RSA cryptosystem - Proofs of correctness
RSA Introduction
Most of us know RSA cryptosystem which is the most widely spread cryptosystem even today. The system was invented by three scholars Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem. In RSA, the process of encryption and decryption is depicted in the following illustration.RSA Algorithm
Now let’s drill down this $encryption (E)$ and $decryption (D)$ process furthermore. As we all know the RSA algorithm [1] works as follows:- Choose two prime numbers $p$ and $q$,
- Compute the modulus in which the arithmetic will be done: $N = pq$,
- Pick a public encryption key $e \in Z_n$,
- Compute the private decryption key as $d$ such that $ed = 1\; mod\; \phi(N)$,
- Encryption of message $m: c = m^e\; mod\; N$,
- Decryption of ciphertext $c: m=c^d\; mod\; N$.
Proof
Our simple proof uses the Euler-Fermat Theorem. Let’s first have a look at it.Euler-Fermat Theorem
Let $n$ be a positive integer, and let $a$ be an integer that is relatively prime to $n$. Then
$$\Large a^{\phi(n)} \equiv 1 \; (mod \; n)$$
Where $\phi(n)$ is Euler’s totient function, which counts number of positive integers $\le n $ which are relatively prime to $n$. [2]
The number of integers in $Z_m$ , relatively prime to $m$ is denoted by $\phi(m)$.
It works for messages $m$ that are relatively prime to the modulus $n$, such that $gcd(m, n) = 1$ by definition where $gcd$ stands for greatest common divisor of $m$ and $n$.
Suppose $gcd(m, n) = 1$.
Since $e (encryption)$ and $d (decryption)$ are inverse functions, by definition,
$ed \equiv 1 (mod\; \phi(n))$
To get the $\phi(n)$, you have to use Euler's Totient Function. Let’s take an example[2] to clarify this.
$m = 6$, $Z_6 = \{0, 1, 2, 3, 4, 5\}$
$gcd(0, 6) = 6$
$gcd(1, 6) = 1$
$gcd(2, 6) = 2$
$gcd(3, 6) = 3$
$gcd(4, 6) = 2$
$gcd(5, 6) = 1$
So according to Euler's Phi Function $\phi(6) = 2$ which is the count of values $n \in Z_n$ such that $gcd(m, n) = 1$
Computing $\phi(m)$ for a large number which has $1024$ bits following the above naïve approach is not possible. So how can we compute this for really long numbers say $1000$ bits long numbers. Luckily there’s a way: Euler's Phi Function.
Theorem 6.3.1 Let $m$ have the following canonical factorization
$$\Large m = p_1^{e_1} \cdot p_2^{e_2}\cdot \ldots \cdot p_n^{e_n}$$,
Where the $p_i$ are distinct prime numbers and $e_i$ are positive integers, then
$$\Large \phi(m) = \prod_{i=1}^n (p_i^{e_i}-p_i^{e_i-1})$$ [3]
Notice the canonical use of prime factors above. Let’s take an example.
$m = 240, \phi(240) = ?$
Writing $m$ by its prime factors yields,
$$m = 2^4 · 3 · 5 $$
$$= p_1^{e_1} \cdot p_2^{e_2} \cdot p_3^{e_3}$$
Applying to the equation, $n = 3$ since only $3$ distinct prime factors exists above.
$$\phi(240) = (2^4 - 2^3) \cdot (3^1 - 3^0) \cdot (5^1 - 5^0) = 8 \cdot 2 \cdot 4 = 64$$, so you get $64$ lines where $gcd \equiv 1$
Given two integers $d$ and $e$, If $\exists$ an inverse function $d$ for $e$ then, $ed \equiv 1$ $(mod \phi(n))$ by definition.
$ed = 1 + k\cdot \phi(n)$ for some integer $k$.
If $c \equiv m^e (mod\; n)$ then,
$\large c^d \equiv m^{ed} \equiv m^{1+k \phi(n)} \equiv m \cdot (m^{\phi(n)})^k \equiv m \cdot 1^k,
$ since $\large m^{\phi(n)} \equiv 1 (mod \; n)$,
by the Euler-Fermat theorem, as $\large gcd(m, n)=1$
$\large \equiv m (mod\; n)$
Hence $m = c^d\; mod\; n$ is a unique integer in the range $0 \le m \lt n$.
References
[1] https://people.csail.mit.edu/rivest/Rsapaper.pdf
[2] https://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642446493
[3] https://www.youtube.com/watch?v=fq6SXByItUI
Comments
Post a Comment