RSA

[close]
[close]
RSA
From Wikipedia, the free encyclopedia
Jump to: navigation <#mw-head>, search <#p-search>
This article is about an algorithm for public-key encryption. For the
U.S. encryption and network security company, see RSA Security
<http://en.wikipedia.org/wiki/RSA_Security>. For the Republic of South
Africa, see South Africa <http://en.wikipedia.org/wiki/South_Africa>.
For other uses, see RSA (disambiguation)
<http://en.wikipedia.org/wiki/RSA_%28disambiguation%29>.
In cryptography <http://en.wikipedia.org/wiki/Cryptography>, *RSA*
(which stands for Rivest <http://en.wikipedia.org/wiki/Ron_Rivest>,
Shamir <http://en.wikipedia.org/wiki/Adi_Shamir> and Adleman
<http://en.wikipedia.org/wiki/Leonard_Adleman> who first publicly
described it) is an algorithm <http://en.wikipedia.org/wiki/Algorithm>
for public-key cryptography
<http://en.wikipedia.org/wiki/Public-key_cryptography>.^[1]
<#cite_note-rsa-0> It is the first algorithm known to be suitable for
signing <http://en.wikipedia.org/wiki/Digital_signature> as well as
encryption, and was one of the first great advances in public key
cryptography. RSA is widely used in electronic commerce
<http://en.wikipedia.org/wiki/Electronic_commerce> protocols, and is
believed to be secure given sufficiently long keys and the use of
up-to-date implementations.
Contents
[hide <#>]
* 1 History <#History>
* 2 Operation <#Operation>
o 2.1 Key generation <#Key_generation>
o 2.2 Encryption <#Encryption>
o 2.3 Decryption <#Decryption>
o 2.4 A worked example <#A_worked_example>
o 2.5 Using the Chinese remainder algorithm
<#Using_the_Chinese_remainder_algorithm>
o 2.6 Attacks against plain RSA <#Attacks_against_plain_RSA>
o 2.7 Padding schemes <#Padding_schemes>
o 2.8 Signing messages <#Signing_messages>
* 3 Security and practical considerations
<#Security_and_practical_considerations>
o 3.1 Integer factorization and RSA problem
<#Integer_factorization_and_RSA_problem>
o 3.2 Key generation <#Key_generation_2>
o 3.3 Timing attacks <#Timing_attacks>
o 3.4 Adaptive chosen ciphertext attacks
<#Adaptive_chosen_ciphertext_attacks>
o 3.5 Side-channel analysis attacks
<#Side-channel_analysis_attacks>
* 4 Proofs of correctness <#Proofs_of_correctness>
o 4.1 Concise proof using Euler's Theorem
<#Concise_proof_using_Euler.27s_Theorem>
o 4.2 Proof using Fermat's Little Theorem and Chinese
Remainder Theorem
<#Proof_using_Fermat.27s_Little_Theorem_and_Chinese_Remainder_Theore
m>
* 5 See also <#See_also>
* 6 Notes <#Notes>
* 7 References <#References>
* 8 External links <#External_links>
[edit
<http://en.wikipedia.org/w/index.php?title=RSA&action=edit&section=1>]
History
Clifford Cocks <http://en.wikipedia.org/wiki/Clifford_Cocks>, a British
mathematician <http://en.wikipedia.org/wiki/Mathematician> working for
the UK <http://en.wikipedia.org/wiki/United_Kingdom> intelligence agency
GCHQ
<http://en.wikipedia.org/wiki/Government_Communications_Headquarters>,
described an equivalent system in an internal document in 1973, but
given the relatively expensive computers needed to implement it at the
time, it was mostly considered a curiosity and, as far as is publicly
known, was never deployed. His discovery, however, was not revealed
until 1998 due to its top-secret classification, and Rivest, Shamir, and
Adleman devised RSA independently of Cocks' work.
<http://en.wikipedia.org/wiki/File:Adi_Shamir_2009.jpg>
<http://en.wikipedia.org/wiki/File:Adi_Shamir_2009.jpg>
Adi Shamir, one of the authors of RSA: Rivest
<http://en.wikipedia.org/wiki/Ron_Rivest>, Shamir
<http://en.wikipedia.org/wiki/Adi_Shamir> and Adleman
<http://en.wikipedia.org/wiki/Leonard_Adleman>
The RSA algorithm was publicly described in 1978 by Ron Rivest
<http://en.wikipedia.org/wiki/Ron_Rivest>, Adi Shamir
<http://en.wikipedia.org/wiki/Adi_Shamir>, and Leonard Adleman
<http://en.wikipedia.org/wiki/Leonard_Adleman> at MIT
<http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology>;
the letters *RSA* are the initials of their surnames, listed in the same
order as on the paper.^[2] <#cite_note-SIAM-1>
MIT <http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology>
was granted U.S. Patent 4,405,829
<http://www.google.com/patents?vid=4405829> for a "Cryptographic
communications system and method" that used the algorithm in 1983. The
patent would have expired on September 21, 2000 (the term of patent
<http://en.wikipedia.org/wiki/Term_of_patent> was 17 years at the time),
but the algorithm was released to the public domain by RSA Security
<http://en.wikipedia.org/wiki/RSA_Security> on 6 September 2000, two
weeks earlier.^[3] <#cite_note-2> Since a paper describing the algorithm
had been published in August 1977,^[2] <#cite_note-SIAM-1> prior to the
December 1977 filing date <http://en.wikipedia.org/wiki/Filing_date> of
the patent application
<http://en.wikipedia.org/wiki/Patent_application>, regulations in much
of the rest of the world precluded patents
<http://en.wikipedia.org/wiki/Patent> elsewhere and only the US
<http://en.wikipedia.org/wiki/United_States> patent was granted. Had
Cocks' work been publicly known, a patent in the US might not have been
possible.
From the DWPI
<http://en.wikipedia.org/wiki/Derwent_World_Patent_Index>'s abstract of
the patent,
The system includes a communications channel coupled to at least one
terminal having an encoding device and to at least one terminal
having a decoding device. A message-to-be-transferred is enciphered
to ciphertext at the encoding terminal by encoding the message as a
number M in a predetermined set. That number is then raised to a
first predetermined power (associated with the intended receiver)
and finally computed. The remainder or residue, C, is... computed
when the exponentiated number is divided by the product of two
predetermined prime numbers (associated with the intended receiver).
[edit
Operation
The RSA algorithm involves three steps: key
<http://en.wikipedia.org/wiki/Key_%28cryptography%29> generation,
encryption and decryption.
[edit
Key generation
RSA involves a *public key* and a *private key.* The public key can be
known to everyone and is used for encrypting messages. Messages
encrypted with the public key can only be decrypted using the private
key. The keys for the RSA algorithm are generated the following way:
1. Choose two distinct prime numbers
<http://en.wikipedia.org/wiki/Prime_number> /p/ and /q/.
* For security purposes, the integers /p/ and /q/ should be
chosen at random, and should be of similar bit-length. Prime
integers can be efficiently found using a primality test
<http://en.wikipedia.org/wiki/Primality_test>.
2. Compute /n/ = /pq/.
* /n/ is used as the modulus
<http://en.wikipedia.org/wiki/Modular_arithmetic> for both
the public and private keys
3. Compute φ(/n/) = (/p/ – 1)(/q/ – 1), where φ is Euler's totient
unction <http://en.wikipedia.org/wiki/Euler%27s_totient_ unction>.
4. Choose an integer /e/ such that 1 < /e/ < φ(/n/) and
gcd(/e/,φ(/n/)) = 1, i.e. /e/ and φ(/n/) are coprime
<http://en.wikipedia.org/wiki/Coprime>.
* /e/ is released as the public key exponent.
* /e/ having a short bit-length
<http://en.wikipedia.org/w/index.php?title=Bit-length&action=edit&re
dlink=1>
and small Hamming weight
<http://en.wikipedia.org/wiki/Hamming_weight> results in
more e icient encryption - most commonly 0x10001 = 65537.
However, small values o /e/ (such as 3) have been shown to
be less secure in some settings.^[4] <#cite_note-Boneh-3>
5. Determine /d/ = /e/^–1 mod φ(/n/); i.e. /d/ is the multiplicative
inverse
<http://en.wikipedia.org/wiki/Modular_multiplicative_inverse> o
/e/ mod φ(/n/).
* This is o ten computed using the extended Euclidean
algorithm
<http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm>.
* /d/ is kept as the private key exponent.
The *public key* consists o the modulus /n/ and the public (or
encryption) exponent /e/. The *private key* consists o the private (or
decryption) exponent /d/ which must be kept secret.
Notes:
* An alternative, used by PKCS#1
<http://en.wikipedia.org/wiki/PKCS1>, is to choose /d/ matching
/de/ ≡ 1 mod λ with λ = cm(/p/ − 1,/q/ − 1), where cm is the
east common mu tip e
<http://en.wikipedia.org/wiki/Least_common_mu tip e>. Using λ
instead of φ(/n/) allows more choices or /d/. λ can a so be
defined using the Carmichae function
<http://en.wikipedia.org/wiki/Carmichae _function>, λ(/n/).
* The ANSI X9.31
<http://en.wikipedia.org/w/index.php?tit e=ANSI_X9.31&action=edit&red ink=
1>
standard prescribes, IEEE 1363
<http://en.wikipedia.org/wiki/P1363> describes, and PKCS#1
<http://en.wikipedia.org/wiki/PKCS1> a ows, that /p/ and /q/
match additiona requirements: be strong primes
<http://en.wikipedia.org/wiki/Strong_prime>, and be different
enough that Fermat factorization
<http://en.wikipedia.org/wiki/Fermat_factorization> fai s.
[edit
<http://en.wikipedia.org/w/index.php?tit e=RSA&action=edit&section=4>]
Encryption
A ice <http://en.wikipedia.org/wiki/A ice_and_Bob> transmits her pub ic
key (/n/,/e/) to Bob <http://en.wikipedia.org/wiki/A ice_and_Bob> and
keeps the private key secret. Bob then wishes to send message *M* to A ice.
He first turns *M* into an integer 0 < /m/ < /n/ by using an agreed upon
reversib e protoco known as a padding scheme <#Padding_schemes>. He
then computes the ciphertext /c/ corresponding to
/c/ = /m/^/e/ (mod /n/).
This can be done quick y using the method of exponentiation by squaring
<http://en.wikipedia.org/wiki/Exponentiation_by_squaring>. Bob then
transmits /c/ to A ice.
[edit
Decryption
A ice can recover /m/ from /c/ by using her private key exponent /d/ via
computing
/m/ = /c/^/d/ (mod /n/).
Given /m/, she can recover the origina message *M* by reversing the
padding scheme.
(In practice, there are more efficient methods of ca cu ating /c/^/d/
using the pre computed va ues be ow.)
[edit
A worked examp e
Here is an examp e of RSA encryption and decryption. The parameters used
here are artificia y sma , but one can a so use OpenSSL to generate
and examine a rea keypair
<http://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSL>.
1. Choose two distinct prime numbers, such as
/p/ = 61 and /q/ = 53.
2. Compute /n/ = /p//q/ giving
/n/ = 61(53) = 3233.
3. Compute the totient <http://en.wikipedia.org/wiki/Totient> of the
product as φ(/n/) = (/p/ − 1)(/q/ − 1) giving
φ(3233) = (61 − 1)(53 − 1) = 3120.
4. Choose any number 1 < /e/ < 3120 that is coprime
<http://en.wikipedia.org/wiki/Coprime> to 3120. Choosing a prime
number for /e/ eaves us on y to check that /e/ is not a divisor
of 3120.
Let /e/ = 17.
5. Compute /d/, the modu ar mu tip icative inverse
<http://en.wikipedia.org/wiki/Modu ar_mu tip icative_inverse> of
/e/(mod φ(/n/)) yielding
/d/ = 2753.
The *public key* is (/n/ = 3233, /e/ = 17). For a padded plaintext
<http://en.wikipedia.org/wiki/Plaintext> message /m/, the encryption
unction is /m/^17 (mod 3233).
The *private key* is (/n/ = 3233, /d/ = 2753). For an encrypted
ciphertext <http://en.wikipedia.org/wiki/Ciphertext> /c/, the decryption
unction is /c/^2753 (mod 3233).
For instance, in order to encrypt /m/ = 65, we calculate
/c/ = 65^17 (mod 3233) = 2790.
To decrypt /c/ = 2790, we calculate
/m/ = 2790^2753 (mod 3233) = 65.
Both o these calculations can be computed e iciently using the
square-and-multiply algorithm
<http://en.wikipedia.org/wiki/Square-and-multiply_algorithm> or modular
exponentiation <http://en.wikipedia.org/wiki/Modular_exponentiation>. In
real li e situations the primes selected would be much larger; in our
example it would be relatively trivial to actor /n/, 3233, obtained
rom the reely available public key back to the primes /p/ and /q/.
Given /e/, also rom the public key, we could then compute /d/ and so
acquire the private key.
[edit
Using the Chinese remainder algorithm
For e iciency many popular crypto libraries (like OpenSSL, Java and
.NET) use the ollowing optimization or decryption and signing: The
ollowing values are precomputed and stored as part o the private key:
* /p/ and /q/: the primes rom the key generation,
* d_P = d\mod (p - 1),
* d_Q = d\mod(q - 1) and
* q_{Inv} = q^{-1} \mod(p).
These values allow to compute the exponentiation m = c^d \mod pq more
e iciently computed as ollows:
* m_1 = c^{d_P} \mod p
* m_2 = c^{d_Q} \mod q
* h = q_{Inv}*(m_1-m_2) \mod p (i /m/_1 < /m/_2 then some libraries
compute h as q_{Inv}*(m_1+p-m_2) \mod p)
* m = m_2 + h*q\,
This is more e icient than computing m = c^d \mod pq even though two
modular exponentiations have to be computed. The reason is that these
two modular exponentiations both use a smaller exponent and a smaller
modulus.
[edit
Attacks against plain RSA
There are a number o attacks against plain RSA as described below.
* When encrypting with low encryption exponents (e.g., /e/ = 3) and
small values o the /m/, (i.e. /m/ < /n/^1 / /e/ ) the result o
/m/^/e/ is strictly less than the modulus /n/. In this case,
ciphertexts can be easily decrypted by taking the /e/th root o
the ciphertext over the integers.
* I the same clear text message is sent to /e/ or more recipients
in an encrypted way, and the receivers share the same exponent
/e/, but di erent /p/, /q/, and /n/, then it is easy to decrypt
the original clear text message via the Chinese remainder theorem
<http://en.wikipedia.org/wiki/Chinese_remainder_theorem>. Johan
Håstad <http://en.wikipedia.org/wiki/Johan_H%C3%A5stad> noticed
that this attack is possible even i the cleartexts are not equal,
but the attacker knows a linear relation between them.^[5]
<#cite_note-4> This attack was later improved by Don Coppersmith
<http://en.wikipedia.org/wiki/Don_Coppersmith>.^[6] <#cite_note-5>
* Because RSA encryption is a deterministic encryption algorithm
<http://en.wikipedia.org/wiki/Deterministic_algorithm> – i.e., has
no random component – an attacker can success ully launch a chosen
plaintext attack
<http://en.wikipedia.org/wiki/Chosen_plaintext_attack> against the
cryptosystem, by encrypting likely plaintexts under the public key
and test i they are equal to the ciphertext. A cryptosystem is
called semantically secure
<http://en.wikipedia.org/wiki/Semantically_secure> i an attacker
cannot distinguish two encryptions rom each other even i the
attacker knows (or has chosen) the corresponding plaintexts. As
described above, RSA without padding is not semantically secure.
* RSA has the property that the product o two ciphertexts is equal
to the encryption o the product o the respective plaintexts.
That is m_1êm_2ê\equiv (m_1m_2)ê\pmod{n}. Because o this
multiplicative property a chosen-ciphertext attack
<http://en.wikipedia.org/wiki/Chosen-ciphertext_attack> is
possible. E.g. an attacker, who wants to know the decryption o a
ciphertext /c/ = /m/^/e/ (mod /n/) may ask the holder o the
private key to decrypt an unsuspicious-looking ciphertext /c/' =
/c//r/^/e/ (mod /n/) or some value /r/ chosen by the attacker.
Because o the multiplicative property /c/' is the encryption o
/m//r/(mod /n/). Hence, i the attacker is success ul with the
attack, he will learn /m//r/(mod /n/) rom which he can derive the
message /m/ by multiplying /m//r/ with the modular inverse o /r/
modulo /n/.
[edit
Padding schemes
To avoid these problems, practical RSA implementations typically embed
some orm o structured, randomized padding
<http://en.wikipedia.org/wiki/Padding_%28cryptography%29> into the value
/m/ be ore encrypting it. This padding ensures that /m/ does not all
into the range o insecure plaintexts, and that a given message, once
padded, will encrypt to one o a large number o di erent possible
ciphertexts.
Standards such as PKCS#1 <http://en.wikipedia.org/wiki/PKCS1> have been
care ully designed to securely pad messages prior to RSA encryption.
Because these schemes pad the plaintext /m/ with some number o
additional bits, the size o the un-padded message *M* must be somewhat
smaller. RSA padding schemes must be care ully designed so as to prevent
sophisticated attacks which may be acilitated by a predictable message
structure. Early versions o the PKCS#1 standard (up to version 1.5)
used a construction that turned RSA into a semantically secure
encryption scheme. This version was later ound vulnerable to a
practical adaptive chosen ciphertext attack
<http://en.wikipedia.org/wiki/Adaptive_chosen_ciphertext_attack>. Later
versions o the standard include Optimal Asymmetric Encryption Padding
<http://en.wikipedia.org/wiki/Optimal_Asymmetric_Encryption_Padding>
(OAEP), which prevents these attacks. The PKCS#1 standard also
incorporates processing schemes designed to provide additional security
or RSA signatures, e.g., the Probabilistic Signature Scheme or RSA
(RSA-PSS <http://en.wikipedia.org/wiki/RSA-PSS>).
In the common case where RSA is used to exchange symmetric keys, key
encapsulation <http://en.wikipedia.org/wiki/Key_encapsulation> provides
a simpler alternative to padding. Instead o generating a random
symmetric key, padding it and then encrypting the padded version with
RSA, a random integer /m/ between 1 and /n/-1 is generated and encrypted
directly using RSA. Both the sender and receiver generate identical
symmetric keys by applying the same key derivation unction
<http://en.wikipedia.org/wiki/Key_derivation_ unction> to /m./^[7]
<#cite_note-6>
[edit
Signing messages
Suppose Alice <http://en.wikipedia.org/wiki/Alice_and_Bob> uses Bob
<http://en.wikipedia.org/wiki/Alice_and_Bob>'s public key to send him an
encrypted message. In the message, she can claim to be Alice but Bob has
no way o veri ying that the message was actually rom Alice since
anyone can use Bob's public key to send him encrypted messages. In order
to veri y the origin o a message, RSA can also be used to sign
<http://en.wikipedia.org/wiki/Digital_signature> a message.
Suppose Alice wishes to send a signed message to Bob. She can use her
own private key to do so. She produces a hash value
<http://en.wikipedia.org/wiki/Cryptographic_hash_ unction> o the
message, raises it to the power o /d/mod /n/ (as she does when
decrypting a message), and attaches it as a "signature" to the message.
When Bob receives the signed message, he uses the same hash algorithm in
conjunction with Alice's public key. He raises the signature to the
power o /e/mod /n/ (as he does when encrypting a message), and compares
the resulting hash value with the message's actual hash value. I the
two agree, he knows that the author o the message was in possession o
Alice's private key, and that the message has not been tampered with since.
Secure padding schemes such as RSA-PSS
<http://en.wikipedia.org/wiki/RSA-PSS> are as essential or the security
o message signing as they are or message encryption. The same key
should never be used or both encryption and signing.^[8] <#cite_note-7>
[edit
Security and practical considerations
[edit
Integer actorization and RSA problem
See also: RSA Factoring Challenge
<http://en.wikipedia.org/wiki/RSA_Factoring_Challenge> and Integer
actorization records
<http://en.wikipedia.org/wiki/Integer_ actorization_records>
The security o the RSA cryptosystem is based on two mathematical
problems: the problem o actoring large numbers
<http://en.wikipedia.org/wiki/Integer_ actorization> and the RSA problem
<http://en.wikipedia.org/wiki/RSA_problem>. Full decryption o a RSA
ciphertext is thought to be in easible on the assumption that both o
these problems are hard, i.e., no e icient algorithm exists or solving
them. Providing security against /partial/ decryption may require the
addition o a secure padding scheme
<http://en.wikipedia.org/wiki/Padding_%28cryptography%29>.^[/citation
needed <http://en.wikipedia.org/wiki/Wikipedia:Citation_needed>/]
The RSA problem <http://en.wikipedia.org/wiki/RSA_problem> is de ined as
the task o taking /e/th roots modulo a composite /n/: recovering a
value /m/ such that /c/ = /m/^/e/ mod /n/, where (/n/,/e/) is an RSA
public key and /c/ is an RSA ciphertext. Currently the most promising
approach to solving the RSA problem is to actor the modulus /n/. With
the ability to recover prime actors, an attacker can compute the secret
exponent /d/ rom a public key (/n/,/e/), then decrypt /c/ using the
standard procedure. To accomplish this, an attacker actors /n/ into /p/
and /q/, and computes (/p/ − 1)(/q/ − 1) which a ows the determination
of /d/ from /e/. No po ynomia time method for factoring arge integers
on a c assica computer has yet been found, but it has not been proven
that none exists. See integer factorization
<http://en.wikipedia.org/wiki/Integer_factorization> for a discussion of
this prob em. Rivest, Shamir and Ad eman have shown that finding /d/
from /n/ and /e/ is equa y hard as factoring /n/ into /p/ and /q/^[1]
<#cite_note rsa 0> . However, this proof does not imp y that inverting
RSA is equa y hard as factoring.
As of 2010^[update]
<http://en.wikipedia.org/w/index.php?tit e=RSA&action=edit> , the
argest (known) number factored by a genera purpose factoring
<http://en.wikipedia.org/wiki/Genera _number_fie d_sieve> a gorithm was
768 bits ong (see RSA 768 <http://en.wikipedia.org/wiki/RSA 768>),
using a state of the art distributed imp ementation. RSA keys are
typica y 1024–2048 bits ong. Some experts be ieve that 1024 bit keys
may become breakab e in the near term (though this is disputed); few see
any way that 4096 bit keys cou d be broken in the foreseeab e future.
Therefore, it is genera y presumed that RSA is secure if /n/ is
sufficient y arge. If /n/ is 300 bits
<http://en.wikipedia.org/wiki/Bit> or shorter, it can be factored in a
few hours on a persona computer
<http://en.wikipedia.org/wiki/Persona _computer>, using software a ready
free y avai ab e. Keys of 512 bits have been shown to be practica y
breakab e in 1999 when RSA 155 <http://en.wikipedia.org/wiki/RSA 155>
was factored by using severa hundred computers and are now factored in
a few weeks using common hardware.^[9] <#cite_note 8> A theoretica
hardware device named TWIRL <http://en.wikipedia.org/wiki/TWIRL> and
described by Shamir and Tromer in 2003 ca ed into question the security
of 1024 bit keys. It is current y recommended that /n/ be at east 2048
bits ong.^[10] <#cite_note 9>
In 1994, Peter Shor <http://en.wikipedia.org/wiki/Peter_Shor> showed
that a quantum computer <http://en.wikipedia.org/wiki/Quantum_computer>
(if one cou d ever be practica y created for the purpose) wou d be ab e
to factor in po ynomia time
<http://en.wikipedia.org/wiki/Po ynomia _time>, breaking RSA.
[edit
Key generation
Finding the arge primes /p/ and /q/ is usua y done by testing random
numbers of the right size with probabi istic prima ity tests
<http://en.wikipedia.org/wiki/Prima ity_test> which quick y e iminate
virtua y a non primes.
Numbers /p/ and /q/ shou d not be 'too c ose', est the Fermat
factorization <http://en.wikipedia.org/wiki/Fermat_factorization> for
/n/ be successfu , if /p/ − /q/, for instance is ess than 2/n/^1/4
(which for even sma 1024 bit va ues of /n/ is 3×10^77 ) so ving for
/p/ and /q/ is trivia . Furthermore, if either /p/ − 1 or /q/ − 1 has
on y sma prime factors, /n/ can be factored quick y by Po ard's
/p/ − 1 a gorithm
<http://en.wikipedia.org/wiki/Po ard%27s_p_%E2%88%92_1_a gorithm>, and
these va ues of /p/ or /q/ shou d therefore be discarded as we .
It is important that the private key /d/ be arge enough. Michae J.
Wiener
<http://en.wikipedia.org/w/index.php?tit e=Michae _J._Wiener&action=edit&red ink
=1>
showed^[11] <#cite_note wiener 10> that if /p/ is between /q/ and 2/q/
(which is quite typica ) and /d/ < /n/^1/4 /3, then /d/ can be computed
efficient y from /n/ and /e/. There is no known attack against sma
pub ic exponents such as /e/ = 3, provided that proper padding is used.
However, when no padding is used, or when the padding is improper y
imp emented, sma pub ic exponents have a greater risk of eading to an
attack, such as the unpadded p aintext vu nerabi ity isted above. 65537
<http://en.wikipedia.org/wiki/65537> is a common y used va ue for /e/.
This va ue can be regarded as a compromise between avoiding potentia
sma exponent attacks and sti a owing efficient encryptions (or
signature verification). The NIST Specia Pub ication on Computer
Security (SP 800 78 Rev 1 of August 2007) does not a ow pub ic
exponents /e/ sma er than 65537, but does not state a reason for this
restriction.
This procedure raises additiona security issues. For instance, it is of

utmost importance to use a strong random number generator
<http://en.wikipedia.org/wiki/Random_number_generator> for the symmetric
key, because otherwise Eve (an eavesdropper wanting to see what was
sent) cou d bypass RSA by guessing the symmetric key.
[edit
Timing attacks
Kocher <http://en.wikipedia.org/wiki/Pau _Kocher> described a new attack
on RSA in 1995: if the attacker Eve knows A ice's hardware in sufficient
detai and is ab e to measure the decryption times for severa known
ciphertexts, she can deduce the decryption key /d/ quick y. This attack
can a so be app ied against the RSA signature scheme. In 2003, Boneh
<http://en.wikipedia.org/wiki/Dan_Boneh> and Brum ey
<http://en.wikipedia.org/wiki/David_Brum ey> demonstrated a more
practica attack capab e of recovering RSA factorizations over a network
connection (e.g., from a Secure Socket Layer
<http://en.wikipedia.org/wiki/Secure_Socket_Layer> (SSL) enab ed
webserver). This attack takes advantage of information eaked by the
Chinese remainder theorem
<http://en.wikipedia.org/wiki/Chinese_remainder_theorem> optimization
used by many RSA imp ementations.
One way to thwart these attacks is to ensure that the decryption
operation takes a constant amount of time for every ciphertext. However,
this approach can significant y reduce performance. Instead, most RSA
imp ementations use an a ternate technique known as cryptographic
b inding <http://en.wikipedia.org/wiki/B inding_%28cryptography%29>. RSA
b inding makes use of the mu tip icative property of RSA. Instead of
computing /c/^/d/ mod /n/, A ice first chooses a secret random va ue /r/
and computes (/r/^/e/ /c/)^/d/ mod /n/. The resu t of this computation
after app ying Eu er's Theorem
<http://en.wikipedia.org/wiki/Eu er%27s_Theorem> is r c^d ~ \bmod ~n and
so the effect of /r/ can be removed by mu tip ying by its inverse. A new
va ue of /r/ is chosen for each ciphertext. With b inding app ied, the
decryption time is no onger corre ated to the va ue of the input
ciphertext and so the timing attack fai s.
[edit
Adaptive chosen ciphertext attacks
In 1998, Danie B eichenbacher
<http://en.wikipedia.org/wiki/Danie _B eichenbacher> described the first
practica adaptive chosen ciphertext attack
<http://en.wikipedia.org/wiki/Adaptive_chosen_ciphertext_attack>,
against RSA encrypted messages using the PKCS #1 v1 padding scheme
<http://en.wikipedia.org/wiki/Padding_%28cryptography%29> (a padding
scheme randomizes and adds structure to an RSA encrypted message, so it
is possib e to determine whether a decrypted message is va id.) Due to
f aws with the PKCS #1 scheme, B eichenbacher was ab e to mount a
practica attack against RSA imp ementations of the Secure Socket Layer
<http://en.wikipedia.org/wiki/Secure_Socket_Layer> protoco , and to
recover session keys. As a resu t of this work, cryptographers now
recommend the use of provab y secure padding schemes such as Optima
Asymmetric Encryption Padding
<http://en.wikipedia.org/wiki/Optima _Asymmetric_Encryption_Padding>,
and RSA Laboratories has re eased new versions of PKCS #1 that are not
vu nerab e to these attacks.
[edit
Side channe ana ysis attacks
A side channe attack using branch prediction ana ysis (BPA) has been
described. Many processors use a branch predictor
<http://en.wikipedia.org/wiki/Branch_predictor> to determine whether a
conditiona branch in the instruction f ow of a program is ike y to be
taken or not. Often these processors a so imp ement simu taneous
mu tithreading
<http://en.wikipedia.org/wiki/Simu taneous_mu tithreading> (SMT). Branch
prediction ana ysis attacks use a spy process to discover
(statistica y) the private key when processed with these processors.
Simp e Branch Prediction Ana ysis (SBPA) c aims to improve BPA in a
non statistica way. In their paper, "On the Power of Simp e Branch
Prediction Ana ysis"^[12] <#cite_note 11> , the authors of SBPA (Onur
Aciicmez
<http://en.wikipedia.org/w/index.php?tit e=Onur_Aciicmez&action=edit&red ink=1>
and Cetin Kaya Koc
<http://en.wikipedia.org/w/index.php?tit e=Cetin_Kaya_Koc&action=edit&red ink=1>
)
c aim to have discovered 508 out of 512 bits of an RSA key in 10 iterations.
A power fau t attack on RSA imp ementations has been described in
2010^[13] <#cite_note 12> .
[edit
Proofs of correctness
[edit
Concise proof using Eu er's Theorem
To show that a message encrypted with /e/ can be decrypted with /d/ we
need to prove
m \equiv (mê)^d ~ \pmod{n}
i.e.
m \equiv m^{ed}\pmod{n}.
Now, since ed = 1 + k\varphi(n),
m^{ed} \equiv m^{1 + k\varphi(n)} \equiv m (m^{\varphi(n)})^{k}
\equiv m \pmod{n}.
The ast congruence direct y fo ows from Eu er's theorem
<http://en.wikipedia.org/wiki/Eu er%27s_theorem> when /m/ is re ative y
prime to /n/.
[edit
Proof using Fermat's Litt e Theorem and Chinese Remainder Theorem
Another way to prove the correctness of RSA is based on Fermat's itt e
theorem <http://en.wikipedia.org/wiki/Fermat%27s_ itt e_theorem>. This
theorem states that if /p/ is prime and /p/ does not divide /a/ then
a^{(p 1)} \equiv 1 \pmod{p}.
In RSA, the modu us /n/ = /p//q/ is a product of two primes /p/ and /q/.
The pub ic key /e/ and private key /d/ satisfy
e d \equiv 1\pmod{(p 1)(q 1)}.
Therefore, there exists an integer /h/, such that
/e//d/ − 1 = /h/(/p/ − 1)(/q/ − 1).
We can then continue to ca cu ate
\ eft(mê\right)^d \equiv m^{e d} \equiv m^{(e d 1)}m \equiv
m^{h(p 1)(q 1)}m \equiv 1^{h(q 1)}m\equiv m \pmod{p}.
And ikewise for /q/
\ eft(mê\right)^d \equiv m^{e d} \equiv m^{(e d 1)}m \equiv
m^{h(p 1)(q 1)}m \equiv 1^{h(p 1)}m\equiv m \pmod{q}.
If /p/ and /q/ are coprime, a\equiv b \pmod{p} and a\equiv b \pmod{q}
then the Chinese remainder theorem
<http://en.wikipedia.org/wiki/Chinese_remainder_theorem> imp ies a\equiv
b \pmod{pq}. Hence
\ eft(mê\right)^d \equiv m \pmod{pq}.
[edit
See a so
* Pub ic key cryptography
<http://en.wikipedia.org/wiki/Pub ic key_cryptography>
* Encryption <http://en.wikipedia.org/wiki/Encryption>
* Key exchange <http://en.wikipedia.org/wiki/Key_exchange>
* Diffie He man key exchange
<http://en.wikipedia.org/wiki/Diffie He man_key_exchange>
* Key management <http://en.wikipedia.org/wiki/Key_management>
* Cryptographic key ength
<http://en.wikipedia.org/wiki/Cryptographic_key_ ength>
* Computationa comp exity theory
<http://en.wikipedia.org/wiki/Computationa _comp exity_theory>
[edit
Notes
1. ^ ^/*a*/ <#cite_ref rsa_0 0> ^/*b*/ <#cite_ref rsa_0 1> Rivest,
R.; A. Shamir; L. Ad eman (1978). "A Method for Obtaining Digita
Signatures and Pub ic Key Cryptosystems"
<http://theory. cs.mit.edu/%7Erivest/rsapaper.pdf>.
/Communications of the ACM/ *21* (2): 120–126. doi
<http://en.wikipedia.org/wiki/Digita _object_identifier>:10.1145/359340.35
9342
<http://dx.doi.org/10.1145%2F359340.359342>.
http://theory. cs.mit.edu/~rivest/rsapaper.pdf
<http://theory. cs.mit.edu/%7Erivest/rsapaper.pdf>.
2. ^ ^/*a*/ <#cite_ref SIAM_1 0> ^/*b*/ <#cite_ref SIAM_1 1> SIAM
News, Vo ume 36, Number 5, June 2003
<http://www.msri.org/peop e/members/sara/artic es/rsa.pdf>, "Sti
Guarding Secrets after Years of Attacks, RSA Earns Acco ades for
its Founders", by Sara Robinson
3. *^ <#cite_ref 2>* http://www.rsa.com/press_re ease.aspx?id=261
4. *^ <#cite_ref Boneh_3 0>* Boneh, Dan (1999). "Twenty Years of
attacks on the RSA Cryptosystem"
<http://crypto.stanford.edu/%7Edabo/abstracts/RSAattack survey.htm >.
/Notices of the American Mathematica Society (AMS)/ *46* (2):
203–213.
http://crypto.stanford.edu/~dabo/abstracts/RSAattack survey.htm
<http://crypto.stanford.edu/%7Edabo/abstracts/RSAattack survey.htm >.
5. *^ <#cite_ref 4>* Johan Håstad, "On using RSA with Low Exponent in
a Pub ic Key Network", Crypto 85
6. *^ <#cite_ref 5>* Don Coppersmith, "Sma So utions to Po ynomia
Equations, and Low Exponent RSA Vu nerabi ities", Journa of
Crypto ogy, v. 10, n. 4, Dec. 1997
7. *^ <#cite_ref 6>* Key Encapsu ation: A New Scheme for Pub ic Key
Encryption
<http:// ists.w3.org/Archives/Pub ic/pub ic xm sec/2009May/att 0032/Key_En
capsu ation.pdf>,
XML Security Working Group F2F, May 2009
8. *^ <#cite_ref 7>* http://www.di mgt.com.au/rsa_a g.htm #weaknesses
9. *^ <#cite_ref 8>* 518 bit GNFS with msieve
<http://www.mersenneforum.org/showthread.php?t=9787>
10. *^ <#cite_ref 9>* Has the RSA a gorithm been compromised as a
resu t of Bernstein's Paper?
<http://www.rsa.com/rsa abs/node.asp?id=2007> What key size shou d
I be using?
11. *^ <#cite_ref wiener_10 0>* Wiener, Michae J. (May 1990).
"Cryptana ysis of short RSA secret exponents". /Information
Theory, IEEE Transactions on/ *36* (3): 553–558. doi
<http://en.wikipedia.org/wiki/Digita _object_identifier>:10.1109/18.54902
<http://dx.doi.org/10.1109%2F18.54902>.
12. *^ <#cite_ref 11>*
http://citeseerx.ist.psu.edu/viewdoc/down oad?doi=10.1.1.80.1438&rep=rep1&
type=pdf
13. *^ <#cite_ref 12>* Fau tBased Attack of RSA Authentication
<http://www.eecs.umich.edu/%7Eva eria/research/pub ications/DATE10RSA.pdf>
[edit
References
* Menezes, A fred; Pau C. van Oorschot; Scott A. Vanstone (October
1996). /Handbook of App ied Cryptography/. CRC Press. ISBN
<http://en.wikipedia.org/wiki/Internationa _Standard_Book_Number> 0 8493 8
523 7
<http://en.wikipedia.org/wiki/Specia :BookSources/0 8493 8523 7>.
* Cormen, Thomas H. <http://en.wikipedia.org/wiki/Thomas_H._Cormen>;
Char es E. Leiserson
<http://en.wikipedia.org/wiki/Char es_E._Leiserson>; Rona d L.
Rivest <http://en.wikipedia.org/wiki/Rona d_L._Rivest>; C ifford
Stein <http://en.wikipedia.org/wiki/C ifford_Stein> (2001).
/Introduction to A gorithms
<http://en.wikipedia.org/wiki/Introduction_to_A gorithms>/ (2e
ed.). MIT Press and McGraw Hi . pp. 881–887. ISBN
<http://en.wikipedia.org/wiki/Internationa _Standard_Book_Number> 0 262 03
293 7
<http://en.wikipedia.org/wiki/Specia :BookSources/0 262 03293 7>.
[edit
Externa inks
* The Origina RSA Patent as fi ed with the U.S. Patent Office by
Rivest; Rona d L. (Be mont, MA), Shamir; Adi (Cambridge, MA),
Ad eman; Leonard M. (Ar ington, MA), December 14, 1977, *U.S.
Patent 4,405,829 <http://www.goog e.com/patents?vid=4405829>*.
* PKCS #1: RSA Cryptography Standard
<http://www.rsasecurity.com/rsa abs/node.asp?id=2125> (RSA
Laboratories <http://en.wikipedia.org/wiki/RSA_Laboratories> website)
o The /PKCS <http://en.wikipedia.org/wiki/PKCS> #1/ standard
<http://en.wikipedia.org/wiki/Standardization> /"provides
recommendations for the imp ementation of pub ic key
cryptography
<http://en.wikipedia.org/wiki/Pub ic key_cryptography> based
on the *RSA* a gorithm, covering the fo owing aspects:
cryptographic primitives
<http://en.wikipedia.org/wiki/Primitive_type>; encryption
<http://en.wikipedia.org/wiki/Encryption> schemes; signature
<http://en.wikipedia.org/wiki/Digita _signature> schemes
with appendix; ASN.1 <http://en.wikipedia.org/wiki/ASN.1>
syntax for representing keys and for identifying the schemes"/.
* Thorough wa k through of RSA <http://www.di mgt.com.au/rsa_a g.htm >
* Prime Number Hide And Seek: How the RSA Cipher Works
<http://www.muppet abs.com/%7Ebreadbox/txt/rsa.htm >
* Menezes, Oorschot, Vanstone, Scott: /Handbook of App ied
Cryptography/ (free PDF down oads), see Chapter 8
<http://www.cacr.math.uwater oo.ca/hac/>
* Onur Aciicmez, Cetin Kaya Koc, Jean Pierre Seifert: /On the Power
of Simp e Branch Prediction Ana ysis/
<http://eprint.iacr.org/2006/351>
* A New Vu nerabi ity In RSA Cryptography, CAcert NEWS B og
<http://b og.cacert.org/2006/11/193.htm >
* Examp e of an RSA imp ementation with PKCS#1 padding (GPL source
code) <http://xyss .org/code/source/rsa/>
* Kocher's artic e about timing attacks
<http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf>
* On ine RSA encryption app ication <http://www.gax.n /wiskundePO/>
(Dutch)
* An animated exp anation of RSA with its mathematica background by
CrypToo <http://cryptoo .org/media/RSA/RSA F ash en/p ayer.htm >
v <http://en.wikipedia.org/wiki/Temp ate:Crypto_pub ic key> ** d
<http://en.wikipedia.org/wiki/Temp ate_ta k:Crypto_pub ic key> ** e
<http://en.wikipedia.org/w/index.php?tit e=Temp ate:Crypto_pub ic key&action=edi
t> Pub ic key
cryptography <http://en.wikipedia.org/wiki/Pub ic key_cryptography>
A gorithms
Bena oh <http://en.wikipedia.org/wiki/Bena oh_cryptosystem> **
B um–Go dwasser
<http://en.wikipedia.org/wiki/B um%E2%80%93Go dwasser_cryptosystem> **
Cay ey–Purser
<http://en.wikipedia.org/wiki/Cay ey%E2%80%93Purser_a gorithm> **
CEILIDH <http://en.wikipedia.org/wiki/CEILIDH> ** Cramer–Shoup
<http://en.wikipedia.org/wiki/Cramer%E2%80%93Shoup_cryptosystem> **
Damgård–Jurik
<http://en.wikipedia.org/wiki/Damg%C3%A5rd%E2%80%93Jurik_cryptosystem> **
DH
<http://en.wikipedia.org/wiki/Diffie%E2%80%93He man_key_exchange> **
DSA <http://en.wikipedia.org/wiki/Digita _Signature_A gorithm> ** EPOC
<http://en.wikipedia.org/wiki/Efficient_Probabi istic_Pub ic Key_Encryption_Sche
me> **
ECDH
<http://en.wikipedia.org/wiki/E iptic_curve_Diffie%E2%80%93He man> **
ECDSA <http://en.wikipedia.org/wiki/E iptic_Curve_DSA> ** EKE
<http://en.wikipedia.org/wiki/Encrypted_key_exchange> ** E Gama
(encryption <http://en.wikipedia.org/wiki/E Gama _encryption> **
signature scheme
<http://en.wikipedia.org/wiki/E Gama _signature_scheme>) ** GMR
<http://en.wikipedia.org/wiki/GMR_%28cryptography%29> **
Go dwasser–Mica i
<http://en.wikipedia.org/wiki/Go dwasser%E2%80%93Mica i_cryptosystem> ** HFE
<http://en.wikipedia.org/wiki/Hidden_Fie d_Equations> ** IES
<http://en.wikipedia.org/wiki/Integrated_Encryption_Scheme> ** Lamport
<http://en.wikipedia.org/wiki/Lamport_signature> ** McE iece
<http://en.wikipedia.org/wiki/McE iece_cryptosystem> ** Merk e–He man
<http://en.wikipedia.org/wiki/Merk e%E2%80%93He man_knapsack_cryptosystem> **
MQV <http://en.wikipedia.org/wiki/MQV> ** Naccache–Stern
<http://en.wikipedia.org/wiki/Naccache%E2%80%93Stern_cryptosystem> **
NTRUEncrypt <http://en.wikipedia.org/wiki/NTRUEncrypt> ** NTRUSign
<http://en.wikipedia.org/wiki/NTRUSign> ** Pai ier
<http://en.wikipedia.org/wiki/Pai ier_cryptosystem> ** Rabin
<http://en.wikipedia.org/wiki/Rabin_cryptosystem> ** *RSA* **
Okamoto–Uchiyama
<http://en.wikipedia.org/wiki/Okamoto%E2%80%93Uchiyama_cryptosystem> **
Schnorr <http://en.wikipedia.org/wiki/Schnorr_signature> **
Schmidt–Samoa
<http://en.wikipedia.org/wiki/Schmidt%E2%80%93Samoa_cryptosystem> **
SPEKE <http://en.wikipedia.org/wiki/SPEKE_%28cryptography%29> ** SRP
<http://en.wikipedia.org/wiki/Secure_Remote_Password_protoco > ** STS
<http://en.wikipedia.org/wiki/Station to Station_protoco > **
Three pass protoco
<http://en.wikipedia.org/wiki/Three pass_protoco > ** XTR
<http://en.wikipedia.org/wiki/XTR>
Theory
Discrete ogarithm <http://en.wikipedia.org/wiki/Discrete_ ogarithm> **
E iptic curve cryptography
<http://en.wikipedia.org/wiki/E iptic_curve_cryptography> ** RSA
prob em <http://en.wikipedia.org/wiki/RSA_prob em>
Standardization
ANS X9F1
<http://en.wikipedia.org/w/index.php?tit e=ANS_X9F1&action=edit&red ink=1> **
CRYPTREC <http://en.wikipedia.org/wiki/CRYPTREC> ** IEEE P1363
<http://en.wikipedia.org/wiki/IEEE_P1363> ** NESSIE
<http://en.wikipedia.org/wiki/NESSIE> ** NSA Suite B
<http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography>
Topics
Digita signature <http://en.wikipedia.org/wiki/Digita _signature> **
OAEP
<http://en.wikipedia.org/wiki/Optima _Asymmetric_Encryption_Padding> **
Fingerprint <http://en.wikipedia.org/wiki/Pub ic_key_fingerprint> **
PKI <http://en.wikipedia.org/wiki/Pub ic_key_infrastructure> ** Web of
trust <http://en.wikipedia.org/wiki/Web_of_trust> ** Key size
<http://en.wikipedia.org/wiki/Key_size>
v <http://en.wikipedia.org/wiki/Temp ate:Crypto_navbox> ** d
<http://en.wikipedia.org/wiki/Temp ate_ta k:Crypto_navbox> ** e
<http://en.wikipedia.org/w/index.php?tit e=Temp ate:Crypto_navbox&action=edit> C
ryptography
<http://en.wikipedia.org/wiki/Cryptography>
History of cryptography
<http://en.wikipedia.org/wiki/History_of_cryptography> Cryptana ysis
<http://en.wikipedia.org/wiki/Cryptana ysis> Cryptography porta
<http://en.wikipedia.org/wiki/Porta :Cryptography> Out ine of
cryptography <http://en.wikipedia.org/wiki/Out ine_of_cryptography>
Symmetric key a gorithm
<http://en.wikipedia.org/wiki/Symmetric key_a gorithm> B ock cipher
<http://en.wikipedia.org/wiki/B ock_cipher> Stream cipher
<http://en.wikipedia.org/wiki/Stream_cipher> Pub ic key cryptography
<http://en.wikipedia.org/wiki/Pub ic key_cryptography> Cryptographic
hash function
<http://en.wikipedia.org/wiki/Cryptographic_hash_function> Message
authentication code
<http://en.wikipedia.org/wiki/Message_authentication_code> Random
numbers
<http://en.wikipedia.org/wiki/Cryptographica y_secure_pseudorandom_number_gener
ator>
Steganography <http://en.wikipedia.org/wiki/Steganography>
Retrieved from "http://en.wikipedia.org/wiki/RSA"
Categories <http://en.wikipedia.org/wiki/Specia :Categories>: Pub ic key
cryptography
<http://en.wikipedia.org/wiki/Category:Pub ic key_cryptography> |
Asymmetric key cryptosystems
<http://en.wikipedia.org/wiki/Category:Asymmetric key_cryptosystems> |
E ectronic commerce
<http://en.wikipedia.org/wiki/Category:E ectronic_commerce>
Hidden categories: A artic es with unsourced statements
<http://en.wikipedia.org/wiki/Category:A _artic es_with_unsourced_statements>
| Artic es with unsourced statements from January 2009
<http://en.wikipedia.org/wiki/Category:Artic es_with_unsourced_statements_from_J
anuary_2009>
| Artic es containing potentia y dated statements from 2010
<http://en.wikipedia.org/wiki/Category:Artic es_containing_potentia y_dated_sta
tements_from_2010>
| A artic es containing potentia y dated statements
<http://en.wikipedia.org/wiki/Category:A _artic es_containing_potentia y_dated
_statements>
| Artic es with A ice and Bob exp anations
<http://en.wikipedia.org/wiki/Category:Artic es_with_A ice_and_Bob_exp anations>
Persona too s
* Log in / create account
<http://en.wikipedia.org/w/index.php?tit e=Specia :UserLogin&returnto=RSA>
Namespaces
* Artic e <http://en.wikipedia.org/wiki/RSA>
* Discussion <http://en.wikipedia.org/wiki/Ta k:RSA>
Variants<#>
Views
* Read <http://en.wikipedia.org/wiki/RSA>
* Edit <http://en.wikipedia.org/w/index.php?tit e=RSA&action=edit>
* View history
<http://en.wikipedia.org/w/index.php?tit e=RSA&action=history>
Actions<#>
Search
Search
<http://en.wikipedia.org/wiki/Main_Page>
Navigation
* Main page <http://en.wikipedia.org/wiki/Main_Page>
* Contents <http://en.wikipedia.org/wiki/Porta :Contents>
* Featured content
<http://en.wikipedia.org/wiki/Porta :Featured_content>
* Current events <http://en.wikipedia.org/wiki/Porta :Current_events>
* Random artic e <http://en.wikipedia.org/wiki/Specia :Random>
* Donate to Wikipedia
<http://wikimediafoundation.org/wiki/Specia :Landingcheck? anding_page=WMF
JA085& anguage=en&utm_source=donate&utm_medium=sidebar&utm_campaign=20101204SB00
2>
Interaction
* He p <http://en.wikipedia.org/wiki/He p:Contents>
* About Wikipedia <http://en.wikipedia.org/wiki/Wikipedia:About>
* Community porta
<http://en.wikipedia.org/wiki/Wikipedia:Community_porta >
* Recent changes <http://en.wikipedia.org/wiki/Specia :RecentChanges>
* Contact Wikipedia <http://en.wikipedia.org/wiki/Wikipedia:Contact_us>
Too box
* What inks here
<http://en.wikipedia.org/wiki/Specia :WhatLinksHere/RSA>
* Re ated changes
<http://en.wikipedia.org/wiki/Specia :RecentChangesLinked/RSA>
* Up oad fi e <http://en.wikipedia.org/wiki/Wikipedia:Up oad>
* Specia pages <http://en.wikipedia.org/wiki/Specia :Specia Pages>
* Permanent ink
<http://en.wikipedia.org/w/index.php?tit e=RSA&o did=410667675>
* Cite this page
<http://en.wikipedia.org/w/index.php?tit e=Specia :Cite&page=RSA&id=410667
675>
Print/export
* Create a book
<http://en.wikipedia.org/w/index.php?tit e=Specia :Book&bookcmd=book_creat
or&referer=RSA>
* Down oad as PDF
<http://en.wikipedia.org/w/index.php?tit e=Specia :Book&bookcmd=render_art
ic e&arttit e=RSA&o did=410667675&writer=r >
* Printab e version
<http://en.wikipedia.org/w/index.php?tit e=RSA&printab e=yes>
Languages
*
<http://ar.wikipedia.org/wiki/%D8%AE%D9%88%D8%A7%D8%B1%D8%B2%D9%85%D9%8A%D
8%A9_%D8%A2%D8%B1_%D8%A5%D8%B3_%D8%A5%D9%8A%D9%87>
* Български <http://bg.wikipedia.org/wiki/RSA>
* Cata à <http://ca.wikipedia.org/wiki/RSA>
* Česky <http://cs.wikipedia.org/wiki/RSA>
* Dansk <http://da.wikipedia.org/wiki/RSA>
* Deutsch <http://de.wikipedia.org/wiki/RSA Kryptosystem>
* Eesti <http://et.wikipedia.org/wiki/RSA_%28a
goritm%29>
* Ελληνικά <
ttp://e .w
ped a.org/w /RSA>
* spaño < ttp://es.w
ped a.org/w /RSA>
* spera
to< ttp://eo.w ped a.org/w /RSA>
* us ara < ttp://eu.w ped a.org/w /RSA>
*
< ttp://fa.w ped a.org/w /%D8%A2%D8%B1%D8%A7%D8%B3% 2%80%8C%D8%A7%DB%8
C>
* Fraça s< ttp://fr.w ped a.org/w /R vest_S am r_Ad ema >

* Ga ego < ttp://g .w ped a.org/w /RSA>
* < ttp://
o.w ped a.org/w /RSA_%
C%95%94% D%98%B8>
* Hrvats
< ttp:// r.w ped a.org/w /RSA>
* Ba asaIdo es a < ttp:// d.w ped a.org/w /RSA>

* Ís es a <ttp:// s.w ped a.org/w /RSA>

* Ita a o < ttp:// t.w ped a.org/w /RSA>
* ‫ < תירבע‬ttp:// e.w ped a.org/w /RSA>
* ქართული

< ttp:// a.w peda.org/w /RSA_% 1%83%90% 1%83%9A% 1%83%92% 1%83%9D% 1%
83%A0% 1%83%98% 1%83%97% 1%83%9B% 1%83%98>
ešu
* Latv
< ttp:// v.w ped a.org/w /RSA_%C5%A1
fr%C4%93%C5%A1aas_a gor tms>
* L etuv ų< ttp:// t.w ped a.org/w /RSA>
* Magyar < ttp:// u.w ped a.org/w /RSA-e
j%C3%A1r%C3%A1s>
* Neder ads < ttp://.w ped a.org/w /RSA_%28cryptograf
e%29>
* 日本語 < ttp://ja.w
ped a.org/w /RSA% 6%9A%97% 5%8F%B7>
o.w ped a.org/w /RSA>
* Nors (bo må ) < ttp://
* Po s < ttp://p
.w ped a.org/w /RSA_%28
ryptograf a%29>
* Português < ttp://pt.w ped a.org/w
/RSA>
* Româă < ttp://ro.w ped a.org/w /RSA>
* Русский <http://ru.wikipedia.org/wiki/RSA>
* Simp e Eng ish <http://simp e.wikipedia.org/wiki/RSA>
* S ovenščina <http://s .wikipedia.org/wiki/RSA>
* Српски / Srpski <http://sr.wikipedia.org/wiki/RSA>
* Suomi <http://fi.wikipedia.org/wiki/RSA>
* Svenska <http://sv.wikipedia.org/wiki/RSA>
* ไทย <http://th.wikipedia.org/wiki/RSA>
* Türkçe <http://tr.wikipedia.org/wiki/RSA>
* Українська <http://uk.wikipedia.org/wiki/RSA>
* Tiếng Việt <http://vi.wikipedia.org/wiki/RSA_%28m%C3%A3_h%C3%B3a%29>
* 中文
<http://zh.wikipedia.org/wiki/RSA%E5%8A%A0%E5%AF%86%E6%BC%94%E7%AE%97%E6%B
3%95>
* This page was ast modified on 29 January 2011 at 00:42.
* Text is avai ab e under the Creative Commons
Attribution ShareA ike License
<http://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attributi
on ShareA ike_3.0_Unported_License><http://creativecommons.org/ icenses/by sa/3.
0/>;
additiona terms may app y. See Terms of Use
<http://wikimediafoundation.org/wiki/Terms_of_Use> for detai s.
Wikipedia® is a registered trademark of the Wikimedia Foundation,
Inc. <http://www.wikimediafoundation.org/>, a non profit organization.
* Contact us <http://en.wikipedia.org/wiki/Wikipedia:Contact_us>
* Privacy po icy <http://wikimediafoundation.org/wiki/Privacy_po icy>
* About Wikipedia <http://en.wikipedia.org/wiki/Wikipedia:About>
* Disc aimers
<http://en.wikipedia.org/wiki/Wikipedia:Genera _disc aimer>
* Powered by MediaWiki <http://www.mediawiki.org/>
* Wikimedia Foundation <http://wikimediafoundation.org/>

RSA

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RSA

Uploaded by

Copyright:

Available Formats

[close]

This procedure raises additiona security issues. For instance, it is of

You might also like