Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Transcription

1 Theory of RSA Hiroshi Toyoizumi 1 December 8, toyoizumi@waseda.jp

2 2 Introduction This is brief introduction of number theory related to the so-called RSA cryptography. This handout is based on A Friendly Introduction To Number Theory by Joseph H. Silverman, Prentice Hall College Div 2005.

3 Chapter 1 Basic Number Theory 1.1 Prime Number 1.2 Greatest Common Devisor Example 1.1. Find the greatest common devisor: Use Euclidean algorithm. 1. Divide 132 by 36 and find the remainder. gcd(36, 132). (1.1) 132 = (1.2) 2. Divide 36 by the remainder 24, and then find the remainder. 36 = (1.3) 3. Again, divide the remainder 24 by the remainder 12. Now we find there is no remainder. The previous remainder 12 is gcd(36,132). General Euclidean algorithm: Find gcd(a,b). Put r 1 = a and r 0 = b, then 24 = (1.4) r 1 = q 1 r 0 + r 1 (1.5) r 0 = q 2 r 1 + r 2 (1.6)... (1.7) r n 3 = q n 1 r n 2 + r n 1 (1.8) r n 2 = q n r n 1 + r n (1.9) r n 1 = q n+1 r n. (1.10) (1.11) 3

4 4 CHAPTER 1. BASIC NUMBER THEORY Then, r(n) is gcd(a,b). Exercise 1.1. Find gcd(12345,67890). 1.3 Linear equation and extended GCD Find x and y satisfing ax + by = gcd(a,b), (1.12) where gcd(a,b) is the greatest common devisor of a and b. Example 1.2. Find x and y satisfing 22x + 60y = gcd(22,60). (1.13) By Euclidean algorithm, we have 60 = = = = = 2 2. Thus, gcd(22,60) = 2. We will extend this algorithm. 16 = = a 2b 6 = = b 1 (a 2b) = a + 3b 4 = = (a 2b) 2( a + 3b) = 3a 8b 2 = = ( a + 3b) 1 (3a 8b) = 4a + 11b 4 = 2 2. Thus, we can find 2 = 4a + 11b = = = 2. (1.14) Note that the pair ( 4,11) is not the unique solution!. Exercise 1.2. Find Find x and y satisfing ax + by = gcd(a,b), (1.15) where a = 12453,b = 2347.

5 1.4. RESIDUE CLASS Residue Class Definition 1.1. When a b is divided by m, then we say that a b mod m. (1.16) 3 = 3 mod 7. (1.17) 13 = 6 mod 7. (1.18) Lemma 1.1. If a 1 b 1 mod m and a 2 b 2 mod m, we have a 1 + a 2 b 1 + b 2 mod m. (1.19) a 1 a 2 b 1 b 2 mod m. (1.20)

6 Chapter 2 Theorems 2.1 Fermat s Little Theorem How can you check this? The answer is this mod 101. (2.1) Theorem 2.1 (Fermat s Little Theorem). Let p be a prime number and a be an integer with Then, a 0 mod p. (2.2) a p 1 1 mod p. (2.3) Example 2.1. What is 2 35 mod 7? Remember 2 6 = 1 mod 7 by Fermat s Little Theorem. Then, 2 35 = mod 7 = (2 6 ) mod 7 = mod 7 = 32 = 4 mod 7. Lemma 2.1. Let p be a prime number and a be an integer with Then, a 0 mod p. (2.4) {a,2a,3a,...,(p 1)a mod p} = {1,2,3,..., p 1 mod p}. (2.5) 6

7 2.2. EULER S FORMULA 7 Proof. It is enough to show a, 2a, 3a,...,(p 1)a mod p are different each other. We will show it by induction. Assume for some 1 j,k p 1. Then, ja ka mod p, (2.6) ( j k)a 0 mod p. (2.7) Since a 0 mod p, j k = 0 mod p. Since j k < p, j k = 0. Proof of Fermat s Little Theorem. By Lemma 2.1, {a,2a,3a,...,(p 1)a mod p} = {1,2,3,..., p 1 mod p}. (2.8) Thus, the product of all elements is equal, and Or, a 2a 3a (p 1)a (p 1) mod p. (2.9) Since (p 1)! 0 mod p, we have a p 1 (p 1)! (p 1)! mod p. (2.10) a p 1 1 mod p. (2.11) Exercise mod 73. (2.12) Exercise 2.2. Find x which satisfies x 86 6 mod 29. (2.13) 2.2 Euler s Formula Definition 2.1. ϕ(m) = #{a : 1 a m,gcd(a,m) = 1}. (2.14) The function ϕ(m) is called Euler function. Example 2.2. ϕ(5) = #{1,2,3,4} = 4 (2.15) ϕ(8) = #{1,3,5,7} = 4. (2.16)

8 8 CHAPTER 2. THEOREMS Theorem 2.2 (Euler s formula). When gcd(a,m) = 1, we have a ϕ(m) 1 mod m. (2.17) Lemma 2.2. Let gcd(a,m) = 1, and 1 b 1 < b 2 < < b ϕ(m) m be the integer which is relatively prime to m. Then, {ab 1,ab 2,ab 3,...,ab ϕ(m) mod m} = {b 1,b 2,b 3,...,b ϕ(m) mod m}. (2.18) Proof. Assume m and ab j mod m have the common divisor p 1, i.e. m = pq, ab j = pr mod m, for some q and r. Since gcd(a,m) = 1, a shouldn t have the component p. Also b j is relatively prime to m. This is contradiction, so m and ab j are relatively prime. Thus, it is sufficient to prove all the elements in the left hand side are different. Suppose for some 1 j,k ϕ(m). Then, b j a b k a mod m, (2.19) (b j b k )a 0 mod m. (2.20) Since a and m are relatively prime, b j b k = 0 mod m. Since b j b k < m, b j b k = 0. Proof of Euler s formula. By Lemma 2.2, the product of all elements is equal, and a ϕ(m) B B mod m, (2.21) where B = b 1 b ϕ(m). Since all b i are relatively prime to m, B is also relatively prime to m. Thus a ϕ(m) 1 mod m. (2.22) Theorem 2.3. When gcd(m,n) = 1, we have ϕ(mn) = ϕ(m)ϕ(n). (2.23) Proof. By Definition, ϕ(mn) = #A = #{a : 1 a mn,gcd(a,m) = 1}. (2.24) Now ϕ(m)ϕ(n) = #B (2.25) = #{(b,c) : 1 b m,gcd(b,m) = 1,1 c n,gcd(c,n) = 1}. (2.26)

9 2.3. PRIME NUMBER 9 We will show that the elements in these sets has one-to-one relation as Pick a 1,a 2 A with a mod mn (a mod m,a mod n). (2.27) a 1 a 2 mod m, (2.28) a 1 a 2 mod n. (2.29) Hence, a 1 a 2 can be divided by m as well as n. Since m and n are relatively prime, a 1 a 2 should be divided by mn. Thus, a 1 a 2 mod mn. (2.30) On the other hand, from Chinese remainder theorem, given b and c, we know that at least one integer a such as a b mod m (2.31) a c mod n. (2.32) Thus the two set A and B are one-to-one, so the numbers of elements are equal. Example 2.3. ϕ(14) = 6, (2.33) ϕ(15) = 8, (2.34) ϕ(210) = 48. (2.35) 2.3 Prime Number Theorem 2.4. Prime numbers are infinitely many. Proof. Assume you have obtained the finite list of prime numbers. We show how to add a new prime number to the list. Suppose we have such list as Set A = {p 1, p 2,..., p r }. (2.36) a = p 1 p 2 p r + 1. (2.37) If a is a prime number, since a is larger than any prime numbers in A, you can add it to the list A. Suppose a is not a prime number, then we have prime numbers which divide a. Set q is the smallest of those prime numbers. Since a cannot be divided by any prime numbers in A, q is not on the list. In this way, we can keep adding a new prime number to our list.

10 Chapter 3 Theory of RSA 3.1 Power in Modular Problem 3.1. Estimate the following large power in modular: mod 853 (3.1) Solution 3.1. First, find the the second power expression of = = = Then, = = (3.2) Now, recursively we obtain, 7 = 7 mod = 49 mod = 49 2 = 2401 = 695 mod = = = 227 mod = = = 349 mod = = = 675 mod = = = 123 mod = = = 628 mod = = = 298 mod

11 3.2. POWER ROOT IN MODULAR 11 Using these relation in (3.2), we have Remark 3.1. If you have to estimate = = 286 mod 853. a k mod m, (3.3) in the same procedure above, it is only required as much steps as the order of log 2 (k). That means the above procedure is efficient for even large power k. Exercise 3.1. Estimate the following: 5 13 mod 23 (3.4) 3.2 Power Root in Modular Now we proceed to power root in modular. Problem 3.2. Given b, find x satisfying where gcd(b, m) = 1 and gcd(k, ϕ(m)) = 1. x k b mod m, (3.5) Solution to Problem 3.2. Continue replacing x = 0,1,2,... (Check how many steps will be required in worst case.) Another solution to Problem 3.2. We can use Euler function! 1. Estimate Euler function ϕ(m). 2. Find a pair of positive integer u and v which satisfy ku ϕ(m)v = gcd(k,ϕ(m)) = 1. (3.6) Here we can use extended Euclidian algorithm. 3. The solution is x = b u mod m. (3.7) Here we can use the procedure given in Section 3.1.

12 12 CHAPTER 3. THEORY OF RSA Here s why this will give us the solution? x k = (b u ) k = b uk = b 1+ϕ(m)v = b (b ϕ(m) ) v, where we used (3.26). Since gcd(b,m) = 1, we can use Euler s formula (Theorem 2.2), and Thus, we have b ϕ(m) = 1 mod m. (3.8) x k = b mod m. (3.9) Remark 3.2. The important point is how to estimate ϕ(m). If we know the factorization of m into prime, the estimation is relatively easy. For example, if we have the factorization, then we can use Theorem 2.3, and m = pq, (3.10) ϕ(m) = ϕ(p)ϕ(q) = (p 1)(q 1) (3.11) Indeed the factorization is known to be one of the notoriously hard problem. Example 3.1. Find x satisfying x 131 mod (3.12) First we need to find the factorization of 1073, which is 1073 = Thus, ϕ(1073) = = (3.13) Next, we need to find a pair of positive integers (u,v) satisfying We can find (u,v) by extended Euclidean algorithm and ku ϕ(m)v = 1. (3.14) 131u 1008v = 1. (3.15) 131 ( 277) 1008 ( 36) = 1. (3.16) The pair should be positive. If (x 1,y 1 ) is the solution of ax + by = 1. (3.17)

13 3.3. RSA 13 Then, (x 1 b,y 1 + a) is also the solution of the equation. a(x 1 b) + b(y 1 + a) = ax 1 + by 1 = 1. (3.18) Thus, we can adjust the pair by (u,v) = ( , ) = (731,95), (3.19) where, we have = 1. (3.20) Thus, we have x 758 u mod (3.21) Exercise 3.2. Find the solutions: 1. x 329 = 452 mod (3.22) 2. x 113 = 347 mod 463. (3.23) 3.3 RSA Let a be the message to be encrypted. The following is the procedure to encrypt the message a. 1. Pick two large prime numbers p and q. 2. Set m = pq. 3. Derive the Euler function ϕ(m) as ϕ(m) = ϕ(p)ϕ(q) = (p 1)(q 1). (3.24) 4. Pick the encryption key k which is relatively prime to ϕ(m). 5. Encrypt the message a by b = a k (3.25) When you receive the encrypted message, you can decrypt the message by using the method described in Section 3.2.

14 14 CHAPTER 3. THEORY OF RSA 1. Find a pair of positive integer u and v which satisfy by extended Euclidian algorithm. 2. The solution is ku ϕ(m)v = gcd(k,ϕ(m)) = 1, (3.26) x = b u mod m. (3.27) Exercise 3.3. We know that the number 5192,2604,4222 are encrypted by m = 7081 and k = Decrypt the numbers.