Lecture 12. Inverses? Proof review. Claim: a − 1 ( mod m ) exists when gcd ( a , m ) = 1 . Fact: ax � = ay ( mod m ) for x � = y ∈ { 0 ,... m − 1 } Proof of Fact: Let ax = ay ( mod m ) , x � = y ∈ { 0 ,..., m − 1 } It’s Friday. ax = ay + km When does a have inverse ( mod m ) ? Will let out early today! a ( x − y ) = km When gcd ( a , m ) = 1! Consider prime factorization: 61A midterm makeup afterwards. a = a 1 ... a ℓ . Today: A bit of review, RSA, signature schemes. m = m 1 ... m z . Do any a i = m j ? Yes? No? No! gcd ( a , m ) = 1! Therefore a ( x − y ) = km only if factorization of ( x − y ) contains all factors of m . = ⇒ ( x − y ) ≥ m or ( x − y ) = 0. Contradiction. Excursion: Bijections. Modular arithmetic examples. Inverses: continued. f : S → T is one-to-one mapping . f : S → T is one-to-one mapping . one-to-one: f ( x ) � = f ( x ′ ) for x , x ′ ∈ S and x � = x ′ . Not 2 to 1! one-to-one: f ( x ) � = f ( x ′ ) for x , x ′ ∈ S and x � = y . Claim: a − 1 ( mod m ) exists when gcd ( a , m ) = 1 . f ( · ) is onto f ( · ) is onto Fact: ax � = ay ( mod m ) for x � = y ∈ { 0 ,... m − 1 } if for every y ∈ T there is x ∈ S where y = f ( x ) . if for every y ∈ T there is x ∈ S where y = f ( x ) . Consider T = { 0 a ( mod m ) , 1 a ( mod m ) ,...,... ( m − 1 ) a ( mod m ) } Bijection is one-to-one and onto function. Recall: f ( red ) = 1, f ( yellow ) = 2 , f ( blue ) = 3 Consider S = { 0 , 1 ,...,... ( m − 1 ) } Two sets have the same size One-to-one if inverse: g ( 1 ) = red , g ( 2 ) = yellow , g ( 3 ) = blue . S = T . Why? if and only if there is a bijection between them! Is f ( x ) = x + 1 ( mod m ) one-to-one? g ( x ) = x − 1 ( mod m ) . T ⊆ S since ax ( mod m | ) ∈ { 0 ,..., m − 1 } Same size? Onto: range is subset of domain. One-to-one mapping from S to T ! { red , yellow , blue } and { 1 , 2 , 3 } ? Is f ( x ) = ax ( mod m ) one-to-one? = ⇒ | T | ≥ | S | If gcd ( a , m ) = 1, ax � = ax ′ ( mod m ) . f ( red ) = 1, f ( yellow ) = 2, f ( blue ) = 3. Same set. { red , yellow , blue } and { 1 , 2 } ? Injective? Surjective? Why does a have inverse? T is S and therefore contains 1 ! ! ! f ( red ) = 1, f ( yellow ) = 2, f ( blue ) = 2. We tend to use one-to-one and onto. two to one! not one to one. Why am I excited? There is an x where ax = 1. Bijection is one-to-one and onto function. { red , yellow } and { 1 , 2 , 3 } ? There is an inverse of a ! ! ! Two sets have the same size f ( red ) = 1, f ( yellow ) = 2. if and only if there is a bijection between them! Misses 3. not onto.
Fermat from Bijection. RSA and Fermat. Fermat: a seeming excursion? Thm: m ed = m ( mod pq ) if ed = 1 ( mod ( p − 1 )( q − 1 )) RSA: Fermat’s Little Theorem: For prime p , and a �≡ 0 ( mod p ) , Seems like magic! a p − 1 ≡ 1 ( mod p ) . Alice: Fermat’s Little Theorem: For prime p , and a �≡ 0 ( mod p ) , Primes: p , q . N = pq . Proof: Consider T = { a · 1 ( mod p ) ,..., a · ( p − 1 ) ( mod p ) } . a p − 1 ≡ 1 ( mod p ) . Encryption Key: e where gcd ( e , ( p − 1 )( q − 1 ))) = 1 Decryption Key: d = e − 1 ( mod ( p − 1 )( q − 1 )) T is range of function f ( x ) = ax mod ( p ) for set S = { 1 ,..., p − 1 } . 3 6 ( mod 7 ) ? 1. Invertible function: one-to-one. 3 7 ( mod 7 ) ? 3. Message: m T ⊆ S since 0 �∈ T . Encryption: y = E ( m ) = m e ( mod N ) . Bob. p is prime. Decryption: D ( y ) = y d ( mod N ) . Alice. Involves exponents and gets 3 back. = ⇒ T = S . Seems like magic. Result: m ed ( mod N ) Product of elts of T = Product of elts of S . Corollary: a k ( p − 1 )+ 1 = a ( mod p ) Example: ( a · 1 ) · ( a · 2 ) ··· ( a · ( p − 1 )) ≡ 1 · 2 ··· ( p − 1 ) mod p , x = 2 Get a back when exponent is 1 ( mod p − 1 ) . p = 7 , 1 = 11 . N = 77 y = 2 7 ( mod 77 ) Bob. Since multiplication is commutative. A little like RSA. e = 7 gcd ( 7 , 60 ) = 1. y 43 = 2 ( mod 77 ) Alice. a ed ( mod ( p − 1 )( q − 1 )) is a a ( p − 1 ) ( 1 ··· ( p − 1 )) ≡ ( 1 ··· ( p − 1 )) mod p . d = 43 7 ∗ 43 = 1 ( mod 60 ) . Alice got Bob’s message! when exponent is 1 ( mod ( p − 1 )( q − 1 )) . Each of 2 ,... ( p − 1 ) has an inverse modulo p , mulitply by inverses to Want D ( E ( x )) = x Proof of Corollary. If a = 0, a k ( p − 1 )+ 1 = 0 ( mod m ) . get... Thm: x ed = x ( mod N ) Otherwise a 1 + k ( p − 1 ) ≡ a 1 ∗ ( a p − 1 ) k ≡ a ∗ ( 1 ) b ≡ a ( mod p ) a ( p − 1 ) ≡ 1 mod p . Alice got message back!!! Idea: Fermat removes the k ( p − 1 ) from the exponent! ...Decoding correctness... RSA decodes correctly.. Construction of keys.. .. Lemma 1: For any prime p and any a , b , 1. Find large (100 digit) primes p and q ? a 1 + b ( p − 1 ) ≡ a ( mod p ) Lemma 2: For any two different primes p , q and any x , k , Prime Number Theorem: π ( N ) number of primes less than x 1 + k ( p − 1 )( q − 1 ) ≡ x ( mod pq ) N .For all N ≥ 17 Lemma 2: For any two different primes p , q and any x , k , x 1 + k ( p − 1 )( q − 1 ) ≡ x ( mod pq ) Theorem: RSA correctly decodes! π ( N ) ≥ N / ln N . Recall Let a = x , b = k ( p − 1 ) and apply Lemma 1 with modulus q . x 1 + k ( p − 1 )( q − 1 ) ≡ x ( mod q ) Choosing randomly gives approximately 1 / ( ln N ) chance of D ( E ( x )) = ( x e ) d = x ed ≡ x ( mod pq ) , number being a prime. (How do you tell if it is prime? ... x 1 + k ( q − 1 )( p − 1 ) − x ≡ 0 mod ( q ) = ⇒ multiplie of q . cs170..Miller-Rabin test.. Primes in P ). Let a = x , b = k ( q − 1 ) and apply Lemma 1 with modulus p . where ed ≡ 1 mod ( p − 1 )( q − 1 ) = ⇒ ed = 1 + k ( p − 1 )( q − 1 ) For 1024 bit number, 1 in 710 is prime. x 1 + k ( p − 1 )( q − 1 ) ≡ x ( mod p ) x ed ≡ x k ( p − 1 )( q − 1 )+ 1 ≡ x ( mod pq ) . 2. Choose e with gcd ( e , ( p − 1 )( q − 1 )) = 1. x 1 + k ( q − 1 )( p − 1 ) − x ≡ 0 mod ( p ) = ⇒ multiplie of p . Use gcd algorithm to test. x 1 + k ( q − 1 )( p − 1 ) − x is multiple of p and q . 3. Find inverse d of e modulo ( p − 1 )( q − 1 ) . x 1 + k ( q − 1 )( p − 1 ) − x ≡ 0 mod ( pq ) = ⇒ x 1 + k ( q − 1 )( p − 1 ) = x mod pq . Use extended gcd algorithm. All steps are polynomial in O ( log N ) , the number of bits.
Security of RSA. Much more to it..... If Bobs sends a message (Credit Card Number) to Alice, Eve sees it. Security? Eve can send credit card again!! 1. Alice knows p and q . The protocols are built on RSA but more complicated; For example, several rounds of challenge/response. 2. Bob only knows, N (= pq ) , and e . Does not know, for example, d or factorization of N . One trick: Bob encodes credit card number, c , 3. Breaking this scheme = ⇒ factoring N . concatenated with random k -bit number r . Don’t know how to factor N . Never sends just c . Again, more work to do to get entire system. CS161...
Recommend
More recommend
