Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005

Congruence Modulo m

We say that two integers a and b are congruent modulo m if a – b is a multiple of m (m > 0).

Write a ≡ b (mod m). For example, 2 ≡ 7 (mod 5). This is the “relational” notation. Congruence modulo m is an equivalence relation on Z.

Operator Notation

We can also treat mod as an operator, like the % operator in C.

Then a mod m is the smallest nonnegative integer b such that a ≡ b (mod m).

For example, 100 mod 7 = 2. The relation a ≡ b (mod m) is equivalent to the relation a mod m = b mod m.

Caveat for code: C’s % operator follows the sign of the dividend, so (-1) % 7 is -1 in C, not 6; to get a mod m as defined here, use ((a % m) + m) % m. Python’s % already returns the nonnegative value for a positive modulus.

Congruence Modulo m

Theorem: Let a, b, and m be integers with m > 0. Then the following statements are equivalent.

• m | (a – b)
• a ≡ b (mod m)
• a = b + km for some integer k
• a mod m = b mod m

Modular Arithmetic

Theorem: Let a, b, c, d, and m be integers with m > 0. If a ≡ c (mod m) and b ≡ d (mod m), then

• a + b ≡ c + d (mod m)
• a – b ≡ c – d (mod m)
• ab ≡ cd (mod m)

In other words, modular addition, subtraction, and multiplication are consistent with ordinary arithmetic: we may reduce mod m before or after each operation and get the same result.

Modular Arithmetic

Proof of ab ≡ cd (mod m): Let a = c + um for some integer u and let b = d + vm for some integer v. Then

• ab = (c + um)(d + vm)
  = cd + cvm + dum + uvm^2
  = cd + (cv + du + uvm)m.

Therefore, ab ≡ cd (mod m).

Example

For example, 100 ≡ 2 (mod 7) and 80 ≡ 3 (mod 7). Therefore,

• 100 + 80 = 180 ≡ 2 + 3 = 5 (mod 7)
• 100 – 80 = 20 ≡ 2 – 3 = –1 ≡ 6 (mod 7)
• 100 · 80 = 8000 ≡ 2 · 3 = 6 (mod 7)

Raising to Powers

Using the principle of Exercise 26 in Section 9.5, there is a very fast algorithm for computing a^n mod m. It rests on the recursion

a^n = (a^(n/2))^2        if n is even,
a^n = a · a^(n – 1)      if n is odd,

so each step either halves the exponent or reduces it by one; the number of multiplications is proportional to the number of bits in n rather than to n itself.

Raising to Powers

We modify this to reduce modulo m at every step, so that the intermediate values never grow beyond m^2:

a^n mod m = ((a^(n/2) mod m)^2) mod m          if n is even,
a^n mod m = (a · (a^(n – 1) mod m)) mod m      if n is odd.

Example

Find 14^100 mod 27. Since 100 = 64 + 32 + 4, we have 14^100 = 14^64 · 14^32 · 14^4. Compute by repeated squaring:

• 14^2 mod 27 = 196 mod 27 = 7
• 14^4 mod 27 = 7^2 mod 27 = 49 mod 27 = 22
• 14^8 mod 27 = 22^2 mod 27 = (–5)^2 mod 27 = 25
• 14^16 mod 27 = 25^2 mod 27 = (–2)^2 mod 27 = 4
• 14^32 mod 27 = 4^2 mod 27 = 16
• 14^64 mod 27 = 16^2 mod 27 = 256 mod 27 = 13

Example

So, 14^100 mod 27 = (22 · 16 · 13) mod 27 = 13, since 22 · 16 = 352 ≡ 1 (mod 27).

Example

What are the last 4 digits of 2^1000? Since 1000 = 512 + 256 + 128 + 64 + 32 + 8, we have 2^1000 = 2^512 · 2^256 · 2^128 · 2^64 · 2^32 · 2^8. Using the same method as in the last example, with m = 10000, we get 2^1000 mod 10000 = 9376.
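As an added example (the editor’s own code, not part of the original lecture), the recursion from the two “Raising to Powers” slides is implemented below in Python, next to the iterative bit-by-bit form that libraries actually use, and checked against 14^100 mod 27 and the last four digits of 2^1000. The function names are the editor’s choice.

```python
# Added example: modular exponentiation by repeated squaring, following the
# lecture's recursion and its "reduce mod m at every step" refinement.
# Function names are the editor's own; none of this is from the original notes.

def pow_mod_recursive(a: int, n: int, m: int) -> int:
    """a^n mod m via the slide's recursion: square for even n, peel off one
    factor of a for odd n, reducing mod m after every multiplication."""
    if m <= 0 or n < 0:
        raise ValueError("need m > 0 and n >= 0")
    if n == 0:
        return 1 % m                      # 1 % m also covers m == 1
    if n % 2 == 0:
        half = pow_mod_recursive(a, n // 2, m)
        return (half * half) % m
    return (a % m) * pow_mod_recursive(a, n - 1, m) % m

def pow_mod_iterative(a: int, n: int, m: int) -> int:
    """Same result, iterating over the bits of n from least significant up.
    Each loop squares the running power a^(2^i) mod m and multiplies it into
    the result only when bit i of n is set, so the work is about twice the
    bit length of n in multiplications instead of n of them.

    Security note: the data-dependent branch on each bit is exactly what makes
    naive square-and-multiply leak its exponent through timing and power side
    channels; constant-time libraries use a Montgomery ladder or blinding.
    """
    if m <= 0 or n < 0:
        raise ValueError("need m > 0 and n >= 0")
    result = 1 % m
    base = a % m
    while n > 0:
        if n & 1:
            result = (result * base) % m
        base = (base * base) % m
        n >>= 1
    return result

def power_table(a: int, n: int, m: int) -> list:
    """The lecture's table of a^(2^i) mod m for every power 2^i <= n."""
    rows = []
    e, v = 1, a % m
    while e <= n:
        rows.append((e, v))
        v = (v * v) % m
        e *= 2
    return rows

if __name__ == "__main__":
    print(power_table(14, 100, 27))           # [(1, 14), (2, 7), (4, 22), (8, 25), (16, 4), (32, 16), (64, 13)]
    print(pow_mod_recursive(14, 100, 27))     # 13
    print(pow_mod_iterative(2, 1000, 10000))  # 9376, the last four digits of 2^1000
```

Python’s built-in pow(a, n, m) does the same computation in C; the two hand-written versions are only here to make the slide’s recursion concrete, and the table function reproduces the row of squares the lecture works through by hand.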

Modular Division

Modular division is a little tricky. That is because, in general, the quotient of two integers is not an integer, and in modular arithmetic we use only integers.

Modular Division

What is the “defining property” of ½? It is the fact that if you multiply it by 2, you get 1. That is, it is the solution to the equation

2x = 1.

Modular Division

Analogously, we may define “½” mod m to be the solution to the congruence

2x ≡ 1 (mod m),

if there is a unique solution (there is one exactly when m is odd, as the theorem on modular inverses below shows).

Modular Division

For example, if m = 5, then ½ is 3 since 2 · 3 ≡ 1 (mod 5). We call 3 the (multiplicative) inverse of 2. Modulo 5, dividing by 2 is the same as multiplying by 3. For example, 4/2 ≡ 4 · 3 ≡ 12 ≡ 2 (mod 5) and 3/2 ≡ 3 · 3 ≡ 9 ≡ 4 (mod 5).

The Extended Euclidean Algorithm

The question is how to find inverses in general. We use the extended Euclidean algorithm. Recall the basic Euclidean algorithm:

Given integers A and B, B > 0, let a = A, b = B.

while b ≠ 0:
  Apply the quotient-remainder theorem: a = qb + r, 0 ≤ r < b.
  Let a = b, b = r.

When the loop ends, a is the gcd of A and B.

The Euclidean Algorithm

For example, find the gcd of 25520 and 19314:

25520 = 1 · 19314 + 6206
19314 = 3 · 6206 + 696
 6206 = 8 · 696 + 638
  696 = 1 · 638 + 58
  638 = 11 · 58 + 0

Thus, gcd(25520, 19314) = 58.

The Euclidean Algorithm

We may present this in the form of a table:

    a       b     q     r
25520   19314     1  6206
19314    6206     3   696
 6206     696     8   638
  696     638     1    58
  638      58    11     0

The Extended Euclidean Algorithm

The extended Euclidean algorithm adds two more columns to this table, labeled s and t.

In row –1, initialize s_{–1} = 1 and t_{–1} = 0. In row 0, initialize s_0 = 0 and t_0 = 1. In each succeeding row n, compute s_n and t_n recursively from the quotient q_n of that row:

s_n = s_{n – 2} – q_n · s_{n – 1}
t_n = t_{n – 2} – q_n · t_{n – 1}

Example

Apply this to A = 25520 and B = 19314.

    a       b     q     r     s     t
    -       -     -     -     1     0
    -       -     -     -     0     1
25520   19314     1  6206     1    -1
19314    6206     3   696    -3     4
 6206     696     8   638    25   -33
  696     638     1    58   -28    37
  638      58    11     0   333  -440

The Extended Euclidean Algorithm

In each row n, it is the case that

A · s_n + B · t_n = r_n.

In particular, in the second-to-last row, we see that

25520 · (–28) + 19314 · 37 = 58,

which is the gcd of 25520 and 19314. (The last row gives 25520 · 333 + 19314 · (–440) = 0, as it must, since its remainder is 0.)

The Extended Euclidean Algorithm

Theorem: Let a and b be integers, not both 0. The smallest positive element in the set

{as + bt | s, t ∈ Z}

is the gcd of a and b.

Modular Inverses

Now we can find inverses modulo m.

Theorem: The integer a has an inverse modulo m if and only if gcd(a, m) = 1.

Proof (⇐): Suppose gcd(a, m) = 1. Apply the extended Euclidean algorithm to find s and t such that

as + mt = 1.

Modular Inverses

Then consider the corresponding congruence modulo m:

as + mt ≡ 1 (mod m)
as ≡ 1 (mod m)

Thus, s is the inverse of a, modulo m.

(For the converse: if as ≡ 1 (mod m), then as – 1 = km for some integer k, so as – km = 1, and any common divisor of a and m divides 1. Hence gcd(a, m) = 1.)

Example

Find the inverse of 10, modulo 27. Apply the extended Euclidean algorithm to get s = –8 and t = 3, implying that

10 · (–8) + 27 · 3 = 1.

Thus, 10 · (–8) ≡ 1 (mod 27), and since –8 ≡ 19 (mod 27), 10 · 19 ≡ 1 (mod 27).

Therefore, for example, 5/10 ≡ 5 · 19 ≡ 95 ≡ 14 (mod 27).

The RSA Cryptosystem

The RSA cryptosystem was named after Ronald Rivest, Adi Shamir, and Leonard Adleman, who are now quite rich.

It is a “public-key” cryptosystem. The encryption key can be made public without revealing the decryption key. Thus, anyone can encrypt a message and send it, but only holders of the private decryption key can decrypt it.

The RSA Cryptosystem

The RSA cryptosystem begins with two large primes p and q. “Large” meant at least 100 digits long when these notes were written; current practice is a modulus pq of at least 2048 bits, so p and q of roughly 300 decimal digits each.

Theorem: Let a be any integer not divisible by p or q. Then

a^((p – 1)(q – 1)) ≡ 1 (mod pq).

(This is Euler’s theorem for the modulus pq, whose totient is (p – 1)(q – 1).)

The RSA Cryptosystem

For example, if p = 37 and q = 41, then pq = 1517 and (p – 1)(q – 1) = 1440.

Let a = 7. A simple computation verifies that

7^1440 ≡ 1 (mod 1517).

The RSA Cryptosystem

Next, choose an integer e, with 1 < e < (p – 1)(q – 1), that is relatively prime to (p – 1)(q – 1). This is the encryption key.

The public key is the pair (pq, e). Use the extended Euclidean algorithm to find the inverse of e, modulo (p – 1)(q – 1). Call it d, the decryption key; d, p, and q are kept secret.

The RSA Cryptosystem

Let M be the plaintext message, expressed as an integer between 0 and pq – 1. For example, ASCII may be used. Longer messages are broken into blocks of such integers. Encrypt M to the ciphertext C as follows:

C = M^e mod pq.

The RSA Cryptosystem

The decryption procedure is similar. Given the ciphertext C, recover M as follows:

M = C^d mod pq.

Why does this work?

• Why does this recover M?
• Why can’t the enemy obtain d from e?

Why RSA Recovers M

Since e and d are inverses modulo (p – 1)(q – 1), ed = 1 + k(p – 1)(q – 1) for some integer k. Thus,

C^d ≡ (M^e)^d ≡ M^(ed)
    ≡ M^(1 + k(p – 1)(q – 1))
    ≡ M · (M^((p – 1)(q – 1)))^k
    ≡ M · 1^k ≡ M (mod pq),

using the theorem above with a = M. That theorem assumes M is divisible by neither p nor q; the congruence in fact holds for every M in 0, …, pq – 1, which one checks by verifying M^(ed) ≡ M modulo p and modulo q separately (Fermat’s little theorem handles the case where M is a multiple of one of them) and combining the two.

Why RSA Is Secure

How would the enemy obtain d from e? He would use the extended Euclidean algorithm. To do so, he would have to know (p – 1)(q – 1). This cannot easily be obtained without knowledge of p and q (as the slide on the security of RSA below shows, knowing (p – 1)(q – 1) is equivalent to knowing p and q), and no way of obtaining p and q is known that is easier than factoring pq.

RSA and Tractability

Encryption and decryption require raising an integer to a high power, modulo m. This operation can be done very efficiently by the repeated-squaring method above: at most about 2n modular multiplications for an n-bit exponent. On the other hand, breaking the code requires factoring a large number. Trial division needs on the order of 2^(n/2) divisions, where n is the number of bits in pq, and even the best known general factoring algorithms take time that grows faster than any polynomial in n.

The Security of RSA

Clearly, the enemy could break the code if he knew p and q.

He could also break the code if he knew the value of (p – 1)(q – 1). He would then know pq – (p + q) + 1, and since he already knows pq, he could determine p + q = pq – (p – 1)(q – 1) + 1.

From knowledge of pq and p + q, it is easy to determine p and q.

RSA Example

Let p = 37 and q = 41. Then pq = 1517 and (p – 1)(q – 1) = 1440. Choose e = 7, which is relatively prime to 1440. Compute d = 823 (check: 7 · 823 = 5761 = 4 · 1440 + 1). Publish the key (1517, 7).

RSA Example

Alice wants to send Bob the message “ATTACK AT DAWN”. In ASCII, this is the plaintext

65, 84, 84, 65, 67, 75, 32, 65, 84, 32, 69, 65, 87, 78

Let’s encrypt only 65 for this example. Compute M^e = 65^7 mod 1517 = 1094 = C. Transmit 1094.

RSA Example

Bob receives the ciphertext

1094, 1194, 1194, 1094, 1483, 926, 870, 1094, 1194, 870, 56, 1094, 143, 918

Let’s decrypt only 1094 for this example. A simple calculation shows that

C^d = 1094^823 mod 1517 = 65 = ‘A’.

The Security of RSA

Suppose we were given the numbers 37 · 41 = 1517 and 37 + 41 = 78 (the sum is what the enemy obtains from (p – 1)(q – 1) = 1440, since 1517 – 1440 + 1 = 78). How would we find 37 and 41?

Consider the quadratic equation

(x – 37)(x – 41) = x^2 – 78x + 1517 = 0.

We could use the quadratic formula to find the two roots, 37 and 41.
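The attack on this slide and the previous “Security of RSA” slide, as an added Python example by the editor (not code from the lecture): given the public modulus pq and a leaked (p – 1)(q – 1), recover p + q and solve the quadratic with exact integer arithmetic. The function name is the editor’s choice; integer square roots are used instead of the floating-point quadratic formula so the check is exact even for moduli far larger than 1517.

```python
# Added example (editor's own): recover p and q from n = p*q and a leaked
# totient phi = (p-1)*(q-1), using p + q = n - phi + 1 and the quadratic
# x^2 - (p+q)x + n = 0 whose roots are p and q.
from math import isqrt
from typing import Optional, Tuple

def factor_from_totient(n: int, phi: int) -> Optional[Tuple[int, int]]:
    """Return (p, q) with p <= q and p*q == n, or None if phi is not the
    totient of a product of two primes n (the quadratic then has no
    integer roots, or the candidates do not multiply back to n)."""
    s = n - phi + 1                   # p + q
    disc = s * s - 4 * n              # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        return None
    root = isqrt(disc)                # exact integer square root
    if root * root != disc:
        return None                   # (p - q)^2 must be a perfect square
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n or p < 2:
        return None
    return p, q

if __name__ == "__main__":
    print(factor_from_totient(1517, 1440))   # (37, 41)
    print(factor_from_totient(1517, 1441))   # None: not a valid totient for 1517
```

This is why (p – 1)(q – 1), like d, must be treated with the same care as p and q themselves: leaking any one of them turns the factoring problem into two integer operations.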

