1 Introduction to Cryptology


U R a Scientist (CWSF-ESPC 2017)
Mathematics and Cryptology
Patrick Maidorn and Michael Kozdron (Department of Mathematics & Statistics)

1 Introduction to Cryptology

While the phrase "making and breaking secret codes" appears widely in popular science writing and television programs, for professionals the correct term is cryptology.

[Figure: Alice, Bob, and the eavesdropper Eve; labels: communication channel, secure key channel]

Formally, cryptography is the science and art of concealing the content of communications between parties where the channel between them is controlled in some way by an unfriendly third party. A cipher or cryptosystem is a method of message concealment where knowledge of the shared secret information (the key) permits efficient encipherment (or encryption) of plaintext and decipherment (or decryption) of ciphertext. Eve's activity is cryptanalysis. She attempts to recover the plaintext from the ciphertext without knowledge of the key. Cryptology is the combination and interaction of cryptography and cryptanalysis.

To encode information means to represent it in forms that are not human readable. Some examples include JPEG images, Morse code, and Braille. One encodes information not to hide its content, but rather to make it amenable to the type of channel over which it is transmitted. However, a code book may be used as part of a cipher. For example, the Nazis used Enigma machines to encrypt secret messages before and during the Second World War. Based on the work of a team of Polish mathematicians in 1932, and several captured machines and code books, the Enigma was broken by the British at Bletchley Park in mid This, and other historical accounts, are detailed in Simon Singh's The Code Book (Doubleday, 1999).

Classical cryptosystems (such as the Spartan scytale, Caesar shift, Alberti disk, Vigenère autokey, Enigma machine) are characterized by the fact that both the sender (Alice) and the receiver (Bob) must have knowledge of the secret key. Such systems are often called symmetric cryptosystems. The security of symmetric systems relies on the correspondents agreeing on the key information through a secure key channel. (For instance, if the enemy steals the code book, it becomes useless!)

The need for an easy way to distribute the key, and to develop a secure cryptosystem in response to continual advances in computing, led to the idea of an asymmetric cryptosystem. Asymmetric cryptosystems, also called public-key cryptosystems, solve the key distribution problem while simultaneously providing a high level of security. This is accomplished by attaching a digital signature to the document in order to secure/verify the content and the sender's identity. Currently, RSA/DES/AES/PGP provide examples of "unbreakable" encryption. (Publicly, at least, these are "unbreakable.") In this sense, unbreakable means pragmatically unbreakable, not theoretically unbreakable.

The need to transmit vast amounts of data securely has contributed to/accounted for the widespread use of public-key cryptography, e.g., from sending credit card information over the web to talking on a cell phone. We may not think that we ever actively encrypt information, but we do so almost every time we check our email, talk on our cell phones, or buy something online.

1.1 Letter-to-Number Equivalents

Throughout these notes, we will represent the letters of the alphabet as numbers as follows.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

2 Mathematics and Cryptology

2.1 Introduction to Modular Arithmetic

When enciphering/deciphering messages using a Caesar shift we need to wrap our cipher alphabet. For instance, Caesar(+4) sends X to B. Modular arithmetic, informally called clock arithmetic, is the mathematical formulation of wrapping.

Example. What time is 234 hours past 2:00 p.m.?

Solution. Because 2 p.m. = 14:00 o'clock, we see that = 248, or 248:00 o'clock. However, 248 = so after 10 wraps, the clock will be back to where it started. Thus, 248:00 o'clock is the same as 8:00 o'clock, or 8 a.m. We write (mod 24) and say that 248 is congruent to 8 modulo (or mod) 24.

Definition. Let m be a positive integer (the modulus of our arithmetic). We say that integers a and b are congruent modulo m if b − a is evenly divisible by m, and write a ≡ b (mod m). In other words, a ≡ b (mod m) means a − b = km for some integer k. That is, start with the integer a, subtract b. The result is divisible by m.

Example. Some examples include the following: 17 ≡ 2 (mod 3), 17 ≡ 5 (mod 3), 5 ≡ 17 (mod 3), (mod 10), (mod 100), (mod 100), (mod 100), 23 ≡ −2 (mod 5), −2 ≡ 23 (mod 5), 23 ≡ 3 (mod 5), (mod 5), 5 ≡ 0 (mod 5), 0 ≡ 0 (mod 5), and (mod 5).

Remark. Some important properties of modular arithmetic are as follows.

a ≡ a (mod m)
m ≡ 0 (mod m)
a ≡ b (mod m) ⇒ b ≡ a (mod m)
a ≡ b (mod m) ⇒ a ≡ b + m (mod m)
a ≡ b (mod m) ⇒ a + m ≡ b (mod m)
a ≡ b (mod m) ⇒ a + c ≡ b + c (mod m)

Example. Let m = 2. It then follows that (mod 2), and (mod 2). In fact, these are the only two classes (called equivalence classes) of numbers mod 2. When you divide any number by 2, the remainder is either 0 or 1. This leads to binary arithmetic: = 0, = 1, = 1, = 0. Really, we mean (mod 2), (mod 2), (mod 2), and (mod 2). You can think about this as follows. Add two even numbers together: the result is always even. Add two odd numbers together: the result is always even. Add one odd and one even number together: the result is always odd.

Example. What numbers are congruent to 17 modulo 6?

Solution. They are 17, , , , etc. That is, (mod 6), (mod 6), (mod 6), (mod 6). So are 17 − 6, , , etc. That is, (mod 6), 5 ≡ 17 (mod 6), −1 ≡ 17 (mod 6), −7 ≡ 17 (mod 6). In fact, an exhaustive list is given by k as k ranges through Z.

Note that 5 is the smallest positive number congruent to 17 modulo 6. Thus, we give it a special name: 17 MOD 6 = 5. (In fact, 5 is the remainder when 17 is divided by 6.)

Let m be a positive integer, and let b be an integer. There is exactly one pair of integers q (called the quotient of b divided by m) and r (called the remainder) satisfying 0 ≤ r < m such that b = qm + r. Of course, q and r can be found by long division. For instance, ) i.e., 1171 =

Let b MOD m denote the remainder r. For instance, 1171 MOD 3 = 1. Let b DIV m denote the quotient q. For instance, 1171 DIV 3 = 390. We can imagine MOD and DIV just like + or or or so that we write b MOD m = r and b DIV m = q (as real equalities). The triple line in a ≡ b (mod m) signifies something funny, namely a congruence!

2.2 Caesar Shifts

Example. Suppose that the key is 7 and the plaintext is THURSDAY. Determine the ciphertext.

Solution. We find the ciphertext as follows.

plaintext    T H U R S D A Y
x
x
(x + 7) MOD
ciphertext   A O B Y Z K H F

Example. Suppose that the key is 11 and the ciphertext is QCTOLJ. Determine the plaintext.

Solution. We find the plaintext as follows.

ciphertext   Q C T O L J
y
y
(y − 11) MOD
plaintext    F R I D A Y

Summary. If x is the numerical equivalent of a plaintext letter, then the shift of x by k can be computed by E(x) = (x + k) MOD 26. If y is the ciphertext numerical equivalent, then decipherment is achieved by D(y) = (y − k) MOD

2.3 More Modular Arithmetic

Modular addition, subtraction, and multiplication all work like normal. There is no such thing as modular division.

Theorem. Suppose that a ≡ b (mod m) and c ≡ d (mod m). Then a + c ≡ b + d (mod m) and ac ≡ bd (mod m).

Proof. Suppose that a − b = k_1 m and that c − d = k_2 m. It then follows that

(a + c) − (b + d) = a − b + c − d = k_1 m + k_2 m = (k_1 + k_2)m

which implies (a + c) − (b + d) is a multiple of m. That is, a + c ≡ b + d (mod m). Furthermore,

ac = (b + k_1 m)(d + k_2 m) = bd + k_1 dm + k_2 bm + k_1 k_2 m^2

which implies that

ac − bd = (k_1 d + k_2 b + k_1 k_2 m)m

and so ac − bd is a multiple of m. That is, ac ≡ bd (mod m).

Example. If x − 4 ≡ 5 (mod 26), find x.

Solution. We've shown that modular addition works like normal so we simply subtract 5 from each side of the congruency. This gives x − 9 ≡ 0 (mod 26). Since 26 is congruent to 0 modulo 26, we see that x = 35 works. So, too, do ..., −17, 9, 35, 61, .... That is, x = k, k Z.

Example. If 5x ≡ 1 (mod 3), find x.

Solution. Subtracting 1 from both sides gives 5x − 1 ≡ 0 (mod 3). This means that we need to find a value of x such that 5x − 1 is a multiple of 3. If x = −1, then 5(−1) − 1 = −6 is a multiple of 3. Thus, ..., −4, −1, 2, 5, ... all work. That is, x = −1 + 3k, k ∈ Z.

The integers 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, ... are all prime. That is, each is divisible by only 1 and itself. In general, the positive integer p is prime if the only proper divisors of p are 1 and p. A number greater than 1 which is not prime is called composite. The number 1 is neither prime nor composite.

Theorem (Fundamental Theorem of Arithmetic). Every positive integer is either prime or is the product of primes. The factorization is unique up to the order of the factors.

Example. We can write 588 as 588 = = = = =

Definition. We say that two positive integers a and b are relatively prime if they have no common factors. Equivalently, a and b are relatively prime if gcd(a, b) = 1, i.e., if the greatest common divisor of a and b is 1. Note that the number 1 is relatively prime to every positive integer (including 1 itself) since gcd(a, 1) = 1 for all positive a ∈ Z.

Example. The numbers 588 = and 605 = are relatively prime.

Example. If 5x ≡ 1 (mod 6), find x.

Solution. Subtracting 1 from both sides gives 5x − 1 ≡ 0 (mod 6). Clearly x = −1 and x = 5 both work. Therefore, all solutions are given by x ≡ 5 (mod 6).

Example. If 4x ≡ 1 (mod 6), find x.

Solution. Subtracting 1 from both sides gives 4x − 1 ≡ 0 (mod 6) so we simply need to find x such that 4x − 1 is a multiple of 6. However, 4(0) − 1 = −1, 4(1) − 1 = 3, 4(2) − 1 = 7, 4(3) − 1 = 11, 4(4) − 1 = 15, 4(5) − 1 = 19, etc., so we see that there are NO solutions.

Thus, we are led to ask the following question. When is there a solution to ax ≡ 1 (mod m)? Consider the following multiplication tables.

[Multiplication tables (mod 2), (mod 3), and (mod 4)]

Remark. Any two numbers multiplied modulo m give an answer equal to 0, 1, 2, ..., or m − 1. Therefore, to solve ax ≡ 1 (mod m) we only need to check x = 0, 1, 2, ..., m − 1.

Example. Solve 3x ≡ 1 (mod 4) using the multiplication table above.

Solution. We see that x = 3 works. Therefore, x ≡ 3 (mod 4).

Example. Solve 2x ≡ 1 (mod 4) using the multiplication table above.

Solution. There is no x that works.

Example. Is there a solution of 13x ≡ 1 (mod 64)?

Solution. Consider the 64 possible remainders after division by 64 (namely 0, 1, 2, ..., 63). We see that x 0 so consider the following 63 numbers

MOD MOD MOD 64

Either one (or more) of these numbers equals 1 (in which case there is a solution) or none of these numbers equals 1 (in which case there is no solution). If there is no solution, however, it must be the case that at least 2 of them are the same. Therefore, 13i ≡ 13j (mod 64) for some i ≠ j. This implies that 13(i − j) ≡ 0 (mod 64) and so 13(i − j) must be a multiple of 64. But 13 and 64 are relatively prime, so the only way for 13(i − j) to be a multiple of 64 is if (i − j) is a multiple of 64. However, this is impossible. Thus, we are forced to conclude that 1 must be in the list. That is, 13x ≡ 1 (mod 64) for some value of x between 1 and 63. (In fact, x = 5 works.)

Theorem. The equation ax ≡ 1 (mod m) has a solution if and only if a and m are relatively prime. The solution in the range 1, 2, 3, ..., m − 1 is called the multiplicative inverse of a modulo m and is written a^(−1) MOD m.

Example. Find 5^(−1) MOD 14.

Solution. We must solve 5x ≡ 1 (mod 14) for x. We see that x ≡ 3 (mod 14). Therefore, 5^(−1) MOD 14 = 3. Note, in fact, that (mod 14).

Example. Solve 4x (mod 9).

Solution. We see that 4x (mod 9) implies 4x (mod 9). Thus, x = 2 works and so x ≡ 2 (mod 9).

2.4 Affine Ciphers

An encipherment scheme of the form E(x) = (ax + b) MOD 26 is called an affine cipher. Here x is the numerical equivalent of the given plaintext letter, and a and b are (appropriately chosen) integers.

Example. Encipher ITS COOL with E(x) = (5x + 8) MOD 26.

Solution. Filling in the following table gives

plain    I T S C O O L
x
x
(5x + 8) MOD
cipher   W Z U S A A L

If y = E(x) = (ax + b) MOD 26, then we can solve for x in terms of y and so determine E^(−1)(y). That is, if y ≡ (ax + b) (mod 26), then y − b ≡ ax (mod 26), or equivalently ax ≡ (y − b) (mod 26). Using our earlier results, we see that if we multiply both sides by a^(−1) MOD 26, then x ≡ a^(−1)(y − b) (mod 26) and so our decipherment function is E^(−1)(y) = a^(−1)(y − b) MOD 26.

Example. Decipher HPCCXAQ if the encipherment function is E(x) = (5x + 8) MOD 26.

Solution. We begin by finding the decipherment function. Since 5x ≡ 1 (mod 26) is solved with x ≡ 21 (mod 26) we see 5^(−1) MOD 26 = 21. Therefore, E^(−1)(y) = 21(y − 8) MOD 26 and so filling in our table gives

cipher   H P C C X A Q
y
y
(y 8)
(y 8) MOD
plain    F R E E D O M

Example. Suppose that an affine cipher E(x) = (ax + b) MOD 26 enciphers H as X and Q as Y. Find the cipher (that is, determine a and b).

Solution. We see that H → X means E(7) = 23 and Q → Y means E(16) = 24. That is, a · 7 + b ≡ 23 (mod 26) and a · 16 + b ≡ 24 (mod 26). Subtracting gives 16a − 7a ≡ 1 (mod 26) so that 9a ≡ 1 (mod 26). Therefore, a = 9^(−1) MOD 26 = 3. Finally, we substitute a = 3 into either of the earlier equations and solve for b, i.e., b 23 (mod 26) implies b = 2. In summary, E(x) = (3x + 2) MOD 26.

Remark (The MOD-mod Connection). The least non-negative solution of the congruence x ≡ b (mod m) is x = b MOD m.

2.5 Decimation Ciphers

In the special case where b = 0, the affine cipher E(x) = ax MOD m is called a decimation cipher. The key idea in this subsection is that certain choices of a and m do not lead to valid substitutions.

Example. Suppose that E(x) = 4x MOD 26. Determine the ciphertext alphabet.

Solution. We begin with our table of numerical equivalents, and then determine 4x MOD 26.

plain    A B C D E F G H I J K L M
x
x
x MOD
cipher   A E I M Q U Y C G K O S W

plain    N O P Q R S T U V W X Y Z
x
x
x MOD
cipher   A E I M Q U Y C G K O S W

The problem, of course, is that 4 and 26 are not relatively prime, and so this cyclic phenomenon occurs in the cipher alphabet. Since the numbers 0, 2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, 24 are not relatively prime to 26, the only possible choices for the decimation cipher E(x) = ax MOD 26 are a = 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.

Therefore, we conclude that the decimation cipher is weaker than the simple shift cipher. If the cryptanalyst knows that a shift cipher has been used, then there are 25 possible shifts that need to be checked. However, if it is known that a decimation cipher has been used, then there are only 12 possible ciphers that need to be checked.

2.6 Summary of Valid Affine Ciphers

The function E(x) = (ax + b) MOD 26 defines a valid affine cipher if a is relatively prime to 26, and b is an integer between 0 and 25, inclusive. If b = 0, then we refer to this cipher as a decimation cipher. (Note that since there are 12 valid choices of a and 26 valid choices of b, there are = 312 possible valid affine ciphers.) Also note that if a = 1, then E(x) = (x + b) MOD 26 is simply a Caesar (+b) shift cipher.
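
The shift, decimation, and affine ciphers of Sections 2.2 to 2.6 in one place, as an added Python example that is not part of the original notes. It assumes the numbering A = 0, ..., Z = 25 (consistent with E(7) = 23 for H → X above); all function names are chosen here for illustration.

```python
from math import gcd

M = 26  # alphabet size; letters are numbered A=0 ... Z=25 (assumed, see lead-in)


def to_nums(text):
    """Letters -> numerical equivalents; spaces and punctuation are dropped."""
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]


def to_text(nums):
    return "".join(chr(n % M + 65) for n in nums)


def check_key(a, b):
    """A key (a, b) is valid only if a is relatively prime to 26."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} shares a factor with {M}: not a valid substitution")
    return a % M, b % M


def encipher(plain, a, b):
    """E(x) = (ax + b) MOD 26; a = 1 gives a Caesar shift, b = 0 a decimation."""
    a, b = check_key(a, b)
    return to_text((a * x + b) % M for x in to_nums(plain))


def decipher(cipher, a, b):
    """E^(-1)(y) = a^(-1) (y - b) MOD 26."""
    a, b = check_key(a, b)
    a_inv = pow(a, -1, M)  # multiplicative inverse mod 26 (Python 3.8+)
    return to_text(a_inv * (y - b) % M for y in to_nums(cipher))


def cipher_alphabet(a, b=0):
    """Cipher alphabet WITHOUT the validity check, to show the failure mode."""
    return to_text((a * x + b) % M for x in range(M))


def recover_key(pairs):
    """Recover (a, b) from two known (plain letter, cipher letter) pairs.

    Subtracting the two congruences a*x + b = y (mod 26) gives
    a*(x2 - x1) = y2 - y1, which is solvable when x2 - x1 is invertible mod 26.
    """
    (x1, y1), (x2, y2) = [(to_nums(p)[0], to_nums(c)[0]) for p, c in pairs]
    dx = (x2 - x1) % M
    if gcd(dx, M) != 1:
        raise ValueError("plaintext difference is not invertible mod 26; use another pair")
    a = (y2 - y1) * pow(dx, -1, M) % M
    b = (y1 - a * x1) % M
    return a, b


def valid_keys():
    """Every valid affine key: the whole key space a cryptanalyst must search."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]


if __name__ == "__main__":
    print(encipher("THURSDAY", 1, 7))              # Caesar shift, key 7
    print(encipher("ITS COOL", 5, 8))              # affine example
    print(decipher("HPCCXAQ", 5, 8))
    print(recover_key([("H", "X"), ("Q", "Y")]))   # known-plaintext key recovery
    print(cipher_alphabet(4))                      # a = 4: only 13 distinct letters
    print(len(valid_keys()))                       # size of the affine key space
```

The key space is small enough to enumerate in full, which is why these ciphers are teaching tools rather than protection.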

2.7 The Hill Cipher (for those familiar with matrices)

The Hill cipher is an example of a polygraphic, or block cipher. Blocks of plaintext letters are enciphered as units. To begin, Alice and Bob agree on an invertible 2 × 2 key matrix A (so this is another example of a symmetric cryptosystem).

Encipherment. For plaintext given in numerical equivalents x_1, x_2, ..., x_(n−1), x_n with n even, form the plaintext matrix

    X = [ x_1  x_3  ...  x_(n−1) ]
        [ x_2  x_4  ...  x_n     ]

and calculate the ciphertext matrix Y = AX MOD 26. That is,

    Y = [ y_1  y_3  ...  y_(n−1) ]
        [ y_2  y_4  ...  y_n     ]

and so the ciphertext is y_1, y_2, ..., y_(n−1), y_n.

Decipherment. Begin by computing A^(−1) MOD 26. If the ciphertext is y_1, y_2, ..., y_(n−1), y_n, form the ciphertext matrix

    Y = [ y_1  y_3  ...  y_(n−1) ]
        [ y_2  y_4  ...  y_n     ]

and calculate X = A^(−1) Y MOD 26 so that the plaintext matrix is

    X = [ x_1  x_3  ...  x_(n−1) ]
        [ x_2  x_4  ...  x_n     ]

and the plaintext is x_1, x_2, ..., x_(n−1), x_n.

Example. Encipher GO HOME using the key matrix

    A = [ 3  7 ]
        [ 1  4 ]

Solution. The plaintext GO HOME becomes X = and so the ciphertext is [ ] [ ] Y AX Converting back to numerical equivalents gives [ 6 7 ] [ ] M K P L M C

Example. Decipher DXSD if it was enciphered with

    A = [ 5  4 ]
        [ 1  5 ]

[ ] (mod 26).

Solution. We begin by finding A^(−1) MOD 26. Since det[A] = 25 − 4 = 21 and since 21a ≡ 1 (mod 26) implies a ≡ 5 (mod 26), we conclude that (det[A])^(−1) = 21^(−1) MOD 26 = 5. This gives [ ] [ ] A MOD 26 = 5 MOD 26 = Since the ciphertext is Y = [ 3 ] we know that X = A^(−1) Y MOD 26. Therefore, [ ] [ ] [ ] X Converting back to numerical equivalents gives DEAL. [ ] (mod 26).

2.8 Cryptanalysis of the Hill Cipher

In the case of 2 × 2 matrices, since there are 26^2 = 676 two-letter blocks possible, the Hill cipher amounts to a monoalphabetic substitution on an alphabet of 676 letters. However, the English letter frequencies in the plaintext are disguised and so given only the ciphertext, frequency analysis is not really possible.

However, a brute force attack may work. Assuming that the key matrix A is 2 × 2 means that the cryptanalyst needs to try out the inverse A^(−1) on the start of the ciphertext to see if sensible plaintext is produced. There are 26^4 = possible 2 × 2 matrices modulo 26, but obviously not all are invertible. Therefore, assuming that a computer takes one-tenth of a second to multiply a matrix by the first few terms of the ciphertext, it would take about 12 hours to check all possibilities.

A matrix is invertible modulo 26 if and only if it is invertible modulo 2 and it is invertible modulo 13. The Chinese Remainder Theorem can then be used to show that the number of 2 × 2 matrices that is invertible modulo 26 is 26 4 (1 1 2 )( )( )( ) = This means that, once the invertible 2 × 2 matrices are determined, it would take approximately 4 hours to check all possibilities.

However, if a little bit of the plaintext is known, then it is relatively straightforward to cryptanalyze.

Example. Suppose that a ciphertext begins with WJMQ FMGG which corresponds to STAY HOME. Determine the key matrix.

Solution. Since ST → WJ and AY → MQ, we know that [ ] [ ] [ ] A (mod 26) and A [ ] (mod 26). But because of the way matrix multiplication is defined, this is equivalent to [ ] [ ] A (mod 26)

Now, to solve for A, all we need to do is multiply both sides by [ ] MOD Unfortunately, this inverse does not exist since its determinant is 432 MOD 26 = 16 which is NOT relatively prime to 26. However, we also know that HO → FM which means that [ ] [ ] 7 5 A (mod 26) Thus, we have [ ] [ ] A (mod 26). Since [ ] 1 [ ] MOD 26 = we conclude that and so [ ] [ ] [ ] [ ] A A [ 9 ] (mod 26). (mod 26)

Remark. There is nothing that requires the key matrix to be 2 × 2. For instance, a 3 × 3 key matrix requires that the plaintext be grouped in threes; that is,

    X = [ x_1  x_4  ...  x_(n−2) ]
        [ x_2  x_5  ...  x_(n−1) ]
        [ x_3  x_6  ...  x_n     ]

The resulting Hill alphabet has 26^3 = letters. A 4 × 4 key matrix yields an alphabet of 26^4 = letters. There are general formulas to compute inverses of matrices, and these can be implemented on a computer. It is important to note that the formula for the inverse is nice only for 2 × 2 matrices.

2.9 Introduction to RSA and Public Key Cryptography

In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman from MIT published an algorithm for an asymmetric cryptosystem which eliminated the need for Alice and Bob to privately exchange keys. The RSA algorithm, which improved an earlier one that was devised by Ralph Merkle and Martin Hellman, is now the basis for all modern public cryptosystems. In 1997, declassified UK Government Communications Headquarters (GCHQ) documents revealed that an algorithm equivalent to RSA had been discovered by them in 1973, although it is not believed to have ever been implemented.

We will explain the RSA cryptosystem first, and then in subsequent sections we'll explain the number theory that makes it work. In order to receive encrypted messages, Alice does the following. She

- picks distinct primes p and q,
- computes m = p · q,
- computes n = (p − 1) · (q − 1) and chooses e relatively prime to n,
- computes d = e^(−1) MOD n (i.e., ed = kn + 1 for some k ∈ Z), and
- broadcasts m and e keeping d, p, q, and n secret.

The encryption function is E(x) = x^e MOD m, 0 ≤ x ≤ m − 1.

For Bob to encipher a message to Alice, he uses y = E(x) = x^e MOD m.

For Alice to decipher a received message, she uses x = D(y) = y^d MOD m.

Note that this algorithm is designed for Bob to send encrypted messages to Alice. If Bob wants to receive encrypted messages from Alice, then he must choose his own values of p, q, and e.

Question. Why does D(y) work?

Answer. Since y ≡ x^e (mod m), we have

D(y) ≡ D(x^e) (mod m) ≡ x^(ed) (mod m) ≡ x^(kn+1) (mod m) ≡ x^(k(p−1)(q−1)+1) (mod m) ≡ x (mod m).

The last step is the crucial one and is true as a result of Fermat's little theorem.

After seeing the algorithm there are several further questions to answer. How do you pick p, q, e? How do you compute d? What is Fermat's little theorem?

Example. Alice chooses p = 37 and q = 41. She then computes m = pq = = 1517 and n = (p − 1)(q − 1) = = She then chooses e = 7. This choice is arbitrary. Since 1440 = , the numbers e = 11, e = 121, and e = 961 = 31^2 also work. She broadcasts 1517 and 7. She calculates d = e^(−1) MOD n = 7^(−1) MOD That is, 7d − 1 ≡ 0 (mod 1440) implies d ≡ −617 (mod 1440) so that d = −617 MOD 1440 = 823.

Now, suppose that Bob wants to send the message 190 to Alice. He computes y = E(190) = MOD 1517 = 499 MOD 1517 and so he sends 499 to Alice.

Suppose that Alice also receives the message 941 from Bob. To decipher the message, she computes x = D(y) = D(941) = MOD 1517 = (This last equality is not obvious. It follows from Fermat's little theorem which we will learn about shortly.)

Remark. If you are familiar with different number bases, then the numbers in the previous example can actually be written in base 26 as sensical words. For example, Bob's number 190 corresponds to the message 190 = = = HI (base 26) and Alice's deciphered number 1304 corresponds to 1304 = = BYE (base 26).

Except in trivial examples, it is virtually impossible to perform these calculations by brute force, even with a computer. We will shortly see ways to simplify modular arithmetic calculations using methods such as the Extended Euclidean Algorithm.

Question. Why is RSA secure?

Example. Suppose that Alice publishes the modulus m = and the exponent e = 11. Eve intercepts the message y = How can she recover the plaintext?

Solution. If Eve can factor = pq, then she can compute n = (p − 1)(q − 1) and obtain d = 11^(−1) MOD n. She then can decipher by computing d MOD

Answer. For the previous modulus, factoring is not too difficult. If the modulus is large (roughly 200 decimal digits), then factoring is infeasible. The conventional wisdom is that the only way to break RSA is to factor m. As long as this is true, then RSA is secure. As computers get faster, all that is needed is larger primes p and q. It is worth noting that a quantum computer will be able to break RSA in a matter of seconds. Researchers are currently trying to build such devices.

The Euclidean and Extended Euclidean Algorithms

The first step for Alice in the RSA algorithm is to pick two distinct prime numbers p, q. The second step is for Alice to compute m = p · q. The third step is for her to compute n = (p − 1) · (q − 1) and then choose e relatively prime to n. Alice's fourth step is to compute d = e^(−1) MOD n. Thus, our immediate goal is to determine if two numbers are relatively prime. As a consequence, we will be able to perform steps three and four simultaneously.

Example. Since = and = , we conclude gcd( , ) = =

Let a and b be positive integers. We now develop an algorithm for finding gcd(a, b).

Example. Let a = 285 and let b = We first try dividing the small number into the larger number: = Therefore, gcd(285, 54435) = 285.

Example. Let a = 5628 and let b = This time, if we divide the smaller into the larger, we find 5628 = Therefore, 1092 = If d = gcd(5628, 1512), then d is also a divisor of That is, 1092 = d q_1 − 3 d q_2 = d(q_1 − 3q_2). Now, divide 1092 into 1512 so that 1512 = Therefore, gcd(1512, 1092) = gcd(1092, 420). Continue dividing to find 1092 = so that gcd(1092, 420) = gcd(420, 252). Next, 420 = so that gcd(420, 252) = gcd(252, 168). Since 252 = , we see that gcd(252, 168) = gcd(168, 84). Finally, 168 = so that gcd(168, 84) = 84. In summary, we have gcd(5628, 1512) = gcd(168, 84) = 84.

We call this process the Euclidean algorithm. However, this sequence of steps actually gives more information. Back substituting we find:

(i) = 1092 (ii) 1512 = (iii) 0 = (iv) 0 = (v) 0 = ( 1) (iv) + (v) : (vi) 0 = (2) (iii) + (vi) : (vii) 0 = 2 ( 1092) ( 5) (ii) + (vii) : (viii) ( 5) 1512 = ( 7) (7) (i) + (viii) = 84

In summary, = 84 = gcd(5628, 1512). This sequence of steps is known as the extended Euclidean algorithm.

Theorem (Extended Euclidean Algorithm). If a and b are positive integers, then there exist integers s, t such that as + bt = gcd(a, b).

Since a and b must be positive integers, it is necessarily the case that exactly one of s or t is positive and the other is negative. As a consequence of the extended Euclidean algorithm we find the following.

Corollary. If a and b are relatively prime so that gcd(a, b) = 1, then b^(−1) MOD a, the inverse of b modulo a, is congruent to t (mod a) where s and t are the integer solutions to as + bt = 1. In fact, b^(−1) MOD a = t MOD a.

Example. Show that 9973 and are relatively prime and find MOD

Solution. Let a = , let b = Applying the extended Euclidean algorithm yields a = b b = = = which implies gcd(a, b) = gcd(b, 1647) = gcd(1647, 91) = gcd(91, 9) = 1. We now find b = 1647 b = = = which implies 0 = b = a b = 1 so that, in summary, 1096a b = 1, i.e., we have found s and t such that sa + tb = 1. Thus, MOD = Similarly, we deduce that MOD 9973 = −1096 MOD 9973 = 8877 since (mod 9973)

Modular Exponentiation

We will now develop a method for computing modular exponents. For example, suppose that we try and compute MOD 53. If we enter on a handheld calculator (such as a TI-Nspire), then we get an overflow error. The number is way too large for a calculator (and most other CAS software) to handle. We know, however, that working modulo 53 means that MOD 53 must be in the range from 0 to

Example. Compute 3^16 MOD 22.

Solution. We will work with powers of 2. Notice that (mod 22). Therefore, 3 4 (3 2 ) (mod 22) and so 3 8 (3 4 ) (mod 22). Finally, 3 16 (3 8 ) (mod 22) which means that 3^16 MOD 22 = 3.

Example. Compute 3^19 MOD 22.

Solution. We can write 19 in terms of powers of 2 as 19 = which implies that 3 19 = = and so (mod 22). Thus, 3^19 MOD 22 = 15.

It is worth noting that we could have computed 3^19 directly on a calculator and computed the remainder that way: 3 19 = = The technique, however, works just as easily for numbers too large for the calculator.

Example. Compute MOD 100.

Solution. We find (mod 100) (mod 100) (mod 100) (mod 100) (mod 100). Since 37 = , we conclude (mod 100) so that MOD 100 =

Fermat's Little Theorem

Using repeated exponentiation, we previously showed that 3^16 MOD 22 = 3. While this method will always work, it can be extremely tedious. For instance, to compute MOD 2393 would take 11 exponentiations and a lot of multiplications. A computer could handle this without much trouble, but it turns out that there is a much easier way that can be done quickly by hand! Consider the following chart.

[Chart: a^m MOD m for m = 2, 3, 4, 5, 6, 7]

Notice that for all choices of a, we have a^2 ≡ a (mod 2), a^3 ≡ a (mod 3), a^5 ≡ a (mod 5), a^7 ≡ a (mod 7). The following result is known as Fermat's little theorem and was formulated by Pierre de Fermat around It was generalized by Leonhard Euler in

Theorem (Fermat's Little Theorem). If p is a prime number, then
(i) a^p ≡ a (mod p) for all integers a, and
(ii) a^(p−1) ≡ 1 (mod p) for all integers a that are relatively prime to p.

Example. Calculate the following: (i) MOD 2393, (ii) MOD 2393, (iii) MOD 2393, and (iv) MOD 151.

Solution. We begin by noting that both 2393 and 151 are prime. (You can check an online table of prime numbers for this step.)

(i) Using the extended Euclidean algorithm, we find = 1. Therefore, 83 and 2393 are relatively prime so that part (ii) of FLT implies (mod 2393), i.e., MOD 2393 = 1.

(ii) By part (i) of FLT, we find (mod 2393), i.e., MOD 2393 = 83.

(iii) We can write 2396 = so that (mod 2393). Note that 83 4 = and 83 4 = , so that (mod 2393), i.e., MOD 2393 = 345.

(iv) Notice that 305 = We can write (13 2 ) (mod 151). Noting that (mod 151) gives (mod 151) and so (mod 151), i.e., MOD 151 = 135.

An easy consequence of Fermat's little theorem is the following.

Corollary. If p is a prime number and k is a non-negative integer, then a^(k(p−1)+1) ≡ a (mod p) for all positive integers a that are relatively prime to p.

Proof. Since a and p are relatively prime, we know from the second part of Fermat's little theorem that a^(p−1) ≡ 1 (mod p). Therefore, a^(k(p−1)) ≡ 1^k ≡ 1 (mod p) and so a^(k(p−1)+1) ≡ a^(k(p−1)) · a ≡ 1 · a ≡ a (mod p) as required.

Example. Compute MOD 29.

Solution. We can write 197 = = 7(29 − 1) + 1 so that (29 1)+1 12 (mod 29). That is, MOD 29 = 12.

Example. Compute MOD 31.

Solution. We begin by noting that 31 is prime. Therefore, we try to write 125 as k · 30 + 1 for some k. The closest we can manage is 121 = which means that (mod 31). Therefore, (mod 31) and so MOD 31 = 25.

This next consequence of Fermat's little theorem is sometimes known as Euler's theorem.

Theorem (Euler's Theorem). If p, q are distinct prime numbers and a is any integer, then a^(k(p−1)(q−1)+1) ≡ a (mod pq) for all positive integers k.

Example. Compute MOD 77.

Solution. Since 77 is not prime, we need to factor 77. Since 77 = 7 · 11, we can take p = 7 and q = 11. Since (p − 1)(q − 1) = 6 · 10 = 60, we can write 121 = = 2(p − 1)(q − 1) + 1. Therefore, (7 1)(11 1)+1 25 (mod 77) and so MOD 77 = 25.

Example. Compute MOD 77.

Solution. We already know that (mod 77). Therefore, 4 (mod 77) and so MOD 77 = 4.

RSA-129

Euler's theorem has important consequences for decryption in RSA. Notice that in the previous two examples, the modulus 77 was the product of distinct primes. The trick was to factor 77 as 7 · 11 and then compute (7 − 1)(11 − 1) = 60. We could then write 121 as which allowed the use of the theorem to compute MOD 77. Finding MOD 77 was then easy.

Example. In August 1977, a problem appeared in Martin Gardner's Mathematical Games column in Scientific American. It was posed by Rivest, Shamir, and Adleman, and consisted of the following information. Alice broadcasts her public exponent e and her modulus m where e = 9007 and m = Eve has intercepted the ciphertext y = What is the plaintext?

In order to decipher the message, one must factor the 129-digit m into the product of primes. This number became known as RSA-129. In April 1994, a team consisting of Derek Atkins, Michael Graff, Arjen Lenstra, and Paul Leyland succeeded in factoring RSA-129. They used the double large prime variation of the multiple polynomial quadratic sieve factoring method. The sieving step was carried out in 8 months by about 600 volunteers from more than 20 countries. The end result was RSA-129 = pq = When decrypted with the secret exponent d = e^(−1) MOD (p − 1)(q − 1) = the plaintext x = y^d MOD m reads

Exercise. Write the plaintext as Using the following numerical equivalents of the letters

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

with 00 corresponding to a space, decode the message.

Remark. A practical issue with RSA is that it is relatively slow to implement on a computer for the encryption of long messages. What is more commonly done in practice is that RSA is used to encrypt the key of some symmetric cryptosystem that is able to perform the encrypting-decrypting operations much faster. Thus, Alice and Bob can use a private key cryptosystem without having to ever meet to exchange the key.

3 References

The material in these notes is based upon the University of Regina undergraduate course Math 124: An Introduction to the Art and Science of Secret Writing which has been taught a number of times during the previous decade by Michael Kozdron and Patrick Maidorn. The textbook for this course is Invitation to Cryptology by Thomas H. Barr (Pearson, 2002), and complete proofs of all the theorems mentioned in these notes may be found in that book.

An electronic copy of these notes is available online at the following address.

kozdron/research/ugradtalks/cwsf2017.pdf
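
The Hill cipher of Section 2.7 and the known-plaintext key recovery of Section 2.8, as an added Python example that is not part of the original notes. It assumes A = 0, ..., Z = 25 and 2 × 2 keys; the function names are chosen here for illustration, and the sample texts are the GO HOME and STAY HOME / WJMQ FMGG examples from the notes.

```python
from itertools import combinations
from math import gcd

M = 26  # letters numbered A=0 ... Z=25 (assumed, see lead-in)


def to_nums(text):
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]


def to_text(nums):
    return "".join(chr(n + 65) for n in nums)


def mul(A, B):
    """(2 x 2) times (2 x k), every entry reduced MOD 26."""
    return [[sum(A[i][t] * B[t][j] for t in range(2)) % M
             for j in range(len(B[0]))] for i in range(2)]


def inverse(A):
    """A^(-1) MOD 26, or None when det(A) is not relatively prime to 26."""
    (a, b), (c, d) = A
    det = (a * d - b * c) % M
    if gcd(det, M) != 1:
        return None
    k = pow(det, -1, M)  # (det A)^(-1) MOD 26
    return [[k * d % M, -k * b % M], [-k * c % M, k * a % M]]


def columns(text):
    """Text -> 2 x (n/2) matrix: row 1 is x1 x3 ..., row 2 is x2 x4 ..."""
    n = to_nums(text)
    if len(n) % 2:
        raise ValueError("the 2 x 2 Hill cipher needs an even number of letters")
    return [n[0::2], n[1::2]]


def hill(A, text):
    """Y = A X MOD 26. Pass inverse(A) as the matrix to decipher."""
    Y = mul(A, columns(text))
    return to_text(v for col in zip(*Y) for v in col)


def recover_key(plain, cipher):
    """Known-plaintext recovery of the key from matching plain/cipher text.

    Any two plaintext blocks form a 2 x 2 matrix X' with A X' = Y' (mod 26).
    If X' is invertible mod 26 then A = Y' X'^(-1); otherwise try another pair.
    Returns (A, indices of the two blocks used) or None.
    """
    X, Y = columns(plain), columns(cipher)
    for i, j in combinations(range(len(X[0])), 2):
        Xp = [[X[0][i], X[0][j]], [X[1][i], X[1][j]]]
        Xinv = inverse(Xp)
        if Xinv is None:
            continue  # e.g. blocks ST and AY: determinant 432 MOD 26 = 16
        Yp = [[Y[0][i], Y[0][j]], [Y[1][i], Y[1][j]]]
        A = mul(Yp, Xinv)
        if mul(A, X) == Y:  # the candidate must explain every known block
            return A, (i, j)
    return None


if __name__ == "__main__":
    key = [[3, 7], [1, 4]]
    c = hill(key, "GO HOME")
    print(c, hill(inverse(key), c))
    A, used = recover_key("STAYHOME", "WJMQFMGG")
    print("recovered key", A, "from blocks", used)
```

Four known letters are enough to fix the whole key, which is the practical weakness the section describes.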
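
The RSA steps of Section 2.9 assembled from the extended Euclidean algorithm and repeated squaring described in the later sections, as an added Python example that is not part of the original notes. It uses the notes' toy parameters p = 37, q = 41, e = 7; the function names are chosen here for illustration, and the factoring routine only succeeds because the modulus is tiny.

```python
def egcd(a, b):
    """Extended Euclidean algorithm: return (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)          # one division step: a = q*b + r
        a, b = b, r
        s0, s1 = s1, s0 - q * s1     # carry the back-substitution along
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(e, n):
    """e^(-1) MOD n, defined only when e and n are relatively prime."""
    g, s, _ = egcd(e, n)
    if g != 1:
        raise ValueError(f"{e} and {n} are not relatively prime")
    return s % n


def power_mod(x, k, m):
    """x^k MOD m by repeated squaring over the binary digits of k."""
    result, square = 1, x % m
    while k:
        if k & 1:
            result = result * square % m
        square = square * square % m
        k >>= 1
    return result


def keygen(p, q, e):
    """Alice's steps: public key (m, e) and private exponent d."""
    m, n = p * q, (p - 1) * (q - 1)
    return (m, e), mod_inverse(e, n)


def encrypt(x, public):
    m, e = public
    if not 0 <= x <= m - 1:
        raise ValueError("message must satisfy 0 <= x <= m - 1")
    return power_mod(x, e, m)


def decrypt(y, d, public):
    return power_mod(y, d, public[0])


def factor(m):
    """Trial division. Feasible only for toy moduli such as 1517."""
    f = 2
    while f * f <= m:
        if m % f == 0:
            return f, m // f
        f += 1
    raise ValueError("no nontrivial factor found")


def private_exponent_from_public(public):
    """What factoring m gives away: n = (p-1)(q-1) and then d = e^(-1) MOD n."""
    m, e = public
    p, q = factor(m)
    return mod_inverse(e, (p - 1) * (q - 1))


def to_word(x):
    """Read a number as base-26 digits with A=0 ... Z=25."""
    letters = []
    while x:
        x, r = divmod(x, 26)
        letters.append(chr(65 + r))
    return "".join(reversed(letters)) or "A"


if __name__ == "__main__":
    public, d = keygen(37, 41, 7)
    print(public, d)
    y = encrypt(190, public)
    print(y, decrypt(y, d, public), to_word(190))
    x = decrypt(941, d, public)
    print(x, to_word(x))
    print(private_exponent_from_public(public) == d)
```

The last line shows why the security argument rests on the size of m: anyone who can factor the public modulus reconstructs d with the same two routines Alice used.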


More information

Carmen s Core Concepts (Math 135)

Carmen s Core Concepts (Math 135) Carmen s Core Concepts (Math 135) Carmen Bruni University of Waterloo Week 7 1 Congruence Definition 2 Congruence is an Equivalence Relation (CER) 3 Properties of Congruence (PC) 4 Example 5 Congruences

More information

arxiv: v3 [cs.cr] 5 Jul 2010

arxiv: v3 [cs.cr] 5 Jul 2010 arxiv:1006.5922v3 [cs.cr] 5 Jul 2010 Abstract This article is meant to provide an additional point of view, applying known knowledge, to supply keys that have a series ofnon-repeating digits, in a manner

More information

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME International Journal of Power Control Signal and Computation (IJPCSC) Vol. 2 No. 1 ISSN : 0976-268X A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME 1 P. Arunagiri, 2 B.Rajeswary, 3 S.Arunmozhi

More information