Grade
11/12 Math Circles
Cryptography, Part 2
Introduction
In the previous lesson, we discussed various methods for encrypting
and decrypting messages in such a way that no one but the intended
recipient can remove the encryption and recover the original message.
However, all of these methods had the same drawback: both sender and
receiver are required to exchange a shared, secret key before
they begin communicating. Because of the symmetry between the secret
information the sender and receiver have, these methods of encryption
are all grouped under the term symmetric key cryptography
nowadays.
At the end of the previous lesson, we mentioned that in the 1970s, a
whole new way of performing cryptography was invented, known as
public key cryptography. Without the discovery of this form of
cryptography, secure communication over the internet would have been
impossible to implement! The goal of this lesson is to explain how
public key cryptography works in the abstract, before introducing one of
the first and most common methods for public key cryptography, known as
the RSA cryptosystem.
Public Key
Cryptography
The idea behind public key cryptography was invented independently in
the 1970s by two different people: Whitfield Diffie, an American
academic, and James Ellis, who worked for the British government. For a
long time, credit for public key cryptography went to Diffie, because
Ellis could not share his government work with the general public.
That’s the nature of this top-secret business!
The big breakthrough here is that encryption and decryption do not
have to use the same key. Suppose for a moment that Nick can generate a
pair of keys, which we call a public key and a private
key. As the name suggests, the private key is kept secret and never
revealed to anybody (even to Shefaza, who Nick wishes to communicate
with). On the other hand, the public key is published in
public, where everyone can see (not just Shefaza).
Anyone wishing to encrypt a message to Nick would use his public key
on their plaintext to generate the ciphertext. Now the catch is that
Nick’s public key can only be used for encryption, and not for
decryption! Nick’s private key, on the other hand, is good only for
decryption, and cannot be used to encrypt messages.
In Simon Singh’s excellent book on cryptography, The Code
Book, he gives a useful metaphor explaining how public key
cryptography works. Suppose Nick has an unlimited supply of identical
open padlocks (copies of the public key), but has only one key for
opening these padlocks (the private key). Anyone wanting to send a
secret message to Nick would pick up one of his unlocked padlocks from
some public location. Then, they can put the message in a box and lock
it with the padlock. Since Nick has the only key, he is the only one who
can remove the locked padlock and read the message in the box.
Notice that public key cryptography removes the problem of getting
keys from Nick to Shefaza. Nick can just publish his public key online,
and Shefaza can download it at her convenience in order to send
encrypted messages to Nick. Nick doesn’t have to worry that his public
key is so widely available, because it can’t be used for decrypting
messages. In the same way, if you want to send your credit card number
to a company over the internet, you just need to download the company’s
public key, and then you’re ready to encrypt.
Both Diffie and Ellis started out by defining public key cryptography
in theoretical terms, but there was still work to do. For starters, is
it even possible to describe a workable cipher that uses public and
private keys? No matter how the cipher works, we have two basic
requirements:
It must be very hard to decrypt a message without the private
key, even if you know the public key. In other words, the
process of encryption must be easy to do, but extremely hard to
undo.
There must be an additional, special piece of information (the
private key) that suddenly makes decryption very easy.
The goal of this lesson is to look at the RSA cryptosystem,
which was the first proposed cipher meeting both of these requirements.
In order to understand this cryptosystem, we will first have to take a
look at a fascinating branch of math known as number theory.
This is the branch of math that studies properties of integers
and prime numbers, which we introduce below.
Prime Numbers
Mathematicians have a fancy name for the numbers .
We call them the integers. The positive integers are
(the integers
that happen to be positive). Not all integers are created equal, though!
The coolest ones are the prime numbers. A positive integer
is called prime if its
only positive factors are and
. For instance, both and are prime.
Positive integers that aren’t prime are called composite.
For example, is composite
because , so that
and are both factors of different from and . There is one exception to this rule:
even though satisfies the
definition of prime number as we’ve just stated it, we actually say that
is neither prime nor
composite.
Stop and Think
Why would we not wish to consider a prime number?
Unique Prime
Factorization
Prime numbers are special because they form the building blocks for
all positive integers. To be specific, every positive integer larger
than is either itself prime, or
can be written as a product of two or more prime numbers. In fact, this
can be done in exactly one way (except for rearranging the order of the
factors, like when ).
Why might prime numbers be useful for public key cryptography? It
turns out that it’s a whole lot easier to multiply numbers together than
it is to break up a number into its prime factors.
Stop and Think
To see how hard factorization can be, see how long it takes you (by
hand) to decide whether is
prime, or if not, to find its prime factors!
Therefore, if the public key uses a number with large prime factors,
and the private key involves the factors themselves, it would be a lot
easier to calculate the public key knowing the private key than to find
the secret prime factors, knowing only the public key. However, this
comes with a word of caution: at the moment, all we know for certain is
that the fastest-known tricks for factoring are monumentally slower than
the fastest-known tricks for multiplying two numbers together. If
someone ever comes along with a technique for fast factoring, the
security of RSA will be completely destroyed!
Greatest Common
Divisors
Another important ingredient in RSA is the idea of the greatest
common divisor (or gcd) of two integers. First, we need an
official definition of what it means for an integer to divide another
one. If and are integers, we say that divides , and write , if we can find another integer
such that .
Example 1
Note that , because
. (Here .)
Likewise, note that
because . (Here
.) We have
too, because .
On the other hand, does not
divide (and we write ). If it did, then we would have
for some integer , so that . But is not an integer.
Given two integers and , we can then talk about their greatest
common divisor. This will be an integer such that is a common divisor of and , in the sense that and . But must also be the greatest such
integer, meaning that no integer larger than divides both and . We will use to refer to the greatest
common divisor of and .
Example 2
How can we calculate the gcd of two integers? One way to do it is to
factor both of those integers as products of primes.
For example, if we wanted to calculate , we can write From this, we take
all the primes that are common to both factorizations, and multiply them
together to get the gcd. Here, we get .
Exercise 1
Compute the following greatest common divisors by factoring the
integers as products of primes.
Exercise 1 Solution
Both and are prime numbers, so they have no
prime factors in common. Note that divides every number, and so must be the largest number that divides
both the primes and . In other words, .
We try to factor both of
and into primes by trial
divison. Afteunnumbered exsolnr some time, we get Only is a prime common to both
factorizations, and so .
Again, we aim to factor both and into primes. With some
trial-and-error division, we get We see that the overlap between the two
factorizations is two s and an
, so .
In solving these exercises, you may have come to appreciate that
calculating gcds in this way can become difficult when the numbers
become large, equivalent in difficulty to factoring an integer into its
product of primes. If there were no better way to calculate a gcd, then
RSA would become impossible to use, since a gcd calculation is part of
the process of setting up the public and private keys!
So now we discuss the efficient calculation of gcds, using a
technique known as the Euclidean algorithm.
The Euclidean
Algorithm
The basic procedure behind the Euclidean algorithm is division with
remainder, which you may recognize from previous mathematical studies.
Given two positive integers and
, we can always find unique
integers and such that , and where . The integer is called
the quotient of the division, and is called the remainder.
The thought behind this process may be illustrated with an example.
Suppose we wished to divide by
with remainder. We take and keep subtracting until doing it one more time would
give something negative: This last number we arrive at is
our remainder, so that . The
number of times we subtracted is
our quotient, so that in this
case. Writing it out in the required format, we get .
If you have a calculator in hand, there is a substantial shortcut:
typing in divided by gives . The value of is just the integer you get when
ignoring what comes after the decimal point (in this case, as already
noted, ). To get , you can then just calculate .
All right, so we’ve talked about divison with remainder, but how does
it relate to calculating the gcd of two numbers? The answer lies in
doing division with remainder repeatedly. Earlier, we verified that
. What happens if
we divide by with remainder? We get Here, the remainder
is , which is the same as the gcd!
Then, we can take and divide it
by with remainder, to end up with
We finish with
a remainder of , because actually divides .
Okay, but why are we doing this? To make the point, let’s try this
with and , where you hopefully verified that
in Exercise 1.
First, we divide by with remainder: Here, the remainder
is . Now, let’s divide by the remainder, : Next, let’s take and divide it by the new remainder,
: Finally, we divide by this newest remainder, : We’ve now reached a remainder of , and the last remainder before that,
, is actually the gcd of and .
In both cases, the last remainder we reached before was the gcd of the two numbers! Does
this always work? The answer is yes, but the proof of this fact is not
all that relevant to our purposes, so our time is better spent on other
topics.
Now, we started out by saying that this procedure is more efficient
at calculating gcds than prime factorization. However, the computation
of using the Euclidean
algorithm used a bunch of steps, and it was easier to compute this
particular gcd using prime factorizations. The savings in time comes
when the numbers are much larger.
Exercise 2
Use the Euclidean algorithm to calculate the following gcds:
(this was
done in Exercise 1 in another way)
Exercise 2 Solution
We start by dividing
by with remainder, which
gives us Next, we take
and divide it by the remainder : Continuing, we take and divide it by the new remainder
: We now
continue this process of taking the divisor from the previous step and
dividing it by the remainder from the previous step, until we reach a
remainder of . From here, the last
non-zero remainder is our gcd (in this case, ). We conclude that , which should
confirm one of your answers from Exercise 1!
As above, we repeatedly perform divisions with remainder,
starting with by , and then dividing the divisor from
each step by the remainder from that same step. The last non-zero
remainder is , and so .
Back-Substitution
(Extended Euclidean Algorithm)
Once we have run the Euclidean algorithm on two integers and to calculate , the work we’ve done has one
extra side benefit: we can use it to find integers and such that . In other words, we
can use the calculations to write as a sum of a multiple of and a multiple of . This will also be useful when we
discuss the RSA cryptosystem.
Let’s explain how this works using the computation we carried out
earlier.
Example 3
When we verified that using the Euclidean algorithm, we performed the following
divisions with remainder: We would now like to use
these calculations to find integers and such that . Let’s
ignore the last line of this computation, and focus on the first three.
We re-write each of these equations so that the remainder is by itself
on one side of the equation, and write the three equations in reverse
order (the order in which we’ll be using them): Notice that the first
equation gives as the sum of a
multiple of and a multiple of
(to be specific, ). We’d like to
write as a multiple of plus a multiple of , in the end. To help with this, we use
the second equation to substitute for the number in the first equation, replacing with a multiple of plus a multiple of . When this is done, we will have
written as a multiple of plus a multiple of as well: Notice at every
step that we’ve collected the terms in such a way that we’re always
working with multiples of and
. Finally, we use the third
equation from the re-arranged Euclidean algorithm work to substitute for
the number , replacing it with a
multiple of plus a multiple of
. This will allow us to write
as a multiple of plus a multiple of , as we wish: Again, note how
we always collect the terms in such a way that we’re working with
multiples of and . We now conclude that a solution to
is
given by and .
The technique used in the previous example is often called the
Extended Euclidean algorithm, and it relies on a process of
back substitution using the work from the ordinary Euclidean
algorithm. The best way to get a feel for how this works is to try a
couple examples yourself:
Exercise 3
Using the Extended Euclidean algorithm, find integers and satisfying each of the following
equations:
(Hint: We calculated using the Euclidean
algorithm earlier.)
Exercise 3 Solution
Earlier in the lesson, we checked that using the following
divisions with remainder: When we ignore the last
line and re-write the first one with the remainder by itself, we have already
written as a multiple of plus a multiple of . Thus, we see that a solution to is and .
Here, we must first calculate using the Euclidean
algorithm. We do this with the following divisions with remainder: The last non-zero
remainder is , so this verifies
. Now, we ignore
the last line and solve for the remainder in each of the first two
equations, writing them in reverse order: If we substitute the
second equation into the first in place of , we can then write as a multiple of plus a multiple of , as needed: We now see that an
integer solution to
is .
The Euler Function
There is one more important gcd-related ingredient to RSA that we
must discuss. This tool is called the Euler phi function. (By
the way, “Euler" is pronounced like “oiler", rather than “you-ler".)
Given a positive integer , we
define to be the number of
integers between and such that .
Example 4
To see a couple examples of Euler phi function calculations, notice
that . This is because
do not share any common
prime factors with , so that for . But , so exactly four
numbers between and satisfy .
On the other hand, note that , because do
not share any prime factors in common with , while do.
You might already guess that it’s hard to take an exhaustive approach
like the one above to calculate when is large. You might be hoping that
there’s a formula for calculating , and if so, your hopes are about
to come true! The only catch is that we need the prime factorization of
in order to make the
calculation.
For RSA, it turns out we only need one special case of this
formula.
Example 5
To work up to the formula needed for RSA, let’s start with
calculating , where is a prime number. By definition of a
prime, has no positive factors
except for and . So, if we take any integer with , then notice that is a factor of , so it
must be equal to either or . But, if , then must be a factor of , which cannot happen if is smaller than .
Hence, we must have for all integers
between and , and , so for any prime .
Example 6
For the setup of RSA, we will be interested in calculating in the case where , where and are distinct prime numbers. Suppose we
are given an integer such that
. What can the
possible values for be?
Since the gcd must divide , there
still aren’t too many possibilities. Indeed, the only options are and .
Furthermore, since we’ve taken , the only way we can have is if , since must divide , and no number larger than can do that.
If , then must be a multiple of . It’s easy to count up how many of
those there are in the range of possible values for . Indeed, we can have all
the way up to . There are
exactly numbers listed here, but
we already counted
elsewhere, so we only get
numbers for which .
Similarly, if ,
then must be a multiple of , which means we could have . All the numbers (except for ) are different from the ones on the list of multiples
of , because none of are divisible by . This
is where the assumption that and
are different is important! This
gives us additional integers
in the desired range such that
.
Now, if we want to count the number of integers such that and , we can do it by elimination. We start with the full list of
integers between and , then subtract off the ones for which
the gcd is equal to either , , or . This gives us such positive integers.
However, since , we can
write the final answer in a more pleasing way by factoring. We find that
when and and are distinct primes.
As we will see, a number of
the form described in Example 6 and the value of are both important parts of the
private key in RSA. Part of the security of RSA is based around the fact
that cannot be computed
quickly without knowing the prime factors of .
Modular Arithmetic,
A.K.A. Clock Arithmetic
Our final ingredient in RSA is a way of performing arithmetic, which
you use whenever you perform calculations with time. If it is 10 o’clock
now and your friend wants to meet you in three hours, you do the mental
addition, get an answer of 13 o’clock, but then silently change that
answer to 1 o’clock because clocks only have 12 hours on them.
When you get to 12, you “loop" around and start back at 1 again. When
you do this, mathematicians would say you are doing arithmetic “modulo
12". If we wanted to write this calculation mathematically, we would say
Out
loud, we would read it as “ plus
is congruent to modulo ". We use the sign rather than the sign to signal that we’re working with
modular arithmetic, and the signals that the looping around happens when we get to
.
If you think about this a little more deeply, the same thing happens
when we work with minutes too. If you have ever listened to CBC Radio,
you may hear the host announce the time as “45 minutes past the hour, or
15 minutes past the hour in Newfoundland". The island of Newfoundland
has the charming quirk of setting their clocks half an hour ahead of the
rest of Atlantic Canada, which means national radio hosts have to do a
lot of clock arithmetic.
If you start with minutes
past the hour and add minutes,
you’ll end up with minutes.
Since there are only minutes in
an hour, we’ll have to loop around and start counting back at when we hit minutes. This way, we get the correct
answer of minutes past the hour,
rather than saying “ minutes past
the hour". Here, we’re doing calculations “modulo ". To write this mathematically,
Calculations involving time are done modulo or modulo , but there’s nothing stopping us from
doing arithmetic modulo other integers, like . If we add and modulo , we first get , but we know we can loop around and
start again when we get to , so we
can actually say (Thinking about a hypothetical seven-hour clock helps with
visualizing this.)
Since we loop around every time we get to , adding (or subtracting) multiples of
from an integer does not change
the result modulo . Therefore, we
can say all of the following things: All of , , and differ from each other by a multiple
of , which is why all of these are
“the same" modulo .
Officially, we would define two integers and to be congruent modulo if their difference is a multiple of
, or in other words, if . Similarly, given two
integers and and any positive integer , we would define to mean that , building off of the
examples above.
One of the best features of this definition (from the point of view
of RSA) is that the operations of addition, subtraction, and
multiplication all behave nicely with respect to congruence modulo . For instance, we noted that and , so and can be used interchangeably in
calculations, and so can and
. For example, and because .
What really makes RSA work is that the powers of a number often
behave unpredictably in modular arithmetic.
Example 7
If we work modulo , let’s
see how the powers of behave:
Each time, notice how we
choose to write the final result of the computation as an integer
between and , because that’s the simplest way to
represent an integer modulo
(think of it like the way we always report minutes in the hour between
and ).
Writing the answers in this way, notice how unpredictable the list of
powers of is after the first few
steps: . Suppose we were to try to find an exponent such that , if one exists at
all. How would you find it, other than exhaustively computing powers of
? The fact that no one knows an
easy way to solve such problems computationally is another feature RSA
uses to guarantee security.
The RSA
Cryptosystem
At last, we have everything we need to describe the first working
example of public key cryptography. Here, the plaintext and ciphertext
will be numbers, not strings of letters. This might seem strange
compared to our examples from the previous lesson, but makes perfect
sense in our digital age. Everything stored in computers is a sequence
of s and s. In other words, every piece of data
is represented by a number (admittedly, one in base rather than our usual base ). Therefore, every message you send
with your computer can be represented as a number.
For Nick and Shefaza to use public key cryptography, remember that
Nick needs to set up both a public key (for others to send encrypted
messages to Nick), and a private key (so that Nick can decrypt the
messages he receives).
To create a public key, Nick will perform the following steps:
Choose two different, very large prime numbers and .
Multiply and together to obtain an integer . At the same time, calculate to use later. To
encrypt and decrypt messages, we will be working modulo .
Choose an encryption exponent , an integer between and , such that . (We would make this gcd calculation using the Euclidean
algorithm.)
At this point, Nick can tell everyone the values of and : this will be his public key. To
calculate his private key, there is only one more step:
Find integers and such that , and choose the
solution so that . (To obtain these values of and , we would run the Extended Euclidean
algorithm on and . Some adjustment may be needed to
obtain a value of in the desired
range, though.)
Nick’s private key is the number . At this point, he should lock away (or
destroy) the values of and
and never tell them to
anyone. If he did, the private key would be compromised. Why? If Nick
ever told anyone the value of , they could compute the value of
in the same way Nick did, using
just and , because is already public information.
Likewise, if Nick ever leaked the value of either of or , then someone could easily get the
other prime factor through ordinary division. As we know, it’s easy to
calculate when you know
and (that’s how Nick did it in the first
place), and we just explained why leaking the value of is a very bad thing.
The last thing we need to do is describe how encryption and
decryption work. Let’s say Shefaza wants to send as a plaintext ( for “message"), where is between and . She can look up the public numbers and , and then calculate the unique number
between and such that (Here, is for
“ciphertext".) Shefaza would then send to Nick.
To decrypt, Nick takes and
calculates the unique integer
between and such that Notice Nick is
the only one who knows what is,
so he is the only one able to do this. Somewhat magically, it turns out
that , resulting in a
successful decryption!
The proof that RSA works depends on some mathematical results called
Euler’s theorem and the Chinese Remainder Theorem, and
to give that proof would make this already-long lesson even longer! So,
we will leave the justification out.
For now, we just illustrate with a single example, and leave it to
you to try some more!
Example 8
Let’s say Nick chooses the primes and . (In reality,
these primes should have hundreds of digits, but this is easier to
follow.) He would then compute
Let’s also suppose Nick chooses for his encryption exponent (you can easily check that ). Nick would go ahead and
publish and for his public key. Then, to
calculate his private key, he would run the Extended Euclidean algorithm
to find that has a
solution with and . So, as it turns out, Nick’s
decryption exponent is also .
Now, let’s say Shefaza comes along and wants to send as a plaintext. She computes modulo :
Shefaza sends as a
ciphertext. When Nick receives this ciphertext, he computes modulo : So Nick retrieves
, the same as the plaintext
Shefaza started with. Cool!
Exercise 4
Try this for yourself! Choose primes and , and calculate the public and private
keys. If you have a friend to try this with, have them send you a
ciphertext and try to decrypt it.
Exercise 4 Solution
Answers will vary.