RSA Public Key Encryption 1

RSA Public Key Encryption 1 Ivor Page 2

One of the most important methods of providing secrecy and authentication is encryption. Secrecy means the secure transmission of data to a speciﬁed recipient (without others being able to read the data) while authentication means that the recipient can be certain of who sent the data. In practice, it is usually possible for unintended others to receive encrypted messages, but it should be extremely time consuming (thousands of years in some cases) for unintended recipients to decrypt them. There is no perfect cipher - one that can never be broken - but it is possible to make the task of decrypting messages too costly in time for all practical purposes.

1 A Method for Obtaining Digital Signatures and Public Key Cryptosystems R. L. Rivest, A. Shamir, and L. Adleman. Communications of the ACM, Vol. 21, No. 2, February 1978 2University of Texas at Dallas RSA Public Key Encryption 2

There have been many famous ciphers that have frustrated attempts to crack them, but the digital computer has brought extremely powerful methods to the aid of cryptanalysts. The computer’s ability to enu- merate many possible cracking strategies in a very short time makes the problem of selecting tough ciphers much more diﬃcult. We will study the Public Key Encryption System known as RSA after its in- ventors, Rivest, Shamir and Adleman. The most popular encryption system based on RSA and used by the public is Pretty Good Privacy (PGP). There is a free downloadable version of the software and there are companies that provide key pairs to users of these systems 3. A personal note of caution: You might choose to encrypt all your personal email and data but, if you are sued, the court may ask you to decrypt it. Failure to do so is regarded as withholding evidence. It is better not to create messages that might embarrass you later.

3http://members.aol.com/netnavig/pgp.htm RSA Public Key Encryption 3

DES DES was introduced for use in U.S. unclassiﬁed government applica- tions in 1977. Since then it has come under criticism for ease of cracking. It uses a single well publicized algorithm for encryption and decryption. Secrecy is guarded by a single 56 bit key, known only to the sender and recipient. The algorithm partitions each message into 64 bit blocks and makes use of transpositions of groups of bits within each block and an Excusive OR function between the transposed bit sequence and the key. Many argue that the key length is too short and some hackers have published strategies for cracking DES on WEB sites. For more information on DES, RSA, and many other encryption tech- niques and security matters, consult the text by Dorothy and Robling Denning4.

4Cryptography and Data Security by Dorothy and Robling Denning, Addison Wesley, 1982, Reprinted with corrections, 1983. RSA Public Key Encryption 4

RSA Each agent A that wishes to communicate has two keys, a public key Ap, known to everyone with whom A communicates, and a secret key As,knownonlytoA. A user of an RSA encryption system will generally not memorize these keys. They will be stored in the agents’ computers. This means that physical security, usually implemented via passwords, is at least as important as the encryption system. Someone could maliciously login to As computer and send messages in As name or receive messages that should only be readable by A.Great care must be given to the selection and regular updating of passwords. Many password cracking systems try dictionary words and common names. People often use their dogs’ names or something equally easy to guess, or they leave their passwords written on notes in their desks. Agents also must not leave their computers logged in while they are not present. It takes only a few seconds for an experienced spy to compromise security. RSA Public Key Encryption 5

Secret communication with RSA When A wishes to send a secret message M to B, A uses B’s public key to encrypt the message, C = EBp (M), where C is the ciphertext. Agent B uses B s secret key to decrypt the message, M = DBs (M). Only B can read the message, but anyone possessing A’s public key could have sent it. Agent A Agent B

Bp Bs

Message M E D M ciphertext C

Figure 1: Secret Communication with RSA

Here E and D are the encryption and decryption algorithms. For RSA, the encryption and decryption algorithms are identical and are known to everyone, E = D.Wecallsuchsystemssymmetrical. RSA Public Key Encryption 6

Authenticated Communication with RSA When A wants to send a message to B signed by a digital signature, A encrypts the message using A s secret key, C = EAs (M)andB uses

A’s public key to decrypt the message, M = EAp (C). Here, only A could have sent the message, but anyone possessing As public key can read the message.

Agent A Agent B

As Ap

Message M E D M ciphertext C

Figure 2: Authenticated Communication with RSA

The use of RSA for authentication of the sender is often referred to as applying a Digital Signature. A digitally signs the message by encrypting it with As secret key. RSA Public Key Encryption 7

Secret and Authenticated Communication with RSA To incorporate both secrecy and authentication, A encrypts the message twice, once using As secret key, and once using B’s public key,

C = EBp (EAs (M)). B does the symmetrically opposite operations on the ciphertext: M = EAp (EBs (C)).

Agent A

As Bp

Message M E E ciphertext C

Figure 3: Secret and Authenticated Communication with RSA RSA Public Key Encryption 8

RSA Encryption Algorithm A pair of integers (e, n) is used in the encryption process, and another pair (d, n) is used to decrypt the message. The value of n is publicly known. We represent message M as an integer between 0 and n − 1. If M is too large, it is broken up into blocks of the above size and each block is encrypted separately. If, for example, n has 128 bits, then any text message could be partitioned into blocks of 16 8 bit characters, and each block represented as an 128 bit binary number in base 2128. Then C = M e mod n To decrypt C, M = Cd mod n RSA Public Key Encryption 9

The numbers of bits in M and C are the same, |C| = |M|. Since e and d are large, more than 100 bits, the computations of M e and Cd might appear to be problematic. Since the blocks of the message M will have the same number of bits as n,raisingM to a large power would appear to require a huge integer with tens of thousands of bits. A result from number theory helps reduce the computational burden considerably:

(a b) mod n =[(amodn) (bmodn)] mod n

Where is one of {+, −, ∗}. Therefore all the calculations and intermediate results need only be computed mod n, i.e. no more bits than in n. RSA Public Key Encryption 10

The (public) encryption key is the pair (e, n) and the (private) decryption key is the pair (d, n). Each agent has its own pair of keys. The value of n is the product of two large randomly chosen primes of size at least 100 decimal digits, n = pq

Then d is chosen to be a large random integer that is coprime to (p − 1)(q − 1) and preferably larger than both p and q. Two integers a, b are coprime if their greatest common divisor is 1, GCD(a, b)=1. GCD(d, (p − 1)(q − 1)) = 1

Then e is computed from p, q,andd to be the multiplicative inverse of d, mod (p − 1)(q − 1): ed mod (p − 1)(q − 1) = 1 RSA Public Key Encryption 11

For the process to work, E(e,n) and E(d,n) must be inverse functions. Proof Euler’s generalization of a theorem by Fermat states that for any integer M coprime to n, M φ(n) mod n =1 where φ(n) is the Euler totient function giving the number of positive integers less than n which are coprime to n.Forprimep, φ(p)=p − 1; φ(n)=φ(pq)=φ(p)φ(q)=(p − 1)(q − 1). The theorem implies that if e and d can be chosen such that, ed mod φ(n)=1 then M e mod n and M d mod n must be inverse functions. If M ∈ [0,n−1] and edmodφ(n) such that GCD(M, n)=1,werequire that: (M e mod n)d mod n = M RSA Public Key Encryption 12

We start with:

(M e mod n)d mod n = M ed mod n

Now, ed mod φ(n) = 1 implies ed = kφ(n) + 1 for some integer k. Therefore

M ed mod n = M kφ(n)+1 mod n = MMkφ(n) mod n = M(M kφ(n) mod n) mod n = M(1) mod n = M since M kφ(n) mod n =1 We have shown that, if ed mod φ(n) = 1 the encryption and decryption algorithms are inverses, as required. Now we show how to choose e and d. Yet another result from number theory states that, if e is coprime to φ(n), then e exists such that ed mod φ(n)=1. RSA Public Key Encryption 13

Any value coprime to φ(n) will do for d.Thene is found by a modiﬁed Euclid’s algorithm. We would have to use much bigger integers than long ints in a practical version. See the use of the modInverse function from JAVA’s BigInteger package on page 22. long int modInverse(long int d,longintφ(n)) { long int g0 = φ(n),g1 = d, u0 =1,v0 =0,u1 =0,v1 =1,i=1; while(gi =0) { // gi = uiφ(n)+vid long int y = gi−1/gi; gi+1 = gi−1 − y ∗ gi; ui+1 = ui−1 − y ∗ ui; vi+1 = vi−1 − y ∗ vi; i ++; }

long int x = vi−1; if(x ≥ 0) return x; return x + φ(n); } RSA Public Key Encryption 14

Simple Example: Set p =17,q= 23, therefore n = pq = 391, and (p − 1)(q − 1) = 352. Pick d to be coprime to 352. Any prime will work, but it is preferable that d>pand d>q. We will choose d = 37. Then solve 37emod352 = 1 to obtain e = 333. (Other pairs are d =29,e= 85, and d =13,e= 27). The RSA paper suggests:

• p and q should diﬀer in length by a few digits, • Both p − 1andq − 1 should have large prime factors, and • GCD(p − 1,q− 1) should be small.

Our example only satisﬁes the ﬁrst of these. RSA Public Key Encryption 15

Larger Example: In a slightly larger example, p =47q = 59, n = 2773, and φ(n)=(p−1)(q−1) = 2668. If d = 157 then e = 17. We can encode two letters per block if we use the numeric conversion, blank = 00, A=01, B=02, ...,Z=26. Then the message ITS ALL GREEK TO ME becomes

0920 1900 0112 1200 0718 0505 1100 2015 0013 0500.

Now since the Binary representation of e is 10001, we can raise each block M to the power e by just 5 multiplications: M 17 = (((M 2)2)2)2M. e In general, computing M takes at most 2 log2(e) multiplications and 2 log2(e) divisions. For the ﬁrst block, 92017 mod 2773 = 948. The ciphertext is:

0948 2342 1084 1444 2663 2390 0778 0774 0219 1655 RSA Public Key Encryption 16

To break the code, since n is known, it is only necessary to factor n into p and q, but n is expected to be of the order of 200 decimal digits. The fastest known factoring algorithm at the time of publication of the RSA paper would require in excess of 1023 operations. With a computer operating at the rate of 109 operations per second, the factorization would take 1014 seconds, or 3 ∗ 106 years. Note that there are fast probabilistic algorithms to test if a given number is prime. See the algorithm by Solovay and Strassen on page 20.It is, however, much more diﬃcult to ﬁnd factors of a huge number, even when it is certain that the number has exactly two factors. RSA Public Key Encryption 17

Eﬃcient Encryption Algorithm e Computing M modn requires at most 2log2(e) multiplies and 2log2(e) divides using the following method:

Let ekek−1 ···e0 be the binary representation of e; C =1; for(i = k; i>=0;i −−) { C =(C ∗ C) mod n; if(ei == 1) C =(C ∗ M) mod n; }

Repeated squaring is used. Consider computing M 11mod n. The binary representation of 11 is 1011. C = 1 initially and after each of the 4 iterations its value is Mmodn, M 2 mod n, M 5 mod n,andM 11 mod n. RSA Public Key Encryption 18

Here is the algorithm in JAVA using the BigInteger package:

BigInteger encryptBlock(BigInteger m, BigInteger e) { BigInteger c = new BigInteger("1"); // c = 1 int k = e.bitLength(); // nmbr of bits in e for(int i=k;i>=0;i--) { c = c.multiply(c); // c *= c c = c.mod(n); // c %= n if(e.testBit(i)) { // bit 0 is lsb c = c.multiply(m); // c *= m c = c.mod(n); // c %= n } } return c; }

The BigInteger package provides integers of arbitrary length. They grow in size as determined by the calculations. RSA Public Key Encryption 19

Choosing the Primes Each user must choose two large primes, p,andq. Their product, n = pq will be public. If n is to be of the order of 200 decimal digits, then p and q must each have about 100 digits. The Prime Number Theorem states that about one number in every (ln 10s)/2 numbers will be prime for numbers of s decimal digits. For 100 digit numbers, approximately one number in every 115 will be prime. This result is rather surprising. There are a lot of prime numbers! The density of primes does reduce with the number of digits, but rather slowly. RSA Public Key Encryption 20

To test a number b for primality, Rivest et. al. recommend the following probabilistic algorithm due to Solovay and Strassen. Pick a random value a in the range {1 ···b − 1} Test if GCD(a, b) = 1 AND J(a, b)=a(b−1)/2 mod b The ﬁrst clause tests whether a is a factor of b.Ifitisnot,then GCD(a,b) will be 1. The second clause uses the Jacobi function shown on page 21. If b is prime, the test is always true. If b is not prime then the test will yield false with probability of 1/2. If the test holds true for 100 randomly chosen values of a,thenb is prime with probability 1 − 1/2100. The Jacobi function returns a value in {-1,1}. If it returns -1, then the test fails since a(b−1)/2 cannot be negative. If the Jacobi function returns 1, we compute a(b−1)/2 modb using the repeated squaring algorithm that is used for encryption on page 17. RSA Public Key Encryption 21

Computation of J(a, b) using long ints:

long int Jacobi(long int a, long int b) { if(a==1) return 1; if(a%2==0) { // if(a is even) if(((b*b-1)/8)%2==0) return Jacobi(a/2,b); return -Jacobi(a/2,b); } if(((a-1)*(b-1)/4)%2==0) return Jacobi(b%a,a); return -Jacobi(b%a,a); }

The Jacobi function returns a value in {-1,1}. We could not use long ints in a real implementation since b is likely to be of size 100 decimal digits. The Solovay and Strassen algorithm is, however, built into the JAVA BigInteger package. See page 22. RSA Public Key Encryption 22

Here we choose the keys in JAVA using the BigInteger package:

Random r = new Random(); BigInteger p,q,n,d,e,phi; p = new BigInteger(size,certainty,r); // uses Solovay and q = new BigInteger(size,certainty,r); // Strassen, see below n = new BigInteger(p.multiply(q)); int blocklength = n.bitLength(); boolean notdone = true; while(notdone) { d = new BigInteger(blocklength/2+2,certainty,r); if(d.compareTo(p)>0 && d.compareTo(q)>0) notdone = false; } } phi = new BigInteger (p.subtract(one).multiply(q.subtract(one))); e = new BigInteger(d.modInverse(phi)); RSA Public Key Encryption 23

• Random r = new Random(); is not part of the BigInteger package, but is essential to our needs. It creates a random number generator r.

• p = new BigInteger(size,certainty,r); creates a new BigInteger (p is a reference to it) with random value of up to size bits that is prime with probability at least 1 − 1/2certainty.

• int blocklength = n.bitLength(); gives the number of bits in n.

• d = new BigInteger(blocklength/2+2,certainty,r); computes a random integer of up to blocklength/2+2 bits in length. The while loop ensures that d is larger than p and q.

• phi = new BigInteger(p.subtract(one).multiply(q.subtract(one))); computes phi =(p − 1)(q − 1). RSA Public Key Encryption 24

• And in: e = new BigInteger(d.modInverse(phi)); the modInverse function calculates e such that e*d mod(phi)=1