Cryptology T-79.5501
Lecture 8
Kaisa Nyberg
Department of Computer Science
Aalto University School of Science
25 February 2016
Lecture 8
The RSA Cryptosystem
Tools: Euclid’s Algorithm
Chinese Remainder Theorem
Euler’s Phi-function
Quadratic Residues and Square Roots
T-79.5501 Cryptology
Spring 2016
2/19
PART II: Public Key Cryptography
T-79.5501 Cryptology
Spring 2016
3/19
The RSA Cryptosystem
◮
A public-key cryptosystem presented by R. Rivest, A. Shamir
and L. Adleman in 1978.
◮
Let p and q be two distinct odd primes, and n = pq. Then
Φ(n) = (p − 1)(q − 1). Let P = C = Zn , and define
K = {(n, p, q, a, b) | ab ≡ 1 (mod φ(n))}.
For K = (n, p, q, a, b) ∈ K, x ∈ P and y ∈ C, define
◮
eK (x)
=
x b mod n, and
dK (y )
=
y a mod n.
The values n and b comprise the public key, and the values p, q
and a comprise the private key.
T-79.5501 Cryptology
Spring 2016
4/19
dK (eK (x)) = x
◮
Claim: (x b )a = x (mod n), for all x ∈ Zn .
◮
It suffices to show that (x b )a = x mod p, for all x ∈ Zn , for any p
that divides n such that gcd(p, n/p) = 1 (see CRT below).
◮
Since ab = 1 + k (p − 1) for some integer k , we obtain
(x b )a = x ab = x 1+k (p−1) = x(x p−1 )k = x
(mod p),
if x 6= 0 mod p. Clearly, the equality holds also for any x ≡ 0
(mod p).
T-79.5501 Cryptology
Spring 2016
5/19
RSA is Efficient
◮
Generate two large primes, p and q, such that p 6= q
◮
Calculate n = pq and φ(n) = (p − 1)(q − 1)
◮
Generate random b, 1 < b < φ(n), such that gcd(b, φ(n)) = 1
◮
Calculate a = b−1 mod φ(n)
◮
Note. Sometimes a is generated first, and then b is calculated as
its inverse modφ(n).
◮
Note. The encryption and decryption operations can be
computed efficiently using the Square and Multiply Algorithm.
◮
Note. The parameters can be generated efficiently. The next
topic is to present efficient tests for prime number generation.
T-79.5501 Cryptology
Spring 2016
6/19
Repetition, Textbook 5.2
◮
Prime decomposition of integer
◮
greatest common divisor
◮
Euclid’s algorithm for computing gcd(a, b)
◮
Extended Euclidean Algorithm
ri = si a + ti b
for computing rm = gcd(a, b) and s and t such that
gcd(a, b) = sa + tb
T-79.5501 Cryptology
Spring 2016
7/19
Chinese Remainder Theorem
Problem: Assume m1 and m2 are coprime. Given x1 and x2 , how to
find x, such that 0 ≤ x < m1 m2 and
x1
=
x mod m1
x2
=
x mod m2
Solution: Using the Extended Euclidean Algorithm find s and t such
that s · m1 + t · m2 = 1. Then
x
=
x · (s · m1 + t · m2 ) = x · s · m1 + x · t · m2
=
(x2 + k · m2 ) · s · m1 + (x1 + ℓ · m1 ) · t · m2 .
It follows that
x = x mod (m1 m2 ) = (x2 · s · m1 + x1 · t · m2 ) mod (m1 m2 )
T-79.5501 Cryptology
Spring 2016
8/19
Chinese Remainder Theorem (general case)
Theorem: Assume m1 , m2 , . . . , mt are mutually coprime. Denote
M = m1 m2 . . . mk . Given x1 , x2 , . . . , xk there exists a unique x,
0 ≤ x < M, such that
x1
=
x mod m1
x2
=
..
.
x mod m2
xk
=
x mod mk .
x can be computed as
x = (x1 u1 M1 + x2 u2 M2 + . . . + xk uk Mk ) mod M,
where Mi = (m1 m2 · · · mk )/mi and ui = Mi−1 mod mi .
Proof: For the case k = 2, see the previous page. The general case
was presented at the lecture, see also textbook.
T-79.5501 Cryptology
Spring 2016
9/19
The Chinese Remainder Theorem: Example
Let m1 = 7, m2 = 11, m3 = 13. Then M = 1001.
Problem: Compute x, 0 ≤ x ≤ 1000 such that
5
=
x mod 7
3
=
x mod 11
10 =
x mod 13.
Solution:
M1 = m2 m3 = 143; M2 = m1 m3 = 91; M3 = m1 m2 = 77.
u1 = M1−1 mod m1 = 143−1 mod 7 = 3−1 mod 7 = 5,
u2 = M2−1 mod m2 = 3−1 mod 11 = 4,
u3 = (−1)−1 mod 13 = −1.
Then x = (5 · 5 · 143 + 3 · 4 · 91 + 10 · (−1) · 77) mod 1001 = 894.
T-79.5501 Cryptology
Spring 2016
10/19
Euler’s Totient Function
Textbook, Section 1.1.3, Definition 1.3: Euler’s phi-function is defined
as follows.
Definition 1.3 (Stinson) Suppose a ≥ 1 and m ≥ 2 are integers. If
gcd(a, m) = 1 then we say that a and m are relatively prime. The
number of integers in Zm that are relatively prime to m is denoted by
φ(m).
We set φ(1) = 1. The function
m 7→ φ(m), m ≥ 1
is called the Euler’s phi-function, or Euler’s totient function. Clearly,
for m prime, we have φ(m) = m − 1. Further, we state the following
fact without proof, and leave the proof as an easy exercise.
Fact. If m is a prime power, say, m = pe , where p is prime and p > 1,
then φ(m) = m(1 − p1 ) = pe − pe−1 .
T-79.5501 Cryptology
Spring 2016
11/19
Multiplicative Property
Proposition. Suppose that m ≥ 1 and n ≥ 1 are integers such that
gcd(m, n) = 1. Then φ(m × n) = φ(m) × φ(n).
Proof. If m = 1 or n = 1, then the claim holds. Suppose now that
m > 1 and n > 1, and denote:
A =
B
C
=
=
{a | 1 ≤ a < m, gcd(a, m) = 1}
{b | 1 ≤ b < n, gcd(b, n) = 1}
{c | 1 ≤ c < m × n, gcd(c, m × n) = 1}.
Then we have that |A| = φ(m), |B| = φ(n), and |C| = φ(m × n). We
will show next that C has equally many elements as the set
A × B = {(a, b) | a ∈ A, b ∈ B}, from which the claim follows.
T-79.5501 Cryptology
Spring 2016
12/19
Proof, cont’d
Since gcd(m, n) = 1, we can use the Chinese Remainder Theorem,
by which the mapping
χ : Zmn → Zm × Zn , χ(x) = (x mod m, x mod n)
is bijective. Now we observe that A ⊂ Zm , B ⊂ Zn , and C ⊂ Zm×n .
Moreover, it holds that x ∈ C if and only if χ(x) ∈ A × B, which we
see by writing the following chain of equivalences:
gcd(x, m × n) = 1 ⇔
⇔
gcd(x, m) = 1 and gcd(x, n) = 1
gcd(x mod m, m) = 1 and gcd(x mod n, n) = 1.
T-79.5501 Cryptology
Spring 2016
13/19
Stinson, Theorem 1.2
The results are summerized in the following theorem
Theorem 1.2 Suppose m is a positive integer and
m=
k
Y
piei ,
i=1
where the integers pi are distinct primes and ei > 0, 1 ≤ i ≤ k . Then
φ(m) =
k
Y
(piei − piei −1 ).
i=1
Example.
φ(18) = φ(2 · 32 ) = φ(2)φ(32 ) = (2 − 1)(3 − 1)31 = 6.
this means that the number of invertible integers modulo 18 is six.
They are 1, 5, 7, 111,13, 17.
T-79.5501 Cryptology
Spring 2016
14/19
Quadratic Residues and Euler’s Criterion
◮
Definition: (Quadratic Residue mod odd integer) Suppose that
n is an odd integer and x is an integer, 1 ≤ x ≤ n − 1. If there is
y ∈ Zn such that y 2 ≡ x (mod n) the x is called a quadratic
residue modn. Otherwise x is called a quadratic non-residue
modn.
◮
Theorem (Euler’s criterion) Let p be an odd prime. Then x is a
quadratic residue modp if and only if
x
◮
p−1
2
≡ 1 (mod p).
Proof. Assume first that x is a quadratic residue. Let y be such
p−1
that y 2 mod p = x. Then x 2 = y p−1 ≡ 1 (mod p), by Fermat’s
theorem. Assume next that x satisfies Euler’s criterion. Let α be
a primitive element and k be such that αk mod p = x. It then
p−1
follows that αk 2 mod p = 1, which is possible only if
t
k p−1
2 = t(p − 1) for some integer t ≥ 1. So k = 2t. Then y = α
is a square root of x.
T-79.5501 Cryptology
Spring 2016
15/19
Square Roots
◮
A quadratic residue x, 1 ≤ x ≤ p − 1, has exactly two square
roots modulo p.
Proof. Let a and b be two square roots of x mod p. Then
a2 mod p = x = b2 mod p
from where we obtain that p divides a2 − b2 = (a − b)(a + b).
Since p is prime, this is possible only if p divides a − b or a + b.
Thus either a ≡ b (mod p) or a ≡ −b (mod n).
◮
The square roots of 1 modulo p are ±1, that is, 1 and p − 1.
◮
If n is a composite number, then a quadratic residue has more
than two square roots. In particular, x = 1 has non-trivial square
roots different from ±1.
T-79.5501 Cryptology
Spring 2016
16/19
Computing Square Roots Modulo Prime
◮
Suppose p is an odd prime and x is a quadratic residue modulo
p. Then x has exactly two square roots. If b is one square root,
then p − b is the second square root of x.
◮
Suppose p ≡ 3 (mod 4). Then
b=x
p+1
4
is a square root of x, since then
b2 = x
p+1
2
=x ·x
mod p
p+1
4
p−1
2
is an integer and
=x
(mod p)
by Euler’s criterion.
◮
For p ≡ 1 (mod 4) no such efficient deterministic algorithm is
known.
T-79.5501 Cryptology
Spring 2016
17/19
Square Roots Modulo A Composite Integer
◮
Let n = pq, where p and q are distinct primes.
◮
Let x, 1 ≤ x ≤ n − 1, be a quadratic residue modulo n.
◮
Then x is also quadratic residue mod p, and there is bp ,
0 ≤ bp ≤ p − 1, such that bp2 ≡ x (mod p). Similarly, there is bq ,
0 ≤ bq ≤ q − 1, such that bq2 ≡ x (mod q).
◮
Using the CRT we can find b, 1 ≤ b ≤ n, such that b ≡ bp
(mod p) and b ≡ bq (mod q). Then b2 ≡ x (mod n).
◮
If x 6= 0 (mod p) and x 6= 0 (mod q) it has two square roots of
modp and two square roots modq. Hence x has four square
roots modn.
◮
Let ±1, ±w be the four square roots of 1 modn. If b is one
square root of x modn, then the four square roots of x are ±b,
±wb.
T-79.5501 Cryptology
Spring 2016
18/19
Square Roots Example
Example. Find the square roots of 1 modulo
n = 402038951687077 = 20051107 · 20050711,
where the factors are primes. To find one non-trivial square root, we
use the CRT to compute b such that
b
≡
1 (mod 20051107)
b
≡
−1 (mod 20050711)
We get 20050711−1 mod 20051107 = 8860969 and
20051107−1 mod 20050711 = 19163917. Using CRT we get
b
=
1 · 8860969 · 20050711 + (−1) · 19163917 · 20051107
=
46701494489160.
The second nontrivial square root of 1 is −b = 355337457197917.
T-79.5501 Cryptology
Spring 2016
19/19