# RSA Public Key Cryptosystem

RSA is the most commonly used public key cryptosystem.

It can be used for
1. Public key encryption and
2. Digital signatures.

It was invented in 1977 by Ronald L. __R__ivest, Adi __S__hamir, and Leonard M. __A__dleman.

The security of the RSA public key cryptosystem is based on the difficulty of factoring a large integer composite.




## RSA Public Key Encryption

There are 3 different algorithms for
1. Key pair generation
2. Message encryption
3. Cipher decryption

### Key Pair Generation

(1) Choose at random two large distinct prime numbers of equal size as $p$ and $q$.

> Remember the criteria for security:
> 1. Numbers must be selected randomly
2. Numbers must be large
3. Numbers must be distinct (not equal)
4. Numbers must be of equal size 
5. Numbers must be prime
6. Numbers must be kept secret

> How large is large? It used to be
> 1. 512 bit-length for short-term
2. 1024 bit-length for medium-term
3. 2048 bit-length for long-term

> At present, the recomended sizes are
> 1. 1024 bit-length for short-term
2. 2048 bit-length for medium-term
3. 4096 bit-length for long-term

(2) Compute the prime composite $n$ as <font color=blue>$n = p*q$</font>.

> The value $n$ is used as the __modulus__ for all modulo arithmetic operations.

> The size of $n$ expressed as a bit-length is the __key length__ of the RSA cryptosystem.

> $n$ is a public value.

(3) Compute the Euler Totient Function value of $n$ as <font color=blue>$\phi(n) = (p-1)*(q-1)$</font>.

> The value $\phi(n)$ must be kept secret.

(4) Choose an integer $e$ such that 
> 1. $1 < e < n$ and 
2. greatest common divisor $gcd(e, \phi(n)) = 1$.

> That is, $e$ and $\phi(n)$ must be coprimes.

> $e$ is a public value.

> It is common to select a prime number such as $2^{16} + 1$ as the $e$ value. 


(5) Compute $d$ such that <font color=blue>$d*e \mod \phi(n) = 1$</font>. 

> $d$ is the modular multiplicative inverse of $e$ with modulo $\phi(n)$. 

> $d$ is a secret value.

After the key pair generation, we must __securely dispose (or destroy) the values $p$, $q$, and $\phi(n)$__.

> The public key is the value pair $(e,n)$.

> The secret key is the value $d$.

### Message Encryption

Divide the original message $M$ into a set of blocks $M_0, M_1, M_2, \ldots$ so that each block $M_i$ can be converted to a number $m_i$ such that $m_i < n$.

Compute the encrypted blocks $c_0, c_1, c_2, \ldots$ with the public key $(e,n)$ of the __receiver__ as <font color=blue>$c_i = m_i^e \mod n$</font>.

Transmit the encrypted blocks $c_0, c_1, c_2, \ldots$ as the encrypted message $C$ to the owner of the secret key.

### Cipher Decryption

Divide the encrypted message $C$ back into blocks $c_0, c_1, c_2, \ldots$ of the same block size used in the encryption process.

Decrypt each block $c_i$ with the secret key $d$ of the __receiver__ by computing as <font color=blue> $m_i = c_i^d \mod n$</font>.

Assemble the decrypted blocks $m_i$ together after converting them to $M_i$ to get the original message $M$.


### RSA example with small values

In [23]:
##### print("Key Pair Generation")
print("-------------------")
p = 5
q = 7
n = p*q
print("p =",p, "and", "q =", q)
print("modulus n =",n)
phi_n = (p-1)*(q-1)
print("phi(n) =",phi_n)
e = 5
print("Is e =",e," and phi(n) =",phi_n,"coprime?")
d = 5
print("Is d =", d, " a modular multiplicative inverse of e =", e, "?", (d*e % phi_n) == 1)
print("public key {e,n} is {",e,",",n,"}")
print("secret key {d} is {",d,"}")

-------------------
p = 5 and q = 7
modulus n = 35
phi(n) = 24
Is e = 5  and phi(n) = 24 coprime?
Is d = 5  a modular multiplicative inverse of e = 5 ? True
public key {e,n} is { 5 , 35 }
secret key {d} is { 5 }


In [24]:
print("Message Encryption")
print("------------------")
m = 12
print("message m =",m)
c = m**e % n
print("ciphertext c =",c)

Message Encryption
------------------
message m = 12
ciphertext c = 17


In [25]:
print("Ciphetext Decryption")
print("--------------------")
print("ciphertext c =",c)
m1 = c**d % n
print("plaintext m1 =",m1)
print("Have we recovered the original message?",m1 == m)

Ciphetext Decryption
--------------------
ciphertext c = 17
plaintext m1 = 12
Have we recovered the original message? True


### <font color=red>Quick Exercise 1</font>

For the prime numbers 7 and 19, 
1. what is the public key?
2. what is the secret key?
3. what is the ciphertext for plaintext given as number 6?

_Make a note of your answers to these questions, as you will need to enter them as part of your CA quizzes._

In [1]:
def encrypt_cipher(m,e,n):
    return m**e%n

def decrypt_cipher(c,d,n):
    return c**d%n

In [7]:
def is_coprime(p,q):
    while q != 0:
        p, q = q, p%q
    return p==1

# QUICK EXERCISE 1
p = 7
q = 19
# BEGIN SOLUTION
n = p*q # 133
phi_n = (p-1)*(q-1) #108
print("n = "+str(n)," phi_n = ",str(phi_n))

# Define e as a prime
e=65
if(is_coprime(e,phi_n)):
    print(str(e)+" and phi_n "+str(phi_n)+" are co-primes")
#calculate d using phi_n,e
i = 1
d=1 #5
while(True):
    if((phi_n*i+1)%(e)==0):
        d= (phi_n*i+1)/(e)
        break
    i+=1
print("Public key : (e,n) ("+ str(e)+","+str(n)+")")
print("Private Key : d = "+ str(d)) 
# Encrypt using public key
m=6
c = m**e%n # 55
print("For m="+str(m)+" , c= "+str(c))
# END SOLUTION

m1= c**d%n
print(m)

n = 133  phi_n =  108
65 and phi_n 108 are co-primes
Public key : (e,n) (65,133)
Private Key : d = 5.0
For m=6 , c= 55
6


# Calculate D 

In [3]:

pn = 108
e = 65
i = 1
d=1
while(True):
    if((pn*i+1)%(e)==0):
        d= (pn*i+1)/(e)
        print(d)
        break
    i+=1

5.0


# Cyphertext

In [5]:
print(encrypt_cipher(6,65,133))

55


In [6]:
print(decrypt_cipher(55,5,133))

6


### Proof of RSA Public Key Encryption

We _showed_ by numerical examples that a plaintext $m$ encrypted as $c = m^e \mod n$ can be recovered through the decryption of the ciphertext as $m = c^d \mod n$.

How can we _prove_ that decryption always compute correctly so that $(m^e \mod n)^d \mod n = m$?


$(m^e \mod n)^d \mod n$

> $= ((m^e)^d \mod n) \mod n$ as $ \mod n$ operation can be done for partial results or for the final result.

> $= (m^e)^d \mod n$ as after the first $ \mod n$ operation, the result would be the same for any number of modulo operations.

> $= m^{ed} \mod n$ as exponentiation of an exponentiation is the exponentiation by the multiplication of exponents.

> $= m^{1 \mod \phi(n)} \mod n$ as $d*e \mod \phi(n) = 1$.

> $= m^{k \phi(n) + 1} \mod n$ for some integer $k$.

> $= (m^{k \phi(n)} m^1) \mod n$ as exponentiation by additive exponents is the multiplication of exponentiations with individual components.

> $= (m^{k \phi(n)} \mod n) (m \mod n)$ as noted above for application of $ \mod n$ operations.

> $= (m^{{\phi(n)}^k} \mod n) (m \mod n)$ as noted above for exponentiation of exponentiations.

> $= (m^{\phi(n)} \mod n)^k (m \mod n)$ as noted above for application of $ \mod n$ operations.

According to <font color=blue>__Fermat's Little Theorem__</font> 

$m^{\phi(n)} \mod n = 1$ when $m$ and $n$ are coprimes (that is, when they do not share any factors other than $1$).

> $= (1)^k (m \mod n)$ as factors of $n$ are the primes $p$ and $q$ with the __assumption__ that $m$ does not have these primes as it's factors.

> $= m \mod n$ as $1^k = 1$ for any integer $k$.

> $= m$ as length $m$ of is selected so that $m < n$.

### <font color=red>Quick Exercise 2</font>

How can we ensure that the assumption $m$ does not have the primes $p$ and $q$ as it's factors remains true?

_Make a note of your answers to these questions, as you will need to enter them as part of your CA quizzes._

Select m as a number less than min(p,q). Then m does not have p,q as its factors. 
Since n only have p and q as factors, there are no any common factors for m and n.
Therefore m and n are co-primes.

Since m and n are co-primes, they does not share any common factors.

n = p x q. Therefore factors of n = 1,p,q

let factors set of m = A = {m1,m2,...}

since m and n are co-primes, p,q does not belongs to set A.

Therefore m does not have p,q as it factors.

### Security of RSA Cryptosystem

The security of RSA cryptosystem is based on the number theoretic problem called the __Integer Factorization Problem__.

_For a given integer $n$ computed as the product of 2 distinct prime numbers $p$ and $q$, it is computationally intractable to find the factors $p$ and $q$ for sufficiantly large prime numbers._

What would happen if and when integer factorization is computationally feasible?

1. __If integer factorization is practical__, then for a given prime composite $n$, compute the factors $p$ and $q$ by factorizing $n$.
2. Compute the Euler Totient Function value of $n$ as $\phi(n) = (p-1)*(q-1)$.
3. Compute the secret key $d$ such that $d*e \mod \phi(n) = 1$ using the public key value $e$.

## RSA Digital Signature

There are 3 different algorithms for
1. Key pair generation - this is the same as for RSA public key encryption
2. Message signing
3. Signature verification

### Message Signing

#### Message signing with message recovery
This scheme is used when the message $M$ can be mapped directly to a number $m$ with $m < n$.

Sign the mapped value $m$ with the secret key $d$ of the __signer__ by computing the signature $\sigma$ as <font color=blue> $\sigma = m^d \mod n$</font>.

The signed message is simply the signature $\sigma$ only.


#### Message signing without message recovery
Using a cryptographically secure hash function $H$, compute the hash value $h = H(M)$.

Sign the hash value $h$ with the secret key $d$ of the __signer__ by computing the signature $\sigma$ as <font color=blue> $\sigma = h^d \mod n$</font>.

The signed message is the message and signature pair $(M,\sigma)$.


### Signature Verification

#### Verifying message signed for message recovery
First check if the received signed message $\sigma$ satisfies the condition $\sigma < n$.

Compute the recovered message $m'$ with the public key $(e,n)$ of the __verifier__ as <font color=blue>$m' = \sigma^e \mod n$</font>.

The signature verifier must be capable of determining if the recovered message $m'$ is in fact the original signed message $m$.

#### Verifying message-signature pair
Assume that the verifier has received the signed message $(M',\sigma)$.

Using a cryptographically secure hash function $H$, compute the hash value $h' = H(M')$.

Compute the value $h$ with the public key $(e,n)$ of the __verifier__ as <font color=blue>$h = \sigma^e \mod n$</font>.

Finally, check the condition $h = h'$ and accept the signature as valid if true, else the signature is invalid.

### Is RSA signing same as RSA decryption?

There is a tendency to erroneously view RSA signing operation as applying the RSA decryption function to the plaintext message $m$ (and correspondingly, signature verification as RSA encryption of the ciphertext message $c$.

This view is due to the use of <font color=blue>Textbook RSA</font> as described earlier.

In practice, the signature generation uses a standard __PKCS#1__ that defines the parameters, algorithms, and encoding schemes used in the signature generation.

### <font color=red>Quick Exercise 3</font>

What is the <b>main reason</b> for using a standard scheme such as PKCS#1 rather than direct RSA computation?<p>
<i>Make a note of your answers to these questions, as you will need to enter them as part of your CA quizzes.<i>

Using a standard scheme, it can make different application from different vendors work with each other by enabling secure information exchange via public communication methods by using a public key infrastructure.