5 RSA Public Key Cryptography

Basic Cryptography 

Chap.5-1 

5 RSA Public Key Cryptography 

Michael Mendler 

Information Security


Chap.5-2 

Symmetric vs Asymmetric Cryptosystems 

Definition 5.1 A cryptosystem is called 

• symmetric-key if for each encryption key e ∈ K it is “computationally 

easy” to determine a corresponding decryption key d ∈ K 

to give a key-pair (e, d), and vice versa to determine e from d. In 

practice, mostly, e = d. 

• asymmetric-key if for all encryption keys e ∈ K it is “computationally 

infeasible” to compute a corresponding decryption key 

d ∈ K for a key-pair (e, d). 

In an asymmetric cryptosystem, also called public-key crypto 

system, e is the public key and d private key. Sometimes one uses 

two different keyspaces K, K ′ for encryption and decryption. 




Chap.5-3 

Symmetric Key Encryption 

Examples 

• DES (Data Encryption Standard), AES (Advanced Encryption 

Standard, “Rijndael”), IDEA 

Remarks 

• Very efficient hardware implementation, good for large volume 

traffic. 

• All participants must share the same secret key, which makes key 

distribution difficult, in particular if key life time is to be limited 

for security reasons. 

• Ameliorated by (a hierarchy) Trusted Third Parties that act 

as key servers to distribute symmetric session keys. 

Exercise: Find out about DES and AES in the literature! 




Chap.5-4 

Asymmetric Key Cryptosystems 

Inventors: 

• W. Diffie, M.E. Hellman (1976) developed the original idea 

• R. Rivest, A. Shamir, L. Adleman (1978) found the first concrete 

realisation. This first and most widely used public key system, 

RSA, is named after them. 

RSA is used in many applications: 

Public Key Cryptography Standards (PKCS), Pretty Good Privacy 

(PGP), Privacy Enhanced Mail (PEM), Society for Worldwide 

Interbank Financial Telecommunications (SWIFT), Secure Socket 

Layer (SSL), ... 




Chap.5-5 

The New Picture 

Eve 

Eve 

m 

E 

c 

D 

m 

m 

E 

c 

D 

m 

e 

d 

secret region 

d 

key generator 

secret region 

e 

key generator 

secret region 

Symmetric Cryptosystem 

Public Data 

Private Data 

Asymmetric Cryptosystem 

Symmetric Crypto E, D, c e, m, d 

Asymmetric Crypto E, D, c, e m, d 

What does this difference buy us? ... 




Chap.5-6 

The Big Innovation Leap I 

Breakthrough features of public-key cryptography: 

• No need for shared keys! 

• Instant secret communication for principals that have never 

met! 

• Simple key distribution: For n principals to communicate with 

each other, we only need to distribute n public keys as opposed 

to 1 2n(n − 1) shared keys in the symmetric case! 

• Digital Signatures: For given c only Bob can produce m such 

that E e (m) = c, since only he knows the inverse D d . So, m can 

act as Bob’s signature for message c. 




Chap.5-7 

Where is the catch? 

The Big Innovation Leap II 

• The sender or verifier, Alice, must be sure she holds an authentic 

public key of Bob 

• The receiver or signatory, Bob, must be sure he receives an 

authentic message from Alice 

Beware the Man-in-the-Middle! 




Chap.5-8 

Secrecy of Asymmetric Cryptosystems 

• Secrecy = No information about private data leaks from public 

data 

• Adversary = “Inverting” function from public to private data 

EASY 

secrecy plateau 

m 

D 

m 

secrecy plateau 

d 

key generator 

E 

c 

e 

HARD 

public domain 

Eve 

⇒ the public encryption function E e : M → C, which is known to 

Eve, must not be easily invertible. 




Chap.5-9 

But wait, ... 

... usually encryption E e : M → C is injective: 

• For each ciphertext c the original message m with c = E e (m) is 

uniquely determined. 

• Information-theoretically, the adversary Eve has full information 

about m as soon as she sees c (⇒ perfect secrecy impossible!). 

• Does this not mean Eve can compute m? 




Chap.5-10 

Platonic vs Computational Existence 

• The fact that a function f : M → C is efficiently computable, 

does not mean that its inverse f −1 : C → M is! 

⇒ Such functions are called one-way functions. 

Analogy 

It is easy to show that there must be two people living in New 

York that have exactly the same number of hair on their head 

(mathematical existence). Yet, this does not mean we can efficiently 

find them (computational existence)! 

• Even if there exists an efficient algorithm for f −1 (mathematical 

existence) there is no reason why it should be possible to build 

this algorithm efficiently (computational existence)! 

⇒ Such functions are called trap-door one-way functions. 




Chap.5-11 

Recall: In symmetric crypto (in particular perfect) secrecy is achieved 

by the fact that for given c, in general, there are many possible pairs 

(k, m) with c = E(k, m). 

But consider what happens if keys are reused and either ... 

• Eve has full access to the encryption device, say the machine code, 

implementing some unknown encryption function Code : M → C 

for fixed but unknown key, or 

• Messages are not independent, so that after some number n of 

encryptions E n : K × M n → C n the cryptograms (c 1 , c 2 , . . .,c n ) 

uniquely determine both the key and the messages? 

Here, too, secrecy must be based on the mere computational 

difficulty of inverting a function such as Code or E n . 




Chap.5-12 

Computational Secrecy 

Definition 5.2 (Informal) A cryptosystem with public information 

Pub and secret information Sec is computationally secret if 

no probabilistic polynomial time (PPT) adversary can gain any 

information about Sec from Pub with more than only negligible 

probability. 

Alternative Choices of Adversary 

• Nondeterministic poly-time (NP): Simple guess-and-check 

can invert any polynomial encryption Sec → Pub ⇒ too strong! 

• Deterministic poly-time (P): Admits only brute force exhaustive 

searching, no guessing at all. ⇒ too weak! 

Note: PPT lies between P and NP. Hence, computational secrecy 

depends on P ≠ NP! Yet, PPT refers to probabilistic average case 

not just the worst case as in ordinary complexity theory (O-notation). 




Chap.5-13 

Basic Notions of Secrecy 

increasing "guessing" power of adversary 

Non−determinism 

all−mighty, breaks−it−all adversary 

complexity class NP 

Probabilistic 

Computational Secrecy 

Perfect Secrecy 

Deterministic 

weak adversaries 

complexity class P 

polytime 

arbitrary 

increasing computational power of adversary 




Chap.5-14 

How Do We Get Trap-door One-way Functions? 

Modern cryptography is concerned with encryption of numeric data 

(of any kind, e.g, coded natural langage texts. Encryption amounts 

to sophisticated algebraic manipulations of 

• Bits and bytes ⇒ bit-level arithmetics 

Bit-arithmetics is heavily used in symmetric cryptosystems since 

it can be quite efficient, in particular with hardware support. It 

is more difficult to produce convincing one-way functions in this 

way. 

• Integers ⇒ number theory 

Number theory is less efficient in implementation but offers 

sophisticated one-way functions that are easy to describe and 

investigate. 

Let us look at the second kind ... 




Chap.5-15 

A convenient choice is to encypt information coded in the residue 

class ring Z n = {0, 1, . . .,n − 1} of integers modulo n. 

What kind of Z n arithmetics is good for encryption? 

• Linear operations E k (m) = k ·m mod n define a permutation of 

Z n for certain k. This might seem like encryption, but is a BAD 

CHOICE. Linear operations are not one-way, they can be easily 

cryptanalysed (even if key unknown). 

• Nonlinear operations such as E k (m) = m k mod n or E k (m) = 

k m mod n also generate permutations for certain k. These are 

MUCH BETTER, as they are hard to invert (given today’s 

knowledge). 

We’ll study some functions of the second kind. First, we need ... 




Chap.5-16 

Some Basic Facts About Z n 

Proposition 5.3 An element a ∈ Z n has a multiplicative inverse a −1 

such that a · a −1 = 1 mod n iff gcd(a, n) = 1. 

The set Z ∗ n := {1 ≤ x ≤ n − 1 | gcd(x, n) = 1} ⊂ Z n of numbers 

relatively prime to n is the multiplicative group of Z n . Its size 

φ(n) := |Z ∗ n| is known as Euler’s totient function. The elements 

u ∈ Z ∗ n are called units. 

Proposition 5.4 If n = ∏ k 

i=1 pr i 

i is the prime factorisation of n, 

then φ(n) = ∏ k 

i=1 pr i−1 

i (p i − 1). 

Here is why φ(n) is relevant: 

Theorem 5.5 (Euler’s Theorem) ∀a ∈ Z ∗ n. a φ(n) = 1 mod n. 

From this it follows that for all a ∈ Z n , a φ(n)+1 = a mod n. This gives 

us ... 




Chap.5-17 

Naive RSA Encryption Scheme 

Alice wants to send Bob a confidential message. 

• Key Generation 

– Bob generates two (large ≥ 1024 bit) distinct primes p, q and 

computes n = p · q. 

– Bob selects e ∈ Z ∗ φ(n) (i.e., relatively prime to φ(n)) and computes 

its inverse d = e −1 mod φ(n) (Extended Euclid). 

– Bob publishes (n, e) as his public key and retains (n, d) as his 

private key. 

• Encryption with public key (n, e) 

– Alice represents her message as an integer m ∈ Z n (if necessary 

broken into blocks). 

– Alice computes c = m e mod n and sends c to Bob. 

• Decryption with private key (n, d): Bob retrieves m = c d mod n. 




Chap.5-18 

Naive RSA Signature Scheme 

Alice wants Bob to sign a message. 

• Key Generation 

As before, Bob publishes public key (n, e) and keeps private key 

(n, d). 

• Signing with secret key (n, d) 

Alice sends Bob the message m, from which he computes the 

signed message (m, σ) with signature σ = m d mod n. Bob 

publishes (m, σ). 

• Verifying with public key (n, e) 

Alice, and in fact anyone, may verify Bob has signed (m, σ) by 

checking that m = σ e mod n. 




Chap.5-19 

• Computing d from (n, e) 

RSA Security 

– As difficult as factoring integers: if we can factor n = p · q we 

also have φ(n) and thus e −1 mod φ(n), and vice versa, if we 

have d we can get p, q efficiently. 

– No poly-time algorithm for factoring known, believed to be 

PPT intractable. 

• Computing m from (n, e) and c 

– Amounts to computing e√ c mod n. 

– Not known if this as hard as computing d, i.e., factoring n, but 

believed to be PPT intractable. 

Security is a statistical property. Even average computational 

difficulty does not rule out special threat situations ... 




Chap.5-20 

RSA Weak Messages Attack 

• Messages must be chosen from the subset Z ∗ n, otherwise RSA can 

be broken completely. 

Suppose that gcd(m, n) ≠ 1, i.e., m is a multiple of one of n’s factors, 

say m = a · p. 

Then, its encryption 

c = m e mod n = (a · p) e mod n = (a · p) e mod p · q 

also is a multiple of p. 

Now both p = gcd(c, n) and q = n/p can be easily computed from 

public data. 




Chap.5-21 

RSA Common Modulus Attack 

• Plaintext information is not protected when sent to two users 

with same modulus n and relatively prime encryption exponents. 

Suppose Bob and Bridget have public keys (n, e 1 ) and (n, e 2 ), 

respectively, such that gcd(e 1 , e 2 ) = 1. Then there are integers r 1 , r 2 

such that r 1 e 1 + r 2 e 2 = 1. These can be obtained with Extended 

Euclid. We may assume r 1 < 0, otherwise interchange r 1 and r 2 . 

Suppose, message m is encrypted for both Bob and Bridget, i.e., 

c 1 = m e 1 

mod n, c 2 = m e 2 

mod n. 

Everybody can now retrieve m as follows: 

m = m r 1e 1 +r 2 e 2 

mod n = (m e 1 

) r1 · (m e 2 

) r 2 

mod n = c r 1 

1 cr 2 

2 

mod n, 

where we assume c 1 ∈ Z ∗ n (otherwise, Weak Messages Attack possible). 




Chap.5-22 

RSA Common Factor Attack 

• Different users must not share prime factors. 

Suppose Bob and Bert share the same prime factor p for different q i , 

i.e., n 1 = p · q 1 and n 2 = p · q 2 . 

Then, anyone can compute p = gcd(n 1 , n 2 ) and q i = n i /p from public 

data. 




Chap.5-23 

RSA Attack: Small Message Space 

• The message space may have small areas of unsafe messages. 

Eve can pre-tabulate any finite number of possible input-output pairs 

E approx = {(m 1 , c 1 ), (m 2 , c 2 ), . . .,(m N , c N )} 

of the real encryption function E. 

When she picks up a cryptogram c she simply tries to look up a 

corresponding m in E approx . 

To prevent this attack messages should be padded with random “salt” 

to avoid repeating previous or otherwise predictable message patterns. 




Chap.5-24 

RSA Attack: Disclosed Garbage 

• Even garbage messages may leak information. 

1. Alice sends Bob a secret message m, encrypted as c = m e mod n. 

2. Eve intercepts c and somehow decomposes c = c 1 · c 2 . 

3. Eve gets Bob to accept the “secret” messages c 1 and c 2 from her, 

which he decrypts as m 1 = c d 1 and m 2 = c d 2. 

4. Since m 1 , m 2 seem garbage to him and of no value he throws them 

away, thereby revealing them to Eve. 

5. Eve picks up m 1 , m 2 and computes Alice’s original message 

m = m 1 m 2 = c d 1c d 2 = (c 1 c 2 ) d = c d = m ed . 




Chap.5-25 

RSA Attack: Common Low Encryption Exponents 

• Messages sent to many users with the same low encryption 

exponent are not protected. 

Bob, Bridget, Bert have public keys (n 1 , e), (n 2 , e), (n 3 , e). Suppose 

m is sent to all three and m e < n := n 1 · n 2 · n 3 , which happens when 

e is relatively small compared to each n i . 

Eve picks up all ciphers c i = m e mod n i , i.e., the remainders of the 

same integer m e with respect to three different moduli. Assuming the 

n i are relatively prime to each other, she can exploit the Chinese 

Remainder Theorem to compute a unique residue class c such that 

c = m e mod n. Since m e < n, in fact, we have c = m e . Hence, Eve 

simply computes m = e√ c in Z, which can be done efficiently. 

Exercise: Look up Chinese Remainder Theorem in textbooks! 




Chap.5-26 

RSA Attack: Encryption and Signing with Same Keys 

• Don’t use the same key for both encryption and signing. 

Here is why: 

1. Alice sends Bob a secret message m and Eve intercepts the 

cryptogram c = m e formed with Bob’s public key (n, e). 

2. Eve selects a random integer r ∈ Z ∗ n and computes 

x = c · r e mod n = m e · r e mod n = (mr) e mod n. 

3. Eve has Bob sign the now random looking x to get his signature 

σ = x d involving Bob’s secret key (n, d). 

4. Eve retrieves the “secret” message m = σr −1 mod n. 




Chap.5-27 

Other Attacks 

• Low Private Key Exponent: 

Suppose, n = p · q with q 

3 n. Then, d 

can be computed efficiently from (n, e). [M.J.Wiener, 1990] (prevented 

by replacing e with e + l · φ(n).) 

• Iterated Encryption: 

If e ∈ Z ∗ φ(n) has a small order, i.e. e k = 1 mod φ(n) for small k. Then, 

c = (c ek−1 ) e mod n and hence m = c ek−1 mod n. 

• Partial Key Exposure: 

Suppose n has k bits and k = 0 mod 4. If we know the k/4 least 

significant bits of private key d, n can be factored efficiently. [D. 

Coppersmith] 

• Brute force: The 1999 512-bit RSA Factorisation Challenge has been 

solved in 3.7 months on a network of ≈ 300 PCs and workstations. 

[http://www.rsasecurity.com/rsalabs/challenges/factoring/rsa155.html] 




Chap.5-28 

So, How Can RSA Work? 

The secure application of RSA Encryption requires 

• Careful Key Generation 

• Careful Message Processing 

– Padding 

– Pseudorandom Bit Generators 

– Hash Functions 

Exercise: Look up practically secure RSA techniques in textbooks!

5 RSA Public Key Cryptography

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?