RSA, Diffie-Hellman, and the Math Behind Them

Dan Zollers

Fortego U

July 16, 2020

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Dan Zollers

Who am I?

Analyst with Fortego

Studied math in graduate school (UMD)

Play a mean game of Goldeneye (N64)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Dan Zollers

Who am I?

Analyst with Fortego

Studied math in graduate school (UMD)

Play a mean game of Goldeneye (N64)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Dan Zollers

Who am I?

Analyst with Fortego

Studied math in graduate school (UMD)

Play a mean game of Goldeneye (N64)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA and Diffie-Hellman

What is RSA?

An asymmetric cryptographic algorithm often used for keysharing and digital signatures

Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman(and Clifford Cocks!)

Derives security from the difficulty of factoring large numbersinto primes

What is Diffie-Hellman?

A secure key “exchange” algorithm

Co-invented by Whitfield Diffie, Martin Hellman and RalphMerkle

Derives security from the difficulty of solving “Discrete log”problems

But first...

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|aOr that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|aOr that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|a

Or that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|aOr that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|aOr that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

Let a and b be two integers.

b divides a if there is another integer c so that a = bc

We also say b is a divisor of a, or write b|aOr that a is a multiple of b

For any integers a and b, with b > 0, we can write

a = qb + r

where 0 ≤ r < b. (r is called the remainder)

Note that b divides a precisely when r = 0.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

For example, here are all of the (positive) divisors of 42:

1, 2, 3, 6, 7, 14, 21, 42

40 is not divisible by 3, but the remainder when 40 is divided by 3is 1, since 40 = 13 · 3 + 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Division

For example, here are all of the (positive) divisors of 42:

1, 2, 3, 6, 7, 14, 21, 42

40 is not divisible by 3, but the remainder when 40 is divided by 3is 1, since 40 = 13 · 3 + 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b.

Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b. Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b. Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b. Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b. Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Greatest Common Divisor

The greatest common divisor of a and b is the largest integerthat divides both a and b. Example:

gcd(12, 8) = 4

Often denoted gcd(a, b) or just (a, b)

It is always at least 1 since 1 divides every integer

If gcd(a, b) = 1, we say a and b are coprime

Finding all of the divisors of an integer is tedious. Is there a goodway to compute gcd(a, b)?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

Yes! One of the oldest known algorithms!

def euclid(a, b):

""" Euclidean Algorithm """

while b != 0:

a, b = b, a % b

return a

Figure: A Python implementation of the Euclidean Algorithm

Idea: Simultaneously replace a with b and b with the remainder ofa divided by b. When b takes the value 0, the gcd is the value of a.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65)

7→ (65, 39) 7→ (39, 26) 7→ (26, 13) 7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65) 7→ (65, 39)

7→ (39, 26) 7→ (26, 13) 7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65) 7→ (65, 39) 7→ (39, 26)

7→ (26, 13) 7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65) 7→ (65, 39) 7→ (39, 26) 7→ (26, 13)

7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65) 7→ (65, 39) 7→ (39, 26) 7→ (26, 13) 7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

The Euclidean Algorithm

What is gcd(169, 65)?

(169, 65) 7→ (65, 39) 7→ (39, 26) 7→ (26, 13) 7→ (13, 0)

So gcd(169, 65) is 13.

The Python code on the previous slide immediately verifies that

gcd(2500000 − 1, 310000 − 11) = 5

on a modern computer.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

“Chekhov’s Gun”

Theorem (Bezout’s Identity)

Let d = gcd(a, b). Then there are integers x and y such that a

ax + by = d .

aThe quantity ax + by is called a linear combination of a and b.

For example, gcd(17, 5) = 1, and ...

17(−2) + 5(7) = 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

“Chekhov’s Gun”

Theorem (Bezout’s Identity)

Let d = gcd(a, b). Then there are integers x and y such that a

ax + by = d .

aThe quantity ax + by is called a linear combination of a and b.

For example, gcd(17, 5) = 1, and ...

17(−2) + 5(7) = 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular Arithmetic

Let n be a positive integer. We say a is congruent to b “mod” n,and write

a ≡ b (mod n)

if a and b have the same remainder when divided by n.

Or, equivalently, if n|a− b.

If a ≡ b (mod n), then there is some integer k such thatb = a + nk.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular Arithmetic

Let n be a positive integer. We say a is congruent to b “mod” n,and write

a ≡ b (mod n)

if a and b have the same remainder when divided by n.

Or, equivalently, if n|a− b.

If a ≡ b (mod n), then there is some integer k such thatb = a + nk.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular Arithmetic

Let n be a positive integer. We say a is congruent to b “mod” n,and write

a ≡ b (mod n)

if a and b have the same remainder when divided by n.

Or, equivalently, if n|a− b.

If a ≡ b (mod n), then there is some integer k such thatb = a + nk.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExamples

6 ≡ 1 (mod 5)

17 ≡ 10 (mod 7)

250 ≡ 48 (mod 101)

n ≡ 0 (mod n)

Fun fact: for any integers a and b,

(a + b)2 ≡ a2 + b2 (mod 2).

(Can you see why?)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExamples

6 ≡ 1 (mod 5)

17 ≡ 10 (mod 7)

250 ≡ 48 (mod 101)

n ≡ 0 (mod n)

Fun fact: for any integers a and b,

(a + b)2 ≡ a2 + b2 (mod 2).

(Can you see why?)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticProperties

Some happy little properties:

If a ≡ b (mod n), and b ≡ c (mod n), then a ≡ c (mod n).

If a ≡ a′ (mod n) and b ≡ b′ (mod n), then:

a + b ≡ a′ + b′ (mod n)

a− b ≡ a′ − b′ (mod n)

ab ≡ a′b′ (mod n)

ak ≡ a′k (mod n)

Every integer is congruent to exactly one of 0, 1, 2, . . . , n − 1(mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticProperties

Some happy little properties:

If a ≡ b (mod n), and b ≡ c (mod n), then a ≡ c (mod n).

If a ≡ a′ (mod n) and b ≡ b′ (mod n), then:

a + b ≡ a′ + b′ (mod n)

a− b ≡ a′ − b′ (mod n)

ab ≡ a′b′ (mod n)

ak ≡ a′k (mod n)

Every integer is congruent to exactly one of 0, 1, 2, . . . , n − 1(mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticProperties

Some happy little properties:

If a ≡ b (mod n), and b ≡ c (mod n), then a ≡ c (mod n).

If a ≡ a′ (mod n) and b ≡ b′ (mod n), then:

a + b ≡ a′ + b′ (mod n)

a− b ≡ a′ − b′ (mod n)

ab ≡ a′b′ (mod n)

ak ≡ a′k (mod n)

Every integer is congruent to exactly one of 0, 1, 2, . . . , n − 1(mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticProperties

Some happy little properties:

If a ≡ b (mod n), and b ≡ c (mod n), then a ≡ c (mod n).

If a ≡ a′ (mod n) and b ≡ b′ (mod n), then:

a + b ≡ a′ + b′ (mod n)

a− b ≡ a′ − b′ (mod n)

ab ≡ a′b′ (mod n)

ak ≡ a′k (mod n)

Every integer is congruent to exactly one of 0, 1, 2, . . . , n − 1(mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

We say that “a is invertible (mod n)” if there is an integer bsuch that

ab ≡ 1 (mod n).

This b is often denoted by a−1.

For example, 3−1 ≡ 5 (mod 7), since 3 · 5 = 15 has remainder 1when divided by 7.

Not every integer is invertible mod a given n: 3 is not invertiblemod 6. Is there a quick way to tell when an integer is invertible(mod n) ?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

We say that “a is invertible (mod n)” if there is an integer bsuch that

ab ≡ 1 (mod n).

This b is often denoted by a−1.

For example, 3−1 ≡ 5 (mod 7), since 3 · 5 = 15 has remainder 1when divided by 7.

Not every integer is invertible mod a given n: 3 is not invertiblemod 6. Is there a quick way to tell when an integer is invertible(mod n) ?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

We say that “a is invertible (mod n)” if there is an integer bsuch that

ab ≡ 1 (mod n).

This b is often denoted by a−1.

For example, 3−1 ≡ 5 (mod 7), since 3 · 5 = 15 has remainder 1when divided by 7.

Not every integer is invertible mod a given n: 3 is not invertiblemod 6. Is there a quick way to tell when an integer is invertible(mod n) ?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

“a is invertible (mod n)” means that there is an integer x suchthat

ax ≡ 1 (mod n).

In other words, there is a y such that

ax + ny = 1.

Since gcd(a, n) divides the left hand side, it also divides 1, theright hand side, so

gcd(a, n) = 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

“a is invertible (mod n)” means that there is an integer x suchthat

ax ≡ 1 (mod n).

In other words, there is a y such that

ax + ny = 1.

Since gcd(a, n) divides the left hand side, it also divides 1, theright hand side, so

gcd(a, n) = 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

“a is invertible (mod n)” means that there is an integer x suchthat

ax ≡ 1 (mod n).

In other words, there is a y such that

ax + ny = 1.

Since gcd(a, n) divides the left hand side, it also divides 1, theright hand side, so

gcd(a, n) = 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Conversely, if gcd(a, n) = 1, Bezout’s Identity asserts that thereare integers x and y so that ax + ny = 1, and in turn ax ≡ 1(mod n), so a is invertible (mod n).

Upshot: a is invertible (mod n) precisely when a and n arecoprime.

When n = p is prime, then 1, 2, . . . , p − 1 are all invertible(mod p).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Conversely, if gcd(a, n) = 1, Bezout’s Identity asserts that thereare integers x and y so that ax + ny = 1, and in turn ax ≡ 1(mod n), so a is invertible (mod n).

Upshot: a is invertible (mod n) precisely when a and n arecoprime.

When n = p is prime, then 1, 2, . . . , p − 1 are all invertible(mod p).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Conversely, if gcd(a, n) = 1, Bezout’s Identity asserts that thereare integers x and y so that ax + ny = 1, and in turn ax ≡ 1(mod n), so a is invertible (mod n).

Upshot: a is invertible (mod n) precisely when a and n arecoprime.

When n = p is prime, then 1, 2, . . . , p − 1 are all invertible(mod p).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Suppose gcd(a, n) = 1. How do we find a−1 (mod n)?

The Extended Euclidean Algorithm efficiently solves this problem.

Vague Idea: Carry out the Euclidean Algorithm, keeping track ofthe linear combinations of a and n that arise.

This results in x and y such that ax + ny = gcd(a, n). Whengcd(a, n) = 1, we have that

x ≡ a−1 (mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Suppose gcd(a, n) = 1. How do we find a−1 (mod n)?

The Extended Euclidean Algorithm efficiently solves this problem.

Vague Idea: Carry out the Euclidean Algorithm, keeping track ofthe linear combinations of a and n that arise.

This results in x and y such that ax + ny = gcd(a, n). Whengcd(a, n) = 1, we have that

x ≡ a−1 (mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Suppose gcd(a, n) = 1. How do we find a−1 (mod n)?

The Extended Euclidean Algorithm efficiently solves this problem.

Vague Idea: Carry out the Euclidean Algorithm, keeping track ofthe linear combinations of a and n that arise.

This results in x and y such that ax + ny = gcd(a, n). Whengcd(a, n) = 1, we have that

x ≡ a−1 (mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticInversion

Suppose gcd(a, n) = 1. How do we find a−1 (mod n)?

The Extended Euclidean Algorithm efficiently solves this problem.

Vague Idea: Carry out the Euclidean Algorithm, keeping track ofthe linear combinations of a and n that arise.

This results in x and y such that ax + ny = gcd(a, n). Whengcd(a, n) = 1, we have that

x ≡ a−1 (mod n).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1

(r1, r2 = a% r1) a− q2r1 = r2=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2

=⇒ a(q2q1 + 1)− n = r2. . . . . .

(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .

(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

gcd ax + ny

(n, a)

(a, r1 = n% a) n − aq1 = r1(r1, r2 = a% r1) a− q2r1 = r2

=⇒ a− q2(n − aq1) = r2=⇒ a(q2q1 + 1)− n = r2

. . . . . .(rN−1, 1) = 1 ax + ny = 1

Note: Even when gcd(n, a) = d 6= 1, we can use this algorithm tofind x and y so that

ax + ny = d .

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?

(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Modular ArithmeticExtended Euclidean Algorithm

Example: What is 44−1 (mod 113)?(113, 44)

(44, 25) (−2)44 + 113 = 25

(25, 19) 44 + (−1)25 = 19=⇒ 44 + (−1)((−2)44 + 113) = 19=⇒ 3 · 44 + (−1)113 = 19

(19, 6) 25 + (−1)19 = 6=⇒ (−5)44 + 2 · 113 = 6

(6, 1) 19 + (−3)6 = 1=⇒ 18 · 44 + (−7)113 = 1

So 44−1 ≡ 18 (mod 113).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Fermat’s Little Theorem

Theorem

Let p be a prime number. If a is any integer, then

ap ≡ a (mod p).

Further, if gcd(a, p) = 1, then

ap−1 ≡ 1 (mod p).

Example (p = 7, a = 2):

27−1 ≡ 26 ≡ 64 ≡ 1 (mod 7)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Fermat’s Little Theorem

Theorem

Let p be a prime number. If a is any integer, then

ap ≡ a (mod p).

Further, if gcd(a, p) = 1, then

ap−1 ≡ 1 (mod p).

Example (p = 7, a = 2):

27−1 ≡ 26 ≡ 64 ≡ 1 (mod 7)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

To state Euler’s Theorem, we first need to define Euler’s Totientfunction (denoted by ϕ).

Definition

Let n ≥ 1 be an integer. We define ϕ(n) to be the number ofpositive integers less than or equal to n that are coprime to n.(We’ll say 1 is coprime to itself, so ϕ(1) = 1.)

For example, ϕ(12) = 4, as 1, 5, 7 and 11 are the positive integersless than 12 that are also coprime to 12.

Note that if p is prime then

ϕ(p) = p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

To state Euler’s Theorem, we first need to define Euler’s Totientfunction (denoted by ϕ).

Definition

Let n ≥ 1 be an integer. We define ϕ(n) to be the number ofpositive integers less than or equal to n that are coprime to n.(We’ll say 1 is coprime to itself, so ϕ(1) = 1.)

For example, ϕ(12) = 4, as 1, 5, 7 and 11 are the positive integersless than 12 that are also coprime to 12.

Note that if p is prime then

ϕ(p) = p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

To state Euler’s Theorem, we first need to define Euler’s Totientfunction (denoted by ϕ).

Definition

Let n ≥ 1 be an integer. We define ϕ(n) to be the number ofpositive integers less than or equal to n that are coprime to n.(We’ll say 1 is coprime to itself, so ϕ(1) = 1.)

For example, ϕ(12) = 4, as 1, 5, 7 and 11 are the positive integersless than 12 that are also coprime to 12.

Note that if p is prime then

ϕ(p) = p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

It’s not too hard to show further that when p is prime and n ≥ 1,

ϕ(pn) = pn−1(p − 1).

Theorem (The Totient Function is Multiplicative)

If a and b are positive integers with gcd(a, b) = 1, then

ϕ(ab) = ϕ(a)ϕ(b).

This makes computing ϕ(n) easy when we can factor n into primesand prime powers.If p and q are distinct prime numbers, then

ϕ(pq) = (p − 1)(q − 1).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

It’s not too hard to show further that when p is prime and n ≥ 1,

ϕ(pn) = pn−1(p − 1).

Theorem (The Totient Function is Multiplicative)

If a and b are positive integers with gcd(a, b) = 1, then

ϕ(ab) = ϕ(a)ϕ(b).

This makes computing ϕ(n) easy when we can factor n into primesand prime powers.If p and q are distinct prime numbers, then

ϕ(pq) = (p − 1)(q − 1).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s TheoremEuler’s Totient Function

It’s not too hard to show further that when p is prime and n ≥ 1,

ϕ(pn) = pn−1(p − 1).

Theorem (The Totient Function is Multiplicative)

If a and b are positive integers with gcd(a, b) = 1, then

ϕ(ab) = ϕ(a)ϕ(b).

This makes computing ϕ(n) easy when we can factor n into primesand prime powers.If p and q are distinct prime numbers, then

ϕ(pq) = (p − 1)(q − 1).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s Theorem

Theorem (Euler’s Theorem)

Let n ≥ 2 be an integer. If a is an integer coprime to n, then

aϕ(n) ≡ 1 (mod n).

An important consequence: if x ≡ 1 (mod ϕ(n)), then

ax ≡ a (mod n).

Proof:

ax ≡ aϕ(n)k+1 ≡ (aϕ(n))ka ≡ 1ka ≡ a (mod n)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Euler’s Theorem

Theorem (Euler’s Theorem)

Let n ≥ 2 be an integer. If a is an integer coprime to n, then

aϕ(n) ≡ 1 (mod n).

An important consequence: if x ≡ 1 (mod ϕ(n)), then

ax ≡ a (mod n).

Proof:

ax ≡ aϕ(n)k+1 ≡ (aϕ(n))ka ≡ 1ka ≡ a (mod n)

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSAFinally

The process:

Choose M to be some large integer (“The Modulus”)

Find e and d so that ed ≡ 1 (mod ϕ(M)).

By the consequence of Euler’s Theorem,

(me)d = med ≡ m (mod M)

Give anyone you like M and e. Keep d private.

Anyone can encrypt a message m by computing me (mod M).

Only you (?) can decrypt by computing (me)d ≡ m (mod M).

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA

Questions you should ask:

What stops someone else from computing d and ruiningeverything?

What stops someone from computing m from me (mod M)some other way? (“The RSA Problem”)

Unsatisfying answer: we don’t know.The most efficient way we know to do this is to just computed .

How do you “find” e and d?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA

Questions you should ask:

What stops someone else from computing d and ruiningeverything?

What stops someone from computing m from me (mod M)some other way? (“The RSA Problem”)

Unsatisfying answer: we don’t know.The most efficient way we know to do this is to just computed .

How do you “find” e and d?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA

Questions you should ask:

What stops someone else from computing d and ruiningeverything?

What stops someone from computing m from me (mod M)some other way? (“The RSA Problem”)

Unsatisfying answer: we don’t know.The most efficient way we know to do this is to just computed .

How do you “find” e and d?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA

Questions you should ask:

What stops someone else from computing d and ruiningeverything?

What stops someone from computing m from me (mod M)some other way? (“The RSA Problem”)

Unsatisfying answer: we don’t know.The most efficient way we know to do this is to just computed .

How do you “find” e and d?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSA

Questions you should ask:

What stops someone else from computing d and ruiningeverything?

What stops someone from computing m from me (mod M)some other way? (“The RSA Problem”)

Unsatisfying answer: we don’t know.The most efficient way we know to do this is to just computed .

How do you “find” e and d?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.

Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!

Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.

Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).

There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.

Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASecuring the parameters

The real process:

1 Pick your favorite two “large” and distinct prime numbers, pand q, and let M = pq

Large enough so that M is, say, a 2048 bit number.Also, keep p and q secret!Remember: ϕ(M) = (p − 1)(q − 1).

2 Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.

e = 65537 is a very common choice.Don’t pick e “too small”, e.g. don’t pick e = 3.

3 You can compute d ≡ e−1 (mod ϕ(M)) with the extendedEuclidean algorithm

Because you know that ϕ(M) = (p − 1)(q − 1).There is no known efficient way to compute ϕ(M) withoutknowing p and q.Factoring M is hard (we think), thus (we think) RSA is secure!

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASignatures

RSA also provides us with a way to digitally sign information.

We can encrypt and decrypt because med = (me)d ≡ m (mod M).

But also, med = (md)e ≡ m (mod M)!

Signing a message m means sharing the value md (mod M).

Everyone gets our public key, (M, e), and can compute

m ≡ (md)e (mod M).

Since everyone knows that only we know d , they trust that wecreated (or “knew”, or “trusted”) the message m.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASignatures

RSA also provides us with a way to digitally sign information.

We can encrypt and decrypt because med = (me)d ≡ m (mod M).

But also, med = (md)e ≡ m (mod M)!

Signing a message m means sharing the value md (mod M).

Everyone gets our public key, (M, e), and can compute

m ≡ (md)e (mod M).

Since everyone knows that only we know d , they trust that wecreated (or “knew”, or “trusted”) the message m.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASignatures

RSA also provides us with a way to digitally sign information.

We can encrypt and decrypt because med = (me)d ≡ m (mod M).

But also, med = (md)e ≡ m (mod M)!

Signing a message m means sharing the value md (mod M).

Everyone gets our public key, (M, e), and can compute

m ≡ (md)e (mod M).

Since everyone knows that only we know d , they trust that wecreated (or “knew”, or “trusted”) the message m.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASignatures

RSA also provides us with a way to digitally sign information.

We can encrypt and decrypt because med = (me)d ≡ m (mod M).

But also, med = (md)e ≡ m (mod M)!

Signing a message m means sharing the value md (mod M).

Everyone gets our public key, (M, e), and can compute

m ≡ (md)e (mod M).

Since everyone knows that only we know d , they trust that wecreated (or “knew”, or “trusted”) the message m.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

RSASignatures

RSA also provides us with a way to digitally sign information.

We can encrypt and decrypt because med = (me)d ≡ m (mod M).

But also, med = (md)e ≡ m (mod M)!

Signing a message m means sharing the value md (mod M).

Everyone gets our public key, (M, e), and can compute

m ≡ (md)e (mod M).

Since everyone knows that only we know d , they trust that wecreated (or “knew”, or “trusted”) the message m.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key Exchange

The Situation:

Alice and Bob want to communicate securely, and decide touse AES.

They both need to know the same key!

With no chance to create a key together in person, and notwanting to communicate a key over an insecure channel, whatcan they do?

They can perform a Diffie-Hellman Key Exchange! 1

1Really should be called something like “Key Generation”Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key Exchange

The Situation:

Alice and Bob want to communicate securely, and decide touse AES.

They both need to know the same key!

With no chance to create a key together in person, and notwanting to communicate a key over an insecure channel, whatcan they do?

They can perform a Diffie-Hellman Key Exchange! 1

1Really should be called something like “Key Generation”Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key Exchange

The Situation:

Alice and Bob want to communicate securely, and decide touse AES.

They both need to know the same key!

With no chance to create a key together in person, and notwanting to communicate a key over an insecure channel, whatcan they do?

They can perform a Diffie-Hellman Key Exchange! 1

1Really should be called something like “Key Generation”Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key Exchange

The Situation:

Alice and Bob want to communicate securely, and decide touse AES.

They both need to know the same key!

With no chance to create a key together in person, and notwanting to communicate a key over an insecure channel, whatcan they do?

They can perform a Diffie-Hellman Key Exchange! 1

1Really should be called something like “Key Generation”Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key Exchange

The Situation:

Alice and Bob want to communicate securely, and decide touse AES.

They both need to know the same key!

With no chance to create a key together in person, and notwanting to communicate a key over an insecure channel, whatcan they do?

They can perform a Diffie-Hellman Key Exchange! 1

1Really should be called something like “Key Generation”Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.

2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k.It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k.It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).

This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k.It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k .

It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k .It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

Here’s how this can work.

1 Alice and Bob agree on a “large” prime number p.2 They also agree on an integer g with gcd(g , p) = 1.

Not strictly required, but it’s ideal if g is a generator(mod p).This means that for any integer n with gcd(n, p) = 1,

n ≡ gk (mod p)

for some integer k .It’s not obvious, but such a g exists for any prime number p.

3 Alice and Bob each choose secret (even from each other)“large” integers a and b less than p − 1.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeKey Creation

1 Alice sends ga (mod p) to Bob.

2 Bob sends gb (mod p) to Alice.

3 Alice knows a, and so can compute (gb)a ≡ gab (mod p).

4 Bob knows b, and so can compute (ga)b ≡ gab (mod p).

5 Now, both Alice and Bob know gab (mod p), a shared secretthat never crossed the insecure communication channel! Thisvalue could serve as an AES key, for example.

Going from g x (mod p) to x is called the Discrete Logarithm, andthere is no known efficient algorithm to do this. So there is noknown easy way for an eavesdropper to compute a, b, ab or gab

from the information that crosses the insecure channel.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeExample

Parameters p = 101, g = 2

Alice chooses ... a = 7Bob chooses ... b = 9

Alice sends ... 27 ≡ 128 ≡ 27 (mod 101)Bob sends ... 29 ≡ 512 ≡ 7 (mod 101)

Alice computes ... 77 ≡ 90 (mod 101)Bob computes ... 279 ≡ 90 (mod 101)

So 90 is the shared secret.

Of course in practice all of these numbers would be much larger.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeGeneralizing

The Diffie-Hellman algorithm can be extended to any group,which is a collection of objects with a binary operation satisfying afew rules.

Some examples of groups:Notation Description Sample Elements

(Z,+) Integers, addition 0, 1, 2, 3

(R+, ·) Positive real numbers, product 1, π,√

2

((Z/pZ)× , ·), Invertible integers, product (mod p) 1, 2, p − 1

This last group is the one we used for Diffie-Hellman.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeGeneralizing

The Diffie-Hellman algorithm can be extended to any group,which is a collection of objects with a binary operation satisfying afew rules.

Some examples of groups:Notation Description Sample Elements

(Z,+) Integers, addition 0, 1, 2, 3

(R+, ·) Positive real numbers, product 1, π,√

2

((Z/pZ)× , ·), Invertible integers, product (mod p) 1, 2, p − 1

This last group is the one we used for Diffie-Hellman.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeElliptic Curves

An elliptic curve is the set of points (x , y) that solve an equationof the form

y2 = x3 + ax + b

together with a special point called ∞. 2

We could consider real solutions, integral solutions, or evensolutions (mod p).

2Technical point: we need 4a3 + 27b2 6= 0.Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeElliptic Curves

An elliptic curve is the set of points (x , y) that solve an equationof the form

y2 = x3 + ax + b

together with a special point called ∞. 2

We could consider real solutions, integral solutions, or evensolutions (mod p).

2Technical point: we need 4a3 + 27b2 6= 0.Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeElliptic Curves

There is a (non-obvious) way to “add” points on an elliptic curveto form a third, which turns any elliptic curve into a group.

The discrete log problem is “hard” for elliptic curves: given a pointg on an elliptic curve, and

a · g = g + g + · · ·+ g︸ ︷︷ ︸a times

,

for some integer a, it is difficult to recover a.

This makes it practical to use the Diffie-Hellman algorithm with anelliptic curve with solutions (mod p), with p a large prime.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeElliptic Curves

There is a (non-obvious) way to “add” points on an elliptic curveto form a third, which turns any elliptic curve into a group.

The discrete log problem is “hard” for elliptic curves: given a pointg on an elliptic curve, and

a · g = g + g + · · ·+ g︸ ︷︷ ︸a times

,

for some integer a, it is difficult to recover a.

This makes it practical to use the Diffie-Hellman algorithm with anelliptic curve with solutions (mod p), with p a large prime.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Diffie-Hellman Key ExchangeElliptic Curves

There is a (non-obvious) way to “add” points on an elliptic curveto form a third, which turns any elliptic curve into a group.

The discrete log problem is “hard” for elliptic curves: given a pointg on an elliptic curve, and

a · g = g + g + · · ·+ g︸ ︷︷ ︸a times

,

for some integer a, it is difficult to recover a.

This makes it practical to use the Diffie-Hellman algorithm with anelliptic curve with solutions (mod p), with p a large prime.

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them

Questions?

Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them