
Highly Secure Systems

Asymmetric Key Cryptography – RSA

Dr Bobby Mee Loong Yang

Dr Bobby Yang 1/26


Outline

1 Asymmetric key cryptography operations
    2 main PKC algorithms – RSA, DH
2 RSA algorithm
    Mathematical basis of RSA
    Simple example (Schoolbook) RSA
3 Security of RSA
    Security basis of RSA
    Attacks on RSA
4 Applications of RSA



Motivations
• Alice and Bob are connected over the Internet. How can
Alice encrypt a message M to Bob without first sharing an
encryption key?
• Bob receives a message M from Alice. How can Bob
prove that Bob is the only person who could have created
the message?
• Alice connects to a website. How can Alice be sure that
the website is genuine?



Asymmetric key Cryptography operations
• Alice wishes to encrypt a message M to Bob.
• Bob has a public-private key pair $\langle k_{pub}, k_{pr} \rangle$.
• Bob sends his public key to Alice.

Bob → Alice: $k_{B,pub}$
Alice encrypts M: $C = E(M)_{k_{B,pub}}$
Alice → Bob: $C$
Bob decrypts: $M = D(E(M)_{k_{B,pub}})_{k_{B,pr}}$

• If M is encrypted with the public key, it can only be
decrypted with the private key, and vice versa.
• Analogy: Bob buys a padlock, keeps the key and sends the
lock to Alice. Alice gets a box, puts the document inside,
locks the box with the padlock, and sends it to Bob. Only
Bob can open the box with the key and retrieve the document.
Asymmetric key cryptography (PKC)

1. Public and private key pair, $\langle k_{pub}, k_{pr} \rangle$.
2. One-way function – infeasible to reverse, i.e. given $k_{pub}$ and
$C = E(M)_{k_{pub}}$, it is infeasible to find $E^{-1}$ without $k_{pr}$.
3. A trapdoor function D exists such that it is easy to reverse
the encryption using $k_{pr}$, i.e. $D(E(M)_{k_{pub}}, k_{pr}) = M$
• There are 2 main types of PKC algorithms:
  • RSA – Rivest, Shamir, and Adleman (1978)
  • DH – Diffie and Hellman (1976)



Some results from number theory
• Relatively prime: If gcd(a, n) = 1, then a and n are
relatively prime (coprime). The largest common divisor
between them is 1.
e.g. 3, 5, 8, 11... are relatively prime.
• Totient function: φ(n) is the number of positive integers in
{1, ...., n − 1} that are relatively prime to n.
e.g. if n = 10, then {1, 3, 7, 9} are relatively prime to 10,
φ(10) = 4.
• Euler’s theorem: If a is relatively prime to n, then
$a^{\varphi(n)} \equiv 1 \bmod n$
• Fermat’s Little theorem: If p is prime then for all
$a \in \{1, 2, \cdots, p-1\}$, $a^{p-1} \equiv 1 \bmod p$
e.g. try for p = 31, 61, 389, 571, 709, 937, ....



Fermat’s little theorem
• Let a be an integer and p be a prime, then for all
$a \in \{1, 2, \cdots, p-1\}$

$a^{p} \equiv a \bmod p$, i.e.
$a^{p-1} \equiv 1 \bmod p$
• Uses:
  • Testing if an integer is prime
  • Compute multiplicative inverse modulo a prime p
  $a^{-1} \equiv a^{p-2} \bmod p$



Totient function
• Let p, q be primes, n = pq, and $Z_n = \{1, 2, \cdots, n-1\}$
1. Distinct primes, $p \neq q$
• $Z_n = \{1, 2, \cdots, pq-1\}$ includes the $p(1, 2, \ldots, q-1)$ and
$q(1, 2, \cdots, p-1)$ terms (the multiples of p and of q)
E.g. p = 3, q = 5; n = 15,
$Z_{15} = \{1, 2, 3(1, 2, 3, 4), 5(1, 2), 4, 7, 8, 11, 13, 14\}$
• The number of integers in $Z_n$ which are coprime with
n is then

$\varphi(n) = (pq-1) - (q-1) - (p-1) = pq - p - q + 1 = (p-1)(q-1)$

E.g. in $Z_{15}$, $\varphi(15) = 14 - 4 - 2 = (5-1)(3-1) = 4 \times 2 = 8$

2. Non-distinct primes, p = q, then $n = p \cdot p = p^2$,
in $Z_n = \{1, 2, p(1, \cdots, p-1), \cdots, p^2-1\}$
$\varphi(n) = p^2 - 1 - (p-1) = p(p-1)$



Euler’s theorem – informal proof
• Consider the set of integers in $\{1, \cdots, n-1\}$ that are all relatively
prime with n, i.e. $S_n = \{s_1, s_2, \cdots, s_{\varphi(n)}\}$
The number of elements in $S_n$ is defined as the totient
function, $\varphi(n)$
e.g. If n = 10, $S_{10} = \{1, 3, 7, 9\}$, $\varphi(10) = 4$
• Multiply all the elements of $S_n$ by a, where gcd(a, n) = 1, to
get the set $S_{a,n} = \{as_1, as_2, as_3, \cdots, as_{\varphi(n)}\}$.
The sets $S_{a,n}$ and $S_n$ are equivalent classes mod n,
i.e. $S_{a,n} \equiv S_n \bmod n$
e.g. $S_{10} = \{1, 3, 7, 9\}$ with a = 3,
$S_{3,10} = \{(3 \times 1), (3 \times 3), (3 \times 7), (3 \times 9)\}$
i.e. $\{3, 9, 21, 27\} \equiv \{3, 9, 1, 7\} \bmod 10$



Euler’s theorem – cont’d
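• Product of all elements in $S_n$: $P_n = s_1 \cdot s_2 \cdots s_{\varphi(n)}$
and in $S_{a,n}$: $P_{a,n} = (a \cdot s_1) \cdot (a \cdot s_2) \cdots (a \cdot s_{\varphi(n)})$
• e.g.
$P_{10} = 1 \cdot 3 \cdot 7 \cdot 9$, and
$P_{3,10} = (3 \times 1) \cdot (3 \times 3) \cdot (3 \times 7) \cdot (3 \times 9) = 3^4 (1 \cdot 3 \cdot 7 \cdot 9) = 3^4 P_{10}$
i.e. $P_{a,n} = a^{\varphi(n)} P_n$
• In general, for the product $P_{\varphi(n)}$ of all elements in the set $S_n$ (where
all $s_i$ are relatively prime to n), if gcd(a, n) = 1, then
$(as_1 \cdot as_2 \cdot as_3 \cdots as_{\varphi(n)}) = a^{\varphi(n)} (s_1 \cdot s_2 \cdots s_{\varphi(n)}) = a^{\varphi(n)} P_{\varphi(n)}$
• LHS: $(as_1 \cdot as_2 \cdots as_{\varphi(n)}) \equiv (s_1 \cdot s_2 \cdots s_{\varphi(n)}) \equiv P_{\varphi(n)} \bmod n$,
then $P_{\varphi(n)} \equiv a^{\varphi(n)} P_{\varphi(n)} \bmod n$.
Since $P_{\varphi(n)}^{-1} \bmod n$ exists, we have

$a^{\varphi(n)} \equiv 1 \bmod n$
where $\varphi(n)$ is the number of elements in $\{1, 2, \cdots, n-1\}$
that are relatively prime to n, and gcd(a, n) = 1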
Chinese Remainder Theorem SunZi

“There are certain things whose number is unknown.
If we count them by threes, we have two left over; by
fives, we have three left over; and by sevens, two
are left over. How many things are there?” – Sunzi
(3rd century AD)

x ≡ 2 mod 3
x ≡ 3 mod 5
x ≡ 2 mod 7



Chinese remainder theorem
• Problem: What number when divided by $p_1$ leaves $a_1$,
divided by $p_2$ leaves $a_2$, divided by $p_3$ leaves $a_3$, etc.? i.e.
$x \equiv a_1 \bmod p_1$
$x \equiv a_2 \bmod p_2$
$\vdots$
$x \equiv a_m \bmod p_m$
• Theorem: If $p_1, p_2, \cdots, p_m$ are pairwise coprime, then a
unique solution exists.
• First stated by Chinese mathematician, Sun Tzu (3rd
century AD)



Chinese remainder theorem
• The CRT is useful for proving the correctness of RSA and also
for the decryption operation.
• Theorem: Consider only two equivalences. If p and q are
coprime, given

$x \equiv a \bmod p$
$x \equiv b \bmod q$
then $x \equiv c \bmod pq$ has a unique solution for x,
where $c = (p+q)^{-1}(qa + pb)$

• Example: What number divided by 5 leaves 4, divided by 7
leaves 3?



CRT example
• Example: What number divided by 5 leaves a remainder of 4,
divided by 7 leaves 3? i.e.

$x \equiv 4 \bmod 5$
$x \equiv 3 \bmod 7$
write $x \equiv c \bmod 35$

where
$c = (5+7)^{-1}(4 \times 7 + 3 \times 5)$
$c = 12^{-1} \cdot 43 = 3 \cdot 43 = 24 \bmod 35$
Ans: 24



RSA algorithm
1 Choose 2 distinct prime numbers p, q, compute n = p · q.
The number of positive integers < n and relatively prime to
n is $\varphi(n) = (p-1)(q-1)$
2 Compute the public and private exponents $\langle e, d \rangle$.
  • Compute e, d < n, and $e \neq d$ such that $e \cdot d \equiv 1 \bmod \varphi$,
  i.e. $e \cdot d = k\varphi + 1$ for some integer k
  • or, choose a suitable value of e such that $\gcd(e, \varphi) = 1$,
  then $d \equiv e^{-1} \bmod \varphi$
Key-pair: private key $\langle d, n \rangle$, public key $\langle e, n \rangle$
3 Encrypt message M, $C \equiv M^e \bmod n$
4 Decrypt ciphertext $C^d \equiv (M^e)^d \bmod n$



RSA correctness
• Decryption of $C \equiv M^e \bmod n$
• If gcd(M, n) = 1, i.e. M and n are relatively prime, let k be an
integer and write
$P \equiv C^d \bmod n \equiv M^{ed} \bmod n \equiv M^{k\varphi(n)+1} \bmod n$
Using Euler’s theorem, $M^{\varphi(n)} \equiv 1 \bmod n$
Then, $P \equiv M \cdot M^{k\varphi(n)} \equiv M \bmod n$



• If $\gcd(M, n) \neq 1$

Let $P \equiv C^d \bmod p$
and $P \equiv C^d \bmod q$
by CRT, $P \equiv (p+q)^{-1}(qC^d + pC^d) \bmod pq \equiv C^d \bmod pq$
i.e. $P \equiv C^d \bmod n$

Consider solving $P \equiv C^d \bmod p$ instead of $P \equiv C^d \bmod n$

Now, $P \equiv (M^e)^d \equiv M^{ed} \equiv M^{k\varphi(n)+1} \bmod p$
since p is prime, $(M^{k(q-1)})^{(p-1)} \bmod p \equiv 1 \bmod p$
Then, $P = M \cdot (M^{k(q-1)})^{p-1} \equiv M \cdot 1 \bmod p$
Similarly, for $P \equiv C^d \bmod q$



Simple “school book” RSA example
• Public and private keys for Bob: choose primes p = 5, q = 13
Compute n = p · q = 5 × 13 = 65
Totient φ = (p − 1)(q − 1) = 4 × 12 = 48
Find distinct e, d < n such that $e \cdot d \equiv 1 \pmod{48}$
try e = 5, d = 29; check: 5 × 29 = 145 ≡ 1 (mod 48)
Private key: $\langle d, 65 \rangle = \langle 29, 65 \rangle$
Public key: $\langle e, 65 \rangle = \langle 5, 65 \rangle$
• Alice has message M = 33 for Bob. She obtains Bob’s public
key $\langle e, n \rangle$, encrypts and sends to Bob

$C \equiv M^e \equiv 33^5 \pmod{65} = 63$

• Bob obtains C, decrypts

$C^d \equiv 63^{29} \pmod{65} = 33 = M$


• Solution using CRT?
Solution using CRT

Let $d_p \equiv d \bmod (p-1)$, and $C_p \equiv C \bmod p$

then, $C_p^{d_p} \equiv C_p^{k_1(p-1)+d} \equiv C_p^{d} \bmod p$
i.e. $C_p^{d} \equiv C_p^{d_p} \bmod p$
since $C_p \equiv C \bmod p$,
we can write $C^d \equiv C_p^{d_p} \bmod p$ ...... (1)
Similarly, $d_q \equiv d \bmod (q-1)$, and $C_q \equiv C \bmod q$
we can get $C^d \equiv C_q^{d_q} \bmod q$ ...... (2)
From (1) & (2) using CRT,
Decryption, $C^d \equiv (p+q)^{-1}(qC_p^{d_p} + pC_q^{d_q}) \bmod n$

Note: $C_p$, $C_q$ and $d_p$, $d_q$ are much smaller in size.
The values of $d_p$, $d_q$, and the inverse can be precomputed.
Example
• Given ciphertext C = 63, decrypt C knowing p = 5, q = 13,
and d = 29, n = 65
Calculate $d_p \equiv 29 \bmod (p-1) \equiv 1$,
$d_q \equiv 29 \bmod (q-1) \equiv 5$
• Calculate $C_p \equiv 63 \bmod 5 \equiv 3$;
then, $C_p^{d_p} \equiv 3^1 \equiv 3 \bmod 5$
• $C_q \equiv 63 \bmod 13 \equiv 11$
then, $C_q^{d_q} \equiv 11^5 \equiv 7 \bmod 13$
• Hence using CRT, $C^d \equiv (p+q)^{-1}(qC_p^{d_p} + pC_q^{d_q}) \bmod n$
$C^d \equiv (5+13)^{-1}(13 \times 3 + 5 \times 7) \bmod 65 \equiv 33$
• $d_p$, $d_q$ and $(p+q)^{-1} \bmod n$ can be pre-computed.
• $d_p$, $d_q$ and $C_p$, $C_q$ are much smaller than d and C, resp.
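
The schoolbook key generation, encryption and both decryption routes worked through above, as an added example that is not part of the original slides. Function names are illustrative assumptions; the CRT step uses the slides' combination formula $(p+q)^{-1}(qC_p^{d_p} + pC_q^{d_q}) \bmod n$, and the code has no padding and only toy primes, so it is for study only.

```python
# Added example: schoolbook RSA with the slides' toy parameters p=5, q=13, e=5.
from math import gcd


def keygen(p, q, e):
    """Return (n, e, d) for distinct primes p, q and public exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # d = e^-1 mod phi(n), Python 3.8+
    return n, e, d


def encrypt(m, e, n):
    """C = M^e mod n."""
    return pow(m, e, n)


def decrypt(c, d, n):
    """M = C^d mod n, one full-size exponentiation."""
    return pow(c, d, n)


def decrypt_crt(c, d, p, q):
    """M via two half-size exponentiations recombined with the CRT."""
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)  # precomputable
    mp = pow(c % p, dp, p)             # C_p^dp mod p
    mq = pow(c % q, dq, q)             # C_q^dq mod q
    inv = pow(p + q, -1, n)            # (p+q)^-1 mod n, precomputable
    return inv * (q * mp + p * mq) % n


if __name__ == "__main__":
    p, q = 5, 13
    n, e, d = keygen(p, q, 5)
    c = encrypt(33, e, n)
    print("n, e, d =", n, e, d)
    print("C =", c)
    print("direct:", decrypt(c, d, n), "CRT:", decrypt_crt(c, d, p, q))
    # Round-trip every residue, including those with gcd(M, n) != 1
    print(all(decrypt_crt(encrypt(m, e, n), d, p, q) == m for m in range(n)))
```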



Implementation considerations
• Modular exponentiation using square-and-multiply: e.g.

$x^{26} = ((((x)^2 \cdot x)^2)^2 \cdot x)^2$

$x \xrightarrow{SQ} x^2 \xrightarrow{MUL} x^3 \xrightarrow{SQ} x^6 \xrightarrow{SQ} x^{12} \xrightarrow{MUL} x^{13} \xrightarrow{SQ} x^{26}$

• Fast encryption using short public exponents, e.g.
$e = 3, 17, 2^{16} + 1$
• Fast decryption using Chinese Remainder Theorem (CRT)
if p and q are known.
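
Square-and-multiply as described above, as an added example that is not part of the original slides (function names are illustrative assumptions). It records the SQ/MUL sequence so the $x^{26}$ chain and the cost of the short exponents 3, 17 and $2^{16}+1$ can be checked directly.

```python
# Added example: left-to-right square-and-multiply with an operation trace.

def square_and_multiply(x, e, n):
    """Return (x^e mod n, list of operations performed)."""
    if e < 1:
        raise ValueError("exponent must be >= 1")
    result, ops = x % n, []
    # bin(e) is '0b1...'; the leading 1 bit is the starting value x itself.
    for bit in bin(e)[3:]:
        result = result * result % n      # always square
        ops.append("SQ")
        if bit == "1":                    # multiply only on a 1 bit
            result = result * x % n
            ops.append("MUL")
    return result, ops


def op_count(e):
    """Number of modular operations needed for exponent e."""
    return len(square_and_multiply(2, e, 3)[1])


if __name__ == "__main__":
    value, ops = square_and_multiply(7, 26, 1000003)
    print(value == pow(7, 26, 1000003), " ".join(ops))
    # Short public exponents need few operations; the slides' d = 29 is
    # only small because the example key is a toy.
    for e in (3, 17, 2**16 + 1, 29):
        print(e, op_count(e))
    # The MUL steps follow the exponent's 1 bits, so the operation sequence
    # depends on the exponent being used.
    print(square_and_multiply(63, 29, 65)[0])
```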



Finding large primes
• Probability that an odd number p̃ is prime, from the prime
number theorem, is $P(\tilde{p} \text{ is prime}) \approx \frac{2}{\ln(\tilde{p})}$
e.g. probability of finding a 512-bit prime number is $\approx \frac{1}{177}$
• Primality tests
• Fermat’s test: Choose a number a; p̃ is likely prime if
$a^{\tilde{p}-1} \equiv 1 \bmod \tilde{p}$
Several runs are needed, and p̃ must not be a “Carmichael
number”, which is not prime but behaves like one, e.g. 561
• Rabin-Miller test:
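
Fermat's test next to a Miller-Rabin test on the Carmichael number 561 named above, as an added example that is not part of the original slides. It goes beyond the slide text by implementing Miller-Rabin; the function names and the fixed bases (2, 5, 7, 13) are assumptions for the demonstration, whereas key generation uses randomly chosen bases.

```python
# Added example: Fermat test vs. Miller-Rabin on 561 and on the slides' primes.

def fermat_test(n, bases):
    """True if a^(n-1) = 1 (mod n) for every base, i.e. 'likely prime'."""
    return all(pow(a, n - 1, n) == 1 for a in bases)


def miller_rabin(n, bases):
    """True if n passes the strong pseudoprime test for every base."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:              # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):     # trivial bases carry no information
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False           # a is a witness: n is composite
    return True


BASES = (2, 5, 7, 13)              # all coprime to 561 = 3 * 11 * 17
SLIDE_PRIMES = (31, 61, 389, 571, 709, 937)


def classify(n):
    return {"fermat": fermat_test(n, BASES),
            "miller_rabin": miller_rabin(n, BASES)}


if __name__ == "__main__":
    for n in SLIDE_PRIMES + (561, 65):
        print(n, classify(n))
```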



RSA algorithm security and operations
• If n is large (≥ 1024 bits), it is infeasible to factorise it
into its two prime numbers. In 2018, a 762-bit number was
factorized.
• The time required increases exponentially with the size of n
• Today, use sizes of 1024, 2048 or 4096 bits or more
⋆ Quantum computers would easily factorize large numbers
quickly, breaking RSA
• In the private key $\langle d, n \rangle$, d is usually very large, i.e. the private
key operation is very slow
The private key must be stored very securely.
• In the public key $\langle e, n \rangle$, e is very much smaller, i.e. public
key operations are much faster
The public key can be freely distributed



How can RSA be broken?
• Theoretically quite safe but for implementation flaws
• Lots of ways to break RSA due to:
  • poor choice of prime numbers p, q
    • small factors of (p − 1), (q − 1), (p + 1), or (q + 1)
    • if $p/q \approx 1$, Fermat’s method can be used to factorize n
  • Weak keys
    • low entropy
    • small private exponent, esp. if $d < \frac{1}{3} n^{1/4}$
  • Side channel attacks - power consumption, etc.
  • Fault injection
• Quantum algorithm will probably kill RSA in 20 ∼ 25 yrs
• To be safe, use at least 1024 bits, preferably 2048 bits, or
more



Side channel attack



Applications of RSA Algorithm
RSA has 3 main applications which are widely used and
enable secure transactions on the Internet.
1. Session key transport (Key exchange) – Confidentiality
2. Digital signatures – for Non-Repudiation
3. Authentication – proof of identity using public key
Extensively used on the Internet
• Authentication of origin using digital signatures
• Authentication of devices – hosts, servers
• Blockchains
• Electronic passports
