public key cryptography the rsa cryptosystem. by william m. faucette department of mathematics state...
TRANSCRIPT
Public Key Cryptography
The RSA Cryptosystem
by William M. Faucette
Department of MathematicsState University of West
Georgia
The RSA Cryptosystem
The RSA Cryptosystem
The granddaddy of all public key cryptosystems, the RSA cryptosystem is named for its creators, Rivest, Shamir, and Adleman.
RSA was first described in 1978.
A Little Number Theory
In order to describe the RSA crypto- system, we first need to get a little background in some elementary number theory.
Relatively Prime Numbers
Relatively Prime Numbers
Two natural numbers n and m are relatively prime if n and m have no common factor greater than 1.
Relatively Prime Numbers
For example, 24 and 25 are relatively prime, as are 2310 and 2873.
If you don’t believe me, factor them!
The Euler Phi Function
The Euler Phi Function
For any natural number n, the Euler phi function of n, denoted (n),is the number of natural numbers less than or equal to n which are relatively prime to n.
The Euler Phi Function
For example, we have(1)=1 since 1 is relatively prime to
1(2)=1 since 1 is relatively prime to
2(3)=2 since 1, 2 are relatively prime
to 3(10)=4 since 1, 3, 7, 9 are relatively
prime to 10.
The Euler Phi Function
If p is a prime number, then (p)=p-1, since every number less than p is relatively prime to p.
The Euler Phi Function
Similarly, (pk)=pk-pk-1= pk-1(p-1). This is easy to see since the only
prime factor of pk is p, so the only numbers which have a common factor with pk are the multiples of p.
The Euler Phi Function
Since one out of every p numbers is a multiple of p, the number of multiples of p less than or equal to pk is pk-1.
So, (pk)=pk-pk-1= pk-1(p-1).
The Euler Phi Function
Although it’s not at all obvious, the Euler phi function is multiplicative. That is, if n and m are relatively prime, then
(nm)= (n) (m)
The Euler Phi Function
One proof of this result uses the Chinese Remainder Theorem to show that there is a one-to-one correspondence between numbers less than or equal to the product nm which are relatively prime to nm and ordered pairs of numbers which are (1) less than or equal to n and relatively prime to n and (2) less than or equal to m and relatively prime to m.
The Euler Phi Function
We won’t prove this result. If you’re interested, consult pages
21–22 in the book A Course in Number Theory and Cryptography by Neal Koblitz
The Euler Phi Function
In particular, if n is the product of two prime numbers p and q, we have
The Euclidean Algorithm
The Euclidean Algorithm
The Euclidean Algorithm allows the efficient computation of the greatest common divisor of two natural numbers.
This algorithm is easily implemented on present-day computers even with extremely large numbers.
The Euclidean Algorithm
Suppose we wish to compute the greatest common divisor, denoted gcd, of two natural numbers, a and b, with b<a.
First, you divide a by b, getting a quotient q1 and a remainder r1.
The Euclidean Algorithm
Next, you divide b by r1, getting a quotient q2 and a remainder r2.
The Euclidean Algorithm
From now on, you divide rn-1 by rn, getting a quotient qn+1 and a remainder rn+1.
The Euclidean Algorithm
Since 0≤rn+1<rn, eventually the remainder is 0. The last nonzero remainder in this process is the greatest common divisor of a and b.
The Euclidean Algorithm
In fact,
so that this algorithm works exponentially quickly.
Repeated Squaring Method
Repeated Squaring Method
The repeated squaring method allows the efficient computation of the modular exponentiation of a large number to a large power.
This algorithm is easily implemented on present-day computers even with extremely large numbers.
Repeated Squaring Method
Algorithm: We wish to compute bn mod m
First, write n as a natural number in base 2.
Here, each ni is either 0 or 1.
Repeated Squaring Method
Algorithm: We wish to compute bn mod m
Set a=1 if n0=0 and set a=b if n0=1.
Square b and set b1b2 mod m.
If n1=1, multiply a by b1 and reduce mod m.
Square b1 and set b2 b12 mod m.
If n2=1, multiply a by b2 and reduce mod m.
Repeated Squaring Method
Algorithm: We wish to compute bn mod m
At the jth step, you have computed bj b2^j mod m.
If nj=1, multiply a by bj.After the (k1)-st step, a = bn mod m
Finding Large Prime Numbers
Finding Large Prime Numbers
In order to implement the RSA algorithm, we must have a technique for finding large prime numbers.
Finding Large Prime Numbers
Since the security of the RSA algorithm itself is based on the fact that it is computationally infeasible to factor large numbers, we must have some other method of determining whether a large number is prime.
Primality Tests
Primality Tests
According to Fermat’s Little Theorem, if p is a prime number and a is a number relatively prime to p, then
Primality Tests
If n is not prime, it is still possible that the equation
holds, but not likely, for a relatively prime to n.
If this equation holds, we say that n is a pseudoprime base a.
Primality Tests
Theorem: If, for a given n, Fermat’s Little Theorem fails for a single base a, then it fails for at least half of the possible bases a in (Z/nZ)*.
Primality Tests
Algorithm: Take a large odd integer n. Choose a random a with 0<a<n. Compute gcd(a,n). If gcd(a,n)>1, then n is composite.
Primality Tests
Algorithm: If gcd(a,n)=1, then raise a to the
(n1)-st power. If Fermat’s Little Theorem fails,
then n is composite. If Fermat’s Little Theorem holds,
then n might be prime.
Primality Tests
Algorithm: Next, choose k different bases
a1, a2, . . . , ak and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2k that n might still be composite.
Primality Tests
Algorithm: This gives us a probabilistic method
of choosing large prime numbers, unless …
Primality Tests
It is possible that, for a given n, Fermat’s Little Theorem holds for all bases a. In fact, such numbers exist. They are called Carmichael numbers.
In 1992, it was shown by Alford, Granville, and Pomerance that there are infinitely many Carmichael numbers.
Shameless Plug for my Alma Mater
This result was proven while Alford, Granville, and Pomerance were on the mathematics faculty of The University of Georgia.
Primality Tests
So, we might want to look at a better primality test.
Primality Tests
Another primality test involves some quantities called Jacobi symbols, and in order to define them, we must talk about Legendre symbols.
Legendre and Jacobi Symbols
Let p be an odd prime number and let a be a natural number. We define the Legendre symbol
to be 0 if p divides a, 1 if a is a square mod p, and 1 is a is not a square mod p.
Legendre and Jacobi Symbols
If n is not prime, we can factor n uniquely as a product of primes p1
1 . . . pr
r. We define the Jacobi
symbol by
Legendre and Jacobi Symbols
Legendre and Jacobi symbols are easily computed by present-day computers using the Law of Quadratic Reciprocity.
For further information, consult any text on elementary number theory.
Primality Tests
For a prime number p, it is known that
Primality Tests
Theorem: If n is composite, the equation
fails for at least half of the possible bases a in (Z/nZ)*.
Primality Tests
Algorithm: Take a large odd integer n. Choose a random a with 0<a<n. Compute gcd(a,n). If gcd(a,n)>1, then n is composite.
Primality Tests
Algorithm: If gcd(a,n)=1, then raise a to the
(n1)/2-th power Compute the Jacobi symbol (a/n). If these two numbers are not
congruent mod n, then n is composite.
If these two numbers are congruent mod n, then n might be prime.
Primality Tests
Algorithm: Next, choose k different bases
a1, a2, . . . , ak and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2k that n might still be composite.
Primality Tests
Algorithm: This gives us a probabilistic
method of choosing large prime numbers.
How Big is “Large”?
Suppose we are using an N letter alphabet. Choose natural numbers k and l with k<l so that Nk and Nl have approximately 200 decimal digits.
How Big is “Large”?
Each user must choose his prime numbers p and q so that n=pq is between Nk and Nl.
How Big is “Large”?
In this way, every k digit number in the N symbol alphabet can be represented uniquely as a number in Z/nZ.
How Big is “Large”?
Further, every number in Z/nZ represents a unique l digit number in the N symbol alphabet.
How Big is “Large”?
In this way, we can use a k-graph technique to convert groups of k letters in the plaintext into a unique number in Z/nZ.
How Big is “Large”?
Then, using an l-graph technique, the ciphertext numerical string can then be converted into a unique sequence of groups of l letters.
The RSA Algorithm
The RSA Algorithm
Alice and Bob wish to exchange messages through the RSA Algorithm.
Alice chooses two large prime numbers, pA and qA. She does this using the probabilistic primality testing discussed earlier.
She then computes nA= pA qA and (nA)=(pA-1) (qA-1).
The RSA Algorithm
Alice next chooses a natural number eA which is relatively prime to (nA).
To do this, take any number of the right size and use the Euclidean Algorithm to find the gcd of that number and (nA). If the gcd is 1, stop. If not, increment the number by 1 and repeat the process.
The RSA Algorithm
Since eA is relatively prime to (nA), eA has a multiplicative inverse eA
1 in the quotient ring Z/(nA)Z.
Let dA= eA1. Then eA dA mod (nA).
The RSA Algorithm
Alice’s public enciphering key is then KE,A=(nA,eA). This key is published.
Alice’s private deciphering key is then KD,A=(nA,dA). This key is kept confidential.
The RSA Algorithm
Similarly, Bob chooses two large prime numbers, pB and qB. He does this using the probabilistic primality testing discussed earlier.
He then computes nB= pB qB and (nB)=(pB-1) (qB-1).
The RSA Algorithm
Bob also chooses a natural number eB which is relatively prime to (nB).
Do this using the same algorithm Alice used.
The RSA Algorithm
Since eB is relatively prime to (nB), eB has a multiplicative inverse eB
1 in the quotient ring Z/(nB)Z.
Let dB= eB1. Then eB dB mod (nB).
The RSA Algorithm
Bob’s public enciphering key is then KE,B=(nB,eB). This key is published.
Bob’s private deciphering key is then KD,B=(nB,dB). This key is kept confidential.
Exchanges Using RSA
Encoding using RSA
In order to encode a plaintext message using the RSA algorithm, Alice first converts the plaintext into a string of digits, as described earlier. Call this number P.
Encoding using RSA
Next, Alice raises P to the eB power and takes the remainder mod nB. She then sends the result, C, to Bob. Since only Bob knows the decoding key dB, only he can read the message.
Decoding using RSA
Once Bob receives the message C, he raises C to the dB power and reduces mod nB.
Since eBdB 1 mod nB, this second exponentiation returns P from C.
The decoding is completed by converting this string of digits back into characters.
The RSA Algorithm
The fact that only Bob knows dB means that only Bob can read the message. This takes care of confidentiality. What about the other three facets of data transfer?
Authenticity and Non-Repudiation
in the RSA Algorithm
Authenticity and Non-Repudiation in RSA
To guarantee authenticity and non-repudiation, Alice takes the string of digits P and does one of the following:
If nA<nB, she raises P to dA and reduces mod nA. She then raises the result to eB and reduces mod nB.
Authenticity and Non-Repudiation in RSA
If nB<nA, she raises P to eB and reduces mod nB. She then raises the result to dA and reduces mod nA.
This gives the ciphertext C, which she sends to Bob.
Authenticity and Non-Repudiation in RSA
To perform the decryption, Bob takes the ciphertext C and does one of the following:
If nB<nA, he raises C to eA and reduces mod nA. He then raises the result to dB and reduces mod nB.
Authenticity and Non-Repudiation in RSA
If nA<nB, he raises C to dB and reduces mod nB. He then raises the result to eA and reduces mod nA.
This gives the plaintext P. The decoding is completed by converting this string of digits back into characters.
Authenticity and Non-Repudiation in RSA
The key fact here is that Alice has used her private key dA in the encryption process. Since Bob knows Alice’s public key eA, he can use Alice’s public key as well as his own private deciphering key to get a readable message which he knows only Alice could have sent.
Integrity in RSA
Integrity in RSA
In order to ensure that a coded message hasn’t been tampered with in transmission, one uses a hash function.
Hash Functions
Roughly speaking, a hash function is an easily computable map f:x->h from a very long input x to a much shorter output h that has the property that f is one-to-one.
That is, two different plaintext messages go to two different hash values.
Integrity in RSA
If part of Alice’s signature consists of the hash value h=f(x), where x is the entire text of her message, then Bob can verify not only that the message was really sent by Alice, but also that it wasn’t tampered with during transmission.
Next Time . . .
In the next lecture, we will look at a second type of public key cryptography based on the use of the group of points on an elliptic curve. This is (appropriately enough) known as elliptic curve cryptography.
Thanks for Attending