RSA Cryptosystem    6/8/2002 2:20 PM


RSA Cryptosystem

    Estimated resources needed to factor a number within one year

    Bits      PCs          Memory
    430       1            128MB
    760       215,000      4GB
    1,020     342×10^6     170GB
    1,620     1.6×10^15    120TB


Outline
    Euler’s theorem (§10.1.3)
    RSA cryptosystem (§10.2.3)
        Definition
        Example
        Security
        Correctness
    Algorithms for RSA
        Modular power (§10.1.4)
        Modular inverse (§10.1.5)
        Randomized primality testing (§10.1.6)




Euler’s Theorem
    The multiplicative group for Zn, denoted with Z*n, is the subset of elements of Zn relatively prime with n
    The totient function of n, denoted with φ(n), is the size of Z*n
    Example
        Z*10 = { 1, 3, 7, 9 }    φ(10) = 4
    If p is prime, we have
        Z*p = {1, 2, …, (p − 1)}    φ(p) = p − 1
    Euler’s Theorem
        For each element x of Z*n, we have x^φ(n) mod n = 1
    Example (n = 10)
        3^φ(10) mod 10 = 3^4 mod 10 = 81 mod 10 = 1
        7^φ(10) mod 10 = 7^4 mod 10 = 2401 mod 10 = 1
        9^φ(10) mod 10 = 9^4 mod 10 = 6561 mod 10 = 1


RSA Cryptosystem
    Setup:
        n = pq, with p and q primes
        e relatively prime to φ(n) = (p − 1)(q − 1)
        d inverse of e in Zφ(n)
    Keys:
        Public key: KE = (n, e)
        Private key: KD = d
    Encryption:
        Plaintext M in Zn
        C = M^e mod n
    Decryption:
        M = C^d mod n

    Example
        Setup:
            p = 7, q = 17
            n = 7⋅17 = 119
            φ(n) = 6⋅16 = 96
            e = 5
            d = 77 (5⋅77 = 385 = 4⋅96 + 1)
        Keys:
            public key: (119, 5)
            private key: 77
        Encryption:
            M = 19
            C = 19^5 mod 119 = 66
        Decryption:
            M = 66^77 mod 119 = 19
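The definitions on the Euler’s Theorem slide, as an added Python example (not code from the slides or the book): Z*n and φ(n) are computed by brute force with math.gcd, Euler’s theorem is checked for every element of Z*n, and a last function shows the flip side that the RSA correctness proof relies on, namely that elements outside Z*n never satisfy x^φ(n) mod n = 1. The function names are my own.

```python
from math import gcd


def mult_group(n):
    """Z*n: the elements of Zn = {0, ..., n-1} that are relatively prime to n."""
    return [x for x in range(n) if gcd(x, n) == 1]


def totient(n):
    """phi(n) = |Z*n|, computed by brute force (fine for the small n used in the slides)."""
    return len(mult_group(n))


def euler_theorem_holds(n):
    """Euler's theorem: x^phi(n) mod n == 1 for every x in Z*n (checked exhaustively)."""
    phi = totient(n)
    return all(pow(x, phi, n) == 1 for x in mult_group(n))


def euler_fails_outside_group(n):
    """For n >= 2, an x in Zn that shares a factor with n can never satisfy
    x^phi(n) mod n == 1: that would make x invertible in Zn.  This is why the RSA
    correctness argument restricts the plaintext M to Z*n."""
    phi = totient(n)
    outside = [x for x in range(n) if gcd(x, n) != 1]
    return all(pow(x, phi, n) != 1 for x in outside)


if __name__ == "__main__":
    # Slide values: Z*10 = {1, 3, 7, 9}, phi(10) = 4, phi(7) = 6, phi(119) = 6*16 = 96
    print(mult_group(10), totient(10), totient(7), totient(119))
    for x in mult_group(10):
        print(f"{x}^{totient(10)} mod 10 =", pow(x, totient(10), 10))
    print(euler_theorem_holds(119), euler_fails_outside_group(119))
```

For n = pq with p, q prime the brute-force count agrees with the formula (p − 1)(q − 1) used on the RSA slide, which is the only way φ(n) is ever computed in practice: an attacker who could evaluate totient(n) for a real RSA modulus could factor it.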




Complete RSA Example
    Setup:
        p = 5, q = 11
        n = 5⋅11 = 55
        φ(n) = 4⋅10 = 40
        e = 3
        d = 27 (3⋅27 = 81 = 2⋅40 + 1)
    Encryption
        C = M^3 mod 55
    Decryption
        M = C^27 mod 55

    M     1     2     3     4     5     6     7     8     9    10    11    12    13    14    15    16    17    18
    C     1     8    27     9    15    51    13    17    14    10    11    23    52    49    20    26    18     2

    M    19    20    21    22    23    24    25    26    27    28    29    30    31    32    33    34    35    36
    C    39    25    21    33    12    19     5    31    48     7    24    50    36    43    22    34    30    16

    M    37    38    39    40    41    42    43    44    45    46    47    48    49    50    51    52    53    54
    C    53    37    29    35     6     3    32    44    45    41    38    42     4    40    46    28    47    54


Security
    The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers
    The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored
    The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers
    In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits)

    In 1999, a 512-bit number was factored in 4 months using the following computers:
        160 175-400 MHz SGI and Sun
        8 250 MHz SGI Origin
        120 300-450 MHz Pentium II
        4 500 MHz Digital/Compaq

    Estimated resources needed to factor a number within one year

    Bits      PCs          Memory
    430       1            128MB
    760       215,000      4GB
    1,020     342×10^6     170GB
    1,620     1.6×10^15    120TB








Correctness
    We show the correctness of the RSA cryptosystem for the case when the plaintext M does not divide n
    Namely, we show that
        (M^e)^d mod n = M
    Since ed mod φ(n) = 1, there is an integer k such that
        ed = kφ(n) + 1
    Since M does not divide n (M is relatively prime to n, i.e. M ∈ Z*n, which is what Euler’s theorem requires), by Euler’s theorem we have
        M^φ(n) mod n = 1
    Thus, we obtain
        (M^e)^d mod n =
        M^(ed) mod n =
        M^(kφ(n) + 1) mod n =
        M M^(kφ(n)) mod n =
        M (M^φ(n))^k mod n =
        M (M^φ(n) mod n)^k mod n =
        M (1)^k mod n =
        M mod n =
        M
    See the book for the proof of correctness in the case when the plaintext M divides n


Algorithmic Issues
    The implementation of the RSA cryptosystem requires various algorithms
    Overall
        Representation of integers of arbitrarily large size and arithmetic operations on them
    Setup
        Generation of random numbers with a given number of bits (to generate candidates p and q)
        Primality testing (to check that candidates p and q are prime)
        Computation of the GCD (to verify that e and φ(n) are relatively prime)
        Computation of the multiplicative inverse (to compute d from e)
    Encryption
        Modular power
    Decryption
        Modular power
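The setup, encryption and decryption of the RSA slides, reproducing both worked examples (p = 7, q = 17, e = 5 and the Complete RSA Example with p = 5, q = 11, e = 3) and checking the correctness claim, as an added Python example that is not code from the slides or the book. Python’s built-in three-argument pow is used for the modular power and pow(e, −1, φ(n)) (Python 3.8+) for the modular inverse; the function names are my own. The last function checks decryption for every M in Zn, including the plaintexts that share a factor with n, the case the slides defer to the book.

```python
from math import gcd


def rsa_setup(p, q, e):
    """RSA setup as on the slide: n = pq, phi(n) = (p-1)(q-1), e relatively prime
    to phi(n), d = inverse of e in Z_phi(n).  Returns (KE, KD) = ((n, e), d).
    pow(e, -1, m) raises ValueError when gcd(e, m) != 1; the explicit gcd check
    below gives a clearer message for that setup error."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not relatively prime to phi(n)={phi}")
    d = pow(e, -1, phi)
    return (n, e), d


def encrypt(public_key, m):
    """C = M^e mod n for a plaintext M in Z_n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an element of Z_n")
    return pow(m, e, n)


def decrypt(public_key, d, c):
    """M = C^d mod n."""
    n, _ = public_key
    return pow(c, d, n)


def encryption_table(public_key):
    """The M -> C table of the Complete RSA Example, for every M in Z_n."""
    n, _ = public_key
    return {m: encrypt(public_key, m) for m in range(n)}


def roundtrips_for_all_plaintexts(p, q, e):
    """Decrypt(Encrypt(M)) == M for every M in Z_n, including the M that share a
    factor with n.  The slides prove only the case M in Z*n; the general case holds
    because n = pq is square-free, so the argument can be made modulo p and modulo q
    separately and combined (Chinese remainder theorem)."""
    public_key, d = rsa_setup(p, q, e)
    n = public_key[0]
    return all(decrypt(public_key, d, encrypt(public_key, m)) == m for m in range(n))


if __name__ == "__main__":
    # Slide example: p = 7, q = 17, e = 5  ->  n = 119, phi(n) = 96, d = 77
    ke, kd = rsa_setup(7, 17, 5)
    c = encrypt(ke, 19)
    print(ke, kd, c, decrypt(ke, kd, c))        # (119, 5) 77 66 19
    # Complete RSA Example: p = 5, q = 11, e = 3  ->  n = 55, d = 27
    ke55, kd55 = rsa_setup(5, 11, 3)
    table = encryption_table(ke55)
    print(kd55, [table[m] for m in range(1, 19)])
    print(roundtrips_for_all_plaintexts(5, 11, 3))
```

Note that this is the textbook ("raw") RSA of the slides: it is deterministic and a plaintext is recovered from the table by inspection, which is why real systems add randomized padding before exponentiation.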




Modular Power
    The repeated squaring algorithm speeds up the computation of a modular power a^p mod n
    Write the exponent p in binary
        p = p_{b−1} p_{b−2} … p_1 p_0
    Start with
        Q_1 = a^{p_{b−1}} mod n
    Repeatedly compute
        Q_i = ((Q_{i−1})^2 mod n) a^{p_{b−i}} mod n
    We obtain
        Q_b = a^p mod n
    The repeated squaring algorithm performs O(log p) arithmetic operations
    Example
        3^18 mod 19 (18 = 10010)
        Q_1 = 3^1 mod 19 = 3
        Q_2 = (3^2 mod 19) 3^0 mod 19 = 9
        Q_3 = (9^2 mod 19) 3^0 mod 19 = 81 mod 19 = 5
        Q_4 = (5^2 mod 19) 3^1 mod 19 = (25 mod 19) 3 mod 19 = 18 mod 19 = 18
        Q_5 = (18^2 mod 19) 3^0 mod 19 = (324 mod 19) mod 19 = (17⋅19 + 1) mod 19 = 1

        p_{5−i}          1    0    0    1    0
        3^{p_{5−i}}      3    1    1    3    1
        Q_i              3    9    5   18    1


Modular Inverse
    Theorem
        Given positive integers a and b, let d be the smallest positive integer such that
            d = ia + jb
        for some integers i and j. We have
            d = gcd(a,b)
    Example
        a = 21
        b = 15
        d = 3
        i = 3, j = −4
        3 = 3⋅21 + (−4)⋅15 = 63 − 60 = 3
    Given positive integers a and b, the extended Euclid’s algorithm computes a triplet (d,i,j) such that
        d = gcd(a,b)
        d = ia + jb
    To test the existence of and compute the inverse of x ∈ Zn, we execute the extended Euclid’s algorithm on the input pair (x,n)
    Let (d,i,j) be the triplet returned
        d = ix + jn
    Case 1: d = 1
        i is the inverse of x in Zn
    Case 2: d > 1
        x has no inverse in Zn
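The repeated squaring recurrence of the Modular Power slide and the extended Euclid’s algorithm of the Modular Inverse slide, as one added Python example (not code from the slides or the book; function names are my own). mod_power returns the intermediate values Q_1, …, Q_b so the trace for 3^18 mod 19 can be compared with the table; extended_euclid returns a triplet (d, i, j) with d = ia + jb, and for (21, 15) it returns (3, −2, 3) rather than the slide’s (3, 3, −4), since any pair i, j with 3 = 21i + 15j is a valid answer; mod_inverse applies the two cases on the input pair (x, n).

```python
def mod_power(a, p, n):
    """Repeated squaring, following the slide's recurrence:
    write p in binary p_{b-1} ... p_0, start with Q_1 = a^{p_{b-1}} mod n and
    compute Q_i = ((Q_{i-1})^2 mod n) * a^{p_{b-i}} mod n; then Q_b = a^p mod n.
    Returns (a^p mod n, [Q_1, ..., Q_b]).  One squaring and at most one extra
    multiplication per bit, so O(log p) arithmetic operations."""
    if p == 0:
        return 1 % n, []
    bits = bin(p)[2:]                 # most significant bit first; bits[0] == "1"
    q = (a ** int(bits[0])) % n       # Q_1
    trace = [q]
    for bit in bits[1:]:
        q = (q * q) % n               # (Q_{i-1})^2 mod n
        if bit == "1":
            q = (q * a) % n           # times a^{p_{b-i}}, which is a when the bit is 1
        trace.append(q)
    return q, trace


def extended_euclid(a, b):
    """Extended Euclid's algorithm: returns (d, i, j) with d = gcd(a, b) = i*a + j*b."""
    if b == 0:
        return a, 1, 0
    d, i1, j1 = extended_euclid(b, a % b)
    # d = i1*b + j1*(a mod b) = i1*b + j1*(a - (a//b)*b) = j1*a + (i1 - (a//b)*j1)*b
    return d, j1, i1 - (a // b) * j1


def mod_inverse(x, n):
    """Inverse of x in Z_n via extended Euclid on (x, n), giving d = i*x + j*n.
    Case 1 (d = 1): i, reduced mod n, is the inverse.  Case 2 (d > 1): no inverse -> None."""
    d, i, _ = extended_euclid(x, n)
    if d != 1:
        return None
    return i % n


if __name__ == "__main__":
    print(mod_power(3, 18, 19))         # (1, [3, 9, 5, 18, 1]), the slide's table
    print(extended_euclid(21, 15))      # (3, -2, 3): 3 = -2*21 + 3*15
    print(mod_inverse(5, 96))           # 77, the RSA example's d
    print(mod_inverse(3, 40))           # 27, the Complete RSA Example's d
    print(mod_inverse(4, 10))           # None, since gcd(4, 10) = 2 > 1
```

For RSA key setup, mod_inverse(e, φ(n)) returning None is exactly the "e not relatively prime to φ(n)" failure, so the GCD check and the inverse computation listed on the Algorithmic Issues slide are one call.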




Pseudoprimality Testing
    The number of primes less than or equal to n is about n / ln n
    Thus, we expect to find a prime among O(b) randomly generated numbers with b bits each
    Testing whether a number is prime (primality testing) is believed to be a hard problem
    An integer n ≥ 2 is said to be a base-x pseudoprime if
        x^(n − 1) mod n = 1 (Fermat’s little theorem)
    Composite base-x pseudoprimes are rare:
        A random 100-bit integer is a composite base-2 pseudoprime with probability less than 10^−13
        The smallest composite base-2 pseudoprime is 341
    Base-x pseudoprimality testing for an integer n:
        Check whether x^(n − 1) mod n = 1
        Can be performed efficiently with the repeated squaring algorithm


Randomized Primality Testing
    Compositeness witness function witness(x, n) with error probability q for a random variable x
        Case 1: n is prime
            witness w(x, n) = false
        Case 2: n is composite
            witness w(x, n) = false with probability q < 1
    Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating witness(x, n)
    A variation of base-x pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm)

    Algorithm RandPrimeTest(n, k)
        Input: integer n, confidence parameter k and compositeness witness function witness(x,n) with error probability q
        Output: an indication of whether n is composite or prime, wrong with probability at most 2^−k
        t ← k/log2(1/q)
        for i ← 1 to t
            x ← random()
            if witness(x,n) = true
                return “n is composite”
        return “n is prime”
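The base-x pseudoprimality test and the RandPrimeTest algorithm of the two slides above, as an added Python example that is not code from the slides or the book. The witness function is the Rabin-Miller variation the slide mentions; its error probability q ≤ 1/4 per trial is the standard Miller-Rabin bound and is assumed here, not stated on the slide. The example shows why the variation is needed: 341, the smallest composite base-2 pseudoprime, passes the Fermat check but is caught by the Rabin-Miller witness. Function names and the seed parameter are my own.

```python
import math
import random


def fermat_pseudoprime(n, x):
    """Base-x pseudoprimality test: n is a base-x pseudoprime if x^(n-1) mod n == 1.
    Every prime passes (Fermat's little theorem); some composites pass too."""
    return pow(x, n - 1, n) == 1


def miller_rabin_witness(x, n):
    """Compositeness witness function (Rabin-Miller) for 2 <= x <= n-2.
    Write n - 1 = 2^s * r with r odd.  x does NOT witness compositeness when
    x^r == 1 or x^(2^t * r) == n - 1 for some 0 <= t < s; otherwise it does.
    Returns False for every x when n is prime; for composite n it returns False
    with probability at most q = 1/4 over a random x (assumed standard bound)."""
    if n < 3 or n % 2 == 0:
        return n != 2                       # 2 is prime; other even n are composite
    r, s = n - 1, 0
    while r % 2 == 0:
        r //= 2
        s += 1
    y = pow(x, r, n)
    if y == 1 or y == n - 1:
        return False
    for _ in range(s - 1):
        y = (y * y) % n
        if y == n - 1:
            return False
    return True                             # x witnesses that n is composite


def num_trials(k, q):
    """t = ceil(k / log2(1/q)): trials needed so that q^t <= 2^-k."""
    return math.ceil(k / math.log2(1 / q))


def rand_prime_test(n, k, witness=miller_rabin_witness, q=0.25, seed=None):
    """RandPrimeTest(n, k): returns True for "n is prime" and False for "n is composite".
    A False answer is always correct; a True answer is wrong with probability at most 2^-k."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)               # seed only for reproducible demonstrations
    for _ in range(num_trials(k, q)):
        x = rng.randint(2, n - 2)           # x <- random()
        if witness(x, n):
            return False                    # "n is composite"
    return True                             # "n is prime"


if __name__ == "__main__":
    # 341 = 11 * 31 is the smallest composite base-2 pseudoprime
    print(fermat_pseudoprime(341, 2), miller_rabin_witness(2, 341))   # True True
    print(rand_prime_test(341, 20), rand_prime_test(97, 20))          # False True
```

A cryptographic library uses the same structure with a cryptographically secure random source for x and typically k ≥ 64; the `seed` parameter exists only so the demonstration is reproducible.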



