Great Theoretical Ideas in Computer Science for Some
Lecture 17 (March 18, 2008): Modular Arithmetic and the RSA Cryptosystem
Public Key Cryptography [slide shows an ASCII-armored sample PGP key pair: a "BEGIN PGP PRIVATE KEY BLOCK" followed by the matching "BEGIN PGP PUBLIC KEY BLOCK"]
Public Key Cryptography [diagram: a secret message M is encrypted under the public key P to $E_P[M]$; only the holder of the private key recovers M]
The RSA Cryptosystem: Rivest, Shamir, and Adleman (1978). RSA is one of the most widely used public-key algorithms on the net. Your browser uses it (inside SSL/TLS) to establish a secure session with a site.
Pick secret, random large primes: p, q
"Publish": $n = p \cdot q$
$\varphi(n) = \varphi(p)\,\varphi(q) = (p-1)(q-1)$
Pick random $e \in Z^*_{\varphi(n)}$
"Publish": e
Compute d = inverse of e in $Z^*_{\varphi(n)}$. Hence $e \cdot d \equiv 1\ [\bmod\ \varphi(n)]$
"Private Key": d
Mumbo jumbo… More Mumbo jumbo…
But how does it all work? What is $\varphi(n)$? What is $Z^*_{\varphi(n)}$? … Why do all the steps work? To understand this, we need a little number theory...
Divisibility: n|m means that m is an integer multiple of n. (We say that "n divides m".)
Greatest Common Divisor: GCD(x,y) = greatest k ≥ 1 such that k|x and k|y
Least Common Multiple: LCM(x,y) = smallest k ≥ 1 such that x|k and y|k
Fact: GCD(x,y) × LCM(x,y) = x × y
You can use MAX(a,b) + MIN(a,b) = a+b (applied to the exponent of each prime in the factorizations of x and y) to prove the above fact.
Modulus: (a mod n) means the remainder when a is divided by n. If a = dn + r with 0 ≤ r < n, then r = (a mod n) and d = (a div n).
Modular Equivalence: written as $a \equiv_n b$, and spoken "a and b are equivalent modulo n".
$a \equiv b\ [\bmod\ n] \iff (a \bmod n) = (b \bmod n) \iff n \mid (a-b)$
Example: $31 \equiv 81\ [\bmod\ 2]$, i.e. $31 \equiv_2 81$
$\equiv_n$ is an Equivalence Relation. In other words, it is:
Reflexive: $a \equiv_n a$
Symmetric: $(a \equiv_n b) \Rightarrow (b \equiv_n a)$
Transitive: $(a \equiv_n b$ and $b \equiv_n c) \Rightarrow (a \equiv_n c)$
$\equiv_n$ induces a partition of $\mathbb{Z}$ into n classes. a and b are said to be in the same "residue class" or "congruence class" when $a \equiv_n b$.
$a \equiv_n b \iff n \mid (a-b)$: "a and b are equivalent modulo n".
Define Residue class [i] = the set of all integers that are congruent to i modulo n.
Residue Classes Mod 3:
[0] = { …, -6, -3, 0, 3, 6, … }
[1] = { …, -5, -2, 1, 4, 7, … }
[2] = { …, -4, -1, 2, 5, 8, … }
[-6] = { …, -6, -3, 0, 3, 6, … }
[7] = { …, -5, -2, 1, 4, 7, … }
[-1] = { …, -4, -1, 2, 5, 8, … }
Fact: equivalence mod n implies equivalence mod any divisor of n. If $x \equiv_n y$ and $k \mid n$ then $x \equiv_k y$.
Example: $10 \equiv_6 16 \Rightarrow 10 \equiv_3 16$
Proof: $x \equiv_n y \Rightarrow n \mid (x-y) \Rightarrow k \mid (x-y) \Rightarrow x \equiv_k y$
Fundamental lemma of plus, minus, and times mod n: If $x \equiv_n y$ and $a \equiv_n b$, then:
1. $x + a \equiv_n y + b$
2. $x - a \equiv_n y - b$
3. $x \cdot a \equiv_n y \cdot b$
When doing plus, minus, and times modulo n, you can at any time replace a number with a number in the same residue class modulo n.
What is (249)(504) mod 251? When working mod 251: $249 \equiv -2$ and $504 = 2 \cdot 251 + 2 \equiv 2$, so $(-2)(2) = -4 \equiv 247$.
A Unique Representation System Modulo n: We pick exactly one representative from each residue class. We do all our calculations using these representatives.
Unique Representation System Modulo 3. Finite set S = {0, 1, 2}; + and * defined on S:
  +  | 0 1 2        *  | 0 1 2
  ---+------        ---+------
  0  | 0 1 2        0  | 0 0 0
  1  | 1 2 0        1  | 0 1 2
  2  | 2 0 1        2  | 0 2 1
Unique Representation System Modulo 3. Finite set S = {0, 1, -1}; + and * defined on S:
  +  |  0  1 -1       *  |  0  1 -1
  ---+----------      ---+----------
  0  |  0  1 -1       0  |  0  0  0
  1  |  1 -1  0       1  |  0  1 -1
 -1  | -1  0  1      -1  |  0 -1  1
Perhaps The Most Convenient Set of Representatives: the reduced system modulo n, $Z_n = \{0, 1, 2, \ldots, n-1\}$.
Define operations $+_n$ and $*_n$: $a +_n b = (a+b) \bmod n$ and $a *_n b = (a \cdot b) \bmod n$.
The Reduced System Modulo 2: $Z_2 = \{0, 1\}$. Two binary, associative operators on $Z_2$: $+_2$ is XOR, $*_2$ is AND.
  +_2 | 0 1       *_2 | 0 1
  ----+----       ----+----
  0   | 0 1       0   | 0 0
  1   | 1 0       1   | 0 1
The Reduced System $Z_4 = \{0,1,2,3\}$:
  +_4 | 0 1 2 3       *_4 | 0 1 2 3
  ----+--------       ----+--------
  0   | 0 1 2 3       0   | 0 0 0 0
  1   | 1 2 3 0       1   | 0 1 2 3
  2   | 2 3 0 1       2   | 0 2 0 2
  3   | 3 0 1 2       3   | 0 3 2 1
The Reduced System $Z_6 = \{0,1,2,3,4,5\}$ [slide shows the $+_6$ table]. An operator has the permutation property if each row and each column is a permutation of the elements. For every n, $+_n$ on $Z_n$ has the permutation property.
What about multiplication? Does $*_6$ on $Z_6$ have the permutation property? NO!
  *_6 | 0 1 2 3 4 5
  ----+------------
  0   | 0 0 0 0 0 0
  1   | 0 1 2 3 4 5
  2   | 0 2 4 0 2 4
  3   | 0 3 0 3 0 3
  4   | 0 4 2 0 4 2
  5   | 0 5 4 3 2 1
What about $*_8$ on $Z_8$? Which rows have the permutation property?
  *_8 | 0 1 2 3 4 5 6 7
  ----+----------------
  0   | 0 0 0 0 0 0 0 0
  1   | 0 1 2 3 4 5 6 7
  2   | 0 2 4 6 0 2 4 6
  3   | 0 3 6 1 4 7 2 5
  4   | 0 4 0 4 0 4 0 4
  5   | 0 5 2 7 4 1 6 3
  6   | 0 6 4 2 0 6 4 2
  7   | 0 7 6 5 4 3 2 1
A visual way to understand multiplication and the “permutation property”.
The multiples of c modulo n is the set: $\{0, c, c +_n c, c +_n c +_n c, \ldots\} = \{kc \bmod n \mid 0 \le k \le n-1\}$. There are exactly 8 distinct multiples of 3 modulo 8: they hit all numbers, so row 3 has the "permutation property".
There are exactly 2 distinct multiples of 4 modulo 8.
There is exactly 1 distinct multiple of 8 modulo 8.
There are exactly 4 distinct multiples of 6 modulo 8.
The number of distinct multiples of c modulo n is LCM(n,c)/c = n/GCD(c,n). Hence only those values of c with GCD(c,n) = 1 have the permutation property for $*_n$ on $Z_n$.
Theorem: There are exactly k = n/GCD(c,n) = LCM(c,n)/c distinct multiples of c modulo n, and these are $\{c \cdot i \bmod n \mid 0 \le i < k\}$.
Proof: Clearly c/GCD(c,n) ≥ 1 is a whole number, and $ck = cn/\mathrm{GCD}(c,n) = n \cdot (c/\mathrm{GCD}(c,n)) \equiv_n 0$. So there are at most k multiples of c mod n: $c \cdot 0, c \cdot 1, c \cdot 2, \ldots, c \cdot (k-1)$.
Also, k = n/GCD(c,n) carries exactly the prime factors of n missing from c, so $cx \equiv_n cy \Rightarrow n \mid c(x-y) \Rightarrow k \mid (x-y)$. Thus two of the listed multiples $c \cdot x, c \cdot y$ with $0 \le x, y < k$ can only coincide if $|x-y| \ge k$, i.e. never. Hence there are exactly k multiples of c.
Fundamental lemma of plus, minus, and times mod n: If $x \equiv_n y$ and $a \equiv_n b$, then:
1. $x + a \equiv_n y + b$
2. $x - a \equiv_n y - b$
3. $x \cdot a \equiv_n y \cdot b$
Is there a fundamental lemma of division modulo n? $cx \equiv_n cy \Rightarrow x \equiv_n y$? Of course not! If $c \equiv 0\ [\bmod\ n]$, then $cx \equiv_n cy$ for all x and y. Canceling the c is like dividing by zero.
Let's Fix That! Repaired fundamental lemma of division modulo n? If $c \not\equiv 0\ [\bmod\ n]$, then $cx \equiv_n cy \Rightarrow x \equiv_n y$?
$6 \cdot 3 \equiv_{10} 6 \cdot 8$, but not $3 \equiv_{10} 8$.
$2 \cdot 2 \equiv_6 2 \cdot 5$, but not $2 \equiv_6 5$.
This also doesn't work!
When Can't I Divide By c? Theorem: There are exactly n/GCD(c,n) distinct multiples of c modulo n.
Corollary: If GCD(c,n) > 1, then the number of multiples of c is less than n.
Corollary: If GCD(c,n) > 1 then you can't always divide by c.
Proof: With fewer than n distinct multiples, by pigeonhole there must exist distinct x, y < n such that $c \cdot x \equiv_n c \cdot y$ (but $x \ne y$). Hence you can't cancel c.
Fundamental lemma of division modulo n: if GCD(c,n) = 1, then $ca \equiv_n cb \Rightarrow a \equiv_n b$.
Proof: $ca \equiv_n cb \Rightarrow n \mid (cb - ca) \Rightarrow n \mid c(b-a) \Rightarrow n \mid (b-a)$ (because GCD(c,n) = 1) $\Rightarrow a \equiv_n b$.
Fundamental lemma of division modulo n: if GCD(c,n) = 1, then $ca \equiv_n cb \Rightarrow a \equiv_n b$.
Consider the set $Z_n^* = \{x \in Z_n \mid \mathrm{GCD}(x,n) = 1\}$. Multiplication over this set $Z_n^*$ will have the cancellation property.
$Z_6 = \{0,1,2,3,4,5\}$, $Z_6^* = \{1, 5\}$:
  *_6 | 1 5
  ----+----
  1   | 1 5
  5   | 5 1
$Z_{12}^* = \{0 \le x < 12 \mid \gcd(x,12) = 1\} = \{1, 5, 7, 11\}$:
  *_12 |  1  5  7 11
  -----+------------
   1   |  1  5  7 11
   5   |  5  1 11  7
   7   |  7 11  1  5
  11   | 11  7  5  1
$Z_5^* = \{1,2,3,4\} = Z_5 \setminus \{0\}$:
  *_5 | 1 2 3 4
  ----+--------
  1   | 1 2 3 4
  2   | 2 4 1 3
  3   | 3 1 4 2
  4   | 4 3 2 1
For all primes p, $Z_p^* = Z_p \setminus \{0\}$, since all 0 < x < p satisfy gcd(x,p) = 1.
Euler Phi Function $\varphi(n)$: define $\varphi(n)$ = size of $Z_n^*$ (number of 1 ≤ k < n that are relatively prime to n). If p is prime, then $\varphi(p) = p - 1$.
$Z_{12}^* = \{0 \le x < 12 \mid \gcd(x,12) = 1\} = \{1, 5, 7, 11\}$, so $\varphi(12) = 4$.
Theorem: if p, q are distinct primes then $\varphi(pq) = (p-1)(q-1)$.
Proof:
# of integers from 1 to pq: pq
# of multiples of q up to pq: p
# of multiples of p up to pq: q
# of multiples of both p and q up to pq: 1
$\varphi(pq) = pq - p - q + 1 = (p-1)(q-1)$
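The claims of the last several slides (which rows of the $*_n$ table are permutations, the count n/GCD(c,n) of distinct multiples, the definition of $Z_n^*$ and $\varphi(n)$, and $\varphi(pq) = (p-1)(q-1)$) can be checked by brute force for small n. The following is an added example written for this page, not code from the lecture; it works for any n, not just the n = 6, 8, 12 on the slides, and computes $\varphi(n)$ directly as $|Z_n^*|$ rather than by a formula.

```python
from math import gcd


def multiples_mod(c, n):
    """Distinct multiples of c modulo n: {k*c mod n | 0 <= k < n}."""
    return {(k * c) % n for k in range(n)}


def has_permutation_property(c, n):
    """Row c of the *_n table is a permutation of Z_n iff the multiples
    of c hit every residue."""
    return multiples_mod(c, n) == set(range(n))


def permutation_rows(n):
    """All c in Z_n whose row of the *_n table has the permutation property."""
    return [c for c in range(n) if has_permutation_property(c, n)]


def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}."""
    return [x for x in range(n) if gcd(x, n) == 1]


def phi(n):
    """Euler's phi function, computed directly as |Z_n^*|."""
    return len(units(n))


def multiples_theorem_holds(n):
    """Check: every c in Z_n has exactly n/gcd(c, n) distinct multiples mod n."""
    return all(len(multiples_mod(c, n)) == n // gcd(c, n) for c in range(n))


def phi_of_pq_holds(p, q):
    """Check phi(pq) = (p-1)(q-1) for distinct primes p, q."""
    return phi(p * q) == (p - 1) * (q - 1)


if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"n={n}: Z_n* = {units(n)}, phi(n) = {phi(n)}, "
              f"permutation rows of *_n = {permutation_rows(n)}, "
              f"multiples theorem holds: {multiples_theorem_holds(n)}")
```

For every n the permutation rows come out equal to $Z_n^*$, which is exactly the "only those c with GCD(c,n) = 1" statement of the slides.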
Additive Inverse: the additive inverse of $a \in Z_n$ is the unique $b \in Z_n$ such that $a +_n b \equiv_n 0$. We denote this inverse by "-a". It is trivial to calculate: "-a" = n - a.
Multiplicative Inverse: the multiplicative inverse of $a \in Z_n^*$ is the unique $b \in Z_n^*$ such that $a *_n b \equiv_n 1$. We denote this inverse by "$a^{-1}$" or "1/a". The unique inverse of a must exist because gcd(a,n) = 1 means the "a" row of the $*_n$ table contains a permutation of the elements, and hence contains exactly one 1.
Efficient Algorithm To Compute $a^{-1}$ From a and n: run the Extended Euclidean Algorithm on the numbers a and n. It will give two integers r and s such that $ra + sn = \gcd(a,n) = 1$. Taking both sides modulo n, we obtain $ra \equiv_n 1$. Output r (reduced mod n, since the algorithm may return a negative r), which is the inverse of a.
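The Extended Euclidean step above, carried out in code. This is an added example for this page, not the lecture's own code: it keeps the Bezout coefficients alongside the remainders in the iterative form of Euclid's algorithm, reduces the returned r into $Z_n$, and refuses to "invert" an a with gcd(a,n) > 1, which is the case the division lemma says has no inverse.

```python
def egcd(a, b):
    """Extended Euclidean algorithm.

    Returns (g, r, s) with r*a + s*b == g == gcd(a, b).  The coefficient
    pairs (s0, s1) and (t0, t1) are updated with the same quotient q as the
    remainders, so the invariant r_i == s_i*a + t_i*b holds at every step.
    """
    r0, r1 = a, b
    s0, s1 = 1, 0   # coefficients of a
    t0, t1 = 0, 1   # coefficients of b
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def has_inverse(a, n):
    """a is a unit of Z_n exactly when gcd(a, n) == 1."""
    return egcd(a % n, n)[0] == 1


def modinv(a, n):
    """Multiplicative inverse of a in Z_n^*.  Raises ValueError if gcd(a, n) != 1."""
    g, r, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return r % n    # r may be negative; reduce it into Z_n


if __name__ == "__main__":
    # 17 * 2753 = 46801 = 15 * 3120 + 1, so 2753 is the inverse of 17 mod 3120
    print(egcd(17, 3120), modinv(17, 3120))
    try:
        modinv(4, 12)
    except ValueError as exc:
        print("expected failure:", exc)
```

Python 3.8 and later expose the same computation as `pow(a, -1, n)`, which also raises `ValueError` when no inverse exists.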
Fundamental Lemmas Until Now: If $x \equiv_n y$ and $a \equiv_n b$, then:
1. $x + a \equiv_n y + b$
2. $x - a \equiv_n y - b$
3. $x \cdot a \equiv_n y \cdot b$
For $c \in Z_n^*$ (a, b arbitrary): $ca \equiv_n cb \Rightarrow a \equiv_n b$
If $a \equiv_n b$ then $x^a \equiv_n x^b$? NO! $2 \equiv_3 5$, but it is not the case that $2^2 \equiv_3 2^5$: $2^2 = 4 \equiv_3 1$ while $2^5 = 32 \equiv_3 2$.
Euler's Theorem: $a \in Z_n^* \Rightarrow a^{\varphi(n)} \equiv_n 1$
Fermat's Little Theorem: p prime, $a \in Z_p^* \Rightarrow a^{p-1} \equiv_p 1$
Fundamental Lemma of Powers: for $x \in Z_n^*$, if $a \equiv_{\varphi(n)} b$ then $x^a \equiv_n x^b$. Equivalently, $x^a \equiv_n x^{a \bmod \varphi(n)}$. (The hypothesis gcd(x,n) = 1 matters: the lemma is Euler's theorem applied to the quotient of a by $\varphi(n)$.)
What is … mod 5? Use $x^a \bmod n = x^{a \bmod \varphi(n)} \bmod n$ with $\varphi(5) = 4$. So … mod 5 = 2.
Negative Powers: suppose $x \in Z_n^*$, and a, n are naturals. $x^{-a}$ is defined to be the multiplicative inverse of $x^a$: $x^{-a} = (x^a)^{-1}$.
Rule of Integer Exponents: suppose $x, y \in Z_n^*$, and a, b are integers. Then $(xy)^{-1} \equiv_n x^{-1} y^{-1}$ and $x^a x^b \equiv_n x^{a+b}$.
The RSA Cryptosystem
Pick secret, random large primes: p, q
"Publish": $n = p \cdot q$
$\varphi(n) = \varphi(p)\,\varphi(q) = (p-1)(q-1)$
Pick random $e \in Z^*_{\varphi(n)}$
"Publish": e
Compute d = inverse of e in $Z^*_{\varphi(n)}$. Hence $e \cdot d \equiv 1\ [\bmod\ \varphi(n)]$
"Private Key": d
"n, e is my public key. Use it to send me a message." Privately: p, q random primes, e random in $Z^*_{\varphi(n)}$, $n = p \cdot q$, $e \cdot d \equiv 1\ [\bmod\ \varphi(n)]$.
Sender has the public key (n, e) and message m; sends $m^e\ [\bmod\ n]$. Receiver computes $(m^e)^d \equiv_n m$.
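The whole exchange on the last two slides, as an added example for this page (not the lecture's code): key generation from two primes, encryption by the sender, decryption by the receiver, plus checks of the facts that make it work, Euler's theorem and the fundamental lemma of powers with $e \cdot d \equiv 1 \bmod \varphi(n)$. The inverse of e is taken with Python's built-in `pow(e, -1, phi_n)` (Python 3.8+), which is the Extended Euclidean computation of the earlier slide. The primes p = 61, q = 53 and e = 17 are toy values chosen here so everything runs instantly; real keys use primes of at least 1024 bits each. The example goes beyond the lemma in one respect: the lemma is stated for $m \in Z_n^*$, but because n = pq is squarefree, decryption recovers every m in $Z_n$, which `roundtrip_all` verifies exhaustively. The final function shows the practitioner's caveat: textbook RSA as on the slides is deterministic and multiplicative, so deployed RSA always wraps m in a randomized padding scheme (RSA-OAEP for encryption) before applying $m^e$.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from distinct primes p, q and public exponent e.

    Returns ((n, e), d) with e*d = 1 mod phi(n).
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)          # phi(pq) = (p-1)(q-1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be a unit modulo phi(n)")
    d = pow(e, -1, phi_n)              # inverse of e in Z*_phi(n), via extended Euclid
    return (n, e), d


def rsa_encrypt(pub, m):
    """Sender: m -> m^e mod n (square-and-multiply inside pow)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an element of Z_n")
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    """Receiver: c -> c^d = (m^e)^d = m^(ed) = m mod n."""
    return pow(c, d, n)


def euler_theorem_holds(n, phi_n):
    """Euler: x^phi(n) = 1 mod n for every x in Z_n^*."""
    return all(pow(x, phi_n, n) == 1 for x in range(1, n) if gcd(x, n) == 1)


def powers_lemma_holds(n, phi_n, x, a):
    """Fundamental lemma of powers: x^a = x^(a mod phi(n)) mod n, for gcd(x, n) = 1."""
    if gcd(x, n) != 1:
        raise ValueError("the lemma needs x in Z_n^*")
    return pow(x, a, n) == pow(x, a % phi_n, n)


def roundtrip_all(p, q, e):
    """Every m in Z_n decrypts correctly, not only those coprime to n."""
    (n, _), d = rsa_keygen(p, q, e)
    return all(rsa_decrypt(n, d, rsa_encrypt((n, e), m)) == m for m in range(n))


def is_multiplicative(pub, m1, m2):
    """Caveat: with no padding, E(m1) * E(m2) = E(m1 * m2) mod n, so an attacker
    can forge the encryption of a product without knowing d."""
    n, _ = pub
    return (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n == rsa_encrypt(pub, (m1 * m2) % n)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)        # toy primes; n = 3233, phi(n) = 3120
    n, e = pub
    c = rsa_encrypt(pub, 65)
    print(f"public key {pub}, private d = {d}, E(65) = {c}, D(E(65)) = {rsa_decrypt(n, d, c)}")
    print("Euler holds:", euler_theorem_holds(n, 3120))
    print("textbook RSA is multiplicative:", is_multiplicative(pub, 65, 66))
```

The `roundtrip_all` check is exhaustive over $Z_n$ and so only makes sense for toy n; for the exponent arithmetic itself, `pow(m, e, n)` is what makes RSA practical, since it never forms the integer $m^e$.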
Here's What You Need to Know…
Working modulo integer n
Definitions of $Z_n$, $Z_n^*$ and their properties
Fundamental lemmas of +, -, *, /
When can you divide out
How to calculate $c^{-1} \bmod n$
Fundamental lemma of powers
Euler phi function $\varphi(n) = |Z_n^*|$
Euler's theorem
Fermat's little theorem
RSA algorithm