
Proof using Euler's Theorem

In document Security Articles from Wikipedia (Page 119-122)

Although the original paper of Rivest, Shamir, and Adleman used Fermat's little theorem to explain why RSA works, it is common to find proofs that rely instead on Euler's theorem.

We want to show $m^{ed} \equiv m \pmod{n}$, where n = pq is a product of two different prime numbers and e and d are positive integers satisfying $ed \equiv 1$ mod . Since e and d are positive, we can write for some nonnegative integer h. Assuming that m is relatively prime to n, we have

where the last congruence directly follows from Euler's theorem. When m is not relatively prime to n, the argument just given is invalid. However, the desired congruence is still true. Either $m \equiv 0 \pmod{p}$ or $m \equiv 0 \pmod{q}$,

and these cases can be treated using the previous proof.
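The derivation the paragraph narrates, written out here as an added worked example (it is not part of the original article); it assumes the key congruence is taken modulo $\varphi(n) = (p-1)(q-1)$, the Euler totient of $n = pq$, and writes $ed = 1 + h\varphi(n)$ with the nonnegative $h$ above:

$$
m^{ed} = m^{1 + h\varphi(n)} = m \,\bigl(m^{\varphi(n)}\bigr)^{h} \equiv m \cdot 1^{h} = m \pmod{n},
$$

where $m^{\varphi(n)} \equiv 1 \pmod{n}$ is Euler's theorem and requires $\gcd(m, n) = 1$. For the remaining case take $m \equiv 0 \pmod{p}$ with $q \nmid m$ (if both primes divide $m$ then $m \equiv 0 \pmod{n}$ and the congruence is trivial). Modulo $p$ both sides are $0$. Modulo $q$, Fermat's little theorem gives $m^{q-1} \equiv 1$, and since $ed - 1 = h(p-1)(q-1)$,

$$
m^{ed} = m \,\bigl(m^{q-1}\bigr)^{h(p-1)} \equiv m \pmod{q}.
$$

The two congruences combine by the Chinese remainder theorem to $m^{ed} \equiv m \pmod{n}$; the case $m \equiv 0 \pmod{q}$ is symmetric.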

Numerous references which explain RSA using Euler's theorem deal with the case that the message m is not relatively prime to the modulus pq by a misleading probabilistic argument: the proportion of integers mod pq that have a factor in common with the modulus is $1 - (p-1)(q-1)/pq = 1/p + 1/q - 1/pq$, which is very small when p and q are large, so the chance of the message having a factor in common with the modulus can be considered remote in practice. What is misleading here is that, as the proof with Fermat's little theorem shows, nothing breaks down in the case of messages having a factor in common with the modulus: one has $m^{ed} \equiv m \pmod{n}$ for all m without exceptions. Therefore the correctness of RSA should really be considered an application of Fermat's little theorem rather than Euler's theorem, just as in the original RSA paper.
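As an added example (not from the article), the following Python checks the claim on a constructed toy key by brute force: every residue m mod n is recovered by decryption, coprime to n or not, Euler's theorem itself fails for exactly the residues that share a factor with n, and the proportion of those residues is the 1/p + 1/q - 1/pq of the paragraph. The primes 61 and 53, the exponent 17 and the function names are constructed for the example.

```python
from fractions import Fraction
from math import gcd

def toy_rsa_key(p, q, e):
    """Constructed toy key: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Assumes p, q are prime and gcd(e, phi) == 1 (pow raises ValueError otherwise)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return n, phi, d

def check_all_messages(p, q, e):
    """Exhaustively test m^(ed) == m (mod n) for every residue m in [0, n)."""
    n, phi, d = toy_rsa_key(p, q, e)
    failures = [m for m in range(n) if pow(m, e * d, n) != m]
    non_coprime = [m for m in range(n) if gcd(m, n) != 1]
    # Euler's theorem m^phi == 1 (mod n) needs gcd(m, n) == 1: it holds for none
    # of the residues sharing a factor with n, so the Euler-based proof cannot
    # cover them, yet decryption still recovers every one of them.
    euler_on_non_coprime = [m for m in non_coprime if pow(m, phi, n) == 1]
    return {
        "n": n,
        "failures": failures,                   # expected: []
        "non_coprime_count": len(non_coprime),  # p + q - 1 residues (0 counted once)
        "non_coprime_all_recovered": all(pow(m, e * d, n) == m for m in non_coprime),
        "euler_on_non_coprime": euler_on_non_coprime,  # expected: []
    }

def non_coprime_fraction(p, q):
    """Exact proportion of residues mod pq that share a factor with pq:
    1 - (p-1)(q-1)/pq, which the text rewrites as 1/p + 1/q - 1/pq."""
    return 1 - Fraction((p - 1) * (q - 1), p * q)

if __name__ == "__main__":
    print(check_all_messages(61, 53, 17))  # constructed toy parameters
    print("non-coprime fraction:", non_coprime_fraction(61, 53))
```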



External links

• The Original RSA Patent as filed with the U.S. Patent Office by Rivest; Ronald L. (Belmont, MA), Shamir; Adi (Cambridge, MA), Adleman; Leonard M. (Arlington, MA), December 14, 1977, U.S. Patent 4405829 (http://www.google.com/patents?vid=4405829).

• PKCS #1: RSA Cryptography Standard (http://www.rsasecurity.com/rsalabs/node.asp?id=2125) (RSA Laboratories website)

• The PKCS #1 standard "provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering the following aspects: cryptographic primitives; encryption schemes; signature schemes with appendix; ASN.1 syntax for representing keys and for identifying the schemes".

• Thorough walk through of RSA (http://www.di-mgt.com.au/rsa_alg.html)

• Prime Number Hide-And-Seek: How the RSA Cipher Works (http://www.muppetlabs.com/~breadbox/txt/rsa.html)

• Menezes, Oorschot, Vanstone, Scott: Handbook of Applied Cryptography (free PDF downloads), see Chapter 8 (http://www.cacr.math.uwaterloo.ca/hac/)

• Onur Aciicmez, Cetin Kaya Koc, Jean-Pierre Seifert: On the Power of Simple Branch Prediction Analysis (http://eprint.iacr.org/2006/351)

• A New Vulnerability In RSA Cryptography, CAcert NEWS Blog (http://blog.cacert.org/2006/11/193.html)

• Example of an RSA implementation with PKCS#1 padding (GPL source code) (http://polarssl.org/source_code)

• Kocher's article about timing attacks (http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf)

• Online RSA encryption application (http://www.gax.nl/wiskundePO/) (Dutch)

• An animated explanation of RSA with its mathematical background by CrypTool (http://www.cryptool.org/images/ct1/presentations/RSA/RSA-Flash-en/player.html)

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851. S/MIME was originally developed by RSA Data Security Inc. The original specification used the IETF MIME specification[1] with the de facto industry standard PKCS#7 secure message format. Change control of S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax, an IETF specification that is identical in most respects to PKCS #7. S/MIME functionality is built into the majority of modern email software, and these implementations interoperate with each other.

Function

S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity, non-repudiation of origin (using digital signatures), privacy and data security (using encryption). S/MIME specifies the MIME type application/pkcs7-mime (smime-type "enveloped-data") for data enveloping (encrypting) where the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7-mime MIME entity.
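The following Python is an added example (not code from the S/MIME specifications or any client) showing how the MIME labels described above tell a receiving client which of the listed services a message carries: an application/pkcs7-mime entity with smime-type "enveloped-data" is the encrypted form, while a signed message arrives either as smime-type "signed-data" or in the clear-signed multipart/signed form. It only inspects the outer MIME structure with the standard library; the sample messages are constructed and their base64 bodies are placeholders, not real CMS objects.

```python
import email
from email import policy

# Services the article lists, keyed by the S/MIME structure a client sees on the wire.
SERVICES = {
    "enveloped-data": "privacy and data security (encryption)",
    "signed-data": "authentication, message integrity, non-repudiation (signature)",
}

def classify_smime(raw: bytes):
    """Return (structure, services) for a raw message, or (None, None) if the
    top-level entity is not S/MIME. Only the outer MIME labels are inspected;
    the CMS object inside is not decoded here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()  # normalised to lower case by the parser
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type, SERVICES.get(smime_type, "unrecognised smime-type")
    if ctype == "multipart/signed":
        proto = (msg.get_param("protocol") or "").lower()
        if proto in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            # Clear-signed form: first part stays readable, second carries the signature.
            return "multipart/signed", SERVICES["signed-data"]
    return None, None

# Constructed samples; the base64 bodies are placeholders, not real CMS data.
ENVELOPED_SAMPLE = b"""From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItTk9ULVJFQUwtQ01T
"""

CLEAR_SIGNED_SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Readable body, covered by the detached signature in the next part.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItTk9ULVJFQUwtQ01T
--b1--
"""
```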

S/MIME certificates

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate, either from one's in-house certificate authority (CA) or from a public CA. The accepted best practice is to use separate private keys (and associated certificates) for signing and for encryption, as this permits escrow of the encryption key without compromising the non-repudiation property of the signing key. Encryption requires having the destination party's certificate in store (which is typically automatic upon receiving a message from that party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party's certificate) without having one's own certificate to sign with, in practice S/MIME clients require you to install your own certificate before they allow encrypting to others.

A typical basic ("class 1") personal certificate verifies the owner's "identity" only insofar as it declares that the sender is the owner of the "From:" email address, in the sense that the sender can receive email sent to that address; it therefore merely proves that an email received really did come from the "From:" address given. It does not verify the person's name or business name. If a sender wishes to enable email recipients to verify the sender's identity in the sense that a received certificate carries the sender's name or an organization's name, the sender needs to obtain a certificate ("class 2") from a CA that carries out a more in-depth identity verification process, which involves making enquiries about the would-be certificate holder. For more detail on authentication, see digital signature.

Depending on the policy of the CA, your certificate and all its contents may be posted publicly for reference and verification. This makes your name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information. The latter, at a minimum, is mandatory to uphold the integrity of the public key infrastructure.
