Download rsa

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
Document related concepts

Birkhoff's representation theorem wikipedia , lookup

Modular representation theory wikipedia , lookup

Polynomial greatest common divisor wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Fundamental theorem of algebra wikipedia , lookup

Transcript 
Algorithmic Number Theory and
Cryptography
(CS 303)
Modular Arithmetic and the RSA Public Key Cryptosystem
Jeremy R. Johnson
1
Introduction
• Objective: To understand what a public key cryptosystem is
and how the RSA algorithm works. To review the number
theory behind the RSA algorithm.
–
–
–
–
–
Public Key Cryptosystems
RSA Algorithm
Modular Arithmetic
Euler’s Identity
Chinese Remainder Theorem
References: Rivest, Shamir, Adelman.
2
Modular Arithmetic (Zn)
Definition: a  b (mod n)  n | (b - a)
Alternatively, a = qn + b
Properties (equivalence relation)
– a  a (mod n)
[Reflexive]
– a  b (mod n)  b  a (mod n) [Symmetric]
– a  b (mod n) and b  c (mod n)  a  c (mod n) [Transitive]
Definition: An equivalence class mod n
[a] = { x: x  a (mod n)} = { a + qn | q  Z}
3
Modular Arithmetic (Zn)
It is possible to perform arithmetic with equivalence classes
mod n.
– [a] + [b] = [a+b]
– [a] * [b] = [a*b]
In order for this to make sense, you must get the same answer
(equivalence) class independent of the choice of a and b. In other
words, if you replace a and b by numbers equivalent to a or b mod n you
end of with the sum/product being in the same equivalence class.
a1  a2 (mod n) and b1  b2 (mod n)  a1+ b1  a2 + b2 (mod n)
a1* b1  a2 * b2 (mod n)
(a + q1n) + (b + q2n) = a + b + (q1 + q2)n
(a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n
4
Representation of Zn
The equivalence classes [a] mod n, are typically represented
by the representatives a.
•
Positive Representation: Choose the smallest positive
integer in the class [a] then the representation is {0,1,…,n1}.
•
Symmetric Representation: Choose the integer with the
smallest absolute value in the class [a]. The representation
is {-(n-1)/2 ,…, n/2 }. When n is even, choose the
positive representative with absolute value n/2.
E.G. Z6 = {-2,-1,0,1,2,3}, Z5 = {-2,-1,0,1,2}
•
5
Modular Inverses
Definition: x is the inverse of a mod n, if ax  1 (mod n)
The equation ax  1 (mod n) has a solution iff gcd(a,n) = 1.
By the Extended Euclidean Algorithm, there exist x and y such that ax
+ ny = gcd(a,n). When gcd(a,n) = 1, we get ax + ny = 1. Taking this
equation mod n, we see that ax  1 (mod n)
By taking the equation mod n, we mean applying the mod n
homomorphism: m Z  Zm, which maps the integer a to the
equivalence class [a]. This mapping preserves sums and products.
I.E.
m(a+b) = m(a) + m(b), m(a*b) = m(a) * m(b)
6
Fermat’s Theorem
Theorem: If a  0  Zp, then ap-1  1 (mod p). More generally, if
a  Zp, then ap  a (mod p).
Proof: Assume that a  0  Zp. Then
a * 2a * … (p-1)a = (p-1)! * ap-1
Also, since a*i  a*j (mod p)  i  j (mod p), the numbers
a, 2a, …, (p-1)a are distinct elements of Zp. Therefore they
are equal to 1,2,…,(p-1) and their product is equal to
(p-1)! mod p. This implies that
(p-1)! * ap-1  (p-1)! (mod p)  ap-1  1 (mod p).
7
Euler phi function
• Definition: phi(n) = #{a: 0 < a < n and gcd(a,n) = 1}
• Properties:
–
–
–
–
(p) = p-1, for prime p.
(p^e) = (p-1)*p^(e-1)
 (m*n) =  (m)* (n) for gcd(m,n) = 1.
(p*q) = (p-1)*(q-1)
• Examples:
– (15) = (3)* (5) = 2*4 = 8. = #{1,2,4,7,8,11,13,14}
– (9) = (3-1)*3^(2-1) = 2*3 = 6 = #{1,2,4,5,7,8}
8
Euler’s Identity
• The number of elements in Zn that have multiplicative
inverses is equal to phi(n).
• Theorem: Let (Zn)* be the elements of Zn with inverses
(called units). If a  (Zn)*, then a(n)  1 (mod n).
Proof. The same proof presented for Fermat’s theorem can be
used to prove this theorem.
9
Chinese Remainder Theorem
Theorem: If gcd(m,n) = 1, then given a and b there exist an
integer solution to the system:
x  a (mod m) and x = b (mod n).
Proof:
Consider the map x  (x mod m, x mod n).
This map is a 1-1 map from Zmn to Zm  Zn, since if x and y map
to the same pair, then x  y (mod m) and x  y (mod n).
Since gcd(m,n) = 1, this implies that x  y (mod mn).
Since there are mn elements in both Zmn and Zm  Zn, the map
is also onto. This means that for every pair (a,b) we can
find the desired x.
10
Alternative Interpretation of CRT
• Let Zm  Zn denote the set of pairs (a,b) where a  Zm and b
 Zn. We can perform arithmetic on Zm  Zn by performing
componentwise modular arithmetic.
– (a,b) + (c,d) = (a+b,c+d)
– (a,b)*(c,d) = (a*c,b*d)
• Theorem: Zmn  Zm  Zn. I.E. There is a 1-1 mapping from
Zmn onto Zm  Zn that preserves arithmetic.
– (a*c mod m, b*d mod n) = (a mod m, b mod n)*(c mod m, d mod n)
– (a+c mod m, b+d mod n) = (a mod m, b mod n)+(c mod m, d mod n)
– The CRT implies that the map is onto. I.E. for every pair (a,b) there is
an integer x such that (x mod m, x mod n) = (a,b).
11
Constructive Chinese Remainder
Theorem
Theorem: If gcd(m,n) = 1, then there exist em and en
(orthogonal idempotents)
–
–
–
–
em 
em 
en 
en 
1 (mod m)
0 (mod n)
0 (mod m)
1 (mod n)
It follows that a*em + b* en  a (mod m) and  b (mod n).
Proof.
Since gcd(m,n) = 1, by the Extended Euclidean Algorithm,
there exist x and y with m*x + n*y = 1. Set em = n*y and en =
m*x
12
Public Key Cryptosystem
Let M be a message and let C be the encrypted message
(ciphertext). A public key cryptosystem has a separate
method E() for encrypting and D() decrypting.
• D(E(M)) = M
• Both E() and D() are easy to compute
• Publicly revealing E() does not make it easy to determine
D()
• E(D(M)) = M - needed for signatures
The collection of E()’s are made publicly available but the D()’s
remain secret. Called a one-way trap-door function (hard
to invert, but easy if you have the secret information)
13
RSA Public Key Cryptosystem
Based on the idea that it is hard to factor large numbers.
First encode M as an integer (e.g. use ASCII). Large messages
will need to be blocked.
• Choose n = p*q, the product of two large prime numbers.
• Choose e such that gcd(e,phi(n)) = 1.
• Choose d such that de  1 (mod  (n))
• E = (e,n) and E(M) = Me mod n
• D = (d,n) and D(M) = Md mod n
14
Correctness of the RSA Algorithm
Theorem: D(E(M)) = E(D(M)) = M.
Proof. D(E(M)) = (Me)d (mod n) = Med (mod n).
Since ed  1 (mod  (n)), ed = k*  (n) + 1, for some integer k.
Mk* (n)+1  (Mk* (n)+1 mod p, Mk* (n)+1 mod q)
= (Mk* (n) * M mod p, Mk* (n) * M mod q)
= (M(p-1)*(q-1)*k * M mod p, M(q-1)*(p-1)*k * M mod q) [since n = pq]
= ((M(p-1))(q-1)*k * M mod p, (M(q-1))(p-1)*k * M mod q)
= (M mod p, M mod q) [By Fermat’s theorem]
Therefore, by the CRT, Mk* (n)+1  M (mod n).
15
Related documents
REVIEW SENTENCE, FRAGMENT, RUN
REVIEW SENTENCE, FRAGMENT, RUN
Problem Set 8 The getting is
Problem Set 8 The getting is
Determine the number of odd binomial coefficients in the expansion
Determine the number of odd binomial coefficients in the expansion
[Part 2]
[Part 2]
Name: Math 111 - Midterm 1 Review Problems
Name: Math 111 - Midterm 1 Review Problems
MAS144 – Computational Mathematics and Statistics A (Statistics)
MAS144 – Computational Mathematics and Statistics A (Statistics)
Name: Math 4150 – Introduction to Number Theory Spring 2010 Test
Name: Math 4150 – Introduction to Number Theory Spring 2010 Test
(1) Find all prime numbers smaller than 100. (2) Give a proof by
(1) Find all prime numbers smaller than 100. (2) Give a proof by
Math 4707 Intro to combinatorics and graph theory
Math 4707 Intro to combinatorics and graph theory
TEST #2 Directions: Solve five of the following eight problems: three
TEST #2 Directions: Solve five of the following eight problems: three