6. Introduction
Algorithm
Usage
Correctness
Security
About
What is it?
an algorithm for public key cryptography
based on the difficulty of factoring large integers.
Where does the name come from?
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
7. Introduction
Algorithm
Usage
Correctness
Security
About
What is it?
an algorithm for public key cryptography
based on the difficulty of factoring large integers.
Where does the name come from?
Ron
Rivest
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
8. Introduction
Algorithm
Usage
Correctness
Security
About
What is it?
an algorithm for public key cryptography
based on the difficulty of factoring large integers.
Where does the name come from?
Ron
Rivest
Adi
Shamir
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
9. Introduction
Algorithm
Usage
Correctness
Security
About
What is it?
an algorithm for public key cryptography
based on the difficulty of factoring large integers.
Where does the name come from?
Ron
Rivest
Adi
Shamir
Leonard Adleman
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
23. Introduction
Algorithm
Usage
Correctness
Security
Algorithm
1
2
3
4
Adrian Spataru
RSA algorithm
Take p and q large prime numbers
Compute n = p × q
n is called the modulus and it is public
Its length denotes the key length
Compute ϕ(n) = (p − 1)(q − 1)
ϕ is Euler’s totient function.
Choose e, s.t. 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1
e is released as public exponent
Department of Computer Science, West University of Timi¸oara
s
24. Introduction
Algorithm
Usage
Correctness
Security
Algorithm
1
2
3
4
5
Adrian Spataru
RSA algorithm
Take p and q large prime numbers
Compute n = p × q
n is called the modulus and it is public
Its length denotes the key length
Compute ϕ(n) = (p − 1)(q − 1)
ϕ is Euler’s totient function.
Choose e, s.t. 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1
e is released as public exponent
Compute d as d −1 ≡ e(modϕ(n))
Department of Computer Science, West University of Timi¸oara
s
25. Introduction
Algorithm
Usage
Correctness
Security
Algorithm
1
2
3
4
5
Adrian Spataru
RSA algorithm
Take p and q large prime numbers
Compute n = p × q
n is called the modulus and it is public
Its length denotes the key length
Compute ϕ(n) = (p − 1)(q − 1)
ϕ is Euler’s totient function.
Choose e, s.t. 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1
e is released as public exponent
Compute d as d −1 ≡ e(modϕ(n)) or
Department of Computer Science, West University of Timi¸oara
s
26. Introduction
Algorithm
Usage
Correctness
Security
Algorithm
1
2
3
4
5
Adrian Spataru
RSA algorithm
Take p and q large prime numbers
Compute n = p × q
n is called the modulus and it is public
Its length denotes the key length
Compute ϕ(n) = (p − 1)(q − 1)
ϕ is Euler’s totient function.
Choose e, s.t. 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1
e is released as public exponent
Compute d as d −1 ≡ e(modϕ(n)) or
d × e ≡ 1(modϕ(n))
Department of Computer Science, West University of Timi¸oara
s
33. Introduction
Algorithm
Usage
Correctness
Security
Scenario
Traian wants to communicate with Angela via RSA encrypted
messages.
Both of them generate a RSA key-pair.
Traian gives to Angela his public key, and Angela gives to
Traian hers.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
35. Introduction
Algorithm
Usage
Correctness
Security
Encryption
Angela wants to send Traian the message M.
The message is turned into an integer m, 0 ≤ m < n.
based on a padding scheme
Angela computes c = me (modn) (e from Traian’s public key,
and sends this to Traian.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
40. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
41. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
dQ = d(modq − 1)
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
42. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
dQ = d(modq − 1)
qinv = q −1 (modp)
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
43. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
dQ = d(modq − 1)
qinv = q −1 (modp)
m1 = c dP (modp); m2 = c dQ (modq);
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
44. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
dQ = d(modq − 1)
qinv = q −1 (modp)
m1 = c dP (modp); m2 = c dQ (modq);
h = qinv (m1 − m2)(modp)
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
45. Introduction
Algorithm
Usage
Correctness
Security
Tricks
For encryption, exponentiation by squaring can save a lot
of time.
For decryption, the Chinese remainder algorithm can be
used.
This algorithm stores in the private key several
precomputed values (dP , dQ , qinv ).
dP = d(modp − 1)
dQ = d(modq − 1)
qinv = q −1 (modp)
m1 = c dP (modp); m2 = c dQ (modq);
h = qinv (m1 − m2)(modp)
m = m2 + hq
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
53. Introduction
Algorithm
Usage
Correctness
Security
Fermat’s little theorem generalization
Theorem
If p is prime and m and n are positive integers s.t.
m ≡ n(modϕ(p)), then ∀a, we have am ≡ an (modp).
m = b(p − 1) + n
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
54. Introduction
Algorithm
Usage
Correctness
Security
Fermat’s little theorem generalization
Theorem
If p is prime and m and n are positive integers s.t.
m ≡ n(modϕ(p)), then ∀a, we have am ≡ an (modp).
m = b(p − 1) + n
am = ab(p−1) × an ≡ 1b × an ≡ an (modp)
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
55. Introduction
Algorithm
Usage
Correctness
Security
Fermat’s little theorem generalization
Theorem
If p is prime and m and n are positive integers s.t.
m ≡ n(modϕ(p)), then ∀a, we have am ≡ an (modp).
m = b(p − 1) + n
am = ab(p−1) × an ≡ 1b × an ≡ an (modp)
q.e.d.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
60. Introduction
Algorithm
Usage
Correctness
Security
Security
Integer factorization and the RSA problem:
The task of taking eth roots modulo a composite n,
recovering m, s.t. c ≡ me (modn). For now, the most
promising approach is to factorize n
Faulty key generation:
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
61. Introduction
Algorithm
Usage
Correctness
Security
Security
Integer factorization and the RSA problem:
The task of taking eth roots modulo a composite n,
recovering m, s.t. c ≡ me (modn). For now, the most
promising approach is to factorize n
Faulty key generation:
p and q should not be to close.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
62. Introduction
Algorithm
Usage
Correctness
Security
Security
Integer factorization and the RSA problem:
The task of taking eth roots modulo a composite n,
recovering m, s.t. c ≡ me (modn). For now, the most
promising approach is to factorize n
Faulty key generation:
p and q should not be to close.
if p − q < 2n1/4 (3 × 1077 ) - for a 1024-bit key, Fermat
factorization will make it trivial.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
63. Introduction
Algorithm
Usage
Correctness
Security
Strong number generator
p and q should be generated using a properly seeded with
adequate entropy random generator. This can be done seeding
the RNG with:
key stroke timings
electronic diode noise
atmospheric noise from a radio receiver tuned between
stations.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
67. Introduction
Algorithm
Usage
Correctness
Security
Breaking the RSA
Several RSA moduli have been factored:
RSA-768 (232 decimal digits) - 2009, December.
RSA-704 (212 decimal digits) - 2012, July.
Prizes for breaking the keys:
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
68. Introduction
Algorithm
Usage
Correctness
Security
Breaking the RSA
Several RSA moduli have been factored:
RSA-768 (232 decimal digits) - 2009, December.
RSA-704 (212 decimal digits) - 2012, July.
Prizes for breaking the keys:
RSA-896 → $75, 000
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
69. Introduction
Algorithm
Usage
Correctness
Security
Breaking the RSA
Several RSA moduli have been factored:
RSA-768 (232 decimal digits) - 2009, December.
RSA-704 (212 decimal digits) - 2012, July.
Prizes for breaking the keys:
RSA-896 → $75, 000
RSA-1024 → $100, 000
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
70. Introduction
Algorithm
Usage
Correctness
Security
Breaking the RSA
Several RSA moduli have been factored:
RSA-768 (232 decimal digits) - 2009, December.
RSA-704 (212 decimal digits) - 2012, July.
Prizes for breaking the keys:
RSA-896 → $75, 000
RSA-1024 → $100, 000
RSA-1536 → $150, 000
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s
71. Introduction
Algorithm
Usage
Correctness
Security
Breaking the RSA
Several RSA moduli have been factored:
RSA-768 (232 decimal digits) - 2009, December.
RSA-704 (212 decimal digits) - 2012, July.
Prizes for breaking the keys:
RSA-896 → $75, 000
RSA-1024 → $100, 000
RSA-1536 → $150, 000
RSA-2048 → $200, 000. - not really possible in near
future.
Adrian Spataru
RSA algorithm
Department of Computer Science, West University of Timi¸oara
s