| Previous | Table of Contents | Next |
Patents
The original Merkle-Hellman algorithm is patented in the United States [720] and worldwide (see Table 19.1). Public Key Partners (PKP) licenses the patent, along with other public-key cryptography patents (see Section 25.5). The U.S. patent will expire on August 19, 1997.
Soon after Merkle’s knapsack algorithm came the first full-fledged public-key algorithm, one that works for encryption and digital signatures: RSA [1328, 1329]. Of all the public-key algorithms proposed over the years, RSA is by far the easiest to understand and implement. (Martin Gardner published an early description of the algorithm in his “Mathematical Games” column in Scientific American [599].) It is also the most popular. Named after the three inventors—Ron Rivest, Adi Shamir, and Leonard Adleman—it has since withstood years of extensive cryptanalysis. Although the cryptanalysis neither proved nor disproved RSA’s security, it does suggest a confidence level in the algorithm.
| Table 19.1 Foreign Merkle-Hellman Knapsack Patents | ||
|---|---|---|
| Country | Number | Date of Issue |
| Belgium | 871039 | 5 Apr 1979 |
| Netherlands | 7810063 | 10 Apr 1979 |
| Great Britain | 2006580 | 2 May 1979 |
| Germany | 2843583 | 10 May 1979 |
| Sweden | 7810478 | 14 May 1979 |
| France | 2405532 | 8 Jun 1979 |
| Germany | 2843583 | 3 Jun 1982 |
| Germany | 2857905 | 15 Jul 1982 |
| Canada | 1128159 | 20 Jul 1982 |
| Great Britain | 2006580 | 18 Aug 1982 |
| Switzerland | 63416114 | 14 Jan 1983 |
| Italy | 1099780 | 28 Sep 1985 |
RSA gets its security from the difficulty of factoring large numbers. The public and private keys are functions of a pair of large (100 to 200 digits or even larger) prime numbers. Recovering the plaintext from the public key and the ciphertext is conjectured to be equivalent to factoring the product of the two primes.
To generate the two keys, choose two random large prime numbers, p and q. For maximum security, choose p and q of equal length. Compute the product:
Then randomly choose the encryption key, e, such that e and (p - 1)(q - 1) are relatively prime. Finally, use the extended Euclidean algorithm to compute the decryption key, d, such that
In other words,
Note that d and n are also relatively prime. The numbers e and n are the public key; the number d is the private key. The two primes, p and q, are no longer needed. They should be discarded, but never revealed.
To encrypt a message m, first divide it into numerical blocks smaller than n (with binary data, choose the largest power of 2 less than n). That is, if both p and q are 100-digit primes, then n will have just under 200 digits and each message block, mi , should be just under 200 digits long. (If you need to encrypt a fixed number of blocks, you can pad them with a few zeros on the left to ensure that they will always be less than n.) The encrypted message, c, will be made up of similarly sized message blocks, ci, of about the same length. The encryption formula is simply
To decrypt a message, take each encrypted block ci and compute
Since
the formula recovers the message. This is summarized in Table 19.2.
The message could just as easily have been encrypted with d and decrypted with e; the choice is arbitrary. I will spare you the number theory that proves why this works; most current texts on cryptography cover it in detail.
A short example will probably go a long way to making this clearer. If p = 47 and q = 71, then
| Table 19.2 RSA Encryption | |
|---|---|
| Public Key: | |
| n | product of two primes, p and q (p and q must remain secret) |
| e | relatively prime to (p - 1)(q - 1) |
| Private Key: | |
| d | e-1 mod ((p - 1)(q - 1)) |
| Encrypting: | |
| c = me mod n | |
| Decrypting: | |
| m = cd mod n | |
The encryption key, e, must have no factors in common with
Choose e (at random) to be 79. In that case
This number was calculated using the extended Euclidean algorithm (see Section 11.3). Publish e and n, and keep d secret. Discard p and q.
To encrypt the message
| Previous | Table of Contents | Next |