1 / 9

The RSA Cryptosystem

The RSA Cryptosystem. Factoring large integers. Factorization. Given an integer N > 1, it has a unique factorization into primes: N = p 1 r 1  p 2 r 2  ...  p k r k ; Elementary-school algorithm for factoring: List primes and try each in order

pterry
Download Presentation

The RSA Cryptosystem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The RSA Cryptosystem Factoring large integers

  2. Factorization • Given an integer N > 1, it has a unique factorization into primes: • N = p1r1  p2r2  ...  pkrk; • Elementary-school algorithm for factoring: • List primes and try each in order • Inefficient: If N is k bits long, primes  √N, or less than k/2 bits long should be tried. • There are 2k/2/ksuch primes. Exponential workload Florida State University Fall 2005

  3. RSA Integers • Let k = 1024, or 2048, for instance. • Generate two primes p, q, of bitlength k/2 • Put N = p•q • Under most conditions, it is hard to factorN • The primes p, q must not be of a “weak” form • All known algorithms to factor such numbers have super-polynomial running times. • Publish N; keep p, q secret. Florida State University Fall 2005

  4. Size of the RSA ring • Let ZN* be the set of integers a such that: • a is in [1, N-1]; • a relatively prime to N: • a and N have no common divisors; • Then ZN* contains (p-1)(q-1) elements. • For each integer L: • let (L) be the size of the subset of [1, L-1] made of numbers relatively prime to L • We have seen that if N = pq, a product of primes: • (N) = (p - 1)(q - 1) Florida State University Fall 2005

  5. Exponentiation modulo N • If a is relatively prime to (N),then: • Let b be such that ab + k (N) = 1. • Such bexists by the Euclidean algorithm for GCD • It follows that for every M in ZN* : • C = Ma mod N • D = Cb mod N • Then D = M mod N (!!!) Florida State University Fall 2005

  6. Inverting exponents • If p, q are known: • First compute (N) • Then use GCD algorithm to find, for each exponent a, its inverse. • If p and qare not known: • Given an exponent, one cannot find its inverse without first having to factor N. • Public Key: (N, e) • Private Key: (p, q, d), where d = e-1 Florida State University Fall 2005

  7. To encrypt using RSA • Retrieve the public key (N, e) • First, encode a block Bof bitlength smaller than k = | N |, as an element M of ZN* : • M = Encode(N, B) • Then compute C = Me mod N. • SendCto recipient, who then uses privated: • Recovers M = Cd mod N. • Decodes B = Decode(N, M). This is not an encryption everybody knows how to decode Florida State University Fall 2005

  8. To sign using RSA • Compute digest H = H(M) of message M. • EncodeH as an element K of ZN* • K = Encode(N, H) • Use private key (p, q, d): • S = Kd mod N. • To verify signature S on Message M • Re-compute: H = H(M) • K = Encode(N, H) • Retrieve public key (N, e) • Check: (K = Se mod N)? Florida State University Fall 2005

  9. RSA Encoding • Unlike DSA and discrete-log type signatures, the encoding of bytes as elements of is security-critical in RSA signatures and encryption. • The encoding is specified as part of the RSA standard. There are two main encoding standards used w/ RSA: • RSA-OAEP(+) • EMSA-PSS Florida State University Fall 2005

More Related