RSA and Primality Testing
Joan Boyar, IMADA, University of Southern Denmark
Studieretningsprojekter 2010

Outline

■ Symmetric key cryptography
■ Public key cryptography
■ Introduction to number theory
■ RSA
■ Modular exponentiation
■ Greatest common divisor
■ Primality testing
■ Correctness of RSA
■ Digital signatures with RSA

Caesar cipher

    A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
    0  1  2  3  4  5  6  7  8  9  10 11 12 13 14
    D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R
    3  4  5  6  7  8  9  10 11 12 13 14 15 16 17

    P  Q  R  S  T  U  V  W  X  Y  Z  Æ  Ø  Å
    15 16 17 18 19 20 21 22 23 24 25 26 27 28
    S  T  U  V  W  X  Y  Z  Æ  Ø  Å  A  B  C
    18 19 20 21 22 23 24 25 26 27 28 0  1  2

$E(m) = m + 3 \pmod{29}$

Symmetric key systems

Suppose the following was encrypted using a Caesar cipher and the Danish alphabet. The key is unknown. What does it say?

ZQOØQOØ, RI.

What does this say about how many keys should be possible?
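
The question about the number of possible keys can be settled by machine: with the 29-letter alphabet from the table there are only 29 keys, so trying every one recovers the message. This is an added example, not part of the original slides; the small word list used to recognise the plaintext is constructed for this sketch.

```python
# Exhaustive key search on the Caesar cipher over the 29-letter Danish alphabet.
# E(m) = m + k (mod 29), with letters numbered as in the slide's table.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZÆØÅ"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

# Constructed, deliberately tiny list of common Danish words (an assumption of
# this sketch, not something given on the slides).
COMMON_WORDS = {"JA", "NEJ", "OG", "ER", "DET", "IKKE", "EN", "AT"}


def shift(text, k):
    """Shift every alphabet letter by k positions; leave other characters alone."""
    n = len(ALPHABET)
    return "".join(
        ALPHABET[(INDEX[ch] + k) % n] if ch in INDEX else ch for ch in text
    )


def encrypt(plaintext, key):
    return shift(plaintext.upper(), key)


def decrypt(ciphertext, key):
    return shift(ciphertext.upper(), -key)


def all_candidates(ciphertext):
    """Return {key: candidate plaintext} for each of the 29 possible keys."""
    return {key: decrypt(ciphertext, key) for key in range(len(ALPHABET))}


def split_words(text):
    """Split on anything that is not a letter of the alphabet."""
    words, current = [], []
    for ch in text:
        if ch in INDEX:
            current.append(ch)
        elif current:
            words.append("".join(current))
            current = []
    if current:
        words.append("".join(current))
    return words


def best_key(ciphertext):
    """Pick the key whose candidate plaintext contains the most common words."""
    candidates = all_candidates(ciphertext)
    return max(
        candidates,
        key=lambda k: sum(w in COMMON_WORDS for w in split_words(candidates[k])),
    )


if __name__ == "__main__":
    ciphertext = "ZQOØQOØ, RI."
    for key, text in all_candidates(ciphertext).items():
        print(f"{key:2d}  {text}")
    print("most plausible key:", best_key(ciphertext))
```
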

Symmetric key systems

■ Caesar Cipher
■ Enigma
■ DES
■ Blowfish
■ IDEA
■ Triple DES
■ AES

Public key cryptography

Bob — 2 keys - $PK_B$, $SK_B$

$PK_B$ — Bob’s public key
$SK_B$ — Bob’s private (secret) key

For Alice to send $m$ to Bob, Alice computes: $c = E(m, PK_B)$.

To decrypt $c$, Bob computes: $r = D(c, SK_B)$. $r = m$.

It must be “hard” to compute $SK_B$ from $PK_B$.

Introduction to Number Theory

Definition. Suppose $a, b \in \mathbb{Z}$, $a > 0$.
Suppose $\exists c \in \mathbb{Z}$ s.t. $b = ac$. Then $a$ divides $b$.
$a \mid b$.
$a$ is a factor of $b$.
$b$ is a multiple of $a$.
$e \nmid f$ means $e$ does not divide $f$.

Theorem. $a, b, c \in \mathbb{Z}$. Then
1. if $a \mid b$ and $a \mid c$, then $a \mid (b + c)$
2. if $a \mid b$, then $a \mid bc$ $\forall c \in \mathbb{Z}$
3. if $a \mid b$ and $b \mid c$, then $a \mid c$.

Definition. $p \in \mathbb{Z}$, $p > 1$.
$p$ is prime if 1 and $p$ are the only positive integers which divide $p$.
2, 3, 5, 7, 11, 13, 17, ...
$p$ is composite if it is not prime.
4, 6, 8, 9, 10, 12, 14, 15, 16, ...

Theorem. $a \in \mathbb{Z}$, $d \in \mathbb{N}$
unique $q, r$, 0 r

Definition. $a \equiv b \pmod{m}$ — $a$ is congruent to $b$ modulo $m$ if $m \mid (a - b)$.
$m \mid (a - b) \Rightarrow \exists k \in \mathbb{Z}$ s.t. $a = b + km$.

Theorem. $a \equiv b \pmod{m}$, $c \equiv d \pmod{m}$.
Then $a + c \equiv b + d \pmod{m}$ and $ac \equiv bd \pmod{m}$.

Proof. (of first) $\exists k_1, k_2$ s.t.
$a = b + k_1 m$
$c = d + k_2 m$
$a + c = b + k_1 m + d + k_2 m = b + d + (k_1 + k_2)m$

Examples.
1. $15 \equiv 22 \pmod{7}$? $15 = 22 \pmod{7}$?
2. $15 \equiv 1 \pmod{7}$? $15 = 1 \pmod{7}$?
3. $15 \equiv 37 \pmod{7}$? $15 = 37 \pmod{7}$?
4. $58 \equiv 22 \pmod{9}$? $58 = 22 \pmod{9}$?

RSA — a public key system

$N_A = p_A \cdot q_A$, where $p_A, q_A$ prime.
$\gcd(e_A, (p_A - 1)(q_A - 1)) = 1$.
$e_A \cdot d_A \equiv 1 \pmod{(p_A - 1)(q_A - 1)}$.

■ $PK_A = (N_A, e_A)$
■ $SK_A = (N_A, d_A)$

To encrypt: $c = E(m, PK_A) = m^{e_A} \pmod{N_A}$.
To decrypt: $r = D(c, SK_A) = c^{d_A} \pmod{N_A}$.
$r = m$.

Example: $p = 5$, $q = 11$, $e = 3$, $d = 27$, $m = 8$.
Then $N = 55$.
$e \cdot d = 81$. So $e \cdot d = 1 \pmod{4 \cdot 10}$.
To encrypt $m$: $c = 8^3 \pmod{55} = 17$.
To decrypt $c$: $r = 17^{27} \pmod{55} = 8$.

Security of RSA

The primes $p_A$ and $q_A$ are kept secret with $d_A$.

Suppose Eve can factor $N_A$.

Then she can find $p_A$ and $q_A$.
From them and $e_A$, she finds $d_A$.

Then she can decrypt just like Alice.

Factoring must be hard!

Factoring

Theorem. $N$ composite $\Rightarrow$ $N$ has a prime divisor $\le \sqrt{N}$

Factor(n)
    for i = 2 to √n do
        check if i divides n
        if it does then output (i, n/i)
    endfor
    output -1 if divisor not found

Corollary. There is an algorithm for factoring $N$ (or testing primality) which does $O(\sqrt{N})$ tests of divisibility.

Factoring

Check all possible divisors between 2 and $\sqrt{n}$.
Not finished in your grandchildren’s lifetime for $n$ with 1024 bits.

Problem. The length of the input is $n = \lceil \log_2(N + 1) \rceil$. So the running time is $O(2^{n/2})$ — exponential.

Open Problem. Does there exist a polynomial time factoring algorithm?

Use primes which are at least 512 (or 1024) bits long.
So $2^{511} \le p_A, q_A < 2^{512}$.
So $p_A \approx 10^{154}$.

RSA

How do we implement RSA?

We need to find: $p_A, q_A, N_A, e_A, d_A$.
We need to encrypt and decrypt.

RSA — encryption/decryption

We need to encrypt and decrypt: compute $a^k \pmod{n}$.
$a^2 \pmod{n} \equiv a \cdot a \pmod{n}$ — 1 modular multiplication

Modular Exponentiation

Theorem. For all nonnegative integers, $b, c, m$,
$b \cdot c \pmod{m} = (b \pmod{m}) \cdot (c \pmod{m}) \pmod{m}$.

Example: $a \cdot a^2 \pmod{n} = (a \pmod{n})(a^2 \pmod{n}) \pmod{n}$.

$8^3 \pmod{55} = 8 \cdot 8^2 \pmod{55}$
$= 8 \cdot 64 \pmod{55}$
$= 8 \cdot (9 + 55) \pmod{55}$
$= 72 + (8 \cdot 55) \pmod{55}$
$= 17 + 55 + (8 \cdot 55) \pmod{55}$
$= 17$

RSA — encryption/decryption

We need to encrypt and decrypt: compute $a^k \pmod{n}$.

$a^2 \pmod{n} \equiv a \cdot a \pmod{n}$ — 1 modular multiplication
$a^3 \pmod{n} \equiv a \cdot (a \cdot a \pmod{n}) \pmod{n}$ — 2 mod mults

Guess: $k - 1$ modular multiplications.

This is too many!
$e_A \cdot d_A \equiv 1 \pmod{(p_A - 1)(q_A - 1)}$.
$p_A$ and $q_A$ have $\ge 512$ bits each.
So at least one of $e_A$ and $d_A$ has $\ge 512$ bits.
To either encrypt or decrypt would need $\ge 2^{511} \approx 10^{154}$ operations (more than number of atoms in the universe).

How do you calculate $a^4 \pmod{n}$ in less than 3?
$a^4 \pmod{n} \equiv (a^2 \pmod{n})^2 \pmod{n}$ — 2 mod mults

In general: $a^{2s} \pmod{n}$?
$a^{2s} \pmod{n} \equiv (a^s \pmod{n})^2 \pmod{n}$

In general: $a^{2s+1} \pmod{n}$?
$a^{2s+1} \pmod{n} \equiv a \cdot ((a^s \pmod{n})^2 \pmod{n}) \pmod{n}$

Modular Exponentiation

Exp(a, k, n) { Compute a^k (mod n) }
    if k < 0 then report error
    if k = 0 then return(1)
    if k = 1 then return(a (mod n))
    if k is odd then return(a · Exp(a, k − 1, n) (mod n))
    if k is even then
        c ← Exp(a, k/2, n)
        return((c · c) (mod n))

To compute 3^6 (mod 7): Exp(3, 6, 7)
    c ← Exp(3, 3, 7) ← 3 · (Exp(3, 2, 7)) (mod 7)
        c′ ← Exp(3, 1, 7) ← 3
        Exp(3, 2, 7) ← 3 · 3 (mod 7) ← 2
    c ← 3 · 2 (mod 7) ← 6
    Exp(3, 6, 7) ← (6 · 6) (mod 7) ← 1
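
The Exp(a, k, n) procedure above, as an added Python example (not part of the original slides) that also counts modular multiplications, so the "guess" of k − 1 can be compared with what repeated squaring needs. The 512-bit exponent and the modulus used for the large case in `__main__` are constructed values.

```python
def exp_mod(a, k, n):
    """Compute a^k (mod n) as Exp(a, k, n) does; return (value, multiplications).

    The odd case is folded into a single call using a^(2s+1) = a * (a^s)^2,
    the identity derived on the slides. The multiplications performed are the
    same, and the recursion depth stays at the bit length of k.
    """
    if k < 0:
        raise ValueError("negative exponent")
    if k == 0:
        return 1 % n, 0
    if k == 1:
        return a % n, 0
    c, mults = exp_mod(a, k // 2, n)        # a^s with s = floor(k / 2)
    square = (c * c) % n                    # a^(2s)
    if k % 2 == 0:
        return square, mults + 1
    return (a * square) % n, mults + 2      # a^(2s+1)


def naive_exp_mod(a, k, n):
    """The slides' first guess: multiply by a, k - 1 times."""
    if k < 1:
        raise ValueError("exponent must be at least 1")
    result, mults = a % n, 0
    for _ in range(k - 1):
        result = (result * a) % n
        mults += 1
    return result, mults


def predicted_mults(k):
    """Closed form for exp_mod's count (k >= 1): one squaring for every bit
    after the leading one, plus one multiplication for every further 1 bit."""
    return (k.bit_length() - 1) + (bin(k).count("1") - 1)


if __name__ == "__main__":
    print("3^6 mod 7     ->", exp_mod(3, 6, 7))
    print("8^3 mod 55    ->", exp_mod(8, 3, 55))      # encryption in the slides' example
    print("17^27 mod 55  ->", exp_mod(17, 27, 55))    # decryption in the slides' example
    print("naive 17^27   ->", naive_exp_mod(17, 27, 55))

    # Constructed worst case: a 512-bit exponent with every bit set.
    k = 2**512 - 1
    n = 2**1024 - 105
    value, mults = exp_mod(0xC0FFEE, k, n)
    print("512-bit exponent:", mults, "multiplications; bound",
          2 * (k.bit_length() - 1))
    print("matches built-in pow:", value == pow(0xC0FFEE, k, n))
```

The count depends on how many 1 bits the exponent has, so the running time of this routine varies with the exponent; code that handles a private exponent uses constant-time exponentiation for that reason.
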

Modular Exponentiation

How many modular multiplications?

Divide exponent by 2 every other time.
How many times can we do that?
$\lfloor \log_2(k) \rfloor$
So at most $2 \lfloor \log_2(k) \rfloor$ modular multiplications.

RSA — a public key system

Try using $N = 35$, $e = 11$ to create keys for RSA.
What is $d$? Try $d = 11$ and check it.
Encrypt 4. Decrypt the result.

Did you get $c = 9$? And $r = 4$?

Greatest Common Divisor

We need to find: $e_A, d_A$.
$\gcd(e_A, (p_A - 1)(q_A - 1)) = 1$.
$e_A \cdot d_A \equiv 1 \pmod{(p_A - 1)(q_A - 1)}$.

Choose random $e_A$.
Check that $\gcd(e_A, (p_A - 1)(q_A - 1)) = 1$.
Find $d_A$ such that $e_A \cdot d_A \equiv 1 \pmod{(p_A - 1)(q_A - 1)}$.

The Extended Euclidean Algorithm

Theorem. $a, b \in \mathbb{N}$. $\exists s, t \in \mathbb{Z}$ s.t. $sa + tb = \gcd(a, b)$.

Proof. Let $d$ be the smallest positive integer in $D = \{xa + yb \mid x, y \in \mathbb{Z}\}$.
$d \in D \Rightarrow d = x'a + y'b$ for some $x', y' \in \mathbb{Z}$.
$\gcd(a, b) \mid a$ and $\gcd(a, b) \mid b$, so $\gcd(a, b) \mid x'a$, $\gcd(a, b) \mid y'b$, and $\gcd(a, b) \mid (x'a + y'b) = d$. We will show that $d \mid \gcd(a, b)$, so $d = \gcd(a, b)$. Note $a \in D$.
Suppose $a = dq + r$ with 0 r

The Extended Euclidean Algorithm

How do you find $d$, $s$ and $t$?

Let $d = \gcd(a, b)$.
Write $b$ as $b = aq + r$ with 0 r

The Extended Euclidean Algorithm

{ Initialize }
    d_0 ← b    s_0 ← 0    t_0 ← 1
    d_1 ← a    s_1 ← 1    t_1 ← 0
    n ← 1
{ Compute next d }
    while d_n > 0 do
    begin
        n ← n + 1
        { Compute d_n ← d_{n−2} (mod d_{n−1}) }
        q_n ← ⌊d_{n−2} / d_{n−1}⌋
        d_n ← d_{n−2} − q_n d_{n−1}
        s_n ← q_n s_{n−1} + s_{n−2}
        t_n ← q_n t_{n−1} + t_{n−2}
    end
    s ← (−1)^n s_{n−1}    t ← (−1)^{n−1} t_{n−1}
    gcd(a, b) ← d_{n−1}

The Extended Euclidean Algorithm

Finding multiplicative inverses modulo $m$:

Given $a$ and $m$, find $x$ s.t. $a \cdot x \equiv 1 \pmod{m}$.

Should also find a $k$, s.t. $ax = 1 + km$.
So solve for an $s$ in an equation $sa + tm = 1$.

This can be done if $\gcd(a, m) = 1$.
Just use the Extended Euclidean Algorithm.

Examples

Calculate the following:

1. $\gcd(6, 9)$
2. $s$ and $t$ such that $s \cdot 6 + t \cdot 9 = \gcd(6, 9)$
3. $\gcd(15, 23)$
4. $s$ and $t$ such that $s \cdot 15 + t \cdot 23 = \gcd(15, 23)$

Primality testing

We need to find: $p_A, q_A$ — large primes.

Choose numbers at random and check if they are prime?

Questions

1. How many random integers of length 154 are prime?
About $\frac{x}{\ln x}$ numbers
$10^{154}$

Method 1

Sieve of Eratosthenes:
Lists:

    2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
    3 5 7 9 11 13 15 17 19
    5 7 11 13 17 19
    7 11 13 17 19

$10^{154}$ — more than number of atoms in universe
So we cannot even write out this list!

Method 2

CheckPrime(n)
    for i = 2 to n − 1 do
        check if i divides n
        if it does then output i
    endfor
    output -1 if divisor not found

Check all possible divisors between 2 and $n$ (or $\sqrt{n}$).
Our sun will die before we’re done!

Examples of groups

$\mathbb{Z}$, $\Re$ — sets
$+$, $\cdot$ — operations

$\mathbb{Z}_n = \{0, 1, ..., n - 1\}$ — integers modulo $n$
$a + b \equiv a + b \pmod{n}$ — addition operation

$a \pmod{n}$ = remainder when $a$ is divided by $n$
$4 + 3 = k \cdot 5 + 2$
$4 + 3 \equiv 2 \pmod{5}$

$a \cdot b \equiv a \cdot b \pmod{n}$ — multiplication operation
$4 \cdot 3 \equiv 2 \pmod{5}$

Properties:
■ associative
■ commutative
■ identity
■ inverses (for addition)

Multiplicative inverses?

$a \cdot b = 1 + kn$, $n = 15$

    Element   Inverse      Computation
    a = 0     no inverse
    a = 1     1            1 · 1 ≡ 1 (mod 15)
    a = 2     8            2 · 8 ≡ 1 (mod 15)
    a = 3     no inverse
    a = 4     4            4 · 4 ≡ 1 (mod 15)
    a = 5     no inverse
    a = 6     no inverse
    a = 7     13           7 · 13 ≡ 1 (mod 15)
    a = 8     2            8 · 2 ≡ 1 (mod 15)
    a = 11    11           11 · 11 ≡ 1 (mod 15)
    a = 13    7            13 · 7 ≡ 1 (mod 15)
    a = 14    14           14 · 14 ≡ 1 (mod 15)

Multiplicative inverses?

$\mathbb{Z}_n^* = \{x \mid 1 \le x \le n - 1, \gcd(x, n) = 1\}$

gcd — greatest common divisor

Extended Euclidean Algorithm — find inverses

$\mathbb{Z}_n^*$ is the multiplicative group modulo $n$.
The elements in $\mathbb{Z}_n^*$ are relatively prime to $n$.

Examples

Group: set with 1 operation
associative, identity, inverses

Examples:

■ $\mathbb{Z}$, $\Re$ with $+$, not with $\cdot$
■ $\Re_{-0}$ with $\cdot$
■ $\mathbb{Z}_n$ with $+$
■ $\mathbb{Z}_n^*$ with $\cdot$

Definitions

Subgroup: $H \le G$ if $H \subseteq G$ and $H$ is a group.

Examples:

■ Even integers with addition
■ $G = \mathbb{Z}_7^*$, $H = \{1, 2, 4\}$

$|H|$ is the order of $H$.

Theorem. [Lagrange] For a finite group $G$, if $H \le G$, then $|H|$ divides $|G|$.

Rabin–Miller Primality Testing

In practice, use a randomized primality test.

Miller–Rabin primality test:
Starts with Fermat test:

$2^{14} \pmod{15} \equiv 4 \ne 1$.
So 15 is not prime.

Theorem. Suppose $p$ is a prime. Then for all $1 \le a \le p - 1$, $a^{p-1} \pmod{p} = 1$.

Rabin–Miller Primality Test

Fermat test:

Prime(n)
    repeat r times
        Choose random a ∈ Z_n^*
        if a^(n−1) (mod n) ≢ 1 then return(Composite)
    end repeat
    return(Probably Prime)

Carmichael Numbers: Composite $n$. For all $a \in \mathbb{Z}_n^*$, $a^{n-1} \pmod{n} \equiv 1$.
Example: $561 = 3 \cdot 11 \cdot 17$

If $p$ is prime, $\sqrt{1} \pmod{p} = \{1, p - 1\}$.
If $p$ has $> 1$ distinct factors, 1 has at least 4 square roots.
Example: $\sqrt{1} \pmod{15} = \{1, 4, 11, 14\}$

Rabin–Miller Primality Test

Taking square roots of 1 (mod 561):

$50^{560} \pmod{561} \equiv 1$
$50^{280} \pmod{561} \equiv 1$
$50^{140} \pmod{561} \equiv 1$
$50^{70} \pmod{561} \equiv 1$
$50^{35} \pmod{561} \equiv 560$

$2^{560} \pmod{561} \equiv 1$
$2^{280} \pmod{561} \equiv 1$
$2^{140} \pmod{561} \equiv 67$

2 is a witness that 561 is composite.

Rabin–Miller Primality Test

Miller–Rabin(n, k)
    Calculate odd m such that n − 1 = 2^s · m
    repeat k times
        Choose random a ∈ Z_n^*
        if a^(n−1) (mod n) ≢ 1 then return(Composite)
        if a^((n−1)/2) (mod n) ≡ n − 1 then break
        if a^((n−1)/2) (mod n) ≢ 1 then return(Composite)
        if a^((n−1)/4) (mod n) ≡ n − 1 then break
        if a^((n−1)/4) (mod n) ≢ 1 then return(Composite)
        ....
        if a^m (mod n) ≡ n − 1 then break
        if a^m (mod n) ≢ 1 then return(Composite)
    end repeat
    return(Probably Prime)

Rabin–Miller Primality Test

Analysis:

Suppose $n$ is composite:
Probability $a$ is not a witness $\le \frac{1}{2}$
Show there exists at least one witness
Show that the set of non-witnesses is a subgroup
Order of subgroup divides order of group, so it’s $\le \frac{1}{2}$ of the group

Probability answer is “Probably Prime” $\le \frac{1}{2^k}$

Conclusions about primality testing

1. Miller–Rabin is a practical primality test
2. There is a less practical deterministic primality test
3. Randomized algorithms are useful in practice
4. Algebra is used in primality testing
5. Number theory is not useless

Why does RSA work?

Thm (The Chinese Remainder Theorem) Let $m_1, m_2, ..., m_k$ be pairwise relatively prime. For any integers $x_1, x_2, ..., x_k$, there exists $x \in \mathbb{Z}$ s.t. $x \equiv x_i \pmod{m_i}$ for $1 \le i \le k$, and this integer is uniquely determined modulo the product $m = m_1 m_2 ... m_k$.

It is also efficiently computable.

CRT Algorithm

For $1 \le i \le k$, find $u_i$ such that
$u_i \equiv 1 \pmod{m_i}$
$u_i \equiv 0 \pmod{m_j}$ for $j \ne i$
Compute $x \equiv \sum_{i=1}^{k} x_i u_i \pmod{m}$.

How do you find each $u_i$?

$u_i \equiv 1 \pmod{m_i}$ $\forall i$
$\Rightarrow \exists$ integers $v_i$ s.t. $u_i + v_i m_i = 1$.
$u_i \equiv 0 \pmod{m_j}$ $\forall j \ne i$
$\Rightarrow \exists$ integers $w_i$ s.t. $u_i = w_i (m/m_i)$.
Thus, $w_i (m/m_i) + v_i m_i = 1$.
Solve for the values $v_i$ and $w_i$ using the Extended Euclidean Algorithm.
(Note that this is where we need that the $m_i$ are pairwise relatively prime.)

After each $w_i$ is found, the corresponding $u_i$ can be calculated.

The existence of the algorithm proves part of the theorem.
What about uniqueness?
Suppose $x$ and $y$ work. Look at $x - y$.

Chinese Remainder Theorem

Example: Let $m_1 = 3$, $m_2 = 5$, and $m_3 = 7$. Suppose
$x_1 \equiv 2 \pmod{3}$
$x_2 \equiv 3 \pmod{5}$
$x_3 \equiv 4 \pmod{7}$

To calculate $u_1$:
$w_1(35) + v_1(3) = 1$
$w_1 = -1$; $v_1 = 12$
$u_1 = (-1)35 \equiv 70 \pmod{105}$

To calculate $u_2$:
$w_2(21) + v_2(5) = 1$
$w_2 = 1$; $v_2 = -4$
$u_2 = (1)21 \equiv 21 \pmod{105}$

To calculate $u_3$:
$w_3(15) + v_3(7) = 1$
$w_3 = 1$; $v_3 = -2$
$u_3 = (1)15 \equiv 15 \pmod{105}$

So we can calculate $x \equiv 2 \cdot 70 + 3 \cdot 21 + 4 \cdot 15 \equiv 53 \pmod{105}$.

Fermat’s Little Theorem

Why does RSA work? CRT +

Fermat’s Little Theorem: $p$ is a prime, $p \nmid a$.
Then $a^{p-1} \equiv 1 \pmod{p}$ and $a^p \equiv a \pmod{p}$.

Correctness of RSA

Consider $x = D_{S_A}(E_{S_A}(m))$.
Note $\exists k$ s.t. $e_A d_A = 1 + k(p_A - 1)(q_A - 1)$.
$x \equiv (m^{e_A} \pmod{N_A})^{d_A} \pmod{N_A} \equiv m^{e_A d_A} \equiv m^{1 + k(p_A - 1)(q_A - 1)} \pmod{N_A}$.

Consider $x \pmod{p_A}$.
$x \equiv m^{1 + k(p_A - 1)(q_A - 1)} \equiv m \cdot (m^{(p_A - 1)})^{k(q_A - 1)} \equiv m \cdot 1^{k(q_A - 1)} \equiv m \pmod{p_A}$.

Consider $x \pmod{q_A}$.
$x \equiv m^{1 + k(p_A - 1)(q_A - 1)} \equiv m \cdot (m^{(q_A - 1)})^{k(p_A - 1)} \equiv m \cdot 1^{k(p_A - 1)} \equiv m \pmod{q_A}$.

Apply the Chinese Remainder Theorem: $\gcd(p_A, q_A) = 1 \Rightarrow x \equiv m \pmod{N_A}$.

So $D_{S_A}(E_{S_A}(m)) = m$.

Digital Signatures with RSA

Suppose Alice wants to sign a document $m$ such that:

■ No one else could forge her signature
■ It is easy for others to verify her signature

Note $m$ has arbitrary length.
RSA is used on fixed length messages.
Alice uses a cryptographically secure hash function $h$, such that:

■ For any message $m'$, $h(m')$ has a fixed length (512 bits?)
■ It is “hard” for anyone to find 2 messages $(m_1, m_2)$ such that $h(m_1) = h(m_2)$.

Digital Signatures with RSA

Then Alice “decrypts” $h(m)$ with her secret RSA key $(N_A, d_A)$

$s = (h(m))^{d_A} \pmod{N_A}$

Bob verifies her signature using her public RSA key $(N_A, e_A)$ and $h$:

$c = s^{e_A} \pmod{N_A}$

He accepts if and only if $h(m) = c$.

This works because $s^{e_A} \pmod{N_A} = ((h(m))^{d_A})^{e_A} \pmod{N_A} = ((h(m))^{e_A})^{d_A} \pmod{N_A} = h(m)$.
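
The Fermat test and Miller–Rabin(n, k) from the primality-testing slides, as an added Python example (not part of the original slides): it shows that the Carmichael number 561 fools the Fermat test for every base in $\mathbb{Z}_{561}^*$ while most bases are Miller–Rabin witnesses, and then finds a random prime by testing random candidates. Drawing bases from 2..n−2 instead of from $\mathbb{Z}_n^*$ and the helper names are choices of this sketch.

```python
import math
import random


def is_witness(n, a):
    """True if base a proves that odd n > 2 is composite.

    Follows the slides: check a^(n-1), then a^((n-1)/2), a^((n-1)/4), ...
    down to a^m, where n - 1 = 2^s * m with m odd.
    """
    e = n - 1
    x = pow(a, e, n)
    if x != 1:
        return True              # fails the Fermat test
    while e % 2 == 0:
        e //= 2
        x = pow(a, e, n)
        if x == n - 1:
            return False         # reached -1: the "break" in the pseudocode
        if x != 1:
            return True          # a square root of 1 other than 1 and n - 1
    return False                 # a^m = 1


def miller_rabin(n, k=40, rng=None):
    """False means composite; True means probably prime after k random bases."""
    if n < 2:
        return False
    if n < 4:
        return True              # 2 and 3
    if n % 2 == 0:
        return False
    if rng is None:
        rng = random.SystemRandom()      # OS randomness, suitable for key generation
    for _ in range(k):
        a = rng.randrange(2, n - 1)      # a base sharing a factor with n is a witness too
        if is_witness(n, a):
            return False
    return True


def liar_counts(n):
    """For odd composite n: (|Z_n^*|, bases passing Fermat, non-witnesses)."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    fermat_liars = [a for a in units if pow(a, n - 1, n) == 1]
    non_witnesses = [a for a in units if not is_witness(n, a)]
    return len(units), fermat_liars, non_witnesses


def random_prime(bits, rng=None, rounds=40):
    """Choose random odd numbers with the top bit set until one passes the test."""
    if rng is None:
        rng = random.SystemRandom()
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(candidate, rounds, rng):
            return candidate


if __name__ == "__main__":
    units, fermat_liars, non_witnesses = liar_counts(561)
    print("|Z_561^*| =", units)
    print("bases passing the Fermat test:", len(fermat_liars))
    print("Miller-Rabin non-witnesses:", non_witnesses)
    print("2 is a witness:", is_witness(561, 2), " 50 is a witness:", is_witness(561, 50))
    print("random 512-bit probable prime:", random_prime(512))
```
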
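
The Extended Euclidean Algorithm, the CRT Algorithm and the correctness argument from the slides above, as one added Python example (not part of the original slides): it finds $d_A$ from $e_A$, reproduces the $u_i$ values of the CRT example, and checks $D(E(m)) = m$ for every $m$ with the slides' toy keys. Function names are chosen for this sketch.

```python
def extended_euclid(a, b):
    """Return (d, s, t) with s*a + t*b = d = gcd(a, b) for non-negative a, b.

    Same bookkeeping as the slides: the s_n, t_n are kept unsigned and the
    signs are restored at the end from the parity of n.
    """
    d_prev, d_cur = b, a          # d_0, d_1
    s_prev, s_cur = 0, 1          # s_0, s_1
    t_prev, t_cur = 1, 0          # t_0, t_1
    n = 1
    while d_cur > 0:
        n += 1
        q = d_prev // d_cur
        d_prev, d_cur = d_cur, d_prev - q * d_cur
        s_prev, s_cur = s_cur, q * s_cur + s_prev
        t_prev, t_cur = t_cur, q * t_cur + t_prev
    # Here d_cur = d_n = 0 and the *_prev values hold index n - 1.
    return d_prev, (-1) ** n * s_prev, (-1) ** (n - 1) * t_prev


def mod_inverse(a, m):
    """Solve a*x = 1 (mod m); possible only when gcd(a, m) = 1."""
    d, s, _ = extended_euclid(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m


def crt(residues, moduli):
    """CRT Algorithm: return (x, [u_1, ..., u_k]) with x = x_i (mod m_i)."""
    m = 1
    for m_i in moduli:
        m *= m_i
    x, us = 0, []
    for x_i, m_i in zip(residues, moduli):
        big = m // m_i
        d, w, _v = extended_euclid(big, m_i)      # w*(m/m_i) + v*m_i = 1
        if d != 1:
            raise ValueError("moduli are not pairwise relatively prime")
        u = (w * big) % m
        us.append(u)
        x += x_i * u
    return x % m, us


def rsa_keypair(p, q, e):
    """Return (PK, SK) = ((N, e), (N, d)) with e*d = 1 (mod (p-1)(q-1))."""
    n = p * q
    return (n, e), (n, mod_inverse(e, (p - 1) * (q - 1)))


def round_trips(p, q, e):
    """Check D(E(m)) = m for every m in 0..N-1, including m not coprime to N."""
    (n, _), (_, d) = rsa_keypair(p, q, e)
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))


if __name__ == "__main__":
    print("gcd(6, 9), s, t   =", extended_euclid(6, 9))
    print("gcd(15, 23), s, t =", extended_euclid(15, 23))
    print("keys for p=5, q=11, e=3:", rsa_keypair(5, 11, 3))
    print("keys for N=35, e=11:    ", rsa_keypair(5, 7, 11))
    print("CRT example:", crt([2, 3, 4], [3, 5, 7]))
    print("D(E(m)) = m for all m mod 55:", round_trips(5, 11, 3))
```

RSA as written on these slides applies the exponentiation directly to the message or hash; deployed systems add a padding scheme such as OAEP for encryption and PSS for signatures.
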