RSA algorithm (two)

Reprint: http://www.ruanyifeng.com/blog/2013/07/rsa_algorithm_part_two.html

Nanyi

Date: July 4, 2013

Last time, I introduced some knowledge of number theory.

With this knowledge, we can read the RSA algorithm. This is currently the most important encryption algorithm on the Earth.

Vi. Steps for key generation

We use an example to understand the RSA algorithm. Suppose Alice wants to encrypt her communication with Bob, how should she generate the public and private keys?

The first step is to randomly select two unequal prime numbers p and Q.

Alice chose 61 and 53. (In practice, the larger the two prime numbers, the harder it is to crack.) ）

The second step is to calculate the product N of P and Q.

Alice multiplied the 61 and the 53.

n = 61x53 = 3233

The length of n is the key length. 3233 is written in binary is 110010100001, a total of 12 bits, so this key is 12 bits. In practice, RSA keys are generally 1024-bit and 2048-bit for important occasions.

The third step is to calculate the Euler function φ (n) of N.

According to the formula:

φ (n) = (p-1) (q-1)

Alice calculates that φ (3233) equals 60x52, or 3120.

The fourth step, randomly selects an integer e, the condition is 1< e <φ (n), and E and φ (n) coprime.

Alice was between 1 and 3120, randomly choosing 17. (In practical applications, 65537 is often selected.) ）

The fifth step is to calculate e for the modulo inverse element d of φ (n).

The so-called "modulo inverse element" means that there is an integer d, which allows Ed to divide the remainder of φ (n) by 1.

Ed≡1 (modφ (n))

This equation is equivalent to

Ed-1 = kφ (n)

So, to find the modulo inverse element D, is essentially the following two-dollar equation solution.

Ex +φ (n) y = 1

Known e=17,φ (n) = 3120,

17x + 3120y = 1

This equation can be solved with the "extended Euclidean algorithm", where the specific process is omitted. In short, Alice calculates a set of integer solutions (x, y) = (2753,-15), or d=2753.

All calculations are complete at this point.

The sixth step is to encapsulate N and e as public keys, and N and D as private keys.

In Alice's case, n=3233,e=17,d=2753, so the public key is (3233,17), the private key is (3233, 2753).

In practice, the public and private key data are expressed in ASN.1 format (instance).

Vii. Reliability of RSA algorithm

Review the key generation steps above, with a total of six numbers:

P
Q
N
φ (n)
E
D

Of these six numbers, the public key is used for two (n and e) and the remaining four are not public. The most critical of these is D, because N and D make up the private key, and once d leaks, it is equal to the private key leak.

So, is it possible to derive a d in the case of known N and e?

(1) ed≡1 (modφ (n)). D can only be calculated if E and φ (n) are known.

(2) φ (n) = (p-1) (q-1). Only the P and Q are known to calculate φ (n).

(3) N=pq. P and Q can be calculated only if the n factor is decomposed.

Conclusion: If n can be decomposed by factoring, D can be calculated, which means that the private key is cracked.

However, the factorization of large integers is a very difficult thing to do. At present, there are no other effective ways to find other than brute force. Wikipedia writes:

"The difficulty of factoring the maximal integers determines the reliability of the RSA algorithm." In other words, the more difficult the factorization of a large integer, the more reliable the RSA algorithm.

If someone finds a fast factorization algorithm, then RSA's reliability will be extremely degraded. But the likelihood of finding such an algorithm is very small. Only a short RSA key can be cracked today. Until 2008, there was no reliable way to attack the RSA algorithm in the world.

As long as the key length is long enough, the information encrypted with RSA is not actually broken. "

For example, you can factor in the decomposition of 3233 (61x53), but you cannot decompose the integer below.

12301866845301177551304949
58384962720772853569595334
79219732245215172640050726
36575187452021997864693899
56474942774063845925192557
32630345373154826850791702
61221429134616704292143116
02221240479274737794080665
351419597459856902143413

It equals such a product of two prime numbers:

33478071698956898786044169
84821269081770479498371376
85689124313889828837938780
02287614711652531743087737
814467999489
X
36746043666799590428244633
79962795263227915816434308
76426760322838157396665112
79233373417143396810270092
798736308917

In fact, this is probably the largest integer that humans have decomposed (232 decimal digits, 768 bits). The larger factor decomposition than it has not been reported, so the longest RSA key currently cracked is 768 bits.

Viii. Encryption and decryption

With the public key and the key, it can be encrypted and decrypted.

(1) Encrypt to use public key (N,e)

Suppose Bob is going to send Alice an encrypted message m, he will encrypt m with Alice's public key (N,e). It is important to note that M must be an integer (the string can take an ASCII or Unicode value) and M must be less than N.

The so-called "encryption" is to calculate the following formula C:

Me≡c (mod n)

Alice's public Key is (3233, 17), Bob's M hypothesis is 65, then the following equation can be calculated:

6517≡2790 (mod 3233)

So, C equals 2790, Bob sends 2790 to Alice.

(2) Decryption to use the private key (N,d)

After Alice gets 2790 of Bob's hair, she decrypts it with her private key (3233, 2753). It can be proved that the following equation must be true:

Cd≡m (mod n)

In other words, the remainder of the d of C divided by N is M. Now, C equals 2790, the private key is (3233, 2753), so Alice calculates

27902753≡65 (mod 3233)

So Alice knew that Bob's original text before the encryption was 65.

At this point, the entire process of "encryption-decryption" is complete.

We can see that if D is not known, there is no way to find m from c. As already said, to know that D must decompose N, which is extremely difficult to do, so the RSA algorithm to ensure the security of communications.

You might ask, if the public key (N,e) can only encrypt an integer m less than n, what if you want to encrypt an integer greater than n? There are two solutions: one is to divide the long information into several short messages, each of which is encrypted, and the other is to select a "symmetric encryption algorithm" (such as DES), encrypt the information with the key of the algorithm, and then encrypt the DES Key with the RSA public key.

Nine, the proof of private key decryption

Finally, let us prove that why the private key decryption, must be able to correctly get m. This is the proof of the following equation:

Cd≡m (mod n)

Because, according to the encryption rules

Me≡c (mod n)

Thus, C can be written in the following form:

c = me-kn

Put C into the decryption rule that we want to prove:

(me-kn) d≡m (mod n)

It's equivalent to proving

Med≡m (mod n)

Because

Ed≡1 (modφ (n))

So

ed = hφ (n) +1

Put Ed into:

Mhφ (n) +1≡m (mod n)

Next, there are two cases to prove the above equation.

(1) m and N coprime.

According to Euler's theorem, at this point

Mφ (n) ≡1 (mod n)

Get

(Mφ (n)) hxm≡m (mod n)

The original has been proved.

(2) m and n are not coprime relations.

At this point, because n equals the product of the prime number p and Q, m must be equal to KP or KQ.

Take m = KP as an example, considering that at this point K and Q are bound to coprime, then according to Euler theorem, the following formula is established:

(KP) q-1≡1 (mod q)

Further to get

[(KP) q-1]h (p-1) XKP≡KP (mod q)

That

(KP) ED≡KP (mod q)

Change it to the equation below.

(KP) ed = tq + KP

T must be divisible by P, i.e. t=t ' p

(KP) ed = T ' PQ + KP

Because M=KP,N=PQ, so

Med≡m (mod n)

The original has been proved.

RSA algorithm (two)