- 240 Views
- Uploaded on
- Presentation posted in: General

CHAPTER 6: NUMBER THEORY Topics : - prime numbers, relative prime numbers, modular arithmetic, discovering primes, finding inverses

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

CHAPTER 6: NUMBER THEORY

Topics: - prime numbers, relative prime numbers,

modular arithmetic, discovering primes, finding inverses

of large primes, Euclid’s algorithm, Fermat’s theorem,

& Euler’s totient function.

Motivation: - public key cryptography is based on large

primes that have to be generated & tested using modular

arithmetic.

Fermat & Euler’s work is used to prime or relatively

prime numbers. Euclid’s algorithm finds multiplicative

inverses that are needed to find appropriate encryption

keys in public key cryptography.

Chapter 6: Number Theory

Prime Numbers in Cryptography

Numbers used - Non-negative integers

Prime # - A positive integer > 1 is prime iff it is evenly

divisible (zero remainder) by only two other numbers =

1 & itself.

Divisor- If a & b are positive integers, and b 0, b is a

divisor of a (b divides a) if a = mb for some integer m,

such that a/b = m.

Divisors of 36: 1, 2, 3, 4, 6, 9, 12, 18, & 36 (not a prime #).

Divisors of 17 are: 1 & 17 (i.e., 17 is a prime #).

Chapter 6: Number Theory

Properties of Divisors

Notation - b|a means b divides a with no remainder,

or b is a divisor of a.

If a|1, then a = 1 (if a divides 1, a must be 1 - any larger a

would produce a non-integer - fractional result).

If a|b and b|a, then a = b (if not =, one of the divisions

would produce a fraction - 2|4, but 4|2 isn’t true).

a|0 for all a 0 (i.e., 0/5 = 0, but 0/0 0).

Chapter 6: Number Theory

More Properties of Divisors

If a|k and a|l, then a|(mk + nl) for arbitrary m & n

That is, since a|k, then k must be of the form k = ak1.

If a|l, then l is of the form l = al1, for some integers, k1

and l1. Then: For a|(mk + nl), and substituting for k

& l, we have a|(mak1 + nal1) = a|a(mk1 + nl1), so a

divides (mk + nl). Example:

If a = 6; k = 36; l = 54, m = 2; n = 3

6|36 = 6: 6|54 = 9, and so does 6|(2x36 + 3x54)

and = (2x6x6 + 3x6x9) = 6(2x6 + 3x9), 6|(2x36 + 3x54)

This is of the form a|(m x k + n x l)

Chapter 6: Number Theory

Prime Numbers - Special Cases of Divisors

Prime = Integer p > 1 with only divisors being 1 & p.

Also means a prime is a whole number that is not the

product of 2 smaller integers.

Primes < 100 = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37,

41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97.

Primes < 2000, see Stallings, pg 237.

Primes: 1st 10,000, see http://www.utm.edu/research/

primes/lists/small/10000.html.

1 is not considered a prime.

Chapter 6: Number Theory

Relatively Prime Numbers

Two numbers are relatively prime if their gcd (greatest

common divisor) or gcf (greatest common factor) = 1.

gcd (a, b) means the greatest common divisor of a & b.

If gcd (a, b) = c, then c is a divisor of a & b (i.e., c|a, c|b),

and any divisor of c is a divisor of a & b

(i.e., d|c means d|a & d|b).

Chapter 6: Number Theory

GCD Example

Given: The following pairs, find the gcds:

gcd (10,100) = 10

gcd (24, 36) = 12

gcd (a, 0) = a, since all pos integers > 0 divide 0

GCD Method:

Find factors of each number, then match up their

common factors.

Chapter 6: Number Theory

Common Factors Method

gcd (102, 5292)

102 = 2 x 51 = 2 x 3 x 17= 2 x 3 x 17 = 21 x 31 x 171

5292 = 2 x 2646 = 2 x 2 x 1323 = 2 x 2 x 27 x 49

2 x 2 x 3 x 9 x 7 x 7 = 2 x 2 x 3 x 3 x 3 x 7 x 7 = 22 x 33 x 72

So, 102 = 20 x 21 x 31 x 171

5292 = 20 x 22 x 33 x 72

Common factors are 2, and 3 (7 & 17 are not common)

Since gcd(gcf) > 1, the numbers are not relatively prime.

Chapter 6: Number Theory

Common Factors

The case we are interested in is gcd = 1

Consider gcd (5, 14)

Factors of 5 are 1, 5

Factors of 14 are: 1, 2, 7, and 14

They share only the one common factor = 1,

thus 5 &14 are relatively prime!

Chapter 6: Number Theory

Common Factors – Another Method

Step 1:Form 14/5 = 2, remainder 4

Step 2:Form 5/4 = 1, remainder 1

Step 3:Form 4/1 = 4, remainder 0

Last divisor = gcd = 1

This is an iterative method, where the factors are

successively removed.

Step 1 begins with a division, then the quotient is

Discarded, the divisor is brought down to Step 2 and the remainder from the previous step becomes the new divisor. Terminates when the remainder is 0.

Chapter 6: Number Theory

Euclid’s Algorithm - greatest common factors

For x & y, with x > y: (x, y) and (x - y, y) have same gcd.

Example: (100,10)gcf = 10

(100-10,10) = (90,10)gcf = 10

(90-10,10) = (80,10)gcf = 10

…….

(20-10, 10) = (10,10)gcf = 10

(10-10, 10) = (0,10)no gcf

terminates with y = gcf

This is because if d|x & d|y, then y = kd & x = jd, so

x - y = jd - kd = (j - k)d (i.e., differences have same gcd).

Chapter 6: Number Theory

Euclid’s Algorithm - greatest common factors

The same behavior holds in modulo arithmetic.

In modulo arithmetic: gcd(a, b) = gcd(a, a mod b)

Example:gcd(100,10) = gcd(100, 100 mod 10)

100 mod 10; 100/10 = 10, R = 0

True because if d = gcd(a, b), then d|a & d|b.

If 10 = gcd(100,10), then 10|100 & 10|10.

This means d is a divisor of a & b and also a divisor

of a mod b.

Chapter 6: Number Theory

Euclid’s Algorithm - gcd of X, Y

Given X and Y, where X > Y

1If Y = 0, done with gcd = X

R = X mod Y

X = Y

Y = R

GOTO 1

Chapter 6: Number Theory

Euclid’s Algorithm - gcd of X, Y

Example: gcd 595, 408

595/408 = 1, R = 187 (x mod y = 187)

408/187 =2, R = 34

187/34 =5, R = 17

34/17 =2, R = 0

17/0 Y is = 0

Stopgcd 595, 408 = 17

Note: Computationally intense for large numbers.

Chapter 6: Number Theory

Discovering Primes

Many methods, oldest = Sieve of Eratosthenes. Given the

first 100 numbers (1-100)

1. Remove 1 since it is not a prime by definition

2. Test 2 to see if it is only divisible by 1 and itself. Keep 2,

it passes.

3. Cross out every number divisible by 2 since they are

composite numbers with 2 as a factor.

4. Test 3. Keep 3, it passes.

5. Eliminate all multiples of 3 since they contain 3 as a

factor

6. Test 5. Keep 5, it passes. (we didn’t do 4 - a factor of 2).

Repeat this process for all numbers up to 100.

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

1 is eliminated, so starting matrix is:

02 03 04 05 06 07 08 09 10

11 12 13 14 15 16 17 18 19 20

21 22 23 24 25 26 27 28 29 30

31 32 33 34 35 36 37 38 39 40

41 42 43 44 45 46 47 48 49 50

51 52 53 54 55 56 57 58 59 60

61 62 63 64 65 66 67 68 69 70

71 72 73 74 75 76 77 78 79 80

81 82 83 84 85 86 87 88 89 90

91 92 93 94 95 96 97 98 99 100

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

Test 2, retain 2, eliminate all multiples of 2

since they are composite numbers with 2 as a factor.

02 03 05 07 09

11 13 15 17 19

21 23 25 27 29

31 33 35 37 39

41 43 45 47 49

51 53 55 57 59

61 63 65 67 69

71 73 75 77 79

81 83 85 87 89

91 93 95 97 99

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

Test 3, retain 3, eliminate multiples of 3.

02 03 05 07

11 13 17 19

23 25 29

31 35 37

41 43 47 49

53 55 59

61 65 67

71 73 77 79

83 85 89

91 95 97

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

Test 5, retain 5, eliminate multiples of 5.

02 03 05 07

11 13 17 19

23 29

31 37

41 43 47 49

53 59

61 67

71 73 77 79

83 89

91 97

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

Test 7, retain 7, eliminate multiples of 7.

02 03 05 07

11 13 17 19

23 29

31 37

41 43 47

53 59

61 67

71 73 79

83 89

97

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

Test 11, retain 11, eliminate multiples of 11 (there aren’t any).

We could go on, but all the remaining # are also primes.

02 03 05 07

11 13 17 19

23 29

31 37

41 43 47

53 59

61 67

71 73 79

83 89

97

Chapter 6: Number Theory

Example - Sieve of Eratosthenes

We have discovered all the primes less than 100. The

sieve computationally intensive (and dull)!

02 03 05 07

11 13 17 19

23 29

31 37

41 43 47

53 59

61 67

71 73 79

83 89

97

Chapter 6: Number Theory

Computing Primes - Some Properties

There are infinitely many primes. Why?

Suppose you have a finite set of primes. Just multiply

them all together and add 1. The result will not be

divisible by any of the primes in your set (the remainder

will always be one when you divide). It is not in your set

and you have a new prime!

Example: the set is 2,3,5,7 - all primes

2x3x5x7 = 210 + 1 = 211; is it prime - yep!

2x3x5x7x11 = 2,310 + 1 = 2311; is it prime - yep!

Chapter 6: Number Theory

Computing Primes - More Properties

Primes thin out for larger primes (result of multiplying).

3 digit primes 25 in 100 (1 out of 4 numbers - 25%)

10 digit primes , 1 in 23 - 4.3%

100 digit primes, 1 in 230 - .43%

Going through all of them like the sieve does is too slow.

We need 100 - 150 digit primes. If we guess a 150 digit

number, we have 1 chance in 230 of it being a prime.

This is computationally feasible.

Chapter 6: Number Theory

Primes - More Properties

This also means you must generate and test candidate

Prime numbers.

If you test 230 150 digit numbers, the probability it will

be a prime is about .63.

So, on average you will need to test about 230 numbers

before you find a prime.

Chapter 6: Number Theory

Modulo Arithmetic

Given the positive integers, a & n; a/n = produces a

quotient + remainder.

Or a = n(q) + r, 0 < r < n; for 5/3 = 1 + 2 or 1, 2. Consider

the reals expressed from 0 to some large value (q+1)n:

Chapter 6: Number Theory

Modulo Arithmetic

a, a positive integer, can appear anywhere on the line.

If a is a multiple of n it will appear in the same location as one of the

n’s with r = 0.

If a is not a multiple of n, it appears between 2 n’s, and the

distance between the lower n and a = r, the remainder

or residue.

Chapter 6: Number Theory

Modulo Arithmetic

The same relationship can be expressed in modulo

(or modular) arithmetic.

That is, a modulo n, or a mod n = the remainder of a/n.

If a = 17, n = 7, then a/n = 2 + 3, so 7 mod 17 = 3

17/7 = Q of 2, R or 3

This is clock arithmetic

(i.e., 12 hours then repeat with no carry).

Chapter 6: Number Theory

Modulo Arithmetic - Properties

Congruence: If a mod n = b mod n, a & b are congruent.

Notation: a b mod n (a is congruent to b mod n)

a b mod n if n|(a-b); If n divides a-b

a b mod n implies a mod n = b mod n; as above

a b mod n implies b = a mod n

a b mod n and b c mod n implies a mod n

Chapter 6: Number Theory

Modulo Arithmetic - Properties

Arithmetic operations (normal operations hold)

[(a mod n) + (b mod n)] mod n = (a + b) mod n

[(a mod n) - (b mod n)] mod n = (a - b) mod n

[(a mod n) x (b mod n)] mod n = (a x b) mod n

See Stallings, page 111 for worked examples.

Chapter 6: Number Theory

Inverses - Preliminaries

Observe that if (a + b) (a + c) mod n, then b c mod n

For a = 5; b = 23; c = 7, n = 8

If (5 + 23) (5 + 7) mod 8; then 23 7 mod 8. Is this true?

Part 1: Is (5 + 23) (5 + 7) mod 8?

(5 + 23) = 28; 28/8 = 3, 4 (i.e., r = 4), and

(5 + 7) mod 8 = 12 mod 8 = 12/8 = 1, 4 (i.e., r = 4) OK!

Part 2: Is 23 7 mod 8?

23/8 = 2, 7 (i.e., r = 7), and

7 mod 8 = 0, 7 (i.e., r = 7) OK!So, what is the point?

Chapter 6: Number Theory

Inverses

This is true because there is an additive inverse.

It is the number you would have to subtract from the

original number to get 0. That is:

(a + b) - a -a + (a + c) mod n, or b c mod n

Chapter 6: Number Theory

Inverses - Key for Asymmetrical Encryption/Decryption

Rules for Addition, Modulo 10

0 1 2 3 4 5 6 7 8 9

+

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

1

2

3

4

5

6

7

8

9

0

2

3

4

5

6

7

8

9

0

1

3

4

5

6

7

8

9

0

1

2

4

5

6

7

8

9

0

1

2

3

5

6

7

8

9

0

1

2

3

4

6

7

8

9

0

1

2

3

4

5

7

8

9

0

1

2

3

4

5

6

8

9

0

1

2

3

4

5

6

7

9

0

1

2

3

4

5

6

7

8

Chapter 6: Number Theory

Inverses in Cryptography

We will use one number to encrypt and its inverse to

decrypt.

Consider an input string to be encrypted = 3692.

Add a constant mod 10 to map the string to a new string

(character by character).

(3 + 6) mod 10 = 9

(6 + 6) mod 10 = 2

(9 + 6) mod 10 = 5

(2 + 6) mod 10 = 8 The encrypted string for 3692 = 9258

Chapter 6: Number Theory

Inverses in Cryptography

Now use the additive inverse of 6; it is 6 + x = 0; x = 4

to decrypt (inverse is taken from the table).

(9 + 4) mod 10 = 3

(2 + 4) mod 10 = 6

(5 + 4) mod 10 = 9

(8 + 4) mod 10 = 2 The encrypted string is decrypted!

This is a simple substitution cipher (e.g., Caesar). The

only difference is numbers were used instead of letters.

But – easy to break – lets do something harder!

Chapter 6: Number Theory

Inverses in Cryptography - Multiplicative

0 1 2 3 4 5 6 7 8 9

x

0

1

2

3

4

5

6

7

8

9

0

0

0

0

0

0

0

0

0

0

0

1

2

3

4

5

6

7

8

9

0

2

4

6

8

0

2

4

6

8

0

3

6

9

2

5

8

1

4

7

0

4

8

2

6

0

4

8

2

6

5

0

0

5

0

5

0

5

0

5

0

6

2

8

4

0

6

2

8

4

0

7

4

1

8

5

2

9

6

3

8

0

6

4

2

0

8

6

4

2

0

9

8

7

6

5

4

3

2

1

If this works like addition, we should be able to encrypt

and decrypt. Trouble is, it only works part of the time.

We can encrypt/decrypt some, but not all, numbers.

Chapter 6: Number Theory

Multiplicative Inverses in Cryptography

Encrypt the string 8732 using a muliplicative constant of:

5 mod 10

(8 x 5) mod 10 = 0; (40/10 = 4, 0)

(7 x 5) mod 10 = 5; (35/10 = 3, 5)

(3 x 5) mod 10 = 5; (15/10 = 1, 5)

(2 x 5) mod 10 = 0; (10/10 = 1, 0)

So the encrypted string would be 0550.

Trouble is, half the characters mapped to 0 and half to 5.

We might guess this is a problem since results are not

unique.

Chapter 6: Number Theory

Multiplicative Inverses in Cryptography

However, if we use 3 mod 10 we get unique results:

(8 x 3) mod 10 = 4; (24/10 = 2, 4)

(7 x 3) mod 10 = 1; (21/10 = 2, 1)

(3 x 3) mod 10 = 9; (9/10 = 0, 9)

(2 x 3) mod 10 = 6; (6/10 = 0, 6)

The result is 4196.

This looks better, but do inverses work?

Can we decrypt?

Chapter 6: Number Theory

Multiplicative Inverses in Cryptography

The multiplicative inverse of n is m, where (n x m) mod 10

= 1.

The multiplicative inverse of 3 is (3 x m) mod 10 = 1;

so m = 7. Decrypting 4196 (previous slide) using 7 :

(4 x 7) mod 10 = 8

(1 x 7) mod 10 = 7

(9 x 7) mod 10 = 3

(6 x 7) mod 10 = 2; So… the inverse decrypts the cipher!

What is the condition that makes 3 work and 5 not work?

Chapter 6: Number Theory

Multiplicative Inverses in Cryptography

Why 3 works.

If (a x b) (a x c) mod n, then b c mod n, if and only if (iff) a is relatively prime to n.

Because ((a-1) x a x b) ((a-1) x a x c) mod n = b c mod n,

This is in accordance with Fermat’s theorem.

That is, a mod n will not produce a complete & unique set of residues if a & n have any factors in common except 1!

Chapter 6: Number Theory

Finding Multiplicative Inverses - Fermat

For any prime p and any element a < p;

ap mod p = a OR ap-1 mod p = 1

Also…the inverse of a is x where ax mod p = 1

Substituting ax mod p = 1 = ap-1 mod p

So x = ap-1 mod p/a mod p = ap-2 mod p

The inverse of 3 mod 5 = 3-1 mod 5 = 35-2 mod 5

33 mod 5 = 27 mod 5 = Q = 5, R = 2

And 25-2 mod 5 = 23 mod 5 = 8 mod 5 = 3

Chapter 6: Number Theory

Multiplicative Inverses in Cryptography

So what is the implication for cryptography?

We use one number to encrypt and a second number,

the inverse to decrypt – but only if an inverse exists.

A number and its inverse are used as the keys.

They are asymmetrical (i.e., public key cryptography).

Finding inverses of the simple integer was easy, but how

do we find inverses for large keys (56, 90, 128 bits)?

Chapter 6: Number Theory

Finding Multiplicative Inverses

Use an extended version of Euclid’s gcd algorithm.

For the notation GCD (d, f) = 1, d has a multiplicative

inverse mod f such that for d < f, there exists a d-1,

such that d x d-1 = 1 mod f.

This is the same as de = 1 mod (n),

Euclid’s gcd algorithm is given in detail by Stallings

(page 119).

Chapter 6: Number Theory

Multiplicative Inverses by Euclid’s Algorithm

Euclid (d, f)

1(X1,X2,X3) (1, 0, f); (Y1, Y2, Y3) (0, 1, d)

2IF Y3 = 0, RETURN X3 = GCD (d, f); No inverse

3If Y3 = 1, RETURN Y3 = GCD (d, f); Y2 = d-1 mod f

4Q = X3/Y3

5(T1,T2,T3) (X1 - QY1, X2 - QY2, X3 - QY3)

6(X1,X2,X3) (Y1,Y2,Y3)

7(Y1,Y2,Y3) (T1,T2,T3)

8GOTO 2

Relationships that hold during computation:

fT1 + dT2 = T3;fX1 + dX2 = X3;fY1 + dY2 = Y3

X3 & Y3 are comparable to X & Y in the original Euclid’s algorithm.

Chapter 6: Number Theory

Euler’s Totient Function

We need to know how many numbers less than n are

relatively prime to n. For n = 10, we know 1, 3, 7, and 9

are relatively prime to 10.

Generally, the number of positive integers that are

relatively prime to a number n is (n), where is

Euler’s Totient Function.

A number less than or equal to and relatively prime to a

number is called a totative. The Totient Function, then, is

simply the number of totatives of n.

Chapter 6: Number Theory

Euler’s Totient Function

For example, the totient of 4 is defined as the number of

numbers that are relatively prime to 4. Those numbers

are 1 and 3.

2 isn’t a totative of 4 since it divides 4. So.. (4) = 2.

Similarly:(20) = 1, 3, 7, 9, 11, 13, 17, 19 = 8

(24) = 1, 5, 7, 11, 13, 17, 19, 23 = 8

See Stallings, page 241 for the 1st 30 totatives

(i.e., n = 1-30).

Chapter 6: Number Theory

Euler’s Totient Function

For cryptography we are interested in certain totatives.

If n is a prime number then all the integers (1, 2, 3….n-1)

are relatively prime to n, so (n) = n-1.

The gcd for any prime number n, for any number less

than n, is = 1, so all numbers less than n are relatively

prime to n.

If n is a product of two primes, p and q, such that n = pq,

there are (p-1)(q-1) numbers relatively prime to n and

(n) = (p-1)(q-1).

Chapter 6: Number Theory

Theorems Important in Cryptography

Fermat's theorem:

an-1 = 1 mod n; if a and n are relatively prime.

Also

(a)(an-1) = (a)(1 mod n) or simply that an = a mod n,

if n & a are relatively prime.

Chapter 6: Number Theory

Theorems Important in Cryptography

Euler's Theorem:

a(n) = 1 mod n; if a and n are relatively prime

That is, if n is prime, then (n) = n-1, so (n) can be

substituted in Fermat's Theorem and be = 1 mod n.

We will use these to test candidate numbers for key

generation.

Chapter 6: Number Theory

Modulo Exponentiation

We would expect modulo exponentiation to operate

similar to modulo multiplication since exponentiation

is a repeated form of multiplication.

That is:

212 = 2x2x2x2x2x2x2x2x2x2x2x2 = 4096, and

212 = 6 mod 10; 4096/10 = Q + R = 409 + 6

Chapter 6: Number Theory

Modulo Exponentiation

In exponentiation, like multiplication, not all numbers

have inverses.

We also know that numbers without inverses cannot be

used to encrypt because they give ambiguous results.

The characteristics of prime numbers, and modular

arithmetic as well as the functions and theorems we

have described form the mathematical basis for public

key cryptography.

Chapter 6: Number Theory

Rivest, Shamir, and Adelman (RSA) Algorithm

RSA is a public key algorithm that uses two keys, one

public and one private. Keys are variable in length and

typically on the order of 512 bits long. The algorithm is:

1. Generate two prime numbers, p & q, say 512 bits long.

2. Multiply the prime numbers p & q together; p x q = n.

3. Keep p & q secret.

4. Generate a public key:

a. Compute the totient of n: (n) = (p-1)(q-1).

b. Choose a number e, relatively prime to (n).

The public key is [e, n].

Chapter 6: Number Theory

The RSA Algorithm - contd

5. Generate a private key.

a. Find the multiplicative inverse d = e mod (n)

(Euclid’s extended algorithm).

The private key is [d, n]

6. To encrypt a message, m < n, use the public key e and

compute:

me mod n = c

7. To decrypt the encrypted message, compute:

m = cd mod n using the private key d

Chapter 6: Number Theory

The RSA Algorithm - contd

RSA’s capability to encrypt and decrypt comes from

number theory.

It derives its strength from the difficulty in factoring

large prime numbers n into the factors p & q, which are

kept secret is computationally infeasible for large n

(recall n = p x q; where p & q > 512 bits).

Chapter 6: Number Theory

Selecting p, q, and e

We know that we have to pick the primes p & q, and

then e.

From these we compute (p-1), (q-1), n, (n), and d.

We already said we could find q and p by trying some

large numbers and test them for primality.

We know e must be relatively prime to (p-1)(q-1).

Finally, we compute de = 1 mod (n) using Euler’s

extended algorithm.

Chapter 6: Number Theory

- Selecting e – Two Options
- Pick p & q, choose e at random and test for primality
- with (p-1)(q-1).
- If the primality test fails, select another e.
- Select e first, then select p-1 & q-1 to be relatively
- prime to e.
- Many times e is selected first. Moreover, e is often picked
- to be 3.
- It turns out RSA security is not weakened by either a
- small e or even if e is always the same number.

Chapter 6: Number Theory

Advantage of Picking a small e

The advantage is that if e, the public key, is small,

operations with the public key are fast.

Two popular values of e are 3 and 65537 (216 = 1).

3 because it only takes 2 multiplies to encrypt.

65537 takes 17 multiplies to encrypt.

A 512 bit number takes about 768 multiplies (average).

There are some precautions in using 3. Short messages

need to be padded (easy) and messages encrypted with

the same key should not be sent to more than 2 recipients.

Chapter 6: Number Theory

The Strength of the RSA Algorithm

Only the public key = [e, n] is known, p & q and the

private key must be kept secret. p & q are often discarded

after being used.

To find the private key an adversary must find the

exponential inverse of e in (de = 1 mod (n)).

Creating the keys is relatively easy since two large primes

p & q were used to create n order 512-1024 bits.

Chapter 6: Number Theory

The Strength of the RSA Algorithm

Finding d requires that the adversary find p & q by

factoring n.

Factoring a 512 bit number is formidable - required on

the order of 30,000 MIP-Years in 1995, but is no

longer considered secure.

I a paper published last year, a design was presented for a

device costing $10k to factor a key in 10 minutes.

Even 1024 bit numbers may be suspect.

Chapter 6: Number Theory

Factoring 1024 bit Numbers

February 2003 saw a paper claiming to factor 1024 bit

RSA numbers using a new design.

Cost $10M and would factor 1024 bit keys in one year.

Reference: http://www.wisdom.weizmann.ac.il/

%7Etromer/papers/twirl.pdf

Chapter 6: Number Theory