Erwin Janssen

RSA

By Erwin Janssen

RSA is a public-key encryption and signature system and makes use of large prime numbers. The asymmetry is based on the fact that computing a product is fast, but factoring takes much longer.

Operation

The RSA algorithm involves the steps key generation, encryption and decryption. It can also be used for cryptographic signatures.

Key generation

The first step to setup an RSA system, is to generate the public and the private key. This is done in the following way:

  1. Pick two distinct prime numbers pp and qq with bit-length λ\lambda.
  2. Compute n=pqn = p \cdot q, this will be part of both the public and the private key.
  3. Compute φ(n)=(p1)(q1)\varphi(n) = (p - 1)(q - 1), where φ\varphi is Euler’s totient function.
  4. Choose an interger ee such that 1<e<φ(n)1 < e < \varphi(n) and gcd(e,φ(n))=1\gcd(e, \varphi(n)) = 1 (this means that ee and φ(n)\varphi(n) must be coprime). This will be part of the public key.
  5. Compute dd as the modular inverse of ee, so de1(modφ(n))d \equiv e^{-1} \pmod{\varphi(n)}. For example by using Euler’s theorem. This will be part of the private key.
  6. This results in:
    • Public key: (e,n)(e, n)
    • Private key (d,n)(d, n)

Encryption

To encrypt a message mm, where 0m<n0 \le m < n, perform the following computation:

cme(modn) c \equiv m^e \pmod{n}

Where ee is the public key and cc is the resulting ciphertext.

Decryption

To decrypt ciphertext cc with the private key dd, perform the following computation:

cdm(modn) c^d \equiv m \pmod{n}

Signatures

To sign a message mm, compute the hash of mm and sign it with the private key dd:

s(H(m))d(modn) s \equiv \left( H(m) \right)^d \pmod{n}

To verify the signature ss for the message mm, use the public key to check that:

H(m)se(modn) H(m) \equiv s^e \pmod{n}

RSA is exceptional in the fact that signing is the inverse of the encryption.

Remarks

Don’t use this schoolbook version RSA in practice, it has too much mathematical structure which gives it certain vulnerabilities. An example is the fact that this version of RSA is homomorphic, so two ciphertexts can be concatenated into a valid single ciphertext.

(m1)e(m2)e=(m1m2)e (m_1)^e \cdot (m_2)^e = (m_1 \cdot m_2)^e

This can be used as an attack vector, so in practice some padding is used like Optimal Asymmetric Encryption Padding (OAEP).

Optimizations

For efficiency many popular crypto libraries use the following optimization for decryption and signing based on the Chinese remainder theorem. The following values are precomputed and stored as part of the private key:

  • The primes from the key generation pp and qq.
  • The value dpd(modp1)d_p \equiv d \pmod{p - 1}
  • The value dqd(modq1)d_q \equiv d \pmod{q - 1}
  • The inverse of one of the primes mod the other prime: up1(modq)u \equiv p^{-1} \pmod{q}

Instead of computing mcd(modpq)m \equiv c^d \pmod{p\cdot q}, the ciphertext cc can then by decryption by computing

mpcdp(modp)mqcdq(modq)mmp+pu(mqmp)(modpq) \begin{aligned} m_p &\equiv c^{d_p} \pmod{p} \\ m_q &\equiv c^{d_q} \pmod{q} \\ m &\equiv m_p + p \cdot u \cdot (m_q - m_p) \pmod {p \cdot q} \end{aligned}