RSA and Primality Testing

Joan Boyar, IMADA, University of Southern Denmark

Studieretningsprojekter 2010

1 / 81 Outline

Outline Symmetric key ■ Symmetric key cryptography Public key Number theory ■ RSA Public key cryptography RSA Modular ■ exponentiation Introduction to number theory RSA RSA ■ RSA Greatest common divisor Primality testing ■ Modular exponentiation Correctness of RSA Digital signatures ■ Greatest common divisor

■ Primality testing

■ Correctness of RSA

■ Digital signatures with RSA

2 / 81 Caesar cipher

Outline Symmetric key Public key Number theory A B C D E F G H I J K L M N O RSA 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 RSA Modular D E F G H I J K L M N O P Q R exponentiation RSA 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 RSA Greatest common divisor Primality testing P Q R S T U V W X Y Z Æ Ø Å Correctness of RSA Digital signatures 15 16 17 18 19 20 21 22 23 24 25 26 27 28 S T U V W X Y Z Æ Ø Å A B C 18 19 20 21 22 23 24 25 26 27 28 0 1 2

E(m)= m + 3(mod 29)

3 / 81 Symmetric key systems

Outline Suppose the following was encrypted using a Caesar cipher and the Symmetric key Public key Danish alphabet. The key is unknown. What does it say? Number theory RSA RSA Modular exponentiation RSA ZQOØQOØ, RI. RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

4 / 81 Symmetric key systems

5 / 81 Symmetric key systems

Outline Symmetric key ■ Caesar Cipher Public key Number theory ■ RSA RSA Modular ■ exponentiation RSA RSA ■ Enigma Greatest common divisor Primality testing ■ DES Correctness of RSA Digital signatures ■ Blowﬁsh

■ IDEA

■ Triple DES

■ AES

6 / 81 Public key cryptography

Outline Bob — 2 keys -PK ,SK Symmetric key B B Public key Number theory PK — Bob’s public key RSA B RSA SKB — Bob’s private (secret) key Modular exponentiation RSA For Alice to send m to Bob, RSA Greatest common Alice computes: c = E(m, PKB). divisor Primality testing Correctness of RSA To decrypt c, Bob computes: Digital signatures r = D(c, SKB). r = m

It must be “hard” to compute SKB from PKB.

7 / 81 Introduction to Number Theory

Outline Deﬁnition. Suppose a, b ZZ, a> 0. Symmetric key ∈ Public key Suppose c ZZ s.t. b = ac. Then a divides b. Number theory ∃ ∈ a b. RSA | RSA a is a factor of b. Modular exponentiation b is a multiple of a. RSA RSA e f means e does not divide f. Greatest common | divisor Primality testing Theorem. a, b, c ZZ. Then Correctness of RSA ∈ Digital signatures 1. if a b and a c, then a (b + c) | | | 2. if a b, then a bc c ZZ | | ∀ ∈ 3. if a b and b c, then a c. | | |

8 / 81 Outline Deﬁnition. p ZZ, p> 1. Symmetric key ∈ Public key p is prime if 1 and p are the only positive integers which divide p. Number theory RSA 2, 3, 5, 7, 11, 13, 17,... RSA p is composite if it is not prime. Modular exponentiation 4, 6, 8, 9, 10, 12, 14, 15, 16,... RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

9 / 81 Outline Theorem. a ZZ, d IN Symmetric key ∈ ∈ Public key unique q,r, 0 r

10 / 81 Outline Deﬁnition. a b (mod m) — a is congruent to b modulo m Symmetric key ≡ Public key if m (a b). Number theory | − RSA RSA m (a b) k ZZ s.t. a = b + km. Modular | − ⇒ ∃ ∈ exponentiation RSA Theorem. a b (mod m) c d (mod m) RSA ≡ ≡ Greatest common Then a + c b + d (mod m) and ac bd (mod m). divisor ≡ ≡ Primality testing Correctness of RSA Digital signatures Proof.(of ﬁrst) k ,k s.t. ∃ 1 2 a = b + k1m c = d + k2m a + c = b + k1m + d + k2m = b + d +(k1 + k2)m

11 / 81 Outline Deﬁnition. a b (mod m) — a is congruent to b modulo m Symmetric key ≡ Public key if m (a b). Number theory | − RSA RSA m (a b) k ZZ s.t. a = b + km. Modular | − ⇒ ∃ ∈ exponentiation RSA Examples. RSA Greatest common divisor 1. 15 22 (mod 7)? 15 = 22 (mod 7)? Primality testing ≡ Correctness of RSA Digital signatures 2. 15 1 (mod 7)? 15=1(mod 7)? ≡ 3. 15 37 (mod 7)? 15 = 37 (mod 7)? ≡ 4. 58 22 (mod 9)? 58 = 22 (mod 9)? ≡

12 / 81 RSA — a public key system

Outline NA = pA qA, where pA,qA prime. Symmetric key Public key gcd(eA, (pA 1)(qA 1)) = 1. Number theory − − RSA eA dA 1 (mod (pA 1)(qA 1)). RSA ≡ − − Modular exponentiation ■ PKA =(NA,eA) RSA RSA ■ Greatest common SKA =(NA,dA) divisor Primality testing eA Correctness of RSA To encrypt: c = E(m, PKA)= m (mod NA). Digital signatures dA To decrypt: r = D(c, PKA)= c (mod NA). r = m.

13 / 81 RSA — a public key system

Example: p = 5, q = 11, e = 3, d = 27, m = 8. Then N = 55. e d = 81. So e d =1(mod 4 10). To encrypt m: c = 83 (mod 55) = 17. To decrypt c: r = 1727 (mod 55) = 8.

14 / 81 Security of RSA

Outline The primes p and q are kept secret with d . Symmetric key A A A Public key Number theory Suppose Eve can factor N . RSA A RSA Modular exponentiation Then she can ﬁnd pA and qA. RSA From them and eA, she ﬁnds dA. RSA Greatest common divisor Primality testing Then she can decrypt just like Alice. Correctness of RSA Digital signatures Factoring must be hard!

15 / 81 Factoring

Outline Symmetric key Theorem. N composite N has a prime divisor √N Public key ⇒ ≤ Number theory RSA RSA Factor(n) Modular exponentiation RSA for i = 2 to √n do RSA Greatest common check if i divides n divisor if it does then output (i,n/i) Primality testing Correctness of RSA endfor Digital signatures output -1 if divisor not found

Corollary There is an algorithm for factoring N (or testing primality) which does O(√N) tests of divisibility.

16 / 81 Factoring

Outline Symmetric key Check all possible divisors between 2 and √n. Public key Not ﬁnished in your grandchildren’s life time for n with 1024 bits. Number theory RSA RSA Problem The length of the input is n = log2(N + 1) . So the Modular n/2 ⌈ ⌉ exponentiation running time is O(2 ) — exponential. RSA RSA Greatest common Open Problem Does there exist a polynomial time factoring divisor Primality testing algorithm? Correctness of RSA Digital signatures Use primes which are at least 512 (or 1024) bits long. So 2511 p ,q < 2512. ≤ A A So p 10154. A ≈

17 / 81 RSA

Outline How do we implement RSA? Symmetric key Public key Number theory We need to ﬁnd: p ,q ,N ,e ,d . RSA A A A A A RSA We need to encrypt and decrypt. Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

18 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory 2 RSA a (mod n) a a (mod n) — 1 modular multiplication RSA ≡ Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

19 / 81 Modular Exponentiation

Outline Theorem. For all nonnegative integers, b, c, m, Symmetric key Public key b c (mod m)=(b (mod m)) (c (mod m)) (mod m). Number theory RSA 2 2 RSA Example: a a (mod n)=(a (mod n))(a (mod n)) (mod n). Modular exponentiation RSA RSA Greatest common divisor 83 (mod 55) = 8 82 (mod 55) Primality testing Correctness of RSA = 8 64 (mod 55) Digital signatures = 8 (9+55) (mod 55) = 72 + (8 55) (mod 55) = 17 + 55 + (8 55) (mod 55) = 17

20 / 81 RSA — encryption/decryption

21 / 81 RSA — encryption/decryption

22 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ exponentiation Guess: k 1 modular multiplications. RSA − RSA Greatest common divisor This is too many! Primality testing eA dA 1 (mod (pA 1)(qA 1)). Correctness of RSA ≡ − − p and q have 512 bits each. Digital signatures A A ≥ So at least one of e and d has 512 bits. A A ≥ To either encrypt or decrypt would need 2511 10154 operations ≥ ≈ (more than number of atoms in the universe).

23 / 81 RSA — encryption/decryption

24 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ 4 exponentiation How do you calculate a (mod n) in less than 3? RSA 4 2 2 RSA a (mod n) (a (mod n)) (mod n) — 2 mod mults Greatest common ≡ divisor Primality testing Correctness of RSA Digital signatures

25 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ 4 exponentiation How do you calculate a (mod n) in less than 3? RSA 4 2 2 RSA a (mod n) (a (mod n)) (mod n) — 2 mod mults Greatest common ≡2s divisor In general: a (mod n)? Primality testing Correctness of RSA Digital signatures

26 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ 4 exponentiation How do you calculate a (mod n) in less than 3? RSA 4 2 2 RSA a (mod n) (a (mod n)) (mod n) — 2 mod mults Greatest common ≡2s 2s s 2 divisor In general: a (mod n)? a (mod n) (a (mod n)) (mod n) Primality testing ≡ Correctness of RSA Digital signatures

27 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ 4 exponentiation How do you calculate a (mod n) in less than 3? RSA a4 (mod n) (a2 (mod n))2 (mod n) — 2 mod mults RSA ≡ Greatest common a2s (mod n) (as (mod n))2 (mod n) divisor ≡ Primality testing In general: a2s+1 (mod n)? Correctness of RSA Digital signatures

28 / 81 RSA — encryption/decryption

Outline k Symmetric key We need to encrypt and decrypt: compute a (mod n). Public key Number theory a2 (mod n) a a (mod n) — 1 modular multiplication RSA ≡ RSA a3 (mod n) a (a a (mod n)) (mod n) — 2 mod mults Modular ≡ 4 exponentiation How do you calculate a (mod n) in less than 3? RSA a4 (mod n) (a2 (mod n))2 (mod n) — 2 mod mults RSA ≡ Greatest common a2s (mod n) (as (mod n))2 (mod n) divisor ≡ Primality testing a2s+1 (mod n) a ((as (mod n))2 (mod n)) (mod n) Correctness of RSA ≡ Digital signatures

29 / 81 Modular Exponentiation

k Outline Exp(a,k,n) {Compute a (mod n) } Symmetric key Public key if k < 0 then report error Number theory RSA if k = 0 then return(1) RSA Modular if k = 1 then return(a (mod n)) exponentiation if k is odd then return(a Exp(a,k 1,n) (mod n)) RSA − RSA if k is even then Greatest common divisor c Exp(a,k/2,n) ← Primality testing return((c c) (mod n)) Correctness of RSA Digital signatures

30 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) ←

31 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7) (mod 7)) ← ←

32 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7)) (mod 7)) c′← Exp(3, 1, 7)← ←

33 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7)) (mod 7)) c′← Exp(3, 1, 7)← 3 ← ←

34 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7)) (mod 7)) c′← Exp(3, 1, 7)← 3 Exp←(3, 2, 7) (mod←7)) 3 3 (mod 7) 2 ← ←

35 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7)) (mod 7)) c′← Exp(3, 1, 7)← 3 Exp←(3, 2, 7) (mod←7)) 3 3 (mod 7) 2 c 3 2 (mod 7) ←6 ← ← ←

36 / 81 Modular Exponentiation

To compute 36 (mod 7): Exp(3, 6, 7) c Exp(3, 3, 7) 3 (Exp(3, 2, 7)) (mod 7)) c′← Exp(3, 1, 7)← 3 Exp←(3, 2, 7) (mod←7)) 3 3 (mod 7) 2 c 3 2 (mod 7) ←6 ← Exp←(3,6, 7) (6 6)← (mod 7) 1 ← ←

37 / 81 Modular Exponentiation

How many modular multiplications?

38 / 81 Modular Exponentiation

How many modular multiplications?

Divide exponent by 2 every other time. How many times can we do that?

39 / 81 Modular Exponentiation

How many modular multiplications?

Divide exponent by 2 every other time. How many times can we do that?

log2(k) ⌊So at most⌋ 2 log (k) modular multiplications. ⌊ 2 ⌋

40 / 81 RSA — a public key system

Try using N = 35, e = 11 to create keys for RSA. What is d? Try d = 11 and check it. Encrypt 4. Decrypt the result.

41 / 81 RSA — a public key system

Try using N = 35, e = 11 to create keys for RSA. What is d? Try d = 11 and check it. Encrypt 4. Decrypt the result. Did you get c = 9? And r = 4?

42 / 81 RSA

43 / 81 Greatest Common Divisor

Outline We need to ﬁnd: e ,d . Symmetric key A A Public key gcd(eA, (pA 1)(qA 1)) = 1. Number theory − − RSA eA dA 1 (mod (pA 1)(qA 1)). RSA ≡ − − Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

44 / 81 Greatest Common Divisor

Outline We need to ﬁnd: e ,d . Symmetric key A A Public key gcd(eA, (pA 1)(qA 1)) = 1. Number theory − − e d 1 (mod (p 1)(q 1)). RSA A A ≡ A − A − RSA Choose random eA. Modular exponentiation Check that gcd(eA, (pA 1)(qA 1)) = 1. RSA − − RSA Find dA such that eA dA 1 (mod (pA 1)(qA 1)). Greatest common ≡ − − divisor Primality testing Correctness of RSA Digital signatures

45 / 81 The Extended Euclidean Algorithm

Outline Theorem. a, b IN. s, t ZZ s.t. sa + tb = gcd(a, b). Symmetric key ∈ ∃ ∈ Public key Proof. Let d be the smallest positive integer in Number theory RSA D = xa + yb x,y ZZ . { | ′ ∈ ′ } ′ ′ RSA d D d = x a + y b for some x ,y ZZ. Modular ∈ ⇒ ∈′ ′ exponentiation gcd(a, b) a and gcd(a, b) b, so gcd(a, b) x a, gcd(a, b) y b, and RSA | ′ ′ | | | RSA gcd(a, b) (x a + y b)= d. We will show that d gcd(a, b), so Greatest common | | d = gcd(a, b). Note a D. divisor ∈ Primality testing Suppose a = dq + r with 0 r

46 / 81 The Extended Euclidean Algorithm

Outline How do you ﬁnd d, s and t? Symmetric key Public key Number theory Let d = gcd(a, b). Write b as b = aq + r with 0 r

47 / 81 The Extended Euclidean Algorithm

Outline { Initialize} Symmetric key Public key d0 b s0 0 t0 1 Number theory ← ← ← d a s 1 t 0 RSA 1 ← 1 ← 1 ← RSA n 1 Modular ← exponentiation { Compute next d} RSA RSA while dn > 0 do Greatest common divisor begin Primality testing n n + 1 Correctness of RSA ← Digital signatures { Compute d d − (mod d − )} n ← n 2 n 1 q d − /d − n ←⌊ n 2 n 1⌋ d d − q d − n ← n 2 − n n 1 s q s − + s − n ← n n 1 n 2 tn qntn−1 + tn−2 end ← − s ( 1)ns − t ( 1)n 1t − ← − n 1 ← − n 1 gcd(a, b) d − ← n 1 48 / 81 The Extended Euclidean Algorithm

Outline Finding multiplicative inverses modulo m: Symmetric key Public key Number theory Given a and m, ﬁnd x s.t. a x 1 (mod m). RSA ≡ RSA Modular exponentiation Should also ﬁnd a k, s.t. ax =1+ km. RSA So solve for an s in an equation sa + tm = 1. RSA Greatest common divisor Primality testing This can be done if gcd(a,m) = 1. Correctness of RSA Just use the Extended Euclidean Algorithm. Digital signatures

49 / 81 Examples

Outline Calculate the following: Symmetric key Public key Number theory 1. gcd(6, 9) RSA RSA Modular 2. s and t such that s 6+ t 9= gcd(6, 9) exponentiation RSA RSA 3. gcd(15, 23) Greatest common divisor Primality testing 4. s and t such that s 15 + t 23 = gcd(15, 23) Correctness of RSA Digital signatures

50 / 81 RSA

51 / 81 Primality testing

Outline We need to ﬁnd: p ,q — large primes. Symmetric key A A Public key Number theory Choose numbers at random and check if they are prime? RSA RSA Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

52 / 81 Questions

Outline Symmetric key Public key 1. How many random integers of length 154 are prime? Number theory RSA RSA Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

53 / 81 Questions

Outline Symmetric key Public key 1. How many random integers of length 154 are prime? Number theory RSA x 10154 RSA About ln x numbers

54 / 81 Questions

Outline Symmetric key Public key 1. How many random integers of length 154 are prime? Number theory RSA x 10154 RSA About ln x numbers

55 / 81 Questions

Outline Symmetric key Public key 1. How many random integers of length 154 are prime? Number theory RSA x 10154 RSA About ln x numbers

56 / 81 Method 1

Outline Sieve of Eratosthenes: Symmetric key Public key Lists: Number theory RSA RSA 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 Modular exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

57 / 81 Method 1

58 / 81 Method 1

Outline Symmetric key Public key Sieve of Eratosthenes: Number theory Lists: RSA RSA Modular 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 exponentiation RSA 3 5 7 9 11 13 15 17 19 RSA Greatest common 5 7 11 13 17 19 divisor Primality testing Correctness of RSA Digital signatures

59 / 81 Method 1

60 / 81 Method 2

Outline Symmetric key Public key CheckPrime(n) Number theory RSA for i = 2 to n 1 do RSA − Modular check if i divides n exponentiation RSA if it does then output i RSA Greatest common endfor divisor output -1 if divisor not found Primality testing Correctness of RSA Digital signatures

Check all possible divisors between 2 and n (or √n). Our sun will die before we’re done!

61 / 81 Examples of groups

Outline Symmetric key ZZ, — sets Public key ℜ Number theory +, — operations RSA RSA Modular ZZ = 0, 1,...,n 1 — integers modulo n exponentiation n { − } RSA a + b a + b (mod n) — addition operation RSA ≡ Greatest common divisor Primality testing a (mod n) = remainder when a is divided by n Correctness of RSA 4+3= k 5 + 2 Digital signatures 4 + 3 2 (mod 5) ≡

62 / 81 Examples of groups

Outline ZZ, — sets Symmetric key ℜ Public key +, — operations Number theory RSA RSA ZZn = 0, 1,...,n 1 — integers modulo n Modular { − } exponentiation a + b a + b (mod n) — addition operation ≡ RSA 4 + 3 2 (mod 5) RSA ≡ Greatest common a b a b (mod n) — multiplication operation divisor ≡ Primality testing 4 3 2 (mod 5) Correctness of RSA ≡ Digital signatures Properties:

■ associative

■ commutative

■ identity

■ inverses (for addition) 63 / 81 Multiplicative inverses?

Outline Symmetric key a b =1+ kn n = 15 Public key Number theory RSA RSA Element Inverse Computation Modular exponentiation a = 0 no inverse RSA a =1 1 1 1 1 (mod 15) RSA ≡ Greatest common a =2 8 2 8 1 (mod 15) divisor ≡ Primality testing a = 3 no inverse Correctness of RSA a =4 4 4 4 1 (mod 15) Digital signatures ≡ a = 5 no inverse a = 6 no inverse a = 7 13 7 13 1 (mod 15) ≡ a =8 2 8 2 1 (mod 15) ≡ a = 11 11 11 11 1 (mod 15) ≡ a = 13 7 13 7 1 (mod 15) ≡ a = 14 14 14 14 1 (mod 15) ≡

64 / 81 Multiplicative inverses?

Outline ∗ Symmetric key ZZn = x 1 x n 1, gcd(x,n) = 1 Public key { | ≤ ≤ − } Number theory RSA RSA gcd — greatest common divisor Modular exponentiation RSA Extended Euclidean Algorithm — ﬁnd inverses RSA Greatest common divisor ∗ ZZn is the multiplicative group modulo n. Primality testing ∗ Correctness of RSA The elements in ZZn are relatively prime to n. Digital signatures

65 / 81 Examples

Outline Group: set with 1 operation Symmetric key Public key associative, identity, inverses Number theory RSA RSA Examples: Modular exponentiation RSA ■ ZZ, with +, not with RSA ℜ Greatest common −0 divisor ■ with Primality testing ℜ Correctness of RSA ■ Digital signatures ZZn with + ■ ZZ∗ with n

66 / 81 Deﬁnitions

Outline Subgroup: H G if H G and H is a group. Symmetric key ≤ ⊆ Public key Number theory Examples: RSA RSA Modular ■ Even integers with addition exponentiation RSA ■ ∗ RSA G = ZZ7 , H = 1, 2, 4 Greatest common { } divisor Primality testing Correctness of RSA H is the order of H. Digital signatures | | Theorem. [La Grange] For a ﬁnite group G, if H G, then H ≤ | | divides G . | |

67 / 81 Rabin–Miller Primality Testing

Outline In practice, use a randomized primality test. Symmetric key Public key Number theory Miller–Rabin primality test: RSA RSA Starts with Fermat test: Modular exponentiation RSA 214 (mod 15) 4 = 1. RSA ≡ Greatest common So 15 is not prime. divisor Primality testing Correctness of RSA Theorem. Suppose p is a prime. Then for all 1 a p 1, Digital signatures − ≤ ≤ − ap 1 (mod p) = 1.

68 / 81 Rabin–Miller Primality Test

Outline Fermat test: Symmetric key Public key Prime(n) Number theory RSA repeat r times RSA ∗ Modular Choose random a ZZn exponentiation − ∈ if an 1 (mod n) 1 then return(Composite) RSA ≡ RSA end repeat Greatest common divisor return(Probably Prime) Primality testing ∗ Correctness of RSA Carmichael Numbers Composite n. For all a ZZn, Digital signatures an−1 (mod n) 1. ∈ Example: 561 =≡ 3 11 17 If p is prime, √1 (mod p)= 1,p 1 . If p has > 1 distinct factors, {1 has− at} least 4 square roots. Example: √1 (mod 15) = 1, 4, 11, 14 { }

69 / 81 Rabin–Miller Primality Test

Outline Taking square roots of 1 (mod 561): Symmetric key Public key Number theory 50560 (mod 561) 1 RSA 280 ≡ RSA 50 (mod 561) 1 Modular 140 ≡ exponentiation 50 (mod 561) 1 RSA ≡ 5070 (mod 561) 1 RSA ≡ Greatest common 5035 (mod 561) 560 divisor ≡ Primality testing Correctness of RSA 2560 (mod 561) 1 Digital signatures ≡ 2280 (mod 561) 1 ≡ 2140 (mod 561) 67 ≡ 2 is a witness that 561 is composite.

70 / 81 Rabin–Miller Primality Test

Outline Miller–Rabin(n,k) Symmetric key Public key Calculate odd m such that n 1 = 2s m Number theory − RSA repeat k times RSA ∗ Choose random a ZZn Modular − ∈ exponentiation if an 1 (mod n) 1 then return(Composite) RSA (n−1)/2 ≡ RSA if a (mod n) n 1 then break Greatest common (n−1)/2 ≡ − divisor if a (mod n) 1 then return(Composite) Primality testing (n−1)/4 ≡ Correctness of RSA if a (mod n) n 1 then break − ≡ − Digital signatures if a(n 1)/4 (mod n) 1 then return(Composite) ≡ .... if am (mod n) n 1 then break ≡ − if am (mod n) 1 then return(Composite) end repeat ≡ return(Probably Prime)

71 / 81 Rabin–Miller Primality Test

Outline Analysis: Symmetric key Public key Number theory Suppose n is composite: RSA 1 RSA Probability a is not a witness 2 Modular ≤ exponentiation Show there exists at least one witness RSA RSA Show that the set of non-witnesses is a subgroup Greatest common divisor Order of subgroup divides order of group, Primality testing 1 so it’s 2 of the group Correctness of RSA ≤ Digital signatures

72 / 81 Rabin–Miller Primality Test

73 / 81 Conclusions about primality testing

Outline Symmetric key 1. Miller–Rabin is a practical primality test Public key Number theory RSA 2. There is a less practical deterministic primality test RSA Modular exponentiation 3. Randomized algorithms are useful in practice RSA RSA 4. Algebra is used in primality testing Greatest common divisor Primality testing 5. Number theory is not useless Correctness of RSA Digital signatures

74 / 81 Why does RSA work?

Outline Thm (The Chinese Remainder Theorem) Let m ,m ,...,m be Symmetric key 1 2 k Public key pairwise relatively prime. For any integers x1,x2,...,xk, there exists Number theory x ZZ s.t. x x (mod m ) for 1 i k, and this integer is RSA ∈ ≡ i i ≤ ≤ RSA uniquely determined modulo the product m = m m ...m . Modular 1 2 k exponentiation RSA RSA It is also efficiently computable. Greatest common divisor Primality testing Correctness of RSA CRT Algorithm Digital signatures For 1 i k, find u such that ≤ ≤ i u 1 (mod m ) i ≡ i u 0 (mod m ) for j = i i ≡ j Compute x Pk x u (mod m). ≡ i=1 i i How do you find each ui?

75 / 81 Outline ui 1 (mod mi) i Symmetric key ≡ ∀ Public key integers vi s.t. ui + vimi = 1. Number theory ⇒ ∃ u 0 (mod m ) j = i RSA i ≡ j ∀ RSA integers wi s.t. ui = wi(m/mi). Modular ⇒ ∃ exponentiation Thus, wi(m/mi)+ vimi = 1. RSA RSA Solve for the values vi and wi Greatest common divisor using the Extended Euclidean Algorithm. Primality testing Correctness of RSA Digital signatures (Note that this is where we need that the mi are pairwise relatively prime.) After each wi is found, the corresponding ui can be calculated.

The existence of the algorithm proves part of the theorem. What about uniqueness? Suppose x and y work. Look at x y. −

76 / 81 Chinese Remainder Theorem

Outline Example: Let m = 3, m = 5, and m = 7. Suppose Symmetric key 1 2 3 Public key x1 2 (mod 3) x2 3 (mod 5) x3 4 (mod 7) Number theory ≡ ≡ ≡ RSA RSA To calculate u1: Modular exponentiation w1(35) + v1(3) = 1 RSA w = 1; v = 12 RSA 1 − 1 Greatest common u =( 1)35 70 (mod 105) divisor 1 − ≡ Primality testing Correctness of RSA To calculate u2: Digital signatures w2(21) + v2(5) = 1 w = 1; v = 4 2 2 − u = (1)21 21 (mod 105) 2 ≡ To calculate u3:

w3(15) + v3(7) = 1 w = 1; v = 2 3 3 − u = (1)15 15 (mod 105) 3 ≡ So we can calculate x 2 70 + 3 21 + 4 15 53 (mod 105). ≡ ≡ 77 / 81 Fermat’s Little Theorem

Outline Why does RSA work? CRT + Symmetric key Public key Number theory Fermat’s Little Theorem: p is a prime, p a. RSA p−1 p | RSA Then a 1 (mod p) and a a (mod p). Modular ≡ ≡ exponentiation RSA RSA Greatest common divisor Primality testing Correctness of RSA Digital signatures

78 / 81 Correctness of RSA

Outline Consider x = D (E (m)). Symmetric key SA SA Public key Note k s.t. eAdA =1+ k(pA 1)(qA 1). Number theory ∃ eA dA − −eAdA RSA x (m (mod NA)) (mod NA) m ≡ − − ≡ ≡ RSA m1+k(pA 1)(qA 1) (mod N ). Modular A exponentiation RSA Consider x (mod pA). RSA − − − − − Greatest common x m1+k(pA 1)(qA 1) m (m(pA 1))k(qA 1) m 1k(qA 1) divisor ≡ ≡ ≡ ≡ Primality testing m (mod pA). Correctness of RSA Digital signatures Consider x (mod qA). x m1+k(pA−1)(qA−1) m (m(qA−1))k(pA−1) m 1k(pA−1) ≡ ≡ ≡ ≡ m (mod qA).

Apply the Chinese Remainder Theorem: gcd(p ,q ) = 1, x m (mod N ). A A ⇒ ≡ A So DSA (ESA (m)) = m.

79 / 81 Digital Signatures with RSA

Outline Suppose Alice wants to sign a document m such that: Symmetric key Public key Number theory ■ No one else could forge her signature RSA RSA Modular ■ It is easy for others to verify her signature exponentiation RSA RSA Note m has arbitrary length. Greatest common divisor RSA is used on ﬁxed length messages. Primality testing Alice uses a cryptographically secure hash function h, such that: Correctness of RSA Digital signatures ■ For any message m′, h(m′) has a ﬁxed length (512 bits?)

■ It is “hard” for anyone to ﬁnd 2 messages (m1,m2) such that h(m1)= h(m2).

80 / 81 Digital Signatures with RSA

Outline Then Alice “decrypts” h(m) with her secret RSA key (N ,d ) Symmetric key A A Public key Number theory dA s =(h(m)) (mod NA) RSA RSA Modular exponentiation RSA Bob veriﬁes her signature using her public RSA key (NA,eA) and h: RSA Greatest common eA divisor c = s (mod NA) Primality testing Correctness of RSA Digital signatures He accepts if and only if h(m)= c . eA This works because s (mod NA)=

dA eA eA dA ((h(m)) ) (mod NA)=((h(m)) ) (mod NA)= h(m).

81 / 81