Modular Arithmetic and The RSA Cryptosystem
Modular Arithmetic and The RSA Cryptosystem
Modular Arithmetic and The RSA Cryptosystem
p
1
Starring
Rivest
Shamir Adleman
Euler
Fermat
The RSA Cryptosystem
Rivest, Shamir, and Adelman (1978)
RSA is one of the most used
cryptographic protocols on the net. Your
browser uses it to establish a secure
session with a site.
Pick secret, random large primes: p,q
Publish: n = p*q
|(n) = |(p) |(q) = (p-1)*(q-1)
Pick random e e Z
*
|(n)
Publish: e
Compute d = inverse of e in Z
*
|(n)
Hence, e*d = 1 [ mod |(n) ]
Private Key: d
Mumbo jumbo
More Mumbo jumbo
n,e is my
public key.
Use it to
send me a
message.
p,q random primes, e random e Z
*
|(n)
n = p*q
e*d = 1 [ mod |(n) ]
n,
e
p,q prime, e random e Z
*
|(n)
n = p*q
e*d = 1 [ mod |(n) ]
messag
e m
m
e
[mod n]
(m
e
)
d
n
m
But how does it all work?
What is (n)?
What is Z
(n)
*
?
Why do all the steps work?
To understand this, we need a little
number theory...
MAX(a,b) + MIN(a,b) = a+b
n|m means that m is an integer
multiple of n.
We say that n divides m.
Greatest Common Divisor:
GCD(x,y) =
greatest k 1 s.t. k|x and k|y.
Least Common Multiple:
LCM(x,y) =
smallest k 1 s.t. x|k and y|k.
Fact:
GCD(x,y) LCM(x,y) = x y
GCD(x,y) LCM(x,y) = xy
MAX(a,b) + MIN(a,b) = a+b
(a mod n) means the
remainder when
a is divided by n.
If a = dn + r with 0 r < n
Then r = (a mod n)
and d = (a div n)
Defn: Modular equivalence
of integers a and b
a b [mod n]
if (a mod n) = (b mod n)
n|(a-b)
Written as a
n
b, and spoken
a and b are equivalent modulo n
31 81 [mod 2]
31
2
81
n
is an equivalence relation
In other words,
Reflexive:
a
n
a
Symmetric:
(a
n
b) ) (b
n
a)
Transitive:
(a
n
b and b
n
c) ) (a
n
c)
a
n
b $ n|(a-b)
a and b are equivalent modulo n
n
induces a natural partition of the
integers into n classes.
a and b are said to be in the same
residue class or congruence class
exactly when a
n
b.
a
n
b $ n|(a-b)
a and b are equivalent modulo n
Define
Residue class [i]
=
the set of all integers that are
congruent to i modulo n.
Residue Classes Mod 3:
[0] = { , -6, -3, 0, 3, 6, ..}
[1] = { , -5, -2, 1, 4, 7, ..}
[2] = { , -4, -1, 2, 5, 8, ..}
[-6] = { , -6, -3, 0, 3, 6, ..}
[7] = { , -5, -2, 1, 4, 7, ..}
[-1] = { , -4, -1, 2, 5, 8, ..}
Fact: equivalence mod n implies
equivalence mod any divisor of n.
If (x
n
y) and (k|n)
Then: x
k
y
Example: 10
6
16 ) 10
3
16
If (x
n
y) and (k|n)
then x
k
y
Proof:
Fundamental lemma of plus,
minus, and times modulo n:
If (x
n
y) and (a
n
b). Then
1) x + a
n
y + b
2) x - a
n
y b
3) x * a
n
y * b
Proof of 3: xa = yb (mod n)
(The other two proofs are similar)
Fundamental lemma of plus
minus, and times modulo n:
When doing plus, minus, and times
modulo n, I can at any time in the
calculation replace a number with
a number in the same residue class
modulo n
Please calculate:
249 * 504 mod 251
when working mod 251
-2 * 2 = -4 = 247
A Unique Representation
System Modulo n:
We pick exactly
one representative from
each residue class.
We do all our calculations using
these representatives.
Unique representation system
modulo 3
Finite set S = {0, 1, 2}
+ and * defined on S:
+ 0 1 2
0 0 1 2
1 1 2 0
2 2 0 1
* 0 1 2
0 0 0 0
1 0 1 2
2 0 2 1
Unique representation system
modulo 3
Finite set S = {0, 1, -1}
+ and * defined on S:
+ 0 1 -1
0 0 1 -1
1 1 -1 0
-1 -1 0 1
* 0 1 -1
0 0 0 0
1 0 1 -1
-1 0 -1 1
Perhaps the most convenient set of
representatives:
The reduced system modulo n:
Z
n
= {0, 1, 2, , n-1}
Define operations +
n
and *
n
:
a +
n
b = (a+b mod n)
a *
n
b = (a*b mod n)
Z
n
= {0, 1, 2, , n-1}
a +
n
b = (a+b mod n) a *
n
b = (a*b mod n)
[Closed]
x, y 2 Z
n
) x +
n
y 2 Z
n
[Associative]
x, y, z2 Z
n
) ( x +
n
y ) +
n
z = x +
n
( y +
n
z )
[Commutative]
x, y2 Z
n
) x +
n
y = y +
n
x
Z
n
= {0, 1, 2, , n-1}
a +
n
b = (a+b mod n) a *
n
b = (a*b mod n)
[Closed]
x, y 2 Z
n
) x *
n
y 2 Z
n
[Associative]
x, y, z2 Z
n
) ( x *
n
y ) *
n
z = x *
n
( y *
n
z )
[Commutative]
x, y2 Z
n
) x *
n
y = y *
n
x
Z
n
= {0, 1, 2, , n-1}
a +
n
b = (a+b mod n) a *
n
b = (a*b mod n)
+
n
and *
n
are
commutative,
associative
binary operators
from Z
n
X Z
n
! Z
n
:
The reduced system modulo 3
Z
3
= {0, 1, 2}
Two binary, associative operators on Z
3
:
+
3
0 1 2
0 0 1 2
1 1 2 0
2 2 0 1
*
3
0 1 2
0 0 0 0
1 0 1 2
2 0 2 1
The reduced system modulo 2
Z
2
= {0, 1}
Two binary, associative operators on Z
2
:
`
+
2
0 1
0 0 1
1 1 0
*
2
0 1
0 0 0
1 0 1
The Boolean interpretation of Z
2
Z
2
= {0, 1}
Two binary, associative operators on Z
2
:
`
+
2
XOR
0 1
0 0 1
1 1 0
*
2
AND
0 1
0 0 0
1 0 1
The reduced system
Z
4
= {0, 1,2,3}
+ 0 1 2 3
0 0 1 2 3
1 1 2 3 0
2 2 3 0 1
3 3 0 1 2
* 0 1 2 3
0 0 0 0 0
1 0 1 2 3
2 0 2 0 2
3 0 3 2 1
The reduced system
Z
5
= {0,1,2,3,4}
+ 0 1 2 3 4
0 0 1 2 3 4
1 1 2 3 4 0
2 2 3 4 0 1
3 3 4 0 1 2
4 4 0 1 2 3
* 0 1 2 3 4
0 0 0 0 0 0
1 0 1 2 3 4
2 0 2 4 1 3
3 0 3 1 4 2
4 0 4 3 2 1
The reduced system
Z
6
= {0,1,2,3,4,5}
+ 0 1 2 3 4 5
0 0 1 2 3 4 5
1 1 2 3 4 5 0
2 2 3 4 5 0 1
3 3 4 5 0 1 2
4 4 5 0 1 2 3
5 5 0 1 2 3 4
* 0 1 2 3 4 5
0 0 0 0 0 0
1 0 1 2 3 4
2 0 2 4 0 2
3 0
4 0 4 2 0 4
5 0 5 4 3 2
The reduced system
Z
6
= {0,1,2,3,4,5}
+ 0 1 2 3 4 5
0 0 1 2 3 4 5
1 1 2 3 4 5 0
2 2 3 4 5 0 1
3 3 4 5 0 1 2
4 4 5 0 1 2 3
5 5 0 1 2 3 4
An operator has
the permutation
property if each
row and each
column has a
permutation of
the elements.
For every n, +
n
on Z
n
has the
permutation property
+ 0 1 2 3 4 5
0 0 1 2 3 4 5
1 1 2 3 4 5 0
2 2 3 4 5 0 1
3 3 4 5 0 1 2
4 4 5 0 1 2 3
5 5 0 1 2 3 4
An operator has
the permutation
property if each
row and each
column has a
permutation of
the elements.
What about multiplication?
Does *
6
on Z
6
have the
permutation property?
An operator has
the permutation
property if each
row and each
column has a
permutation of
the elements.
* 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 0 2 4
3 0 3 0 3 0 3
4 0 4 2 0 4 2
5 0 5 4 3 2 1
* 0 1 2 3 4 5 6 7
0
1
2
3
4
5
6
7
What about *
8
on Z
8
?
Which rows have the permutation property?
There are exactly 8 distinct
multiples of 3 modulo 8.
7
5 3
1
0
6 2
4
hit all numbers row 3 has the permutation property
There are exactly 2 distinct
multiples of 4 modulo 8
7
5 3
1
0
6 2
4
row 4 does not have permutation property for *
8
on Z
8
There is exactly 1 distinct
multiple of 8 modulo 8
7
5 3
1
0
6 2
4
There are exactly 4 distinct
multiples of 6 modulo 8
7
5 3
1
0
6 2
4
There are exactly
LCM(n,c)/c = n/GCD(c,n)
distinct multiples of c modulo n
and hence
values of c with GCD(c,n) = 1
have the permutation property
for *
n
on Z
n
The multiples of c modulo n is the set:
{0, c, c +
n
c, c +
n
c +
n
c, .}
= {kc mod n | 0 k n-1}
7
5 3
1
0
6 2
4
Multiples of 6
Theorem: There are exactly
k = n/GCD(c,n) = LCM(c,n)/c
distinct multiples of c modulo n: { c*i mod n | 0 i < k }
Clearly, c/GCD(c,n) 1 is a whole number
ck = n [c/GCD(c,n)]
n
0
There are k distinct multiples of c mod n:
c*0, c*1, c*2, , c*(k-1)
Also, k = all the factors of n missing from c
cx
n
cy $ n|c(x-y) ) k|(x-y) ) x-y k
There are k multiples of c. Hence exactly k.
Fundamental lemma of plus,
minus, and times modulo n:
If (x
n
y) and (a
n
b). Then
1) x + a
n
y + b
2) x - a
n
y - b
3) x * a
n
y * b
Is there a fundamental lemma of
division modulo n?
cx
n
cy x
n
y ?
Of course not!
If c=0[mod n], cx
n
cy for all x and y.
Canceling the c is like dividing by zero.
Lets fix that!
Repaired fundamental lemma
of division modulo n?
if c = 0 [mod n], then
cx
n
cy x
n
y ?
6*3
10
6*8, but not 3
10
8.
2*2
6
2*5, but not 2
6
5.
When can I divide by c?
Theorem: There are exactly n/GCD(c.n)
distinct multiples of c modulo n.
Corollary: If GCD(c,n) > 1, then the number
of multiples of c is less than n.
Corollary: If GCD(c,n) > 1 then you cant
always divide by c.
Proof: There must exist distinct x,y<n such
that c*x=c*y (but x=y). Hence cant divide.
Fundamental lemma of division modulo n:
if GCD(c,n)=1, then ca
n
cb a
n
b
Proof:
Corollary for general c:
cx
n
cy x
n/GCD(c,n)
y
Fundamental lemma of division modulo n.
If GCD(c,n)=1, then ca
n
cb a
n
b
Consider the set
Z
n
*
= {x 2 Z
n
| GCD(x,n) =1}
Multiplication over this set Z
n
*
will
have the cancellation property.
Z
6
= {0, 1,2,3,4,5}
Z
6
*
= {1,5}
+ 0 1 2 3 4 5
0 0 1 2 3 4 5
1 1 2 3 4 5 0
2 2 3 4 5 0 1
3 3 4 5 0 1 2
4 4 5 0 1 2 3
5 5 0 1 2 3 4
* 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 0 2 4
3 0 3 0 3 0 3
4 0 4 2 0 4 2
5 0 5 4 3 2 1
What are the properties of Z
n
*
For *
n
on Z
n
we showed the following properties:
[Closure]
x, y 2 Z
n
x *
n
y 2 Z
n
[Associativity]
x, y, z2 Z
n
( x *
n
y ) *
n
z = x *
n
( y *
n
z )
[Commutativity]
x, y2 Z
n
x *
n
y = y *
n
x
What about *
n
on Z
n
*
?
All these 3 properties hold for *
n
on Z
n
*
.
Lets show closure: x,y e Z
n
*
x *
n
y e Z
n
*
First, a simple fact:
Suppose GCD(x,n) = 1 and GCD(y,n) = 1
Let z = xy. Clearly, GCD(z, n) = 1.
Also, define z = (xy mod n). Then GCD(z,n)=1
All these 3 properties hold for *
n
on Z
n
*
.
Lets show closure: x,y e Z
n
*
x *
n
y e Z
n
*
Proof: Let z = xy. Let z = z mod n. Then z = z + kn.
Suppose z not in Z_n^*. Then GCD(z, n) > 1.
and hence GCD(z, n) > 1.
Hence there exists a prime p>1 s.t. p|z and p|n.
p|z ) p|x or p|y. (say p|x)
Hence p|n, p|x, so GCD(x,n) > 1.
Contradiction of x 2 Z
n
*
What are the properties of Z
n
*
For *
n
on Z
n
we showed the following properties:
[Closure]
x, y 2 Z
n
x *
n
y 2 Z
n
[Associativity]
x, y, z2 Z
n
( x *
n
y ) *
n
z = x *
n
( y *
n
z )
[Commutativity]
x, y2 Z
n
x *
n
y = y *
n
x
What about *
n
on Z
n
*
?
Z
12
*
= {0 x < 12 | gcd(x,12) = 1}
= {1,5,7,11}
*
12
1 5 7 11
1 1 5 7 11
5 5 1 11 7
7 7 11 1 5
11 11 7 5 1
Z
15
*
* 1 2 4 7 8 11 13 14
1 1 2 4 7 8 11 13 14
2 2 4 8 14 1 7 11 13
4 4 8 1 13 2 14 7 11
7 7 14 13 4 11 2 1 8
8 8 1 2 11 4 13 14 7
11 11 7 14 2 13 1 8 4
13 13 11 7 1 14 8 4 2
14 14 13 11 8 7 4 2 1
Z
5
*
= {1,2,3,4}
*
5
1 2 3 4
1 1 2 3 4
2 2 4 1 3
3 3 1 4 2
4 4 3 2 1
= Z
5
\ {0}
For all primes p, Z
p
*
= Z
p
\ {0},
since all 0 < x < p satisfy gcd(x,p) = 1
Euler Phi Function |(n)
Define |(n) = size of Z
n
*
= number of 1 k < n that
are relatively prime to n.
p prime Z
p
*
= {1,2,3,,p-1}
u(p) = p-1
Z
12
*
= {0 x < 12 | gcd(x,12) = 1}
= {1,5,7,11}
*
12
1 5 7 11
1 1 5 7 11
5 5 1 11 7
7 7 11 1 5
11 11 7 5 1
|(12) = 4
Theorem: if p,q distinct primes
then |(pq) = (p-1)(q-1)
How about p = 3, q = 5?
Theorem: if p,q distinct primes
then |(pq) = (p-1)(q-1)
pq = # of numbers from 1 to pq
p = # of multiples of q up to pq
q = # of multiples of p up to pq
1 = # of multiple of both p and q up to pq
|(pq) = pq p q + 1 = (p-1)(q-1)
Additive and Multicative
Inverses
The additive inverse of a 2 Z
n
is the unique b2 Z
n
such that
a +
n
b
n
0.
We denote this inverse by a.
It is trivial to calculate:
-a = (n-a).
The multiplicative inverse of a2 Z
n
*
is
the unique b2 Z
n
*
such that
a *
n
b
n
1.
We denote this inverse by a
-1
or 1/a.
The unique inverse of a
must exist because the
a row contains a
permutation of the
elements and hence
contains a unique 1.
* 1 b 3 4
1 1 2 3 4
2 2 4 1 3
a 3 1 4 2
4 4 3 2 1
Efficient algorithm to
compute a
-1
from a and n.
Run Extended Euclidean Algorithm
on the numbers a and n.
It will give two integers r and s
such that ra + sn = gcd(a,n) = 1
Taking both sides modulo n,
we obtain: ra
n
1
Output r, which is the inverse of a
Z
n
= {0, 1, 2, , n-1}
Z
n
*
= {x 2 Z
n
| GCD(x,n) =1}
Define +
n
and *
n
:
a +
n
b = (a+b mod n) a *
n
b = (a*b mod n)
c *
n
( a +
n
b)
n
(c *
n
a) +
n
(c*
n
b)
<Z
n
, +
n
>
1. Closed
2. Associative
3. 0 is identity
4. Additive Inverses
5. Cancellation
6. Commutative
<Z
n
*
, *
n
>
1. Closed
2. Associative
3. 1 is identity
4. Multiplicative Inverses
5. Cancellation
6. Commutative
Fundamental Lemmas until now
For x, y, a, b in Z
n
, (x
n
y) and (a
n
b).
Then
1) x + a
n
y + b
2) x - a
n
y - b
3) x * a
n
y * b
For a,b,c in Z
n
*
then ca
n
cb ) a
n
b
Fundamental lemma of powers?
If (a
n
b)
Then x
a
n
x
b
?
NO!
(2
3
5) , but it is not the case
that: 2
2
3
2
5
By the permutation property, two
names for the same set:
Z
n
*
= aZ
n
*
where
aZ
n
*
= {a *
n
x | x 2 Z
n
*
}, a 2 Z
n
*
* 1 2 3 4
1 1 2 3 4
2 2 4 1 3
a 3 1 4 2
4 4 3 2 1
Example:
Z
5
*
Two products on the same set:
Z
n
*
= aZ
n
*
aZ
n
*
= {a *
n
x | x 2 Z
n
*
}, a 2 Z
n
*
[ x
n
H ax [as x ranges over Z
n
*
]
[x
n
[ x (a
size of Zn*
) [Commutativity]
1 = a
size of Zn*
[Cancellation]
a
u(n)
= 1
Eulers Theorem
a2 Z
n
*
, a
u(n)
n
1
Fermats Little Theorem
p prime, a2 Z
p
*
) a
p-1
p
1
Fundamental lemma of powers.
Suppose x2 Z
n
*
, and a,b,n are naturals.
If a
u(n)
b Then x
a
n
x
b
Equivalently,
x
a mod u(n)
n
x
b mod u(n)
How do you calculate
2
4444444441
mod 5
Fundamental lemma of
powers.
Suppose x2 Z
n
*
, and a,b,n
are naturals.
If a
u(n)
b Then x
a
n
x
b
Equivalently,
x
a mod u(n)
n
x
b mod u(n)
x
a
(mod n) = x
a mod u(n)
(mod n)
Defining negative powers
Suppose x 2 Z
n
*
, and a,n are naturals.
x
-a
is defined to be the multiplicative inverse
of x
a
x
-a
= (x
a
)
-1
Rule of integer exponents
Suppose x,y2 Z
n
*
, and a,b are integers.
(xy)
-1
n
x
-1
y
-1
X
a
X
b
n
X
a+b
Z
n
= {0, 1, 2, , n-1}
Z
n
*
= {x 2 Z
n
| GCD(x,n) =1}
Quick raising to power.
<Z
n
, +
n
>
1. Closed
2. Associative
3. 0 is identity
4. Additive Inverses
Fast + and -
5. Cancellation
6. Commutative
<Z
n
*
, *
n
>
1. Closed
2. Associative
3. 1 is identity
4. Multiplicative Inverses
Fast * and /
5. Cancellation
6. Commutative
Fundamental lemma of powers.
Suppose x2 Z
n
*
, and a,b,n are naturals.
If a
u(n)
b Then x
a
n
x
b
Equivalently,
x
a mod u(n)
n
x
b mod u(n)
Euler Phi Function
u(n) = size of Z
n
*
p prime ) Z
p
*
= {1,2,3,,p-1}
) |(p) = p-1
|(pq) = (p-1)(q-1)
if p,q distinct primes
The RSA Cryptosystem
Rivest, Shamir, and Adelman (1978)
RSA is one of the most used
cryptographic protocols on the net. Your
browser uses it to establish a secure
session with a site.
Back to our dramatis personae
Rivest
Shamir Adleman
Euler
Fermat
The RSA Cryptosystem
Rivest, Shamir, and Adelman (1978)
RSA is one of the most used
cryptographic protocols on the net. Your
browser uses it to establish a secure
session with a site.
Pick secret, random large primes: p,q
Publish: n = p*q
|(n) = |(p) |(q) = (p-1)*(q-1)
Pick random e e Z
*
|(n)
Publish: e
Compute d = inverse of e in Z
*
|(n)
Hence, e*d = 1 [ mod |(n) ]
Private Key: d
n,e is my
public key.
Use it to
send me a
message.
p,q random primes, e random e Z
*
|(n)
n = p*q
e*d = 1 [ mod |(n) ]
n,
e
p,q prime, e random e Z
*
|(n)
n = p*q
e*d = 1 [ mod |(n) ]
messag
e m
m
e
[mod n]
(m
e
)
d
n
m