# Discrete Mathematical Structures, Sixth Edition. Bernard Kolman...

Post on 13-May-2020


Discrete Mathematical Structures Sixth Edition

Bernard Kolman, Drexel University

Robert C. Busby, Drexel University

Sharon Cutler Ross, Georgia Perimeter College

Upper Saddle River, NJ 07458

11.3 Public Key Cryptology 449

11.3 Public Key Cryptology

In 1978, Ronald Rivest, Adi Shamir, and Leonard Adleman published "A Method for Obtaining Digital Signatures and Public Key Cryptosystems." In this paper, the authors describe a method of sending coded messages using a pair of publicly available integers. This method is widely called the RSA public key cryptosystem. We begin with a result on congruences that extends Fermat's Little Theorem (Theorem 3(b) of Section 9.6).

THEOREM 1 Suppose that p and q are distinct primes and k is any integer. Then (a) For any integer a with GCD(a, pq) = 1,

$a^{k(p-1)(q-1)} \equiv 1 \pmod{pq}$ (1)

(b) For any integer a,

$a^{k(p-1)(q-1)+1} \equiv a \pmod{pq}$ (2)

Proof

(a) If GCD(a, pq) = 1, then a is not divisible by p or q; it is relatively prime to both. Thus by Fermat's Little Theorem, Theorem 3(b), Section 9.6, we have $a^{p-1} \equiv 1 \pmod p$, and so

$a^{k(p-1)(q-1)} \equiv 1^{k(q-1)} = 1 \pmod p$. Similarly, $a^{k(p-1)(q-1)} \equiv 1 \pmod q$. Thus there exist integers r and s with

$a^{k(p-1)(q-1)} = 1 + rp = 1 + sq$. It follows that rp = sq, and since q is not divisible by p, s must be, say, s = pt. Then

$a^{k(p-1)(q-1)} = 1 + pqt$

and

$a^{k(p-1)(q-1)} \equiv 1 \pmod{pq}$.

(b) If a is relatively prime to pq, the result follows from (1) by multiplying both sides by a. If not, then a is divisible by either p or q or both. If a is divisible by pq, then both sides of (2) are congruent to 0 mod pq and are therefore congruent to each other. In the remaining case, a is divisible by exactly one of the integers p or q, and without loss of generality, we may suppose that it is p. Then $a = bp^s$, with $s \ge 1$ and b relatively prime to pq. We note for later reference that b must satisfy (2).

Since p is relatively prime to q, we can show as in the proof of part (a) that for some integer r, $p^{k(p-1)(q-1)} = 1 + rq$. Multiplying by p then shows that

$p^{k(p-1)(q-1)+1} \equiv p \pmod{pq}$,

and therefore

$(p^s)^{k(p-1)(q-1)+1} = (p^{k(p-1)(q-1)+1})^s \equiv p^s \pmod{pq}$. We see that both b and $p^s$ satisfy (2), and therefore so does their product a.


450 Chapter 11 Groups and Coding

Example 1 Let p = 5 and q = 13. Since 28 is relatively prime to 5 × 13 = 65 and 48 = 4 × 12 = (5 - 1) × (13 - 1), $28^{48} \equiv 1 \pmod{65}$.

Example 2 Compute the remainder of $7^{293}$ after division by 65.

Solution

We use Theorem 1(a), with p = 5 and q = 13, so that 65 = pq. 293 = (48 × 6) + 5, and since 7 is relatively prime to 65,

$7^{293} = (7^{48})^6 \times 7^5 \equiv 7^5 \pmod{65}$.

But $7^3 = 343 \equiv 18 \pmod{65}$ and therefore

$7^5 \equiv 18 \times 49 = 882 \equiv 37 \pmod{65}$. The remainder of $7^{293}$ after division by 65 is 37.
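The exponent reduction of Example 2 carried out in code, as an added example that is not part of the textbook: `reduce_exponent` applies Theorem 1(a) to shrink the exponent modulo (p - 1)(q - 1) before multiplying, and `theorem1b_holds` checks part (b) for every residue, including those divisible by p or q, which is the case RSA decoding relies on. All function names are this example's own.

```python
# Added example (not from the textbook): Theorem 1 lets a huge exponent be
# reduced modulo n = (p-1)(q-1) before any multiplication, as Example 2 does.
from math import gcd


def reduce_exponent(a, e, p, q):
    """Return (reduced exponent, a^e mod pq) using Theorem 1(a).

    With n = (p-1)(q-1) and gcd(a, pq) = 1, a^n ≡ 1 (mod pq), so only the
    remainder e mod n matters (293 = 48*6 + 5 in Example 2). The small power
    is then built by repeated multiplication, reducing mod pq at each step.
    """
    m = p * q
    if gcd(a, m) != 1:
        raise ValueError("Theorem 1(a) requires gcd(a, pq) = 1")
    r = e % ((p - 1) * (q - 1))
    result = 1
    for _ in range(r):
        result = (result * a) % m
    return r, result


def theorem1b_holds(p, q, k=1):
    """Check part (b) for every residue a, including those divisible by p or q:
    a^(k(p-1)(q-1)+1) ≡ a (mod pq). This is the case RSA decoding relies on."""
    m = p * q
    e = k * (p - 1) * (q - 1) + 1
    return all(pow(a, e, m) == a for a in range(m))


if __name__ == "__main__":
    print(reduce_exponent(7, 293, 5, 13))   # (5, 37): 7^293 ≡ 7^5 ≡ 37 (mod 65)
    print(theorem1b_holds(5, 13, k=6))      # True
    print(pow(5, 48, 65) == 1)              # False: part (a) needs gcd(a, pq) = 1
```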

We now construct a system in which we can make public a method of encoding messages to us (called a public key), but nevertheless be relatively sure that only we can decode these messages. Theorem 1 will play a major role in this effort. As a first step, we note that any message can be turned into a string of integers using a variety of methods. One way is to use the letters of the alphabet to represent a number base 26. Let A, B, ..., Z stand for the integers 0, 1, ..., 25. Then any pair of letters $\alpha\beta$ can be regarded as the base 26 representation of the number $26\alpha + \beta$. In this way numbers in the range 0 to 675 can be used in place of any two-letter pair, and any message, when divided into two-letter pairs, can be represented by a sequence of integers in this range.

Example 3 Consider the message ACT FIRST. Separate the letters into pairs, and replace each pair with the number it represents in base 26. The pairs AC, TF, IR, and ST become, respectively, the integers 2, 499, 225, and 487. If a message has an odd number of letters, we can add an agreed upon filler letter, say X, at the end. A variation of this method would be to replace triples of letters by the base 26 number they represent. Then we would use numbers in the range 0 to $25 \times 26^2 + 25 \times 26 + 25 = 17575$.

We now describe a method of encoding messages. Select two primes, p and q, and let m = pq and n = (p - 1)(q - 1). Now choose any integer s that is relatively prime to n. We "publish" the integers m and s (that is, make them publicly available) and instruct anyone wishing to send us a secret message to proceed as follows: Divide the message into letter pairs $\alpha\beta$ and represent each pair as a number $x = 26\alpha + \beta$ in the range 0 to 675. Then replace each of these numbers x by the unique integer y between 0 and m - 1 for which $y \equiv x^s \pmod m$, and send us the resulting number sequence. For this procedure to produce unique results, m must be at least 675.

Decoding

Since s is chosen to be relatively prime to n, $\bar{s}$, the remainder class of s mod n, has a multiplicative inverse $\bar{t}$ in the ring $\mathbb{Z}_n$. (See Section 9.6.) Thus for some integer t we have $st \equiv 1 \pmod n$ or st = 1 + k(p - 1)(q - 1) for some integer k. We can find t by using the Euclidean algorithm, as illustrated in Example 4 of Section 9.6.


If we receive the integer $y \equiv x^s \pmod m$, we compute $y^t \pmod m$ and apply Theorem 1. Since m = pq, Theorem 1(a) guarantees that

$y^t \equiv x^{st} = x^{1+k(p-1)(q-1)} \equiv x \pmod m$.

Since x does not exceed m, we have $y^t \pmod m = x$, so we have recovered the original integer x. We do this to all received integers, and thus decode the message.

Example 4 Let p = 19 and q = 37. Since m = pq = 703 > 675, we can use the RSA method to encode messages in groups of two letters. Here n = 18 × 36 = 648. Choose s = 25, which is relatively prime to 648. Now we publish the integers 703 and 25 as our public key. If someone wants to send us the message GO, she first computes 6 × 26 + 14 = 170 and then $170^{25} \pmod{703}$. Note that $170^2 = 28900 \equiv 77 \pmod{703}$. So

$170^4 \equiv 77^2 \equiv 305 \pmod{703}$

$170^8 \equiv 305^2 \equiv 229 \pmod{703}$

$170^{16} \equiv 229^2 \equiv 419 \pmod{703}$

It follows that

$170^{25} = 170^{16} \cdot 170^8 \cdot 170 \equiv 419 \cdot 229 \cdot 170 = 16311670 \equiv 664 \pmod{703}$, so she sends 664.

To decode the message, we first find t. Using the Euclidean algorithm, we compute

648 = 25 × 25 + 23

25 = 1 × 23 + 2

23 = 11 × 2 + 1.

Thus

$1 = 23 - 11 \cdot 2 = 23 - 11(25 - 23) = 12 \cdot 23 - 11 \cdot 25 = 12(648 - 25 \cdot 25) - 11 \cdot 25 = 12 \cdot 648 - 311 \cdot 25.$

Thus $t = -311 \equiv 337 \pmod{648}$. Now we compute $664^{337} \pmod{703}$. A series of computations such as those used previously to find 664 shows that $664^{337} \equiv 170 \pmod{703}$. Since 6 × 26 + 14 = 170, we can then recover the original message GO.
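The complete scheme of this section run on the key of Example 4, as an added example that is not the textbook's code: letter pairs are encoded in base 26 as in Example 3, t is found by the extended Euclidean algorithm (giving -311, that is 337 mod 648), and the pair GO travels as 664 and comes back. The function names and the filler-letter handling are this example's own.

```python
# Added example (not the textbook's code): the letter-pair RSA scheme of this
# section, exercised on the Example 4 key (m, s) = (703, 25), private t = 337.
from math import gcd


def pairs_to_ints(msg, filler="X"):
    """Encode letter pairs alpha-beta as base-26 integers 26*alpha + beta (Example 3)."""
    msg = msg.upper().replace(" ", "")
    if len(msg) % 2:
        msg += filler                      # agreed-upon filler for an odd letter count
    return [26 * (ord(a) - 65) + (ord(b) - 65) for a, b in zip(msg[::2], msg[1::2])]


def ints_to_pairs(nums):
    """Inverse of pairs_to_ints: each integer 0..675 back to two letters."""
    return "".join(chr(65 + x // 26) + chr(65 + x % 26) for x in nums)


def inverse_mod(s, n):
    """Extended Euclidean algorithm: the t with s*t ≡ 1 (mod n) used in Example 4."""
    r0, r1, t0, t1 = n, s, 0, 1            # invariant: r_i ≡ t_i * s (mod n)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("s must be relatively prime to n")
    return t0 % n                          # -311 becomes 337 for n = 648


def keygen(p, q, s):
    """Public key (m, s) and private exponent t; m > 675 keeps pair codes unique."""
    m, n = p * q, (p - 1) * (q - 1)
    if m <= 675 or gcd(s, n) != 1:
        raise ValueError("need m > 675 and gcd(s, n) = 1")
    return (m, s), inverse_mod(s, n)


def encrypt(msg, pub):
    m, s = pub
    return [pow(x, s, m) for x in pairs_to_ints(msg)]     # y ≡ x^s (mod m)


def decrypt(cipher, pub, t):
    m, _ = pub
    return ints_to_pairs([pow(y, t, m) for y in cipher])  # y^t ≡ x (mod m)


if __name__ == "__main__":
    pub, t = keygen(19, 37, 25)            # ((703, 25), 337)
    c = encrypt("GO", pub)
    print(c, decrypt(c, pub, t))           # [664] GO
```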

Security In the discussion of Bacon's code (Section 1.4), we noted that this method of coding is vulnerable to an attack based on an analysis of the frequency with which letters appear in ordinary language. By encoding pairs or triples of letters as we do with the public key method of this section, an attack by frequency analysis is much more difficult. But there are also other methods of attack on a public key cryptosystem.

In order to decode the message, someone must know t, which means that he must know n. This in turn requires him to know p and q. Thus the problem is to factor a number m, known to be the product of two primes. In Section 1.4, we showed that we can find the prime factors of m by trial and error if we divide m by all primes less than $\sqrt{m}$. In Example 4, m = 703, and the square root of 703 is less than 27. Thus we need only divide by 2, 3, 5, 7, 11, 13, 17, 19, and 23, at most 9 divisions, to find the prime factors. In practice, one chooses p and q to have something like 100 digits, that is, to be of the order of magnitude $10^{100}$, so that m is about $10^{200}$. A famous theorem about prime numbers, called appropriately the Prime Number Theorem, states that the number of primes less than or equal to an integer m is approximately $\frac{m}{\ln(m)}$, and this approximation gets better as m gets larger. Thus, the number of primes less than $\sqrt{m} = 10^{100}$ is about

$$\frac{10^{100}}{\ln(10^{100})} = \frac{10^{100}}{100 \ln(10)} \approx \frac{10^{100}}{230} > 10^{97}.$$

Presently, the fastest known computer has a speed of about 36,000 gigaflops a second. With this computer it would take about $10^{83}$ seconds, or about $10^{66}$ billion years, to do the required number of divisions. A similar enormous number of the world's largest hard drives would be required just to store these prime divisors, if we even knew what they all were.

The difficulty of factoring extremely large numbers provides some level of security, but even so, messages can be decoded if additional information leaks out. For example, the factorization can be found if n = (p - 1)(q - 1) becomes known. This follows from the fact that p and q are roots of the quadratic equation

$$0 = (x - p)(x - q) = x^2 - (p + q)x + pq = x^2 - (p + q)x + m.$$

On the other hand,

$$n = (p - 1)(q - 1) = pq - (p + q) + 1 = m - (p + q) + 1,$$

so

$$(p + q) = m - n + 1.$$

We can therefore find p and q by solving the equation $0 = x^2 + (n - m - 1)x + m$.

Methods of coding for efficiency, for error detection and correction, or for security are an active area of mathematical research. In this book we have presented only some of the basic ideas and procedures.
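The leak described above, worked through in code as an added example that is not part of the textbook: given the public modulus m and a leaked n = (p - 1)(q - 1), the quadratic $x^2 + (n - m - 1)x + m = 0$ yields p and q, and with n in hand the decoding exponent t follows immediately, which is why n must be kept as secret as p and q themselves. The function names are this example's own.

```python
# Added example (not from the textbook): recovery of p and q from the public
# modulus m = pq once n = (p-1)(q-1) has leaked, via x^2 + (n - m - 1)x + m = 0.
from math import isqrt


def factor_from_n(m, n):
    """Return (p, q) with p <= q, or None if (m, n) is not a consistent pair."""
    b = n - m - 1                     # equation is x^2 + b*x + m = 0, so p + q = -b
    disc = b * b - 4 * m              # (p+q)^2 - 4pq = (p-q)^2, a perfect square
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (-b - root) % 2:
        return None                   # no integer roots: n was not (p-1)(q-1)
    p, q = (-b - root) // 2, (-b + root) // 2
    if p * q != m or (p - 1) * (q - 1) != n:
        return None
    return p, q


def private_exponent(n, s):
    """With n known, the decoding exponent t is one Euclidean-algorithm step away."""
    return pow(s, -1, n)              # Python 3.8+ modular inverse; 337 for (648, 25)


if __name__ == "__main__":
    print(factor_from_n(703, 648))    # (19, 37), the primes of Example 4
    print(private_exponent(648, 25))  # 337
```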

11.3 Exercises

1. Verify that $12^{704} \equiv 1 \pmod{391}$.

2. Verify that $10^{577} \equiv 10 \pmod{221}$.

In Exercises 3 through 6, compute the remainder when $a^k$ is divided by c for the given values.

3. a = 9, k = 199, c = 221

4. a = 17, k = 1123, c = 1189

5. a = 23, k = 3750, c = 3869

6. a = 12, k = 1540, c = 1649

7. Let p = 23 and q = 41. (a) Compute m = pq and n = (p - 1)(q - 1). (