Security in Computing Chapter 12, Cryptography Explained Part 4


1

Security in Computing Chapter 12, Cryptography Explained

Part 4

Summary created by Kirk Scott

2

• This set of overheads corresponds to the second portion of section 12.3 in the book

• The overheads for Chapter 12 roughly track the topics in the chapter

• Keep this in mind though:

• On some topics I simply go over the book’s material

• On other topics I expand on the book’s material in a significant way

• You are responsible not just for what’s in the book, but also what’s in the overheads that’s not in the book

3

Euler’s Theorem and RSA Encryption

4

1. A Remark on Terminology

• In the original set of notes on the mathematics of encryption the algebraic terms group, ring, and field were introduced.

• The ring was noted as an intermediate structure, and up until this point the field was the structure of interest.

• If n is prime, all elements have an inverse, and addition and multiplication give a modular field.

• From this point on we are interested in the case where n is not prime.

5

• If n is not prime, then not all of the elements of the modular structure have an inverse.

• This is the key feature distinguishing a ring from a field.

• When referring to the algebraic structure formed by the operations and modulus where n is not prime, it is correct to refer to it as a ring instead of a field.

6

2. A Preliminary Result

• In previous sets of notes the following observations have been made:

• In a modular ring where n is not prime, there are repetitions in the multiplication table for factors of n.

• It was not shown that in general the factors are not invertible, but it was shown that it’s easy to find examples where such values are not invertible.

• It was also demonstrated that if n is prime, then all of the elements of the field are invertible.

7

• We are now interested in the case where n is not prime and the value a, in the ring, does not have any common factors with n.

• In other words, what if a and n are relatively prime?

• It is helpful to start this section by demonstrating that if they are relatively prime, then a is invertible.

8

• If a and n are relatively prime, you can state:

• gcd(a, n) = 1

• If this is the case, then it is also true that:

• lcm(a, n) = an

9

• This demonstration relies on some of the same reasoning as the demonstration that a is invertible if n is prime.

• In other words, I will appeal to the modular multiplication table and claim the following:

• The only valid values that can appear in the table are 0 through n – 1.

• Every row has n – 1 entries.

• Therefore, if there are no duplicates in a row, then the value 1 must appear, which implies that the value is invertible.

10

• The proof is done by contradiction.

• Suppose that for some value a, relatively prime to n, there are values b and c such that:

• $ab \equiv ac \pmod{n}$

• If this is the case, then there are values j and k such that:

• ab = jn + r and ac = kn + r

11

• ab = jn + r and ac = kn + r

• Combining these two equations you get:

• ab – ac = jn – kn

• a(b – c) = n(j – k)

12

• a(b – c) = n(j – k)

• Because b and c come from the ring, (b – c) < n.

• Now consider the equation above.

• It says that there is some multiple of n, n(j – k), which a is a factor of, where the other factor, (b – c) is less than n.

• This means that there is a common multiple of a and n which is less than an.

• This is a contradiction.

• Therefore, conclude that it is not possible to have a duplicate in the a row of the multiplication table, and a has an inverse.

13

3. Euler’s Totient

• In order to present Euler’s theorem, which comes next, it’s necessary to define Euler’s totient and give a few examples of it.

• Given some positive integer n, Euler’s totient is a function represented by Φ(n).

• The value of the function is defined to be the number of positive integers less than n that are relatively prime to n.

14

• The first example of Euler’s totient is the following:

• If n is prime, then Φ(n) = n – 1.

• That is, if n is prime, all values less than it are relatively prime to it.

• Now consider the case where n is the product of two prime factors, p and q.

• A simple result is given here and explained below:

• Φ(n) = Φ(pq) = (p – 1)(q – 1)

15

• Φ(n) = Φ(pq) = (p – 1)(q – 1)

• If p and q are factors of n, then p and q are not relatively prime to n.

• Likewise, any multiples of p and q are not relatively prime to n.

• We would like to count up how many multiples of p and q there are that are less than n.

16

• Φ(n) = Φ(pq) = (p – 1)(q – 1)

• If n = pq, there are q – 1 multiples of p less than n

• If n = pq, there are p – 1 multiples of q less than n

• Informally, you may see this directly:

• There are (p – 1) different multiples of p, values to multiply the (q – 1) different multiples of q by, and all of these products are relatively prime to and less than pq = n.

17

• More formally:

• Because p and q are both prime, they are relatively prime, and no multiple of p or q less than pq = n will be the same.

• Multiples of p and q, the factors of n, are not relatively prime to n = pq.

• The number of values that are NOT relatively prime to n is the sum of the number of multiples of p and q less than n:

• p – 1 + q – 1

18

• The total number of values less than n is pq – 1.

• Therefore, the total number of values that ARE relatively prime to n is the total minus the number that aren’t relatively prime:

• pq – 1 – (p – 1 + q – 1)

• = pq – p – q + 1

• = (p – 1)(q – 1)

• The right hand expression is the desired result.

19

• For p, q prime, n = pq, the number of values less than n that are relatively prime to n is (p – 1)(q – 1)

• In summary, you can write the following sequence:

• Φ(n) = Φ(pq) = Φ(p)Φ(q) = (p – 1)(q – 1)

• It is not generally true that Euler’s totient of a product is the product of the Euler’s totients of the factors, but it is true if there are two factors, each prime.

20

4. Euler’s Theorem

• Euler’s theorem is stated as follows:

• Let a, a < n be an element of the ring base n.

• Let a and n be relatively prime

• Let Euler’s totient, Φ(n), be defined as the number of positive integers less than n that are relatively prime to n

• Then the following holds:

• $a^{\Phi(n)} \equiv 1 \pmod{n}$

• Stated in words:

• a raised to a power equal to the number of values less than n that are relatively prime to n gives the multiplicative identity in the ring base n.

21

• There is a relationship between Fermat’s Little Theorem and Euler’s Theorem.

• You can use the same technique to come up with an expression for the inverse.

• Since a is relatively prime to n, a has an inverse in the ring

• Multiplying both sides of the equation of Euler’s theorem by the inverse gives:

• $a^{\Phi(n) - 1} \equiv a^{-1} \pmod{n}$

22

• Fermat’s theorem is a specialized case of Euler’s.

• In Fermat’s theorem you have to have n prime, which implies that any a will be relatively prime to n.

• In Euler’s theorem you have to have a and n relatively prime.

• Euler’s theorem can be used to derive Fermat’s theorem.

23

• Start with Euler’s theorem:

• $a^{\Phi(n)} \equiv 1 \pmod{n}$

• Let n be prime:

• Then Φ(n) = n – 1.

• Substitute (n – 1) for Φ(n) in Euler’s result:

• $a^{n-1} \equiv 1 \pmod{n}$

• Multiplying both sides by a gives Fermat’s result:

• $a^{n} \equiv a \pmod{n}$

24

Demonstrating Euler’s Theorem

• The proof of Euler’s theorem isn’t done with either contradiction or induction.

• You develop some expressions that allow you to write an equivalence that is easily verified.

• You then do some algebraic manipulations that can be verified.

• The manipulations result in this equivalence:

• $a^{\Phi(n)} \equiv 1 \pmod{n}$

• This is Euler’s result.

25

• Start by considering those elements of a modular ring, base n, which are relatively prime to n.

• There are Φ(n) of them by the definition of Euler’s totient.

• Let them be represented by subscripted r’s:

• $r_1, r_2, \ldots, r_{\Phi(n)}$

26

• Now for a given a, relatively prime to n, consider the result of multiplying each of the $r_i$ by a:

• $ar_1, ar_2, \ldots, ar_{\Phi(n)}$

• One of the $r_i$ is in fact a, so one of the products happens to be a times a

• This is true, but it has no particular consequence on the argument.

27

• $ar_1, ar_2, \ldots, ar_{\Phi(n)}$

• Since each of the factors of these products is relatively prime to n, then each product is also relatively prime to n.

• In other words, for an arbitrary $r_i$, $ar_i$ is relatively prime to n.

28

• If you took the modulus, base n, of this set of products, what you would get back is the set of $r_i$’s, not necessarily in the same order.

• This can be shown using a technique that has already been used.

• We know that the multiplication of a times the r’s results in Φ(n) values that are relatively prime to n.

• The question is, are there any duplicates among the $ar_i$?

29

• Suppose there is a duplicate:

• $ar_i \bmod n = ar_j \bmod n$

• You can write these equations expressing $ar_i$ and $ar_j$:

• $ar_i = kn + x$, $ar_j = cn + x$

• Subtracting one equation from the other gives:

• $ar_i - ar_j = kn - cn$

30

• $ar_i - ar_j = kn - cn$

• Factoring gives:

• $a(r_i - r_j) = n(k - c)$

• But $(r_i - r_j) < n$

• And n(k – c) is obviously a multiple of n

• This means that there is a multiple of a, $a(r_i - r_j)$, which is less than an, but which is a multiple of n.

31

• This is a contradiction.

• a and n are supposed to be relatively prime.

• This means that gcd(a, n) = 1

• It also means that lcm(a, n) = an.

• Notice that this argument is similar to the argument used to show that there were no duplicates in a row of a modular multiplication table when n was prime.

32

• By the time I’ve finished the proof of the intermediate result, I’ve forgotten what the result was…

• Given this set of products, where a is one of the values relatively prime to n and the $r_i$ are the complete set of values relatively prime to n:

• $ar_1, ar_2, \ldots, ar_{\Phi(n)}$

• If you took the modulus of each element of the set, you would get a permutation of the $r_i$.

33

• This means that there is a one-to-one correspondence between the $r_i$’s and the $ar_j$’s.

• Another way of expressing this is that for some i, there is some j such that the following holds true:

• $r_i \equiv ar_j \pmod{n}$

34

• Now, continuing with the demonstration of Euler’s theorem overall…

• The property of reducibility over multiplication in a modular ring means that the product of the mods equals the mod of the product.

• Also, commutativity says that it doesn’t matter what order you multiply in.

35

• These properties allow me to write this equivalence:

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv ar_1 \, ar_2 \cdots ar_{\Phi(n)} \pmod{n}$

• It doesn’t matter which $r_i$ specifically matches with which $ar_j$ in the one-to-one correspondence

• Overall, the modular equivalence of the products of the $r_i$’s and the $ar_i$’s holds

36

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv ar_1 \, ar_2 \cdots ar_{\Phi(n)} \pmod{n}$

• The next step mainly consists of doing a substitution so that the representation of this result is more compact.

• Associativity allows me to rewrite the equivalence in this way:

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv aa \cdots a \, r_1 r_2 \cdots r_{\Phi(n)} \pmod{n}$

37

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv aa \cdots a \, r_1 r_2 \cdots r_{\Phi(n)} \pmod{n}$

• There are Φ(n) occurrences of the factor a, because there was one a for each $r_i$.

• So the expression can be written:

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv a^{\Phi(n)} r_1 r_2 \cdots r_{\Phi(n)} \pmod{n}$

38

• $r_1 r_2 \cdots r_{\Phi(n)} \equiv a^{\Phi(n)} r_1 r_2 \cdots r_{\Phi(n)} \pmod{n}$

• Now represent the product of the $r_i$’s in compact form:

• $r_1 r_2 \cdots r_{\Phi(n)} = R$

• Then the equivalence overall can be represented in this compact form:

• $R \equiv a^{\Phi(n)} R \pmod{n}$

39

• All of the $r_i$ are relatively prime to n.

• Therefore, all of the $r_i$ are invertible in the modular ring base n.

• The inverse of the product is the product of the inverses.

• Therefore, the product of the $r_i$, R, has an inverse, $R^{-1}$, in the modular ring.

40

• This is where we’re at:

• $R \equiv a^{\Phi(n)} R \pmod{n}$

• Multiplying on both sides by $R^{-1}$ leads to the desired result:

• $RR^{-1} \equiv a^{\Phi(n)} RR^{-1} \pmod{n}$

• $1 \equiv a^{\Phi(n)} \pmod{n}$

• Or $a^{\Phi(n)} \equiv 1 \pmod{n}$

• Namely, Euler’s theorem.

41

5. General Remarks on RSA Encryption

• RSA encryption is based on properties of algebraic structures, including Euler’s theorem.

• It is a public key encryption scheme, which means that some information is kept private as the decryption key and other information is made public as the encryption key.

• RSA encryption is based on taking powers in a modular ring.

42

• The public key is some value e, together with the base of the modular ring, n.

• Plaintext is encrypted by raising it to the power e, modulus n.

• The private key is some value d.

• Ciphertext is decrypted by raising it to the power d, modulus n.

43

• In the book’s description of this, plaintext is represented as P.

• In order to eliminate any possible confusion with mathematical symbols, in these overheads the plaintext message will be represented by M.

• Written using notation, RSA encryption can be represented as follows:

• $C = M^e \bmod n$

• $M = C^d \bmod n = (M^e)^d \bmod n$

44

• Recall that a successful cryptosystem has to satisfy three basic requirements:

• 1. It has to work.

• 2. It has to be “easy” for authorized users; in other words, the complexity of authorized transformations has to be acceptably low.

• 3. When the system is used properly, it presents the cryptanalyst with a high complexity or high expense problem to solve.

45

• For RSA encryption, accomplishing these goals depends on making the right choices for the base of the ring and the encryption and decryption keys.

• It is done in a clever way that depends on yet another round of mathematical results in order to achieve the desired results.

46

• 1. First you have to choose a number which will serve as n, the base of the ring used for the encryption.

• Let p and q be prime.

• Let n = pq

• In other words, n is not prime.

• However, n is a special number, namely one that is the product of two primes only.

47

• 2. Choose d such that d is relatively prime to (p – 1)(q – 1).

• This can also be stated as: gcd(d, (p – 1)(q – 1)) = 1.

• Remember that by definition (p – 1)(q – 1) itself can’t be prime.

48

• If d is relatively prime to (p – 1)(q – 1), d has an inverse in the ring with the base (p – 1)(q – 1).

• The easiest way to pick d relatively prime is simply to pick d prime.

• Keep in mind that the ring for encryption is base n, not base (p – 1)(q – 1).

49

• 4. Let e be the inverse of d in the ring with base (p – 1)(q – 1).

• In other words:

• $ed \equiv 1 \pmod{(p-1)(q-1)}$

• Again, keep in mind that the inverse we’ve chosen is for the ring base (p – 1)(q – 1), even though the base of the ring for encryption is n.

• This is where the additional, clever mathematical results will come in.

50

• Now it can be shown how the scheme should work with these choices.

• Let M be the plaintext message to be encrypted.

• 1. The encryption is:

• $C = M^e \bmod n$

51

• 2. d and e were chosen so that

• $ed \equiv 1 \pmod{(p-1)(q-1)}$.

• This can be expressed as follows:

• ed = k((p – 1)(q – 1)) + 1.

52

• 3. The decryption is:

• $C^d \bmod n = (M^e)^d \bmod n$

• $= M^{ed} \bmod n$

• $= M^{k((p-1)(q-1)) + 1} \bmod n$

• $= M^{k\Phi(n) + 1} \bmod n$

53

• $= M^{k((p-1)(q-1)) + 1} \bmod n$

• $= M^{k\Phi(n) + 1} \bmod n$

• In case you’re foggy on the last step:

• n = pq

• It was established earlier that for p, q prime, Φ(n) = (p – 1)(q – 1).

• e and d are chosen the way they are so that you get this power on M.

54

• The sequence, again, looks like this:

• $C^d \bmod n$

• $= (M^e)^d \bmod n$

• $= M^{ed} \bmod n$

• $= M^{k((p-1)(q-1)) + 1} \bmod n$

• $= M^{k\Phi(n) + 1} \bmod n$

• The claim is that this last expression on the right is equivalent to M, mod n.

• The following section examines this claim.

55

6. Demonstrating that the RSA Scheme Works

• Before trying to formally demonstrate that RSA encryption works, it’s helpful to consider more closely what the expression at the end of the previous section means.

• We are interested in whether the following is true:

• $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

56

• Showing this expression to be true:

• $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

• *******

• k is just a constant.

• It arises in the expression in this way:

• $ed \equiv 1 \pmod{(p-1)(q-1)}$, that is, ed = k((p – 1)(q – 1)) + 1.

• Φ(n) is Euler’s totient.

• It is defined to be the number of values less than n that are relatively prime to n.

57

Case 1: M is relatively prime to n

• Showing this expression to be true:

• $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

• *******

• Euler’s theorem is stated in this way, for a relatively prime to n:

• $a^{\Phi(n)} \equiv 1 \pmod{n}$

• So if M is relatively prime to n, then:

• $M^{\Phi(n)} \equiv 1 \pmod{n}$

58

• Showing this expression to be true:

• $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

• *******

• In this case the result for RSA follows easily.

• Raise both sides to the kth power.

• $(M^{\Phi(n)})^k \equiv 1^k \pmod{n}$

• $M^{k\Phi(n)} \equiv 1 \pmod{n}$

• Multiply both sides by M.

• $M^{k\Phi(n)} M \equiv 1M \pmod{n}$

• $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

59

Case 2: M is not relatively prime to n

• The more challenging case is understanding what happens if M is not relatively prime to n.

• Remember that by definition, n is not prime.

• It is the product of p and q.

60

• In the end, we’re going to discover that for n = pq, p and q prime, we do get the desired result.

• However, it is worth stepping back and recalling that if a is a factor of n, a is not invertible in the modular ring base n.

• It will turn out that if a is not relatively prime to n, a is also not invertible.

• This means that the desired result comes for a different reason than invertibility.

61

• It is helpful to look at an example again.

• Let p = 2, q = 3, p and q prime

• n = (2)(3) = 6

• Φ(n) = (p – 1)(q – 1) = (1)(2) = 2

• The values 0 < k < n that are relatively prime to 6 are 1 and 5.

62

• 2 and 3 are factors of 6 and are not invertible.

• 4 is not a factor of 6, but it is also not relatively prime to 6.

• 4 and 6 share a factor of 2.

63

• Here is the modular multiplication table for the ring base 6:

* | 0 1 2 3 4 5
--+------------
0 | 0 0 0 0 0 0
1 | 0 1 2 3 4 5
2 | 0 2 4 0 2 4
3 | 0 3 0 3 0 3
4 | 0 4 2 0 4 2
5 | 0 5 4 3 2 1

64

• These are the observations about the contents of the table:

• As expected, the row for 5, relatively prime to 6, is a permutation of all of the values.

• 5 is invertible and the row contains the value 1.

65

• As expected, the rows for 2 and 3, the factors of 6, do not contain the value 1.

• The row for 4 also doesn’t contain the value 1.

• From this we conclude that in general a value that is not relatively prime is not invertible.

66

• The observations about factors of n generally apply to values that are not relatively prime to n.

• The rows for 2, 3, and 4 each contain repetitions of the values 2, 3, and 4.

• The patterns of repetition do differ.

67

• The row for 3 contains repetitions of 0 and 3.

• The rows for 2 and 4 contain repetitions of 0, 2, and 4.

• The difference in patterns isn’t important to the discussion.

68

• This is the critical observation—part 1:

• It is true that there is nothing you can multiply those values by to get 1 back.

• However, the repetitions in the table clearly show that there are values in the ring that you can multiply those values by to get the values themselves back.

• For decryption purposes, it’s not important to be able to get 1 back.

• It’s important to get the original value back.

69

• This is the critical observation—part 2:

• Actually, we’re not really interested in what you can multiply a value by in order to get that value back.

• As we will see, the numbers they can be multiplied by are already multiples of those values themselves.

• Therefore, there are powers which those values can be raised to which give those values back.

70

• We would like to see whether a message that is not relatively prime to n is decryptable in a ring base n.

• Try putting the values 2, 3, and 4 as the message M in a ring with base 6 and check (remember that kΦ(n) = 2):

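• This should hold: $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

• $2^{\Phi(n) + 1} \equiv 2^3 \equiv 8 \equiv 2 \pmod{6}$

• $3^{\Phi(n) + 1} \equiv 3^3 \equiv 27 \equiv 3 \pmod{6}$

• $4^{\Phi(n) + 1} \equiv 4^3 \equiv 64 \equiv 4 \pmod{6}$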

71

• For these simple examples it appears that RSA decryption works, even for those values which aren’t relatively prime to n.

• This is where we stand:

• 1. These values are not invertible.

• 2. However, they are repeated in the multiplication table.

• 3. More importantly, all of them raised to the special power Φ(n) + 1 give back M.

72

• This is what we would like to show in general:

• The pattern of repetitions in the table is such that for each row of a non-relatively prime element:

• It is not necessary for the row to contain all possible values of the ring, including a product of 1, implying there’s an inverse, in order to arrive at the same value again as a result of some product.

• You will hit a repetition of that element if the value is raised to the special power Φ(n) + 1.

73

• The proof of this given by Rivest, Shamir, and Adleman will be sketched out below.

• The heart of the proof and the potential source of confusion is this:

• The arguments involve more than one ring.

• For n = pq, one step of the argument will involve the ring base p, the next step will involve the ring base q.

• These two steps will be combined to reach the desired conclusion in the ring base n.

74

• Step 1: Thinking about p.

• Start with some M and n = pq, p and q prime.

• Since p is prime, Φ(p) = p – 1.

• And since p is prime, Euler’s theorem says that for any M:

• $M^{p - 1} \equiv 1 \pmod{p}$

• Or:

• $M^{p} \equiv M \pmod{p}$

75

• Now we make a statement about n based on the result for p alone:

• Since n = pq (p and q prime), Φ(n) = (p – 1)(q – 1).

• That is, Φ(n) is just (p – 1) times an integral constant:

• Φ(n) = j(p – 1)

76

• At this point in the argument you are considering the ring base p.

• However, we want to see what happens if we raise M to the power Φ(n) in this ring.

• $M^{\Phi(n)}$

• $\equiv M^{(p-1)(q-1)} \pmod{p}$

• $\equiv M^{j(p-1)} \pmod{p}$

• $\equiv (M^{(p-1)})^j \pmod{p}$

• $\equiv 1^j \pmod{p}$

• $\equiv 1 \pmod{p}$

77

• This is the result of the previous overhead:

• $M^{\Phi(n)} \equiv 1 \pmod{p}$

• This implies that for any integral constant k the following also holds:

• $M^{k\Phi(n)} \equiv (M^{\Phi(n)})^k \equiv 1^k \equiv 1 \pmod{p}$

• Multiplying both sides by M gives this result:

• $M^{k\Phi(n) + 1} \equiv M \pmod{p}$

• (All that really happened here was to trade k for j in the previous discussion.)

• Be careful to note that this is mod p, not mod n.

• This is not the final result yet.

78

• This was the previous result:

• $M^{k\Phi(n) + 1} \equiv M \pmod{p}$

• You can go through an analogous set of steps with q instead of p, giving this result:

• $M^{k\Phi(n) + 1} \equiv M \pmod{q}$

• These last two equivalences, one mod p and one mod q, will lead to the desired result.

79

• The logic of the argument can be outlined in simpler form and then applied to the expressions in M.

• Consider the following setup.

• We would like to show that:

• If n = pq with p and q prime,

• and if $a \equiv r \pmod{p}$ and $a \equiv r \pmod{q}$,

• then $a \equiv r \pmod{pq}$.

80

• To show: $a \equiv r \pmod{pq}$.

• If $a \equiv r \pmod{p}$ and $a \equiv r \pmod{q}$ hold, then there exist j and k such that:

• a = jp + r and a = kq + r

81

• To show: $a \equiv r \pmod{pq}$.

• a = jp + r and a = kq + r

• Or: (a – r) = jp and (a – r) = kq

• This can be summarized as:

• (a – r) is a common multiple of p and q.

82

• To show: $a \equiv r \pmod{pq}$.

• (a – r) = jp and (a – r) = kq

• (a – r) is a common multiple of p and q.

• Since p and q are prime, the lcm(p, q) = pq.

• So take the lcm() case.

• j = p or k = p.

• (a – r) = pq.

83

• To show: $a \equiv r \pmod{pq}$.

• (a – r) = pq

• Rearrange:

• a = pq + r

• And the result follows:

• a mod pq = r

• $a \equiv r \pmod{pq}$

84

• In summary:

• $a \equiv r \pmod{p}$ and $a \equiv r \pmod{q}$ implies that $a \equiv r \pmod{pq}$.

• In words

• p and q are prime

• n = pq

• a is equivalent to r mod p and mod q

• a is equivalent to r mod pq

85

• This is just what we need.

• For the ring base n, there are just two rows in the multiplication table that are factors, the rows for p and q

• These are the rows where duplicates can appear.

86

• By Euler’s theorem, these factors raised to Φ(n) + 1 in the “sub” rings base p and q are modularly equivalent to themselves.

• By the foregoing argument we found that these factors raised to Φ(n) + 1 in the “main” ring base n are also modularly equivalent to themselves.

• This whole affair works because RSA is based on n as the product of just 2 primes, p and q.

87

• Here is the result applied to the expressions in M:

• Given: $M^{k\Phi(n) + 1} \equiv M \pmod{p}$

• And given: $M^{k\Phi(n) + 1} \equiv M \pmod{q}$

• This implies that: $M^{k\Phi(n) + 1} \equiv M \pmod{pq}$

• Or: $M^{k\Phi(n) + 1} \equiv M \pmod{n}$

• Since n = pq

88

A Recapitulation

• Euler’s theorem tells you directly that for the M that are relatively prime to n, raising them to the power kΦ(n) + 1 gives back M.

• This result tells you that for all of the M not relatively prime to n, raising them to the power kΦ(n) + 1 also gives back M.

89

• Here are the bits and pieces again, in terms of RSA encryption:

• n = pq, p and q prime

• M is an arbitrary message, not necessarily relatively prime to n

• You choose e and d to be inverses in the modular ring base (p – 1)(q – 1)

• That means that ed = k[(p – 1)(q – 1)] + 1

90

• For n = pq, p and q prime, Φ(n) = (p – 1)(q – 1)

• Therefore, ed = kΦ(n) + 1

• From Euler’s theorem we know that raising a relatively prime element a of the ring base n to the power kΦ(n) + 1 will give a back.

• From the most recent result we know that the same holds true when a is not relatively prime to n.

91

• The following sequence, finally, shows that encryption followed by decryption works (regardless of whether M is relatively prime to n or not).

• $(M^e)^d$

• $\equiv M^{ed} \pmod{n}$

• $\equiv M^{k((p-1)(q-1)) + 1} \pmod{n}$

• $\equiv M^{k\Phi(n) + 1} \pmod{n}$

• $\equiv M \pmod{n}$
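
The following Python check is an added example, not part of the original overheads. It computes Φ(n) from its definition, confirms that multiplying the relatively prime elements by a permutes them, and lists every M for which M^(kΦ(n) + 1) fails to give back M. The function names are illustrative, and the moduli 12 and 9 are added here to show what happens when n is not a product of two distinct primes.

```python
from math import gcd


def units(n):
    """Elements of the ring base n that are relatively prime to n."""
    return [r for r in range(1, n) if gcd(r, n) == 1]


def phi(n):
    """Euler's totient, computed directly from its definition."""
    return len(units(n))


def row_is_permutation(a, n):
    """True if a*r_i mod n, taken over all units r_i, rearranges the units."""
    return sorted(a * r % n for r in units(n)) == units(n)


def euler_holds(n):
    """True if a^phi(n) = 1 (mod n) for every a relatively prime to n."""
    t = phi(n)
    return all(pow(a, t, n) == 1 for a in units(n))


def roundtrip_failures(n, k=1):
    """Every M in 0..n-1 for which M^(k*phi(n)+1) mod n is not M."""
    exponent = k * phi(n) + 1
    return [m for m in range(n) if pow(m, exponent, n) != m]


if __name__ == "__main__":
    # 6, 143 and 2773 are the moduli used in the overheads.
    # 12 = 2*2*3 and 9 = 3*3 are added counterexamples (assumption of
    # this example, not values from the overheads).
    for n in (6, 143, 2773, 12, 9):
        print(
            f"n={n:5d} phi={phi(n):5d} "
            f"Euler holds={euler_holds(n)} "
            f"M with M^(phi+1) != M: {roundtrip_failures(n)}"
        )
```

For 6, 143 and 2773 the failure list is empty, including the values of M that share a factor with n. For 12 and 9 Euler's theorem still holds for the relatively prime elements, but some of the other elements are not recovered.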

92

7. Examples

• Here is a simple example taken from a previous edition of the textbook:

• Let p = 11, q = 13 (both prime)

• n = (11)(13) = 143

• Φ(n) = (11 – 1)(13 – 1) = (10)(12) = 120

• 120 = (p – 1)(q – 1) is the base of the ring where we want e and d to be inverses of each other.

93

• In order for d to be invertible in the ring base 120, it has to be relatively prime to 120.

• Let d = 11, prime.

• Observe that (11)(11) = 121.

• That means that $d^{-1} = e = 11$ in the ring base 120.

• It is simply a coincidence that 11 is its own inverse in this ring.

• It would obviously be unwise to have the encryption and decryption keys be the same.

• This may be why the book got rid of this example.

94

• This gives you all of the needed parameters in the correct relationships to each other in order to do encryption.

• Suppose you wanted to encrypt M = 7.

• $C = M^e \bmod n = 7^{11} \bmod 143 = 106$

• You can easily verify the decryption:

• $M = C^d \bmod n = 106^{11} \bmod 143 = 7$

95

• With values this small it is not too difficult to work these kinds of problems with a pocket calculator.

• If you calculate powers by repeated multiplication, whenever a result gets large enough to threaten to overflow the calculator, make use of reducibility and find the modulus base n in order to bring it back into a reasonable range.

96

• The contents of this set of notes are a simplified and incomplete presentation of the ideas given in the original research article which presented RSA encryption.

• This presentation also makes use of the information as explained in the textbook.

97

• If you are interested in looking at the original article, here is its citation.

• You can find it in the library:

• Rivest, R. L., A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, February 1978, V. 21, n. 2, pp. 120-126.

98

• I am giving the citation here because what follows is another example, lifted in its entirety from this original research paper.

• It is more representative of reality than the thumbnail example above because it uses larger numbers and includes the question of how a message is encoded, as opposed to simply encoding a decimal value like 7.

99

• Let p = 47, q = 59 (both prime)

• n = (47)(59) = 2773

• Φ(n) = (47 – 1)(59 – 1) = (46)(58) = 2668

• Choose d relatively prime to 2668.

• Let d = 157, prime.

100

• Observe that (157)(17) mod 2668 = 1.

• That means that $d^{-1} = e = 17$ in the ring with base 2668.

• I have avoided the question of how to compute the inverse, which is not completely trivial.

• See the next section.

101

• This gives you all of the needed parameters in the correct relationships to each other in order to do encryption.

• The authors suggest the following blocking scheme for encoding symbols as decimal numbers:

• Blank = 00, A = 01, B = 02, …, Z = 26

102

• Then they pick this message to encode:

• ITS ALL GREEK TO ME

• Julius Caesar, I, ii, 288, paraphrased; see below

• Using the blocking scheme, this gives this sequence of digits:

• 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

103

• The digits are now given in blocks of 4 for a reason.

• Since the largest pair of digits for a single symbol is 26, the largest grouping of four digits would be 2626, which is less than 2773.

• That means that with n = 2773 you can encode four digits or two letters at a time in a block.

104

• Starting with the first block, M = 0920, encoding gives:

• $(920)^{17} \bmod 2773 = 948$

• The article gives the complete encoding as:

• 0948 2342 1084 1444 2663 2390 0778 0774 0219 1655

• The authors invite the reader to verify the decryption.

• For example:

• $948^{157} \bmod 2773 = 920$, and so on.
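
The two worked examples above can be reproduced end to end. The following Python code is an added example, not taken from the overheads or from the original article: it finds e from d with the extended Euclidean algorithm (the step the overheads skip), raises to a power by repeated squaring with a reduction mod n after every multiplication (the pocket calculator advice above), and applies the blocking scheme Blank = 00, A = 01, …, Z = 26. All function names are illustrative.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(d, m):
    """Inverse of d in the ring base m; d must be relatively prime to m."""
    g, x, _ = egcd(d, m)
    if g != 1:
        raise ValueError(f"{d} is not invertible in the ring base {m}")
    return x % m


def mod_pow(base, exp, n):
    """Square-and-multiply, reducing mod n after every multiplication so
    that no intermediate value ever exceeds (n - 1)^2."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = result * base % n
        base = base * base % n
        exp >>= 1
    return result


def encode(text):
    """Blank = 00, A = 01, ..., Z = 26; two symbols per four-digit block."""
    codes = []
    for ch in text:
        if ch == " ":
            codes.append(0)
        elif "A" <= ch <= "Z":
            codes.append(ord(ch) - ord("A") + 1)
        else:
            raise ValueError(f"symbol {ch!r} is not in the blocking scheme")
    if len(codes) % 2:
        codes.append(0)  # pad the last block with a blank
    return [100 * codes[i] + codes[i + 1] for i in range(0, len(codes), 2)]


def decode(blocks):
    """Inverse of encode(); a padding blank, if any, is kept."""
    symbols = []
    for block in blocks:
        symbols += divmod(block, 100)
    return "".join(" " if s == 0 else chr(s + ord("A") - 1) for s in symbols)


# Parameters of the example from the article, as given in the overheads.
P, Q, D = 47, 59, 157
N = P * Q                      # 2773
PHI = (P - 1) * (Q - 1)        # 2668
E = mod_inverse(D, PHI)        # public exponent derived from d


def encrypt(blocks):
    return [mod_pow(m, E, N) for m in blocks]


def decrypt(blocks):
    return [mod_pow(c, D, N) for c in blocks]


if __name__ == "__main__":
    plain = encode("ITS ALL GREEK TO ME")
    cipher = encrypt(plain)
    print("e =", E)
    print("plaintext blocks: ", " ".join(f"{m:04d}" for m in plain))
    print("ciphertext blocks:", " ".join(f"{c:04d}" for c in cipher))
    print("decrypted text:   ", decode(decrypt(cipher)))
```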

105

• To conclude this section, here is more information for your liberal education.

• This is an explanation of the source of the phrase that the authors used for encryption.

• The Phrase Finder. www.phrases.org.uk

• Re: It's all Greek to me. Posted by Barbara DuVall on April 25, 2001 at 23:17:16:

• In Reply to: Re: It's all Greek to me posted by Arnie on February 29, 2000 at 08:40:06:

106

• Well, I'm pretty certain it's from William Shakespeare's play Julius Caesar. At any rate I'm including a direct quote from the play, Act I, Scene ii: The character Casca tells his companions Cassius and Brutus he couldn't understand anything Marc Antony said in a speech to the Roman populace because he didn't speak in Latin,

• "But those that understood him smiled at one another and shook their heads; but for mine own part, it was Greek to me."

107

8. Various Conceptual and Practical Issues with RSA Encryption

• It is worth taking a moment to consider:

• What are the public and private keys of RSA encryption?

• What problem is RSA fundamentally based on?

• What are the real computational issues involved in using RSA encryption?

108

• The public key consists of the values e and n.

• Literally speaking, the private key consists of d used with n

• Only d is secret.

• Notice, however, that n is the product of p and q

• If p and q are known, given e, it is possible to find d. (Invert in the ring base (p – 1)(q – 1).)

• Therefore, although d is the private key, the prime factors of n, p and q, have to be kept secret.

109

• This fact reveals the fundamental problem that RSA encryption is based on, namely factorization.

• If you can factor n, part of the public key, into pq, then you’ve broken the code.

• This is not even an NP complete problem, but it is a computationally expensive one.

110

• Given some reasonably large n, you have to identify the prime numbers that are less than it and then test each to see whether it goes in evenly, leaving another prime as the other factor.

• This is the problem faced by the cryptanalyst, and with current hardware and algorithms the problem is hard enough to be the basis of an encryption system.
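
Why p and q have to stay secret, and why the size of n matters, can be seen on the toy moduli used in these overheads. The following Python code is an added example, not part of the original overheads: it factors n by trial division, inverts e in the ring base (p – 1)(q – 1) to recover d, and estimates the worst-case number of trial divisions for a modulus of a given number of decimal digits. The function names are illustrative, the candidate divisors are 2 and the odd numbers rather than a list of primes, and the built-in pow(e, -1, m) needs Python 3.8 or later.

```python
from math import isqrt


def trial_factor(n):
    """Factor n = p*q by trial division up to sqrt(n).

    Returns (p, q, divisions), where divisions is the number of
    candidate divisors that were tested.
    """
    divisions = 0
    for p in [2] + list(range(3, isqrt(n) + 1, 2)):
        divisions += 1
        if n % p == 0:
            return p, n // p, divisions
    raise ValueError(f"{n} has no factor up to its square root")


def recover_private_exponent(e, n):
    """Recover d from the public key (e, n) once n has been factored."""
    p, q, _ = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def worst_case_divisions(digits):
    """Rough upper bound on trial divisions for a modulus just below
    10**digits: about half of the integers up to its square root."""
    return isqrt(10 ** digits) // 2


if __name__ == "__main__":
    # Public keys of the two examples in the overheads.
    for e, n in ((11, 143), (17, 2773)):
        p, q, tried = trial_factor(n)
        d = recover_private_exponent(e, n)
        print(f"n={n}: p={p}, q={q} after {tried} divisions, d={d}")
    # The 200-digit size is the one suggested in the overheads.
    for digits in (4, 20, 200):
        print(f"{digits:3d}-digit n: up to about "
              f"{worst_case_divisions(digits):.3e} trial divisions")
```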

111

• The implementer of RSA encryption faces certain decisions and computational issues.

• These include:

• 1. Picking p and q prime.

• Although the algorithms are not simple, the problem of finding primes is not insurmountable.

112

• 2. Choosing d relatively prime to (p – 1)(q – 1).

• The easiest choice is for d simply to be prime.

• Again, finding primes is not too hard.

• Rivest, Shamir, and Adleman suggest choosing d to be greater than max(p, q).

• They state that the values of the parameters should be large enough so that a cryptanalyst can’t find d by a direct (brute force) search.

113

• Finding e, the inverse of d, in the modular ring base n.

• As noted in a previous set of notes, Knuth has given a practical algorithm for finding the inverse, and there are various reasonably good algorithms for finding primes.

• It would probably be somewhat difficult for the average college student programmer to implement RSA encryption using a general purpose programming language.

114

• However, professional systems can be developed where the run-time complexity is of an order allowing it to be practically useful.

• The algorithms can also be implemented in hardware, which makes them very fast.

• Keep in mind that public key encryption is mainly useful for symmetric key exchange.

• Then symmetric encryption, which is less computationally intensive, can be used for data exchange.

115

• 5. Another practical issue concerns the magnitudes, or sizes of the values, that would render this a secure scheme.

• Rivest, Shamir, and Adleman suggest an n of around 200 decimal digits, and the textbook author says that p and q are typically nearly 100 decimal digits each.

116

• In a sense, it is the magnitude of the values that make the system secure, not the complexity of the problem it’s based on.

• These magnitudes are another reason why it would not be easy for a student programmer to implement such a system.

• The average programmer isn’t trained in the techniques of manipulating numeric values larger than those supported by the types of a high level language.

117

• Finally, you might ask, does RSA encryption have any cryptographic flaws or weaknesses?

• In a sense, its strength and weakness are one and the same.

• Fundamentally, it is based on factoring.

• As long as finding the prime factorization of some large n is a computationally expensive process, RSA will remain secure.

118

• When the time comes that either new algorithms or new hardware have rendered this a computationally tractable problem, RSA encryption will no longer be secure.

• As noted above, factoring isn’t even an NP complete problem.

119

• If you assume that things like Moore’s law will continue to be true, then most computational problems will eventually be amenable to solution in ways quicker than they are now.

• That means that any scheme, such as RSA encryption, is a pragmatic solution to a current problem, but at some point will be ineffective and will be replaced by something else.

• It is conceivable that its life span will be increased by increasing the size of the numbers involved.

120

• Here is a common expression in the English language that might be thought to summarize this point of view:

• “All things must pass.”

• Here is another citation from the Phrasefinder giving the source of the expression:

• Origin: From the Bible. Matthew 24:6-8:

121

• And ye shall hear of wars and rumors of wars: see that ye be not troubled: for all these things must come to pass, but the end is not yet. For nation shall rise against nation, and kingdom against kingdom: and there shall be famines, and pestilences, and earthquakes, in divers places. All these are the beginning of sorrows.

122

The End
