RSA-type Algebra Structures

Abstract

RSA is a public key cryptosystem that is currently the most popularly used in information security. Development of RSA variants has attracted many researchers since its introduction in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman. In this paper, we propose an algebraic structure for RSA and show that the proposed structure covers all known RSA variants. The usefulness of the proposed structure is then proved by showing that, following the structure we can construct a RSA variant based on the Bergman ring. We compare the original RSA and its variants from the point of view of factoring the modulus to determine why the original RSA is widely used than its variants.

1. Introduction

The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman, was introduced in 1978 and has been widely used for ensuring the privacy and authenticity of digital data. Since then, there has been concentration on two trends considering the RSA cryptosystem: (i) point out vulnerabilities of the cryptosystem, and (ii) develop its variants. Although there have been many variants of the RSA, cryptanalysis on those has not attracted many researchers as compared to the original RSA. We recall some remarkable results in cryptanalysing on low private exponent RSA in Section 2 after recalling the original RSA cryptosystem. In Section 3, we give an answer for the question why RSA variants are built on platform other than ℤn. Section IV devotes for an algebraic structure of RSA, we also show in this Section all known RSA cryptosystems having this algebraic structure. The usefulness of the structure is then made clear in Section V, where we recall the construction of Bergman ring based RSA. A slight comparison between known RSAs in Section 4 can help answer the question why the original RSA is preferred over its variants.

 

2. RSA and cryptanalysis on the RSA cryptosystem

2.1. The original RSA cryptosystem

For the convenience of the reader, we briefly describe the original RSA cryptosystem in the form of a theorem. The proof of this theorem and its working can be found in [1].

Theorem 2.1 Given p and q as two distinct primes. Let n = pq, φ(n) = (p - 1)(q - 1), and e, d be two integers such that ed ≡ 1 (mod φ(n)). Then, for all m ∈ ℤn, we have med = m (mod n).

This theorem ensures the encryption and decryption phases in the RSA cryptosystem as follows: a plaintext m ∈ ℤn is encrypted by computing me ≡ c (mod n) and c is in turn decrypted by calculating cd ≡ m (mod n).

2.2. Attacks on RSA

Although there has been no polynomial time algorithm for factoring an integer n into product of primes so far, there have been many attacks on the original RSA scheme. By considering the continued fraction expansion of Wiener showed in [2] that one can recover d for the case when A better result was considered by Boneh and Durfee [3] for the case when d < n0.292. In such a case, by solving the small inverse problem, d can be recovered. Lattice reduced algorithms, such as Gaussian or LLL algorithms can also be applied to recover d in some cases of low exponent private key [4]. However, so far, no devastating attack has ever been found.

A common attack on RSA is factoring the modulus n. Knowing n = pq, an attacker can calculate φ(n) = (p - 1)(q - 1) and then find the private key d = e-1(mod φ(n)). Factoring modulus n in the case p,q being weak primes was considered by A. Nitaj and T. Rachidi [5]. Currently, the fastest algorithm for the factoring a whole number n is the General Number Field Sieve algorithm [6], which has a complexity of

 

3. RSA variants

If n is a positive integer and where p1,p2,...,pk are distinct prime numbers and ri ∈ ℤ (i = 1,2,...,k), then we denote rad (n) = p1p2...pk. Apparently, the original RSA scheme still holds when n = rad(n)[7]. We first prove that n = rad(n) is the only form of n under that an RSA encryption scheme can be applied to all messages belonging to ℤn.

Proposition 3.1 Suppose that there exists a natural number k ≠ 1 such that the map

is a bijection. Then, n = rad(n).

Proof.

Suppose that where p1,p2,...,pk are distinct prime numbers and assume the contrary that n ≠ rad(n), then at least one of r1,r2,...,rk is larger than 1. Without loss of generality, we can assume r1 > 1. Considering it is obvious that x ≠ 0, Since k ≥ 2, then k(r1 - 1) > r1. It follows that F(x) = xk = 0, which contradicts the bijection of F.

Proposition 3.1 explains the reason for the two trends in developing RSA variants. For the first trend, the RSA cryptosystems are developed on the ring ℤn. For RSA cryptosystems where the modulus n is the product of distinct primes, some additional algorithms are applied to speed up the decryption or encryption process in the cryptosystem. The Batch RSA [8], Multi Prime RSA [7], DRSA [9] are examples of such cryptosystems. For RSA cryptosystems where the modulus n is not a product of distinct primes, the space of plaintexts must be reduced to a subset of ℤn instead of the entire ℤn. For example, in the MultiPower RSA cryptosystem [10], the modulus n has the form n = pkq with k ∈ ℤ, k, ≥ 2, where p,q are distinct primes and the space of plaintexts is the reduced residue group modulo n. This RSA variant was then combined with DRSA to increase the encryption verification performance [11-12]. Attacking to these RSA variants has been concerned by many authors, we refer the reader to [13-14] for cryptanalysing on MultiPower RSA.

In the second trend, platforms other than ℤn should be chosen for plaintexts. So far, there have been many variants of RSA constructed in this manner: In 1985, Varadharajan and Odoni constructed an extension of RSA to matrix rings [15]; In 1993, Demytko, proposed an elliptic curve-based RSA variant at EUROCRYPT [16]; In 2004, El-Kassar, Hatary, and Awad developed a modified RSA in the domains of Gaussian integers and polynomials over finite fields [17]. The critical equality med = m in those cryptosystems was obtained using different methods depending on the platforms. Here, we concentrate on an abstract model by proposing a semigroup platform together with conditions that ensure equality and then show that the model will cover all mentioned RSA cryptosystems.

From now on, if * is a binary operation on a set X, k is a positive integer, and x ∈ X, then we denote

 

4. Generic RSA scheme

4.1 A generic model for RSA

Let Y be a nonempty set and * be a binary operation on Y such that (Y, *) is a semigroup, and suppose that X ⊂ Y is a set of plaintexts. The equation med = m for all m ∈ X is a basic equation in RSA cryptosystems. We propose some conditions for establishing this equation as follows.

Proposition 4.1 Let Y, U, V be multiplicative semigroups, X be a nonempty subset of Y, and μ: Y → U, η: Y → V be two homomorphisms. Suppose that

(i) There exist groups U1 ⊂ U, U2 ⊂ U and V1 ⊂ V, V2 ⊂ V such that μ(X) ⊂ (U1 ∪ U2) and η(X) ⊂ (V1 ∪ V2).

(ii) The map θ : Y → U × V defined by θ(x) = (μ(x),η(x)) is an injective.

Let Ni = |Ui|, Mi = |Vi|(i = 1,2), L = lcm(N1,N2,M1,M2), and e, d be two chosen integers such that gcd(e, L) = 1 and ed ≡ 1(mod L). Then, we have xed = x for all x ∈ X.

Proof. Assume that x ∈ X.

For x ∈ X, since μ(x) ⊂ (U1 ∪ U2) and U1, U2 are groups, then (μ(x))i = μ(x) for all integers i satisfying i ≡ 1(mod lcm(N1,N2)). This implies that (μ(x))ed = μ(x). As μ is a homomorphism, μ(xed) = (μ(x))ed = μ(x).

Similarly, we have (η(x))ed = η(x).

Since μ(xed) = μ(x) and η(xed) = η(x), then θ(xed) = θ(x). Therefore, xed = x as θ is an injective.■

Using the symbols and hypothesis as in the above theorem, we propose a generic model for an RSA cryptosystem as follows.

The generic RSA cryptosystem

Key creation

- Choose e satisfying 1 < e < L and gcd(e, L) = 1.

- Find d = e-1 (mod L).

- Publish e as public key and keep d as private key.

Encryption

- A plaintext m ∈ X is encrypted by calculating c = me.

Decryption

- Ciphertext c is then decrypted by calculating cd = m.

From now on, if Y is a ring and x ∈ Y, we write for the ideal of Y generated by x and write Y/ for the quotient ring of Y by . Next, we show that our proposed model can cover all known RSA variants.

4.2 The original RSA

Consider the ring Y = ℤn, where n = pq is the product of two distinct primes p, q and X = Y. Since the ring isomorphism ℤn ≅ ℤp × ℤq, the projectors μ,η from Y to U = ℤp and V = ℤq satisfy the hypothesis in Proposition 4.1. Therefore, the equation med = m holds for all m ∈ X = ℤn, where e, d are integers that satisfy ed ≡ 1(mod L). In this case, we choose

U1 = {0}, U2 = ℤp\{0}, V1 = {0}, V2 = ℤq\{0},

then

N1 = |U1| = 1, N2 = |U2| = p - 1,

M1 = |V1| = 1, M2 = |V2| = q - 1,

L = lcm(p - 1, q - 1)

We achieve the original RSA cryptosystem.

4.3 The RSA on the quotient rings of polynomials

The ring of polynomials ℤp[x] is considered in this instance, where p is a prime number. Similar to the original RSA, let g(x), h(x) ∈ ℤp[x] be irreducible polynomials having degree r, s and f(x) = g(x). h(x). Consequently, the number of invertible elements in ℤp[x]/, ℤp[x]/ and ℤp[x]/ is pr - 1, ps - 1 and L = (pr - 1)(ps - 1), respectively. Therefore, m(x)ed = m(x) holds for all m(x) ∈ ℤp[x]/, where e, d are integers chosen such that gcd(e, L) = 1 and ed ≡ 1(mol L). The equation m(x)ed = m(x) ensures the encryption c(x) = (m(x))e and decryption (c(x))d = m(x). The RSA on the quotient rings of polynomials can be regarded as an instance of the proposed model mentioned in Section 4.1 where

Y = X = ℤp[x]/,

U = ℤp[x]/, V = ℤp[x]/,

U1 = {0}, U2 = U\U1,V1 = {0}, V2 = V\V1.

N1 = |U1| = 1, N2 = |U2| = pr - 1,

M1 = |V1| = 1, M2 = |V2| = ps - 1,

and μ, η are projectors from ℤp[x]/ onto ℤp[x]/, ℤp[x]/ respectively.

4.4 The RSA on the quotient ring of Gaussian integers

The Gaussian ring is defined by ℤ[i] = {a + bi : a, b ∈ ℤ} with common addition and multiplication. The norm on ℤ[i] is given by δ (a + bi) = a2 + b2. Euclidean division is valid on ℤ[i]; hence, ℤ[i] is an Euclidean ring. All units in ℤ[i] are 1, -1, i, -i. Euclidean division gives rise to the concept of primes in ℤ[i]. A number x ∈ ℤ[i] is prime in ℤ[i] if and only if x is a unit multiplied by one of the following:

(i) 1 + i,

(ii) a prime number p ∈ ℤ, where p ≡ 3(mod 4), or

(iii) u + vi ∈ ℤ[i], where q = u2 + v2 is a prime in ℤ with q ≡ 1(mod 4).

A prime x ∈ ℤ[i] is called type α, type p, or type π corresponding to cases (i), (ii), and (iii), respectively.

The Euler’s Phi function Φ:ℤ[i]\{0}⟶ℕ is a function in which for all x∈ℤ[i]\{0}, Φ(x) is the number of invertible elements in the quotient ring ℤ[i]/. Then, for prime element x∈ℤ[i], we have Φ(x)=δ(x) [18].

Let β, γ be two prime elements in ℤ[i] and η = β. γ, then Φ(η) = Φ(β). Φ(γ). The equation med = m holds for all m ∈ ℤ[i]/<η>, where e, d are integers chosen such that gcd(e, Φ(η)) = 1 and ed ≡ 1(mod Φ(η)). This ensures the encryption c = me and decryption cd = m for all plaintext m ∈ ℤ[i]/<η>.

The RSA on the quotient ring of Gaussian integers can be regarded as an instance of the proposed model described in Section 4.1 where

Y = X = ℤ[i]/<η>, U = ℤ[i]/<β>, V = ℤ[i]/<γ>,

U1 = {0}, U2 = U\U1, V1 = {0}, V2 = V\V1,

N1 = |U1| = 1, N2 = |U2| = Φ(β),

M1 = |V1| = 1, M2 = |V2| = Φ(γ),

L = lcm(Φ(β). Φ(γ),

and μ, η are projectors from Y = ℤ[i]/<η> to U = ℤ[i]/<β> and V = ℤ[i]/<γ>, respectively.

4.5 The RSA on the ring of matrices

Let p, q be two prime numbers, n = pq, and l be a positive integer. Let Ml(p), Ml(q), and Ml(n) denote the multiplicative groups of all non-singular l × l matrices having elements in ℤp, ℤq, and ℤn, respectively. The orders Np, Nq, and Nn of these groups can be shown by

and

respectively.

Choose two positive integers e, d satisfying gcd(e, Nn) = 1 and ed ≡ 1(mod Nn). The Lagrange theorem in group theorem implies that mNn = In, where In denotes the unit matrix in Ml(n); hence, med = m, for all m ∈ Ml(n). This ensures the encryption c = me and decryption cd = m for all plaintext m ∈ Ml(n). Since Ml(n) ≅ Ml(p) × Ml(q), the RSA variant on the ring of matrices is an instance of the model described in Section 3.1 where

Y = X = Ml(n), U = Ml(p), V = Ml(q),

U1 = {Ip}, U2 = Ml(p), V1 = {Iq}, V2 = Ml(q),

N1 = |U1| = 1, N2 = |U2| = Np,

M1 = |V1| = 1, M2 = |V2| = Nq,

and μ, η are projectors from Ml(n) to Ml(p) and Ml(q), respectively.

4.6 The RSA on the elliptic curve group

Let p > 3 be a prime, and let a, b be integers chosen such that 4a3 + 27b2 ≢ 0(mod p). The elliptic curve group modulo p, denoted by Ep (a, b), is a set of all pairs (x, y) ∈ ℤp × ℤp satisfying y2 = x3 + ax + b on ℤp, together with an element denoted ∞. The operation + on Ep(a, b) is defined such that ∞ is the identity element and for two points P(x1,y1), Q(x2,y2) ∈ Ep(a, b), the result R(x3,y3) = P + Q is determined as follows:

-If Q = ∞, then P + Q = Q + P = P.

-If x1 = x2 and y1 = -y2, then P + Q = ∞.

-Otherwise, where

A complementary elliptic curve group, denoted by is a set of all pairs (x, y) ∈ ℤp × ℤp satisfying y2 = x3 + ax + b, together with an element denoted ∞; however, y is of the form where u, v ∈ ℤp and v is a fixed quadratic non-residue. The operation + on is identically defined to that on Ep(a, b). The orders of Ep(a, b) and are denoted by |Ep(a, b)| and respectively. These numbers can be found by some polynomial time algorithms, for example, the algorithm considered in [19].

For RSA on the elliptic group, we choose two distinct primes p, q and let n = pq. Select two integers a, b such that gcd(4a3 + 27b2, n) = 1. Denote N1 = |Ep(a, b)|, and L = N1N2M1M2.

Choose two integers e, d such that ed ≡ 1(mod L), then the equation (+ed)(x, y) = (x, y) holds for all x ∈ ℤn and This equation ensures the encryption and decryption as in the original RSA.

We can apply the proposed model to this instance of RSA. Indeed, suppose that vp and vq are generators of multiplicative groups respectively. Then, are complementary elliptic groups of Ep(a, b) and Eq(a, b), respectively. Denote by w1, w2, and w3 elements in ℤn such that

w1 ≡ 1(mod p), w1 ≡ vq(mod q),

w2 ≡ vp(mod p), w1 ≡ 1(mod q),

and

w3 ≡ vp(mod p), w1 ≡ vq(mod q).

Then, for each x ∈ ℤn, one and only one of the following cases occurs:

x3 + ax + b = t2,

x3 + ax + b = t2w1,

x3 + ax + b = t2w2,

x3 + ax + b = t2w3.

Therefore, if we define

then for each x ∈ ℤn, there exists exactly one of the above sets containing an element with the first coordinate x.

It is well known that we can define a operation + on Therefore, two projectors are homomorphisms. Proposition 3.2 ensures that (+ed)(x, y) = (x, y) for all where e, d are integers satisfying ed ≡ 1(mol L11) with L11 = lcm(N1,M1).

Similar to the operation + on we can define a binary operations + on such that these sets become groups and

Proposition 4.1 ensures the equation (+ed)(x, y) = (x, y) for all if e, d satisfy ed ≡ 1(mol Lij) with Lij = lcm(Ni, Mj). In other words, the proposed model is applied to each group separately.

Because the operators + on are defined in a similar way, the first coordinates xk in the equation (xk, yk) = (+k)(x, y) are the same, and they do not depend on i, j, where Demytko [16] gave a formula for xk by setting in homogenous coordinates:

4.7 Comparison

Since there are many time polynomial algorithms (e.g., Berlekamp [20], Ben-Or [21], and Cantor–Zassenhaus [22]) for factoring a polynomial f(x) ∈ ℤp[x] into the product of irreducible polynomials, the RSA cryptosystem on the quotient ring of polynomials can be easily broken using these algorithms.

We compare the security among RSAs by evaluating the complexity of the brute-force algorithm for factoring the modulus n. For simplicity, we assume that the length of each plaintext is 1024 bits.

Table 1 shows the lengths of modulus as well as the number of operations involved in encryption processes in original RSA and those in its variants, where e is the public key.

Table 1.Lengths of modulus and number of operations involved in RSAs cryptosystem

For the original RSA cryptosystem, because a plaintext m ∈ ℤn has a length of 1024 bits, the modulus n must have the same length as m. Therefore, the algorithm for factoring n is applied for a 1024-bit number n.

For the RSA cryptosystem on the quotient ring of Gaussian integers, a plaintext m = a + bi has a length of 1024 bits, and therefore, both a and b have a length of 512 bits. Thus, the length of the value δ(m) = a2 + b2 does not exceed 1025 bits. Because m ∈ ℤ[i]/<η>, δ(η) must have a length less than 1025 bits. Hence, the length of modulus η is 512 bits. Factoring a 512-bit number η may be simpler than the case for the original RSA.

For the RSA on the ring of matrix, one can determine p, q by factoring n. Hence, we calculate Np, Nq by (1), (2), respectively, and then Nn by (3). Then, the private key d can be calculated from these values. Suppose that l ≥ 2, then a plaintext m ∈ Ml(n) is a matrix having at least four elements. Because m has a length of 1024 bits, each of its four elements must be 256 bits. Since each element belongs to ℤn, n must be 256 bits. Factoring n in this case is simpler than that in the original RSA.

In both the original RSA and the RSA on the elliptic curve group, each plaintext element x ∈ ℤn has the same bit length as modulus n. However, the encryption and decryption in RSA on the elliptic curve group requires more operations than those in the original RSA. In the original RSA, encrypting c ≡ me (mod n) requires 2log2e multiplications using a fast power algorithm. The numbers of operations in (4), (5), (6), and (7) are 11, 12, 21, and 5, respectively. Therefore, for the RSA on the elliptic curve group, the number of operations for encrypting a plaintext x to cipher text s using the equation (+e) (x, y) = (s, t) requires at least 5log2e multiplications.

In our cryptosystem mentioned in the next Section, a plaintext m is a matrix having four elements. Because m has a length of 1024 bits, each of its four elements must be 256 bits. Since each element belongs to ℤn, n must be 256 bits. Factoring n in this case is simpler than that in the original RSA.

The above argument shows that, for the same length of the modulus, the lengths of plaintexts and cipher texts in original RSA cryptosystems are shorter than those in its variants. This partially explains why the original RSA cryptosystem is more widely used compared to other RSA variants.

 

5. A new variant of RSA: probability RSA

Based on the proposed scheme, we developed a Bergman ring based cryptosystem analogue of RSA. We briefly describe this cryptosystem as follows.

Bergman [23] established that End (ℤp × ℤp2) is a semilocal ring with p5 elements, where p is a prime. Climent et al. [24] identified the elements of this ring as 2 × 2 matrices that form the ring

The multiplication and addition operations on this ring are defined as follows:

if and then

and

Now, let p, q be two distinct primes and n = pq. We denote

It is easy to verify that the multiplication defined by

is a binary operation on En.

We define the maps μ: En → Ep and η: En → Eq as follows.

where

ap,bp,cp,dp ∈ ℤ, 0 ≤ ap,bp,cp < p, 0 ≤ dp < p2,

ap ≡ a(mod p), bp ≡ b(mod p), cp ≡ qc(mod p),

aq,bq,cq,dq ∈ ℤ, 0 ≤ aq,bq,cq < q, 0 ≤ dq < q2,

aq ≡ a(mod q), bq ≡ b(mod q), cq ≡ pc(mod p),

and

dp = d(mod p2), dq ≡ d(mod q2).

Then, we can prove the following propositions.

Proposition 5.1 μ and η are homomorphisms and the map θ: En → Ep × Eq defined by θ(x) = (μ(x), η(x)) is an injective.

We denote by the set of all invertible elements in Ep and Eq, respectively. Further, are multiplicative groups with orders p3(p - 1)2 and q3(q - 1)2, respectively [24]. Applying the model proposed in Section 3.1 where

Y = En, U = Ep, V = Eq,

and

the equality med = m holds for all m ∈ X if e, d satisfy ed ≡ 1(mol L) with L = lcm(p3(p - 1)2, q3(q - 1)2). Therefore, we can construct the cryptosystem analogue of RSA. The details and the cryptanalysis of this cryptosystem were discussed in [25].

 

6. Conclusions

The equality med = m plays an important role in a RSA cryptosystem, it ensures encryption and decryption phases in the cryptosystem. The paper has proposed a algebraic structure, or a scheme, for constructing a RSA cryptosystem by proposing conditions which ensure that equality on a semigroup. Applying this scheme, the equalities in known RSAs are then established by uni-scheme, despite of the RSA platforms being quotient rings or groups. The usefulness of the proposed scheme is proved when constructing Bergman ring based RSA, which follows the proposed scheme and has some advantages compared to the original RSA. One may ask whether the proposed scheme will be applied for a future RSA variant. The answer is yes if that RSA variant built on a commutative group; we will look more closely at the answer in another article.