1 / 127

Introduction to RSA Cryptography: Secure Public Key Encryption

Learn about the RSA cryptosystem, which provides strong security guarantees by leveraging number theory concepts like modular exponentiation and prime factorization. Discover how to encrypt and decrypt messages using the RSA cipher.

drichey
Télécharger la présentation

Introduction to RSA Cryptography: Secure Public Key Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 00 Introducing Foundations

  2. Cryptography – The RSA Public Key Cryptosystem • The Rivest-Shamir-Adleman (RSA) cryptosystem uses • all the ideas we have introduced in this lecture note. • It derives very strong guarantees of security by ingeniously exploiting the wide gulf between • the polynomial-time computability of certain number-theoretic tasks • (modular exponentiation, • greatest common divisor, • primality testing) and • the intractability of others (factoring).

  3. Cryptography – The RSA Public Key Cryptosystem • How encrypt and decrypt message using the RSA cipher: • Pick two large integers p and q, • [say, in the order of several hundred digits each, and are virtually certain to be prime]. • In order to encrypt a message Musing the RSA cipher, a person needs to know the value of • pqand • integer e, both of which are made publicly available. • But only a person, who knows the individual values of p and q,can decrpt an encrypted message.

  4. RSA Cryptography

  5. RSA Cryptography Suppose Alice decides to set up an RSA cipher. She chooses two prime numbers, p = 5 and q = 11, and computes pq = 55, and a positive integer e = 3 that is relatively prime to (p-1)(q-1) = 40. The two numbers pq = 55 and e = 3 are the public key, which she may distributed widely. [The secret key is p and q.] [The effectiveness of the system is the secrecy of the cipher which has two distinct large integers p, q – say on the order of several hundred digits each – that are virtually certain to be prime. And pick a very large e which is relatively prime to (p -1)(q – 1).]

  6. RSA Cryptography Because the RSA cipher works only on numbers, Alice also informs people how she will interpret the numbers in the message they send her. Suppose that she encodes letters of the alphabet the same way as was done for the Caesar cipher: A = 1, B = 2, C = 3, …, Z = 26. Assume that the messages Alice receives consist of blocks, each of which is taken to be a single, numerically encoded letter of the alphabet.

  7. RSA Cryptography Someone who wants to send Alice a message breaks the message into blocks, each consisting of a single letter, and finds the numeric equivalent for each block. The plaintext M in a block is converted into ciphertext C, according to the following formula: C = Me mod pq. ……..(RSA 0.4.5) Since both pq and e are public keys, anyone who is given the keys and knows modular arithmetic can encrypt a message to send to Alice. (That is, Alice receives the ciphertext C for the plaintext M in a block of several blocks.)

  8. RSA Cryptography • Example 0.1.4.9 Encrypting a Message Using RSA Cryptography • Bob wants to send Alice the message HI. What is the ciphertext for his message (that is, the encrypted message)? • Bob will send his message in two blocks, one for the H and another for the I. • H is encoded as 08, or 8. The corresponding ciphertext is computed using formula (RSA 0.4.5 C = Me mod pq.) as follows: • C = 83 mod 55 • = 512 mod 55 • = 17. • I is encoded as 09, or 9. The corresponding ciphertext is • C = 93 mod 55 • = 729 mod 55 • = 14. • Accordingly, Bob sends Alice the message 17 14.

  9. RSA Cryptography Example 0.1.4.10 decrypting a Message Using RSA Cryptography To decrypt the message 17 14, Alice needs to compute the decryption key, a number dwhich is a positive inverse to e modulo (p – 1)(q – 1). She then obtains the plaintext message M from the encrypted message, namely the ciphertext C by the formula M = Cd mod pq. ……. (RSA 0.4.6) Because M + kpq M (mod pq), M must be taken to be less than pq, in order for the decryption to be guaranteed to produce the original message. Because p and q are normally taken to be so large (the order of several hundred digits each), this requirement does not cause problems. Long messages are broken into blocks of symbols to meet the restriction and several symbols are included in each block to present decryption based on knowledge of letter frequencies.

  10. RSA Cryptography Recall Example: Find a positive inverse for 3 modulo 40. That is, find a positive integer x such that 3x 1(mod 40), or equivalently x 3-1 (mod 40). Solution: Find a linear combination of 3 and 40 that equals 1. 40 = 13* 3 + 1. This implies that 1 = 1*40 – 13*3. gcd(40, 3) = 3 = 3 * 1 + 0. This implies that 0 = 1*3 – 3*1gcd(3, 1) = 1 = 0 * 0 + 1. This implies that 1 = 1*1 – 0*0gcd(1, 0) = 1. Take the 3rd equation, 1 = 1*1 – 0*0 = 1* 1 = 1 * (1 *40 -13 *3) since 40 = 13* 3 + 1. Then, 1 = 1 * (1 *40 -13 *3) yields (-13)* 3 = 1+ (-1)*40 , which is, by definition of congruence modulo n, (-13)* 31(mod 40), or, equivalently, (-13) 3-1 (mod 40). This result implies that -13 is an inverse for 3 mod 40. To find a positive inverse, compute 40 -13 which yields 27, and 27 (mod 40) because 27 – (-13) = 40. So, by Theorem 0.1.4.3(3), ab cd (mod n), 27 * 3 (-13) *3 (1 mod 40), and thus by the transitive property of congruence modulo n, 27 is a positive integer that is an inverse for 3 modulo 40.

  11. RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography Alice knows not only pq = 55 and e =3 as everyone has. In addition, Alice knows the secret key: p = 5 and q = 11. Therefore, (p -1)(q – 1) = 40. She needs to find the decryption key - a positive inverse for 3 modulo 40, which is to be 27 (as we obtained in previous Example). She then needs to compute M = Cd mod pq = 1727 mod 55. The residues obtain when 17 is raised to successively to 24 = 16. 27 = 16 + 8 + 2 + 1 = 24 + 23 + 2+ 1. 17 mod 55 = 17 172mod 55 = 14 174 mod 55 = (172)2 mod 55 = (172 mod 55)2 mod 55 = (14)2 mod 55 = 31 178 mod 55 = (174)2 mod 55 = (174 mod 55)2 mod 55 = (31)2 mod 55 = 26 1716 mod 55 = (178)2 mod 55 = (26)2 mod 55 = 16 Then 1727 = 1716 + 8 + 2 + 1 = 1716 * 178 * 172 * 171.

  12. RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography … 27 = 16 + 8 + 2 + 1 = 24 + 23 + 2+ 1. 17 mod 55 = 17 172 mod 55 = 14 174 mod 55 = (172)2 mod 55 = (172 mod 55)2 mod 55 = (14)2 mod 55 = 31 178 mod 55 = (174)2 mod 55 = (174 mod 55)2 mod 55 = (31)2 mod 55 = 26 1716 mod 55 = (178)2 mod 55 = (26)2 mod 55 = 16 Then 1727 = 1716 + 8 + 2 + 1 = 1716 + 178 + 172 + 171. Thus, 1727 mod 55 = (1716 * 178 * 172 * 171 ) mod 55 [(1716 mod 55)(178 mod 55)(172 mod 55)( 171 mod 55) ] (mod 55) (16 * 26 * 14 * 17) (mod 55) 99008 (mod 55) = 8 (mod 55) Hence 1727 mod 55 = 8, and thus the plaintext of the first part of Bob’s message is 8 or 08. In the last step Alice finds the letter correspond to 08, which is H.

  13. RSA Cryptography Example 0.1.4.10 Decrypting a Message Using RSA Cryptography Likewise, Alice 14, the result is 9, which corresponds to the letter I. She needs to find the decryption key, which is a positive inverse for 3 modulo 40. The positive inverse for 3 modulo 40 is to be 27 (as we obtained in previous Example). She then needs to compute M = Cd mod pq = 1427 mod 55. 27 = 16 + 8 + 2 + 1 = 24 + 23 + 2+ 1. 14 mod 55 = 14 142 mod 55 = 31 144 mod 55 = (142)2 mod 55 = (142 mod 55)2 mod 55 = (31)2 mod 55 = 26 148 mod 55 = (144)2 mod 55 = (144 mod 55)2 mod 55 = (26)2 mod 55 = 16 1716 mod 55 = (148)2 mod 55 = (16)2 mod 55 = 36 Then 1427 = 1416 + 8 + 2 + 1 = 1416 * 148 * 142 * 141. Thus, 1427 mod 55 = (1416 * 148 * 142 * 141 ) mod 55 [(1416 mod 55)(148 mod 55)(142 mod 55)( 141 mod 55) ] (mod 55) (36 * 16 * 31 * 14) (mod 55) ((36 * 16) mod 55 * (31 * 14) (mod 55)) mod 55 (26 * 45) mod 55 1274 (mod 55) 9 (mod 55). Hence 1427 mod 55 = 9, and thus the plaintext of the first part of Bob’s message is 9 or 09. In the last step Alice finds the letter correspond to 09, which is I. So Alice got Bob’s message is HI.

  14. Euclid’s Lemma Theorem 0.1.4.8 Euclid’s Lemma For all integer a, b, and c, if gcd(a, c) = 1 and a | bc, then a | b. The unique factorization theorem for the integers states that nay integer greater than 1 has a unique representation as a product of prime numbers, except possibly for the order in which the numbers are written. This follows quickly from Euclid’s lemma. Another application of Euclid’s lemma is a cancellation theorem for congruence modulo n. This theorem allows us – under certain circumstances – to divide out common factor in a congruence relation.

  15. Euclid’s Lemma Theorem 0.1.4.9 Cancellation Theorem for Modular Congruence For all integer a, b, c, and n with n > 1, if gcd(c, n) = 1 and ac bc (mod n), then a b (mod n). Proof: Suppose a, b, c, and n are any integers, gcd(c, n) = 1 and ac bc (mod n). We must show that a b (mod n). By definition of congruence modulo n, n | (ac – bc), that is, n | (a – b)c, since ac – bc = (a – b)c. Because gcd(c, n) = 1. We may apply Euclid’s lemma to obtain n | (a – b), and so, a b (mod n) by definition of congruence modulo n. QED

  16. Fermat’s Little Theorem Theorem 0.1.4.10 Fermat’s Little Theorem If p is any prime number and a is any integer such that p | a, then ap-1 1 (mod p). Proof: Suppose p is any prime number and a is any integer such that p|a. Note that a 0 because otherwise p would divide a. Consider the set of integers S = { a, 2a, 3a, …, (p-1)a }. We claim that no two elements of S are congruence modulo p. For suppose sa ra (mod p) for some integers s and r with 1 r < s p-1. Then by definition of congruence modulo p, p | (sa – ra), or equivalently, p | (s – r)a. Now, p | a by hypothesis, and because p is prime, gcd(a, p) = 1. Thus, by Euclid’s lemma, p | (s – r). But this is impossible because 0 < s – r < p. …

  17. Fermat’s Little Theorem Theorem 0.1.4.10 Fermat’s Little Theorem If p is any prime number and a is any integer such that p | a, then ap-1 1 (mod p). Proof: Continued … Consider the function F from S to the set T = {1, 2, 3, …, (p-1)} that sends each element of S to its reside modulo p. Then F is one-to-one because no two elements of S are congruence modulo p. We prove that if a function from one finite set to another is one-to-one, then it is also onto. Hence F is onto, and so the p-1 residues of the p-1 elements of S are exactly the numbers 1, 2, 3,., (p-1). It follows by Theorem 0.1.4.3(3) that a*2a*3a*…*(p-1)a [1*2*3*…*(p-1)] (mod p), or equivalently, ap-1(p-1)! (p-1)! (mod p). But because p is prime, p and (p-1)! are relatively prime. Thus, by the cancellation theorem for modular congruence (Theorem 0.1.4.9), ap-1 1 (mod p). QED

  18. Why Does the RSA Cipher Work? For the RSA cryptography method, the formula M = Cd mod pq. ……. (RSA 0.4.6) is supposed to produce the original plaintext message, M when the encrypted message is C. How can we be sure that it always does so? We require M < pq and we know that C = Me mod pq. ……..(RSA 0.4.5) By substitution, M = Cd mod pq = (Me mod pq)d mod pq = Med (mod pq) by theorem 0.1.4.3(4). And so, it suffices to show M Med (mod pq).

  19. Why Does the RSA Cipher Work? For the RSA cryptography method, the formula M = Cd mod pq. ……. (RSA 0.4.6) is supposed to produce the original plaintext message, M when the encrypted message is C. And so, it suffices to show M Med (mod pq). Recall that d was chosen to be a positive inverse for e modulo(p-1)(q-1), which exists because gcd(e, (p-1)(q-1)) = 1. In other words, ed 1 (mod(p-1)(q-1)), or equivalently, ed = 1 + k (p-1)(q-1) for some positive integer k. Therefore, Med = M1 + k (p-1)(q-1) = M(Mp-1 )k(q-1) = M(Mq-1 )k(p-1)

  20. Why Does the RSA Cipher Work? … Therefore, Med = M1 + k (p-1)(q-1) = M(Mp-1 )k(q-1) = M(Mq-1 )k(p-1) If p | M, then by Fermat’s little theorem, Mp-1 1 (mod p), and so Med = M(Mp-1 )k(q-1) M(1)k(q-1) (mod p) = M (mod p). Likewise, if q | M, then by Fermat’s little theorem, Mq-1 1 (mod q), and so Med = M(Mq-1 )k(p-1) M(1)k(p-1) (mod q) = M (mod q). Thus, if M is relatively prime to pq, Med M (mod p) and Med M (mod q) .

  21. Why Does the RSA Cipher Work? … If M is not relative prime to pq, then either p | M or q | M. Without loss of generality, assume p | M. It follows that Med 0 M (mod p), Moreover, because M < pq, q | M, and thus, as above Med 0 M (mod q). Therefore, in this case also, Med M (mod p) and Med M (mod q) . By Theorem 0.1.4.1, p | (Med – M) and q | (Med – M) , and by definition of divisibility, (Med – M) = pt for some integer t.

  22. Why Does the RSA Cipher Work? … and by definition of divisibility, (Med – M) = pt for some integer t. By substitution, q | pt, and since q and p are distinct prime numbers, Euclid’s lemma applies to give q | t. Thus, t = qu for some integer u by definition of divisibility. By substitution, M - Med = pt = p(qu) = (pq)u, where u is an integer, and so, pq | (M - Med)

  23. Why Does the RSA Cipher Work? … where u is an integer, and so, pq | (M - Med) by definition of divisibility. Thus M - Med0 (mod pq), by definition of congruence, or, equivalently, M Med(mod pq). Because M < pq, this last congruence implies that M Med(mod pq), and thus the RSA cipher gives the correct result. QED

  24. Another Approach to Presenting RSA ______________________________ Skip this approach.

  25. A typical setting for cryptography can be described via three characters: Alice and Bob, who wish to communicate in private, and Eve, in eavesdropper who will go to great lengths to find out what they are saying. Let’s say Alice wants to send a specific message x, written in binary (why not), to her friend Bob. She uses encryption function e(.) to encodes it as e(x), sends it over to Bob. Bob applies his decryption function d(.) to decode it: d(e(x)) = x. Here e(.) and d(.) are appropriate transformation of the messages. Ideally the encryption functions e(.) is so chosen that without knowing d(.). Eve cannot do anything with the information by knowing e(x) tells her little or nothing about what x might be. Alice pkeyfunceBob(.) skeyfuncdBob(.) Bob x = dBob (eBob (x)) eBob (x) x Decoder Encoder Eve

  26. For centuries, cryptography was based on what we now call private-key protocol. In such a scheme, Alice and Bob meet beforehand and together choose a secret codebook, with which they encrypt all future correspondence between them. Eve’s only hope, then, is to collect some encoded messages and use them to at least partially figure out the codebook. Alice pkeyfunceBob(.) skeyfuncdBob(.) Bob x = dBob (eBob (x)) eBob (x) x Decoder Encoder Eve

  27. Begin++++++++++++++++++++++++++++++++++++++++++++++++++++++ • Public-Key Cryptosystems • A public-key cryptosystem consists of • a set of permissible messages, • which might include all character sequences of some given length or less. • a set of participants such that • each participant has a public keyand a secret key • (i.e., each key consists of a pair of integers, • such as, a public key is pq and e, and • a secret key is p and q), and • a network for sending message among the participants.

  28. Public-Key Cryptosystems Let M = set of permissible messages (i.e., the set of all finite-length bit sequence.) Then each participant x’s public key pkeyx and secret key skeyx require to specify 1-1 functions pubx and secx, respectively, from M to M. Given the corresponding keys pkeyx or skeyx, the functions pubx and secx are assumed to be efficiently computable. For any participant they are a "matched pair” in that they specify functions that are inverses of each other. That is, for each b M b = secx ( pubx (b) ), b = pubx ( secx (b) ). [it suffices to show M Med (mod pq).]

  29. Each participant creates their own public and secret keys. • The secret keys, say p and q, are kept secret (The secret key of x is known only to x). • The public keys, say pq and e, can be revealed and therefore are known to all the participants. • For example, if Alice wants to send Bob a secret note of a plaintext message b, she and Bob do the following: • Alice computes c = pubBob (b) using Bob’s public key, pkeyBob . • The message c is called ciphertext. It is unreadable. e.g., c = be (mod pq) • 2. Alice sends ciphertext c to Bob. • 3. Bob computes b = secBob (c) using his secret key skeyBob e.g., b = cd (mod pq)

  30. Example 0.71: • Suppose Alice wants to send Bob the message “I am coming.”. The steps are as follows: • Alice computes • pubBob (“I am coming.”). • Suppose the result is “@!##%*(!”. • 2. Alice sends this message to Bob. Alice’s friends see “@!##%*(!”. • 3. Bob computes • secBob (“@!##%*(!”) = I am coming.

  31. The application of pubBob in step 1 is called encryption, thereby digitally locking it. while the application of secBob to quickly unlocking this digital lock in step 3 is called decryption. These steps are illustrated in the following. Eve Alice Alice’s friends Bob Alice encrypt decrypt Bob c c c b b skeyBob pkeyBob c = pubx (b) b = secx ( pubx (b) ),

  32. Note that since only Bob knows secBob(), and because pubBob () and secBob() are inverse functions, only he can decode the ciphertext c back to the original message b in any practical amount of time. The point is that Alice and Bob need only perform simple calculations to lock and unlock the message respectively – operations that any pocket computing device could handle. By contrast, to unlock the message without the secret key, Eve must perform operations like factoring large numbers, which requires more computation power than would be afforded by the world’s most powerful computers combined. This compelling guarantee enables secure Web commerce, such as sending credit card numbers to companies over the Internet. This method will work as long as it is not possible (or at least it is very difficult) to determine skeyx from pkeyx. That is, Bob’s digital signatures are authentic. ++++++++++++++++++++++++++++++++++++++++++++++++++++end

  33. Private-key schemes: one-time pad and AES (Advanced Encryption Standard) Consider an encryption function, e : (message) → (encoded messages). This function must be invertible – for decoding to be possible – and is therefore a bijection. Its inverse is the decryption function d(.). In the one-time pad,Alice and Bob secretly choose a binary string r of the same length – say, n bits – as the important message x that Alice will later send.Alice’s encryption function is then a bitwise exclusive-or, er (x) = x ExOR r: each position in the encoded message is the exclusive-or of the corresponding positions in x and r. For instance, if r = 01110010, the message 11110000 is scrambled thus: er (11110000) = 11110000 ExOR 01110010 = 1000 0010.

  34. This function er is a bijection from n-bit strings to n-bit strings, as evidenced by the fact that it is its own inverse! er (er (x) ) = (x ExOR r) ExOR r = x ExOR (r ExOR r) = x ExOr Õ, where Õ is the string of all zeros. = x. Thus Bob can decode Alice’s transmission by applying the same encryption function a second time dr (y) = y ExOR r, where y = er (x) = (x ExOR r), = x dr (1000 0010) = 1000 0010 ExOR 01110010 = 01110010

  35. How should Alice and Bob choose r for this scheme to be secure? Simple. They should pick r at random, flipping a coin and each bit, so that the resulting string is equally likely to be any element of {0, 1}n. This will ensure that if Eve intercepts the encoded message y = er (x), she gets no information about x. Suppose, for example, that Eve finds out y = 10; what can she deduce? She doesn’t know r, and the possible values it can take all correspond to different original messages x:

  36. Stealing info 10 from y, if x is 00, 01, 10 or 11, then r could be 10, 11, 00 and 01, respectively. messages x ExOR r y 00 01 e11 10 10 11 e10 e00 e01 For 8-bits code, possible cases are 28 = 10,000,000 (10 millions) 28 possible 8 bits info 28 Combination of e 8 bits info

  37. So given what Eve knows, all possibilities for x are equally likely! The downside of the one-time pad is that it has to be discarded after use, hence the name. A second message encoded with the same pad would not be secure, because if Eve knew x ExOR r and z ExOR r for two messages x and z, then she could take the exclusive-or to get x ExOR z, which might be important information – for example (1) it reveals whether the two messages begin or end the same, and (2) if one message contains a long sequence of zeros (as could easily be the case if message is an image), then corresponding part of the other message will be exposed. Therefore, the random string that Alice and Bob share has to be the combined length of all the messages they will need to exchange.

  38. The one-time pad is a toy cryptographic scheme. The advanced encryption standard (AES) is a very widely used cryptographic protocol. AES is once again private-key: Alice and Bob have to agree on a shared random string r. But this time the string r is of a small fixed size, 128 (i.e., 27) to be precise (variants with 192 (27+26) or 256 (28) bits also exist), and specifies a bijection er from 128-bit strings to 128-bit strings. The crucial different is that this function can be used repeatedly, so for instance a long message can be encoded by splitting it into segments of 128 bits and applying er to each segment. Certainly at present the general public does not know how to break the code – to recover x from er (x) – except using techniques that are not very much better than the brute-force approach of trying all possibilities for the shared string r.

  39. RSA • The RSA scheme is based heavily upon number theory. Think of • messages from Alice to Bob as numbers modulo N; • messages larger than N can be broken into smaller pieces. • The encryption function will then be a bijection on {0, 1, 2, 3, …, N - 1}, and the decryption function will be its inverse. • What values of N are appropriate, and what bijection should be used?

  40. Two Properties Pick any two very large primes p and q. Let N = p*q. For any e relatively prime to (p – 1)(q – 1): • The mapping x |→ xe mod N is a bijection on { 0, 1, 2, …, N – 1}. • The inverse mapping is easily realized: • Let d be the inverse of e modulo (p – 1)(q – 1), • i.e., d = e-1 mod (p-1)(q-1). • Then for all x ɛ {0, 1, 2, …, N – 1}, • ( xe )d ≡ x mod N.

  41. Property (Continued) • 1. The mapping x |→ xe mod N is a bijection on { 0, 1, 2, …, N – 1}. • This property tells us that the mapping x |→ xe mod N is a reasonable way to encode messages x; no information is lost. • If Bob publishes (N, e) as his public key, everyone else can use it to send him encrypted messages. d can be found using d = e-1 mod (p-1)(q-1). Then the original text x can be obtained by Bob applying his sKey d on his received cipertextxe from Alice using ( xe )d ≡ x mod N. That is x = ( xe )d .

  42. Two Properties (Continued) • 2. The inverse mapping is easily realized: • Let d be the inverse of e modulo (p – 1)(q – 1), • i.e., d = e-1 mod (p-1)(q-1). • Then for all x ɛ {0, 1, 2, …, N – 1}, ( xe )d ≡ x mod N. • The second property then tells us how decryption can be achieved. Bob should retain the value d as his secret key, with which he can decode all messages that come to him by simply raising them to the dth power modulo N. d can be found using d = e-1 mod (p-1)(q-1). Then the original text x can be obtained by Bob applying his sKey d (i.e., p and q) on his received cipertextxe from Alice using ( xe )d ≡ x mod N. That is x = ( xe )d .

  43. Example 0.72: Let N = 55 = 5*11. Choose encryption exponent e = 3, which satisfies the condition gcd(e, (p – 1)(q – 1)) = gcd(3, 40) = 1. The decryption exponent is then d = 3-1 mod 40 = 27. That is, 27 * 3 1 mod 40 if, and only if, 40 | (27*3 – 1). Now for any message x mod 55, the encryption of x is y = x3 mod 55, and the decryption of y is x = y27 mod 55. So, for example, if x = 13, then y = 133 mod 55 = 52. That is, 133 52 mod 55. and 13 = 5227 mod 55.

  44. GCD(40, 3) => 40 = 13 * 3 + 1 => 1 = 1 * 40 – 13 * 3 (3) GCD(3, 1) => 3 = 3 * 1 + 0 => 0 = 1 * 3 – 3 * 1 (2) GCD(1, 0) => 1 = 1 * 0 + 1 => 1 = 1 * 1 – 1 * 0 (1) From (1) we have 1 = 1 * 1 – 1 * 0 Replace 0 by (2) and yields 1 = 1 * 1 – 1 * (1 * 3 – 3 * 1 ) 1 = 1 * 1 – 1 * 3 + 3 * 1 1 = – 1 * 3 + 4 * 1 Replace 1 by (3) and yields 1 = – 1 * 3 + 4 * (1 * 40 – 13 * 3) 1 = – 1 * 3 + 4 * 40 – 52 * 3 1 = 4 * 40 – 53 * 3 (4) That is GCD(40, 3) = 1 = d = min{ (4, -53) | 4 * 40 – 53 * 3 = 1 > 0}. Consider 4 * 40 – 53 * 3 = 1 from (4). (4 * 40 – 53 * 3 )mod 40 1 mod 40 (4 * 40 mod 40 – 53 * 3 mod 40)mod 40 1 mod 40 (to be continued)

  45. GCD(40, 3) => 40 = 13 * 3 + 1 => 1 = 1 * 40 – 13 * 3 (3) GCD(3, 1) => 3 = 3 * 1 + 0 => 0 = 1 * 3 – 3 * 1 (2) GCD(1, 0) => 1 = 1 * 0 + 1 => 1 = 1 * 1 – 1 * 0 (1) Consider 4 * 40 – 53 * 3 = 1 from (4). (4 * 40 – 53 * 3 )mod 40 1 mod 40 (4 * 40 mod 40 – 53 * 3 mod 40)mod 40 1 mod 40 (0 – 53 * 3 mod 40)mod 40 1 mod 40 ( – 13 * 3 )mod 40 1 mod 40 27 * 3 1 mod 40 27 3-1 mod 40

  46. Show 13 = 5227 mod 55. 5227 mod 55 = (52 mod 55)27 mod 55 = (-3)27 mod 55 = (-3)9*3 mod 55 = (81 * 81 * -3)9*3 mod 55, where 81 = (-3)4 = (26 * 26 * -3)3 mod 55 = (52 * 13 * -3)3 mod 55 = (-3 * 13 * -3)3 mod 55 = (117)3 mod 55 = (7)3 mod 55 = (343) mod 55 = 13 Either this way or the way presented in the following slide.

  47. Show 13 = 5227 mod 55. 27 = 16 + 8 + 2 + 1 = 24 + 23 + 2 + 1 Then, 5227 = 5216 + 8 + 2 + 1 = 5216 * 528 * 522 * 521 We can find the residues obtained when 52 is raised to successively higher powers of 2, up to 24 = 16. 52 mod 55 = 52 522 mod 55 = 9 524 mod 55 = (522) 2 mod 55 = (522 mod 55 ) 2 mod 55 = 92 mod 55 = 26 528 mod 55 = (524) 2 mod 55 = (524 mod 55 ) 2 mod 55 = 262 mod 55 = 16 5216 mod 55 = (528) 2 mod 55 = (528 mod 55 ) 2 mod 55 = 162 mod 55 = 36 Thus, 5227mod 55= (5216 * 528 * 522 * 521 )mod 55 [(5216 mod 55) * (528 mod 55) * (522 mod 55) * (521mod 55)](mod 55) (36* 16* 9* 52) (mod 55)

  48. Let’s prove the assertion above and then examine the security of the scheme. Proof. If the mapping x |→ xe mod N is invertible, it must be a bijection; hence statement 2 implies statement 1. To prove statement 2, we start by observing that e is invertible modulo (p – 1)(q – 1) because it is relatively prime to this number. To see that ( xe )d ≡ x mod N, we examine the exponent: since ed ≡ 1 mod (p – 1) (q – 1), we can write ed in the form 1 + k(p-1)(q-1) for some k. Now we need to show that the difference xed – x = x1+k(p – 1)(q – 1) – x is always 0 modulo N. The second form of the expression is convenient because it can be simplified using Fermat’s little theorem. It is divisible by p (since xp-1 ≡ 1 mod p ) and likewise by q. Since p and q are primes, this expression must also be divisible by their product N. Hence xed – x = x1+k(p – 1)(q – 1) – x ≡ 0 ( mod N ) exactly as we need. QED

More Related