RSA Public-key Cryptosystem

Seminar Report

Arun Moorthy (CS 93115)

Department of Computer Science & Engineering
Indian Institute of Technology, Madras

1
Contents
1 Introduction 3
2 RSA:How it works 4
2.1 Public and Private Keys : : : : : : : : : : : : : : : : : : : : : 4
2.2 RSA Privacy : : : : : : : : : : : : : : : : : : : : : : : : : : : 5
2.3 RSA Authentication : : : : : : : : : : : : : : : : : : : : : : : : 5
2.4 Important Features of RSA : : : : : : : : : : : : : : : : : : : : 6
2.5 Example : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 6
3 Choice of Primes 8
4 Tests for Primality 10
4.1 A Probabilistic Algorithm : : : : : : : : : : : : : : : : : : : : 10
4.2 Solovay-Strassen Primality Test : : : : : : : : : : : : : : : : : 11
4.3 Strong Pseudoprimes : : : : : : : : : : : : : : : : : : : : : : : 13
4.4 Miller-Rabin Primality Test : : : : : : : : : : : : : : : : : : : 13
5 RSA in practice 15
6 Conclusion 16

2
1 Introduction
RSA is the most widely used and tested public-key cryptosystem. It stands
for Rivest, Shamir, and Adleman. RSA was invented in 1977 by Ron Rivest,
Adi Shamir, and Leonard Adleman.
It is based on a very simple number-theoretical idea, and yet it has been
able to resist all cryptanalytic attacks. The idea is a clever use of the fact
that, while it is easy to multiply two large primes, it is extremely dicult to
factorize their product. Thus, the product can be publicized and used as the
encryption key. The primes themselves cannot be recovered from the product
and are used for decryption.
Two points need to be borne in mind however, while dealing with the
RSA system: there is no formal proof whatsoever
 that factorization is intractable or is intractable in the special case
needed for RSA, and
 that factorization is needed for the cryptanalysis of the RSA.

3
2 RSA:How it works
The working of the RSA can be explained in 3 stages:

2.1 Public and Private Keys

 Take two large prime numbers p and q(of the order of a few hundred
bits).
 Compute their product n. Also compute the Euler function (n) =
(p 1)(q 1)
 Choose a large random number d (d > 1) such that
(d; (n)) = 1
(i.e, d and (n) are relatively prime).
 Compute the number e, 1 < e < (n) such that
ed  1(mod (n))
(i.e, ed 1 is divisible by (p 1)(q 1)).
An introduction to some terminology will be appropriate at this junc-
ture.
Terminology
n : Modulus or Key
d : Private or Decryption Exponent
e : Public or Encryption Exponent
(n; e) : Public Key
(n; d) : Private Key
p; q; (n); d : form the Secret Trapdoor
(p and q may be kept with the private key or destroyed).

4
2.2 RSA Privacy
Plain-text (w) is encoded as a decimal number. The number is divided into
blocks of suitable size. The blocks are encrypted separately. A suitable block
size is i where
10i < n < 10i .
1

Example: ROOF 18 15 15 06
 Alice wants to send a message w to Bob.
 Cipher-text c is created as
c = (weB ; mod nB ) (Modular Exponentiation)
 c is sent to Bob.
 Bob decrypts c again by modular exponentiation,
w = (cdB ; mod nB ).
Note w  cd (mod n) and if decryption is unique, w = (cd; mod n).

2.3 RSA Authentication

Alice wants to send w to Bob and Bob wants to be sure that it was Alice who
sent w.
 Alice creates a digital signature DA (w),
DA (w) = (wdA ; mod nA).
 Alice sends the pair (w; DA (w)) to Bob.
 Bob can verify the signature by applying Alice's public encryption ex-
ponent eA. Since only Alice has dA, no other person could have signed
w.

5
2.4 Important Features of RSA
While studying the working of the RSA system, we need to note the following:
 Encryption and authentication takes place without sharing of private
keys: each person uses only other people's public keys and his/her own
private key.
 Anyone can send an encrypted message or verify a signed message,
using only public keys, but only someone in possession of correct private
keys can decrypt or sign a message.
 Modular Exponentiation: The computation of (ar; mod n) is done
using a method that is faster than repeatedly multiplying a by itself.
We use squaring. After each squaring, reduction modulo n is done. So
we never encounter numbers greater than n . Thus (ar; mod n) can be
2

computed in O(log r) time.

2.5 Example
The working of the RSA system will become clearer with the help of an
example: p = 5, q = 11, n = 55, (n) = (p 1)(q 1) = 40
e = 7, d = 23.
To calculate (8 ; mod 55).
7

j (8 j ; mod 55)
2

0 8
1 9
2 26

6
7 = 1112

(8 ; mod 55) = ((26(9:8))mod 55) = 2

7

This contrived example proves that public-key cryptosystems never work

for small plain-text spaces. A cryptanalyst can construct a complete de-
cryption table by encrypting all possible plain-texts and rearranging them in
alphabetic order.

7
3 Choice of Primes
The primes p and q need to be random primes and not some primes contained
in some table of primes(to factorize, one can always check through the table).
p and q should also not be close to one another. If p and q are close to
one another,
 p q
2
will be small.
 p+q p
will be only slightly larger than n
2

 p q
( + )2
4
n= ( p q)2 .
4

p
So to factorize n, keep checking integers x > n such than x 2
n is a
perfect square, say y . 2

Then p = x + y and q = x y.

Example:
n = 97343
pn = 311:998
Now 312 n = 1 (which is a perfect square).
2

So p = x + y = 313 and q = x y = 311.

For this reason, it is advisable that p and q are such that their bit represent-
ations dier in length by a few bits.
The two primes, p and q, which compose the modulus, should be of
roughly equal length; this will make the modulus harder to factor than if
one of the primes was very small. Thus if one chooses to use a 768-bit mod-
ulus, the primes should each have length approximately 384 bits. If the two
primes are extremely close (identical except for, say, 100 - 200 bits), there is a
potential security risk, but the probability that two randomly chosen primes
are so close is negligible.
8
Note: Every RSA crtyposystem has some plain-text blocks which are en-
crypted into themselves (in fact, at least four such blocks). For instance,
1,21,34,54 are plain-texts which are encrypted into themselves for the rst
example.

9
4 Tests for Primality
An ecient algorithm for the problem PRIMALITY(n) is necessary for RSA
cryptosystem design. It is not known whether the problem is in P . However,
stochastic algorithms with a low probability of failure are quite acceptable.
Such a stochastic algorithm works in most cases as follows. Consider a
compositeness test C (m). If an integer m passes the test, it is denitely
composite. If m fails the test, m may be prime. The likelihood of m being
prime increases with the number of compositeness tests it fails.

4.1 A Probabilistic Algorithm

We give a probabilistic algorithm for primality. In order to do this, we rst
state two results without proof.
Result 1 Assume that m is an odd integer and (w; m) = 1. If m is prime,
wm  1(mod m) ! (1)
1

Result 2 Either all or at most half of the integers w with 1  w < m and
(w; m) = 1 are the witnesses for the primality of m.
(1) can hold even if m is not prime. In such a case, m is termed a
pseudoprime to the base w.

An integer w with (w; m) = 1 and satisfying (1) is called a witness for the
primality of m. There are also false witnesses, if m is a pseudoprime only.
A method of showing that with high probability that m is prime consists of
gathering many witnesses for the primality of m. With this background, let
us proceed on to the Probabilistic Algorithm.

10
Probabilistic Algorithm
1. Given m, choose a random w, 1  w < m.
2. The GCD (w; m) is found using Euclid's algorithm.
3. If (w; m) > 1, m is composite.
4. Otherwise, compute u = (wm ; mod m) by repeated squaring.
1

5. If u 6= 1, m is composite.
6. If u = 1, w is a witness for the primality of m. In other words, we have
some evidence that m could be prime. The more witnesses we nd, the
stronger the evidence will be. If we have k witnesses, by Result 2, the
probability of m being composite is at most 2 k .
If m is prime then all numbers are witnesses, and the evidence obtained
points towards the right conclusion. However, all numbers can be witnesses
without m being prime. Such numbers are referred to as Carmichael numbers.
Thus, by denition, an odd composite number m is a Carmichael number i
(1) holds for all w with (w; m) = 1.
The probability estimate 2 k for the algorithm described above is not
valid if the number m to be tested happens to be a Carmichael number. By
this algorithm, our only chance to nd that m is composite is to hit a number
w with (w; m) > 1 in our random choice of numbers w.

4.2 Solovay-Strassen Primality Test

We now describe a test, referred to as the Solovay-Strassen Primality
Test. It is very similar to the test described above, except that instead of
(1) another condition is used. No analogues of Carmichael numbers exist

11
in connection with the latter condition. Thus, by nding more witnesses we
always increase the probability that the tested number is a prime.
Result 3 If m is an odd prime then, for all w
w m  ( mw )(mod m) ! (2)
2
1

Odd composite numbers m satisfying (2) for some w with

(w; m) = 1 are called Euler Pseudoprimes to the base w.
Result 4 If m is an odd composite number, then at most half of the integers
w with 1  w < m and (w; m) = 1 satisfy (2).
Solovay-Strassen Primality Test
This test uses (2) in exactly the same way that the earlier algorithm uses (1).
To test the primality of m,
1. Choose a random number w < m.
2. If (w; m) > 1, m is composite.
3. Otherwise test the validity of (2).
4. If (2) is not valid, m is composite.
5. Otherwise, w is a witness for the primality of m. Choose another ran-
dom number < m and repeat the procedure.
After nding k witnesses, the probability of m being composite is at most
2 k (according to Lemmas 3 and 4). This result is stronger than our earlier
algorithm, because there are no analogues of Carmichael numbers for (2).

12
4.3 Strong Pseudoprimes
Assume that m is a pseudoprime to the base w. Extract successive square
roots of the congruence(1) and check if the rst number dierent from 1
equals -1. If this is the case, but m is composite, we refer to m as a strong
pseudoprime to the base w.

4.4 Miller-Rabin Primality Test

There is another modication of the primality test, where the estimate of can
be improved: at most 25% of the possible numbers are (false) witnesses for a
composite number m to be prime. This test is known as the Miller-Rabin
Primality Test. As before, we shall state some number-theoretical facts
without proofs. These facts will aid us in developing the primality test.
Result 5 Let 2s be the highest power of 2 dividing m 1, that is, m 1 = 2s r,
where r is odd. Choose a number w with 1  w < m and (w; m) = 1.
Then m is a strong pseudoprime to the base w i the following condition
is satised:
0
either wr  1(mod m) or w s r  1(mod m) ! (3)
2

for some s0 with 0  s0 < s.

Result 6 If m is an odd composite integer, then m is a strong pseudoprime
to the base w for at most 25% of all w's satisfying 1  w < m.
Miller-Rabin Primality Test
1. Compute m 1 = 2sr, where m is the given odd integer and r is odd.
2. The random number w is chosen as before and the validity of (3) is
tested.

13
 3. If the test fails, m is composite
4. Otherwise, we regard w as a witness for the primality of m and repeat
the procedure for another w.
If we get k witnesses for the primality of m, then the probability of m
being composite is at most 4 k .

14
5 RSA in practice
RSA is combined with a secret-key cryptosystem, such as DES, to encrypt a
message by means of an RSA digital envelope.
Suppose Alice wishes to send an encrypted message to Bob.
 The message is rst encrypted by DES, using a randomly chosen DES
key.
 Alice then uses Bob's public key to encrypt the DES key.
 The DES-encrypted message and the RSA-encrypted DES key together
form the RSA digital envelope and are sent to Bob.
 Upon receipt of the message, Bob decrypts the DES key with his private
key, then uses the DES key to decrypt to message itself.
Thus the high speed of DES is combined with the key-management con-
venience of RSA.

15
6 Conclusion
We have studied the RSA public-key cryptosystem. We have delved into the
basis for its working, its strength, and its ease of understanding and use. We
have dealt mainly from the point of view of legal users.

RSA is the most popular public-key cryptosystem available today. Its

popularity stems from the fact that it can be used for both encryption and au-
thentication, and that it has been around for many years and has successfully
withstood much scrutiny.The security of RSA is related to the assumption
that factoring is dicult. An easy factoring method or some other feasible
attack would break RSA.

RSA is built into current operating systems by Microsoft, Apple, Sun, and
Novell. In hardware, RSA can be found in secure telephones, on Ethernet
network cards, and on smart cards. In addition, RSA is incorporated into
all of the major protocols for secure Internet communications. The estimated
installed base of RSA encryption engines is around 20 million, making it by
far the most widely used public-key cryptosystem in the world.

Finally, DES is much faster than RSA. In software, DES is generally at

least 100 times as fast as RSA. In hardware, DES is between 1,000 and 10,000
times as fast, depending on the implementation. Implementations of RSA will
probably narrow the gap a bit in coming years, as there are growing commer-
cial markets, but DES will get faster as well.

16
References
[1] Saloma, Arto, \Public-Key Cryptography" Springer-Verlag, 1990.
[2] RSA Laboratories, \Frequently Asked Questions About Today's Crypto-
graphy(version 3.0)", (http://www.rsa.com/rsalabs/newfaq/).

17