Public Key Cryptography

1
Public Key Cryptography

• The RSA Cryptosystem

2
by William M. Faucette

• Department of Mathematics
• State University of West Georgia

3
The RSA Cryptosystem
4
The RSA Cryptosystem

• The granddaddy of all public key cryptosystems,
  the RSA cryptosystem is named for its creators,
  Rivest, Shamir, and Adleman.
• RSA was first described in 1978.

5
A Little Number Theory

• In order to describe the RSA crypto- system, we
  first need to get a little background in some
  elementary number theory.

6
Relatively Prime Numbers
7
Relatively Prime Numbers

• Two natural numbers n and m are relatively prime
  if n and m have no common factor greater than 1.

8
Relatively Prime Numbers

• For example, 24 and 25 are relatively prime, as
  are 2310 and 2873.

If you dont believe me, factor them!
9
The Euler Phi Function
10
The Euler Phi Function

• For any natural number n, the Euler phi function
  of n, denoted ?(n),is the number of natural
  numbers less than or equal to n which are
  relatively prime to n.

11
The Euler Phi Function

• For example, we have
• ?(1)1 since 1 is relatively prime to 1
• ?(2)1 since 1 is relatively prime to 2
• ?(3)2 since 1, 2 are relatively prime to 3
• ?(10)4 since 1, 3, 7, 9 are relatively prime to
  10.

12
The Euler Phi Function

• If p is a prime number, then ?(p)p-1, since
  every number less than p is relatively prime to p.

13
The Euler Phi Function

• Similarly, ?(pk)pk-pk-1 pk-1(p-1).
• This is easy to see since the only prime factor
  of pk is p, so the only numbers which have a
  common factor with pk are the multiples of p.

14
The Euler Phi Function

• Since one out of every p numbers is a multiple of
  p, the number of multiples of p less than or
  equal to pk is pk-1.
• So, ?(pk)pk-pk-1 pk-1(p-1).

15
The Euler Phi Function

• Although its not at all obvious, the Euler phi
  function is multiplicative. That is, if n and m
  are relatively prime, then
• ?(nm) ?(n) ?(m)

16
The Euler Phi Function

• One proof of this result uses the Chinese
  Remainder Theorem to show that there is a
  one-to-one correspondence between numbers less
  than or equal to the product nm which are
  relatively prime to nm and ordered pairs of
  numbers which are (1) less than or equal to n and
  relatively prime to n and (2) less than or equal
  to m and relatively prime to m.

17
The Euler Phi Function

• We wont prove this result.
• If youre interested, consult pages 2122 in the
  book A Course in Number Theory and Cryptography
  by Neal Koblitz

18
The Euler Phi Function

• In particular, if n is the product of two prime
  numbers p and q, we have

19
The Euclidean Algorithm
20
The Euclidean Algorithm

• The Euclidean Algorithm allows the efficient
  computation of the greatest common divisor of two
  natural numbers.
• This algorithm is easily implemented on
  present-day computers even with extremely large
  numbers.

21
The Euclidean Algorithm

• Suppose we wish to compute the greatest common
  divisor, denoted gcd, of two natural numbers, a
  and b, with blta.
• First, you divide a by b, getting a quotient q1
  and a remainder r1.

22
The Euclidean Algorithm

• Next, you divide b by r1, getting a quotient q2
  and a remainder r2.

23
The Euclidean Algorithm

• From now on, you divide rn-1 by rn, getting a
  quotient qn1 and a remainder rn1.

24
The Euclidean Algorithm

• Since 0rn1ltrn, eventually the remainder is 0.
  The last nonzero remainder in this process is the
  greatest common divisor of a and b.

25
The Euclidean Algorithm

• In fact,
• so that this algorithm works exponentially
  quickly.

26
Repeated Squaring Method
27
Repeated Squaring Method

• The repeated squaring method allows the efficient
  computation of the modular exponentiation of a
  large number to a large power.
• This algorithm is easily implemented on
  present-day computers even with extremely large
  numbers.

28
Repeated Squaring Method

• Algorithm We wish to compute bn mod m
• First, write n as a natural number in base 2.
• Here, each ni is either 0 or 1.

29
Repeated Squaring Method

• Algorithm We wish to compute bn mod m
• Set a1 if n00 and set ab if n01.
• Square b and set b1???b2 mod m.
• If n11, multiply a by b1 and reduce mod m.
• Square b1 and set b2??? b12 mod m.
• If n21, multiply a by b2 and reduce mod m.

30
Repeated Squaring Method

• Algorithm We wish to compute bn mod m
• At the jth step, you have computed bj
  ??b2j mod m.
• If nj1, multiply a by bj.
• After the (k?1)-st step, a bn mod m

31
Finding Large Prime Numbers
32
Finding Large Prime Numbers

• In order to implement the RSA algorithm, we must
  have a technique for finding large prime numbers.

33
Finding Large Prime Numbers

• Since the security of the RSA algorithm itself is
  based on the fact that it is computationally
  infeasible to factor large numbers, we must have
  some other method of determining whether a large
  number is prime.

34
Primality Tests
35
Primality Tests

• According to Fermats Little Theorem, if p is a
  prime number and a is a number relatively prime
  to p, then

36
Primality Tests

• If n is not prime, it is still possible that the
  equation
• holds, but not likely, for a relatively prime to
  n.
• If this equation holds, we say that n is a
  pseudoprime base a.

37
Primality Tests

• Theorem If, for a given n, Fermats Little
  Theorem fails for a single base a, then it fails
  for at least half of the possible bases a in
  (Z/nZ).

38
Primality Tests

• Algorithm
• Take a large odd integer n.
• Choose a random a with 0ltaltn.
• Compute gcd(a,n).
• If gcd(a,n)gt1, then n is composite.

39
Primality Tests

• Algorithm
• If gcd(a,n)1, then raise a to the
  (n?1)-st power.
• If Fermats Little Theorem fails, then n is
  composite.
• If Fermats Little Theorem holds, then n might be
  prime.

40
Primality Tests

• Algorithm
• Next, choose k different bases a1, a2,
  . . . , ak and suppose that n might be prime with
  respect to each of these bases. Then by our
  theorem, there is 1 chance in 2k that n might
  still be composite.

41
Primality Tests

• Algorithm
• This gives us a probabilistic method of choosing
  large prime numbers, unless

42
Primality Tests

• It is possible that, for a given n, Fermats
  Little Theorem holds for all bases a. In fact,
  such numbers exist. They are called Carmichael
  numbers.
• In 1992, it was shown by Alford, Granville, and
  Pomerance that there are infinitely many
  Carmichael numbers.

43
Shameless Plug for my Alma Mater

• This result was proven while Alford, Granville,
  and Pomerance were on the mathematics faculty of
  The University of Georgia.

44
Primality Tests

• So, we might want to look at a better primality
  test.

45
Primality Tests

• Another primality test involves some quantities
  called Jacobi symbols, and in order to define
  them, we must talk about Legendre symbols.

46
Legendre and Jacobi Symbols

• Let p be an odd prime number and let a be a
  natural number. We define the Legendre symbol
• to be 0 if p divides a, 1 if a is a square mod p,
  and ?1 is a is not a square mod p.

47
Legendre and Jacobi Symbols

• If n is not prime, we can factor n uniquely as a
  product of primes p1?1 . . . pr?r. We
  define the Jacobi symbol by

48
Legendre and Jacobi Symbols

• Legendre and Jacobi symbols are easily computed
  by present-day computers using the Law of
  Quadratic Reciprocity.
• For further information, consult any text on
  elementary number theory.

49
Primality Tests

• For a prime number p, it is known that

50
Primality Tests

• Theorem If n is composite, the equation
• fails for at least half of the possible bases a
  in (Z/nZ).

51
Primality Tests

• Algorithm
• Take a large odd integer n.
• Choose a random a with 0ltaltn.
• Compute gcd(a,n).
• If gcd(a,n)gt1, then n is composite.

52
Primality Tests

• Algorithm
• If gcd(a,n)1, then raise a to the
  (n?1)/2-th power
• Compute the Jacobi symbol (a/n).
• If these two numbers are not congruent mod n,
  then n is composite.
• If these two numbers are congruent mod n, then n
  might be prime.

53
Primality Tests

• Algorithm
• Next, choose k different bases a1, a2,
  . . . , ak and suppose that n might be prime with
  respect to each of these bases. Then by our
  theorem, there is 1 chance in 2k that n might
  still be composite.

54
Primality Tests

• Algorithm
• This gives us a probabilistic method of choosing
  large prime numbers.

55
How Big is Large?

• Suppose we are using an N letter alphabet.
  Choose natural numbers k and l with kltl so that
  Nk and Nl have approximately 200 decimal digits.

56
How Big is Large?

• Each user must choose his prime numbers p and q
  so that npq is between Nk and Nl.

57
How Big is Large?

• In this way, every k digit number in the N symbol
  alphabet can be represented uniquely as a number
  in Z/nZ.

58
How Big is Large?

• Further, every number in Z/nZ represents a unique
  l digit number in the N symbol alphabet.

59
How Big is Large?

• In this way, we can use a k-graph technique to
  convert groups of k letters in the plaintext into
  a unique number in Z/nZ.

60
How Big is Large?

• Then, using an l-graph technique, the ciphertext
  numerical string can then be converted into a
  unique sequence of groups of l letters.

61
The RSA Algorithm
62
The RSA Algorithm

• Alice and Bob wish to exchange messages through
  the RSA Algorithm.
• Alice chooses two large prime numbers, pA and qA.
  She does this using the probabilistic primality
  testing discussed earlier.
• She then computes nA pA qA and
  ?(nA)(pA-1) (qA-1).

63
The RSA Algorithm

• Alice next chooses a natural number eA which is
  relatively prime to ?(nA).
• To do this, take any number of the right size and
  use the Euclidean Algorithm to find the gcd of
  that number and ?(nA). If the gcd is 1,
  stop. If not, increment the number by 1 and
  repeat the process.

64
The RSA Algorithm

• Since eA is relatively prime to ?(nA), eA has a
  multiplicative inverse eA?1 in the quotient ring
  Z/?(nA)Z.
• Let dA eA?1. Then eA dA ????mod ?(nA).

65
The RSA Algorithm

• Alices public enciphering key is then
  KE,A(nA,eA). This key is published.
• Alices private deciphering key is then
  KD,A(nA,dA). This key is kept confidential.

66
The RSA Algorithm

• Similarly, Bob chooses two large prime numbers,
  pB and qB. He does this using the probabilistic
  primality testing discussed earlier.
• He then computes nB pB qB and
  ?(nB)(pB-1) (qB-1).

67
The RSA Algorithm

• Bob also chooses a natural number eB which is
  relatively prime to ?(nB).
• Do this using the same algorithm Alice used.

68
The RSA Algorithm

• Since eB is relatively prime to ?(nB), eB has a
  multiplicative inverse eB?1 in the quotient ring
  Z/?(nB)Z.
• Let dB eB?1. Then eB dB ????mod ?(nB).

69
The RSA Algorithm

• Bobs public enciphering key is then
  KE,B(nB,eB). This key is published.
• Bobs private deciphering key is then
  KD,B(nB,dB). This key is kept confidential.

70
Exchanges Using RSA
71
Encoding using RSA

• In order to encode a plaintext message using the
  RSA algorithm, Alice first converts the plaintext
  into a string of digits, as described earlier.
  Call this number P.

72
Encoding using RSA

• Next, Alice raises P to the eB power and takes
  the remainder mod nB. She then sends the result,
  C, to Bob. Since only Bob knows the decoding key
  dB, only he can read the message.

73
Decoding using RSA

• Once Bob receives the message C, he raises C to
  the dB power and reduces mod nB.
• Since eBdB ??1 mod nB, this second exponentiation
  returns P from C.
• The decoding is completed by converting this
  string of digits back into characters.

74
The RSA Algorithm

• The fact that only Bob knows dB means that only
  Bob can read the message. This takes care of
  confidentiality. What about the other three
  facets of data transfer?

75
Authenticity and Non-Repudiation

• in the RSA Algorithm

76
Authenticity and Non-Repudiation in RSA

• To guarantee authenticity and non-repudiation,
  Alice takes the string of digits P and does one
  of the following
• If nAltnB, she raises P to dA and reduces mod nA.
  She then raises the result to eB and reduces mod
  nB.

77
Authenticity and Non-Repudiation in RSA

• If nBltnA, she raises P to eB and reduces mod nB.
  She then raises the result to dA and reduces mod
  nA.
• This gives the ciphertext C, which she sends to
  Bob.

78
Authenticity and Non-Repudiation in RSA

• To perform the decryption, Bob takes the
  ciphertext C and does one of the following
• If nBltnA, he raises C to eA and reduces mod nA.
  He then raises the result to dB and reduces mod
  nB.

79
Authenticity and Non-Repudiation in RSA

• If nAltnB, he raises C to dB and reduces mod nB.
  He then raises the result to eA and reduces mod
  nA.
• This gives the plaintext P. The decoding is
  completed by converting this string of digits
  back into characters.

80
Authenticity and Non-Repudiation in RSA

• The key fact here is that Alice has used her
  private key dA in the encryption process. Since
  Bob knows Alices public key eA, he can use
  Alices public key as well as his own private
  deciphering key to get a readable message which
  he knows only Alice could have sent.

81
Integrity in RSA
82
Integrity in RSA

• In order to ensure that a coded message hasnt
  been tampered with in transmission, one uses a
  hash function.

83
Hash Functions

• Roughly speaking, a hash function is an easily
  computable map fx-gth from a very long input x to
  a much shorter output h that has the property
  that f is one-to-one.
• That is, two different plaintext messages go to
  two different hash values.

84
Integrity in RSA

• If part of Alices signature consists of the hash
  value hf(x), where x is the entire text of her
  message, then Bob can verify not only that the
  message was really sent by Alice, but also that
  it wasnt tampered with during transmission.

85
Next Time . . .

• In the next lecture, we will look at a second
  type of public key cryptography based on the use
  of the group of points on an elliptic curve.
  This is (appropriately enough) known as elliptic
  curve cryptography.

86
Thanks for Attending