RSA

Tobias M. Bölz
Contents
1st Introduction 2 Public-key encryption 3rd Description of the procedure 4 Evid
ence 5th Security 2 2 3 4 5
5.1. Options for attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 5.2. Security problems. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . .
6th Implementation
5 5
5
6.1. Key generation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 6.2. Computation of M e n mod. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . .
A. Sample programs
6 7
8
A.1. inversmod.c. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . A.2. encrypt1.c. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . A.3. encrypt2.c. . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
B. Literature
8 8 9
10
This content is licensed under a Creative Commons Attribution-Non-Commercial-Sha
re Alike license. To view the license, please go to http://creativecommons.org/l
icenses/by-nc-sa/2.0/de/ or send a letter to Creative Commons, 559 Nathan Abbott
Way, Stanford, California 94305, USA.
1
2 PUBLIC-KEY ENCRYPTION
1st Initiation
The RSA algorithm was the first public-key encryption method that suited both fo
r encryption and to create digital signatures. It was invented 19 781 and, after
its inventors Ronald Rivest, Adi Shamir and Leonard Adleman named [1]. Since th
e concept of a public-key encryption method by Whitfield Diffie and Martin E. He
llman [2] gave the impetus to the discussions, this idea is explained in the nex
t section. Then you will find a description of the RSA algorithm and the outline
s of a possible proof procedure, security considerations and algorithms, with wh
ich one can implement it.
2nd Public-key encryption
The concept of public-key encryption (also called asymmetric encryption) in 1976
by Whitfield Diffie and Martin E. Hellman developed [2]: Each user publishes an
encryption method E and keeps the corresponding decryption method D secret. For
E and D must be in terms of: (a) The decryption of the encrypted form of the me
ssage M is M, ie D (E (M)) = M (2) E and D should be easily predictable. (3) D m
ay not be easily (and should ideally not at all) be predictable from E. (4) It s
hould be just as possible to encrypt a text with the Entdchlüsselungsalgorithmus
and then to decrypt the encryption algorithm: E (D (M)) = M. This is used when
creating digital signatures. A function E, which (1) - (3) are fulfilled, is a t
rap-door one-way function. Where it also (4) is satisfied, it is a trap-door one
-way permutation. They may consist of the Fuktionen for encryption and decryptio
n usually consist of a general function and a key. A message is encrypted using
the public key of the recipient. In order to decrypt the message using the recip
ient's private key (see Figure 1). If it is in the function used by a trap-door
one-way permutation, it is also possible to sign a digital message. In the messa
ge D and the private key is encrypted on the sender. Since (4) is now, anyone wh
o possesses the public key of the sender to convert the signed message by e agai
n in plain text (see Figure 2). Since only the sender possesses the private key
can only he who signed the message. If the message
A loud
Some sources say 1977, the publication took place in 1978 but definitely
2
3 DESCRIPTION OF PROCEDURE
Figure 1: encryption with a public key method
intended for a specific recipient, the encrypted signed message with the one who
se public key. Alternative to the signing of the total can be sent only with a s
igned checksum of the message.
Figure 2: Digital signature with a public key method
Diffie and Hellman introduced the concept only, but not before possible implemen
tation.
3rd Description of the procedure
To encrypt a message M, one needs a public key (e, n). To decrypt an encrypted m
essage C requires a private key (d, n). The message must be broken down into blo
cks and the blocks are represented respectively controlled through an integer be
tween 0 and n - 1. What procedure is used here is irrelevant to the encryption b
ecause it only serves to bring the message into numerical form.€A message is n w
ith the function C = M e mod with the public key (e, n) is encrypted. In order t
o decipher the function is M = Cd mod n with the private key (d, n) (M, C, e, d,
n ∈ N). For this method to work, e, d and n are calculated as follows: • n is t
he product of two very large prime numbers p and q: n = p qp and q must remain
secret because of them and the public key and private key Calculate liese.
3
4 PROOF • d is a large random integer, the (p - 1) (q - 1) is prime, then gcd
(d, (p - 1) (q - 1)) = 1 fulfills. • e is the inverse of d with respect mod (p
- 1) (q - 1), or in other words (e d) mod (p - 1) (q - 1) = 1
4th Evidence
The RSA method is

based fundamentally on the set of Euler, which states
that aφ
(n) ≡ 1 mod n i a and n are
relatively prime. It is φ (n) the Euler φ unction,
which returns the number

o all natural numbers that are smaller
than n and pri
me to n,
(For a proo , see eg [3]). For

primes is φ (p) = p - 1 I RSA is the pr
oduct o two primes n p and q. There ore, φ (n) = φ (p) · φ (q) = (p - 1) · (q -
1) The statements pointing to D (E (M))

= M and E (D (M)) = M
with E (M) = M e
mod n and D
(C) = Cd

mod n can be re erred to the power rule or residual arithm
etic trans orm as ollows: M = D (E (M)) = (E (M)) d mod n = M e · d mod n M = E
(D (M))

mod n = M mod n d e · From the

condition (s · d) mod (p -
1) · (q - 1)
= 1 ollows d e · = k · φ (n) + 1 k or a ∈ N. From the theorem o Euler, M Yiel
d p-1 ≡ 1 mod p and since (p - 1) φ (n) divides k · M is φ (n) +1 ≡ M mod p, sin


ce the same thing applies or q and e · d = k · φ (n) + a valid e · d M ≡ M mod
n and thus D (E (M)) = M and E (D (M)) = M.
4
6 IMPLEMENTATION
5th Security



It is believed that the security o RSA is based on the problem o actoring lar
ge numbers.

This is not proven, it could be that there are other ways to calcula
te M rom

C and e.
5.1. O attack






A Agri smöglichkeit
is n
actored. Then it appears rom the igures obtained

an
d de charge. One o the astest
methods to this
is the
elliptic curve

actorizat
ion. The resulting estimates or the duration
o the actorization

o n is shown
in Table 1 So it is virtually impossible to actorize n, i it is large enough.
Key size 399 bit 512 bit 1024 bit length

830 MIPS-years
4, 2 · 105 MIPS-years

2
, 8 · 1015 MIPS-years evaluation with ast computers easible being sa e over th
e long term





Table 1: Estimation o the duration o the actorization o n using the elliptic
KurvenFaktorisierung. (Source: [4])


It would also be possible to φ (n) be calculated without actoring n. From φ (n)
and e can also e are calculated.

Since n is composite, there is no easy way to
φ (n) be calculated without actoring n. Another way is to guess

d. However, sin
ce there are very many possible d this process is extremely ine icient.
5.2. Security Issues
It could be that a user is decoded by signing an encrypted message. This should
be done, however, happen to have the same private key as the one who encrypted t
he message * has rare or a key that is M = Cd mod n *. This is very unlikely but
not impossible.

Another

problem that occurs when the implementation is that

mos
t algorithms or inding prime numbers work probabilistically. When used or p o
r q is a composite number, the encryption and decryption will probably not work
correctly.
6th Implementation


This section presents

some algorithms that can be used or implementation be ore
. The source code or executable programs with the algorithms presented here, se
e the Appendix.
5
1.6
Key generation
6 IMPLEMENTATION
6.1. Key generation


The
public and private keys can be generated

as
ollows: 1 Since n is the produc
t o two primes p and q, a way must be ound to
ind a very
large random primes.

This should p and q be similar in size and hal the size o the proposed size o
n. There are several possibilities. One is, as long as random numbers generate
d in
the desired

size, until a prime number is. The numbers generally are review
ed or per ormance reasons, using probabilistic methods,
which can lead

to error
s. An alternative, which would however require a lot o memory, is, rom a list



o prime numbers randomly select one. 2nd For d is suitable,

or example, any pr
ime that is greater than p and q. 3rd€In order to n e rom d and φ () can be cal
culated

using


the extended Euclidean algorithm [1, 5]. This addition to the gcd
o the coe icients u and v calculated the equation gcd (a, b) = u + v × a · b,
u, v ∈ Z. Now we substitute a = φ (n) and b = e we obtain gcd ( φ (n), e) = u ·
φ (n) + v · e = 1 since e and φ (n) are relatively prime. mod
φ
(n) is given (u
· φ (n) + v °
E) mod φ (n) = v · e mod φ (n) = 1 v Thus it ul ills the required
conditions or d. The Euclidean algorithm leads gcd (a, b) gcd (b, a mod b retu
rns). The extended
Euclidean algorithm

yields also u × a +
b u v · · b + v · (a
mod b) back. The ollowing C unction calculates the gcd o a and b and u and v.
The results are in global variables g, u and
v are stored.
int g, u, v; erweuklid void (int a, int b) (i (b == 0) (g = a, u = 1, v = 0;) e
lse (erweuklid (b, a% b); int tmp = u, u = v, v = tmp - a / b * v;))
6
6.2


Computation o M e mod n
6 IMPLEMENTATION


6.2. Computation o M e mod n


For the calculation o M e mod n and Cd
mod n there

are many possibilities. The
least ideal would be to the standard eatures o the programming
language, like
C pow (M, s)% would n. Here the individual calculation

steps per ormed successiv
ely, which means

that

the intermediate result o M e, the extremely

large, would
be cached. I one ollows the equation to be solved trans orms M i n +1 can mod
= (M · (M i mod n)) mod n we recognize that it can be solved recursively [6]. T
his can be easily

implemented using a loop:
int C = 1, i or (i = 1; i <= d; i + +) (C = (C * M)% n;) In [1] proposes
the po
tentiation by repeated squaring and multiplication. This
method works as ollows
: 1 ek ek-1. .
. e1 e0 is the binary

representation o e 2 Initialization: C
= 1
3 Repeat the ollowing steps or i = k, k - 1,. . . , 0 a) C = C2 nb mod) i ei
= 1, then C = (C • M) mod n 4 Now C = M e mod n In C provides the example like
this: int c = 1 while (e! = 0) (C = (C * C)% n if (e & 1) (C = (C * M)% n;) e =
e>> 1;) There are of course many others and, above all, more efficient algorithm
s for this problem. A selection can be found, for example] in the [seventh
7
A SAMPLE PROGRAM
A. Sample programs
A.1. inversmod.c
# Include # include void <stdlib.h> erweuklid (int a, int b) int g, u, v; int ma
in (int argc, char ** argv) (erweuklid (atoi (argv [1 ]), atoi (argv [2])) print
f ("% i \ n", v) return 0;) void erweuklid (int a, int b) (if (b == 0) (g = a; u
= 1, v = 0;) else (erweuklid (b, a% b); int tmp = u, u = v, v = tmp - a / b * v
;))
A.2. encrypt1.c
# Include # include <stdlib.h> int encrypt (int M, int s, int n) int main (int a
rgc, char ** argv n) (printf ("% i \", encrypt ( atoi (argv [1]), atoi (argv [2]
), atoi return (argv [3 ]))); 0;)
8
A.3
encrypt2.c
A SAMPLE PROGRAM
encrypt (int int M, e, int int n) (int c = 1; int i; for (i = 1; i <= e, i + +)
(C = (C * M)% n;) return C;)
A.3. encrypt2.c
# Include # include <stdlib.h> int encrypt (int M, int s, int n) int main (int a
rgc, char ** argv n) (printf ("% i \", encrypt ( atoi (argv [1]), atoi (argv [2]
), atoi return (argv [3 ]))); 0;)
int encrypt (int M, e, int int n) (int c = 1 while (e! = 0) (C = (C * C n)% if (
e & 1) (C = (C * M) % n;) e = e>> 1;) return C;)
9
B. Literature
[1] Rivest, RL, Shamir, A. and Adleman, L. A Method for Obtaining Digital Signat
ures and Public-Key Cryptosystems. 1978 [2] Diffie, W. and Hellman, P. New Direc
tions in Cryptography. 1976 [3] Wikipedia. Euler's theorem. http://de.wikipedia.
org/wiki/Satz_von_Euler [4] Patzelt, D. presentation on RSA encryption. http://w
ww.inf.hs-zigr.de/ ~ wagenkn / TI / complexity / Speeches / RSA / [5] Extended E
uclidean algorithm. http://www.iti.fh-flensburg.de/lang/algorithmen/code/krypto/
euklid.htm [6] Werner, B. RSA encryption and other applications of elementary nu
mber theory to the calendar account. 2003 [7] Knuth, DE The Art of Computer Prog
ramming, Vol 2: Seminumerical Algorithms. Addison-Wesley, 1969
10