240 likes | 709 Views
Theory behind RSA. by Mehmet Gunes. Introduction. Objective: To understand how the RSA algorithm works. To review the number theory behind the RSA algorithm. RSA Algorithm Elementary Number Theory Greatest Common Divisor Modular Arithmetic Fermat’s Little Theorem Euler’s Identity
E N D
Theory behind RSA by Mehmet Gunes
Introduction • Objective: • To understand how the RSA algorithm works. • To review the number theory behind the RSA algorithm. • RSA Algorithm • Elementary Number Theory • Greatest Common Divisor • Modular Arithmetic • Fermat’s Little Theorem • Euler’s Identity • Analyzing RSA
Rivest, Shamir, Adelman (RSA) • Choose 2 large prime numbers, p and q • Compute n=p*q and z=(p-1)*(q-1) • Choose d, relatively prime to z • Find e, such that e*d=1 mod z (e*d mod z = 1) • This produces Public key (n, e) and Private key (n, d), the two keys that are used in the Encoding and Decoding.
d e m = c mod n c = m mod n Magic happens! d e m = (m mod n) mod n RSA: Encryption, decryption Given (n,e) and (n,d) as computed above To encrypt bit pattern, m, compute e (remainder when m is divided by n) To decrypt received bit pattern, c, compute d (remainder when c is divided by n)
P=7; q=11 n=77; z=60 d=13; e= 37; k=6 Test message = CAT Using A=1, etc and 5-bit representation: 00011 00001 10100 Since k=6, regroup the bits (arrange right to left so that any padding needed will put 0's on the left and not change the value. 3 leading zeros added to fill the block): 000000 110000 110100 decimal equivalent:0 48 52 Each raised to the power 37 mod 77:0 27 24 Each raised to the power 13 mod 77: 0 48 52 Example
Elementary Number Theory • Given positive integers a and b: a | b indicates that a divides b or b is a multiple of a. Then, there is some integer k, such that b = a*k • Properties • a | b andb | c a | c • a | b and a | c a | ( i*b + j*c ) integers i and j • a | b and b | a a = b or a = -b
Elementary Number Theory • An integer p is said to be prime if p ≥ 2 and its only divisors are 1 and p. • If p is prime and d | p then either d = 1 or d = p. • An integer greater than 2 that is not prime is said to be composite. Eg. Prime: 5, 11, 101, 98711 Composite: 25, 10403 (=101*103) Theorem: Let n > 1 be an integer. Then there is a unique set of prime numbers {p1,…pk} and positive integer exponents {e1,…ek}, such that n = p1e1··· pkek (prime decomposition)
Elementary Number Theory • Euclid: There are infinitely many primes. • Proof. If not, list them out: p1, p2, …, pk Then p1* p2 *… *pk+1 is 1 greater than a multiple of p1, p2, …, pk, so must be divisible by a prime not on the list. • The largest known prime is 213,466,917-1, which has 4,053,946 digits • Primality: Simply start checking for divisibility by 2, 3, 4, 5, 6, 7, … A number n is prime if it isn’t divisible by any number up to n • Determining whether a number is prime is a much easier question than factoring it.
The Greatest Common Divisor (GCD) • gcd (a,b) is the largest integer that divides both a and b. gcd (a,b) = c such that if d | a and d | b then d | c • If gcd (a,b) = 1, then a and b are relatively prime. • Properties • gcd (a, 0) = gcd (0, a) = a • gcd (a, b) = gcd (|a|, |b|) • gcd (a, b) = gcd (b, a−rb)
Modular Arithmetic (Zn) • Definition: a b (mod n) n | (b - a) Alternatively, a = qn + b • Properties • a a (mod n) [Reflexive] • a b (mod n) b a (mod n) [Symmetric] • a b (mod n) and b c (mod n) a c (mod n) [Transitive]
Modular Arithmetic (Zn) • Definition: An equivalence class mod n [a] = { x: x a (mod n)} = { a + qn | q Z} • Representation of Zn (Positive Representation) : Choose the smallest positive integer in the class [a] then the representation is {0,1,…,n-1}. • Corollary: Let x > 0 be an element of Zn such that gcd (x, n) = 1. Then Zn = {i·x : i = 0, 1, …, n-1}
Modular Arithmetic (Zn) It is possible to perform arithmetic with equivalence classes mod n. • [a] + [b] = [a+b] • [a] * [b] = [a*b] If you replace a and b by numbers equivalent to a or b mod n you end of with the sum/product being in the same equivalence class. • a1 a2 (mod n) and b1 b2 (mod n) a1+ b1 a2 + b2 (mod n) • a1* b1 a2 * b2 (mod n) • (a + q1n) + (b + q2n) = a + b + (q1 + q2)n • (a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n
Euclid’s GCD algorithm EuclidGCD (a,b): if b = 0 then return a return EuclidGCD (b, a mod b) Eg. gcd (412, 260)
Extended Euclid algorithm ExtendedEuclidGCD (a,b): if b = 0 then return (a,1,0) q = a mod b Let r be the integer such that a = r·b+q (d,k,l) = ExtendedEuclidGCD(b,q) return EuclidGCD (d, l, k-l·r) Eg. ExtendedEuclidGCD (412, 260) (d,i,j) such that d = gcd (a,b) = i*a+j*b
Modular Inverses • Definition: • x is the additive inverse of a mod n, if a+x 0 (mod n) • x is the multiplicative inverse of a mod n, if a*x 1 (mod n) • Theorem: The equation a*x 1 (mod n) has a solution iff gcd (a,n) = 1. • Proof: By the Extended Euclidean Algorithm, there exist x and y such that ax + ny = gcd (a,n). When gcd (a,n) = 1, we get a*x + n*y = 1. Taking this equation mod n, we see that a*x 1 (mod n)
Fermat’s Little Theorem Theorem: Let p be a prime and x be an integer such that x mod p 0. Then xp-1 1 (mod p). More generally, if x Zp, then xp x (mod p). Proof: Assume that 0 < x < p and x mod p 0, then {1,2,…p-1} {x·1, x ·2, …x(p-1)} [Corollary] 1·2 · · ·(p-1) = (p-1)! (x·1) · (x·2) · · · (x·(p-1)) (p-1)! (mod p) xp-1·(p-1)! (p-1)! (mod p) Since p is prime, every nonnull element in Zp has a multiplicative inverse. Thus, we can cancel (p-1)! Terms from both sides. xp-1 1 (mod p)
Euler phi function • Definition: The number of positive integers less than or equal to n that are relatively prime to n. phi(n) = #{a: 0 < a < n and gcd(a,n) = 1} • Properties: • (p) = p-1, for prime number p. • (p*q) = (p-1)*(q-1) for prime numbers p and q. • (p^e) = (p-1)*p^(e-1) • (m*n) = (m)* (n) for gcd(m,n) = 1. • Eg. • (15) = (3)* (5) = 2*4 = 8. #{1,2,4,7,8,11,13,14} • (9) = (3-1)*3^(2-1) = 2*3 = 6 #{1,2,4,5,7,8}
Euler’s Identity • The number of elements in Zn that have multiplicative inverses is equal to phi(n). • Theorem: Let Zn* be the elements of Zn with inverses. If a Zn*, then a(n) 1 (mod n). • Proof: The same proof presented for Fermat’s theorem can be used to prove this theorem.
Analyzing RSA • The running time of RSA encryption, decryption, signature and verification is simple • Each operation requires a constant number of modular exponentiations that can be performed with FastExponention
Analyzing RSA • Selection of two random primes can be done by testing random integers for primality. • Selection of e can be done by picking random primes less than (n) that does not divide (n). (Small primes i.e. 17 will work) • Computing multiplicative inverse d of e in Z(n) can be done using extended Euclid algorithm.
Analyzing RSA • RSA is based on Fermat’s Little Theorem and depends on being able to find large primes quickly, whereas anyone given the product of two large primes “cannot” factor the number in a reasonable time. • Even if we know e we cannot figure out d unless we know (n). To find (n), we need to factor n. • While there is no proof that factorization is computationally difficult, no easy solution is found yet by famous mathematicians. • However, we are secure unless some technological breakthrough factors 200 digit numbers in feasible time. Even then we only need to choose n with 300 or 400 digits.
References • R.L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, 1978 • “Number Theory and Cryptography” • Jeremy R. Johnson, “Modular Arithmetic and the RSA Public Key Cryptosystem” • George T. Gilbert,“Prime Numbers: A Recent Discovery, Secure Communications, and Million Dollar Prizes” • “RSA Algorithm”, http://www.di-mgt.com.au/rsa_alg.html