Aa3 (Rsa)

Uploaded by johnalba250

Arithmetic algorithms and the RSA

Grau-AA
Complexity of dealing with large integers.

We work with large single integers.

Input size: the size of an input is the number of bits required to represent that input.
N: decimal representation of the integer
n: number of bits needed in the binary representation (size of the input)

If N ∈ Z, size |N| = n ∼ log N.

If an algorithm A has input integers a_1, a_2, ..., a_k, A is polynomial time if it runs in time polynomial in log a_1 + log a_2 + ... + log a_k.
Review of Modular Arithmetic

Division Theorem: For any a ∈ Z and N ∈ Z+, there are unique integers q and r such that 0 ≤ r < N and a = qN + r.
q = ⌊a/N⌋ is the quotient and r = a mod N is the remainder.

Given a, b ∈ Z, N ∈ Z+, a is congruent with b modulo N, written a mod N = b mod N or a ≡_N b, iff N | (a − b).

N partitions Z into N equivalence classes [a]_N according to their remainder modulo N:

[a]_N = {a + kN | k ∈ Z}

Notice that [a]_N = [b]_N iff a ≡_N b. Hence,

Z_N = {[a]_N | a ∈ {0, 1, ..., N − 1}} = {0, 1, ..., N − 1}

Here, a ∈ Z_N represents [a]_N.

(a + b) ≡_N (a mod N) + (b mod N).
(a · b) ≡_N (a mod N) · (b mod N).
a^b ≡_N (a mod N)^b.
Notice that if a^b ≡_N 1 then (a mod N)^b ≡_N 1.

- a(bc) ≡_N (ab)c (associativity)
- ab ≡_N ba (commutativity)
- a(b + c) ≡_N ab + ac (distributivity)

These operations can help in simplifying big calculations.
For example, to compute 2^285 mod 31:

2^285 ≡_31 (2^5)^57 ≡_31 32^57 ≡_31 (32 mod 31)^57 ≡_31 1^57 ≡_31 1
Modular Operations

Modular multiplication
INPUT: x, y, N ∈ N
OUTPUT: (x · y) mod N.
To implement x · y mod N we must do a non-modular multiplication x × y and divide by N, which needs O(n^2) steps where n = max{|x|, |y|, |N|}.

Modular exponentiation
INPUT: Two n-bit integers x and N, an integer exponent y
OUTPUT: x^y mod N.
Obvious way: Multiply repeatedly by (x mod N),
x mod N → x^2 mod N → ... → x^y mod N
Total cost: O(y n^2), but y = O(2^|y|). Then the cost is exponential!
Clever way: Repeated squaring,
x mod N → x^2 mod N → x^4 mod N → ... → x^(2^⌊log y⌋) mod N
Modular Exponentiation

Function modexp(x, y, N)
  if y = 0 then
    return 1
  end if
  z := modexp(x, ⌊y/2⌋, N)
  if y is even then
    return z^2 mod N
  else
    return x · z^2 mod N
  end if

Complexity: n recursive calls; during each call it multiplies n-bit numbers (doing the computation modulo N saves us here!).
Total running time O(n^3).
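
The modexp recursion above, as an added example that is not from the slides (the function names are mine): the same algorithm instrumented to count modular multiplications, next to the "obvious way", so the O(log y) versus O(y) gap is visible on the slides' own input.

```python
# Added example, not from the slides: the recursive modexp of the slides,
# instrumented to count modular multiplications, beside the "obvious way" of
# multiplying y times, so the O(log y) versus O(y) gap is visible on real input.

def modexp(x, y, n):
    """x^y mod n by repeated squaring, following the slides' recursion."""
    if y == 0:
        return 1 % n              # 1 mod n (so that n = 1 is handled too)
    z = modexp(x, y // 2, n)      # z = x^floor(y/2) mod n
    if y % 2 == 0:
        return (z * z) % n        # x^y = (x^(y/2))^2
    return (x * z * z) % n        # x^y = x * (x^((y-1)/2))^2


def modexp_counted(x, y, n):
    """Same algorithm, returning (result, number of modular multiplications)."""
    if y == 0:
        return 1 % n, 0
    z, count = modexp_counted(x, y // 2, n)
    if y % 2 == 0:
        return (z * z) % n, count + 1
    return (x * z * z) % n, count + 2


def naive_modexp_counted(x, y, n):
    """The obvious way: multiply y times by (x mod n); cost grows with y itself."""
    result = 1 % n
    for _ in range(y):
        result = (result * (x % n)) % n
    return result, y


if __name__ == "__main__":
    # The slides' hand calculation 2^285 mod 31 = 1; 285 is a 9-bit exponent.
    print(modexp(2, 285, 31))                # 1
    print(modexp_counted(2, 285, 31))        # (1, 14): at most 2 per bit
    print(naive_modexp_counted(2, 285, 31))  # (1, 285)
    # A 256-bit exponent is routine for repeated squaring (about 2*256 steps)
    # and hopeless for the naive loop.
    e = (1 << 256) - 1
    print(modexp_counted(3, e, (1 << 127) - 1)[1])   # 512
```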
Greatest Common Divisor

GCD
INPUT: a, b ∈ Z
QUESTION: Compute gcd(a, b)

Recall that given a, b ∈ Z, gcd(a, b) is the largest integer which divides both a and b.
How to compute the gcd?
Obvious approach: factor and multiply the common factors.

Factoring
INPUT: N ∈ N
OUTPUT: Prime factors of N

Related problem:
Prime N
INPUT: N ∈ N
QUESTION: Decide if N is prime.

Factoring is a very difficult problem!
Greatest Common Divisor

Alternative: Use the following Theorem:

Theorem (Euclid)
For any a, b ∈ Z with a ≥ b, gcd(a, b) = gcd(a mod b, b).

Proof.
If c ∈ Z s.t. c|a and c|b then c|(a − b) ⇒ gcd(a, b) ≤ gcd(a − b, b).
If c ∈ Z s.t. c|(a − b) and c|b then c|a ⇒ gcd(a, b) ≥ gcd(a − b, b).
Therefore gcd(a, b) = gcd(a − b, b); subtracting b repeatedly until the first argument drops below b gives gcd(a mod b, b).
Euclid's algorithm.

To compute gcd(a, b):

EUCLID(a, b)
  if b = 0 then
    return a
  else
    return EUCLID(b, a mod b)
  end if

Example
EUCLID(30, 21) = EUCLID(21, 9) = EUCLID(9, 3) = EUCLID(3, 0) = 3
Correctness of Euclid's algorithm

Theorem
The algorithm EUCLID is correct. Moreover, for any integers a > b ≥ 0, the total time of EUCLID(a, b) is O(n^3), where n = max{|a|, |b|}.

Proof.
The correctness follows from the previous theorem plus the fact that each call decreases b until it is 0, and then gcd(a, 0) = a.
On the other hand, notice that after two consecutive recursive calls the length of both a and b decreases by at least one bit. Then the base case will be reached within 2n recursive calls.
Since each call involves an O(n^2) division, the total time is O(n^3).
Extended Euclid

Theorem
If a and b are any integers, not both zero, then gcd(a, b) is the smallest positive element of the set {ax + by | x, y ∈ Z} of linear combinations of a and b.

An alternative and useful characterization of gcd(a, b):

Lemma
For any integers a and b, if d|a and d|b and d = ax + by for some integers x and y, then necessarily d = gcd(a, b).

A small extension to Euclid's algorithm is the key to dividing in the modular world.

Extended Euclid

EXT-EUCLID(a, b)
  if b = 0 then
    return (a, 1, 0)
  else
    (d, x', y') := EXT-EUCLID(b, a mod b)
    return (d, y', x' − ⌊a/b⌋ y')
  end if

Lemma
For any positive integers a and b, EXT-EUCLID(a, b) returns (d, x, y) s.t. gcd(a, b) = d = ax + by. The total time of EXT-EUCLID(a, b) is O(n^3), where n = max{|a|, |b|}.
Example

EXT-EUCLID(99, 78)
(d, x1, y1) := EXT-EUCLID(99, 78) = (3, −11, 14)
(d, x2, y2) := EXT-EUCLID(78, 21) = (3, 3, −11)
(d, x3, y3) := EXT-EUCLID(21, 15) = (3, −2, 3)
(d, x4, y4) := EXT-EUCLID(15, 6) = (3, 1, −2)
(d, x5, y5) := EXT-EUCLID(6, 3) = (3, 0, 1)
(d, x6, y6) := EXT-EUCLID(3, 0) = (3, 1, 0)

Therefore gcd(99, 78) = 3 = (−11 × 99 + 14 × 78).


Modular division

- In real arithmetic:
  - Every number a ≠ 0 has an inverse 1/a.
  - Dividing by a is the same as multiplying by 1/a.
- In modular arithmetic, x is the multiplicative inverse of a modulo N if a · x ≡_N 1 (if it exists!)

Lemma
For any N > 1, if gcd(a, N) = 1 then the equation a · x ≡_N 1 has a unique solution, modulo N. Otherwise it has no solution.

(a^−1 mod N) denotes the multiplicative inverse of a modulo N, when a and N are relatively prime.
Modular division

Modular division
INPUT: x, y, N ∈ N
OUTPUT: (x · y^−1) mod N (if it exists!)

Define Z*_N = {a | a ∈ Z_N ∧ gcd(a, N) = 1}.
Example: Z*_15 = {1, 2, 4, 7, 8, 11, 13, 14}
Notice that (Z*_N, ·_N) is an abelian group. Therefore, ∀a ∈ Z*_N, ∃a^−1 ∈ Z*_N, the multiplicative inverse, such that a · a^−1 ≡ 1 (mod N).
To compute the multiplicative inverse of a ∈ Z*_N: use EXT-EUCLID(a, N) to get ax + Ny = 1, i.e. ax ≡ 1 (mod N).

Therefore, a^−1 mod N can be computed in time O(n^3).

Example

Find the multiplicative inverse of 5 mod 11.

gcd(5, 11) = 1 ⇒ 5 has a multiplicative inverse in Z*_11:
EXT-EUCLID(5, 11) = (1, −2, 1) ⇒ 5 · (−2) ≡ 1 (mod 11), and −2 is the multiplicative inverse of 5 mod 11.

If gcd(a, N) > 1 ⇒ a does not have an inverse in Z*_N.
When working in Z_N, the only possible division is by numbers relatively prime to N.

Example

Find the multiplicative inverse of 21 mod 91.

Notice 91 = 13 · 7 and 21 = 3 · 7, therefore gcd(91, 21) = 7 ⇒ 21 doesn't have an inverse mod 91.

Find the multiplicative inverse of 3 mod 32.

Equivalent to solving 3x ≡ 1 mod 32 ⇒ x = 11.
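
EUCLID, EXT-EUCLID and the modular inverse built on it, as an added example that is not from the slides (function names are mine); it reproduces the EXT-EUCLID(99, 78) recursion and the three inverse examples above, returning None where the Lemma says no inverse exists.

```python
# Added example, not from the slides: EUCLID and EXT-EUCLID exactly as the
# slides' recursions, a helper that lists every level of the EXT-EUCLID(99, 78)
# recursion, and the modular inverse built on EXT-EUCLID, which returns None when
# gcd(a, N) > 1 (no inverse exists, as the Lemma states).


def euclid(a, b):
    """gcd(a, b) via gcd(a, b) = gcd(b, a mod b)."""
    if b == 0:
        return a
    return euclid(b, a % b)


def ext_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = ext_euclid(b, a % b)   # d = b*x1 + (a mod b)*y1
    # a mod b = a - floor(a/b)*b, hence d = a*y1 + b*(x1 - floor(a/b)*y1)
    return d, y1, x1 - (a // b) * y1


def ext_euclid_trace(a, b):
    """(a, b, d, x, y) for each level of the recursion, outermost call first.

    Re-runs ext_euclid at every level, which is fine for a classroom trace."""
    rows = []
    while True:
        d, x, y = ext_euclid(a, b)
        rows.append((a, b, d, x, y))
        if b == 0:
            return rows
        a, b = b, a % b


def mod_inverse(a, n):
    """a^-1 mod n as an element of Z_n, or None if gcd(a, n) != 1."""
    d, x, _ = ext_euclid(a % n, n)
    if d != 1:
        return None          # a and n not relatively prime: no inverse
    return x % n             # EXT-EUCLID may return a negative x; reduce into Z_n


if __name__ == "__main__":
    print(euclid(30, 21))    # 3
    for row in ext_euclid_trace(99, 78):
        print("EXT-EUCLID(%d, %d) = (%d, %d, %d)" % row)
    print(mod_inverse(5, 11), mod_inverse(21, 91), mod_inverse(3, 32))  # 9 None 11
```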
Euler's Totient function

Given N, denote by φ(N) the Euler Totient function or Euler's phi function, defined as

$$\varphi(N) = N \prod_{p \mid N} \left(1 - \frac{1}{p}\right)$$

where p | N ranges over the set of primes p ≠ 1 dividing N.

The size of Z*_N is φ(N):

φ(N) = |Z*_N|

If N is prime ⇒ Z*_N = {1, ..., N − 1} and φ(N) = N − 1.
If N is composite ⇒ φ(N) < N − 1.
If N = pq where p and q are prime then

$$\varphi(N) = N\left(1 - \frac{1}{p}\right)\left(1 - \frac{1}{q}\right) = pq \cdot \frac{(p-1)(q-1)}{pq} = (p-1)(q-1).$$

Examples.

Z*_45 = {1, 2, 4, 7, 8, 11, 13, 14, 16, 17, 19, 22, 23, 26, 28, 29, 31, 32, 34, 37, 38, 41, 43, 44}

As 45 = 3 × 3 × 5, φ(45) = 45(1 − 1/3)(1 − 1/5) = 24.
φ(35): As 35 = 5 × 7 ⇒ φ(35) = 4 × 6 = 24.
Primality

Is N ∈ N prime? Eratosthenes' sieve,

PRIME
INPUT: N ∈ N
QUESTION: Decide if N is prime.

  for a = 2, 3, ..., N − 1 do
    if a|N then
      return "composite"
    end if
  end for
  return "prime"

Too slow!

Theorem (Euler)
For any integer N > 1,

a^φ(N) ≡ 1 (mod N)

for all a ∈ Z*_N.

Theorem (Fermat)
If p is prime, then

a^(p−1) ≡ 1 (mod p)

for all a ∈ Z*_p.
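
φ(N), Z*_N and Euler's theorem from the two slides above, as an added example that is not from the slides (function names are mine): φ by the product formula, Z*_N by enumeration so φ(N) = |Z*_N| can be checked, and a brute-force check that a^φ(N) ≡ 1 (mod N) on every a ∈ Z*_N.

```python
# Added example, not from the slides: phi(N) by the product formula over the
# distinct prime factors, Z*_N by direct enumeration so that phi(N) = |Z*_N| can
# be checked, and a brute-force check of Euler's theorem a^phi(N) = 1 (mod N) for
# every a in Z*_N. The trial-division factoring is only for the slides' small N.
from math import gcd


def prime_factors(n):
    """Distinct primes dividing n, by trial division (small n only)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def phi(n):
    """Euler's totient: N * prod over p | N of (1 - 1/p), kept in integers."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)   # exact: p divides result at this point
    return result


def units(n):
    """Z*_N = {a in Z_N : gcd(a, N) = 1}."""
    return [a for a in range(n) if gcd(a, n) == 1]


def euler_theorem_holds(n):
    """True iff a^phi(N) == 1 (mod N) for every a in Z*_N."""
    k = phi(n)
    return all(pow(a, k, n) == 1 for a in units(n))


if __name__ == "__main__":
    print(units(15))                       # the slides' Z*_15
    print(phi(45), len(units(45)))         # 24 24
    print(phi(35), phi(51))                # 24 32
    print(euler_theorem_holds(45), euler_theorem_holds(561))  # True True
```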
The Fermat Test

PRIMALITY(N)
  Pick a positive integer a < N at random
  if a^(N−1) ≡ 1 (mod N) then
    return yes {almost sure}
  else
    return no {sure}
  end if

Time: O(n^3).
Fermat's little theorem

If N is prime, then for all a ∈ Z*_N, a^(N−1) ≡ 1 mod N.

Fermat only works in one direction:

If N is prime ⇒ ∀a ∈ Z*_N, a^(N−1) ≡ 1 mod N, but
∃N composite such that ∀a ∈ Z*_N, a^(N−1) ≡ 1 (mod N):

The Carmichael numbers
Carmichael numbers are very rare (255 with value < 100000000):
561, 1105, 1729, ...
For example 561 = 3 × 11 × 17.
Theorem
If a^(N−1) ≢ 1 mod N for some a ∈ Z*_N, then this also happens for at least half of the choices a < N.

Sketch of the proof.

Fix some value of a for which a^(N−1) ≢ 1 mod N (a good witness of compositeness).
The key is to notice that every element b < N such that b^(N−1) ≡_N 1 has a twin, a · b, that is a good witness of compositeness:

(a · b)^(N−1) ≡_N a^(N−1) · b^(N−1) ≡_N a^(N−1) ≢_N 1

All the elements a · b, for a fixed a but for different choices of b, are distinct (if a · i ≡_N a · j then i ≡_N j, because a ∈ Z*_N is invertible).
The one-to-one function b → a · b shows that at least as many elements fail the test (i.e. are good witnesses of compositeness) as pass it.
In a Carmichael-free universe

If N is prime, the previous Monte-Carlo algorithm always gives the correct answer, but if N is composite it errs with probability ≤ 1/2.
The previous algorithm has one-sided error, therefore repeating the algorithm k times, the probability of error goes down to ≤ 1/2^k.

Repeated-Fermat(N, k)
  for i = 1 to k do
    a := random(1, N − 1)
    if a^(N−1) ≢ 1 mod N then
      return non-prime {sure}
    end if
  end for
  return prime {almost sure}
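
The Fermat test, Repeated-Fermat and the Carmichael numbers of the slides above, as an added example that is not from the slides (function names are mine): it counts Fermat witnesses for an ordinary composite (21) and for 561, and recovers the Carmichael numbers below 2000 by brute force.

```python
# Added example, not from the slides: the Fermat test and the slides'
# Repeated-Fermat, plus brute-force counts showing why Carmichael numbers defeat
# them: for 561 = 3 * 11 * 17 every a coprime to 561 passes a^(N-1) = 1 (mod N),
# so fewer than half of all a < 561 are Fermat witnesses, while for an ordinary
# composite such as 21 the "at least half" theorem is visible in the counts.
import random
from math import gcd


def fermat_test(n, a):
    """One Fermat check: True ('almost sure' prime) iff a^(N-1) = 1 (mod N)."""
    return pow(a, n - 1, n) == 1


def repeated_fermat(n, k, rng=None):
    """The slides' Repeated-Fermat(N, k): 'non-prime' is certain, 'prime' is not."""
    rng = random.Random() if rng is None else rng
    for _ in range(k):
        a = rng.randint(1, n - 1)
        if not fermat_test(n, a):
            return "non-prime"
    return "prime"


def is_composite(n):
    """Trial division; only for the small N used to study the test itself."""
    return n > 1 and any(n % p == 0 for p in range(2, int(n ** 0.5) + 1))


def fermat_witness_count(n):
    """(number of a in 1..N-1 with a^(N-1) != 1 mod N, number of candidates)."""
    witnesses = sum(1 for a in range(1, n) if not fermat_test(n, a))
    return witnesses, n - 1


def fools_fermat_on_all_units(n):
    """True iff N is composite yet every a in Z*_N passes: N is a Carmichael number.

    The only a < N that then expose N are those sharing a factor with it."""
    if not is_composite(n):
        return False
    return all(fermat_test(n, a) for a in range(1, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    print(repeated_fermat(11, 5))          # prime (11 really is prime)
    print(fermat_witness_count(21))        # (16, 20): well over half
    print(fermat_witness_count(561))       # (240, 560): under half
    print([n for n in range(3, 2000, 2) if fools_fermat_on_all_units(n)])
```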
Taking into account the Carmichael numbers

Theorem
If N is an odd prime and e ≥ 1, then the equation x^2 ≡ 1 (mod N^e) has only two solutions, x ≡ 1 (mod N^e) and x ≡ −1 (mod N^e).

A number x ∈ Z is a nontrivial root of 1, modulo N, if it satisfies x^2 ≡_N 1, but x ≢_N ±1. Notice that −1 ≡_N N − 1.

Corollary
If there exists a nontrivial square root of 1 modulo N, then N is composite.

Example: 6 is a non-trivial root of 1 mod 35: as 6^2 ≡ 1 (mod 35) but 6 ≢ ±1 (mod 35).
Taking into account the Carmichael numbers.

To ensure that the primality check is not fooled by the Carmichael numbers, given N to test for primality:
- generate several random values a ∈ Z+_N,
- ∀a, check if a^(N−1) ≡ 1 mod N,
- see if it discovers an x that is a non-trivial square root of 1 mod N.

Example: 5^2 ≢ 1 mod 21
6^2 ≢ 1 mod 21
7^2 ≢ 1 mod 21
8^2 = 64 ≡ 1 mod 21
Therefore, 8 is a non-trivial root of 1 mod 21, so 21 is composite.
Witness to the compositeness of N

Given an odd integer N > 2, and a ∈ Z+_N, we say that a is a witness to the compositeness of N if either:
- a^(N−1) ≢ 1 mod N
- ∃x_i = a^m, ∃m ∈ Z+_N s.t. x_i is a non-trivial square root of 1 mod N

We define a function Witness(a, N) to test if a^(N−1) ≢ 1 mod N or if we can find a non-trivial root of 1 mod N.
Let N > 2 be odd. Then N − 1 is even. Let N − 1 = 2^t u with t ≥ 1 and u odd; in binary, N − 1 = (101···1)(00···0), where the leading bits are u and the t trailing zeros are the factor 2^t.

For input a ∈ Z+_N, to compute a^(N−1) mod N:
first compute x_0 = a^u mod N, and then square the result t times: (···(x_0)^2 ···)^2, t squarings in all.
To go from x_0 = a^u mod N to x_t ≡ a^(N−1) mod N, we make t iterations x_i := x_{i−1}^2 mod N, and check whether x_{i−1} is a non-trivial root of 1 mod N.
Witness(a, N)
  Let N − 1 = 2^t u where t ≥ 1 and u is odd
  x := modexp(a, u, N) {x = a^u mod N}
  for i = 1 to t do
    y := x^2 mod N
    if (y = 1 ∧ x ≠ 1 ∧ x ≠ N − 1) then
      return true {x is a non-trivial root of 1 mod N}
    end if
    x := y
  end for
  if y ≠ 1 then
    return true {a^(N−1) ≢ 1 mod N: Fermat fails}
  else
    return false {a is not a witness}
  end if

Note: If x_i = 1 for some 0 ≤ i < t, Witness need not compute the rest of the sequence: each value x_{i+1}, ..., x_t would be 1.
Example: We wish to test if a = 7 is a witness to N = 561.
N − 1 = 560 = 100011 0000 in binary ⇒ u = 100011_2 = 35, t = 4

x_0 = 7^35 mod 561 = 241
x_1 = 241^2 mod 561 = 298
x_2 = 298^2 mod 561 = 166
x_3 = 166^2 mod 561 = 67
x_4 = 67^2 mod 561 = 1
67 is a non-trivial root of 1 mod 561.

If n = lg N, the complexity of Witness(a, N) is O(n^3).
Miller-Rabin primality test.

Polynomial time Monte-Carlo algorithm to decide if a given N ∈ Z is prime. The input to the algorithm is N and the number s of values a ∈ Z that we will test for being witnesses.

Miller-Rabin(N, s)
  for i := 1 to s do
    a := random(1, N − 1)
    if Witness(a, N) = true then
      return non-prime {Definitely}
    end if
  end for
  return prime {Almost surely}

If N is an n-bit number, the complexity of the algorithm is O(s n^3).

Correctness

Theorem
If N is an odd composite number, the number of witnesses to the compositeness of N is ≥ (N − 1)/2.

Theorem
For any odd integer N > 2 and s ∈ Z+, the probability that Miller-Rabin(N, s) errs is ≤ 2^−s.

Proof.
If N is composite, Miller-Rabin errs if it fails to discover a witness in the s iterations.
If N is composite, each iteration of the algorithm has probability ≥ 1/2 of discovering a witness a.
The probability that it misses in all iterations is ≤ 1/2^s.
Generating random numbers

We need a fast algorithm for choosing random primes that are a few hundred bits long.

Theorem (Lagrange's Prime Number Theorem)
Let π(N) be the number of primes less than or equal to N. Then π(N) ∼ N / ln N, or more precisely,

$$\lim_{N \to \infty} \frac{\pi(N)}{N / \ln N} = 1$$

Primes are abundant!

Algorithm to generate a random n-bit prime
- Pick a random n-bit number N.
- Run a primality test on N.
- If it passes the test, output N; else repeat the process.

How fast is this algorithm?
- If N has n bits, the number of primes among the 2^n possible numbers is 2^n / ln 2^n.
- The probability that a randomly chosen n-bit N ∈ Z is prime is ≥ 1/n ((2^n / ln 2^n) / 2^n = 1.442/n).
- Therefore the expected number of primality tests to be done until a prime is found is O(n).

For example, to choose a prime of 2000 digits will require testing about 2000 randomly chosen integers.

Exercise: We claim that since about a 1/n fraction of n-bit numbers are prime, on average it is sufficient to draw O(n) random n-bit numbers before hitting a prime. Show this claim.

To generate an n-bit prime:

1. Choose a random n-bit number N,
2. Run Miller-Rabin on N; if it passes, output N, else repeat the process.

With probability O(1/n), N will be prime ⇒ N will pass Miller-Rabin.
Otherwise, with probability 1/2^s, Miller-Rabin errs.
To make the failure probability of Miller-Rabin small, take s = lg n.
We need in expectation n lg n runs to get a prime.
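
Witness(a, N), Miller-Rabin(N, s) and the random n-bit prime generator of the slides above, as one added example that is not from the slides (function names are mine): the witness routine keeps the x_0..x_t sequence so the 7-versus-561 trace can be inspected, and the generator reports how many candidates it drew.

```python
# Added example, not from the slides: Witness(a, N) as on the slides (plus the
# full sequence x_0..x_t so the 7-versus-561 trace can be inspected),
# Miller-Rabin(N, s) built on it, and the random n-bit prime generator, which
# reports how many candidates it drew (expected O(n), as the slides argue).
import random

def split_power_of_two(m):
    """Write m = 2^t * u with u odd; return (t, u)."""
    t = 0
    while m % 2 == 0:
        m //= 2
        t += 1
    return t, m

def witness_trace(a, n):
    """x_0 = a^u mod N, then x_i = x_{i-1}^2 mod N up to x_t = a^(N-1) mod N."""
    t, u = split_power_of_two(n - 1)
    xs = [pow(a, u, n)]
    for _ in range(t):
        xs.append(xs[-1] * xs[-1] % n)
    return xs

def witness(a, n):
    """True iff a proves odd N composite: a non-trivial sqrt of 1 shows up, or Fermat fails."""
    t, u = split_power_of_two(n - 1)
    x = pow(a, u, n)
    for _ in range(t):
        y = x * x % n
        if y == 1 and x != 1 and x != n - 1:
            return True           # x is a non-trivial square root of 1 mod N
        x = y
    return x != 1                 # x = a^(N-1) mod N here; != 1 is a Fermat failure

def witness_count(n):
    """Witnesses among 1..N-1: >= (N-1)/2 for odd composite N, 0 for prime N."""
    return sum(1 for a in range(1, n) if witness(a, n))

def miller_rabin(n, s, rng=None):
    """True = prime (almost surely), False = composite (definitely)."""
    rng = random.Random() if rng is None else rng
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(witness(rng.randint(1, n - 1), n) for _ in range(s))

def random_prime(nbits, s, rng=None):
    """Draw random n-bit candidates until Miller-Rabin accepts; return (prime, draws)."""
    rng = random.Random() if rng is None else rng
    draws = 0
    while True:
        draws += 1
        n = rng.getrandbits(nbits) | (1 << (nbits - 1))   # force exactly n bits
        if miller_rabin(n, s, rng):
            return n, draws

if __name__ == "__main__":
    print(witness_trace(7, 561), witness(7, 561))  # [241, 298, 166, 67, 1] True
    print(witness_count(561), witness_count(563))  # >= 280, 0 (563 is prime)
    p, draws = random_prime(256, 20, random.Random(2024))
    print(p.bit_length(), draws)                   # 256, roughly 256*ln2 draws
```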
Cryptography

[Diagram: ALICE feeds the message M to an Encoder producing E(M); BOB's Decoder recovers M = D(E(M)); EVE listens on the channel in between.]

A sends a message M to B; E can eavesdrop on M.
How can we ensure that E cannot recover M?

Private-Key Systems

Key r is secret. Both A and B have a copy of r (dangerous), and D_r = E_r^−1.
To encrypt message M: compute X = E(M, r) = E_r(M)
To decrypt X: compute M = D(X, r) = D(E(M, r), r) = D_r(E_r(M)) = E_r^−1(E_r(M))
Public-Key Systems

(Diffie-Hellman) For each A there is a public key P_A and a secret key S_A. Knowing P_A does not help in discovering S_A.
A wishes to send a message to B and E is an eavesdropper.
Public Keys: P_A, P_B
Secret Keys: S_A, S_B
Secret and Public keys must have the following property:
For any person A, M = D(E(M, P_A), S_A) and Y = E(D(Y, S_A), P_A)
To send M from A (Alice) to B (Bob),
(1.-) A gets P_B,
(2.-) A computes the ciphertext C = E(M, P_B)
(3.-) A sends C to B.

When B gets C: D(C, S_B) = D(E(M, P_B), S_B) = M
RSA Cryptosystem: How to choose P_A and S_A

RSA: Rivest-Shamir-Adleman
Change text into numbers modulo N (ASCII)
(messages larger than N can be broken into smaller pieces).

1. Select large primes p and q
2. Compute N = p · q
3. Compute φ(N) = (p − 1) · (q − 1)
4. Choose c ∈ Z*_φ(N)
5. Compute d such that cd ≡ 1 mod φ(N), i.e. d ≡ c^−1 mod φ(N)
6. P_B = (c, N).
7. S_B = (d, N).

RSA

- Bob chooses his public and secret keys.
- Bob picks two large (n-bit) random primes p and q.
- His public key is P_B = (c, N) where N = p · q and c is a 2n-bit number relatively prime to (p − 1)(q − 1).
  (A common choice is c = 3)
- His secret key is S_B = (d, N) where d ≡ c^−1 mod φ(N) can be computed using the extended Euclid algorithm.
- Alice wishes to send the message x to Bob.
- She looks up his public key (N, c) and sends him y = E(x, P_B) = x^c mod N.
- He decodes the message by computing D(y, S_B) = y^d mod N = x.

Complexity of RSA

1. Select primes p, q (Miller-Rabin)
2. N = p · q (The heart of the security is the difficulty of factoring N)
3. φ(N) = (p − 1) · (q − 1)
4. Choose c ∈ Z*_φ(N): select a prime in Z_φ(N) (or choose c ∈ {3, 5, 7, 11, ...})
5. Compute d: cd ≡ 1 mod φ(N) (Use EXT-EUCLID(c, φ(N)) to solve cd ≡ 1 mod φ(N))
Correctness of RSA

We want to see that for any X ∈ Z_N, X = D(E(X, P_B), S_B) and X = E(D(X, S_B), P_B).

Theorem
Let p and q be primes and let N = pq. For any c ∈ Z*_φ(N), φ(N) = (p − 1)(q − 1), and any integer x ∈ Z_N we have:
1. The mapping x → x^c mod N is a bijection from Z_N to Z_N.
2. (Inverse mapping) Let d = c^−1 mod φ(N). Then for all x ∈ {0, ..., N − 1}, (x^c)^d ≡ x mod N.

Proof of the correctness of RSA

As c ∈ Z*_φ(N), d = c^−1 mod φ(N) exists (φ(N) = (p − 1)(q − 1)).
Since cd ≡_φ(N) 1, ∃k ∈ N: cd = 1 + kφ(N) ⇒ x^(cd) = x^(1+kφ(N)).
By Fermat, x^(p−1) ≡_p 1 and x^(q−1) ≡_q 1.
Then, x^((p−1)(q−1)) ≡_p 1 and x^((p−1)(q−1)) ≡_q 1.
By the Chinese Remainder Theorem, x^((p−1)(q−1)) ≡_N 1.

Hence, x^(cd) ≡_N x^(1+kφ(N)) ≡_N x · (x^(k(p−1)(q−1))) ≡_N x.

(2 ⇒ 1) Since x → x^c (mod N) is invertible (x^c → x (mod N)), it must be a bijection. □
The Security of RSA

Given N, c and y, it is computationally intractable to determine x s.t. y = x^c mod N.
Note that:
- Eve cannot try all the possible values of x (an exponential number of possibilities!).
- She could try to factor N to retrieve p and q and then figure out d by inverting c modulo (p − 1)(q − 1), but factoring is hard!
Example

M = 2
1. Select large primes p and q:            p = 3, q = 17
2. Compute N = p · q:                       N = 3 × 17 = 51
3. Compute φ(N) = (p − 1) · (q − 1):        φ(51) = 2 × 16 = 32
4. Choose c ∈ Z*_φ(N):                      c = 3
5. Compute d such that cd ≡ 1 mod φ(N):     d = 11
6. P_A = (c, N):                            P = (3, 51)
7. S_A = (d, N):                            S = (11, 51)

To encrypt: E(2, (3, 51)) = 2^3 mod 51 = 8

To decrypt: D(8, (11, 51)) = 8^11 mod 51

8^2 mod 51 = 64 mod 51 = 13
8^4 mod 51 = 169 mod 51 = 16
8^5 mod 51 = 16 × 8 mod 51 = 128 mod 51 = 26
8^10 mod 51 = 26^2 mod 51 = 13
8^11 mod 51 = 13 × 8 mod 51 = 2
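
The RSA scheme, the correctness theorem and the toy example above, as an added example that is not from the slides (function names are mine): key generation from given primes, E and D, and brute-force checks on Z_51 that x → x^c mod N is a bijection and that decryption inverts it for every x, including those not coprime to N.

```python
# Added example, not from the slides: RSA key generation from given primes,
# E and D as in the slides, checked on the slides' toy instance (p=3, q=17,
# c=3, M=2) and on the correctness theorem: x -> x^c mod N is a bijection on
# Z_N and decrypting inverts it for every x in {0, ..., N-1}. Toy parameters
# only; real keys use Miller-Rabin-generated primes of hundreds of bits.
from math import gcd


def rsa_keys(p, q, c):
    """Return (P, S) = ((c, N), (d, N)) with d = c^-1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(c, phi) != 1:
        raise ValueError("c must be in Z*_phi(N)")
    d = pow(c, -1, phi)   # modular inverse (Python 3.8+), i.e. EXT-EUCLID(c, phi)
    return (c, n), (d, n)


def encrypt(x, public):
    c, n = public
    return pow(x, c, n)          # E(x, P) = x^c mod N


def decrypt(y, secret):
    d, n = secret
    return pow(y, d, n)          # D(y, S) = y^d mod N


def is_bijection_on_zn(public):
    """Theorem part 1: the image of Z_N under x -> x^c mod N is all of Z_N."""
    c, n = public
    return len({pow(x, c, n) for x in range(n)}) == n


def roundtrip_all(public, secret):
    """Theorem part 2: D(E(x)) = x for every x in Z_N, coprime to N or not."""
    n = public[1]
    return all(decrypt(encrypt(x, public), secret) == x for x in range(n))


if __name__ == "__main__":
    P, S = rsa_keys(3, 17, 3)
    print(P, S)                       # (3, 51) (11, 51)
    print(encrypt(2, P))              # 8
    print(decrypt(8, S))              # 2
    print(is_bijection_on_zn(P), roundtrip_all(P, S))   # True True
```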
The hidden history

The British GCHQ (Government Communications Headquarters) discovered the public key scheme a few years before the Stanford-MIT teams, but it was considered a national secret until 1997.
So, contrary to Diffie and Hellman (Public Key, discrete logarithm, 1976) and Rivest, Shamir and Adleman (Public Key, factorization, 1977), the mathematicians of the British GCHQ, James Ellis (1970) and Clifford Cocks (1973), remain basically unknown to almost everybody.

The Code Book by Simon Singh, Fourth Estate, 1999.
