Great Theoretical Ideas in Computer Science for Some

Lecture 17 (March 18, 2008) Modular Arithmetic and the RSA Cryptosystem p-1 pp 1

Public Key Cryptography -----BEGIN PGP PRIVATE KEY BLOCK----- Version: PGP not licensed for commercial use: lQHNBEOedR4RBAC6bfed3ULzOwVF/BouyO8kfs8wkOmk3vaMF6+6JyeEJqyImaVh pVhU7lst6QtXTyAF734FtClM/9Dq9Dn7GDoO3E9+nGVO7wJ1OT+X4lgkoiM68WWG eioT958Hg0zq0KquHUBFM+Kldc+nr0e0Q6uCgwIYM7oH60/WX8e2WnvycwCgzba0 kRzxNtmw9w9IEQUk9pa2CK8D/2FjRxtEDN6nY7/l1wUrkMjI/uXYnsNWwrIAbwHp qhUZQYst27XpwNplAmI6YuS+3O+L4vgURj1hVcnNG+2bZXjbt4Fg3RLhrTV/jiuL ohBayAAdZZ4+72Cja1+18xp700GVTF96jYc8dIoxNx1AgHzQUffj3GnscAzo7ud3 HyYHA/9sI6Gijh/ubr1qTzHwZPdilDjfnEyQwR6+forUUegwCO0YawsC2lG6F7MG q3RHnJSwI3DiH/gY5bYk3XxhinkKxqk54DiL6vrHIw/E9J6RazY+ocicLRZ+6XjO JPXpK8s2v64pH5gyrsfANwSTTyECPx/hp2G+0BW/mtMU+JqFPP8DAwKvgRN08aTW 1WAW5/ak/URD4OAOT6OXlyg4YwhaJodb9vfwck4V8bnNLVNhbXBsZSBTZWN1cmVC bGFja2JveCBQR1Aga2V5PGluZm9AZWxkb3MuY29tPp0DJgRDnnWkEAgAxIwIsmEC mLGfQMH6GfNqn8XG9/bvT/nL/m7TjUVv1JGrKDASbASsPlYLnDel4opyp24Azu5x nQ0/QlsOifmXjINcWzNtWcJkW3rBamP1Vw6ZhxN8e1ARRrxwOn42V/yn/HoMFH0O Hhm2M5r8W/rOxo4dPdKPmRPdMaPVMndgM8WcOGPJ6TbMb4g9hphb+E4o3glI6fhP 41GZy57wWdKY9DnQ3W2PGoFaFAlQdyAtekzOmixp2/jXpq4+br9Yd088Unp2sw4Z 56j8sAbTk7NFpcTUSxsnFXpiGr0WkV+qfDyYTBvEnFXIteiThAWYzJgge6Tb6qzL 1XjD5uR1z2FgTwACAgf/fGBkVe8yETYwARrcn0xXv991AEvA4wlNI0/gygJKXxTV 0wTImdsOnsKsxtTCKdchSCFRuGYsBPzc7lUsPKk4jNkAv1EZELhqHkZTC51tEPxA m3/i8iAYFz2rTPfZkrjBJ2xP6ChRqmj0BTcZjo3bzRwjlUMTejGaR9BQDqB9A59z 2rCBn6nz9f6F+1oZ62gThjS6WUbUbhBKCwvfntFsXFrpXWHr5Apv+5zbxteTdHr0 1x3NRl0RzvzJ4wQ4WsVFiZFI3l7HykRd37XE+hSvRSr2iWqE/PdR7alxAswc5LET GCH//3xzP1/7Au3XLUaD4LaFoXY1bIBui2Srmu1kcP8DAwIYqvVK6L5Df2CejmTt hiA1DBnNck4dF7gPOaYku6Rfw27EOvhWmdZ1pp13uw2Tm6SEBoG7rkq1a01UWEjs PhUPkfxhVT6qHd4Bs3EOGSh7sNFsv8IbbAyP3rPOtbt3m9t02xEzKl5ZOqD85EZC HYK/l6lLD8pUX2dJQqZwTN4lkdl99HOf7XYPxHvCmbh1S1CgTM3H2wc5M7QROMhr -----END PGP PRIVATE KEY BLOCK BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP not licensed for commercial use: mQGiBEOedR4RBAC6bfed3ULzOwVF/BouyO8kfs8wkOmk3vaMF6+6JyeEJqyImaVh pVhU7lst6QtXTyAF734FtClM/9Dq9Dn7GDoO3E9+nGVO7wJ1OT+X4lgkoiM68WWG eioT958Hg0zq0KquHUBFM+Kldc+nr0e0Q6uCgwIYM7oH60/WX8e2WnvycwCgzba0 kRzxNtmw9w9IEQUk9pa2CK8D/2FjRxtEDN6nY7/l1wUrkMjI/uXYnsNWwrIAbwHp qhUZQYst27XpwNplAmI6YuS+3O+L4vgURj1hVcnNG+2bZXjbt4Fg3RLhrTV/jiuL ohBayAAdZZ4+72Cja1+18xp700GVTF96jYc8dIoxNx1AgHzQUffj3GnscAzo7ud3 HyYHA/9sI6Gijh/ubr1qTzHwZPdilDjfnEyQwR6+forUUegwCO0YawsC2lG6F7MG q3RHnJSwI3DiH/gY5bYk3XxhinkKxqk54DiL6vrHIw/E9J6RazY+ocicLRZ+6XjO JPXpK8s2v64pH5gyrsfANwSTTyECPx/hp2G+0BW/mtMU+JqFPM0tU2FtcGxlIFNl Y3VyZUJsYWNrYm94IFBHUCBrZXk8aW5mb0BlbGRvcy5jb20+wkkEEBECABMCmQEF AkOedaQJEKl84ZsqNet0AAAROgCggFcJOrmvNvpdmADv0iEzVUVci+gAoJDD9wbm WOq7M06k4rSOZSj2me0GuQINBEOedaQQCADEjAiyYQKYsZ9AwfoZ82qfxcb39u9P +cv+btONRW/UkasoMBJsBKw+VgucN6XiinKnbgDO7nGdDT9CWw6J+ZeMg1xbM21Z wmRbesFqY/VXDpmHE3x7UBFGvHA6fjZX/Kf8egwUfQ4eGbYzmvxb+s7Gjh090o+Z E90xo9Uyd2AzxZw4Y8npNsxviD2GmFv4TijeCUjp+E/jUZnLnvBZ0pj0OdDdbY8a gVoUCVB3IC16TM6aLGnb+Nemrj5uv1h3TzxSenazDhnnqPywBtOTs0WlxNRLGycV emIavRaRX6p8PJhMG8ScVci16JOEBZjMmCB7pNvqrMvVeMPm5HXPYWBPAAICB/98 YGRV7zIRNjABGtyfTFe/33UAS8DjCU0jT+DKAkpfFNXTBMiZ2w6ewqzG1MIp1yFI IVG4ZiwE/NzuVSw8qTiM2QC/URkQuGoeRlMLnW0Q/ECbf+LyIBgXPatM99mSuMEn bE/oKFGqaPQFNxmOjdvNHCOVQxN6MZpH0FAOoH0Dn3PasIGfqfP1/oX7WhnraBOG NLpZRtRuEEoLC9+e0WxcWuldYevkCm/7nNvG15N0evTXHc1GXRHO/MnjBDhaxUWJ -----END PGP PUBLIC KEY BLOCK-----

Public Key Cryptography Private Key Public Key P Secret M E P [M]

The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

Pick secret, random large primes: p,q “Publish”: n = p*q  (n) =  (p)  (q) = (p-1)*(q-1) Pick random e  Z *  (n) “Publish”: e Compute d = inverse of e in Z *  (n) Hence, e*d = 1 [ mod  (n) ] “Private Key”: d Mumbo jumbo… More Mumbo jumbo…

But how does it all work? What is φ (n)? What is Z φ (n) * ? … Why do all the steps work? To understand this, we need a little number theory...

MAX(a,b) + MIN(a,b) =a+b n|m means that: m is an integer multiple of n. (We say that “n divides m”.)

Greatest Common Divisor: GCD(x,y) = greatest k ≥ 1 such that k|x and k|y LCM(x,y) = smallest k ≥ 1 such that x|k and y|k You can use MAX(a,b) + MIN(a,b) = a+b to prove the above fact. Fact: GCD(x,y) × LCM(x,y) = x × y Least Common Multiple:

(a mod n) means: If a = dn + r with 0 ≤ r < n Then r = (a mod n) and d = (a div n) the remainder when a is divided by n Modulus

Modular Equivalence Written as a  n b, and spoken “a and b are equivalent modulo n” 31  81 [mod 2] 31  2 81 a  b [mod n]  (a mod n) = (b mod n)  n|(a-b) Example:

 n is an Equivalence Relation In other words, it is: Reflexive: a  n a Symmetric: (a  n b)  (b  n a) Transitive: (a  n b and b  n c)  (a  n c)  n induces a partition of Z into n classes a and b are said to be in the same “residue class” or “congruence class” when a  n b

a  n b  n|(a-b) “a and b are equivalent modulo n” Define Residue class [i] = the set of all integers that are congruent to i modulo n [0] = { …, -6, -3, 0, 3, 6,..} [1] = { …, -5, -2, 1, 4, 7,..} [2] = { …, -4, -1, 2, 5, 8,..} [-6]= { …, -6, -3, 0, 3, 6,..} [7] = { …, -5, -2, 1, 4, 7,..} [-1] = { …, -4, -1, 2, 5, 8,..} Residue Classes Mod 3:

Fact: equivalence mod n implies equivalence mod any divisor of n. If (x  n y) and (k|n) then: x  k y Example: 10  6 16  10  3 16 Proof: x  n y  n|(x-y)  k|(x-y)  x  k y

If (x  n y) and (a  n b), then: 1. x + a  n y + b 2. x - a  n y – b 3. x * a  n y * b Fundamental lemma of plus, minus, and times mod n: When doing plus, minus, and times modulo n, you can at any time replace a number with a number in the same residue class modulo n What is (249)(504) mod 251? When working mod 251: (-2)(2) = -4 = 247

A Unique Representation System Modulo n: We pick exactly one representative from each residue class. We do all our calculations using these representatives.

* Unique Representation System Modulo 3 Finite set S = {0, 1, 2} + and * defined on S:

Unique Representation System Modulo 3 Finite set S = {0, 1, -1} + and * defined on S: *

Perhaps The Most Convenient Set of Representatives The reduced system modulo n: Z n = {0, 1, 2, …, n-1} Define operations + n and * n : a + n b = (a+b mod n) a * n b = (a*b mod n)

*2* The Reduced System Modulo 2 Z 2 = {0, 1} Two binary, associative operators on Z 2 :

The Reduced System Modulo 2 Z 2 = {0, 1} Two binary, associative operators on Z 2 : + 2 XOR * 2 AND

* The Reduced System Z 4 = {0,1,2,3}

The Reduced System Z 6 = {0,1,2,3,4,5} An operator has the permutation property if each row and each column has a permutation of the elements. For every n, + n on Z n has the permutation property

What about multiplication? Does * 6 on Z 6 have the permutation property? * NO!

* What about * 8 on Z 8 ? Which rows have the permutation property?

A visual way to understand multiplication and the “permutation property”.

The multiples of c modulo n is the set: {0, c, c + n c, c + n c + n c, ….} = {kc mod n | 0 ≤ k ≤ n-1} There are exactly 8 distinct multiples of 3 modulo 8: Hit all numbers  row 3 has the “permutation property”

There are exactly 2 distinct multiples of 4 modulo

There is exactly 1 distinct multiple of 8 modulo

There are exactly 4 distinct multiples of 6 modulo

There number of distinct multiples of c modulo n is: LCM(n,c)/c = n/GCD(c,n) Hence only those values of c with GCD(c,n) = 1 have the permutation property for * n on Z n

Theorem: There are exactly k = n/GCD(c,n) = LCM(c,n)/c distinct multiples of c modulo n, and these are: { c*i mod n | 0 ≤ i < k } Proof: Clearly, c/GCD(c,n) ≥ 1 is a whole number ck =cn/GCD(c,n) =n(c/GCD(c,n))  n 0 So there are at most k multiples of c mod n: c*0, c*1, c*2, …, c*(k-1) Also, k = all the factors of n missing from c  cx  n cy  n|c(x-y)  k|(x-y)  x-y ≥ k Hence, there are exactly k multiples of c.

If (x  n y) and (a  n b), then: 1. x + a  n y + b 2. x - a  n y – b 3. x * a  n y * b Fundamental lemma of plus, minus, and times mod n:

Is there a fundamental lemma of division modulo n? cx  n cy  x  n y ? Of course not! If c=0[mod n], cx  n cy for all x and y. Canceling the c is like dividing by zero.

Let’s Fix That! Repaired fundamental lemma of division modulo n? if c  0 [mod n], then cx  n cy  x  n y ? 6*3  10 6*8, but not 3  *2  6 2*5, but not 2  6 5 This also doesn’t work!

When Can’t I Divide By c? Theorem: There are exactly n/GCD(c.n) distinct multiples of c modulo n Corollary: If GCD(c,n) > 1, then the number of multiples of c is less than n Corollary: If GCD(c,n) > 1 then you can’t always divide by c. There must exist distinct x,y < n such that c*x=c*y (but x  y). Hence can’t divide. Proof:

Fundamental lemma of division modulo n: if GCD(c,n)=1, then ca  n cb  a  n b Proof: ca  n cb  n|(cb-ca)  n|c(b-a)  n|(b-a)  a  n b (because GCD(c,n)=1)

Fundamental lemma of division modulo n: if GCD(c,n)=1, then ca  n cb  a  n b Consider the set: Z n * = {x  Z n | GCD(x,n) =1} Multiplication over this set Z n * will have the cancellation property

Z 6 = {0, 1,2,3,4,5} Z 6 * = * {1,5}

Z 12 * = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} *

Z 5 * = {1,2,3,4} = Z 5 \ {0} *5* For all primes p, Z p * = Z p \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1

Euler Phi Function  (n) Define  (n) = size of Z n * (number of 1 ≤ k < n that are relatively prime to n) If p is prime, then  (p) = p-1

Z 12 * = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} *  (12) = 4

Theorem: if p,q distinct primes then:  (pq) = (p-1)(q-1) # of integers from 1 to pq: # of multiples of q up to pq: # of multiples of p up to pq: # of multiples of both p and q up to pq: Proof:  (pq) = = (p-1)(q-1) pq p q 1 pq – p – q + 1

The additive inverse of a  Z n is the unique b  Z n such that a + n b  n 0. We denote this inverse by “–a” It is trivial to calculate: “-a” = n-a Additive Inverse

The multiplicative inverse of a  Z n * is the unique b  Z n * such that a * n b  n 1 Multiplicative Inverse We denote this inverse by “a -1 ” or “1/a” *1b a The unique inverse of “a” must exist because the “a” row contains a permutation of the elements and hence contains a unique 1.

Efficient Algorithm To Compute a -1 From a and n Run Extended Euclidean Algorithm on the numbers a and n It will give two integers r and s such that ra + sn = gcd(a,n) = 1 Taking both sides modulo n, we obtain: ra  n 1 Output r, which is the inverse of a

If (x  n y) and (a  n b), then: 1. x + a  n y + b 2. x - a  n y – b 3. x * a  n y * b Fundamental Lemmas Until Now For a,b,c in Z n * then ca  n cb  a  n b

If (a  n b) then x a  n x b ? (2  3 5), but it is not the case that: 2 2  NO!

Euler’s Theorem: a  Z n *, a  (n)  n 1 Fermat’s Little Theorem: p prime, a  Z p *  a p-1  p 1

Fundamental Lemma of Powers: If a   (n) b Then x a  n x b Equivalently, x a  n x a mod  (n)

What is mod 5? x a (mod n) = x a mod  (n) (mod n)   (5) 1 So mod 5 = 2

Negative Powers Suppose x  Z n *, and a,n are naturals. x -a is defined to be the multiplicative inverse of x a x -a = (x a ) -1

Suppose x,y  Z n *, and a,b are integers: (xy) -1  n x -1 y -1 X a X b  n X a+b Rule of Integer Exponents

The RSA Cryptosystem

Pick secret, random large primes: p,q “Publish”: n = p*q  (n) =  (p)  (q) = (p-1)*(q-1) Pick random e  Z *  (n) “Publish”: e Compute d = inverse of e in Z *  (n) Hence, e*d = 1 [ mod  (n) ] “Private Key”: d

n,e is my public key. Use it to send me a message. p,q random primes, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ]

n, e p,q prime, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ] message m m e [mod n] (m e ) d  n m

Working modulo integer n Definitions of Z n, Z n * and their properties Fundamental lemmas of +,-,*,/ When can you divide out How to calculate c -1 mod n. Fundamental lemma of powers Euler phi function  (n) = |Z n * | Euler’s theorem Fermat’s little theorem RSA algorithm Here’s What You Need to Know…