Professional Documents
Culture Documents
In order to understand why RSA works, we need two ideas from class: the Extended
Euclidean Algorithm and the method of successive squaring. We also need two new
ideas: Fermat’s Little Theorem and the Chinese Remainder Theorem.
The Euclidean algorithm is a way to find the greatest common divisor of two positive
integers, a and b. First let me show the computations for a=210 and b=45.
Divide 210 by 45, and get the result 4 with remainder 30, so 210=4·45+30.
Divide 45 by 30, and get the result 1 with remainder 15, so 45=1·30+15.
Divide 30 by 15, and get the result 2 with remainder 0, so 30=2·15+0.
The greatest common divisor of 210 and 45 is 15.
The extended Euclidean algorithm is an algorithm to compute integers and such that
ax+by= gcd( a, b)
RSA, which based on the great difficulty of integer factorization, is the most widely-used
public-key cryptosystem used in electronic commerce. Euclid algorithm and extended
Euclid algorithm are the best algorithms to solve the public key and private key in RSA.
Extended Euclid algorithm is improved by eliminating the negative integer operation,
which reduces the computing resources occupied by RSA, hence has an important
application value
Example
60 = 3220 - 40 * 79 (step 1)
19 = 79 - 1 * 60 (step 2)
= 79 - 1*(3220 – 40*79)
= 79 - 3220 + 40*79
= -3220 + 41*79
3 = 60 - 3*19 (step 3)
= (3220 - 40*79) - 3(-3220 + 41*79)
= 3220 – 40*79 +3*3220 -123*79
= 4*3220 – 163*79
1 = 19 – 6*3 (step 4)
= (-3220 + 41*79) – 6(4*3220 –163*79)
= -3220 + 41*79 -24 *3220 + 978*79
= -25*3220 + 1019*79
The final equation means that d = 1019 is the multiplicative inverse of e = 79 mod 3220,
which can also be written as
1019 = 79^-1mod 3220
Example:
Decrypt the ciphertext 175 115 029 171 using n = 187 and e = 7 to confirm that the
original message is found. Solution: We first need to factor n. We run through the list of
primes: 2, 3,5,7,11,13,... until we find a divisor of n. We find that n = 11 · 17. This means
that φ = 10 · 16 = 160. Since gcd(7,160) = 1 we can use the Extended Euclidean
Algorithm to find integers d and k so that 7d−160k = 1.
160 = 22(7)+67
= 1(6)+1
Now working backwards :
1 =7−1(6)
=7−1(160−22(7))
=23(7)−1(160)
175^4≡ 166(mod187)
175^8≡ 67(mod187),
175^16≡ 1 (mod187)
⇒175^23≡ 1·166·144·175(mod187)
≡ 10(mod187).
115^2 ≡ 135(mod187),
115^4 ≡ 86(mod187)
115^8 ≡ 103(mod187),
115^16 ≡ 137(mod187)
⇒115^23 ≡ 137·86·135·115(mod187)
≡ 4(mod187).
29^2 ≡ 93(mod187),
29^4 ≡ 47(mod187)
29^8 ≡ 152(mod187),
29^16 ≡ 103(mod187)
⇒29^23 ≡ 103·47·93·29(mod187)
≡ 24(mod187).
171^2 ≡ 69(mod187),
171^4 ≡ 86(mod187)
171^8 ≡ 103(mod187),
171^16 ≡ 137(mod187)
⇒171^23 ≡ 137·86·69·171(mod187)
≡ 18(mod187).
010 004 024 018, which in letters is KEYS.This confirms that the encryption/decryption
algorithm works in this case.
Fermat’s Little Theorem:
RSA is a cryptographic algorithm that is used to send and receive messages. We use
the Fermat’s Little Theorem to prove that RSA works correctly and accurately. In other
words, the decrypted message is indeed the original message from the sender.
Mathematically we show that applying the encryption function and the decryption
function successively produces the identity function.
To see how RSA works, see the previous post An Illustration of the RSA Algorithm.
____________________________________
RSA Algorithm
We first briefly describe the algorithm and then present the mathematical statement to
validate.
Let N=p . q where p and q are two prime numbers. Let φ =(p-1) . (q-1). Choose an
integer e with 1<e<N such that e and φ are relatively prime.
The public key consists of N and e where e is the encryption key. Once it is published,
anyone can use it to encrypt messages to send to the creator of the public key. The
following is the encryption function:
The number d is the decryption key that will be used to decode messages. So it should
remain private.
Once the creator of the public key receives an encrypted message C = f (M), he or she
uses the following decryption function to obtain the original message M.
____________________________________
What we prove is that the decryption function is to undo the encryption function.
Specifically, we prove the following:
In other words, applying the decryption function g to the encryption function f produces
the original message.
____________________________________
In this section, we list out the tools we need to prove the correctness of RSA.
Theorem 1 (Fermat’s Little Theorem)
If p is a prime number and a is an integer such that a and p are relatively prime, then
Lemma 3
Let M be an integer. Let p and q be prime numbers with p # q.,
Proof of Lemma 3
Suppose we have a ≡ M ( mod p) and
a ≡ M (mod q). Then for some integers i and j, we have:
Then p . i=q . j. This implies that p divides q. j (p \ q . j). By Euclid’s lemma, we have
either p \ q or p \ j. Since p and q are distinct prime numbers, we cannot have p \ q. So
we have p \ j and that j=p . w for some integer w.
____________________________________
(M^e)^d=M^ed ≡ M ( Mod N = p . q)
We first show that M^ed ≡ M (Mod p) and M^ed ≡ M ( Mod q). Then the desired result
follows from Lemma 3.
To show M^ed ≡ M ( Mod p), we consider two cases: M ≡ 0 (Mod p) or M # 0 (Mod p).
Case 1. M ≡ 0 ( Mod p). Then M is an integer multiple of p, say M=p . w where w is an
integer. Then
M^ed =(p . w)^ed =p . p^ed-1 . w^ed . So both M and M^{ed} are integer multiples of
p. Thus M^{ed} ≡ M (Mod p).
Case 2. M # 0 ( Mod p). This means that p and M are relatively prime (having no
common divisor other than 1). Thus we can use Fermat’s Little Theorem. We have
M^p-1≡ ( mod p).
From the way the decryption key d is defined above, we have ed-1=(p-1) . (q-1) k . for
some integer k. We then have:
M^ ed =M^ed-1 . M
=M^(p-1) (q-1) . k .M
=(M^p-1)^(q-1) .k . M
≡ (1)^{(q-1) . k . M ( Mod p) *
≡ M ( Mod p)
At the step with *, we apply Fermat’s Little Theorem. So we have M^{ed} M ≡(Mod p).
The same reason reasoning can show that M^ed ≡ M ( Mod q).
____________________________________
Chinese Remainder Theorem
Solution:
List all the integers that are congruent to 3 (mod 11), up to 5×11: 3, 14,25,36,47. The
only one that is also congruent to 4 (mod 5) is 14. Since gcd(5,11) = 1, the Chinese
Remainder Theorem guarantees us that x ≡14 (mod 55) is the only solution. There is a
more general version of the Chinese Remainder Theorem, but we don’t need it to
understand RSA encryption.
1. Let p and q be very be two very large primes of nearly the same size such
that gcd (p1, q-1) = 2.
2. Compute N = p*q.
3. Pick two random integers dp and dq such that gcd (dp, p-1)=1, gcd (dq,
q-1)=1 and dp==dq mod 2.
4. Find a d such that d==dp mod p-1 and d==dq mod q-1.
The public key is <N, e> and the private key is <p, q, dp, dq>. Since
gcd (dp, p-1) =1 and d==dp mod p-1, we have gcd (d, p-1)=1.
Similarly, gcd (d, q-1)=1. Hence gcd (d, phi (N))=1 and by step 5, e can be
computed.
To apply the Chinese Remainder Theorem in step 4, the respective moduli
have to be relatively prime in pairs for a solution to necessarily exist. We
observe that p-1 and q-1 are even and that we cannot directly apply the
Chinese Remainder Theorem. However, gcd ((p-1)/2, (q-1)/2)=1.
Since gcd (dp, p-1)=1 and gcd (dq, q-1)=1, essentially dp, dq are odd integers
and dp-1, dq-1 are even integers. We have gcd (d, p-1)=1, which implies that d
is odd and d-1 is even.
To find a solution to
d==dp mod p-1,
d==dq mod q-1.
We find a solution to d-1==dp –1 mod p-1, d-1==dq –1 mod q-1. By applying the
cancellation law and taking the common factor 2 out, we have x=d’== (d-1)/2==(dp
–1)/2 mod( p-1)/2, x=d’==(d-1)/2==(dq –1)/2 mod( q-1)/2. Using Chinese Remainder
Theorem we find d such that d = (2*d’) +1.
RSA-CRT Decryption
Example
. Choose p = 7, q = 11,
gcd (p-1, q-1) = 2,
N = p*q
= 7*11 = 77,
phi (N) = (p-1)*(q-1) = 6*10 = 60.
Let dp = 5, gcd (dp , p-1) = gcd (5,6) = 1.
dq = 3, gcd (dq , q-1) = gcd (3,10) = 1.
We are to find d such that d==5 mod 6, d==3 mod 10.
We cannot apply the Chinese Remainder theorem since gcd (6,10) ≠ 1, hence
we convert the system of congruences in such a manner that the cancellation law
can be applied Therefore, we have d-1==5-1 mod 6, d-1==3-1 mod 10.
On applying the cancellation law,
(d-1)/2==(5-1)/2 mod (6/2),
(d-1)/2==(3-1)/2 mod (10/2).
x = d’= (d-1)/2== 2 mod 3,
x = d’= (d-1)/2== 1 mod 5.
Solving using Chinese Remainder Theorem, M = 3*5 = 15,
M1 =15/3 = 5,
M2 = 15/5=3.
5*N1==1 mod 3, N1=2,
3*N2==1 mod 5, N2=2.
We have, d’ = x = 2*5*2 + 1*3*2
= 26(mod 15) = 11.
Therefore d’ = 11 and d = (2*d’)+1
= (2*11) +1 = 23, d = 23.
Now we find, e such that
e*d==1 mod phi(N),
e*23==1 mod 60, e = 47.
Let the plaintext M=5. C=547 mod 77 = 3.
For decryption, we find M = Mp mod p = cd mod p,
M = Mq mod q = cd mod q.
Mp = 35 mod 7 = 243 mod 7 = 5,
Mq = 33 mod 11= 27 mod 11 = 5.
Using the Chinese Remainder Theorem, M = 7*11 = 77,
M1 = 77/7 = 11,
M2 = 77/11 = 7.
11*N1==1 mod 7,
N1=2,
7*N2==1 mod 11, N2=8.
x = 5*11*2 + 5*7*8
= 390 mod 77 =5.
Thus x = M = 5, as desired. In this specific example (Mp and Mq)=5 is a
common solution and it is not necessary to further apply the Chinese Remainder
Theorem.
We now turn our attention to another RSA variant, the Rebalanced RSA-CRT.
The main aim of Rebalanced RSA-CRT is to speed up RSA decryption by
shifting the work to the encrypter. This behavior is particularly useful for RSA
decryption in mobile devices like cell phones whose life is limited by its battery.
Rebalanced RSA-CRT decryption is over three times faster than the standard
RSA. The only difference between RSA-CRT and Rebalanced RSA-CRT is in
choosing the values of dp and dq. In Rebalanced RSA-CRT, the size of e and
d are of the order of phi (N), where as in standard RSA, e is usually a 16-bit
or 32-bit integer. According to [6], the size of dp and dq should be at least
160-bits to achieve a security of 280. As a result, for Rebalanced RSA-CRT we
always choose (dp and dq) > 160-bits. The remaining steps are same as that
for RSA-CRT. The main drawback with this scheme is that the task of the
encrypter is enormous, even for a high-end computer. A variant of Rebalanced
RSA-CRT exists with encryption three times faster than the original Rebalanced
RSA-CRT.