Systems Architecture I September 4, 1997 Applied Symbolic Computation (CS 680/480) Lecture 5: Modular Arithmetic and the RSA Public Key Cryptosystem Jeremy R. Johnson April 25, 2001 April 2, 2001 Systems Architecture I

Systems Architecture I September 4, 1997 Introduction Objective: To understand what a public key cryptosystem is and how the RSA algorithm works. To review the number theory behind the RSA algorithm. Public Key Cryptosystems RSA Algorithm Modular Arithmetic Euler’s Identity Chinese Remainder Theorem References: Rivest, Shamir, Adelman. April 2, 2001 Systems Architecture I

Modular Arithmetic (Zn) Definition: a  b (mod n)  n | (b - a) Alternatively, a = qn + b Properties (equivalence relation) a  a (mod n) [Reflexive] a  b (mod n)  b  a (mod n) [Symmetric] a  b (mod n) and b  c (mod n)  a  c (mod n) [Transitive] Definition: An equivalence class mod n [a] = { x: x  a (mod n)} = { a + qn | q  Z} April 2, 2001 Systems Architecture I

Modular Arithmetic (Zn) It is possible to perform arithmetic with equivalence classes mod n. [a] + [b] = [a+b] [a] * [b] = [a*b] In order for this to make sense, you must get the same answer (equivalence) class independent of the choice of a and b. In other words, if you replace a and b by numbers equivalent to a or b mod n you end of with the sum/product being in the same equivalence class. a1  a2 (mod n) and b1  b2 (mod n)  a1+ b1  a2 + b2 (mod n) a1* b1  a2 * b2 (mod n) (a + q1n) + (b + q2n) = a + b + (q1 + q2)n (a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n April 2, 2001 Systems Architecture I

Systems Architecture I Representation of Zn The equivalence classes [a] mod n, are typically represented by the representatives a. Positive Representation: Choose the smallest positive integer in the class [a] then the representation is {0,1,…,n-1}. Symmetric Representation: Choose the integer with the smallest absolute value in the class [a]. The representation is {-(n-1)/2 ,…, n/2 } E.G. Z6 = {-2,-1,0,1,2,3}, Z5 = {-2,-1,0,1,2} April 2, 2001 Systems Architecture I

Systems Architecture I Modular Inverses Definition: x is the inverse of a mod n, if ax  1 (mod n) The equation ax  1 (mod n) has a solution iff gcd(a,n) = 1. By the Extended Euclidean Algorithm, there exist x and y such that ax + ny = gcd(a,n). When gcd(a,n) = 1, we get ax + ny = 1. Taking this equation mod n, we see that ax  1 (mod n) April 2, 2001 Systems Architecture I

Systems Architecture I Fermat’s Theorem Theorem: If a  0  Zp, then ap-1  1 (mod p). More generally, if a  Zp, then ap  a (mod p). Proof: Assume that a  0  Zp. Then a * 2a * … (p-1)a = (p-1)! * ap-1 Also, since a*i  a*j (mod p)  i  j (mod p), the numbers a, 2a, …, (p-1)a are distinct elements of Zp. Therefore they are equal to 1,2,…,(p-1) and their product is equal to (p-1)! mod p. This implies that (p-1)! * ap-1  (p-1)! (mod p)  ap-1  1 (mod p). April 2, 2001 Systems Architecture I

Systems Architecture I Euler phi function Definition: phi(n) = #{a: 0 < a < n and gcd(a,n) = 1} Properties: (p) = p-1, for prime p. (p^e) = (p-1)*p^(e-1)  (m*n) =  (m)* (n) for gcd(m,n) = 1. (p*q) = (p-1)*(q-1) Examples: (15) = (3)* (5) = 2*4 = 8. = #{1,2,4,7,8,11,13,14} (9) = (3-1)*3^(2-1) = 2*3 = 6 = #{1,2,4,5,7,8} April 2, 2001 Systems Architecture I

Systems Architecture I Euler’s Identity The number of elements in Zn that have multiplicative inverses is equal to phi(n). Theorem: Let (Zn)* be the elements of Zn with inverses (called units). If a  (Zn)*, then a(n)  1 (mod n). Proof. The same proof presented for Fermat’s theorem can be used to prove this theorem. April 2, 2001 Systems Architecture I

Chinese Remainder Theorem Theorem: If gcd(m,n) = 1, then given a and b there exist an integer solution to the system: x  a (mod m) and x = b (mod n). Proof: Consider the map x  (x mod m, x mod n). This map is a 1-1 map from Zmn to Zm  Zn, since if x and y map to the same pair, then x  y (mod m) and x  y (mod n). Since gcd(m,n) = 1, this implies that x  y (mod mn). Since there are mn elements in both Zmn and Zm  Zn, the map is also onto. This means that for every pair (a,b) we can find the desired x. April 2, 2001 Systems Architecture I

Alternative Interpretation of CRT Let Zm  Zn denote the set of pairs (a,b) where a  Zm and b  Zn. We can perform arithmetic on Zm  Zn by performing componentwise modular arithmetic. (a,b) + (c,d) = (a+b,c+d) (a,b)*(c,d) = (a*c,b*d) Theorem: Zmn  Zm  Zn. I.E. There is a 1-1 mapping from Zmn onto Zm  Zn that preserves arithmetic. (a*c mod m, b*d mod n) = (a mod m, b mod n)*(c mod m, d mod n) (a+c mod m, b+d mod n) = (a mod m, b mod n)+(c mod m, d mod n) The CRT implies that the map is onto. I.E. for every pair (a,b) there is an integer x such that (x mod m, x mod n) = (a,b). April 2, 2001 Systems Architecture I

Constructive Chinese Remainder Theorem Theorem: If gcd(m,n) = 1, then there exist em and en (orthogonal idempotents) em  1 (mod m) em  0 (mod n) en  0 (mod m) en  1 (mod n) It follows that a*em + b* en  a (mod m) and  b (mod n). Proof. Since gcd(m,n) = 1, by the Extended Euclidean Algorithm, there exist x and y with m*x + n*y = 1. Set em = n*y and en = m*x April 2, 2001 Systems Architecture I

Public Key Cryptosystem Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. D(E(M)) = M Both E() and D() are easy to compute Publicly revealing E() does not make it easy to determine D() E(D(M)) = M - needed for signatures The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information) April 2, 2001 Systems Architecture I

RSA Public Key Cryptosystem Based on the idea that it is hard to factor large numbers. First encode M as an integer (e.g. use ASCII). Large messages will need to be blocked. Choose n = p*q, the product of two large prime numbers. Choose e such that gcd(e,phi(n)) = 1. Choose d such that de  1 (mod  (n)) E = (e,n) and E(M) = Me mod n D = (d,n) and D(M) = Md mod n April 2, 2001 Systems Architecture I

Correctness of the RSA Algorithm Theorem: D(E(M)) = E(D(M)) = M. Proof. D(E(M)) = (Me)d (mod n) = Med (mod n). Since ed  1 (mod  (n)), ed = k*  (n) + 1, for some integer k. Mk* (n)+1  (Mk* (n)+1 mod p, Mk* (n)+1 mod q) = (Mk* (n) * M mod p, Mk* (n) * M mod q) = (M(p-1)*(q-1)*k * M mod p, M(q-1)*(p-1)*k * M mod q) [since n = pq] = ((M(p-1))(q-1)*k * M mod p, (M(q-1))(p-1)*k * M mod q) = (M mod p, M mod q) [By Fermat’s theorem] Therefore, by the CRT, Mk* (n)+1  M (mod n). April 2, 2001 Systems Architecture I