Theory of RSA. Hiroshi Toyoizumi 1. December 8,


Theory of RSA

Hiroshi Toyoizumi¹

December 8, 2005

¹ E-mail: toyoizumi@waseda.jp

Introduction

This is a brief introduction to the number theory related to the so-called RSA cryptography. This handout is based on A Friendly Introduction To Number Theory by Joseph H. Silverman, Prentice Hall College Div 2005.

Chapter 1 Basic Number Theory

1.1 Prime Number

1.2 Greatest Common Divisor

Example 1.1. Find the greatest common divisor:

$$\gcd(36, 132). \tag{1.1}$$

Use the Euclidean algorithm.

1. Divide 132 by 36 and find the remainder.

$$132 = 3 \cdot 36 + 24. \tag{1.2}$$

2. Divide 36 by the remainder 24, and then find the remainder.

$$36 = 1 \cdot 24 + 12. \tag{1.3}$$

3. Again, divide the remainder 24 by the remainder 12.

$$24 = 2 \cdot 12 + 0. \tag{1.4}$$

Now we find there is no remainder. The previous remainder 12 is $\gcd(36, 132)$.

General Euclidean algorithm: Find $\gcd(a, b)$. Put $r_{-1} = a$ and $r_0 = b$, then

\begin{align}
r_{-1} &= q_1 r_0 + r_1 \tag{1.5}\\
r_0 &= q_2 r_1 + r_2 \tag{1.6}\\
&\;\;\vdots \tag{1.7}\\
r_{n-3} &= q_{n-1} r_{n-2} + r_{n-1} \tag{1.8}\\
r_{n-2} &= q_n r_{n-1} + r_n \tag{1.9}\\
r_{n-1} &= q_{n+1} r_n. \tag{1.10}
\end{align}

Then, $r_n$ is $\gcd(a, b)$.

Exercise 1.1. Find $\gcd(12345, 67890)$.

1.3 Linear equation and extended GCD

Find $x$ and $y$ satisfying

$$ax + by = \gcd(a, b), \tag{1.12}$$

where $\gcd(a, b)$ is the greatest common divisor of $a$ and $b$.

Example 1.2. Find $x$ and $y$ satisfying

$$22x + 60y = \gcd(22, 60). \tag{1.13}$$

By the Euclidean algorithm, we have

\begin{align*}
60 &= 2 \cdot 22 + 16\\
22 &= 1 \cdot 16 + 6\\
16 &= 2 \cdot 6 + 4\\
6 &= 1 \cdot 4 + 2\\
4 &= 2 \cdot 2.
\end{align*}

Thus, $\gcd(22, 60) = 2$. We will extend this algorithm. Writing $a = 60$ and $b = 22$, each remainder becomes a combination of $a$ and $b$:

\begin{align*}
16 &= 60 - 2 \cdot 22 = a - 2b\\
6 &= 22 - 1 \cdot 16 = b - 1 \cdot (a - 2b) = -a + 3b\\
4 &= 16 - 2 \cdot 6 = (a - 2b) - 2(-a + 3b) = 3a - 8b\\
2 &= 6 - 1 \cdot 4 = (-a + 3b) - 1 \cdot (3a - 8b) = -4a + 11b\\
4 &= 2 \cdot 2.
\end{align*}

Thus, we can find

$$2 = -4a + 11b = -4 \cdot 60 + 11 \cdot 22 = -240 + 242 = 2. \tag{1.14}$$

Note that the pair $(-4, 11)$ is not the unique solution!

Exercise 1.2. Find $x$ and $y$ satisfying

$$ax + by = \gcd(a, b), \tag{1.15}$$

where $a = 12453$, $b = 2347$.
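The bookkeeping of Example 1.2 can be automated. The following Python sketch is an added example, not part of the original handout; the function names `extended_gcd` and `shifted_solution` are chosen here for illustration. It carries the coefficients of $a$ and $b$ alongside each remainder and also produces a second solution pair.

```python
def extended_gcd(a, b):
    """Return (g, x, y, rows) with a*x + b*y == g == gcd(a, b).

    rows records every nonzero remainder as a combination of a and b,
    mirroring the hand computation of Example 1.2 (16 = a - 2b, ...).
    """
    old_r, r = a, b
    old_x, x = 1, 0      # coefficients of a
    old_y, y = 0, 1      # coefficients of b
    rows = []
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
        if r != 0:
            rows.append((r, x, y))   # invariant: r == a*x + b*y
    return old_r, old_x, old_y, rows


def shifted_solution(a, b, x, y, t):
    """Another solution of a*x + b*y = gcd(a, b), t steps away from (x, y)."""
    g = extended_gcd(a, b)[0]
    return x + t * (b // g), y - t * (a // g)


if __name__ == "__main__":
    g, x, y, rows = extended_gcd(60, 22)     # a = 60, b = 22 as in Example 1.2
    for r, cx, cy in rows:
        print(f"{r} = ({cx})*a + ({cy})*b")
    print("gcd =", g, "x =", x, "y =", y)    # the pair (-4, 11) of (1.14)
    print("another pair:", shifted_solution(60, 22, x, y, 1))
```
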

1.4 Residue Class

Definition 1.1. When $a - b$ is divisible by $m$, we say that

$$a \equiv b \bmod m. \tag{1.16}$$

$$3 = 3 \bmod 7. \tag{1.17}$$

$$13 = 6 \bmod 7. \tag{1.18}$$

Lemma 1.1. If $a_1 \equiv b_1 \bmod m$ and $a_2 \equiv b_2 \bmod m$, we have

$$a_1 + a_2 \equiv b_1 + b_2 \bmod m. \tag{1.19}$$

$$a_1 a_2 \equiv b_1 b_2 \bmod m. \tag{1.20}$$

Chapter 2 Theorems

2.1 Fermat's Little Theorem

How can you check this?

$$73^{100} \equiv 1 \bmod 101. \tag{2.1}$$

The answer is this.

Theorem 2.1 (Fermat's Little Theorem). Let $p$ be a prime number and $a$ be an integer with

$$a \not\equiv 0 \bmod p. \tag{2.2}$$

Then,

$$a^{p-1} \equiv 1 \bmod p. \tag{2.3}$$

Example 2.1. What is $2^{35} \bmod 7$? Remember $2^6 = 1 \bmod 7$ by Fermat's Little Theorem. Then,

\begin{align*}
2^{35} &= 2^{6 \cdot 5 + 5} \bmod 7\\
&= (2^6)^5 \cdot 2^5 \bmod 7\\
&= 1^5 \cdot 2^5 \bmod 7\\
&= 32 = 4 \bmod 7.
\end{align*}

Lemma 2.1. Let $p$ be a prime number and $a$ be an integer with

$$a \not\equiv 0 \bmod p. \tag{2.4}$$

Then,

$$\{a, 2a, 3a, \ldots, (p-1)a \bmod p\} = \{1, 2, 3, \ldots, p-1 \bmod p\}. \tag{2.5}$$

Proof. It is enough to show that $a, 2a, 3a, \ldots, (p-1)a \bmod p$ are different from each other. We will show it by induction. Assume

$$ja \equiv ka \bmod p, \tag{2.6}$$

for some $1 \le j, k \le p-1$. Then,

$$(j - k)a \equiv 0 \bmod p. \tag{2.7}$$

Since $a \not\equiv 0 \bmod p$, $j - k = 0 \bmod p$. Since $j - k < p$, $j - k = 0$.

Proof of Fermat's Little Theorem. By Lemma 2.1,

$$\{a, 2a, 3a, \ldots, (p-1)a \bmod p\} = \{1, 2, 3, \ldots, p-1 \bmod p\}. \tag{2.8}$$

Thus, the product of all elements is equal, and

$$a \cdot 2a \cdot 3a \cdots (p-1)a \equiv 1 \cdot 2 \cdot 3 \cdots (p-1) \bmod p. \tag{2.9}$$

Or,

$$a^{p-1} (p-1)! \equiv (p-1)! \bmod p. \tag{2.10}$$

Since $(p-1)! \not\equiv 0 \bmod p$, we have

$$a^{p-1} \equiv 1 \bmod p. \tag{2.11}$$

Exercise 2.1.

$$9^{794} \bmod 73. \tag{2.12}$$

Exercise 2.2. Find $x$ which satisfies

$$x^{86} \equiv 6 \bmod 29. \tag{2.13}$$

2.2 Euler's Formula

Definition 2.1.

$$\varphi(m) = \#\{a : 1 \le a \le m, \gcd(a, m) = 1\}. \tag{2.14}$$

The function $\varphi(m)$ is called the Euler function.

Example 2.2.

$$\varphi(5) = \#\{1, 2, 3, 4\} = 4 \tag{2.15}$$

$$\varphi(8) = \#\{1, 3, 5, 7\} = 4. \tag{2.16}$$

Theorem 2.2 (Euler's formula). When $\gcd(a, m) = 1$, we have

$$a^{\varphi(m)} \equiv 1 \bmod m. \tag{2.17}$$

Lemma 2.2. Let $\gcd(a, m) = 1$, and let $1 \le b_1 < b_2 < \cdots < b_{\varphi(m)} \le m$ be the integers which are relatively prime to $m$. Then,

$$\{ab_1, ab_2, ab_3, \ldots, ab_{\varphi(m)} \bmod m\} = \{b_1, b_2, b_3, \ldots, b_{\varphi(m)} \bmod m\}. \tag{2.18}$$

Proof. Assume $m$ and $ab_j \bmod m$ have the common divisor $p \ne 1$, i.e. $m = pq$, $ab_j = pr \bmod m$, for some $q$ and $r$. Since $\gcd(a, m) = 1$, $a$ shouldn't have the component $p$. Also $b_j$ is relatively prime to $m$. This is a contradiction, so $m$ and $ab_j$ are relatively prime. Thus, it is sufficient to prove that all the elements on the left-hand side are different. Suppose

$$b_j a \equiv b_k a \bmod m, \tag{2.19}$$

for some $1 \le j, k \le \varphi(m)$. Then,

$$(b_j - b_k)a \equiv 0 \bmod m. \tag{2.20}$$

Since $a$ and $m$ are relatively prime, $b_j - b_k = 0 \bmod m$. Since $b_j - b_k < m$, $b_j - b_k = 0$.

Proof of Euler's formula. By Lemma 2.2, the product of all elements is equal, and

$$a^{\varphi(m)} B \equiv B \bmod m, \tag{2.21}$$

where $B = b_1 \cdots b_{\varphi(m)}$. Since all $b_i$ are relatively prime to $m$, $B$ is also relatively prime to $m$. Thus

$$a^{\varphi(m)} \equiv 1 \bmod m. \tag{2.22}$$

Theorem 2.3. When $\gcd(m, n) = 1$, we have

$$\varphi(mn) = \varphi(m)\varphi(n). \tag{2.23}$$

Proof. By definition,

$$\varphi(mn) = \#A = \#\{a : 1 \le a \le mn, \gcd(a, mn) = 1\}. \tag{2.24}$$

Now

\begin{align}
\varphi(m)\varphi(n) &= \#B \tag{2.25}\\
&= \#\{(b, c) : 1 \le b \le m, \gcd(b, m) = 1, 1 \le c \le n, \gcd(c, n) = 1\}. \tag{2.26}
\end{align}

We will show that the elements in these sets have a one-to-one relation as

$$a \bmod mn \mapsto (a \bmod m, a \bmod n). \tag{2.27}$$

Pick $a_1, a_2 \in A$ with

$$a_1 \equiv a_2 \bmod m, \tag{2.28}$$

$$a_1 \equiv a_2 \bmod n. \tag{2.29}$$

Hence, $a_1 - a_2$ can be divided by $m$ as well as $n$. Since $m$ and $n$ are relatively prime, $a_1 - a_2$ should be divided by $mn$. Thus,

$$a_1 \equiv a_2 \bmod mn. \tag{2.30}$$

On the other hand, from the Chinese remainder theorem, given $b$ and $c$, we know that there is at least one integer $a$ such that

$$a \equiv b \bmod m \tag{2.31}$$

$$a \equiv c \bmod n. \tag{2.32}$$

Thus the two sets $A$ and $B$ are one-to-one, so the numbers of elements are equal.

Example 2.3.

$$\varphi(14) = 6, \tag{2.33}$$

$$\varphi(15) = 8, \tag{2.34}$$

$$\varphi(210) = 48. \tag{2.35}$$

2.3 Prime Number

Theorem 2.4. Prime numbers are infinitely many.

Proof. Assume you have obtained a finite list of prime numbers. We show how to add a new prime number to the list. Suppose we have such a list as

$$A = \{p_1, p_2, \ldots, p_r\}. \tag{2.36}$$

Set

$$a = p_1 p_2 \cdots p_r + 1. \tag{2.37}$$

If $a$ is a prime number, since $a$ is larger than any prime number in $A$, you can add it to the list $A$. Suppose $a$ is not a prime number; then we have prime numbers which divide $a$. Let $q$ be the smallest of those prime numbers. Since $a$ cannot be divided by any prime number in $A$, $q$ is not on the list. In this way, we can keep adding a new prime number to our list.

Chapter 3 Theory of RSA

3.1 Power in Modular

Problem 3.1. Estimate the following large power in modular:

$$7^{327} \bmod 853 \tag{3.1}$$

Solution 3.1. First, write 327 as a sum of powers of 2.

\begin{align*}
327 &= 256 + 71\\
&= 256 + 64 + 4 + 3\\
&= 256 + 64 + 4 + 2 + 1.
\end{align*}

Then,

$$7^{327} = 7^{256+64+4+2+1} = 7^{256} \cdot 7^{64} \cdot 7^{4} \cdot 7^{2} \cdot 7. \tag{3.2}$$

Now, recursively we obtain,

\begin{align*}
7 &= 7 \bmod 853.\\
7^2 &= 49 \bmod 853.\\
7^4 &= 49^2 = 2401 = 695 \bmod 853.\\
7^8 &= 695^2 = 483025 = 227 \bmod 853.\\
7^{16} &= 227^2 = 51529 = 349 \bmod 853.\\
7^{32} &= 349^2 = 121801 = 675 \bmod 853.\\
7^{64} &= 675^2 = 455625 = 123 \bmod 853.\\
7^{128} &= 123^2 = 15129 = 628 \bmod 853.\\
7^{256} &= 628^2 = 394384 = 298 \bmod 853.
\end{align*}

Using these relations in (3.2), we have

$$7^{327} = 298 \cdot 123 \cdot 695 \cdot 49 \cdot 7 = 286 \bmod 853.$$

Remark 3.1. If you have to estimate

$$a^k \bmod m, \tag{3.3}$$

by the same procedure as above, it requires only as many steps as the order of $\log_2(k)$. That means the above procedure is efficient even for a large power $k$.

Exercise 3.1. Estimate the following:

$$5^{13} \bmod 23 \tag{3.4}$$

3.2 Power Root in Modular

Now we proceed to power root in modular.

Problem 3.2. Given $b$, find $x$ satisfying

$$x^k \equiv b \bmod m, \tag{3.5}$$

where $\gcd(b, m) = 1$ and $\gcd(k, \varphi(m)) = 1$.

Solution to Problem 3.2. Keep trying $x = 0, 1, 2, \ldots$ (Check how many steps will be required in the worst case.)

Another solution to Problem 3.2. We can use the Euler function!

1. Estimate the Euler function $\varphi(m)$.

2. Find a pair of positive integers $u$ and $v$ which satisfy

$$ku - \varphi(m)v = \gcd(k, \varphi(m)) = 1. \tag{3.6}$$

Here we can use the extended Euclidean algorithm.

3. The solution is

$$x = b^u \bmod m. \tag{3.7}$$

Here we can use the procedure given in Section 3.1.
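The procedure of Section 3.1, which step 3 relies on, written out as an added Python example (not part of the original handout; the name `power_mod` is chosen here for illustration). It returns the table of repeated squares together with the result, so the values of Solution 3.1 can be compared line by line.

```python
def power_mod(a, k, m):
    """Compute a**k mod m by repeated squaring (Section 3.1).

    Returns (result, squares, used): squares maps each exponent 2**i to
    a**(2**i) mod m, and used lists the powers of two that sum to k.
    """
    if k < 0 or m < 1:
        raise ValueError("need k >= 0 and m >= 1")
    squares, used = {}, []
    result, square, exp = 1 % m, a % m, 1
    while k > 0:
        squares[exp] = square
        if k & 1:                      # this binary digit of k is 1
            used.append(exp)
            result = result * square % m
        square = square * square % m   # a^(2e) = (a^e)^2 mod m
        exp *= 2
        k >>= 1
    return result, squares, used


if __name__ == "__main__":
    result, squares, used = power_mod(7, 327, 853)   # Problem 3.1
    for e, value in squares.items():
        print(f"7^{e} = {value} mod 853")
    print("327 =", " + ".join(str(e) for e in reversed(used)))
    print("7^327 =", result, "mod 853")
    # One squaring per binary digit of k: about log2(k) steps (Remark 3.1).
    print("squarings:", len(squares))
```
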

Here's why this will give us the solution:

$$x^k = (b^u)^k = b^{uk} = b^{1+\varphi(m)v} = b \cdot (b^{\varphi(m)})^v,$$

where we used (3.26). Since $\gcd(b, m) = 1$, we can use Euler's formula (Theorem 2.2), and

$$b^{\varphi(m)} = 1 \bmod m. \tag{3.8}$$

Thus, we have

$$x^k = b \bmod m. \tag{3.9}$$

Remark 3.2. The important point is how to estimate $\varphi(m)$. If we know the factorization of $m$ into primes, the estimation is relatively easy. For example, if we have the factorization

$$m = pq, \tag{3.10}$$

then we can use Theorem 2.3, and

$$\varphi(m) = \varphi(p)\varphi(q) = (p-1)(q-1) \tag{3.11}$$

Indeed, factorization is known to be one of the notoriously hard problems.

Example 3.1. Find $x$ satisfying

$$x^{131} \equiv 758 \bmod 1073. \tag{3.12}$$

First we need to find the factorization of 1073, which is $1073 = 29 \cdot 37$. Thus,

$$\varphi(1073) = 28 \cdot 36 = 1008. \tag{3.13}$$

Next, we need to find a pair of positive integers $(u, v)$ satisfying

$$ku - \varphi(m)v = 1. \tag{3.14}$$

$$131u - 1008v = 1. \tag{3.15}$$

We can find $(u, v)$ by the extended Euclidean algorithm and

$$131 \cdot (-277) - 1008 \cdot (-36) = 1. \tag{3.16}$$

The pair should be positive. If $(x_1, y_1)$ is the solution of

$$ax + by = 1. \tag{3.17}$$

Then, $(x_1 - b, y_1 + a)$ is also the solution of the equation.

$$a(x_1 - b) + b(y_1 + a) = ax_1 + by_1 = 1. \tag{3.18}$$

Thus, we can adjust the pair by

$$(u, v) = (-277 + 1008, -36 + 131) = (731, 95), \tag{3.19}$$

where we have

$$131 \cdot 731 - 1008 \cdot 95 = 1. \tag{3.20}$$

Thus, we have

$$x \equiv 758^u \equiv 758^{731} \equiv 905 \bmod 1073. \tag{3.21}$$

Exercise 3.2. Find the solutions:

1. $$x^{329} = 452 \bmod 1147. \tag{3.22}$$

2. $$x^{113} = 347 \bmod 463. \tag{3.23}$$

3.3 RSA

Let $a$ be the message to be encrypted. The following is the procedure to encrypt the message $a$.

1. Pick two large prime numbers $p$ and $q$.

2. Set $m = pq$.

3. Derive the Euler function $\varphi(m)$ as

$$\varphi(m) = \varphi(p)\varphi(q) = (p-1)(q-1). \tag{3.24}$$

4. Pick the encryption key $k$ which is relatively prime to $\varphi(m)$.

5. Encrypt the message $a$ by

$$b = a^k \tag{3.25}$$

When you receive the encrypted message, you can decrypt the message by using the method described in Section 3.2.

1. Find a pair of positive integers $u$ and $v$ which satisfy

$$ku - \varphi(m)v = \gcd(k, \varphi(m)) = 1, \tag{3.26}$$

by the extended Euclidean algorithm.

2. The solution is

$$x = b^u \bmod m. \tag{3.27}$$

Exercise 3.3. We know that the numbers 5192, 2604, 4222 are encrypted by $m = 7081$ and $k = 1789$. Decrypt the numbers.
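The decryption method of Sections 3.2 and 3.3, as an added Python example that is not part of the original handout, checked against Example 3.1. The function names are chosen here for illustration, $m$ is assumed to be a product of two distinct primes, and Python's built-in `pow(k, -1, phi)` stands in for the extended Euclidean algorithm. The trial-division step makes Remark 3.2 concrete: anyone who can factor $m$ can compute $\varphi(m)$ and the decryption exponent $u$, which takes no effort for moduli of this size.

```python
from math import gcd


def factor_semiprime(m):
    """Trial division: return (p, q) with p*q == m, p the smallest factor.

    Feasible only because the textbook moduli used here are tiny.
    """
    p = 2
    while p * p <= m:
        if m % p == 0:
            return p, m // p
        p += 1
    raise ValueError("m is prime, not a product of two primes")


def decryption_exponent(k, m):
    """Return (u, phi) with k*u = 1 mod phi(m); assumes m = p*q, p != q prime."""
    p, q = factor_semiprime(m)
    if p == q:
        raise ValueError("phi(m) = (p-1)(q-1) needs distinct primes")
    phi = (p - 1) * (q - 1)            # equation (3.24)
    if gcd(k, phi) != 1:
        raise ValueError("k must be relatively prime to phi(m)")
    return pow(k, -1, phi), phi        # modular inverse, Python 3.8+


def kth_root_mod(b, k, m):
    """Solve x**k = b mod m as x = b**u mod m, equations (3.26)-(3.27)."""
    if gcd(b, m) != 1:
        raise ValueError("the method assumes gcd(b, m) = 1")
    u, _ = decryption_exponent(k, m)
    return pow(b, u, m)


if __name__ == "__main__":
    print(decryption_exponent(131, 1073))   # (u, phi(m)) of Example 3.1
    print(kth_root_mod(758, 131, 1073))     # x of equation (3.21)
    a = 42                                  # constructed sample message
    b = pow(a, 131, 1073)                   # encrypt as in (3.25), reduced mod m
    print(kth_root_mod(b, 131, 1073) == a)
```
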