Number Theory
A focused introduction

This is an explanation of RSA public key cryptography. We will start from first principles, but only the results that are needed to understand RSA are given. We begin with some definitions and notation.

Definitions

Let $a, b, d$ be integers. If there is an integer $n$ such that $a = nd$ then we say $d$ is a divisor of $a$ (or $d$ divides $a$) and we write $d \mid a$. If $d \mid a$ and $d \mid b$ then $d$ is a common divisor of $a$ and $b$. If $d$ is a common divisor of $a$ and $b$ such that if $r$ is any other common divisor of $a$ and $b$ then $r \mid d$, then we call $d$ the greatest common divisor of $a$ and $b$ and write $(a, b) = d$. If $(a, b) = 1$, we say $a$ and $b$ are relatively prime.

Given integers $a$ and $b$, any integer $c$ which can be written in the form $c = ma + nb$ for some integers $m$ and $n$ is called a linear combination of $a$ and $b$. Note that any common divisor of $a$ and $b$ will also divide all linear combinations of $a$ and $b$.

To compute the greatest common divisor of two integers we use the Euclidean algorithm.

The Euclidean Algorithm

We are given $a$ and $b$. We can divide $a$ by $b$ to get $a = n_1 b + r_1$ for some integers $n_1$ and $r_1$ with $0 \le r_1 \le b - 1$. We can then divide $b$ by $r_1$ to get $b = n_2 r_1 + r_2$ for some integers $n_2$ and $r_2$ with $0 \le r_2 \le r_1 - 1$. We repeat this process of dividing the previous divisor by the remainder until the remainder is 0. This gives us a chain of equations like

$$a = n_1 b + r_1$$
$$b = n_2 r_1 + r_2$$
$$r_1 = n_3 r_2 + r_3$$
$$\vdots$$
$$r_{k-2} = n_k r_{k-1} + r_k$$
$$r_{k-1} = n_{k+1} r_k$$

Then the last non-zero remainder, $r_k$, is the greatest common divisor of $a$ and $b$.
Example: We wish to find the greatest common divisor of 34 and 20. We compute

$$34 = 1 \cdot 20 + 14$$
$$20 = 1 \cdot 14 + 6$$
$$14 = 2 \cdot 6 + 4$$
$$6 = 1 \cdot 4 + 2$$
$$4 = 2 \cdot 2$$

So $(34, 20) = 2$.

Proof

To see why the Euclidean algorithm produces a common divisor, trace back up the chain of equations. Since $r_{k-1} = n_{k+1} r_k$, we know $r_k$ divides $r_{k-1}$. Since $r_{k-2} = n_k r_{k-1} + r_k$ and $r_k$ divides both $r_{k-1}$ and itself, we find that $r_k$ divides $r_{k-2}$. Continuing up the chain we eventually find that $r_k$ divides both $a$ and $b$, so $r_k$ is a common divisor of $a$ and $b$.

To show that $r_k$ is the greatest common divisor, we need to show that any other common divisor of $a$ and $b$ divides $r_k$. For this we also work our way up the chain of equations. Rewrite $r_{k-2} = n_k r_{k-1} + r_k$ as $r_k = r_{k-2} - n_k r_{k-1}$. So $r_k$ is a linear combination of $r_{k-2}$ and $r_{k-1}$. We rewrite the next equation up the chain, $r_{k-3} = n_{k-1} r_{k-2} + r_{k-1}$, as $r_{k-1} = r_{k-3} - n_{k-1} r_{k-2}$, so $r_{k-1}$ is a linear combination of $r_{k-2}$ and $r_{k-3}$. We substitute this into our linear combination for $r_k$ to get

$$r_k = r_{k-2} - n_k \left(r_{k-3} - n_{k-1} r_{k-2}\right) = (n_{k-1} n_k + 1)\, r_{k-2} - n_k r_{k-3}$$

so $r_k$ is also a linear combination of $r_{k-2}$ and $r_{k-3}$. Working our way up the chain we can eventually write $r_k$ as a linear combination of $a$ and $b$. But any common divisor of $a$ and $b$ must then also divide $r_k$, so $r_k$ is the greatest common divisor of $a$ and $b$.

It is important to note that this proof shows that the greatest common divisor of two numbers can be written as a linear combination of the numbers. We will use this fact later.

Our next topic is modular arithmetic.

Definition

$a \equiv b \pmod{k}$ means $k \mid a - b$. Note that for each $a$ there is exactly one $b$ satisfying $0 \le b \le k - 1$ such that $a \equiv b \pmod{k}$. Also note that $a \equiv b \pmod{k}$ if and only if there is an integer $n$ with $a = nk + b$.

Lemmas

If $a \equiv b \pmod{k}$ and $c \equiv d \pmod{k}$ then $a + c \equiv b + d \pmod{k}$ and $ac \equiv bd \pmod{k}$.
Proof

Since $a \equiv b$ and $c \equiv d$, we can find integers $n$ and $m$ such that $a = nk + b$ and $c = mk + d$. Then

$$a + c = (nk + b) + (mk + d) = b + d + (n + m)k$$

and

$$ac = (nk + b)(mk + d) = bd + (nmk + nd + mb)k.$$

So addition and multiplication work the same in modular arithmetic as in ordinary arithmetic. So does subtraction, though we won't need this. Division is more troubling. Modular arithmetic is for integers, so we can't deal with fractions. This means that when carrying out algebraic manipulations in modular arithmetic we have to be careful that we are permitted to cancel out common terms. The basic theorem is the following.

Theorem

Suppose $(a, d) = 1$. Then $ab \equiv ac \pmod{d}$ implies that $b \equiv c \pmod{d}$.

Proof

Since $(a, d) = 1$, we can write 1 as a linear combination of $a$ and $d$, $1 = ma + nd$. Then $1 - ma = nd$, so $d \mid 1 - ma$ and $ma \equiv 1 \pmod{d}$. Now we write

$$ab \equiv ac \pmod{d}$$
$$mab \equiv mac \pmod{d}$$
$$b \equiv c \pmod{d}$$

which is what we wanted to prove.

Note that $2 \cdot 1 \equiv 2 \cdot 3 \pmod{4}$ but that $1 \not\equiv 3 \pmod{4}$. This is not a counterexample to the above theorem because $(2, 4) = 2 \ne 1$.

Our next stop is the Euler $\varphi$-function (also called the totient function).

Definition

$\varphi(n)$ is the number of integers from 1 to $n - 1$ which are relatively prime to $n$.

Examples

If $p$ is prime then $\varphi(p) = p - 1$, since all the numbers from 1 to $p - 1$ are relatively prime to $p$.

If $p$ and $q$ are prime then $\varphi(pq) = (p - 1)(q - 1)$. To see this, note that the only numbers from 1 to $pq - 1$ that are not relatively prime to $pq$ are $p, 2p, \ldots, (q - 1)p$ and $q, 2q, \ldots, (p - 1)q$. So there are $(p - 1) + (q - 1)$ numbers that are not relatively prime to $pq$, and that leaves

$$(pq - 1) - [(p - 1) + (q - 1)] = pq - p - q + 1 = (p - 1)(q - 1)$$

numbers which are relatively prime to $pq$.
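The cancellation theorem and the $\varphi$-function are both easy to check by computer. The block below is an added example for this page, not code from the original notes: `cancel_ok`, `inverse_mod` and `phi` are names I chose, and `inverse_mod` uses Python's built-in `pow(a, -1, d)` (Python 3.8 or later) to obtain the $m$ with $ma \equiv 1 \pmod{d}$ that the proof constructs from the linear combination $1 = ma + nd$.

```python
# Added example: cancelling a common factor in a congruence is only safe when
# the factor is relatively prime to the modulus, and phi(n) straight from its
# definition compared with the (p-1)(q-1) formula.

from math import gcd

def cancel_ok(a, b, c, d):
    """Given ab ≡ ac (mod d), report whether b ≡ c (mod d) follows.
    The theorem says it always does when (a, d) = 1; when (a, d) != 1 it may fail."""
    if (a * b - a * c) % d != 0:
        raise ValueError("hypothesis ab ≡ ac (mod d) does not hold")
    return (b - c) % d == 0

def inverse_mod(a, d):
    """The m with m*a ≡ 1 (mod d) used in the proof.  It exists iff (a, d) = 1,
    which is exactly when cancelling a is permitted."""
    g = gcd(a, d)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {d}: ({a}, {d}) = {g}")
    return pow(a, -1, d)      # built-in modular inverse (Python 3.8+)

def phi(n):
    """phi(n) by the definition in the notes: how many x in 1..n-1 have (x, n) = 1."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)

def phi_matches_formula(p, q):
    """Check the worked example phi(pq) = (p-1)(q-1) for two distinct primes."""
    return phi(p * q) == (p - 1) * (q - 1)

if __name__ == "__main__":
    # The note's near-counterexample: 2*1 ≡ 2*3 (mod 4), yet 1 is not ≡ 3 (mod 4).
    print("cancel 2 mod 4:", cancel_ok(2, 1, 3, 4))        # False, since (2, 4) = 2
    print("cancel 3 mod 7:", cancel_ok(3, 5, 12, 7))       # True,  since (3, 7) = 1
    print("inverse of 3 mod 7:", inverse_mod(3, 7))        # 5, because 3*5 = 15 ≡ 1
    print("phi(7) =", phi(7), " phi(15) =", phi(15))       # 6 and 8 = (3-1)(5-1)
```

The two `cancel_ok` calls are the theorem and the note after it side by side: with modulus 7 the factor 3 has an inverse, so cancelling is legitimate; with modulus 4 the factor 2 has none, and the false conclusion $1 \equiv 3 \pmod 4$ is what you get if you cancel anyway.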
Theorem (Euler)

Suppose $(a, n) = 1$. Then $a^{\varphi(n)} \equiv 1 \pmod{n}$.

Proof

List the numbers from 1 to $n - 1$ which are relatively prime to $n$ and call them $a_1, a_2, \ldots, a_{\varphi(n)}$. Then $aa_j \not\equiv aa_i \pmod{n}$ if $i \ne j$, by our cancellation rule above. Furthermore, since $(a, n) = 1$ and $(a_i, n) = 1$, $(aa_i, n) = 1$ for all $i$, and so $aa_1, aa_2, \ldots, aa_{\varphi(n)}$ are $\varphi(n)$ distinct numbers mod $n$ which are relatively prime to $n$. So the list $aa_1, aa_2, \ldots, aa_{\varphi(n)}$ must be the same as the list $a_1, a_2, \ldots, a_{\varphi(n)}$, just in a different order. Accordingly, if we multiply all the elements in each list we must get the same result. But then

$$aa_1 \cdot aa_2 \cdots aa_{\varphi(n)} \equiv a_1 a_2 \cdots a_{\varphi(n)} \pmod{n}$$
$$a^{\varphi(n)} \left(a_1 a_2 \cdots a_{\varphi(n)}\right) \equiv a_1 a_2 \cdots a_{\varphi(n)} \pmod{n}$$
$$a^{\varphi(n)} \equiv 1 \pmod{n}$$

Corollary (Fermat)

If $p$ is prime and $1 \le a \le p - 1$ then $a^{p-1} \equiv 1 \pmod{p}$.

This result is useful in primality testing. Note that $a^{n-1} \equiv 1 \pmod{n}$ doesn't guarantee that $n$ is prime, but $a^{n-1} \not\equiv 1 \pmod{n}$ does guarantee that $n$ is composite (not prime).

Corollary (RSA)

If $p$ and $q$ are prime and $de \equiv 1 \pmod{(p-1)(q-1)}$ and $(a, p) = (a, q) = 1$, then $(a^e)^d \equiv a \pmod{pq}$. (Note: the hypothesis $(a, p) = (a, q) = 1$ can be dropped at the cost of making the proof a fair bit longer.)

Proof

Since $(a, p) = (a, q) = 1$, $(a, pq) = 1$ and so

$$a^{\varphi(pq)} = a^{(p-1)(q-1)} \equiv 1 \pmod{pq}.$$

Now $de \equiv 1 \pmod{(p-1)(q-1)}$, so $de = k(p-1)(q-1) + 1$ for some $k$. Then using the laws of exponents from College Algebra we get

$$(a^e)^d = a^{ed} = a^{k(p-1)(q-1)+1} = \left(a^{(p-1)(q-1)}\right)^k a \equiv 1^k a \equiv a \pmod{pq}.$$
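Euler's theorem and the primality-testing remark after Fermat's corollary can be exercised directly with modular exponentiation. This is an added example for this page, not code from the original notes; `euler_holds`, `fermat_witness` and `is_prime_trial` are my own names. It goes slightly beyond the text in one respect: besides showing a base that proves a number composite, it shows the case the note warns about, a composite $n$ for which $a^{n-1} \equiv 1 \pmod n$ anyway (561 = 3 · 11 · 17 is the smallest such number for every base relatively prime to it, the smallest Carmichael number).

```python
# Added example: numerically checking a^phi(n) ≡ 1 (mod n), and using Fermat's
# corollary as a test that can prove n composite but can never prove n prime.

from math import gcd

def euler_holds(a, n):
    """True iff a^phi(n) ≡ 1 (mod n).  Only meaningful when (a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs (a, n) = 1")
    phi_n = sum(1 for x in range(1, n) if gcd(x, n) == 1)   # phi by definition
    return pow(a, phi_n, n) == 1                             # fast modular exponentiation

def fermat_witness(n, a):
    """True if the base a proves n composite, i.e. a^(n-1) is NOT ≡ 1 (mod n).
    False only means a is not a witness; it does not certify that n is prime."""
    return pow(a, n - 1, n) != 1

def is_prime_trial(n):
    """Exact primality by trial division, used here only to confirm the verdicts."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def fermat_verdict(n, bases):
    """'composite' if some base is a witness, else 'probably prime' (never 'prime')."""
    return "composite" if any(fermat_witness(n, a) for a in bases) else "probably prime"

if __name__ == "__main__":
    print("2^phi(15) mod 15 == 1:", euler_holds(2, 15))          # True  (phi(15) = 8)
    print("15 by base 2:", fermat_verdict(15, [2]))               # composite
    print("7 by bases 2..6:", fermat_verdict(7, range(2, 7)))     # probably prime
    # 561 is composite, yet every base relatively prime to it passes the test.
    print("561 by base 2:", fermat_verdict(561, [2]), "| actually prime?", is_prime_trial(561))
    print("561 by base 3:", fermat_verdict(561, [3]))             # composite: (3, 561) = 3
```

The last two lines are the asymmetry the note states: base 2 fails to expose 561 even though it is composite, so a "probably prime" verdict is only ever evidence, while a single witness such as base 3 (which shares the factor 3 with 561) is a proof of compositeness.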
This is the key to RSA public key encryption. Pick two large primes $p$ and $q$. Compute $n = pq$ and also $(p-1)(q-1)$. Now pick a $d$ relatively prime to $(p-1)(q-1)$. Then the discussion following the Euclidean algorithm (writing 1 as a linear combination of $d$ and $(p-1)(q-1)$) explains how to find an $e$ with $de \equiv 1 \pmod{(p-1)(q-1)}$. Now publish $n$ and $e$, but not $p$, $q$, $(p-1)(q-1)$ or $d$. Then anyone wishing to send a number to you (and all computer messages are just a bunch of numbers) can send you $a^e \bmod n$. When you receive this message you raise it to the $d$-th power mod $n$ to recover the original message $a$.

But for anyone to crack the code they need to be able to find $d$, which requires them to factor $n$ to find $p$ and $q$. Since finding primes is much easier than factoring, you can find primes large enough that it takes so long for someone to factor $n$ that your code is practically unbreakable. Of course, if someone knew how to factor numbers quickly, all this would fall apart. Lots of people have tried to come up with fast factoring routines, but no one has found any fast enough to make breaking RSA practical (at least in the published literature). On the other hand, there is no proof that such an algorithm doesn't exist.
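The recipe in the paragraph above, run end to end on toy-sized primes, is the following added example (written for this page, not code from the original notes). The function names are mine; `pow(d, -1, m)` is Python's built-in modular inverse (3.8 or later) and returns the same $e$ that writing $1 = ed + k(p-1)(q-1)$ by the extended Euclidean algorithm gives. The final function makes the page's last point concrete: with $n$ this small, trial division factors it instantly and hands back $d$, which is exactly why real keys use primes far too large to factor.

```python
# Added example: RSA exactly as the notes describe it on tiny constructed
# primes, plus the observation that factoring n is what recovers d.

from math import gcd

def rsa_keygen(p, q, d):
    """Public key (n, e) and private exponent d.
    Requires (d, (p-1)(q-1)) = 1 so that d has an inverse e."""
    n = p * q
    m = (p - 1) * (q - 1)                      # phi(pq) for distinct primes p, q
    if gcd(d, m) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    e = pow(d, -1, m)                          # d*e ≡ 1 (mod (p-1)(q-1))
    return (n, e), d

def encrypt(a, n, e):
    """Sender computes a^e mod n using only the published (n, e)."""
    if not 0 <= a < n:
        raise ValueError("message must be an integer in 0 .. n-1")
    return pow(a, e, n)

def decrypt(c, n, d):
    """Receiver raises the ciphertext to the d-th power mod n."""
    return pow(c, d, n)

def roundtrip_ok(p, q, d, a):
    """Corollary (RSA) in action: (a^e)^d ≡ a (mod pq)."""
    (n, e), d = rsa_keygen(p, q, d)
    return decrypt(encrypt(a, n, e), n, d) == a

def factor_by_trial(n):
    """Smallest prime factor first; hopeless for real key sizes, instant for toys."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")

def recover_d(n, e):
    """Shows the dependence the notes state: knowing p and q yields (p-1)(q-1),
    and from that the secret d is just the inverse of the public e."""
    p, q = factor_by_trial(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    p, q, d = 61, 53, 17                       # constructed toy parameters
    (n, e), d = rsa_keygen(p, q, d)
    print(f"public (n, e) = ({n}, {e}), private d = {d}")   # (3233, 2753), 17
    a = 65
    c = encrypt(a, n, e)
    print(f"message {a} -> ciphertext {c} -> decrypted {decrypt(c, n, d)}")
    print("d recovered from (n, e) by factoring n:", recover_d(n, e))   # 17
```

Note that `roundtrip_ok` also holds for messages that share a factor with $n$ (for example $a = 61$ here), which is the dropped-hypothesis remark in the corollary: the correctness of RSA does not depend on $(a, p) = (a, q) = 1$, only the short proof does.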