



An in-depth explanation of the RSA algorithm, including a proof that it works, methods for finding p, q, a and b, and techniques for computing m^b quickly. The document also covers the concept of Z*_n and the relationship between Z*_n and Z_n.
Typology: Study notes




This document is incomplete and in preliminary condition. Proof by Partha Dasgupta, based on a proof by Zvi M. Kedem.

Outline of RSA algorithm:

p, q are distinct primes
N = pq
Define: φ = (p-1)(q-1)
Find a, b such that they are relatively prime to φ and ab = 1 mod φ
Encryption of message m: E_e(m) = m^b mod n = C (cipher)
Decryption of C: D_d(C) = C^a mod n = m
Encryption Key: e = (b, n)
Decryption Key: d = (a, n)
[Note: e and d are interchangeable]

So in order for RSA to work we must have the property:
    (m^b)^a = m mod n    [1]

In this document (7 pages, large font text), we will:
    Prove [1].
    Show how to find p, q, a and b.
    Show how to compute m^b fast.

Preliminaries:

Z_n = {0, 1, 2, …, n-1}
Z*_n = {x ≤ n-1 | x and n are relatively prime}
φ(n) = number of elements of Z_n that are relatively prime to n. Hence φ(n) = |Z*_n|.

How to find φ(n)? All those numbers that are not multiples of p or q are in Z*_n. So count everything in Z_n that is 0 or a multiple of p or q:
    0
    1p, 2p, 3p, …, (q-1)p      (q-1 of them)
    1q, 2q, 3q, …, (p-1)q      (p-1 of them)
hence φ(n) = pq - 1 - (q-1) - (p-1) = pq - p - q + 1 = (p-1)(q-1)

Example: p = 3, q = 5, n = 15. Now φ(n) = 2·4 = 8, and Z*_15 = {1, 2, 4, 7, 8, 11, 13, 14}.

Claim 1: Z*_n is closed under multiplication mod n.
If a, b ∈ Z*_n then ab and n are relatively prime, i.e. ab shares no primes with n. By definition of Z*_n, a and b do not share primes with n. Their product, ab, gets its primes from a and b and therefore does not share primes with n. The product can be written as ab = αn + β. We just need to show that β is in Z*_n. But if it is not, then it shares primes with n and the right hand side is divisible by some prime that is a factor of n. But then so is the left side, which is impossible, as we showed that it is relatively prime with n.
EndClaim

Definition: Z*_n = {b_1, b_2, …, b_φ(n)}
For any a ∈ Z*_n, let S_a = {a·b_1 mod n, a·b_2 mod n, …, a·b_φ(n) mod n}

Claim 2: S_a = Z*_n.
First, by Claim 1, all elements of S_a are in Z*_n. Second, no two elements can be the same. Suppose they were; then for some b_i and b_j (b_i < b_j):
    a·b_i = αn + γ
    a·b_j = βn + γ
Subtracting, (b_i - b_j)·a = (α - β)·n, or x·a = y·n. x·a and y·n are the "same product of primes". Since a and n do not share any common primes, all primes that form n have to appear in x. Hence |x| ≥ n. That is a contradiction, as |x| = b_j - b_i < n.
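The preliminaries and Claims 1 and 2 above, checked by brute force on the p = 3, q = 5 example (an added example, not part of Dasgupta's notes; the function names z_star, phi, s_a and the claim-checking helpers are my own):

```python
from math import gcd


def z_star(n):
    """Z*_n: the elements of {1, ..., n-1} that are relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """phi(n) = |Z*_n|, counted straight from the definition."""
    return len(z_star(n))


def phi_from_primes(p, q):
    """The closed form derived above for n = p*q with p, q distinct primes."""
    return (p - 1) * (q - 1)


def s_a(a, n):
    """S_a = { a*b_i mod n : b_i in Z*_n }, returned sorted so it can be
    compared with Z*_n directly (duplicates are kept, so a collision shows)."""
    return sorted((a * b) % n for b in z_star(n))


def claim2_holds(n):
    """Claim 2: for every a in Z*_n, S_a is exactly Z*_n, i.e. multiplying
    by a just permutes Z*_n (Claim 1 closure plus no two products equal)."""
    zs = z_star(n)
    return all(s_a(a, n) == zs for a in zs)


def euler_holds(n):
    """m^phi(n) = 1 mod n for every m in Z*_n, the fact the RSA proof uses."""
    ph = phi(n)
    return all(pow(m, ph, n) == 1 for m in z_star(n))


if __name__ == "__main__":
    p, q = 3, 5
    n = p * q
    print(z_star(n))                         # [1, 2, 4, 7, 8, 11, 13, 14]
    print(phi(n), phi_from_primes(p, q))     # 8 8
    print(s_a(2, n))                         # the same set again (Claim 2)
    print(s_a(3, n))                         # 3 is not in Z*_15: collisions
    print(claim2_holds(n), euler_holds(n))   # True True
```

The s_a(3, 15) line shows why Claim 2 needs a ∈ Z*_n: with a = 3 the products collide (3, 3, 6, 6, 9, 9, 12, 12), so S_a is not a permutation of Z*_15.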
If a and φ(n) are relatively prime, then a ∈ Z*_φ(n) and from the Corollary of Claim 2 we know that b exists (and is a member of Z*_φ(n)). Thus there exist a and b, both relatively prime to φ(n), such that:
    ab = kφ(n) + 1    (regular arithmetic)
EndClaim

Proof of RSA (for all messages in Z*_n):
Take a message m < n, choose a relatively prime to φ(n) and find b such that ab = 1 mod φ(n). Now compute (m^a)^b using modulo n arithmetic:
    (m^a)^b = m^(kφ(n)+1) = m^(kφ(n))·m = m^φ(n)·m^φ(n)·…·m^φ(n)·m
Take the modulo of each term, and since m^φ(n) = 1 mod n, the result is m. Hence (m^a)^b = m mod n.

Deficiency of this proof: the proof is for all messages in Z*_n. If n is a 512-bit number, then the chance of a number being in Z_n but not in Z*_n is about 10^-25. That is negligible. To fix this problem: there is a proof that all numbers in Z_n have the above property, but that proof is rather complex.
EndProof

How to really find a, b?
We know that given a, b exists, but how to find them? Find a relatively prime to φ(n) (3, 5, 7 etc.: start with a small odd number and work your way up). Note that φ(n) is even.
Then find b using the extended Euclidean algorithm as follows.

Extended Euclidean Algorithm: Given p and q, p > q, the algorithm finds x and y such that
    x·p + y·q = GCD(p, q)
[note: regular arithmetic; x or y is negative]
So we use it as follows: we provide φ(n) and a as input (as p and q) and get x and y [note: GCD(a, φ(n)) = 1], that is, we get the values of x and y such that
    a·y + φ(n)·x = 1
Also note that ab = 1 mod φ(n), that is ab = ηφ(n) + 1, or ab - ηφ(n) = 1. So b = y (with η = -x). Hence in modulo arithmetic, b = y if y is positive and b = φ(n) - |y| if y is negative.

Now we need to find p, q and hence N. p and q are large prime numbers. So the problem is to find large prime numbers. There is no good deterministic way of doing this. However, we can do it with probabilistic algorithms.

Fact: There are lots of large prime numbers. The number of prime numbers below N is about N/ln N, and hence for a random 2048-bit number the probability of it being prime is about 0.0007 (one in 1500).

Claim 5: If p is prime, for any a < p, a^(p-1) = 1 mod p.
Since p is prime, a ∈ Z*_p and φ(p) = p - 1. Thus a^(p-1) = a^φ(p) = 1 mod p.
EndClaim

Claim 6: If p is prime, the equation x^2 = 1 mod p has only 2 solutions, 1 and p - 1 (or -1 mod p).
Let's say the equation has 2 solutions, S_1 and S_2. Thus S_1^2 = 1 + kp
b[k] b[k-1] … b[1] b[0] is the binary representation of the exponent x (here x = p - 1, and p is the number being tested):

    result = 1                             // start with the value of a^0
    for i = k downto 0 {                   // from MSB to LSB
        temp = result                      // store prev result for checking
        result = (result * result) mod p   // square prev result
        if (result = 1) and (temp != 1) and (temp != p-1) then
            p is not prime                 // by Claim 6
            break
        if b[i] = 1 then
            result = (result * a) mod p    // mult by a
    }
    // now we know p is possibly prime

If the above test says "possibly prime" then the number p is not prime with probability 0.5. Hence if we run the test R times, then p is not prime with probability (0.5)^R. If R = 100 and for all the 100 tests the result was "possibly prime", then the chance of the number being not prime is one in a million.

So we select a large number. Test for primality about 500 times. In about 2000 choices, we will find a prime number. Do it again for another prime number. Now call them p and q. All this should take about 1-2 seconds. Definitely under 10 secs. And the rest, as they say, is trivial.

Note that encryption and decryption use the same fast exponentiation algorithm as shown above.
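The whole procedure in these notes, put together end to end as an added Python example (not the notes' own code): the extended Euclidean algorithm with the sign rule for b, the square-and-multiply test above run R times with random bases, prime selection by repeated testing, and encryption and decryption with the same fast exponentiation. Beyond the Claim 6 check in the pseudocode, the test also rejects p when the final value a^(p-1) mod p is not 1, which is the Claim 5 condition the pseudocode leaves implicit. The key size, the function names and the rng parameter are my own choices; 64-bit primes keep the run well under a second and are far too small for real use.

```python
import random
from math import gcd


def extended_euclid(p, q):
    """Returns (g, x, y) with x*p + y*q = g = GCD(p, q) in plain integer
    arithmetic; as the notes say, one of x or y comes out negative."""
    old_r, r = p, q
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:                      # invariant: old_x*p + old_y*q == old_r
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_x, x = x, old_x - quot * x
        old_y, y = y, old_y - quot * y
    return old_r, old_x, old_y


def find_a_b(phi_n):
    """Pick a small odd a relatively prime to phi(n), then b = a^-1 mod phi(n)
    via extended Euclid with phi(n) and a as its inputs (the notes' p and q)."""
    a = 3
    while gcd(a, phi_n) != 1:
        a += 2
    g, x, y = extended_euclid(phi_n, a)   # x*phi(n) + y*a = 1
    b = y if y > 0 else phi_n + y         # the notes' rule: phi(n) - |y| when y < 0
    return a, b


def fast_exp(a, x, p):
    """a^x mod p by square-and-multiply, MSB to LSB, as in the pseudocode."""
    result = 1
    for bit in bin(x)[2:]:
        result = (result * result) % p
        if bit == "1":
            result = (result * a) % p
    return result


def possibly_prime(p, a):
    """One round of the test: compute a^(p-1) mod p bit by bit, rejecting p as
    soon as a nontrivial square root of 1 shows up (Claim 6) and, at the end,
    if a^(p-1) != 1 mod p (Claim 5)."""
    result = 1
    for bit in bin(p - 1)[2:]:
        temp = result
        result = (result * result) % p
        if result == 1 and temp != 1 and temp != p - 1:
            return False                  # p is not prime, by Claim 6
        if bit == "1":
            result = (result * a) % p
    return result == 1                    # Claim 5 must hold for a prime


def is_probable_prime(p, rounds=100, rng=random):
    """R = rounds independent random bases; a composite survives all of
    them with probability at most (0.5)^R."""
    if p < 4:
        return p in (2, 3)
    if p % 2 == 0:
        return False
    return all(possibly_prime(p, rng.randrange(2, p - 1)) for _ in range(rounds))


def random_prime(bits, rng=random):
    """Keep drawing odd, full-length bits-long numbers until one passes."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def generate_keys(bits=64, rng=random):
    """Returns (e, d) = ((b, n), (a, n)) exactly as the outline defines them."""
    p = random_prime(bits, rng)
    q = random_prime(bits, rng)
    while q == p:                         # p and q must be distinct
        q = random_prime(bits, rng)
    n = p * q
    a, b = find_a_b((p - 1) * (q - 1))
    return (b, n), (a, n)


def encrypt(m, e):
    b, n = e
    return fast_exp(m, b, n)


def decrypt(c, d):
    a, n = d
    return fast_exp(c, a, n)


if __name__ == "__main__":
    e, d = generate_keys(64)
    m = 123456789
    print(decrypt(encrypt(m, e), d) == m)   # True
```

possibly_prime(561, 2) returns False even though 561 is a Carmichael number (2^560 = 1 mod 561, so Claim 5 alone would not catch it): the squaring steps pass through 67, whose square is 1 mod 561, and the Claim 6 check fires. That is the reason the test checks intermediate results rather than only the final exponentiation.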