Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
RSA Encryption Zeph Grunschlag Copyright © Zeph Grunschlag, 2001-2002. Agenda RSA Cryptography A useful and basically unbreakable method for encoding messages Needed for implementing RSA: L13 Fast Exponentiation Extended Euler’s Algorithm Modular inverses FLT (Fermat’s Little Theorem) CRT (Chinese Remainder Theorem) 2 RSA Cryptography Most internet shopping sites offer a “secure connection” option that allows shoppers to disclose personal information such as credit card, address, etc. without fear that a snoop on the communication will be able to tell what’s happening: Mr. Snoop Snoopy Snoop …#24@ &3240 msP28*… L13 …Last Name: Smiley… 3 RSA Cryptography There are several encryption methods. Perhaps the simplest “unbreakable” system is the RSA (Rivest, Shamir, Adleman) system. FrogsRUs.com provides a large number N (e.g. 1024 bit binary number) and an encryption exponent e. Usually the N, e server communicates these directly to web browser behind the scenes. L13 4 RSA Cryptography Mr. Smiley’s browser then converts his message into numbers, as in the modular encryption that we saw before. The letters are then put together into number blocks with each block less than N. Mr. Smiley’s browser exponentiates each number block by the exponent e modulo N and broadcasts these garbled blocks back to FrogsRUs.com L13 5 RSA Cryptography N = 4559, e = 13. m e mod N Smiley Transmits: “Last name Smiley” L13 6 RSA Cryptography N = 4559, e = 13. m e mod N Smiley Transmits: “Last name Smiley” L A S T N A M E S M I L E Y L13 7 RSA Cryptography N = 4559, e = 13. m e mod N Smiley Transmits: “Last name Smiley” L A S T N A M E S M I L E Y L13 1201 1920 0014 0113 0500 1913 0912 0525 8 RSA Cryptography N = 4559, e = 13. m e mod N Smiley Transmits: “Last name Smiley” L A S T N A M E S M I L E Y L13 1201 1920 0014 0113 0500 1913 0912 0525 120113 mod 4559, 192013 mod 4559, … 9 RSA Cryptography N = 4559, e = 13. m e mod N Smiley Transmits: “Last name Smiley” L A S T N A M E S M I L E Y L13 1201 1920 0014 0113 0500 1913 0912 0525 120113 mod 4559, 192013 mod 4559, … 2853 0116 1478 2150 3906 4256 1445 2462 10 RSA Cryptography FrogsRUs.com receives the encrypted blocks n = m e mod N. They have a private decryption exponent d which when applied to n recovers the original blocks m : (m e mod N )d mod N = m For N = 4559, e = 13 the decryptor d = 3397. L13 11 RSA Cryptography N = 4559, d = 3397 2853 0116 1478 2150 L13 3906 4256 1445 2462 12 RSA Cryptography N = 4559, d = 3397 2853 0116 1478 2150 3906 4256 1445 28533397 mod 4559, 01163397 mod 4559, … L13 2462 13 RSA Cryptography N = 4559, d = 3397 2853 0116 1478 2150 3906 4256 1445 28533397 mod 4559, 01163397 mod 4559, … 1201 1920 0014 0113 0500 1913 0912 L13 2462 0525 14 RSA Cryptography N = 4559, d = 3397 2853 0116 1478 2150 3906 4256 1445 28533397 mod 4559, 01163397 mod 4559, … 1201 1920 0014 0113 0500 1913 0912 L13 2462 0525 15 RSA Cryptography N = 4559, d = 3397 2853 0116 1478 2150 3906 4256 1445 2462 28533397 mod 4559, 01163397 mod 4559, … 1201 1920 0014 0113 0500 1913 0912 0525 LA S T N A M E S M I L E Y L13 16 RSA Cryptography The key to security of RSA cryptosystem: The public key (N,e) must be such that it is very difficult for Snoop Snoopy Snoop to figure out what d is, yet very simple for FrogsRUs.com to come up with. L13 17 Fast Modular Exponentiation In order to implement RSA exponentiation relative some modulo needs to be done a lot. So this operation better be doable, and fast. Q: How is it even possible to compute 28533397 mod 4559 ? After all, 28533397 has approximately 3397·4 digits! L13 18 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 L13 19 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) L13 20 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) L13 21 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) 49 · (-7) (mod 30) L13 22 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) 49 · (-7) (mod 30) 19·(-7) (mod 30) L13 23 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) 49 · (-7) (mod 30) 19·(-7) (mod 30) -133 (mod 30) L13 24 Fast Modular Exponentiation A: By taking the mod after each multiplication. EG, a more lucid example: 233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) 49 · (-7) (mod 30) 19·(-7) (mod 30) -133 (mod 30) 17 (mod 30) L13 25 Fast Modular Exponentiation Therefore, 233 mod 30 = 17. Q: What if had to figure out 2316 mod 30. Same way tedious: need to multiply 15 times. Is there a better way? L13 26 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 L13 27 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) L13 28 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) L13 29 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) L13 30 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) ((121)2)2 (mod 30) L13 31 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) ((121)2)2 (mod 30) ((1)2 )2 (mod 30) L13 32 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) ((121)2)2 (mod 30) ((1)2 )2 (mod 30) (1)2 (mod 30) L13 33 Fast Modular Exponentiation A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2 Therefore: 2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) ((121)2)2 (mod 30) ((1)2 )2 (mod 30) (1)2 (mod 30) 1(mod 30) Which implies that 2316 mod 30 = 1. Q: How ‘bout 2325 mod 30 ? L13 34 Fast Modular Exponentiation A: The previous method of repeated squaring works for any exponent that’s a power of 2. 25 isn’t. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. Previous calculation: 238 mod 30 = 2316 mod 30 = 1 Thus: 2325 mod 30 2316+8+1 (mod 30) L13 35 Fast Modular Exponentiation A: The previous method of repeated squaring works for any exponent that’s a power of 2. 25 isn’t. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. Previous calculation: 238 mod 30 = 2316 mod 30 = 1 Thus: 2325 mod 30 2316+8+1 (mod 30) 2316·238·231 (mod 30) L13 36 Fast Modular Exponentiation A: The previous method of repeated squaring works for any exponent that’s a power of 2. 25 isn’t. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. Previous calculation: 238 mod 30 = 2316 mod 30 = 1 Thus: 2325 mod 30 2316+8+1 (mod 30) 2316·238·231 (mod 30) 1·1·23 (mod 30) Final answer: 2325 mod 30 = 23 L13 37 Fast Modular Exponentiation Q: How could we have figured out the decomposition 25 = 16 + 8 + 1 from the binary (unsigned) representation of 25? L13 38 Fast Modular Exponentiation A: 25 = (11001)2 This means that 25 = 1·16+1·8+0·4+0·2+1·1 = 16+8+1 Can tell which powers of 2 appear by where the 1’s are. This follows from the definition of binary representation. L13 39 Fast Modular Exponentiation Pseudocode fastExponentiation(integer m, pos. integers e, N) unun-1 un-2 … u2 u1 u0 = representInBinary(e) squarePower0= m mod N for( i = 0 to n-1) squarePoweri+1 = squarePoweri 2 mod N power = 1 for(i = 0 to n) if (ui == 1 ) power = power · squarePoweri mod N return power L13 40 Modular Inverses Recall the simple encryption function f (a) = (3a + 9) mod 26 We made the claim that an inverse function is given by: g (a) = (9a – 3) mod 26 Check this: g (f (a )) g(3a+9) (mod 26) 9(3a+9)-3 (mod 26) 27a+81-3 (mod 26) 27a+78 (mod 26) a (mod 26). So for a in the range [0,25] we have g (f (a )) = a and so g and f are inverses of each other. L13 41 Modular Inverses How could one have inverted f methodically? Do simpler example: f (a ) = 3a mod 26 Look for constant x and an inverse of the form: g(a ) = xa Then condition g(f (a )) a (mod 26) gives: g(f (a )) x·3a (mod 26) a (mod 26) If we can solve this for a=1, it will work for all other x as well. So plug in a=1 to get: 3x 1 (mod 26) I.e. we wish to find an inverse of 3 modulo 26. L13 42 Modular Inverses DEF: The inverse of e modulo N is the number d between 1 and N-1 such that de 1 (mod N) if such a number exists. Q: What is the inverse of 3 modulo 26? L13 43 Modular Inverses A: 9 because 9·3 = 27 1 (mod 26). Q: What is the inverse of 4 modulo 8? L13 44 Modular Inverses A: Trick Question! No inverse can exist because 4x is always 0 or 4 modulo 8! THM1: e has an inverse modulo N if and only if e and N are relatively prime. This will follow from the following useful fact. THM2: If a and b are positive integers, the gcd of a and b can be expressed as an integer combination of a and b. I.e., there are integers s,t for which gcd(a,b) = sa + tb L13 45 Modular Inverses Example 5·14 - 3·23 =1 implies: gcd(14,23) = 1 Any number dividing both 14 and 23 must divide 1 The inverse of 14 modulo 23 is 5 5·14 =1+ 3·23 5·14 1 (mod 23) “An” inverse of 23 modulo 14 is -3 L13 -3·23 =1- 5·14 -3·23 1 (mod 14) 11·23 1 (mod 14) “The” inverse is 11 46 Modular Inverses Proof of THM1 using THM2: If an inverse d exists for e modulo N, we have de 1 (mod N) so that for some k, de = 1 +kN, so 1 = de – kN. This equation implies that any number dividing both e and N must divide 1, so must be 1, so e,N are relatively prime. L13 47 Modular Inverses On the other hand, suppose that e,N are relatively prime. Using THM2, write 1 = se + tN. Rewrite this as se = 1-tN. Evaluating both sides mod N gives se 1 (mod N) . Therefore s is seemingly the inverse e except that it may be in the wrong range so set d = s mod N. • L13 48 Extended Euclidean Algorithm A constructive version of THM2 which gives s and t will give explicit inverses. This is what the extended Euclidean algorithm does. The extended Euclidean algorithm works the same as the regular Euclidean algorithm except that we keep track of more details – namely the quotient q = x/y in addition to the remainder r = x mod y. This allows us to backtrack and write the gcd(a,b) as a linear combination of a and b. L13 49 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - L13 x y gcd = ax+by 33 77 50 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - 1 L13 x y gcd = ax+by 33 77 33=0·77+33 77 33 51 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - x y 33 77 1 33=0·77+33 77 33 2 77=2·33+11 33 11 L13 gcd = ax+by 52 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - x y 33 77 1 33=0·77+33 77 33 2 77=2·33+11 33 11 3 33=3·11+0 11 0 L13 gcd = ax+by 53 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - x y 33 77 1 33=0·77+33 77 33 2 77=2·33+11 33 11 3 33=3·11+0 11 0 L13 gcd = ax+by Solve for r. Plug it in. 54 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - x y gcd = ax+by 33 77 1 33=0·77+33 77 33 2 77=2·33+11 33 11 11 = 77 - 2·33 3 33=3·11+0 11 0 Solve for r. Plug it in. L13 55 Extended Euclidean Algorithm Examples gcd(33,77) Step x = qy + r 0 - x y gcd = ax+by 33 77 11= 77 - 2·(33-0·77) 1 33=0·77+33 77 33 2 77=2·33+11 33 11 11 = 77 - 2·33 3 33=3·11+0 11 0 Solve for r. Plug it in. = Therefore s = -2 and t = 1 L13 -2·33 + 1·77 56 Extended Euclidean Algorithm Examples gcd(244,117): Step x = qy + r 0 - L13 x y gcd = ax+by 244 117 57 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 - 58 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 - 59 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 3 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 10=7+3 7 3 - 60 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 3 4 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 10=7+3 7 3 7=2·3+1 3 1 - 61 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 3 4 5 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 10=7+3 7 3 7=2·3+1 3 1 3=3·1+0 1 0 - 62 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 3 4 5 L13 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 10=7+3 7 3 1=7-2·3 7=2·3+1 3 1 3=3·1+0 1 0 Solve for r. Plug it in. - 63 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 117=11·10+7 10 7 - 3 10=7+3 7 3 1=7-2·(10-7) = -2·10+3·7 4 5 7=2·3+1 3 1 1 0 1=7-2·3 L13 3=3·1+0 Solve for r. Plug it in. 64 Extended Euclidean Algorithm Examples gcd(244,117): Step 0 1 2 x = qy + r x y gcd = ax+by 244 117 244=2·117+10 117 10 - 117=11·10+7 10 7 1=-2·10+3·(117-11·10) = 3·117-35·10 3 10=7+3 7 3 1=7-2·(10-7) = -2·10+3·7 4 5 7=2·3+1 3 1 1 0 1=7-2·3 L13 3=3·1+0 Solve for r. Plug it in. 65 Extended Euclidean Algorithm Examples gcd(244,117): Step x = qy + r 0 - 1 2 x gcd = ax+by 244 117 244=2·117+10 117 117=11·10+7 y 10 10 1= 3·117-35·(244- 2·117) = -35·244+73·117 7 1=-2·10+3·(117-11·10) = 3·117-35·10 3 10=7+3 7 3 1=7-2·(10-7) = -2·10+3·7 4 5 7=2·3+1 3 1 1 0 1=7-2·3 L13 3=3·1+0 Solve for r. Plug it in. 66 Extended Euclidean Algorithm Examples inverse of 244 modulo 117 gcd(244,117): Step x = qy + r 0 - 1 2 x gcd = ax+by 244 117 244=2·117+10 117 117=11·10+7 y 10 10 1= 3·117-35·(244- 2·117) = -35·244+73·117 7 1=-2·10+3·(117-11·10) = 3·117-35·10 3 10=7+3 7 3 1=7-2·(10-7) = -2·10+3·7 4 5 7=2·3+1 3 1 1 0 1=7-2·3 L13 3=3·1+0 Solve for r. Plug it in. 67 Extended Euclidean Algorithm Summary: Extended Euclidean algorithm works by keeping track of how remainder r results from dividing x by y. Last such equation gives gcd in terms of last x and y. By repeatedly inserting r into the last equation, one can get the gcd in terms of bigger and bigger values of x,y until at the very top is reached, which gives the gcd in terms of the inputs a,b. L13 68 Exponential Inverses Finding modular inverses is good enough for decoding simple modular cryptography. However, in RSA encryption consists of exponentiating modulo N, i.e. m e mod N. We want to find a different exponent d based on e and N which will give us back m, i.e. we want m de mod N =m. In other words, we want an exponential inverse for e modulo N. L13 69 Exponential Inverses. Prime Modulii To tackle the general problem, start first with the case of N a prime number. Exponentiation modulo a prime number is well understood. EG: Consider exponentiating 3 modulo 7: 1. 2. 3. 4. 5. 6. L13 31 mod 32 mod 33 mod 34 mod 35 mod 36 mod 7 7 7 7 7 7 = = = = = = 3 2 6 4 5 1 7. 37 mod 7 = 3 8. 38 mod 7 = 2 9. 39 mod 7 = 6 10.310 mod 7 = 4 11.311 mod 7 = 5 12.312 mod 7 = 1 70 Exponential Inverses. Prime Modulii Exponentiating to the p -1 power results in 1. Therefore, any further exponentiation results in a cycling, with repetitions occurring every 6 exponentiations. Fermat’s Little Theorem says that this effect happens for all rel-prime numbers under prime modulus: 1. 2. 3. 4. 5. 6. L13 31 mod 7 32 mod 7 33 mod 7 34 mod 7 35 mod 7 36 mod 7 = = = = = = 3 2 6 4 5 1 7. 37 mod 7 = 3 8. 38 mod 7 = 2 9. 39 mod 7 = 6 10.310 mod 7 = 4 11.311 mod 7 = 5 12.312 mod 7 = 1 71 Fermat’s Little Theorem THM (FLT): Suppose that p is a prime number. If a is not divisible by p then a p-1 1 (mod p) . Furthermore, all numbers satisfy a p a (mod p) . EG: Compute 9100 mod 17: p =17, so p-1 = 16. 100 = 6·16+4. Therefore, 9100=96·16+4=(916)6(9)4 . So mod 17 we have 9100 (916)6(9)4 (mod 17) (1)6(9)4 (mod 17) (81)2 (mod 17) (-4)2 (mod 17) 16 L13 72 Exponential Inverses. Prime Modulii COR: If e is relatively prime to p –1, where p is prime, then its exponential inverse modulo p exists and is the inverse of d modulo p-1. Proof. Supposing de 1 (mod p-1). Then for some k, de = 1+k (p-1). So if a is any number not divisible by p, FLT implies: ade a1+k(p-1) (mod p) a (mod p) In other words, exponentiating by de doesn’t change numbers, modulo p, so by definition, d and e are exponential inverses. • L13 73 Exponential Inverses. Prime Modulii EG: Find the exponential inverse of 3 modulo 11. p =11, so p-1 = 10. The inverse of 3 modulo 10 is 7, which is the answer. L13 74 Exponential Inverses. Next Step Q: Why don’t we just use a prime number as our base N since it’s so easy to find the decryptor d ? L13 75 Exponential Inverses. Next Step A: Because it’s so easy to find the decryptor d! Recall, this is a public cryptosystem. The key (N,e) is available to all customers. There is no way of restricting customers to the benevolent non-hackers. If a prime N were used, Mr. Snoop could simple shop once, analyze the communication stream to find out what N and e were, and decrypt other customer’s communications by finding the inverse of e modulo N-1. RSA uses next simplest case: N = pq –a product of two (different) primes. L13 76 Exponential Inverses. Next Step If we know what p and q are, then we’ll be able to find the exponential inverse. if But that’s a big . Factoring large numbers is a surprisingly difficult problem. No-one knows how to do this in polynomial time, except on theoretical Quantum Computers. L13 77 Exponential Inverses. Product of Two Primes However, FrogsRUs.com is the one coming up with N, so it knows what p and q are. FrogsRUs would like to make sure that it knows how to decrypt. So let’s see how to do this. We need one more important number theory fact: L13 78 Chinese Remainder Theorem Old Folk Tale: Chinese Emperor used to count his army by giving a series of tasks. 1. All troops should form groups of 3. Report back the number of soldiers that were not able to do this. 2. Now form groups of 5. Report back. 3. Now form groups of 7. Report back. 4. Etc. At the end, if product of all group numbers is sufficiently large, can ingeniously figure out how many troops. L13 79 Chinese Remainder Theorem L13 80 Chinese Remainder Theorem mod 3: N mod 3 = 1 L13 81 Chinese Remainder Theorem mod 5: N mod 5 = 2 L13 82 Chinese Remainder Theorem mod 7: N mod 7 = 2 L13 83 Chinese Remainder Theorem Secret inversion formula (for N < 105 = 3·5·7): N a (mod 3) N b (mod 5) N c (mod 7) Implies that N = (-35a + 21b + 15c) mod 105. So in our case a = 1, b = 2, c = 2 gives: N = (-35·1 + 21·2 + 15·2) mod 105 = (-35 + 42 + 30) mod 105 = 37 mod 105 = 37 L13 84 Chinese Remainder Theorem How did I come up with the secret formula? For any x, a, b, and c satisfying x a (mod 3) x b (mod 5) x c (mod 7) Chinese Remainder Theorem says that this is enough information to uniquely determine x modulo 3·5·7. Proof, gives an algorithm for finding x –i.e. the secret formula. L13 85 Chinese Remainder Theorem Example 1. Find three numbers l,m,n with following properties l 1(mod 3), l 0(mod 5), l 0(mod 7) m0(mod 3), m 1(mod 5), m 0(mod 7) n 0(mod 3), n 0(mod 5), n 1(mod 7) 2. Then y = al+bm +cn [secret formula] satisfies y al+bm +cn (mod 3) a·1+0 + 0 (mod 3) a (mod 3) Similarly, y b (mod 5) Similarly, y c (mod 7) 3. This will imply x y (mod 3·5·7) L13 86 Chinese Remainder Theorem Example Find three numbers l,m,n: Standard trick. EG, to find l : a) Multiply together all modulii different from 3. Result: 5·7 = 35 b) Find an inverse of this number mod 3: In this case it’s easy. 35 2(mod 3) so find an inverse of 2 [2 or anything congruent to 2(mod 3)]. Practice shows that should choose inverse of smallest magnitude: –1. c) l is the product of (a) and (b): l = -35 l is 0 mod 5 and 7 since it’s divisible by 5·7. But (c) guarantees that it’s 1 modulo 3! L13 87 Chinese Remainder Theorem Example Similarly, m = 21 and n = 15. So our solution to all three congruences is: x = -35a + 21b + 15c If we want to guarantee a solution between 0 and 104, just compute x mod 105 . The same tricks can be generalized to prove: L13 88 Chinese Remainder Theorem THM (CRT): Let m1, m2, … , mn be pairwise relatively prime positive integers. Then there is a unique solution x in [0,m1·m2···mn-1] to the system of congruences: x a1 (mod m1 ) x a2 (mod m2 ) x an (mod mn ) L13 89 RSA Cryptosystem Final Piece Now we can define how to find the exponential inverse modulo N=pq and use CRT to prove the method correct. THM: Given e and distinct prime numbers p,q. Suppose that e is relatively prime to (p-1)(q-1). Then the exponential inverse of e is the inverse of e modulo (p-1)(q-1). L13 90 RSA Cryptosystem Final Piece EG: e=5,p=5, q=7. Find the inverse of 5 modulo (5-1)(7-1) = 24. 5 is its own inverse since 5·5=25 is 1 mod 24. So the theorem states that any number m should satisfy m 25 m (mod 35). Try for example m = 3, using the fact that 25 is 11001 in binary: 1. 31 mod 35 = 3 6. 325 mod 35 = 316+8+1 mod 35 2. 32 mod 35 = 9 = 11·16·3 mod 35 3. 34 mod 35 = 11 = 176·3 mod 35 4. 38 mod 35 = 16 = 1·3 mod 35 91 =3 L13 5. 316 mod 35 = 11 RSA Cryptosystem Proof of Decryption Proof that d is inverse of e mod (p-1)(q-1): We can therefore find k such that de = 1+k (p-1)(q-1). Does mde equal itself modulo N = pq ? mde m 1+k(p-1)(q-1) (mod pq). m 1·m k(p-1)(q-1) (mod pq) m ·m k(p-1)(q-1) (mod pq) L13 92 RSA Cryptosystem Proof of Decryption mde m ·m k(p-1)(q-1) (mod pq) So mod p: mde m·(m p-1) k(q-1)(mod p) If m relatively prime to p apply FLT: mde m·(1) k(q-1)(mod p) m (mod p) Otherwise, m 0 (mod p) so that mde 0de 0 m (mod p) Either case mde m (mod p). Similar argument: mde m (mod q). L13 93 RSA Cryptosystem Proof of Decryption So we have the system of congruences: mde m (mod p) mde m (mod q) Setting x = mde . CRT states that x m (mod p) x m (mod q) has a unique solution (mod pq). But another apparent solution is x = m. Therefore: mde m (mod pq) • L13 94