Modular Exponentiation

We next give an algorithm based on repeated squaring to compute `a^b mod n` where `a` and `b` are nonnegative integers and `n>0`.
We assume the number are written in binary and we use a subscript to denote the `i`th bit of a number. For example, `b_i` for the `i`th bit of `b`.

Modular-Exponentiation(a, b, n)
1 d=1, k = length of b //k is high order bit
2 for i = k down to 0:
3     d = ( d * d ) mod n
4     if b_i = 1:
5          d = (d * a) mod n
6 return d

Public Key Cryptosystems

We now apply what we've learned to public key cryptography.
In public key cryptography, we have two participants Alice and Bob (i.e., A and B) who want to exchange messages securely.
Each has a public key `P_A`, `P_B` which they let everyone know.
They also each have a private key `S_A`, `S_B` which only they know.
Each of these keys is a permutation in some space of strings and the public keys are inverses of the private keys. That is, `M = P_A(S_A(M)) = S_A(P_A(M))`. Here `M` is the message.
If Alice wants to send Bob a message `M`. She computes some hash function of `M`, `h(M)` and signs this with her private key to make `S_A(h(M))`. She concatenates this to `M` to make `langle M, S_A(h(M)) rangle`. Then she sends `P_B(langle M, S_A(h(M)) rangle)` to Bob.
To decode, Bob applies his private key to get `S_B(P_B( langle M, S_A(h(M)) rangle)) = langle M, S_A(h(M)) rangle`.
To check this is from Alice, he applies her public key to the end `P_A(S_A(h(M))) = h(M)` then he computes the hash of the message received and verifies it equal `h(M)`.

RSA

RSA (Rivest, Shamir, and Adleman 1977) is a particular public key cryptoscheme.
It creates public keys and private keys as follows:
1. Select two large prime numbers `p` and `q` such that `p ne q`. (For instance, the primes might be 512 bits each.)
2. Compute `n = pq`.
3. Select a small odd integer e that is relatively prime to `phi(n) = (p-1)(q-1)`.
4. Compute the multiplicative inverse `d` of `e mod phi(n)`.
5. Publish the pair `P = (e, n)` as the RSA public key.
6. Keep secret the pair `S= (d, n)` as the RSA secret key.
To apply a key to a message `0 le M< n`, we compute either `P(M) = M^e mod n` or `S(C) = C^d mod n`. Here `C` is suppose to mean ciphertext.

Correctness of RSA

Theorem. The RSA functions `P` and `S` on the last slides define inverse transformations.

Proof. `P(S(M)) = S(P(M))= M^(ed) mod n`. Since `e` and `d` are multiplicative inverses modulo `phi(n) = (p-1)(q-1)`, `ed = 1+k(p-1)(q-1)` for some `k`. If `M equiv 0 mod n`, then `M^(ed) equiv 0 mod n` so we are done. If `M` is not congruent to `0 mod p`, we have
`M^(ed) equiv M(M^(p-1))^(k(q-1)) mod p`
`equiv M(1)^(k(q-1)) mod p`
`equiv M mod p`
and a similar result holds `mod q`. By the Chinese Remainder Theorem, this implies `M^(ed) equiv M (mod n)`.

Quiz

Which of the following is true?

For any finite group `(S, o+)` and any `a in S`, `o\r\d(a) = |langle a rangle|/2`.
The equation `ax equiv b (mod n)` either has `d` distinct solutions modulo `n`, where `d = gcd(a,n)`, or it has no solutions.
Given any `b,a in ZZ_n^star`, the equation `b^x equiv a mod n` has a solution `x`, where `0 le x < n`.

Testing for Primes

One key component of RSA is to use large primes chosen at random.
It turns out that primes are not too rare since it is known that `pi(n)` = the number of primes less than `n` grows as `n/(log n)`.
However, we still need a way to check if a odd number is prime.
One brute force approach is to try to divide each number up to `sqrt(n)`. This is exponential in the number of bits of `n`.
Recall if `n` is prime then `a^(n-1) equiv 1 mod n`.
A number `n` is pseudo-prime for `a`, if it is composite but `a^(n-1) equiv 1 mod n`.
It turns out pseudo-primes are rare, so we could almost check for primality by checking this equation for different values for `a`.
Unfortunately, there are even rarer numbers called Carmichael numbers which are composite, but such that this equation holds for all nonzero `a`. Carmichael numbers are rare since one can show they needs to be a product of at least three distinct prime number.
For example, `561 = 3 cdot 11 cdot 17` is a Carmichael Number. One can check for each nonzero `a` that `a^(560) equiv 1 mod 561` (probably want to do using a program).

Miller Rabin Primality Testing

Idea:
1. Try several randomly chosen values for `a`.
2. While computing each modular exponentiation we check, if we ever see a nontrivial square root of `1 mod n`. If so, we know for sure the number is composite.

The Non-Trivial Square root testing is done by the following routine:

Witness(a,n)
1 let n - 1 = 2^t*u, where t >= 1 and u is odd
2 x_0 = Modular-Exponentiation(a, u, n)
3 for i = 1 to t:
4     x_i = (x_(i-1))^2 mod n
5     if x_i = 1 and x_(i-1) != 1 and x_(i-1) = != n-1:
6         return true
7 if x_t != 1: 
8     return true
9 return false

Miller Rabin continued

Miller-Rabin(n, s)
1 for j = 1 to s
2    a = Random(1, n - 1)
3    if Witness(a, n):
4        return "Composite"
5 return "Prime"

Error Rate

If Miller-Rabin says composite, we know the number is composite.
If it says prime, there is some error rate given by the next theorem:

Theorem. If `n` is composite, then the number of witnesses to compositeness is at least `(n-1)/2`.

Proof. We show the number of non-witnesses is at most `(n-1)/2`. First, any non-witness must be in `ZZ_n^(star)` as it must satisfy `a^(n-1) equiv 1 mod n`, i.e., `a cdot a^(n-2) equiv 1 mod n`; thus, it has an inverse. So we know `gcd(a,n) | 1` and hence `gcd(a, n) = 1`. Next we show that all non-witnesses are contained in a proper subgroup of `ZZ_n^(star)`. This implies the Theorem. There two cases to consider:

There is an `x` such that `x^(n-1) ne 1 mod n`. Then we show all the `b` such that `b^(n-1) equiv 1 mod n` form a group and we're done.
The number `n` is Carmichael number, so `x^(n-1) equiv 1 mod n` for all `x in ZZ_n^(star)`. We'll describe this case next day.

Prime Checking, RSA

Outline