Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.


Congruence Modulo m We say that two integers a and b are congruent modulo m if a – b is a multiple of m (m > 0). Write $a \equiv b \pmod{m}$. For example, $2 \equiv 7 \pmod{5}$. This is the “relational” notation. Congruence modulo m is an equivalence relation on $\mathbb{Z}$.

Operator Notation We can also treat mod as an operator, like the % operator in C. Then a mod m is the smallest nonnegative integer b such that $a \equiv b \pmod{m}$. For example, 100 mod 7 = 2. The relation $a \equiv b \pmod{m}$ is equivalent to the relation a mod m = b mod m.

Congruence Modulo m Theorem: Let a, b, and m be integers with m > 0. Then the following statements are equivalent: (1) $m \mid (a - b)$; (2) $a \equiv b \pmod{m}$; (3) $a = b + km$ for some integer k; (4) $a \bmod m = b \bmod m$.

Modular Arithmetic Theorem: Let a, b, c, d, and m be integers with m > 0. If $a \equiv c \pmod{m}$ and $b \equiv d \pmod{m}$, then (1) $a + b \equiv c + d \pmod{m}$; (2) $a - b \equiv c - d \pmod{m}$; (3) $ab \equiv cd \pmod{m}$. In other words, modular addition, subtraction, and multiplication are consistent with ordinary arithmetic.

Modular Arithmetic Proof of $ab \equiv cd \pmod{m}$: Let a = c + um for some integer u and let b = d + vm for some integer v. Then $ab = (c + um)(d + vm) = cd + cvm + dum + uvm^2 = cd + (cv + du + uvm)m$. Therefore, $ab \equiv cd \pmod{m}$.

Example For example, $100 \equiv 2 \pmod{7}$ and $80 \equiv 3 \pmod{7}$. Therefore, $100 + 80 = 180 \equiv 5 \pmod{7}$; $100 - 80 = 20 \equiv -1 \equiv 6 \pmod{7}$; $100 \times 80 = 8000 \equiv 6 \pmod{7}$.

Raising to Powers Using the principle of Exercise 26 in Section 9.5, there is a very fast algorithm for computing $a^n \bmod m$.

Raising to Powers We modify this to be

Example Find mod = Compute $14^2 \bmod 27 = 7$; $7^2 \bmod 27 = 49 \bmod 27 = 22$; $22^2 \bmod 27 = (-5)^2 \bmod 27 = 25$; $25^2 \bmod 27 = (-2)^2 \bmod 27 = 4$; $4^2 \bmod 27 = 16$; $16^2 \bmod 27 = 13$.

Example So, mod 27 = $(22 \times 16 \times 13) \bmod 27$ = 13.

Example What are the last 4 digits of ? So =    2 64  2 32  2 8. Using the same method as in the last example, we get mod = 9376.
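
The repeated-squaring method from the preceding slides, written out as an added Python example (not part of the original lecture). The function names are illustrative; the exponent 100 = 64 + 32 + 4 and the power 2^1000 in the demo are assumptions, the first chosen because it selects the squares 22, 16 and 13 that the slide multiplies.

```python
def successive_squares(a, m, count):
    """Return [a^(2^0), a^(2^1), ..., a^(2^(count-1))], each reduced mod m."""
    squares = [a % m]
    for _ in range(count - 1):
        squares.append(squares[-1] * squares[-1] % m)
    return squares


def mod_pow(a, n, m):
    """Compute a^n mod m with about log2(n) squarings (square-and-multiply)."""
    if n < 0 or m <= 0:
        raise ValueError("need n >= 0 and m > 0")
    # Python's % is already nonnegative for m > 0; C's % is not for negative a.
    result, square = 1 % m, a % m
    while n:
        if n & 1:                      # this power of two is in n's binary expansion
            result = result * square % m
        square = square * square % m   # a^(2^k) -> a^(2^(k+1))
        n >>= 1
    return result


if __name__ == "__main__":
    # Squares of 14 mod 27, matching the chain on the slide: 7, 22, 25, 4, 16, 13.
    print(successive_squares(14, 27, 7))
    # Assumed exponent 100 = 64 + 32 + 4 picks out 13 * 16 * 22 mod 27.
    print(mod_pow(14, 100, 27))
    # Last four digits of a large power (constructed input): reduce mod 10000.
    print(mod_pow(2, 1000, 10000))
    # The RSA example later on the page: 65^7 mod 1517.
    print(mod_pow(65, 7, 1517))
```

Because the multiply step runs only for the 1-bits of n, the running time depends on the exponent; production RSA code relies on constant-time exponentiation from a vetted library.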

Modular Division Modular division is a little tricky. That is because, in general, the quotient of two integers is not an integer, and in modular arithmetic we use only integers.

Modular Division What is the “defining property” of ½? It is the fact that if you multiply it by 2, you get 1. That is, it is the solution to the equation 2x = 1.

Modular Division Analogously, we may define “½” mod m to be the solution to the congruence $2x \equiv 1 \pmod{m}$, if there is a unique solution.

Modular Division For example, if m = 5, then ½ is 3 since $2 \times 3 \equiv 1 \pmod{5}$. We call 3 the (multiplicative) inverse of 2. Modulo 5, dividing by 2 is the same as multiplying by 3. For example, $4/2 \equiv 4 \times 3 \equiv 12 \equiv 2 \pmod{5}$ and $3/2 \equiv 3 \times 3 \equiv 9 \equiv 4 \pmod{5}$.

The Extended Euclidean Algorithm The question is how to find inverses in general. We use the extended Euclidean algorithm. Recall the basic Euclidean algorithm: Given integers A and B, B > 0, let a = A, b = B. While $b \neq 0$: apply the quot-rem theorem, $a = qb + r$ with $0 \le r < b$, then let a = b, b = r. When the loop ends, a is the gcd of A and B.

The Euclidean Algorithm For example, find the gcd of 25520 and 19314: = 1  = 3  = 8  = 1  = 11  58 Thus, gcd(25520, 19314) = 58.

The Euclidean Algorithm We may present this in the form of a table with columns a, b, q, r.

The Extended Euclidean Algorithm The extended Euclidean algorithm adds two more columns to this table, labeled s and t. In row -1, initialize $s_{-1}$ to 1 and $t_{-1}$ to 0. In row 0, initialize $s_0$ to 0 and $t_0$ to 1. In each succeeding row, compute $s_n$ and $t_n$ recursively: $s_n = s_{n-2} - q_n s_{n-1}$ and $t_n = t_{n-2} - q_n t_{n-1}$.

Example Apply this to A = 25520 and B = 19314, in a table with columns a, b, q, r, s, t.

The Extended Euclidean Algorithm In each row, it is the case that $A s_n + B t_n = r_n$. In particular, in the second-to-last row, we see that $25520 \times (-28) + 19314 \times 37 = 58$, which is the gcd of 25520 and 19314.

The Extended Euclidean Algorithm Theorem: Let a and b be integers, not both 0. The smallest positive element in the set $\{as + bt \mid s, t \in \mathbb{Z}\}$ is the gcd of a and b.

Modular Inverses Now we can find inverses modulo m. Theorem: The integer a has an inverse modulo m if and only if gcd(a, m) = 1. Proof ($\Leftarrow$): Suppose gcd(a, m) = 1. Apply the extended Euclidean algorithm to find s and t such that as + mt = 1.

Modular Inverses Then consider the corresponding congruence modulo m: $as + mt \equiv 1 \pmod{m}$, so $as \equiv 1 \pmod{m}$. Thus, s is the inverse of a, modulo m.

Example Find the inverse of 10, modulo 27. Apply the extended Euclidean algorithm to get s = -8 and t = 3, implying that 10(-8) + 27(3) = 1. Thus, $10(-8) \equiv 1 \pmod{27}$. So, $10(19) \equiv 1 \pmod{27}$. Therefore, for example, $5/10 \equiv 5(19) \equiv 95 \equiv 14 \pmod{27}$.
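
The table-based extended Euclidean algorithm and the inverse computation above, as an added Python example that is not from the original slides; the function names are illustrative. Rows follow the slides' recurrence for s and t, so the second-to-last row carries the gcd and its coefficients.

```python
def egcd_table(A, B):
    """Build the table as rows (q, r, s, t); every row has A*s + B*t == r."""
    if B <= 0:
        raise ValueError("B must be positive")
    rows = [(None, A, 1, 0), (None, B, 0, 1)]      # rows -1 and 0
    while rows[-1][1] != 0:
        _, r2, s2, t2 = rows[-2]
        _, r1, s1, t1 = rows[-1]
        q, r = divmod(r2, r1)                       # quot-rem: r2 = q*r1 + r, 0 <= r < r1
        rows.append((q, r, s2 - q * s1, t2 - q * t1))
    return rows


def egcd(A, B):
    """Return (g, s, t) with A*s + B*t == g == gcd(A, B)."""
    _, g, s, t = egcd_table(A, B)[-2]               # second-to-last row
    return g, s, t


def mod_inverse(a, m):
    """Return the inverse of a modulo m, or raise if gcd(a, m) != 1."""
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {g}")
    return s % m                                    # maps e.g. -8 to 19 (mod 27)


def mod_divide(x, a, m):
    """x / a modulo m, i.e. x times the inverse of a."""
    return x * mod_inverse(a, m) % m


if __name__ == "__main__":
    for row in egcd_table(25520, 19314):            # the slides' A and B
        print(row)
    print(egcd(10, 27), mod_inverse(10, 27), mod_divide(5, 10, 27))
```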

The RSA Cryptosystem The RSA cryptosystem was named after Ronald Rivest, Adi Shamir, and Leonard Adleman, who are now quite rich. It is a “public-key” cryptosystem. The encryption key can be made public without revealing the decryption key. Thus, anyone can encrypt a message and send it, but only holders of the private decryption key can decrypt it.

The RSA Cryptosystem The RSA cryptosystem begins with two large primes p and q. “Large” means at least 100 digits long. Theorem: Let a be any integer not divisible by p or q. Then $a^{(p-1)(q-1)} \equiv 1 \pmod{pq}$.

The RSA Cryptosystem For example, if p = 37 and q = 41, then pq = 1517 and (p – 1)(q – 1) = Let a = 7. A simple computation verifies that  1 (mod 1517).

The RSA Cryptosystem Next, choose an integer e that is relatively prime to (p – 1)(q – 1). This is the encryption key. The public key is the pair (pq, e). Use the extended Euclidean algorithm to find the inverse of e, modulo (p – 1)(q – 1). Call it d, the decryption key.

The RSA Cryptosystem Let M be the plaintext message, expressed as an integer between 0 and pq – 1. For example, ASCII may be used. Longer messages are broken into blocks of such integers. Encrypt M to the ciphertext C as follows: $C = M^e \bmod pq$.

The RSA Cryptosystem The decryption procedure is similar. Given the ciphertext C, recover M as follows: $M = C^d \bmod pq$. Why does this work? Why does this recover M? Why can’t the enemy obtain d from e?

Why RSA Recovers M Since e and d are inverses modulo (p – 1)(q – 1), then ed = 1 + k(p – 1)(q – 1), for some integer k. Thus, $C^d \equiv (M^e)^d \equiv M^{ed} \equiv M^{1 + k(p-1)(q-1)} \equiv M \cdot (M^k)^{(p-1)(q-1)} \equiv M \pmod{pq}$.

Why RSA Is Secure How would the enemy obtain d from e? He would use the extended Euclidean algorithm. To do so, he would have to know (p – 1)(q – 1). This cannot easily be obtained without a knowledge of p and q. p and q can be obtained only by factoring pq.

RSA and Tractability Encryption and decryption require raising an integer to a high power, modulo m. This operation can be done very efficiently. On the other hand, breaking the code requires factoring a large number, which is of order $2^n$, where n is the number of bits in pq.

The Security of RSA Clearly, the enemy could break the code if he knew p and q. He could also break the code if he knew the value of (p – 1)(q – 1). He would then know pq – (p + q) + 1, so he could determine p + q. From knowledge of pq and p + q, it is easy to determine p and q.

RSA Example Let p = 37 and q = 41. Then pq = 1517 and (p – 1)(q – 1) = Choose e = 7. Compute d = 823. Publish the key (1517, 7).

RSA Example Alice wants to send Bob the message “ATTACK AT DAWN”. In ASCII, this is the plaintext 65, 84, 84, 65, 67, 75, 32, 65, 84, 32, 69, 65, 87, 78. Let’s encrypt only 65 for this example. Compute $M^e = 65^7 \bmod 1517 = 1094 = C$. Transmit 1094.

RSA Example Bob receives the ciphertext 1094, 1194, 1194, 1094, 1483, 926, 870, 1094, 1194, 870, 56, 1094, 143, 918. Let’s decrypt only 1094 for this example. A simple calculation shows that $C^d = 1094^{823} \bmod 1517 = 65$ = ‘A’.

The Security of RSA Suppose we were given the numbers = 1517 and = 76. How would we find 37 and 41? Consider the quadratic equation (x – 37)(x – 41) = x 2 – 76x = 0. We could use the quadratic formula to find the two roots, 37 and 41.
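
The slides' RSA example (p = 37, q = 41, e = 7) together with the observation that knowing (p – 1)(q – 1) reveals p and q, as an added Python example that is not from the original lecture. Function names are illustrative, and the built-in `pow(e, -1, phi)` (Python 3.8+) stands in for the extended Euclidean algorithm.

```python
from math import gcd, isqrt


def rsa_keypair(p, q, e):
    """Return ((n, e), d) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)      # d = inverse of e modulo (p-1)(q-1)


def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext block must lie in 0..pq-1")
    return pow(m, e, n)                 # C = M^e mod pq


def decrypt(c, n, d):
    return pow(c, d, n)                 # M = C^d mod pq


def factor_from_phi(n, phi):
    """Recover (p, q) from n = pq and phi = (p-1)(q-1)."""
    total = n - phi + 1                 # p + q, since phi = pq - (p + q) + 1
    disc = total * total - 4 * n        # (p - q)^2
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not consistent with n")
    return (total - root) // 2, (total + root) // 2   # roots of x^2 - (p+q)x + pq


if __name__ == "__main__":
    public, d = rsa_keypair(37, 41, 7)            # the slides' toy primes
    message = b"ATTACK AT DAWN"                   # constructed input
    cipher = [encrypt(byte, public) for byte in message]
    print(public, d)
    print(cipher)                                 # repeated letters give repeated blocks
    print(bytes(decrypt(c, public[0], d) for c in cipher))
    print(factor_from_phi(public[0], 36 * 40))    # leaking (p-1)(q-1) leaks the primes
```

Real keys use moduli of at least 2048 bits together with randomized padding such as OAEP; encrypting one character per block, as in this toy run, is deterministic, so equal letters produce equal ciphertext blocks.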