## RSA

This module demonstrates step-by-step encryption or decryption with the RSA method. The sender uses the public key of the recipient for encryption; the recipient uses his associated private key to decrypt.

## Prime factors

The security of RSA is based on the fact that it is easy to
calculate the product *n* of two large primes *p* and
*q*.
However, it is very difficult to determine only from the product
*n* the two primes that yield the product.
This decomposition is also called the factorization of *n*.

As a starting point for RSA choose two primes *p* and
*q*.

For the algorithm to work, the two primes must be different.

For demonstration we start with small primes.
To make the factorization difficult, the primes must be much
larger.
Currently, values of *n* with several thousand binary digits
are used for secure communication.

## Public key

The product *n* is also called module in the RSA method.
The public key consists of the module *n* and an exponent
*e*.

This *e* may even be pre-selected and the same for all
participants.

## Secret key

RSA uses the Euler φ function of *n* to calculate the
secret key.
This is defined as

Here it is used that *p* and *q* are different.
Otherwise, the φ function would calculate differently.

It is important for RSA that the value of the φ function is
coprime to *e* (the largest common divisor must be 1).

To determine the value of φ(*n*), it is not enough to
know *n*.
Only with the knowledge of *p* and *q* we can
efficiently determine φ(*n*).

The secret key also consists of *n* and a *d* with the
property that *e* × *d* is a multiple of
φ(*n*) plus one.

Expressed in formulas, the following must apply:

e × d = 1 (mod φ(*n*))

In this case, the mod expression means equality with regard to a
residual class. It is *x* = *y* (mod *z*) if and
only if there is an integer a with *x* − *y* =
*z* × *a*.

For the chosen values of *p*, *q*, and *e*, we get
*d* as:

This *d* can always be determined (if *e* was chosen
with the restriction described above)—for example with the
extended Euclidean algorithm.

## Encryption and decryption

Internally, this method works only with numbers (no text), which
are between 0 and *n*.

Encrypting a message *m* (number) with the public key
(*n*, *e*) is calculated:

*m'* := *m*^{e} (mod *n*)

Decrypting with the private key (*n*, *d*) is done
analogously with

*m''* := *m'*^{d} (mod *n*).

This is

*m''* = *m*^{e × d} (mod
*n*).

RSA now exploits the property that

*x*^{a} = *x*^{b}
(mod *n*)

if

*a* = *b* (mod φ(*n*))

As *e* and *d* were chosen appropriately, it is

*m''* = *m*.

The order does not matter. You could also first raise a message with the private key, and then power up the result with the public key—this is what you use with RSA signatures.

## Messages

In the following two text boxes, you can see how the encryption and decryption works for concrete input (numbers).

## Used library

This page uses the library BigInteger.js to work with big numbers.

As a result, you can calculate arbitrarily large numbers in JavaScript, even those that are actually used in RSA applications.

The security of RSA is based on the fact that it is not possible at present to factorize the product of two large primes in a reasonable time. However, this is only a reasonable assumption, but no certain knowledge: So far, there is no known fast method. We do not know if factoring is at least as severe as other severe problems, and whether it is NP-complete.

### Attack with quantum computers

Due to the principle, a quantum computer with a sufficient number of entangled quantum bits (Qbits) can quickly perform a factorization because it can simultaneously test every possible factor simultaneously. So far, however, there is no known quantum computer, which has just an approximately large computing capacity. Thus, effective quantum computers are currently a myth that will probably not be ready for production in the next few years. However, factoring may be over in 20 years and RSA loses its security.

### Size of prime factors

The larger the prime factors are, the longer actual algorithms will take and the more Qbits will be needed in future quantum computers. At the moment, the product should consist of at least 4096 binary digits to be secure.

### Reuse of primes

Prime numbers may not be reused! If you have two products each consisting of two primes and you know that one of the primes used is the same, then this shared prime can be determined quickly with the Euclidean algorithm. And by dividing the products by this shared prime, one obtains the other prime number.

Early implementations of RSA made this mistake to reduce the time it takes to find a prime number. Also on resource-constrained devices it came in recent times due to lack of entropy. Current implementations should not commit this error anymore.

### Choice of primes

Basically, the primes have to be selected randomly enough. If only *n*/2-bit numbers are used for an n-bit number, this considerably reduces the search space for attackers. However, neither of the two primes may be too small to avoid an early hit via a brute-force attack with all primes. A clever choice between the two extremes is necessary and not trivial. The two primes should not be too close to each other, but also not too far apart.

### Other great implementations of RSA in the browser

https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSAWorksheetv4e.html

This let the user see how (*N*, *e*, *d*) can be chosen (like we do here too), but also translates text messages into numbers.

Here you can input the message as text (it is assumed the user already has chosen *N*, *e*, and *d*).

Both are from 2012, use no arbitrary long-number library (but pure JavaScript), and look didactically very well.

### References

- https://en.wikipedia.org/wiki/RSA_(cryptosystem)
- https://en.wikipedia.org/wiki/Integer_factorization
- https://en.wikipedia.org/wiki/NP_(complexity)
- https://en.wikipedia.org/wiki/Quantum_computing
- The CrypTool book, chap. 4 with further references