Discrete Mathematical Structures, Sixth Edition. Bernard Kolman (Drexel University), Robert C. Busby (Drexel University), Sharon Cutler Ross (Georgia Perimeter College). Upper Saddle River, NJ 07458


11.3 Public Key Cryptology

In 1978, Ronald Rivest, Adi Shamir, and Leonard Adleman published "A Method for Obtaining Digital Signatures and Public Key Cryptosystems." In this paper, the authors describe a method of sending coded messages using a pair of publicly available integers. This method is widely called the RSA public key cryptosystem. We begin with a result on congruences that extends Fermat's Little Theorem (Theorem 3(b) of Section 9.6).

THEOREM 1. Suppose that p and q are distinct primes and k is any integer. Then

(a) For any integer a with GCD(a, pq) = 1,

$$a^{k(p-1)(q-1)} \equiv 1 \pmod{pq} \qquad (1)$$

(b) For any integer a,

$$a^{k(p-1)(q-1)+1} \equiv a \pmod{pq} \qquad (2)$$

Proof

(a) If GCD(a, pq) = 1, then a is not divisible by p or q; it is relatively prime to both. Thus by Fermat's Little Theorem (Theorem 3(b), Section 9.6), we have $a^{p-1} \equiv 1 \pmod p$, and so

$$a^{k(p-1)(q-1)} \equiv 1^{k(q-1)} = 1 \pmod p.$$

Similarly, $a^{k(p-1)(q-1)} \equiv 1 \pmod q$. Thus there exist integers r and s with

$$a^{k(p-1)(q-1)} = 1 + rp = 1 + sq.$$

It follows that rp = sq, and since q is not divisible by p, s must be, say, s = pt. Then

$$a^{k(p-1)(q-1)} = 1 + pqt$$

and

$$a^{k(p-1)(q-1)} \equiv 1 \pmod{pq}.$$

(b) If a is relatively prime to pq, the result follows from (1) by multiplying both sides by a. If not, then a is divisible by either p or q or both. If a is divisible by pq, then both sides of (2) are congruent to 0 mod pq and are therefore congruent to each other. In the remaining case, a is divisible by exactly one of the integers p or q, and without loss of generality, we may suppose that it is p. Then $a = bp^s$, with $s \ge 1$ and b relatively prime to pq. We note for later reference that b must satisfy (2).

Since p is relatively prime to q, we can show as in the proof of part (a) that for some integer r, $p^{k(p-1)(q-1)} = 1 + rq$. Multiplying by p then shows that

$$p^{k(p-1)(q-1)+1} \equiv p \pmod{pq},$$

and therefore

$$(p^s)^{k(p-1)(q-1)+1} = \left(p^{k(p-1)(q-1)+1}\right)^s \equiv p^s \pmod{pq}.$$

We see that both b and $p^s$ satisfy (2), and therefore so does their product a. ∎


Chapter 11 Groups and Coding

Example 1 Let p = 5 and q = 13. Since 28 is relatively prime to 5 × 13 = 65 and 48 = 4 × 12 = (5 − 1) × (13 − 1), we have $28^{48} \equiv 1 \pmod{65}$.

Example 2 Compute the remainder of $7^{293}$ after division by 65.

Solution

We use Theorem 1(a), with p = 5 and q = 13, so that 65 = pq. Now

$$293 = (48 \times 6) + 5,$$

and since 7 is relatively prime to 65,

$$7^{293} = (7^{48})^6 \times 7^5 \equiv 7^5 \pmod{65}.$$

But $7^3 = 343 \equiv 18 \pmod{65}$ and therefore

$$7^5 \equiv 18 \times 49 = 882 \equiv 37 \pmod{65}.$$

The remainder of $7^{293}$ after division by 65 is 37.

We now construct a system in which we can make public a method of encoding messages to us (called a public key), but nevertheless be relatively sure that only we can decode these messages. Theorem 1 will play a major role in this effort. As a first step, we note that any message can be turned into a string of integers using a variety of methods. One way is to use the letters of the alphabet to represent a number base 26. Let A, B, ..., Z stand for the integers 0, 1, ..., 25. Then any pair of letters $\alpha\beta$ can be regarded as the base 26 representation of the number $26\alpha + \beta$. In this way numbers in the range 0 to 675 can be used in place of any two-letter pair, and any message, when divided into two-letter pairs, can be represented by a sequence of integers in this range.

Example 3 Consider the message ACT FIRST. Separate the letters into pairs, and replace each pair with the number it represents in base 26. The pairs AC, TF, IR, and ST become, respectively, the integers 2, 499, 225, and 487. If a message has an odd number of letters, we can add an agreed upon filler letter, say X, at the end. A variation of this method would be to replace triples of letters by the base 26 number they represent. Then we would use numbers in the range 0 to $25 \times 26^2 + 25 \times 26 + 25 = 17575$.

We now describe a method of encoding messages. Select two primes, p and q, and let m = pq and n = (p − 1)(q − 1). Now choose any integer s that is relatively prime to n. We "publish" the integers m and s (that is, make them publicly available) and instruct anyone wishing to send us a secret message to proceed as follows: Divide the message into letter pairs $\alpha\beta$ and represent each pair as a number $x = 26\alpha + \beta$ in the range 0 to 675. Then replace each of these numbers x by the unique integer y between 0 and m − 1 for which $y \equiv x^s \pmod m$, and send us the resulting number sequence. For this procedure to produce unique results, m must be at least 675.

Decoding

Since s is chosen to be relatively prime to n, $\bar{s}$, the remainder class of s mod n, has a multiplicative inverse $\bar{t}$ in the ring $Z_n$. (See Section 9.6.) Thus for some integer t we have $st \equiv 1 \pmod n$, or st = 1 + k(p − 1)(q − 1) for some integer k. We can find t by using the Euclidean algorithm, as illustrated in Example 4 of Section 9.6.


If we receive the integer $y \equiv x^s \pmod m$, we compute $y^t \pmod m$ and apply Theorem 1. Since m = pq, Theorem 1(b) guarantees that

$$y^t = x^{st} = x^{1 + k(p-1)(q-1)} \equiv x \pmod m.$$

Since x does not exceed m, we have $y^t \pmod m = x$, so we have recovered the original integer x. We do this to all received integers, and thus decode the message.

Example 4 Let p = 19 and q = 37. Since m = pq = 703 > 675, we can use the RSA method to encode messages in groups of two letters. Here n = 18 · 36 = 648. Choose s = 25, which is relatively prime to 648. Now we publish the integers 703 and 25 as our public key. If someone wants to send us the message GO, she first computes 6 × 26 + 14 = 170 and then $170^{25} \pmod{703}$. Note that $170^2 = 28900 \equiv 77 \pmod{703}$. So

$$170^4 \equiv 77^2 \equiv 305 \pmod{703}$$

$$170^8 \equiv 305^2 \equiv 229 \pmod{703}$$

$$170^{16} \equiv 229^2 \equiv 419 \pmod{703}$$

It follows that

$$170^{25} = 170^{16} \cdot 170^8 \cdot 170 \equiv 419 \cdot 229 \cdot 170 = 16311670 \equiv 664 \pmod{703},$$

so she sends 664.

To decode the message, we first find t. Using the Euclidean algorithm, we compute

$$648 = 25 \times 25 + 23$$

$$25 = 1 \times 23 + 2$$

$$23 = 11 \times 2 + 1.$$

Thus

$$1 = 23 - 11 \cdot 2 = 23 - 11(25 - 23) = 12 \cdot 23 - 11 \cdot 25 = 12(648 - 25 \cdot 25) - 11 \cdot 25 = 12 \cdot 648 - 311 \cdot 25.$$

Thus $t = -311 \equiv 337 \pmod{648}$. Now we compute $664^{337} \pmod{703}$. A series of computations such as those used previously to find 664 shows that $664^{337} \equiv 170 \pmod{703}$. Since 6 × 26 + 14 = 170, we can then recover the original message GO.
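The whole procedure of this section in one place, as an added Python example (this is not the book's code): key generation from p, q and s as in Example 4, t found by the extended Euclidean algorithm, the base-26 letter pairs of Example 3, exponentiation by the repeated squaring done by hand above, and the exponent reduction of Example 2 that Theorem 1(a) justifies. The function names (keygen, encode_pairs, decode_pairs, reduced_power and the rest) are my own, and the parameters are the chapter's toy sizes.

```python
# Added example: toy RSA exactly as Section 11.3 describes it (not the book's code).
# Function names are my own. Toy parameters only: the point is to check the
# chapter's arithmetic, not to produce a usable cryptosystem.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def extended_gcd(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b), by the Euclidean algorithm."""
    if b == 0:
        return a, 1, 0
    g, u, v = extended_gcd(b, a % b)
    return g, v, u - (a // b) * v


def mod_inverse(s, n):
    """The t in 0..n-1 with s*t == 1 (mod n); it exists exactly when gcd(s, n) == 1."""
    g, u, _ = extended_gcd(s, n)
    if g != 1:
        raise ValueError("s must be relatively prime to n")
    return u % n


def keygen(p, q, s):
    """Return ((m, s), t): the published pair and the private decoding exponent t."""
    m, n = p * q, (p - 1) * (q - 1)
    if gcd(s, n) != 1:
        raise ValueError("s must be relatively prime to n = (p-1)(q-1)")
    if m <= 675:
        raise ValueError("m must exceed 675 so that two-letter blocks decode uniquely")
    return (m, s), mod_inverse(s, n)


def power_mod(base, exp, mod):
    """base^exp mod `mod` by repeated squaring, the method used by hand in Example 4."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def pairs_to_ints(message):
    """Letters -> base-26 pair values 26*alpha + beta (Example 3); X pads an odd length."""
    letters = "".join(c for c in message.upper() if c in ALPHABET)
    if len(letters) % 2:
        letters += "X"
    return [26 * ALPHABET.index(a) + ALPHABET.index(b)
            for a, b in zip(letters[::2], letters[1::2])]


def ints_to_pairs(numbers):
    """Inverse of pairs_to_ints."""
    return "".join(ALPHABET[x // 26] + ALPHABET[x % 26] for x in numbers)


def encode_pairs(message, public_key):
    """y = x^s mod m for every pair value x."""
    m, s = public_key
    return [power_mod(x, s, m) for x in pairs_to_ints(message)]


def decode_pairs(cipher, public_key, t):
    """x = y^t mod m; Theorem 1(b) guarantees this recovers x because x < m."""
    m, _ = public_key
    return ints_to_pairs([power_mod(y, t, m) for y in cipher])


def reduced_power(a, k, p, q):
    """a^k mod pq for gcd(a, pq) = 1, reducing k mod (p-1)(q-1) by Theorem 1(a) (Example 2)."""
    n = (p - 1) * (q - 1)
    if gcd(a, p * q) != 1:
        raise ValueError("Theorem 1(a) needs gcd(a, pq) = 1")
    return power_mod(a, k % n, p * q)


if __name__ == "__main__":
    public, t = keygen(19, 37, 25)          # Example 4: publishes (703, 25), keeps t = 337
    cipher = encode_pairs("GO", public)     # [664]
    print(public, t, cipher, decode_pairs(cipher, public, t))
    print(reduced_power(7, 293, 5, 13))     # Example 2: 37
```

Running the module reproduces Example 4 (664 sent, GO recovered with t = 337) and Example 2 (remainder 37); pairs_to_ints("ACT FIRST") gives the four integers of Example 3.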

Security

In the discussion of Bacon's code (Section 1.4), we noted that this method of coding is vulnerable to an attack based on an analysis of the frequency with which letters appear in ordinary language. By encoding pairs or triples of letters as we do with the public key method of this section, an attack by frequency analysis is much more difficult. But there are also other methods of attack on a public key cryptosystem.

In order to decode the message, someone must know t, which means that he must know n. This in turn requires him to know p and q. Thus the problem is to factor a number m, known to be the product of two primes. In Section 1.4, we showed that we can find the prime factors of m by trial and error if we divide m by all primes less than $\sqrt{m}$. In Example 4, m = 703, and the square root of 703 is less than 27. Thus we need only divide by 2, 3, 5, 7, 11, 13, 17, 19, and 23, at most


9 divisions, to find the prime factors. In practice, one chooses p and q to have something like 100 digits, that is, to be of the order of magnitude $10^{100}$, so that m is about $10^{200}$. A famous theorem about prime numbers, called appropriately the Prime Number Theorem, states that the number of primes less than or equal to an integer m is approximately $\dfrac{m}{\ln(m)}$, and this approximation gets better as m gets larger. Thus, the number of primes less than $\sqrt{m} = 10^{100}$ is about

$$\frac{10^{100}}{\ln(10^{100})} = \frac{10^{100}}{100 \ln(10)} \approx \frac{10^{100}}{230} > 10^{97}.$$

Presently, the fastest known computer has a speed of about 36,000 gigaflops a second. With this computer it would take about $10^{83}$ seconds, or about $10^{66}$ billion years, to do the required number of divisions. A similarly enormous number of the world's largest hard drives would be required just to store these prime divisors, if we even knew what they all were.

The difficulty of factoring extremely large numbers provides some level of security, but even so, messages can be decoded if additional information leaks out. For example, the factorization can be found if n = (p − 1)(q − 1) becomes known. This follows from the fact that p and q are roots of the quadratic equation

$$0 = (x - p)(x - q) = x^2 - (p + q)x + pq = x^2 - (p + q)x + m.$$

On the other hand,

$$n = (p - 1)(q - 1) = pq - (p + q) + 1 = m - (p + q) + 1,$$

so

$$(p + q) = m - n + 1.$$

We can therefore find p and q by solving the equation $0 = x^2 + (n - m - 1)x + m$.

Methods of coding for efficiency, for error detection and correction, or for security are an active area of mathematical research. In this book we have presented only some of the basic ideas and procedures.
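The two recovery routes described in the Security discussion, as an added Python example (not the book's code): trial division by the primes below $\sqrt{m}$, counting the divisions as the text does for m = 703, and solving $x^2 + (n - m - 1)x + m = 0$ once n has leaked, followed by the private exponent that n immediately yields. The function names (trial_division, factor_from_leaked_n, private_exponent_from_n) are my own; m = 703, n = 648 are Example 4's numbers, and the second modulus built from p = 101, q = 103 is a constructed sample. The lesson for anyone operating such a system is that n is private-key material, exactly as t is, and must be stored and handled as such.

```python
# Added example (not the book's code): what a leak of n does to the toy RSA of
# Section 11.3. Function names are my own; 703 and 648 are Example 4's numbers,
# and the modulus built from p = 101, q = 103 is a constructed sample.
from math import isqrt


def primes_up_to(limit):
    """Sieve of Eratosthenes: all primes <= limit, in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def trial_division(m):
    """Factor m = pq by dividing by the primes up to sqrt(m) (the Section 1.4 method).
    Returns (p, q, divisions_performed), or None if no prime <= sqrt(m) divides m."""
    for count, d in enumerate(primes_up_to(isqrt(m)), start=1):
        if m % d == 0:
            return d, m // d, count
    return None


def factor_from_leaked_n(m, n):
    """Solve x^2 + (n - m - 1)x + m = 0 over the integers; return (p, q) with p <= q,
    or None if (m, n) is not a consistent (pq, (p-1)(q-1)) pair."""
    b = n - m - 1                      # so that -b = p + q = m - n + 1
    discriminant = b * b - 4 * m       # (p + q)^2 - 4pq = (p - q)^2, a perfect square
    if discriminant < 0:
        return None
    root = isqrt(discriminant)
    if root * root != discriminant or (-b - root) % 2:
        return None
    p, q = (-b - root) // 2, (-b + root) // 2
    if p < 2 or p * q != m:
        return None
    return p, q


def private_exponent_from_n(s, n):
    """Knowing n is knowing t: t is the inverse of s mod n, the decoding exponent."""
    return pow(s, -1, n)   # modular inverse, Python 3.8 or later


if __name__ == "__main__":
    print(trial_division(703))                        # (19, 37, 8): found on the 8th prime
    print(factor_from_leaked_n(703, 648))             # (19, 37)
    print(private_exponent_from_n(25, 648))           # 337, the t of Example 4
    print(factor_from_leaked_n(101 * 103, 100 * 102)) # (101, 103), constructed sample
```

For m = 703 the sieve yields the nine primes the text lists, and the factor 19 turns up on the eighth division; with n = 648 no division at all is needed, and t = 337 follows at once.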

11.3 Exercises

1. Verify that $12^{704} \equiv 1 \pmod{391}$.

2. Verify that $10^{577} \equiv 10 \pmod{221}$.

In Exercises 3 through 6, compute the remainder when $a^k$ is divided by c for the given values.

3. a = 9, k = 199, c = 221

4. a = 17, k = 1123, c = 1189

5. a = 23, k = 3750, c = 3869

6. a = 12, k = 1540, c = 1649

7. Let p = 23 and q = 41. (a) Compute m = pq and n = (p − 1)(q − 1). (b) Let s = 41. Find t such that $st \equiv 1 \pmod n$.

8. Using m and s from Exercise 7 and pairs of letters, apply the RSA method to encode the message BEAR.

9. Using m and s from Exercise 7 and pairs of letters, apply the RSA method to decode the message 371, 640.


In Exercises 10 through 12, use the RSA method, pairs of letters, and the public key m = 779, s = 49.

10. Encode the message STOP.

11. Encode the message NO.

12. Encode the message EXIT.

In Exercises 13 through 15, use the RSA method, triples of letters, and the public key m = 19781, s = 19.

13. Encode the message RUN.

14. Encode the message YES.

15. Encode the message END.

16. The public key m = 779, s = 49 has been published. Suppose you discover that n for this cryptosystem is 720. Find p and q.


17. The public key m = 19781, s = 19 has been published. Suppose you discover that n for this cryptosystem is 19500. Find p and q.

18. Use the information from Exercise 16 to decode the message 142, 525.


19. Use the information from Exercise 17 to decode the message 14032.

Tips for Proofs

The proofs in this chapter rely heavily on earlier results. Many of the concepts developed throughout the book are applied here to the problems of coding and decoding. In Section 11.1, we pointed out the similarity of proving two numbers equal to proving two sets are the same. Analogous proofs could be developed for any relation that has the antisymmetric property, such as "is less than" and "is a subset of."

In Section 11.2, Theorem 2, we use a one-to-one, onto function to "match" the elements of two sets in order to show that they have the same number of elements. This is also a technique that can be used in solving counting problems if the cardinality of one of the sets used is known.

Key Ideas for Review

• Message: finite sequence of characters from a finite alphabet. Word: sequence of 0's and 1's

• (m, n) encoding function: one-to-one function $e: B^m \to B^n$, m < n

• Codeword: element in Ran(e). Weight of x, |x|: number of 1's in x

• Parity check code: see page 431

• Hamming distance between x and y, $\delta(x, y)$: $|x \oplus y|$

• Theorem (Properties of the Distance Function): Let x, y, and z be elements of $B^m$. Then
  (a) $\delta(x, y) = \delta(y, x)$.
  (b) $\delta(x, y) \ge 0$.
  (c) $\delta(x, y) = 0$ if and only if x = y.
  (d) $\delta(x, y) \le \delta(x, z) + \delta(z, y)$.

• Minimum distance of an (m, n) encoding function: minimum of the distances between all distinct pairs of codewords

• Theorem: An (m, n) encoding function $e: B^m \to B^n$ can detect k or fewer errors if and only if its minimum distance is at least k + 1.

• Group code: (m, n) encoding function $e: B^m \to B^n$ such that $e(B^m) = \{e(b) \mid b \in B^m\}$ is a subgroup of $B^n$

• Theorem: The minimum distance of a group code is the minimum weight of a nonzero code word.

• Mod-2 sum of Boolean matrices D and E, $D \oplus E$: see page 435

• Mod-2 Boolean product of Boolean matrices D and E, D * E: see page 435

• Theorem: Let m and n be nonnegative integers with m < n, r = n − m, and let H be an n × r Boolean matrix. Then the function $f_H: B^n \to B^r$ defined by

is a homomorphism from the group $B^n$ to the group $B^r$.

• Group code $e_H$ corresponding to parity check matrix H: see page 437

• (n, m) decoding function: see page 440

• Maximum likelihood decoding function associated with e: see page 441

• Theorem: Suppose that e is an (m, n) encoding function and d is a maximum likelihood decoding function associated with e. Then (e, d) can correct k or fewer errors if and only if the minimum distance is at least 2k + 1.

• Decoding procedure for a group code: see page 443

• Decoding procedure for a group code given by a parity check matrix: see page 446

• RSA public key cryptosystem: see page 450

• Theorem: Suppose that p and q are distinct primes and k is any integer. Then
  (a) For any integer a with GCD(a, pq) = 1, $a^{k(p-1)(q-1)} \equiv 1 \pmod{pq}$.
  (b) For any integer a, $a^{k(p-1)(q-1)+1} \equiv a \pmod{pq}$.
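The coding-theory objects in the list above, computed on two small codes, as an added Python example (not the book's code): the (3, 4) parity check code and the (2, 6) triple-repetition code, both constructed here. It exercises the distance function, minimum distance, the k + 1 and 2k + 1 theorems, the subgroup test for a group code, the minimum-weight theorem for group codes, and maximum likelihood decoding. The function names (hamming_distance, min_distance, is_group_code, max_likelihood_decode and the rest) are my own; words are strings of 0's and 1's.

```python
# Added example (not the book's code): the coding-theory objects of Chapter 11 on
# two constructed codes. Function names are my own; words are strings of '0'/'1'.
from itertools import product


def words(m):
    """All 2^m words of B^m, in binary order."""
    return ["".join(bits) for bits in product("01", repeat=m)]


def xor(x, y):
    """Mod-2 sum x ⊕ y of two words of equal length."""
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def weight(x):
    """|x|, the number of 1's in x."""
    return x.count("1")


def hamming_distance(x, y):
    """δ(x, y) = |x ⊕ y|."""
    return weight(xor(x, y))


def parity_check_encode(b):
    """The (m, m+1) parity check code: append a bit that makes the weight even."""
    return b + str(weight(b) % 2)


def repetition_encode(b):
    """The (m, 3m) encoding function: send each word three times."""
    return b * 3


def codewords(e, m):
    """Ran(e) = e(B^m) as a list."""
    return [e(b) for b in words(m)]


def min_distance(cw):
    """Minimum distance: smallest δ over all distinct pairs of codewords."""
    return min(hamming_distance(x, y) for i, x in enumerate(cw) for y in cw[i + 1:])


def detectable_errors(cw):
    """e detects k or fewer errors iff its minimum distance is at least k + 1."""
    return min_distance(cw) - 1


def correctable_errors(cw):
    """(e, d) corrects k or fewer errors iff the minimum distance is at least 2k + 1."""
    return (min_distance(cw) - 1) // 2


def is_group_code(cw):
    """Subgroup test in the finite group B^n: nonempty and closed under ⊕."""
    s = set(cw)
    return bool(s) and all(xor(x, y) in s for x in s for y in s)


def min_nonzero_weight(cw):
    """For a group code this equals the minimum distance (theorem in the list above)."""
    return min(weight(x) for x in cw if weight(x) > 0)


def detects_error(received, cw):
    """A received word reveals an error exactly when it is not a codeword."""
    return received not in set(cw)


def max_likelihood_decode(received, e, m):
    """Return the b whose codeword is nearest the received word (first one wins ties)."""
    return min(words(m), key=lambda b: hamming_distance(e(b), received))


if __name__ == "__main__":
    parity = codewords(parity_check_encode, 3)
    triple = codewords(repetition_encode, 2)
    for name, cw in (("(3,4) parity", parity), ("(2,6) repetition", triple)):
        print(name, min_distance(cw), detectable_errors(cw), correctable_errors(cw),
              is_group_code(cw), min_nonzero_weight(cw))
    print(max_likelihood_decode("010111", repetition_encode, 2))   # "01"
```

The parity check code has minimum distance 2, so it detects one error and corrects none; the repetition code has minimum distance 3, so it detects two and corrects one, and the received word 010111 decodes to 01 because it is one bit away from 010101 and at least two from every other codeword. Both codes pass the subgroup test, and for both the minimum nonzero weight equals the minimum distance.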


Chapter 11 Self-Test

1. What is the relationship between the minimum distance of an (m, n) encoding function and the number of errors it can detect?

2. Why is it important that the left cosets of $e(B^m)$ form a partition of $B^n$?

3. What is the maximum likelihood referred to in the name of the decoding functions in this chapter?

4. What are three general reasons for encoding a message?

5. Consider the (3, 4) parity check code. For each of the received words, determine whether an error will be detected.

(a) 1101 (b) 1010 (c) 1111 (d) 0011

6. Consider the (m, 3m) encoding function with m = 4. For each of the received words, determine whether an error will be detected.

(a) 001100100011 (b) 110111001101 (c) 010111010011

7. Let e be the (3, 5) encoding function defined by

e(000) = 00000   e(100) = 01010
e(001) = 11110   e(101) = 10100
e(010) = 01101   e(110) = 00111
e(011) = 10011   e(111) = 11001.

How many errors will e detect?

8. Show that the (3, 5) encoding function in Problem 7 is a group code.

9. Let e be the encoding function defined in Problem 7 and let d be an associated maximum likelihood decoding function. Determine the number of errors that (e, d) will correct.

10. Let

be a parity check matrix. Decode 0110 relative to a maximum likelihood decoding function associated with $e_H$.

11. Compute the remainder when $58^{1226}$ is divided by 91.

12. Use the RSA method, pairs of letters, and the public key m = 91, s = 25 to encode the message LAST.
