15
Public-Key Cryptography

RSA

In 1978, Rivest, Shamir, and Adelman introduced some of the first techniques for public-key cryptography, based on the computational difficulty of factoring large numbers. There is no known efficient algorithm for factoring huge numbers (at least, not on classical computers). Along with the Diffie-Hellman-based techniques that we have already seen, RSA techniques are some of the most commonly used throughout cryptography.

15.1. Arithmetic modulo a composite

Earlier in section 3.4 we discussed the idea of multiplicative inverses. We say that XX is a multiplicative inverse of AA mod n\nmod if AXn1AX \equiv_\nmod 1. We also saw that when n\nmod is prime, all numbers in {1,,n1}\{1,\ldots,\nmod-1\} have a multiplicative inverse mod n\nmod.

When n\nmod is not a prime, not all numbers have multiplicative inverses mod n\nmod. But there is an easy way to characterize the numbers that do:

Review: GCD

gcd(X,Y)\gcd(X,Y) denotes the greatest common divisor of XX and YY. See section A.3 for a review.

Theorem 15.1.1 (Multiplicative inverses modulo a composite)

AA has a multiplicative inverse mod n\nmod if and only if gcd(A,n)=1\gcd(A,\nmod) = 1. When gcd(A,n)=1\gcd(A,\nmod)=1, we say that AA and n\nmod are relatively prime.

The proof of this theorem uses a fact from number theory called Bezout's theorem, which we will not prove.

Theorem 15.1.2 (Bezout's theorem)

For all integers A,BA, B, there exist integers s,ts,t, called Bezout coefficients, such that

sA+tB=gcd(A,B). s A + t B = \gcd(A,B).

Furthermore, gcd(A,B)\gcd(A,B) is the smallest positive integer that can be written as a linear combination of AA and BB with integer coefficients (an integer linear combination).

Now the proof of theorem 15.1.1:

Proof:

(\Rightarrow) Suppose AA has a multiplicative inverse XX mod n\nmod. Then AXn1AX \equiv_\nmod 1, or in other words, AX1AX - 1 is a multiple of n\nmod. Take kk such that AX1=knAX - 1 = k\nmod, and rearrange to obtain:

AXkn=1. AX - k \nmod = 1.

Since we can write 1 as an integer linear combination of AA and n\nmod, by Bezout's theorem we must have gcd(A,n)=1\gcd(A,\nmod)=1.

(\Leftarrow) Suppose gcd(A,n)=1\gcd(A,\nmod)=1; then by Bezout's theorem we can write sA+tn=1sA + t\nmod=1. Reducing this equation mod n\nmod gives:

1=sA+tnnsA+t0=sA. 1 = sA + t\nmod \equiv_\nmod sA + t \cdot 0 = s A.

Thus the Bezout coefficient ss is a multiplicative inverse of AA mod n\nmod.

Example 15.1.3 (Multiplicative inverses)

Which numbers have multiplicative inverses mod 15? They are the numbers from Z15={0,,14}\Z_{15} = \{0, \ldots, 14\} that have no factor in common with 15: {1,2,4,7,8,11,13,14}\{1,2,4,7,8,11,13,14\}.

Which numbers have multiplicative inverses mod 16? They are the numbers from Z16={0,,15}\Z_{16} = \{0, \ldots, 15\} that have no factor in common with 16. In this case, these are exactly the odd numbers {1,3,5,,15}\{1,3,5,\ldots, 15\}.

Example 15.1.4 (Multiplicative inverses)

When n\nmod is prime, every number from {1,,n1}\{1, \ldots, \nmod-1\} is relatively prime to n\nmod, and thus has a multiplicative inverse mod n\nmod. This matches what was shown previously in claim 3.4.4.

15.1.1. Computing inverses

Suppose you want to compute the multiplicative inverse of AA mod n\nmod. You will probably first compute gcd(A,n)\gcd(A,\nmod) to ensure that the inverse of AA indeed exists. GCDs can be computed using Euclid's algorithm (section A.3). By making a small modification to this algorithm, we can also compute the corresponding Bezout coefficients—and hence, the multiplicative inverse—along the way.

// Euclid's algorithm:
gcd(X,Y)\subname{gcd}(X,Y):
if Y==0Y==0: return XX
else: return gcd(Y,X%Y)\subname{gcd}(Y, X \pct Y)
\quad\leadsto\quad
// extended Euclid's algorithm:
extgcd(X,Y)\subname{extgcd}(X,Y):
// returns (d,s,t)(d,s,t) such that
// gcd(X,Y)=d=sX+tY\gcd(X,Y) = d = sX + tY
if Y==0Y==0:
return (X,1,0)(X,1,0)
else:
(d,s,t)=extgcd(Y,X%Y)(d,s,t) = \subname{extgcd}(Y, X \pct Y)
// “X/Y\lfloor X/Y \rfloor is the quotient upon
// dividing XX by YY
return (d,t,stX/Y)\bigl(d, t, s - t\lfloor{X/Y}\rfloor \bigr)

To compute the multiplicative inverse of AA mod n\nmod, first run (d,s,t):=extgcd(A,n)(d,s,t) := \subname{extgcd}(A,\nmod). If d=1d=1, then ss is the multiplicative inverse of AA; otherwise, AA has no multiplicative inverse.

Example 15.1.5 (Multiplicative inverses in Sage)

Sage implements the extended Euclidean algorithm as xgcd:

sage: xgcd(427,529) (1, 223, -180) sage: 223*427 - 180*529 # double-check Bezout linear combination 1 sage: def mult_inv(A,n): ....: (d,s,t) = xgcd(A,n) ....: if (d != 1): raise RuntimeError ....: return s sage: mult_inv(427,529) 223 sage: 1/Mod(427,529) # compare result to builtin 223 sage: mult_inv(5,15) # inverse shouldn't exist RuntimeError

15.1.2. Algebraic properties

Previously, in definition 13.1.3, we defined multiplicative groups for prime moduli n\nmod. We now extend the definition to composite moduli as well.

Definition 15.1.6 (Multiplicative group)

The multiplicative group mod n\nmod, called Zn\Z^*_\nmod, is defined as

Zn={AZngcd(A,n)=1}={AZnA has a multiplicative inverse mod n}.\begin{aligned} \Z^*_\nmod &= \{ A \in \Z^*_\nmod \mid \gcd(A,\nmod) = 1 \} \\ &= \{ A \in \Z^*_\nmod \mid A \text{ has a multiplicative inverse mod } \nmod \}.\end{aligned}

The Euler totient of n\nmod, written ϕ(n)\phi(\nmod), is defined to be the cardinality of Zn\Z_\nmod^* (equivalently, the order of the multiplicative group). “ϕ\phi is the Greek letter phi.

Example 15.1.7 (Multiplicative groups)
Z15={1,2,4,7,8,11,13,14}, so ϕ(15)=8;Z16={1,3,5,7,9,11,13,15}, so ϕ(16)=8;Z17={1,2,3,,15,16}, so ϕ(17)=16.\begin{aligned} \Z_{15}^* &= \{1,2,4,7,8,11,13,14\}, & \text{ so } \phi(15) &= 8; \\ \Z_{16}^* &= \{1,3,5,7,9,11,13,15\}, & \text{ so } \phi(16) &= 8; \\ \Z_{17}^* &= \{1,2,3,\ldots,15,16\}, & \text{ so } \phi(17) &= 16.\end{aligned}

It is convenient to have formulas for ϕ(n)\phi(\nmod), for different kinds of n\nmod. It is easy to see that when n\nmod is prime, ϕ(n)=n1\phi(\nmod) = \nmod-1. RSA-based cryptography uses n\nmod which is the product of two distinct primes n=pq\nmod = \pmod\qmod:

Claim 15.1.8 (Formula for ϕ(pq)\phi(\pmod\qmod))

If p\pmod and q\qmod are distinct primes, then ϕ(pq)=(p1)(q1)\phi(\pmod\qmod) = (\pmod-1)(\qmod-1).

Proof:

Let n=pq\nmod=\pmod\qmod and imagine constructing Zn\Z^*_\nmod by first writing down all of Zn={0,,n1}\Z_\nmod = \{0, \ldots, \nmod-1\} and then crossing out all the elements that share a common factor with n\nmod; these are precisely the multiples of p\pmod and multiples of q\qmod.

  • There are q\qmod multiples of p\pmod: 0,p,2p,,(q1)p0, \pmod, 2\pmod, \ldots, (\qmod-1)\pmod.

  • There are p\pmod multiples of q\qmod: 0,q,2q,,(p1)q0, \qmod, 2\qmod, \ldots, (\pmod-1)\qmod.

It looks like there are p+q\pmod+\qmod numbers to cross out; however, 0 appears on both lists so is double-counted. No other item appears on both lists, because the least common multiple of p\pmod and q\qmod is pq\pmod\qmod, since p\pmod and q\qmod are relatively prime.

Overall, we start with n=pq\nmod=\pmod\qmod elements, and cross out p+q1\pmod+\qmod-1 of them, leaving

n(p+q1)=pqpq+1=(p1)(q1) \nmod - (\pmod + \qmod - 1) = \pmod\qmod - \pmod - \qmod + 1 = (\pmod-1)(\qmod-1)

elements remaining in Zn\Z^*_\nmod.

You might wonder about the significance of the totient function ϕ(n)\phi(\nmod). Why is it so important to know the number of elements in Zn\Z^*_\nmod? The answer is the following useful theorem, usually called Euler's theorem (as if that would narrow things down), which we will not prove here:

Theorem 15.1.9 (Euler's theorem)

If XZnX \in \Z^*_\nmod, then Xϕ(n)n1X^{\phi(\nmod)} \equiv_\nmod 1.

15.2. The RSA function and RSA assumption

Another way to think about Euler's theorem is the following:

Claim 15.2.1 (Reduce exponents mod ϕ(n)\phi(\nmod))

For all XZnX \in \Z_\nmod^* and all positive integers ee,

XenXe%ϕ(n). X^e \equiv_\nmod X^{e \pct \phi(\nmod)}.

In other words, if you need to know the value of some expression mod n\nmod, you can reduce numbers that appear in the exponent mod ϕ(n)\phi(\nmod).

Proof:

The number ee is e%ϕ(n)e \pct \phi(\nmod) more than a multiple of ϕ(n)\phi(\nmod). So we can write

e=kϕ(n)+(e%ϕ(n)), e = k \cdot \phi(\nmod) + (e \pct \phi(\nmod)),

where kk is an integer. Then by the usual rules of exponents, we have:

Xe=Xkϕ(n)+(e%ϕ(n))=(Xϕ(n))kXe%ϕ(n)n1kXe%ϕ(n)=Xe%ϕ(n).\begin{aligned} X^e &= X^{ k \cdot \phi(\nmod) + (e \pct \phi(\nmod)) } \\ &= ( \hl{X^{\phi(\nmod)}} )^k \cdot X^{e \pct \phi(\nmod)} \\ &\equiv_\nmod \hl{1} ^k \cdot X^{e \pct \phi(\nmod)} \\ &= X^{e \pct \phi(\nmod)}.\end{aligned}

The next-to-last step uses Euler's theorem.

Euler's theorem motivates the following RSA functions:

Construction 15.2.2 (RSA functions)

Let n\nmod be the product of two distinct primes n=pq\nmod = \pmod\qmod, and let ee and dd satisfy edϕ(n)1ed \equiv_{\phi(\nmod)} 1. The RSA functions are:

XXe%n,(forward direction)YYd%n.(reverse direction)\begin{aligned} X &\mapsto X^e \pct \nmod , & \text{(forward direction)}\\ Y &\mapsto Y^d \pct \nmod. & \text{(reverse direction)}\end{aligned}
Claim 15.2.3 (RSA functions are inverses)

The RSA functions are inverses on Zn\Z_\nmod.

Proof:

Composing the two RSA functions gives the new function X(Xe)d%n=Xed%nX \mapsto (X^e)^d \pct \nmod = X^{ed} \pct \nmod. If XZnX \in \Z^*_\nmod, then claim 15.2.1 applies, and we have:

XednXed%ϕ(n)=X1. X^{ed} \equiv_\nmod X^{ed \pct \phi(\nmod)} = X^1.

So the two functions compose to give the identity function XXX \mapsto X.

What about the case of X∉ZnX \not\in \Z_\nmod^*? Section 15.4 introduces new number-theoretic tools that can help prove the claim for such elements as well. You are asked to complete the proof in exercise 15.25.

Example 15.2.4 (RSA arithmetic)

Here is a toy example implemented in Sage. These numbers are far too small to offer any reasonable security; see below.

First, we generate 64-bit primes p\pmod and q\qmod and compute n\nmod and ϕ(n)\phi(\nmod):

sage: p = random_prime(2^64) ; p 9724514111646324847 sage: q = random_prime(2^64) ; q 1207581156701649733 sage: n = p*q ; n 11743139999303384751883159151328815851 sage: phi = (p-1)*(q-1) ; phi 11743139999303384740951063882980841272

Next, we choose exponents ee and dd. They must be multiplicative inverses mod ϕ(n)\phi(\nmod), so we must ensure they are chosen relatively prime to ϕ(n)\phi(\nmod):

sage: while True: ....: e = randint(0,phi) ....: if gcd(e,phi) == 1: break sage: e 7719536541386642507223580820062608803 sage: d = 1 / Mod(e,phi) ; d 2131510104972159307593787500762994163

Finally, we can use an example to check that raising to the ee power and to the dd power are inverses:

sage: X = Mod(12345,n) ; X 12345 sage: Y = X^e ; Y 11128685282773989718428445860374322408 sage: Z = Y^d ; Z 12345

15.2.1. Security and eeth roots

Suppose n\nmod, ee, and dd have the relationship described above: n\nmod is the product of two distinct primes and e,de,d are multiplicative inverses mod ϕ(n)\phi(\nmod). The main idea behind RSA is that if you know n\nmod and ee (but not dd), then you can efficiently compute the function XXe%nX \mapsto X^e \pct \nmod, but there is no known efficient method to invert it.

Sometimes we refer to the act of inverting XXeX \mapsto X^e as computing ee-th roots mod n\nmod.

Formalizing this intuition starts with specifying how the relevant values n\nmod, ee, and dd are chosen:

RSA.KeyGen()\RSA.\KeyGen(\,):
// kk to be discussed below
uniformly choose k/2k/2-bit prime p\pmod
uniformly choose k/2k/2-bit prime q\qmod
n:=pq\nmod := \pmod \cdot \qmod
eZϕ(n)e \gets \Z^*_{\phi(\nmod)}
d:=e1%ϕ(n)d := e^{-1} \pct \phi(\nmod)
return (n,e,d)(\nmod,e,d)

We formalize the idea that “computing ee-th roots mod n\nmod is hard” using the following definition:

Definition 15.2.5 (RSA assumption)

The RSA assumption is that the following two libraries are indistinguishable:

Lrsa-real\lib{rsa-real}
(n,e,d):=RSA.KeyGen()(\nmod,e,d) := \RSA.\KeyGen()
YZnY \gets \Z_\nmod
rsa.challenge()\rsachallenge(\,):
return (n,e,Y)(\nmod,e,Y)
rsa.check(X)\rsacheck(X):
return YnXeY \equiv_\nmod X^e
\indist
Lrsa-ideal\lib{rsa-ideal}
(n,e,d):=RSA.KeyGen()(\nmod,e,d) := \RSA.\KeyGen()
YZnY \gets \Z_\nmod
rsa.challenge()\rsachallenge(\,):
return (n,e,Y)(\nmod,e,Y)
rsa.check(X)\rsacheck(X):
return false\myfalse

The value YY is called the RSA challenge, and the two libraries have different behavior only in the event that the adversary calls rsa.check\rsacheck with an ee-th root of the challenge. If the two libraries are indistinguishable, then no efficient adversary can compute ee-th roots with better than negligible probability, given only the information available to it: n\nmod, ee, and YY.

What is the connection between RSA and factoring?
If an adversary can factor n=pq\nmod = \pmod\cdot \qmod, then it can easily compute ϕ(n)=(p1)(q1)\phi(\nmod) = (\pmod-1)(\qmod-1). If it knows ϕ(n)\phi(\nmod), then it can compute the multiplicative inverse dd of ee mod ϕ(n)\phi(\nmod). If it knows dd, then it can compute ee-th roots mod n\nmod, via YYd%nY \mapsto Y^d \pct \nmod.

Thus, factoring n\nmod is the most natural approach to breaking the RSA assumption. If factoring is easy, then breaking RSA is easy too. To date, there is no known polynomial-time factoring algorithm (at least not on classical computers; see section 20.1).

How big should n\nmod be?
The best known method to break the RSA assumption is the obvious one: Simply factor the modulus. The best known factoring algorithms are not polynomial-time but still considerably faster than brute force. The following table shows, for a given target value λ\secpar, how large the modulus must be so that these factoring algorithms require 2λ2^\secpar effort:

λ\secpar n\nmod
128 >23072{} > 2^{3072}
192 >27680{} > 2^{7680}
256 >215360{} > 2^{15360}

These recommendations for modulus size are the same as those for the discrete logarithm problem. Most modern implementations of RSA produce a 3072-bit modulus by default.

How can you uniformly sample a prime of certain length in RSA.KeyGen\RSA.\KeyGen?
There is no real shortcut; sample the bits of a number uniformly at random and test whether it is prime. A famous result from number theory says that a O(1/k)O(1/k) fraction of kk-bit numbers are prime.

If it's easy to test whether a huge number is prime, can't you factor n\nmod?
State-of-the-art primality testing algorithms don't work by searching for a factor of n\nmod; instead, they look for other algebraic properties from number theory to distinguish between primes and composites. These algorithms simply aren't trying to find an explicit factor of n\nmod.

How exactly should exponents ee and dd be chosen?
Besides the fact that they must be multiplicative inverses mod ϕ(n)\phi(\nmod), there are relatively few restrictions. The cost of exponentiation depends on the number of bits in the exponent, so choosing a small exponent will speed up the corresponding exponentiation steps. However, attacks on RSA are possible when dd is particularly small (less than n1/4\nmod^{1/4}), so small values of dd should be avoided. Small values of ee are generally safe for RSA-KEM (introduced next in section 15.3); however, extreme values like e=3e=3 have some mild weaknesses. Many implementations of RSA always choose e=65537=216+1e = 65537 = 2^{16} +1.

15.3. Building a KEM from RSA

The RSA assumption gives us a function that anyone can compute but only someone with the secret information dd can invert. Doesn't this sound a lot like PKE? Can we use RSA for encryption, where encryption is XXeX \mapsto X^e and decryption is its inverse YYdY \mapsto Y^d?

Construction 15.3.1 (Textbook RSA encryption)

Textbook RSA encryption is defined as follows:

M=ZnC=ZnKeyGen=RSA.KeyGen\begin{aligned} \M &= \Z_\nmod \\ \C &= \Z_\nmod \\ \KeyGen &= \textsf{RSA}.\KeyGen \end{aligned}
Enc(PK=(n,e),M)\Enc(\pk = (\nmod,e), \ptxt):
C:=Me%n\ctxt := \ptxt^e \pct \nmod
return C\ctxt
Dec(SK=(n,d),C)\Dec(\sk = (\nmod,d), \ctxt):
M:=Cd%n\ptxt := \ctxt^d \pct \nmod
return M\ptxt

This section of the book includes some slight abuses of notation, which I hope you will excuse. In textbook RSA (and RSA-KEM below), the sets M\M (possible plaintexts) and C\C (possible ciphertexts) are not fixed parameters of the scheme but depend on a particular user's modulus n\nmod. A completely precise treatment would define syntax and security with respect to M(PK)\M(\pk) and C(PK)\C(\pk): the set of plaintexts/ciphertexts possible under a particular public key PK\pk.

Textbook RSA encryption is not secure! The main reason is quite obvious: It's deterministic! An adversary who has a guess of the plaintext value can check whether that guess is true, by re-encrypting it. So, NEVER use textbook RSA for encryption.

However, there is a simple modification to textbook RSA that results in a secure KEM: Simply hash the plaintext under a random oracle. The resulting construction even achieves CCA security!

Construction 15.3.2 (RSA-KEM)

Let H\ro be a hash function with λ\secpar output bits, which we will model as a random oracle. RSA-KEM is defined as follows:

M={0,1}λC=ZnKeyGen=RSA.KeyGen\begin{aligned} \M &= \bits^\secpar \\ \C &= \Z_\nmod \\ \KeyGen &= \textsf{RSA}.\KeyGen \end{aligned}
Encaps(PK=(n,e))\Encaps(\pk = (\nmod,e)):
RZnR \gets \Z_\nmod
C:=Re%n\ctxt := R^e \pct \nmod
M:=H(R)\ptxt := \ro(R)
return (C,M)(\ctxt, \ptxt)
Decaps(SK=(n,d),C)\Decaps(\sk = (\nmod,d), \ctxt):
R:=Cd%nR := \ctxt^d \pct \nmod
return H(R)\ro(R)
Claim 15.3.3 (CCA security of RSA-KEM)

Construction 15.3.2 is a CCA-secure KEM in the random oracle model, if the RSA assumption is true. From claim 14.2.2, it is enough to prove security for a single encryption. In other words,

Lkem-1cca-real+ro\lib{kem-1cca-real+ro}
(n,e,d):=RSA.KeyGen()(\nmod,e,d) := \RSA.\KeyGen()
PK:=(n,e)\pk := (\nmod,e)
// (C,M):=Encaps(PK)(\ctxt^*,\ptxt^*) := \Encaps(\pk):
RZnR^* \gets \Z_\nmod
C:=(R)e%n\ctxt^* := (R^*)^e \pct \nmod
M:=H(R)\ptxt^* := \ro(R^*)
1cca.pk()\ccaonepk(\,):
return PK\pk
1cca.enc()\ccaoneenc(\,):
return (C,M)(\ctxt^*, \ptxt^*)
1cca.dec(C)\ccaonedec(\ctxt):
// Decaps(C)\Decaps(\ctxt):
return H(Cd%n)\ro(\ctxt^d \pct \nmod)
H(A)\ro(A):
if H[A]\rotable[A] undefined:
H[A]{0,1}λ\rotable[A] \gets \bits^\secpar
return H[A]\rotable[A]
\indist
Lkem-1cca-rand+ro\lib{kem-1cca-rand+ro}
(n,e,d):=RSA.KeyGen()(\nmod,e,d) := \RSA.\KeyGen()
PK:=(n,e)\pk := (\nmod,e)
CZn\ctxt^* \gets \Z_\nmod
M{0,1}λ\ptxt^* \gets \bits^\secpar
1cca.pk()\ccaonepk(\,):
return PK\pk
1cca.enc()\ccaoneenc(\,):
return (C,M)(\ctxt^*, \ptxt^*)
1cca.dec(C)\ccaonedec(\ctxt):
if C==C\ctxt == \ctxt^*: return M\ptxt^*
return H(Cd%n)\ro(\ctxt^d \pct \nmod)
H(A)\ro(A):
if H[A]\rotable[A] undefined:
H[A]{0,1}λ\rotable[A] \gets \bits^\secpar
return H[A]\rotable[A]
Proof:

The proof contains two important conceptual steps. The first is to follow the usual strategy for proofs in the random oracle model: Argue that the adversary cannot directly call H\ro on the same inputs as the construction. Specifically, suppose the adversary calls H\ro on the ee-th root of the challenge ciphertext C\ctxt^*. In one library the result will be M\ptxt^*, but in the other it will be independent of M\ptxt^*. We can use the RSA assumption to argue that, given a uniformly chosen C\ctxt^*, it is hard to compute the ee-th root of C\ctxt^*, and thus it is hard to call the random oracle on this input.

However, there is a caveat: To use the RSA assumption in a proof, we must reach a hybrid that does not use the secret exponent dd anywhere; the libraries from the RSA assumption do not provide dd to the calling program. Thus, one of the most important parts of the proof is to modify the 1cca.dec\ccaonedec subroutine to operate without dd.

The only place dd is used is when calling H(Cd)\ro(\ctxt^d), which in turn accesses the random oracle's internal lazy random dictionary at position H[Cd]\rotable[\ctxt^d]. The clever trick in the proof is to imagine renaming every expression H[A]\rotable[A] to D[Ae]\mathcal{D}[A^e]. Thus, when the random oracle is called on input AA, its implementation accesses D[Ae]\mathcal{D}[A^e]. Importantly, when the decapsulation algorithm needs to access H[Cd]\ro[\ctxt^d], it can instead access D[(Cd)e]=D[C]\mathcal{D}[(\ctxt^d)^e] = \mathcal{D}[\ctxt]. Renaming terms in this way does not affect the library's behavior but allows 1cca.dec\ccaonedec to operate without the secret exponent dd.

Hybrid Sequence:
The starting point of the hybrid proof is Lkem-1cca-real+ro\lib{kem-1cca-real+ro}.
We can inline all of the calls to H\ro. The call to H\ro that determines M\ptxt^* is the first, so its result is always sampled uniformly.
Now we can perform the renaming suggested above. Whatever was previously stored in H[A]\rotable[A] is now stored in D[Ae]\mathcal{D}[A^e]. Thus, H[Cd]\rotable[\ctxt^d] becomes D[C]\mathcal{D}[\ctxt].
We can carve out an exception for the challenge ciphertext C\ctxt^*, so that D[C]\mathcal{D}[\ctxt^*] is never used. Additionally, now the value RR^* is used only to compute C\ctxt^*. Since RR^* is uniform, and exponentiation-by-ee is a 1-to-1 function, the resulting distribution on C\ctxt^* is uniform.
The special case in H(A)\ro(A) is triggered when the calling program provides an ee-th root of C\ctxt^*. Since dd is no longer used anywhere in the library, we can apply the RSA assumption to argue that this special case never happens.
We can remove the unreachable if-statement and also revert the previous change, replacing D[Ae]\mathcal{D}[A^e] with H[A]\rotable[A]. The result is Lkem-1cca-rand+ro\lib{kem-1cca-rand+ro}.
Lkem-1cca-real+ro\lib{kem-1cca-real+ro}
(n,e,(\nmod,e, {}
d):=RSA.KeyGen()d) := \RSA.\KeyGen()
C)rsa.challenge()\ctxt^*) \gets \rsachallenge()
d):=RSA.KeyGen()d) := \RSA.\KeyGen()
PK:=(n,e)\pk := (\nmod,e)
// (C,M):=Encaps(PK)(\ctxt^*,\ptxt^*) := \Encaps(\pk):
RZnR^* \gets \Z_\nmod
C\ctxt^*
:=(R)e%n{}:= (R^*)^e \pct \nmod
Zn{}\gets \Z_\nmod
M\ptxt^*
:={}:= {}
H(R)\ro(R^*)
H[R]{0,1}λ\rotable[R^*] \gets \bits^\secpar
D[C]{0,1}λ\mathcal{D}[\ctxt^*] \gets \bits^\secpar
{0,1}λ{}\gets \bits^\secpar
1cca.pk\ccaonepk( ):
return PK\pk
1cca.enc\ccaoneenc( ):
return (C,M)(\ctxt^*, \ptxt^*)
1cca.dec\ccaonedec(C\ctxt):
// Decaps(C)\Decaps(\ctxt):
return
H(Cd%n)\ro(\ctxt^d \pct \nmod)
H[Cd%n]\rotable[\ctxt^d \pct \nmod]
D[C]\mathcal{D}[\ctxt]
H(Cd%n)\ro(\ctxt^d \pct \nmod)
H\ro(AA):
if
H[A]\rotable[A] undefined:
D[Ae%n]\mathcal{D}[A^e \pct \nmod] undefined:
H[A]{0,1}λ\rotable[A] \gets \bits^\secpar
return
H[A]\rotable[A]
D[Ae%n]\mathcal{D}[A^e \pct \nmod]
H[A]\rotable[A]
\link
Lrsa-real\lib{rsa-real}
(n,e,d):=RSA.KeyGen()(\nmod,e, d) := \RSA.\KeyGen()
YZnY \gets \Z_\nmod
rsa.challenge\rsachallenge( ):
return (n,e,Y)(\nmod,e,Y)
rsa.check\rsacheck(XX):
return YnXeY \equiv_\nmod X^e
Lrsa-ideal\lib{rsa-ideal}
(n,e,d):=RSA.KeyGen()(\nmod,e, d) := \RSA.\KeyGen()
YZnY \gets \Z_\nmod
rsa.challenge\rsachallenge( ):
return (n,e,Y)(\nmod,e,Y)
rsa.check\rsacheck(XX):
return false\myfalse

15.4. ☆ Chinese remainder theorem

In RSA-based cryptography, one user knows the factorization of the modulus. This section introduces a technique that allows for faster modular arithmetic when the factors of the modulus are known.

History. In the Sunzi Suanjing, written some time around the fourth century ce, the Chinese mathematician Sunzi posed an interesting puzzle involving remainders:

We have a number of things, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many things are there?

Sunzi's puzzle is the first known instance of a system of simultaneous equations involving modular arithmetic: In our notation, he is asking us to solve for XX in the following system of congruences:

X32X53X72\begin{aligned} X &\equiv_3 2 \\ X &\equiv_5 3 \\ X &\equiv_7 2\end{aligned}

We can solve such systems of equations using what is called (in the West) the Chinese remainder theorem (CRT). Below is one of the simpler formations of the CRT, involving only two moduli (unlike the example above, which involves three moduli):

Theorem 15.4.1 (Chinese remainder theorem)

Suppose gcd(p,q)=1\gcd(\pmod,\qmod)=1, not necessarily primes but merely relatively prime. Then for all integers U,VU, V, there is a solution for XX in the following system of equations:

XpUXqV\begin{aligned} X &\equiv_\pmod U \\ X &\equiv_\qmod V\end{aligned}

Furthermore, this solution is unique modulo pq\pmod\qmod.

Proof:

Since gcd(p,q)=1\gcd(\pmod,\qmod) = 1, we have by Bezout's theorem that 1=sp+tq1 = s\pmod + t\qmod for some integers ss and tt. If we reduce the this equation mod p\pmod, we see that tt is the multiplicative inverse of q\qmod mod p\pmod. Now set X=sVp+tUqX = sV\pmod + tU\qmod. Then,

X=sVp+tUqpsV0+(tq)Up0+1U=U. X = sV\pmod + tU\qmod \equiv_\pmod sV\cdot 0 + (t\qmod)U \equiv_\pmod 0 + 1\cdot U = U.

So XpUX \equiv_\pmod U, as desired. Similar reasoning mod q\qmod shows that XqVX \equiv_\qmod V as well. Thus, XX is a desired solution to both equations.

Now we argue that this solution is unique modulo pq\pmod\qmod. Suppose XX and XX' are two solutions, so we have:

XpXRU,XqXSV.\begin{aligned} X &\equiv_\pmod X' \equiv_R U, \\ X &\equiv_\qmod X' \equiv_S V.\end{aligned}

Since XpXX \equiv_\pmod X' and XqXX \equiv_\qmod X', it must be that XXX-X' is a multiple of p\pmod and a multiple of q\qmod. Any number that is a multiple of p\pmod and of q\qmod is also a multiple of their least common multiple, which is pq\pmod\qmod since p\pmod and q\qmod are relatively prime. Thus, XXX-X' is a multiple of pq\pmod\qmod. Hence, XpqXX \equiv_{\pmod\qmod} X'; that is, all solutions to this system of equations are congruent mod pq\pmod\qmod.

Example 15.4.2 (CRT in Sage)

Sage implements the crt function to solve for XX in these kinds of systems of equations. Suppose we want to solve for XX:

X42742,X529123.\begin{aligned} X &\equiv_{427} 42, \\ X &\equiv_{529} 123.\end{aligned}

In Sage, the solution can be found as follows:

sage: crt( 42,123, 427,529 ) 32921

We can check the solution:

sage: 32921 % 427 42 sage: 32921 % 529 123

15.4.1. Using CRT for modular arithmetic

Another way to think about the Chinese remainder theorem is:

If you know XX mod p\pmod, and you also know XX mod q\qmod, then you can efficiently determine XX mod pq\pmod\qmod.

This observation leads to a different approach for doing arithmetic mod pq\pmod\qmod:

CRT Recipe for Arithmetic Mod pq\pmod\qmod

Suppose p\pmod and q\qmod are relatively prime, and you want to know the value of some complicated expression mod pq\pmod\qmod. One method to compute its value is:

  • Evaluate the expression mod p\pmod.

  • Evaluate the expression mod q\qmod.

  • Apply the CRT to these two results to solve for the answer mod pq\pmod\qmod.

Example 15.4.3 (Addition using CRT)

Let's start with a simple example. We want to know the value of 3+73+7 mod 15. To compute it using the CRT recipe:

  • Evaluate the expression mod 3: 3+730+1=13+7 \equiv_3 0 + 1 = 1.

  • Evaluate the expression mod 5: 3+753+2=5503+7 \equiv_5 3 + 2 = 5 \equiv_5 0.

  • Use the CRT to solve for XX that satisfies X31X \equiv_3 1 and X50X \equiv_5 0. The result is 10.

You can compare the CRT “addition recipe” to the normal approach with the following sage code:

sage: def crtadd(X,Y, p,q): ....: U = (X+Y) % p # evaluate mod p ....: V = (X+Y) % q # evaluate mod q ....: return crt( U,V, p,q ) # solve for answer mod pq sage: def normaladd(X,Y,n): ....: return (X+Y) % n # directly evaluate mod n sage: crtadd(3,7, 3,5) 10 sage: normaladd(3,7, 15) 10
Example 15.4.4 (Multiplication using CRT)

The same recipe works for multiplication too. Let's compute 373\cdot7 mod 15, using the CRT recipe:

  • Evaluate the expression mod 3: 37301=03 \cdot 7 \equiv_3 0 \cdot 1 = 0.

  • Evaluate the expression mod 5: 37532=6513\cdot7 \equiv_5 3 \cdot 2 = 6 \equiv_5 1.

  • Use the CRT to solve for XX that satisfies X30X \equiv_3 0 and X51X \equiv_5 1. The result is 6.

The result matches what you would obtain in the usual way, as 37=211563\cdot 7 = 21 \equiv_{15} 6.

15.4.2. Applications to RSA

You may have gotten the impression that the “CRT recipe” for modular arithmetic is convoluted and wasteful. That's true when we're evaluating simple expressions like addition and multiplication, as in our examples. But remember, RSA-based cryptography involves modular exponentiations with huge exponents. The CRT method is significantly faster for these exponentiations.

Example 15.4.5 (Exponentiation using CRT)

In Sage, the usual way to compute an exponentiation like Xe%nX^e \pct \nmod is:

sage: def modexp(X,e,n): ....: return Mod(X,n)^e

If we know the factorization n=pq\nmod=\pmod\qmod of the modulus, we can use the CRT recipe. That is, we can compute Xe%pX^e \pct \pmod and Xe%qX^e \pct \qmod (separately) and use CRT to solve for the answer mod pq\pmod\qmod.

sage: def crtmodexp(X,e,p,q): ....: U = Mod(X,p)^e ....: V = Mod(X,q)^e ....: return crt( U.lift(),V.lift(), p,q )

We need to use the lift method, because the crt function expects integers and not Mod-objects.

Both of these methods will compute the same answer, and we can measure them to see which is faster on large inputs. Below is a test from my laptop using a 3072-bit RSA modulus, so p\pmod and q\qmod are each 1536 bits.

sage: p = random_prime(2^1536) sage: q = random_prime(2^1536) sage: n = p*q sage: X = 12345678901234567 sage: e = randint(0,n) # random exponent between 0 & n-1 sage: timeit('modexp(X,e,n)') 125 loops, best of 3: 6.17 ms per loop sage: timeit('crtmodexp(X,e,p,q)') 125 loops, best of 3: 3.11 ms per loop

The CRT method is almost twice as fast (3ms vs 6ms).

To understand why the CRT method is faster, it's enough to know that the cost of standard modular exponentiation over a kk-bit modulus is O(k3)O(k^3). For simplicity, let's pretend that exponentiation takes exactly k3k^3 steps.

With the CRT method, we perform an exponentiation mod p\pmod and another mod q\qmod. But p\pmod and q\qmod are each only k/2k/2 bits long. So the overall cost is (k/2)3+(k/2)3=2(k3/8)=k3/4(k/2)^3 + (k/2)^3 = 2(k^3/8) = k^3/4. By this rough analysis, it is four times faster than the standard method. In reality, there are other costs slowing down the CRT method, which this analysis doesn't account for, like the cost of solving for the answer mod pq\pmod\qmod. Still, the CRT method is indeed noticeably faster in practice.

Remember, in order to take advantage of the CRT speedup, you must know p\pmod and q\qmod. In RSA-KEM (construction 15.3.2), for example, only the private key holder will know this factorization. Thus, decapsulation can be sped up, but encapsulation cannot.

Exercises

  1. Using induction, prove that the extended Euclidean algorithm correctly returns (d,s,t)(d,s,t) such that gcd(X,Y)=d=sX+dY\gcd(X,Y) = d = sX + dY. You can use the fact that the standard Euclidean algorithm correctly computes the GCD.

  2. Euclid's GCD algorithm involves modular reductions X%YX \pct Y. Below is a variant called the binary GCD algorithm that avoids them:

    bgcd(X,Y)\subname{bgcd}(X,Y):
    if Y=0Y=0: return XX
    if XX is even and YY is even: return 2bgcd(X/2,Y/2)2 \cdot \subname{bgcd}(X/2, Y/2)
    if XX is even and YY is odd: return bgcd(X/2,Y)\subname{bgcd}(X/2,Y)
    if XX is odd and YY is even: return bgcd(X,Y/2)\subname{bgcd}(X,Y/2)
    if XX is odd and YY is odd: return bgcd(X,YX)\subname{bgcd}(X, Y-X)

    Augment this algorithm to also compute Bezout coefficients, and use induction to prove its correctness. Your modified algorithm should return (d,s,t)(d,s,t) such that d=gcd(X,Y)=sX+tYd = \gcd(X,Y) = sX + tY.

  3. Prove that if gan1g^a \equiv_\nmod 1 and gbn1g^b \equiv_\nmod 1 then ggcd(a,b)n1g^{\gcd(a,b)} \equiv_\nmod 1.

  4. You have a jug that can hold exactly AA liters, and another jug that can hold exactly BB liters. AA and BB are integers, and the jugs are labeled with their capacities. You also have two swimming pools with infinite capacity: One is empty and the other is full. Describe how to put exactly gcd(A,B)\gcd(A,B) liters of water into the empty pool.

  5. Find a formula for ϕ(pk)\phi(\pmod^k) where p\pmod is a prime.

  6. As a function of n\nmod, how many fractions a/ba/b in lowest terms are there, where 0<a/b<10 < a/b < 1 and bnb \le \nmod? For example, the answer for n=5\nmod=5 is 9, corresponding to the following fractions:

    15,14,13,25,12,35,23,34,45. \frac15, \frac14, \frac13, \frac25, \frac12, \frac35, \frac23, \frac34, \frac45.
  7. h Suppose n\nmod is an integer such that Zn\Z^*_\nmod is a cyclic group. Prove that Zn\Z^*_\nmod has exactly ϕ(ϕ(n))\phi(\phi(\nmod)) generators.

    Fix one generator gg, and prove that gag^a is also a generator if and only if aZϕ(n)a \in \Z^*_{\phi(\nmod)}.

  8. An ee-th root of XX mod n\nmod is a value RR such that RenXR^e \equiv_\nmod X. Suppose you know an aa-th root of XX and a bb-th root of XX, where gcd(a,b)=1\gcd(a,b)=1.

    1. Explain how you can compute an abab-th root of XX.

    2. Find the 427th root of XX mod n\nmod:

    n=3529989702930195629837009938006115078412418112416496826209336627007785798371354161537610954925266878624256967940099671370545330372624851667963106134013952353285024059460266308121063631688798419320109443074482643642387689894031811306984721157101102112383731318101907304584195929712979594815857713411733X=8890185195439274790973625657790688346599897717202670138670181493339334955276770493313535607178684740639618155319307194412377896758857413150966608657494373895251377597154999757086732953145699800209223817786901464636162465854377931581891001544539749219123794997019236523095450857828849160054362408377837th root of X=216917406623650384587543207101083935661359676706011676973077208944905115609501411521355323871890318017197379309360100500749132801904726369399771210032810511308431985742320641832664553738680572297514327378276755730330343785173650761376482510098756809439901126105908152519462554911920276576464975670758761st root of X=2828794670179084993266033755315338950066620307508352572766758892602982204835141232834843070815203542188387418055437464055168991761620966394079143233909356293523508717678281283608998199908043284537107503687626649723751604756530884329600883958305046615870295996132009177082547360022487017331837376643048\begin{aligned} \nmod &= \longnum{3529989702930195629837009938006115078412418112416496826209336627007785798371354161537610954925266878624256967940099671370545330372624851667963106134013952353285024059460266308121063631688798419320109443074482643642387689894031811306984721157101102112383731318101907304584195929712979594815857713411733} \\ X &= \longnum{889018519543927479097362565779068834659989771720267013867018149333933495527677049331353560717868474063961815531930719441237789675885741315096660865749437389525137759715499975708673295314569980020922381778690146463616246585437793158189100154453974921912379499701923652309545085782884916005436240837783} \\ \text{7th root of } X &= \longnum{2169174066236503845875432071010839356613596767060116769730772089449051156095014115213553238718903180171973793093601005007491328019047263693997712100328105113084319857423206418326645537386805722975143273782767557303303437851736507613764825100987568094399011261059081525194625549119202765764649756707587} \\ \text{61st root of } X &= \longnum{2828794670179084993266033755315338950066620307508352572766758892602982204835141232834843070815203542188387418055437464055168991761620966394079143233909356293523508717678281283608998199908043284537107503687626649723751604756530884329600883958305046615870295996132009177082547360022487017331837376643048}\end{aligned}
  9. True or false (prove or disprove): If X2n1X^2 \equiv_\nmod 1 then XZnX \in \Z_\nmod^*.

  10. Let n\nmod be an RSA modulus.

    1. Suppose you are given integers X,YX, Y such that X2nY2X^2 \equiv_\nmod Y^2 but X̸n±YX \not\equiv_\nmod \pm Y. Show how to easily factor n\nmod.

    2. Factor n\nmod below:

      n=5654762149685703354214693790848031657029658489174195095045308201171689244196382582693706951357995049006563040502366709138881656445631366795989012256182108569696793495347122425942615655071824204668643956490221216375437564525811249968746811896772606187045241925267058898354751028926702272628497786711523X=3580978208095998360659158965217310337620161478555975541101429421391816908728748749836340003033464866459980530061292884027697340913699570449072079862023912325165250698494363120775497939325143231400443629383563412067001065144016339332838870762061630265368146471427565774014995981435733156376738708930Y=28559790939461549743990406025231168349469120861042991216761797196853816843035360892647550121750966921890117551993466387033365039377265816392316616052346915640086645278964479178653154301009174051109632449970687601282569979655593959247505832952745931531151902384563552297126774532544521663924927782216\begin{aligned} \nmod &= \longnum{5654762149685703354214693790848031657029658489174195095045308201171689244196382582693706951357995049006563040502366709138881656445631366795989012256182108569696793495347122425942615655071824204668643956490221216375437564525811249968746811896772606187045241925267058898354751028926702272628497786711523} \\ X &= \longnum{3580978208095998360659158965217310337620161478555975541101429421391816908728748749836340003033464866459980530061292884027697340913699570449072079862023912325165250698494363120775497939325143231400443629383563412067001065144016339332838870762061630265368146471427565774014995981435733156376738708930} \\ Y &= \longnum{28559790939461549743990406025231168349469120861042991216761797196853816843035360892647550121750966921890117551993466387033365039377265816392316616052346915640086645278964479178653154301009174051109632449970687601282569979655593959247505832952745931531151902384563552297126774532544521663924927782216}\end{aligned}
  11. h Compute the following:

    • What is the last digit of 7123457^{12345}?

    • What is 227654321%232^{2^{7654321}} \pct 23?

    • What is 2227654321%472^{2^{2^{7654321}}} \pct 47?

    The last digit of XX is X%10X \pct 10.

  12. Provide the missing RSA parameters:

    p=2508155518612074411603483456053649492488128985989731823725285662913699958052730556491454817701843193235338530836280820397638580621580235357783239815254789q=???n=19780696365941038115808653814673581857568952327247226929990191572804292421135237238851869823521485898243284297974668758633421942655172386349407895354658437244009007312769136626560794840725353484955232772081654611792212477376066620814539486454983549904691798818130805033095638478772213822148316899475916866257e=65537d=???X=???Xe=18408592046547703375756701318112875027982329348260670087800300490698116060116543310952149339594433836470057966708020426387564225898802947405602885979947192219631365547861906826876402264886245542542447315050523282544713007050303049540775190384755815453703370619461544416372853881371966527791821549427879560631\begin{aligned} \pmod &= \longnum{2508155518612074411603483456053649492488128985989731823725285662913699958052730556491454817701843193235338530836280820397638580621580235357783239815254789} \\ \qmod &= \longnum{???} \\ \nmod &= \longnum{19780696365941038115808653814673581857568952327247226929990191572804292421135237238851869823521485898243284297974668758633421942655172386349407895354658437244009007312769136626560794840725353484955232772081654611792212477376066620814539486454983549904691798818130805033095638478772213822148316899475916866257} \\ e &= \longnum{65537} \\ d &= \longnum{???} \\ X &= \longnum{???} \\ X^e &= \longnum{18408592046547703375756701318112875027982329348260670087800300490698116060116543310952149339594433836470057966708020426387564225898802947405602885979947192219631365547861906826876402264886245542542447315050523282544713007050303049540775190384755815453703370619461544416372853881371966527791821549427879560631}\end{aligned}
  13. Why must the RSA exponents ee and dd always be odd?

  14. Why must p\pmod and q\qmod be distinct primes in RSA key generation? Why is it a bad idea to let p=q\pmod=\qmod?

  15. h Let n\nmod be an RSA modulus (product of distinct primes).

    1. Show that if you know n\nmod and ϕ(n)\phi(\nmod), then you can easily factor n\nmod.

    2. Factor the following number n\nmod:

      n=7927903415944936893588926763257010951562575183247774861367794801073233465922131018985321427787108175649840345485926879427445468578502246636114687852132041280655902666516260662516557830442228724702236120120527414726759176225329927782428088467364112170494813909836389383578652518325688048789844550683089ϕ(n)=7927903415944936893588926763257010951562575183247774861367794801073233465922131018985321427787108175649840345485926879427445468578502246636114687852126398436485259034841337888771241319431218512411726521588987966248136988004824546343685449003768609489343983835425185252299788706733893727226165143878500\begin{aligned} \nmod &= \longnum{7927903415944936893588926763257010951562575183247774861367794801073233465922131018985321427787108175649840345485926879427445468578502246636114687852132041280655902666516260662516557830442228724702236120120527414726759176225329927782428088467364112170494813909836389383578652518325688048789844550683089}\\ \phi(\nmod) &= \longnum{7927903415944936893588926763257010951562575183247774861367794801073233465922131018985321427787108175649840345485926879427445468578502246636114687852126398436485259034841337888771241319431218512411726521588987966248136988004824546343685449003768609489343983835425185252299788706733893727226165143878500}\end{aligned}

    There are two unknowns, p\pmod and q\qmod; each of n\nmod and ϕ(n)\phi(\nmod) give you one equation on those unknowns.

  16. h It's unwise to choose RSA primes p\pmod and q\qmod too close.

    1. Let n=pq\nmod = \pmod\qmod be an RSA modulus. Show that if you know δ=pq\delta = |\pmod-\qmod| then you can easily factor n\nmod.

    2. Factor the following number n\nmod, whose factors are too close together.

      n=222411814771269308827925512286318744055323682722912332852543706394589455527980618133528085951421013581679876758661948320578072381194530067735588426797943666875381066783263890133417095098180501268061546468664335659433927300108695187488992795843450761559627026755300386022159004496474996644842429948807\begin{aligned} \nmod = \longnum{222411814771269308827925512286318744055323682722912332852543706394589455527980618133528085951421013581679876758661948320578072381194530067735588426797943666875381066783263890133417095098180501268061546468664335659433927300108695187488992795843450761559627026755300386022159004496474996644842429948807}\end{aligned}

    There are two unknowns, p\pmod and q\qmod; each of n\nmod and δ\delta give you one equation on those unknowns.

  17. Continuing the theme of the previous problem, let n=pq\nmod=\pmod\qmod be an RSA modulus.

    1. Define the value t=(p+q)/2t = (\pmod+\qmod)/2. Note that when p\pmod and q\qmod are close, TT is not much larger than n\sqrt{\nmod}. Show that t2nt^2 - \nmod is a perfect square, and show how to efficiently factor n\nmod if you are given tt.

    2. Factor the following number n\nmod, whose factors are too close together. You may find Sage's is_square function useful.

      n=7813061858079685590220707750205644391045060422286896240625920430554886629534646829765557148132519988891972365860880312260351263459139332908185459745419812323708477546241889242960051897350686420104041122458840446021423628488635011059054138158312275066147565788230943202082756277867898949394745428918743\begin{aligned} \nmod = \longnum{7813061858079685590220707750205644391045060422286896240625920430554886629534646829765557148132519988891972365860880312260351263459139332908185459745419812323708477546241889242960051897350686420104041122458840446021423628488635011059054138158312275066147565788230943202082756277867898949394745428918743}\end{aligned}
    3. How long did it take you to factor n\nmod using this method? How long would it have taken using the method from exercise 15.16?

  18. Formalize the attack against textbook RSA encryption, showing that it is not a CPA-secure PKE.

  19. h Bob and Charlie are such good friends that their RSA public keys have the same n\nmod value, although they have different ee-values. Bob's public key is (n,e1)(\nmod,e_1) and Charlie's is (n,e2)(\nmod,e_2). Furthermore, gcd(e1,e2)=1\gcd(e_1,e_2) = 1.

    Alice encrypts the same plaintext M\ptxt for both Bob and Charlie using textbook RSA encryption, resulting in C1=Me1%n\ctxt_1 = \ptxt^{e_1} \pct \nmod and C2=Me2%n\ctxt_2 = \ptxt^{e_2} \pct \nmod. Explain how to efficiently recover M\ptxt, given C1,C2\ctxt_1, \ctxt_2, and the two public keys.

    Think about Bezout's theorem with respect to e1e_1 and e2e_2.

  20. Consider the following PKE scheme:

    Enc((n,e),M)\Enc\bigl( (\nmod,e), \ptxt \bigr):
    rZnr \gets \Z_\nmod
    C1:=Mr+e%n\ctxt_1 := \ptxt^{r+e} \pct \nmod
    C2:=Mre%n\ctxt_2 := \ptxt^{re} \pct \nmod
    return (C1,C2)(\ctxt_1, \ctxt_2)
    KeyGen=RSA.KeyGen\KeyGen = \RSA.\KeyGen
    Dec((n,d),(C1,C2))\Dec\bigl( (\nmod,d), (\ctxt_1, \ctxt_2) \bigr):
    M:=(C1)d(C2)d2%n\ptxt := (\ctxt_1)^d \cdot (\ctxt_2)^{-d^2} \pct \nmod
    return M\ptxt
    1. Show that the scheme satisfies correctness (decryption is the inverse of encryption).

    2. Show that the scheme is not CPA-secure.

  21. Below is an attempt to build a PKE from RSA, using CBC mode:

    Enc((n,e),M1M)\Enc\bigl( (\nmod,e), \ptxt_1 \| \cdots \| \ptxt_\ell \bigr):
    // each Mi\ptxt_i is λ\secpar bits.
    C0Zn\ctxt_0 \gets \Z_\nmod
    for i=1i = 1 to \ell:
    Ci=(Ci1+Mi)e%n\ctxt_i = (\ctxt_{i-1} + \ptxt_i)^e \pct \nmod
    return C0C\ctxt_0 \| \cdots \| \ctxt_\ell
    KeyGen=RSA.KeyGen\KeyGen = \RSA.\KeyGen
    Dec((n,d),C0C)\Dec\bigl( (\nmod,d), \ctxt_0 \| \cdots \| \ctxt_\ell \bigr):
    for i=1i = 1 to \ell:
    Mi=(Ci)dCi1%n\ptxt_i = (\ctxt_i)^d - \ctxt_{i-1} \pct \nmod
    return M1M\ptxt_1 \| \cdots \| \ptxt_\ell

    Show that the scheme is not a CPA-secure PKE.

  22. h Consider the following symmetric-key encryption scheme. The key K\key is a large integer. To encrypt a plaintext M\ptxt, first “pad” it into a prime number as follows: Append λ\secpar uniformly chosen bits to M\ptxt until the result is the binary representation of a prime number. After the plaintext has been converted to a prime number in this way, encrypt by multiplying with the private key. The idea is that recovering the private key should be as hard as factoring.

    Despite this intuition, show that the scheme is not CPA-secure.

    K={n-bit primes}M={0,1}nC={0,1}2n+λ\begin{aligned} \K &= \{ n\text{-bit primes} \} \\ \M &= \bits^n \\ \C &= \bits^{2n+\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    do:
    R{0,1}λR \gets \bits^\secpar
    X:=MRX := \ptxt \| R
    until XX is binary encoding of a prime number
    return KX\key \cdot X // integer multiplication
    Dec(K,C)\Dec(\key,\ctxt):
    X:=C/KX := \ctxt / \key
    return first nn bits of XX

    Request any two ciphertexts.

  23. Generalize the Chinese Remainder Theorem to more than two moduli. Suppose n1,,nk\nmod_1, \ldots, \nmod_k are relatively prime, so for all iji \ne j we have gcd(ni,nj)=1\gcd(\nmod_i,\nmod_j) = 1. For any collection of integers UiZniU_i \in \Z_{\nmod_i}, describe how to compute an integer XX such that XniUiX \equiv_{\nmod_i} U_i for all ii.

  24. h Consider a rectangular grid of points, with width ww and height hh. Starting in the lower-left of the grid, start walking diagonally northeast. When you fall off end the grid, wrap around to the opposite side (i.e., Pac-Man topology). Below is an example of the first few steps you take on a grid with w=3w=3 and h=5h=5:

    Show that if gcd(w,h)=1\gcd(w,h) = 1, then you will eventually visit every point in the grid.

    What is the formula for your position after nn steps?

  25. h Let n\nmod be an RSA modulus and e,de,d be appropriate RSA exponents. The proof of claim 15.2.3 showed that Xedn1X^{ed} \equiv_\nmod 1 for all XZnX \in \Z_\nmod^*. Complete the proof by showing that the same is true for all XZnX \in \Z_\nmod, not just those in Zn\Z_\nmod^*.

    Use CRT.

  26. h Let n=pq\nmod=\pmod\qmod be an RSA modulus. Usually we choose the exponents ee and dd to satisfy edϕ(n)1ed \equiv_{\phi(\nmod)} 1.

    Define the value L=lcm(p1,q1)L = \text{lcm}(\pmod-1,\qmod-1), and show that RSA still works—that is, exponentiation by ee and exponentiation by dd are inverses mod n\nmod—if the exponents are chosen to satisfy edL1ed \hl{\equiv_L} 1.

    Use CRT.

  27. Suppose XZrsX \in \Z_{rs} is the solution to

    XrU,XsV.\begin{aligned} X &\equiv_r U, \\ X &\equiv_s V.\end{aligned}

    Prove that XZrsX \in \Z_{rs}^* if and only if UZrU \in \Z_r^* and VZsV \in \Z_s^*. As a result of this fact, it must be the case that ϕ(rs)=ϕ(r)ϕ(s)\phi(rs) = \phi(r) \phi(s), whenever gcd(r,s)=1\gcd(r,s)=1.

  28. h Let n\nmod be an RSA modulus and ee be a suitable RSA exponent. In this exercise we consider values XZnX \in \Z_\nmod that satisfy X2n1X^2 \equiv_\nmod 1.

    1. X=1X = 1 and X=1X = -1 (by which we mean X=n1X=\nmod-1) satisfy the equation. But there are two other nontrivial solutions; show how to compute them if you know the factorization of n\nmod.

    2. Explain how you can easily factor n\nmod if you are given either of the two nontrivial solutions.

    Use CRT.

  29. Suppose G\G is a cyclic group of composite order n=pq\nmod = \pmod\qmod, with generator gg. Every element of G\G can be written as a power of gg, and arithmetic in the exponent happens mod n\nmod.

    1. Prove that for any XGX \in \G, there exist integers aa and bb such that X=gap+bqX = g^{a\pmod + b\qmod}.

    2. Prove that there is an exponent cc such that, for all aa and bb, we have (gap+bq)c=gap(g^{a\pmod + b\qmod})^c = g^{a\pmod}. In other words, for all XGX \in \G, we know that XcX^c is always in the order-q\qmod subgroup (generated by gpg^\pmod), and if XX was already in the order-q\qmod subgroup (the case of b=0b=0 above), then Xc=XX^c = X.

Chapter Notes

RSA was introduced by Rivest, Shamir, and Adelman in 1978 [189]. In this landmark paper, they described basic public-key encryption and digital signature methods; these are the “textbook” RSA encryption and signature methods. The textbook constructions pre-date our modern approach to provable security, so they can be forgiven for not satisfying today's standard security definitions. Still, the basic RSA mechanism is valuable, and only minor modifications are needed to promote the textbook constructions into properly secure ones (construction 15.3.2 and construction 16.2.2). Over four years before the publication of the RSA paper, Clifford Cocks independently developed RSA encryption while working for British GCHQ [67]. His independent discovery of RSA remained classified until 1997.

The recommendations for RSA modulus size are from the National Institute of Standards and Technologies (NIST), the US government entity that standardizes cryptographic algorithms [9].

The attack on small values of dd is due to Wiener [217]. Boneh has written an accessible and comprehensive survey of attacks on RSA [50].

RSA-KEM (construction 15.3.2) is due to Shoup [205], who proves its security in the random oracle model and credits an earlier scheme of Bellare and Rogaway [26] as its inspiration. The construction in exercise 15.20 was proposed by Geng, Li, and Zhou [108].

  1. Previous Chapter14. Public-Key Encryption
  2. Next Chapter16. Digital Signatures