
I don't quite get the algorithm yet. Sometimes it works and other times it doesn't, so clearly I am overseeing or misunderstanding something.

I will just write what I did. My $N=143$ and has factors $p=11$ and $q=13$. To determine my second public number: $R=(p-1)(q-1)= 10 \cdot 12=120$. So the second number cannot be a factor of $120$. I figured $e=7$ would be fine.

I simply want to message $7$. So $7^7 \bmod 143 = 6$ will be my message.

My friend wants to decode it and needs to exponentiate this number by $d$. $d=\frac{R+1}{e}=121/7$. But this should be a natural number, right?

I noticed it doesn't work for $e=9$ either, even though it is not a factor of $120$. It does work for $e=11$.

Should $e$ be chosen so that it is a factor of $R+1$?

2 Answers


For textbook RSA, we have

Key-Gen

  • The modulus $n$ must be a product of two distinct random large primes for security, $n = p \cdot q$

    in your case $n=143 = 11\cdot 13$

    For finding the primes, the probabilistic Miller–Rabin primality test should be enough. Note that the Miller–Rabin primality test is probabilistic; a composite output is always true, while a prime output has a probability defined by the number of iterations, $k$; $$\Pr( p\text{ is not prime} ) \ll \frac{1}{4^k}$$ and can be stated as $$\log_2(\Pr( p\text{ is not prime} ))\ll-2k$$ This is a rough calculation, and as noted by fgrieu, the probability approaches 0 as the size of the number to be tested increases. The FIPS 186-4 table C.3 provides specific numbers for $k$;

    • for 512 bits gives $k=7$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$,
    • for 1024 bits gives $k=4$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$, and
    • for 1536 bits gives $k=3$ rounds with $\log_2(\Pr( p\text{ is not prime} ))<-100$.
  • The factors of modulus are $p=11$ and $q =13$

  • $\varphi(n) = (p-1)(q-1)$, in your case $\varphi(143) = 10\cdot 12 = 120$,

    Actually, we prefer $\lambda(n) = \operatorname{lcm}(p,q)$ and this will give us the smallest private exponent. That can be helpful for signature calculation speed, and actually, one should use the CRT method (see the last bullet of Key-Gen).

    The relation is $$\varphi(n)=\lambda(n)\cdot\gcd(p-1,q-1)$$ and this implies that $\lambda(n) \mid \varphi(n)$.

  • The public exponent $e$ is chosen relatively prime to $\varphi(n)$, so $e=7$ is fine. Normally, $e$ is chosen in advance from $\{3, 5, 17, 257, 65537\}$. If $\gcd(e,\varphi(n)) \neq 1$ then a new modulus is generated.

    $(n,e)$ makes the public key to distribute.

  • The private exponent $d$ is the inverse of $e$ modulo $\varphi(n)$, i.e. $d\cdot e \equiv 1 \bmod \varphi(n)$, in your case $d=103$. This can be computed with the Ext-GCD, which results in a Bézout's identity $e \cdot x + n \cdot k = 1$. Take modulus $n$; then $x$ is the inverse of $e$.

    $(n,e,d,p,q, d_p, d_q, q_{inv})$ is your private key. One can use CRT to speed up the decryption up to 4 times.

Encrypt

  • $c = m^e \bmod n$

    $m \in [0,n)$; otherwise, after decryption one gets the representative of the equivalence class of $m$ that is less than $n$.

Decrypt

  • $m = c^d \bmod n = (m^{e})^{d} \bmod n = m^{ed} \bmod n = m$

Example

  • $m = 7$ then $c = 7^7 \pmod{143} = 6$

  • $m = 6^{103} \pmod {143}= 7$


Notes:

  1. There is also multi-prime RSA where the large prime factors of $n$ are more than 2.
  2. Textbook RSA is not secure; one should never use it without a proper padding scheme. One is the PKCS#1 v1.5 padding scheme and the other is RSA-OAEP. RSA-OAEP has a security proof and PKCS#1 v1.5 has not. PKCS#1 v1.5 has had many attacks over the years and should not be used.

  3. RSA (actually any public-key encryption) is not preferable due to the speed. We prefer hybrid encryption schemes like RSA-KEM as the Key Encapsulation Mechanism, then encrypt the data with AES-GCM or ChaCha20-Poly1305 as the Data Encapsulation Mechanism; use a 256-bit key with AES, preferably.

    With this composition of a KEM and a DEM, one can achieve IND-CCA2/NM-CCA2—ciphertext indistinguishability and nonmalleability under adaptive chosen-ciphertext attack.

kelalaka
  • $d\cdot e = 1 \mod{\phi(n)}$ is to be solved. I understand $103\cdot 7 = 721$ and this works because $6\cdot 120= 720$. Only I am nowhere near familiar with modulo and the algorithms. I see one can use extended euclidean algorithm. – Jordy Molenaar May 06 '20 at 23:40
  • But I will certainly look into it. I realise I miss a vital operation and understanding. It's funny because it actually worked quite a few times with the wrong approach. https://www.abc.net.au/news/science/2018-01-20/how-prime-numbers-rsa-encryption-works/9338876 (at the end it tells how to calculate e and d). – Jordy Molenaar May 06 '20 at 23:53
  • Because the modulus is small. One of the reasons for test vectors. – kelalaka May 06 '20 at 23:54
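The key generation, encryption and decryption that the answer above walks through, as an added Python example that is not part of the answer or the question (all function names are mine): it reuses the question's toy parameters $p=11$, $q=13$, $e=7$, shows why $e=9$ is rejected, derives $d$ from either $\varphi(n)$ or $\lambda(n)=\operatorname{lcm}(p-1,q-1)$, and decrypts with the CRT parameters $(d_p, d_q, q_{inv})$ named in the last Key-Gen bullet.

```python
# Added example (not from the answer): textbook RSA with the question's toy key.
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Inverse of a modulo m; fails when gcd(a, m) != 1 (the e = 9 case)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return x % m

def keygen(p, q, e, use_lambda=False):
    """Return (n, e, d); d = e^-1 mod phi(n), or mod lambda(n) = lcm(p-1, q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)      # lcm(p-1, q-1); 60 for the toy key
    d = modinv(e, lam if use_lambda else phi)
    return n, e, d

def encrypt(m, n, e):
    return pow(m, e, n)                  # textbook RSA: no padding at all

def decrypt(c, n, d):
    return pow(c, d, n)

def decrypt_crt(c, p, q, d):
    """Decrypt with the CRT private-key parts d_p, d_q, q_inv (Garner's recombination)."""
    d_p, d_q, q_inv = d % (p - 1), d % (q - 1), modinv(q, p)
    m_p, m_q = pow(c, d_p, p), pow(c, d_q, q)
    h = (q_inv * (m_p - m_q)) % p
    return m_q + h * q

if __name__ == "__main__":
    n, e, d = keygen(11, 13, 7)          # (143, 7, 103): d from phi(n) = 120
    c = encrypt(7, n, e)                 # 7^7 mod 143 = 6, as in the question
    print(d, c, decrypt(c, n, d), decrypt_crt(c, 11, 13, d))
    print(keygen(11, 13, 7, use_lambda=True))   # (143, 7, 43): d from lambda(n) = 60
    try:
        keygen(11, 13, 9)                # gcd(9, 120) = 3, so e = 9 has no inverse
    except ValueError as err:
        print("e=9 rejected:", err)
```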

(1) $p$ and $q$ are chosen as: $p = 11, q = 13$, then $n = pq = 143$.

(2) $\lambda(n) = \lambda(143) = \operatorname{lcm}(p-1, q-1) = \operatorname{lcm}(10, 12) = 60$.

(3) Find $e$ such that $\gcd(e, \lambda(n)) = 1$, which means $e$ is coprime with $\lambda(n)$; choose $e = 7$, since 7 and 60 have no common divisors other than 1.

(4) Find $d$ such that $de \equiv 1 \pmod{\lambda(n)}$; choose $d = 43$, since $de = 43 \times 7 = 301$, and $301 \equiv 1 \pmod{60}$.

(5) So, the public key is $(e = 7, n = 143)$ and the private key is $(d = 43)$.

(i) Encrypt the specific message $(m = 7)$ with the public key $(e = 7, n = 143)$:

$$c = m^e \pmod n = 7^7 \pmod{143} = 823543 \pmod{143} = 6.$$

(ii) Decrypt $c$ $(= 6)$ with the private key $(d = 43)$:

$$m = c^d \pmod n = 6^{43} \pmod{143} = 2887378820390246558653190730940416 \pmod{143} = 7.$$

How does RSA work? I will use $(k_1, k_2, k_3, \ldots)$ to represent integers whose values we don't care about.

Consider a plain message $m$ ($m < p$, $m < q$); thus $m$ is coprime with $n$ $(= pq)$. $e$ and $d$ are chosen such that $ed \pmod{\lambda(n)} = 1$; assume $ed = k_1 \lambda(n) + 1$.

$$m^{ed} = m^{k_1 \lambda(n) + 1} = \left(m^{\lambda(n)}\right)^{k_1} m.$$

By the Carmichael function's definition, $m^{\lambda(n)} \equiv 1 \pmod n$; assume $m^{\lambda(n)} = k_2 n + 1$.

$$m^{ed} = (k_2 n + 1)^{k_1} m = (k_3 n + 1) m \equiv m \pmod n.$$

So:

$$m^{ed} \pmod n = m.$$

When encrypting, $c = m^e \pmod n$; assume $m^e = k_4 n + c$, then:

$$m^{ed} = (k_4 n + c)^d = (k_5 n + c^d) \equiv c^d \pmod n.$$

Since we already know $m^{ed} \pmod n = m$, we get:

$$c^d \pmod n = m.$$

That is the decryption process.

And with a chosen $(e, d)$, obviously, for any integers $k_1 \ge 0, k_2 \ge 0$, the keys $(e + k_1 \lambda(n), d + k_2 \lambda(n))$ are all valid and equivalent.

How can a hacker peek at your message? Anyone will know the public key $(e, n)$; if he wants to decrypt the ciphertext, he must know $d$, which means he must find out $p$ and $q$ such that $n = pq$; then he can guess the private key $d$ from the relation $ed \equiv 1 \pmod{\operatorname{lcm}(p-1, q-1)}$. When we generate key pairs, we choose very big prime numbers $p$ and $q$, so if a hacker wants to find out $p$ and $q$, it is a relatively difficult problem for today's computers (e.g. if given a public key with $n = 143$, it is very easy to find out that $n = 11 \cdot 13$). But if a person is given a long enough time and a large number of computers working simultaneously, he will finally get $p$ and $q$, so I think we should update our key pair after a period of time.

Exlife
  • Welcome to crypto-SE. Here you can use LaTeX, e.g. `$6^{43}\bmod 143$` for $6^{43}\bmod 143$ rather than "6^43 mod 143". More on that here. The part where you have "6^43 mod 143 = 2.88...e+33 mod 143 = 7" gives the incorrect impression that we need to compute $6^{43}$ then reduce modulo $143$ and can use an approximation, when in reality we must not make any approximation, and the modular reduction can be along the exponentiation (and must be for parameters of practical size). In (1) we must have $p\ne q$ (beside $p$ and $q$ prime). – fgrieu Jan 09 '24 at 15:53
  • @fgrieu: Thanks for the suggestions, and I have edited my answer again with TeX used. And yes, this is about big integer algorithms; it is a big integer with 34 decimal digits, so I wrote it in scientific form (that I got from the calculator app of Windows OS) to keep it short and clear. – Exlife Jan 10 '24 at 08:08
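Two points from the answer and the comments above, as an added Python example that is neither answer's own code (all names are mine): a square-and-multiply that reduces modulo $n$ after every step, so the decryption $6^{43} \bmod 143$ never builds the 34-digit intermediate that fgrieu objects to, and a brute-force check of the claim that $(e + k_1\lambda(n),\, d + k_2\lambda(n))$ are all valid key pairs for $n = 143$, $\lambda(n) = 60$.

```python
# Added example (not from the answer): exponentiation that reduces mod n at every
# step, so 6^43 mod 143 never forms the 34-digit 6^43, plus a check of the claim
# that (e + k1*lambda(n), d + k2*lambda(n)) are all valid key pairs.
def mod_pow(base, exp, mod):
    """Left-to-right square-and-multiply; every intermediate stays below mod**2."""
    result, base = 1, base % mod
    for bit in bin(exp)[2:]:             # most significant bit first
        result = (result * result) % mod
        if bit == "1":
            result = (result * base) % mod
    return result

def max_intermediate(base, exp, mod):
    """Largest product formed before reduction, to compare against base**exp."""
    biggest, result, base = 0, 1, base % mod
    for bit in bin(exp)[2:]:
        biggest = max(biggest, result * result)
        result = (result * result) % mod
        if bit == "1":
            biggest = max(biggest, result * base)
            result = (result * base) % mod
    return biggest

def equivalent_keys_valid(n, lam, e, d, k_max=5):
    """True if (e + k1*lam, d + k2*lam) round-trips every m in [0, n) for k1, k2 < k_max."""
    for k1 in range(k_max):
        for k2 in range(k_max):
            e_k, d_k = e + k1 * lam, d + k2 * lam
            if any(mod_pow(mod_pow(m, e_k, n), d_k, n) != m for m in range(n)):
                return False
    return True

if __name__ == "__main__":
    print(mod_pow(6, 43, 143))                    # 7, matching step (ii) above
    print(max_intermediate(6, 43, 143), 6 ** 43)  # about 2e4 versus about 2.9e33
    print(equivalent_keys_valid(143, 60, 7, 43))  # True
```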