Chapter 11 - Sections 5-7 (elise/courses/cs631/presentation.pdf)
Chapter 11, Sections 5-7
Sam Demorest
April 15, 2015
Outline
1. 11.5: A Naive Example; An algorithm for improvement; An example of Algorithm 11.4
2. 11.6: Finding Large Prime Numbers; Searching for Large Primes; Checking if a Number is Prime; Modulo Congruence; AKS Algorithm; Time Complexity of AKS Test
3. 11.7: Public Key Cryptosystems; Theorem 11.33
Section 11.5: A Naive Example / An algorithm for improvement / An example of Algorithm 11.4
Example 11.51: Modulo Exponentiation
Example 11.51 provides us with an inefficient example of modulo exponentiation. We are asked to calculate $([7]_{20})^{11}$.
We can read this as $7^{11} \bmod 20$:
$([7]_{20})^{11} = [1977326743]_{20} = [3]_{20}$
Algorithm 11.4
[Algorithm listing from the Neapolitan text; the figure is not captured in this transcript]
Example 11.52: Algorithm 11.4 in Action
Calculating $([m]_n)^k$ with the following conditions: n = 257, m = 5, k = 45.
We can express 45 as 0b101101, that is $\{b_5, b_4, b_3, b_2, b_1, b_0\} = \{1, 0, 1, 1, 0, 1\}$. In the table on the next slide, $k_i$ is represented as $[b_j b_{j-1} \ldots b_i]_2$.
In the next slide, we see a table of the values calculated as the steps of Algorithm 11.4 are performed.
Algorithm Value Calculations
[Table of per-iteration values not captured in this transcript]
Theorem 11.26: After each iteration of the for-i loop in Algorithm 11.4, $a = ([m]_n)^{k_i}$. Since $k_0 = k$, this means the final value of a is $([m]_n)^k$.
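Added example (my code, not the slides' or the Neapolitan text's listing, which is a figure not captured above): the left-to-right binary method that Theorem 11.26 describes, with the invariant $a = ([m]_n)^{k_i}$ recorded at every step so that modexp_trace(5, 45, 257) reproduces the table of values the slides refer to for Example 11.52. naive_modexp is the Example 11.51 approach, included for comparison. The function names and the trace layout are my choices.

```python
# Added example: left-to-right (most-significant-bit-first) modular
# exponentiation, the structure Theorem 11.26 describes. Not the textbook's
# own listing; names and trace format are assumptions of this example.

def bits_msb_first(k):
    """Binary digits b_j ... b_0 of k, most significant first (k > 0)."""
    return [int(c) for c in bin(k)[2:]]


def modexp_trace(m, k, n):
    """Compute ([m]_n)^k by scanning the bits of k from b_j down to b_0.

    Invariant (Theorem 11.26): after processing bit i, a = m^{k_i} mod n,
    where k_i = [b_j b_{j-1} ... b_i]_2 is the prefix of k's binary digits.
    Returns (a, trace) with trace = [(i, b_i, k_i, a), ...], one row per step.
    """
    if k == 0:
        return 1 % n, []
    bits = bits_msb_first(k)
    j = len(bits) - 1
    a, k_i, trace = 1, 0, []
    for idx, b in enumerate(bits):
        i = j - idx                # bit position, counting down to 0
        k_i = 2 * k_i + b          # k_i = [b_j ... b_i]_2 (prefix grows by one bit)
        a = (a * a) % n            # squaring doubles the exponent: m^{2 k_{i+1}}
        if b:                      # multiply in one more factor of m when b_i = 1
            a = (a * m) % n        # (a secret-dependent branch: see usage note)
        trace.append((i, b, k_i, a))
    return a, trace


def naive_modexp(m, k, n):
    """The Example 11.51 approach: compute m^k in full, then reduce (inefficient)."""
    return (m ** k) % n


if __name__ == "__main__":
    result, rows = modexp_trace(5, 45, 257)
    print("  i  b_i  k_i      a")
    for i, b, k_i, a in rows:
        print(f"{i:3d} {b:4d} {k_i:4d} {a:6d}")
    print("([5]_257)^45 =", result)
    print("([7]_20)^11 naive:", naive_modexp(7, 11, 20))
```

The `if b:` branch makes the running time depend on the exponent bits; when the exponent is a private key, as in the RSA material later in these slides, constant-time implementations avoid such data-dependent branches.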
Section 11.6: Finding Large Prime Numbers / Searching for Large Primes / Checking if a Number is Prime / Modulo Congruence / AKS Algorithm / Time Complexity of AKS Test
Why Large Primes?
Factoring integers into primes is in the NP class of problems.
This makes encryption algorithms that rely on the difficulty of prime factorization relatively secure.
Finding large primes can occur in polynomial time (as we will see).
Prime Distribution
The Prime Distribution Function (π): The prime distribution function π(n) is the number of primes less than or equal to n.
Theorem 11.27:
$\lim_{n \to \infty} \frac{\pi(n)}{n / \ln n} = 1$
Due to this theorem, for large values of n, the distribution function can be approximated as $n / \ln n$, and so the probability of a randomly chosen large number being prime can be approximated as:
$\frac{n / \ln n}{n} = \frac{1}{\ln n}$
Primality Testing
Finding a polynomial-time algorithm to determine primality has traditionally been a challenge.
The best we had for a long time was the Miller-Rabin Randomized Primality Test, which is an efficient probabilistic method of determining primality.
In 2002, Agrawal, Kayal, and Saxena developed a polynomial-time deterministic (rather than probabilistic) test for primality.
Miller-Rabin Randomized Primality Test
This test is fast and will always determine a truly prime number to be prime.
The major disadvantage of this algorithm is that it may determine a composite number to be prime (with a low probability of this happening).
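Added example (my code, not from the slides or the Neapolitan text) tying the three preceding slides together: π(n) by a sieve set against the $n / \ln n$ approximation of Theorem 11.27, a Miller-Rabin test whose single-base helper exposes the failure mode just described (a composite accepted because the chosen base is a "strong liar"), and a random search for a large prime whose expected number of candidates follows from the $1 / \ln n$ density. The round count of 20, the rng parameter and the sample numbers 2047 = 23 · 89 and 1000001 = 101 · 9901 are my choices.

```python
# Added example: prime density, Miller-Rabin and prime search.
# Not the textbook's code; function names and parameters are assumptions.
import math
import random


def prime_pi(n):
    """π(n): the number of primes <= n, by a sieve of Eratosthenes."""
    if n < 2:
        return 0
    is_prime = bytearray([1]) * (n + 1)
    is_prime[0] = is_prime[1] = 0
    for i in range(2, math.isqrt(n) + 1):
        if is_prime[i]:
            is_prime[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return sum(is_prime)


def density_comparison(n):
    """Return (π(n), n/ln n, π(n) / (n/ln n)); Theorem 11.27 says the ratio tends to 1."""
    approx = n / math.log(n)
    count = prime_pi(n)
    return count, approx, count / approx


def passes_base(n, a):
    """One Miller-Rabin round with base a, for odd n > 2.

    Returns True when base a does not expose n as composite. For a composite n a
    True result means a is a 'strong liar': this is exactly how the test can
    wrongly report a composite as prime.
    """
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):     # square up to s-1 more times, looking for -1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n, rounds=20, rng=random):
    """Probabilistic test: never rejects a prime; accepts a composite with
    probability at most 4^-rounds over the random choice of bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):   # trial division catches tiny inputs
        if n % p == 0:
            return n == p
    return all(passes_base(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def random_prime(bits, rng=random):
    """Search random odd bits-bit candidates until one passes Miller-Rabin.
    With density 1/ln n, about ln(2^bits)/2 odd candidates are expected."""
    tries = 0
    while True:
        tries += 1
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bits
        if miller_rabin(candidate, rng=rng):
            return candidate, tries


def seeded_rng(seed):
    """Reproducible generator for demonstrations only (see usage note)."""
    return random.Random(seed)


if __name__ == "__main__":
    print("pi(10^4), 10^4/ln(10^4), ratio:", density_comparison(10_000))
    print("2047 = 23*89 passes base 2?", passes_base(2047, 2))
    print("2047 passes base 3?", passes_base(2047, 3))
    print("miller_rabin(2047):", miller_rabin(2047, rng=seeded_rng(1)))
    print("64-bit prime, tries:", random_prime(64, rng=seeded_rng(1)))
```

The seeded generator is only for reproducible output; candidates for real key material must come from random.SystemRandom() or another operating-system entropy source, since a predictable generator makes the resulting primes predictable.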
Modulo Congruence
Definition
Let f(x) and g(x) be polynomials with integral coefficients. If the coefficients of each power of x are congruent modulo n, we say that f(x) and g(x) are congruent modulo n, and we write:
$f(x) \equiv g(x) \bmod n$.
An example from the book: 11.55
$(6x^2 + 9x + 1) \equiv (2x^2 + x - 3) \bmod 4$
This is true because of the following equivalences:
$6 \equiv 2 \bmod 4$, $9 \equiv 1 \bmod 4$, $1 \equiv -3 \bmod 4$
Lemma 11.2
Lemma 11.2: If n is prime then for all integers m,
$(x - m)^n \equiv (x^n - m) \bmod n$.
Relative Primality
Definition
Two positive integers are relatively prime (coprime) if they share no common factors except 1.
Theorem 11.28
Suppose m and n are relatively prime. Then n is prime if and only if:
$(x - m)^n \equiv (x^n - m) \bmod n$
Theorem 11.29
Suppose n and r are prime. Then for all integers m,
$(x - m)^n \equiv (x^n - m) \bmod (x^r - 1, n)$
AKS Algorithm for Determining Primality
[Algorithm listing is a figure not captured in this transcript]
Proof of correctness
Theorem 11.30
If a prime number is the input to the AKS algorithm, the algorithm returns true.
Proof: If n is prime, then for all r < n,
$\gcd(n, r) = 1$,
which demonstrates that the first while loop will not return false. Since n and r are by definition coprime (as n is prime), Theorem 11.29 dictates that false cannot be returned in the second while loop.
Lemmas 11.3 & 11.4
Lemma 11.3: Suppose g(x) is a polynomial with integer coefficients and n is prime. Then
$[g(x)]^n \equiv g(x^n) \bmod n$
Lemma 11.4: Suppose g(x) is a polynomial with integer coefficients, and n and r are prime. Then
$[g(x)]^n \equiv g(x^n) \bmod (x^r - 1, n)$
Lemma 11.5 & Lemma 11.6
Lemma 11.5: If r and q are prime, q divides r − 1, and $q \ge 4\sqrt{r}\,\log_2(n)$, then $q \mid \mathrm{ord}_r(n)$ if and only if:
$n^{(r-1)/q} \not\equiv 1 \bmod r$.
Lemma 11.6: If n is composite, q is prime, and $q \mid \mathrm{ord}_r(n)$, then there is a prime factor p of n such that:
$q \mid \mathrm{ord}_r(p)$.
Lemma 11.7
Lemma 11.7: Suppose the second while loop in the AKS algorithm is exited because the value of switch is true. If p is as in Lemma 11.6, and we let $l = \lfloor 2\sqrt{r}\,\log_2 n \rfloor$, then there is a polynomial
$g(x) = (x - 1)^{k_1}(x - 2)^{k_2} \cdots (x - l)^{k_l}$
with the following properties. Let
$J_{g(x)} = \{\, m \mid g(x)^m \equiv g(x^m) \bmod (x^r - 1, p) \,\}$.
Then $J_{g(x)}$ is closed under multiplication, and there is an integer a such that if $m \equiv k \bmod r$, then $m \equiv k \bmod a$.
Theorem 11.31
Theorem 11.31: If a composite number is the input to the AKS Primality Test, the algorithm returns false.
Proof: We must consider the exit conditions for the first while loop in this algorithm. If the first while loop is exited because of its return statement, we are done and false is returned. The loop can also be exited if r = n − a, in which case n must be prime. We must therefore assume that a composite number is entered and the while loop is exited because the variable switch has the value true.
Theorem 11.31, Cont.
Owing to Lemma 11.5, $q \mid \mathrm{ord}_r(n)$. Suppose, for a contradiction, that the algorithm returns true. Then for $1 \le m \le l = \lfloor 2\sqrt{r}\,\log_2 n \rfloor$,
$(x - m)^n \equiv (x^n - m) \bmod (x^r - 1, n)$, which implies $(x - m)^n \equiv (x^n - m) \bmod (x^r - 1, p)$, which means
$[g(x)]^n \equiv g(x^n) \bmod (x^r - 1, p)$.
Theorem 11.31, Cont.
Therefore $n \in J_{g(x)}$, where $J_{g(x)}$ is defined in Lemma 11.7. Also $p \in J_{g(x)}$, and trivially $1 \in J_{g(x)}$, due to Lemma 11.4. Consider the set:
$E = \{\, n^i p^j \mid 0 \le i, j \le \lfloor \sqrt{r} \rfloor \,\}$.
Owing to Lemma 11.7, $E \subseteq J_{g(x)}$, and
$|E| = (1 + \lfloor \sqrt{r} \rfloor)^2 > r$.
Then by the pigeonhole principle, there are two elements $n^i p^j$ and $n^h p^k$ in E with $i \ne h$ or $j \ne k$ such that
$n^i p^j \equiv n^h p^k \bmod r$, and $n^i p^j \equiv n^h p^k \bmod a$, where a is as in Lemma 11.7.
Theorem 11.31, Cont.
Since $p \mid n$, n is composite, and $i, j \le \lfloor \sqrt{r} \rfloor$,
$n^i p^j \le n^{\sqrt{r}} \left(\frac{n}{2}\right)^{\sqrt{r}} = \frac{n^{2\sqrt{r}}}{2^{\sqrt{r}}}$.
Similarly, since $h, k \le \lfloor \sqrt{r} \rfloor$,
$n^h p^k \le \frac{n^{2\sqrt{r}}}{2^{\sqrt{r}}}$.
Since $a > \frac{n^{2\sqrt{r}}}{2}$, both elements are smaller than a, so their congruence modulo a gives
$n^i p^j = n^h p^k$.
Since $p \mid n$ and either $i \ne h$ or $j \ne k$, this implies that $n = p^s$ for some integer $s \ge 1$. However, in the first part of the algorithm we checked whether n is of the form $p^s$ for $s \ge 2$. Therefore s = 1 and n is prime. This is a contradiction, and the theorem is proved.
Lemmas 11.8 & 11.9
Lemma 11.8: Let $q_m$ be the largest prime factor of m. Then there exist a positive constant c and an integer N such that for n > N,
$\left| \{\, p \mid p \text{ is prime}, \; p \le n, \; \text{and } q_{p-1} > n^{2/3} \,\} \right| \ge c\,\frac{n}{\log_2 n}$.
Lemma 11.9: Let π(m) be the number of primes less than or equal to m. Then for $m \ge 1$,
$\frac{m}{6 \log_2 m} \le \pi(m) \le \frac{8m}{\log_2 m}$
Lemma 11.10
Lemma 11.10: Given positive integers m and n, the product
$(n - 1)(n^2 - 1) \cdots (n^m - 1)$
has at most $m^2 \log_2 n$ prime factors, and there are m terms.
Theorem 11.32
There exist positive constants $c_1$ and $c_2$ and an integer N such that for every n > N there is a prime r in the interval
$\left( c_1 (\log_2 n)^6,\; c_2 (\log_2 n)^6 \right)$
such that the largest prime factor q of r − 1 satisfies
$q \ge 4 r^{1/2} \log_2 n$ and $n^{(r-1)/q} \not\equiv 1 \bmod r$.
Worst Case Time Complexity for AKS Test
Basic operation: one-bit manipulation
Input size: The number of bits s required to encode n, which is given by $s = \lfloor \log_2 n \rfloor + 1$
AKS Worst-Time Proof
The AKS algorithm has many steps involved in it, the first of which is determining whether n is a perfect power of the form $k^j$. The number of roots checked here is O(s), where s is the input size: $n^{1/2}, n^{1/3}, \ldots, n^{1/m}$, where $m = \lfloor \log_2 n \rfloor$. The time complexity of determining each root is $O(s^2)$. Therefore, this loop takes a total of $O(s^3)$ operations.
AKS Worst-Time Proof, Cont.
Theorem 11.32 allows us to determine that the number of passes through the first while loop is in $O(s^6)$. Since r < n, according to Algorithm 11.1, the time complexity for $\gcd(n, r)$ is in $O(s^2)$. Determining if r is prime and finding the largest prime factor of r − 1 takes $O(r^{1/2} s^2)$, which Theorem 11.32 dictates is in $O(s^3 s^2) = O(s^5)$ time. Thus, the total work in this loop is in $O(s^6 s^5) = O(s^{11})$.
AKS Worst-Time Proof, Cont.
Second While Loop: The number of passes through this loop is $\sqrt{r} \cdot s$, and owing to Theorem 11.32, this means there will be $O(s \cdot s^3) = O(s^4)$ passes. Following Theorem 11.29, the complexity of finding congruence is $O(r s^2)$ if Fast Fourier multiplication is utilized. Thus, again owing to Theorem 11.32, the time complexity of each pass is $O(s^6 s^2) = O(s^8)$. Therefore, the total time complexity of the second while loop is $O(s^8 s^4) = O(s^{12})$, which is the dominating term in the polynomial expressing the complexity of this algorithm.
Section 11.7: Public Key Cryptosystems / Theorem 11.33
How Asymmetric Cryptosystems Work
Requires a public key and a private key.
Public and private keys are inverses of each other.
Generally, a message is encrypted using the recipient's public key. Only the holder of the private key would then be able to decrypt this.
Sometimes a message is encrypted using the sender's private key. Only the sender's public key can then decrypt this. This is used to verify the identity of a sender (assuming the private key has not been compromised), and is called "signing" a message.
Definitions
Definition: Encryption is the process of taking a readable message and algorithmically transforming it into something that is readable only under special circumstances.
Definition: Ciphertext is the encoding of the message once it has been encrypted using the recipient's public key.
Definition: Decryption is the process of taking a ciphertext message and applying an algorithm to transform that ciphertext back into a readable message.
The RSA Cryptosystem
1. Discover two very large prime numbers, p and q.
2. Compute $n = pq$ and $\varphi(n) = (p - 1)(q - 1)$. ($\varphi(n)$ comes from Theorem 11.17.)
3. Select a smaller prime number g that is coprime with $\varphi(n)$.
4. Compute the multiplicative inverse $[h]_{\varphi(n)}$ of $[g]_{\varphi(n)}$. It has been shown that $[g]_{\varphi(n)} [h]_{\varphi(n)} = [1]_{\varphi(n)}$, and Corollary 11.8 has shown that $[h]_{\varphi(n)}$ exists and is unique.
5. Let the public key be pkey = (n, g), and the private (secret) key be skey = (n, h).
RSA Corollaries
The set of permissible messages is $\mathbb{Z}_n$. The function corresponding to the public key pkey = (n, g) is
$\mathrm{pub}(b) = b^g$
where $b \in \mathbb{Z}_n$, and the function corresponding to the private key skey = (n, h) is
$\mathrm{sec}(b) = b^h$
These functions must be inverses, otherwise the algorithm will not function as intended.
Theorem 11.33
The functions $\mathrm{pub}(b) = b^g$ and $\mathrm{sec}(b) = b^h$ are inverses of each other.
Proof: We are making the claim that $\mathrm{pub}(\mathrm{sec}(b)) = \mathrm{sec}(\mathrm{pub}(b)) = b^{gh}$ for any $b \in \mathbb{Z}_n$. We need only show $b^{gh} = b$. Let $m \in b$. As such, $m^{gh} \in b^{gh}$. We must show
$[m^{gh}]_p = [m]_p$
11.33 Proof Cont.
Since g and h are multiplicative inverses mod $\varphi(n) = (p - 1)(q - 1)$, $[gh]_{(p-1)(q-1)} = [1]_{(p-1)(q-1)}$, which means there is an integer k such that:
$gh = 1 + k(p - 1)(q - 1)$
There are two cases we must consider.
Case 1: Assume $[m]_p \ne [0]_p$. Then we have
11.33 Proof Cont.
$[m^{gh}]_p = [m^{1 + k(p-1)(q-1)}]_p = [m]_p \left( [m]_p^{\,p-1} \right)^{k(q-1)} = [m]_p [1]_p^{\,k(q-1)} = [m]_p$
The third equality above is due to Theorem 11.22.
11.33 Proof Cont.
Case 2: If $[m]_p = [0]_p$,
$[m^{gh}]_p = [m]_p^{gh} = [0]_p^{gh} = [0]_p = [m]_p$.
This establishes $[m^{gh}]_p = [m]_p$ in both cases, and the same argument with q in place of p establishes $[m^{gh}]_q \equiv [m]_q$ (Equality 11.32). Due to this, we can see that:
$m^{gh} \equiv m \bmod p$ and $m^{gh} \equiv m \bmod q$. Therefore $m^{gh} \equiv m \bmod n$, which means
$b^{gh} = b$.
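Added example (my code, not from the slides or the Neapolitan text) implementing steps 2 to 5 of the RSA construction above, with the extended Euclidean algorithm supplying $[h]_{\varphi(n)}$, and checking Theorem 11.33 exhaustively: for small p and q, every $b \in \mathbb{Z}_n$, including the Case 2 residues where $[m]_p = [0]_p$ or $[m]_q = [0]_q$, satisfies pub(sec(b)) = sec(pub(b)) = b. Step 1 (finding the primes) is not implemented here; p, q and g are caller-supplied, and the values 61, 53, 17 and 11, 13, 7 are constructed for the check.

```python
# Added example: RSA key construction as on the slides, and an exhaustive
# check of Theorem 11.33 for small parameters. Names are assumptions.

def egcd(a, b):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(g, phi):
    """[h]_phi with [g]_phi [h]_phi = [1]_phi; exists and is unique when gcd(g, phi) = 1
    (Corollary 11.8 on the slides)."""
    d, x, _ = egcd(g, phi)
    if d != 1:
        raise ValueError("g must be coprime with phi(n)")
    return x % phi


def rsa_keygen(p, q, g):
    """Steps 2-5: n = pq, phi(n) = (p-1)(q-1), h = g^-1 mod phi(n).
    Returns (pkey, skey) = ((n, g), (n, h))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    h = mod_inverse(g, phi)
    return (n, g), (n, h)


def pub(pkey, b):
    """pub(b) = b^g in Z_n."""
    n, g = pkey
    return pow(b, g, n)


def sec(skey, b):
    """sec(b) = b^h in Z_n."""
    n, h = skey
    return pow(b, h, n)


def verify_theorem_11_33(p, q, g):
    """Check pub(sec(b)) == sec(pub(b)) == b for every b in Z_n.
    The loop covers b with [b]_p = [0]_p or [b]_q = [0]_q (Case 2 of the proof)
    as well as the residues coprime to n (Case 1)."""
    pkey, skey = rsa_keygen(p, q, g)
    n = pkey[0]
    return all(pub(pkey, sec(skey, b)) == b == sec(skey, pub(pkey, b))
               for b in range(n))


if __name__ == "__main__":
    pkey, skey = rsa_keygen(61, 53, 17)            # constructed sample parameters
    print("pkey:", pkey, "skey:", skey)
    c = pub(pkey, 65)
    print("pub(65) =", c, " sec(pub(65)) =", sec(skey, c))
    print("Theorem 11.33 holds for all of Z_3233:", verify_theorem_11_33(61, 53, 17))
```

This is textbook RSA exactly as the slides define it: with no padding, pub is deterministic and multiplicatively malleable (pub(b1)·pub(b2) = pub(b1·b2) in $\mathbb{Z}_n$), so deployed systems wrap these functions in a padding scheme such as OAEP for encryption or PSS for signatures, and the primes must be far larger than the toy values used for the exhaustive check.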