryption with CRT
• Choosing a small private key d results in security weaknesses!
• In fact, d must have at least 0.3t bits, where t is the bit length
of the modulus n
• However, the Chinese Remainder Theorem (CRT) can be used to
(somewhat) accelerate exponentiation with the private key d
• Based on the CRT we can replace the computation of
xd mod Φ(n) mod n
by two computations
xd mod (p-1) mod p and xd mod (q-1) mod q
where q and p are „small“ compared to n

Approx. 4 times faster than doing directly

➢only owner of private key who knows values of p & q can use this technique

28 /34
Content of this Chapter
• The RSA Cryptosystem
• RSA Encryption and Decryption
• RSA Examples
• Implementation aspects: Fast Exponentiation
• Speed-Up Techniques
• Attacks and Countermeasures
• Lessons Learned
Attacks and Countermeasures 1/3
• There are two distinct types of attacks on cryptosystems
• Analytical attacks try to break the mathematical structure of the
underlying problem of RSA
• Implementation attacks try to attack a real-world
implementation by exploiting inherent weaknesses in the way
RSA is realized in software or hardware
Attacks and Countermeasures 2/3
RSA is typically exposed to these analytical attack vectors
• Mathematical attacks
• The best known attack is factoring of n in order to obtain Φ(n)
• Can be prevented using a sufficiently large modulus n
• The current factoring record is 664 bits. Thus, it is recommended
that n should have a bit length between 1024 and 3072 bits
• Protocol attacks
• Exploit the malleability of RSA, i.e., the property that a ciphertext
can be transformed into another ciphertext which decrypts to a
related plaintext – without knowing the private key
• Can be prevented by proper padding
 Attacks and Countermeasures 3/3
• Implementation attacks can be one of the following:

•Side-channel analysis
•Exploit physical leakage of RSA implementation (e.g., power consumption,
EM emanation, etc.)
•Fault-injection attacks
•Inducing faults in the device while CRT is executed can lead to a complete
leakage of the private key
Recommendations
▪ The number of bits in n should be at least 1024.

▪ Two primes p & q must be 512 bit at least.

▪ p & q should not be close to each other.

▪ Modulus n must not be shared.

▪ If d is leaked, immediately change n, e and d.

▪ Message must be padded by OAEP.

Public-Key Applications
➢ can classify uses into 3 categories:
⚫ encryption/decryption (provide secrecy)

⚫ digital signatures (provide authentication)

⚫ key exchange (of session keys)

➢ some algorithms are suitable for all uses, others

are specific to one
MCQs
1. In the RSA algorithm, we select 2 random large values ‘p’ and ‘q’. Which of the
following is the property of ‘p’ and ‘q’?
a) p and q should be divisible by Ф(n)
b) p and q should be co-prime
c) p and q should be prime
d) p/q should give no remainder

2. In RSA, Ф(n) = _______ in terms of p and q.

a) (p)/(q) b) (p)(q) c) (p-1)(q-1) d) (p+1)(q+1)

3. In RSA, we select a value ‘e’ such that it lies between 0 and Ф(n) and it is
relatively prime to Ф(n).
a) True b) False

4. For p = 11 and q = 19 and choose e=17. Apply RSA algorithm where

message=5 and find the cipher text.
a) C=80 b) C=92 c) C=56 d) C=23
Lessons Learned
• RSA is the most widely used public-key cryptosystem
• RSA is mainly used for key transport and digital signatures
• The public key e can be a short integer, the private key d needs to
have the full length of the modulus n
• RSA relies on the fact that it is hard to factorize n
• Currently 1024-bit cannot be factored, but progress in factorization
could bring this into reach within 10-15 years. Hence, RSA with a
2048 or 3076 bit modulus should be used for long-term security
• A naïve implementation of RSA allows several attacks, and in
practice RSA should be used together with padding