Download Theory Behind RSA

Theory behind RSA
by
Mehmet Gunes
Introduction
 Objective:
– To understand how the RSA algorithm works.
– To review the number theory behind the RSA algorithm.
 RSA Algorithm
 Elementary Number Theory
 Greatest Common Divisor
 Modular Arithmetic
 Fermat’s Little Theorem
 Euler’s Identity
 Analyzing RSA
Rivest, Shamir, Adelman (RSA)
 Choose 2 large prime numbers, p and q
 Compute n=p*q and z=(p-1)*(q-1)
 Choose d, relatively prime to z
 Find e, such that e*d=1 mod z
(e*d mod z = 1)
 This produces Public key (n, e) and
Private key (n, d), the two keys that are
used in the Encoding and Decoding.
RSA: Encryption, decryption
Given (n,e) and (n,d) as computed above
To encrypt bit pattern, m, compute
c = m e mod n (remainder when m e is divided by n)
To decrypt received bit pattern, c, compute
m = c d mod n (remainder when c d is divided by n)
Magic
d
m = (m e mod n) mod n
happens!
Example
P=7; q=11
 n=77; z=60
d=13; e=37; k=6
Test message = CAT
Using A=1, etc and 5-bit representation:
–
00011 00001 10100
 Since k=6, regroup the bits (arrange right to left so that any
padding needed will put 0's on the left and not change the
value. 3 leading zeros added to fill the block):
– 000000 110000 110100




– decimal equivalent: 0 48 52
 Each raised to the power 37 mod 77: 0 27 24
 Each raised to the power 13 mod 77: 0 48 52
Elementary Number Theory
 Given positive integers a and b: a | b
indicates that a divides b or b is a multiple of a.
Then, there is some integer k, such that b = a*k
 Properties
– a | b and b | c  a | c
– a | b and a | c  a | ( i*b + j*c )  integers i and j
– a | b and b | a  a = b or a = -b
Elementary Number Theory
 An integer p is said to be prime if p ≥ 2 and its
only divisors are 1 and p.
– If p is prime and d | p then either d = 1 or d = p.
 An integer greater than 2 that is not prime is said to
be composite.
Eg. Prime: 5, 11, 101, 98711 Composite: 25, 10403 (=101*103)
Theorem: Let n > 1 be an integer. Then there is a
unique set of prime numbers {p1,…pk} and
positive integer exponents {e1,…ek}, such that
n = p1e1··· pkek
(prime decomposition)
Elementary Number Theory
 Euclid: There are infinitely many primes.
 Proof. If not, list them out: p1, p2, …, pk
Then p1* p2 *… *pk+1 is 1 greater than a multiple
of p1, p2, …, pk, so must be divisible by a prime
not on the list.
 The largest known prime is 213,466,917-1, which has
4,053,946 digits
 Primality: Simply start checking for divisibility
by 2, 3, 4, 5, 6, 7, … A number n is prime if it isn’t
divisible by any number up to n
 Determining whether a number is prime is a much
easier question than factoring it.
The Greatest Common Divisor (GCD)
 gcd (a,b) is the largest integer that divides both a
and b.
gcd (a,b) = c
such that if d | a and d | b then d | c
 If gcd (a,b) = 1, then a and b are relatively prime.
 Properties
– gcd (a, 0) = gcd (0, a) = a
– gcd (a, b) = gcd (|a|, |b|)
– gcd (a, b) = gcd (b, a−rb)
Modular Arithmetic (Zn)
 Definition: a  b (mod n)  n | (b - a)
Alternatively, a = qn + b
 Properties
– a  a (mod n)
[Reflexive]
– a  b (mod n)  b  a (mod n) [Symmetric]
– a  b (mod n) and b  c (mod n)
 a  c (mod n) [Transitive]
Modular Arithmetic (Zn)
 Definition: An equivalence class mod n
[a] = { x: x  a (mod n)} = { a + qn | q  Z}
 Representation of Zn (Positive Representation) :
Choose the smallest positive integer in the class [a]
then the representation is
{0,1,…,n-1}.
 Corollary: Let x > 0 be an element of Zn such that
gcd (x, n) = 1. Then
Zn = {i·x : i = 0, 1, …, n-1}
Modular Arithmetic (Zn)
It is possible to perform arithmetic with equivalence classes
mod n.
– [a] + [b] = [a+b]
– [a] * [b] = [a*b]
If you replace a and b by numbers equivalent to a or b mod n
you end of with the sum/product being in the same
equivalence class.
– a1  a2 (mod n) and b1  b2 (mod n)  a1+ b1  a2 + b2 (mod n)
– a1* b1  a2 * b2 (mod n)
–(a + q1n) + (b + q2n) = a + b + (q1 + q2)n
–(a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n
Euclid’s GCD algorithm
EuclidGCD (a,b):
if b = 0 then return a
return EuclidGCD (b, a mod b)
Eg. gcd (412, 260)
1
2
3
4
5
6
7
a 412 260
152
108
44
20
4
b 260 152
108
44
20
4
0
Extended Euclid algorithm
ExtendedEuclidGCD (a,b):
if b = 0 then return (a,1,0)
q = a mod b
Let r be the integer such that a = r·b+q
(d,k,l) = ExtendedEuclidGCD(b,q)
return EuclidGCD (d, l, k-l·r)
Eg. ExtendedEuclidGCD (412, 260) (d,i,j) such that d = gcd (a,b) = i*a+j*b
1
2
3
4
5
6
7
a
412
260
152
108
44
20
4
b
260
152
108
44
20
4
0
r
1
1
1
2
2
5
i
12
-7
5
-2
1
0
1
j
-19
12
-7
5
-2
1
0
Modular Inverses
 Definition:
– x is the additive inverse of a mod n, if a+x  0 (mod n)
– x is the multiplicative inverse of a mod n, if a*x  1
(mod n)
 Theorem: The equation a*x  1 (mod n) has a
solution iff gcd (a,n) = 1.
 Proof:
By the Extended Euclidean Algorithm, there exist x and y
such that ax + ny = gcd (a,n).
When gcd (a,n) = 1, we get a*x + n*y = 1.
Taking this equation mod n, we see that a*x  1 (mod n)
Fermat’s Little Theorem
Theorem: Let p be a prime and x be an integer such
that x mod p  0. Then xp-1  1 (mod p).
More generally, if x  Zp, then xp  x (mod p).
Proof: Assume that 0 < x < p and x mod p  0, then
{1,2,…p-1}  {x·1, x ·2, …x(p-1)}
[Corollary]
1·2 · · ·(p-1) = (p-1)!
(x·1) · (x·2) · · · (x·(p-1))  (p-1)!
(mod p)
xp-1·(p-1)!  (p-1)!
(mod p)
Since p is prime, every nonnull element in Zp has a
multiplicative inverse.
Thus, we can cancel (p-1)! Terms from both sides.
xp-1  1 (mod p)
Euler phi function
 Definition: The number of positive integers less
than or equal to n that are relatively prime to n.
phi(n) = #{a: 0 < a < n and gcd(a,n) = 1}
 Properties:
– (p) = p-1,
for prime number p.
– (p*q) = (p-1)*(q-1) for prime numbers p and q.
– (p^e) = (p-1)*p^(e-1)
–  (m*n) =  (m)* (n) for gcd(m,n) = 1.
 Eg.
– (15) = (3)* (5) = 2*4 = 8. #{1,2,4,7,8,11,13,14}
– (9) = (3-1)*3^(2-1) = 2*3 = 6
#{1,2,4,5,7,8}
Euler’s Identity
 The number of elements in Zn that have
multiplicative inverses is equal to phi(n).
 Theorem:
Let Zn* be the elements of Zn with inverses.
If a  Zn*, then a(n)  1 (mod n).
 Proof: The same proof presented for
Fermat’s theorem can be used to prove this
theorem.
Analyzing RSA
 The running time of RSA encryption, decryption, signature
and verification is simple
–Each operation requires a constant number of modular
exponentiations that can be performed with FastExponention
Analyzing RSA
 Selection of two random primes can be done
by testing random integers for primality.
 Selection of e can be done by picking
random primes less than (n) that does not
divide (n). (Small primes i.e. 17 will work)
 Computing multiplicative inverse d of e in
Z(n) can be done using extended Euclid
algorithm.
Analyzing RSA
 RSA is based on Fermat’s Little Theorem and depends on
being able to find large primes quickly, whereas anyone
given the product of two large primes “cannot” factor the
number in a reasonable time.
 Even if we know e we cannot figure out d unless we know
(n). To find (n), we need to factor n.
 While there is no proof that factorization is computationally
difficult, no easy solution is found yet by famous
mathematicians.
 However, we are secure unless some technological
breakthrough factors 200 digit numbers in feasible time.
Even then we only need to choose n with 300 or 400 digits.
References
•R.L. Rivest, A. Shamir, L. Adleman, “A Method for
Obtaining Digital Signatures and Public-Key
Cryptosystems”, 1978
•“Number Theory and Cryptography”
•Jeremy R. Johnson, “Modular Arithmetic and the
RSA Public Key Cryptosystem”
•George T. Gilbert, “Prime Numbers: A Recent
Discovery, Secure Communications, and Million
Dollar Prizes”
•“RSA Algorithm”, http://www.di-mgt.com.au/rsa_alg.html