COMP424
Computer Security

______________________________________

Prof. Wiegley
jeffw@csun.edu

Rivest, Shamir & Adelman (RSA)
Implementation

“Relatively prime”_______________________________________

Prime: n, is “prime” if its only two factors are 1 and n. (and n ⁄= 1).
Relatively prime: Two numbers x and y are relatively prime if x and y do not share any factors (other than 1) in common.
- Example: 18 and 27 are not relatively prime because they share the factor 3.
  $18 = 2 ⋅3⋅3 27 = 3 ⋅3⋅3$
- Example: 42 and 55 are relatively prime because none of 42’s factors are a factor of 55. (Even though neither is prime.)
  $42 = 2 ⋅3⋅7 55 = 5 ⋅11$

“Modulo”_______________________________________________

Programmers identify “modulo” as the operator that yields the remainder of an integer division.
Mathematicians use “modulo” to deﬁne a mathematical space.
Notation is slightly different:
$x b = 1 mod n$ means that in the space “modulo n”, b^x is equal to 1. (As opposed to a programmer’s perspective which might read b^x is equal to 1%n.)
This requires some understanding of basic modulo algebraic rules.

“Modulo algebra (multiplication)”_______________________

ab mod n = (a mod n ⋅ b mod n) mod n
The value of ab mod n can be calculated by ﬁrst calculating a mod n and then b mod n, multiplying the results and taking the modulo of the result.
- Example: let n = 10.
  $16⋅19 mod 10 = (16 mod 10)⋅19 mod 10) mod 10 = (6⋅9) mod 10 = 54 mod 10 = 4$
  The outer modulo operator must remain because the product of the inner portions may exceed n.

“Modulo algebra (addition)”_____________________________

Similarly, a + b mod n = (a mod n + b mod n) mod n
- Example: let n = 10 again.
  $16+ 19 mod 10 = (16 mod 10)+ 19 mod 10) mod 10 = (6+ 9) mod 10 = 15 mod 10 = 5$
  Again, The outer modulo operator must remain because the sum of the inner portions may also exceed n.

“Modulo algebra (inverse)”______________________________

In standard algebra the inverse of n is . This allows that n = 1.
Similarly, in modulo space n, for some value, x, the value y is the inverse of x if xy = 1 mod n.
- Example: Let n = 10 and x = 3. y is the inverse of x when y = 7. Because 7 ⋅ 3 = 21 and 21 = 1 mod 10.

“RSA”__________________________________________________

In order to encrypt and decrypt a message, RSA relies on three values:

n e d

The public key (used to encrypt messages) is the tuple (e,n).
The private key (used to decrypt messages) is the tuple (d,n).

The remaining slides present how n,e and d are computed.

Step 1: obtaining n______________________________________

Pick a prime number, p.
Pick a different prime number, q

Any prime numbers will work though in practice, to be secure, p and q should not be twin primes or small.

n is simply the product of the two primes p and q.

n = pq

Example: p = 73, q = 61 yields n = 4453

Step 2: obtaining e______________________________________

Pick any value e such that e is relatively prime to (p - 1)(q - 1)

Note: Any prime number other p or q is automatically relatively prime.
However, when p, q are very large (1024 bits) then e should also be proportionately large and it becomes computationally difficult to test whether a chosen value is prime.
Choosing an even value of e is futile. p and q are prime and therefore must be odd. (p-1)(q -1) is therefore even and all even numbers share the factor 2. Thus e would not be relatively prime to (p - 1)(q - 1).

But there is a method for quickly testing if a chosen value is relatively prime to (p - 1)(q - 1).

Euclidean Algorithm (used to sift possible values of e).___

Choose a possible value for e.
- Example e = 35.
Test if e is relatively prime to (p - 1)(q - 1) using the Euclidean algorithm.
Start by setting up a series of equation of the form:
$Ei : αi - βi ⋅δi = γi$
where β_i = ⌊⌋. For each equation α_i = δ_i-1 and δ_i = γ_i-1.
This is esentially subtracting the largest possible multiple of δ from α. δ and the remainder, γ, must share a common factor in order for α and δ to share a common factor. Continue the equations until γ_i = 0.

Euclidean Algorithm example____________________________

Begin with α₀ = (p - 1)(q - 1) and δ₀ = e.

E0 : (p - 1)(q - 1) - α ⋅ e = β (73 - 1)(61 - 1) - α ⋅ 35 = β 72⋅60 - α ⋅ 35 = β 4320 - 123 ⋅ 35 = 15 E1 : 35 - 2 ⋅ 15 = 5 E2 : 15 - 3 ⋅ 5 = 0

Since the second last result is 5 then e and (p- 1)(q - 1) share the factor 5. So e is not relatively prime to (p - 1)(q - 1).

Increment e by 2 and repeat test.________________________

Since the ﬁrst choice for e was unacceptable, increment e by 2 and test again. Repeat this procedure until e is relatively prime to (p - 1)(q - 1).

Example e = 35 + 2 = 37.

Test if e is proven to be relatively prime to (p - 1)(q - 1). $E0 : (p - 1)(q- 1) - α ⋅ e = β (73 - 1)(61- 1) - α ⋅ 37 = β 72⋅60 - α ⋅ 37 = β 4320 - 116 ⋅ 37 = 28 E1 : 37 - 1 ⋅ 28 = 9 E2 : 28 - 3 ⋅ 9 = 1 E3 : 9 - 9 ⋅ 1 = 0$

Since the second last result is 1 then the smallest common factor of e and (p - 1)(q - 1) is 1 and therefore e is relatively prime to (p - 1)(q - 1).

Step 3: Calculating d____________________________________

d is the inverse of e mod (p-1)(q-1). basically, (d⋅e = 1 mod n).
By substituting values from the euclidean proof of e, d can be calculated:
$e⋅d = 1 mod (p - 1)(q- 1) = 28- 3⋅9 = 28- 3⋅(37- 1⋅28) = - 3⋅37+ 4⋅28 = - 3⋅37+ 4⋅(4320- 116⋅37) = 4 ⋅4320- 467⋅37 = 17280- 467⋅37 = 0 - 467⋅37 e⋅d = - 467 ⋅e d = - 467$

Negative d?_____________________________________________

A negative value for d is slightly disappointing.
The modulo (p - 1)(q - 1) space consists of the positive integers (0,...,(p-1)(q-1)-1)
if the modulo (p - 1)(q - 1) space is thought of as a “ring” then traveling x units in the negative direction yields the same point as traveling (p - 1)(q - 1) - x in the positive direction.
if d is negative, subtract it from (p - 1)(q - 1) to yield an equivalent positive value.
$d = (p- 1)(q - 1)- d d = 4320 - 467 d = 3853$
(e ⋅ d = 37 ⋅ 3853 = 142561 = 33 ⋅ 4320 + 1 = 1 mod 4320)

Final results_____________________________________________

Calculations for computing a public/private key are complete.
- Public key: (e,n) = (37,4453)
- Private key: (d,n) = (3853,4453)
RSA is secure so long as n cannot be factored easily.
- The attacker knows n because it is published as part of the public key.
- n only has two factors, p and q. (p and q are prime.)
- If an attacker could recover p and q then they have obtained (p - 1)(q - 1).
- Knowing e and (p - 1)(q - 1) allows an attacker to easily compute d using the Euclidean algorithm since e ⋅ d = 1 mod (p - 1)(q - 1).

Encryption______________________________________________

So now we have a public key of {e,n} and a private key of {d,n} we can decrypt a message P by:

e C = P mod n.

Similarly an encrypted message, C, can be decrypted to yield the original message, P, by:

P = Cd mod n.

This works because if P = C^d and C = P^e then

P = P ed = P e⋅d = P 1 = P.

ModPow________________________________________________

But P^e is going to be rediculously large. So large that modern calculators cannot carry out this computation.¹

A method is needed to constrain the calculation to small numbers and we will use modulo arithmetic to provide this ability.

First, start with P¹ mod n. We can see from the axioms that

2 1 1 P = (P mod n)(P mod n) mod n.

In general:

P a⋅b = (P a mod n)(P b mod n) mod n.

So let’s work with powers of 2 to aid the calculation of P^e.

Powers of 2______________________________________________

Let’s take an example using the key computed earlier:

P = 101,e = 75,n = 391.

First, notice that

Pe = 10175 = 10164 ⋅1018 ⋅1012 ⋅1011,

Where the power (75) has been broken down into powers of 2.

We could have broken it down in many ways but powers of two will decrease our work the most.

So ﬁrst calculate all the values of 101 raised to a power of 2.

Calculating exponents of powers of 2_____________________

The ﬁrst power of 2 is easy:

1 101 mod n = 101.

Now, for all other powers of two we can use the axiom as a trick:

101x mod n = (101 x2 mod n)(101x2 mod n) mod n.

Since we are only interest in powers of 2, x
2

will simply be the value computed in the previous iteration.

The computation________________________________________

Remembering that n = 391, we have:

1011 mod 391 = 101 1012 mod 391 = (101)(101) mod 391 = 35 1014 mod 391 = (35)(35) mod 391 = 52 1018 mod 391 = (52)(52) mod 391 = 358 10116 mod 391 = (358)(358) mod 391 = 307 10132 mod 391 = (307)(307) mod 391 = 18 10164 mod 391 = (18)(18) mod 391 = 324.

Now, these values can be used to quickly compute 101^y where y ≤ 127.

The computation________________________________________

75 64 8 2 1 101 = (101 ⋅101 ⋅101 ⋅101 ) mod 391 = (324⋅358⋅35 ⋅101) mod 391

So life is a bit simpler but we still have a long string of factors that could produce a number larger than our calculator/computer can deal with.

To reduce the number of factors we can make use

a⋅b a b P = (P mod n)(P mod n) mod n.

Combining factors_______________________________________

This will enable us to combine factors two (or more) at a time.

(324⋅358) mod 391 = (324 mod 391⋅358 mod 391) mod 391 = (324 ⋅358) mod 391 = 115992 mod 391 = 256.

Similarly:

(35⋅101) mod 391 = (35 mod 391⋅101 mod 391) mod 391 = (35 ⋅101) mod 391 = 3535 mod 391 = 16.

Combining factors_______________________________________

10175 = (10164 ⋅1018 ⋅1012 ⋅1011) mod 391 = (324⋅358⋅35 ⋅101) mod 391 = (256⋅16) mod 391 = 4096 mod 391 = 186

The cipher text message, after encryption, is therefore 186.

The proof that decryption yields the original message is left as an exercise for the reader.

Proving the correctness of RSA__________________________

Lagrange’s theorem states:

φ(n) b = 1 mod n.

Where φ(n) = the number of integers less than n that are relatively prime to n.

For RSA, let n = pq. (you can guess where RSA started their thinking now.)

Then, how many relatively prime integers are there in φ(pq)?

Combining factors_______________________________________

Take pq, We know that p and q are prime so we can determine φ(pq)

remove p,2p,3p,4p,…,qp, this removes q items.
remove q,2q,3q,4q,…,pq, this removes p items.
Now, you need back one of the pq that was removed twice.

So,

φ(pq) = pq- p- q- 1 = (p - 1)(q- 1).

Therefore,

φ(n) (p-1)(q-1) b = b = 1 mod n.

Keep that in mind, you’ll need it in a second.

RSA proof______________________________________________

e⋅d = 1 mod (p- 1)(q- 1)

We’re working in modulo so we could have gone “around” the ring some arbitrary number of times. Let l be the number of wraps. Then

e⋅d = 1 +l(p- 1)(q- 1) ed e⋅d Pe⋅d = P 1+l(p-1)(q-1) P = P = P 1⋅Pl(p-1)(q-1) = P 1⋅(P(p-1)(q-1))l = P 1⋅(1 mod n)l [By lagrange′s substitution!] = P 1⋅(1)l 1 = P 1⋅1 = P = P

Conclusion______________________________________________

By using Lagrange’s theorem we have proven that

(Pe)d = P,

and thus RSA works as advertised so long as our constraints about selecting p, q and e are met.