CSCI 2824, Discrete Structures

Spring 2018
Alexandra Kolla

Lecture 22: Cryptography -

Public Key Encryption and RSA
1
Announcements and reminders

● HW 7 (Moodle) is due TODAY at 12 PM.

● HW 8 (written) is available for download, linked from course

calendar and on Piazza

● If you have concerns about how your exam was graded:

1) Check the solutions first.

2) Put in writing what specifically you want me to look at.
3) Bring this note and your exam to me today (9 March)

2
What did we do last time?

● Solving systems of congruences: Chinese Remainder Theorem, Back Substitution

● Shift (+) and Affine (+, x) Ciphers

Today:
● Putting a ton of number theory
stuff together: RSA!

3
Cryptography

Last time we talked about shift ciphers and affine ciphers

Shift Encrypt: C = F(M) = (M + k) mod 26

Shift Decrypt: M = F-1(C) = (C - k) mod 26

Affine Encrypt: C = F(M) = (aM + b) mod 26

Affine Decrypt: M = F-1(C) = (C - b) mod 26

Both of these ciphers are examples of private key encryption

The sender and receiver both need to know the keys (k or a and b)

4
Cryptography

Obviously, this poses some problems to implement on a large scale.

The solution to this: Public Key Encryption

Allows senders and receivers to determine secret keys by transferring public information
completely in the open

RSA is the most common Public Key Encryption system

● Developed by Rivest, Shamir and Adleman in 1977
● … but first discovered by Clifford Cocks in 1973 (working for British government)

5
Cryptography

RSA builds on a bunch of topics we have seen before:

● Fast modular exponentiation
● The Euclidean algorithm
● Bezout’s theorem
● Modular inverses
● Fermat’s Little Theorem
● The Chinese Remainder Theorem

6
Cryptography - RSA

Basic idea:

● Alice wants to send a message M to Bob that she doesn’t want anyone else to read

● In a public key system, Bob will send Alice (or anyone!) his public key and Alice will use
it to encrypt the message M as a cipher C

● When Bob receives the message, he decrypts it using his private key

● Anyone in the world could intercept the public key and use it to encrypt message…

● … but nobody could decrypt messages without Bob’s private key

7
Cryptography - RSA
Implementation in practice:
● We want to create a one-way function F that, given a message M and publicKey,
encrypts M as C = F(M, publicKey)
● The function F is called “one-way” because
○ Given M and publicKey, it is easy to compute C = F(m, publicKey)
to encrypt M
○ But if someone intercepts C and publicKey, it is extremely difficult to
invert F and compute M = F-1(C, publicKey)
● If it’s so hard to invert F, how is it that Bob can do it?
○ Using the privateKey, Bob has a function G that will allow him to compute
M = G(C, privateKey) quickly

8
Implementation in practice:
● So our scheme should give us function F and G such that
○ F is easy to compute (using publicKey) but very difficult to invert, unless…
○ … you know privateKey, then G is easy to compute and inverts F

RSA uses a huge number n that is the product of two huge primes, p and q (~200 digits)
● Encryption:
○ The public key is a pair of numbers (e, n)
○ Each message M is assumed to be a number between 0 and n-1
○ We encrypt a message by computing C = M e mod n
○ … which we can do quickly with fast modular exponentiation
● Decryption:
○ The private key is another pair of numbers (d, n) that relies on knowing p and q
○ We decrypt a message by computing M = Cd mod n,
where d is inverse of c (mod (p-1)(q-1)) 9
Implementation in practice:
● So our scheme should give us function F and G such that
○ F is easy to compute (using publicKey) but very difficult to invert, unless…
○ … you know privateKey, then G is easy to compute and inverts F

RSA uses a huge number n that is the product of two huge primes, p and q (~200 digits)
● Encryption:
○ The public key is a pair of numbers (e, n)
○ Each message M is assumed to be a number between 0 and n-1
○ We encrypt a message by computing C = M e mod n
○ … which we can do quickly with fast modular exponentiation
● Decryption:
○ The private key is another pair of numbers (d, n) that relies on knowing p and q
○ We decrypt a message by computing M = Cd mod n,
where d is inverse of e (mod (p-1)(q-1)) 10
Cryptography - RSA
Example: Let’s make up our own RSA scheme to send messages!

Public keys

11
Cryptography - RSA
Example: Let’s take the message M = 1098 and encrypt it using the key e = 13 and
n = 17947 = 131 · 137

We compute: C= M e mod 17947 = 109813 mod 17947

12
Cryptography - RSA
Example: Let’s take the message M = 1098 and encrypt it using the key e = 13 and
n = 17947 = 131 · 137

We compute: C= M e mod 17947= 109813 mod 17947

13
Cryptography - RSA
Example: Let’s take the message M = 1098 and encrypt it using the key e = 13 and
n = 17947 = 131 · 137

We compute: C= M e mod 17947= 109813 mod 17947

(in the wild, you’d make a computer do this…)

14
Cryptography - RSA
If an unintended recipient sees the encoded message C and the public key (e, n), it would be
extremely difficult for them to find M

● So far we have identified the function F: F(M, (e,n)) = M e mod n

Now the idea is to find a private key (d, n) that decrypts the message via:
C d mod n = M

● This is our inversion function G: G(C, (d,n)) = C d mod n

● To do this, we need to find e and d that satisfy: C d mod n = (M e)d mod n = M

● Which means we need e and d such that: M ed mod n = M

● And we need to figure out how to find such a pair (e, d), where it’s hard to discover d if you
know (e, n)...
15
 Cryptography - RSA
● Let’s make some assumptions about our keys (public and private), and see how they can
lead to an unbreakable cryptosystem (at least by today’s standards)

Assumptions:
1. n = pq , where p and q are very large primes (~200+ digits)
2. e is a number that is relatively prime to (p-1)(q-1)
3. d is the inverse of e (mod (p-1)(q-1)) (which must exist from #2, above)

Let’s see why these assumptions are helpful.

● First, notice that since de ≡ 1 (mod (p-1)(q-1))
there exists an integer k such that
de = 1 + k (p-1)(q-1)

16
 Cryptography - RSA
Now this means that for some integer k, we have that

C d ≡ (M e)d ≡ M de ≡ M 1+k(p-1)(q-1) ≡ M · ((M (p-1))(q-1)) k (mod n)

In order to get our decryption function G, we need to show that this implies that

C d ≡ M (mod n)
This is valid except
Assume that gcd(M, p) = 1 and gcd(M, q) = 1. when your message M
is a multiple of p or q,
Then Fermat’s Little Theorem tells us that which is very rare.

M p-1 ≡ 1 (mod p) and M q-1 ≡ 1 (mod q)

Which gives (modulo p):

C d ≡ M · ((M (p-1))(q-1)) k ≡ M · 1(q-1) k ≡ M (mod p)

17
Which gives (modulo p):

C d ≡ M · ((M (p-1))(q-1)) k ≡ M · 1(q-1) k ≡ M (mod p)

And similarly (modulo q):

C d ≡ M · ((M (q-1))(p-1)) k ≡ M · 1(p-1) k ≡ M (mod q)

So we have:

C d ≡ M (mod p) x ≡ M (mod p)

C d ≡ M (mod q) ⇒ (which looks awfully familiar) ⇒ x ≡ M (mod q)

where x = C d is a solution to a system of congruences.

Since p and q are relatively prime (actually, both are prime), the Chinese Remainder
Theorem tells us that it is a unique solution modulo pq = n. Thus:

C d ≡ M (mod n)
18
 Cryptography - RSA
Getting back to practical application: What does Bob need to do?

1. Choose two very large primes p and q, and form n = pq

Note: Large primes p and q can be found quickly with probabilistic guess-and-checking.

19
 Cryptography - RSA
Getting back to practical application: What does Bob need to do?

1. Choose two very large primes p and q, and form n = pq

Note: Large primes p and q can be found quickly with probabilistic guess-and-checking.

2. Find an e that is relatively prime to (p-1)(q-1)

20
 Cryptography - RSA
Getting back to practical application: What does Bob need to do?

1. Choose two very large primes p and q, and form n = pq

Note: Large primes p and q can be found quickly with probabilistic guess-and-checking.

2. Find an e that is relatively prime to (p-1)(q-1)

3. Find d, the inverse of e modulo (p-1)(q-1)

21
 Cryptography - RSA
Getting back to practical application: What does Bob need to do?

1. Choose two very large primes p and q, and form n = pq

Note: Large primes p and q can be found quickly with probabilistic guess-and-checking.

2. Find an e that is relatively prime to (p-1)(q-1)

3. Find d, the inverse of e modulo (p-1)(q-1)

4. Save privateKey (d, n) and send Alice publicKey (e, n)

Note: This only enables Alice to send Bob secure messages! If Bob wants to send Alice secure
messages, then Alice needs to do the same.

22
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

23
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

We have n = 43 · 59 = 2537 and (p-1)(q-1) = 42 · 58 = 2436

Note that

2436= 13·187 + 5
13 = 5·2 + 3
5 = 3·1 + 2
3 = 2·1 + 1

So gcd(2436, 13) = 1, which means e = 13 works as a public key. Good!

24
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

We have n = 43 · 59 = 2537 and (p-1)(q-1) = 42 · 58 = 2436

Now we need to find the private key, d, which is the inverse of e = 13 modulo 2436

2436= 13·187 + 5
13 = 5·2 + 3
5 = 3·1 + 2
3 = 2·1 + 1

25
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

We have n = 43 · 59 = 2537 and (p-1)(q-1) = 42 · 58 = 2436

Now we need to find the private key, d, which is the inverse of e = 13 modulo 2436

2436= 13·187 + 5 1 = 3 - 1·2

13 = 5·2 + 3 = 3 - 1·(5 - 1·3) = 2·3 - 1·5
5 = 3·1 + 2 = 2·(13 - 2·5) - 1·5 = 2·13 - 5·5
3 = 2·1 + 1 = 2·13 - 5·(2436 - 187·13) = 937·13 - 5·2436
So, by Bezout’s Theorem and “climbing back up” the Euclidean algorithm, we find that the inverse
of e = 13 modulo 2436 is d = 937

26
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

We have n = 43 · 59 = 2537 and (p-1)(q-1) = 42 · 58 = 2436

We now have our public and private keys:

publicKey = (e, n) = (13, 2537)

privateKey = (d, n) = (937, 2537)

Encryption: C = M e mod n =

Decryption: M = C d mod n =

27
 Cryptography - RSA
Example: Encrypt and decrypt the message M = 1819 using a Public Key Encryption based on
p = 43, q = 59 and e = 13

We have n = 43 · 59 = 2537 and (p-1)(q-1) = 42 · 58 = 2436

We now have our public and private keys:

publicKey = (e, n) = (13, 2537)

privateKey = (d, n) = (937, 2537)

Encryption: C = M e mod n = 181913 mod 2537 = (using fast mod. exp.) = 2081

Decryption: M = C d mod n = 2081937 mod 2537 = (using fast mod. exp.) = 1819

(Yeah, I’m not doing that one by hand…)

28
Cryptography - RSA
Getting back to practical application: Okay, so why can’t we break RSA?

● If we know (e, n), couldn’t we do a brute-force attack to determine d ?

● Well, technically yes. But d is the inverse of e modulo (p-1)(q-1)

● Without knowing how n is factored into n = pq, we have no idea that we have to look for an
inverse modulo (p-1)(q-1)

● So we need to factor n first…

● … and it turns out that factoring large products of primes is hard. There’s only one answer
and a s***load lots of numbers to sift through.

⇒ There is no known polynomial time solution

29
Cryptography - RSA
Getting back to practical application: Okay, so why can’t we break RSA?

● The best-known factoring method is estimated to have complexity ~ 2 number of bits in n

● In 2009, researchers successfully factored a 232 decimal digit product of two primes
○ It took two years running in parallel on hundreds of machines.
○ The equivalent of 2000 years running on a single-core machine.

⇒ Factoring large numbers is difficult!

30
Cryptography - RSA
Getting back to practical application: Okay, so why can’t we break RSA?

That being said… A lock is only secure if you actually use it properly

Some company generated keys in a way such that the private

key was practically computable from the public key. Not great.

[1] Links: [1], [2]

[2]
31
Cryptography - more tidbits
Block ciphers

When we translate our message M into a number, we need to be careful that the numerical
representation of M does not exceed n

Question: Why?

Answer: If M exceeds n, then we would be unable to distinguish between M and any other
message that is congruent to M mod n

Typically, we break the message up into blocks (hence, block cipher), then encode the blocks
as digits, and then encrypt the blocks

Example: S’pose we wanted to send the message HELP

32
Cryptography - more tidbits
Example: S’pose we wanted to send the message HELP

First, separate into blocks: HE LP

Second, encode: 0704 1115 ← note the padding with 0s

● Blocks of 2 letters works for n ≥ 2525 (first “25” represents first letter, …)
● Blocks of 3 letters would work with n ≥ 252525
● And so on…

Let’s encrypt HELP using the keys from the previous example (e = 13, d = 937, n = 2537)

33
Cryptography - more tidbits
Example: Encrypt HELP using the keys from the previous example (e = 13, d = 937, n = 2537)

Our public key was (e, n) = (13, 2537), so we have:

HE = 070413 mod 2537 ≡ (FYOG: fast mod. exp.) ≡ 981 (mod 2537)

LP = 111513 mod 2537 ≡ (FYOG: fast mod. exp.) ≡ 461 (mod 2537)

So the encrypted message would be sent out as 0981 0461

34
Cryptography - more tidbits
Example: Decrypt C = 1188 1346 using the keys from the previous example
(e = 13, d = 937, n = 2537)

1188937 mod 2537 ≡ (fast mod. exp.) ≡ 1814 (mod 2537) → SO

1346937 mod 2537 ≡ (fast mod. exp.) ≡ 1823 (mod 2537) → SX

So the decrypted message in characters would be SOSX

Convention: If your message doesn’t fit perfectly into your block size, then you pad the end of
the last block with X’s

⇒ So this message is likely SOS

35
Cryptography - more tidbits

Recap:
● RSA public key encryption:
○ You give everyone your publicKey (e, n) so they can encrypt messages to you
○ You know what the 2 primes p and q such that n = pq…
○ … So you know what d is (the inverse of e modulo (p-1)(q-1)) …
○ … So you can invert the encrypted messages without spending >thousands of years
throwing CPUs at it

Next time:
● We get inductive!

36
FYOG: hints!
070413 mod 2537 ≡ … ≡ 981 (mod 2537)

13 = 23 + 22 + 20 , so 70413 = 7048·7044·7041, so we need to calculate

these powers of 704 (modulo 2537)

7041 = 704 (modulo 2537)

7042 = 495616 ≡ 901 (mod 2537)

7044 = (7042)2 ≡ 9012 = 811801 ≡ 2498 (mod 2537)

and 7048 = (7044)2 ≡ 24982 = 6240004 ≡ 1521 (mod 2537)

⇒ 70413 = 7048·7044·7041 ≡ 1521·2498·704 (mod 2537) ≡ 981 (mod 2537)

37