CS 553

CRYPTOGRAPHY

Lecture 24
RSA

Instructor
Dr. Dhiman Saha

Image Source: Google

1977 RSA

I In 1977, Ronald Rivest, Adi Shamir and Leonard Adleman

proposed a scheme which became the most widely used
asymmetric cryptographic scheme, RSA.
RSA Key Generation
 RSA Encryption

Given the public key (n, e) = kpub and the plaintext x, the
encryption function is:

y = ekpub (x) ≡ x e mod n

Here where x, y ∈ Zn .

I RSA encrypts plaintexts x, where we consider the bit string

representing x to be an element in Zn = {0, 1, · · · , n − 1}.
I As a consequence the binary value of the plaintext x must be
less than n.
I The value e is sometimes referred to as encryption exponent
or public exponent
 RSA Decryption

Given the private key d = kpr and and the ciphertext y , the
decryption function is:

x = dkpr (y ) ≡ y d mod n
Here x, y ∈ Zn .

I The private key d is sometimes called decryption exponent

or private exponent
 An Example

7.3 Key Generation and Proof of Correctness 177

Alice Bob
message x = 4 1. choose p = 3 and q = 11
2. n = p · q = 33
3. Φ (n) = (3 − 1)(11 − 1) = 20
4. choose e = 3
5. d ≡ e−1 ≡ 7 mod 20
k pub =(33,3)
←−−−−−−−−−−−−
y = xe ≡ 43 ≡ 31 mod 33
y=31
−−−−−−−−−−−−→
yd = 317 ≡ 4 = x mod 33

Note that the private and public exponents fulfill the condition e · d = 3 · 7 ≡
1 mod Φ (n).


Practical RSA parameters are much, much larger. As can be seen from Table 6.1,
the RSA modulus n should be at least 1024 bit long, which results in a bit length for
RSA Parameters for 1024 bit-length modulus
 Correctness of RSA

To Show
Decryption is the inverse function of encryption

dkpr (ekpub (x)) = x

 Points to Ponder

Computationally Infeasible
I d ←−−−−−−−−−−−−−−−−−− (e, n)
I Since x is only unique up to the size of the modulus n, we
cannot encrypt more than l bits with one RSA encryption,
where l is the bit length of n.
I Easy encryption/decryption
I Implies need for fast exponentiation
I For a given n, there should be many private-key/public-key
pairs, otherwise an attacker might be able to perform a
brute-force attack.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The RSA Setting

Setup Let p and q be large primes, let n = pq, and let e and y be
integers

Problem Solve the congruence x e ≡ y mod n for the variable x.

Easy Bob, who knows the values of p and q, can easily solve for x
Hard Eve, who does not know the values of p and q, cannot easily
find x.

Trapdoor Solving x e ≡ y mod n is easy for a person who possesses

certain extra information, but it is apparently hard for all
other people.
 The Number Φ(n)

I Crucial to RSA’s security

Why?
Finding Φ(n) =⇒ breaking RSA
I Thus p, q must be secret
I As knowing p, q =⇒ knowing Φ(n)
 the inverse of e. To show how this works, Listing 10-1 u
www.sagemath.org/),
SageMath (sagemath.org) an open-source Python-like Key enviro
Gen
many mathematical packages.

 sage: p = random_prime(2^32); p
1103222539
 sage: q = random_prime(2^32); q
17870599
 sage: n = p*q; n
c
 sage: phi = (p-1)*(q-1); phi
36567230045260644
 sage: e = random_prime(phi); e
13771927877214701
 sage: d = xgcd(e, phi)[1]; d
15417970063428857
 sage: mod(d*e, phi)
1

Listing 10-1: Generating RSA parameters using SageMath

SageMath (sagemath.org) RSA Enc/Dec

 sage: x = 1234567
 sage: y = power_mod(x, e, n); y
19048323055755904
 sage: power_mod(y, d, n)
1234567

Listing 10-2: Computing the RSA trapdoor permu

We assign the integer 1234567 to x 

power_mod(x, e, n), the exponentiation m
 RSA Security

How hard is it to find x without the trapdoor d?

I An attacker who can factor big numbers can break RSA by

recovering p and q and then Φ(n) in order to compute d from
e.
I An attackers ability to compute x from x e mod n, or e th roots
modulo n, without necessarily factoring n.

Both risks seem closely connected, though we don’t know for sure
whether they are equivalent.
 RSA Security

RSAs security level depends on three factors

I The size of modulus n
I The choice of p and q, and
I How the trapdoor permutation is used.

I What if n is too small?

I What if p, q are related of very different sizes?
I What if p, q are too close/small?
I Should the RSA trapdoor permutation be used directly for
encryption or signing?
 Textbook RSA Encryption

Textbook RSA Encryption

Used to describe the simplistic RSA encryption scheme
I The plaintext contains only the message you want to encrypt

Textbook RSA Encryption is deterministic

I Same plaintext =⇒ same ciphertext
 Breaking Malleability

Malleability
Informally, ability to generate related ciphertexts without actually
querying the encryption oracle.

Given two textbook RSA ciphertexts

I y1 = x1e mod n
I y2 = x2e mod n

What can you say about the ciphertext of (x1 × x2 )?

Multiplying the ciphertexts

y1 × y2 mod n = x1e × x2e mod n = (x1 × x2 )e mod n
 Breaking Malleability

Malleability
Informally, ability to generate related ciphertexts without actually
querying the encryption oracle.

Given two textbook RSA ciphertexts

I y1 = x1e mod n
I y2 = x2e mod n

What can you say about the ciphertext of (x1 × x2 )?

Multiplying the ciphertexts

y1 × y2 mod n = x1e × x2e mod n = (x1 × x2 )e mod n
 use Optimal Asymmetric Encryption Padding (OAEP), com
to as RSA-OAEP. This Strong RSA Encryption:
scheme involves creating a bit OAEP
string
Optimal Asymmetric Encryption Padding (OAEP)
modulus by padding the message with extra data and rando
applying the RSA function.

Padding
P RSA(n,e) C
algorithm

Figure 10-1: Encrypting a symmetric key, K, with RSA using

(n, e) as a public key
RSA-OAEP
This scheme involves creating a bit string as large as the modulus
by padding
Note OAEP the message
is referred with
to as extra data and
RSAES-OAEP inrandomness beforesuch as
official documents
applying the RSA function.
dard by the RSA company and NIST’s Special Publication 800-56B
on the earlier method now called PKCS#1 v1.5, which is one of the fi