7 RSA Cryptosystem

Addition and multiplication modulo $n$ do not offer the computational difficulties needed to build a viable cryptographic system. We will see that exponentiation modulo $n$ does.

Operations as functions. Recall that $+_n$ and $\cdot_n$ each read two integers and return a third integer. If we fix one of the two input integers, we get two functions. Specifically, fixing $a \in \mathbb{Z}_n$, we have functions $A_a : \mathbb{Z}_n \to \mathbb{Z}_n$ and $M_a : \mathbb{Z}_n \to \mathbb{Z}_n$ defined by

$$A_a(x) = x +_n a;$$
$$M_a(x) = x \cdot_n a;$$

see Table 4. Clearly, $A_a$ is injective for every choice of $n > 0$ and $a \in \mathbb{Z}_n$. On the other hand, Property II stated in Section 5 implies that $M_a$ is injective iff $\gcd(a, n) = 1$. In particular, $M_a$ is injective for every non-zero $a \in \mathbb{Z}_n$ if $n$ is prime.

       x        0   1   2   3   4   5
     A_2(x)     2   3   4   5   0   1
     M_2(x)     0   2   4   0   2   4

Table 4: The function $A_2$ defined by adding 2 modulo $n = 6$ is injective. In contrast, the function $M_2$ defined by multiplying with 2 is not injective.

Exponentiation. Yet another function we may consider is taking $a$ to the $x$-th power. Define $E_a : \mathbb{Z}_n \to \mathbb{Z}_n$ by

$$E_a(x) = a^x \bmod n = a \cdot_n a \cdot_n \ldots \cdot_n a,$$

where we multiply $x$ copies of $a$ together. To get a feeling for this construction, Table 5 shows the seven functions of the form $E_a(x) = a^x$ for $n = 7$. Clearly, $E_0(x) = 0$ for every $x$. In contrast, we have $E_a(x) \neq 0 \bmod n$ for all $a \neq 0 \bmod n$ because $n = 7$ is a prime. Note also that for some values of $a$, the restriction of $E_a$ to the non-zero integers is injective and for others it is not. Perhaps surprisingly, the last column of Table 5 is 1 for almost all values of $a$.

      a^x    0   1   2   3   4   5   6
       0     0   0   0   0   0   0   0
       1     1   1   1   1   1   1   1
       2     1   2   4   1   2   4   1
       3     1   3   2   6   4   5   1
       4     1   4   2   1   4   2   1
       5     1   5   4   6   2   3   1
       6     1   6   1   6   1   6   1

Table 5: Exponentiation modulo $n = 7$. We write $x$ from left to right and $a$ from top to bottom.

FERMAT'S LITTLE THEOREM. Let $p$ be prime. Then $a^{p-1} \bmod p = 1$ for every non-zero $a \in \mathbb{Z}_p$.

PROOF. Since $p$ is prime, multiplication with $a$ gives an injective function for every non-zero $a \in \mathbb{Z}_p$. In other words, multiplying with $a$ permutes the non-zero integers in $\mathbb{Z}_p$. Hence,

$$X = 1 \cdot_p 2 \cdot_p \ldots \cdot_p (p-1)$$
$$\phantom{X} = (1 \cdot_p a) \cdot_p (2 \cdot_p a) \cdot_p \ldots \cdot_p ((p-1) \cdot_p a)$$
$$\phantom{X} = X \cdot_p (a^{p-1} \bmod p).$$

Multiplying with the inverse of $X$ gives $a^{p-1} \bmod p = 1$.

Protocol. The RSA cryptosystem is based on the existence of one-way functions $f : \mathbb{Z}_n \to \mathbb{Z}_n$ defined by the following three properties:

  • $f$ is easy to compute;
  • its inverse, $f^{-1} : \mathbb{Z}_n \to \mathbb{Z}_n$, exists;
  • without extra information, $f^{-1}$ is hard to compute.

The notions of 'easy' and 'hard' computation have to be made precise, but this is beyond the scope of this course. Roughly, it means that given $x$, computing $y = f(x)$ takes on the order of a few seconds while computing $f^{-1}(y)$ takes on the order of years. RSA uses the following recipe to construct one-way functions:

 1. Choose large primes $p$ and $q$, and let $n = pq$.
 2. Choose $e \neq 1$ relatively prime to $(p-1)(q-1)$ and let $d$ be its multiplicative inverse modulo $(p-1)(q-1)$.
 3. The one-way function is defined by $f(x) = x^e \bmod n$ and its inverse is defined by $g(y) = y^d \bmod n$.

According to the RSA protocol, Bob publishes $e$ and $n$ and keeps $d$ private. Finally, Alice and Bob use the following two steps to exchange a secret message, $x \in \mathbb{Z}_n$:

 4. Alice computes $y = f(x)$ and publishes $y$.
 5. Bob reads $y$ and computes $z = g(y)$.

To show that RSA is secure, we would need to prove that without knowing $p$, $q$, $d$, it is hard to compute $g$. We leave this to future generations of computer scientists. Indeed, nobody today can prove that computing $p$ and $q$ from $n = pq$ is hard, but then nobody knows how to factor large integers efficiently either.

Correctness. To show that RSA works, we need to prove that $z = x$. In other words, $g(y) = f^{-1}(y)$ for every $y \in \mathbb{Z}_n$. Recall that $y$ is computed as $f(x) = x^e \bmod n$. We need $y^d \bmod n = x$ but we first prove a result that is weaker.

LEMMA. $y^d \bmod p = x \bmod p$ for every $x \in \mathbb{Z}_n$.

PROOF. Since $d$ is the multiplicative inverse of $e$ modulo $(p-1)(q-1)$, we can write $ed = (p-1)(q-1)k + 1$. Hence,

$$y^d \bmod p = x^{ed} \bmod p$$
$$\phantom{y^d \bmod p} = x^{k(p-1)(q-1)+1} \bmod p.$$

Suppose first that $x^{k(q-1)} \bmod p \neq 0$. Then Fermat's Little Theorem implies $x^{k(p-1)(q-1)} \bmod p = 1$, which implies $y^d \bmod p = x \bmod p$, as claimed. Suppose second that $x^{k(q-1)} \bmod p = 0$. Since $p$ is prime, every power of a non-zero integer is non-zero. Hence, $x \bmod p = 0$. But this implies $y^d \bmod p = 0$ and thus $y^d \bmod p = x \bmod p$, as before.

By symmetry, we also have $y^d \bmod q = x \bmod q$. Hence,

$$(y^d - x) \bmod p = 0;$$
$$(y^d - x) \bmod q = 0.$$

By the Chinese Remainder Theorem, this system of two linear equations has a unique solution in $\mathbb{Z}_n$, where $n = pq$. Since $y^d - x = 0$ is a solution, there can be no other. Hence,

$$(y^d - x) \bmod n = 0.$$

The left hand side can be written as $((y^d \bmod n) - x) \bmod n$. This finally implies $y^d \bmod n = x$, as desired.

Summary. We talked about exponentiation modulo $n$ and proved Fermat's Little Theorem. We then described how RSA uses exponentiation to construct one-way functions, and we proved it correct. A proof that RSA is secure would be nice but is beyond what is currently known. Besides, it might not be secure.
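
An added example, not part of the original notes: the recipe (steps 1 to 3), the exchange (steps 4 and 5) and the Lemma, checked for every $x \in \mathbb{Z}_n$ on toy primes, including the proof's second case $x \bmod p = 0$. The primes 61 and 53, the exponent 17 and the names `mod_exp`, `make_keys` and `verify_all` are constructed for illustration; the repeated-squaring routine goes beyond the text to show why $f$ is easy to compute.

```python
from math import gcd

def mod_exp(a, x, n):
    """E_a(x) = a^x mod n by repeated squaring: about log2(x) steps
    instead of multiplying x copies of a together."""
    result, base = 1 % n, a % n
    while x > 0:
        if x & 1:
            result = result * base % n
        base = base * base % n
        x >>= 1
    return result

def make_keys(p, q, e):
    """Recipe steps 1-3: returns (n, e, d). Bob publishes (e, n), keeps d."""
    phi = (p - 1) * (q - 1)
    if e == 1 or gcd(e, phi) != 1:
        raise ValueError("e must be != 1 and relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # multiplicative inverse, Python 3.8+
    return p * q, e, d

def f(x, e, n):                  # step 4, Alice: y = x^e mod n
    return mod_exp(x, e, n)

def g(y, d, n):                  # step 5, Bob: z = y^d mod n
    return mod_exp(y, d, n)

def verify_all(p, q, e):
    """Check the Lemma and z = x for every x in Z_n (feasible only for toy n).
    Returns counts, including how many x fall in the proof's second case."""
    n, e, d = make_keys(p, q, e)
    stats = {"n": n, "lemma_ok": 0, "roundtrip_ok": 0, "second_case": 0}
    for x in range(n):
        y = f(x, e, n)
        # Lemma: y^d mod p = x mod p, and by symmetry the same for q.
        if mod_exp(y, d, p) == x % p and mod_exp(y, d, q) == x % q:
            stats["lemma_ok"] += 1
        if g(y, d, n) == x:      # correctness: z = x
            stats["roundtrip_ok"] += 1
        if x % p == 0:           # second case of the proof: x mod p = 0
            stats["second_case"] += 1
    return stats

# Constructed toy parameters, small enough for the exhaustive loop.
P, Q, E = 61, 53, 17

if __name__ == "__main__":
    n, e, d = make_keys(P, Q, E)
    y = f(65, e, n)
    print("n =", n, "d =", d, "y =", y, "z =", g(y, d, n))
    print(verify_all(P, Q, E))
```

The `second_case` count equals $q$, since exactly the multiples of $p$ in $\mathbb{Z}_n$ satisfy $x \bmod p = 0$, and decryption still returns $x$ for each of them.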



