RSA: attempt

• currently: we have public encryption key $e$
  • and private decryption key $d$
• $En{c}_e(m)=m^e\mathrm{mod}p$
• $De{c}_d(c)=c^d\mathrm{mod}p$
• $\forall m\ne 0,De{c}_d(En{c}_e(m))=m$
  • $m^{ed}=m\mathrm{mod}p$
  • $m^{ed-1}=1\mathrm{mod}p$
  • $p-e|ed-1$
  • $ed-1=0\mathrm{mod}(p-1)$
  • $e=d^{-1}\mathrm{mod}(p-1)$
  • pick random $d$ until MMI in field is found
• problem: all knowing $p,e$ can compute $d=e^{-1}\mathrm{mod}(p-1)$
• can we make it harder?
  • and rely on the fact: factorization of large number is hard

Factorization problem

• inputs: number $N$ w/ $n$ digits
  • $N\ne p$ (i.e. composite)
• output: "a" factorization $a,b$ s.t. $a\cdot b=N$
• algorithm 1

  for (a = 2; a < N; ++a)
      if (N % a == 0)
          return (a, N / a)
  

  • simple analysis: trying at most $N-2$ values
  • actual runtime: if $a\cdot b=N$ and $a\le b$
    • $a\le \sqrt{N}$
• algorithm 2: checking primality

  for (a = 2; a < √N; ++a)
      if (N % a == 0)
          return false
  
  return true
  

  • run time: won't terminate in decades, even if $n\approx 1000$
• integer factorization: tried for 100s of years
  • no one "knows" the efficient solution
  • nor was proven
  • RSA: depends on this fact

RSA algorithm

• named after Ron Rivest, Adi Shamir, and Leonard Adleman
• key generation
  1. pick two large primes: $p,q$ (secret)
  2. $n=p\cdot q$
  • all calculations: $\mathrm{mod}n$
  3. pick $d$, let $e=d^{-1}\mathrm{mod}\phi (n)$
     • computation of $\phi (n)$: requires factorization of $n$
       • prevents the previous attack
     • no proof: RSA assumption
       • only given $n,e$, computing $d$ is hard
  4. announce $n,e$
• encryption / decryption
  • $En{c}_e(m)=m^e\mathrm{mod}n$ ($n\ne p$)
  • $De{c}_d(c)=c^d\mathrm{mod}n$
  • $\forall m\perp n,De{c}_d(En{c}_e(m))=m\mathrm{mod}n$
    • 👨‍🏫 if message $m/\perp n$ is sent: one can take $\gcd$ of the message and $n$\
      • then factorize it
    • $n^{ed}=n\mathrm{mod}n$
    • $n^{ed-1}=1\mathrm{mod}n$
    • $\phi (n)|ed-1$
      • where $\phi (n)=(p-1)(q-1)$
    • $ed-1=0\mathrm{mod}\phi (n)$
    • $ed=1\mathrm{mod}\phi (n)$
    • $e=d^{-1}\mathrm{mod}\phi (n)$
• 👨‍🏫 is $\phi (n)|ed-1$ necessary?
  • with CRT, to have $m^{ed-1}=1$
  • it is sufficient to have:
    • $m^{ed-1}=1\mathrm{mod}p$
      • $\Leftarrow p-1|ed-1$
    • $m^{ed-1}=1\mathrm{mod}q$
      • $\Leftarrow q-1|ed-1$
  • then $\text{lcm}(p-1,q-1)|ed-1$
    • $e=d^{-1}\mathrm{mod}l$ (instead of $\phi (n)$)
• again, RSA assumption:
  • given $e,n$ and $En{c}_e(m)$ of many $m$
  • one cannot decrypt any message unless $p,q,d$ are known
    • 👨‍🏫 knowing $p$ or $q$: leads to finding another and $d$
    • 👨‍🏫 knowing $d$, you can directly decrypt it!
• vulnerabilities exist for "special cases" (not general case)
  • e.g. for format $2^k$, etc.

Proof of security

• Bob: holds $p,q,d,n,e$
  • publishes $n,e$
• Alice: compute $m^e\mathrm{mod}n$
• Eve: cannot compute $m=(m^e{)}^d\mathrm{mod}n$
• 👨‍🏫 meet our friend: Dave
  • Dave: can manipulate the message over channel
• Alice: sends $m_1,m_2$, encrypted for Bob
  • $En{c}_e(m_1)=m_1^e$
  • $En{c}_e(m_2)=m_2^e$
  • then: $m_1^e\cdot m_1^e=(m_1\cdot m_2{)}^e\mathrm{mod}n=En{c}_e(m_1\cdot m_2)$
    • thus Dave: can replace message with $(m_1\cdot m_2{)}^e\mathrm{mod}n$
    • potential vulnerability
• with traditional email protocol: such vulnerabilities can be manipulated
  • (without digital signature)
  • e.g. fake email services
  • 👨‍🏫 you can claim to be other people / email address
    • just don't use my email for it :p

Digital signature

• let $m$ be a message
• $\text{sign}:{\sum }^{\ast }\to {\sum }^{\ast }$
• $\text{verify}:{\sum }^{\ast }\times {\sum }^{\ast }\to \{0,1\}$
  • invalid / valid
• property: only Alice can sign
  • yet, everyone can verify signature given $m,s=\text{sign}(m)$
• let verification $\approx$ encryption (as all can do)
  • and let sign $\approx$ decryption (as only Alice can do)

RSA signature

• simply using RSA encryption / decryption for digital signature
• ${\text{sign}}_d(m)=m^d\mathrm{mod}n$
• ${\text{verify}}_e(m,s)=s^e\stackrel{?}{=}m\mathrm{mod}n$
• a "safer" signature, thus:
  • whenever sending message, attach digital signature on the way, too
• similar vulnerability exists
  • $\text{sign}(m_1)=m_1^d\mathrm{mod}n$
  • $\text{sign}(m_2)=m_2^d\mathrm{mod}n$
  • $m_1^d\cdot m_2^d=(m_1\cdot m_2{)}^d=\text{sign}(m_1\cdot m_2)\mathrm{mod}n$
  • 👨‍🏫 you must ensure that message: following a particular format
    • e.g. starting with 10 0s
      • or starting with: I am Alice and my message is: {msg}
      • multiplication of two messages: results in invalid (protocol wise) message
• furthermore, you must use different key for encryption & signature
  • as signing = decrypting
  • publishing signature of a message = publishing decryption of a message

Example situation

• now Alice, having:
  • secret: $d_{A,m},d_{A,s}$
    • i.e. Alice's secrete key for encryption / signature
  • public: $e_{A,m},e_{A,s},n_{A,m},n_{A,s}$
• to send $m$ from Alice to Bob:
  1. compute $s={\text{sign}}_{d_{A,s}}(m)$
     • 👨‍🏫 actually: using $h(m)$ instead
  2. let $m^{\prime }=m||s$ (concatenation)
  3. let $c=En{c}_{e_{B,m}}(m^{\prime })$

1. $m^{\prime }=De{c}_{d_{B,m}}(c)$
2. $(m,s)=m^{\prime }$
3. ${\text{verify}}_{e_{A,s}}(m,s)$

• but ensure that you are using a correct key and modulus
• as separate modulus exist for a pair of keys!
  • common error found in the blockchain course
  • wrong modulus results in a garbage value