Notes on RSA

University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science 5-1-2010 Notes on RSA Jean H. Gallier University of Pennsylvania, [email protected] Gallier, J., Notes on RSA, 2010 his paper is posted at ScholarlyCommons. htp://repository.upenn.edu/cis_papers/602 For more information, please contact [email protected]. 5.9. PUBLIC KEY CRYPTOGRAPHY; THE RSA SYSTEM 329 of 2p − 1, the algorithm will produce 2p − 1 in binary as opposed to 0 but this exception can be handled easily. For example 916 mod 25 − 1 = = = = = = = 11100101002 (mod 25 − 1) 101002 + 111002 (mod 25 − 1) 1100002 (mod 25 − 1) 100002 + 12 (mod 25 − 1) 100012 (mod 25 − 1) 100012 17. The Lucas-Lehmer test applied to N = 127 = 27 − 1 yields the following steps, if we denote Sk mod 2p − 1 by rk : r0 = 4, r1 = 42 − 2 = 14 (mod 127), i.e. r1 = 14 r2 = 142 − 2 = 194 (mod 127), i.e. r2 = 67 r3 = 672 − 2 = 4487 (mod 127), i.e. r3 = 42 r4 = 422 − 2 = 1762 (mod 127), i.e. r4 = 111 r5 = 1112 − 2 = 12319 (mod 127), i.e. r5 = 0. As r5 = 0, the Lucas-Lehmer test confirms that N = 127 = 27 − 1 is indeed prime. 5.9 Public Key Cryptography; The RSA System Ever since written communication was used, people have been interested in trying to conceal the content of their messages from their adversaries. This has led to the development of techniques of secret communication, a science known as cryptography. The basic situation is that one party, A, say Albert, wants to send a message to another party, J, say Julia. However, there is a danger that some ill-intentioned third party, Machiavelli, may intercept the message and learn things that he is not supposed to know about and as a result, do evil things. The original message, understandable to all parties, is known as the plain text. To protect the content of the message, Albert encrypts his message. When Julia receives the encrypted message, she must decrypt it in order to be able to read it. Both Albert and Julia share some information that Machiavelli does not have, a key. Without a key, Machiavelli, is incapable of decrypting the message and thus, to do harm. There are many schemes for generating keys to encrypt and decrypt messages. We are going to describe a method involving public and private keys known as the RSA Cryptosystem, named after its inventors, Ronald Rivest, Adi Shamir and Leonard Adleman (1978), 330 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES based on ideas by Diffie and Hellman (1976). We highly recommend reading the orginal paper by Rivest, Shamir and Adleman [51]. It is beautifully written and easy to follow. A very clear, but concise exposition can also be found in Kobliz [40]. An encyclopedic coverage of cryptography can be found in Menezes van Oorschot and Vanstone’s Handbook [43]. The RSA system is widely used in practice, for example in SSL (Secure Socket Layer), which in turn is used in https (secure http). Any time you visit a “secure site” on the internet (to read e-mail or to order a merchandise), your computer generates a public key and a private key for you and uses them to make sure that your credit card number and other personal data remains secret. Interestingly, although one might think that the mathematics behind such a scheme are very advanced and complicated, this is not so. In fact, little more than the material of Section 5.4 is needed! Therefore, in this section, we are going to explain the basics of RSA. The first step is to convert the plain text of characters into an integer. This can be done easily by assigning distinct integers to the distinct characters, for example by converting each character to its ASCII code. From now on, we will assume that this conversion has been performed. The next and more subtle step is to use modular arithmetic. We pick a (large) positive integer, m, and perform arithmetic modulo m. Let us explain this step in more details. Recall that for all a, b ∈ Z, we write a ≡ b (mod m) iff a − b = km, for some k ∈ Z, and we say that a and b are congruent modulo m. We already know that congruence is an equivalence relation but it also satisfies the following properties: Proposition 5.39 For any positive integer, m, for all a1 , a2 , b1 , b2 ∈ Z, the following properties hold: If a1 ≡ b1 (mod m) and a2 ≡ b2 (mod m), then (1) a1 + a2 ≡ b1 + b2 (mod m) (2) a1 − a2 ≡ b1 − b2 (mod m) (3) a1 a2 ≡ b1 b2 (mod m). Proof . We only check (3), leaving (1) and (2) as easy exercises. Since a1 ≡ b1 (mod m) and a2 ≡ b2 (mod m), we have a1 = b1 + k1 m and a2 = b2 + k2 m, for some k1 , k2 ∈ Z, and so a1 a2 = (b1 + k1 m)(b2 + k2 m) = b1 b2 + (b1 k2 + k1 b2 + k1 mk2 )m, which means that a1 a2 ≡ b1 b2 (mod m). A more elegant proof consists in observing that a1 a2 − b1 b2 = a1 (a2 − b2 ) + (a1 − b1 )b2 = (a1 k2 + k1 b2 )m, as claimed. 5.9. PUBLIC KEY CRYPTOGRAPHY; THE RSA SYSTEM 331 Proposition 5.39 allows us to define addition subtraction and multiplication on equivalence classes modulo m. If we denote by Z/mZ the set of equivalence classes modulo m and if we write a for the equivalence class of a, then we define a+b = a+b a−b = a−b ab = ab. The above make sense because a + b does not depend on the representatives chosen in the equivalence classes a and b, and similarly for a − b and ab. Of course, each equivalence class, a, contains a unique representative from the set of remainders, {0, 1, . . . , m − 1}, modulo m, so the above operations are completely determined by m × m tables. Using the arithmetic operations of Z/mZ is called modular arithmetic. For an arbitrary m, the set Z/mZ is an algebraic structure known as a ring. Addition and subtraction behave as in Z but multiplication is stranger. For example, when m = 6, 2·3 = 0 3 · 4 = 0, since 2 · 3 = 6 ≡ 0 (mod 6), and 3 · 4 = 12 ≡ 0 (mod 6). Therefore, it is not true that every nonzero element has a multiplicative inverse. However, we know from Section 5.4 that a nonzero integer, a, has a multiplicative inverse iff gcd(a, m) = 1 (use the Bezout identity). For example, 5 · 5 = 1, since 5 · 5 = 25 ≡ 1 (mod 6). As a consequence, when m is a prime number, every nonzero element not divisible by m has a multiplicative inverse. In this case, Z/mZ is more like Q, it is a finite field . However, note that in Z/mZ we have 1� + 1 +��· · · + 1� = 0 m times (since m ≡ 0 (mod m)), a phenomenom that does not happen in Q (or R). The RSA methods uses modular arithmetic. One of the main ingredients of public key cryptography is that one should use an encryption function, f : Z/mZ → Z/mZ, which is easy to compute (i.e, can be computed efficiently) but such that its inverse, f −1 , is practically impossible to compute unless one has special additional information. Such functions are usually referred to as trapdoor one-way functions. Remarkably, exponentiation modulo m, that is, the function, x �→ xe mod m, is a trapdoor one-way function for suitably chosen m and e. Thus, we claim that (1) Computing xe mod m can be done efficiently 332 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES (2) Finding x such that xe ≡ y (mod m) with 0 ≤ x, y ≤ m−1, is hard, unless one has extra information about m. The function that finds an eth root modulo m is sometimes called a discrete logarithm. We will explain shortly how to compute xe modm efficiently using the square and multiply method also known as repeated squaring. As to the second claim, actually, no proof has been given yet that this function is a one-way function but, so far, this has not been refuted either. Now, what’s the trick to make it a trapdoor function? What we do is to pick two distinct large prime numbers, p and q (say over 200 decimal digits), which are “sufficiently random” and we let m = pq. Next, we pick a random, e, with 1 < e < (p − 1)(q − 1), relatively prime to (p − 1)(q − 1). Since gcd(e, (p − 1)(q − 1)) = 1, we know from the discussion just before Theorem 5.22 that there is some d, with 1 < d < (p − 1)(q − 1), such that ed ≡ 1 (mod (p − 1)(q − 1)). Then, we claim that to find x such that xe ≡ y (mod m), we simply compute y d mod m, and this can be done easily, as we claimed earlier. The reason why the above “works” is that xed ≡ x (mod m), (∗) for all x ∈ Z, which we will prove later. Setting up RSA In, summary to set up RSA for Albert (A) to receive encrypted messages, perform the following steps: 1. Albert generates two distinct large and sufficiently random primes, pA and qA . They are kept secret. 2. Albert computes mA = pA qA . This number called the modulus will be made public. 3. Albert picks at random some eA , with 1 < eA < (pA − 1)(qA − 1), so that gcd(eA , (pA − 1)(qA − 1)) = 1. The number eA is called the encryption key and it will also be public. 4. Albert computes the inverse, dA = e−1 A modulo mA , of eA . This number is kept secret. The pair, (dA , mA ), is Albert’s private key and dA is called the decryption key. 5.9. PUBLIC KEY CRYPTOGRAPHY; THE RSA SYSTEM 333 5. Albert publishes the pair, (eA , mA ), as his public key. Encrypting a message Now, if Julia wants to send a message, x, to Albert, she proceeds as follows: First, she splits x into chunks, x1 , . . . , xk , each of length at most mA − 1, if necessary (again, I assume that x has been converted to an integer in a preliminary step). Then, she looks up Albert’s public key, (eA , mA ), and she computes yi = EA (xi ) = xei A mod mA , for i = 1, . . . , k. Finally, she sends the sequence y1 , . . . , yk to Albert. This encrypted message is known as the cyphertext. The function EA is Albert’s encryption function. Decrypting a message In order to decrypt the message, y1 , . . . , yk , that Julia sent him, Albert uses his private key, (dA , mA ), to compute each xi = DA (yi ) = yidA mod mA , and this yields the sequence x1 , . . . , xk . The function DA is Albert’s decryption function. Similarly, in order for Julia to receive encrypted messages, she must set her own public key, (eJ , mJ ), and private key, (dJ , mJ ), by picking two distinct primes pJ and qJ and eJ , as explained earlier. The beauty of the scheme is that the sender only needs to know the public key of the recipient to send a message but an eavesdropper is unable to decrypt the encoded message unless he somehow gets his hands on the secret key of the receiver. Let us give a concrete illustration of the RSA scheme using an example borrowed from Silverman [54] (Chapter 18). We will write messages using only the 26 upper-case letters A, B, . . ., Z, encoded as the integers A = 11, B = 12, . . ., Z = 36. It would be more convenient to have assigned a number to represent a blank space but to keep things as simple as possible we will not do that. Say Albert pick the two primes, pA = 12553 and qA = 13007, so that mA = pA qA = 163, 276, 871 and (pA − 1)(qA − 1) = 163, 251, 312. Albert also pick eA = 79921, relatively prime to (pA − 1)(qA − 1) and then finds the inverse, dA , of eA modulo (pA − 1)(qA − 1) using the extended Euclidean Algorithm (more details will be given in Section 5.11) which turns out to be dA = 145, 604, 785. One can check that 145, 604, 785 · 79921 − 71282 · 163, 251, 312 = 1, which confirms that dA is indeed the inverse of eA modulo 163, 251, 312. Now, assume that Albert receives the following message, broken in chunks of at most 9 digits, since mA = 163, 276, 871 has 9 nine digits: 334 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES 145387828 47164891 152020614 27279275 35356191. Albert decrypts the above messages using his private key, (dA , mA ), where dA = 145, 604, 785, using the repeated squaring method (described in Section 5.11) and finds that 145387828145,604,785 47164891145,604,785 152020614145,604,785 27279275145,604,785 35356191145,604,785 ≡ ≡ ≡ ≡ ≡ 30182523 (mod 163, 276, 871) 26292524 (mod 163, 276, 871) 19291924 (mod 163, 276, 871) 30282531 (mod 163, 276, 871) 122215 (mod 163, 276, 871) which yields the message 30182523 26292524 19291924 30282531 122215, and finally, translating each two digits numeric code to its corresponding character, to the message THOMPSONISINTROUBLE or, in more readable format Thompson is in trouble It would be instructive to encrypt the decoded message 30182523 26292524 19291924 30282531 122215 using the public key, eA = 79921. If everything goes well, we should get our original message 145387828 47164891 152020614 27279275 35356191 back! Let us now explain in more detail how the RSA system works and why it is correct. 5.10 Correctness of The RSA System We begin by proving the correctness of the inversion formula (∗). For this, we need a classical result known as Fermat’s Little Theorem. This result was first stated by Fermat in 1640 but apparently no proof was published at the time and the first known proof was given by Leibnitz (1646-1716). This is basically the proof suggested in Problem 5.14. A different proof was given by Ivory in 1806 and this is the proof that we will give here. It has the advantage that it can be easily generalized to Euler’s version (1760) of Fermat’s Little Theorem. 5.10. CORRECTNESS OF THE RSA SYSTEM 335 Theorem 5.40 (Fermat’s Little Theorem) If p is any prime number, then the following two equivalent properties hold: (1) For every integer, a ∈ Z, if a is not divisible by p, then we have ap−1 ≡ 1 (mod p). (2) For every integer, a ∈ Z, we have ap ≡ a (mod p). Proof . (1) Consider the integers a, 2a, 3a, · · · , (p − 1)a and let r1 , r2 , r3 , · · · , rp−1 be the sequence of remainders of the division of the numbers in the first sequence by p. Since gcd(a, p) = 1, none of the numbers in the first sequence is divisible by p, so 1 ≤ ri ≤ p − 1, for i = 1, . . . , p − 1. We claim that these remainders are all distinct. If not, then say ri = rj , with 1 ≤ i < j ≤ p − 1. But then, since ai ≡ ri (mod p) and aj ≡ rj (mod p), we deduce that aj − ai ≡ rj − ri (mod p), and since ri = rj , we get, a(j − i) ≡ 0 (mod p). This means that p divides a(j − i), but gcd(a, p) = 1 so, by Euclid’s proposition (Proposition 5.20), p must divide j − i. However 1 ≤ j − i < p − 1, so we get a contradiction and the remainders are indeed all distinct. Since there are p − 1 distinct remainders and since they are all nonzero, we must have {r1 , r2 , . . . , rp−1 } = {1, 2, . . . , p − 1}. Using property (3) of congruences (see Proposition 5.39), we get a · 2a · 3a · · · (p − 1)a ≡ 1 · 2 · 3 · · · (p − 1) (mod p), that is, (ap−1 − 1) · (p − 1)! ≡ 0 (mod p). 336 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES Again, p divides (ap−1 − 1) · (p − 1)!, but since p is relatively prime to (p − 1)!, it must divide ap−1 − 1, as claimed. (2) If gcd(a, p) = 1, we proved in (1) that ap−1 ≡ 1 (mod p), from which we get ap ≡ a (mod p), since a ≡ a (mod p). If a is divisible by p, then a ≡ 0 (mod p), which implies ap ≡ 0 (mod p), and thus, that ap ≡ a (mod p). Therefore, (2) holds for all a ∈ Z and we just proved that (1) implies (2). Finally, if (2) holds and if gcd(a, p) = 1, as p divides ap − a = a(ap−1 − 1), it must divide ap−1 − 1, which shows that (1) holds and so, (2) implies (1). It is now easy to establish the correctness of RSA. Proposition 5.41 For any two distinct prime numbers, p and q, if e and d are any two positive integers such that, 1. 1 < e, d < (p − 1)(q − 1), 2. ed ≡ 1 (mod (p − 1)(q − 1)), then for every x ∈ Z, we have xed ≡ x (mod pq). Proof . Since p and q are two distinct prime numbers, by Euclid’s proposition it is enough to prove that both p and q divide xed − x. We show that xed − x is divisible by p, the proof of divisibility by q being similar. By condition (2), we have ed = 1 + (p − 1)(q − 1)k, with k ≥ 1, since 1 < e, d < (p − 1)(q − 1). Thus, if we write h = (q − 1)k, we have h ≥ 1 and xed − x ≡ ≡ ≡ ≡ ≡ x1+(p−1)h − x (mod p) x((xp−1 )h − 1) (mod p) x(xp−1 − 1)((xp−1 )h−1 + (xp−1 )h−2 + · · · + 1) (mod p) (xp − x)((xp−1 )h−1 + (xp−1 )h−2 + · · · + 1) (mod p) 0 (mod p), 5.11. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 337 since xp − x ≡ 0 (mod p), by Fermat’s Little Theorem. Remark: Of course, Proposition 5.41 holds if we allow e = d = 1, but this not interesting for encryption. The number (p − 1)(q − 1) turns out to be the number of positive integers less than pq which are relatively prime to pq. For any arbitrary positive integer, m, the number of positive integers less than m which are relatively prime to m is given by the Euler φ function (or Euler totient), denoted φ (see Problems 5.22 and 5.26 or Niven, Zuckerman and Montgomery [46], Section 2.1, for basic properties of φ). Fermat’s Little Theorem can be generalized to what is known as Euler’s Formula (see Problem 5.22): For every integer, a, if gcd(a, m) = 1, then aφ(m) ≡ 1 (mod m). Since φ(pq) = (p − 1)(q − 1), when gcd(x, φ(pq)) = 1, Proposition 5.41 follows from Euler’s Formula. However, that argument does not show that Proposition 5.41 holds when gcd(x, φ(pq)) > 1 and a special argument is required in this case. It can be shown that if we replace pq by a positive integer, m, that is square-free (does not contain a square factor) and if we assume that e and d are chosen so that 1 < e, d < φ(m) and ed ≡ 1 (mod φ(m)), then xed ≡ x (mod m) for all x ∈ Z (see Niven, Zuckerman and Montgomery [46], Section 2.5, Problem 4). We see no great advantage in using this fancier argument and this is why we used the more elementary proof based on Fermat’s Little Theorem. Proposition 5.41 immediately implies that the decrypting and encryting RSA functions DA and EA are mutual inverses, for any A. Furthermore, EA is easy to compute but, without extra information, namely, the trapdoor dA , it is practically impossible to compute DA = EA−1 . That DA is hard to compute without a trapdoor is related to the fact that factoring a large number, such as mA , into its factors, pA and qA , is hard. Today, it is practically impossible to factor numbers over 300 decimal digits long. Although no proof has been given so far, it is believed that factoring will remain a hard problem. So, even if in the next few years it becomes possible to factor 300 digits numbers, it will still be impossible to factor 400 digits numbers. RSA has the peculiar property that it depends both on the fact that primality testing is easy but that factoring is hard. What a stroke of genius! 5.11 Algorithms for Computing Powers and Inverses modulo m First, we explain how to compute xn mod m efficiently, where n ≥ 1. Let us first consider computing the nth power, xn , of some positive integer. The idea is to look at the parity of 338 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES n and to proceed recursively. If n is even, say n = 2k, then xn = x2k = (xk )2 , so, compute xk recursively and then square the result. If n is odd, say n = 2k + 1, then xn = x2k+1 = (xk )2 · x, so, compute xk recursively, square it, and multiply the result by x. What this suggests is to write n ≥ 1 in binary, say n = b� · 2� + b�−1 · 2�−1 + · · · + b1 · 21 + b0 , where bi ∈ {0, 1} with b� = 1 or, if we let J = {j | bj = 1}, as � n= 2j . j∈J Then, we have xn ≡ x � j∈J 2j = � j x2 mod m. j∈J This suggests computing the residues, rj , such that j x2 ≡ rj (mod m), because then, xn ≡ r� · · · r0 (mod m), where we can compute this latter product modulo m two terms at a time. For example, say we want to compute 999179 mod 1763. First, we observe that 179 = 27 + 25 + 24 + 21 + 1, and we compute the powers modulo 1763: 9992 999 1 ≡ 143 (mod 1763) 22 ≡ 1432 ≡ 1056 (mod 1763) 3 ≡ 10562 ≡ 920 (mod 1763) 9992 24 ≡ 9202 ≡ 160 (mod 1763) 9992 5 ≡ 1602 ≡ 918 (mod 1763) 9992 6 ≡ 9182 ≡ 10 (mod 1763) 9992 7 ≡ 102 ≡ 100 (mod 1763). 999 5.11. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 339 Consequently, 999179 ≡ ≡ ≡ ≡ ≡ 999 · 143 · 160 · 918 · 100 (mod 1763) 54 · 160 · 918 · 100 (mod 1763) 1588 · 918 · 100 (mod 1763) 1546 · 100 (mod 1763) 1219 (mod 1763), and we find that 999179 ≡ 1219 (mod 1763). Of course, it would be impossible to exponentiate 999179 first and then reduce modulo 1763. As we can see, the number of multiplications needed is O(log2 n), which is quite good. The above method can be implemented without actually converting n to base 2. If n is even, say n = 2k, then n/2 = k and if n is odd, say n = 2k + 1, then (n − 1)/2 = k, so we have a way of dropping the unit digit in the binary expansion of n and shifting the remaining digits one place to the right without explicitly computing this binary expansion. Here is an algorithm for computing xn mod m, with n ≥ 1, using the repeated squaring method. An Algorithm to Compute xn mod m Using Repeated Squaring begin u := 1; a := x; while n > 1 do if even(n) then e := 0 else e := 1; if e = 1 then u := a · u mod m; a := a2 mod m; n := (n − e)/2 endwhile; u := a · u mod m end The final value of u is the result. The reason why the algorithm is correct is that after j j rounds through the while loop, a = x2 mod m and � i u= x2 mod m, i∈J | i<j with this product interpreted as 1 when j = 0. Observe that the while loop is only executed n − 1 times to avoid squaring once more unnecessarily and the last multiplication a · u is performed outside of the while loop. Also, if we delete the reductions modulo m, the above algorithm is a fast method for computing 340 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES the nth power of an integer x and the time speed-up of not performing the last squaring step is more significant. We leave the details of the proof that the above algorithm is correct as an exercise. Let us now consider the problem of computing efficiently the inverse of an integer, a, modulo m, provided that gcd(a, m) = 1. We mentioned in Section 5.4 how the Extended Euclidean Algorithm can be used to find some integers, x, y, such that ax + by = gcd(a, b), where a and b are any two positive integers. The details are worked out in Problem 5.17 and another version is explored in Problem 5.18. In our situation, a = m and b = a and we only need to find y (we would like a positive integer). When using the Euclidean algorithm for computing gcd(m, a), with 2 ≤ a < m, we compute the following sequence of quotients and remainders: m = aq1 + r1 a = r 1 q2 + r 2 r 1 = r 2 q3 + r 3 .. .. . . rk−1 = rk qk+1 + rk+1 .. .. . . rn−3 = rn−2 qn−1 + rn−1 rn−2 = rn−1 qn + 0, with n ≥ 3, 0 < r1 < b, qk ≥ 1, for k = 1, . . . , n, and 0 < rk+1 < rk , for k = 1, . . . , n − 2. Observe that rn = 0. If n = 2, we just have two divisions, m = aq1 + r1 a = r 1 q2 + 0 with 0 < r1 < b, q1 , q2 ≥ 1 and r2 = 0. Thus, it is convenient to set r−1 = m and r0 = a. In Problem 5.17, it is shown that if we set x−1 y−1 x0 y0 xi+1 yi+1 = = = = = = 1 0 0 1 xi−1 − xi qi+1 yi−1 − yi qi+1 , 5.11. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 341 for i = 0, . . . , n − 2, then mxn−1 + ayn−1 = gcd(m, a) = rn−1 , and so, if gcd(m, a) = 1, then rn−1 = 1 and we have ayn−1 ≡ 1 (mod m). Now, yn−1 may be greater than m or negative but we already know how to deal with that from the discussion just before Theorem 5.22. This suggests reducing modulo m during the recurrence and we are led to the following recurrence: y−1 y0 zi+1 yi+1 yi+1 = = = = = 0 1 yi−1 − yi qi+1 zi+1 mod m if zi+1 ≥ 0 m − ((−zi+1 ) mod m) if zi+1 < 0, for i = 0, . . . , n − 2. It is easy to prove by induction that ayi ≡ ri (mod m) for i = 0, . . . , n − 1 and thus, if gcd(a, m) > 1, then a does not have an inverse modulo m, else ayn−1 ≡ 1 (mod m) and yn−1 is the inverse of a modulo m such that 1 ≤ yn−1 < m, as desired. Note that we also get y0 = 1 when a = 1. We will leave this proof as an exercise (see Problem 5.57). Here is an algorithm obtained by adapting the algorithm given in Problem 5.17. An Algorithm for Computing the Inverse of a modulo m Given any natural number, a, with 1 ≤ a < m and gcd(a, m) = 1, the following algorithm returns the inverse of a modulo m as y: begin y := 0; v := 1; g := m; r := a; pr := r; q := �g/pr�; r := g − pr q; (divide g by pr, to get g = pr q + r) if r = 0 then y := 1; g := pr else 342 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES r = pr; while r �= 0 do pr := r; pv := v; q := �g/pr�; r := g − pr q; (divide g by pr, to get g = pr q + r) v := y − pv q; if v < 0 then v := m − ((−v) mod m) else v = v mod m endif g := pr; y := pv endwhile; endif; inverse(a) := y end For example, we used the above algorithm to find that dA = 145, 604, 785 is the inverse of eA = 79921 modulo (pA − 1)(qA − 1) = 163, 251, 312. The remaining issues are how to choose large random prime numbers, p, q, and how to find a random number, e, which is relatively prime to (p − 1)(q − 1). For this, we rely on a deep result of number theory known as the Prime Number Theorem. 5.12 Finding Large Primes; Signatures; Safety of RSA Roughly speaking, the Prime Number Theorem ensures that the density of primes is high enough to guarantee that there are many primes with a large specified number of digits. The relevant function is the prime counting function, π(n). Definition 5.14 The prime counting function, π, is the function defined so that π(n) = number of prime numbers, p, such that p ≤ n, for every natural number, n ∈ N. Obviously, π(0) = π(1) = 0. We have π(10) = 4 since the primes no greater than 10 are 2, 3, 5, 7 and π(20) = 8 since the primes no greater than 20 are 2, 3, 5, 7, 11, 13, 17, 19. The growth of the function π was studied by Legendre, Gauss, Tschebycheff and Riemann between 1808 and 1859. By then, it was conjectured that π(n) ∼ n , ln(n) 5.12. FINDING LARGE PRIMES; SIGNATURES; SAFETY OF RSA for n large, which means that lim π(n) n�→∞ � 343 n = 1. ln(n) However, a rigorous proof had to wait until 1896. Indeed, in 1896, Jacques Hadamard and Charles de la Vallée-Poussin independendly gave a proof of this “most wanted theorem,” using methods from complex analysis. These proofs are difficult and although more elementary proofs were given later, in particular by Erdös and Selberg (1949), those proofs are still quite hard. Thus, we content ourselves with a statement of the theorem. Theorem 5.42 (Prime Number Theorem) For n large, the number of primes, π(n), no larger than n is approximately equal to n/ ln(n), which means that � n lim π(n) = 1. n�→∞ ln(n) For a rather detailed account of the history of the Prime Number Theorem (for short, PNT ), we refer the reader to Ribenboim [50] (Chapter 4). As an illustration of the use of the PNT, we can estimate the number of primes with 200 decimal digits. Indeed this is the difference of the number of primes up to 10200 minus the number of primes up to 10199 , which is approximately 10199 10200 − ≈ 1.95 · 10197 . 200 ln 10 199 ln 10 Thus, we see that there is a huge number of primes with 200 decimal digits. Since the number of natural numbers with 200 digits is 10200 − 10199 = 9 · 10199 , the proportion of 200 digits numbers that are prime is 1.95 · 10197 1 ≈ . 199 9 · 10 460 Consequently, among the natural numbers with 200 digits, roughly one in every 460 is a prime! � Beware that the above argument is not entirely rigorous because the Prime Number Theorem only yields an approximation of π(n) but sharper estimates can be used to say how large n should be to guarantee a prescribed error on the probability, say 1%. The implication of the above fact is that if we wish to find a random prime with 200 digits, we pick at random some natural number with 200 digits and test whether it is prime. If this number is not prime, then we discard it and try again, and so on. On the average, after 460 trials, a prime should pop up! This leads us the question: How do test for primality? 344 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES Primality testing has also been studied for a long time. Remarkably, Fermat’s Little Theorem yields a test for non-primality. Indeed, if p > 1 fails to divide ap−1 − 1 for some natural number, a, where 2 ≤ a ≤ p − 1, then p cannot be a prime. The simplest a to try is a = 2. From a practical point of view, we can compute ap−1 mod p using the method of repeated squaring and check whether the remainder is 1. But what if p fails the Fermat test? Unfortunately, there are natural numbers, p, such that p divides 2p−1 − 1 and yet, p is composite. For example p = 341 = 11 · 31 is such a number. Actually, 2340 being quite big, how do we check that 2340 − 1 is divisible by 341? We just have to show that 2340 − 1 is divisible by 11 and by 31. We can use Fermat’s Little Theorem! Since 11 is prime, we know that 11 divides 210 − 1. But, 2340 − 1 = (210 )34 − 1 = (210 − 1)((210 )33 + (210 )32 + · · · + 1), so 2340 − 1 is also divisible by 11. As to divisibility by 31, observe that 31 = 25 − 1, and 2340 − 1 = (25 )68 − 1 = (25 − 1)((25 )67 + (25 )66 + · · · + 1), so 2340 − 1 is also divisible by 31. A number, p, which is not a prime but behaves like a prime in the sense that p divides 2 − 1, is called a pseudo-prime. Unfortunately, the Fermat test gives a “false positive” for pseudo-primes. p−1 Rather than simply testing whether 2p−1 − 1 is divisible by p, we can also try whether 3p−1 − 1 is divisible by p and whether 5p−1 − 1 is divisible by p, etc. Unfortunately, there are composite natural numbers, p, such that p divides ap−1 − 1, for all positive natural numbers, a, with gcd(a, p) = 1. Such numbers are known as Carmichael numbers. The smallest Carmichael number is p = 561 = 3 · 11 · 17. The reader should try proving that, in fact, a560 − 1 is divisible by 561 for every positive natural number, a, such that gcd(a, 561) = 1, using the technique that we used to prove that 341 divides 2340 − 1. It turns out that there are infinitely many Carmichael numbers. Again, for a thorough introduction to primality testing, pseudo-primes, Carmichael numbers and more, we highly recommend Ribenboim [50] (Chapter 2). An excellent (but more terse) account is also given in Kobliz [40] (Chapter V). Still, what do we do about the problem of false positives? The key is to switch to probabilistic methods. Indeed, if we can design a method which is guaranteed to give a false positive with probablity less than 0.5, then we can repeat this test for randomly chosen a’s and reduce the probability of false positive considerably. For example, if we repeat the experiment 100 times, the probability of false positive is less than 2−100 < 10−30 . This is probably less than the probability of hardware failure! 5.12. FINDING LARGE PRIMES; SIGNATURES; SAFETY OF RSA 345 Various probabilistic methods for primality testing have been designed. One of them is the Miller-Rabin test, another the APR test, yet another the Solovay-Strassen test. Since 2002, it is known that primality testing can be done in polynomial time. This result, due to Agrawal, Kayal and Saxena and known as the AKS test solved a long-standing problem, see Dietzfelbinger [17] and Crandall and Pomerance [12] (Chapter 4). Remarkably, Agrawal and Kayal worked on this problem for their senior project in order to complete their bachelor’s degree! It remains to be seen whether this test is really practical for very large numbers. A very important point to make is that these primality testing methods do not provide a factorization of m when m is composite. This is actually a crucial ingredient for the security of the RSA scheme. So far, it appears (and it is hoped!) that factoring an integer is a much harder problem than testing for primality and all known methods are incapable of factoring natural numbers with over 300 decimal digits (it would take centuries). For a comprehensive exposition of the subject of primality-testing, we refer the reader to Crandall and Pomerance [12] (Chapter 4) and again, to Ribenboim [50] (Chapter 2) and Kobliz [40] (Chapter V). Going back to the RSA method, we now have ways of finding the large random primes p and q by picking at random some 200 digits numbers and testing for primality. Rivest, Shamir and Adleman also recommend to pick p and q so that they differ by a few decimal digits, that both p − 1 and q − 1 should contain large prime factors and that gcd(p − 1, q − 1) should be small. The public key, e, relatively prime to (p − 1)(q − 1) can also be found by a similar method: Pick at random a number, e < (p − 1)(q − 1), which is large enough (say, greater than max{p, q}) and test whether gcd(e, (p − 1)(q − 1)) = 1, which can be done quickly using the Extended Euclidean Algorithm. If not, discard e and try another number, etc. It is easy to see that such an e will be found in no more trials than it takes to find a prime, see Lovász, Pelikán and Vesztergombi [41] (Chapter 15), which contains one of the simplest and clearest presentation of RSA that we know of. Kobliz [40] (Chapter IV) also provides some details on this topic as well as Menezes van Oorschot and Vanstone’s Handbook [43]. If Albert receives a message coming from Julia, how can he be sure that this message does not come from an imposter? Just because the message is signed “Julia” does not mean that it comes from Julia; it could have been sent by someone else pretending to be Julia, since all that is needed to send a message to Albert is Albert’s public key, which is known to everybody. This leads us to the issue of signatures. There are various schemes for adding a signature to an encypted message to ensure that the sender of a message is really who he/she claims to be (with a high degree of confidence). The trick is to make use of the keys of the sender. We propose two scenarios: 1. The sender, Julia, encrypts the message, x, to be sent with her own private key, (dJ , mJ ), creating the message DJ (x) = y1 . Then, Julia adds her signature, “Julia”, at the end of the message y1 , encrypts the message “y1 Julia” using Albert’s public key, 346 CHAPTER 5. PARTIAL ORDERS, GCD’S, RSA, LATTICES (eA , mA ), creating the message y2 = EA (y1 Julia), and finally sends the message y2 to Albert. When Albert receives the encrypted message, y2 , claiming to come from Julia, first he decrypts the message using his private key, (dA , mA ). He will see an encrypted message, DA (y2 ) = y1 Julia, with the legible signature, Julia. He will then delete the signature from this message and decrypts the message y1 using Julia’s public key, (eJ , mJ ), getting x = EJ (y1 ). Albert will know whether someone else faked this message if the result is garbage. Indeed, only Julia could have encrypted the original message, x, with her private key, which is only known to her. An eavesdropper who is pretending to be Julia would not know Julia’s private key and so, would not have encrypted the original message to be sent using Julia’s secret key. 2. The sender, Julia, first adds her signature, “Julia”, to the message, x, to be sent and then, she encrypts the message “x Julia” with Albert’s public key, (eA , mA ), creating the message y1 = EA (x Julia). Julia also encrypts the original message, x, using her private key, (dJ , mJ ) creating the message y2 = DJ (x), and finally she sends the pair of messages (y1 , y2 ). When Albert receives a pair of messages, (y1 , y2 ), claimed to have been sent by Julia, first Albert decrypts, y1 using his private key, (dA , mA ), getting the message DA (y1 ) = x Julia. Albert finds the signature, Julia, and then decrypts y2 using Julia’s public key, (eJ , mJ ), getting the message x� = EJ (y2 ). If x = x� , then Albert has serious assurance that the sender is indeed Julia and not an imposter. The last topic that we would like to discuss is the security of the RSA scheme. This is a difficult issue and many researchers have worked on it. As we remarked earlier, the security of RSA hinges on the fact that factoring is hard. It has been shown that if one has a method for breaking the RSA scheme (namely, to find the secret key, d), then there is a probabilistic method for finding the factors, p and q, of m = pq (see Kobliz [40], Chapter IV, Section 2, or Menezes van Oorschot and Vanstone’s [43], Section 8.2.2). If p and q are chosen to be large enough, factoring m = pq will be practically impossible and so, it is unlikely that RSA can be cracked. However, there may be other attacks and, at the present, there is no proof that RSA is fully secure. Observe that since m = pq is known to everybody, if somehow one can learn N = (p − 1)(q − 1), then p and q can be recovered. Indeed N = (p − 1)(q − 1) = pq − (p + q) + 1 = m − (p + q) + 1 and so, pq = m p + q = m − N + 1, and p and q are the roots of the quadratic equation X 2 − (m − N + 1)X + m = 0. 5.13. DISTRIBUTIVE LATTICES, BOOLEAN ALGEBRAS, HEYTING ALGEBRAS347 Thus, a line of attack is to try to find the value of (p − 1)(q − 1). For more on the security of RSA, see Menezes van Oorschot and Vanstone’s Handbook [43]. 5.13 Distributive Lattices, Boolean Algebras, Heyting Algebras If we go back to one of our favorite examples of a lattice, namely, the power set, 2X , of some set, X, we observe that it is more than a lattice. For example, if we look at Figure 5.6, we can check that the two identities D1 and D2 stated in the next definition hold. Definition 5.15 We say that a lattice, X, is a distributive lattice if (D1) and (D2) hold: D1 D2 a ∧ (b ∨ c) = (a ∧ b) ∨ (a ∧ c) a ∨ (b ∧ c) = (a ∨ b) ∧ (a ∨ c). Remark: Not every lattice is distributive but many lattices of interest are distributive. It is a bit surprising that in a lattice, (D1) and (D2) are actually equivalent, as we now show. Suppose (D1) holds, then (a ∨ b) ∧ (a ∨ c) = ((a ∨ b) ∧ a) ∨ ((a ∨ b) ∧ c) = a ∨ ((a ∨ b) ∧ c) = a ∨ ((c ∧ (a ∨ b)) = a ∨ ((c ∧ a) ∨ (c ∧ b)) = a ∨ ((a ∧ c) ∨ (b ∧ c)) = (a ∨ (a ∧ c)) ∨ (b ∧ c) = ((a ∧ c) ∨ a) ∨ (b ∧ c) = a ∨ (b ∧ c) (D1) (L4) (L1) (D1) (L1) (L2) (L1) (L4) which is (D2). Dually, (D2) implies (D1). The reader should prove that every totally ordered poset is a distributive lattice. The lattice N+ under the divisibility ordering also turns out to be a distributive lattice. Another useful fact about distributivity is that in any lattice a ∧ (b ∨ c) ≥ (a ∧ b) ∨ (a ∧ c). This is because in any lattice, a ∧ (b ∨ c) ≥ a ∧ b and a ∧ (b ∨ c) ≥ a ∧ c. Therefore, in order to establish distributivity in a lattice it suffices to show that a ∧ (b ∨ c) ≤ (a ∧ b) ∨ (a ∧ c). Another important property of distributive lattices is the following: