Spring 2025

Prof. Dr. Hasan F. ATEŞ

Özyeğin University, İstanbul, Turkey
[email protected]
Integers, Divisors, and Primes & Cryptography

Chapter’s Goal: Overview:

• introduce cryptography • cryptography
• properties of primes • commitment
• public/private keys • prime factorization
• congruence • how to find primes?
• number of primes • testing for primes
• public key cryptography
• congruence
• Euler’s algorithm
• applications

2
 Cryptography
want to send a secret message…
Plaintext
Hello world! Hello world!

Ciphertext
Encrypt $%kon*e34()\\& Decrypt
key

(shared secret)
 Example: Substitution code
Replace each symbol in the plain text by another
one, e.g.
instead of
a b c d e f g h i j k l mn o p q r s t u v wx y z
c f x z u g l j p q man vt h e b y w s r o ki dc

use

hello world ⇒juaatcotbaz key

Key exchange
How do we “break” substitution code?
If spaces are left intact, may use word lengths and
locations (syntax)
Otherwise, may start with letter frequencies…
Another example: One-time pads
1. Convert the plaintext message into binary
• may use any mapping, e.g., convert the alphabetical
sequence number of each letter to binary, and pad with
zeros to obtain a fixed length binary number, e.g.,
o “a” is the first letter, so its sequence number is 1, which
is 1 in binary as well
o if we use 5 bits for each character, “a” gets represented
by 00001, and “b” by 00010, etc.
• use standards, e.g. ASCII or Unicode
 ASCII Codes

So, we can represent the plaintext: “hello world” as the number:

h e l l o w o r l d
104 101 108 108 111 032 119 111 114 108 100 or the binary number:
h e l l o w o r l d
01101000 01100101 01101100 01101100 01101111 00100000 01110111 01101111 01110010 01101100 01100100
Another example: One-time pads
To encrypt:
1. Convert the plaintext message into binary

2. Create a random sequence of bits, this is your one-time pad,

and also your key

3. Take a bit-by-bit exclusive-OR of the binary message and the

one-time pad, this is your ciphertext

To decrypt (decipher):
4. XOR the ciphertext with the one-time pad again.
(Based on: a ⊕ (x ⊕ x) = a ⊕ 0 = a, ∀a)
Another example: One-time pads
Plaintext Message: MONDAY
• Convert the plaintext message into binary
Let’s use ASCII: M: 077, O: 079, N: 078, D: 068, A: 065, Y: 089
Binary: 01001101 01001111 01001110 01000100 01000001 01011001

• Create a random sequence of bits, this is your one-time pad, and also
your key
Key: 11000001 00010010 01111111 00000001 01000101 11110000

• Take a bit-by-bit exclusive-OR of the binary message and the one-time

pad, this is your ciphertext
Ciphertext: 10001100 …

• To decipher, XOR the ciphertext with the one-time pad again

Do it yourself!
Last move in chess
Alice and Bob playing on-line chess.

They want to stop and restart later,

• but they don’t want to give an advantage to

the one who will make the first move when
they restart.

What can they do?

Last move in chess
First, convert the move into a number (e.g., c4c5
can simply be converted into a 12-digit number
with ASCII.)
then, create two prime numbers, p & q,
• the first prime, p, contains the move as its
first digits
• choose the second one, q, as a one digit
longer prime.

Multiply p and q, N = p⋅q, send N.

Can Alice change her move after sending N?

YES NO

NO

The number N contains all the information about

her move. It is in the first (e.g., 12-digits) of the
smaller prime factor of N.
Prime Factorization
Fundamental Theorem of Arithmetic:

Every positive integer can be written as the

product of primes, and this factorization is unique
up to the order of the prime factors.

Therefore, p & q are the unique prime factors of N.

Can Bob recover Alice’s move from N?

YES NO

Yes!

But, he needs to find the prime factors of a very

large number N which is the product of two very
large primes of similar size.
How do we find prime factors of N?
CandidatePrimeFactor = 2

1 if CandidatePrimeFactor | N
CandidatePrimeFactor is a prime factor of N
N ← (N / CandidatePrimeFactor)
Go to 1
else
CandidatePrimeFactor = next prime
if(CandidatePrimeFactor*CandidatePrimeFactor) > N
Done
else Go to 1

For very large numbers, a hopelessly difficult task with the current technology!
How to test for primes?
def divides(d,n):
return(n%d == 0)

def LD(n):
for i in range(2,n+1):
if divides(i,n):
return i

def primes0(n):
if n<1:
return "error"
elif n==1:
return False
else:
return (LD(n)==n)
How to test for primes?
import math

def LDP(n):
for i in range(2,int(math.sqrt(n)+1)):
if primes0v2(i) and divides(i,n):
return i
return -1
finds the smallest prime that divides n

def primes0v2(n):
if n<1:
return "error"
elif n==1:
return False
else:
return (LDP(n)==-1)
or, may use sieve to generate primes…
def mark(xl, k, m):
if len(xl)==0:
return []
if k==m:
return [0]+mark(xl[1:],1,m)
else:
return [xl[0]]+mark(xl[1:],k+1,m)

def sieve(xl):
if len(xl)==0:
return []
if xl[0]==0:
return sieve(xl[1:])

return [xl[0]]+sieve(mark(xl[1:],1,xl[0]))
Another application: finding twin primes
listPrimes = list(filter(lambda x: primes0v2(x),
range(2,100)))

def primePairs(listPrimes):
list_twins = []

for i in range(len(listPrimes)-1):
if listPrimes[i+1] == listPrimes[i]+2:

list_twins.append((listPrimes[i],listPrimes[i+1]))

return list_twins

primePairs(listPrimes)
>> [(3, 5), (5, 7), (11, 13), (17, 19), (29, 31), (41, 43),
(59, 61), (71, 73)]
How do we find prime factors of N?
def factors(n):
if n<1:
return "argument not positive"
elif n==1:
return []

p = LDP(n)
if p==-1:
p = n

return [p]+factors(n//p)

Try with; e.g., Mersenne primes: 2^n – 1 (n = 17, 19, 31, 61,
89, ...)
How do we find prime factors of N?
• Products of two large primes of similar size are the most difficult integers to
factor in practice using the existing algorithms

• There used to be a $200,000 prize for factoring RSA-2048, a 2048 bit (617
decimal digits) number!

• The previous largest such semiprime factored was RSA-768, a 768-bit

number with 232 decimal digits, on December 12, 2009

• This factorization was a collaboration of several research institutions,

spanning two years and taking the equivalent of almost 2000 years of
computing on a single-core 2.2 GHz AMD Opteron.

• The factorization was completed with a highly optimized implementation of

the general number field sieve algorithm run on hundreds of machines.

• In February 2020, RSA-250 was factored by the same team.

RSA-240 (240 digits)
12462036678171878406583504460810659043482037465
16788057548187888832896668011882108550360395702
72508747509864768438458621054865537970253930571
89121768431828636284694840530161441643046806687
56994152469931857041830305125495943713721590292
36099
=
50943595228583991455505102358084371413264838202
41114731866602965218212064697467006203164434788
73837606252372049619334517
*
24462420883831815056781313902400289665380209257
89314014520412213365584770951781552582188977350
30590669041302045908071447
RSA-2048 (617 digits)
25195908475657893494027183240048398571429282126
20403202777713783604366202070759555626401852588
07844069182906412495150821892985591491761845028
08489120072844992687392807287776735971418347270
26189637501497182469116507761337985909570009733
04597488084284017974291006424586918171951187461
21515172654632282216869987549182422433637259085
14186546204357679842338718477444792073993423658
48238242811981638150106748104516603773060562016
19676256133844143603833904414952634432190114657
54445417842402092461651572335077870774981712577
24679629263863563732899121548314381678998850404
45364023527381951378636564391212010397122822120
720357
Last move in chess
Alice converts her next move into a number

then, creates two prime numbers, p & q,

• the first prime, p, contains the move as its
first digits
• the second one, q, must be one digit longer
than p

then, multiplies p and q, N = p⋅q, and sends N to

Bob.
Can Bob recover Alice’s move from N?
Yes!

But, he needs to find the prime factors of a very

large number N which is the product of two very
large primes of similar size.

And, this takes a long time and large computing

power!
Can Alice change her move after sending N?
No.

The number N contains all the information about

her move. It is in the first four digits of the smaller
prime factor of N.
&&
Fundamental Theorem of Arithmetic:
Every positive integer can be written as the
product of primes, and this factorization is unique
up to the order of the prime factors.
Can Alice cheat?
• Can she try to send a different pair, (p’,q’) next
morning?
• No! Bob can easily multiply p’ and q’ and see
that p’⋅q’ ≠ N
• Why?
• Fundamental Theorem of Arithmetic
Complexity “Safe Deposit Box”

p × q =N
3564640… × 7523088…

data

“safe deposit box”

What about using a one-time pad instead?
Alice suggests that instead of using the prime numbers
technique, she can encrypt her move (perhaps with other
text added) using the one-time pad method, and send this
to Bob in the evening.

Next morning, she can send the key to Bob so that he can
decrypt the message and see the move.

Should Bob accept this proposition?

YES NO
 Verify a password without knowing it!

p|N?
p passwords
database
N
Yes/No

gets stored
When establishing an account:
Select large primes p and q and compute N
p⋅q=N knowing only N, it is
hard to determine p…
password given to the machine
only the customer knows
erased
How to find the primes?
We know that there are arbitrarily large primes.
How many 200 digit primes?
Remember: the number of primes between 1 and n is:
n
π(n) ∼ so,
ln(n)
10 200
10199
–
____________________
≈ 1.95 ⋅10197
200ln10 199ln10
Compare with all 200 digit integers: 10200 – 10199 = 9⋅10199

9⋅ 10 199
≈ 460 thus, among 200 digit integers
_____________

1.95 ⋅10 approximately one in every 460 is prime!

197
How to find the primes?
How do find a 200 digits prime starting with 1167?

• Fill the remaining 196 numbers randomly.

• Test if the number is prime

If not, do it again with another set of random numbers.

…
In approximately 460 trials, a prime can be found!

How to test for primes?

 Fermat’s Little Theorem

If p is prime and a is an integer, then p | (ap – a)

Fermat’s Little Theorem

Lemma: if p is prime and 0 < k < p, then p |

Proof:
p(p-1)(p-2)…(p-k+1)
= _________________________
k(k-1)(k-2)…1

p divides the numerator, but not the denominator, so it

divides the ratio.
Proof of Fermat’s Theorem by Induction
If p is prime and a is an integer, then p | ap – a

Proof:
Base Case: a = 0, trivial.
Assume that p | ap – a, (true for a, have to show that true for (a + 1) also)

(a + 1)p = ap + ap -1 +…+ a+1

subtracting (a + 1) from both sides of the equation:

(a + 1)p – (a + 1) = ap + ap -1 +…+ a + 1 – (a + 1)

= (ap – a) + ap-1 + … + a

The first term is divisible by p by the induction hypothesis.

All other terms are divisible by p by the lemma.
thus, it is true for a +1, completing the proof.
Fermat’s test for prime numbers

For a = 2, check if: p | 2p – 2

Since, except for p = 2, all primes are odd, we may as well

test if:
p | 2p-1 – 1

Reason: 2p – 2 = 2 ⋅ (2p-1 – 1) and p is odd,

thus, in order to divide 2p – 2, p must divide 2p-1 – 1.
How to compute large powers?
Computing e.g., 2100 requires a large number of steps.

However, we can use successive squaring to cut these steps.

For example:
22 = 4
(22)2 = 24 = 16
(24)2 = 28 = 256
(28)2 = 216 = 65536
(216)2 = 232 = 4294967296
(232)2 = 264 = 18446744073709551616

264⋅232⋅24 = 2100 in 7 steps.

How to avoid large numbers?
Dealing with numbers having very large number of digits
may be problematic.

While computing e.g., 25 | 224 – 1, instead of computing 224

first, we can use the remainders from division by 25.

As before,
22 = 4
(22)2 = 24 = 16
(24)2= 28 = 256, but at this point we can
divide 256 by 25 and use the remainder 6 to continue! So,
(28)2= 216 = 36 (mod 25)!
How to avoid large numbers?
That is, we replace 28 by 6, and squaring it gives us 36.

36 is equivalent to 216 as far as division by 25 is concerned.

Moreover, we can get the remainder of 36/25 which is 11,

and use it as well.

So, 224 = 216 * 28 is equivalent to 11x6 = 66 and 66 – 1 = 65 is

not divisible by 25, hence 25 is not prime.
How to avoid large numbers?
Try these for applying the Fermat’s test to determine if the
number p =
509435952285839914555051023580843714132648382024
111473186660296521821206469746700620316443478873
837606252372049619334517

is prime.

Note that 2^(p-1) can’t be computed in Python!

But, you can compute large powers of 2 mod p.

Are there false positives?
Yes!
There are composite numbers n which can divide 2n-1 - 1.

Observation:
A positive integer n > 1 is prime iff (if and only if) it passes
the Fermat’s test n | an-1 – 1 a {2, … ,(n-1)}.

We may try random a’s, but there exists composite numbers

that pass the test for a large number of a’s (Carmichael
numbers.)
Miller-Rabin Test
Example: is 561 prime?
Fermat’s test: 561|a560 – 1 ?
Use the identity x2 – 1 = (x – 1)(x + 1) to expand
a560 – 1 = (a280 – 1)(a280 + 1)
= (a140 – 1)(a140 + 1)(a280 + 1)
= (a70 – 1)(a70 + 1)(a140 + 1)(a280 + 1)
= (a35 – 1)(a35 + 1)(a70 + 1)(a140 + 1)(a280 + 1)
So, if 561 is prime, at least one of the statements:
561|a35 – 1, or 561|a35 + 1, or 561|a70 + 1, or 561|a140 + 1, or 561|
a280 + 1 must be true.
The Miller-Rabin test: given an odd integer n > 1, to test its
primality, choose an integer a, 1<a<n and consider an-1 – 1
expanded to factors as above, one of these must be divisible by n
Miller-Rabin Test
Can there be false positives?
YES!

But the probability of this happening is < 0.5.

So, if we test for k a’s, the chances of classifying a

composite as a prime < 2-k.

For example, k = 100, the error probability < 10-30. A very

small chance!

This test is widely used in practice.

Public Key Cryptography

public key private key

secret message
in the box!
Public Key Cryptography
The math behind the RSA algorithm!

Alice may set up a “public key system” as follows:

1. She starts by finding two 100-digit prime numbers p & q
2. She computes: m = p⋅q
3. She finds two 200-digit numbers d & e such that
(p – 1)(q – 1) is a divisor of (e⋅d – 1)

m & e: public information

p, q & d: closely guarded secrets, actually she has no use of p&q after
this system set-up!

d: private key
e: public key
Sending a message to Alice
Bob wants to send a secret message to Alice.

1. He converts the message into a non-negative

integer x.
x ≤ m, if not, divide it into parts and send each
part as a separate message. public info
2. He computes: r ≡ xe (mod m)
3. He sends r to Alice Alice’s public key
Receiving a message
Having received r, Alice,

computes: a ≡ rd (mod m)
Alice’s private key

a is the message x
Congruence

If integers a and b give the same remainder when

divided by another positive integer m, then

a ≡ b (mod m)

(a is congruent to b modulo m)

Clearly, m | (b – a)
Properties of the congruence relation

Reflexive: a ≡ a (mod m)

Symmetric: a ≡ b (mod m) ⇒ b ≡ a (mod m)

Transitive: a ≡ b (mod m), b ≡ c (mod m)

⇒ a ≡ c (mod m)
Properties of the congruence relation

if a ≡ b (mod m) and c ≡ d (mod m),

Addition: a + c ≡ b + d (mod m)
Subtraction: a - c ≡ b - d (mod m)
Multiplication: a ∙ c ≡ b ∙ d (mod m)
also: k ∙ a ≡ k ∙ b (mod m), ∀k∈Z

Fermat’s theorem: if p is prime, ap ≡ a (mod p)

 Thursday + Friday = ?
Represent each day with a number from 0 to 6:
Sunday →0 Sunday
Monday →1
Tuesday →2 Saturday Monday
Wednesday →3
Thursday →4 Friday Tuesday
Friday →5
Saturday →6 Thursday Wednesday
and use mod 7 arithmetic…
So,
Thursday + Friday = ( 4 + 5 ) mod 7 = 2 = Tuesday
Modular Arithmetic
Addition and multiplication are
commutative: a+b=b+a
a⋅b=b⋅a
associative: a + (b + c) = (a + b) + c
a ⋅ (b ⋅ c) = (a ⋅ b) ⋅ c
distributive: a⋅(b + c) = a ⋅ b + a ⋅c
Subtraction is inverse of addition: (a + b) – b = a
0 is the identity element for addition: a + 0 = a
1 for multiplication: a⋅1=a
What about division?
 Division in Modular Arithmetic
Tuesday / Wednesday = ?

2 / 3 is a fraction!

Another try, let’s say the result is X, i.e.,

Tuesday / Wednesday = X
then,
X ∙ Wednesday = Tuesday (or X ∙ 3 = 2)
By trial and error, we can find: X = Wednesday or
Tuesday / Wednesday = Wednesday
Is the solution unique?
 Division in Modular Arithmetic
Is the solution unique?

Assume there are two solutions: X and Y

then,
X ⋅ Wednesday = Y ⋅ Wednesday or
(X – Y) ⋅ Wednesday = Sunday which implies
X=Y
Why?
Does this hold if the modulus were not a prime number?

TRUE FALSE
Division in Modular Arithmetic
Actually,
X ⋅ Wednesday = Y ⋅ Wednesday implies
(X – Y) ⋅ Wednesday = 0 (Sunday) + k ⋅ 7 (mod 7)
Since both (X – Y) and Wednesday are < 7; and 7 is a
prime number, the above equation can’t be satisfied unless
k = 0 and hence, X = Y.

If the modulus is not prime, (X – Y) or Wednesday or both

may contain some of its factors, e.g., if modulus is 6,
(X – Y) ⋅ Wednesday = 0 + k ⋅ 6
can be satisfied with k = 1, and (X – Y) = 2 as well.
“Prime Field”

A modular arithmetic system with

numbers 0, 1, …,(p – 1), where the
modulus, p, is a prime number.
Division in Modular Arithmetic
What is 53 / 2 mod 234,527?

We need to test numbers from 1 to 234,526 to find

X in X⋅2 = 53 mod 234,527

Alternatively, if we can find the number b where

b = 1 / 2, we can compute the result as: b⋅53.

So, in general, how to solve a ⋅ x ≡ 1 (mod p)?

(where, a = 2 and p = 234,527 for this example.)
a ⋅ x ≡ 1 (mod p) ?

Will revisit after Euclidean algorithm…

Back to public key cryptography…
ciphertext plaintext
Remember: r ≡ xe (mod m) & x ≡ rd (mod m)
public key private key
Why r d (mod m) = x ed (mod m) = x ?

Since 0 ≤ x < m, it suffices to show that:

m | (xed – x)

And, since m = p ⋅ q, it is sufficient to show that:

p | (xed – x) and q | (xed – x)

(xed – x) is divisible by p
p & q are selected such that (p – 1)(q – 1) | (ed – 1)

so, (p – 1) | (ed – 1) or

ed = (p – 1)⋅k + 1, k ∊ N, so

xed – x = x (p – 1)⋅k + 1 - x = x (x (p – 1)⋅k – 1)

(x(p – 1) – 1) | (x (p – 1)⋅k – 1) (Exercise: show that: (a – 1) | (ak – 1))

(xp – x) | x(x (p – 1)⋅k – 1)

p | xp – x by Fermat’s Theorem

∴ p | x(x (p – 1)⋅k – 1) and p | (xed – x)

Same derivation works for q as well,
∴ m | (xed – x) or xed = x (mod m)
How to find two keys e & d?
Choose one of them, say e, at random from the range:
1,…, (p – 1)(q – 1) – 1.

Must make sure that the selected number is relatively

prime to (p – 1)(q – 1)

How to do this check?

Euclidean Algorithm

If not relatively prime, choose another one and test again.

How to compute xe mod m?
As discussed before in the topics: “how to compute large
powers” and “how to avoid large numbers”.
GCD & LCM:

Greatest common divisor (gcd) & least common multiple (lcm)

gcd(3,6) = 3 gcd(6,6) = 6 gcd(4,9) = 1 gcd(4,6) = 2 gcd(a,0) = a

Two integers, a and b are relatively prime if gcd(a,b) = 1

lcm(1,6) = 6 lcm(6,6) = 6 lcm(4,9) = 36 lcm(4,6) = 12 lcm(5,6) = 30

64
GCD

gcd of two integers can be found by using their prime

factorizations.

Ex:
54 = 2 * 3^3
900 = 2^2 * 3^2 * 5^2
gcd(54, 900) = 2 * 3^2 = 18

But, it is very difficult to find the factorization for large

numbers!! How else can we find gcd ?

65
The Eucledian Algorithm
Given two positive integers a and b, how do we
find their GCD?

1 if a > b, then interchange a and b

if a > 0
r ≔ remainder of b/a
b=r
go to 1
else (i.e, a = 0)
gcd = b
stop
The Eucledian Algorithm: Examples

gcd(300, 18) = gcd (18, 300) = gcd(18, 12) = gcd(12, 18) = gcd(12, 6)
= gcd(6, 12) = gcd(6, 0) = gcd(0, 6) = 6

gcd(101, 100) = gcd(1, 100) = gcd(1, 0) = 1.

gcd(89, 55) = gcd(34, 55) = gcd(34, 21) = gcd(13, 21) = gcd(13, 8) =

gcd(5, 8) = gcd(5, 3) = gcd(2, 3) = gcd(2, 1) = gcd(0, 1) = 1.

67
Euclidian Algorithm Visual – GCD(1071, 462)

1071

147
462 147

147
21

462 462 147

68
The Eucledian Algorithm: Python

#Assumes x>y and both are positive

def gcd(x,y):
if y==0:
return x

return gcd(y, x%y)

69
 GCD Theorem:
Let d = gcd (a, b). Then, d can be written in the
form:
d = a⋅k + b⋅l

where, k & l ∈ Z (i.e., integers which are not

necessarily positive.)

70
Back to a⋅x ≡ 1 (mod p) where p is a prime?

gcd(a, p) = ?
Since, p is prime, and 1 ≤ a < p,
gcd(a, p) = 1

The theorem states that there are two integers, k and l, such that
ak + pl = 1

or
ak = 1 (mod p)

k may not be between 1 and (p – 1); but, we can always use mod p
x = k (mod p)

ax = ak = 1 (mod p)
 What is 53/2 (mod 234,527)?
If we can find an x for which 2⋅x = 1 (mod 234,527), the answer will
be:
53⋅x (mod 234,527)
So, let’s consider:
gcd(2, 234,527) = gcd(1, 2) = 1
Thus, there must be integers k and l such that: 2⋅k + 234,527 ⋅l = 1
or, 2k = 1 (mod 234,527), that is k and x are the same.
2k = 234,528 is a solution (by inspection).
So, k = 117,264
And, x = k = ½ = 117,264

Finally, 53/2 = ½ * 53 = 117,264⋅53 (mod 234,527) = 117,290

 a⋅x ≡ 1 (mod p) where p is a prime

gcd(a, p) = 1
Thus, there must be integers k and l such that:

a⋅k + p⋅l = 1 or a⋅k = 1 (mod p)

So, an integer k = (lp + 1) / a will work.

Here, l must be chosen to find an integer k.

For a = 2, since p is always odd (except for 2), for l = 1, k is always an

integer.
Public Key Cryptography
Alice may set up a “public key system” as follows:
1. She starts by finding two 100-digit prime numbers p & q
2. She computes m = p⋅q
3. She finds two large, e.g., 200-digit, numbers d & e such that
(p – 1)(q – 1) is a divisor of (e⋅d – 1)

m & e: public information

p, q & d: closely guarded secrets, actually she has no use of p&q after
this system set-up!

d: private key
e: public key
Sending a message to Alice
Bob wants to send a secret message to Alice.

1. He converts the message into a non-negative

integer x.
x ≤ m, if not, divide it into parts and send each
part as a separate message. public info
2. He computes: r ≡ xe (mod m)
3. He sends r to Alice Alice’s public key
Receiving a message
Having received r, Alice,

computes: a ≡ rd (mod m)
Alice’s private key

a is the message x
How to find two keys e & d?
Choose e, at random from the range: 1,…, [(p – 1)(q – 1) – 1].

Make sure that the selected number is relatively prime to (p – 1)(q – 1),
i.e., check if gcd(e, (p-1)(q-1)) = 1.

If the selected e is not relatively prime, choose another one. And try
again.

If yes, according to the GCD Theorem, there exist two integers k and l
such that:
ek – (p – 1)(q – 1) l = 1

Or, (p – 1)(q – 1) | (ek – 1). Find a k that satisfies this equation.

Then, if we choose d = k (mod (p – 1)(q – 1)),

(p – 1)(q – 1) | (ed – 1) and d is a suitable private key.
How to send signed messages?
Bob:
encrypts his message with his private key,
adds his signature “Bob”,
encrypts the whole thing again with Alice’s public key,
sends it to Alice

Alice:
decrypts the received message with her private key,
sees signature “Bob”,
decrypts the rest with Bob’s public key

Similar techniques for authentication, watermarking, etc.

Security of RSA protocol
No exact proof of its security.

Since 1977 no successful attacks!

An intruder intercepts Bob’s message and wants to decipher it.

He knows r (the message). Also, Alice’s public key, e and the number
m are known.
Two ways of attack:
1. Figure out the private key, d
2. Determine x, knowing the remainder of xe (mod m)
No theorem stating that doing these are impossible!

But, if one can break the RSA system, the same algorithm can be
used to find the prime factors of m…
Real life uses
SSL

HTTPS

Uses longer than 100-digit primes (> 200 for commercial,

>400 for military)

May use this algorithm to send the key for a simpler

encryption system (like one-time pad) to make the
computations easier.
 • Encryption basics
• Properties of primes
• Congruence
• Public-private keys
• Euler’s algorithm

Study Bee