Abstract Representation: Your Ancient Heritage - PowerPoint PPT Presentation

Slides: 95
Provided by: steve1100
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes


1
15-251
Great Theoretical Ideas in Computer Science
2
Modular Arithmetic and the RSA Cryptosystem
Lecture 16 (October 18, 2007)
p-1
1
?p
3
Starring
Adleman
Shamir
Rivest
Euler
Fermat
4
Public Key Cryptography

5
Public Key Cryptography
Use private key to decrypt E(K) and get back K
1024-bit secret K used for secure session
E(K) = the secret K encrypted using Alice's
public key
Secure channel using secret K
6
The RSA Cryptosystem
  • Rivest, Shamir, and Adleman (1978)
  • RSA is one of the most used cryptographic
    protocols on the net.
  • Your browser uses it to establish a secure
    session with a site.

7
Pick secret, random large primes p, q
Publish n = pq
φ(n) = φ(p) φ(q) = (p-1)(q-1)
Pick random e ∈ Zφ(n)*
Publish e
Compute d = inverse of e in Zφ(n)*
Hence, ed = 1 mod φ(n)
Private Key: d
Mumbo jumbo
More Mumbo jumbo
8
p, q random primes, e random ∈ Zφ(n)*
n = pq, ed = 1 mod φ(n)
(n,e) is my public key. Use it to send me a
message.
9
p, q prime, e random ∈ Zφ(n)*
n = pq, ed = 1 mod φ(n)
n, e
message m
m^e mod n
(m^e)^d ≡n m
10
But how does it all work?
  • What is φ(n)?
  • What is Zφ(n)*?
  • Why do all the steps work?

To understand this, we need a little number
theory...
11
MAX(a,b) + MIN(a,b) = a + b
12
n|m means that m is an integer multiple of
n. We say that "n divides m".
13
Greatest Common Divisor: GCD(x,y) = greatest k ≥
1 s.t. k|x and k|y. Least Common
Multiple: LCM(x,y) = smallest k ≥ 1 s.t. x|k and
y|k.
14
Fact: GCD(x,y) × LCM(x,y) = x × y
You can use MAX(a,b) + MIN(a,b) = a + b to prove
the above fact
15
(a mod n) means the remainder when a is divided
by n. If a = dn + r with 0 ≤ r < n, then r = (a mod n) and d = (a div n)
16
  • Defn: Modular equivalence of integers a and b
  • a ≡ b mod n ⇔ (a mod n) = (b mod n) ⇔ n|(a-b)
  • Written as a ≡n b, and spoken
  • "a and b are equivalent modulo n"
  • 31 ≡ 81 mod 2
  • 31 ≡2 81

17
≡n is an equivalence relation. In other words, it is
Reflexive: a ≡n a
Symmetric: (a ≡n b) ⇒ (b ≡n a)
Transitive: (a ≡n b and b ≡n c) ⇒ (a ≡n c)
18
a ≡n b ⇔ n|(a-b): "a and b are equivalent modulo n"
≡n induces a natural partition of the
integers into n classes. a and b are said to be
in the same residue class or congruence class
precisely when a ≡n b.
19
a ≡n b ⇔ n|(a-b): "a and b are equivalent modulo n"
Define: Residue class [i] = the set of all
integers that are congruent to i modulo n.
20
Residue Classes Mod 3:
[0] = {..., -6, -3, 0, 3, 6, ...}
[1] = {..., -5, -2, 1, 4, 7, ...}
[2] = {..., -4, -1, 2, 5, 8, ...}
[-6] = {..., -6, -3, 0, 3, 6, ...}
[7] = {..., -5, -2, 1, 4, 7, ...}
[-1] = {..., -4, -1, 2, 5, 8, ...}
21
Fact: equivalence mod n implies equivalence mod
any divisor of n. If (x ≡n y) and (k|n) then x ≡k y.
Example: 10 ≡6 16 ⇒ 10 ≡3 16
22
If (x ≡n y) and (k|n) then x ≡k y
Proof
23
  • Fundamental lemma of plus, minus, and times mod
    n
  • If (x ≡n y) and (a ≡n b). Then
  • x + a ≡n y + b
  • x - a ≡n y - b
  • x * a ≡n y * b

24
Proof of 3: xa = yb (mod n)
(The other two proofs are similar)
25
Fundamental lemma of plus, minus, and times modulo
n: When doing plus, minus, and times modulo n,
I can at any time in the calculation replace a
number with a number in the same residue class
modulo n
26
Please calculate: 249 * 504 mod 251
When working mod 251: -2 * 2 = -4 = 247
27
A Unique Representation System Modulo n: We
pick exactly one representative from each
residue class. We do all our calculations using
these representatives.
28
Unique representation system modulo 3: Finite
set S = {0, 1, 2}; + and * defined on S
29
Unique representation system modulo 3: Finite
set S = {0, 1, -1}; + and * defined on S
30
Perhaps the most convenient set of
representatives: the reduced system modulo n,
Zn = {0, 1, 2, ..., n-1}
Define operations +n and *n:
a +n b = (a + b mod n)
a *n b = (a * b mod n)
31
Zn = {0, 1, 2, ..., n-1}
a +n b = (a + b mod n), a *n b = (a * b mod n)
Closed: x, y ∈ Zn ⇒ x +n y ∈ Zn
Associative: x, y, z ∈ Zn ⇒ (x +n y) +n z = x +n (y +n z)
Commutative: x, y ∈ Zn ⇒ x +n y = y +n x
32
Zn = {0, 1, 2, ..., n-1}
a +n b = (a + b mod n), a *n b = (a * b mod n)
Closed: x, y ∈ Zn ⇒ x *n y ∈ Zn
Associative: x, y, z ∈ Zn ⇒ (x *n y) *n z = x *n (y *n z)
Commutative: x, y ∈ Zn ⇒ x *n y = y *n x
33
Zn = {0, 1, 2, ..., n-1}
a +n b = (a + b mod n), a *n b = (a * b mod n)
+n and *n are commutative and associative binary
operators from Zn × Zn → Zn
34
The reduced system modulo 3: Z3 = {0, 1, 2}. Two
binary, associative operators on Z3
35
The reduced system modulo 2: Z2 = {0, 1}. Two
binary, associative operators on Z2
36
The Boolean interpretation of Z2: Z2 = {0,
1}. Two binary, associative operators on Z2
37
The reduced system Z4 = {0,1,2,3}
38
The reduced system Z5 = {0,1,2,3,4}
39
The reduced system Z6 = {0,1,2,3,4,5}
40
The reduced system Z6 = {0,1,2,3,4,5}
An operator has the permutation property if each
row and each column has a permutation of the
elements.
41
For every n, +n on Zn has the permutation
property
An operator has the permutation property if each
row and each column has a permutation of the
elements.
42
What about multiplication? Does *6 on Z6 have the
permutation property?
No
An operator has the permutation property if each
row and each column has a permutation of the
elements.
43
What about *8 on Z8?
Which rows have the permutation property?
44
A visual way to understand multiplication and
the permutation property.
45
The multiples of c modulo n is the set {0, c, c
+n c, c +n c +n c, ...} = {kc mod n | 0 ≤ k ≤ n-1}
46
There are exactly 8 distinct multiples of 3
modulo 8.
hit all numbers ⇒ row 3 has the permutation
property
47
There are exactly 2 distinct multiples of 4
modulo 8
row 4 does not have permutation property for *8
on Z8
48
There is exactly 1 distinct multiple of 8 modulo
8
49
There are exactly 4 distinct multiples of 6
modulo 8
50
There are exactly LCM(n,c)/c = n/GCD(c,n)
distinct multiples of c modulo n;
hence only those values of c with GCD(c,n) = 1
have the permutation property for *n on Zn
51
Theorem: There are exactly k = n/GCD(c,n) =
LCM(c,n)/c distinct multiples of c modulo n, and
these are {c*i mod n | 0 ≤ i < k}
Proof: Clearly, c/GCD(c,n) ≥ 1 is a whole number
ck = cn/GCD(c,n) = n(c/GCD(c,n)) ≡n 0
⇒ There are ≤ k distinct multiples of c mod n:
c*0, c*1, c*2, ..., c*(k-1)
Also, k = all the factors of n missing from c
⇒ cx ≡n cy ⇔ n|c(x-y) ⇒ k|(x-y) ⇒ x-y ≥ k
There are ≥ k multiples of c. Hence exactly k.
52
Fundamental lemma of plus, minus, and times
modulo n: If (x ≡n y) and (a ≡n b), then
1) x + a ≡n y + b
2) x - a ≡n y - b
3) x * a ≡n y * b
53
Is there a fundamental lemma of division modulo
n? cx ≡n cy ⇒ x ≡n y ? Of course not! If
c = 0 mod n, cx ≡n cy for all x and y. Canceling
the c is like dividing by zero.
54
Let's fix that! Repaired fundamental lemma of
division modulo n? If c ≠ 0 mod n, then cx ≡n
cy ⇒ x ≡n y ?
6*3 ≡10 6*8, but not 3 ≡10 8.
Bummer!
2*2 ≡6 2*5, but not 2 ≡6 5.
55
When can't I divide by c? Theorem: There are
exactly n/GCD(c,n) distinct multiples of c modulo
n. Corollary: If GCD(c,n) > 1, then the number
of multiples of c is less than n. Corollary: If
GCD(c,n) > 1 then you can't always divide by
c. Proof: There must exist distinct x, y such that cx = cy (but x ≠ y). Hence can't divide.
56
Fundamental lemma of division modulo n: if
GCD(c,n) = 1, then ca ≡n cb ⇒ a ≡n b. Proof
57
Corollary for general c: cx ≡n cy ⇒ x ≡ y
mod n/GCD(c,n)
58
Fundamental lemma of division modulo n: If
GCD(c,n) = 1, then ca ≡n cb ⇒ a ≡n b. Consider the
set Zn* = {x ∈ Zn | GCD(x,n) = 1}. Multiplication
over this set Zn* will have the cancellation
property.
59
Z6 = {0, 1, 2, 3, 4, 5}, Z6* = {1, 5}
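Added example (not part of the lecture slides): a brute-force check of the multiples theorem, the permutation property, and the failed cancellations from slides 46 to 59. All function names are assumptions made for this illustration.

```python
from math import gcd

def multiples(c, n):
    """Distinct multiples of c modulo n: {k*c mod n | 0 <= k <= n-1}."""
    return {(k * c) % n for k in range(n)}

def theorem_holds(n):
    """Check |multiples of c| == n / GCD(c, n) for every row c of the *n table."""
    return all(len(multiples(c, n)) == n // gcd(c, n) for c in range(n))

def permutation_rows(n):
    """Rows of the *n table that are a permutation of Zn."""
    return [c for c in range(n) if len(multiples(c, n)) == n]

def z_star(n):
    """Zn* = {x in Zn | GCD(x, n) = 1}."""
    return [x for x in range(n) if gcd(x, n) == 1]

def cancellation_modulus(c, n):
    """Corollary for general c: cx = cy (mod n) only gives x = y modulo n/GCD(c, n)."""
    return n // gcd(c, n)

def can_cancel(c, x, y, n):
    """Given cx = cy (mod n), report whether x = y (mod n) really follows."""
    assert (c * x - c * y) % n == 0, "precondition: cx and cy are equivalent mod n"
    return (x - y) % n == 0

if __name__ == "__main__":
    for c in (3, 4, 6):
        print(f"multiples of {c} mod 8:", sorted(multiples(c, 8)))
    print("permutation rows of *8:", permutation_rows(8), "Z8* =", z_star(8))
    # The two counterexamples from the slides: 6*3 vs 6*8 mod 10, 2*2 vs 2*5 mod 6
    for c, x, y, n in ((6, 3, 8, 10), (2, 2, 5, 6)):
        m = cancellation_modulus(c, n)
        print(f"c={c}, x={x}, y={y}, n={n}: cancel mod n? {can_cancel(c, x, y, n)};"
              f" x = y mod {m}? {(x - y) % m == 0}")
```

The rows with the permutation property are exactly the elements of Zn*, which is why cancellation is safe there and nowhere else.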
60
What are the properties of Zn*
  • For *n on Zn we showed the following properties
  • Closure
  • x, y ∈ Zn ⇒ x *n y ∈ Zn
  • Associativity
  • x, y, z ∈ Zn ⇒ (x *n y) *n z = x *n (y *n z)
  • Commutativity
  • x, y ∈ Zn ⇒ x *n y = y *n x

What about *n on Zn*?
61
All these 3 properties hold for *n on Zn*. Let's
show closure: x, y ∈ Zn* ⇒ x *n y ∈ Zn*
First, a simple fact: Suppose GCD(x,n) = 1 and
GCD(y,n) = 1. Let z = xy. Clearly, GCD(z,n) = 1.
Also, define z' = (xy mod n). Then
GCD(z',n) = 1
62
All these 3 properties hold for *n on Zn*. Let's
show closure: x, y ∈ Zn* ⇒ x *n y ∈ Zn*
Proof: Let z = xy. Let z' = z mod n. Then z =
z' + kn. Suppose z' not in Zn*. Then GCD(z',n) >
1, and hence GCD(z,n) > 1. Hence there exists
a prime p > 1 s.t. p|z and p|n. p|z ⇒ p|x or p|y
(say p|x). Hence p|n, p|x, so GCD(x,n) >
1. Contradiction of x ∈ Zn*
63
Z12* = {0 ≤ x < 12 | GCD(x,12) = 1} = {1,5,7,11}
64
Z15*
65
Z5* = {1,2,3,4}
= Z5 \ {0}
For all primes p, Zp* = Zp \ {0}, since all 0 < x < p satisfy GCD(x,p) = 1
66
Euler Phi Function φ(n): Define φ(n) = size of
Zn* = number of 1 ≤ k < n that are relatively prime to n.
p prime ⇒ Zp* = {1,2,3,...,p-1} ⇒ φ(p) = p-1
67
Z12* = {0 ≤ x < 12 | GCD(x,12) = 1} = {1,5,7,11}
φ(12) = 4
68
Theorem: if p, q distinct primes then φ(pq) =
(p-1)(q-1)
How about p = 3, q = 5?
69
Theorem: if p, q distinct primes then φ(pq) =
(p-1)(q-1)
  • pq = # of numbers from 1 to pq
  • p = # of multiples of q up to pq
  • q = # of multiples of p up to pq
  • 1 = # of multiple of both p and q up to pq
  • φ(pq) = pq - p - q + 1 = (p-1)(q-1)

70
Additive and Multiplicative Inverses
71
The additive inverse of a ∈ Zn is the unique b
∈ Zn such that a +n b ≡n 0. We denote this
inverse by "-a". It is trivial to calculate:
"-a" = (n-a).
72
The multiplicative inverse of a ∈ Zn* is the
unique b ∈ Zn* such that a *n b ≡n 1. We
denote this inverse by "a^-1" or "1/a". The
unique inverse of a must exist because the a
row contains a permutation of the elements and
hence contains a unique 1.
73
Efficient algorithm to compute a^-1 from a and
n. Run Extended Euclidean Algorithm on the
numbers a and n. It will give two integers r
and s such that ra + sn = gcd(a,n) = 1. Taking
both sides modulo n, we obtain ra ≡n 1. Output
r, which is the inverse of a
74
Euclid(A,B): If B=0 then return A else
return Euclid(B, A mod B)
Euclid(67,29): 67 - 2*29 = 67 mod 29 = 9
Euclid(29,9): 29 - 3*9 = 29 mod 9 = 2
Euclid(9,2): 9 - 4*2 = 9 mod 2 = 1
Euclid(2,1): 2 - 2*1 = 2 mod 1 = 0
Euclid(1,0) outputs 1
75
Let denote the number r*67 + s*29.
Calculate all intermediate values in this
representation.
Extended Euclid Algorithm
67 29 Euclid(67,29)
9 2 9 Euclid(29,9) 21 3 2 Euclid(9,2) 1
4 1 Euclid(2,1) 0
2 0 Euclid(1,0) outputs 1
1 = 13*67 - 30*29
76
Zn = {0, 1, 2, ..., n-1}, Zn* = {x ∈ Zn | GCD(x,n)
= 1}. Define +n and *n: a +n b = (a + b mod n),
a *n b = (a * b mod n); c *n (a +n b) ≡n (c *n
a) +n (c *n b)
  • Closed
  • Associative
  • 0 is identity
  • Additive Inverses
  • Cancellation
  • Commutative
  • Closed
  • Associative
  • 1 is identity
  • Multiplicative Inverses
  • Cancellation
  • Commutative

77
Fundamental Lemmas until now
  • For x, y, a, b in Zn, (x ≡n y) and (a ≡n b). Then
  • 1) x + a ≡n y + b 2) x - a ≡n y - b 3) x * a
    ≡n y * b
  • For a, b, c in Zn*
  • then ca ≡n cb ⇒ a ≡n b

78
Fundamental lemma of powers? If (a ≡n b) then x^a
≡n x^b ? NO! (2 ≡3 5), but it is not the case
that 2^2 ≡3 2^5
79
By the permutation property, two names for the
same set: Zn* = aZn*, where aZn* = {a *n x | x
∈ Zn*}, a ∈ Zn*
Example: Z5*
80
  • Two products on the same set
  • Zn* = aZn*
  • aZn* = {a *n x | x ∈ Zn*}, a ∈ Zn*
  • ∏ x ≡n ∏ ax [as x ranges over Zn*]
  • ∏ x ≡n ∏ x (a^(size of Zn*)) [Commutativity]
  • 1 = a^(size of Zn*) [Cancellation]
  • a^φ(n) = 1

81
Euler's Theorem: a ∈ Zn*, a^φ(n) ≡n 1
Fermat's Little Theorem: p prime, a ∈ Zp* ⇒ a^(p-1) ≡p 1
82
(Correct) Fundamental lemma of powers. Suppose x
∈ Zn*, and a, b, n are naturals. If a ≡φ(n) b
then x^a ≡n x^b. Equivalently, x^a ≡n x^(a mod φ(n))
83
How do you calculate
Fundamental lemma of powers. Suppose x ∈ Zn*,
and a, n are naturals. x^a ≡n x^(a mod φ(n))
  • 2^4444444441 mod 5

x^a (mod n) = x^(a mod φ(n)) (mod n)
84
Defining negative powers: Suppose x ∈ Zn*, and
a, n are naturals. x^-a is defined to be the
multiplicative inverse of x^a: x^-a = (x^a)^-1
85
Rule of integer exponents: Suppose x, y ∈ Zn*, and
a, b are integers. (xy)^-1 ≡n x^-1 y^-1, x^a x^b ≡n
x^(a+b). Can use Lecture 13 to do fast
exponentiation!
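Added example (not part of the lecture slides): Euler's theorem and the fundamental lemma of powers checked numerically, with square-and-multiply standing in for the fast exponentiation the slides refer to. Function names are assumptions, and the slide's exercise is read here as 2^4444444441 mod 5.

```python
from math import gcd

def phi(n):
    """Euler phi by definition: size of Zn* = {x in Zn | GCD(x, n) = 1}."""
    return sum(1 for x in range(n) if gcd(x, n) == 1)

def power_mod(x, a, n):
    """Square-and-multiply: x^a mod n using O(log a) multiplications."""
    result, base = 1 % n, x % n
    while a > 0:
        if a & 1:                      # low bit of the exponent is set
            result = (result * base) % n
        base = (base * base) % n       # stay inside Zn at every step
        a >>= 1
    return result

def power_mod_reduced(x, a, n):
    """Lemma of powers: for x in Zn*, x^a = x^(a mod phi(n)) (mod n)."""
    if gcd(x, n) != 1:
        raise ValueError("x is not in Zn*: the exponent may not be reduced mod phi(n)")
    return power_mod(x, a % phi(n), n)

def euler_holds(n):
    """Euler's theorem: a^phi(n) = 1 (mod n) for every a in Zn*."""
    return all(power_mod(a, phi(n), n) == 1 for a in range(n) if gcd(a, n) == 1)

if __name__ == "__main__":
    # Exponent reduced mod phi(5) = 4 before any multiplication happens
    print("2^4444444441 mod 5 =", power_mod_reduced(2, 4444444441, 5))
    # The slides' warning: 2 and 5 agree mod 3, but 2^2 and 2^5 do not
    print("2^2 mod 3 =", power_mod(2, 2, 3), " 2^5 mod 3 =", power_mod(2, 5, 3))
    # Outside Zn* the lemma fails: 2 is not in Z4*
    print("2^3 mod 4 =", power_mod(2, 3, 4),
          " 2^(3 mod phi(4)) mod 4 =", power_mod(2, 3 % phi(4), 4))
```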
86
Zn = {0, 1, 2, ..., n-1}, Zn* = {x ∈ Zn | GCD(x,n)
= 1}
  • Closed
  • Associative
  • 0 is identity
  • Additive Inverses: Fast + and -
  • Cancellation
  • Commutative
  • Closed
  • Associative
  • 1 is identity
  • Multiplicative Inverses: Fast * and /
  • Cancellation
  • Commutative

87
Fundamental lemma of powers. Suppose x ∈ Zn*,
and a, b, n are naturals. If a ≡φ(n) b then x^a ≡n
x^b. Equivalently, x^a ≡n x^(a mod φ(n))
88
Euler Phi Function: φ(n) = size of Zn*. p prime
⇒ Zp* = {1,2,3,...,p-1} ⇒ φ(p) = p-1. φ(pq) =
(p-1)(q-1) if p, q distinct primes
89
Back to our dramatis personae
Adleman
Shamir
Rivest
Euler
Fermat
90
The RSA Cryptosystem
91
Pick secret, random large primes p, q
Publish n = pq
φ(n) = φ(p) φ(q) = (p-1)(q-1)
Pick random e ∈ Zφ(n)*
Publish e
Compute d = inverse of e in Zφ(n)*
Hence, ed = 1 mod φ(n)
Private Key: d
92
p, q random primes, e random ∈ Zφ(n)*
n = pq, ed = 1 mod φ(n)
n,e is my public key. Use it to send me a
message.
93
p, q prime, e random ∈ Zφ(n)*
n = pq, ed = 1 mod φ(n)
n, e
message m
m^e mod n
(m^e)^d ≡n m
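Added example (not part of the lecture slides): the Extended Euclid inverse from slides 73 to 75 used to carry out the RSA steps above end to end. Function names, the toy primes 61 and 53, e = 17 and the message 65 are constructed for illustration; this is the bare arithmetic of the slides, with tiny primes and no padding.

```python
from math import gcd

def extended_euclid(a, b):
    """Return (g, r, s) with r*a + s*b == g == GCD(a, b)."""
    r0, s0, r1, s1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a - q * b
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return a, r0, s0

def mod_inverse(a, n):
    """Inverse of a in Zn*: reduce r*a + s*n = 1 modulo n to get r*a = 1 (mod n)."""
    g, r, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not in Z{n}*, so it has no inverse")
    return r % n

def rsa_keygen(p, q, e):
    """Build ((n, e), d) from primes p, q and a chosen e in Z_phi(n)*.
    Primality of p and q is assumed, not checked."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (n, e), mod_inverse(e, phi_n)

def rsa_encrypt(m, public_key):
    n, e = public_key
    return pow(m, e, n)          # m^e mod n

def rsa_decrypt(c, public_key, d):
    n, _ = public_key
    return pow(c, d, n)          # (m^e)^d = m (mod n) because ed = 1 mod phi(n)

if __name__ == "__main__":
    print("Euclid(67,29):", extended_euclid(67, 29))   # the slides' worked run
    public, d = rsa_keygen(61, 53, 17)                 # constructed toy parameters
    c = rsa_encrypt(65, public)
    print("public key:", public, "private d:", d)
    print("ciphertext:", c, "decrypted:", rsa_decrypt(c, public, d))
```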
94
  • Working modulo integer n
  • Definitions of Zn, Zn*
  • and their properties
  • Fundamental lemmas of +, -, *, /
  • When can you divide out
  • How to calculate c^-1 mod n.
  • Fundamental lemma of powers
  • Euler phi function φ(n) = |Zn*|
  • Euler's theorem
  • Fermat's little theorem
  • RSA algorithm

Here's What You Need to Know