
RSA Cryptanalysis

3rd Class
22 4 2018

Public Key Model

Public Key Encryption

Public Key Signature

Public-Key Cryptanalysis
Brute-force attack (Try all possible keys)
Derive private key from public key
– Try to find the relationship between the public key
and the private key and compute the private key
from the public one.
Probable-message attack
– The public key is known.
– Encrypt all possible messages
– Try to find a match between the ciphertext and one
of the encrypted messages.
– Example: A professor sends encrypted letter grades to his
students, using their public keys.

RSA (Rivest, Shamir, Adleman)
See: R. Rivest, A. Shamir, and L. Adleman, "A
Method for Obtaining Digital Signatures and
Public-Key Cryptosystems", CACM 21, pp.
120--126, Feb. 1978
The first public key encryption and signature system
Supports both public key encryption and digital
signature.
• Theoretical basis:
Factorization of large numbers is hard.
Variable key length (usually 1024 bits).
Variable plaintext block size.
Plaintext must be “smaller” than the key.
Ciphertext block size is the same length as the key.
The RSA Algorithm
To generate a key pair:
– Pick large primes p and q (do not
disclose them)
– Let n = p*q
– For the public key, choose e that is
relatively prime to ø(n)=(p-1)(q-1).
public key = <e,n>
– For the private key, find d that is the
multiplicative inverse of e mod ø(n), i.e.,
e*d
Using RSA

Given pubKey = <e, n> and privKey = <d, n>
If Message = m
Then:
encryption: c = (m^e) mod n, m < n
decryption: m = (c^d) mod n
signature: s = (m^d) mod n, m < n
verification: m = (s^e) mod n
Example of RSA (1)
Choose p = 7 and q = 17.
Compute n = p*q= 119.
Compute ø(n)=(p-1)(q-1)=96.
Select e = 5 (relatively prime to ø(n)).
Compute d = 77 such that e*d = 1 mod ø(n).
• Public key: <5,119>
• Private key: <77,119>
• Message = 19
• Encryption: (19^5) mod 119 = 66
• Decryption: (66^77) mod 119 = 19
Example of RSA (2)
p = 7, q = 11, n = 77
Alice chooses e = 17, making d = 53
Bob wants to send Alice secret message
HELLO (07 04 11 11 14)
– 07^17 mod 77 = 28; 04^17 mod 77 = 16
– 11^17 mod 77 = 44; 11^17 mod 77 = 44
– 14^17 mod 77 = 42
• Bob sends 28 16 44 44 42
Example of RSA (3)
Alice receives 28 16 44 44 42
Alice uses private key, d = 53, to decrypt
message:
– 28^53 mod 77 = 07; 16^53 mod 77 = 04
– 44^53 mod 77 = 11; 44^53 mod 77 = 11
– 42^53 mod 77 = 14
• Alice translates 07 04 11 11 14 to HELLO
No one else could read it, as only Alice knows her
private key (needed for decryption)
Digital Signatures in RSA
RSA has an important property: Encryption and
decryption are symmetric
Encryption followed by decryption yields the
original
– (M^e mod n)^d mod n = M
Decryption followed by encryption yields the
original
– (M^d mod n)^e mod n = M
– Because e and d are symmetric in
e*d = 1 mod (p-1)*(q-1)
Signature example in RSA
p = 7, q = 11, n = 77
Alice chooses e = 17, making d = 53
Alice wants to send message HELLO (07 04 11
11 14) so that Bob knows it is from Alice, and
has not been modified in transit
– 07^53 mod 77 = 35, 04^53 mod 77 = 09
– 11^53 mod 77 = 44, 11^53 mod 77 = 44
– 14^53 mod 77 = 49
• Alice sends 35 09 44 44 49
Verify sender
Bob receives 35 09 44 44 49
He uses Alice’s public key, e = 17, n = 77, to
decrypt it:
– 35^17 mod 77 = 07, 09^17 mod 77 = 04
– 44^17 mod 77 = 11, 44^17 mod 77 = 11
– 49^17 mod 77 = 14
• Bob has 07 04 11 11 14 → HELLO
Only Alice has her private key, so no one else could
have created a correct signature
The (deciphered) signature matches the transmitted
plaintext, so the plaintext was not altered
The Security of RSA
• Attacks against RSA
– Brute force: Try all possible private keys
• Can be defeated by using a large key space
– Mathematical attacks
• Factor n into n=p*q.
• Determine.
Determine ø (n) directly: equivalent to factoring n.
Determine (d) directly: at least as difficult as
factoring n.
The Security of RSA (Cont’d)
Factoring a large integer is very hard!
If you can factor the number (n) then, given
public key <e, n>, you can find (d), and hence
the private key by:
– Knowing factors p, q, such that, n = p*q
– Then ø(n) =(p-1)(q-1)
– Then (d) such that e*d = 1 mod ø(n)
• Ways to make (n) difficult to factor
– p and q should differ in length by only a few digits
– Both (p-1) and (q-1) should contain a large prime
factor
– gcd(p-1, q-1) should be small.
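
Added example (not from the original slides): using the toy key <17, 77> and ciphertext from Example of RSA (2), this Python code follows the factoring route listed above (factor n, compute ø(n), invert e) and the probable-message attack from the Public-Key Cryptanalysis slide, showing why n must be too large to factor and why a small message space is unsafe when encryption is deterministic. Function names are illustrative assumptions; letters are coded A=00 … Z=25 as in the slides.

```python
from math import isqrt

def factor_semiprime(n):
    """Trial division; feasible only because the slide's modulus is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")

def recover_private_exponent(e, n):
    """Factor n, compute phi(n) = (p-1)(q-1), then d = e^-1 mod phi(n)."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def decrypt_blocks(blocks, d, n):
    """Textbook RSA decryption of each block: m = c^d mod n."""
    return [pow(c, d, n) for c in blocks]

def probable_message_match(blocks, e, n, candidates):
    """Encrypt every candidate with the public key and match ciphertext blocks.

    Works without the private key because m -> m^e mod n is deterministic,
    so equal plaintexts always produce equal ciphertexts.
    Blocks with no matching candidate map to None.
    """
    table = {pow(m, e, n): m for m in candidates}
    return [table.get(c) for c in blocks]

def to_letters(nums):
    """Slide encoding: 00 = A, 01 = B, ..., 25 = Z."""
    return "".join(chr(ord("A") + m) for m in nums)

# Public key and ciphertext taken from the slides' HELLO example.
E, N = 17, 77
CIPHERTEXT = [28, 16, 44, 44, 42]

if __name__ == "__main__":
    d = recover_private_exponent(E, N)
    print("recovered d =", d)
    print("via factoring:", to_letters(decrypt_blocks(CIPHERTEXT, d, N)))
    guess = probable_message_match(CIPHERTEXT, E, N, range(26))
    print("via probable-message table:", to_letters(guess))
```
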
RSA versus DES
• Fastest implementations of RSA can encrypt
kilobits/second
• Fastest implementations of DES can encrypt
megabits/second
• RSA could be used for secure exchange of DES
keys
• This 1000-fold difference in speed is likely to
remain
independent of technology advances