CSE 477: Introduction to
Computer Security
Lecture – 8
Course Teacher: Dr. Md Sadek Ferdous
Assistant Professor, CSE, SUST
E-mail: [Link]@[Link]
Outline
• Number theory review
• RSA Cryptosystem
• RSA Implementation
Prime numbers
• Prime number 𝑝:
• 𝑝 is an integer (integers are the whole numbers together with their negatives; fractions are not allowed)
• 𝑝 ≥ 2
• The only divisors of 𝑝 are 1 and 𝑝
• Examples
• 2, 7, 19 are primes
• -3, 0, 1, 6 are not primes
• Prime decomposition (aka factorization) of a positive integer 𝑛:
• $n = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_k^{e_k}$
• Example:
• $200 = 2^3 \times 5^2$
• Fundamental Theorem of Arithmetic:
• The prime decomposition of a positive integer is unique
Greatest Common Divisor (GCD)
• The greatest common divisor (GCD) of two integers a and b, denoted
gcd(a, b), is the largest positive integer that divides both a and b
• Examples:
• gcd(18, 30) = 6
• gcd(0, 20) = 20
• gcd(-21, 49) = 7
• Two integers a and b are said to be relatively prime if gcd(a, b) = 1
• Example:
• 15 and 28 are relatively prime, as gcd(15,28) = 1
Modular arithmetic
• Modulo operator for a positive integer 𝑛:
• 𝑟 = 𝑎 mod 𝑛, where 𝑟 and 𝑎 are integers and 𝑟 is the remainder
• It is equivalent to: 𝑎 = 𝑟 + 𝑘𝑛
• Here, 𝑘 is the quotient, also denoted with 𝑞
• Example:
• 29 mod 13 = 3, since 29 = 3 + 2 × 13
• 13 mod 13 = 0, since 13 = 0 + 1 × 13
• −1 mod 13 = 12, since −1 = 12 + (−1) × 13
• Modulo and GCD
• gcd(a, b) = gcd(b, a mod b)
• Example:
• gcd(21, 12) = 3 and gcd(12, 21 mod 12) = gcd(12, 9) = 3
Euclid’s GCD algorithm
• Euclid’s algorithm for computing the GCD repeatedly applies the formula
• gcd(a, b) = gcd(b, a mod b)
Algorithm EuclidGCD(a, b)
  Input: integers a and b
  Output: gcd(a, b)
  if b = 0
    return a
  else
    return EuclidGCD(b, a mod b)
• Example: gcd(412, 260) = 4
a  412  260  152  108  44  20  4
b  260  152  108   44  20   4  0
Multiplicative Inverse
• The residues modulo a positive integer 𝑛 are the set
• $Z_n = \{0, 1, 2, \ldots, n-1\}$
• Let 𝑥 and 𝑦 be two elements of Z𝑛 such that: 𝑥𝑦 mod 𝑛 = 1
• Then we say that 𝑦 is the multiplicative inverse of 𝑥 in Z𝑛
• and we write $y = x^{-1} \bmod n$
• Example:
• Multiplicative inverses of the residues modulo 11 (0 has no inverse)
x     0  1  2  3  4  5  6  7  8  9  10
x^-1  -  1  6  4  3  9  2  8  7  5  10
Multiplicative Inverse
• Theorem:
• An element 𝑥 of Z𝑛 has a multiplicative inverse if and only if 𝑥 and 𝑛 are relatively prime
• Example:
• The elements of Z10 with a multiplicative inverse are 1, 3, 7, 9
x     0  1  2  3  4  5  6  7  8  9
x^-1  -  1  -  7  -  -  -  3  -  9
• Corollary:
• If 𝑝 is prime, every nonzero residue in Z𝑝 has a multiplicative inverse
• Example (𝑝 = 11):
x     0  1  2  3  4  5  6  7  8  9  10
x^-1  -  1  6  4  3  9  2  8  7  5  10
Powers
• Let 𝑝 be a prime
• The sequences of successive powers of some elements of Z𝑝 exhibit repeating sub-sequences
• The sizes of the repeating sub-sequences and the number of their repetitions are the divisors of 𝑝 − 1
• Example (𝑝 = 7), all operations mod 𝑝:
x  x^1  x^2  x^3  x^4  x^5  x^6
1    1    1    1    1    1    1
2    2    4    1    2    4    1
3    3    2    6    4    5    1
4    4    2    1    4    2    1
5    5    4    6    2    3    1
6    6    1    6    1    6    1
Modular exponentiation
• The form $x^y \bmod n$ is called modular exponentiation
• It has several properties
• If 𝑛 is not prime, e.g. 𝑛 = 10, there are modular powers equal to 1 only for the elements of 𝑍𝑛 that are relatively prime with 𝑛
• That is, those elements whose gcd with 𝑛 is 1
• For 𝑛 = 10, these elements are 1, 3, 7, 9
• If 𝑛 is prime, e.g. 𝑛 = 13, every nonzero element of 𝑍𝑛 has a power equal to 1
Fermat’s Little Theorem
• Theorem
• Let 𝑝 be a prime. For each nonzero residue 𝑥 of Z𝑝, we have
• $x^{p-1} \bmod p = 1$
• Example (𝑝 = 5):
• $1^4 \bmod 5 = 1$
• $2^4 \bmod 5 = 16 \bmod 5 = 1$
• $3^4 \bmod 5 = 81 \bmod 5 = 1$
• $4^4 \bmod 5 = 256 \bmod 5 = 1$
• Corollary
• Let 𝑝 be a prime. For each nonzero residue 𝑥 of Z𝑝, the multiplicative inverse of 𝑥 is $x^{p-2} \bmod p$
• Proof
• $x \cdot x^{p-2} \bmod p = x^{p-1} \bmod p = 1$
Euler’s Theorem
• The multiplicative group of Z𝑛, denoted with $Z_n^*$, is the subset of elements of Z𝑛 relatively prime with 𝑛
• The totient function of 𝑛, denoted with Φ(𝑛), is the size of $Z_n^*$: $\Phi(n) = |Z_n^*|$
• Example:
• $Z_{10}^* = \{1, 3, 7, 9\}$, Φ(10) = 4
• If 𝑝 is prime, we have:
• $Z_p^* = \{1, 2, 3, \ldots, p-1\}$, Φ(𝑝) = 𝑝 − 1
• Theorem:
• For each element 𝑥 of $Z_n^*$ we have: $x^{\Phi(n)} \bmod n = 1$
• Example (𝑛 = 10)
• $3^{\Phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
• $7^{\Phi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
• $9^{\Phi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$
RSA Cryptosystem
• RSA is named after its inventors, Ronald Rivest, Adi Shamir, and Leonard Adleman
• First published in 1977
• It is based on the practical difficulty of factoring the product of two large prime numbers
• One of the most widely used cryptosystems
• Because of its impact, the inventors received the Turing Award in 2002, the so-called Nobel Prize of CS
RSA Cryptosystem
• Setup
• 𝑛 = 𝑝𝑞, here 𝑝 and 𝑞 should be large prime numbers (e.g. 1024 digits)
• 𝑒 is chosen such that it is relatively prime to Φ(𝑛)
• That is gcd(𝑒, Φ(𝑛)) = 1
• Φ(𝑛) = Φ(𝑝) Φ(𝑞) = (𝑝 − 1)(𝑞 − 1)
• 𝑑 is the inverse of 𝑒 in $Z_{\Phi(n)}$
• That is 𝑑𝑒 mod Φ(𝑛) = 1
• Keys
• Public key, 𝐾𝑒 = (𝑛, 𝑒)
• Private key, 𝐾𝑑 = 𝑑
• Encryption
• Plaintext, 𝑀
• Ciphertext, $C = M^e \bmod n$
• Decryption
• $M = C^d \bmod n$
• Worked example
• Setup
• 𝑝 = 7, 𝑞 = 17
• 𝑛 = 7 × 17 = 119
• Φ(𝑛) = (𝑝 − 1)(𝑞 − 1) = 6 × 16 = 96
• 𝑒 = 5
• 𝑑 = 77 (5 × 77 = 385 = 4 × 96 + 1)
• Keys
• Public key: (119, 5)
• Private key: 77
• Encryption
• 𝑀 = 19
• $C = 19^5 \bmod 119 = 66$
• Decryption
• $M = 66^{77} \bmod 119 = 19$
RSA Cryptosystem
• Setup
• 𝑝 = 5, 𝑞 = 11
• 𝑛 = 5 × 11 = 55
• Φ(𝑛) = 4 × 10 = 40
• 𝑒 = 3
• 𝑑 = 27 (3 × 27 = 81 = 2 × 40 + 1)
• Encryption
• $C = M^3 \bmod 55$
• Decryption
• $M = C^{27} \bmod 55$
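The setup, encryption and decryption steps above, as an added example that is not part of the lecture slides. It reproduces the two textbook parameter sets (p = 7, q = 17, e = 5 and p = 5, q = 11, e = 3); the only assumption is Python 3.8 or later, whose built-in pow(e, -1, m) computes the modular inverse.

```python
# Added example: RSA setup, encryption and decryption with the small
# parameters from the slides. Not the slides' own code.
from math import gcd


def rsa_setup(p, q, e):
    """Return (n, e, d) for primes p, q and a chosen public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Φ(n) = Φ(p)Φ(q) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to Φ(n)")
    d = pow(e, -1, phi)                # d·e mod Φ(n) = 1 (Python 3.8+)
    return n, e, d


def rsa_encrypt(m, n, e):
    return pow(m, e, n)                # C = M^e mod n


def rsa_decrypt(c, n, d):
    return pow(c, d, n)                # M = C^d mod n


def roundtrip_all(p, q, e):
    """Check C^d mod n == M for every M in Z_n relatively prime with n,
    which is exactly the assumption the correctness argument relies on."""
    n, e, d = rsa_setup(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(m, n, e), n, d) == m
               for m in range(n) if gcd(m, n) == 1)


if __name__ == "__main__":
    n, e, d = rsa_setup(7, 17, 5)
    print(n, e, d)                     # 119 5 77
    c = rsa_encrypt(19, n, e)
    print(c, rsa_decrypt(c, n, d))     # 66 19
```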
RSA Correctness
• Ciphertext, $C = M^e \bmod n$, with the assumption that gcd(𝑀, 𝑛) = 1
• This is very likely the case: since 𝑝 and 𝑞 are very large, they are unlikely to be factors of 𝑀
• We need to show that $C^d \bmod n = M$
• Since 𝑒𝑑 mod Φ(𝑛) = 1, there is an integer 𝑘 such that:
• $ed = k\Phi(n) + 1$
• Since 𝑀 is relatively prime with 𝑛, we get the following from Euler’s theorem
• $M^{\Phi(n)} \bmod n = 1$
• Now,
• $C^d \bmod n = M^{ed} \bmod n = M^{k\Phi(n)+1} \bmod n$
• $= M \cdot M^{k\Phi(n)} \bmod n = M \cdot (M^{\Phi(n)})^k \bmod n = M \cdot 1^k = M$
RSA Security
• The security of the RSA cryptosystem is based on the difficulty of finding d,
given e and n
• If we knew φ(n) = (p−1)(q−1), it would be easy to compute d from e
• Thus, Bob needs to keep p and q secret (or even destroy all knowledge of
them), since anyone who knows the values of p and q immediately knows the
value of φ(n)
• Anyone who knows the value of φ(n) can compute d = e^−1 mod φ(n), using the extended Euclidean algorithm
• Thus, the security of the RSA cryptosystem is closely tied to factoring n, which
would reveal the values of p and q
• Fortunately, since this problem has shown itself to be hard to solve, we can
continue to rely on the security of the RSA cryptosystem, provided we use a
large enough modulus
RSA Security
• In 1999, the 512-bit challenge was factored in 4 months using 35.7 CPU-years:
• 160 175-400 MHz SGI and Sun
• 8 250 MHz SGI Origin
• 120 300-450 MHz Pentium II
• 4 500 MHz Digital/Compaq
• In 2005, a team of researchers factored the RSA-640 challenge number using 30 2.2GHz CPU years
• In 2004, the prize for factoring RSA-2048 was $200,000
• Current practice is 2,048-bit keys
• Estimated resources needed to factor a number within one year:
Length (bits)  PCs        Memory
430            1          128MB
760            215,000    4GB
1020           342x10^6   170GB
1620           1.6x10^15  120TB
RSA Security
• Side channel attacks have also been demonstrated on RSA, based on measuring the time taken by decryption and/or the power consumption of the CPU performing the operation
• In very recent (30 August, 2018) research presented at USENIX’18, the authors were able to retrieve the encryption keys from mobile devices within seconds and without physical access to the devices
• The attack recovers the exponent’s bits during modular exponentiation from analog signals that are unintentionally produced by the processor
• [Link]
rence/usenixsecurity18/[Link]
RSA Determinism
• We must take some care in how we use the RSA cryptosystem, however,
because of its deterministic nature
• For example, suppose we use the RSA algorithm to encrypt two plaintext
messages, M1 and M2, into the respective ciphertexts, C1 and C2, using
the same public key
• Because RSA is deterministic, we know that, in this case, if C1 = C2, then
M1 = M2
• Unfortunately, this fact could allow a cryptanalyst to infer information
from ciphertexts encrypted from supposedly different plaintexts
• There is an alternative cryptosystem which can handle this issue
RSA Implementation
• The implementation of the RSA cryptosystem requires various algorithms
• Overall
• Representation of integers of arbitrarily large size and arithmetic operations on them
• Encryption
• Modular power
• Decryption
• Modular power
• Setup
• Generation of random numbers with a given number of bits (to generate candidates p
and q)
• Primality testing (to check that candidates p and q are prime)
• Computation of the GCD (to verify that e and Φ 𝑛 are relatively prime)
• Computation of the multiplicative inverse (to compute d from e)
Repeated squaring
• RSA requires modular exponentiation of the form $x^y \bmod n$ for its encryption and decryption functions
• One simple approach is to calculate $x^y$ first and then perform the modular reduction
• This is completely impractical when 𝑦 is large, as is the case in RSA
• Let’s assume that we would like to compute $2^{1234} \bmod 789$
• If we compute $2^{1234}$ first and then reduce it mod 789, we will need to deal with very large numbers even though the final result contains only 3 digits
• Another approach could be
• Perform each multiplication and then calculate the remainder
• But it would require performing the multiplication 1234 times, which is too slow to be practical
• In such cases, another method is used, called repeated squaring
Repeated squaring
• $2^2 \bmod 789 = 4$
• $2^4 \bmod 789 = 4^2 = 16$
• $2^8 \bmod 789 = 16^2 = 256$
• $2^{16} \bmod 789 = 256^2 \bmod 789 = 49$
• $2^{32} \bmod 789 = 49^2 \bmod 789 = 34$
• $2^{64} \bmod 789 = 34^2 \bmod 789 = 367$
• $2^{128} \bmod 789 = 367^2 \bmod 789 = 559$
• $2^{256} \bmod 789 = 559^2 \bmod 789 = 37$
• $2^{512} \bmod 789 = 37^2 \bmod 789 = 580$
• $2^{1024} \bmod 789 = 580^2 \bmod 789 = 286$
• 1234 = 1024 + 128 + 64 + 16 + 2
• $2^{1234} = 2^{1024+128+64+16+2} = 2^{1024} \cdot 2^{128} \cdot 2^{64} \cdot 2^{16} \cdot 2^2$
• $= 286 \cdot 559 \cdot 367 \cdot 49 \cdot 4 \bmod 789 = 481$
• If we want to compute $a^b \bmod n$
• We can do it with at most $2\log_2(b)$ multiplications mod 𝑛
• We never have to deal with numbers larger than $n^2$
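The repeated-squaring computation above, as an added example that is not from the slides: a right-to-left square-and-multiply routine that records every intermediate square of 2 mod 789 and counts the modular multiplications, so the 2·log2(b) bound and the "nothing larger than n^2" property can be checked. Note that the multiply step runs only for 1-bits of the exponent; that data dependence is what the side-channel results mentioned earlier exploit, and why production implementations use constant-time exponentiation.

```python
# Added example: repeated squaring for a^b mod n with a trace of the
# intermediate values. Not the slides' own code.
from math import log2


def mod_pow_trace(a, b, n):
    """Return (a^b mod n, number of multiplications mod n, trace).

    trace[i] = (i, a^(2^i) mod n, running result after bit i).
    Every product is of two residues < n, so it never exceeds n^2."""
    result = 1
    square = a % n          # a^(2^i) mod n for the current bit i
    mults = 0
    trace = []
    i = 0
    while b > 0:
        if b & 1:           # bit i of the exponent is set: multiply it in
            result = (result * square) % n
            mults += 1
        trace.append((i, square, result))
        b >>= 1
        if b:               # square once more for the next bit
            square = (square * square) % n
            mults += 1
        i += 1
    return result, mults, trace


def powers_of_two_used(b):
    """The powers of two in the binary expansion of b (1234 -> 2,16,64,128,1024)."""
    return [1 << i for i in range(b.bit_length()) if (b >> i) & 1]


def mults_bound_ok(a, b, n):
    """Repeated squaring uses at most 2*log2(b) multiplications mod n (b >= 1)."""
    _, mults, _ = mod_pow_trace(a, b, n)
    return mults <= 2 * log2(b)


if __name__ == "__main__":
    r, m, t = mod_pow_trace(2, 1234, 789)
    for i, sq, _ in t:
        print(f"2^{1 << i:<5} mod 789 = {sq}")
    print("result", r, "multiplications", m)   # 481, 15
```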
Multiplicative inverse calculation
• Given integers 𝑎 and 𝑏, there are integers 𝑖 and 𝑗 such that
• 𝑖𝑎 + 𝑗𝑏 = gcd(𝑎, 𝑏) = 𝑑
• Example: a = 21, b = 15, d = 3, i = 3, j = −4
• 3 = 3 × 21 + (−4) × 15 = 63 − 60
• Given positive integers a and b, the extended Euclid’s algorithm computes a triplet (d, i, j) such that
• d = gcd(a, b)
• d = ia + jb
• To test the existence of and compute the inverse of 𝑥 ∈ 𝑍𝑛,
• we execute the extended Euclid’s algorithm on the input pair (x, n)
• Let (d, i, j) be the triplet returned, where d = ix + jn
• If d = 1, i is the multiplicative inverse of x in 𝑍𝑛
• If d > 1, x has no inverse in 𝑍𝑛
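An added example (not the slides' own code) tying together the Euclid GCD algorithm, the extended Euclid's algorithm and the multiplicative-inverse rule just stated, and the earlier Z_n^* / Euler's theorem slides: it recomputes the inverse tables for Z_11 and Z_10 and verifies x^Φ(n) mod n = 1. The Bezout coefficients it returns for (21, 15) are (−2, 3) rather than the slides' (3, −4); both satisfy ia + jb = 3, and the inverse is reduced mod n so it lands in Z_n.

```python
# Added example: Euclid, extended Euclid, modular inverse and the unit
# group Z_n^*. Not the slides' own code.


def euclid_gcd(a, b):
    """Plain Euclid: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, a % b
    return a


def extended_euclid(a, b):
    """Return (d, i, j) with d = gcd(a, b) = i*a + j*b."""
    if b == 0:
        return a, 1, 0
    d, i1, j1 = extended_euclid(b, a % b)
    # d = i1*b + j1*(a mod b) = i1*b + j1*(a - (a//b)*b)
    #   = j1*a + (i1 - (a//b)*j1)*b
    return d, j1, i1 - (a // b) * j1


def mod_inverse(x, n):
    """Inverse of x in Z_n, or None when gcd(x, n) > 1 (no inverse)."""
    d, i, _ = extended_euclid(x % n, n)       # d = i*x + j*n
    return i % n if d == 1 else None


def units(n):
    """Z_n^*: the residues with an inverse, i.e. relatively prime with n."""
    return [x for x in range(n) if euclid_gcd(x, n) == 1]


def euler_theorem_holds(n):
    """x^Φ(n) mod n == 1 for every x in Z_n^*, with Φ(n) = |Z_n^*|."""
    phi = len(units(n))
    return all(pow(x, phi, n) == 1 for x in units(n))


if __name__ == "__main__":
    print(extended_euclid(21, 15))                     # (3, -2, 3)
    print([mod_inverse(x, 11) for x in range(11)])     # None, 1, 6, 4, ...
    print(units(10), euler_theorem_holds(10))          # [1, 3, 7, 9] True
```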
Primality testing
• Yet another important computation that is often used in modern
cryptography is primality testing
• In this instance, we are given a positive integer, n, and we want to
determine if n is prime or not
• That is, we want to determine if the only factors of n are 1 and n itself
• Fortunately, there are efficient methods for performing such tests
• None of these methods actually factor n
• They just indicate whether n is prime or not
Primality testing
• Fermat Primality Test:
• Let 𝑛 > 1 be an integer. Choose a random integer 𝑎 with 1 < 𝑎 < 𝑛 − 1.
• If $a^{n-1} \bmod n \ne 1$, then 𝑛 is composite
• If $a^{n-1} \bmod n = 1$, then 𝑛 is probably prime
• Given an efficient way of performing primality testing, actually
generating a random prime number is relatively easy
• This simplicity is due to an important fact about numbers
• the number of prime numbers between 1 and any number n is at least n/ln n, for
n≥4
• Select a random number in the range and check it for primality
• If we repeat this process a logarithmic number of times, testing each number generated for primality, then one of our generated numbers is expected to be prime
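The Fermat test and the random-prime loop described above, as an added example that is not from the slides. The seed-driven candidate generation is an assumption made here for reproducibility. The block also shows the test's known blind spot: 561 = 3 × 11 × 17 is the smallest Carmichael number and passes the Fermat test for every base relatively prime with it, which is why "probably prime" is the most the test can claim and why real implementations use stronger tests.

```python
# Added example: Fermat primality test and random prime generation.
# Not the slides' own code.
import random


def fermat_probable_prime(n, bases):
    """Fermat test with the given bases. False means n is certainly
    composite; True means n is probably prime (a witness may be missing)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for a in bases:
        if not 1 < a < n - 1:
            raise ValueError("base must satisfy 1 < a < n - 1")
        if pow(a, n - 1, n) != 1:      # a^(n-1) mod n != 1: composite
            return False
    return True


def random_prime(bits, seed, rounds=20):
    """Draw random odd bits-bit candidates (top bit forced so the size is
    exact) until one passes `rounds` Fermat tests with random bases.
    About 1/ln(2^bits) of the candidates are prime, so only a
    logarithmic number of draws is expected. `seed` is an assumption
    made here so the result is reproducible."""
    rng = random.Random(seed)
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
        if fermat_probable_prime(n, bases):
            return n


def is_prime_by_trial_division(n):
    """Exact but slow check, used here only to confirm small results."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


if __name__ == "__main__":
    print(fermat_probable_prime(561, [2, 5, 7]))   # True: Carmichael number
    print(fermat_probable_prime(561, [3]))         # False: base shares factor 3
    print(is_prime_by_trial_division(561))         # False
    print(random_prime(16, seed=7))
```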
Typical RSA use-case
• Even with an efficient implementation, the RSA cryptosystem is orders-of-magnitude slower than the AES symmetric cryptosystem
• Thus, a standard approach to encryption is as follows:
• Encrypt a secret key, K, with the RSA cryptosystem for the AES symmetric
cryptosystem
• Encrypt with AES using key K
• Transmit the RSA-encrypted key together with the AES-encrypted document
• The above method illustrates a common use of public-key cryptography
in conjunction with a symmetric cryptosystem
The lecture slides can be found in the following location!