Presentation is loading. Please wait.

Presentation is loading. Please wait.

Great Theoretical Ideas In Computer Science COMPSCI 102 Fall 2010 Lecture 16October 27, 2010Duke University Modular Arithmetic and the RSA Cryptosystem.

Published byBranden Chapman Modified over 8 years ago

Similar presentations

Presentation on theme: "Great Theoretical Ideas In Computer Science COMPSCI 102 Fall 2010 Lecture 16October 27, 2010Duke University Modular Arithmetic and the RSA Cryptosystem."— Presentation transcript:

1 Great Theoretical Ideas In Computer Science COMPSCI 102 Fall 2010 Lecture 16October 27, 2010Duke University Modular Arithmetic and the RSA Cryptosystem p-1 pp 1

2 Starring Rivest Shamir Adleman Euler Fermat

3 The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

4 Pick secret, random large primes: p,q “Publish”: n = p*q  (n) =  (p)  (q) = (p-1)*(q-1) Pick random e  Z *  (n) “Publish”: e Compute d = inverse of e in Z *  (n) Hence, e*d = 1 [ mod  (n) ] “Private Key”: d Mumbo jumbo… More Mumbo jumbo…

5 n,e is my public key. Use it to send me a message. p,q random primes, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ]

6 n, e p,q prime, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ] message m m e [mod n] (m e ) d  n m

7 But how does it all work? What is φ (n)? What is Z φ (n) * ? … Why do all the steps work? To understand this, we need a little number theory...

8 MAX(a,b) + MIN(a,b) = a+b

9 n|m means that m is an integer multiple of n. We say that “n divides m”.

10 Greatest Common Divisor: GCD(x,y) = greatest k ≥ 1 s.t. k|x and k|y.

11 Least Common Multiple: LCM(x,y) = smallest k ≥ 1 s.t. x|k and y|k.

12 Fact: GCD(x,y) × LCM(x,y) = x × y

13 GCD(x,y) × LCM(x,y) = xy MAX(a,b) + MIN(a,b) = a+b

14 (a mod n) means the remainder when a is divided by n. If a = dn + r with 0 ≤ r < n Then r = (a mod n) and d = (a div n)

15 Defn: Modular equivalence of integers a and b a  b [mod n] (a mod n) = (b mod n)  n|(a-b) Written as a  n b, and spoken “a and b are equivalent modulo n”

16 31  81 [mod 2] 31  2 81

17  n is an equivalence relation In other words, Reflexive: a  n a Symmetric: (a  n b)  (b  n a) Transitive: (a  n b and b  n c)  (a  n c)

18 a  n b  n|(a-b) “a and b are equivalent modulo n”  n induces a natural partition of the integers into n classes. a and b are said to be in the same “residue class” or “congruence class” exactly when a  n b.

19 a  n b  n|(a-b) “a and b are equivalent modulo n” Define Residue class [i] = the set of all integers that are congruent to i modulo n.

20 Residue Classes Mod 3: [0] = { …, -6, -3, 0, 3, 6,..} [1] = { …, -5, -2, 1, 4, 7,..} [2] = { …, -4, -1, 2, 5, 8,..} [-6] = { …, -6, -3, 0, 3, 6,..} [7] = { …, -5, -2, 1, 4, 7,..} [-1] = { …, -4, -1, 2, 5, 8,..}

21 Fact: equivalence mod n implies equivalence mod any divisor of n. If (x  n y) and (k|n) Then: x  k y Example: 10  6 16  10  3 16

22 If (x  n y) and (k|n) then x  k y Proof:

23 Fundamental lemma of plus, minus, and times modulo n: If (x  n y) and (a  n b). Then 1) x + a  n y + b 2) x - a  n y – b 3) x * a  n y * b

24 Proof of 3: xa = yb (mod n) (The other two proofs are similar…)

25 Fundamental lemma of plus minus, and times modulo n: When doing plus, minus, and times modulo n, I can at any time in the calculation replace a number with a number in the same residue class modulo n

26 Please calculate: 249 * 504 mod 251 when working mod 251 -2 * 2 = -4 = 247

27 A Unique Representation System Modulo n: We pick exactly one representative from each residue class. We do all our calculations using these representatives.

28 Unique representation system modulo 3 Finite set S = {0, 1, 2} + and * defined on S: +012 0012 1120 2201 *012 0000 1012 2021

29 Unique representation system modulo 3 Finite set S = {0, 1, -1} + and * defined on S: +01 001 11 0 01 *01 0000 101 0 1

30 Perhaps the most convenient set of representatives: The reduced system modulo n: Z n = {0, 1, 2, …, n-1} Define operations + n and * n : a + n b = (a+b mod n) a * n b = (a*b mod n)

31 Z n = {0, 1, 2, …, n-1} a + n b = (a+b mod n) a * n b = (a*b mod n) [Closed] x, y  Z n  x + n y  Z n [Associative] x, y, z  Z n  ( x + n y ) + n z = x + n ( y + n z ) [Commutative] x, y  Z n  x + n y = y + n x

32 Z n = {0, 1, 2, …, n-1} a + n b = (a+b mod n) a * n b = (a*b mod n) [Closed] x, y  Z n  x * n y  Z n [Associative] x, y, z  Z n  ( x * n y ) * n z = x * n ( y * n z ) [Commutative] x, y  Z n  x * n y = y * n x

33 Z n = {0, 1, 2, …, n-1} a + n b = (a+b mod n) a * n b = (a*b mod n) + n and * n are commutative, associative binary operators from Z n X Z n  Z n :

34 The reduced system modulo 3 Z 3 = {0, 1, 2} Two binary, associative operators on Z 3 : +3+3 012 0012 1120 2201 *3*3 012 0000 1012 2021

35 The reduced system modulo 2 Z 2 = {0, 1} Two binary, associative operators on Z 2 : ` +2+2 01 001 110 *2*2 01 000 101

36 The Boolean interpretation of Z 2 Z 2 = {0, 1} Two binary, associative operators on Z 2 : ` + 2 XOR 01 001 110 * 2 AND 01 000 101

37 The reduced system Z 4 = {0, 1,2,3} +0123 00123 11230 22301 33012 *0123 00000 10123 20202 30321

38 The reduced system Z 5 = {0,1,2,3,4} +01234 001234 112340 223401 334012 440123 *01234 000000 101234 202413 303142 404321

39 The reduced system Z 6 = {0,1,2,3,4,5} +012345 0012345 1123450 2234501 3345012 4450123 5501234 *012345 000000 101234 202402 30 404204 505432

40 The reduced system Z 6 = {0,1,2,3,4,5} +012345 0012345 1123450 2234501 3345012 4450123 5501234 An operator has the permutation property if each row and each column has a permutation of the elements.

41 For every n, + n on Z n has the permutation property +012345 0012345 1123450 2234501 3345012 4450123 5501234 An operator has the permutation property if each row and each column has a permutation of the elements.

42 What about multiplication? Does * 6 on Z 6 have the permutation property? An operator has the permutation property if each row and each column has a permutation of the elements. *012345 0000000 1012345 2024024 3030303 4042042 5054321

43 *01234567 0 1 2 3 4 5 6 7 What about * 8 on Z 8 ? Which rows have the permutation property?

44 There are exactly 8 distinct multiples of 3 modulo 8. 7 53 1 0 6 2 4 hit all numbers  row 3 has the “permutation property”

45 There are exactly 2 distinct multiples of 4 modulo 8 7 53 1 0 6 2 4 row 4 does not have “permutation property” for * 8 on Z 8

46 There is exactly 1 distinct multiple of 8 modulo 8 7 53 1 0 6 2 4

47 There are exactly 4 distinct multiples of 6 modulo 8 7 53 1 0 6 2 4

48 There are exactly LCM(n,c)/c = n/GCD(c,n) distinct multiples of c modulo n and hence values of c with GCD(c,n) = 1 have the permutation property for * n on Z n

49 The multiples of c modulo n is the set: {0, c, c + n c, c + n c + n c, ….} = {kc mod n | 0 ≤ k ≤ n-1} 7 53 1 0 6 2 4 Multiples of 6

50 Theorem: There are exactly k = n/GCD(c,n) = LCM(c,n)/c distinct multiples of c modulo n: { c*i mod n | 0 ≤ i < k } Clearly, c/GCD(c,n)  1 is a whole number ck = n [c/GCD(c,n)]  n 0  There are ≤ k distinct multiples of c mod n: c*0, c*1, c*2, …, c*(k-1) Also, k = all the factors of n missing from c  cx  n cy  n|c(x-y)  k|(x-y)  x-y  k There are  k multiples of c. Hence exactly k.

51 Fundamental lemma of plus, minus, and times modulo n: If (x  n y) and (a  n b). Then 1) x + a  n y + b 2) x - a  n y - b 3) x * a  n y * b

52 Is there a fundamental lemma of division modulo n? cx  n cy  x  n y ? Of course not! If c=0[mod n], cx  n cy for all x and y. Canceling the c is like dividing by zero.

53 Let’s fix that! Repaired fundamental lemma of division modulo n? if c  0 [mod n], then cx  n cy  x  n y ? 6*3  10 6*8, but not 3  10 8. 2*2  6 2*5, but not 2  6 5. Bummer!

54 When can I divide by c? Theorem: There are exactly n/GCD(c,n) distinct multiples of c modulo n. Corollary: If GCD(c,n) > 1, then the number of multiples of c is less than n. Corollary: If GCD(c,n) > 1 then you can’t always divide by c. Proof: There must exist distinct x,y<n such that c*x=c*y (but x  y). Hence can’t divide.

55 Fundamental lemma of division modulo n: if GCD(c,n)=1, then ca  n cb  a  n b Proof:

56 Corollary for general c: cx  n cy  x  n/GCD(c,n) y

57 Fundamental lemma of division modulo n. If GCD(c,n)=1, then ca  n cb  a  n b Consider the set Z n * = {x  Z n | GCD(x,n) =1} Multiplication over this set Z n * will have the cancellation property.

58 Z 6 = {0, 1,2,3,4,5} Z 6 * = {1,5} +012345 0012345 1123450 2234501 3345012 4450123 5501234 *012345 0000000 1012345 2024024 3030303 4042042 5054321

59 What are the properties of Z n * For * n on Z n we showed the following properties: [Closure] x, y  Z n  x * n y  Z n [Associativity] x, y, z  Z n  ( x * n y ) * n z = x * n ( y * n z ) [Commutativity] x, y  Z n  x * n y = y * n x What about * n on Z n * ?

60 All these 3 properties hold for * n on Z n *. Let’s show “closure”: x,y  Z n *  x * n y  Z n * First, a simple fact: Suppose GCD(x,n) = 1 and GCD(y,n) = 1 Let z = xy. Clearly, GCD(z, n) = 1. Also, define z’ = (xy mod n). Then GCD(z’,n)=1

61 All these 3 properties hold for * n on Z n *. Let’s show “closure”: x,y  Z n *  x * n y  Z n * Proof: Let z = xy. Let z’ = z mod n. Then z = z’ + kn. Suppose z’ not in Z_n^*. Then GCD(z’, n) > 1. and hence GCD(z, n) > 1. Hence there exists a prime p>1 s.t. p|z’ and p|n. p|z  p|x or p|y. (say p|x) Hence p|n, p|x, so GCD(x,n) > 1. Contradiction of x  Z n *

62 What are the properties of Z n * For * n on Z n we showed the following properties: [Closure] x, y  Z n  x * n y  Z n [Associativity] x, y, z  Z n  ( x * n y ) * n z = x * n ( y * n z ) [Commutativity] x, y  Z n  x * n y = y * n x What about * n on Z n * ?

63 Z 12 * = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} * 12 15711 1157 551 7 77 15 751

64 Z 15 * *12478111314 112478111314 2248 171113 4481 214711 771413411218 8812 413147 11 714213184 117114842 131187421

65 Z 5 * = {1,2,3,4} *5*5 1234 11234 22413 33142 44321 = Z 5 \ {0} For all primes p, Z p * = Z p \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1

66 Euler Phi Function  (n) Define  (n) = size of Z n * = number of 1 ≤ k < n that are relatively prime to n. p prime  Z p * = {1,2,3,…,p-1}   (p) = p-1

67 Z 12 * = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} * 12 15711 1157 551 7 77 15 751  (12) = 4

68 Theorem: if p,q distinct primes then  (pq) = (p-1)(q-1) How about p = 3, q = 5?

69 Theorem: if p,q distinct primes then  (pq) = (p-1)(q-1) pq = # of numbers from 1 to pq p = # of multiples of q up to pq q = # of multiples of p up to pq 1 = # of multiple of both p and q up to pq  (pq) = pq – p – q + 1 = (p-1)(q-1)

70 Additive and Multiplicative Inverses

71 The additive inverse of a  Z n is the unique b  Z n such that a + n b  n 0. We denote this inverse by “–a”. It is trivial to calculate: “-a” = (n-a).

72 The multiplicative inverse of a  Z n * is the unique b  Z n * such that a * n b  n 1. We denote this inverse by “a -1 ” or “1/a”. The unique inverse of “a” must exist because the “a” row contains a permutation of the elements and hence contains a unique 1. *1b34 11234 22413 a3142 44321

73 Efficient algorithm to compute a -1 from a and n. Run Extended Euclidean Algorithm on the numbers a and n. It will give two integers r and s such that ra + sn = gcd(a,n) = 1 Taking both sides modulo n, we obtain: ra  n 1 Output r, which is the inverse of a

74 Z n = {0, 1, 2, …, n-1} Z n * = {x  Z n | GCD(x,n) =1} Define + n and * n : a + n b = (a+b mod n) a * n b = (a*b mod n) c * n ( a + n b)  n (c * n a) + n (c* n b) 1.Closed 2.Associative 3.0 is identity 4.Additive Inverses 5.Cancellation 6.Commutative 1.Closed 2.Associative 3.1 is identity 4.Multiplicative Inverses 5.Cancellation 6.Commutative

75 Fundamental Lemmas until now For x, y, a, b in Z n, (x  n y) and (a  n b). Then 1) x + a  n y + b 2) x - a  n y - b 3) x * a  n y * b For a,b,c in Z n * then ca  n cb  a  n b

76 Fundamental lemma of powers? If (a  n b) Then x a  n x b ? NO! (2  3 5), but it is not the case that: 2 2  3 2 5

77 By the permutation property, two names for the same set: Z n * = aZ n * where aZ n * = {a * n x | x  Z n * }, a  Z n * *1234 11234 22413 a3142 44321 Example: Z 5 *

78 Two products on the same set: Z n * = aZ n * aZ n * = {a * n x | x  Z n * }, a  Z n *  x  n  ax [as x ranges over Z n * ]  x  n  x (a |Zn*| ) [Commutativity] 1 = a |Zn*| [Cancellation] a  (n) = 1

79 Euler’s Theorem a  Z n *, a  (n)  n 1 Fermat’s Little Theorem p prime, a  Z p *  a p-1  p 1

80 Fundamental lemma of powers. Suppose x  Z n *, and a,b,n are naturals. If a   (n) b Then x a  n x b Equivalently, x a mod  (n)  n x b mod  (n)

81 How do you calculate 2 4444444441 mod 5 Fundamental lemma of powers. Suppose x  Z n *, and a,b,n are naturals. If a   (n) b Then x a  n x b Equivalently, x a mod  (n)  n x b mod  (n) x a (mod n) = x a mod  (n) (mod n)

82 Defining negative powers Suppose x  Z n *, and a,n are naturals. x -a is defined to be the multiplicative inverse of x a x -a = (x a ) -1

83 Rule of integer exponents Suppose x,y  Z n *, and a,b are integers. (xy) -1  n x -1 y -1 X a X b  n X a+b

84 Z n = {0, 1, 2, …, n-1} Z n * = {x  Z n | GCD(x,n) =1} Quick raising to power. 1.Closed 2.Associative 3.0 is identity 4.Additive Inverses Fast + and - 5.Cancellation 6.Commutative 1.Closed 2.Associative 3.1 is identity 4.Multiplicative Inverses Fast * and / 5.Cancellation 6.Commutative

85 Fundamental lemma of powers. Suppose x  Z n *, and a,b,n are naturals. If a   (n) b Then x a  n x b Equivalently, x a mod  (n)  n x b mod  (n)

86 Euler Phi Function  (n) = size of Z n * p prime  Z p * = {1,2,3,…,p-1}   (p) = p-1  (pq) = (p-1)(q-1) if p,q distinct primes

87 The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

88 Back to our dramatis personae Rivest Shamir Adleman Euler Fermat

89 The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

90 Pick secret, random large primes: p,q “Publish”: n = p*q  (n) =  (p)  (q) = (p-1)*(q-1) Pick random e  Z *  (n) “Publish”: e Compute d = inverse of e in Z *  (n) Hence, e*d = 1 [ mod  (n) ] “Private Key”: d

91 n,e is my public key. Use it to send me a message. p,q random primes, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ]

92 n, e p,q prime, e random  Z *  (n) n = p*q e*d = 1 [ mod  (n) ] message m m e [mod n] (m e ) d  n m

Download ppt "Great Theoretical Ideas In Computer Science COMPSCI 102 Fall 2010 Lecture 16October 27, 2010Duke University Modular Arithmetic and the RSA Cryptosystem."

Similar presentations

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
and Factoring Integers (I)

and Factoring Integers (I)
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.

Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.
and Factoring Integers

and Factoring Integers
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.

Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CS555Spring 2012/Topic 61 Cryptography CS 555 Topic 6: Number Theory Basics.

CS555Spring 2012/Topic 61 Cryptography CS 555 Topic 6: Number Theory Basics.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 4 – Finite Fields.

1 Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 4 – Finite Fields.
RSA and its Mathematics Behind

RSA and its Mathematics Behind
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Prelude to Public-Key Cryptography Rocky K. C. Chang, February 2014 1.

Prelude to Public-Key Cryptography Rocky K. C. Chang, February
Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 31.

Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 31.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Similar presentations

Ads by Google