# RSA and Homomorphic Multiplication
- https://arnaucube.com
- https://github.com/arnaucube
- https://twitter.com/arnaucube
2018-11-30
---
- Intro
- Public key cryptography
- Basics of modular arithmetic
- Brief history of RSA
- Keys generation
- Prime numbers
- Encryption
- Decryption
- What's going on in encryption and decryption?
- Signature
- Verification of the signature
- Homomorphic Multiplication with RSA
- Resources
---
# Intro
- I'm not an expert on the field, neither a mathematician. Just an engineer with interest for cryptography
- Short talk (15 min), with the objective to make a practical introduction to the RSA cryptosystem
- Is not a talk about mathematical demostrations, is a talk with the objective to get the basic notions to be able to do a practical implementation of the algorithm
- After the talk, we will do a practical workshop to implement the concepts. We can offer support for Go, Rust, Python and Nodejs (you can choose any other language, but we will not be able to help)
---
# Public key cryptography
![pubkencr](https://upload.wikimedia.org/wikipedia/commons/f/f9/Public_key_encryption.svg "pubkencr")
---
Some examples:
- RSA
- Paillier
- ECC (Corba el·líptica)
---
# Basics of modular arithmetic
- Modulus, `mod`, `%`
- Remainder after division of two numbers
![clocks](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a4/Clock_group.svg/220px-Clock_group.svg.png "clocks")
```
5 mod 12 = 5
14 mod 12 = 2
83 mod 10 = 3
```
```
5 + 3 mod 6 = 8 mod 6 = 2
```
---
# Brief history of RSA
- RSA (Rivest–Shamir–Adleman): Ron Rivest, Adi Shamir, Leonard Adleman
- year 1977
- one of the first public key cryptosystems
- based on the difficulty of factorization of the product of two big prime numbers
---
# Prime numbers
- We need an asymmetric key, in a way where we can decrypt a message encrypted with the asymetric key
- Without allowing to find the private key from the public key
- in RSA we resolve this with factorization of prime numbers
- using prime numbers for $p$ and $q$, it's difficult factorize $n$ to obtain $p$ and $q$, where $n=p*q$
---
Example:
If we know $n$ which we need to find the $p$ and $q$ values where $p*q=n$:
```
n = 35
```
To obtain the possible factors, is needed to brute force trying different combinations, until we find:
```
p = 5
q = 7
```
In this case is easy as it's a simple example with small numbers. The idea is to do this with big prime numbers
---
Another exmample with more bigger prime numbers:
```
n = 272604817800326282194810623604278579733
```
From $n$, I don't have a 'direct' way to obtain $p$ and $q$. I need to try by brute force the different values until finding a correct combination.
```
p = 17975460804519255043
q = 15165386899666573831
n = 17975460804519255043 * 15165386899666573831 = 272604817800326282194810623604278579733
```
---
If we do this with non prime numbers:
```
n = 32
We can factorize 32 = 2 * 2 * 2 * 2 * 2
combining that values in two values X * Y
for example (2*2*2) * (2*2) = 8*4 = 32
we can also take 2 * (2*2*2*2) = 2 * 16 = 32
...
```
---
One example with bigger non prime numbers:
```
n = 272604817800326282227951471308464408608
We can take:
p = 17975460804519255044
q = 15165386899666573832
Or also:
p = 2
q = 136302408900163141113975735654232204304
...
```
In the real world:
- https://en.wikipedia.org/wiki/RSA_numbers
- https://en.wikipedia.org/wiki/RSA_Factoring_Challenge#The_prizes_and_records
So, we are basing this in the fact that is not easy to factorize big numbers composed by big primes.
---
# Keys generation
- PubK: $e$, $n$
- PrivK: $d$, $n$
- are choosen randomly 2 big prime numbers $p$ and $q$, that will be secrets
- $n = p * q$
- $λ$ is the Carmichael function
- $λ(n) = (p − 1) * (q − 1)$
- Choose a prime number $e$ that satisfies $1 < e < λ(n)$ and $gcd(e, λ(n))=1$
- Usually in examples is used $e = 2^16 + 1 = 65537$
- $d$ such as $e * d = 1 mod λ(n)$
- $d = e^(-1) mod λ(n) = e modinv λ(n)$
---
### Example
- `p = 3`
- `q = 11`
- `e = 7` value choosen between 1 and λ(n)=20, where λ(n) is not divisible by this value
- `n = 3 * 11 = 33`
- `λ(n) = (3-1) * (11-1) = 2 * 10 = 20`
- `d` such as `7 * d = 1 mod 20`
- `d = 3`
- PubK: `e=7, n=33`
- PrivK: `d=3, n=33`
---
### Naive code
```python
def egcd(a, b):
if a == 0:
return (b, 0, 1)
g, y, x = egcd(b%a,a)
return (g, x - (b//a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('No modular inverse')
return x%m
```
---
```
def newKeys():
p = number.getPrime(n_length)
q = number.getPrime(n_length)
# pubK e, n
e = 65537
n = p*q
pubK = PubK(e, n)
# privK d, n
phi = (p-1) * (q-1)
d = modinv(e, phi)
privK = PrivK(d, n)
return({'pubK': pubK, 'privK': privK})
```
---
# Encryption
- Brenna wants to send the message `m` to Alice, so, will use the Public Key from Alice to encrypt `m`
- `m` powered at `e` of the public key from Alice
- evaluate at modulus of `n`
### Example
- message to encrypt `m = 5`
- receiver public key: `e=7, n=33`
- `c = 5 ^ 7 mod 33 = 78125 mod 33 = 14`
### Naive code
```python
def encrypt(pubK, m):
c = (m ** pubK.e) % pubK.n
return c
```
---
# Decrypt
- from an encrypted value `c`
- `c` powered at `d` of the private key of the person to who the message was encrypted
- evaluate at modulus of `n`
### Example
- receiver private key, PrivK: `d=3, n=33`
- `m = 14 ^ 3 mod 33 = 2744 mod 33 = 5`
### Naive code
```python
def decrypt(privK, c):
m_d = (c ** privK.d) % privK.n
return m_d
```
---
# What's going on when encrypting and decrypting?
![encrdecr](https://cdn-images-1.medium.com/max/1600/1*4AXQNOrddQJud0fZJ3FNgg.png "encrdecr")
---
```
n = pq
e
phi = (p-1)(q-1)
d = e^-1 mod (phi) = e^-1 mod (p-1)(q-1)
# encrypt
c = m^e mod n = m^e mod pq
# decrypt
m' = c^d mod n = c ^(e^-1 mod (p-1)(q-1)) mod pq =
= (m^e)^(e^-1 mod (p-1)(q-1)) mod pq =
= m^(e * e^-1 mod (p-1)(q-1)) mod pq =
= m^(1 mod (p-1)(q-1)) mod pq =
[theorem in which we're not going into details]
a ^ (1 mod λ(N)) mod N = a mod N
[/theorem]
= m mod pq
```
---
# Signature
- encryption operation but using PrivK instead of PubK, and PubK instead of PrivK
- having a message `m`
- power of `m` at `d` of the private key from the signer person
- evaluated at modulus `n`
---
### Example
- private key of the person emitter of the signature: `d = 3, n = 33`
- message to be signed: `m=5`
- signature: `s = 5 ** 3 % 33 = 26`
### Naive code
```python
def sign(privK, m):
s = (m ** privK.d) % privK.n
return s
```
---
# Verification of the signature
- having message `m` and the signature `s`
- elevate `m` at `e` of the public key from the signer
- evaluate at modulus of `n`
---
### Example
- public key from the singer person `e=7, n=33`
- message `m=5`
- signature `s=26`
- verification `v = 26**7 % 33 = 5`
- check that we have recovered the message (that `m` is equivalent to `v`) `m = 5 = v = 5`
### Naive code
```python
def verifySign(pubK, s, m):
v = (s ** pubK.e) % privK.n
return v==m
```
---
# Homomorphic Multiplication
- from two values $a$ and $b$
- encrypted are $a_{encr}$ and $b_{encr}$
- we can compute the multiplication of the two encrypted values, obtaining the result encrypted
- the encrypted result from the multiplication is calculated doing: $c_{encr} = a_{encr} * b_{encr} mod n$
- we can decrypt $c_{encr}$ and we will obtain $c$, equivalent to $a * b$
- Why:
```
((a^e mod n) * (b^e mod n)) mod n =
= (a^e * b^e mod n) mod n = (a*b)^e mod n
```
---
### Example
- PubK: `e=7, n=33`
- PrivK: `d=3, n=33`
- `a = 5`
- `b = 8`
- `a_encr = 5^7 mod 33 = 78125 mod 33 = 14`
- `b_encr = 8^7 mod 33 = 2097152 mod 33 = 2`
- `c_encr = (14 * 2) mod 33 = 28 mod 33 = 28`
- `c = 28 ^ 3 mod 33 = 21952 mod 33 = 7`
- `c = 7 = a * b % n = 5 * 8 % 33 = 7`, on `5*8 mod 33 = 7`
- take a `n` enough big, if not the result will be cropped by the modulus
---
### Naive code
```python
def homomorphic_mul(pubK, a, b):
c = (a*b) % pubK.n
return c
```
---
# Small demo
[...]
# And now... practical implementation
- full night long
- big ints are your friends