
RSA Encryption

Zeph Grunschlag

Announcements

HW5 due now. HW6 will go up by tonight. Solutions to the midterm are available online. Midterm 2 moved from Monday 4/8 to Wednesday 4/10. Midterms returned at end of class.
Median: 71, Avg.: 68, Stdev.: 14. Hi: 95, Low: 33. Cutoffs: A ≥ 78 > B ≥ 62 > C ≥ 46 > D.

Agenda

RSA Cryptography: a useful method for encoding messages which, with properly chosen parameters, no one knows how to break in practice.

Needed for implementing RSA:
- Fast exponentiation
- Extended Euclid's algorithm
- Modular inverses
- FLT (Fermat's Little Theorem)
- CRT (Chinese Remainder Theorem)

RSA Cryptography

Most internet shopping sites offer a secure connection option that allows shoppers to disclose personal information such as credit card number, address, etc. without fear that a snoop on the communication will be able to tell what's happening.

[Figure: Mr. Snoop Snoopy Snoop, watching the connection, sees only garbled text such as "#24@ &3240 msP28*", while the browser has actually sent "Last Name: Smiley".]

RSA Cryptography

There are several encryption methods. Perhaps the simplest system that is believed to be secure in practice is the RSA (Rivest, Shamir, Adleman) system. FrogsRUs.com provides a large number N (e.g. a 1024-bit binary number; that size was typical when these slides were written, and 2048 bits or more is the minimum recommended today) and an encryption exponent e. Usually the server communicates N and e to the web browser behind the scenes (in practice, inside the server's certificate).

RSA Cryptography

Mr. Smiley's browser then converts his message into numbers, as in the modular encryption that we saw before. The letters are then put together into number blocks, each block less than N (a block of size N or larger could not be recovered). Mr. Smiley's browser raises each number block to the power e modulo N and sends these garbled blocks back to FrogsRUs.com.

RSA Cryptography

N = 4559, e = 13. Smiley transmits: "Last name Smiley".

  Letters:            L A   S T   _ N   A M   E _   S M   I L   E Y
  Blocks m:           2301  1920  0014  0113  0500  1913  0912  0525
  Compute:            2301^13 mod 4559, 1920^13 mod 4559, ...
  Blocks c = m^e mod N:
                      1443  0116  1478  2150  3906  4256  1445  2462

(Each block holds two characters. From the blocks one reads off the character code A = 01, ..., Z = 26, space = 00; the first block is printed as 2301 on the original slides, and the ciphertext table is consistent with that value.)

RSA Cryptography

FrogsRUs.com receives the encrypted blocks c = m^e mod N. It has a private decryption exponent d which, applied to c, recovers the original block m:
  (m^e mod N)^d mod N = m
For N = 4559, e = 13 the decryptor is d = 3397.

RSA Cryptography

N = 4559, d = 3397. Received blocks c:
                      1443  0116  1478  2150  3906  4256  1445  2462
  Compute:            1443^3397 mod 4559, 0116^3397 mod 4559, ...
  Recovered m = c^d mod N:
                      2301  1920  0014  0113  0500  1913  0912  0525
  Letters:            L A   S T   _ N   A M   E _   S M   I L   E Y

  LAST NAME SMILEY

RSA Cryptography

The key to the security of the RSA cryptosystem: the public key (N, e) must be such that it is very difficult for Snoop Snoopy Snoop to figure out what d is, yet very simple for FrogsRUs.com to come up with.

(Caveat: what is described here is "textbook" RSA, in which each block is encrypted deterministically. Deployed systems add randomized padding to each block before exponentiating, because a deterministic scheme reveals when two blocks are equal and lets an eavesdropper test guesses against the public key.)
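As an added example (not code from the original slides), here is the exchange above in Python. The slides' (N, e, d) and their eight message blocks are used as constructed input; the letter code (space = 00, A = 01, ..., Z = 26) is an assumption read off the blocks, and it gives 1201 rather than the slides' 2301 for "LA", so the slides' block values are used as printed. The last function shows the caveat from the slide: with deterministic encryption and only a few thousand possible two-character blocks, Snoop recovers every block by encrypting all candidates with the public key, without ever learning d.

```python
# Added example (not the slides' own code): textbook RSA on the slides' toy parameters.
N, E, D = 4559, 13, 3397          # public modulus, public exponent, private exponent (from the slides)

# The eight message blocks exactly as printed on the slides (two characters per block).
SLIDE_BLOCKS = [2301, 1920, 14, 113, 500, 1913, 912, 525]


def rsa_encrypt_block(m: int, n: int = N, e: int = E) -> int:
    """c = m^e mod n. The block must be smaller than the modulus or it cannot be recovered."""
    if not 0 <= m < n:
        raise ValueError("block must lie in [0, n)")
    return pow(m, e, n)


def rsa_decrypt_block(c: int, n: int = N, d: int = D) -> int:
    """m = c^d mod n."""
    return pow(c, d, n)


def encrypt_blocks(blocks, n=N, e=E):
    return [rsa_encrypt_block(m, n, e) for m in blocks]


def decrypt_blocks(blocks, n=N, d=D):
    return [rsa_decrypt_block(c, n, d) for c in blocks]


# Assumed character code, read off the slides' blocks: space = 00, A = 01, ..., Z = 26.
def encode_text(text: str) -> list:
    """Pack two characters per block: block = 100 * code(first) + code(second)."""
    codes = []
    for ch in text.upper():
        if ch == " ":
            codes.append(0)
        elif "A" <= ch <= "Z":
            codes.append(ord(ch) - ord("A") + 1)
        else:
            raise ValueError(f"unsupported character {ch!r}")
    if len(codes) % 2:
        codes.append(0)                      # pad an odd-length message with a trailing space
    return [100 * a + b for a, b in zip(codes[0::2], codes[1::2])]


def decode_blocks(blocks) -> str:
    chars = []
    for block in blocks:
        for code in (block // 100, block % 100):
            chars.append(" " if code == 0 else chr(ord("A") + code - 1))
    return "".join(chars)


def dictionary_attack(cipher_blocks, n=N, e=E) -> list:
    """Snoop's attack on deterministic (unpadded) RSA with a tiny message space: encrypt every
    possible two-character block with the PUBLIC key and invert the table. Recovers the
    plaintext blocks without d and without factoring n."""
    table = {pow(m, e, n): m for m in range(27 * 100)}   # every block 0000..2699 (a superset)
    return [table[c] for c in cipher_blocks]


if __name__ == "__main__":
    cipher = encrypt_blocks(SLIDE_BLOCKS)
    print("ciphertext:", cipher)                  # [1443, 116, 1478, 2150, 3906, 4256, 1445, 2462]
    print("decrypted :", decrypt_blocks(cipher))
    print("snooped   :", dictionary_attack(cipher))
    print("blocks for 'LAST NAME SMILEY':", encode_text("LAST NAME SMILEY"))
```

The dictionary attack works because encryption with a fixed public key is a function of the block alone; randomized padding is what makes the table useless in real deployments.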

Fast Modular Exponentiation

In order to implement RSA, exponentiation relative to some modulus needs to be done a lot. So this operation had better be doable, and fast.
Q: How is it even possible to compute 1443^3397 mod 4559? After all, 1443^3397 has over 10,000 digits (about 3397 · log10(1443) ≈ 10,700 of them)!

Fast Modular Exponentiation

A: By taking the mod after each multiplication. E.g., a more lucid example: 23^3 mod 30.
  23^3 ≡ (-7)^3 (mod 30)
       ≡ (-7)^2 · (-7) (mod 30)
       ≡ 49 · (-7) (mod 30)
       ≡ 19 · (-7) (mod 30)
       ≡ -133 (mod 30)
       ≡ 17 (mod 30)
Therefore, 23^3 mod 30 = 17.

Fast Modular Exponentiation

Q: What if we had to figure out 23^16 mod 30? The same way is tedious: we would need to multiply 15 times. Is there a better way?

Fast Modular Exponentiation

A: Better way. Notice that 16 = 2·2·2·2, so that 23^16 = 23^(2·2·2·2) = (((23^2)^2)^2)^2. Therefore:
  23^16 ≡ ((((-7)^2)^2)^2)^2 (mod 30)
        ≡ (((49)^2)^2)^2 (mod 30)
        ≡ (((-11)^2)^2)^2 (mod 30)
        ≡ ((121)^2)^2 (mod 30)
        ≡ ((1)^2)^2 (mod 30)
        ≡ (1)^2 (mod 30)
        ≡ 1 (mod 30)
Which implies that 23^16 mod 30 = 1, after four squarings instead of fifteen multiplications.
Q: How about 23^25 mod 30?

Fast Modular Exponentiation

A: The previous method of repeated squaring works for any exponent that is a power of 2. 25 isn't. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. From the previous calculation (23^4 ≡ 1 already, so every later squaring gives 1): 23^8 mod 30 = 23^16 mod 30 = 1. Thus:
  23^25 ≡ 23^(16+8+1) (mod 30)
        ≡ 23^16 · 23^8 · 23^1 (mod 30)
        ≡ 1 · 1 · 23 (mod 30)
Final answer: 23^25 mod 30 = 23.

Fast Modular Exponentiation

Q: How could we have figured out the decomposition 25 = 16 + 8 + 1 from the binary (unsigned) representation of 25?
A: 25 = (11001)_2. This means that 25 = 1·16 + 1·8 + 0·4 + 0·2 + 1·1 = 16 + 8 + 1. We can tell which powers of 2 appear by where the 1s are. This follows from the definition of binary representation.

Fast Modular Exponentiation Pseudocode

fastExponentiation(integer m, positive integers e, N)
  u_n u_(n-1) ... u_1 u_0 = representInBinary(e)     // u_0 is the least significant bit
  squarePower_0 = m mod N                            // m^(2^0) mod N
  for i = 0 to n-1
    squarePower_(i+1) = (squarePower_i)^2 mod N      // m^(2^(i+1)) = (m^(2^i))^2
  power = 1
  for i = 0 to n
    if u_i == 1
      power = power · squarePower_i mod N            // multiply in m^(2^i) exactly when bit i of e is set
  return power
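As an added example (not the slides' own code), here is the pseudocode above in Python, next to the slow "mod after each multiplication" method from the earlier slides, and a Montgomery-ladder variant. The ladder is included for a reason the slides do not cover: the `if u_i == 1` branch makes the number of multiplications, and so the running time, depend on the bits of the exponent, which in RSA decryption is the private key; a ladder performs the same operations for every bit. All three agree with Python's built-in `pow(m, e, N)`.

```python
# Added example (not the slides' own code): modular exponentiation the slow way, the slides'
# square-and-multiply way, and a ladder variant whose operation sequence does not depend on the bits.

def slow_mod_exp(m: int, e: int, n: int) -> int:
    """'Take the mod after each multiplication': e - 1 multiplications, never a huge intermediate."""
    if e == 0:
        return 1 % n
    result = m % n
    for _ in range(e - 1):
        result = (result * m) % n
    return result


def square_powers(m: int, e: int, n: int) -> list:
    """squarePower_i = m^(2^i) mod n for i = 0 .. (number of bits of e) - 1, by repeated squaring."""
    powers = [m % n]
    for _ in range(e.bit_length() - 1):
        powers.append(powers[-1] * powers[-1] % n)      # m^(2^(i+1)) = (m^(2^i))^2
    return powers


def fast_mod_exp(m: int, e: int, n: int) -> int:
    """The slides' fastExponentiation: multiply together the squarePower_i whose bit u_i of e is 1."""
    if n <= 0 or e < 0:
        raise ValueError("need N > 0 and e >= 0")
    bits = [(e >> i) & 1 for i in range(max(e.bit_length(), 1))]   # u_0 (least significant) first
    power = 1 % n
    for u_i, sp in zip(bits, square_powers(m, e, n)):
        if u_i:
            power = power * sp % n
    return power


def mod_exp_trace(m: int, e: int, n: int) -> list:
    """(2^i, m^(2^i) mod n) for the powers that actually get multiplied in: (1, 8, 16) for e = 25."""
    bits = [(e >> i) & 1 for i in range(max(e.bit_length(), 1))]
    return [(1 << i, sp) for i, (u_i, sp) in enumerate(zip(bits, square_powers(m, e, n))) if u_i]


def ladder_mod_exp(m: int, e: int, n: int) -> int:
    """Montgomery ladder: one squaring and one multiplication per bit whatever the bit's value,
    so the operation count does not leak e. (Python itself is not constant-time; constant-time
    code would also replace the branch by a masked swap of r0 and r1.)"""
    r0, r1 = 1 % n, m % n
    for bit in bin(e)[2:]:                       # most significant bit first
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
    return r0
```

`mod_exp_trace(23, 25, 30)` reproduces the slides' decomposition: the powers 23^1, 23^8 and 23^16 (values 23, 1, 1 mod 30) are the ones multiplied, because 25 = (11001)_2.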

Modular Inverses

Recall the simple encryption function f(a) = (3a + 9) mod 26. We made the claim that an inverse function is given by g(a) = (9a - 3) mod 26. Check this:
  g(f(a)) ≡ g(3a + 9) (mod 26)
          ≡ 9(3a + 9) - 3 (mod 26)
          ≡ 27a + 81 - 3 (mod 26)
          ≡ 27a + 78 (mod 26)
          ≡ a (mod 26)        (since 27 ≡ 1 and 78 = 3·26 ≡ 0)
So for a in the range [0, 25] we have g(f(a)) = a, and so g and f are inverses of each other.

Modular Inverses

How could one have inverted f methodically? Do a simpler example: f(a) = 3a mod 26. Look for a constant x and an inverse of the form g(a) = xa. Then the condition g(f(a)) ≡ a (mod 26) gives:
  g(f(a)) ≡ x·3a (mod 26) ≡ a (mod 26)
If we can solve this for a = 1, it will work for all other a as well. So plug in a = 1 to get:
  3x ≡ 1 (mod 26)
I.e., we wish to find an inverse of 3 modulo 26.

Modular Inverses

DEF: The inverse of e modulo N is the number d between 1 and N-1 such that d·e ≡ 1 (mod N), if such a number exists.
Q: What is the inverse of 3 modulo 26?
A: 9, because 9·3 = 27 ≡ 1 (mod 26).
Q: What is the inverse of 4 modulo 8?
A: Trick question! No inverse can exist because 4x is always 0 or 4 modulo 8!

THM1: e has an inverse modulo N if and only if e and N are relatively prime. This will follow from the following useful fact.
THM2: If a and b are positive integers, the gcd of a and b can be expressed as an integer combination of a and b. I.e., there are integers s, t for which gcd(a, b) = s·a + t·b.

Modular Inverses Example

5·14 - 3·23 = 1 implies gcd(14, 23) = 1: any number dividing both 14 and 23 must divide 1.

The inverse of 14 modulo 23 is 5: 5·14 = 1 + 3·23, so 5·14 ≡ 1 (mod 23).

An inverse of 23 modulo 14 is -3: -3·23 = 1 - 5·14, so -3·23 ≡ 1 (mod 14). Since -3 ≡ 11 (mod 14), also 11·23 ≡ 1 (mod 14), and the inverse in the range [1, 13] is 11.

Modular Inverses

Proof of THM1 using THM2: If an inverse d exists for e modulo N, we have d·e ≡ 1 (mod N), so that for some k, d·e = 1 + kN, so 1 = d·e - kN. This equation implies that any number dividing both e and N must divide 1, so must be 1, so e, N are relatively prime.

On the other hand, suppose that e, N are relatively prime. Using THM2, write 1 = s·e + t·N. Rewrite this as s·e = 1 - t·N. Evaluating both sides mod N gives s·e ≡ 1 (mod N). Therefore s is seemingly the inverse of e, except that it may be in the wrong range, so set d = s mod N.

Extended Euclidean Algorithm

A constructive version of THM2, one which actually produces s and t, gives explicit inverses. This is what the extended Euclidean algorithm does. The extended Euclidean algorithm works the same as the regular Euclidean algorithm except that we keep track of more details, namely the quotient q = ⌊x/y⌋ in addition to the remainder r = x mod y. This allows us to backtrack and write gcd(a, b) as a linear combination of a and b.

Extended Euclidean Algorithm Examples

gcd(33, 77):

  Step   x    y    x = q·y + r
  0      33   77   33 = 0·77 + 33
  1      77   33   77 = 2·33 + 11
  2      33   11   33 = 3·11 + 0
  3      11   0    (remainder 0, so gcd = 11)

Solve the last equation with a nonzero remainder for r, then plug in the equation above it (gcd = a·x + b·y at each level):
  11 = 77 - 2·33                        (step 1)
     = 77 - 2·(33 - 0·77)               (substituting step 0)
     = -2·33 + 1·77
Therefore s = -2 and t = 1.

Extended Euclidean Algorithm Examples

gcd(244, 117):

  Step   x     y     x = q·y + r
  0      244   117   244 = 2·117 + 10
  1      117   10    117 = 11·10 + 7
  2      10    7     10 = 1·7 + 3
  3      7     3     7 = 2·3 + 1
  4      3     1     3 = 3·1 + 0
  5      1     0     (remainder 0, so gcd = 1)

Solve for r and plug it in, working back up the table (gcd = a·x + b·y at each level):
  1 = 7 - 2·3                                        (step 3)
    = 7 - 2·(10 - 1·7) = -2·10 + 3·7                 (step 2)
    = -2·10 + 3·(117 - 11·10) = 3·117 - 35·10        (step 1)
    = 3·117 - 35·(244 - 2·117) = -35·244 + 73·117    (step 0)

Inverse of 244 modulo 117: from -35·244 + 73·117 = 1 we get -35·244 ≡ 1 (mod 117), so the inverse is -35 mod 117 = 82.

Extended Euclidean Algorithm

Summary: The extended Euclidean algorithm works by keeping track of how the remainder r results from dividing x by y. The last such equation with a nonzero remainder gives the gcd in terms of that row's x and y. By repeatedly substituting r into the equation from the row above, one gets the gcd in terms of bigger and bigger values of x, y, until the very top is reached, which gives the gcd in terms of the inputs a, b.
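As an added example (not the slides' own code) covering both the "Modular Inverses" slides and the extended Euclidean algorithm above: an iterative extended Euclid that carries the (s, t) coefficients forward row by row instead of back-substituting, a modular inverse built on it that returns None exactly when THM1 says no inverse exists, and the methodical inversion of the affine cipher f(a) = (3a + 9) mod 26. The function names are this example's own.

```python
# Added example (not the slides' own code): the extended Euclidean algorithm, modular inverses,
# and inverting the affine cipher f(a) = (k*a + b) mod 26 from the "Modular Inverses" slides.

def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b.
    Alongside each remainder r we carry the pair (s, t) expressing r as s*a + t*b; this is the
    slides' back-substitution done forwards, one row of their table per loop iteration."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r                      # quotient  q = floor(x / y)
        old_r, r = r, old_r - q * r         # remainder r = x mod y
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(e: int, n: int):
    """Inverse of e modulo n in [1, n-1], or None when gcd(e, n) != 1 (THM1)."""
    g, s, _ = extended_gcd(e, n)
    if g != 1:
        return None
    return s % n                            # s may be negative (e.g. -35 for 244 mod 117): reduce it


def invert_affine(k: int, b: int, n: int = 26):
    """For f(a) = (k*a + b) mod n return (k', b') with g(a) = (k'*a + b') mod n and g(f(a)) = a,
    or None if k is not invertible. Requirement: k'*k ≡ 1 and k'*b + b' ≡ 0 (mod n)."""
    k_inv = mod_inverse(k, n)
    if k_inv is None:
        return None
    return k_inv, (-k_inv * b) % n


def affine(k: int, b: int, a: int, n: int = 26) -> int:
    """f(a) = (k*a + b) mod n."""
    return (k * a + b) % n
```

For the slides' cipher, `invert_affine(3, 9)` returns (9, 23): the inverse 9 of 3 modulo 26, and b' = 23 ≡ -3 (mod 26), which is the g(a) = (9a - 3) mod 26 claimed on the slides.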

Exponential Inverses

Finding modular inverses is good enough for decoding simple modular cryptography. However, RSA encryption consists of exponentiating modulo N, i.e. computing m^e mod N. We want to find a different exponent d, based on e and N, which will give us back m, i.e. we want m^(de) mod N = m. In other words, we want an exponential inverse for e modulo N.

Exponential Inverses. Prime Moduli

To tackle the general problem, start first with the case of N a prime number. Exponentiation modulo a prime number is well understood. E.g., consider exponentiating 3 modulo 7:
   1. 3^1 mod 7 = 3       7. 3^7 mod 7 = 3
   2. 3^2 mod 7 = 2       8. 3^8 mod 7 = 2
   3. 3^3 mod 7 = 6       9. 3^9 mod 7 = 6
   4. 3^4 mod 7 = 4      10. 3^10 mod 7 = 4
   5. 3^5 mod 7 = 5      11. 3^11 mod 7 = 5
   6. 3^6 mod 7 = 1      12. 3^12 mod 7 = 1

Exponential Inverses. Prime Moduli

Exponentiating to the p-1 power results in 1. Therefore, any further exponentiation results in cycling, with repetitions occurring every 6 exponentiations. Fermat's Little Theorem says that this effect happens for every number relatively prime to a prime modulus.

Fermat's Little Theorem

THM (FLT): Suppose that p is a prime number. If a is not divisible by p then a^(p-1) ≡ 1 (mod p). Furthermore, all numbers satisfy a^p ≡ a (mod p).
E.g.: Compute 9^100 mod 17. p = 17, so p-1 = 16. 100 = 6·16 + 4. Therefore, 9^100 = 9^(6·16+4) = (9^16)^6 · 9^4. So mod 17 we have
  9^100 ≡ (9^16)^6 · 9^4 (mod 17)
        ≡ 1^6 · 9^4 (mod 17)
        ≡ (81)^2 (mod 17)
        ≡ (-4)^2 (mod 17)
        ≡ 16 (mod 17)

Exponential Inverses. Prime Moduli

COR: If e is relatively prime to p-1, where p is prime, then its exponential inverse modulo p exists: it is the inverse d of e modulo p-1.
Proof. Suppose d·e ≡ 1 (mod p-1). Then for some k, d·e = 1 + k(p-1). So if a is any number not divisible by p, FLT implies:
  a^(de) ≡ a^(1+k(p-1)) ≡ a · (a^(p-1))^k ≡ a · 1^k ≡ a (mod p)
(If a is divisible by p, both sides are 0 mod p.) In other words, exponentiating by de doesn't change numbers modulo p, so by definition d and e are exponential inverses.

Exponential Inverses. Prime Moduli

E.g.: Find the exponential inverse of 3 modulo 11. p = 11, so p-1 = 10. The inverse of 3 modulo 10 is 7 (3·7 = 21 ≡ 1 mod 10), which is the answer.

Exponential Inverses. Next Step

Q: Why don't we just use a prime number as our modulus N, since it's so easy to find the decryptor d?

A: Because it's so easy to find the decryptor d! Recall, this is a public-key cryptosystem. The key (N, e) is available to all customers. There is no way of restricting customers to the benevolent non-hackers. If a prime N were used, Mr. Snoop could simply shop once, analyze the communication stream to find out what N and e were, and decrypt other customers' communications by finding the inverse of e modulo N-1. RSA uses the next simplest case: N = pq, a product of two (different) primes.
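As an added example (not the slides' own code) for the prime-modulus slides: the cycle of powers of 3 mod 7, the exponent reduction behind 9^100 mod 17 = 16, the corollary's exponential inverse d = e^(-1) mod (p-1), and Snoop's point from the slide above, that with a prime modulus the public key alone yields d. Python's `pow(e, -1, m)` (3.8+) is used for the modular inverse; the function names are this example's own.

```python
# Added example (not the slides' own code): Fermat's Little Theorem at work, the exponential
# inverse modulo a prime, and why a prime modulus gives Snoop the private exponent for free.

def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes on these slides."""
    if n < 2:
        return False
    return all(n % k for k in range(2, int(n ** 0.5) + 1))


def power_cycle(a: int, p: int) -> list:
    """[a^1, a^2, ..., a^(p-1)] mod p. By FLT the last entry is 1 when p is prime and p does not divide a."""
    return [pow(a, k, p) for k in range(1, p)]


def fermat_holds(p: int) -> bool:
    """a^(p-1) ≡ 1 for all a in 1..p-1 and a^p ≡ a for all a in 0..p-1 (both parts of FLT)."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p)) and all(pow(a, p, p) == a for a in range(p))


def reduce_exponent_by_fermat(a: int, e: int, p: int) -> tuple:
    """a^e ≡ a^(e mod (p-1)) (mod p) for prime p not dividing a: returns (value, reduced exponent).
    This is the slides' 9^100 mod 17 = 9^4 mod 17 = 16 shortcut."""
    if not is_prime(p) or a % p == 0:
        raise ValueError("needs a prime p that does not divide a")
    r = e % (p - 1)
    return pow(a, r, p), r


def exp_inverse_mod_prime(e: int, p: int) -> int:
    """COR: the exponential inverse of e modulo prime p is d = e^-1 mod (p-1).
    pow(e, -1, p-1) raises ValueError when gcd(e, p-1) != 1, i.e. when no such d exists."""
    if not is_prime(p):
        raise ValueError("p must be prime")
    return pow(e, -1, p - 1)


def snoop_decrypts(p: int, e: int, cipher_blocks) -> list:
    """With a prime modulus, the public key (p, e) alone yields d: every customer's traffic is readable."""
    d = exp_inverse_mod_prime(e, p)
    return [pow(c, d, p) for c in cipher_blocks]
```

`exp_inverse_mod_prime(3, 11)` returns 7, the slides' answer, and `snoop_decrypts` shows that the same one-line computation is available to anyone who has seen the public key.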

Exponential Inverses. Next Step

If we know what p and q are, then we'll be able to find the exponential inverse. But that's a big "if": factoring large numbers is a surprisingly difficult problem. No one knows how to do this in polynomial time, except on theoretical quantum computers. (Conversely, anyone who learns d can use it to factor N, so d has to be kept as secret as p and q.)

Exponential Inverses. Product of Two Primes

However, FrogsRUs.com is the one coming up with N, so it knows what p and q are. FrogsRUs would like to make sure that it knows how to decrypt. So let's see how to do this. We need one more important number theory fact:

Chinese Remainder Theorem

Old folk tale: a Chinese emperor used to count his army by giving a series of tasks.
1. All troops should form groups of 3. Report back the number of soldiers that were not able to do this.
2. Now form groups of 5. Report back.
3. Now form groups of 7. Report back.
4. Etc.
At the end, if the product of all the group sizes is sufficiently large, one can ingeniously figure out how many troops there are.

Chinese Remainder Theorem

[Figure: the troops lined up in groups of 3, then 5, then 7; the soldiers left over are counted each time.]
  mod 3: N mod 3 = 1
  mod 5: N mod 5 = 2
  mod 7: N mod 7 = 2

Chinese Remainder Theorem

Secret inversion formula (for N < 105 = 3·5·7):
  N ≡ a (mod 3), N ≡ b (mod 5), N ≡ c (mod 7)
implies that N = (-35a + 21b + 15c) mod 105. So in our case a = 1, b = 2, c = 2 gives:
  N = (-35·1 + 21·2 + 15·2) mod 105 = (-35 + 42 + 30) mod 105 = 37 mod 105 = 37

Chinese Remainder Theorem

How did I come up with the secret formula? For any x, a, b, and c satisfying
  x ≡ a (mod 3), x ≡ b (mod 5), x ≡ c (mod 7)
the Chinese Remainder Theorem says that this is enough information to uniquely determine x modulo 3·5·7 = 105. The proof gives an algorithm for finding x, i.e. the secret formula.

Chinese Remainder Theorem Example

1. Find three numbers l, m, n with the following properties:
   l ≡ 1 (mod 3), l ≡ 0 (mod 5), l ≡ 0 (mod 7)
   m ≡ 0 (mod 3), m ≡ 1 (mod 5), m ≡ 0 (mod 7)
   n ≡ 0 (mod 3), n ≡ 0 (mod 5), n ≡ 1 (mod 7)
2. Then y = a·l + b·m + c·n [secret formula] satisfies
   y ≡ a·l + b·m + c·n ≡ a·1 + 0 + 0 ≡ a (mod 3)
   Similarly, y ≡ b (mod 5), and similarly y ≡ c (mod 7).
3. This will imply x ≡ y (mod 3·5·7).

Chinese Remainder Theorem Example

Find the three numbers l, m, n by a standard trick. E.g., to find l:
a) Multiply together all moduli different from 3. Result: 5·7 = 35.
b) Find an inverse of this number mod 3. In this case it's easy: 35 ≡ 2 (mod 3), so find an inverse of 2 [2, or anything congruent to 2 (mod 3)]. Practice shows that one should choose the inverse of smallest magnitude: -1.
c) l is the product of (a) and (b): l = -35.
l is 0 mod 5 and mod 7 since it's divisible by 5·7, but (c) guarantees that it's 1 modulo 3!

Chinese Remainder Theorem Example

Similarly, m = 21 and n = 15. So our solution to all three congruences is:
  x = -35a + 21b + 15c
If we want to guarantee a solution between 0 and 104, just compute x mod 105. The same tricks can be generalized to prove:

Chinese Remainder Theorem

THM (CRT): Let m_1, m_2, ..., m_n be pairwise relatively prime positive integers. Then there is a unique solution x in [0, m_1·m_2···m_n - 1] to the system of congruences:
  x ≡ a_1 (mod m_1)
  x ≡ a_2 (mod m_2)
  ...
  x ≡ a_n (mod m_n)

RSA Cryptosystem Final Piece

Now we can define how to find the exponential inverse modulo N = pq, and use CRT to prove the method correct.
THM: Given e and distinct prime numbers p, q, suppose that e is relatively prime to (p-1)(q-1). Then the exponential inverse of e modulo pq is the inverse of e modulo (p-1)(q-1). (The number (p-1)(q-1) is Euler's φ(N) for N = pq.)

RSA Cryptosystem Final Piece

E.g.: e = 5, p = 5, q = 7. Find the inverse of 5 modulo (5-1)(7-1) = 24. 5 is its own inverse, since 5·5 = 25 ≡ 1 (mod 24). So the theorem states that any number m should satisfy m^25 ≡ m (mod 35). Try for example m = 3, using the fact that 25 is 11001 in binary:
  1. 3^1 mod 35 = 3
  2. 3^2 mod 35 = 9
  3. 3^4 mod 35 = 11
  4. 3^8 mod 35 = 16
  5. 3^16 mod 35 = 11
  6. 3^25 mod 35 ≡ 3^(16+8+1) (mod 35) = 11·16·3 mod 35 = 176·3 mod 35 = 1·3 mod 35 = 3
RSA Cryptosystem Proof of Decryption

Proof. d is the inverse of e mod (p-1)(q-1), so we can find k such that d·e = 1 + k(p-1)(q-1). Does m^(de) equal m modulo N = pq?
  m^(de) ≡ m^(1+k(p-1)(q-1)) (mod pq)
         ≡ m^1 · m^(k(p-1)(q-1)) (mod pq)
         ≡ m · m^(k(p-1)(q-1)) (mod pq)

RSA Cryptosystem Proof of Decryption

m^(de) ≡ m · m^(k(p-1)(q-1)) (mod pq). So mod p:
  m^(de) ≡ m · (m^(p-1))^(k(q-1)) (mod p)
If m is relatively prime to p, apply FLT:
  m^(de) ≡ m · 1^(k(q-1)) ≡ m (mod p)
Otherwise, m ≡ 0 (mod p), so that m^(de) ≡ 0^(de) ≡ 0 ≡ m (mod p).
In either case m^(de) ≡ m (mod p). Similar argument: m^(de) ≡ m (mod q).

RSA Cryptosystem Proof of Decryption

So we have the system of congruences:
  m^(de) ≡ m (mod p)
  m^(de) ≡ m (mod q)
Setting x = m^(de), CRT states that x ≡ m (mod p), x ≡ m (mod q) has a unique solution (mod pq). But another apparent solution is x = m. Therefore:
  m^(de) ≡ m (mod pq)
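As an added example (not the slides' own code) serving both the Chinese Remainder Theorem slides and the "Final Piece" slides: the CRT construction as an algorithm (it reproduces the secret formula -35a + 21b + 15c and the answer 37), RSA key generation from p and q with d = e^(-1) mod (p-1)(q-1), decryption done modulo p and modulo q separately and recombined with CRT (which is how real implementations use the theorem), an exhaustive check of the decryption proof on the toy modulus 35 including the blocks divisible by p or q, and Snoop's only route to d, factoring N, which recovers d = 3397 for the slides' N = 4559 in an instant because 4559 = 47·97. Python's `pow(x, -1, m)` (3.8+) supplies the modular inverses; the function names are this example's own.

```python
# Added example (not the slides' own code): the Chinese Remainder Theorem as an algorithm, RSA key
# generation from p and q, CRT-based decryption as real implementations do it, and an exhaustive
# check of the decryption proof on the slides' toy modulus, including blocks divisible by p or q.
from math import gcd, prod


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes on these slides."""
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def crt_basis(moduli) -> list:
    """The slides' l, m, n: for each m_i, (product of the other moduli) * (its inverse mod m_i),
    with the inverse of smallest magnitude chosen as on the slides: [-35, 21, 15] for (3, 5, 7)."""
    M = prod(moduli)
    basis = []
    for m_i in moduli:
        others = M // m_i
        inv = pow(others, -1, m_i)            # raises ValueError if the moduli are not coprime
        if inv > m_i // 2:
            inv -= m_i
        basis.append(others * inv)
    return basis


def crt(residues, moduli) -> int:
    """Unique x in [0, M-1] with x ≡ a_i (mod m_i) for pairwise coprime moduli (THM CRT)."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("one residue per modulus, at least one modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    return sum(a * l for a, l in zip(residues, crt_basis(moduli))) % prod(moduli)


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """(N, d) with N = p*q and d = e^-1 mod (p-1)(q-1); e must be coprime to (p-1)(q-1)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return p * q, pow(e, -1, phi)


def decrypt_with_crt(c: int, d: int, p: int, q: int) -> int:
    """c^d mod pq computed mod p and mod q separately, exponents reduced by FLT, then recombined
    with CRT: the same m as pow(c, d, p*q) with far smaller intermediate work at real key sizes."""
    d_p = d % (p - 1) or (p - 1)             # keep exponent 0 away from c ≡ 0: 0^0 would give 1
    d_q = d % (q - 1) or (q - 1)
    m_p = pow(c % p, d_p, p)
    m_q = pow(c % q, d_q, q)
    return crt([m_p, m_q], [p, q])


def decryption_theorem_holds(p: int, q: int, e: int) -> bool:
    """m^(de) ≡ m (mod pq) for EVERY block m, including multiples of p or q (the proof's 'otherwise' case)."""
    n, d = rsa_keygen(p, q, e)
    return all(pow(m, d * e, n) == m for m in range(n))


def trial_factor(n: int):
    """Snoop's route to d: factor N. Instant for 4559 = 47 * 97, infeasible at real key sizes."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


def recover_d(n: int, e: int) -> int:
    """Given only the public key, factor N and redo the server's own computation of d."""
    p, q = trial_factor(n)
    return rsa_keygen(p, q, e)[1]
```

`crt([1, 2, 2], [3, 5, 7])` returns the emperor's 37, and `decrypt_with_crt(1443, 3397, 47, 97)` returns 2301, the first block of the slides' decryption, using only exponents of size 46 and 96 instead of 3397.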
