 So in summary, we have a public key encryption algorithm. Remember public key encryption. Encrypt with one key, decrypt with another. So we don't have a shared secret. We have one secret key and one public key. And there are different algorithms to do public key encryption. RSA is one of them. The encryption is easy. The encryption is conceptually easy. Take your message, raise it to the power of some number e, mod by n and you get your ciphertext. Where m is an integer, less than n. So that's the condition there so far. So you treat your message as an integer. So you need to somehow map it to a number. And m must be less than n. Decryption is that we take the ciphertext, raise it to some power d and mod by the same n. And we need to get the same m back as we started with the input. The key generation steps are such that there's two reasons. One is we must choose the keys which really are the values of e, n and d. We must choose them such that we do get the same m back. It's no good if we encrypt, decrypt and get the wrong plaintext. So the key generation steps are chosen such that we will get the same m back. No matter what the value of the original plaintext. And the other reason they're chosen is so that attacks will be not possible in practice. So that's why the key generation steps are these three steps. So what we got to yesterday is we're trying to explain why we'll always get the same m back. So this was from yesterday, from Tuesday. If we start with some, these are the two equations for encryption and decryption. If we look at the decryption equation, when someone decrypts some ciphertext, the m that they get must be the same as the original plaintext. So what I've done is said, okay, if we take c, our ciphertext, raise to the power of d mod n, the answer will be some m prime. We need this m prime to be the same as the original m where c was obtained by taking the original m and raising to the power of e mod by n. So I substitute c with this part of the equation and we put m to the power of e mod n inside the brackets, raise to the power of d mod n and then we solve for this side as much as we can. And one of the characteristics of modular arithmetic with multiplication and therefore exponentiation is we can, and you can check, you can do the full expansion into multiplication. m to the power of e mod n all to the power of d is the same as m to the power of e to the power of d mod n and same with your normal arithmetic, m to the power of e to the power of d is m to the power of e times d. So that was the step I did from here to here. m to the power of e d mod n mod n, same. And as you should know with mod, when you mod a number and then you mod this, that answer with the same modulus, you'll get the original number back. So some number mod n mod n is the same as that number mod n once. Modding again doesn't change the value. 23 mod 10 is 13 or that's a bad example. 13 mod 10 is 3, mod 10 again we get 3, mod 10 again we get 3 and so on. So modding multiple times is the same as modding once. So that's why we effectively cancel out this mod n, we remove it. So what we get, the decrypted plaintext m prime will equal the original plaintext m raised to the power of e d mod n. What we need is values of e, d and n such that m equals m prime because our requirement is that the received plaintext m prime must be the same as the original plaintext m. So then we ask ourselves, what values of e, d and n can we choose such that m prime will always be the same as m? And that's when we take advantage of Fermat's theorem, is that right? Where we said Euler's theorem, correct. Euler's theorem, back in the number theory lecture notes said one form said, looking here, some integer to the power of some, actually this one. Euler's theorem says some integer a to the power of the totion of n plus 1 mod n is always equal to a. That's Euler's theorem. That's given, we know that. So if we have some integer, raised to the power of the totion of the modulus and plus 1, we'll get that integer back as the answer. We use that to satisfy the conditions for our RSA decryption because we see the RSA or this equation here has a similar structure. We want m prime and m to be the same. So the question is what values of e, d and n such that they will always be the same? Well, if we can write this equation, I'll just replace m prime with a, m with a and compare these two. We know this one's true. We've got an equation in this form. So that means if we set e, d to the totion of n plus 1 we get our equation in the form of Euler's theorem. In other words, if e, d equals the totion of n plus 1 then this equation would be m prime equals m to the totion of n plus 1 mod n which is in the format of Euler's theorem which tells us m will always be equal to m prime which is what we require. So this is leading us to the conditions for choosing the keys, the key generation steps. So the current state is we say e times d must equal the totion of n plus 1. The other way to think of that, if we take e, d and divide by the totion of n the remainder should be 1 because if we divide both sides by the totion of n this one will give us 1, this will give us e to the d divided by n or we think of it as a modulus. Let's consider that and continue with our equation. We rushed that last week. Why is this true? e times d, let's have an example just to the right. Let's say we have 21, if 21 equals 20 plus 1 we can think of that as 21 mod 20 equals 1. Mod 20, remember we effectively divide and what's the remainder? If we have 20 plus 1, if we mod this by 20 the remainder will always be this plus part. So if 20 plus 1 mod by 20 the remainder would be 1. So that's the concept we're using there. e to the d, no e times d equals the totion of n plus 1 so if we mod this by the totion of n the remainder will always be 1. So we can write it e times d mod the totion of n equals 1. So that's the condition so far for key generation. The next step is choose an e, d and n such that that is true. Choose e, d and n such that this equation is always true. Well to find an answer this says e and d are multiplicative inverses when you times them together and you get 1 as the answer. In our normal arithmetic you times 2 numbers together and you get 1 as the answer then we say they're inverses of each other. The same concept. When does a number have a multiplicative inverse coming back to our number theory a number has a multiplicative inverse when that number is relatively prime with the totion of n. So we need to choose some number say e which will have a multiplicative inverse d and the conditions is choose an e. So let's say we choose any e. Not all values have a multiplicative inverse in the totion of n. The values that we know do are those that are relatively prime with the totion of n. So choose an e such that I will note here at rp relatively prime e and the totion of n are relatively prime. In other words the greatest common divisor of these two values is 1 equals 1. If we want to be able to find a multiplicative inverse we need to choose an e which is relatively prime with the totion of n or has a greatest common divisor with the totion of n of 1. And there are multiple values there. And if we can choose an e which meets that requirement then we can find a d and then we have values that make sure that RSA decryption will always work. Once we can choose an e we can calculate a d. There are algorithms to do that reasonably efficiently. To calculate the multiplicative inverse there are algorithms that would do it for us when we have large numbers. What we've done is shown for RSA to work we must choose an e which is relatively prime with the totion of n or the greatest common divisor of e and the totion of n equals 1. If you go back to your lecture notes that's what we did this step too. We chose an e where the greatest common divisor of the totion of n and e is 1. So that's why we did this step to make sure that the decryption will always work. We can calculate d, that's step 3 and therefore RSA always is successful if we choose our numbers according to this key generation steps. The first step, why did we choose two primes finding the totion of n for a large n is hard unless n is the multiplication of two primes that we know of. That's why we chose the first step. So calculating the totion of n for an arbitrary n we can not always do. We can only do it quickly if n is the multiplication of two primes that we know and that leads us to the first step. So, should be able to prove RSA in the exam in next year. Prove that RSA works is something you should be able to do in an exam. Let's attack RSA which you should be able to do in an exam as well or let's look at the avenues for attack. What can an attacker do to A, try and find the plaintext and B, try and find the private key and then we'll look at why is RSA secure? Let's have a look what we require for RSA. What we just went through is the first one. We said for RSA to be able to decrypt we must be able to find values of E, D and N really the key values such that m to the power of E, D, mod n is equal to m for all m less than n. And that's true when we choose them according to that key generation step. The other requirement is that the normal user when they encrypt something it should be easy to calculate m to the power of E, mod n. And when they decrypt something it should be easy to decrypt. When I say easy it means it needs to be fast to do it with computer when we use large numbers. So that's the requirement to make it practical. If it takes 10 years to encrypt a file with RSA then it's not very practical. So we need it in the order of milliseconds, for example. So it should be practical to use that step two. Step one is saying it always decrypts successfully. Step three is saying that the attacker should not be able to find the secret values. Should not be able to find D given E and N. Let's see what the attacker can try and do. Has everyone got the lecture notes in the copy centre? I put them in on Tuesday after someone reminded me in the lecture. They're still not there? Okay, so you've got blank paper. Yes, so someone reminded me there's the new batch of lecture notes which cover these topics are in the... Well, I put them in the copy centre on Tuesday. Choose the afternoon after the lecture. Has anyone checked today? Yes, they're online as well. But the new handout should be in the copy centre. Yes, bound. As the instructions I gave them, it should be bound but maybe it's taking a long time to copy. Sorry about that. You have to survive for today at least. Let's attack RSA. Let's find our example. We had an example. A simple example we went through on Tuesday. We said that to generate the key we choose two prime numbers, P and Q. I chose 17 and 11. Okay, the small numbers so I can calculate. I calculated N, just multiply the values together. I get 187. And then I calculate the totion of N and I use this property that the totion of some number which is where we know the two prime factors. We know the prime factors of N. They are 17 and 11. Then the totion of that number is the totion of those two prime numbers multiplied together. So we can simply calculate the totion of N to be 160. Totion of 17 times the totion of 11. 16 times 10. So this is what I do to generate my keys. I selected some E, some integer which is relatively prime with 160. I chose 7. There are multiple answers I could have chose. I could have chose 3, 7, 9, 11. I chose 7. Okay, so you need to choose one. We'll talk about which one's appropriate later. Once I choose E then I calculate D such that E times D mod 160 equals 1. And we go through and you find quite quickly that 7 times 23 is 161. 161 mod 160 is 1. It gives us our key pair. The public key of B, some user B who generated this key. We think of E is 7, N is 187. And the private key of B, D is 23, N is 187. The same value as the public value. So in fact the private value is D. By private we must not tell anyone what the value of D is. E and N we tell everyone. It's public but D must be kept secret. Turns out also P and Q should be kept secret. Don't tell anyone P and Q. So we'll look at what the attacker can do. One last step we did. We encrypted something last lecture. We took some message, 88. We used the encryption algorithm, 88 to the power of E mod 187 using the calculator 11. And then we sent the ciphertext 11 to B and B decrypted 11 to the power of the secret value D mod 187 and with our calculator we found it was correctly 88 original M. Let's attack and see what the attacker can try. First we'll try if they have the ciphertext only. So A sent a message to B and the attacker intercepted. But what was the message? Well it was C equals 11 in our case. The attacker intercepts. What can they do? Well we look at what the attacker knows. The values that they know. The known information to the attacker. The algorithm is known. That's common. We assume the attacker knows what algorithm is used. RSA. So they know all the steps of the algorithm. What else do they know? They know C equals 11. They've just intercepted the ciphertext. What other information does the attacker know at the start? Any other values? E and N. So they effectively, well they know the public key. By definition it's public. The attacker can know it. The public key of B which was E equal to 7 and N 187. So that's known to the attacker. This public key is known. They don't know the private key. In particular they don't know D. Currently they don't know M. How do they find M? Find the message. Try and find M given those values in the algorithm. Well remember we know the algorithm. So M. What does B do to get M? B takes C to the power of D mod N. That's what B does. So the attacker knows these values. The equation for decrypting is you take the ciphertext raised to the power of D mod N and you get M. That's no good for the attacker. Not yet at least. Because look at the values that they know. There are too many unknowns. They know N. That's good. They know C. They want to find M. They're missing D. You cannot solve that equation. If there are two unknowns and four variables you cannot solve it without other information. So what can the attacker do now? They want to find M. To find M they'll need these three variables. They know C and N. C is 11. N is 187. Therefore they need to find D. If the attacker can find D they'll easy to find the message. They'll make 11 to the power of whatever value D is. Mod by 187 and they'll get the message. So the challenge now for the attacker is to find D. But let's make it a little bit easier for the attacker. We'll come back to we'll see some approaches to find D in a moment or how they can do it. Let's go through them now and then we'll make it easier. What about brute force? Brute force is if to find D try all possible values. So, remember the message in practice would have some meaning. So a brute force could be take your ciphertext, raise to the power of 1, mod N. Do we get a message that has some meaning? If not raise to the power of 2, 3, 4, 5 and keep going until we get a message that has some meaning. So a brute force try all possible values of D. So that's the brute force in this case. How do we stop a brute force? Make D large. Make it large enough even if you have to try all possible values it would take forever to do so. So that will be one requirement that D should be large. We know normally 100 bits or more if it's 100 bits long it should be long enough because it will require 2 to the power of 100 operations which would take too long to calculate. So brute force will not help if we make D large enough but let's make it easier for the attacker. Let's say they have obtained a message from prior communications and the corresponding ciphertext. So let's give them some more information to give you a value. Okay? Let's go through. I was going to make it easier but let's go for the full way. Alright? How do we find D? Well, you're right that in the key generation step the attacker knows these steps. They know that the user created their key this way. So they want to find D. Well, how do they find D? They know that D times E mod the totion of N equals 1. Let's write that down. The other thing that we know is that E times D mod the totion of N is 1. And we know E is 7. So we know that 7 times D mod the totion of N and we know N is 187 equals 1. So this is known to the attacker. So now from the attacker's perspective if they can find D here they will break RSA. What do you need to do as the attacker now? What's your next step? No brute force. Let's be smarter. Correct but go slower. From this equation what do we do now? What's the totion of 187? Because I gave the answer last lecture. Let's look at the steps that we need to take. We need to know the totion of 187. How do we do that? Let's say I ask you to do it manually. You take 1, is it relatively prime with 187? 2, 3? That's like a brute force attack. Try all possible values of 1 up until N-1. But you know there's a faster way. How do you quickly find the totion of 187? Find the primes. That is factor 187 into its primes. So that will quickly find us the answer. What are the primes? The prime factors of 187. So you know because we went through the answer last week because that's what we did with generating the key. But the attacker's challenge is given N, remember this is N to find the totion of N we've got two approaches. One is to factor it into its primes. Once we factor it into its primes then we can quickly calculate the totion of N because it's just the prime 1 minus 1 times prime 2 minus 1, p minus 1 times q minus 1 in our setup. What's the other approach? Really brute force of simply for all values of N have an algorithm to find let's say how can we describe it? The totion of N is generally check whether the numbers are relatively prime 1 and 187 2 and 187 relatively prime between 2 and 187 3 and 187 up to 186 and 187 187 So two ways to find the totion of some number. One is the slow way take every number up until that number one less and check if it's relatively prime with that. 1 and 187 are they relatively prime? 2 and 187 3 and 187 up to 186 and 187 count them and you have the totion. The other way which is a little bit easier is to factor that number N into its primes and then we can immediately calculate the totion of N. Okay in the exam I could say here's 187 find the answer, find the totion you can. The problem is we can't do either if N is large enough if N is very big factoring N into its primes is considered a problem that's too hard to solve it takes too long and the other way of trying 1 up to N minus 1 again is if N is very big there's no known algorithm that can do that in reasonable time. So although we can do it with 187 if we chose bigger values instead of 187 a 4000 bit value factoring or doing the direct solving of the totion is impossible. Let's see the lecture notes that describe that and this was also mentioned in one of the last slides in the number theory lecture notes you'll see in the last slide there there's something about the computational complexity there are three problems we listed which are hard that is take too long if we have large numbers factor N into its two prime factors that was one we just saw and determined the totion of N directly so the brute force on the totion of N that's the attacks and I'll go back to the number theory let's find it we've said that integer factorization take N break it into p times q is too hard to solve if N is large enough I'll give you some more statistics later but we mentioned that N which was about 230 digits long took 2000 years to solve of computer power was done in parallel nowadays N is typically 2000 bits 4000 bits long solving Euler's totion given some N without factoring N to into its primes is also considered hard in fact harder than factorization so if it took you 1000 years to do the factorization it would take you longer to do the totion solving directly so no use trying that and this is where the security of RSA comes in if we choose large enough numbers we can't solve these problems with 187 it's easy but choose a 4000 bit number for N factoring it can't be done in reasonable time calculating the totion by looking at the numbers relatively prime with N can't be done with reasonable time so we can't do that as long as we have large numbers so any other ways to find D if we can't do that so if we can't find the totion of N then we don't know what we mod by and therefore so this is an unknown and D is an unknown and we cannot solve that equation we've got two unknowns so if we can't find the totion of N we can't find D if we can't find D we cannot decrypt and RSA so far is secure any other attacks you can try how else in the exam are you going to break RSA how are you going to try and break it let's give you and now let's make it easier for you that is the attacker and give you some more information we said in this case the attacker knew the ciphertext and the public key their aim to find M the original message and to find M you need to find D so in fact if you find the private key you can find M easily so the aim really is to find D and we said that if we try to do it by getting the totion of N we cannot do that but let's give the attacker more information let's give them a known pair of ciphertext and plaintext let me give you a value so what does the attacker know from before we knew some ciphertext 11 we knew E was 7 N was 187 and let's say we've somehow captured a message of plaintext M and the corresponding ciphertext which was created using the same keys we've captured as the attacker M1 equals some other value 17 and the corresponding ciphertext when we encrypt M1 using the same key is 85 a known pair of plaintext ciphertext for the attacker again the challenge find D if you can find D you can find M how do you find D so this is easier for the attacker because we also give them a known plaintext ciphertext pair that is M1 17 was encrypted using the key and we got the plaintext 85 so we know a value of M well let's look at our equations and see what we can do we know that we want to find D we know that M equals C to the power of D mod N so what does the attacker know in this equation they know the M they know C they know N they don't know D we're trying to find D we have an equation here four variables three known one unknown easy to solve how do we solve that so you have an equation four variables three of them are known one is unknown you should be able to solve the equation write what do you do to solve the equation that is find D if you know MCNN in terms of what operation do you need to do to get D log we know C to the power of something mod N equals something what's the inverse we want to find the exponent and that's what a logarithm does a logarithm gives us the exponent in this case and we call it a discrete log when we have a modulus going back to the way to write it the discrete log of in base C with mod N of M equals D I'll write D at the front so I know C as the attacker I know M I know M we have those values above we have M is 17 C is 85 we know those three variables so all we do is solve the discrete logarithm and that's another hard problem if the values are large enough yes, yes there is we'll talk about some typical values but yes we can roughly know the size of D it's about the size of N so it's about maybe 2,000 bits long so yes we can know approximately the size of D and maybe even exactly the size but we don't know the value if it's 2,000 bits long you've got 2 to the power of 2,000 possible values so brute forcing D trying all possible values of D won't help here so we need to solve the discrete logarithm coming back to our number theory our last slide we said another problem which is hard is solving discrete logarithms so solving a discrete log takes longer or comparable time to integer factorisation so if it takes you 2 million years to factor the integers it's going to take about 2 million years to solve the discrete log and a bit longer to solve Euler's Totion so therefore we can't break RSA as long as we have the numbers large enough and that are the main attacks or the avenues for attacks and that leads to the reason why RSA is secure in general because even though mathematically we can find Euler's Totion factor numbers, discrete logarithms in practice we can't do it in reasonable time so RSA's security depends upon these mathematical problems that is no one knows any algorithm to solve the mathematical problems for breaking RSA if you can come up with an algorithm for factoring some large number into its primes you'll rule the world that is you can break into banks steal money do what you like but no one at this stage there's no known algorithm for doing so any questions so far on RSA so we've saw three avenues one is to break, let's go back one was the two different approaches to solving the Totion the brute force approach takes too long factor the N into its primes and then the Totion is easy but factoring into primes takes too long so those two won't work if N is large enough and then the third one was in fact we can easily know that RSA and plaintext solve a discrete logarithm again if our numbers are large enough too long so RSA is considered secure what have we got next of these three problems integer factorization solving oil as Totion discrete logarithms it's generally considered that the easiest of the three is integer factorization that it's if you're going to do an attack on RSA try and factor N into its primes because that will be the fastest of the three approaches but still if N is large enough faster still means impossible so the measurement of the security of RSA is usually measured in terms of how long it takes to factor some number into its primes let's go back to the RSA lecture notes here's some values that reported and getting old so there was a competition people have tried in the past given some large N factor into its two primes and in 1991 the largest value that was done was around 100 digits 330 bits 330 bits are about 100 decimal digits but then people come up with better algorithms and with faster computers in 2009 someone reported that they could factor a 232 digit number into its primes it took 2,000 years on a single core computer at that stage so of course they had many computers but equivalent to using one computer for 2,000 years and they could factor this number into its primes and that's with N so this is in fact the length of N in RSA 768 bits at that stage of course computers got faster about every two years they get double the speed the recommended values for N in RSA the typical values are 1,024 2048 4096 bits of N and recommended today is usually 2048 or 4096 most new applications would be 2048 bits so 768 bits took a lot of effort even though it's five years ago increasing the bits one extra bit effectively doubles the effort remember so from 768 up to 1,000 is another 250 bits so the amount of effort is 2 to the power of 250 times larger so still considered impossible so the attacks on RSA one is brute force D try all possible values of D how do you stop a brute force? make D large enough if D is larger than hundreds of bits then brute force is not possible and in fact the way to use RSA is make sure D is large enough of course the larger D is the slower the implementation is and we'll see some results on that shortly so brute force is not considered possible and then the mathematical attacks that we looked at factor N into its primes determine the totion directly without factoring or calculate the discrete log to determine D all considered impossible with large enough values there are some other attacks which are very specific attacks in certain circumstances timing attacks in particular operations turns out some of them are possible but there are counter measures that are not too hard to implement that make it secure against such attacks maybe at some performance penalty slows down the encryption but still makes it secure anyone who survived through RSA today and is still interested tomorrow lunchtime midday I'll give a presentation about one of the latest timing attacks so if you want to come let me know and I'll let you know the room at the end of the lecture today what have we missed we've gone through RSA how long does it take to encrypt with RSA everyone's done their homework most people have been doing I've seen about half of the submissions that's encrypt with RSA let's use our speed test you've used openSSL to do some encryption with different symmetric block ciphers it also supports RSA I have to remember that I'm sure everyone had similar problems with max and speed correct so my computer is doing some RSA encryptions don't worry too much about the private RSA and so on we'll give the summary results at the end it takes a bit of time it tries different lengths of keys a 512 bit think of the value of n now it's doing 1024 bits it does it slightly different from block ciphers and symmetric ciphers we'll see later that they are used differently than symmetric ciphers like AES but once we get to the end summary statistics now it's trying 2048 bits the longer the length of n the longer it takes to encrypt but it does 10 seconds for each I hope it just does 2048 and stops let's do 4096 another 20 seconds we'll get there everyone's done this in the homework but using different algorithms and you get different output with your algorithms you can print some output of what version of open SSL it used and then it gives a summary down the bottom for different length keys or different lengths of n from 512 up to 4096 bits we'll come back to why sign and verify but let's try and look at the fastest with 1000 start with the easy one 512 bits the fastest value the number of think of the number of encryptions per second 189,000 or about 190,000 encryptions per second you can do that that's in fact using the public key E so this operation is using some value raised to the power of E mod n the other one's sign is using D the private key which is much slower anyone want to guess why some number to the some random number to the power of E mod n sign is using some random number to the power of D mod n power of D mod n is much, much slower 15,000 versus 190,000 10 times slower anyone want to guess why so you remember you don't have them in front of you M to the power of E mod n results here and we're not going to explain why but this is the verify column and the other operation M equals C to the power of D mod n same N is the sign operation and what OpenSSL does is tries random values and tries to encrypt them we see sign is about 10 times slower less than, more than 10 times slower than the verify same mathematical operations number raised to the power of E mod n the difference in practice is that E is usually small small value and D is big large and as you may expect taking some number and raising it to a small value is faster than taking a number and raising it to a large value so signing uses the D value the private value 15,000 decryptions per second anyone remember their results of using AES, triple desks, camellia blowfish from your homework some people decrypted I think you probably get around and it's measured differently about 100 up to several hundred million megabytes per second 100 megabytes per second 100 million bytes per second it's hard to compare directly but 100 million 128 million bytes per second if your block is 128 bits gives us 8 million encryptions per second so with AES and those similar ciphers we're getting millions of encryptions per second with RSA we're getting about 15,000 per second in the worst case here so it's much much slower than a symmetric block cipher like maybe a thousand times slower so that's a problem with RSA it's very slow you increase your value of N but in 12 bits up to the much much more secure 4096 bits fine 86 encryptions per second from 15,000 down to 86 so very very slow with a larger value so this is the tradeoff increasing security by having a larger N decreases performance so you need to choose an appropriate tradeoff so you don't just choose but just key possible you make a consideration of also the performance now we will not go into details here but it turns out RSA is slow in terms of implementation people have made some optimizations that try and speed up the implementation and in fact OpenSSL uses some optimizations and the common optimization is instead of taking C and raising it to power of D you do an exponentiation with a large D that's very slow what they do is that they create two intermediate values instead of getting D they find there's Dp and Dq and they do a module I expect exponentiation with the two smaller values C to the power of Dp and then C to the power of Dq and it turns out it's not so much interest today but it turns out that it's much faster about four times faster instead of doing one number raised to a very very large number you do that number raised to a number half of that size twice so instead of raising to D you raise to a number of about half the length of D and then do it again it's about four times faster so there are ways to improve the implementation same calculations, same results at the end though same security level and it means that normally to improve the speed you don't just store N, E and D you store some intermediate values you store N, E and D you store P and Q and also some other intermediate values are often stored sorry, this is from the person who generates their key this is the step this is not from the attack this is going back where are we normally we generate when I generate my keys I get we've said E and N are my public key D and N are my private keys so I really need three values to store and use for later E, D and N but to speed up the implementation the algorithm uses some intermediate values and in fact when you generate your own key you have N, E and D but you also store the initial primes so when I generate my key I know P and Q because I chose them I store them and I know these intermediate values because I calculated them so in practice when you have your own key pair there are two public values N and E, you can tell anyone your values of N and E and the private values which are usually stored on your computer for yourself and must be kept secure of course the N and E which are made public but also D, P, Q and these intermediate values and they use just to speed up the implementation to make it faster when you generate your own key and you do it in another homework after the midterm you generate your key and you'll see these values so you can generate your key and see the actual values I'll see if I can find an example I've got an example key that I'll show to see those values and I've generated a key from a previous time so this is I use OpenSSL to generate my own key pair and I made that the public information available to others so this is my private key information and we can look at the values P key input is my key and let's output into text this is my private key and it's encoded there not encrypted encoded but later it shows me the actual values my modulus N 2048 bits of course it's not shown in binary it's shown in hexadecimal here but you can count the digits 2048 bits that's N E we say the public exponent it's the exponent and it's one made public that's E here's the decimal value 65,537 and that's very common most implementations of RSA will use the same value of E and it's public so it doesn't matter if everyone in the world has the same value and it turns out that this value is good for implementation purposes it's considered secure and also fast other values the larger it gets the poorer the performance so E is usually known or fixed then the private exponent which is my D my value of D is the same length of N there's my D you need to guess that value if you don't know it and then the following values are also private to me remember with the key generation we choose two primes prime 1 and prime 2 OpenSSL chose them for me and these are the prime numbers they're about a thousand bits long so one thousand the prime multiplied by another gives us our 2048 bit value of N so a thousand and twenty four bits a thousand and twenty four bits for the two primes again these must be kept private the primes must be kept private secret and then the exponent 1 and the other values exponent 2R and the coefficient they are these intermediate values which are used to speed up the implementation so that's where in a private key we store all these values I don't show anyone my values the values of N and E I put in another file and make them available to everyone on a website and an email or however and then you can use my public key some final points about the performance of RSA how fast it is to implement again, generally it's very slow so there are some optimizations to try and speed it up we've seen a couple we're using modular arithmetic so in fact we take one number, raise it to the power of some other large number that can be very slow so there are some properties of modular arithmetic that can speed that up choosing E typically you choose a fixed value so there are some popular values nowadays 65,537 is the default in most cases doesn't make it any less secure but it makes the performance faster usually if it's too small E there are some special attacks but you can usually overcome them by adding some counter measures so nothing practical choosing D of course it cannot be too small the larger D is the slower the encryption using D is but there are some algorithms to make it reasonable using even a large D so there are some algorithms that speed up the implementation the Chinese remainder theorem and Fermat's theorem can help with the implementation choosing P and Q choose two large prime numbers is not easy even for a computer so what they usually do is you choose two large random numbers a thousand bits long and apply some tests to see if they are in fact prime and the tests may not be 100% they may even give some probability of confidence that they are indeed primes finding large primes is a slow task so usually they choose large numbers and then test if it is prime so the generation of P and Q may take a little bit of time when you generate your keys with OpenSSL you can actually see it takes in some cases maybe a second or so to generate them and that brings us to the end of RSA it's a very important algorithm it's the main public key algorithm used and it's still used widely even though there are some special attacks it's still considered secure in the general case so it's important to know how it works when we come towards the end of the course we'll see when you connect to a website and using HTTPS you often see that secure icon in your browser to show you've got a secure connection one part of that is you get a certificate from the web server trying to confirm this is in fact the right web server it's not something pretending to be that web server those certificates make use of RSA commonly so we'll see them come up in practice later let's stop there for today we still have one remaining lecture before the midterm Thursday so you're going to have a long new year break but come back Thursday and Thursday there are a few slides I skipped over before here we will not go on any further so we'll stop there but there are a few slides that we need to recover that we skipped over we'll go back to them and then maybe have some examples and talk about the exam on the lecture on Thursday