The document summarizes the RSA encryption algorithm. It begins by explaining that RSA was developed in 1977 by Rivest, Shamir and Adleman. It then provides an example to demonstrate how RSA works step-by-step, generating keys, encrypting a message and decrypting the ciphertext. Finally, it discusses some challenges with breaking RSA encryption, including brute force attacks and mathematical attacks based on factoring the encryption keys, as well as timing attacks that aim to deduce keys based on variations in processing time.

1. THE RSA ALGORITHM
BY,
SHASHANK SHETTY
ARUN DEVADIGA

2. INTRODUCTION
 By Rivest, Shamir & Adleman of MIT in 1977.
 Best known & widely used public-key scheme.
uses large integers (eg. 1024 bits)
 Based on exponentiation in a finite field over integers
modulo a prime
Plaintext is encrypted in blocks, with each block
having the binary value less than some number n.
Security due to cost of factoring large numbers.

3. RSA EXAMPLE 1

4. 1) Generate two large prime numbers, p and q
To make the example easy to follow I am going to use small numbers, but
this is not secure. To find random primes, we start at a random number and
go up ascending odd numbers until we find a prime. Lets have:
p=7
q = 19
2) Let n = pq
n = 7 * 19
= 133
3) Let m = (p - 1)(q - 1)
m = (7 - 1)(19 - 1)
= 6 * 18
= 108

5. 4) Choose a small number, e coprime to m (
 e coprime to m, means that the largest number that can exactly
divide both e and m (their greatest common divisor, or gcd) is 1.
Euclid's algorithm is used to find the GCD of two numbers.
e = 2 => GCD(108,e) = 2 (no)
e = 3 => GCD(108,e) = 3 (no)
e = 4 => GCD(108,e) = 4 (no)
e = 5 => GCD(108,e) = 1 (yes!)

6. 5) Find d, such that {de mod ɸ(n) = 1}
This is equivalent to finding d which satisfies de = 1 + km where k is
any integer. We can rewrite this as d = (1 + km) / e. Now we work
through values of k until an integer solution for e is found:
k = 0 => d = 1 / 5 (no)
k = 1 => d = 109 / 5 (no)
k = 2 => d = 217 / 5 (no)
k = 3 => d = 325 / 5
= 65 (yes!)
To do this with big numbers, a more sophisticated algorithm called
extended Euclid must be used.

7. Public Key
Secret Key
n = 133
e=5
m =108
d = 65
Communication
6) Encryption
The message must be a number less than the smaller of p and q. However, at
this point we don't know p or q, so in practice a lower bound on p and q must
be published. This can be somewhat below their true value and so isn't a major
security concern. For this example, lets use the message "6".
Cipher = (message)e mod n
= 65 mod 133
= 7776 mod 133
= 62

8. 7) Decryption
This works very much like encryption, but involves a larger
exponentiation, which is broken down into several steps.
message = (cipher)d mod n
= 6265 mod 133
= 62 * 6264 mod 133
= 62 * (622)32 mod133
= 62 * 384432 mod 133
= 62 * (3844 mod133)32 mod 133
= 62 * 12032 mod 133
We now repeat the sequence of operations that reduced 6265 to 12032 to
reduce the exponent down to 1.
= 62 * 3616 mod 133
= 62 * 998 mod 133
= 62 * 924 mod 133
= 62 * 852 mod 133
= 62 * 43 mod 133
= 2666 mod 133 = 6

9. Fermat's Theorem
ap-1 mod p = 1
where p is prime and gcd(a,p)=1
also known as Fermat’s Little Theorem
useful in public key and primality testing

10. EULER’S THEOREM & TOTIENT FUNCTION Ø(n)
•
Euler’s totient function (ɸ(n)), defined as the number of
positive integers less than n and relatively prime to n.
– for p (p prime)
– for p.q (p,q prime)
ø(p) = p-1
ø(p.q) = (p-1)(q-1)
• For Example: DETERMINE ɸ (37) and ɸ(35).
• Because 37 is prime, all of the positive integers from 1
through 36 are relatively prime to 37.Thus ɸ (37)=36.
• To determine ɸ(35), we list all of the positive integers less
than 35 that are relatively prime to it:
1, 2, 3, 4, 6, 8, 9, 11, 12, 13, 16, 17, 18
19, 22, 23, 24, 26, 27, 29, 31, 32, 33, 34
• There are 24 numbers on the list, so ɸ(35) = 24.

11. EULER’S THEOREM & TOTIENT FUNCTION Ø(n) (cont…)
(Generalization of Fermat’s Little Theorem)
In a more general sense what is (p-1)? Ø(p).
Ø(p) = Number of integers a < p such that (a, p) = 1.
This is obviously (p-1) because p is prime.
So we can say
akø(p)+1 ≡ a (mod p)
More generally, let n = p • q p prime, q prime.
akø(n)+1 ≡ a (mod n)
p = 3, q = 5, n = 15, Ø(n) = (3-1) • (5-1) = 8
a = 7:
78+1 = 7 (mod 15)
78k+1 = 7 (mod 15)
a = 5:
58+1 = 5 (mod 15)
58k+1 = 5 (mod 15)

12. CARMICHAEL’S THEOREM
( A Refinement of Euler’s Theorem)
 Is also called as reduced totient function.
Ø(n) = (p-1) • (q-1)
λ(n) = LCM{(p-1), (q-1)}
akλ(n)+1 ≡ a (mod n)
p = 3, q = 5, n = 15, Ø(n) = (3-1) • (5-1) = 8
λ(n) = LCM{(p-1), (q-1)} = LCM{2, 4} = 4
a = 7:
74+1 = 7 (mod 15)
74k+1 = 7 (mod 15)
a = 5:
54+1 = 5 (mod 15)
54k+1 = 5 (mod 15)

13. RSA EXAMPLE 2
Choose p = 19, q = 37, n = 703
Ø(n) = 648,
λ(n) = 36,
GCD{(p-1),(q-1)} = 18
Choose e = 5
CARMICHAEL d = 29
EULER d = 389
Both d’s will work, but Carmichael gives a much simpler d; in
this case security is reduced.

14. Factoring Problem
 Mathematical approach takes 3 forms:
– factor N=p.q, hence find ø(N) and then .
– determine ø(N) directly and find d
– find d directly

15. FERMAT FACTORIZATION
 Fermat factorization attempts to factor a number by
representing it as the difference of two squares.
• Proposition: Let n be an odd integer. There is a one-to-one
correspondence .
• Proof: If n=ab, n is odd so a and b are odd. Then a+b and a-b
are even, so (a+b)/2 and (a-b)/2 are integers. Now
expresses n as a difference of two squares. Conversely,
suppose n is written as as difference of squares:
Then n=(s+t) (s-t) is a factorization of n.

17. QUADRATIC SIEVE FACTORIZATION
Our goal is to find a nontrivial factorization of n:
• Consider the value n=1649, a composite number but not
divisible by any prime up to its logarithm.
and so on, with no squares in immediate sight.
• Note that while neither 32 nor 200 is a square, their
product is a square: 6400 = 802. Thus, since
•
we have
that is,

18. QUADRATIC SIEVE FACTORIZATION (cont…)
We have found a solution,
So, GCD (a+b, n) and GCD (a-b, n) must find the non
trivial factors of n.
 Hence the,
GCD( 114+80,1649)
GCD (194,1649)
GCD (194, 97)
GCD(97,0)
=97
and
and
and
and
and
GCD(114-80, 1649 )
GCD(34,1649)
GCD(34,17)
GCD(17,0)
=17
 So, 17 and 97 are the non trivial factor of 1649.

19. RSA Challenges:
•
•
•
•
•
RSA - 640 November 2, 2005
RSA $200,000 Challenge
RSA - DES Challenge
RSA - 576 Challenge
Cracking RSA
Ref: On the Cost of Factoring RSA-1024
Adi Shamir and Eran Tromer

20. What are RSA factoring Challenges???
 The RSA Factoring Challenge was a challenge put
forward by RSA Laboratories on March 18, 1991.
 to encourage research into computational number theory
and the practical difficulty of factoring large integers
and cracking RSA keys used in cryptography
 They published a list of semiprimes (numbers with
exactly two prime factors) known as the RSA numbers,
with a cash prize for the successful factorization of some
of them

21. RSA - 640 November 2, 2005
The factoring research team of F. Bahr, M. Boehm, J. Franke, T. Kleinjung
continued its productivity with a successful factorization of the challenge
number RSA-640, reported on November 2, 2005. The factors [verified by
RSA Laboratories] are:
16347336458092538484431338838650908598417836700330
92312181110852389333100104508151212118167511579
And
1900871281664822113126851573935413975471896789968
515493666638539088027103802104498957191261465571
The effort took approximately 30 2.2GHz-Opteron-CPU years according to
the submitters, over five months of calendar time. (This is about half the
effort for RSA-200, the 663-bit number that the team factored in 2004.)
Ref: RSA Laboratories - RSA-640 is factored!

22. RSA $200,000 Challenge
 RSA Security is running a factoring challenge that offers would-be code breakers a
prize of up to $200,000 for finding the two numbers of the kind used to create ultrasecure 2048-bit encryption key.
RSA-2048
Status: Not Factored
Decimal Digits: 617
25195908475657893494027183240048398571429282126204
03202777713783604366202070759555626401852588078440
69182906412495150821892985591491761845028084891200
72844992687392807287776735971418347270261896375014
97182469116507761337985909570009733045974880842840
17974291006424586918171951187461215151726546322822
16869987549182422433637259085141865462043576798423
38718477444792073993423658482382428119816381501067
48104516603773060562016196762561338441436038339044
14952634432190114657544454178424020924616515723350
77870774981712577246796292638635637328991215483143
81678998850404453640235273819513786365643912120103
97122822120720357
Decimal Digit Sum: 2738

23. RSA - DES Challenge
Identifier: DES-Challenge-III
Cipher: DES
Start: January 18, 1999 9:00 AM PST
Prize: $10,000
Plaintext: See you in Rome (second AES Conference, March 22-23, 1999)
Ciphertext:
bd 0d de 91 99 60 b8 8a 47 9c b1 5c 23 7b 81 18 99 05
45 bc de 82 01 ab 53 4d 6f 1c b4 30 63 3c ee cd 96 2e
07 c6 e6 95 99 9c 96 46 5a 95 70 02 02 70 98 bd 41 c2
88 a9 f0 2f 8b e5 48 20 d2 a8 a0 6b bf 93 de 89 f6 e2
52 fd 8a 25 eb d0 7d 96 83 ee a4 2d c8 8d 1b 71
REF: RSA Laboratories - DES Challenge III

24. RSA - 576 Challenge
 On December 3, 2003, a team of researchers in Germany and
several other countries reported a successful factorization of
the challenge number RSA-576. According to the
announcement by J. Franke:
 The factors [verified by RSA Laboratories] are
3980750864240649373971255005503864911990643623425267
08406385189575946388957261768583317
and
4727721461074353025362230719730482246329146953020971
16459852171130520711256363590397527
 Lattice sieving was done by J. Franke and T. Kleinjung
using Hardware of the Scientific Computing Institute and
the Pure Mathematics
REF: RSA Laboratories - RSA-576 is factored!

25. RSA EXAMPLE 3
Encryption
Decryption
Ciphertext
Plaintext
11
7
88 mod 187 = 11
11
23
Plaintext
mod 187 = 88
88
88
KU = 7, 187
KR = 23, 187
Figure 1. Example of RSA Algorithm

26. RSA Security
Three approaches to attacking RSA:
brute force key search (infeasible given size
of numbers)
mathematical attacks (based on difficulty of
computing ø(N), by factoring modulus N)
timing attacks (on running of decryption)

27. Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations
– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations

28. References
[1] William Stallings, “The cryptography and network
security”.
[2] RSA Laboratories, http://www.emc.com/emcplus/rsa-labs/historical/the-rsa-factoring-challengefaq.htm.
[3] Dr. Herong Yang, “Cryptography Tutorials - Herong's
Tutorial Example”,
http://www.herongyang.com/Cryptography/.