CNS - 23 - Asymmetric Cryptography II

For us a string is a number \(m\). The value of the message \(m\) must be shorter than some other value \(N\). Notice that the function \(m^x \mod N\) is a periodic function. The following examples illustrate this:

• If \(N = 10 = 2 \cdot 5\) and \(m = 3\) the period is \(4\).

  \[3^x \mod 10 = \{3, 9, 7, 1, 3, 9, 7, 1, \ldots\}\]

• If \(N = 10\) and \(m = 7\) the period is still \(4\).

  \[7^x \mod 10 = \{7, 9, 3, 1, 7, 9, 3, 1, \ldots\}\]

• If \(N = 10\) and \(m = 9\) the period is instead \(2\)

  \[9^x \mod 10 = \{9, 1, 9, 1, 9, 1, \ldots\}\]

The maximum period of \(m^x \mod N\) can be computed using Euler Theorem (also known as Euler-Fermat Theorem, or Euler's Totient Theorem). It says that the maximum period of the function is the value of the Euler's Totient function \(\Phi(N)\). More formally, it says that if \(m\) is coprime with \(N\), i.e. if \(\text{GCD}(m, N) = 1\), then

\[m^{\Phi(N)} \mod N = 1\]

The RSA construction works as follows:

1. Generate two large primes \(p, q\) which must remain secret.

2. Compute RSA module \(N = p \cdot q\), which can be made public.

3. Compute \(\Phi(N) = (p-1)(q-1)\), which must remain secret.

4. Generate a public key \(1 < e < \Phi(N)\) such that \(e\) is coprime with \(\Phi(N)\).

5. Generate a private key \(d\) such that \(e \cdot d = 1 \mod \Phi(N)\).

The idea of RSA is to give you an exponent (public key) \(e\), such that given a message \(M\) we have that \((M^e)^d = M \mod N\).

As far as the encryption and decryption operations are concerned, we have the following

• The encryption operation is done as follows

  \[C = M^e \mod N\]

• The decryption operation is done as follows

  \[\begin{split} M &= C^d \mod N \\ &= (M^e)^d \mod N \\ &= M^{ed} \mod N \\ &= M^1 \mod N \\\ \end{split}\]

Typically both \(e\) and \(d\) should be choosen to be in the middle of the possible range from \((0, \Phi(N))\). The important thing is to have \(d\) large. If you choose your public key to be too small there are some crypto attacks which can leave you vulnerable.

The security of this construction relies on the fact that, given \(N\), it must be hard to find factors \(p\) and \(q\), and hence it is hard to find \(\Phi(N)\); finally, without \(\Phi(N)\), it is hard to compute \(d\) from \(e\).

In particular we have the following decryption challenge: given a public key \(N\), \(e\) and an encrypted message \(m^e\), computing the decryption key \(x\) such that \((m^e)^x = m \mod N\) is hard unless you know how to compute \(\Phi(N)\).

Consider the following primes \(p = 11, q = 17\). Then \(N = p \cdot q = 187\), and \(\Phi(N) = (p-1) \cdot (q-1) = 160\). Finally, consider the following public key \(e = 7\). From this we can compute the private key \(d\) such that \(e \cdot d = 1 \mod 160\), which is \(d = 23\).

If we now know want to encrypt we simply have to compute

\[C = M^7 \mod 187\]

while if we want to decrypt we have to compute

\[M = C^{23} \mod 187\]

Consider to have two coprime numbers, like \(51\) and \(11\). The idea is to find two numbers \(a, b\) such that

\[51 \cdot a + 11 \cdot b = 1\]

these numbers can be obtained using the following algorithm

\[\begin{array}{c | c | c | c} \text{a} & \text{b} & \text{val} & \text{rem}\\ \hline 1 & 0 & 51 & \\ 0 & 1 & 11 & \\ 1 = 1 - 4 \cdot 0 & -4 = 0 - 4 \cdot 1 & 7 = 51 - 4 \cdot 11 & 4 = \lfloor 51/11 \rfloor \\ -1 = 0 - 1 \cdot 1 & 5 = 1 - 1 \cdot (-4) & 4 = 11 - 1 \cdot 7 & 1 = \lfloor 11/7 \rfloor \\ 2 & -9 & 3 & 1 \\ -3 & 14 & 1 & \\ \end{array}\]

At the end when in the third row we have \(1\) we stop, and the find the following equation

\[51 \cdot (-3) + 11 \cdot (14) = 1\]

If we know \(\Phi(N)\) and the public key \(e\) to actually compute the private key we can use the extended euclidean algorithm, which we explained in the previous section.

The idea is to find \(a, b\) such that

\[\Phi(N) \cdot a + e \cdot b = 1\]

if that holds then we have

\[e \cdot b = 1 \mod \Phi(N)\]

and thus \(b\) is the inverse of \(e\) modulus \(\Phi(N)\). That is, \(b\) is the private key associated to the public key \(e\).

When using the RSA cryptosystem, if \(M\) is a message the RSA signature of \(M\) with respect to a pair of keys \((e, d)\) where \(e\) is the public key and \(d\) is the private key is the value \(H(M)^d \mod N\).

Thea idea is then to transfer the message \(M\) with the appended tag \(H(M)^d \mod N\).