
Public Key Cryptography 2

RSA

Lemma 1

Let s and t be relatively prime. Then $U(st) \approx U(s) \oplus U(t)$.

Proof: Let $\varphi : U(st) \to U(s) \oplus U(t)$ be given by $\varphi(x) = (x \bmod s,\ x \bmod t)$.

First we show that $\varphi$ actually maps $U(st)$ to $U(s) \oplus U(t)$. Then we show $\varphi$ is an isomorphism.

Example

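Let $s = 8$, $t = 15$, so that $st = 120$.

$\varphi(83) = (83 \bmod 8,\ 83 \bmod 15) = (3, 8)$

$\varphi(29) = (29 \bmod 8,\ 29 \bmod 15) = (5, 14)$

$\varphi(83 \cdot 29) = \varphi(7) = (7, 7) = (3 \cdot 5 \bmod 8,\ 8 \cdot 14 \bmod 15) = \varphi(83) \cdot \varphi(29)$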

Choose any $x$ in $U(st)$. Then $\gcd(x, st) = 1$. There exist integers $a$, $b$ with $ax + bst = 1$. Then 1 is a linear combination of $x$ and $s$, so $\gcd(x, s) = 1$. Hence $x \bmod s$ is in $U(s)$. Similarly $x \bmod t$ is in $U(t)$.

$\varphi : U(st) \to U(s) \oplus U(t)$ is one-to-one

Suppose $\varphi(x) = \varphi(y)$ where $0 \le x \le y < st$. Then $(x \bmod s,\ x \bmod t) = (y \bmod s,\ y \bmod t)$. So $x \bmod s = y \bmod s$ and $x \bmod t = y \bmod t$. Hence $s$ and $t$ both divide $y - x$. But $s$, $t$ are relatively prime, so $st$ divides $y - x$ as well. Also $0 \le y - x < st$, so $y - x = 0$. It follows that $\varphi$ is one-to-one.

$\varphi$ is onto

Choose any $(x_s, x_t)$ in $U(s) \oplus U(t)$. There exist integers $a$, $b$ with $as + bt = 1$. Let $x = (bt\,x_s + as\,x_t) \bmod st$. In a moment, we will show that $x$ is in $U(st)$, that is, $\gcd(x, st) = 1$. Then $x = bt\,x_s + as\,x_t + stn$ for some $n$. So

$x \bmod s = (1 \cdot x_s + 0 \cdot x_t + 0 \cdot n) \bmod s = x_s$

$x \bmod t = (0 \cdot x_s + 1 \cdot x_t + 0 \cdot n) \bmod t = x_t$

So $\varphi(x) = (x_s, x_t)$, and $\varphi$ is onto.

Example: The inverse of $\varphi(x) = (x \bmod 8,\ x \bmod 15)$

Suppose $\varphi(x) = (3, 8)$. Find $x$.

First write $2 \cdot 8 + (-1) \cdot 15 = 1$.

Then $x = (-1 \cdot 15)(3) + (2 \cdot 8)(8) = -45 + 128 = 83$.

To show $\gcd(x, st) = 1$:

Given $x_s$ in $U(s)$, $x_t$ in $U(t)$, $x = (bt\,x_s + as\,x_t)$ where $as + bt = 1$. Set $y = (bt\,x_s^{-1} + as\,x_t^{-1})$.

Now $xy = (bt\,x_s + as\,x_t)(bt\,x_s^{-1} + as\,x_t^{-1})$, so

$xy \bmod s = (1 \cdot x_s + 0)(1 \cdot x_s^{-1} + 0) \bmod s = 1$.

$xy \bmod t = (0 + 1 \cdot x_t)(0 + 1 \cdot x_t^{-1}) \bmod t = 1$.

Now $s \mid xy - 1$, $t \mid xy - 1$, and $\gcd(s, t) = 1$ implies $st \mid xy - 1$, so $xy \bmod st = 1$. Hence $x$ and $st$ are relatively prime.

$\varphi$ is Operation Preserving

$\varphi(x)\varphi(y) = (x \bmod s,\ x \bmod t)(y \bmod s,\ y \bmod t) = (xy \bmod s,\ xy \bmod t) = \varphi(xy)$

Since $\varphi$ is one-to-one, onto, and operation preserving, $\varphi$ is an isomorphism.

Therefore, $U(st) \approx U(s) \oplus U(t)$.

Theorem: (Gauss)

Let $p$ be an odd prime, $n > 0$. Then $U(p^n) \approx Z_{p^n - p^{n-1}}$.

Corollary 1. For odd prime $p$, $U(p) \approx Z_{p-1}$.

Corollary 2. Let $p$ and $q$ be odd primes. Then $U(pq) \approx Z_{p-1} \oplus Z_{q-1}$.

Proof: $U(pq) \approx U(p) \oplus U(q) \approx Z_{p-1} \oplus Z_{q-1}$

RSA Recipe

Choose (large) odd primes $p$, $q$.

Let $N = p \cdot q$, $m = \mathrm{lcm}(p-1, q-1)$.

Choose $E$ relatively prime to $m$.

Let $D = E^{-1}$ in $U(m)$.

To encode message $M$: $C = M^E \bmod N$.

To decode message $C$: $M = C^D \bmod N$.

Public Key is $E$, $N$.

Private Key is $D$, $N$.

Will RSA work?

$M = \mathrm{lcm}(p-1, q-1) = h(p-1) = k(q-1)$ for some integers $h$, $k$.

$ED + sM = 1$ for some integer $s$.

So $ED \bmod (p-1) = ED \bmod (q-1) = 1$.

Also, isomorphism $\varphi : U(N) \to Z_{p-1} \oplus Z_{q-1}$. Let $\varphi(m) = (a, b)$. Then $\varphi(m^k) = (ka, kb)$.

Will RSA work?

$M = \mathrm{lcm}(p-1, q-1) = h(p-1) = k(q-1)$ for some integers $h$, $k$.

We claim $x^M = 1$ for all $x \in U(N)$.

Let $\varphi : U(N) \to Z_{p-1} \oplus Z_{q-1}$ be an isomorphism. Say $\varphi(x) = (a, b)$. Then

$\varphi(x^M) = (Ma, Mb)$ (operation preserving)

$= (h(p-1)a,\ k(q-1)b) = (0, 0) = \varphi(1)$

So $x^M = 1$ (one-to-one), as required.

Encoding, Decoding are inverses

Recall that $E$ and $D$ are inverses mod $M$. So $ED = 1 + sM$ for some integer $s$.

Let $x$ in $U(N)$ be a message. In $U(N)$, $y = x^E$ is the encrypted message.

The decrypted message is $z = y^D = x^{ED} = x^{1+sM} = x \cdot (x^M)^s = x$.

RSA works!
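The Lemma 1 map and the RSA recipe carried out in Python, as an added example that is not part of the original slides. The function names (the map is called `phi` here) and the toy parameters p = 61, q = 53, E = 17 are constructed for illustration; the block goes slightly beyond the slides by checking x^M = 1 and decryption for every x in U(N).

```python
from math import gcd

def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def units(n):
    """U(n): the integers in [1, n) relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def phi(x, s, t):
    """The Lemma 1 map: x -> (x mod s, x mod t)."""
    return (x % s, x % t)

def phi_inverse(xs, xt, s, t):
    """Invert phi via a*s + b*t = 1, as in the worked example (s=8, t=15)."""
    g, a, b = ext_gcd(s, t)
    if g != 1:
        raise ValueError("s and t must be relatively prime")
    return (b * t * xs + a * s * xt) % (s * t)

def rsa_keys(p, q, E):
    """RSA recipe: N = p*q, M = lcm(p-1, q-1), D = E^-1 in U(M)."""
    N = p * q
    M = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    g, D, _ = ext_gcd(E, M)
    if g != 1:
        raise ValueError("E must be relatively prime to M")
    return N, M, D % M

# Constructed toy parameters, far too small for real use.
P, Q, E = 61, 53, 17
N, M, D = rsa_keys(P, Q, E)

def round_trip_ok():
    """Check x^M = 1 and (x^E)^D = x for every x in U(N)."""
    return all(pow(x, M, N) == 1 and pow(pow(x, E, N), D, N) == x
               for x in units(N))

if __name__ == "__main__":
    print(phi(83, 8, 15), phi_inverse(3, 8, 8, 15))  # Lemma 1 example
    print("N, M, D =", (N, M, D), "round trip:", round_trip_ok())
```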

How to break RSA

Everyone is given $E$, $N$.

Factor $N$ into $p \cdot q$. Note $p$ and $q$ are large.

Let $M = \mathrm{lcm}(p-1, q-1) = \dfrac{(p-1)(q-1)}{\gcd(p-1, q-1)}$.

Let $D = E^{-1} \bmod M$ (Euclidean Algorithm).