Public Key Encryption


Math 210, Jerry L. Kazdan

The essence of this procedure is that, as far as we currently know, it is difficult to factor a number that is the product of two primes each having many, say 100, digits.

Some Introductory Number Theory

I assume you know what a prime number is. Euclid's Elements contains the first proof that there are infinitely many prime numbers. Although it is completely elementary, it is not obvious. The proof shows that if you know the first $n$ primes, $2 = p_1 < p_2 < \cdots < p_n$, then it concludes there is a larger prime. Note: it doesn't exhibit a larger prime but just shows that a larger prime exists. Here is the beautiful reasoning. Let $N = p_1 p_2 \cdots p_n + 1$. Either $N$ is prime or it isn't. If it is prime, then we are done. If it isn't, then it is divisible by a prime. However, it is clearly not divisible by any of $p_1, p_2, \ldots, p_n$ since upon division they all give a remainder of 1. Thus it is divisible by some prime larger than $p_n$.

Notation: We write $a \equiv b \pmod{n}$ to mean that the integers $a$ and $b$ have the same remainder when divided by $n$. This is equivalent to saying that $a - b$ is divisible by $n$. Here are some immediate consequences.

Obviously the only possible remainders after dividing by $n$ are $0, 1, 2, \ldots, n-1$.
If $a \equiv b \pmod{n}$ and $c \equiv d \pmod{n}$, then $a + c \equiv b + d \pmod{n}$.
If $a \equiv b \pmod{n}$, then $ac \equiv bc \pmod{n}$ for any integer $c$.

A natural question is, if $ab \equiv 0 \pmod{n}$, does it follow that either $a \equiv 0 \pmod{n}$ or $b \equiv 0 \pmod{n}$ (or both)? This is false, as illustrated by the simple counterexample $2 \cdot 3 \equiv 0 \pmod{6}$, although neither 2 nor 3 is divisible by 6. However, if $n$ is a prime number, this is true.

Theorem. If $p$ is a prime and $ab \equiv 0 \pmod{p}$, then either $a \equiv 0 \pmod{p}$ or $b \equiv 0 \pmod{p}$ (or both).

One reasonable approach to proving this is to use the fact that every integer $n$ can be factored into a product of primes, as $52 = 2 \cdot 2 \cdot 13$, and this factoring is unique except for possibly reordering the way this product is presented, as $52 = 13 \cdot 2 \cdot 2$. However, the customary proof of this factorization into a product of primes uses this theorem, so the reasoning would be circular. We'll simply accept the result.

Corollary. If $b$ and $n$ have no common factors and $ab \equiv 0 \pmod{n}$, then $a$ is divisible by $n$, that is, $a \equiv 0 \pmod{n}$.

Fermat's Little Theorem and Euler's Generalization

Fermat: If $p$ is a prime and the integer $a$ is not a multiple of $p$, then $a^{p-1} \equiv 1 \pmod{p}$. An immediate consequence is $a^p \equiv a \pmod{p}$ for any $a$.

Proof: Using the previous theorem we first assert that the integers $a, 2a, 3a, \ldots, (p-1)a$ are all distinct mod $p$. To see this, assume that $ka \equiv la \pmod{p}$ for some integers $k \ne l$. This means that $(k-l)a$ is a multiple of $p$. But $a$ is not divisible by $p$. Thus $k - l$ must be divisible by $p$. Since $1 \le l < k \le p-1$, this is impossible. Since $a, 2a, 3a, \ldots, (p-1)a$ are all distinct mod $p$, then mod $p$ they must just be $1, 2, \ldots, p-1$, possibly in some other order, so
$$(a)(2a)(3a)\cdots(p-1)a \equiv (1)(2)\cdots(p-1) \pmod{p},$$
that is
$$[a^{p-1} - 1](1)(2)\cdots(p-1) \equiv 0 \pmod{p}. \qquad (1)$$
Since $(1)(2)\cdots(p-1)$ is not divisible by $p$, then $a^{p-1} \equiv 1 \pmod{p}$, as we wished to prove.

One can use this for the interesting (and useful to cryptography) application to show that certain numbers $n$ are not prime without factoring them. For instance, one can show that $n = 1763$ is not a prime. If it were a prime, then by Fermat with $a = 2$, $2^{1762} \equiv 1 \pmod{1763}$. But by a direct computation $2^{1762} \equiv 742 \pmod{1763}$. This crude test is fairly efficient even for candidates $n$ having several hundred digits.

Euler generalized Fermat's theorem to $\pmod{n}$ where $n$ is not necessarily a prime. The above proof of Fermat's Theorem fails since equation (1) becomes
$$[a^{n-1} - 1](1)(2)\cdots(n-1) \equiv 0 \pmod{n}, \qquad (2)$$
which may be trivially true because $(1)(2)\cdots(n-1)$ may be divisible by $n$, as happens even when $n = 6$. However, Euler observed that the above proof of Fermat's result still works if in the product $(a)(2a)(3a)\cdots(n-1)a$ one includes only the factors $ka$ where $k$ and $n$ have no common divisors (other than 1). For any integer $n$ let $\varphi(n)$ be the number of integers $1, 2, \ldots, n-1$ that have no common divisors with $n$ (we call this the Euler $\varphi$ function).

Example 1. If $p$ is a prime, since none of $1, 2, \ldots, p-1$ have a common divisor with $p$, then $\varphi(p) = p-1$.

Example 2. We compute $\varphi(10)$. Now $10 = 2 \cdot 5$. The only integers $1, 2, \ldots, 9$ that have a common factor with 10 are those that are divisible by either 2 or 5. These are the integers 2, 4, 6, 8, and 5. These are $4 + 1 = 5$ integers, so $\varphi(10) = 9 - 5 = 4$.

Example 3. Say $n = pq$, where $p$ and $q$ are distinct primes. We will compute $\varphi(n)$. This is like the previous example. Which numbers $1, 2, \ldots, pq-1$ have a common divisor with $pq$? These common divisors can only be multiples of $p$ or $q$, so they are: $p, 2p, 3p, \ldots, (q-1)p$ and $q, 2q, 3q, \ldots, (p-1)q$. Thus $(q-1) + (p-1)$ integers are not relatively prime to $pq$, so the rest are. The number is
$$\varphi(pq) = (pq - 1) - [(q-1) + (p-1)] = pq - p - q + 1,$$
that is, $\varphi(pq) = (p-1)(q-1) = \varphi(p)\varphi(q)$.

Euler's Generalization: If $a$ is relatively prime to $n$, then $a^{\varphi(n)} \equiv 1 \pmod{n}$. Consequently $a^{\varphi(n)+1} \equiv a \pmod{n}$.

Proof. This just imitates the above proof of Fermat's Theorem. In equation (1) only use the factors $k_j a$ where $k_j$ and $n$ have no common divisor (other than 1). Obviously $k_1 = 1$. There are $\varphi(n)$ such factors. Then equation (1) is replaced by
$$(a)(k_2 a)(k_3 a)\cdots(k_{\varphi(n)} a) \equiv (1)(k_2)\cdots(k_{\varphi(n)}) \pmod{n},$$
that is
$$[a^{\varphi(n)} - 1](1)(k_2)\cdots(k_{\varphi(n)}) \equiv 0 \pmod{n}.$$
Since none of $k_1, k_2, \ldots, k_{\varphi(n)}$ have any common factors with $n$ (other than 1), we conclude that $a^{\varphi(n)} - 1$ must be divisible by $n$, as desired.

Special Case. If $a$ is relatively prime to $pq$ for any distinct primes $p, q$, then $a^{(p-1)(q-1)} \equiv 1 \pmod{pq}$.

The next corollary states that if $n = pq$ we can drop the assumption that $a$ is relatively prime to $pq$.

Corollary. Let $n = pq$, where $p$ and $q$ are primes. Then for any integers $a$ and $k$ we have $a^{k\varphi(n)+1} \equiv a \pmod{n}$. [If $n = p$ and $k = 1$ this is Fermat's Theorem.]

Exercise: If $n = 10$, verify this with $a = 8$ and $a = 6$.

Proof of the Corollary.
Case 1. If $a$ is divisible by both $p$ and $q$, the assertion is obvious.
Case 2. If $a$ is not divisible by either $p$ or $q$, then $a$ is relatively prime to $n = pq$, so this follows from the special case of Euler's generalization of Fermat's theorem.
Case 3. If $a$ is divisible by one of $p$ and $q$, say $p$ but not $q$, then clearly $a^{k\varphi(n)+1} - a = a[a^{k\varphi(n)} - 1]$ is divisible by $p$.
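Example 3 and the Corollary can both be checked mechanically. The following is an added example, not part of Kazdan's notes: it counts $\varphi(n)$ directly from the definition, lists the integers in Example 3 that share a factor with $pq$, compares the count with $(p-1)(q-1)$, and runs the exercise for $n = 10$ with $a = 8$ and $a = 6$. It also sweeps every residue $a$ for a given $pq$, which goes slightly beyond the exercise but is exactly what the Corollary asserts. All function names are my own, and `p` and `q` are assumed to be distinct primes, as in Example 3.

```python
import math


def phi(n):
    """Euler's phi function by direct counting, exactly as the notes define it:
    the number of integers 1, 2, ..., n-1 that have no common divisor with n."""
    return sum(1 for k in range(1, n) if math.gcd(k, n) == 1)


def phi_pq(p, q):
    """Closed form from Example 3, valid for distinct primes p and q."""
    return (p - 1) * (q - 1)


def common_divisor_list(p, q):
    """The integers in 1..pq-1 that share a factor with pq: the multiples of p
    (p, 2p, ..., (q-1)p) and the multiples of q (q, 2q, ..., (p-1)q)."""
    mult_p = [j * p for j in range(1, q)]
    mult_q = [j * q for j in range(1, p)]
    return sorted(mult_p + mult_q)


def corollary_holds(p, q, a, k):
    """Check a^(k*phi(n)+1) == a (mod n) for n = pq, with no requirement that
    a be relatively prime to n (this is the Corollary, Cases 1-3)."""
    n = p * q
    return pow(a, k * phi_pq(p, q) + 1, n) == a % n


def exercise_n10():
    """The exercise in the notes: n = 10 = 2*5 with a = 8 and a = 6.
    Checked for several k at once."""
    return {a: all(corollary_holds(2, 5, a, k) for k in range(5)) for a in (8, 6)}


def corollary_all_residues(p, q, k):
    """Sweep every residue a in 0..pq-1; True if the Corollary holds for all."""
    n = p * q
    return all(corollary_holds(p, q, a, k) for a in range(n))


if __name__ == "__main__":
    print("phi(10) =", phi(10))                      # Example 2 gives 4
    print("shared-factor list for 2*5:", common_divisor_list(2, 5))
    for p, q in [(2, 5), (23, 97), (97, 109)]:       # the note's own primes
        print(p, q, phi(p * q), phi_pq(p, q))
    print("exercise n=10:", exercise_n10())
    print("all residues, n=2231, k=3:", corollary_all_residues(23, 97, 3))
```

The counting version of `phi` is quadratic in effort and only meant to confirm the closed form on small moduli; for the RSA-sized $n$ discussed later one never computes $\varphi(n)$ this way, which is precisely why knowing $p$ and $q$ matters.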

Since $a$ is not divisible by $q$, then by Fermat's theorem $a^{\varphi(q)} = a^{q-1} \equiv 1 \pmod{q}$, so $a^{k\varphi(n)} = [a^{\varphi(q)}]^{k\varphi(p)} \equiv 1^{k\varphi(p)} \equiv 1 \pmod{q}$. In other words, $a^{k\varphi(n)} - 1$ is divisible by $q$. Consequently $a^{k\varphi(n)+1} \equiv a \pmod{q}$. Thus $a^{k\varphi(n)+1} - a$ is divisible by both $p$ and $q$, so it is divisible by $pq$. QED

Computing $a^k \pmod{n}$ efficiently (to encrypt messages)

We need to be efficient, since computing $a^k$ directly is impractical. For instance $12^{15}$ is too large to compute on most calculators. The idea is to observe that if you have computed $b \pmod{n}$, then it is easy to compute $b^2 \pmod{n}$. To use this observation write $k$ as a sum of powers of 2, that is, in base 2. For instance, to compute $12^{15} \pmod{6}$ write $15 = 2^3 + 2^2 + 2^1 + 2^0 = 1111$ in base 2. Then
$$12^{15} = 12^{(2^3)} \cdot 12^{(2^2)} \cdot 12^{(2^1)} \cdot 12^{(2^0)}.$$
Notice that each of the factors on the right side is the square of the factor to its right; for instance $12^{(2^2)} = [12^{(2^1)}]^2$, so, beginning from the final factor on the right, one can efficiently compute the successive factors mod 6. As an exercise, carry this out on a small calculator where computing $12^{15}$ directly would be impossible.

The following is a recipe that carries out this procedure to compute $a^k \pmod{n}$ efficiently. It is straightforward to make this into a computer program.

$x = 1$ (initialize the answer $x$)
while $k > 0$ repeat:
    $e = 0$ if $k$ is even, $e = 1$ if $k$ is odd, so $e = k - 2[k/2]$ (here $[k/2]$ means the largest integer in $k/2$, so $[5/2] = 2$ and $[6/2] = 3$).
    If $e = 1$, replace $x$ by $ax$ and reduce mod $n$ (if $e = 0$ do nothing).
    Replace $a$ by $a^2$ and reduce this mod $n$.
    Replace $k$ by $(k - e)/2$, that is, drop the unit digit in the binary expansion of $k$ and shift the remaining digits one place to the right.
When done (so $k = 0$), then $x \equiv a^k \pmod{n}$, as desired.

You might find it interesting to ponder how this implements the procedure; I'd use it to compute both $12^{15} \pmod{6}$ and $12^{13} \pmod{6}$ on a hand calculator.
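The recipe above is a program in all but syntax. Here it is written out as an added example (my code, not from the notes), step for step: `e` is computed as $k - 2[k/2]$, `x` is multiplied by `a` only when `e = 1`, `a` is squared, and `k` loses its last binary digit. The function also records the $(x, a, k)$ state after each pass so you can watch the binary digits of $k$ being consumed, and it is then used for the two hand-calculator exercises and for the Fermat compositeness check on $n = 1763$ from the earlier section. The last call shows the test's known blind spot: $561 = 3 \cdot 11 \cdot 17$ is composite yet satisfies $2^{560} \equiv 1 \pmod{561}$ (it is a Carmichael number), so a result of 1 never proves primality. Function names are mine.

```python
def mod_pow_trace(a, k, n):
    """Kazdan's recipe for a^k (mod n). Returns the answer x and the list of
    (x, a, k) states after every pass of the loop, starting with the initial one."""
    x = 1                      # initialize the answer x
    a = a % n                  # reducing the base first is harmless: it is
                               # reduced mod n on every later step anyway
    trace = [(x, a, k)]
    while k > 0:
        e = k - 2 * (k // 2)   # e = 0 if k is even, e = 1 if k is odd; k//2 is [k/2]
        if e == 1:
            x = (x * a) % n    # replace x by ax and reduce mod n
        a = (a * a) % n        # replace a by a^2 and reduce mod n
        k = (k - e) // 2       # drop the unit binary digit of k, shift right
        trace.append((x, a, k))
    return x, trace


def mod_pow(a, k, n):
    """a^k (mod n) without the trace."""
    return mod_pow_trace(a, k, n)[0]


def fermat_says_composite(n, a=2):
    """The Fermat test as used in the notes: if a^(n-1) is not 1 mod n, then
    n is certainly composite. Returning False means only 'no evidence found'."""
    return mod_pow(a, n - 1, n) != 1


if __name__ == "__main__":
    value, steps = mod_pow_trace(12, 15, 6)
    print("12^15 mod 6 =", value)
    for state in steps:                     # (x, a, k) after each pass
        print("   ", state)
    print("12^13 mod 6 =", mod_pow(12, 13, 6))
    print("2^1762 mod 1763 =", mod_pow(2, 1762, 1763))        # 742, as stated
    print("1763 composite by Fermat?", fermat_says_composite(1763))
    print("561 composite by Fermat?", fermat_says_composite(561))  # False, yet composite
```

The loop runs once per binary digit of $k$, so an exponent with a few hundred digits costs a few thousand multiplications rather than an astronomical number; that is what makes the encryption and decryption of the next section practical. Python's built-in `pow(a, k, n)` does the same job and is what the RSA example later uses.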

Alice → Bob (by Rivest, Shamir, & Adleman)

Task: Alice wants to send a message to Bob, say in a letter, but wants to keep its contents a secret from anyone along the way who might steal the letter and read it. She uses public key cryptography. This relies on the widely believed but unproved assumption that it is difficult to factor a large number (say 200 digits) that is the product of two large primes.

Public, known to everyone: $(n, e)$ = Bob's public key, where $n = pq$, where $p$ and $q$ are primes known only to Bob. $e$: satisfying $e < n$ and relatively prime to $\varphi(n) = (p-1)(q-1)$. $e$ is the public exponent.

An essential ingredient here is that there is a trusted repository for public keys. If you look there, the keys you get will be valid.

Private, known only to Bob: The above primes $p$ and $q$. The private exponent $d$ with the property that $ed - 1$ is divisible by $(p-1)(q-1)$, that is, $ed \equiv 1 \pmod{\varphi(n)}$, which is equivalent to $ed = k\varphi(n) + 1$ for some integer $k$.

Example 4: $p = 23$, $q = 97$, so $n = pq = 2231$ and $(p-1)(q-1) = 22 \cdot 96 = 2112$, so say $e = 5$. We want $ed - 1 = k(p-1)(q-1)$ for some $k$, that is, $5d = 1 + 2112k$. $k = 2$ works, so $d = 4225/5 = 845$ is OK.

Example 5: $p = 97$, $q = 109$, so $n = pq = 10573$ and $(p-1)(q-1) = 96 \cdot 108 = 10368$, so say $e = 11$. We want $ed - 1 = k(p-1)(q-1)$ for some $k$, that is, $11d = 1 + 10368k$. $k = 9$ works, so $d = 8483$ is OK.

For those who know more algebra, since $ed \equiv 1 \pmod{\varphi(n)}$, $d$ is the multiplicative inverse of $e$ and can always be found using the Euclidean algorithm.

Alice encrypts the message for Bob: Say the message has been transformed into an integer $0 \le M < n$ (if the message is longer than $n$ digits, then first break it into smaller parts, each of which has less than $n$ digits). Her encrypted message is:
$$m \equiv M^e \pmod{n} \quad \text{(trapdoor function)}.$$

Bob decrypts the message: He computes $m^d \pmod{n}$.

Claim: $m^d \equiv M \pmod{n}$, so Bob has recovered Alice's message.

Proof: Since $m \equiv M^e$, then $m^d \pmod{n} \equiv M^{ed} \pmod{n}$. But $d$ was chosen so that $ed \equiv 1 \pmod{\varphi(n)}$. Consequently $ed = k\varphi(n) + 1$ for some integer $k$. Thus by the Corollary $M^{ed} = M^{k\varphi(n)+1} \equiv M \pmod{n}$.

Trapdoor Functions for Private Communication

The above encryption/decryption procedure satisfies the criteria proposed earlier by Diffie and Hellman (1976).
It will change any positive integer $x$ into a unique positive integer $y$.
It has an inverse that changes $y$ back to $x$.
Efficient algorithms exist to compute both the forward function and its inverse.
If only the function and its forward algorithm are known, it is computationally infeasible to discover the inverse algorithm.

Digital Signatures: Alice wants to send her signature to Bob so that he will send her some money. The signature is not secret. Bob wants to know that:
1. The signature has not been tampered with.
2. It really is from Alice.

Procedure: Alice makes a digital signature $s \equiv S^d \pmod{n}$ where $(n, d)$ is Alice's own private key and $S < n$ is her public signature. She sends both $s$ and $S$ to Bob. Bob computes $x \equiv s^e \pmod{n}$, where $(n, e)$ is Alice's public key. If $x = S$, then he is assured the message is both authentic and from Alice.

Proof: $x \equiv s^e \pmod{n} \equiv S^{ed} \pmod{n} \equiv S \pmod{n}$.
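The whole scheme of the last two sections, key setup (Examples 4 and 5), encryption, decryption and signing, fits in a short program. This is an added example written for this page, not code from the notes. It finds $d$ as the multiplicative inverse of $e$ modulo $\varphi(n)$ with the extended Euclidean algorithm, as the notes suggest, recovers the multiplier $k$ from $ed = k\varphi(n) + 1$ to confirm the values $k = 2$ and $k = 9$ in the two examples, and then exercises encrypt/decrypt and sign/verify, including two altered inputs that must fail verification. Function names are mine; `pow(base, exp, n)` is Python's built-in modular exponentiation, doing the job of the recipe in the previous section.

```python
import math


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def private_exponent(e, phi_n):
    """d with e*d == 1 (mod phi(n)): the multiplicative inverse of e, via Euclid.
    Raises if e and phi(n) share a factor, since then no inverse exists."""
    g, x, _ = extended_gcd(e, phi_n)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return x % phi_n


def multiplier_k(e, d, phi_n):
    """The integer k in e*d = k*phi(n) + 1 (the notes solve for d by guessing k)."""
    assert (e * d - 1) % phi_n == 0
    return (e * d - 1) // phi_n


def rsa_keypair(p, q, e):
    """Public key (n, e) and private key (n, d) from distinct primes p, q and a
    public exponent e < n relatively prime to phi(n) = (p-1)(q-1)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if not (e < n and math.gcd(e, phi_n) == 1):
        raise ValueError("e must be < n and relatively prime to phi(n)")
    return (n, e), (n, private_exponent(e, phi_n))


def encrypt(public, M):
    """m = M^e (mod n); the message block must already satisfy 0 <= M < n."""
    n, e = public
    if not 0 <= M < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return pow(M, e, n)


def decrypt(private, m):
    """M = m^d (mod n), by the Corollary."""
    n, d = private
    return pow(m, d, n)


def sign(private, S):
    """s = S^d (mod n) with the signer's own private key."""
    n, d = private
    return pow(S, d, n)


def verify(public, S, s):
    """Bob's check: s^e (mod n) must equal S."""
    n, e = public
    return pow(s, e, n) == S % n


if __name__ == "__main__":
    for p, q, e in [(23, 97, 5), (97, 109, 11)]:           # Examples 4 and 5
        pub, priv = rsa_keypair(p, q, e)
        n, d = priv
        print(f"n={n} e={e} d={d} k={multiplier_k(e, d, (p-1)*(q-1))}")
    pub, priv = rsa_keypair(23, 97, 5)
    M = 1234                                                # constructed message block
    m = encrypt(pub, M)
    print("ciphertext", m, "decrypts to", decrypt(priv, m))
    S = 1500                                                # constructed public signature
    s = sign(priv, S)
    print("verify(S, s):", verify(pub, S, s))
    print("tampered S:", verify(pub, S + 1, s), " tampered s:", verify(pub, S, (s + 1) % 2231))
```

As in the notes, this is "textbook" RSA: the integer itself is exponentiated. Deployed systems never do that directly; they apply a randomized padding scheme to the message block and sign a hash of the message rather than the message, because without those steps the same plaintext always yields the same ciphertext and the multiplicative structure $(xy)^d = x^d y^d$ lets signatures be combined. The number-theoretic core, and the correctness proof via the Corollary, is exactly what the program above checks.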