Outline
- RSA
- Quiz
- Tests for Primes
Introduction
- Last week, we learned some of the number theory needed to understand how the RSA public key crypto-system works.
- So far we've shown that if `a, b` are `n`-digit numbers, the extended Euclidean algorithm uses `O(n)` arithmetic operations to find `d, x, y` such that
`d = gcd(a,b) = ax + by`.
- We've learned that the modular equation `ax equiv b mod n` has exactly `d = gcd(a,n)` solutions modulo `n` if `d | b`, and no solutions otherwise.
- We've given an algorithm to find these solutions if they exist.
- We've proven the Chinese Remainder Theorem, which gives us a method to go from a sequence of modular constraints `a equiv b_i mod n_i` for `i=1,...,m`, to
an `a mod n_1 cdot n_2 cdots n_m` which satisfies all of these constraints.
- We've given a condition for `ZZ_n^star` to be cyclic: `n` must be of the form `2`, `4`, `p^e`, or `2p^e` for an odd prime `p` and some `e in NN` (Theorem #). When `ZZ_n^star` is cyclic we called a generator `g` a primitive root. For such a generator, the equation `g^x equiv a mod n` has a solution `x = ind_(n,g)(a)`, called the discrete logarithm (or index) of `a mod n` to the base `g`.
- Finally, we showed for such primitive roots that: `g^x equiv g^y (mod n)` holds if and only if the equation `x equiv y mod phi(n)` holds (Theorem ##).
- We next talk about the last ingredient we need for RSA: square roots mod some number.
Square Roots
Theorem. If `p` is an odd prime and `e ge 1`, then the equation `x^2 equiv 1 (mod p^e)`
has only two solutions, `x = 1` and `x = -1`.
Proof. Let `n = p^e`. Theorem (#) implies `ZZ_n^star` has a generator `g`. Writing `x = g^(ind(x))`, the equation becomes `g^(2 cdot ind(x)) equiv g^(ind(1)) mod n`. Since `ind(1) = 0`, Theorem (##) says this is equivalent to the modular linear equation `2 cdot ind(x) equiv 0 mod phi(n)`, which we know how to solve. Here `phi(n) = p^e(1 - 1/p) = (p-1)p^(e-1)`, and `d = gcd(2, phi(n)) = 2`, because `p` is odd so `2 | p-1`. Since `d | 0`, the equation has exactly `d = 2` solutions for `ind(x)` modulo `phi(n)`, hence exactly two solutions `x`; by inspection (or by running our algorithm) these are `1` and `-1`.
- A number `x` is a nontrivial square root of `1 mod n` if `x^2 equiv 1 mod n` but `x` is not congruent to `+-1 mod n`.
For example, `6` is a nontrivial square root of `1 mod 35`, since `6^2 = 36 equiv 1 mod 35`.
Corollary. If there exists a nontrivial square root of `1` modulo `n`, then `n` is composite.
Proof. If `n` were prime, the theorem above (with `e = 1`) would say the only square roots of `1 mod n` are `+-1`.
Public Key Cryptosystems
- We now apply what we've learned to public key cryptography.
- In public key cryptography, we have two participants, Alice and Bob (A
and B), who want to exchange messages securely.
- Each has a public key, `P_A` and `P_B` respectively, which they let everyone know.
- They also each have a private key, `S_A` and `S_B`, which only they know.
- Each key is a permutation of some space of strings, and each public key is the
inverse of the corresponding private key. That is, `M = P_A(S_A(M)) = S_A(P_A(M))`
for every message `M`.
- Suppose Alice wants to send Bob a message `M`. She computes a hash of
`M`, `h(M)`, and signs it with her private key to get `S_A(h(M))`. She
appends this to `M` to form `langle M, S_A(h(M)) rangle`, and then
sends `P_B(langle M, S_A(h(M)) rangle)` to Bob.
- To decode, Bob applies his private key to get
`S_B(P_B( langle M, S_A(h(M)) rangle)) = langle M, S_A(h(M)) rangle`.
- To check this is from Alice, he applies her public key to the second component,
`P_A(S_A(h(M))) = h(M)`, then computes the hash of the message he received
and verifies that it equals `h(M)`.
RSA
- RSA (Rivest, Shamir, and Adleman 1977) is a particular public key cryptoscheme.
- It creates public keys and private keys as follows:
- Select two large prime numbers `p` and `q` such that `p ne q`.
(In the original proposal the primes were about 512 bits each; current practice is at least 1024 bits each, giving a 2048-bit `n`.)
- Compute `n = pq`.
- Select a small odd integer `e` that is relatively
prime to `phi(n) = (p-1)(q-1)`. (`e = 65537 = 2^16 + 1` is the usual choice.)
- Compute the multiplicative inverse `d` of `e mod phi(n)`.
- Publish the pair `P = (e, n)` as the RSA public key.
- Keep secret the pair `S = (d, n)` as the RSA secret key. (`p`, `q` and `phi(n)` must be kept secret too, since any one of them lets an attacker compute `d`.)
- To apply a key to a message `0 le M < n`, we compute
either `P(M) = M^e mod n` or `S(C) = C^d mod n`. Here `C` stands for ciphertext.
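As an added example (not code from the notes), here is the scheme above in Python: the extended Euclidean algorithm from last week computes `d`, and the hash, sign, then encrypt exchange of the previous slides is carried out between Alice and Bob. The primes are fixed Mersenne primes (`2^607-1`, `2^521-1`, `2^1279-1`, `2^2203-1`), an assumption made only so the block runs without a prime generator; a real key uses two random, secret primes of equal size, and a real signature applies a padding scheme such as PSS rather than signing the bare digest.

```python
import hashlib


def egcd(a, b):
    """Extended Euclid, iterative: returns (d, x, y) with d = gcd(a, b) = a*x + b*y.
    Iterative so that 1000-bit inputs do not hit Python's recursion limit."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, m):
    """Solve e*d = 1 (mod m); an inverse exists iff gcd(e, m) = 1."""
    d, x, _ = egcd(e, m)
    if d != 1:
        raise ValueError("e is not invertible modulo m")
    return x % m


def rsa_keygen(p, q, e=65537):
    """Public key P = (e, n) and secret key S = (d, n) from distinct primes p, q."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)          # raises if gcd(e, phi) != 1
    return (e, n), (d, n)


def apply_key(key, m):
    """P(M) = M^e mod n and S(C) = C^d mod n are the same operation."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, exp, n)


def h(message: bytes) -> int:
    """Hash the message to an integer below 2^256 (must also be below n to sign)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def alice_sends(message: bytes, S_A, P_B):
    """Alice: sign h(M) with S_A, then encrypt <M, S_A(h(M))> under P_B.
    The two fields are encrypted separately so that each stays below n_B."""
    m = int.from_bytes(message, "big")
    sig = apply_key(S_A, h(message))
    return apply_key(P_B, m), apply_key(P_B, sig)


def bob_receives(ciphertext, S_B, P_A):
    """Bob: decrypt both fields with S_B, then check P_A(sig) == h(M)."""
    c_m, c_sig = ciphertext
    m = apply_key(S_B, c_m)
    sig = apply_key(S_B, c_sig)
    # Leading zero bytes of M are not preserved by this encoding (toy limitation).
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return message, apply_key(P_A, sig) == h(message)


def demo(message=b"meet at noon"):
    # Assumption for illustration: known Mersenne primes instead of random ones.
    P_A, S_A = rsa_keygen(2**607 - 1, 2**521 - 1)      # Alice, n_A ~ 2^1128
    P_B, S_B = rsa_keygen(2**1279 - 1, 2**2203 - 1)    # Bob, n_B ~ 2^3482 > n_A
    packet = alice_sends(message, S_A, P_B)
    recovered, ok = bob_receives(packet, S_B, P_A)
    # Constructed tampering: replace the encrypted signature with a bogus one.
    forged = (packet[0], apply_key(P_B, 12345))
    _, ok_forged = bob_receives(forged, S_B, P_A)
    return recovered, ok, ok_forged


if __name__ == "__main__":
    print(demo())   # (b'meet at noon', True, False)
```

Bob's modulus is taken larger than Alice's so that the signature `S_A(h(M))`, which can be as large as `n_A - 1`, still satisfies `0 le M < n_B` when encrypted under `P_B`; the concatenated message in the notes has the same constraint. The small classroom key `p = 61`, `q = 53`, `e = 17` gives `n = 3233`, `d = 2753` and encrypts `65` to `2790`, which is a handy check when modifying the code.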
Correctness of RSA
Theorem. The RSA functions `P` and `S` on the last slides define inverse transformations.
Proof. `P(S(M)) = S(P(M)) = M^(ed) mod n`. Since `e` and `d` are multiplicative
inverses modulo `phi(n) = (p-1)(q-1)`, `ed = 1 + k(p-1)(q-1)`
for some integer `k ge 0`. We first show `M^(ed) equiv M mod p`. If `M equiv 0 mod p`, both sides are `0 mod p`.
Otherwise Fermat's little theorem gives `M^(p-1) equiv 1 mod p`, so
`M^(ed) equiv M(M^(p-1))^(k(q-1)) mod p`
`equiv M cdot 1^(k(q-1)) mod p`
`equiv M mod p`.
The same argument gives `M^(ed) equiv M mod q`. Since `p ne q`, the Chinese Remainder Theorem
implies `M^(ed) equiv M (mod n)`.
Quiz
Which of the following statements is true?
- `ZZ_7^star` has a subgroup of size 4.
- `18x equiv 9 mod 81` has no solutions.
- There exists a number `a mod 105` such that `a equiv 2 mod 3`, `a equiv 4 mod 5`, `a equiv 6 mod 7`.
Testing for Primes
- One key component of RSA is the use of large primes chosen at random.
- It turns out that primes are not too rare: the prime number theorem says that `pi(n)`, the number of primes less than `n`, grows like `n/(ln n)`, so a random number of size `n` is prime with probability about `1/(ln n)`.
- However, we still need a way to check whether a given odd number is prime.
- One brute force approach is trial division: divide `n` by each number up to `sqrt(n)`.
This takes time exponential in the number of bits of `n`.
- Recall that if `n` is prime then `a^(n-1) equiv 1 mod n` for every `a` with `1 le a le n-1` (Fermat's little theorem).
- A composite `n` is a (base-`a`) pseudoprime if nevertheless `a^(n-1) equiv 1 mod n`. For example, `341 = 11 cdot 31` is a base-2 pseudoprime.
- It turns out pseudoprimes are rare, so we could almost test primality by checking
this equation for a few different values of `a`.
- Unfortunately, there are (even rarer) numbers called Carmichael numbers for which this test fails for every usable base.
- These are defined as composite numbers `n` such that `a^(n-1) equiv 1 mod n` holds for all `a` relatively prime to `n`.
- Carmichael numbers are rare since one can show they
must be odd, square-free, and a product of at least three distinct primes.
- For example, `561 = 3 cdot 11 cdot 17` is a Carmichael number. One can check for each
`a` relatively prime to `561` that `a^560 equiv 1 mod 561` (best done with a program).
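Added example (not from the notes): the Fermat check `a^(n-1) equiv 1 mod n`, a search for the base-`a` pseudoprimes that fool it, and a check of the Carmichael property taken straight from the definition. Trial division serves as the reference primality test, and the `bound` arguments are small so the searches finish in well under a second.

```python
from math import gcd


def is_prime_trial(n):
    """Reference test: trial division up to sqrt(n). Exponential in the bit length of n."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def fermat_passes(a, n):
    """The one-sided check a^(n-1) = 1 (mod n).
    True whenever n is prime and gcd(a, n) = 1; may also be true for composite n."""
    return pow(a, n - 1, n) == 1


def pseudoprimes(a, bound):
    """Composite n < bound that pass the Fermat check for base a (base-a pseudoprimes)."""
    return [n for n in range(2, bound) if not is_prime_trial(n) and fermat_passes(a, n)]


def is_carmichael(n):
    """Composite n with a^(n-1) = 1 (mod n) for every a relatively prime to n,
    checked directly from the definition. all() stops at the first failing base,
    so ordinary composites are rejected almost immediately."""
    if n < 2 or is_prime_trial(n):
        return False
    return all(fermat_passes(a, n) for a in range(1, n) if gcd(a, n) == 1)


def carmichael_numbers(bound):
    return [n for n in range(2, bound) if is_carmichael(n)]


if __name__ == "__main__":
    print(pseudoprimes(2, 1000))        # [341, 561, 645]
    print(carmichael_numbers(3000))     # [561, 1105, 1729, 2465, 2821]
    print(fermat_passes(3, 561))        # False: gcd(3, 561) = 3, so 3 is not a usable base
```

Every base-2 pseudoprime is either a Carmichael number or a composite that some other base would expose; the Carmichael numbers are exactly the composites no coprime base exposes, which is why a test built only on Fermat's little theorem cannot be made reliable by adding more bases.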
Miller Rabin Primality Testing
- Idea:
- Try several randomly chosen values for `a`.
- While computing each modular exponentiation we check,
if we ever see a nontrivial square root of `1 mod n`.
If so, we know for sure the number is composite.
- The nontrivial-square-root test is done by the following routine (`n` odd, `1 le a le n-1`). It computes `a^(n-1) mod n` by first computing `a^u` and then squaring `t` times, and watches whether any squaring step maps a value other than `+-1` to `1`; by the Corollary above, such a value proves `n` composite.
Witness(a, n)
    let n - 1 = 2^t * u, where t >= 1 and u is odd
    x_0 = Modular-Exponentiation(a, u, n)
    for i = 1 to t:
        x_i = (x_(i-1))^2 mod n
        if x_i = 1 and x_(i-1) != 1 and x_(i-1) != n-1:
            return true      // x_(i-1) is a nontrivial square root of 1 mod n
    if x_t != 1:
        return true          // x_t = a^(n-1) != 1 mod n, so n fails Fermat's test
    return false             // a is a non-witness; n may be prime
Miller Rabin continued
Miller-Rabin(n, s)
    for j = 1 to s:
        a = Random(1, n - 1)
        if Witness(a, n):
            return "Composite"
    return "Prime"
Efficiently Computing Powers Mod n
- The primality algorithm relies on being able to compute `a^x mod n` in time polynomial in the bit lengths `|a|`, `|x|`, `|n|`.
- We can do this with the recursion below. Each call halves `x`, so there are `O(|x|)` calls, each doing at most two multiplications mod `n`:
Exp-Mod(a, x, n)
    if x = 0 return 1
    c := (Exp-Mod(a, floor(x/2), n))^2 mod n
    if x is even return c
    else return a * c mod n
- As an example, let's see step by step how to compute `3^560 mod 561`:
Exp-Mod(3, 560, 561)
= (Exp-Mod(3, 280, 561))^2 mod 561
= ((Exp-Mod(3, 140, 561))^2 mod 561)^2 mod 561
= (((Exp-Mod(3, 70, 561))^2 mod 561)^2 mod 561)^2 mod 561
= ((((Exp-Mod(3, 35, 561))^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
Let c = Exp-Mod(3, 35, 561). Then
c = 3 * (Exp-Mod(3, 17, 561))^2 mod 561
  = 3 * (3 * (Exp-Mod(3, 8, 561))^2 mod 561)^2 mod 561
... to save writing we note Exp-Mod(3, 8, 561) = 3^4 * 3^4 = 81 * 81 = 6561 = 390 mod 561
  = 3 * (3 * 390^2 mod 561)^2 mod 561
  = 3 * 207^2 mod 561
  = 78 mod 561.
Plugging in for c in the above
= ((((c)^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
= (((474)^2 mod 561)^2 mod 561)^2 mod 561
= ((276)^2 mod 561)^2 mod 561
= 441^2 mod 561
= 375 mod 561.
- Notice this isn't `1`, even though `561` is a Carmichael number. That is consistent: the Carmichael property only covers bases relatively prime to `561`, and `gcd(3, 561) = 3 ne 1`.
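Added example (not from the notes): the slide's Exp-Mod in Python with its base case, a tracing variant that returns every intermediate value so the hand computation above can be checked line by line, and the iterative square-and-multiply form. The recursive version's depth equals the bit length of `x`, so exponents of more than about a thousand bits (an RSA `d`) hit Python's default recursion limit; the iterative form does not.

```python
def exp_mod(a, x, n):
    """a^x mod n by repeated squaring, as on the slide; recursion depth = bit length of x."""
    if x == 0:
        return 1 % n                      # base case the recursion bottoms out on
    c = exp_mod(a, x // 2, n) ** 2 % n    # square the half-exponent result
    return c if x % 2 == 0 else a * c % n # odd x: one extra multiply by a


def exp_mod_trace(a, x, n):
    """Same computation, returning [(exponent, a^exponent mod n), ...] from the
    innermost call outward, one entry per line of the hand computation."""
    steps = []

    def rec(x):
        if x == 0:
            steps.append((0, 1 % n))
            return 1 % n
        c = rec(x // 2) ** 2 % n
        r = c if x % 2 == 0 else a * c % n
        steps.append((x, r))
        return r

    rec(x)
    return steps


def exp_mod_iter(a, x, n):
    """Iterative square-and-multiply scanning the bits of x from the top.
    Same values as exp_mod, with no recursion, so x may have thousands of bits."""
    result = 1 % n
    for bit in bin(x)[2:]:
        result = result * result % n
        if bit == "1":
            result = result * a % n
    return result


if __name__ == "__main__":
    for exponent, value in exp_mod_trace(3, 560, 561):
        print(f"3^{exponent} mod 561 = {value}")   # ends with 3^560 mod 561 = 375
```

Neither version is constant-time: the extra multiplication on a `1` bit makes the running time depend on the exponent, which in RSA is the secret `d`, so production implementations use a constant-time exponentiation ladder instead.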
Error Rate
- If Miller-Rabin says composite, we know the number is composite (a witness is a proof).
- If it says prime, there is some error rate, bounded by the next theorem: each round catches a composite with probability at least `1/2`, so `s` rounds declare a composite "Prime" with probability at most `2^(-s)`.
Theorem. If `n` is an odd composite number, then the number of witnesses to its
compositeness among `1, ..., n-1` is at least `(n-1)/2`.
Proof. We show the number of non-witnesses is at most `(n-1)/2`. First,
any non-witness `a` must satisfy `a^(n-1) equiv 1 mod n`,
i.e., `a cdot a^(n-2) equiv 1 mod n`; thus it has an inverse, so
`gcd(a,n) | 1`, hence `gcd(a, n) = 1` and `a in ZZ_n^star`. Next we show that all
non-witnesses are contained in a proper subgroup of `ZZ_n^star`. By Lagrange's theorem a proper subgroup has at most `|ZZ_n^star|/2 le (n-1)/2` elements, which implies the Theorem.
There are two cases to consider:
- There is an `x in ZZ_n^star` such that `x^(n-1)` is not congruent to `1 mod n`. In this case, the set of all `b in ZZ_n^star` with
`b^(n-1) equiv 1 mod n` forms a group. To see this, note that `1` is in this set. If `b` is in it, then so is its inverse `b^(-1) = b^(n-2)` (as `b cdot b^(n-2) equiv 1 mod n`), because
`(b^(n-2))^(n-1) equiv b^((n-2)(n-1)) equiv (b^(n-1))^(n-2) equiv 1^(n-2) equiv 1 mod n`.
Finally, given `b`, `c` in the set,
`(b cdot c)^(n-1) equiv (b^(n-1)) (c^(n-1)) equiv 1 cdot 1 equiv 1 mod n`,
so the set is closed under multiplication and is a group. Every non-witness lies in it, and since it does not contain `x`, it is a proper subgroup of `ZZ_n^star`.
- The number `n` is a Carmichael number, i.e., `x^(n-1) equiv 1 mod n` for all `x in ZZ_n^star` (all `x` with `gcd(x, n) = 1`). We handle this case next.
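Added example (not from the notes), serving both the Witness and Miller-Rabin pseudocode on the earlier slides and the theorem above. Witness is written to also return the nontrivial square root of `1` it finds, so the reason for a "Composite" verdict is visible; `random_prime` is the RSA key-generation step the test exists for; and `non_witnesses` counts the non-witnesses of a small `n` by brute force so the `(n-1)/2` bound can be checked directly. Python's built-in `pow(a, x, n)` plays the role of Modular-Exponentiation.

```python
import random


def witness(a, n):
    """Return (True, root) if a proves the odd number n composite. root is the
    nontrivial square root of 1 mod n that was found, or None when the proof is
    simply a^(n-1) != 1 (mod n). Returns (False, None) for a non-witness."""
    t, u = 0, n - 1
    while u % 2 == 0:                 # n - 1 = 2^t * u with u odd
        t, u = t + 1, u // 2
    x = pow(a, u, n)
    for _ in range(t):
        prev, x = x, x * x % n
        if x == 1 and prev not in (1, n - 1):
            return True, prev         # prev^2 = 1 but prev != +-1: n is composite
    return x != 1, None               # x = a^(n-1); Fermat failure also proves composite


def miller_rabin(n, s=40, rng=random.SystemRandom()):
    """'Composite' is always correct; 'Prime' is wrong with probability <= 2^-s."""
    if n < 4:
        return "Prime" if n in (2, 3) else "Composite"
    if n % 2 == 0:
        return "Composite"
    for _ in range(s):
        a = rng.randint(1, n - 1)     # Random(1, n-1) as on the slide
        if witness(a, n)[0]:
            return "Composite"
    return "Prime"


def random_prime(bits, rng=random.SystemRandom()):
    """Random prime of exactly `bits` bits: the RSA key-generation step.
    About ln(2^bits)/2 odd candidates are tried on average."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if miller_rabin(cand) == "Prime":
            return cand


def non_witnesses(n):
    """All a in [1, n-1] that fail to prove n composite (brute force; small n only)."""
    return [a for a in range(1, n) if not witness(a, n)[0]]


if __name__ == "__main__":
    print(witness(2, 561))            # (True, 67): 67^2 = 4489 = 8*561 + 1
    print(miller_rabin(561))          # Composite
    print(len(non_witnesses(561)))    # 10, well under (561-1)/2 = 280
    print(random_prime(256))
```

For `561` the sequence for `a = 2` is `263, 166, 67, 1, 1`: the squaring that turns `67` into `1` exposes a nontrivial square root of `1`, which Fermat's test alone (the last value) would never reveal. The brute-force count shows `561` has only `10` non-witnesses among `560` bases, and `15` has just `2` (`1` and `14`), so the theorem's bound is far from tight in these cases; it is the guaranteed minimum that makes the `2^(-s)` error estimate valid for every odd composite.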
Miller-Rabin Correctness -- The Carmichael Number Case
- Suppose `n` is a Carmichael number.
- First, notice `n` can't be a prime power. To see this suppose `n = p^e`, with `e ge 2` since `n` is composite.
Since `n` is odd, `p` must also be odd, so `ZZ_n^star` is cyclic; let `g` be a generator.
By assumption `g^(n-1) equiv 1 = g^0 mod n`, so the discrete logarithm
theorem implies `n-1 equiv 0 mod phi(n)`, where `phi(n) = ord(g) = (p-1)p^(e-1)`. That is, `(p-1)p^(e-1) | p^e - 1`, which is impossible:
as `e ge 2`, the left-hand side is divisible by `p`, but the right-hand side is not.
- So suppose `n` is odd, composite, and not a prime power.
We can then write `n = n_1 cdot n_2` with `n_1, n_2 > 1` and `gcd(n_1, n_2) = 1` (for instance, take `n_1` to be the full power of one prime dividing `n`, and `n_2 = n/n_1`).
- Define `t` and `u` so that `n - 1 = 2^t u` and `u` is odd.
- For a base `a in {1, ..., n-1}`, the Witness procedure computes the sequence
`X = langle a^u, a^(2u), a^((2^2)u), ..., a^((2^t)u) rangle` (all mod `n`).
- Call a pair `(v, j)` acceptable if `v in ZZ_n^star` and `v^((2^j)u) equiv -1 mod n`.
- For example, `v = n-1` and `j = 0` is acceptable, since `u` is odd and so `(n-1)^u equiv (-1)^u = -1 mod n`.
- Pick an acceptable pair `(v, j)` (we just saw there is one) with the largest possible `j`. Since `n` is Carmichael, `v^((2^t)u) = v^(n-1) equiv 1 mod n`, so `j < t`.
- Let
`B = {x in ZZ_n^star | x^((2^j)u) equiv +-1 mod n}`.
This is a subgroup of `ZZ_n^star`: it contains `1`, and the `(2^j u)`-th power of a product or inverse of elements of `B` is again `+-1`. We show next that it is a proper subgroup.
Miller-Rabin Correctness -- Finish The Carmichael Number Case
- Every non-witness `a` is a member of `B`. By maximality of `j`, the sequence `X` produced by a
non-witness is either all `1`'s (so `a^u equiv 1` and hence `a^((2^j)u) equiv 1`) or contains a `-1` at some position `i le j` (so `a^((2^j)u) equiv (-1)^(2^(j-i))`, which is `-1` if `i = j` and `1` otherwise).
- We now use the acceptable pair `(v, j)`, with `v^((2^j)u) equiv -1 mod n`, to produce a `w in ZZ_n^star setminus B`.
- Since `n_1 | n`, from `v^((2^j)u) equiv -1 mod n` we get `v^((2^j)u) equiv -1 mod n_1`.
- By the Chinese Remainder Theorem (as `gcd(n_1, n_2) = 1`) there is a `w` such that
`w equiv v mod n_1` and `w equiv 1 mod n_2`.
- In which case, `w^((2^j)u) equiv -1 mod n_1` and `w^((2^j)u) equiv 1 mod n_2`.
- The Chinese Remainder Theorem also says `x equiv a mod n` iff `x equiv a mod n_i` for each `n_i`. Since `n_1, n_2 ge 3`, `1` and `-1` are distinct modulo each of them, so `w^((2^j)u)` is congruent neither to `1 mod n` (it is `-1 mod n_1`) nor to `-1 mod n` (it is `1 mod n_2`).
- So `w` is not in `B`. Nevertheless, `gcd(w, n) = 1`: `gcd(w, n_1) = gcd(v, n_1) = 1` because `v in ZZ_n^star`, and `gcd(w, n_2) = gcd(1, n_2) = 1`.
So `w` is in `ZZ_n^star`, `B` is a proper subgroup, and the proof is complete.
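Added example (not from the notes): the construction of `w` above carried out for `n = 561 = 3 cdot 11 cdot 17`, the Carmichael number from the earlier slides. It finds an acceptable pair with the largest `j`, splits `n` into coprime factors `n_1 = 3` and `n_2 = 187`, builds `w` by the Chinese Remainder Theorem, and lists `B` to confirm it is a subgroup of at most half of `ZZ_n^star` that misses `w`. Modular inverses use Python's `pow(x, -1, m)` (Python 3.8+); the brute-force search over `ZZ_n^star` is only reasonable at this size.

```python
from math import gcd


def units(n):
    """The elements of Z_n^*: residues 1..n-1 relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def split_coprime(n):
    """n = n1 * n2 with gcd(n1, n2) = 1: n1 is the full power of the smallest
    prime factor of n, n2 is the rest (n must not be a prime power)."""
    p = next(d for d in range(2, n) if n % d == 0)
    n1 = 1
    while n % p == 0:
        n, n1 = n // p, n1 * p
    if n == 1:
        raise ValueError("n is a prime power")
    return n1, n


def crt2(r1, n1, r2, n2):
    """The x mod n1*n2 with x = r1 (mod n1) and x = r2 (mod n2), for coprime n1, n2."""
    x = r1 * n2 * pow(n2, -1, n1) + r2 * n1 * pow(n1, -1, n2)
    return x % (n1 * n2)


def best_acceptable_pair(n):
    """Largest j (with j < t, the Carmichael case) and a v in Z_n^* such that
    v^(2^j u) = -1 (mod n). Returns (v, j, u, t)."""
    t, u = 0, n - 1
    while u % 2 == 0:
        t, u = t + 1, u // 2
    for j in range(t - 1, -1, -1):
        for v in units(n):
            if pow(v, 2**j * u, n) == n - 1:
                return v, j, u, t
    raise ValueError("no acceptable pair; n must be odd")


def subgroup_B(n, j, u):
    """B = {x in Z_n^* : x^(2^j u) = +-1 (mod n)}."""
    return [x for x in units(n) if pow(x, 2**j * u, n) in (1, n - 1)]


def is_subgroup(B, n):
    """A non-empty finite subset closed under multiplication is a subgroup."""
    S = set(B)
    return 1 in S and all(x * y % n in S for x in S for y in S)


def element_outside_B(n):
    """Carry out the proof: w = v (mod n1), w = 1 (mod n2) lies in Z_n^* but not in B."""
    v, j, u, t = best_acceptable_pair(n)
    n1, n2 = split_coprime(n)
    w = crt2(v, n1, 1, n2)
    return w, v, j, subgroup_B(n, j, u)


if __name__ == "__main__":
    w, v, j, B = element_outside_B(561)
    print(j, w, pow(w, 35, 561), len(B))   # 0 188 188 10
```

For `561`, no `v` satisfies `v^((2^j)u) equiv -1` with `j ge 1`, because such a power is a square and `-1` is not a square modulo `3`; so `j = 0`, `B` is the set of `x` with `x^35 equiv +-1 mod 561`, and it has `10` elements, exactly the non-witnesses counted earlier. The constructed `w` is `188` (`188 equiv 2 mod 3`, `188 equiv 1 mod 187`), and `188^35 equiv 188 mod 561`, which is neither `1` nor `560`.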