Topic - 18

Quantum Computing and Information


RSA Algorithm
Dipan Kumar Ghosh
Indian Institute of Technology Bombay
Powai, Mumbai 400076
April 15, 2017

1 Introduction
Cryptography is the means of encrypting a message (known as plain text) by using a
code to convert it to a cipher text and transmitting the same over a public channel to an
intended recipient. At the receiving end, the receiver decrypts it to reconvert it to the
plain text.
Modern cryptography has four essential elements. The first and foremost is privacy of
data, i.e. the content of the data cannot be understood by anyone other than the person
or body for whom the message is intended. The second element is data integrity implying
that the information should not get altered during transit over a channel which may or
may not be secure. Over a public channel it may be safely assumed that the data may
be intercepted and/or altered by a person with mala fide intention. If this happens, the
sender and the receiver of the message should be aware of the possibility and take steps
to minimize it. The third element is non-repudiation which means that the
sender should not be able to disown the fact of having sent such a message to the receiver
and the receiver should not be in a position to deny having received the same. The final
element of this process is authentication by which the sender and the receiver must be
able to confirm each other’s identity.
To achieve these, a set of procedures and protocols are established, which is given the
collective name of cryptography. Historically, codes and ciphers have existed from time
immemorial for communication with the armed forces or for communication between
lovers avoiding prying eyes and ears of nosy relatives and friends. Julius Caesar is known
to have used a simple code to communicate with his forces during the Gallic wars. Queen
Elizabeth I is reputed to have established a section for inventing and breaking codes.
It is believed that the breaking of such a code in a letter written by her incarcerated cousin
Mary, Queen of Scots, was used by Elizabeth to order the execution of Mary.

© D. K. Ghosh, IIT Bombay


There are two points that have to be appreciated in connection with the protocols. Firstly,
it is not necessary that the content of a message must remain a secret for ever. The
duration of secrecy is determined by the security needs of the problem. For instance,
for a secured communication over the internet for a financial transaction one needs that
the instruction to the bank should not be broken during the time the transaction is being
made. The second point is that even though the data may be sent as ciphers over an insecure
channel, initially a protocol needs to be established over a secured channel.
Ideally, a code can be said to be perfectly secure if one cannot get information about the
plain text from the cipher text except by one who has a knowledge of the code. It may be
remarked that no code is really unbreakable; given enough time every code can be broken.
The closest example of an unbreakable code is the Vernam cipher or one-time pad. As
the name suggests, the code can be used once, and only once, so that no conclusion can
be reached about the code from any repetitive pattern. From a more pedantic version of the
pad, in which the sender and the receiver agree to use the word sequence in a mutually
agreed book to establish a code, a more modern version consists of using a random
sequence of binary digits as the code. For instance, suppose the plain text $P$ is a string
of binary digits $P_1, P_2, \ldots, P_n$ and the secret key $K$ is a random sequence of binary digits
$K_1, K_2, \ldots, K_n$; one can define the cipher text $C$ to be given by $C_1, C_2, \ldots, C_n$ where

$C_i = P_i \oplus K_i$

where $\oplus$ stands for addition modulo 2 for each $i$, as seen below

P  1001 1101 1010 1101
K  1100 1010 0110 1111
C  0101 0111 1100 0010

The plain text can be recovered from the cipher text by the inverse process $P = C \oplus K$.
The code is practically unbreakable, if used only once. However, if one uses it a second
time, say for a plain text $Q$ to get cipher text $R$, the code can be broken, as then we have
$C \oplus R = P \oplus Q$, and plain texts usually have enough redundancy to enable one to
break it with this additional information.
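The pad operation on the bit strings of the table above, together with the $C \oplus R = P \oplus Q$ relation that makes pad reuse a defect to guard against. This is an added example written for this page, not code from the notes; the function names and the second message $Q$ are constructed here.

```python
# Added example (not from the lecture notes): the Vernam cipher on the notes' own bit
# strings, and the C xor R = P xor Q leak that appears when a pad is used twice.


def xor_bits(x, y):
    """Bitwise addition modulo 2 of two equal-length strings of '0'/'1'."""
    if len(x) != len(y):
        raise ValueError("the pad must be exactly as long as the message")
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def otp_encrypt(plain_bits, key_bits):
    """C_i = P_i xor K_i."""
    return xor_bits(plain_bits, key_bits)


def otp_decrypt(cipher_bits, key_bits):
    """P = C xor K: the same operation, since xor is its own inverse."""
    return xor_bits(cipher_bits, key_bits)


def reuse_leak(c1, c2):
    """Two ciphertexts under the same pad: xoring them cancels K and leaves P xor Q,
    which is why a one-time pad must never be reused."""
    return xor_bits(c1, c2)


# Values from the table in the notes (spaces removed); Q is a constructed second message.
P = "1001110110101101"
K = "1100101001101111"
Q = "0000111100001111"
```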

The RSA crypto-system was developed in 1977 by Ron Rivest, Adi Shamir and Leonard
Adleman of MIT. The cryptosystem uses public key encryption for securing and
transmitting sensitive data over the internet. The public key is linked to a private decryption
key which is only known to the person who receives the message. It also enables
one to authenticate the sender's identity to the receiver. RSA uses what is known as a
trap-door function $f$, which is defined as a function having two characteristics. The
function $f$ is easy to compute, i.e., it can be computed in polynomial time. However, the
inverse function $f^{-1}$ cannot be computed easily from a knowledge of $f$, or vice versa.
The name trapdoor function has its origin in the fact that it is easy to fall through a trap
door but is not easy to climb back to where one dropped from. (A closely related function
is a hash function, which is almost impossible to invert.) In RSA the trap-door function is
multiplication of two large prime numbers, which is obviously easy to compute. However,
given the product, there is no known algorithm which can achieve prime factorization in
polynomial time. Euclid's algorithm for factorization (given in the Appendix below)
requires of the order of $\sqrt{N}$ steps.
In deriving the encryption and decryption we would need a few theorems from number theory.
Fermat's Little Theorem:
For any prime number $p$ and any integer $a \in \mathbb{Z}$ such that $a \not\equiv 0 \pmod p$, i.e. $p$ does not
divide $a$,

$a^{p-1} \equiv 1 \pmod p$

Consider a set $S$ with elements $1, 2, 3, \ldots, (p-1)$. Let $r$ and $s$ be some integers in $S$, i.e.,
in the range $1, 2, \ldots, (p-1)$. Suppose $ra \equiv sa \pmod p$. Thus $(r-s)a = kp$ for some
integer $k$. Since $p$ does not divide $a$, it must divide $r-s$, so that $r \equiv s \pmod p$. However,
since both $r$ and $s$ are less than $p$, this implies that $r = s$. Thus if we multiply each element
of $S$ by $a$, we generate a sequence $S'$ with elements

$S' = a \cdot 1, a \cdot 2, a \cdot 3, \ldots, a \cdot (p-1)$

No two elements of the above sequence can be the same modulo $p$, as we have multiplied $a$ by
different integers. It follows that the elements of $S'$, mod $p$, must be identical to those of
$S$, though they may be differently ordered. Hence

$S = aS \pmod p$

We thus have

$1 \cdot 2 \cdot 3 \cdots (p-1) \equiv (a \cdot 1)(a \cdot 2)(a \cdot 3) \cdots (a \cdot (p-1)) \pmod p$

$\equiv a^{p-1} \, (1 \cdot 2 \cdot 3 \cdots (p-1)) \pmod p$

which, since $(p-1)!$ is not divisible by $p$ and can be cancelled from both sides, implies

$a^{p-1} \equiv 1 \pmod p \qquad (1)$
Euler's Theorem:
We define Euler's totient function $\phi(n)$ corresponding to any positive integer $n$ as
the number of integers less than $n$ which are relatively prime to $n$, i.e. which do not
have any common factor with $n$. The number 1 is counted as a member of this set. For
instance, corresponding to the number 18, the integers which do not have common factors
with 18 are 1, 5, 7, 11, 13 and 17, so that $\phi(18) = 6$. Euler's theorem states that for any
positive integer $m$, and an integer $a$ such that $a$ is coprime with $m$, we have

$a^{\phi(m)} \equiv 1 \pmod m$

The proof of Euler's theorem is similar to that given for Fermat's Little theorem. Consider
the set of all numbers less than $m$ which are co-prime to $m$. By definition of the totient
function, there are $\phi(m)$ of them:

$S = \{b_1 = 1, b_2, \ldots, b_{\phi(m)}\}$

where $b_1 < b_2 < \ldots < b_{\phi(m)}$. (Note that if $m$ is a prime, the numbers are simply
$1, 2, \ldots, (m-1)$.) If we multiply the elements of $S$ by $a$, we get a set $S'$ whose
elements, modulo $m$, are the same as those of $S$, by an argument parallel to that given for
Fermat's theorem. Thus the product of the elements of $aS$, which is $a^{\phi(m)}$ times the
product of the elements of $S$, is congruent modulo $m$ to the product of the elements of $S$, which gives

$a^{\phi(m)} \equiv 1 \pmod m \qquad (2)$
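The permutation argument used in both proofs above (multiplying the residues coprime to $m$ by $a$ only reorders them), checked numerically on the notes' own numbers $p = 7$ and $m = 18$. This is an added example written for this page, not code from the notes; the function names are chosen here.

```python
# Added example (not from the lecture notes): the set S of residues coprime to m,
# the reordered set aS mod m, and the resulting a^phi(m) == 1 (mod m).
from math import gcd


def coprime_residues(m):
    """S = the integers in 1..m-1 coprime to m; the notes count 1 as a member."""
    return [b for b in range(1, m) if gcd(b, m) == 1]


def phi(m):
    """Euler's totient, by direct count (fine for the small m used in the notes)."""
    return len(coprime_residues(m))


def multiply_set(a, m):
    """aS mod m, sorted so it can be compared with S as a set."""
    return sorted((a * b) % m for b in coprime_residues(m))


def permutes(a, m):
    """The proof's claim: for a coprime to m, aS mod m is S again, reordered."""
    return gcd(a, m) == 1 and multiply_set(a, m) == coprime_residues(m)


def euler_holds(a, m):
    """a^phi(m) == 1 (mod m); for prime m this is Fermat's Little Theorem."""
    return pow(a, phi(m), m) == 1
```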

Chinese Remainder Theorem:

If a set of integers $m_1, m_2, \ldots, m_k$ are pairwise relatively prime (i.e., no pair of them has any
common factor) and $a_1, a_2, \ldots, a_k$ are integers, then the system of congruences

$x \equiv a_i \pmod{m_i}$ for $1 \le i \le k$

has a unique solution mod $M = m_1 \cdot m_2 \cdots m_k$ and the solution is given by

$x = \sum_{i=1}^{k} a_i M_i y_i$

where $M_i = M/m_i$ and $y_i = M_i^{-1} \bmod m_i$.

Before giving a formal proof we will illustrate the theorem with an example. Consider
the system of congruences

$x \equiv 5 \pmod 7$
$x \equiv 3 \pmod{11}$
$x \equiv 10 \pmod{13}$

According to the Chinese remainder theorem, this set of congruences has a unique solution,
which can be obtained as follows. First we calculate $M = 7 \times 11 \times 13 = 1001$. The final
solution will consist of a sum of three terms, mod 1001. To obtain each term, we calculate
$M_1$, $M_2$ and $M_3$:

$M_1 = 11 \times 13 = 143$
$M_2 = 7 \times 13 = 91$
$M_3 = 7 \times 11 = 77$

We then calculate $y_1$, $y_2$ and $y_3$.

$y_1 = M_1^{-1} \bmod m_1 = 143^{-1} \bmod 7$

The solution for $y_1$ is given by

$143\, y_1 \equiv 1 \pmod 7$

which gives $y_1 = 5$. One can, in a similar fashion, obtain $y_2 = 4$ and $y_3 = -1$. The unique
solution of the set of congruences is then

$x = a_1 M_1 y_1 + a_2 M_2 y_2 + a_3 M_3 y_3$
$= 5 \cdot 143 \cdot 5 + 3 \cdot 91 \cdot 4 + 10 \cdot 77 \cdot (-1) = 3897$

As the solution is modulo 1001, the final solution is $x \equiv 894 \pmod{1001}$. The formal proof
of the theorem is obvious. Note that $M_i = M/m_i = \prod_{j \ne i} m_j$. Thus $\gcd(M_i, m_i) = 1$. By
the Extended Euclid's algorithm, this implies we can find an integer $y_i$ such that

$M_i y_i \equiv 1 \pmod{m_i} \qquad (3)$

Note that, if we have $k$ congruences,

$x = a_1 M_1 y_1 + a_2 M_2 y_2 + \ldots + a_k M_k y_k$

satisfies each of them. This is because the $i$-th congruence is given modulo $m_i$,
so that in the above sum each term other than the $i$-th has $m_i$ as a factor through the
definition of $M_j$ ($j \ne i$), as a result of which each such term is zero modulo $m_i$. For the $i$-th
term we have $x \equiv a_i M_i y_i$, which equals $a_i$ modulo $m_i$ by virtue of (3).
It is easy to show that the solution is unique. Suppose $x_0$ and $x_0'$ are two solutions of the
system

$x \equiv a_i \pmod{m_i} \quad \forall\, i = 1, 2, \ldots, k$

Each $m_i$ then divides $x_0 - x_0'$. However, each pair $m_i$ and $m_j$ are coprime. Thus we
must have

$x_0 - x_0' = m_1 N_1$
$x_0 - x_0' = m_2 N_2$
$\ldots$
$x_0 - x_0' = m_k N_k$

where $N_1, N_2, \ldots$ are integers. This implies $x_0 - x_0' \equiv 0 \pmod{m_1 m_2 \ldots m_k}$, i.e.

$x_0 \equiv x_0' \pmod M$.
RSA Encryption and Decryption
Consider two primes $p$ and $q$, whose product $N$ is easily computable and is publicly known,
though $p$ and $q$ remain private to the receiver (Bob). Note that Euler's totient function $\phi$
for $p$ is $p-1$ and for $q$ is $q-1$, since, these being primes, each number less than $p$ is coprime
with $p$ and likewise for $q$. The totient function for $N = pq$ is $\phi(N) = (p-1)(q-1)$
because each multiple of $p$ and of $q$ has to be subtracted from $N-1$ to get $\phi(N)$, and there
are $(p-1)$ multiples of $q$ less than $N$ and $(q-1)$ multiples of $p$ which are less than $N$.
Thus the totient function of $N$ is

$\phi(N) = (N-1) - [(p-1) + (q-1)] = pq - p - q + 1 = (p-1)(q-1)$

[Example: $N = 35 = 7 \times 5$. $\phi(7) = 6$ and $\phi(5) = 4$. Between 1 and 34, there are 4
multiples of 7 and 6 multiples of 5, i.e. a total of 10 numbers which are not coprime to 35.
Hence $\phi(35) = 34 - 10 = 24 = (7-1)(5-1)$.]
For encryption, we choose a number $e$ which is coprime with $\phi(N)$, i.e. with $(p-1)(q-1)$.
Note that since $p$ and $q$ are known only to Bob, without factorizing $N$ (which is hard),
no one else can find $\phi(N)$. According to Euler's theorem, if we choose $e$ to be coprime
with $\phi(N)$, we have, by definition of coprimes,

$\gcd(e, \phi(N)) = 1$
Once $e$ is chosen, Bob can publish $(e, N)$ as his public code and any sender, such as Alice,
will then have to encode the message $m$ which she wishes to send to Bob by this encoder
$e$, i.e. compute the cipher $c$ corresponding to $m$ as

$c = m^e \pmod N$

Bob also computes the decoder $d$ which satisfies

$ed \equiv 1 \pmod{\phi(N)}$

which implies $ed = k\phi(N) + 1$ for some integer $k$. Note once again that only Bob has a knowledge of $\phi(N)$
and he can easily find such a $d$. Since, for any $m$, we must get back the original $m$ from
$c$ by raising $c$ to the power $d$, we must have

$c^d = m^{ed} \equiv m \pmod N$

or, equivalently, for $m$ coprime with $N$,

$m^{ed-1} \equiv 1 \implies m^{k\phi(N)} \equiv 1$

Let us rewrite the above condition as

$\left(m^{k(p-1)}\right)^{(q-1)} \equiv 1$

We have two cases. If $m$ is not a multiple of $q$, we have by Fermat's little theorem

$\left(m^{k(p-1)}\right)^{(q-1)} \equiv 1 \pmod q$

so that $m^{ed} \equiv m \pmod q$. Suppose, on the other hand, $m$ is a multiple of $q$; then both
$m^{ed}$ and $m$ are zero modulo $q$, and again $m^{ed} \equiv m \pmod q$. By interchanging
$p$ and $q$ and using a parallel argument, we have

$\left(m^{k(q-1)}\right)^{(p-1)} \equiv 1 \pmod p$

if $p$ does not divide $m$, and in either case $m^{ed} \equiv m \pmod p$. Since $p$ and $q$ are distinct primes, we
have $m^{ed} \equiv m \pmod N$. We have shown that $x \equiv (m^e)^d \equiv m \pmod p$ and $x \equiv (m^e)^d \equiv
m \pmod q$. By the Chinese remainder theorem, the solution modulo $N$ is unique.
Example:
Let $p = 11$ and $q = 3$, so that $N = 33$. We have $(p-1)(q-1) = 10 \times 2 = 20$. We choose
$e = 7$, which is coprime with $(p-1)(q-1)$. The pair $(e, N) = (7, 33)$ is public. The
decryption exponent is obtained from $ed \equiv 1 \pmod{20}$, which gives $d = 3$.
Let us use it to encrypt $m = 6$. We have

$c = m^e \bmod 33 = 6^7 \bmod 33 = 30$

To decrypt $c = 30$, we use $d = 3$. We have

$c^d = 30^3 \bmod 33 = (-3)^3 \bmod 33 = -27 \bmod 33 = 6$

which is what we started with.

APPENDIX

Euclid's Algorithm:
Euclid's algorithm calculates the greatest common divisor (gcd) of two numbers $a$ and $b$.
Note that the greatest common divisor, by definition, is the greatest number which is a
factor of both $a$ and $b$. The algorithm is based on two observations. Let $b < a$.

1. If $b$ divides $a$ then $\gcd(a, b) = b$, because $b$ is the largest factor of itself.

2. If $b$ does not divide $a$, then let us divide $a$ by $b$ with $q$ as the quotient and $r$ as the
remainder: $a = qb + r$. Clearly, a common factor of $a$ and $b$ will also be a common
factor of $r$ with $b$. Thus $\gcd(a, b) = \gcd(b, r)$.

Euclid's algorithm uses the above to devise a procedure of repeated division till the
division terminates. An example will illustrate the process. Consider the gcd of 35 with
84.

$84 = 35 \times 2 + 14$    $\gcd(84, 35) = \gcd(35, 14)$
$35 = 14 \times 2 + 7$     $\gcd(35, 14) = \gcd(14, 7)$
$14 = 7 \times 2$          $\gcd(14, 7) = 7$
Yet another example: consider the gcd of 958 and 35. The successive long divisions give
the quotients $q_1 = 27$, $q_2 = 2$, $q_3 = 1$, $q_4 = 2$, $q_5 = 4$ and the remainders 13, 9, 4, 1, 0,
the last non-zero remainder being the GCD.
Euclid's algorithm starts by defining $r_0 = a$ and $r_1 = b$. We define the successive long
divisions by the recursive formula

$r_{i+1} = r_{i-1} - q_i r_i$

where $q_i$ is the quotient of $r_{i-1}$ divided by $r_i$. The algorithm ends when $r_n = 0$. The GCD is given by $r_{n-1}$. In the above example

$r_0 = a = 958$
$r_1 = b = 35$
$r_2 = 958 - 27 \times 35 = 13$
$r_3 = 35 - 2 \times 13 = 9$
$r_4 = 13 - 1 \times 9 = 4$
$r_5 = 9 - 2 \times 4 = 1$

The algorithm ends in the next step, giving $r_6 = 0$, so that the gcd is $r_5 = 1$.
Corollary: Extended Euclid's Algorithm
For two integers $a$ and $b$, one can always find two integers $x$ and $y$ such that $ax + by =
\gcd(a, b)$, i.e. $ax \equiv \gcd(a, b) \pmod b$. (The proof of this is found in any algebra text book.
Though the pair $x$ and $y$ may not be unique, written in the second form, i.e. in terms of
mod $b$, the integer $x$ is unique.)
The algorithm works the same way as Euclid's algorithm. However, we run the sequence
backward to get the gcd of $a$ and $b$ in terms of $a$ and $b$. In the example above, the gcd is
$r_5 = 1$. We can write

$r_5 = 1 = 9 - 2 \times 4$
$= 9 - 2 \times (13 - 1 \times 9) = 3 \times 9 - 2 \times 13$
$= 3 \times (35 - 2 \times 13) - 2 \times 13 = 3 \times 35 - 8 \times 13$
$= 3 \times 35 - 8 \times (958 - 27 \times 35)$
$= -8 \times 958 + 219 \times 35$
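The computations of the Chinese Remainder Theorem section, the RSA Example, and the Euclid and Extended Euclid appendix, run on the notes' own numbers: the remainder chain for 958 and 35, the coefficients $-8$ and $219$, the inverses $y_1, y_2, y_3$ and the solution 894, and the key $(N, e, d) = (33, 7, 3)$ with $6 \mapsto 30 \mapsto 6$. This is an added example written for this page, not code from the notes; the function names are chosen here, and the parameters are toy-sized.

```python
# Added example (not from the lecture notes): the number theory the notes use, run on
# the notes' own numbers. Toy-sized parameters only: a real RSA key uses primes of
# hundreds of digits plus a padding scheme, so none of this is usable as a crypto library.
from math import gcd


def euclid_chain(a, b):
    """Euclid's algorithm as the notes present it: r0 = a, r1 = b and
    r_{i+1} = r_{i-1} - q_i r_i until a remainder of 0; returns all r_i.
    The gcd is the last non-zero remainder."""
    r = [a, b]
    while r[-1] != 0:
        q = r[-2] // r[-1]
        r.append(r[-2] - q * r[-1])
    return r


def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b),
    obtained by running the chain of divisions backward."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(a, m):
    """The unique x in 0..m-1 with a*x == 1 (mod m); exists only if gcd(a, m) == 1.
    This is y_i = M_i^{-1} mod m_i in the CRT and d = e^{-1} mod phi(N) in RSA."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def crt(residues, moduli):
    """Chinese remainder theorem: x = sum_i a_i * M_i * y_i (mod M), M = prod m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        x += a_i * M_i * modinv(M_i, m_i)
    return x % M


def rsa_keygen(p, q, e):
    """Toy RSA key from two primes and a chosen public exponent e: returns (N, e, d)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(N)")
    return p * q, e, modinv(e, phi)


def rsa_apply(x, exponent, N):
    """c = m^e mod N for encryption, m = c^d mod N for decryption
    (pow with three arguments is modular exponentiation)."""
    return pow(x, exponent, N)


def rsa_roundtrips_all(N, e, d):
    """The two-case argument in the notes says decryption recovers m even when p or q
    divides m; check it for every residue modulo N."""
    return all(rsa_apply(rsa_apply(m, e, N), d, N) == m for m in range(N))
```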
