Math 480: Open Source Mathematical Software

2016-05-25

William Stein

Lectures 26: Public key cryptography (part 2 of 3): RSA

Plan:

1. Homework/grading reminder.

2. Next week -- discussion

3. Today: explain RSA

4. Work on homework

WE will not meet next week. There are 9 assignments. You will be completely done with everything related to this class on Friday May 27 at 6pm.

Recall... the Diffie-Hellman key exchange:

• A and B agree on $g \in \ZZ/p\ZZ$.

• A and B choose random $a,b$ and send $g^a$ and $g^b$.

• The shared secret is $s = (g^a)^b = g^{ab} = (g^b)^a$, which both A and B can easily compute, but an eavesdropper (presumably) can't.

DH is simple, beautifully symmetric, and is useful for setting up an active secure channel for temporary communication:

• login to a website, ssh to a remote computer, etc.

DH does not solve a lot of interesting problems though. For example:

• B publishes some information -- a "public key" -- on their website.

• Anybody at any time, and without B having to do anything, can encrypt a message that only B can decrypt.

There is a solution to this problem, which also uses modular arithmetic. It's completely different than Diffie-Hellman!

## The RSA Cryptosystem

RSA = Rivest-Shamir-Adleman

(Errata: In the lecture yesterday I said GCHQ secretly also discovered DH, but actually they also discovered RSA.)

How RSA works. There's one basic idea from number theory that you have to know about to understand RSA.

Let $p$ be a prime. Fermat's Little Theorem says that for every integer $a$ coprime to $p$, we have $$a^{p-1} \equiv 1 \pmod{p}?$$

Try it out:

Proof: The cardinality of the finite group $(\ZZ/p\ZZ)^*$ is $p-1$ and it's a basic result in group theory that the order of any element of a group divides the cardinality of the group.

Similarly for component $n$, we have that if $\gcd(a,n)=1$, then $$a^{\varphi(n)} \equiv 1\pmod{n}$$ since $(\ZZ/n\ZZ)^*$ is a group of order $\varphi(n)$.

$\varphi(pq) = (p-1)\cdot (q-1)$

So A wants to send a secret message to B.... here's how.

• Step 1. Setup:

  • B secretly chooses two large prime numbers $p$ and $q$ at random and an integer $e$, and publishes $n=pq$ and $e$.

  • B knows $p$ and $q$, so B can compute $\varphi(n) = (p-1)(q-1)$, and also an integer $d$ such that $ed \equiv 1\pmod{\varphi(n)}$. Thus $ed = 1 + k \varphi(n)$ for some $k$.

• Step 2. Encryption:

  • A encodes the message as an integer $m$ modulo $n$.

  • Then A encrypts the message as $t = m^e\pmod{n}$.

• Step 3. Decryption:

  • B decrypts the message by using that $t^d = (m^e)^d = m^{ed} \equiv m^{1 + k \varphi(n)} \equiv m \pmod{n}$.

This last step uses that $m^{\varphi(n)} \equiv 1 \pmod{n}$.

Let's try it out!

Attacking RSA

To attack RSA the observer has to compute $m\pmod{n}$ given $m^e\pmod{n}$.

That is NOT the discrete log problem again! (Why?)

In theory, the attacker has all the information they need. They know $n$, so they can "just" factor $n$ to find $p,q$, then compute $\varphi(n)=(p-1)(q-1)$, and $d$ as above.

However... factoring large numbers seems to be really frickin' hard.

OK, now work on your homework...