1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

Presentation transcript:

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong

2 e.g.1 (Page 3)
Consider $f_3(x) = x \cdot_7 3$.
Consider each non-zero x in $Z_7 = \{0, 1, 2, 3, 4, 5, 6\}$:
$f_3(1) = 3$
$f_3(2) = 6$
$f_3(3) = 2$
$f_3(4) = 5$
$f_3(5) = 1$
$f_3(6) = 4$
[Diagram: each x in S mapped to $f_3(x)$ in T.]
A permutation of {1, 2, 3, 4, 5, 6}. Why? This is because 7 is a prime number.

3 e.g.1 Illustration of Lemma 2.20
Lemma 2.20: 7 is a prime number. Consider a value 3 which is in $Z_7$. The function $f_3(x) = x \cdot_7 3$ is 1-to-1. In particular, $f_3(1), f_3(2), f_3(3), f_3(4), f_3(5), f_3(6)$ (or , , , , , ) are a permutation of the set {1, 2, 3, ..., 6}.
Why is it correct?

4 Lemma 2.20: 7 is a prime number. Consider a value 3 which is in $Z_7$. The function $f_3(x) = x \cdot_7 3$ is 1-to-1. In particular, $f_3(1), f_3(2), f_3(3), f_3(4), f_3(5), f_3(6)$ (or , , , , , ) are a permutation of the set {1, 2, 3, ..., 6}.
We prove by contradiction. Suppose that $f_3(x)$ is not 1-to-1. That is, there exist two integers x, y such that $x \neq y$ and $f_3(x) = f_3(y)$.
[Diagram: sets S and T, with x, y and v marked.]
Since 7 is a prime number, by Corollary 2.17, we know that 3 has a multiplicative inverse in $Z_7$ (denoted by $3^{-1}$) (i.e., = 1).
Consider
$x = x \cdot_7 1 = x \cdot_7 (\;) = (x \cdot_7 3) = f_3(x) = f_3(y) = (y \cdot_7 3) = y \cdot_7 (\;) = y \cdot_7 1 = y$
Thus, we have x = y. This leads to a contradiction!

5 e.g.2 (Page 5) Private-key cryptosystems
[Diagram: x -> Encryption -> y; y -> Decryption -> x, with $f_3(x) = x \cdot_7 3$]
Encryption: key a = 3, encryption function $f_a(x)$ (e.g. 4 gives 5)
Decryption: key a = 3, decryption function $f_a^{-1}(x)$ (e.g. 5 gives 4)
Suppose that the encryption and decryption functions are known to the public. But the key is kept privately. Then, we can ensure that the encryption/decryption is secure.

6 e.g.2 Private-key cryptosystems
[Diagram: x -> Encryption -> y; y -> Decryption -> x, with $f_3(x) = x \cdot_7 3$]
Encryption: key a = 3, encryption function $f_a(x)$ (e.g. 4 gives 5)
Decryption: key a = 3, decryption function $f_a^{-1}(x)$ (e.g. 5 gives 4)
I know that $f_3(x)$ is one-to-one. Given x, we can compute $y = f_3(x)$ efficiently.
Since function $f_3(x)$ is a one-to-one function, $f_3(x)$ must have an inverse $f_3^{-1}(x)$. However, knowing that the inverse $f_3^{-1}(x)$ exists does not help in finding x (given y). Thus, given y, it might be hard to calculate (at the attacker side).
Suppose that I am the attacker. However, knowing y does not provide enough information to recover x efficiently.
Thus, we say that $f_3(x)$ is a one-way function.

7 e.g.2 Public-key cryptosystems
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key, encryption function
Decryption: secret key, decryption function
Suppose that the encryption and decryption functions are known to the public. But the secret-key is kept privately. Then, we should ensure that the encryption/decryption is secure.
Suppose that the public key is known to the public. This secret key has some relationships with the public key.
How can we ensure this statement? If we can ensure the following, we are confident to say that the encryption/decryption is secure.
Given (1) the encryption function, (2) the decryption function and (3) the public key, it is difficult to derive the secret-key (at the attacker side) (i.e., it is not efficient to derive the secret-key).
In this lecture, we will illustrate this concept for the public-key cryptosystem.

8 e.g.3 (Page 8)
E.g., If $7 \in Z_{11}$, then $7^5 \bmod 11 =$
Lemma 2.3: $(a \cdot b) \bmod 11 = ((a \bmod 11) \cdot (b \bmod 11)) \bmod 11 = ((a \bmod 11) \cdot b) \bmod 11$
Note that
$7^3 \bmod 11 = (\;) \bmod 11 = ((7 \cdot 7) \cdot 7) \bmod 11 = ([(7 \cdot 7) \bmod 11] \cdot 7) \bmod 11 = ((\;) \cdot 7) \bmod 11 = (\;) =$

9 e.g.4 (Page 10) Illustration of Lemma 2.19
Lemma 2.19:
$(3^2 \bmod 7) \cdot_7 (3^4 \bmod 7) =$ mod 7
$(3^4 \bmod 7)^2 = 3^{4 \times 2}$ mod
=
$(3^4)^2 = 3^{4 \times 2}$

10 e.g.5 (Page 12)
If a = 3, please find the following:
$a^0 \bmod 7$, $a^1 \bmod 7$, $a^2 \bmod 7$, $a^3 \bmod 7$, $a^4 \bmod 7$, $a^5 \bmod 7$, $a^6 \bmod 7$, $a^7 \bmod 7$, $a^8 \bmod 7$, $a^9 \bmod 7$, $a^{10} \bmod 7$, $a^{11} \bmod 7$, $a^{12}$ mod
The pattern re-appears for every group of 6 elements.

11 e.g.6 (Page 12)
If a = 5, please find the following:
$a^0 \bmod 7$, $a^1 \bmod 7$, $a^2 \bmod 7$, $a^3 \bmod 7$, $a^4 \bmod 7$, $a^5 \bmod 7$, $a^6 \bmod 7$, $a^7 \bmod 7$, $a^8 \bmod 7$, $a^9 \bmod 7$, $a^{10} \bmod 7$, $a^{11} \bmod 7$, $a^{12}$ mod
The pattern re-appears for every group of 6 elements.
We observe that $a^6 \bmod 7 = 1$, or $a^{7-1} \bmod 7 = 1$.

12 e.g.7 (Page 13) Illustration of Theorem 2.21
Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero $a \in Z_7$, $a^{7-1} \bmod 7 = 1$
Why is it correct?

13 e.g.7
Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero $a \in Z_7$, $a^{7-1} \bmod 7 = 1$
Lemma 2.20: 7 is a prime number. Consider a value 3 which is in $Z_7$. The function $f_3(x) = x \cdot_7 3$ is 1-to-1. In particular, $f_3(1), f_3(2), f_3(3), f_3(4), f_3(5), f_3(6)$ (or , , , , , ) are a permutation of the set {1, 2, 3, ..., 6}.
Illustrate with a = 3.
Consider Lemma 2.20. We know that , , , , , (we call Group A) are a permutation of 1, 2, 3, 4, 5, 6 (we call Group B).
Thus, we have the product of all numbers in Group A = the product of all numbers in Group B.
$(1 \cdot_7 3) \cdot_7 (2 \cdot_7 3) \cdot_7 (3 \cdot_7 3) \cdot_7 (4 \cdot_7 3) \cdot_7 (5 \cdot_7 3) \cdot_7 (6 \cdot_7 3)$
= the product of all numbers in Group A (mod 7)
= the product of all numbers in Group B (mod 7)

14 e.g.7
Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero $a \in Z_7$, $a^{7-1} \bmod 7 = 1$
Illustrate with a = 3.
Consider Lemma 2.20. We know that , , , , , (we call Group A) are a permutation of 1, 2, 3, 4, 5, 6 (we call Group B).
Thus, we have the product of all numbers in Group A = the product of all numbers in Group B.
$(1 \cdot_7 3) \cdot_7 (2 \cdot_7 3) \cdot_7 (3 \cdot_7 3) \cdot_7 (4 \cdot_7 3) \cdot_7 (5 \cdot_7 3) \cdot_7 (6 \cdot_7 3)$
= the product of all numbers in Group A (mod 7)
= the product of all numbers in Group B (mod 7)
= = ( ) $\cdot_7$ ( ) =
Let x =
We have $x \cdot_7 (3^{7-1} \bmod 7) = x$
( ) $\cdot_7 (3^{7-1} \bmod 7)$ =
Since 7 is a prime number, x has a multiplicative inverse $x^{-1}$ in $Z_7$.
Consider
$x \cdot_7 (3^{7-1} \bmod 7) = x$
x x $\cdot_7 (3^{7-1} \bmod 7)$ = x x
(x x) $\cdot_7 (3^{7-1} \bmod 7)$ = x x
mod 7 = 1

15 e.g.8 (Page 14) Illustration of Corollary 2.22
Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero $a \in Z_7$, $a^{7-1} \bmod 7 = 1$
Corollary 2.22 (Fermat’s Little Theorem, Version 2): 7 is a prime number. Then, for any positive integer a that is not a multiple of 7, $a^{7-1} \bmod 7 = 1$
Why is it correct?
Consider
$a^{7-1} \bmod 7 = (a \cdot a \cdot a \cdot a \cdot a \cdot a) \bmod 7$
$= [(a \bmod 7) \cdot (a \bmod 7) \cdot (a \bmod 7) \cdot (a \bmod 7) \cdot (a \bmod 7) \cdot (a \bmod 7)] \bmod 7$
$= (a \bmod 7)^{7-1} \bmod 7$
Note that $(a \bmod 7) \in Z_7$. a is not a multiple of 7.
If (a mod 7) is non-zero in $Z_7$, we have $(a \bmod 7)^{7-1} \bmod 7 = 1$, i.e., $a^{7-1} \bmod 7 = 1$

16 e.g.9 (Page 15) Illustration of Corollary 2.X1
Corollary 2.X1 (Fermat’s Little Theorem, Version 2): 7 is a prime number. Consider a non-negative integer 15. Then, for any positive integer a that is not a multiple of 7, $a^{15} \bmod 7 = a^{15 \bmod (7-1)} \bmod 7$
e.g., $a^{15} \bmod 7 = a^{15 \bmod (7-1)} \bmod 7 = a^{15 \bmod 6} \bmod 7 = a^3 \bmod 7$
If a = 5, we have $5^{15} \bmod 7 = 5^3 \bmod 7 = 6$
Why is it correct? This proof is skipped. You can prove it by yourself.
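The checks in e.g.1 to e.g.9 can be run directly. The following is an added example, not part of the original slides; the function names are illustrative, and the composite modulus 6 is included only to show where Lemma 2.20 and Fermat's Little Theorem stop holding.

```python
# Added example: Lemma 2.20, Theorem 2.21 and Corollary 2.X1 checked numerically.
# Function names are illustrative and do not come from the slides.


def multiplication_images(a, n):
    """Return [f_a(1), ..., f_a(n-1)] where f_a(x) = x * a mod n."""
    return [(x * a) % n for x in range(1, n)]


def is_permutation_of_nonzero(a, n):
    """Lemma 2.20: for prime n and non-zero a, the images permute {1, ..., n-1}."""
    return sorted(multiplication_images(a, n)) == list(range(1, n))


def power_cycle(a, n, count):
    """Return [a^0 mod n, a^1 mod n, ..., a^(count-1) mod n] as in e.g.5 and e.g.6."""
    return [pow(a, k, n) for k in range(count)]


def fermat_holds(n):
    """Theorem 2.21: a^(n-1) mod n == 1 for every non-zero a in Z_n (true when n is prime)."""
    return all(pow(a, n - 1, n) == 1 for a in range(1, n))


def reduced_power(a, m, p):
    """Corollary 2.X1: compute a^m mod p as a^(m mod (p-1)) mod p.

    Valid only when p is prime and a is not a multiple of p.
    """
    if a % p == 0:
        raise ValueError("a must not be a multiple of p")
    return pow(a, m % (p - 1), p)


if __name__ == "__main__":
    print("f_3 over Z_7:", multiplication_images(3, 7))
    print("permutation for modulus 7:", is_permutation_of_nonzero(3, 7))
    print("permutation for modulus 6:", is_permutation_of_nonzero(3, 6))
    print("powers of 3 mod 7:", power_cycle(3, 7, 13))
    print("5^15 mod 7 via reduced exponent:", reduced_power(5, 15, 7))
```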

17 e.g.10 (Page 19)
1. Choose 2 large prime numbers p and q
2. Set n = pq and T = (p-1)(q-1)
3. Choose $e \neq 1$ so that gcd(e, T) = 1
4. Calculate $d = e^{-1} \bmod T$ (i.e., the multiplicative inverse of e in $Z_T$)
5. Publish e, n as public key
6. Keep d as secret key
Choose p = 5, q = 11.
We can calculate n = 55 and T = (5-1)(11-1) = 40.
Choose e = 7 (Note: gcd(7, 40) = 1).
We can find $d = 7^{-1} \bmod 40$. We can use Extended GCD algorithm to find d = 23.
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$

18 e.g.11 (Page 20)
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
x = 12
$y = 12^7 \bmod 55$ = mod 55 = 23
y = 23

19 e.g.11
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
12
x = mod 55
x = mod 55 =

20 e.g.11
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
Can the encrypted value y be decrypted correctly?
Is the following correct? “$(x^e \bmod n)^d \bmod n = x$”
Is the following correct? “$x^{ed} \bmod n = x$”

21 e.g.12 (Page 21)
Is the following correct? “$x^{ed} \bmod n = x$”

22 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
Consider $d = e^{-1} \bmod T$. We can re-write it as follows.
$ed \bmod T = 1$
We can further re-write it as follows.
$ed = Tk + 1$ where k is an integer
Consider
$x^{ed} \bmod p = x^{Tk+1} \bmod p$
$= x^{Tk} x \bmod p$
$= x^{(p-1)(q-1)k} x \bmod p$
$= (x^{(q-1)k})^{p-1} x \bmod p$
$= [((x^{(q-1)k})^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, $a^{p-1} \bmod p = 1$
We consider two cases.
(a) $x^{(q-1)k}$ is not a multiple of p
(b) $x^{(q-1)k}$ is a multiple of p

23 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
Consider
$x^{ed} \bmod p = [((x^{(q-1)k})^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
We consider two cases.
(a) $x^{(q-1)k}$ is not a multiple of p
(b) $x^{(q-1)k}$ is a multiple of p
Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, $a^{p-1} \bmod p = 1$

24 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
We consider two cases.
(a) $x^{(q-1)k}$ is not a multiple of p
(b) $x^{(q-1)k}$ is a multiple of p
Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, $a^{p-1} \bmod p = 1$
Consider
$x^{ed} \bmod p = [((x^{(q-1)k})^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
$= [1 \cdot (x \bmod p)] \bmod p$
$= (x \bmod p) \bmod p$
$= x \bmod p$

25 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
We consider two cases.
(a) $x^{(q-1)k}$ is not a multiple of p
(b) $x^{(q-1)k}$ is a multiple of p
We deduce that $x^{(q-1)k} \bmod p = 0$.
Consider
$x^{ed} \bmod p = [((x^{(q-1)k})^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
$= [((x^{(q-1)k} \bmod p)^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
$= [((0)^{p-1} \bmod p) \cdot (x \bmod p)] \bmod p$
$= [0 \cdot (x \bmod p)] \bmod p$
$= 0$
We know that $x^{(q-1)k}$ is a multiple of p. Since p is prime, x is also a multiple of p.
e.g. $x^{1000}$ is a multiple of 7. Since 7 is prime, x is also a multiple of 7. It can be shown by proof by contradiction.
Since x is also a multiple of p, we have x mod p = 0.
Thus, $x \bmod p = x^{ed} \bmod p$

26 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
The second proof is similar to the first proof.

27 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
Before we prove this statement, we want to give some properties of prime numbers.
If p and q are both prime numbers and both divide z, then pq divides z.
e.g., p = 3, q = 11, z = 99. 3 and 11 both divide 99. We know that 33 (= pq) also divides 99.
If p and q are not prime numbers and both divide z, then pq may not divide z.
e.g., p = 6, q = 15, z = 60. 6 and 15 both divide 60. We know that 90 (= pq) does not divide 60.

28 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
If p and q are both prime numbers and both divide z, then pq divides z.
From (1), we know that $x \bmod p = x^{ed} \bmod p$. It can be re-written as follows.
$x^{ed} = ip + x$ where i is an integer.
It can further be re-written as follows.
$x^{ed} - x = ip$
From (2), we know that $x \bmod q = x^{ed} \bmod q$. It can be re-written as follows.
$x^{ed} = jq + x$ where j is an integer.
It can further be re-written as follows.
$x^{ed} - x = jq$
Let $z = x^{ed} - x$. Note that $x^{ed} - x$ (which is equal to z)
We have z = ip ..... (*)
Thus, p divides z.
We have z = jq ..... (**)
Thus, q divides z.
Since p and q are both prime numbers and both divide z, pq divides z.

29 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
Let $z = x^{ed} - x$.
Since p and q are both prime numbers and both divide z, pq divides z.

30 e.g.12
Is the following correct? “$x^{ed} \bmod n = x$”
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
We want to prove the following.
1. Prove that, for all x, $x \bmod p = x^{ed} \bmod p$
2. Prove that, for all x, $x \bmod q = x^{ed} \bmod q$
3. Prove that, if $0 \le x < n$, $x = x^{ed} \bmod n$ (by (1) and (2))
Let $z = x^{ed} - x$.
Since p and q are both prime numbers and both divide z, pq divides z.
We can write as follows.
z = pqk where k is an integer
z = nk
$x^{ed} - x = nk$
$x^{ed} = nk + x$
Since $0 \le x < n$, we can re-write the above as follows.
$x^{ed} \bmod n = x$

31 e.g.13 (Page 31)
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
Can the encrypted value y be decrypted correctly?
Is the following correct? “$(x^e \bmod n)^d \bmod n = x$”
Is the following correct? “$x^{ed} \bmod n = x$”
Yes

32 e.g.13 (Page 31)
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
Why is this RSA algorithm secure?
Note that the public key, the encryption function and the decryption function are known to the public.
If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x?

33 e.g.13
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
Why is this RSA algorithm secure?
Note that the public key, the encryption function and the decryption function are known to the public.
If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x?
First Way for Attack: Since I know the formula $y = x^e \bmod n$, if I have value y, I will try to calculate the e-th root (mod n), i.e., $(x^e \bmod n)^{1/e} \bmod n$
Slow Operation!

34 e.g.13
[Diagram: x -> Encryption -> y; y -> Decryption -> x]
Encryption: public key (e, n) = (7, 55), encryption function $y = x^e \bmod n$
Decryption: secret key d = 23, decryption function $x = y^d \bmod n$
Public key: (e, n) = (7, 55)
Secret key: d = 23
p, q prime; n = pq; T = (p-1)(q-1); e s.t. gcd(e, T) = 1; $d = e^{-1} \bmod T$
Why is this RSA algorithm secure?
Note that the public key, the encryption function and the decryption function are known to the public.
If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x?
Second Way for Attack: Since I know value n (in the public key) and n = pq, I will try to factorize value n to find p and q such that n = pq. With p and q, I can derive d easily. With d, I can decrypt y by the decryption function.
Factorization is a Slow Operation! Nobody knows how to factor a number quickly!
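The key generation of e.g.10, the encryption and decryption of e.g.11, the correctness claim of e.g.12 and e.g.13, and the reason the modulus must be too large to factor can all be checked with the slides' own numbers. This is an added example, not code from the original slides; the function names are illustrative, and it assumes the caller supplies primes p and q.

```python
# Added example: textbook RSA with the slides' toy parameters (p=5, q=11, e=7).
# Function names are illustrative. No padding, tiny modulus: for study only.
from math import gcd, isqrt


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and a*s + b*t == g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def mod_inverse(e, T):
    """Return d with e*d mod T == 1 (step 4 of e.g.10)."""
    g, s, _ = extended_gcd(e, T)
    if g != 1:
        raise ValueError("no inverse: gcd(e, T) != 1")
    return s % T


def generate_key(p, q, e):
    """Steps 1-6 of e.g.10. Assumes p and q are distinct primes (not checked)."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n, T = p * q, (p - 1) * (q - 1)
    if e == 1 or gcd(e, T) != 1:
        raise ValueError("need e != 1 and gcd(e, T) == 1")
    return (e, n), mod_inverse(e, T)


def encrypt(x, public_key):
    """y = x^e mod n, defined for 0 <= x < n."""
    e, n = public_key
    if not 0 <= x < n:
        raise ValueError("message must satisfy 0 <= x < n")
    return pow(x, e, n)


def decrypt(y, d, n):
    """x = y^d mod n."""
    return pow(y, d, n)


def round_trip_holds_for_all(public_key, d):
    """e.g.12: x^(ed) mod n == x for every 0 <= x < n, multiples of p or q included."""
    _, n = public_key
    return all(decrypt(encrypt(x, public_key), d, n) == x for x in range(n))


def secret_key_from_factoring(public_key):
    """Second attack of e.g.13: factor n by trial division, then derive d.

    Instant for n = 55, which is why real moduli are chosen far beyond
    the reach of any known factoring method.
    """
    e, n = public_key
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return mod_inverse(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    public_key, d = generate_key(5, 11, 7)
    y = encrypt(12, public_key)
    print("public key:", public_key, "secret key:", d)
    print("12 encrypts to", y, "and decrypts to", decrypt(y, d, public_key[1]))
    print("x^(ed) mod n == x for all x:", round_trip_holds_for_all(public_key, d))
    print("d recovered from the public key alone:", secret_key_from_factoring(public_key))
```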

35 e.g.14 (Page 38)
50 is equal to (in base 10) = (in base 2) ($e_5 e_4 e_3 e_2 e_1 e_0$)
If we only consider 1 only (not 0 in the base 2/binary representation), 50 is equal to

36 e.g.15 (Page 39)
Second approach: e-1 multiplications
Third approach: $2 \log_2 e$ multiplications
If e = , then e-1 =
If e = , then $2 \log_2 e$ = 796
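The multiplication counts compared in e.g.15 can be measured. The sketch below is an added example, not the slides' own code: it assumes the third approach means repeated squaring driven by the binary digits $e_k \dots e_0$ of e.g.14, and the function names are illustrative.

```python
# Added example: counting modular multiplications for a^e mod n.
# Assumption: the "third approach" is repeated squaring over the binary digits of e.


def binary_digits(e):
    """Return [e_0, e_1, ..., e_k], least significant digit first."""
    if e < 1:
        raise ValueError("e must be a positive integer")
    digits = []
    while e > 0:
        digits.append(e & 1)
        e >>= 1
    return digits


def power_by_repeated_multiplication(a, e, n):
    """Second approach: multiply by a again and again, e-1 multiplications."""
    if e < 1:
        raise ValueError("e must be a positive integer")
    result, multiplications = a % n, 0
    for _ in range(e - 1):
        result = (result * a) % n
        multiplications += 1
    return result, multiplications


def power_by_squaring(a, e, n):
    """Third approach: build a^(2^i) mod n by squaring, then multiply the
    squares whose binary digit e_i is 1. Returns (value, multiplications)."""
    digits = binary_digits(e)
    squares = [a % n]          # squares[i] == a^(2^i) mod n
    multiplications = 0
    for _ in digits[1:]:
        squares.append((squares[-1] * squares[-1]) % n)
        multiplications += 1
    selected = [s for s, bit in zip(squares, digits) if bit == 1]
    result = selected[0]       # the top digit is always 1, so this exists
    for s in selected[1:]:
        result = (result * s) % n
        multiplications += 1
    return result, multiplications


if __name__ == "__main__":
    a, e, n = 12, 50, 55       # constructed sample values
    print("digits of 50, e_0 first:", binary_digits(e))
    print("repeated multiplication:", power_by_repeated_multiplication(a, e, n))
    print("repeated squaring:      ", power_by_squaring(a, e, n))
```

For e = 50 the squaring method needs 5 squarings and 2 further multiplications, against 49 for repeated multiplication; the gap widens to the scale quoted on the slide as e grows to cryptographic sizes.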

37 e.g.16 (Page 43)
[Diagram: S -> T, x -> (x mod 3, x mod 5)]
T:
(0, 0) (0, 1) (0, 2) (0, 3) (0, 4)
(1, 0) (1, 1) (1, 2) (1, 3) (1, 4)
(2, 0) (2, 1) (2, 2) (2, 3) (2, 4)
15 elements

38 e.g.17 (Page 44) Illustration of Theorem 2.24
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
These equations have the solution x = 14.
Why is it correct?

39 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
Since 3 and 5 are relatively prime, we have gcd(3, 5) = 1.
3 has a multiplicative inverse $3^{-1}$ in $Z_5$ (i.e., mod 5 = 1).
5 has a multiplicative inverse $5^{-1}$ in $Z_3$ (i.e., mod 3 = 1).
mod 5 = mod 3 = 1

40 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
mod 5 = mod 3 = 1
We set y =
This value satisfies the equations. Why?
Consider
y mod 3 = ( ) mod 3
= [( mod 3) + ( mod 3)] mod 3
= [($2 \cdot 1$ mod 3) + 0] mod 3
= 2
Ok!

41 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
mod 5 = mod 3 = 1
We set y =
This value satisfies the equations. Why?
Consider
y mod 5 = ( ) mod 5
= [( mod 5) + ( mod 5)] mod 5
= [0 + ($4 \cdot 1$ mod 5)] mod 5
= 4
Ok!

42 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
mod 5 = mod 3 = 1
We set y =
If we set x = (y mod 15) (NOTE: $15 = 3 \cdot 5$), then x is between 0 and 14 and x satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
We want to show that x must be between 0 and 14.

43 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
If we set x = (y mod 15) (NOTE: $15 = 3 \cdot 5$), then x is between 0 and 14 and x satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
Since y mod 3 = 2, we can rewrite it as $y = 3q_1 + 2$ where $q_1$ is an integer.
Since y mod 5 = 4, we can rewrite it as $y = 5q_2 + 4$ where $q_2$ is an integer.
$y = 3q_1 + 2$
$y = 5q_2 + 4$

44 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
If we set x = (y mod 15) (NOTE: $15 = 3 \cdot 5$), then x is between 0 and 14 and x satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
$y = 3q_1 + 2$
$y = 5q_2 + 4$
Since x = (y mod 15), we can rewrite it as $y = 15q_3 + x$ where $q_3$ is an integer.
$x = y - 15q_3$
$= (3q_1 + 2) - 15q_3$
$= 3q_1 - 15q_3 + 2$
$= 3(q_1 - 5q_3) + 2$
We can re-write as follows.
x mod 3 = 2
Ok!

45 e.g.17
Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14).
We want to do the following.
1. Given the equations “x mod 3 = 2” and “x mod 5 = 4”, there is at least one solution for these two equations.
2. This solution is one and only one.
In the following, we want to construct a value of x such that (a) this value is between 0 and 14, (b) this value satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
If we set x = (y mod 15) (NOTE: $15 = 3 \cdot 5$), then x is between 0 and 14 and x satisfies the equations “x mod 3 = 2” and “x mod 5 = 4”.
Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “y mod 3 = 2” and “y mod 5 = 4”.
$y = 3q_1 + 2$
$y = 5q_2 + 4$
Since x = (y mod 15), we can rewrite it as $y = 15q_3 + x$ where $q_3$ is an integer.
$x = y - 15q_3$
$= (5q_2 + 4) - 15q_3$
$= 5q_2 - 15q_3 + 4$
$= 5(q_2 - 3q_3) + 4$
We can re-write as follows.
x mod 5 = 4
Ok!

46 e.g.17
Before we go to the proof, we illustrate a concept.
[Figure: a function mapping each value x in S to a value y in T]
Consider a function f(x) from S to T where S and T have the same size.
Suppose that, given a single value y, I know how to find the corresponding value x.
Suppose that, given any value y, I know how to find the corresponding value x.
This function must be a bijection.

47 e.g.17
Consider a function f(x) = (x mod 3, x mod 5)
[Figure: f maps each x in S to the pair (x mod 3, x mod 5) in T; the pairs shown in T are (0, 0), (0, 1), (0, 2), …, (2, 2), (2, 3), (2, 4)]
“x mod 3 = 2” and “x mod 5 = 4”
In the first part of the proof, we have already shown that we can find the value x from the two equations (or this pair (2, 4)).

48 e.g.17
Consider a function f(x) = (x mod 3, x mod 5)
Similarly, we can find the value x from two other equations (or another pair (2, 3)).

49 e.g.17
Consider a function f(x) = (x mod 3, x mod 5)
Similarly, we can find the value x from each possible pair of equations (or each pair (2, 3)).

50 e.g.17
Consider a function f(x) = (x mod 3, x mod 5)
According to the concept we just described, we know that this function is a bijection. Note that S and T have the same size.
We conclude that there is one and only one solution.

51 e.g.18 (Page 47)
E.g., we want to find a solution x in Z_66 of the following equations.
x mod 6 = 3
x mod 11 = 7
Step 1:
(a) Find the multiplicative inverse 6^{-1} of 6 in Z_11. We can use the extended GCD algorithm and find the answer: 6^{-1} is 2.
(b) Find the multiplicative inverse of 11 in Z_6. We can use the extended GCD algorithm and find the answer is 5.
Step 2: Construct y =
y = 249
Step 3: Find x = (y mod 66) where 66 is
x = 249 mod 66 = 51

52 e.g.19 (Page 48)
E.g., we are given the following functions.
f(k) = 2 if k = 3, 4 if k = 5
g(k) = 1 if k = 3, 0 if k = 5
h(k) = 0 if k = 3, 1 if k = 5
Find a single equation to express f(k) in terms of g(k) and h(k).
We can express f(k) = 2 · g(k) + 4 · h(k)
Let us verify whether this equation is correct.
When k = 3, f(3) = 2 · g(3) + 4 · h(3) = 2
When k = 5, f(5) = 2 · g(5) + 4 · h(5) = 4

53 e.g.20 (Page 48)
Theorem 2.24: Since 3 and 5 are relatively prime integers, the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and (= 14)
In the proof of Theorem 2.24, we create a value y =
mod 5= mod 3 = 1
Why are we so smart to create this “magic” formula?

54 e.g.20
Consider the main set of equations.
y mod 3 = 2
y mod 5 = 4
Step 1: We want to find a single equation to express y.
Similarly, if we have two sets of equations, then we can express y in a single equation.
α mod 3 = 1, α mod 5 = 0
β mod 3 = 0, β mod 5 = 1
where α and β are integers.
We can write y = 2α + 4β
Let us verify whether this equation is correct.
Consider y mod 3
= (2α + 4β) mod 3
= [(2α mod 3) + (4β mod 3)] mod 3
= 2
Consider y mod 5
= (2α + 4β) mod 5
= [(2α mod 5) + (4β mod 5)] mod 5
= 4

55 e.g.20
Step 2: We want to find α and β.
Consider α.
α mod 3 = 1
α mod 5 = 0
α is a multiple of 5 (i.e., α = 5q where q is an integer).
We know that α = 5q. Thus, 5q mod 3 = 1.
q is a multiplicative inverse of 5 in Z_3, i.e., q = 5^{-1}.
We have α = 5q =
α =

56 e.g.20
Step 2: We want to find α and β.
Consider β.
β mod 3 = 0
β mod 5 = 1
β is a multiple of 3 (i.e., β = 3q where q is an integer).
We know that β = 3q. Thus, 3q mod 5 = 1.
q is a multiplicative inverse of 3 in Z_5, i.e., q = 3^{-1}.
We have β = 3q =
β =
β =

57 e.g.20
Step 2: We want to find α and β.
α =
β =
Note that y = 2α + 4β =
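The construction described in e.g.18 and e.g.20, together with the bijection argument of e.g.17, as an added Python example that is not part of the original notes. All function names are assumptions of this sketch; alpha and beta stand for the two helper integers of e.g.20 (one is 1 mod 3 and 0 mod 5, the other is 0 mod 3 and 1 mod 5), and moduli that are not relatively prime are rejected because the required inverse does not exist.

```python
def ext_gcd(a, b):
    """Extended GCD: return (g, s, t) with g = gcd(a, b) and s*a + t*b == g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def inverse(a, n):
    """Multiplicative inverse of a in Z_n; raises if a and n share a factor."""
    g, s, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no multiplicative inverse in Z_{n}")
    return s % n


def crt_basis(m, n):
    """Return (alpha, beta) with alpha mod m = 1, alpha mod n = 0,
    beta mod m = 0, beta mod n = 1 (alpha = n * n^-1, beta = m * m^-1)."""
    alpha = n * inverse(n, m)   # multiple of n, inverse taken in Z_m
    beta = m * inverse(m, n)    # multiple of m, inverse taken in Z_n
    return alpha, beta


def crt(a, m, b, n):
    """The one x in [0, m*n) with x mod m == a and x mod n == b."""
    alpha, beta = crt_basis(m, n)
    y = a * alpha + b * beta    # y satisfies both equations but may exceed m*n - 1
    return y % (m * n)          # reduce into [0, m*n)


def inverts_every_pair(m, n):
    """True if crt() recovers every x in Z_{mn} from f(x) = (x mod m, x mod n),
    i.e. f is a bijection between Z_{mn} and the set of residue pairs."""
    return all(crt(x % m, m, x % n, n) == x for x in range(m * n))
```
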