RSA, Diffie-Hellman, and the Math Behind Them
Dan Zollers
Fortego U
July 16, 2020
Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them
Dan Zollers
Who am I?
Analyst with Fortego
Studied math in graduate school (UMD)
Play a mean game of Goldeneye (N64)
RSA and Diffie-Hellman
What is RSA?
An asymmetric cryptographic algorithm often used for key sharing and digital signatures
Co-invented by Ron Rivest, Adi Shamir and Leonard Adleman (and Clifford Cocks!)
Derives security from the difficulty of factoring large numbers into primes
What is Diffie-Hellman?
A secure key “exchange” algorithm
Co-invented by Whitfield Diffie, Martin Hellman and Ralph Merkle
Derives security from the difficulty of solving “Discrete log” problems
But first...
Division
Let a and b be two integers.
b divides a if there is another integer c so that a = bc
We also say b is a divisor of a, or write b | a
Or that a is a multiple of b
For any integers a and b, with b > 0, we can write
a = qb + r
where 0 ≤ r < b. (r is called the remainder)
Note that b divides a precisely when r = 0.
Division
For example, here are all of the (positive) divisors of 42:
1, 2, 3, 6, 7, 14, 21, 42
40 is not divisible by 3, but the remainder when 40 is divided by 3 is 1, since 40 = 13 · 3 + 1.
Greatest Common Divisor
The greatest common divisor of a and b is the largest integer that divides both a and b.
Example:
gcd(12, 8) = 4
Often denoted gcd(a, b) or just (a, b)
It is always at least 1 since 1 divides every integer
If gcd(a, b) = 1, we say a and b are coprime
Finding all of the divisors of an integer is tedious. Is there a good way to compute gcd(a, b)?
The Euclidean Algorithm
Yes! One of the oldest known algorithms!
def euclid(a, b):
    """ Euclidean Algorithm """
    while b != 0:
        a, b = b, a % b
    return a
Figure: A Python implementation of the Euclidean Algorithm
Idea: Simultaneously replace a with b and b with the remainder of a divided by b. When b takes the value 0, the gcd is the value of a.
The Euclidean Algorithm
What is gcd(169, 65)?
(169, 65) ↦ (65, 39) ↦ (39, 26) ↦ (26, 13) ↦ (13, 0)
So gcd(169, 65) is 13.
The Python code on the previous slide immediately verifies that
$\gcd(2^{500000} - 1,\ 3^{10000} - 11) = 5$
on a modern computer.
“Chekhov’s Gun”
Theorem (Bezout’s Identity)
Let d = gcd(a, b). Then there are integers x and y such that
ax + by = d.
(The quantity ax + by is called a linear combination of a and b.)
For example, gcd(17, 5) = 1, and ...
17(−2) + 5(7) = 1.
Modular Arithmetic
Let n be a positive integer. We say a is congruent to b “mod” n, and write
a ≡ b (mod n)
if a and b have the same remainder when divided by n.
Or, equivalently, if n | (a − b).
If a ≡ b (mod n), then there is some integer k such that b = a + nk.
Modular Arithmetic: Examples
6 ≡ 1 (mod 5)
17 ≡ 10 (mod 7)
250 ≡ 48 (mod 101)
n ≡ 0 (mod n)
Fun fact: for any integers a and b,
$(a + b)^2 \equiv a^2 + b^2 \pmod{2}$.
(Can you see why?)
Modular Arithmetic: Properties
Some happy little properties:
If a ≡ b (mod n), and b ≡ c (mod n), then a ≡ c (mod n).
If a ≡ a′ (mod n) and b ≡ b′ (mod n), then:
a + b ≡ a′ + b′ (mod n)
a − b ≡ a′ − b′ (mod n)
ab ≡ a′b′ (mod n)
$a^k \equiv (a')^k \pmod{n}$
Every integer is congruent to exactly one of 0, 1, 2, . . . , n − 1 (mod n).
Modular Arithmetic: Inversion
We say that “a is invertible (mod n)” if there is an integer b such that
ab ≡ 1 (mod n).
This b is often denoted by $a^{-1}$.
For example, $3^{-1} \equiv 5 \pmod{7}$, since 3 · 5 = 15 has remainder 1 when divided by 7.
Not every integer is invertible mod a given n: 3 is not invertible mod 6. Is there a quick way to tell when an integer is invertible (mod n)?
Modular Arithmetic: Inversion
“a is invertible (mod n)” means that there is an integer x such that
ax ≡ 1 (mod n).
In other words, there is a y such that
ax + ny = 1.
Since gcd(a, n) divides the left hand side, it also divides 1, the right hand side, so
gcd(a, n) = 1.
Modular Arithmetic: Inversion
Conversely, if gcd(a, n) = 1, Bezout’s Identity asserts that there are integers x and y so that ax + ny = 1, and in turn ax ≡ 1 (mod n), so a is invertible (mod n).
Upshot: a is invertible (mod n) precisely when a and n are coprime.
When n = p is prime, then 1, 2, . . . , p − 1 are all invertible (mod p).
Modular Arithmetic: Inversion
Suppose gcd(a, n) = 1. How do we find $a^{-1}$ (mod n)?
The Extended Euclidean Algorithm efficiently solves this problem.
Vague Idea: Carry out the Euclidean Algorithm, keeping track of the linear combinations of a and n that arise.
This results in x and y such that ax + ny = gcd(a, n). When gcd(a, n) = 1, we have that
$x \equiv a^{-1} \pmod{n}$.
Modular Arithmetic: Extended Euclidean Algorithm
$$
\begin{array}{ll}
\gcd & ax + ny \\
\hline
(n,\ a) & \\
(a,\ r_1 = n \,\%\, a) & n - a q_1 = r_1 \\
(r_1,\ r_2 = a \,\%\, r_1) & a - q_2 r_1 = r_2 \\
 & \implies a - q_2 (n - a q_1) = r_2 \\
 & \implies a (q_2 q_1 + 1) - q_2 n = r_2 \\
\vdots & \vdots \\
(r_{N-1},\ 1) = 1 & ax + ny = 1
\end{array}
$$
Note: Even when gcd(n, a) = d ≠ 1, we can use this algorithm to find x and y so that
ax + ny = d.
Modular Arithmetic: Extended Euclidean Algorithm
Example: What is $44^{-1}$ (mod 113)?
$$
\begin{array}{ll}
(113, 44) & \\
(44, 25) & (-2)44 + 113 = 25 \\
(25, 19) & 44 + (-1)25 = 19 \\
 & \implies 44 + (-1)((-2)44 + 113) = 19 \\
 & \implies 3 \cdot 44 + (-1)113 = 19 \\
(19, 6) & 25 + (-1)19 = 6 \\
 & \implies (-5)44 + 2 \cdot 113 = 6 \\
(6, 1) & 19 + (-3)6 = 1 \\
 & \implies 18 \cdot 44 + (-7)113 = 1
\end{array}
$$
So $44^{-1} \equiv 18 \pmod{113}$.
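The "vague idea" of the Extended Euclidean Algorithm, made concrete in Python as an added example (not code from the original slides). The names `egcd_trace` and `modinv` and the row layout are choices made here; each recorded row holds the current pair and coefficients (x, y) with ax + ny equal to the pair's second entry, so the rows for (113, 44) reproduce the worked example above.

```python
def egcd_trace(a, n):
    """Extended Euclidean Algorithm on the pair (n, a), for a >= 0 and n > 0.

    Returns (d, x, y, rows) with a*x + n*y == d == gcd(a, n).
    Each row is ((r_prev, r), x, y) where a*x + n*y == r, i.e. the
    "gcd" and "ax + ny" columns of the table on the slides.
    """
    if n <= 0 or a < 0:
        raise ValueError("expected a >= 0 and n > 0")
    # Invariant kept on every step:
    #   r0 == a*x0 + n*y0   and   r1 == a*x1 + n*y1
    r0, x0, y0 = n, 0, 1
    r1, x1, y1 = a, 1, 0
    rows = [((r0, r1), x1, y1)]
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1   # same step as euclid(): (r0, r1) -> (r1, r0 % r1)
        x0, x1 = x1, x0 - q * x1   # apply the identical update to the
        y0, y1 = y1, y0 - q * y1   # coefficients so the invariant survives
        rows.append(((r0, r1), x1, y1))
    return r0, x0, y0, rows


def modinv(a, n):
    """Return the inverse of a modulo n, reduced into the range 0..n-1.

    Raises ValueError when gcd(a, n) != 1, since then no inverse exists.
    """
    if n <= 0:
        raise ValueError("modulus must be positive")
    d, x, _, _ = egcd_trace(a % n, n)
    if d != 1:
        raise ValueError(f"{a} is not invertible mod {n}: gcd is {d}")
    return x % n                   # x may be negative; reduce it mod n


if __name__ == "__main__":
    d, x, y, rows = egcd_trace(44, 113)
    for (r_prev, r), cx, cy in rows:
        print(f"({r_prev}, {r})   44*({cx}) + 113*({cy}) = {r}")
    print("44^-1 mod 113 =", modinv(44, 113))
    try:
        modinv(3, 6)               # the slides' non-invertible example
    except ValueError as exc:
        print(exc)
```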
Fermat’s Little Theorem
Theorem
Let p be a prime number. If a is any integer, then
$a^p \equiv a \pmod{p}$.
Further, if gcd(a, p) = 1, then
$a^{p-1} \equiv 1 \pmod{p}$.
Example (p = 7, a = 2):
$2^{7-1} \equiv 2^6 \equiv 64 \equiv 1 \pmod{7}$
Euler’s Theorem: Euler’s Totient Function
To state Euler’s Theorem, we first need to define Euler’s Totient function (denoted by ϕ).
Definition
Let n ≥ 1 be an integer. We define ϕ(n) to be the number of positive integers less than or equal to n that are coprime to n. (We’ll say 1 is coprime to itself, so ϕ(1) = 1.)
For example, ϕ(12) = 4, as 1, 5, 7 and 11 are the positive integers less than 12 that are also coprime to 12.
Note that if p is prime then
ϕ(p) = p − 1.
Euler’s Theorem: Euler’s Totient Function
It’s not too hard to show further that when p is prime and n ≥ 1,
$\varphi(p^n) = p^{n-1}(p - 1)$.
Theorem (The Totient Function is Multiplicative)
If a and b are positive integers with gcd(a, b) = 1, then
ϕ(ab) = ϕ(a)ϕ(b).
This makes computing ϕ(n) easy when we can factor n into primes and prime powers.
If p and q are distinct prime numbers, then
ϕ(pq) = (p − 1)(q − 1).
Euler’s Theorem
Theorem (Euler’s Theorem)
Let n ≥ 2 be an integer. If a is an integer coprime to n, then
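$a^{\varphi(n)} \equiv 1 \pmod{n}$.
An important consequence: if x ≡ 1 (mod ϕ(n)), then
$a^x \equiv a \pmod{n}$.
Proof (writing x = ϕ(n)k + 1 for some integer k):
$a^x \equiv a^{\varphi(n)k+1} \equiv (a^{\varphi(n)})^k a \equiv 1^k a \equiv a \pmod{n}$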
RSAFinally
The process:
Choose M to be some large integer (“The Modulus”)
Find e and d so that ed ≡ 1 (mod ϕ(M)).
By the consequence of Euler’s Theorem,
(me)d = med ≡ m (mod M)
Give anyone you like M and e. Keep d private.
Anyone can encrypt a message m by computing me (mod M).
Only you (?) can decrypt by computing (me)d ≡ m (mod M).
Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them
RSAFinally
The process:
Choose M to be some large integer (“The Modulus”)
Find e and d so that ed ≡ 1 (mod ϕ(M)).
By the consequence of Euler’s Theorem,
(me)d = med ≡ m (mod M)
Give anyone you like M and e. Keep d private.
Anyone can encrypt a message m by computing me (mod M).
Only you (?) can decrypt by computing (me)d ≡ m (mod M).
Dan Zollers RSA, Diffie-Hellman, and the Math Behind Them
RSA
Questions you should ask:
What stops someone else from computing d and ruining everything?
What stops someone from computing m from $m^e \pmod{M}$ some other way? (“The RSA Problem”)
Unsatisfying answer: we don’t know. The most efficient way we know to do this is to just compute d.
How do you “find” e and d?
RSA: Securing the parameters
The real process:
1. Pick your favorite two “large” and distinct prime numbers, p and q, and let M = pq.
   Large enough so that M is, say, a 2048 bit number.
   Also, keep p and q secret!
   Remember: $\phi(M) = (p - 1)(q - 1)$.
2. Pick any e such that gcd(e, (p − 1)(q − 1)) = 1.
   e = 65537 is a very common choice.
   Don’t pick e “too small”, e.g. don’t pick e = 3.
3. You can compute $d \equiv e^{-1} \pmod{\phi(M)}$ with the extended Euclidean algorithm,
   because you know that $\phi(M) = (p - 1)(q - 1)$.
   There is no known efficient way to compute $\phi(M)$ without knowing p and q.
   Factoring M is hard (we think), thus (we think) RSA is secure!
RSA: Signatures
RSA also provides us with a way to digitally sign information.
We can encrypt and decrypt because $m^{ed} = (m^e)^d \equiv m \pmod{M}$.
But also, $m^{ed} = (m^d)^e \equiv m \pmod{M}$!
Signing a message m means sharing the value $m^d \pmod{M}$.
Everyone gets our public key, (M, e), and can compute
$m \equiv (m^d)^e \pmod{M}$.
Since everyone knows that only we know d, they trust that we created (or “knew”, or “trusted”) the message m.
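The three steps of “the real process” and the signature identity, carried through as an added example that is not from the slides. The primes P and Q are constructed toy values (two Mersenne primes), and all function names are assumptions chosen here; the math is the textbook scheme above with no padding or hashing.

```python
# Added example: textbook RSA in the slides' notation (M, e, d, m).
# P and Q are constructed toy primes; real keys use random primes of about
# 1024 bits each, and real systems add padding (OAEP for encryption, PSS
# for signatures) on top of this raw arithmetic.
P = 2**31 - 1
Q = 2**61 - 1


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        quot, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - quot * x1
        y0, y1 = y1, y0 - quot * y1
    return a, x0, y0


def make_key(p, q, e=65537):
    """Steps 1-3: return the public key (M, e) and the private exponent d."""
    if p == q:
        raise ValueError("p and q must be distinct")
    M = p * q
    phi = (p - 1) * (q - 1)      # computable only because we know p and q
    g, x, _ = egcd(e, phi)
    if g != 1:                   # step 2: e must be invertible mod phi(M)
        raise ValueError(f"gcd(e, phi(M)) = {g}; pick another e")
    d = x % phi                  # move the Bezout coefficient into [0, phi)
    return (M, e), d


def _check_range(m, M):
    if not 0 <= m < M:
        raise ValueError("message must be an integer in [0, M)")


def encrypt(m, public):
    """Anyone can compute m^e (mod M)."""
    M, e = public
    _check_range(m, M)
    return pow(m, e, M)


def decrypt(c, public, d):
    """Only the holder of d can compute (m^e)^d = m (mod M)."""
    M, _ = public
    return pow(c, d, M)


def sign(m, public, d):
    """Signing shares m^d (mod M)."""
    M, _ = public
    _check_range(m, M)
    return pow(m, d, M)


def verify(m, signature, public):
    """Anyone can check that (m^d)^e = m (mod M)."""
    M, e = public
    return pow(signature, e, M) == m


if __name__ == "__main__":
    public, d = make_key(P, Q)
    m = 123456789                # constructed sample message
    c = encrypt(m, public)
    print("ciphertext:", c, "-> decrypts to", decrypt(c, public, d))
    s = sign(m, public, d)
    print("signature valid:", verify(m, s, public))
```

With these particular primes, `make_key(P, Q, e=3)` raises `ValueError` because 3 divides P − 1, which is the gcd condition in step 2 failing.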
Diffie-Hellman Key Exchange
The Situation:
Alice and Bob want to communicate securely, and decide to use AES.
They both need to know the same key!
With no chance to create a key together in person, and not wanting to communicate a key over an insecure channel, what can they do?
They can perform a Diffie-Hellman Key Exchange! [1]
[1] Really should be called something like “Key Generation”
Diffie-Hellman Key Exchange: Key Creation
Here’s how this can work.
1. Alice and Bob agree on a “large” prime number p.
2. They also agree on an integer g with gcd(g, p) = 1.
   Not strictly required, but it’s ideal if g is a generator (mod p).
   This means that for any integer n with gcd(n, p) = 1,
   $n \equiv g^k \pmod{p}$
   for some integer k.
   It’s not obvious, but such a g exists for any prime number p.
3. Alice and Bob each choose secret (even from each other) “large” integers a and b less than p − 1.
Diffie-Hellman Key Exchange: Key Creation
1. Alice sends $g^a \pmod{p}$ to Bob.
2. Bob sends $g^b \pmod{p}$ to Alice.
3. Alice knows a, and so can compute $(g^b)^a \equiv g^{ab} \pmod{p}$.
4. Bob knows b, and so can compute $(g^a)^b \equiv g^{ab} \pmod{p}$.
5. Now, both Alice and Bob know $g^{ab} \pmod{p}$, a shared secret that never crossed the insecure communication channel! This value could serve as an AES key, for example.
Going from $g^x \pmod{p}$ to x is called the Discrete Logarithm, and there is no known efficient algorithm to do this. So there is no known easy way for an eavesdropper to compute a, b, ab or $g^{ab}$ from the information that crosses the insecure channel.
Diffie-Hellman Key Exchange: Example
Parameters p = 101, g = 2
Alice chooses ... a = 7
Bob chooses ... b = 9
Alice sends ... $2^7 \equiv 128 \equiv 27 \pmod{101}$
Bob sends ... $2^9 \equiv 512 \equiv 7 \pmod{101}$
Alice computes ... $7^7 \equiv 90 \pmod{101}$
Bob computes ... $27^9 \equiv 90 \pmod{101}$
So 90 is the shared secret.
Of course in practice all of these numbers would be much larger.
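The exchange above with both sides' messages, plus the generator condition from the key-creation step, as an added example that is not from the slides. The function names, the range check on received values and the SHA-256 step that turns the shared number into a 32-byte AES key are assumptions chosen here; g = 10 is a constructed counterexample of a non-generator.

```python
# Added example: Diffie-Hellman over the integers mod p, slide notation
# (p, g, a, b). Toy sizes only; the factoring helper is trial division.
import hashlib
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy p only)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """True if every n coprime to the prime p is some power g^k (mod p)."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def element_order(g, p):
    """How many distinct values g^k (mod p) takes (brute force, toy only)."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def check_public(y, p):
    """Assumed receiver-side check: refuse 0, 1, p-1 and out-of-range values,
    which would force the shared secret into a tiny set."""
    if not 1 < y < p - 1:
        raise ValueError("received value outside 2..p-2")
    return y


def keypair(p, g, secret=None):
    """Return (secret, g^secret mod p); draw the secret randomly if not given."""
    if secret is not None:
        return secret, pow(g, secret, p)
    while True:
        secret = secrets.randbelow(p - 3) + 2      # 2 .. p-2
        public = pow(g, secret, p)
        if 1 < public < p - 1:
            return secret, public


def exchange(p, g, a=None, b=None):
    """Run both sides and return what crossed the wire and what each derived."""
    a, alice_sends = keypair(p, g, a)
    b, bob_sends = keypair(p, g, b)
    alice_secret = pow(check_public(bob_sends, p), a, p)    # (g^b)^a
    bob_secret = pow(check_public(alice_sends, p), b, p)    # (g^a)^b
    return {"alice_sends": alice_sends, "bob_sends": bob_sends,
            "alice_secret": alice_secret, "bob_secret": bob_secret}


def aes_key_from(shared, p):
    """Assumed key derivation: hash the fixed-width shared value to 32 bytes."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


if __name__ == "__main__":
    print(exchange(101, 2, a=7, b=9))            # the slide's numbers
    print("2 generates:", is_generator(2, 101))
    print("10 generates:", is_generator(10, 101),
          "- it only reaches", element_order(10, 101), "values")
```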
Diffie-Hellman Key Exchange: Generalizing
The Diffie-Hellman algorithm can be extended to any group, which is a collection of objects with a binary operation satisfying a few rules.
Some examples of groups:

Notation                                      Description                           Sample Elements
$(\mathbb{Z}, +)$                             Integers, addition                    0, 1, 2, 3
$(\mathbb{R}^+, \cdot)$                       Positive real numbers, product        1, π, √2
$((\mathbb{Z}/p\mathbb{Z})^\times, \cdot)$    Invertible integers, product (mod p)  1, 2, p − 1

This last group is the one we used for Diffie-Hellman.
Diffie-Hellman Key Exchange: Elliptic Curves
An elliptic curve is the set of points (x, y) that solve an equation of the form
$y^2 = x^3 + ax + b$
together with a special point called ∞. [2]
We could consider real solutions, integral solutions, or even solutions (mod p).
[2] Technical point: we need $4a^3 + 27b^2 \neq 0$.
Diffie-Hellman Key Exchange: Elliptic Curves
There is a (non-obvious) way to “add” points on an elliptic curve to form a third, which turns any elliptic curve into a group.
The discrete log problem is “hard” for elliptic curves: given a point g on an elliptic curve, and
$a \cdot g = \underbrace{g + g + \cdots + g}_{a \text{ times}}$,
for some integer a, it is difficult to recover a.
This makes it practical to use the Diffie-Hellman algorithm with an elliptic curve with solutions (mod p), with p a large prime.
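The “non-obvious” addition written out, as an added example that is not from the slides: the standard chord-and-tangent formulas on a constructed toy curve $y^2 = x^3 + 2x + 2 \pmod{17}$ with base point (5, 1), followed by Diffie-Hellman on that curve. The names P_MOD, A, B, G and the secrets 7 and 9 are assumptions chosen here (A and B are the slide's curve coefficients a and b, renamed to avoid clashing with the secret a).

```python
# Added example: elliptic-curve group law and Diffie-Hellman on a toy curve.
# Constructed parameters: y^2 = x^3 + A*x + B over the integers mod P_MOD.
# A point is an (x, y) tuple; INF stands for the special point "infinity".
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None

# The slide's technical condition: 4a^3 + 27b^2 must be nonzero.
assert (4 * A**3 + 27 * B**2) % P_MOD != 0


def on_curve(pt):
    """True if pt is INF or satisfies the curve equation mod P_MOD."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group operation: the third point on the line through p1 and p2,
    reflected across the x-axis. INF is the identity element."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                # p2 is the inverse of p1
    if p1 == p2:                                  # tangent slope
        slope = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                         # chord slope
        slope = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    slope %= P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """k * pt = pt + pt + ... + pt (k times), by double-and-add.
    Not constant-time; for illustration only."""
    if k < 0:
        raise ValueError("k must be non-negative")
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(secret, their_point):
    """One side's computation: check the received point, then multiply."""
    if their_point is INF or not on_curve(their_point):
        raise ValueError("received point is not a valid curve point")
    return mul(secret, their_point)


if __name__ == "__main__":
    a, b = 7, 9                                   # constructed toy secrets
    alice_sends, bob_sends = mul(a, G), mul(b, G)
    print("Alice sends", alice_sends, "Bob sends", bob_sends)
    print("Alice derives", ecdh(a, bob_sends))
    print("Bob derives  ", ecdh(b, alice_sends))
```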
Questions?