RSA

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

October 13, 2025

RSA

• First public-key encryption scheme proposed by Rivest, Shamir, and Adleman in the late 1970s

Public-Key Encryption Workflow

• Suppose Bob wants to send a message to Alice

• Alice will generate a public-private key-pair (pk_A, sk_A)

  • The private key is also called the secret key

• Alice will share pk_A with Bob over the public channel

• Bob will encrypt a message m as c \leftarrow \textsf{Enc}_{pk_A}(m) and send c to Alice over the public channel

• Alice will decrypt c as m \leftarrow \textsf{Dec}_{sk_A}(c) using her private key sk_A

Why bother with private-key encryption?

• Public-key encryption is 2-3 orders of magnitude slower than private-key encryption

• Hybrid encryption is often used in practice

• Here \textsf{Enc} is a public-key encryption scheme and \textsf{Enc}' is a private-key encryption scheme

Public-Key Encryption Schemes

• A public-key encryption scheme is a triple of PPT algorithms (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) such that:

  1. (pk,sk) \leftarrow \textsf{Gen}(1^n)

     • pk is the public key and sk is the private key
     • The public key defines a message space \mathcal{M}_{pk}

  2. For m \in \mathcal{M}_{pk}, c \leftarrow \textsf{Enc}_{pk}(m).

  3. m \coloneqq \textsf{Dec}_{sk}(c), where m \in \mathcal{M}_{pk} \cup \{\perp\}.

• It is required that \textsf{Dec}_{sk}\left( \textsf{Enc}_{pk}\left( m \right) \right) = m for any message m \in \mathcal{M}_{pk}, except with negligible probability over the randomness of \textsf{Enc} and \textsf{Dec}

Plain RSA

Plain RSA Key Generation

• Let \textsf{GenRSA} be a PPT algorithm that on input 1^n, outputs a modulus N that is the product of two n-bit primes, along with integers e,d > 1 satisfying ed = 1 \bmod \phi(N)

• \textsf{Gen:} On input 1^n, run \textsf{GenRSA}(1^n) to obtain N, e, and d

  • The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.

Plain RSA Encryption and Decryption

• \textsf{Enc:} On input a public key pk = \langle N,e \rangle and message m \in \mathbb{Z}_N^*, compute the ciphertext c = m^e \bmod N
• \textsf{Dec:} On input a private key sk = \langle N, d \rangle and ciphertext c \in \mathbb{Z}_N^*, output \hat{m} = c^d \bmod N

Necessary Conditions for RSA Security

• A PPT adversary should not be able derive the decryption exponent d from the public key pk = \langle N,e \rangle

• Since d = e^{-1} \bmod \phi(N), a PPT adversary should not be able to factor N

• No polynomial-time algorithm is known for factoring in general but small factors can be found easily

• The prime factors p and q should be large and random

Generating Moduli for RSA

• Pick a pair of random n-bit primes p,q and output their product N = pq
• How can we generate random primes?

Generating Random Primes

• Algorithm for generating an n-bit prime

• Input: Length n, loop count t

• Output: A uniform n-bit prime \begin{align*} & \textbf{for } i=1 \text{ to } t:\\ &\quad p' \leftarrow \{0,1\}^{n-1}\\ &\quad p \coloneqq 1 || p' \\ &\quad \textbf{if } p \text{ is prime } \textbf{return } p\\ &\textbf{return } \textsf{fail} \end{align*}

• We need to clarify two points

  • The probability that a uniform n-bit integer is a prime
  • How can we efficiently check whether a given integer is a prime?

Distribution of Primes

• Theorem: For any n > 1, the fraction of n-bit integers that are prime is at least \frac{1}{3n}

• Set the loop count t = 3n^2

• The probability that a prime is not chosen in all t iterations is at most \left(1-\frac{1}{3n}\right)^t \leq e^{-n}

Primality Testing

• First efficient algorithms were developed in the 70s

• Probabilistic algorithms with following guarantees

  • If input p is a prime, the algorithms always output “prime”
  • If p is composite, the algorithms might output “prime” with a negligible probability

• A deterministic polynomial-time algorithm was found in 2002 by Agrawal, Kayal, Saxena (AKS)

  • Not used in practice due to slower running time

The Factoring and RSA Assumptions

The Factoring Experiment

• Let \textsf{GenModulus} be a PPT algorithm that, on input 1^n, outputs (N,p,q) where N = pq, and p and q are n-bit primes except with probability negligible in n.

• The factoring experiment \textsf{Factor}_{\mathcal{A}, \textsf{GenModulus}}(n):

  • Run \textsf{GenModulus}(1^n) to obtain (N,p,q).
  • \mathcal{A} is given N, and outputs p',q' > 1.
  • The output of the experiment is 1 if N = p'q', and 0 otherwise.

• We use p', q' in the above experiment because it is possible that \textsf{GenModulus} returns composite integers p, q albeit with negligible probability

The Factoring Assumption

• Definition: Factoring is hard relative to \textsf{GenModulus} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \Pr[\textsf{Factor}_{\mathcal{A}, \textsf{GenModulus}}(n) = 1] \le \textsf{negl}(n).

• The factoring assumption states that there exists a \textsf{GenModulus} relative to which factoring is hard.

The RSA Experiment

• \textsf{RSA-inv}_{\mathcal{A}, \textsf{GenRSA}}(n):

  • Run \textsf{GenRSA}(1^n) to obtain (N,e,d)
  • Choose a uniform y \in \mathbb{Z}_N^*
  • \mathcal{A} is given N,e,y, and outputs x \in \mathbb{Z}_N^*
  • The output of the experiment is 1 if x^e = y \bmod N, and 0 otherwise.

The RSA Assumption

• Definition: The RSA problem is hard relative to \textsf{GenRSA} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \Pr[\textsf{RSA-inv}_{\mathcal{A}, \textsf{GenRSA}}(n) = 1] \le \textsf{negl}(n).

• The RSA assumption states that there exists a \textsf{GenRSA} relative to which RSA is hard.

• The RSA assumption is a stronger assumption than the factoring assumption

Attacks on Plain RSA

• Plain RSA is deterministic and hence not CPA-secure
• It is insecure even if used to encrypt “random messages”

Encrypting Short Messages Using Small e

• Suppose m < N^{1/e}
• Raising m to the eth power involves no modular reduction
• Give c, message m = c^{1/e} can be computed over the integers in \textsf{poly}(\| N \|) time
• Suppose e = 3 and \| N \| = 2048 bits; then the attack works when m is a 256-bit string

Encrypting Related Messages

• Suppose a sender encrypts two related messages to the same receiver
• Suppose the messages are m and m+\delta where \delta is known but m is not
• Given two ciphertexts c_1 = [m^e \bmod N] and c_2 = [(m+\delta)^e \bmod N], attacker defines two polynomials \begin{align*} f_1(x) & = x^e -c_1 \\ f_2(x) & = (x+\delta)^e -c_2\end{align*}
• m is root of both polynomials \implies x-m is a factor of both polynomials
• If \textsf{gcd}(f_1(x), f_2(x)) is a linear polynomial, it reveals m

Sending the Same Message to Multiple Receivers (1/2)

• Suppose e = 3
• Suppose the same message m is encrypted to three receivers having public keys pk_1 = \langle N_1, 3 \rangle, pk_2 = \langle N_2, 3 \rangle, pk_3 = \langle N_3, 3 \rangle
• Assume \gcd(N_i, N_j) = 1 for i \neq j
• Eavesdropper observes c_1 = [m^3 \bmod N_1], c_2 = [m^3 \bmod N_2], c_3 = [m^3 \bmod N_3]

Sending the Same Message to Multiple Receivers (2/2)

• For N^* = N_1N_2N_3, by CRT there exists a unique \hat{c} < N^* such that \hat{c} =c_1 \bmod N_1\\ \hat{c} = c_2 \bmod N_2\\\hat{c} = c_3 \bmod N_3
• As m < \min\{N_1, N_2, N_3\}, we have m^3 < N^*
• Then \hat{c} = m^3 over the integers
• Message m can be recovered by computing the integer cube root of \hat{c}

RSA Keys Should be Chosen Carefully

• Suppose all employees in a company share the same RSA modulus N
• Suppose two employees have encryption exponents e_1, e_2 such that e_1 \neq e_2 and \gcd(e_1, e_2) = 1
• Suppose the same message m is encrypted to give c_1 = m^{e_1} \bmod N \text{ and } c_2 = m^{e_2} \bmod N
• Then m can be recovered

RSA-OAEP

• OAEP = Optimal Asymmetric Encryption Padding
• RSA-OAEP = RSA-based encryption scheme which is CCA-secure if RSA assumption holds
• RSA-OAEP has been standardized (see RFC 8017)

Further Reading

• Sections 12.5.1, 9.2, 12.5.4 of Katz & Lindell