Slide 1Applications of RSAPublic-Key Applications: PrivacySignaturesPublic-Key CryptographyProperties of E and DRSASlide 8Property 1: D (E (M)) = MFinding e, d and nEuler’s Totient FunctionTotient ProductsFermat’s Little TheoremFermat’s Little Theorem ProofEuler’s TheoremEuler’s Theorem, cont.Proving Euler’s TheoremSlide 18RecapM and nM and n, contSlide 22Where’s ED?IdentityD (E (M)) = MSlide 26Movie BreakQuestionable Statements in RSA Paper: FinalistsOnly Two SubmissionsTwo “Questionable” Statements in RSA PaperSlide 31Who really invented RSA?RSA & Diffie-HellmanChargeDavid Evanshttp://www.cs.virginia.edu/evansCS588: Security and PrivacyUniversity of VirginiaComputer ScienceLecture 12:Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce)Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers.G. H. Hardy, The Mathematician’s Apology, 1940.CS588 Spring 2005 2Applications of RSA•Privacy: –Bob encrypts message to Alice using EA–Only Alice knows DA•Signatures: –Alice encrypts a message to Alice using DA–Bob decrypts using EA–Knows it was from Alice, since only Alice knows DA•Things you use every day: ssh, SSL, DNS, ...CS588 Spring 2005 3Public-Key Applications: Privacy•Alice encrypts message to Bob using Bob’s Private Key•Only Bob knows Bob’s Private Key  only Bob can decrypt messageEncryptDecryptPlaintextCiphertextPlaintextAliceBobBob’s Public KeyBob’s Private KeyCS588 Spring 2005 4Signatures•Bob knows it was from Alice, since only Alice knows Alice’s Private Key•Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)•Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)EncryptDecryptPlaintextSignedMessagePlaintextAliceBobAlice’s Private KeyAlice’s Public KeyCS588 Spring 2005 5Public-Key Cryptography•Private procedure: E•Public procedure: D•Identity: E (D (m)) = D (E (m)) = m•Secure: cannot determine E from D•But didn’t know how to find suitable E and DCS588 Spring 2005 6Properties of E and DTrap-door one way function:1. D (E (M)) = M 2. E and D are easy to compute.3. Revealing E doesn’t reveal an easy way to compute DTrap-door one way permutation: also4. E (D (M)) = MCS588 Spring 2005 7RSAE(M) = Me mod nD(C) = Cdd mod n n = pqpqpp, qq are primedd is relatively prime to (p – 1)(q – 1)edd  1 (mod (p – 1)(q – 1))(redred things are secret)CS588 Spring 2005 8Properties of E and DTrap-door one way function:1. D (E (M)) = M 2. E and D are easy to compute.3. Revealing E doesn’t reveal an easy way to compute DTrap-door one way permutation: also4. E (D (M)) = MCS588 Spring 2005 9Property 1: D (E (M)) = ME(M) = Me mod nD(E(M)) = (Me mod n)d mod n = Med mod n (as in D-H proof)Can we choose e, d and n with this property: M  Med mod nequivalently: 1  Med-1 mod nCS588 Spring 2005 10Finding e, d and n•We are looking for e, d and n such that: Med-1  1 mod n•Euler’s Theorem: for a and n relatively prime:a (n)  1 mod n•Next:–What is  (n) –Proof of Euler’s Theorem–How it works for arbitrary M–Given  (n) how do we find e and dCS588 Spring 2005 11Euler’s Totient Function (n) = number of positive integers less than n that are relativelyprime to n•If n is prime,  (n) = n – 1–Proof by contradiction•What if n = pq where p and q are prime?CS588 Spring 2005 12Totient ProductsFor primes, p and q: n = pq (n) = numbers < n not relatively prime to pq = pq – 1 ; numbers less than pq – (q – 1) ; size of p, 2p, …, (q – 1)p – (p – 1) ; size of q, 2q, …, (p – 1)q = pq – 1 – (q – 1) – (p – 1) = pq – (p + q) + 1 = (p – 1) (q – 1) =  (p)  (q)CS588 Spring 2005 13Fermat’s Little TheoremIf n is prime and a is not divisible by n an-1  1 mod nCS588 Spring 2005 14Fermat’s Little Theorem ProofIf n is prime and a is not divisible by n: {a mod n, 2a mod n, … , (n-1)a mod n} = {1, 2, …, (n – 1) }Product of all elements in sets:a  2a  …  (n – 1) a  (n – 1)! mod n (n – 1)!an-1  (n – 1)! mod n an-1  1 mod n QED.CS588 Spring 2005 15Euler’s TheoremFor a and n relatively prime:a(n)  1 mod nPartial Proof:If n is prime,  (n) = n – 1 and an - 1  1 mod nby Fermat’s Little TheoremWhat if n is not prime?CS588 Spring 2005 16Euler’s Theorem, cont.For a and n relatively prime:a(n)  1 mod n (n) = number of numbers < n not relatively prime to nWe can write those numbers as:R = { x1, x2, … , x(n)}CS588 Spring 2005 17Proving Euler’s TheoremR = { x1, x2, … , x(n)} multiply by a mod n:S = { ax1 mod n, ax2 mod n, …, ax (n) mod n}S is a permutation of R:•a is relatively prime to n •a is relatively prime to all xi •axi is relatively prime to n –Hence all elements of S are in R.–There are no duplicates in S. If axi mod n = axj mod n then i = j. since a is relatively prime to nCS588 Spring 2005 18Proving Euler’s Theorem x1  x2 …  x (n) = ax1 mod n  ax2 mod n …  ax (n) mod n (ax1  ax2 …  ax(n)) mod n a (n)  x1  x2 …  x (n) mod n 1  a (n) mod n QED.CS588 Spring 2005 19Recap•We are looking for e, d and n such that: Med-1  1 mod n•Euler’s Theorem: 1  a (n) mod nfor a and n relatively prime•If n is prime,  (n) = n – 1.•For p and q prime,  (pq) =  (p) (q)ed – 1 =  (n) = (p-1)(q-1)What if M is not relatively prime to n?n = pqCS588 Spring 2005 20M and n•Suppose M and n not relatively prime:gcd (M, n)  1•Since n = pq and p and q are prime:gcd (M, p)  1 OR gcd (M, q)  1Case 1: M = cpgcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq).So, M(q)  1 mod q(by Euler’s theorem, since M and q are relatively prime)CS588 Spring 2005 21M and n, contCase 1: M = cpgcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq).So, M  (q)  1 mod q(by Euler’s theorem, since M and q are relatively prime)M (q)  1 mod q(M (q)) (p)  1 mod qM (q) (p)  1 mod qM (n)  1 mod qCS588 Spring 2005 22M and nM (n)  1 mod qM (n) = 1 + kq for some kM = cp recall gcd (M, p)  1M  M (n) = (1 + kq)cpM(n) + 1 = cp + kqcp = M + kcn M(n) + 1  M mod nCS588 Spring 2005 23Where’s ED?ed – 1 =  (n) = (p-1)(q-1)•So, we