Introduction
RSA is one of the first public-key cryptosystems, whose security relies on the conjectured intractability of the factoring problem. It was designed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman (hence the name). You may read the original RSA paper here. While many people believe RSA to be the first public-key encryption, British mathematician Clifford Cocks invented an algorithm equivalent to RSA earlier in 1973, but this remained classified until 1997.
Asymmetric (public-key) cryptography relies heavily on number theoretic functions, and it is quite different from symmetric algorithms such as DES or AES. In a symmetric system, the same secret key is used for both encryption and decryption.
Figure 1: Principle of symmetric-key encryption |
This means that if Alice and Bob want to communicate using private-key encryption, they must find a way to establish the secret key over a secure channel first. This is known as the key distribution problem. Furthermore, the number of keys can become large fast: if we require each pair of users to have a separate pair of keys, a network with users would need a total of $$ \stc{n}{2} = \frac{n\cdot(n-1)}{2} $$ key pairs. For a corporation comprised of 1000 people, this amounts to about half a million keys that need to be generated and distributed securely to the individuals. Increase the number of users to 2000, and we’re looking at 2 million keys in total.
Asymmetric encryption overcomes these drawbacks (and a few others), as keys can be generated on the fly and the public key can be shared over insecure channels. In this article we will discuss the underlying mathematical theory, implement the unpadded RSA algorithm, and prove its correctness.
Mathematical Background
The mathematics behind RSA can be elegantly stated in the language of group theory. For simplicity, we introduce two classical theorems that are at the heart of the algorithm. The first one is due to Pierre de Fermat:
Theorem (Fermat’s Little Theorem, 1640) Suppose is prime and is any integer. Then $$ a^p \equiv a \md p. $$
This was first proved by Euler about a hundred years later, in 1736. Euler continued exploring the topic, and eventually provided the following generalization:
Theorem (Euler’s Theorem, 1763) Suppose and are coprime positive integers. Then $$ a^{\phi(n)} \equiv 1 \md n. $$
Here is Euler’s totient function, which is defined as $$ \phi(n) = \text{# of positive integers less than $n$ that are relatively prime to $n$}. $$
We provide proofs for these theorems in the mathy bit section. For implementing RSA, we need to know the following properties of :
- for any prime , we have , and
- for distinct primes and , $$ \phi(pq) = \phi(p) \phi(q) = (p-1)(q-1), $$
both of which can be easily derived using a counting argument.
The Algorithm
There are three main steps involved in RSA encryption:
- Public and secret key generation
- Encryption
- Decryption
Key Generation
Choose and to be two distinct (and large) primes, and compute $$ n = pq \quad \text{and} \quad \phi = \phi(n) = (p-1)(q-1). $$
To construct the public key, find any element that is coprime to , so that is an element of the group . The public key is the pair .
To find the secret key, take the inverse of in the group , i.e. $$ d = e\inv \md \phi. $$
Notice how computing the secret key would be impossible if we didn’t require , a necessary condition in order for to be invertible modulo .
Encryption
Suppose Alice wants to encrypt a message and send the ciphertext to Bob. Bob first generates a pair and provides Alice with the , which she uses to encrypt via $$ \enc(m) = m^e \mod n = c. $$
The key Alice uses does not need to be secret. Bob can provide this information over an insecure channel.
Decryption
Bob receives the ciphertext back from Alice, and uses his matching secret key to retrieve the plain text: $$ \dec(c) = c^d \mod n = m. $$
Notice how, although Bob can reveal , he never reveals . Doing so would make it very easy to compute his secret key by inverting .
Implementation
Java (BigInteger)
Java’s java.math.BigInteger
class provides all the methods necessary for implementing unpadded RSA. To initialize the values for and , one needs an instance of java.util.Random
, then use the appropriate BigInteger constructor. Here are the necessary imports:
Setup
The first step is initializing the RSA primes. If we want to be bits long, the code would be:
Notice how we made and to be 64 bits each. This is to ensure that is 128-bit. In general, if we multiply an -bit integer to a -bit integer, the upper bound for the product is $$ (2^a - 1)(2^b - 1) = 2^{a+b} - 2^a - 2^b + 1 \leq 2^{a+b} - 1, $$ so it would require at most bits.
If we take a look at the documentation for the BigInteger class, we see that the certainty
parameter influences the probability that the generated numbers are actually prime. In particular, the generated and are prime with probability
$$
1 - \frac{1}{2^\text{certainty}}
$$
Because of the sheer size of the integers involved, it is computationally infeasible to actually try to factor and in order to ensure with 100% certainty that they are prime. Instead, some variation of the Miller–Rabin primality test is used to verify that these randomly chosen BigInteger are prime with some probability.
For example, a certainty value of 4 would yield a prime with 93.75% probability (very bad!). The primality test is not very expensive computationally, so we picked a default value of 20. However, for production-level security we would use something larger in the 50-100 range.
Key Generation
Since we want the public key to be in the group , we generate a (positive) random BigInteger that occupies the same number of bits as , until we find one from the group. The BigInteger class provides two methods for doing so, with slight differences:
phi.bitCount()
, which returns the number of bits in the two’s complement representation of that differ from its sign bit.phi.bitLength()
, which returns the number of bits in the minimal two’s-complement representation of , excluding a sign bit.
We want the second function. In the implementation, we actually have occupy one bit less than , in the hopes to gain some speed and ensure we are inside the group. However, this is not the most secure approach.
Finding the secret key is straightforward:
Encryption and Decryption
Once the system is set up, encrypting and decrypting are both very easy to implement. Suppose we wanted to encrypt the variable message
, which is of type BigInteger
. We’d do:
which can be recovered very easily by
If we wanted to encrypt a message that is comprised of actual text (like an email), we’d have to first have a mapping between characters and numbers (e.g. their ASCII code), with padding so that each possible character encodings have the same size. Next, concatenate the encoded characters to obtain an encoded (but easily recoverable) message. Finally, break up the fully encoded message into equal sized blocks that are at most bits
long (with padding if necessary), and encrypt each block using the code above. Implementing this is beyond the scope of this article, and is left to the reader.
Java with java-gmp
The GitHub repository includes a modified version of the code above which uses the java-gmp library for computing parts of the algorithm. In particular, prime generation, GCD, modular exponentiation, and modular inversion have all proven to be faster when using native GMP calls over Java’s BigInteger methods.
Here’s a comparison of executing times for RSA object initialization, as well as the encryption/decryption cycles, as calculated by the TestRSA.java
class:
Python (gmpy2)
RSA can be easily implemented in Python, but it is desirable to use a library that allows for multiple-precision integer arithmetic. One good option is gmpy2
(see documentation here). The following imports are necessary:
Let’s set up the parameters for our encryption, and the necessary variables. For prime generation, gmpy2 also requires a random state object. Furthermore, we define a separate function to generate primes, making our code shorter:
Below is the rest of the code, as well as encrypting and decrypting a test message:
Below is some sample output from the code:
The Mathy Bit
Group Theoretic Results
Let’s go ahead and prove some of the mathematical theory behind the RSA. We assume the reader is familiar with basic concepts from group and ring theory. In particular, we provide Lagrange’s theorem without proof.
Lemma 1 (Lagrange’s theorem) If is a finite group, and is a subgroup of , then divides .
Lemma 2 If is a finite group and , then , the identity element.
Proof. Let be the (cyclic) subgroup generated by of order , and . By Lagrange, we have for some integer , and so $$ a^{|G|} = a^{rk} = (a^r)^k = e^k = e. $$
Lemma 3 Let be a finite abelian group. Then for any and any integer , $$ a^{k} = a^{k \mod |G|} $$
Proof. Let be an abelian group of order , and pick any . For any , we may write for some . Notice that , so $$ a^k = a^{nq+r} = a^{nq} a^r = e a^r = e^r = e^{k \mod |G|}. $$
Now that we have these prerequisites, let’s show that RSA is correct.
Correctness of RSA
The ciphertext is given by . To see why the decryption algorithm recovers the message , recall that . In other words, and we may write for some integer . The decryption algorithm then gives $$ c^d \equiv (m^e)^d = m^{ed} = m^{1+k\phi(n)} = m \cdot (m^{\phi(n)})^k \md n, $$
and if , Euler’s theorem immediately gives the desired result, and RSA is correct for any message in the group . But what if we want to work with the entire group ? After all, the original RSA paper doesn’t say anything about restricting the message space to elements coprime to .
Suppose and . Then one and only one of may divide (otherwise would be too large to belong to the group). Let’s assume WLOG that , but that .
By the Chinese Remainder Theorem, we have a ring isomorphism between and the direct product . In other words, every corresponds to a unique solution to a system of congruences of the form $$ m \md n \longleftrightarrow \begin{cases} m \equiv a_p \md p \\ m \equiv a_q \md q \end{cases} $$
where and . Since divides , this system has a simpler form $$ m \md n \longleftrightarrow \begin{cases} m \equiv a_p \md p \\ m \equiv 0 \md q \end{cases} $$
Looking at , let’s show that it maps to the same system under our ring isomorphism. First, reduces to 0 modulo . What about modulo ? Notice that $$ m^{ed} \equiv a_p^{ed} \md p $$
where is nonzero, and thus relatively prime to . Write , which is congruent to modulo , which is the order of the group . Invoking Lemma 3, we have $$ m^{ed} \equiv a_p^{ed} \equiv a^{ed \mod \phi(p)} \equiv a_p^1 = a_p \md p $$
Therefore is the unique solution to the system $$ \begin{cases} m^{ed} \equiv a_p^{ed} \equiv a_p \md p \\ m^{ed} \equiv 0 \md q \end{cases} $$
which a priori had as a solution modulo . Therefore , which concludes the correctness proof.
Fermat’s Little Theorem
For any prime and any integer , we have .
Proof. This is trivial for , so let’s assume is nonzero. Since , we can work inside the multiplicative group of order . Invoking Lemma 3, we have $$ a^p = a^{p-1} a \equiv a \md p $$ as desired.
Euler’s Theorem
Suppose and are coprime positive integers. Then $$ a^{\phi(n)} \equiv 1 \md n $$
Proof. As in the FLT proof, we work inside , and since , we actually have , a multiplicative group of order . The result follows immediately from Lemma 3.
An alternate way to see this, without making use of Lemma 3, is to enumerate all the elements of the group : $$ G = \prc{x_1, x_2, \dots, x_{\phi(n)}} $$
Taking has the effect of permuting the elements in (otherwise if and , we’d have , a contradiction), so as sets. But then $$ \prod_{i=1}^{\phi(n)} x_i = \prod_{i=1}^{\phi(n)} ax_i = a^{\phi(n)}\prod_{i=1}^{\phi(n)} x_i $$
which implies is the identity element in .
Security of RSA
If the numbers are both very large, the ciphertext appears random and unrelated to . However, RSA is deterministic (in the sense that encrypting the same always gives the same ciphertext), which allows an attacker to build a dictionary. There are other encryption schemes where this is not the case.
Another way an attacker can break RSA is to successfully factor as . Currently there is no known algorithm that can do this in polynomial time for large numbers (bigger than ). The best known general algorithm to date is the General Number Field Sieve, whose complexity is $$ \exp\pr{\pr{\sqrt[3]{\frac{64}{9}} + o(1)} b^{1/3} \pr{\ln b}^{2/3}} $$
for a number that is bits large. This algorithm is sub-exponential, but still super-polynomial.
In cryptography, there are formal definitions for correctness. We also have precise notions of semantic security (a way to measure the knowledge gain from a ciphertext when considering background knowledge) and ciphertext indistinguishability (which does not take into account background knowledge when measuring gain). It turns out the last two are equivalent.
While going into the details is beyond the scope of this article, it is worth mentioning that deterministic algorithms like RSA are not semantically secure. Even though cannot be factored in polynomial time, encrypting the message space using the public key is doable in polynomial time. Furthermore, unpadded RSA is not indistinguishable against eavesdropping attacks.
This issue does not exist for probabilistic encryption schemes like ElGamal, which we will discuss in a future article.