1

Lecture 6: Overview of Public-Key Cryptography and RSA

Yuan Xue

In this lecture, we give an overview to the public-key cryptography, which is also referred to as asymmetric cryptography. We will rst introduce the background of public-key cryptography. Then we will study the model of public-key cryptosystem, and the requirement to design a practical public-key algorithm. Finally, we will study the design of RSA algorithm. I. BACKGROUND The concept of public-key (asymmetric) cryptography evolved from an attempt to address the following two difcult problems associated with the secret-key (symmetric) cryptosystem.

Key distribution. Symmetric encryption requires a shared secret key. As we have seen in the previous lecture, this leads to the problem of key distribution, which in turn requires secret sharing either between the communicating parties or between the communicating hosts and the KDC.

Non-repudiation. In symmetric encryption, the sending party may deny sending the message, because it is possible for the receiver to forge a message based on the same secret key. Accordingly, the receiving party may claim the receipt of a message from the sender which is actually forged by himself.

To address both problems, Dife and Hellman achieved an important breakthrough in 1976. The proposed scheme was radically different from all previous approaches to cryptography. First, it uses a pair of different keys in contrast to one shared key in symmetric encryption. Second, it is based on mathematical functions instead of substitution and permutation. The proposed scheme is called pubic-key (asymmetric) cryptography, which is one of the greatest revolutions in the history of cryptography. Its use of two keys has profound consequences in facilitating key distribution, and providing digital signature. However, the scheme proposed by Dife and Hellman is not a general-purpose encryption algorithm. It can only provide secure secret key exchange. Thus it presents a challenge for the cryptologists to design a general-purpose encryption algorithm that satises the public-key encryption requirements. One of the rst responses to the challenge was developed in 1977 by Rivest, Shamir, Adleman at MIT, so called RSA. Since then, the RSA scheme has become the most widely accepted and implemented general-purpose approach to public-key encryption.

II. P UBLIC -K EY C RYPTOSYSTEM M ODEL In this section, we look at the overall framework for public-key cryptography. Public-key cryptosystem uses a pair of different but related keys one for encryption, the other for decryption; one is placed in a pubic register (public key), the other is kept secret (private key). It is required that given only knowledge of the cryptographic algorithm and the public key, it is computationally infeasible to determine the private key. In some algorithms, such as RSA, either public key or private key can be used for encryption, with the other one used for decryption. Fig. 1 illustrates that different security services can be provided with different usages of the keys. In Fig. 1(a), sender A encrypts plaintext P using Bs public key KUB 1 . The ciphertext C = E(KUB , P ) is transmitted to B. B, in possession of the matching private key KRB , is able to decrypt the ciphertext C and retrieve the plaintext P = D(KRB , P ). No one else can decrypt the message without Bs private key KRB . Thus the condentiality of incoming communication to B is assured as long as Bs private key is kept secret. In Fig. 1(b), A encrypts P with its private key KRA . The ciphertext C = E(KRA , P ) received by B can be decrypted using As public key KUA : P = D(KUA , C). Without As private key, it is impossible to change the message. Therefore, the public-key encryption provides authentication in terms of both source and data integrity. At the same time, the entire message serves as a digital signature. This is because the message was encrypted using As private key, and only A could have prepared the message. It is important to emphasize that this encryption process does not provide condentiality. This is, the message is safe from alteration but not from eavesdropping. This is because any observer can decrypt the message by using As public key. To provide both authentication and condentiality for data delivery, a double use of the public-key encryption can be applied as shown in Fig. 1(c). In this scenario, the message is rst encrypted by As private key, which provides authentication. Then Bs public key is applied again to provide condentiality. At the receiver side, Bs private key will rst be used for decryption, followed by the decryption using As public key. The essential steps to use public-key encryption are summarized as follows. 1) Generate a pair of keys. For example, A generates the public key KUA , and the private key KRA . 2) Publish the public key e.g., KUA , while keeping the private key secret. Users have the access to a collection of public keys from their communication parties.
1

As a convention, KU is used for public key; KR is used for private key.

3) Use one of the above models to encrypt the message to achieve different security goals and deliver the message. The received message is decrypted using the corresponding schemes in the models. Based on the public-key encryption framework, the following requirements need to be satised to design a public-key encryption algorithm. 1) It is computationally infeasible for an opponent, knowing the public key KU , and the encryption and decryption algorithms E, D, to determine the companion private key KR . 2) It is computationally infeasible for an opponent, knowing the public key KU and the ciphertext C which is encrypted via this key C = E(KU , P ), to determine the plaintext P . For practical use, the following features are also preferred in a public-key encryption algorithm. 1) It is computationally easy to generate a pair of keys (public key and private key). 2) It is computationally easy to encrypt a message using either public or private key, and decrypt it via the companion key. III. RSA As we have mentioned earlier, Dife and Hellman introduced a new approach to cryptography, and challenged cryptologist to design a general-purpose encryption algorithm that satises the public-key encryption requirements. One of the rst responses to the challenge was developed in 1977 by Ron Rivest, Adi Shamir, Len Adleman at MIT. Since then, the Rivest-Shamir-Adleman (RSA) scheme has become the most widely accepted and implemented general-purpose approach to public-key encryption2. Now we will study RSA algorithm. In particular, we shall examine the following topics: 1) Mathematical preliminaries of RSA; 2) RSA algorithm description; 3) Why RSA would work; 4) Why RSA is secure; Students are encouraged to read the textbook [WS] Section 9.2 to understand the computational aspect and the security of RSA. Additional reading materials on threats to RSA, and practical considerations are provided at the discussion board in the blackboard system. A. Mathematical Preliminaries In this section, we will introduce the mathematical background that helps to understand RSA.
2 Recently, a competing system has begun to challenge RSA: elliptic curve cryptography (ECC), which offers equal security for a far smaller key size, thereby reducing processing overhead.

1) Modular Addition: Lets start with one of the simplest ciphers: general Caesar cipher. Its encryption and decryption operation can be represented using the following mathematical functions.

C = (P + K) mod 26 P = (C K) mod 26 P\K 0 1 2 3 4 5 6 7 8 9 0 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 0 2 2 3 4 5 6 7 8 9 0 1 3 3 4 5 6 7 8 9 0 1 2 4 4 5 6 7 8 9 0 1 2 3 5 5 6 7 8 9 0 1 2 3 4 6 6 7 8 9 0 1 2 3 4 5 7 7 8 9 0 1 2 3 4 5 6 8 8 9 0 1 2 3 4 5 6 7 9 9 0 1 2 3 4 5 6 7 8

(1) (2)

TABLE I A DDITION M ODULO 10

For simplicity, we replace 26 with 10, and show the general Caesar cipher, which is also the modular addition operation, in Table I. Note that the decryption operation, which subtracts the secret key K from ciphertext C modulo 10, can also be done by adding K , which is the additive inverse of K modulo 10. An additive modular inverse of K is the number which is added to K to get 0 after modular operation. For example, 4s inverse (modulo 10) is 6, because (4 + 6) mod 10 = 0. If the secret key were 4, then to encrypt in general Caesar cipher, 4 is added to the plaintext; and to decrypt, 6 is added to the ciphertext. Formally, we have

C = (P + K) mod 26 P = (C + K ) mod 26 where K + K mod 10 = 0.

(3) (4)

(5)

P\K 0 1 2 3 4 5 6 7 8 9

0 0 0 0 0 0 0 0 0 0 0

1 0 1 2 3 4 5 6 7 8 9

2 0 2 4 6 8 0 2 4 6 8

3 0 3 6 9 2 5 8 1 4 7

4 0 4 8 2 6 0 4 8 2 6

5 0 5 0 5 0 5 0 5 0 5

6 0 6 2 8 4 0 6 2 8 4

7 0 7 4 1 8 5 2 9 6 3

8 0 8 6 4 2 0 8 6 4 2

9 0 9 8 7 6 5 4 3 2 1

TABLE II M ULTIPLICATION M ODULO 10

2) Modular Multiplication: Now lets look at the mod 10 multiplication operation as shown in Table II. We note that only when K = 1, 3, 7, 9, the modular multiplication operation works as a cipher, because it only performs a one-to-one mapping between the plaintext and the ciphertext in these cases. What is special about the numbers {1, 3, 7, 9}? The answer is that those numbers are all relatively prime to 10. Generally, a number K is relatively prime to n means

gcd(K, n) = 1; 1 K < n where gcd denotes the greatest common divisor.

(6)

For decryption, we can look for multiplicative inverse, and undo the multiplication by multiplying the ciphertext by the multiplicative inverse of the key. Multiplicative inverse of K, denoted by K 1 , is the number by which youd multiply K to get 1 in mod n. Formally, the cryptosystem can be represented as follows.

C = (P K) mod n P = (C K 1 ) mod n where K K 1 mod n = 1

(7) (8)

(9)

Note that only those numbers that are relatively prime to n have multiplicative inverses in mod n. It is non-trivial to to nd a multiplicative inverse in mod n arithmetic, especially when n is very large. But

there is an algorithm, known as Euclids algorithm, which can efciently nd the inverse3 . At this point, we observe that the modular multiplication can also be used as a cipher, if the value of K is chosen appropriately. Moreover, K and K 1 can be used as a pair of keys for encryption and decryption, which is required by public-key encryption model. The problem is, however, there exists an algorithm (Euclids algorithm) to calculate K 1 based on K, while in public-key encryption model, the private key can not be derived from knowledge of the public key. So lets further explore other mathematical functions. Before that, wed examine the question how many numbers less than n are relatively prime to n? This number is denoted as (n), and called totient function. As we will see later, this number is quite important in the design of RSA. It is obvious that,

when n is a prime, (n) = n 1; when n is the product of two district primes p, q, (i.e., n = p q, p = q are primes), (n) = (p 1)(q 1).

3) Modular Exponentiation: Now lets proceed to consider encryption and decryption using modular exponentiation operation.

C = (P K ) mod n P = (C K ) mod n where K is the exponentiative inverse of K.

(10) (11)

Just like multiplicative inverse, we may ask what kind of values of K has the exponentiative inverse? and how its inverse can be calculated? The answers to these questions lead to the design of RSA. In what follows, we give a description of RSA algorithm rst, then discuss how it is related with modular exponentiation. B. RSA Description The RSA scheme is a block cipher. Each plaintext block is an integer between 0 and n 1 for some n, which leads to a block size log2 (n). The typical block size for RSA is 1024 bits. The details of the RSA algorithm are described as follows.

Key generation 1) Pick two large prime numbers p and q, p = q;

For details, please refer to http://en.wikipedia.org/wiki/Euclidean algorithm, or step II in the hint.pdf le for homework 1.

2) Calculate n = p q; 3) Calculate (n) = (p 1)(q 1); 4) Pick e, so that gcd(e, (n)) = 1, 1 < e < (n); 5) Calculate d, so that d e mod (n) = 1, i.e., d is the multiplicative inverse of e in mod (n); 6) Get public key as KU = {e, n}; 7) Get private key as KR = {d, n}.

Encryption For plaintext block P < n, its ciphertext C = P e mod n.

Decryption For ciphertext block C, its plaintext is P = C d mod n.

C. Why RSA works As we have seen from the RSA design, RSA algorithm uses modular exponentiation operation. For n = p q, e which is relatively prime to (n), has exponential inverse in mod n. Its exponential inverse d can be calculated as the multiplicative inverse of e in mod (n). The reason is illustrated as follows. Based on Eulers theorem, for y which satises y mod (n) = 1, the following equation holds.

xy mod n = x mod n

(12)

As d e mod (n) = 1, we have that P ed P mod n. So the correctness of RSA cryptosystem is shown as follows.

Encryption: C = P e mod n; Decryption: P = C d mod n = (P e )d mod n = P ed mod n = P mod n = P .

D. Why RSA is secure The premise behind RSAs security is the assumption that factoring a big number (n into p, and q) is hard. And thus it is difcult to determine (n). Without the knowledge of (n), it would be hard to derive d based on the knowledge of e. However factoring n is not the only way to break RSA. Students are encouraged to read the suggested material to nd out more threats to RSA.

Encryption C = E(KUB,P) plaintext P ciphertext C

Decryption P = D(KRB,C) plaintext P

Public key KUB

Private key KRB (a) Confidentiality

key pair source

Encryption C = E(KRA,P) plaintext P ciphertext C

Decryption P = D(KUA,C) plaintext P

key pair source

Private key KRA

Public key KUA (b) Authentication

Encryption C' = E(KRA,P) plaintext P

Encryption C = E(KUB,C') ciphertext C

Decryption C' = D(KRB,C)

Decryption P = D(KUA,C') plaintext P

Private key KRB Private key KRA Public key KUB key pair source Public key KUA key pair source (c) Confidentiality and Authentication
Fig. 1. Asymmetric Cryptosystem Models.