Public Key Cryptography The RSA Cryptosystem
by William M. Faucette Department of Mathematics State University of West Georgia
The RSA Cryptosystem The granddaddy of all public key cryptosystems, the RSA cryptosystem is named for its creators, Rivest, Shamir, and Adleman. RSA was first described in 1978.
A Little Number Theory In order to describe the RSA cryptosystem, we first need to get a little background in some elementary number theory.
Relatively Prime Numbers Two natural numbers n and m are relatively prime if n and m have no common factor greater than 1.
Relatively Prime Numbers For example, 24 and 25 are relatively prime, as are 2310 and 2873. If you don’t believe me, factor them!
The Euler Phi Function For any natural number n, the Euler phi function of n, denoted $\varphi(n)$, is the number of natural numbers less than or equal to n which are relatively prime to n.
The Euler Phi Function For example, we have
• $\varphi(1)=1$ since 1 is relatively prime to 1
• $\varphi(2)=1$ since 1 is relatively prime to 2
• $\varphi(3)=2$ since 1, 2 are relatively prime to 3
• $\varphi(10)=4$ since 1, 3, 7, 9 are relatively prime to 10.
The Euler Phi Function If p is a prime number, then $\varphi(p)=p-1$, since every number less than p is relatively prime to p.
The Euler Phi Function Similarly, $\varphi(p^k)=p^k-p^{k-1}=p^{k-1}(p-1)$. This is easy to see since the only prime factor of $p^k$ is p, so the only numbers which have a common factor with $p^k$ are the multiples of p.
The Euler Phi Function Since one out of every p numbers is a multiple of p, the number of multiples of p less than or equal to $p^k$ is $p^{k-1}$. So, $\varphi(p^k)=p^k-p^{k-1}=p^{k-1}(p-1)$.
The Euler Phi Function Although it’s not at all obvious, the Euler phi function is multiplicative. That is, if n and m are relatively prime, then $\varphi(nm)=\varphi(n)\,\varphi(m)$.
The Euler Phi Function One proof of this result uses the Chinese Remainder Theorem to show that there is a one-to-one correspondence between numbers less than or equal to the product nm which are relatively prime to nm and ordered pairs of numbers which are (1) less than or equal to n and relatively prime to n and (2) less than or equal to m and relatively prime to m.
The Euler Phi Function We won’t prove this result. If you’re interested, consult pages 21–22 in the book A Course in Number Theory and Cryptography by Neal Koblitz.
The Euler Phi Function In particular, if n is the product of two prime numbers p and q, we have
The Euclidean Algorithm The Euclidean Algorithm allows the efficient computation of the greatest common divisor of two natural numbers. This algorithm is easily implemented on present-day computers even with extremely large numbers.
The Euclidean Algorithm Suppose we wish to compute the greatest common divisor, denoted gcd, of two natural numbers, a and b, with b<a. First, you divide a by b, getting a quotient $q_1$ and a remainder $r_1$.
The Euclidean Algorithm Next, you divide b by $r_1$, getting a quotient $q_2$ and a remainder $r_2$.
The Euclidean Algorithm From now on, you divide $r_{n-1}$ by $r_n$, getting a quotient $q_{n+1}$ and a remainder $r_{n+1}$.
The Euclidean Algorithm Since $0 \le r_{n+1} < r_n$, eventually the remainder is 0. The last nonzero remainder in this process is the greatest common divisor of a and b.
The Euclidean Algorithm In fact, so that this algorithm works exponentially quickly.
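The division steps above, together with a check of the Euler phi facts from the earlier slides, as an added example (not part of the original slides; the function names euclid_trace and phi are hypothetical):

```python
def euclid_trace(a, b):
    """Euclidean Algorithm as described in the slides.

    Divide a by b, then b by r_1, then r_{n-1} by r_n, until the remainder
    is 0. Returns (gcd, [r_1, r_2, ..., 0]).
    """
    remainders = []
    while b != 0:
        a, b = b, a % b          # (divisor, remainder) become the next pair
        remainders.append(b)
    return a, remainders         # a now holds the last nonzero remainder


def phi(n):
    """Euler phi by direct count: how many of 1..n are relatively prime to n.

    Only practical for small n; it is here to check the formulas on the slides.
    """
    return sum(1 for k in range(1, n + 1) if euclid_trace(n, k)[0] == 1)


if __name__ == "__main__":
    # The slide's pair 2310 and 2873: the last nonzero remainder is 1.
    g, rs = euclid_trace(2873, 2310)
    print("gcd(2873, 2310) =", g, "remainders:", rs)

    # phi(p^k) = p^(k-1) (p - 1), here with p = 3, k = 3.
    print("phi(27) =", phi(27), "formula:", 3 ** 2 * (3 - 1))

    # Multiplicative only for relatively prime arguments.
    print("phi(90) =", phi(90), "phi(9)*phi(10) =", phi(9) * phi(10))
    print("phi(24) =", phi(24), "phi(4)*phi(6)  =", phi(4) * phi(6))
```

The last line shows why the hypothesis matters: 4 and 6 share the factor 2, and the product rule fails for them.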
Repeated Squaring Method The repeated squaring method allows the efficient computation of the modular exponentiation of a large number to a large power. This algorithm is easily implemented on present-day computers even with extremely large numbers.
Repeated Squaring Method Algorithm: We wish to compute $b^n \bmod m$
• First, write n as a natural number in base 2. Here, each $n_i$ is either 0 or 1.
Repeated Squaring Method Algorithm: We wish to compute $b^n \bmod m$
• Set a=1 if $n_0=0$ and set a=b if $n_0=1$.
• Square b and set $b_1 \equiv b^2 \bmod m$.
• If $n_1=1$, multiply a by $b_1$ and reduce mod m.
• Square $b_1$ and set $b_2 \equiv b_1^2 \bmod m$.
• If $n_2=1$, multiply a by $b_2$ and reduce mod m.
Repeated Squaring Method Algorithm: We wish to compute $b^n \bmod m$
• At the jth step, you have computed $b_j \equiv b^{2^j} \bmod m$.
• If $n_j=1$, multiply a by $b_j$.
• After the $(k-1)$-st step, $a = b^n \bmod m$
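The steps above written out as an added example (not part of the original slides; the function name repeated_squaring and the sample numbers are constructed for illustration). It also counts the modular multiplications, to show that the work grows with the number of base-2 digits of n rather than with n itself:

```python
def repeated_squaring(b, n, m):
    """Return (b**n mod m, number of modular multiplications used).

    Scans the base-2 digits n_0, n_1, ... of n from least significant
    upward, exactly in the order the slides describe.
    """
    if m < 1 or n < 0:
        raise ValueError("need modulus m >= 1 and exponent n >= 0")
    a = 1 % m            # running product (1 % m covers the case m == 1)
    b_j = b % m          # b_0 = b mod m
    mults = 0
    while n > 0:
        if n & 1:                      # current digit n_j is 1
            a = (a * b_j) % m          # multiply a by b_j and reduce mod m
            mults += 1
        b_j = (b_j * b_j) % m          # b_{j+1} = b_j^2 mod m
        mults += 1
        n >>= 1                        # move on to digit n_{j+1}
    return a, mults


if __name__ == "__main__":
    # Small case that can be checked by hand: 13 = 1101 in base 2.
    print(repeated_squaring(3, 13, 7))

    # Constructed large inputs of roughly the size used in RSA.
    b = 2 ** 521 - 1
    n = 2 ** 1023 + 12345
    m = 2 ** 1024 - 105
    value, mults = repeated_squaring(b, n, m)
    print("matches built-in pow:", value == pow(b, n, m))
    print("digits of n:", n.bit_length(), "multiplications:", mults)
```

The branch on each digit of n makes the running time depend on the exponent, so code like this is for study; when the exponent is an RSA private key, use a vetted library whose exponentiation is constant-time.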
Finding Large Prime Numbers In order to implement the RSA algorithm, we must have a technique for finding large prime numbers.
Finding Large Prime Numbers Since the security of the RSA algorithm itself is based on the fact that it is computationally infeasible to factor large numbers, we must have some other method of determining whether a large number is prime.
Primality Tests According to Fermat’s Little Theorem, if p is a prime number and a is a number relatively prime to p, then
Primality Tests If n is not prime, it is still possible that the equation holds, but not likely, for a relatively prime to n. If this equation holds, we say that n is a pseudoprime base a.
Primality Tests Theorem: If, for a given n, Fermat’s Little Theorem fails for a single base a, then it fails for at least half of the possible bases a in (Z/nZ)*.
Primality Tests Algorithm:
• Take a large odd integer n.
• Choose a random a with 0<a<n.
• Compute gcd(a,n).
• If gcd(a,n)>1, then n is composite.
Primality Tests Algorithm:
• If gcd(a,n)=1, then raise a to the $(n-1)$-st power.
• If Fermat’s Little Theorem fails, then n is composite.
• If Fermat’s Little Theorem holds, then n might be prime.
Primality Tests Algorithm:
• Next, choose k different bases $a_1, a_2, \ldots, a_k$ and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in $2^k$ that n might still be composite.
Primality Tests Algorithm: • This gives us a probabilistic method of choosing large prime numbers, unless …
Primality Tests It is possible that, for a given n, Fermat’s Little Theorem holds for all bases a. In fact, such numbers exist. They are called Carmichael numbers. In 1992, it was shown by Alford, Granville, and Pomerance that there are infinitely many Carmichael numbers.
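The test above and its Carmichael-number blind spot, as an added example (not part of the original slides; the names fermat_test and fermat_liars are hypothetical, bases are drawn at random rather than forced to be distinct, and the check used is that a raised to the (n-1)-st power is 1 mod n):

```python
import math
import random


def fermat_test(n, k=20, rng=None):
    """Return False if n is certainly composite, True if n might be prime."""
    rng = rng or random.Random()
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(k):
        a = rng.randrange(1, n)          # random base with 0 < a < n
        if math.gcd(a, n) > 1:           # shared factor: n is composite
            return False
        if pow(a, n - 1, n) != 1:        # Fermat's Little Theorem fails
            return False
    return True                          # passed for all k bases


def fermat_liars(n):
    """Count bases in (Z/nZ)* that pass, and the size of (Z/nZ)*."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    passing = [a for a in units if pow(a, n - 1, n) == 1]
    return len(passing), len(units)


if __name__ == "__main__":
    # 15 = 3 * 5 is an ordinary composite: exactly half of the bases pass.
    print("n = 15 :", fermat_liars(15))
    # 561 = 3 * 11 * 17 is a Carmichael number: every base in (Z/nZ)* passes,
    # so only the gcd step can ever expose it.
    print("n = 561:", fermat_liars(561))
    print("2**127 - 1 might be prime:", fermat_test(2 ** 127 - 1))
```

For 561 the gcd step fires often because its prime factors are tiny; a Carmichael number with only large prime factors would almost never be caught that way, which is why this test alone is not a sound basis for choosing RSA primes.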
Shameless Plug for my Alma Mater This result was proven while Alford, Granville, and Pomerance were on the mathematics faculty of The University of Georgia.
Primality Tests So, we might want to look at a better primality test.
Primality Tests Another primality test involves some quantities called Jacobi symbols, and in order to define them, we must talk about Legendre symbols.
Legendre and Jacobi Symbols Let p be an odd prime number and let a be a natural number. We define the Legendre symbol to be 0 if p divides a, 1 if a is a square mod p, and $-1$ if a is not a square mod p.
Legendre and Jacobi Symbols If n is not prime, we can factor n uniquely as a product of primes p11 . . . prr. We define the Jacobi symbol by
Legendre and Jacobi Symbols Legendre and Jacobi symbols are easily computed by present-day computers using the Law of Quadratic Reciprocity. For further information, consult any text on elementary number theory.
Primality Tests For a prime number p, it is known that
Primality Tests Theorem: If n is composite, the equation fails for at least half of the possible bases a in (Z/nZ)*.