​How RSA encryption works

In order to understand why RSA works, we need two ideas from class: the Extended
Euclidean Algorithm and the method of successive squaring. We also need two new
ideas: Fermat’s Little Theorem and the Chinese Remainder Theorem.

The Euclidean algorithm

The Euclidean algorithm is a way to find the greatest common divisor of two positive
integers, a and b. First let me show the computations for a=210 and b=45.
Divide 210 by 45, and get the result 4 with remainder 30, so 210=4·45+30.
Divide 45 by 30, and get the result 1 with remainder 15, so 45=1·30+15.
Divide 30 by 15, and get the result 2 with remainder 0, so 30=2·15+0.
The greatest common divisor of 210 and 45 is 15.

Extended Euclidean Algorithm

The extended Euclidean algorithm is an algorithm to compute integers and such that
ax+by= gcd( a, b)

Extended Euclidean Algorithm and RSA

RSA, which based on the great difficulty of integer factorization, is the most widely-used
public-key cryptosystem used in electronic commerce. Euclid algorithm and extended
Euclid algorithm are the best algorithms to solve the public key and private key in RSA.
Extended Euclid algorithm is improved by eliminating the negative integer operation,
which reduces the computing resources occupied by RSA, hence has an important
application value

​Example

Choose 2 prime numbers, e.g., p = 47 and q = 71

Compute, n = p * q = 47 * 71 = 3337
Compute, z = (p-1)(q-1) = 46 * 70 = 3220
Note: p-1 = 46 = 2 * 23, q-1 = 70 = 2 * 5 * 7
Choose e relatively prime to 3220
e = 79 which does not
contain any common factors
with p-1, q-1
Compute d such that
d * e = 1 mod 3220, which can
be written as, d = e^-1 mod 3220
By Extended Euclidean Algorithm, determine that d = 1019
Public key = (e, n) = (79, 3337)
Private key = (d,n) = (1019, 3337)

Extended Euclidean Algorithm

Example for e = 69, z = 3220

3220/79 = 40 R 60 => 60 = 3220

- 79 * 40 (step 1)
79/60 = 1 R 19 =>19 = 79 - 60 * 1 (step 2)
60/19 =3R3 =>3 = 60 - 19 * 3 (step 3)
19/3 =6R1 =>1 = 19 - 3 * 6 (step 4)

Applying the Extended Euclidean

Algorithm, we get:

60 = 3220 - 40 * 79 (step 1)

19 = 79 - 1 * 60 (step 2)
= 79 - 1*(3220 – 40*79)
= 79 - 3220 + 40*79
= -3220 + 41*79

3 = 60 - 3*19 (step 3)
= (3220 - 40*79) - 3(-3220 + 41*79)
= 3220 – 40*79 +3*3220 -123*79
= 4*3220 – 163*79

1 = 19 – 6*3 (step 4)
= (-3220 + 41*79) – 6(4*3220 –163*79)
= -3220 + 41*79 -24 *3220 + 978*79
= -25*3220 + 1019*79

The final equation means that d = 1019 is the multiplicative inverse of e = 79 mod 3220,
which can also be written as
1019 = 79^-1mod 3220

The public key is (e, 3337) = (79, 3337)

The private key is (d,3337) = (1019, 3337)

Example:

Decrypt the ciphertext 175 115 029 171 using n = 187 and e = 7 to confirm that the
original message is found. Solution: We first need to factor n. We run through the list of
primes: 2, 3,5,7,11,13,... until we find a divisor of n. We find that n = 11 · 17. This means
that φ = 10 · 16 = 160. Since gcd(7,160) = 1 we can use the Extended Euclidean
Algorithm to find integers d and k so that 7d−160k = 1.

160 = 22(7)+67
= 1(6)+1
Now working backwards :
1 =7−1(6)
=7−1(160−22(7))
=23(7)−1(160)

This tells us that the private decryption key is d=23.

We decrypt using M≡C^23(mod187).

175^2≡ 144(mod187),

175^4≡ 166(mod187)

175^8≡ 67(mod187),

175^16≡ 1 (mod187)

⇒175^23≡ 1·166·144·175(mod187)

≡ 10(mod187).

115^2 ≡ 135(mod187),

115^4 ≡ 86(mod187)

115^8 ≡ 103(mod187),

115^16 ≡ 137(mod187)

⇒115^23 ≡ 137·86·135·115(mod187)

≡ 4(mod187).

29^2 ≡ 93(mod187),
29^4 ≡ 47(mod187)

29^8 ≡ 152(mod187),

29^16 ≡ 103(mod187)

⇒29^23 ≡ 103·47·93·29(mod187)

≡ 24(mod187).

171^2 ≡ 69(mod187),

171^4 ≡ 86(mod187)

171^8 ≡ 103(mod187),

171^16 ≡ 137(mod187)

⇒171^23 ≡ 137·86·69·171(mod187)

≡ 18(mod187).

We retrieve the original message:

010 004 024 018, which in letters is KEYS.This confirms that the encryption/decryption
algorithm works in this case.
​Fermat’s Little Theorem​:

If p is prime and a is an integer not divisible by p, then ap−1 ≡ 1 (mod p).

Example: Let’s take p = 7 and a = 3. Then:

31 ≡ 3 (mod 7)
32 ≡ 2 (mod 7)
33 ≡ 6 (mod 7)
34 ≡ 4 (mod 7)
35 ≡ 5 (mod 7)
36 ≡ 1 (mod 7)
This last line is an example of Fermat’s Little Theorem.

Fermat’s Little Theorem and RSA Algorithm

RSA is a cryptographic algorithm that is used to send and receive messages. We use
the Fermat’s Little Theorem to prove that RSA works correctly and accurately. In other
words, the decrypted message is indeed the original message from the sender.
Mathematically we show that applying the encryption function and the decryption
function successively produces the identity function.

To see how RSA works, see the previous post An Illustration of the RSA Algorithm.
____________________________________

RSA Algorithm

We first briefly describe the algorithm and then present the mathematical statement to
validate.

Let N=p . q where p and q are two prime numbers. Let φ =(p-1) . (q-1). Choose an
integer e with 1<e<N such that e and φ are relatively prime.

The public key consists of N and e where e is the encryption key. Once it is published,
anyone can use it to encrypt messages to send to the creator of the public key. The
following is the encryption function:

f(M) ≡ M^e (mod N)

where M is a positive integer and is the original message.

The private key is a positive integer d that satisfies:

d . e ≡1 (mod φ =(p-1) . (q-1))

In other words, d is the multiplicative inverse of e in the modular arithmetic of modulo

\phi. The above condition is equivalent to: de-1=(p-1) . (q-1) . k for some integer k.

The number d is the decryption key that will be used to decode messages. So it should
remain private.

Once the creator of the public key receives an encrypted message ​C = f (M),​ he or she
uses the following decryption function to obtain the original message M.

g(C) ≡C^d (mod N)

____________________________________

The Mathematical Statement to Validate

What we prove is that the decryption function is to undo the encryption function.
Specifically, we prove the following:

g(C)=g(f(M))=(M^e)^d=M^ed ≡M (Mod N) (1)

In other words, applying the decryption function g to the encryption function f produces
the original message.

____________________________________

Fermat’s Little Theorem

In this section, we list out the tools we need to prove the correctness of RSA.
Theorem 1 (Fermat’s Little Theorem)

If p is a prime number and a is an integer such that a and p are relatively prime, then

a^p-1 -1 is an integer multiple of p

or equivalently a^p-1 ≡1 (mod p).

For a proof of Fermat’s little theorem, see this post.

Lemma 2 (Euclid’s Lemma)

Let a, b and d be integers where d # 0. Then if d divides a . b (symbolically d \ a . b),

then either d \ a or d \ b.

Euclid’s Lemma is needed to prove the following Lemma.

Lemma 3
Let M be an integer. Let p and q be prime numbers with p # q.,

Then if a ≡ M (mod p) and a ≡M (mod q), then a ≡M ( mod p . q).

Proof of Lemma 3
Suppose we have a ≡ M ( mod p) and
a ≡ M (mod q). Then for some integers i and j, we have:

a=M+p. i and a=M+q . j.

Then p . i=q . j. This implies that p divides q. j (p \ q . j). By Euclid’s lemma, we have
either p \ q or p \ j. Since p and q are distinct prime numbers, we cannot have p \ q. So
we have p \ j and that j=p . w for some integer w.

Now, a=M+q . j = M+q . p . w, implying that a ≡ M (mod p . q). ■

____________________________________

The Proof of (1)

We now prove the property (1) described above. We show that

(M^e)^d=M^ed ≡ M ( Mod N = p . q)

We first show that M^ed ≡ M (Mod p) and M^ed ≡ M ( Mod q). Then the desired result
follows from Lemma 3.

To show M^ed ≡ M ( Mod p), we consider two cases: M ≡ 0 (Mod p) or M # 0 (Mod p).
Case 1. M ≡ 0 ( Mod p). Then M is an integer multiple of p, say M=p . w where w is an
integer. Then
M^ed =(p . w)^ed =p . p^ed-1 . w^ed . So both M and M^{ed} are integer multiples of
p. Thus M^{ed} ≡ M (Mod p).

Case 2. M # 0 ( Mod p). This means that p and M are relatively prime (having no
common divisor other than 1). Thus we can use Fermat’s Little Theorem. We have
M^p-1≡ ( mod p).

From the way the decryption key d is defined above, we have ed-1=(p-1) . (q-1) k . for
some integer k. We then have:

M^ ed =M^ed-1 . M
=M^(p-1) (q-1) . k .M
=(M^p-1)^(q-1) .k . M
≡ (1)^{(q-1) . k . M ( Mod p) ​*
≡ M ( Mod p)

At the step with ​*,​ we apply Fermat’s Little Theorem. So we have M^{ed} M ≡(Mod p).

The same reason reasoning can show that M^ed ≡ M ( Mod q).

By Lemma 3, it follows that M^{ed} ≡ M (Mod N=p . q). ■

____________________________________
​Chinese Remainder Theorem

Let m1 and m2 be two integers with

gcd(m1,m2) = 1. Let a1 and a2 be any integers. Then the system: x ≡a1 (mod m1) x
≡a2 (mod m2) has exactly one solution (mod m1m2). Example: Solve the system below:
x ≡4 (mod 5)
x ≡3 (mod 11)

​Solution:

List all the integers that are congruent to 3 (mod 11), up to 5×11: 3, 14,25,36,47. The
only one that is also congruent to 4 (mod 5) is 14. Since gcd(5,11) = 1, the Chinese
Remainder Theorem guarantees us that x ≡14 (mod 55) is the only solution. There is a
more general version of the Chinese Remainder Theorem, but we don’t need it to
understand RSA encryption.

Chinese Remainder Theorem in RSA-CRT and Rebalanced RSA-CRT

In RSA-CRT, it is a common practice to employ the Chinese Remainder

Theorem during decryption. It results in a decryption much faster than modular
exponentiation. RSA-CRT differs from the standard RSA in key generation and
decryption. The value of d, the secret exponent cannot be made short. As soon
as d< N0.292, RSA system can be totally broken. Keeping this in mind we make
use of the following scheme.
​RSA-CRT key generation

1. Let p and q be very be two very large primes of nearly the same size such
that gcd (p1, q-1) = 2.

2. Compute N = p*q.

3. Pick two random integers dp and dq such that gcd (dp, p-1)=1, gcd (dq,
q-1)=1 and dp==dq mod 2.

4. Find a d such that d==dp mod p-1 and d==dq mod q-1.

5. Compute e=d-1 (mod Phi (N)).

The public key is <N, e> and the private key is <p, q, dp, dq>. Since
gcd (dp, p-1) =1 and d==dp mod p-1, we have gcd (d, p-1)=1.
Similarly, gcd (d, q-1)=1. Hence gcd (d, phi (N))=1 and by step 5, e can be
computed.
To apply the Chinese Remainder Theorem in step 4, the respective moduli
have to be relatively prime in pairs for a solution to necessarily exist. We
observe that p-1 and q-1 are even and that we cannot directly apply the
Chinese Remainder Theorem. However, gcd ((p-1)/2, (q-1)/2)=1.
Since gcd (dp, p-1)=1 and gcd (dq, q-1)=1, essentially dp, dq are odd integers
and dp-1, dq-1 are even integers. We have gcd (d, p-1)=1, which implies that d
is odd and d-1 is even.
To find a solution to
d==dp mod p-1,
d==dq mod q-1.
We find a solution to d-1==dp –1 mod p-1, d-1==dq –1 mod q-1. By applying the
cancellation law and taking the common factor 2 out, we have x=d’== (d-1)/2==(dp
–1)/2 mod( p-1)/2, x=d’==(d-1)/2==(dq –1)/2 mod( q-1)/2. Using Chinese Remainder
Theorem we find d such that d = (2*d’) +1.

RSA-CRT Decryption

Since RSA-CRT encryption is same as that of the standard RSA encryption

procedure, we now turn our attention to RSA-CRT decryption. Let M be the
plaintext and C the ciphertext. Theorem: If C is not divisible by p and dp==d
mod p-1, then Cdp==Cd (mod p). For decryption we find 1. Mp=Cdp(mod p)=
Cd(mod p) and Mq=Cdq(mod q)= Cd(mod q). 2. Then using Chinese Remainder
Theorem, we find a solution for
M=Mp(mod p)= Cd(mod p),
M=Mq=Cdq(mod q)= Cd(mod q).
We now illustrate the scheme using an over simplified

Example

. Choose p = 7, q = 11,
gcd (p-1, q-1) = 2,
N = p*q
 = 7*11 = 77,
phi (N) = (p-1)*(q-1) = 6*10 = 60.
Let dp = 5, gcd (dp , p-1) = gcd (5,6) = 1.
dq = 3, gcd (dq , q-1) = gcd (3,10) = 1.
We are to find d such that d==5 mod 6, d==3 mod 10.
We cannot apply the Chinese Remainder theorem since gcd (6,10) ≠ 1, hence
we convert the system of congruences in such a manner that the cancellation law
can be applied Therefore, we have d-1==5-1 mod 6, d-1==3-1 mod 10.
On applying the cancellation law,
(d-1)/2==(5-1)/2 mod (6/2),
(d-1)/2==(3-1)/2 mod (10/2).
x = d’= (d-1)/2== 2 mod 3,
x = d’= (d-1)/2== 1 mod 5.
Solving using Chinese Remainder Theorem, M = 3*5 = 15,
M1 =15/3 = 5,
M2 = 15/5=3.
5*N1==1 mod 3, N1=2,
3*N2==1 mod 5, N2=2.
We have, d’ = x = 2*5*2 + 1*3*2
= 26(mod 15) = 11.
Therefore d’ = 11 and d = (2*d’)+1
= (2*11) +1 = 23, d = 23.
Now we find, e such that
e*d==1 mod phi(N),
e*23==1 mod 60, e = 47.
Let the plaintext M=5. C=547 mod 77 = 3.
 For decryption, we find M = Mp mod p = cd mod p,
M = Mq mod q = cd mod q.
Mp = 35 mod 7 = 243 mod 7 = 5,
Mq = 33 mod 11= 27 mod 11 = 5.
Using the Chinese Remainder Theorem, M = 7*11 = 77,
M1 = 77/7 = 11,
M2 = 77/11 = 7.
11*N1==1 mod 7,
N1=2,
7*N2==1 mod 11, N2=8.
x = 5*11*2 + 5*7*8
= 390 mod 77 =5.
Thus x = M = 5, as desired. In this specific example (Mp and Mq)=5 is a
common solution and it is not necessary to further apply the Chinese Remainder
Theorem.
We now turn our attention to another RSA variant, the Rebalanced RSA-CRT.
The main aim of Rebalanced RSA-CRT is to speed up RSA decryption by
shifting the work to the encrypter. This behavior is particularly useful for RSA
decryption in mobile devices like cell phones whose life is limited by its battery.
Rebalanced RSA-CRT decryption is over three times faster than the standard
RSA. The only difference between RSA-CRT and Rebalanced RSA-CRT is in
choosing the values of dp and dq. In Rebalanced RSA-CRT, the size of e and
d are of the order of phi (N), where as in standard RSA, e is usually a 16-bit
or 32-bit integer. According to [6], the size of dp and dq should be at least
160-bits to achieve a security of 280. As a result, for Rebalanced RSA-CRT we
always choose (dp and dq) > 160-bits. The remaining steps are same as that
for RSA-CRT. The main drawback with this scheme is that the task of the
encrypter is enormous, even for a high-end computer. A variant of Rebalanced
RSA-CRT exists with encryption three times faster than the original Rebalanced
RSA-CRT.