Professional Documents
Culture Documents
Lec 24
Lec 24
CRYPTOGRAPHY
Lecture 24
RSA
Instructor
Dr. Dhiman Saha
Given the public key (n, e) = kpub and the plaintext x, the
encryption function is:
Given the private key d = kpr and and the ciphertext y , the
decryption function is:
x = dkpr (y ) ≡ y d mod n
Here x, y ∈ Zn .
Alice Bob
message x = 4 1. choose p = 3 and q = 11
2. n = p · q = 33
3. Φ (n) = (3 − 1)(11 − 1) = 20
4. choose e = 3
5. d ≡ e−1 ≡ 7 mod 20
k pub =(33,3)
←−−−−−−−−−−−−
y = xe ≡ 43 ≡ 31 mod 33
y=31
−−−−−−−−−−−−→
yd = 317 ≡ 4 = x mod 33
Note that the private and public exponents fulfill the condition e · d = 3 · 7 ≡
1 mod Φ (n).
Practical RSA parameters are much, much larger. As can be seen from Table 6.1,
the RSA modulus n should be at least 1024 bit long, which results in a bit length for
RSA Parameters for 1024 bit-length modulus
Correctness of RSA
To Show
Decryption is the inverse function of encryption
Computationally Infeasible
I d ←−−−−−−−−−−−−−−−−−− (e, n)
I Since x is only unique up to the size of the modulus n, we
cannot encrypt more than l bits with one RSA encryption,
where l is the bit length of n.
I Easy encryption/decryption
I Implies need for fast exponentiation
I For a given n, there should be many private-key/public-key
pairs, otherwise an attacker might be able to perform a
brute-force attack.
The RSA Setting
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Setup Let p and q be large primes, let n = pq, and let e and y be
integers
Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.
Why?
Finding Φ(n) =⇒ breaking RSA
I Thus p, q must be secret
I As knowing p, q =⇒ knowing Φ(n)
the inverse of e. To show how this works, Listing 10-1 u
www.sagemath.org/),
SageMath (sagemath.org) an open-source Python-like Key enviro
Gen
many mathematical packages.
sage: p = random_prime(2^32); p
1103222539
sage: q = random_prime(2^32); q
17870599
sage: n = p*q; n
c
sage: phi = (p-1)*(q-1); phi
36567230045260644
sage: e = random_prime(phi); e
13771927877214701
sage: d = xgcd(e, phi)[1]; d
15417970063428857
sage: mod(d*e, phi)
1
sage: x = 1234567
sage: y = power_mod(x, e, n); y
19048323055755904
sage: power_mod(y, d, n)
1234567
Both risks seem closely connected, though we don’t know for sure
whether they are equivalent.
RSA Security
Malleability
Informally, ability to generate related ciphertexts without actually
querying the encryption oracle.
Malleability
Informally, ability to generate related ciphertexts without actually
querying the encryption oracle.
Padding
P RSA(n,e) C
algorithm