public key cryptography the rsa cryptosystem. by william m. faucette department of mathematics state...

Public Key Cryptography

The RSA Cryptosystem

by William M. Faucette

Department of MathematicsState University of West

Georgia


The granddaddy of all public key cryptosystems, the RSA cryptosystem is named for its creators, Rivest, Shamir, and Adleman.

RSA was first described in 1978.

A Little Number Theory

In order to describe the RSA cryptosystem, we first need to get a little background in some elementary number theory.

Relatively Prime Numbers


Two natural numbers n and m are relatively prime if n and m have no common factor greater than 1.


For example, 24 and 25 are relatively prime, as are 2310 and 2873.

If you don’t believe me, factor them!

The Euler Phi Function


For any natural number n, the Euler phi function of n, denoted (n),is the number of natural numbers less than or equal to n which are relatively prime to n.


For example, we have(1)=1 since 1 is relatively prime to

1(2)=1 since 1 is relatively prime to

2(3)=2 since 1, 2 are relatively prime

to 3(10)=4 since 1, 3, 7, 9 are relatively

prime to 10.


If p is a prime number, then (p)=p-1, since every number less than p is relatively prime to p.


Similarly, (pk)=pk-pk-1= pk-1(p-1). This is easy to see since the only

prime factor of pk is p, so the only numbers which have a common factor with pk are the multiples of p.


Since one out of every p numbers is a multiple of p, the number of multiples of p less than or equal to pk is pk-1.

So, (pk)=pk-pk-1= pk-1(p-1).


Although it’s not at all obvious, the Euler phi function is multiplicative. That is, if n and m are relatively prime, then

(nm)= (n) (m)


One proof of this result uses the Chinese Remainder Theorem to show that there is a one-to-one correspondence between numbers less than or equal to the product nm which are relatively prime to nm and ordered pairs of numbers which are (1) less than or equal to n and relatively prime to n and (2) less than or equal to m and relatively prime to m.


We won’t prove this result. If you’re interested, consult pages

21–22 in the book A Course in Number Theory and Cryptography by Neal Koblitz


In particular, if n is the product of two prime numbers p and q, we have

The Euclidean Algorithm


The Euclidean Algorithm allows the efficient computation of the greatest common divisor of two natural numbers.

This algorithm is easily implemented on present-day computers even with extremely large numbers.


Suppose we wish to compute the greatest common divisor, denoted gcd, of two natural numbers, a and b, with b<a.

First, you divide a by b, getting a quotient q1 and a remainder r1.


Next, you divide b by r1, getting a quotient q2 and a remainder r2.


From now on, you divide rn-1 by rn, getting a quotient qn+1 and a remainder rn+1.


Since 0≤rn+1<rn, eventually the remainder is 0. The last nonzero remainder in this process is the greatest common divisor of a and b.


In fact,

so that this algorithm works exponentially quickly.

Repeated Squaring Method


The repeated squaring method allows the efficient computation of the modular exponentiation of a large number to a large power.

This algorithm is easily implemented on present-day computers even with extremely large numbers.


Algorithm: We wish to compute bn mod m

First, write n as a natural number in base 2.

Here, each ni is either 0 or 1.



Set a=1 if n0=0 and set a=b if n0=1.

Square b and set b1b2 mod m.

If n1=1, multiply a by b1 and reduce mod m.

Square b1 and set b2 b12 mod m.

If n2=1, multiply a by b2 and reduce mod m.



At the jth step, you have computed bj b2^j mod m.

If nj=1, multiply a by bj.After the (k1)-st step, a = bn mod m

Finding Large Prime Numbers


In order to implement the RSA algorithm, we must have a technique for finding large prime numbers.


Since the security of the RSA algorithm itself is based on the fact that it is computationally infeasible to factor large numbers, we must have some other method of determining whether a large number is prime.

Primality Tests

Primality Tests

According to Fermat’s Little Theorem, if p is a prime number and a is a number relatively prime to p, then

Primality Tests

If n is not prime, it is still possible that the equation

holds, but not likely, for a relatively prime to n.

If this equation holds, we say that n is a pseudoprime base a.

Primality Tests

Theorem: If, for a given n, Fermat’s Little Theorem fails for a single base a, then it fails for at least half of the possible bases a in (Z/nZ)*.

Primality Tests

Algorithm: Take a large odd integer n. Choose a random a with 0<a<n. Compute gcd(a,n). If gcd(a,n)>1, then n is composite.

Primality Tests

Algorithm: If gcd(a,n)=1, then raise a to the

(n1)-st power. If Fermat’s Little Theorem fails,

then n is composite. If Fermat’s Little Theorem holds,

then n might be prime.

Primality Tests

Algorithm: Next, choose k different bases

a1, a2, . . . , ak and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2k that n might still be composite.

Primality Tests

Algorithm: This gives us a probabilistic method

of choosing large prime numbers, unless …

Primality Tests

It is possible that, for a given n, Fermat’s Little Theorem holds for all bases a. In fact, such numbers exist. They are called Carmichael numbers.

In 1992, it was shown by Alford, Granville, and Pomerance that there are infinitely many Carmichael numbers.

Shameless Plug for my Alma Mater

This result was proven while Alford, Granville, and Pomerance were on the mathematics faculty of The University of Georgia.

Primality Tests

So, we might want to look at a better primality test.

Primality Tests

Another primality test involves some quantities called Jacobi symbols, and in order to define them, we must talk about Legendre symbols.

Legendre and Jacobi Symbols

Let p be an odd prime number and let a be a natural number. We define the Legendre symbol

to be 0 if p divides a, 1 if a is a square mod p, and 1 is a is not a square mod p.


If n is not prime, we can factor n uniquely as a product of primes p1

1 . . . pr

r. We define the Jacobi

symbol by


Legendre and Jacobi symbols are easily computed by present-day computers using the Law of Quadratic Reciprocity.

For further information, consult any text on elementary number theory.

Primality Tests

For a prime number p, it is known that

Primality Tests

Theorem: If n is composite, the equation

fails for at least half of the possible bases a in (Z/nZ)*.

Primality Tests

Algorithm: Take a large odd integer n. Choose a random a with 0<a<n. Compute gcd(a,n). If gcd(a,n)>1, then n is composite.

Primality Tests

Algorithm: If gcd(a,n)=1, then raise a to the

(n1)/2-th power Compute the Jacobi symbol (a/n). If these two numbers are not

congruent mod n, then n is composite.

If these two numbers are congruent mod n, then n might be prime.

Primality Tests

Algorithm: Next, choose k different bases

a1, a2, . . . , ak and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2k that n might still be composite.

Primality Tests

Algorithm: This gives us a probabilistic

method of choosing large prime numbers.

How Big is “Large”?

Suppose we are using an N letter alphabet. Choose natural numbers k and l with k<l so that Nk and Nl have approximately 200 decimal digits.


Each user must choose his prime numbers p and q so that n=pq is between Nk and Nl.


In this way, every k digit number in the N symbol alphabet can be represented uniquely as a number in Z/nZ.


Further, every number in Z/nZ represents a unique l digit number in the N symbol alphabet.


In this way, we can use a k-graph technique to convert groups of k letters in the plaintext into a unique number in Z/nZ.


Then, using an l-graph technique, the ciphertext numerical string can then be converted into a unique sequence of groups of l letters.

The RSA Algorithm

The RSA Algorithm

Alice and Bob wish to exchange messages through the RSA Algorithm.

Alice chooses two large prime numbers, pA and qA. She does this using the probabilistic primality testing discussed earlier.

She then computes nA= pA qA and (nA)=(pA-1) (qA-1).

The RSA Algorithm

Alice next chooses a natural number eA which is relatively prime to (nA).

To do this, take any number of the right size and use the Euclidean Algorithm to find the gcd of that number and (nA). If the gcd is 1, stop. If not, increment the number by 1 and repeat the process.

The RSA Algorithm

Since eA is relatively prime to (nA), eA has a multiplicative inverse eA

1 in the quotient ring Z/(nA)Z.

Let dA= eA1. Then eA dA mod (nA).

The RSA Algorithm

Alice’s public enciphering key is then KE,A=(nA,eA). This key is published.

Alice’s private deciphering key is then KD,A=(nA,dA). This key is kept confidential.

The RSA Algorithm

Similarly, Bob chooses two large prime numbers, pB and qB. He does this using the probabilistic primality testing discussed earlier.

He then computes nB= pB qB and (nB)=(pB-1) (qB-1).

The RSA Algorithm

Bob also chooses a natural number eB which is relatively prime to (nB).

Do this using the same algorithm Alice used.

The RSA Algorithm

Since eB is relatively prime to (nB), eB has a multiplicative inverse eB

1 in the quotient ring Z/(nB)Z.

Let dB= eB1. Then eB dB mod (nB).

The RSA Algorithm

Bob’s public enciphering key is then KE,B=(nB,eB). This key is published.

Bob’s private deciphering key is then KD,B=(nB,dB). This key is kept confidential.

Exchanges Using RSA

Encoding using RSA

In order to encode a plaintext message using the RSA algorithm, Alice first converts the plaintext into a string of digits, as described earlier. Call this number P.

Encoding using RSA

Next, Alice raises P to the eB power and takes the remainder mod nB. She then sends the result, C, to Bob. Since only Bob knows the decoding key dB, only he can read the message.

Decoding using RSA

Once Bob receives the message C, he raises C to the dB power and reduces mod nB.

Since eBdB 1 mod nB, this second exponentiation returns P from C.

The decoding is completed by converting this string of digits back into characters.

The RSA Algorithm

The fact that only Bob knows dB means that only Bob can read the message. This takes care of confidentiality. What about the other three facets of data transfer?

Authenticity and Non-Repudiation

in the RSA Algorithm

Authenticity and Non-Repudiation in RSA

To guarantee authenticity and non-repudiation, Alice takes the string of digits P and does one of the following:

If nA<nB, she raises P to dA and reduces mod nA. She then raises the result to eB and reduces mod nB.


If nB<nA, she raises P to eB and reduces mod nB. She then raises the result to dA and reduces mod nA.

This gives the ciphertext C, which she sends to Bob.


To perform the decryption, Bob takes the ciphertext C and does one of the following:

If nB<nA, he raises C to eA and reduces mod nA. He then raises the result to dB and reduces mod nB.


If nA<nB, he raises C to dB and reduces mod nB. He then raises the result to eA and reduces mod nA.

This gives the plaintext P. The decoding is completed by converting this string of digits back into characters.


The key fact here is that Alice has used her private key dA in the encryption process. Since Bob knows Alice’s public key eA, he can use Alice’s public key as well as his own private deciphering key to get a readable message which he knows only Alice could have sent.

Integrity in RSA

Integrity in RSA

In order to ensure that a coded message hasn’t been tampered with in transmission, one uses a hash function.

Hash Functions

Roughly speaking, a hash function is an easily computable map f:x->h from a very long input x to a much shorter output h that has the property that f is one-to-one.

That is, two different plaintext messages go to two different hash values.

Integrity in RSA

If part of Alice’s signature consists of the hash value h=f(x), where x is the entire text of her message, then Bob can verify not only that the message was really sent by Alice, but also that it wasn’t tampered with during transmission.

Next Time . . .

In the next lecture, we will look at a second type of public key cryptography based on the use of the group of points on an elliptic curve. This is (appropriately enough) known as elliptic curve cryptography.

Thanks for Attending

public key cryptography the rsa cryptosystem. by william m. faucette department of mathematics state...

Documents