RSA cryptosystem - Proofs of correctness

RSA Introduction

Most of us know RSA cryptosystem which is the most widely spread cryptosystem even today. The system was invented by three scholars Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem. In RSA, the process of encryption and decryption is depicted in the following illustration.






RSA Algorithm

Now let’s drill down this $encryption (E)$ and $decryption (D)$ process furthermore. As we all know the RSA algorithm [1] works as follows:

  • Choose two prime numbers $p$ and $q$,
  • Compute the modulus in which the arithmetic will be done: $N = pq$,
  • Pick a public encryption key $e \in Z_n$,
  • Compute the private decryption key as $d$ such that $ed = 1\; mod\; \phi(N)$,
  • Encryption of message $m: c = m^e\; mod\; N$,
  • Decryption of ciphertext $c: m=c^d\; mod\; N$.

Proof

Our simple proof  uses the Euler-Fermat Theorem. Let’s first have a look at it.

Euler-Fermat Theorem

Let $n$ be a positive integer, and let $a$ be an integer that is relatively prime to $n$. Then

$$\Large a^{\phi(n)} \equiv 1 \; (mod \; n)$$

Where $\phi(n)$ is Euler’s totient function, which counts number of positive integers $\le n $ which are relatively prime to $n$. [2] 


The number of integers in $Z_m$ , relatively prime to $m$ is denoted by $\phi(m)$.
It works for messages $m$ that are relatively prime to the modulus $n$, such that $gcd(m, n) = 1$ by definition where $gcd$ stands for greatest common divisor of $m$ and $n$.
 

Suppose $gcd(m, n) = 1$.
Since $e (encryption)$ and $d (decryption)$ are inverse functions, by definition,
$ed \equiv 1 (mod\; \phi(n))$

To get the $\phi(n)$, you have to use Euler's Totient Function. Let’s take an example[2] to clarify this.

$m = 6$, $Z_6 = \{0, 1, 2, 3, 4, 5\}$
$gcd(0, 6) = 6$
$gcd(1, 6) = 1$
$gcd(2, 6) = 2$
$gcd(3, 6) = 3$
$gcd(4, 6) = 2$
$gcd(5, 6) = 1$

So according to Euler's Phi Function $\phi(6) = 2$ which is the count of values $n \in Z_n$  such that $gcd(m, n) = 1$


Computing $\phi(m)$ for a large number which has $1024$ bits following the above naïve approach is not possible. So how can we compute this for really long numbers say $1000$ bits long numbers. Luckily there’s a way: Euler's Phi Function.


Theorem 6.3.1 Let $m$ have the following canonical factorization
$$\Large m = p_1^{e_1} \cdot p_2^{e_2}\cdot \ldots \cdot p_n^{e_n}$$,
Where the $p_i$ are distinct prime numbers and $e_i$ are positive integers, then
$$\Large \phi(m) = \prod_{i=1}^n (p_i^{e_i}-p_i^{e_i-1})$$ [3]

Notice the canonical use of prime factors above. Let’s take an example.
$m = 240, \phi(240) = ?$

Writing $m$ by its prime factors yields,
$$m = 2^4 · 3 · 5 $$
$$= p_1^{e_1} \cdot p_2^{e_2} \cdot p_3^{e_3}$$


Applying to the equation, $n = 3$ since only $3$ distinct prime factors exists above.
$$\phi(240) =  (2^4 - 2^3) \cdot (3^1 - 3^0) \cdot  (5^1 - 5^0) = 8 \cdot 2 \cdot 4 = 64$$, so you get $64$ lines where $gcd \equiv  1$

Given two integers $d$ and $e$, If $\exists$ an inverse function $d$ for $e$ then, $ed \equiv 1$ $(mod \phi(n))$ by definition.

$ed = 1 + k\cdot \phi(n)$ for some integer $k$.

If $c \equiv m^e (mod\; n)$ then,
$\large c^d \equiv m^{ed}  \equiv m^{1+k \phi(n)} \equiv m \cdot (m^{\phi(n)})^k \equiv m \cdot 1^k,
$ since $\large m^{\phi(n)} \equiv 1 (mod \; n)$,

by the Euler-Fermat theorem, as $\large gcd(m, n)=1$

$\large \equiv m (mod\; n)$
Hence $m = c^d\;  mod\; n$ is a unique integer in the range $0 \le m \lt n$.


References


[1] https://people.csail.mit.edu/rivest/Rsapaper.pdf
[2] https://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642446493
[3] https://www.youtube.com/watch?v=fq6SXByItUI




    Comments

    Popular posts from this blog

    Introducing Java Reactive Extentions in to a SpringBoot Micro Service

    Optimal binary search trees

    Combining the emissions of multiple Observables together using RxJava Zip operator in a Spring Boot Micro service