Public-Key Encryption schemes allow us to encrypt arbitrary messages. Whilst a number of proposals have been made over the years, only those based on exponentiation in various finite fields are still secure. This is a worry! It also shows just how difficult it has been to find suitable asymmetric problems to use.
RSA is the best known, and by far the most widely used general public key encryption algorithm. The main hinderance to its further use are legal concerns over its patent status (expired some places, soon to be elsewhere, and likely invalid in others still).
p, q
N=p.q
e, where
e<N, gcd(e,ø(N))=1
d:
e.d=1 mod ø(N) and 0<=d<=N
Kr={er,Nr}
K-1r={d,p,q}
This key setup is done once (rarely) when a user establishes
(replaces) their public key. The exponent e is usually fairly
small, just must be relatively prime to ø(N). Need to compute its inverse to
find d. It is critically important the {d,p,q} are all kept
secret, since if any become known, the system can be broken. Note that
different users will have different modulii N.
p, q
e to be a small
number
ø(N)
e may be the same for all users
3 was suggested
216-1 = 65535 is often used
d will then be large
Note here some caveats on the selection of RSA parameters. Further suggestions have been made about "strong RSA" primes, which may or may not improve security (they concern the makeup of p-1 & q-1).
Kr={er,Nr}
C=Mer mod
Nr, where 0<=M<N
K-1r={d,p,q}
M=Cd mod Nr N = pq where p, q are primes,
then:Xø(N) = 1 mod N
gcd(x,ø(N))=1
e.d=1+q.ø(N)
M = Cd = Me.d =
M1+q.ø(N) =
M1.(Mø(N))q =
M1.(1)q = M1 mod N N=11*47=517
ø(N) = (p-1)(q-1) = 10*46 = 460
3
GCD(3,ø(N)) = GCD(3,460) = 1
d by solving:e.d=1
mod ø(N) where 0<=d<=N
d=Inverse(3,460)=307 by Euclid's alg
K=(3,517)
K-1=(307,11,47) M = 26
C = 263 mod 517 = 515
M = 515307 mod 517 = 26
Would need to use general inverse alg to compute d, and "square and multiply" for all exponentiations.
N
| Decimal Digits in N | #Bit Operations to Factor N |
| 20 | 7.20e+03 |
| 40 | 3.11e+06 |
| 60 | 4.63e+08 |
| 80 | 3.72e+10 |
| 100 | 1.97e+12 |
| 120 | 7.69e+13 |
| 140 | 2.35e+15 |
| 160 | 5.92e+16 |
| 180 | 1.26e+18 |
| 200 | 2.36e+19 |
| Decimal Digits | Bits | When | MIPS-Years | Alg Used |
| 100 | 332 | Apr 91 | 7 | Quadratic Sieve |
| 110 | 365 | Apr 92 | 75 | Quadratic Sieve |
| 120 | 398 | Jun 93 | 830 | Quadratic Sieve |
| 129 | 428 | Apr 94 | 5000 | Quadratic Sieve |
| 130 | 431 | Apr 96 | 500 | Number Field Sieve |
| 140 | 464 | Feb 99 | 1500 | Number Field Sieve |
Original RSA inventors proposed a challenge published in Scientific American in 1977 for US$100 reward. This was for a 129 digit number, and was broken (and the prize claimed) in 1994. Subsequently RSA Labs have issued a series of challenges, complementing their DES/RC-5 challenges for 110, 120, 130, 140 etc digit numbers. nb. A MIPS-year is 3x1013 instructions/year.
These are both esorteric approaches that would come into play if exceed 2000 digits, till then the conventional approach is best.
M = Cd mod R
M1 = M mod p = (C mod p)d mod (p-1) M2 = M mod q = (C mod q)d mod (q-1)
M = M1 mod p M = M2 mod q
M = [((M2 +q - M1)u mod q] p + M1 where p.u mod q = 1
Using the Chinese Remainder Theorem though is a well known
and fairly widely used method for speeding up decrpytion/signature
calculations, by working mod p, mod q separately and then
combining the results. Remeber speed of exponentiation is proprtional to the
cube of the size of the numbers! Of course, you have to know p,
q which means only the key owner can do this.
These figures are all rather dated now. Need an update!!! Key difference is mostly between small end-user systems (PC's to smartcards) which have to do single computations "fast enough" not to annoy user, ie < few secs; to large systems which have to support many users, and hence have to do multiple computations in (pseudo) parallel and still be "fast enough".
El Gamal is the major alternative to RSA for public key encrpytion use. Whilst there is some patent coverage, it is much less encumbered, and hence has been preferred where patent issues were of concern.
p, and
a a primitive element mod p
xB
yB = axB mod p
Note that key setup is identical to Diffie-Hellman, each user chooses a random secret number and "protects" it using exponentiation.
0<=k<=p-1
K = yBk mod p C = {C1,C2}
C1 = ak mod p
C2 = K.M mod p k should be destroyed after use
The idea with encryption is basically to choose another
random key, protect it, then use it to scramble the message by multiplying
the message with it. Two bits of info have to be sent: the first to recover
this temporary key, the second the actual scrambled message. Note that all
trace of the temporary key k should be destroyed once its been
used.
K = C1xB mod p =
ak.xB mod p M = C2.K-1 mod p
Decryption consists of recovering the temporary key
K (in a manner very similar to the DH shared secret), and then
recovering the message by solving the same equation, this time by dividing
by K, ie mult with inverse of K.
p=97 with primitive root a=5
xB=58 &
computes & publishes his public
key:yB=558=44 mod 97
M=3 to Bob
yB=44
k=36 and computes the stream
key:K=4436=75 mod 97
C1 = 536 = 50 mod 97
C2 = 75.3 mod 97 = 31 mod 97 {50,31} to Bob
K=5058=75 mod 97
K-1 = 22 mod 97
M = 31.22 = 3 mod 97
This examples illustrates the use of ElGamal encryption & decryption. Would need to use the general inverse alg to compute K-1, and of course the "square and multiply" alg for all exponentiations.