 So we've gone through the RSA algorithm. We've looked at the steps for generating the key, encryption, decryption, which use the same algorithm, but just use our parameters in a different order. We do what's called modular exponentiation. Exponentiation, raise a number to a power mod n. And we've seen that the key generation is performed in these steps. Why? Because it produces values such that we can always decrypt. The way that e and d and n are chosen are such that if we take some message and raise to the power e mod by n, the result, when we raise to the power some other number d mod by the same n, gives us the original message. We need that for successful decryption. And the other reason they chose in that way is so that it's secure, so that even with one of those values, e and n, the attacker cannot find the other value d. Yeah, OK. Here's my public key. Find my private key. So the next five minutes, if you can solve this, then you're on the way to at least one question in the exam next week. So my public key, find my private key. Doesn't take long. It takes a little bit of guessing. And you'll get my private key. But it requires some knowledge of the algorithm. So the public key we usually denote as both the exponent e, in my case 7, and the modulus n, 299. Give you three or four minutes to find my private key. Just the private key. No ciphertext. Just find my private key. You don't need a laptop. No, you do it in your brain faster than you can program. This is what you'd be doing in the exam next week. So look at the algorithm and see, OK, given e and n, try and find the private key. So think of what's known, what's unknown, and then how do you get from those knowns to unknowns? So what value are you trying to find? Don't yell out the answer. But if you have the answer, then let me know. And I'll come and check. Everyone try, because if you can do this, you've got probably one part of a question in the exam successful. 
And you can focus on other parts in studying over the next week. What are you looking for? What parameter? I've given you PU, the public key of me. I want you to find my private key, but specifically what value or what parameter? d is the one that's secret or private. We often write the private key, the private key in the corresponding key pair. Some value d equals what? That's your challenge. Often because when we use the value d, we also use the same value n. We often write n as part of the private key as well. But it's the same n. You know that n. Find d. So the secret thing is d, and n is not secret. It's public. Put your hand up when you have an answer. This is, problems like this are similar to what's in the upcoming exam. You need about five minutes to solve it in the exam and then you can do the other questions. Sometimes it requires a little bit of guessing. So think about what's the next step. You want to find d, then you calculate what? Calculate p and q. That may help. But you need to be aware what p and q are related to. Go back to how the keys were generated. These are the steps I use to come up with the key. I came up with my value of public key, e equals 7, n is 299. And my private key d, I'm not telling you, and the same n, 299. I come up with these values following these steps. So you as the attacker, you need to find my value of d and you know the steps that I used. So it shouldn't be too hard. Keep trying. Let me know when you have... Don't tell everyone. When you have d, put your hand up. Come on, if you can find d, you can break RSA. RSA is used when you visit a secure website. The certificates to confirm that the web server is who it says it is, is usually using RSA. Email. Some email applications use RSA. Many different applications use RSA. So you know the algorithm, find my private key. So think what step you're going to do next. There's no ciphertext, no message. So you can ignore the encryption and decryption parts. 
All I'm giving you is the public key. This is of no help because I haven't given you a ciphertext and I haven't given you and therefore finding some message isn't going to be impossible. So this equation is of no help. The encryption, same as decryption. There is no ciphertext. So it's not about decrypting ciphertext. It's about finding the private value for my key pair. So focus on the key generation steps. Try and generate the keys in the same way that I would have done it. To do so, you need to work backwards a little bit. So don't worry about the encryption and decryption algorithms, focus on the key generation algorithm. No use, no use. Focus on how I generated the key. Just delete this line. I'm not going to help you in this problem. In others it may, but not in this one. If you don't know where to start and you want to write something down, focus on these three steps. That's what I did to generate these keys. I chose two primes, p and q. I calculated n. I selected some e, which is relatively prime with a totient of n. That is, the totient of n and e have a greatest common divisor of 1. Then I calculated some d, which is a multiplicative inverse of e. That's what I did, and I ended up with e equals 7. n is 299, d is, I'm not going to tell you yet. So given those steps, try and find my value of d. Let me check, I don't think so. Got a value yet? Anyone got a value of d? It's not a trick question, you can get it. And you need to be able to get it to solve the exam questions. Exams will be similar to this, the RSA questions. The last step I see some people try and takes a few attempts. Let's get people started for those that haven't got anywhere. Now, what I did, the first thing I did is I chose two primes, p and q, to calculate n. Then I calculated the totient of n. I select an e relatively prime with a totient of n and then calculate d. You're looking for d. You know e. So let's write down the things that you know as the attacker. 
You know that e and d are multiplicative inverses in the totient of n. You know e times d is 1 when we mod by the totient of n. That's what the third step in the key generation tells us, that when we multiply e and d together, we'll get 1 when we mod by the totient of n. We know e, we know n, we want to find d. So 7 times something mod the totient of n and we know n is 299 equals 1. e times d, 7 times d will be the same as 1 when we mod by the totient of n. Or in other words, 7 times d mod the totient of n equals 1. The remainder is 1. That's effectively what this third step says. d equals the inverse of e, the multiplicative inverse of e in mod the totient of n. d is an unknown. So to find d, you now need to find the totient of 299. Two ways, the long way and the short way. You need to find the short way. So next step, find the totient of 299. Do you want to have a value? Sorry? What's your value for d? I don't have a value for d. You don't need one. It's not the first one, but it's close, I think. Let's try. So now I'm trying to find d. I need to know the totient of 299. Remember the definition is that it's the number of numbers less than 299, which are relatively prime with 299. That's the definition of the totient. But counting all of those numbers, one up to 298, and checking if they're relatively prime, takes too long, or at least for this exercise, without a computer. We need to take advantage of the fact that 299, the other knowledge we have, is n equals p times q, where these are primes. And the totient of n, in general, is the totient of p times q. When p and q are prime numbers, the totient is easy to find. Turns out it's the totient of p times the totient of q. And the totient of a prime number is that number minus 1. So this is the first thing that we take advantage of in RSA, one of the properties of the totient function, Euler's totient function. The totient of a prime number, p, equals p minus 1. OK, we'll check in a moment. 
p and q are both primes. That's how I chose them when I generated my key. So the totient of p times q is, in fact, p minus 1 times q minus 1. So the totient of n is p minus 1 times q minus 1. I know n is 299. We're trying to find the totient of 299. The quick way to find it is to find p and q. Because if you know p and q, the totient of 299 will be p minus 1 times q minus 1. So the next step that you need to solve is n is 299, which equals p times q. Remember, p and q are both prime numbers. What are two primes that when we multiply them together, we get 299? That's the challenge here. We factor 299 into its primes. Any number can be factored into primes. We know that 299 has two prime factors, because that's how I chose it according to the algorithm. How do you solve that? How do you factor that into its primes? Yeah, I think that's correct. I forget. Yeah, that's correct, good. Primes found d, but before we get there, how do you factor 299 into its primes in the brute force? Well, yeah, intelligent brute force. Let's try some primes. That is, 299 divided by some prime number should equal some other prime number, prime integer, or an integer. Yes, it's that number. So 299, let's try some primes. What's the smallest prime? 2. Does 299 divided by 2? No. So 2 is not a prime factor. What about 3? Does it divide by 3? No, because 300 divides by 3. Does it divide by 5? No. What's the next prime? 7. So you try 7. 209 divided by 7. Do you get an integer? Try. Calculate ahead. No. 11 is the next prime. It doesn't divide by 11. 13, it does divide by 13. What do you get when you divide 299 by 13? 23. 23. So we've found p and q, p, 13, q, 23. Doesn't matter the order. Not important here. Now it's easy. So the first step was easy. The first step, well I did nothing. I just wrote from the algorithm that this is what I need to solve. The next step, find the totient of 299, involved some thinking, involved trying some different primes. And we eventually got the answer. 
Now that tells us the totient of 299 is p minus 1 times q minus 1. 12 times 22. 264. So we took advantage of this characteristic of our totient function. The totient of 2 primes multiplied together is p minus 1 times q minus 1. Now go back to what we know. 7 times d mod the totient of 299 equals 1. Let's write it again. 7 times something, our d, mod the totient of 299, which is 264, equals 1. Where the something here is d. And it's an integer. Again, how are you going to find d? What number multiplied by 7, mod 264, gives us a remainder of 1? Well, think, 7 times d, we can test, at least in the manual approach. 7 times something, maybe we try does it equal 265. Because if 7 times our d equals 265, and then 265 mod 264, we'll get 1. So if we have an integer multiplied by 7 and get 265, we've found our d. So then the question is, does 265 evenly divide by 7? Now you try, 265 divided by 7, do we get an integer? You have to try calculator or brain, and no, you don't. Let's get a calculator just to confirm for everyone. Yeah, so in fact, there are algorithms that will do this quite quickly, that will find this. We're going to go through the brute force approach, which is try numbers increasingly. That is, so yes, you can speed it up from what we're going to do. Where am I? 265 divided by 7. If we get an integer, then that integer is d, because 265 mod 264 gives us 1. We don't get an integer. That says 37.85 times 7 equals 265, but we need an integer here. So there is no such integer that gives us that. So the next one we can try if we try the naive approach, 7 times some integer gives us what, 264 times 2 plus 1, because we know 264 times 2 plus 1 mod 264 gives us a remainder of this plus 1. When we mod this by 264, we'll get 1. So do we have an integer that, when we take 264 times 2 plus 1 divided by 7, do we get an integer? Is it a naive way to solve this? If we do, then that's our value of d, and let's test. 264 times 2 plus 1 doesn't divide by 7, no. 
So let's try another one, 264 times 3 plus 1. Again when we mod that by 264, the remainder will be 1. Does it divide by 7? No, not very lucky. Keep trying. Divide by 7. Okay, yes, 7 times 151 mod 264 equals 1. This one didn't work, this one didn't work. Eventually we got 7 times 151 is 264 times 4 plus 1. That is we've found d. And I did it in the, well, just trying all multiples of 264 plus 1. You can do it faster than that. We're finished, we've found d, because we've found a number when we times by e and mod by the totient of n, we get 1. d is 151, e is 7, multiply together, mod by the totient of n gives us our remainder of 1. So we've been successful in finding my private value. There was, well, what steps did we do? The calculations we did, find the prime factors of n, that was 1 step. Calculate p minus 1 times q minus 1, that's another step, that's easy. That's just a multiplication, anyone can do that if you know p and q. So this is easy. And the last step was finding d and it took us a few attempts. It turns out there are algorithms that will do this, a computer can do this very quickly for large numbers. So it's not, although it takes us a little bit of time on paper, it's not so slow when we use a computer or an algorithm to solve that. The slow part when we use larger numbers was the first calculation. Take n, find its prime factors. We could do it here, easy. One more example, I've got a value that I'll show you as quickly. Here's my public key. So in the previous example, I gave you my public key and you found my private value d, effectively my private key, meaning this key pair is insecure. It's easy to find the secret value. Your exam question is more along the lines of this. Here's my public key, here's the modulus n, here's e, 65,537, same, you've got e and n, now find d. So you use the same steps. You take n, which is not in decimal but in hexadecimal here. It's a 2048 bit number, n. 
You find that and then you find the two prime factors, p times q equals this value. Calculator is allowed, but it's not going to help you because it's going to take you millions of years to find it. Yeah, I'll have a shorter one than 2048 bits, I won't expect you to spend a million years in the exam to find the primes. I was only joking, I will not give you this in the exam. Same approach is used to attack. The security of RSA lies in the fact that factoring a prime, a factoring a large number into its two primes is practically impossible if that number is large enough and 2048 bits is considered large enough. 2048 bits is considered large enough in most cases. So this number is large enough that when you try and find p and q it would take too long. So then you can't find d. So that's where the security of RSA comes in. If we have large enough values, you can't find d even if you know e and n. You may expect questions like this in the exam, either find the private value, find some message given some ciphertext, so there are some other approaches to try. To demonstrate that you know the algorithm for RSA and you know the avenues for attack. And just to finish on RSA, I think we finished with this last week. We had in the example a 2048 bit value of n, a 768 bit value of n took about 2000 years of a single core CPU that was five or six years ago. 1024 bits is considered strong. It's a 2048 is recommended just to be safe. 4096 bits is sometimes used. So n is large enough such that attacks are not possible. Let's just go back and recap and see if we've missed anything on RSA to finish this topic. We went through the why we chose the keys or the values the way we did. So we've gone through an example to show why we choose the values this way and why that helps or make sure the encryption always works. We've gone through several examples now, one today, one in the previous lectures. In an implementation of RSA in software, to make it faster there's some variations. 
It's the same algorithm, but it's split into multiple steps. And after the midterm, you'll have a task to use OpenSSL to generate your public and private key. That was my public key that I created, the exponent and the modulus. After the midterm, you'll see the case when you generate your own private key. I will not show you mine. When you generate your private key, it's not just d and n, but the software stores some other values to help in the calculations. So you'll see that in the example after the midterm, not needed for now. It turns out RSA is practical to use, but only for short messages. Because remember we take some message, raise it to the power. If we have a long message, it can be very slow. We either need to do it multiple times, we need to do it multiple times. And it turns out it's much slower than a block cipher, a symmetric block cipher. So RSA is considered secure. There are some mathematical attacks. We've seen one in play there, but there are others as well. There are some what's called timing attacks that take advantage of measuring what the computer is doing possible. But they're very easy to add countermeasures that stop such attacks. So still, there are attacks which are known, but you can modify the implementations such that those attacks will not be successful at the expense of some loss in performance. So even though there are some known attacks, they have some known countermeasures which are practical to implement. So RSA is still considered secure and that completes this topic on RSA. Diffie-Hellman is another example of a public key algorithm and there are others as well. We'll mention them after the midterm. We'll see Diffie-Hellman when we look at key exchange and key management. Any questions on RSA and public key encryption in general? Easy. You need to know the algorithm. In the exam, it's not given. It's the key generation, encryption and decryption, you need it in your head. Guaranteed there'll be a question on it. 
I think it's an important enough but also simple enough algorithm that they should remember it.
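
The classroom exercise above (public key e = 7, n = 299), written out as an added Python example that is not part of the original lecture; the function names are this example's own. It goes one step beyond the hand calculation by also computing d with the extended Euclidean algorithm, which the lecture mentions only as a faster method, and it shows why a small modulus gives no protection: every step finishes instantly.

```python
def factor_semiprime(n):
    """Trial division, as done by hand in the lecture (2, then odd candidates)."""
    if n % 2 == 0:
        return 2, n // 2
    p = 3
    while p * p <= n:
        if n % p == 0:          # the first divisor found is always prime
            return p, n // p
        p += 2
    raise ValueError("n has no non-trivial factor")

def d_by_multiples(e, phi):
    """Lecture's naive search: find k such that k*phi + 1 divides evenly by e."""
    for k in range(1, e + 1):
        if (k * phi + 1) % e == 0:
            return (k * phi + 1) // e, k
    raise ValueError("e has no inverse mod phi")

def d_by_extended_euclid(e, phi):
    """Extended Euclidean algorithm: the quick way to get e^-1 mod phi."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi are not relatively prime")
    return old_s % phi

def recover_private_exponent(e, n):
    """Public key in, private exponent out: factor n, take the totient, invert e."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    d, k = d_by_multiples(e, phi)
    if d != d_by_extended_euclid(e, phi):
        raise RuntimeError("the two methods disagree")
    return {"p": p, "q": q, "phi": phi, "d": d, "k": k}

def round_trip_ok(e, d, n):
    """Check that decrypting with d undoes encrypting with e for every message."""
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

if __name__ == "__main__":
    e, n = 7, 299               # the public key given in the lecture
    result = recover_private_exponent(e, n)
    print(result)
    print("decrypts every message:", round_trip_ok(e, result["d"], n))
```

The only step whose cost grows out of reach is `factor_semiprime`: for a 2048-bit n the trial-division loop would never finish, which is the point the lecture makes about key size.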