AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Similar documents
Ma/CS 6a Class 4: Primality Testing

Iterated Encryption and Wiener s attack on RSA

Number Theory and Group Theoryfor Public-Key Cryptography

A Readable Introduction to Real Mathematics

Ma/CS 6a Class 4: Primality Testing

Homework #2 solutions Due: June 15, 2012

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

CPSC 467: Cryptography and Computer Security

MATH 145 Algebra, Solutions to Assignment 4

ECE596C: Handout #11

The security of RSA (part 1) The security of RSA (part 1)

Number Theory A focused introduction

For your quiz in recitation this week, refer to these exercise generators:

CPSC 467b: Cryptography and Computer Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Chapter 3 Basic Number Theory

ICS141: Discrete Mathematics for Computer Science I

Fall 2017 September 20, Written Homework 02

CPSC 467b: Cryptography and Computer Security

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Part V. Chapter 19. Congruence of integers

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Math 430 Midterm II Review Packet Spring 2018 SOLUTIONS TO PRACTICE PROBLEMS

MATH 3240Q Introduction to Number Theory Homework 5

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Notes on Systems of Linear Congruences

Basic elements of number theory

CPSC 467b: Cryptography and Computer Security

Basic elements of number theory

Ma/CS 6a Class 3: The RSA Algorithm

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

1 Structure of Finite Fields

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Mathematical Foundations of Public-Key Cryptography

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

COMP424 Computer Security

4. Congruence Classes

Number Theory Proof Portfolio

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Math 261 Spring 2014 Final Exam May 5, 2014

Solutions to Practice Final 3

Jong C. Park Computer Science Division, KAIST

DM49-2. Obligatoriske Opgave

Math.3336: Discrete Mathematics. Mathematical Induction

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Public Key Cryptography

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Senior Math Circles Cryptography and Number Theory Week 2

Homework #2 Solutions Due: September 5, for all n N n 3 = n2 (n + 1) 2 4

7. Prime Numbers Part VI of PJE

10 Modular Arithmetic and Cryptography

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

4.4 Solving Congruences using Inverses

Discrete Mathematics with Applications MATH236

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

NET 311D INFORMATION SECURITY

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Elementary Properties of the Integers

Numbers. Çetin Kaya Koç Winter / 18

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Number theory. Myrto Arapinis School of Informatics University of Edinburgh. October 9, /29

CSE 20 DISCRETE MATH. Winter

Definition For a set F, a polynomial over F with variable x is of the form

Integers and Division

Prof. Ila Varma HW 8 Solutions MATH 109. A B, h(i) := g(i n) if i > n. h : Z + f((i + 1)/2) if i is odd, g(i/2) if i is even.

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Beautiful Mathematics

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

Congruence of Integers

Implementation Tutorial on RSA

Number theory (Chapter 4)

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Number Theory and Algebra: A Brief Introduction

The number of ways to choose r elements (without replacement) from an n-element set is. = r r!(n r)!.

11 Division Mod n, Linear Integer Equations, Random Numbers, The Fundamental Theorem of Arithmetic

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

COMP4109 : Applied Cryptography

CRYPTOGRAPHY AND NUMBER THEORY

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

2 More on Congruences

Homework Problems, Math 134, Spring 2007 (Robert Boltje)

Math 109 HW 9 Solutions

3.2 Solving linear congruences. v3

CS March 17, 2009

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

12x + 18y = 50. 2x + v = 12. (x, v) = (6 + k, 2k), k Z.

NUMBER THEORY FOR CRYPTOGRAPHY

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Introduction to Public-Key Cryptosystems:

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Discrete Mathematics GCD, LCM, RSA Algorithm

Encryption: The RSA Public Key Cipher

Transcription:

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION Recall that RSA works as follows. A wants B to communicate with A, but without E understanding the transmitted message. To do so: A broadcasts RSA method, encryption exponent e, modulus N, where N = pq, p and q are large primes, and gcd (e, φ (N)) = 1. (Here, φ (N) indicates the number of integers between 0 and N that are relatively prime to N.) B encrypts a message m by computing c = m e, and broadcasts c. A decrypts c by computing c d = (m e ) d, modulo N. (Here, d is the Bézout coefficient of e in the linear combination ed + tφ (N) = 1.) So RSA successfully encrypts and decrupts if m ed m (mod N). To show this, we proceed through several claims. Definition. Let Z n be the subset of Z n whose elements are relatively prime to n. Example. Z 35 = {1, 2, 3, 4, 6, 8, 9, 11, 12, 13, 16, 17, 18, 19, 22, 23, 24, 26, 27, 29, 31, 32, 33, 34}. Observe that φ (N) = 24 = (5 1) (7 1), where 35 = 5 7. Claim 1. Every a Z n has a multiplicative inverse s Z n; that is, as 1 (mod n). Proof. Let a Z n. By Theorem 1.35 in the text, there exist s, t Z such that as+nt = 1. Rewrite as n ( t) = as 1. By definition of divisibility, n (as 1). By definition of congruence, as 1 (mod n). That is, s is a multiplicative inverse of a. In addition, the linear combination as+nt = 1 shows that gcd (s, n) = 1, so s Z n, as claimed. Example (continued). It is easy to verify that the multiplicative inverse of 18 in Z 35 is 2. Claim 2. For every a Z n, the set S = {ab : b Z n} has φ (n) distinct elements. In fact, S = Z n. Proof. Let a Z n and compute S. For each b Z n, we have gcd (a, n) = gcd (b, n) = 1; by Exercise 1 below, gcd (ab, n) = 1. Hence each ab S is also an element of Z n, and S Z n. Since Z n has φ (n) elements, the only way S can have fewer is if ab = ac for distinct b, c Z n. By way of contradiction, assume that such b and c exist. By Claim 1, a has a multiplicative inverse s Z n. Multiply both sides of our congruence by s, and we see that s (ab) s (ac) = (sa) b = (sa) c = 1 b 1 c = b c. However, we chose b, c Z n to be distinct, so we have a contradiction. It must be that S has φ (n) distinct elements, and since we knew S Z n we actually have S = Z n. Example (continued). Let a = 13. Then the set S of Claim 2 is S = {13, 26, 4, 17, 8, 34, 12, 3, 16, 29, 33, 11, 24, 2, 6, 19, 32, 23, 1, 27, 18, 31, 9, 22}. This is precisely Z 35. 1

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION 2 Claim 3. For every a Z n, there is some k N + such that a k 1 (mod n), and for the smallest such k there are k distinct powers of a, modulo n. Proof. Let a Z n and let T = {a, a 2, a 3,...}. By Exercise 2 below, for each a k we have gcd ( a k, n ) = 1. Each a k T is thus an element of Z n, so T Z n. Now, Z n is a finite set; to be precise, it has φ (n) elements. That forces T to be a finite set; there must be distinct i, j N such that a i a j (mod n). Without loss of generality, i < k. Since a i Z n, Claim 1 tells us it has a multiplicative inverse b Z n. Multiply both sides of the congruence by b, we see that a i b a j b = a i b ( a j i a i) b = a i b a j i ( a i b ) = 1 a j i. Recall that i < j, so j i N + and k = j i satisfies a k 1. By the Well-Ordering Property, we can identify a smallest positive k such that a k 1. To show that there are k distinct powers of a, modulo n, suppose that a i a j, where 0 < i j k. As before, 1 a j i. We chose k to be the smallest positive integer such that a k 1, and j i < k, so j i cannot be positive. Instead, j i = 0, which means i = j. In other words, a i a j only if i = j. So the powers a, a 2,... a k must all be distinct. Corollary. For any a Z 35, a s inverse is a power of itself. Example (continued). Let a = 13. The set T computed in the proof of Claim 3 is T = {13, 29, 27, 1}. So a 4 1. Notice that T = 4, a divisor of φ (35). Also, 13 3 27 is the multiplicative inverse of 13. Let s do another. Let a = 26. The set T computed in the proof of Claim 3 is T = {26, 11, 6, 16, 31, 1}. So a 6 1. Again, we notice that T = 6, a divisor of φ (35). Also, 26 5 31 is the multiplicative inverse of 26. Notice that if 26 2 26 4, then we would have 1 26 2, but we already saw that k = 6 is the smallest positive number such that 26 k 1. Claim 4. For every a Z n, the number of distinct powers of a in Z n is a divisor of φ (n). Proof. Let a, k, and T be as in the proof of Claim 3. Define U 1, U 2,... iteratively as follows: U 1 = T, and for i = 1, 2,..., if U 1 U i = Z n, then stop; otherwise, choose b i Z nthat is not in U 1 U i, and let U i+1 = { ab i, a 2 b i,..., a k b i }. We proceed through several subclaims. Subclaim 1. The sequence of U i s is finite. Subproof. Each U i+1 is defined using an element of Z n\ (U 1 U i ). As Z n has finitely many elements, we can create a new set with an element not already taken only finitely many times. Let U last be the last one generated.

Subclaim 2. Z n = U 1 U last. AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION 3 Subproof. Were this not the case, the iteration would continue beyond U last. Subclaim 3. If i j, then U i U j =. Subproof. By way of contradiction, assume i j and U i U j. Let c U i U j. By construction, there exist b i 1, b j 1 Z n and l, m N + such that c a l b i 1 a m b j 1. Without loss of generality, suppose i < j. By construction of the U s, we cannot have b j 1 U i, as that would contradict the choice of b j 1, which cannot be in U 1 U j 1, and U i would be among them. However, b j 1 a l m b i 1. If l m 0, then b j 1 U i, a contradiction, so we must have l m < 0. By Exercise 3 below, we know that b j 1 a k+(l m) b i 1. In this case k + (l m) > 0, and again b j 1 U i, a contradiction. Hence U i U j =. Subclaim 4. For each i = 1, 2,... we have U i = T. Subproof. For U 1 = T this is true by definition. Any other U i is constructed by multiplying a j b i 1 for some b i 1 Z n and some j = 1, 2,..., k. By Claim 2, a j b i 1 a l b i 1 if 1 j, l k and j l. Subclaim 2 tells us that the elements of Z n are all contained among the U s, which by Subclaim 3 have no common elements, and by Subclaim 4 are the same size. This is the basic model of division, so each U i divides Z n. In particular T = U 1 divides Z n = φ (n), and T is the number of distinct powers of a. Example (continued). Earlier we showed that in Z 35, with a = 13 we have U 1 = T = {13, 29, 27, 1}. Clearly Z 35 U 1 ; let b 1 = 2 Z 35\U 1. Then U 2 = {13 2, 29 2, 27 1, 1 2} = {26, 3, 34, 2}. Notice that U 1 U 2 =. Again, Z 35 U 1 U 2 ; let b 2 = 3 Z 35\ (U 1 U 2 ). Then U 3 = {13 3, 29 3, 27 3, 1 3} = {4, 17, 11, 3}. Notice that U 1 U 3 = U 2 U 3 =. Again, Z 35 U 1 U 2 U 3 ; let b 3 = 6 Z 35\ (U 1 U 2 U 3 ). Then U 4 = {13 6, 29 6, 27 6, 1 6} = {8, 34, 22, 6}. Notice that U 1 U 4 = U 2 U 4 = U 3 U 4 =. Again, Z 35 U 1 U 2 U 3 U 4 ; continuing in this fashion, we choose and construct b 4 = 9 and U 5 = {12, 16, 33, 9} b 5 = 18 and U 6 = {24, 32, 31, 18}. The iteration has ended, illustrating Subclaim 1. We have Z 35 = U 1 U 6, illustrating Subclaim 2. The U s are disjoint, illustrating Subclaim 3. ( Disjoint means their intersection is empty.) The U s all have T = 4 elements, illustrating Subclaim 4. In fact, φ (35) = 24 = 6 4 = (number of U s) T.

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION 4 Claim 5 (Euler s Theorem). For any a Z n, a φ(n) 1 (mod n). Proof. By Claim 3, there is some k N + such that a k 1 (mod n), and the smallest such k is the number of distinct powers of a in {a, a 2,...}. By Claim 4, k φ (n). Choose q N such that kq = φ (n). By substitution, a φ(n) = a kq = ( a k) q 1 q = 1. Example (continued). Previously we saw that 13 4 1 (mod 35). Since 4 6 = 24, 13 φ(35) = 13 24 = 13 4 6 = ( 13 4) 6 1 6 = 1. Claim 6. The final step of the RSA algorithm deciphers B s message. Proof. As explained at the beginning, we need to show that m ed m (mod N). By construction, ed+tφ (N) = 1. Without loss of generality, we may assume d is positive and t is negative. Rewrite the equation as ed = 1 tφ (N). Let u = t > 0 and we have ed = 1 + uφ (N). By substitution into the congruence, m ed = m 1+uφ(N) = m 1 m uφ(n) = m ( m φ(n)) u = m 1 u = m. Example. This time we encrypt and decrypt the word DOGS a little more realistically. Pair the word s letters as DO and GS. Transform DO into the number 3 26 + 14 = 92 and transform GS into the number 6 26 + 18 = 174. Let p = 23 and q = 31 = N = pq = 713 and φ (N) = (23 1) (31 1) = 660. Choose e = 511; it is easy to verify that gcd (511, 660) = 1 via the Euclidean algorithm. The encryption is then DO: 92 511 92 1+2+4+8+16+32+64+128+256 92 GS: 174 511 50. B thus broadcasts 92 and 50 to A. To decrypt, A determines the decryption exponent d = 31 using the Euclidean algorithm, then computes 92 31 92 50 31 174. A then transforms the numbers back into letters by dividing by 26: 92 = 3 26 + 14 174 = 6 26 + 18. Observe that 3, 14, 6, 18 are precisely the numbers corresponding to D, O, G, S.

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION 5 Exercises Exercise 1. Show that if gcd (a, n) = 1 and gcd (b, n) = 1, then gcd (ab, n) = 1. Exercise 2. Show that if gcd (a, n) = 1, then gcd ( a k, n ) = 1. Exercise 3. Show that if T = { a, a 2,..., a k} is a complete list of distinct powers of a modulo n, then x a k x (mod n). Exercise 4. For Z 35 and a = 13 compute the sets U 1, U 2,... U last of Claim 4. Exercise 5. Use the Euclidean algorithm to verify that 31 is the decryption exponent for N = 713 and e = 511.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback