In the previous segment we saw how to build public key encryption from trapdoor

functions, in this segment we're going to build a classic trapdoor function called

RSA. But first let's quickly review what a trapdoor function is. So recall that a

trapdoor function is made up of three algorithms. There is a key generation

algorithm, the function itself, and the inverse of the function. The key

generation algorithm outputs a public key and a secret key. And in this case, in

this lecture the public key is going to define a function that maps the set X onto

itself. Which is why I call these things trapdoor permutations, as opposed to

trapdoor functions, simply because the function maps X onto itself, whereas a

trapdoor function might map the set X to some arbitrary set Y. Now given the public

key, the function, as we say, basically defines this function from the set X to

the set X. And then given the secret key, we can invert this function. So this

function F evaluates the function in the forward direction, and this function F

inverse, which means the secret key SK, computes F in the reverse direction. Now

we say that the trapdoor permutation is secure if the function defined by the

public key is in fact a one-way function, which means that it's easy to evaluate,

but without the trapdoor, the secret trapdoor, it's difficult to invert. Before

we look at our first example of a trapdoor permutation, I want to do a quick review

of some necessary arithmetic facts that we're gonna need. And in particular,

let's look at some arithmetic facts modulo composites. So here we have our

modulus N, which happens to be a product of two primes, and you should be thinking

of P and Q as roughly equal size numbers, since particular P and Q are both roughly

on the size of square root of N. So both are roughly the same size. Recall that we

denoted by ZN the set of integers from zero to N minus one, and we said that we

can do addition and multiplication module N. We denoted by ZN star the set of

invertible elements in ZN. So these are all the elements, which have a modular

inverse. And we said that actually X is invertible if and only if it's relatively

prime to N. Moreover, I also told you that the number of invertible elements in ZN

star is denoted by this function phi(N). So phi(N) is the number of invertible elements in ZN

star, And I told you that when N is a product of two distinct primes, then in

fact phi(N) is equal to (P - 1) times (Q - 1) and if you extend that out, you

see that this is really equal to (N - P - Q + 1). Now remember that I said

that P and Q are on the order of square root of N which means that P + Q is

also on the order of square root of N. Which means that really phi(N) is on the

order of N minus two square root of N. So, in other words, it's very, very close to

N. Basically, subtracting the square root of N from a number, this is from, N is

going to be a huge number in our case, like 600 digits. And so subtracting from a

600 digit number, the square root of that 600 digit number, namely a 300 digit

number, hardly affects the size of the number. Which means that phi(N) is really,

really, really close to N, and I want you to remember that, because we will actually

be using this now and again. And so the fact that phi(N) is really close to N, means

that if we choose a random element modulo N It's very, very, very likely to be in ZN

star. So it's very unlikely that by choosing a random element in ZN, we will

end up choosing an element that is not invertable. Okay. So just remember that,

that in fact almost all elements in ZN are actually invertible. And the last thing

that we'll need is Euler's theorem, which we covered last week, which basically says

that for any element X in ZN star, if I raise X to the power of phi(N), I get one, in

ZN. So in other words, I get 1 modulo N. I'll say it one more time because this

is gonna be critical to what's coming. Again X to the phi(N) is equal to 1 modulo

N. So now that we have the necessary background we can actually describe the

RSA trapdoor permutation. This is a classic, classic, classic construction in

cryptography that was first published in Scientific American back in 1977, this is

a very well known article in cryptography. And ever since then, this was 35 years

ago, the RSA trapdoor permutation has been used extensively in cryptographic applications.

For example, SSL and TLS use RSA both for certificates and for key exchange. There

are many secure email systems and secure file systems that use RSA to encrypt

emails and encrypt files in the file system. And there are many, many, many

other applications of this system. So this is a very, very classic, crypto

construction, and I'll show you how it works. I should say that RSA is named for

its inventors, Ron Rivest, Adi Shamir and Len Adleman, who were all at MIT at the

time they made this important discovery. So now we're ready to describe the RSA

trapdoor permutation. To do that, I have to describe the key generation algorithm,

the function ƒ and the function ƒ−1. So let's see. So the way the key

generation algorithm works is as follows: What we do is we generate two primes, P

and Q, each would be, say on the order of 1000 bits, so, you know, roughly 300

digits, and then the RSA modulus is simply going to be the product of those two

primes. The next thing we do is we pick two exponents, e and d, such that e times

d is 1 modulo phi(N). What this means is that e and d first of all are relatively

prime to phi(N) and second of all they're actually modular inverses of one another,

modulo phi(N). And then we output the public key as the pair N,e and the

secret key is the secret key N,d. I should mention that the exponent e,

that the number e is sometimes called the encryption exponent and the exponent d is

sometimes called the decryption exponent. And you'll see why I keep referring to

these as exponents in just a second. Now the way the RSA function itself is

defined is really simple. For simplicity I'm gonna define it as the function

from ZN star to ZN star. And the way the function is defined is simply given an

input X, all we do is we simply take X and raise it to the power of e in ZN. So we

just compute X to the e, modulo N. That's it. And then to decrypt, what we do is we

simply, given an input Y, we simply raise Y to the power of d, modulo N. And that's

it. So now you can see why as I refer to e and d as exponents. They're the things

that X and Y are being raised to. So let's quickly verify that F inverse really does

invert the function F. So let's see what happens when we compute Y to the d. So

suppose Y itself happens to be the RSA function of some value X. In which case,

what Y to the d is, is really RSA of X to the power of d. While X by itself is

simply gonna be X to the e modulo N, And therefore, Y to the d is simply X to the e

times d modulo N. Again, just using rules of exponentiation, the exponents multiply,

so we get X to the e times d. But what do we know about e times d? e times d we said

is one modulo phi(N). And what that means is there exists some integer such that e

times d is equal to K times phi(N) plus one. This is what it means that e times d is

one modulo phi(N). So, we can simply replace e times d by K times phi(N)+1. So, that's

what I wrote here. So, we have X to the power of K times phi(N)+1. But now again

just using rules of exponentiation, we can re-write this as X to the power of phi(N) to

the power of K times X. This is really the same thing as K times phi(N)+1 as the

exponent. I just kind of separated the exponent into it's different components.

Now, X to the phi(N) by Euler's theorem, we know that X to the phi(N) is equal to one. So what

is this whole product equal to? Well since X to the phi(N) is equal to one, one to

the K is also equal to one, so this whole thing over here is simply equal to one.

And what we're left with is X. So what we just proved is that if I take the output of

the RSA function and raise it to the power of 'd', I get back X. Which means that

raising to the power of 'd' basically inverts the RSA function, which is what we

wanted to show. So that's it, that's the whole description of the function, we've

described the key generation. The function itself, which is simply raising things to

the power of e modulo N, and the inversion function which is simply raising things to

the power of d, also modulo N. The next question is, why is this function secure?

In other words, why is this function one way if all I have is just a public key,

but I don't have the secret key? And so to argue that this function is one way we

basically state the RSA assumption which basically says that the RSA function is a

one way permutation. And formally the way we state that is that, basically for all

efficient algorithms, A, it so happens that if I generate two primes p and q,

random primes p and q. I multiply them to get to modulus N and then I choose a

random 'y' in ZN star. And now I give the modulus, the exponent and this 'y' to

algorithm A, the probability that I'll get the inverse of RSA at the point Y, mainly

I'll get Y to the power of one over E. That's really what the inverse is. This

probability is negligible. So this assumption is called the RSA assumption.

It basically states that RSA is a one way permutation just given the public [key?]. And

therefore, it is a trapdoor permutation because it has a trapdoor. And makes this

easy to invert for anyone who knows the trap door. So now that we have a secure

trap door permutation, we can simply plug that into our construction for public key

encryption, and get our first real world public key encryption system. And so what

we'll do is we'll simply plug the, the RSA trapdoor permutation into the iso standard

construction that we saw in the previous segment. So, if you recall, that

construction was based on a symmetric encryption system that had to provide

authenticated encryption. And it was also based on a hash function. Then mapped

while transferring it into the world of RSA, it maps elements in

ZN, into secret keys for the symmetric key system. And now the

way the encryption scheme works is really easy to describe. Basically algorithm G

just runs the RSA key generation algorithm and produces a public key and a secret

key. Just as before. So you notice the public key contains the encryption

exponent and the, secret key contains the decryption exponent. And the way we

encrypt is as follows. Well, we're going to choose a random X in ZN. We're going

to apply the RSA function to this X, we're going to deduce a symmetric key from this

X by hashing it, so we compute H of X to obtain the key K, and then we output this

Y along with the encryption of the message under the symmetric key K. And in

practice, the hash function H would be just implemented just using SHA-256, and

you would use the output of SHA-256 to generate a symmetric key that could then

be used for the symmetric encryption assistant. So that's how we would encrypt

and then the way we would decrypt is pretty much as we saw in the previous

segment, where the first thing we would do is we would use the secret key to invert

the header of the ciphertext. So we would compute RSA invert of Y, that would give

us the value X. Then we would apply the hash function to X so that this would give

us the key K. And then we would run the decryption algorithm for the symmetric

system on the ciphertext and that would produce the original message m. And then

we stated a theorem in the previous segment to say that if the RSA trapdoor

permutation is secure, Es and Ds, the symmetric encryption scheme [inaudible]

provides authenticated encryption. And as we said, H is just random oracle. It's,

you know, kind of a random function from ZN to the key space. Then, in fact, this

system is chosen cipher text secure, and is a good public key system to use.