RSA
In 1978, Rivest, Shamir, and Adelman introduced some of the first techniques for public-key cryptography, based on the computational difficulty of factoring large numbers. There is no known efficient algorithm for factoring huge numbers (at least, not on classical computers). Along with the Diffie-Hellman-based techniques that we have already seen, RSA techniques are some of the most commonly used throughout cryptography.
15.1. Arithmetic modulo a composite
Earlier in section 3.4 we discussed the idea of multiplicative inverses. We say that is a multiplicative inverse of mod if . We also saw that when is prime, all numbers in have a multiplicative inverse mod .
When is not a prime, not all numbers have multiplicative inverses mod . But there is an easy way to characterize the numbers that do:
denotes the greatest common divisor of and . See section A.3 for a review.
has a multiplicative inverse mod if and only if . When , we say that and are relatively prime.
The proof of this theorem uses a fact from number theory called Bezout's theorem, which we will not prove.
For all integers , there exist integers , called Bezout coefficients, such that
Furthermore, is the smallest positive integer that can be written as a linear combination of and with integer coefficients (an integer linear combination).
Now the proof of theorem 15.1.1:
() Suppose has a multiplicative inverse mod . Then , or in other words, is a multiple of . Take such that , and rearrange to obtain:
Since we can write 1 as an integer linear combination of and , by Bezout's theorem we must have .
() Suppose ; then by Bezout's theorem we can write . Reducing this equation mod gives:
Thus the Bezout coefficient is a multiplicative inverse of mod .
Which numbers have multiplicative inverses mod 15? They are the numbers from that have no factor in common with 15: .
Which numbers have multiplicative inverses mod 16? They are the numbers from that have no factor in common with 16. In this case, these are exactly the odd numbers .
When is prime, every number from is relatively prime to , and thus has a multiplicative inverse mod . This matches what was shown previously in claim 3.4.4.
15.1.1. Computing inverses
Suppose you want to compute the multiplicative inverse of mod . You will probably first compute to ensure that the inverse of indeed exists. GCDs can be computed using Euclid's algorithm (section A.3). By making a small modification to this algorithm, we can also compute the corresponding Bezout coefficients—and hence, the multiplicative inverse—along the way.
To compute the multiplicative inverse of mod , first run . If , then is the multiplicative inverse of ; otherwise, has no multiplicative inverse.
Sage implements the extended Euclidean algorithm as xgcd:
15.1.2. Algebraic properties
Previously, in definition 13.1.3, we defined multiplicative groups for prime moduli . We now extend the definition to composite moduli as well.
The multiplicative group mod , called , is defined as
The Euler totient of , written , is defined to be the cardinality of (equivalently, the order of the multiplicative group). “” is the Greek letter phi.
It is convenient to have formulas for , for different kinds of . It is easy to see that when is prime, . RSA-based cryptography uses which is the product of two distinct primes :
If and are distinct primes, then .
Let and imagine constructing by first writing down all of and then crossing out all the elements that share a common factor with ; these are precisely the multiples of and multiples of .
-
There are multiples of : .
-
There are multiples of : .
It looks like there are numbers to cross out; however, 0 appears on both lists so is double-counted. No other item appears on both lists, because the least common multiple of and is , since and are relatively prime.
Overall, we start with elements, and cross out of them, leaving
elements remaining in .
You might wonder about the significance of the totient function . Why is it so important to know the number of elements in ? The answer is the following useful theorem, usually called Euler's theorem (as if that would narrow things down), which we will not prove here:
If , then .
15.2. The RSA function and RSA assumption
Another way to think about Euler's theorem is the following:
For all and all positive integers ,
In other words, if you need to know the value of some expression mod , you can reduce numbers that appear in the exponent mod .
The number is more than a multiple of . So we can write
where is an integer. Then by the usual rules of exponents, we have:
The next-to-last step uses Euler's theorem.
Euler's theorem motivates the following RSA functions:
Let be the product of two distinct primes , and let and satisfy . The RSA functions are:
The RSA functions are inverses on .
Composing the two RSA functions gives the new function . If , then claim 15.2.1 applies, and we have:
So the two functions compose to give the identity function .
What about the case of ? Section 15.4 introduces new number-theoretic tools that can help prove the claim for such elements as well. You are asked to complete the proof in exercise 15.25.
Here is a toy example implemented in Sage. These numbers are far too small to offer any reasonable security; see below.
First, we generate 64-bit primes and and compute and :
Next, we choose exponents and . They must be multiplicative inverses mod , so we must ensure they are chosen relatively prime to :
Finally, we can use an example to check that raising to the power and to the power are inverses:
15.2.1. Security and th roots
Suppose , , and have the relationship described above: is the product of two distinct primes and are multiplicative inverses mod . The main idea behind RSA is that if you know and (but not ), then you can efficiently compute the function , but there is no known efficient method to invert it.
Sometimes we refer to the act of inverting as computing -th roots mod .
Formalizing this intuition starts with specifying how the relevant values , , and are chosen:
We formalize the idea that “computing -th roots mod is hard” using the following definition:
The RSA assumption is that the following two libraries are indistinguishable:
The value is called the RSA challenge, and the two libraries have different behavior only in the event that the adversary calls with an -th root of the challenge. If the two libraries are indistinguishable, then no efficient adversary can compute -th roots with better than negligible probability, given only the information available to it: , , and .
What is the connection between RSA and factoring?
If an adversary can factor , then it can easily compute .
If it knows , then it can compute the multiplicative inverse of mod .
If it knows , then it can compute -th roots mod , via .
Thus, factoring is the most natural approach to breaking the RSA assumption. If factoring is easy, then breaking RSA is easy too. To date, there is no known polynomial-time factoring algorithm (at least not on classical computers; see section 20.1).
How big should be?
The best known method to break the RSA assumption is the obvious one: Simply factor the modulus.
The best known factoring algorithms are not polynomial-time but still considerably faster than brute force.
The following table shows, for a given target value , how large the modulus must be so that these factoring algorithms require effort:
| 128 | |
| 192 | |
| 256 |
These recommendations for modulus size are the same as those for the discrete logarithm problem. Most modern implementations of RSA produce a 3072-bit modulus by default.
How can you uniformly sample a prime of certain length in ?
There is no real shortcut; sample the bits of a number uniformly at random and test whether it is prime.
A famous result from number theory says that a fraction of -bit numbers are prime.
If it's easy to test whether a huge number is prime, can't you factor ?
State-of-the-art primality testing algorithms don't work by searching for a factor of ; instead, they look for other algebraic properties from number theory to distinguish between primes and composites.
These algorithms simply aren't trying to find an explicit factor of .
How exactly should exponents and be chosen?
Besides the fact that they must be multiplicative inverses mod , there are relatively few restrictions.
The cost of exponentiation depends on the number of bits in the exponent, so choosing a small exponent will speed up the corresponding exponentiation steps.
However, attacks on RSA are possible when is particularly small (less than ), so small values of should be avoided.
Small values of are generally safe for RSA-KEM (introduced next in section 15.3); however, extreme values like have some mild weaknesses.
Many implementations of RSA always choose .
15.3. Building a KEM from RSA
The RSA assumption gives us a function that anyone can compute but only someone with the secret information can invert. Doesn't this sound a lot like PKE? Can we use RSA for encryption, where encryption is and decryption is its inverse ?
Textbook RSA encryption is defined as follows:
This section of the book includes some slight abuses of notation, which I hope you will excuse. In textbook RSA (and RSA-KEM below), the sets (possible plaintexts) and (possible ciphertexts) are not fixed parameters of the scheme but depend on a particular user's modulus . A completely precise treatment would define syntax and security with respect to and : the set of plaintexts/ciphertexts possible under a particular public key .
Textbook RSA encryption is not secure! The main reason is quite obvious: It's deterministic! An adversary who has a guess of the plaintext value can check whether that guess is true, by re-encrypting it. So, NEVER use textbook RSA for encryption.
However, there is a simple modification to textbook RSA that results in a secure KEM: Simply hash the plaintext under a random oracle. The resulting construction even achieves CCA security!
Let be a hash function with output bits, which we will model as a random oracle. RSA-KEM is defined as follows:
Construction 15.3.2 is a CCA-secure KEM in the random oracle model, if the RSA assumption is true. From claim 14.2.2, it is enough to prove security for a single encryption. In other words,
The proof contains two important conceptual steps. The first is to follow the usual strategy for proofs in the random oracle model: Argue that the adversary cannot directly call on the same inputs as the construction. Specifically, suppose the adversary calls on the -th root of the challenge ciphertext . In one library the result will be , but in the other it will be independent of . We can use the RSA assumption to argue that, given a uniformly chosen , it is hard to compute the -th root of , and thus it is hard to call the random oracle on this input.
However, there is a caveat: To use the RSA assumption in a proof, we must reach a hybrid that does not use the secret exponent anywhere; the libraries from the RSA assumption do not provide to the calling program. Thus, one of the most important parts of the proof is to modify the subroutine to operate without .
The only place is used is when calling , which in turn accesses the random oracle's internal lazy random dictionary at position . The clever trick in the proof is to imagine renaming every expression to . Thus, when the random oracle is called on input , its implementation accesses . Importantly, when the decapsulation algorithm needs to access , it can instead access . Renaming terms in this way does not affect the library's behavior but allows to operate without the secret exponent .
15.4. ☆ Chinese remainder theorem
In RSA-based cryptography, one user knows the factorization of the modulus. This section introduces a technique that allows for faster modular arithmetic when the factors of the modulus are known.
History. In the Sunzi Suanjing, written some time around the fourth century ce, the Chinese mathematician Sunzi posed an interesting puzzle involving remainders:
We have a number of things, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many things are there?
Sunzi's puzzle is the first known instance of a system of simultaneous equations involving modular arithmetic: In our notation, he is asking us to solve for in the following system of congruences:
We can solve such systems of equations using what is called (in the West) the Chinese remainder theorem (CRT). Below is one of the simpler formations of the CRT, involving only two moduli (unlike the example above, which involves three moduli):
Suppose , not necessarily primes but merely relatively prime. Then for all integers , there is a solution for in the following system of equations:
Furthermore, this solution is unique modulo .
Since , we have by Bezout's theorem that for some integers and . If we reduce the this equation mod , we see that is the multiplicative inverse of mod . Now set . Then,
So , as desired. Similar reasoning mod shows that as well. Thus, is a desired solution to both equations.
Now we argue that this solution is unique modulo . Suppose and are two solutions, so we have:
Since and , it must be that is a multiple of and a multiple of . Any number that is a multiple of and of is also a multiple of their least common multiple, which is since and are relatively prime. Thus, is a multiple of . Hence, ; that is, all solutions to this system of equations are congruent mod .
Sage implements the crt function to solve for in these kinds of systems of equations. Suppose we want to solve for :
In Sage, the solution can be found as follows:
We can check the solution:
15.4.1. Using CRT for modular arithmetic
Another way to think about the Chinese remainder theorem is:
If you know mod , and you also know mod , then you can efficiently determine mod .
This observation leads to a different approach for doing arithmetic mod :
Suppose and are relatively prime, and you want to know the value of some complicated expression mod . One method to compute its value is:
-
Evaluate the expression mod .
-
Evaluate the expression mod .
-
Apply the CRT to these two results to solve for the answer mod .
Let's start with a simple example. We want to know the value of mod 15. To compute it using the CRT recipe:
-
Evaluate the expression mod 3: .
-
Evaluate the expression mod 5: .
-
Use the CRT to solve for that satisfies and . The result is 10.
You can compare the CRT “addition recipe” to the normal approach with the following sage code:
The same recipe works for multiplication too. Let's compute mod 15, using the CRT recipe:
-
Evaluate the expression mod 3: .
-
Evaluate the expression mod 5: .
-
Use the CRT to solve for that satisfies and . The result is 6.
The result matches what you would obtain in the usual way, as .
15.4.2. Applications to RSA
You may have gotten the impression that the “CRT recipe” for modular arithmetic is convoluted and wasteful. That's true when we're evaluating simple expressions like addition and multiplication, as in our examples. But remember, RSA-based cryptography involves modular exponentiations with huge exponents. The CRT method is significantly faster for these exponentiations.
In Sage, the usual way to compute an exponentiation like is:
If we know the factorization of the modulus, we can use the CRT recipe. That is, we can compute and (separately) and use CRT to solve for the answer mod .
We need to use the lift method, because the crt function expects integers and not Mod-objects.
Both of these methods will compute the same answer, and we can measure them to see which is faster on large inputs. Below is a test from my laptop using a 3072-bit RSA modulus, so and are each 1536 bits.
The CRT method is almost twice as fast (3ms vs 6ms).
To understand why the CRT method is faster, it's enough to know that the cost of standard modular exponentiation over a -bit modulus is . For simplicity, let's pretend that exponentiation takes exactly steps.
With the CRT method, we perform an exponentiation mod and another mod . But and are each only bits long. So the overall cost is . By this rough analysis, it is four times faster than the standard method. In reality, there are other costs slowing down the CRT method, which this analysis doesn't account for, like the cost of solving for the answer mod . Still, the CRT method is indeed noticeably faster in practice.
Remember, in order to take advantage of the CRT speedup, you must know and . In RSA-KEM (construction 15.3.2), for example, only the private key holder will know this factorization. Thus, decapsulation can be sped up, but encapsulation cannot.
Exercises
-
Using induction, prove that the extended Euclidean algorithm correctly returns such that . You can use the fact that the standard Euclidean algorithm correctly computes the GCD.
-
Euclid's GCD algorithm involves modular reductions . Below is a variant called the binary GCD algorithm that avoids them:
Augment this algorithm to also compute Bezout coefficients, and use induction to prove its correctness. Your modified algorithm should return such that .
-
Prove that if and then .
-
You have a jug that can hold exactly liters, and another jug that can hold exactly liters. and are integers, and the jugs are labeled with their capacities. You also have two swimming pools with infinite capacity: One is empty and the other is full. Describe how to put exactly liters of water into the empty pool.
-
Find a formula for where is a prime.
-
As a function of , how many fractions in lowest terms are there, where and ? For example, the answer for is 9, corresponding to the following fractions:
-
h Suppose is an integer such that is a cyclic group. Prove that has exactly generators.
Fix one generator , and prove that is also a generator if and only if .
-
An -th root of mod is a value such that . Suppose you know an -th root of and a -th root of , where .
-
Explain how you can compute an -th root of .
-
Find the 427th root of mod :
-
-
True or false (prove or disprove): If then .
-
Let be an RSA modulus.
-
Suppose you are given integers such that but . Show how to easily factor .
-
Factor below:
-
-
h Compute the following:
-
What is the last digit of ?
-
What is ?
-
What is ?
The last digit of is .
-
-
Provide the missing RSA parameters:
-
Why must the RSA exponents and always be odd?
-
Why must and be distinct primes in RSA key generation? Why is it a bad idea to let ?
-
h Let be an RSA modulus (product of distinct primes).
-
Show that if you know and , then you can easily factor .
-
Factor the following number :
There are two unknowns, and ; each of and give you one equation on those unknowns.
-
-
h It's unwise to choose RSA primes and too close.
-
Let be an RSA modulus. Show that if you know then you can easily factor .
-
Factor the following number , whose factors are too close together.
There are two unknowns, and ; each of and give you one equation on those unknowns.
-
-
Continuing the theme of the previous problem, let be an RSA modulus.
-
Define the value . Note that when and are close, is not much larger than . Show that is a perfect square, and show how to efficiently factor if you are given .
-
Factor the following number , whose factors are too close together. You may find Sage's is_square function useful.
-
How long did it take you to factor using this method? How long would it have taken using the method from exercise 15.16?
-
-
Formalize the attack against textbook RSA encryption, showing that it is not a CPA-secure PKE.
-
h Bob and Charlie are such good friends that their RSA public keys have the same value, although they have different -values. Bob's public key is and Charlie's is . Furthermore, .
Alice encrypts the same plaintext for both Bob and Charlie using textbook RSA encryption, resulting in and . Explain how to efficiently recover , given , and the two public keys.
Think about Bezout's theorem with respect to and .
-
Consider the following PKE scheme:
-
Show that the scheme satisfies correctness (decryption is the inverse of encryption).
-
Show that the scheme is not CPA-secure.
-
-
Below is an attempt to build a PKE from RSA, using CBC mode:
Show that the scheme is not a CPA-secure PKE.
-
h Consider the following symmetric-key encryption scheme. The key is a large integer. To encrypt a plaintext , first “pad” it into a prime number as follows: Append uniformly chosen bits to until the result is the binary representation of a prime number. After the plaintext has been converted to a prime number in this way, encrypt by multiplying with the private key. The idea is that recovering the private key should be as hard as factoring.
Despite this intuition, show that the scheme is not CPA-secure.
Request any two ciphertexts.
-
Generalize the Chinese Remainder Theorem to more than two moduli. Suppose are relatively prime, so for all we have . For any collection of integers , describe how to compute an integer such that for all .
-
h Consider a rectangular grid of points, with width and height . Starting in the lower-left of the grid, start walking diagonally northeast. When you fall off end the grid, wrap around to the opposite side (i.e., Pac-Man topology). Below is an example of the first few steps you take on a grid with and :
Show that if , then you will eventually visit every point in the grid.
What is the formula for your position after steps?
-
h Let be an RSA modulus and be appropriate RSA exponents. The proof of claim 15.2.3 showed that for all . Complete the proof by showing that the same is true for all , not just those in .
Use CRT.
-
h Let be an RSA modulus. Usually we choose the exponents and to satisfy .
Define the value , and show that RSA still works—that is, exponentiation by and exponentiation by are inverses mod —if the exponents are chosen to satisfy .
Use CRT.
-
Suppose is the solution to
Prove that if and only if and . As a result of this fact, it must be the case that , whenever .
-
h Let be an RSA modulus and be a suitable RSA exponent. In this exercise we consider values that satisfy .
-
and (by which we mean ) satisfy the equation. But there are two other nontrivial solutions; show how to compute them if you know the factorization of .
-
Explain how you can easily factor if you are given either of the two nontrivial solutions.
Use CRT.
-
-
Suppose is a cyclic group of composite order , with generator . Every element of can be written as a power of , and arithmetic in the exponent happens mod .
-
Prove that for any , there exist integers and such that .
-
Prove that there is an exponent such that, for all and , we have . In other words, for all , we know that is always in the order- subgroup (generated by ), and if was already in the order- subgroup (the case of above), then .
-
Chapter Notes
RSA was introduced by Rivest, Shamir, and Adelman in 1978 [189]. In this landmark paper, they described basic public-key encryption and digital signature methods; these are the “textbook” RSA encryption and signature methods. The textbook constructions pre-date our modern approach to provable security, so they can be forgiven for not satisfying today's standard security definitions. Still, the basic RSA mechanism is valuable, and only minor modifications are needed to promote the textbook constructions into properly secure ones (construction 15.3.2 and construction 16.2.2). Over four years before the publication of the RSA paper, Clifford Cocks independently developed RSA encryption while working for British GCHQ [67]. His independent discovery of RSA remained classified until 1997.
The recommendations for RSA modulus size are from the National Institute of Standards and Technologies (NIST), the US government entity that standardizes cryptographic algorithms [9].
The attack on small values of is due to Wiener [217]. Boneh has written an accessible and comprehensive survey of attacks on RSA [50].
RSA-KEM (construction 15.3.2) is due to Shoup [205], who proves its security in the random oracle model and credits an earlier scheme of Bellare and Rogaway [26] as its inspiration. The construction in exercise 15.20 was proposed by Geng, Li, and Zhou [108].