new public key (rsa) encryption · 2009. 2. 23. · logo1 overview needed theorems rsa encryption...

logo1

Overview Needed Theorems RSA Encryption

Public Key (RSA) Encryption

Bernd Schroder

Bernd Schroder Louisiana Tech University, College of Engineering and Science


logo1


Encryption and Decryption

1. Simple idea: “You” want to send communications that“they” won’t understand, even if the transmission isintercepted.

2. Internet commerce. “You”: Provider and client. “They”:Hackers, identity thieves.

3. Intelligence. “You”: Operative and correspondingintelligence agency. “They”: Another intelligence agency.

4. War. “You”: Field commander and central command.“They”: Opposing army.



logo1


Encryption and Decryption1. Simple idea: “You” want to send communications that

“they” won’t understand, even if the transmission isintercepted.






logo1




2. Internet commerce.

“You”: Provider and client. “They”:Hackers, identity thieves.





logo1




2. Internet commerce. “You”: Provider and client.

“They”:Hackers, identity thieves.





logo1









logo1





3. Intelligence.

“You”: Operative and correspondingintelligence agency. “They”: Another intelligence agency.




logo1





3. Intelligence. “You”: Operative and correspondingintelligence agency.

“They”: Another intelligence agency.4. War. “You”: Field commander and central command.

“They”: Opposing army.



logo1









logo1






4. War.

“You”: Field commander and central command.“They”: Opposing army.



logo1






4. War. “You”: Field commander and central command.

“They”: Opposing army.



logo1









logo1


Caesarian Cipher

1. In Caesar’s times most people, including Romans, wereilliterate.

2. But that did not make written communications safe. Therewere literate barbarians.

3. Caesarian cipher: Scramble the letters of the alphabet. Forexample, “hello” becomes “ygaap”.

4. To send the message you need to know how to encode themessage: h → y, e → g, l → a, o → p.

5. To read the message you need to know how to decode it:y → h, g → e, a → l, p → o.

6. But for this one, as soon as you can encode, you candecode, too.

7. So sender and recipient must keep the code private, whichis why this is called “private key encryption”.



logo1


Caesarian Cipher1. In Caesar’s times most people, including Romans, were

illiterate.

2. But that did not make written communications safe. Therewere literate barbarians.








logo1



illiterate.2. But that did not make written communications safe.

Therewere literate barbarians.








logo1



illiterate.2. But that did not make written communications safe. There

were literate barbarians.








logo1




were literate barbarians.3. Caesarian cipher: Scramble the letters of the alphabet.

Forexample, “hello” becomes “ygaap”.







logo1




were literate barbarians.3. Caesarian cipher: Scramble the letters of the alphabet. For

example, “hello” becomes “ygaap”.







logo1





example, “hello” becomes “ygaap”.4. To send the message you need to know how to encode the

message:

h → y, e → g, l → a, o → p.5. To read the message you need to know how to decode it:

y → h, g → e, a → l, p → o.6. But for this one, as soon as you can encode, you can

decode, too.7. So sender and recipient must keep the code private, which

is why this is called “private key encryption”.



logo1






message: h → y, e → g, l → a, o → p.






logo1






message: h → y, e → g, l → a, o → p.5. To read the message you need to know how to decode it:



is why this is called “private key encryption”.



logo1







y → h, g → e, a → l, p → o.





logo1








decode, too.




logo1









is why this is called “private key encryption”.Bernd Schroder Louisiana Tech University, College of Engineering and Science


logo1


Problems With Private Key Encryption

1. If one of the owners of the key reveals the key, allcommunications are compromised.

2. One captured centurion jeopardizes legions. (“Windtalkers”.)

3. One captured operative jeopardizes a spy network.4. It does not matter how sophisticated the private key code

is. From the encoding process, you can find the decodingprocess. (Enigma.)

5. But somehow, even though the encoding mechanism forinternet transactions is public, internet transactions areconsidered safe???



logo1


Problems With Private Key Encryption1. If one of the owners of the key reveals the key, all

communications are compromised.

2. One captured centurion jeopardizes legions. (“Windtalkers”.)






logo1



communications are compromised.2. One captured centurion jeopardizes legions.

(“Windtalkers”.)






logo1



communications are compromised.2. One captured centurion jeopardizes legions. (“Wind

talkers”.)






logo1




talkers”.)3. One captured operative jeopardizes a spy network.

4. It does not matter how sophisticated the private key codeis. From the encoding process, you can find the decodingprocess. (Enigma.)




logo1




talkers”.)3. One captured operative jeopardizes a spy network.4. It does not matter how sophisticated the private key code





logo1






5. But somehow, even though the encoding mechanism forinternet transactions is public, internet transactions areconsidered safe

???



logo1









logo1


Public Key Encryption

1. The problems with private key encryption would beresolved if the decoding mechanism could not be (easily)obtained from the encoding mechanism.1.1 One captured centurion’s code would not reveal what the

others are sending (did not happen).1.2 One captured operative would not be a problem (did not

happen until late 1970s).1.3 Internet transmissions could be considered safe. (We do

consider them as safe as can be.)2. But how do you get something like that?3. Make breaking the code depend on being able to solve a

hard problem, like the factorization of a large number.



logo1


Public Key Encryption1. The problems with private key encryption would be

resolved if the decoding mechanism could not be (easily)obtained from the encoding mechanism.

1.1 One captured centurion’s code would not reveal what theothers are sending (did not happen).

1.2 One captured operative would not be a problem (did nothappen until late 1970s).

1.3 Internet transmissions could be considered safe. (We doconsider them as safe as can be.)

2. But how do you get something like that?3. Make breaking the code depend on being able to solve a




logo1



resolved if the decoding mechanism could not be (easily)obtained from the encoding mechanism.1.1 One captured centurion’s code would not reveal what the

others are sending (did not happen).

1.2 One captured operative would not be a problem (did nothappen until late 1970s).






logo1





happen until late 1970s).






logo1





happen until late 1970s).1.3 Internet transmissions could be considered safe.

(We doconsider them as safe as can be.)





logo1






consider them as safe as can be.)





logo1






consider them as safe as can be.)2. But how do you get something like that?

3. Make breaking the code depend on being able to solve ahard problem, like the factorization of a large number.



logo1






consider them as safe as can be.)2. But how do you get something like that?3. Make breaking the code depend on being able to solve a




logo1


Proposition.

Let x,m ∈N have no common factors. Then for allc ∈ N that are not divisible by m, we have that cx 6≡ 0 (mod m).Moreover, there is a y ∈ N so that xy ≡ 1 (mod m).

Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1

}has m−1 distinct elements and [0]m is not one of them. Thereare exactly m−1 equivalence classes modulo m that are not[0]m. So A =

{[z]m : z = 1, . . . ,m−1

}and [1]m ∈ A. Hence there

is a y ∈ {1, . . . ,m−1} so that [x]m · [y]m = [1]m, that is, so thatxy ≡ 1 (mod m).



logo1


Proposition. Let x,m ∈N have no common factors.

Then for allc ∈ N that are not divisible by m, we have that cx 6≡ 0 (mod m).Moreover, there is a y ∈ N so that xy ≡ 1 (mod m).


{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1


Proposition. Let x,m ∈N have no common factors. Then for allc ∈ N that are not divisible by m, we have that cx 6≡ 0 (mod m).

Moreover, there is a y ∈ N so that xy ≡ 1 (mod m).


{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1


Proposition. Let x,m ∈N have no common factors. Then for allc ∈ N that are not divisible by m, we have that cx 6≡ 0 (mod m).Moreover, there is a y ∈ N so that xy ≡ 1 (mod m).


{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof.

Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m).

Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.

Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b.

Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).

Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}.

For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).

Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m)

, which means thatxy1 6≡ xy2 (mod m). But then A :=

{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1



Proof. Let b ∈ N be so that bx ≡ 0 (mod m). Then m|bx.Because x and m do not have any common factors, m|b. Hence,if c is not divisible by m, then cx 6≡ 0 (mod m).Now consider {xy : y = 1, . . . ,m−1}. For any two distincty1,y2 ∈ {1, . . . ,m−1} with y1 < y2 we have that m - (y2− y1).Hence, x(y2− y1) 6≡ 0 (mod m), which means thatxy1 6≡ xy2 (mod m).

But then A :={[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1




{[xy]m : y = 1, . . . ,m−1

}has m−1 distinct elements

and [0]m is not one of them. Thereare exactly m−1 equivalence classes modulo m that are not[0]m. So A =

{[z]m : z = 1, . . . ,m−1





logo1




{[xy]m : y = 1, . . . ,m−1

}has m−1 distinct elements and [0]m is not one of them.

Thereare exactly m−1 equivalence classes modulo m that are not[0]m. So A =

{[z]m : z = 1, . . . ,m−1





logo1




{[xy]m : y = 1, . . . ,m−1

}has m−1 distinct elements and [0]m is not one of them. Thereare exactly m−1 equivalence classes modulo m that are not[0]m.

So A ={[z]m : z = 1, . . . ,m−1





logo1




{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1

}

and [1]m ∈ A. Hence thereis a y ∈ {1, . . . ,m−1} so that [x]m · [y]m = [1]m, that is, so thatxy ≡ 1 (mod m).



logo1




{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1

}and [1]m ∈ A.

Hence thereis a y ∈ {1, . . . ,m−1} so that [x]m · [y]m = [1]m, that is, so thatxy ≡ 1 (mod m).



logo1




{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1


is a y ∈ {1, . . . ,m−1} so that [x]m · [y]m = [1]m

, that is, so thatxy ≡ 1 (mod m).



logo1




{[xy]m : y = 1, . . . ,m−1


{[z]m : z = 1, . . . ,m−1





logo1


Theorem.

Fermat’s Little Theorem. Let p be a prime number.Then for every a ∈ N we have that ap ≡ a (mod p). Moreover,for every a ∈ N that is not divisible by p we have thatap−1 ≡ 1 (mod p).

Proof. Let a ∈ N. We prove ap ≡ a (mod p) by induction on a.Base step a = 1: obvious.Induction step.

(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak

≡ 1+ap (mod p)≡ 1+a (mod p)

Now let a ∈ N be so that p - a. There is a b ∈ N withab ≡ 1 (mod p). Hence ap ≡ a (mod p) impliesapb ≡ ab (mod p), which implies ap−1 ≡ 1 (mod p).



logo1


Theorem. Fermat’s Little Theorem.

Let p be a prime number.Then for every a ∈ N we have that ap ≡ a (mod p). Moreover,for every a ∈ N that is not divisible by p we have thatap−1 ≡ 1 (mod p).


(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1


Theorem. Fermat’s Little Theorem. Let p be a prime number.

Then for every a ∈ N we have that ap ≡ a (mod p). Moreover,for every a ∈ N that is not divisible by p we have thatap−1 ≡ 1 (mod p).


(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1


Theorem. Fermat’s Little Theorem. Let p be a prime number.Then for every a ∈ N we have that ap ≡ a (mod p).

Moreover,for every a ∈ N that is not divisible by p we have thatap−1 ≡ 1 (mod p).


(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1


Theorem. Fermat’s Little Theorem. Let p be a prime number.Then for every a ∈ N we have that ap ≡ a (mod p). Moreover,for every a ∈ N that is not divisible by p we have thatap−1 ≡ 1 (mod p).


(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1



Proof.

Let a ∈ N. We prove ap ≡ a (mod p) by induction on a.Base step a = 1: obvious.Induction step.

(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1



Proof. Let a ∈ N.

We prove ap ≡ a (mod p) by induction on a.Base step a = 1: obvious.Induction step.

(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1



Proof. Let a ∈ N. We prove ap ≡ a (mod p) by induction on a.

Base step a = 1: obvious.Induction step.

(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1



Proof. Let a ∈ N. We prove ap ≡ a (mod p) by induction on a.Base step a = 1: obvious.

Induction step.

(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1




(a+1)p

=p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k

= 1+ap +p−1

∑k=1

(pk

)ak





logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak

≡ 1+ap (mod p)

≡ 1+a (mod p)




logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak


Now let a ∈ N be so that p - a.

There is a b ∈ N withab ≡ 1 (mod p). Hence ap ≡ a (mod p) impliesapb ≡ ab (mod p), which implies ap−1 ≡ 1 (mod p).



logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak


Now let a ∈ N be so that p - a. There is a b ∈ N withab ≡ 1 (mod p).

Hence ap ≡ a (mod p) impliesapb ≡ ab (mod p), which implies ap−1 ≡ 1 (mod p).



logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak


Now let a ∈ N be so that p - a. There is a b ∈ N withab ≡ 1 (mod p). Hence ap ≡ a (mod p)

impliesapb ≡ ab (mod p), which implies ap−1 ≡ 1 (mod p).



logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak


Now let a ∈ N be so that p - a. There is a b ∈ N withab ≡ 1 (mod p). Hence ap ≡ a (mod p) impliesapb ≡ ab (mod p)

, which implies ap−1 ≡ 1 (mod p).



logo1




(a+1)p =p

∑k=0

(pk

)ak1p−k = 1+ap +

p−1

∑k=1

(pk

)ak





logo1


RSA Encryption

1. R. Rivest, A. Shamir, L. Adleman, (1978) A Method forObtaining Digital Signatures and Public-KeyCryptosystems, Communications of the ACM 21, 120-126

2. p, q: fixed, distinct prime numbers3. n := pq (must be hard to factor, so large, proprietary prime

numbers are used)4. ϕ(n) := (p−1)(q−1)5. e ∈

{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there

is an efficient algorithm to check e)6. d is so that de ≡ 1

(mod ϕ(n)

), (there is an efficient

algorithm to find d)7. (n,e) is the public key (disseminated)8. d is the private key (kept secret)



logo1


RSA Encryption1. R. Rivest, A. Shamir, L. Adleman, (1978) A Method for

Obtaining Digital Signatures and Public-KeyCryptosystems, Communications of the ACM 21, 120-126



{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)





logo1




2. p, q: fixed, distinct prime numbers

3. n := pq (must be hard to factor, so large, proprietary primenumbers are used)

4. ϕ(n) := (p−1)(q−1)5. e ∈

{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)





logo1





numbers are used)

4. ϕ(n) := (p−1)(q−1)5. e ∈

{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)





logo1





numbers are used)4. ϕ(n) := (p−1)(q−1)

5. e ∈{

2, . . . ,ϕ(n)−1}

must be so that(e,ϕ(n)

)= 1 (there


(mod ϕ(n)





logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1

(thereis an efficient algorithm to check e)

6. d is so that de ≡ 1(mod ϕ(n)





logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there

is an efficient algorithm to check e)

6. d is so that de ≡ 1(mod ϕ(n)





logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)

),

(there is an efficientalgorithm to find d)

7. (n,e) is the public key (disseminated)8. d is the private key (kept secret)



logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)


algorithm to find d)

7. (n,e) is the public key (disseminated)8. d is the private key (kept secret)



logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)


algorithm to find d)7. (n,e) is the public key (disseminated)

8. d is the private key (kept secret)



logo1






{2, . . . ,ϕ(n)−1

}must be so that

(e,ϕ(n)

)= 1 (there


(mod ϕ(n)





logo1


Sending Messages

1. The message is a large number m smaller than n (or astring of numbers). Group letters in blocks and encodethem with numbers. Make sure a cryptoquote styleapproach is unlikely to break the code.

2. Encrypted message: c :≡ me (mod n) (use the positiverepresentative smaller than n for convenience).

3. Decrypted message: Representative of[cd]

n that is in{0, . . . ,n−1}.

Why does this work?

Theorem. RSA encryption. With notation as above, ifc ≡ me (mod n), then cd ≡ m (mod n).



logo1


Sending Messages1. The message is a large number m smaller than n (or a

string of numbers).

Group letters in blocks and encodethem with numbers. Make sure a cryptoquote styleapproach is unlikely to break the code.



n that is in{0, . . . ,n−1}.

Why does this work?




logo1



string of numbers). Group letters in blocks and encodethem with numbers.

Make sure a cryptoquote styleapproach is unlikely to break the code.



n that is in{0, . . . ,n−1}.

Why does this work?




logo1



string of numbers). Group letters in blocks and encodethem with numbers. Make sure a cryptoquote styleapproach is unlikely to break the code.



n that is in{0, . . . ,n−1}.

Why does this work?




logo1






n that is in{0, . . . ,n−1}.

Why does this work?

Theorem.

RSA encryption. With notation as above, ifc ≡ me (mod n), then cd ≡ m (mod n).



logo1






n that is in{0, . . . ,n−1}.

Why does this work?

Theorem. RSA encryption.

With notation as above, ifc ≡ me (mod n), then cd ≡ m (mod n).



logo1






n that is in{0, . . . ,n−1}.

Why does this work?




logo1


Proof.

cd ≡ (me)d ≡ med (mod n).Now, de ≡ 1

(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1

). That is, there are x and y so that

ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med = m1+x(p−1) =

(mp−1)x m ≡ m (mod p).

Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1


Proof. cd

≡ (me)d ≡ med (mod n).Now, de ≡ 1

(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1







logo1


Proof. cd ≡ (me)d

≡ med (mod n).Now, de ≡ 1

(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1







logo1


Proof. cd ≡ (me)d ≡ med (mod n).

Now, de ≡ 1(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1







logo1


Proof. cd ≡ (me)d ≡ med (mod n).Now, de ≡ 1

(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1

).

That is, there are x and y so thated = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med = m1+x(p−1) =





logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).

Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med = m1+x(p−1) =





logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m.

By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med = m1+x(p−1) =





logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain

cd ≡ med = m1+x(p−1) =(mp−1)x m ≡ m (mod p).




logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd

≡ med = m1+x(p−1) =(mp−1)x m ≡ m (mod p).




logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med

= m1+x(p−1) =(mp−1)x m ≡ m (mod p).




logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1


ed = 1+ x(p−1) = 1+ y(q−1).Case 1: p - m. By Fermat’s Little Theorem, used in the last step,we obtain cd ≡ med = m1+x(p−1)

=(mp−1)x m ≡ m (mod p).




logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1



(mp−1)x m

≡ m (mod p).Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1







logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m.

If m is a multiple of p, thencd ≡ med ≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, then

cd ≡ med ≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd

≡ med ≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd ≡ med

≡ 0ed ≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed

≡ 0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed ≡

0 ≡ m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed ≡ 0 ≡

m (mod p).Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1




Case 2: p|m. If m is a multiple of p, thencd ≡ med ≡ 0ed ≡ 0 ≡ m (mod p).

Similarly, we prove that cd ≡ m (mod q), which impliescd ≡ m (mod n).



logo1



(mod (p−1)(q−1)

), so de ≡ 1

(mod p−1

)and

de ≡ 1(mod q−1







logo1


Why Is It Safe?

1. To break the code, an attacker would need d.2. d can be generated from e and ϕ(n).3. ϕ(n) can be generated from p and q.4. p and q can in principle be obtained from n. But that’s the

key to safety. Factoring large numbers is hard.5. There might be fast factorization algorithms (that would

win a Clay Millennium Prize).6. Quantum computers could do it (but we can’t build them

yet).7. So for the time being, public key encryption is safe. (In my

opinion, it will be a while.)



logo1


Why Is It Safe?1. To break the code, an attacker would need d.

2. d can be generated from e and ϕ(n).3. ϕ(n) can be generated from p and q.4. p and q can in principle be obtained from n. But that’s the







logo1


Why Is It Safe?1. To break the code, an attacker would need d.2. d can be generated from e and ϕ(n).

3. ϕ(n) can be generated from p and q.4. p and q can in principle be obtained from n. But that’s the







logo1


Why Is It Safe?1. To break the code, an attacker would need d.2. d can be generated from e and ϕ(n).3. ϕ(n) can be generated from p and q.

4. p and q can in principle be obtained from n. But that’s thekey to safety. Factoring large numbers is hard.

5. There might be fast factorization algorithms (that wouldwin a Clay Millennium Prize).

6. Quantum computers could do it (but we can’t build themyet).

7. So for the time being, public key encryption is safe. (In myopinion, it will be a while.)



logo1


Why Is It Safe?1. To break the code, an attacker would need d.2. d can be generated from e and ϕ(n).3. ϕ(n) can be generated from p and q.4. p and q can in principle be obtained from n.

But that’s thekey to safety. Factoring large numbers is hard.






logo1


Why Is It Safe?1. To break the code, an attacker would need d.2. d can be generated from e and ϕ(n).3. ϕ(n) can be generated from p and q.4. p and q can in principle be obtained from n. But that’s the

key to safety.

Factoring large numbers is hard.5. There might be fast factorization algorithms (that would






logo1



key to safety. Factoring large numbers is hard.






logo1




win a Clay Millennium Prize).





logo1





yet).




logo1





yet).7. So for the time being, public key encryption is safe.

(In myopinion, it will be a while.)



logo1









new public key (rsa) encryption · 2009. 2. 23. · logo1 overview needed theorems rsa encryption...

Documents