# 1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

## Presentation on theme: "1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong."— Presentation transcript:

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong

2 e.g.1 (Page 3) Consider f 3 (x) = x. 7 3 f 3 (1) = 1. 7 3 = 3 f 3 (2) = 2. 7 3 = 6 f 3 (3) = 3. 7 3 = 2 Consider each non-zero x in Z 7 {0, 1, 2, 3, 4, 5, 6} f 3 (4) = 4. 7 3 = 5 f 3 (5) = 5. 7 3 = 1 f 3 (6) = 6. 7 3 = 4 x=1 x=2 x=3 x=4 x=5 x=6 1 2 3 4 5 6 3 6 2 5 1 4 A permutation of {1, 2, 3, 4, 5, 6} Why? This is because 7 is a prime number. ST 1 2 3 4 5 6 1 2 3 4 5 6

3 e.g.1 Illustration of Lemma 2.20 Lemma 2.20: 7 is a prime number. Consider a value 3 which is in Z 7. the function f 3 (x) = x. 7 3 is 1-to-1. In particular, f 3 (1), f 3 (2), f 3 (3), f 3 (4), f 3 (5), f 3 (6) (or 1. 7 3, 2. 7 3, 3. 7 3, 4. 7 3, 5. 7 3, 6. 7 3) are a permutation of the set {1, 2, 3, …., 6}. Why is it correct? ST 1 2 3 4 5 6 1 2 3 4 5 6

4 Lemma 2.20: 7 is a prime number. Consider a value 3 which is in Z 7. the function f 3 (x) = x. 7 3 is 1-to-1. In particular, f 3 (1), f 3 (2), f 3 (3), f 3 (4), f 3 (5), f 3 (6) (or 1. 7 3, 2. 7 3, 3. 7 3, 4. 7 3, 5. 7 3, 6. 7 3) are a permutation of the set {1, 2, 3, …., 6}. We prove by contradiction. Suppose that f 3 (x) is not 1-to-1. That is, there exist two integers x, y such that x  y and f 3 (x) = f 3 (y) ST x y … v … … … Since 7 is a prime number, by Corollary 2.17, we know that 3 has a multiplicative inverse in Z 7 (denoted by 3 -1 ) (i.e., 3. 7 3 -1 = 1) Consider x = x. 7 1 = x. 7 (3. 7 3 -1 ) = (x. 7 3). 7 3 -1 = f 3 (x). 7 3 -1 = f 3 (y). 7 3 -1 =(y. 7 3). 7 3 -1 =y. 7 (3. 7 3 -1 ) =y. 7 1 =y Thus, we have x = y This leads to a contradiction!

5 e.g.2 (Page 5) Private-key cryptosystems ST 1 2 3 4 5 6 1 2 3 4 5 6 x Encryption Decryption y y x f 3 (x) = x. 7 3 keyEncryption function a=3f a (x) e.g. 4 e.g. 5 keyDecryption function a=3f -1 a (x) e.g. 5 e.g. 4 Suppose that the encryption and decryption functions are known to the public. But the key is kept privately. Then, we can ensure that the encryption/decryption is secure.

6 e.g.2 Private-key cryptosystems ST 1 2 3 4 5 6 1 2 3 4 5 6 x Encryption Decryption y y x f 3 (x) = x. 7 3 keyEncryption function a=3f a (x) e.g. 4 e.g. 5 keyDecryption function a=3f -1 a (x) e.g. 5 e.g. 4 I know that f 3 (x) is one-to-one. Given x, we can compute y = f 3 (x) efficiently. Since function f 3 (x) is a one-to-one function, f 3 (x) must have an inverse f -1 3 (x). However, knowing that the inverse f -1 3 (x) exists does not help in finding x (given y). Thus, given y, it might be hard to calculate (at the attacker side). Suppose that I am the attacker. However, knowing y does not provide enough information to recover x efficiently. Thus, we say that f 3 (x) is a one-way function.

7 e.g.2 Public-key cryptosystems x Encryption Decryption y y x Public key Encryption function Secret key Decryption function Suppose that the encryption and decryption functions are known to the public. But the secret-key is kept privately. Then, we should ensure that the encryption/decryption is secure. Suppose that the public key is known to the public. This secret key has some relationships with the public key. How can we ensure this statement? If we can ensure the following, we are confident to say that the encryption/decryption is secure. Given (1) the encryption function, (2) the decryption function and (3) the public key, it is difficult to derive the secret-key (at the attacker side) (i.e., it is not efficient to derive the secret-key). In this lecture, we will illustrate this concept for The public-key cryptosystem.

8 e.g.3 (Page 8) E.g., If 7  Z 11, then 7 5 mod 11 = 7. 11 7. 11 7. 11 7. 11 7 Lemma 2.3: (a. b) mod 11 = ((a mod 11). (b mod 11)) mod 11 = ((a mod 11). b) mod 11 Note that 7 3 mod 11 = (7. 7. 7) mod 11 = ((7. 7). 7) mod 11 = ([(7. 7) mod 11]. 7) mod 11 = ((7. 11 7). 7) mod 11 = (7. 11 7). 11 7 = 7. 11 7. 11 7

9 e.g.4 (Page 10) Illustration of Lemma 2.19 Lemma 2.19: (3 2 mod 7). 7 (3 4 mod 7) = 3 2+4 mod 7 (3 4 mod 7) 2 = 3 4x2 mod 7 3 2. 3 4 = 3 2+4 (3 4 ) 2 = 3 4x2

10 e.g.5 (Page 12) If a = 3, please find the following a 0 mod 7 a 1 mod 7 a 2 mod 7 a 3 mod 7 a 4 mod 7 a 5 mod 7 a 6 mod 7 a 7 mod 7 a 8 mod 7 a 9 mod 7 a 10 mod 7 a 11 mod 7 a 12 mod 7 1 3 2 6 4 5 1 3 2 6 4 5 1 The pattern re- appear for every group of 6 elements

11 e.g.6 (Page 12) If a = 5, please find the following a 0 mod 7 a 1 mod 7 a 2 mod 7 a 3 mod 7 a 4 mod 7 a 5 mod 7 a 6 mod 7 a 7 mod 7 a 8 mod 7 a 9 mod 7 a 10 mod 7 a 11 mod 7 a 12 mod 7 1 5 4 6 2 3 1 5 4 6 2 3 1 The pattern re- appear for every group of 6 elements We observe that a 6 mod 7 = 1 or a 7-1 mod 7 = 1

12 e.g.7 (Page 13) Illustration of Theorem 2.21 Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero a  Z 7, a 7-1 mod 7 = 1 Why is it correct?

13 e.g.7 Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero a  Z 7, a 7-1 mod 7 = 1 Lemma 2.20: 7 is a prime number. Consider a value 3 which is in Z 7. the function f 3 (x) = x. 7 3 is 1-to-1. In particular, f 3 (1), f 3 (2), f 3 (3), f 3 (4), f 3 (5), f 3 (6) (or 1. 7 3, 2. 7 3, 3. 7 3, 4. 7 3, 5. 7 3, 6. 7 3) are a permutation of the set {1, 2, 3, …., 6}. Consider Lemma 2.20 We know that 1. 7 3, 2. 7 3, 3. 7 3, 4. 7 3, 5. 7 3, 6. 7 3 (we call Group A) are a permutation of 1, 2, 3, 4, 5, 6 (we call Group B). ST 1 2 3 4 5 6 1 2 3 4 5 6 Thus, we have the product of all numbers in Group A= the product of all numbers in Group B (1. 7 3). 7 (2. 7 3). 7 (3. 7 3). 7 (4. 7 3). 7 (5. 7 3). 7 (6. 7 3) = 1. 7 2. 7 3. 7 4. 7 5. 7 6 the product of all numbers in Group A (mod 7) = the product of all numbers in Group B (mod 7) Illustrate with a = 3.

14 e.g.7 Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero a  Z 7, a 7-1 mod 7 = 1 Consider Lemma 2.20 We know that 1. 7 3, 2. 7 3, 3. 7 3, 4. 7 3, 5. 7 3, 6. 7 3 (we call Group A) are a permutation of 1, 2, 3, 4, 5, 6 (we call Group B). ST 1 2 3 4 5 6 1 2 3 4 5 6 Thus, we have the product of all numbers in Group A= the product of all numbers in Group B (1. 7 3). 7 (2. 7 3). 7 (3. 7 3). 7 (4. 7 3). 7 (5. 7 3). 7 (6. 7 3) = 1. 7 2. 7 3. 7 4. 7 5. 7 6 the product of all numbers in Group A (mod 7) = the product of all numbers in Group B (mod 7) 1. 7 3. 7 2. 7 3. 7 3. 7 3. 7 4. 7 3. 7 5. 7 3. 7 6. 7 3 = 1. 7 2. 7 3. 7 4. 7 5. 7 6 1. 7 2. 7 3. 7 4. 7 5. 7 6. 7 3. 7 3. 7 3. 7 3. 7 3. 7 3 = 1. 7 2. 7 3. 7 4. 7 5. 7 6 (1. 7 2. 7 3. 7 4. 7 5. 7 6). 7 (3. 7 3. 7 3. 7 3. 7 3. 7 3) = 1. 7 2. 7 3. 7 4. 7 5. 7 6 Let x = 1. 7 2. 7 3. 7 4. 7 5. 7 6 We have x. 7 (3 7-1 mod 7) = x (1. 7 2. 7 3. 7 4. 7 5. 7 6). 7 (3 7-1 mod 7) = 1. 7 2. 7 3. 7 4. 7 5. 7 6 Since 7 is a prime number, x has a multiplicative inverse x -1 in Z 7. Consider x. 7 (3 7-1 mod 7) = x x -1. 7 x. 7 (3 7-1 mod 7) = x -1. 7 x (x -1. 7 x). 7 (3 7-1 mod 7) = x -1. 7 x 3 7-1 mod 7 = 1 Illustrate with a = 3.

15 e.g.8 (Page 14) Illustration of Corollary 2.22 Theorem 2.21 (Fermat’s Little Theorem): 7 is a prime number. Then, for any non-zero a  Z 7, a 7-1 mod 7 = 1 Corollary 2.22 (Fermat’s Little Theorem, Version 2): 7 is a prime number. Then, for any positive integer a that is not a multiple of 7, a 7-1 mod 7 = 1 Why is it correct? Consider a 7-1 mod 7 = (a. a. a. a. a. a) mod 7 = [(a mod 7). (a mod 7). (a mod 7). (a mod 7). (a mod 7). (a mod 7)] mod 7 = (a mod 7) 7-1 mod 7 If (a mod 7) is non-zero in Z 7, we have (a mod 7) 7-1 mod 7 = 1 i.e., a 7-1 mod 7 = 1 a is not a multiple of 7. Note that (a mod 7)  Z 7

16 e.g.9 (Page 15) Illustration of Corollary 2.X1 Corollary 2.X1 (Fermat’s Little Theorem, Version 2): 7 is a prime number. Consider a non-negative integer 15. Then, for any positive integer a that is not a multiple of 7, a 15 mod 7 = a 15 mod (7-1) mod 7 e.g., a 15 mod 7= a 15 mod (7-1) mod 7 = a 15 mod 6 mod 7 = a 3 mod 7 If a = 5, we have 5 15 mod 7 = 5 3 mod 7 = 6 Why is it correct? This proof is skipped. You can prove it by yourself.

17 e.g.10 (Page 19) 1.Choose 2 large prime numbers p and q 2.Set n = pq and T = (p-1)(q-1) 3.Choose e  1 so that gcd(e, T) = 1 4.Calculate d = e -1 mod T (i.e., the multiplicative inverse of e in Z T ) 5.Publish e, n as public key 6.Keep d as secret key Choose p = 5 q = 11 We can calculate n = 5. 11 = 55 T = (5-1)(11-1) = 4. 10 = 40 Choose e = 7 (Note: gcd(7, 40) = 1) We can find d = 7 -1 mod 40 We can use Extended GCD algorithm to find d = 23. Public key : (e, n) = (7, 55) Secret key : d = 23 Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T

18 e.g.11 (Page 20) x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T 12 y = 12 7 mod 55= 35831808 mod 55 = 23 23

19 e.g.11 x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T 12 x = 23 23 mod 55 x = 20880467999847912034355032910567 mod 55 = 12 23 12

20 e.g.11 x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Can the encrypted value y be decrypted correctly? Is the following correct? “ (x e mod n) d mod n = x ” Is the following correct? “ x ed mod n = x ” Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T

21 e.g.12 (Page 21) Is the following correct? “ x ed mod n = x ”

22 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Consider d = e -1 mod T We can re-write it as follows. ed mod T = 1 We can further re-write it as follows. ed = Tk + 1 where k is an integer Consider x ed mod p = x Tk+1 mod p = x Tk x mod p = x (p-1)(q-1)k x mod p = (x (q-1)k ) p-1 x mod p = [((x (q-1)k ) p-1 mod p). (x mod p)] mod p Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, a p-1 mod p = 1 We consider two cases. (a) x (q-1)k is not a multiple of p (b) x (q-1)k is a multiple of p

23 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Consider x ed mod p = [((x (q-1)k ) p-1 mod p). (x mod p)] mod p We consider two cases. (a) x (q-1)k is not a multiple of p (b) x (q-1)k is a multiple of p Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, a p-1 mod p = 1

24 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Consider x ed mod p = [((x (q-1)k ) p-1 mod p). (x mod p)] mod p We consider two cases. (a) x (q-1)k is not a multiple of p (b) x (q-1)k is a multiple of p Corollary 2.22 (Fermat’s Little Theorem, Version 2): p is a prime number. Then, for any positive integer a that is not a multiple of p, a p-1 mod p = 1 = [1. (x mod p)] mod p = (x mod p) mod p = x mod p

25 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Consider x ed mod p = [((x (q-1)k ) p-1 mod p). (x mod p)] mod p We consider two cases. (a) x (q-1)k is not a multiple of p (b) x (q-1)k is a multiple of p We deduce that x (q-1)k mod p = 0 = [((x (q-1)k mod p) p-1 mod p). (x mod p)] mod p = [((0) p-1 mod p). (x mod p)] mod p = [0. (x mod p)] mod p = 0 We know that x (q-1)k is a multiple of p. Since p is prime, x is also a multiple of p. e.g. x 1000 is a multiple of 7 Since 7 is prime, x is also a multiple of 7. It can be shown by proof by contradiction. Since x is also a multiple of p, we have x mod p = 0 Thus, x mod p = x ed mod p

26 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) The second proof is similar to the first proof.

27 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Before we prove this statement, we want to give some properties of prime numbers. If p and q are both prime numbers and both divides z, then pq divides z. e.g., p = 3, q = 11, z = 99 3, 11 both divides 99. We know that 33 (=pq) also divides 99. If p and q are not prime numbers and both divides z, then pq may not divide z. e.g., p = 6, q = 15, z = 60 6, 15 both divides 60. We know that 90 (=pq) does not divide 60.

28 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) If p and q are both prime numbers and both divides z, then pq divides z. From (1), we know that x mod p = x ed mod p It can be re-written as follows. x ed =ip+x where i is an integer. It can further be re-written as follows. x ed – x =ip From (2), we know that x mod q = x ed mod q It can be re-written as follows. x ed =jq+x where j is an integer. It can further be re-written as follows. x ed – x =jq Let z = x ed - x We havez = ip ………………..(*) Thus, p divides z. Note that x ed – x (which is equal to z) We havez = jq ………………..(**) Thus, q divides z. Since p and q are both prime numbers and both divides z, pq divides z.

29 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Let z = x ed - x Since p and q are both prime numbers and both divides z, pq divides z.

30 e.g.12 Is the following correct? “ x ed mod n = x ” p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T We want to prove the following 1. Prove that, for all x, x mod p = x ed mod p 2. Prove that, for all x, x mod q = x ed mod q 3. Prove that, if 0  x < n, x = x ed mod n (by (1) and (2)) Let z = x ed - x Since p and q are both prime numbers and both divides z, pq divides z. We can write as follows. z = pqk where k is an integer z = nk x ed -x = nk x ed = nk + x Since 0  x < n, we can re-write the above as follows. x ed mod n = x

31 e.g.13 (Page 31) x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Can the encrypted value y be decrypted correctly? Is the following correct? “ (x e mod n) d mod n = x ” Is the following correct? “ x ed mod n = x ” Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T Yes

32 e.g.13 (Page 31) x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Why is this RSA algorithm secure? Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T Note that the public key, the encryption function and the decryption function is known to the public. If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x?

33 e.g.13 x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Why is this RSA algorithm secure? Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T Note that the public key, the encryption function and the decryption function is known to the public. If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x? First Way for Attack: Since I know that the formula y = x e mod n, if I have value y, I will try to calculate the e-th root (mod n) i.e., (x e mod n) 1/e mod n Slow Operation!

34 e.g.13 x Encryption Decryption y y x Public key Encryption function Secret key Decryption function (e, n) = (7, 55) d = 23 y = x e mod nx = y d mod n Why is this RSA algorithm secure? Public key : (e, n) = (7, 55) Secret key : d = 23 p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e, T) = 1 d = e -1 mod T Note that the public key, the encryption function and the decryption function is known to the public. If I am the attacker, after reading value y, I want to know the original value x. How can I derive the original value x? Second Way for Attack: Since I know value n (in the public key) and n = pq, I will try to factorize value n to find p and q such that n = pq. With p and q, I can derive d easily. With d, I can decrypt y by the decryption function. Factorization is a Slow Operation! Nobody know how to factor a number quickly!

35 e.g.14 (Page 38) If we only consider 1 only (not 0 in the base 2/binary representation), 50 is equal to 1. 2 5 +1. 2 4 +1. 2 1 50 10 (in base 10) = 110010 2 (in base 2) (e 5 e 4 e 3 e 2 e 1 e 0 ) 50 is equal to 1. 2 5 +1. 2 4 +0. 2 3 +0. 2 2 +1. 2 1 +0. 2 0

36 e.g.15 (Page 39) Second approach e-1 multiplications Third approach 2 log 2 e multiplications If e = 10 120, then e-1 = 10 120 If e = 10 120, then 2 log 2 e = 796

37 e.g.16 (Page 43) S 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 T (0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (1, 0) (1, 1) (1, 2) (1, 3) (1, 4) (2, 0) (2, 1) (2, 2) (2, 3) (2, 4) x (x mod 3, x mod 5) 15 elements

38 e.g.17 (Page 44) Illustration of Theorem 2.24 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) These equations have the solution x = 14. Why is it correct?

39 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. Since 3 and 5 are relatively prime, we have gcd(3, 5) = 1. 3 has a multiplicative inverse 3 -1 in Z 5 (i.e., 3. 3 -1 mod 5= 1) 5 has a multiplicative inverse 5 -1 in Z 3. (i.e., 5. 5 -1 mod 3 = 1) 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1

40 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 We set y = 2. 5. 5 -1 + 4. 3. 3 -1 This value satisfies the equations. Why? Consider y mod 3= (2. 5. 5 -1 + 4. 3. 3 -1 ) mod 3 = [(2. 5. 5 -1 mod 3) + (4. 3. 3 -1 mod 3) ] mod 3 = [(2. 1 mod 3) + 0 ] mod 3 = 2 Ok!

41 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 We set y = 2. 5. 5 -1 + 4. 3. 3 -1 This value satisfies the equations. Why? Consider y mod 5= (2. 5. 5 -1 + 4. 3. 3 -1 ) mod 5 = [(2. 5. 5 -1 mod 5) + (4. 3. 3 -1 mod 5) ] mod 5 = [0+ (4. 1 mod 5) ] mod 5 = 4 Ok!

42 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 We set y = 2. 5. 5 -1 + 4. 3. 3 -1 If we set x = (y mod 15) (NOTE: 15 = 3. 5), then x is between 0 and 14 and x satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. We want to show that x must be between 0 and 14.

43 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. If we set x = (y mod 15) (NOTE: 15 = 3. 5), then x is between 0 and 14 and x satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. Since y mod 3 = 2, Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. we can rewrite it as y = 3q 1 +2 where q 1 is an integer. Since y mod 5 = 4, we can rewrite it as y = 5q 2 +4 where q 2 is an integer. y = 3q 1 +2 y = 5q 2 +4

44 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. If we set x = (y mod 15) (NOTE: 15 = 3. 5), then x is between 0 and 14 and x satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. Since x = (y mod 15), we can rewrite it as y = 15q 3 +x where q 3 is an integer. y = 3q 1 +2 y = 5q 2 +4 x = y - 15q 3 = (3q 1 + 2) - 15q 3 = 3q 1 + 2 - 15q 3 = 3(q 1 - 5q 3 ) + 2 We can re-write as follows. x mod 3 = 2 Ok!

45 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) Now, we want to see how to construct a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. In the following, we want to construct a value of x such that (a) this value is between 0 and 14. (b) this value satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. If we set x = (y mod 15) (NOTE: 15 = 3. 5), then x is between 0 and 14 and x satisfies the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”. Now, we know that there is a value of y such that (a) this value can be either in [0, 14] or not, (b) this value satisfies the equations “ y mod 3 = 2 ” and “ y mod 5 = 4 ”. Since x = (y mod 15), we can rewrite it as y = 15q 3 +x where q 3 is an integer. y = 3q 1 +2 y = 5q 2 +4 x = y - 15q 3 = (5q 2 + 4) - 15q 3 = 5q 2 + 4 - 15q 3 = 5(q 2 - 3q 3 ) + 4 We can re-write as follows. x mod 5 = 4 Ok!

46 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. Before we go to the proof, we illustrate a concept. S 0 1 2 T 0 1 2 Consider a function f(x) from S to T where S and T has the same sizes. Suppose that, given a single value y, I know how to find the corresponding value x. xy Suppose that, given any value y, I know how to find the corresponding value x. This function must be a bijection function.

47 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. S 0 1 2 12 13 14 T (0, 0) (0, 1) (0, 2) (2, 2) (2, 3) (2, 4) x (x mod 3, x mod 5) … … “ x mod 3 = 2 ” and “ x mod 5 = 4 ” Consider a function f(x) = (x mod 3, x mod 5) In the first part of the proof, we have already shown that we can find the value x from the two equations (or this pair (2, 4))

48 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. S 0 1 2 12 13 14 T (0, 0) (0, 1) (0, 2) (2, 2) (2, 3) (2, 4) x (x mod 3, x mod 5) … … “ x mod 3 = 2 ” and “ x mod 5 = 4 ” Consider a function f(x) = (x mod 3, x mod 5) Similarly, we can find the value x from other two equations (or another pair (2, 3))

49 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. S 0 1 2 12 13 14 T (0, 0) (0, 1) (0, 2) (2, 2) (2, 3) (2, 4) x (x mod 3, x mod 5) … … “ x mod 3 = 2 ” and “ x mod 5 = 4 ” Consider a function f(x) = (x mod 3, x mod 5) Similarly, we can find the value x from each possible two equations (or each pair (2, 3))

50 e.g.17 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) We want to do the following. 1. Given the equations “ x mod 3 = 2 ” and “ x mod 5 = 4 ”, there is at least one solution for these two equations. 2. This solution is one and only one. S 0 1 2 12 13 14 T (0, 0) (0, 1) (0, 2) (2, 2) (2, 3) (2, 4) x (x mod 3, x mod 5) … … Consider a function f(x) = (x mod 3, x mod 5) According to the concept we just described, we know that this function is a bijection function. Note that S and T have the same sizes. We conclude that there is one and only one solution.

51 e.g.18 (Page 47) E.g., We want to find a solution x in Z 66 of the following equations. x mod 6 = 3 x mod 11 = 7 Step 1: (a) Find the multiplicative inverse 6 -1 of 6 in Z 11 (b) Find the multiplicative inverse 11 -1 of 11 in Z 6 Step 2: Construct y = 3. 11. 11 -1 + 7. 6. 6 -1 Step 3: Find x = (y mod 66) where 66 is 6. 11 We can use the extended GCD algorithm and find the answer 6 -1 is 2 We can use the extended GCD algorithm and find the answer 11 -1 is 5 y = 3. 11. 5 + 7. 6. 2 = 249 x = 249 mod 66 = 51

52 e.g.19 (Page 48) E.g. We are given the following functions. f(k) = 2 4 if k = 3 if k = 5 g(k) = 1 0 if k = 3 if k = 5 h(k) = 0 1 if k = 3 if k = 5 Find a single equation to express f(k) in terms of g(k) and h(k). We can express f(k) = 2. g(k) + 4. h(k) When k = 3, f(3) = 2. g(3) + 4. h(3) = 2. 1 + 4. 0 = 2 Let us verify whether this equation is correct. When k = 5, f(5) = 2. g(5) + 4. h(5) = 2. 0 + 4. 1 = 4

53 e.g.20 (Page 48) In the proof of Theorem 2.24 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) In the proof of Theorem 2.24, we create a value y = 2. 5. 5 -1 + 4. 3. 3 -1 Why are we so smart to create this “ magic ” formula? 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1

54 e.g.20 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) y = 2. 5. 5 -1 + 4. 3. 3 -1 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 Why are we so smart to create this “ magic ” formula? Consider the main set of equations. y mod 3 = 2 y mod 5 = 4 Step 1: We want to find a single equation to express y. Similarly, if we have two sets of equations, then we can express y in a single equation.  mod 3 = 1  mod 5 = 0  mod 3 = 0  mod 5 = 1 where  and  are integers. We can write y = 2  + 4  Consider y mod 3 Let us verify whether this equation is correct. = 2  + 4  mod 3 = [(2  mod 3) + (4  mod 3)] mod 3 = (2. 1 + 4. 0) mod 3 = 2 Consider y mod 5 = 2  + 4  mod 5 = [(2  mod 5) + (4  mod 5)] mod 5 = (2. 0 + 4. 1) mod 5 = 4

55 e.g.20 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) y = 2. 5. 5 -1 + 4. 3. 3 -1 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 Why are we so smart to create this “ magic ” formula? Consider the main set of equations. y mod 3 = 2 y mod 5 = 4 Step 1: We want to find a single equation to express y. Similarly, if we have two sets of equations, then we can express y in a single equation.  mod 3 = 1  mod 5 = 0  mod 3 = 0  mod 5 = 1 where  and  are integers. We can write y = 2  + 4  Step 2: We want to find  and  Consider   mod 3 = 1  mod 5 = 0  is a multiple of 5 (i.e.,  = 5q where q is an integer.) We know that  = 5q. Thus, 5q mod 3 = 1 q is a multiplicative inverse of 5 in Z 3 i.e., q = 5 -1 We have  = 5q = 5. 5 -1  = 5. 5 -1

56 e.g.20 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) y = 2. 5. 5 -1 + 4. 3. 3 -1 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 Why are we so smart to create this “ magic ” formula? Consider the main set of equations. y mod 3 = 2 y mod 5 = 4 Step 1: We want to find a single equation to express y. Similarly, if we have two sets of equations, then we can express y in a single equation.  mod 3 = 1  mod 5 = 0  mod 3 = 0  mod 5 = 1 where  and  are integers. We can write y = 2  + 4  Step 2: We want to find  and  Consider   mod 3 = 0  mod 5 = 1  is a multiple of 3 (i.e.,  = 3q where q is an integer.) We know that  = 3q. Thus, 3q mod 5 = 1 q is a multiplicative inverse of 3 in Z 5 i.e., q = 3 -1 We have  = 3q = 3. 3 -1  = 5. 5 -1  = 3. 3 -1

57 e.g.20 Theorem 2.24: Since 3 and 5 are relatively prime integers, then the equations x mod 3 = 2 and x mod 5 = 4 have one and only one solution for an integer x between 0 and 3. 5-1 (= 14) y = 2. 5. 5 -1 + 4. 3. 3 -1 3. 3 -1 mod 5= 1 5. 5 -1 mod 3 = 1 Why are we so smart to create this “ magic ” formula? Consider the main set of equations. y mod 3 = 2 y mod 5 = 4 Step 1: We want to find a single equation to express y. Similarly, if we have two sets of equations, then we can express y in a single equation.  mod 3 = 1  mod 5 = 0  mod 3 = 0  mod 5 = 1 where  and  are integers. We can write y = 2  + 4  Step 2: We want to find  and   = 5. 5 -1  = 3. 3 -1 Note that y = 2  + 4  = 2. 5. 5 -1 + 4. 3. 3 -1

Download ppt "1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong."

Similar presentations