
I don't quite get the algorithm yet. Sometimes it works and other times it doesn't, so clearly I am overseeing or misunderstanding something.

I will just write what I did. My $N=143$ and has factors $p=11$, and $q=13$. To determine my second public number: $R=(p-1)(q-1)= 10 \cdot12=120$. So the second number can not be a factor of $120$. I figured $e=7$ would be fine.

I simply want to send the message $7$. So $7^7 \bmod 143 = 6$ will be my message.

My friend wants to decode it and needs to exponentiate this number by $d$. $d=\frac{R+1}{e}=121/7$. But this should be a natural number, right?

I noticed it doesn't work for $e=9$ either, even though it is not a factor of $120$. It does work for $e=11$.

Should $e$ be chosen so that it is a factor of $R+1$?

2 Answers

For textbook RSA, we have

Key-Gen

  • The modulus $n$ must be a product of two distinct random large primes due to the security, $n = p \cdot q$

    in your case $n=143 = 11\cdot 13$

    For finding the primes, the probabilistic Miller–Rabin primality test should be enough. Note that the Miller–Rabin primality test is probabilistic: a composite output is always true, while a prime output has a probability determined by the number of iterations $k$;
    $$\Pr( p\text{ is not prime} ) \ll \frac{1}{4^k}$$
    and this can be stated as
    $$\log_2(\Pr( p\text{ is not prime} ))\ll-2k$$
    This is a rough calculation, and as noted by fgrieu, the probability approaches 0 as the size of the number to be tested increases. The FIPS 186-4 table C.3 provides specific numbers for $k$;

    • for 512 bits gives $k=7$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$,
    • for 1024 bits gives $k=4$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$, and
    • for 1536 bits gives $k=3$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$.
  • The factors of modulus are $p=11$ and $q =13$

  • $\varphi(n) = (p-1)(q-1)$, in your case $\varphi(143) = 10\cdot 12 = 120$,

    Actually, we prefer $\lambda(n) = \operatorname{lcm}(p,q)$ and this will give us the smallest private exponent. That can be helpful for signature calculation speed, and actually, one should use the CRT method (see the last bullet of Key-Gen).

    The relation is
    $$\varphi(n)=\lambda(n)\cdot\gcd(p-1,q-1)$$
    and this implies that $\lambda(n) \mid \varphi(n)$.

  • The public exponent $e$ is chosen relatively prime to $\varphi(n)$, so $e=7$ is fine. Normally $e$ is chosen in advance from $\{3, 5, 17, 257, 65537\}$. If $\gcd(e,\varphi(n)) \neq 1$ then a new modulus is generated.

    $(n,e)$ makes the public key to distribute.

  • The private exponent $d$ is the inverse of $e$ modulo $\varphi(n)$, i.e. $d\cdot e \equiv 1 \bmod \varphi(n)$; in your case $d=103$. This can be computed with the Ext-GCD, which results in a Bézout's identity $ e \cdot x + n \cdot k =1$. Reduce modulo $n$; then $x$ is the inverse of $e$.

    $(n,e,d,p,q, d_p, d_q, q_{inv})$ is your private key. One can use CRT to speed up the decryption up to 4 times.

Encrypt

  • $c = m^e \bmod n$

    The $m \in [0,n)$, otherwise after the decryption one will get an equivalence class representative of $m$ less than $n$.

Decrypt

  • $m = c^d \bmod n = (m^{e})^{d} \bmod n = m^{ed} \bmod n = m$

Example

  • $m = 7$ then $c = 7^7 \pmod{143} = 6$

  • $m = 6^{103} \pmod {143}= 7$


Notes:

  1. There is also multi-prime RSA where the large prime factors of $n$ are more than 2.
  2. Textbook RSA is not secure; one should never use it without a proper padding scheme. One is the PKCS#1 v1.5 padding scheme and the other is RSA-OAEP. RSA-OAEP has a security proof and PKCS#1 v1.5 has not. PKCS#1 v1.5 has had many attacks over the years and should not be used.

  3. RSA (actually any public-key encryption) is not preferable due to its speed. We prefer hybrid encryption schemes like RSA-KEM as the Key Encapsulation Mechanism, then encrypt the data with AES-GCM or ChaCha20-Poly1305 as the Data Encapsulation Mechanism; use a 256-bit key with AES, preferably.

    With this composition of a KEM and a DEM, one can achieve IND-CCA2/NM-CCA2—ciphertext indistinguishability and nonmalleability under adaptive chosen-ciphertext attack.

kelalaka

(1) $p$ and $q$ are chosen as $p = 11, q = 13$, then $n = pq = 143$.

(2) $\lambda (n) = \lambda (143) = \operatorname{lcm}(p-1, q-1) = \operatorname{lcm}(10, 12) = 60$.

(3) Find $e$ such that $\gcd(e, \lambda(n)) = 1$, which means $e$ is coprime with $\lambda(n)$; choose $e = 7$, since 7 and 60 have no common divisor other than 1.

(4) Find $d$, that $de \equiv 1 \pmod {\lambda(n)}$, choose $d = 43$, since $de = 43 \times 7 = 301$, and $301 \equiv 1 \pmod {60}$.

(5) So, public key is $(e = 7, n = 143)$, private key is $(d = 43)$.

(i) Encrypt specific $(m = 7)$ with public key $(e = 7, n = 143)$:

$$c = m^e \pmod n = 7^7 \pmod {143} = 823543 \pmod {143} = 6.$$

(ii) Decrypt $c$ (= 6) with private key $(d = 43)$:

$$m = c^d \pmod n = 6^{43} \pmod {143} = 2887378820390246558653190730940416 \pmod {143} = 7.$$

How does RSA work? I will use $(k_1, k_2, k_3, \ldots)$ to represent integers whose values we don't care about.

Consider a plain message $m$ ($m < p$, $m < q$), thus $m$ is coprime with $n$ ($= pq$). $e$ and $d$ are chosen such that $ed \pmod {\lambda (n)} = 1$; assume $ed = k_1 \lambda (n) + 1$.

$$m^{ed} = m^{k_1 \lambda (n) + 1} = {(m ^ {\lambda(n)})}^{k_1} m.$$

By the definition of the Carmichael function, $m ^ {\lambda (n)} \equiv 1 \pmod n$; assume $m ^ {\lambda(n)} = k_2 n + 1$.

$$m ^ {ed} = (k_2 n + 1) ^ {k_1} m = (k_3 n + 1) m \equiv m \pmod n.$$

So:

$$m ^ {ed} \pmod n = m.$$

When encrypting, $c = m ^ e \pmod n$; assume $m ^ e = k_4 n + c$, then:

$$m ^ {ed} = (k_4 n + c) ^ d = (k_5 n + c ^ d) \equiv c ^ d \pmod n.$$

Since we already know $m ^ {ed} \pmod n = m$, we get:

$$c ^ d \pmod n = m.$$

That is the decryption process.

And with a chosen $(e, d)$, obviously, for any integer $k_1 \ge 0, k_2 \ge 0$, the $(e + k_1 \lambda (n), d + k_2 \lambda (n))$ key serials are all valid and equivalent.

How can a hacker peek at your message? Anyone will know the public key ($e$, $n$); if he wants to decrypt the ciphertext, he must know $d$, which means he must find out $p$ and $q$ such that $n = pq$; then he can guess the private key $d$ from the relation $ed \equiv 1 \pmod {\operatorname{lcm}(p-1, q-1)}$. When we generate key pairs, we choose very big prime numbers $p$ and $q$, so if a hacker wants to find out $p$ and $q$, it is a relatively difficult problem for today's computers (e.g., given a public key with $n = 143$, it is very easy to find out that $n = 11 \cdot 13$). But if a person is given a long enough time and a large number of computers working simultaneously, he will finally get $p$ and $q$, so I think we should update our key pair after a period of time.

Exlife
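As an added example (my own code, not from either answer), the following Python works through the question's parameters for both answers above: it computes $\varphi(n)$ and $\lambda(n)=\operatorname{lcm}(p-1,q-1)$, derives $d$ with the extended Euclidean algorithm (giving the 103 of the first answer and the 43 of the second), rejects the question's $e=9$ because it shares a factor with $\varphi(n)$, and decrypts both directly and with the CRT shortcut the first answer mentions. Function names are my own choice.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, m):
    """Inverse of e modulo m, or None when gcd(e, m) != 1 (no inverse exists)."""
    g, x, _ = egcd(e, m)
    return x % m if g == 1 else None


def keygen(p, q, e):
    """Textbook RSA key material for primes p, q and public exponent e.

    Raises ValueError when e is not coprime to phi(n); this is exactly what
    happens for the question's e = 9 with phi(143) = 120 (gcd = 3)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael: lcm(p-1, q-1)
    d_phi = modinv(e, phi)
    if d_phi is None:
        raise ValueError(f"e={e} shares factor {gcd(e, phi)} with phi(n)={phi}")
    d_lam = modinv(e, lam)  # smaller private exponent, works just as well
    return {"n": n, "phi": phi, "lam": lam, "d_phi": d_phi, "d_lam": d_lam}


def encrypt(m, e, n):
    return pow(m, e, n)


def decrypt(c, d, n):
    return pow(c, d, n)


def decrypt_crt(c, d, p, q):
    """CRT decryption: two half-size exponentiations recombined via q_inv."""
    d_p, d_q = d % (p - 1), d % (q - 1)
    q_inv = modinv(q, p)
    m_p, m_q = pow(c, d_p, p), pow(c, d_q, q)
    h = (q_inv * (m_p - m_q)) % p
    return m_q + h * q


if __name__ == "__main__":
    key = keygen(11, 13, 7)  # the question's toy parameters
    c = encrypt(7, 7, key["n"])
    print(key, c, decrypt(c, key["d_phi"], key["n"]), decrypt_crt(c, key["d_lam"], 11, 13))
```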