Outline

• RSA
• Quiz
• Tests for Primes

Introduction

• Last week, we learned some of the number theory needed to understand how the RSA public key crypto-system works.
• So far we've shown that if `a, b` are `n` digit numbers, the extended Euclidean algorithm is an `O(n)` algorithm to find `d, x, y` such that `d=gcd(a,b) = ax+by`.
• We've learned that the modular equation `ax equiv b mod n` either has `d=gcd(a,n)` solutions, if `d|b`, or no solutions, otherwise.
• We've given an algorithm to find these solutions if they exist.
• We've proven the Chinese Remainder Theorem, which gives us a method to go from a sequence of modular constraints `a equiv b_i mod n_i` for `i=1,...,m`, to an `a mod n_1 cdot n_2 cdots n_m` which satisfies all of these constraints.
• We've given a condition for `ZZ_n^\star` to be cyclic (`n` must be of the form 2,4, `p^e`, `2p^e` for some `e in NN` (Theorem #)). We called a generator `g` for `ZZ_n^\star`, when its cyclic, a primitive root. For such a generator, the equation `g^x equiv a mod n` has a solution `x= i\n\d_{n,g} (a)` called the discrete logarithm of `a mod n`.
• Finally, we showed for such primitive roots that: `g^x equiv g^y (mod n)` holds if and only if the equation `x equiv y mod phi(n)` holds (Theorem ##).
• We next talk about the last ingredient we need for RSA: square roots mod some number.

Square Roots

Theorem. If `p` is an odd prime, and `e ge 1`, then the equation `x^2 equiv 1 (mod p^e)` has only two solutions, `x = 1` and `x = -1`.

Proof. Let `n = p^e`. Theorem (#) implies `ZZ_n^star` has a generator `g`. So the above equation can be rewritten as `g^((i\n\d(x))2) equiv g^(i\n\d(1)) mod n`. Note `i\n\d(1) = 0`, so Theorem (##) implies this is equation is equivalent to `2 cdot i\n\d(x) equiv 0 mod phi(n)`, a modular linear equation we can solve. We know `phi(n) = p^e(1- 1/p) = (p-1)p^(e-1)`. If `d` is `gcd(2, phi(n))`, then `d=2` (as if `p` is odd, `2` divides `p-1`) and `d | 0`. So we know this equation has two solutions, which we can compute using our algorithm or by inspection as `1` and `-1`.

• A number `x` is a nontrivial square root of `1 mod n`, if it is a square root but not equivalent to `+-1 mod n`. For example `6 mod 35`.

Corollary. If there exists a nontrivial square root of `1` modulo `n`, then `n` is composite.

Public Key Cryptosystems

• We now apply what we've learned to public key cryptography.
• In public key cryptography, we have two participants Alice and Bob (i.e., A and B) who want to exchange messages securely.
• Each has a public key `P_A`, `P_B` which they let everyone know.
• They also each have a private key `S_A`, `S_B` which only they know.
• Each of these keys is a permutation in some space of strings and the public keys are inverses of the private keys. That is, `M = P_A(S_A(M)) = S_A(P_A(M))`. Here `M` is the message.
• If Alice wants to send Bob a message `M`. She computes some hash function of `M`, `h(M)` and signs this with her private key to make `S_A(h(M))`. She concatenates this to `M` to make `langle M, S_A(h(M)) rangle`. Then she sends `P_B(langle M, S_A(h(M)) rangle)` to Bob.
• To decode, Bob applies his private key to get `S_B(P_B( langle M, S_A(h(M)) rangle)) = langle M, S_A(h(M)) rangle`.
• To check this is from Alice, he applies her public key to the end `P_A(S_A(h(M))) = h(M)` then he computes the hash of the message received and verifies it equal `h(M)`.

RSA

• RSA (Rivest, Shamir, and Adleman 1977) is a particular public key cryptoscheme.
• It creates public keys and private keys as follows:
  1. Select two large prime numbers `p` and `q` such that `p ne q`. (For instance, the primes might be 512 bits each.)
  2. Compute `n = pq`.
  3. Select a small odd integer e that is relatively prime to `phi(n) = (p-1)(q-1)`.
  4. Compute the multiplicative inverse `d` of `e mod phi(n)`.
  5. Publish the pair `P = (e, n)` as the RSA public key.
  6. Keep secret the pair `S= (d, n)` as the RSA secret key.
• To apply a key to a message `0 le M< n`, we compute either `P(M) = M^e mod n` or `S(C) = C^d mod n`. Here `C` is suppose to mean ciphertext.

Correctness of RSA

Theorem. The RSA functions `P` and `S` on the last slides define inverse transformations.

Proof. `P(S(M)) = S(P(M))= M^(ed) mod n`. Since `e` and `d` are multiplicative inverses modulo `phi(n) = (p-1)(q-1)`, `ed = 1+k(p-1)(q-1)` for some `k`. If `M equiv 0 mod n`, then `M^(ed) equiv 0 mod n` so we are done. If `M` is not congruent to `0 mod p`, we have
`M^(ed) equiv M(M^(p-1))^(k(q-1)) mod p`
`equiv M(1)^(k(q-1)) mod p`
`equiv M mod p`
and a similar result holds `mod q`. By the Chinese Remainder Theorem, this implies `M^(ed) equiv M (mod n)`.

Quiz

Which of the following statements is true?

1. `ZZ_7^star` has a subgroup of size 4.
2. `18x equiv 9 mod 81` has no solutions.
3. There exists a number `a mod 105` such that `a equiv 2 mod 3`, `a equiv 4 mod 5`, `a equiv 6 mod 7`.

Testing for Primes

• One key component of RSA is to use large primes chosen at random.
• It turns out that primes are not too rare since it is known that `pi(n)` = the number of primes less than `n` grows as `n/(log n)`.
• However, we still need a way to check if an odd number is prime.
• One brute force approach is to try to divide each number up to `sqrt(n)`. This is exponential in the number of bits of `n`.
• Recall if `n` is prime then `a^(n-1) equiv 1 mod n`.
• A number `n` is pseudo-prime for `a`, if it is composite but `a^(n-1) equiv 1 mod n`.
• It turns out pseudo-primes are rare, so we could almost check for primality by checking this equation for different values for `a`.
• Unfortunately, there are even rarer numbers called Carmichael numbers.
• These are defined as composite numbers such that the equation `a^(n-1) equiv 1 mod n` holds for all nonzero `a` that are relatively prime to `n`.
• Carmichael numbers are rare since one can show they need to be a product of at least three distinct prime number.
• For example, `561 = 3 cdot 11 cdot 17` is a Carmichael Number. One can check for each nonzero `a` relatively prime to `561` that `a^(560) equiv 1 mod 561` (probably want to do using a program).

Miller Rabin Primality Testing

• Idea:
  1. Try several randomly chosen values for `a`.
  2. While computing each modular exponentiation we check, if we ever see a nontrivial square root of `1 mod n`. If so, we know for sure the number is composite.
• The Non-Trivial Square root testing is done by the following routine:

  Witness(a,n)
  1 let n - 1 = 2^t*u, where t >= 1 and u is odd
  2 x_0 = Modular-Exponentiation(a, u, n)
  3 for i = 1 to t:
  4     x_i = (x_(i-1))^2 mod n
  5     if x_i = 1 and x_(i-1) != 1 and x_(i-1) != n-1:
  6         return true
  7 if x_t != 1: 
  8     return true
  9 return false
  

Miller Rabin continued

Miller-Rabin(n, s)
1 for j = 1 to s
2    a = Random(1, n - 1)
3    if Witness(a, n):
4        return "Composite"
5 return "Prime"

Effeciently Computing Powers Mod n

• The primality algorithm relies on being able to compute `a^x mod n` in time some polynomial in `|a|`, |x|, `|n|`.
• We can do this with the code below:

  Exp-Mod(a, x, n)
     c := (Exp-Mod(a, floor(x/2), n))^2 mod n
     if x is even return c;
     else
       return a * c mod n;
  

• As an example, let's see step by step how to compute `3^560 mod 561`:

  Exp-Mod(3, 560, 561) 
  = (Exp-Mod(3, 280, 561))^2 mod 561
  = ((Exp-Mod(3, 140, 561))^2 mod 561)^2 mod 561
  = (((Exp-Mod(3, 70, 561))^2 mod 561)^2 mod 561)^2 mod 561
  = ((((Exp-Mod(3, 35, 561))^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
  Let c = Exp-Mod(3, 35, 561) then
  c=
  = 3 * (Exp-Mod(3, 17, 561))^2 mod 561
  = 3 * (3 * (Exp-Mod(3, 8, 561))^2 mod 561)^2 mod 561
  ... to save writing we note Exp-Mod(3, 8, 561) = 3^4 * 3^4 = 81*81 = 390 mod 561
  = 3 * (3 * (390)^2 mod 561)^2 mod 561
  = 3 * (207 mod 561) ^2 mod 561
  = 78 mod 561
  Plugging in for c in the above
  = ((((c)^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
  = (((474)^2 mod 561)^2 mod 561)^2 mod 561
  = ((276)^2 mod 561)^2 mod 561
  = 441^2 mod 561
  = 375 mod 561.
  

• Notice this isn't 1, but we just said 561 is Carmichael. This is still okay as `gcd(3, 561) = 3 ne 1`.

Error Rate

• If Miller-Rabin says composite, we know the number is composite.
• If it says prime, there is some error rate given by the next theorem:

Theorem. If `n` is composite, then the number of witnesses to compositeness is at least `(n-1)/2`.

Proof. We show the number of non-witnesses is at most `(n-1)/2`. First, any non-witness must be in `ZZ_n^(star)` as it must satisfy `a^(n-1) equiv 1 mod n`, i.e., `a cdot a^(n-2) equiv 1 mod n`; thus, it has an inverse. So we know `gcd(a,n) | 1` and hence `gcd(a, n) = 1`. Next we show that all non-witnesses are contained in a proper subgroup of `ZZ_n^(star)`. This implies the Theorem. There two cases to consider:

1. There is an `x in ZZ_n^(star)` such that `x^(n-1) ne 1 mod n`. In this case, we note all the `b` such that `b^(n-1) equiv 1 mod n` form a group. To see this note, `1` is in this group. As `b \cdot b^{n-2} equiv 1 mod n` and
   `(b^{n-2})^{n-1} equiv b^{(n-2)cdot(n-1)} equiv (b^{n-1})^{n-2} equiv 1^{n-2} equiv 1 mod n`.
   the inverse of `b`, `b^{-1} = b^{n-2}`, satisfies `(b^{-1})^{n-1} equiv 1 mod n`. Finally, given `b`, `c` satisfying the property,
   `(b \cdot c)^{n-1} equiv (b^{n-1}) (c^{n-1}) equiv 1 cdot 1 equiv 1 mod n`,
   So this set is a group. Since it does not contain `x`, it is a proper subgroup of `ZZ_n^(star)`.
2. The number `n` is Carmichael number. In this case, `x^(n-1) equiv 1 mod n` for all `x in ZZ_n^(star)`. i.e, such that `gcd(x, n) = 1`. We show this case next.

Miller-Rabin Correctness -- The Carmichael Number Case

• Suppose `n` is a Carmichael number.
• First, notice `n` can't be a prime power. To see this suppose `n = p^e`. Since `n` is odd, `p` must also be odd, so `ZZ_n^star` will be cyclic, so has a generator `g` and by assumption we have `g^(n-1) equiv 1 mod n`. On the other hand, `o\r\d(g) = phi(n) = (p-1)p^(e-1)` and the discrete logarithm theorem implies `n-1 equiv 0 mod phi(n)`. I. e., `(p-1)p^(e-1) | p^e - 1`, which is impossible as the left hand-side is divisible by `p`, but the right hand side is not.
• So suppose `n` is odd, not a prime power and composite. We can then decompose it as `n =n_1 cdot n_2` where `n_1` and `n_2` have different prime factors.
• Define `t` and `u` so that `n - 1 = 2^t u` and `u` is odd.
• The Witness procedure we gave computes the sequence:
  `X = langle a^u, a^(2u), a^((2^2)u), ..., a^((2^t)u) rangle` (all mod n)
• Call a pair `(v, j)` acceptable if `v in ZZ_n^star` and `v^((2^j)u) equiv -1 mod n`.
• For example, `v = n-1` and `j=0` is acceptable.
• Pick an acceptable pair `(v, j)` (from above we know there is one) with the largest possible value `j le t`.
• Then one can show
  `B = {x in ZZ_n^star |x^((2^j)u) equiv +-1 mod n}`
  is a proper subgroup of `ZZ_n^star`.

Miller-Rabin Correctness -- Finish The Carmichael Number Case

• Every non-witness must be a member of `B`, since the sequence `X` produced by a non-witness must be all `1`'s or else have a `-1` no later than the `j`th position, by the maximality of `j`.
• We now use the existence of `v` such that `v^((2^j)u) equiv -1 mod n` to show there exists a `w` in `ZZ_n^star setminus B`.
• Since `v^((2^j)u) equiv -1 mod n` we have `v^((2^j)u) equiv -1 mod n_1`.
• So we can find by the Chinese Remainder Theorem a `w` such that `w equiv v mod n_1` and `w equiv 1 mod n_2`.
• In which case, `w^((2^j)u) equiv -1 mod n_1` and `w^((2^j)u) equiv 1 mod n_2`.
• So using Chinese Remainder theorem (which says `x equiv a mod n iff x equiv a mod n_i` for each `n_i` ), we get `w^((2^j)u)` is not congruent to `+-1 mod n`.
• So `w` is not in `B`. Nevertheless, one can show its `gcd(w, n) = 1` using the Chinese Remainder Theorem together with the fact that `v` is in `ZZ_n^star` . So `w` is in `ZZ_n^star` completing the proof.