Notes by Gene Cooperman, © 2009 (may be freely copied as long as this copyright notice remains)
f(x): plaintext ---> encrypted text f-1(x): encrypted text ---> plaintext
f()
is public. f-1()
is private.
Publish f()
on the Internet. Now anybody can encrypt a message
and send it to you securely. You use f-1()
to decrypt it.
You have your own public key, f()
. Someone else has their own
public key, g()
.
Write your signature, s
. Include a date, time and purpose
in your signature so that
no one can try to re-use your signature on a later document.
Then compute f-1(s)
. (You know
f-1()
as the private part of your key.)
Then compute m = g(f-1(s))
, and send it to the other person.
That person knows his or her private key g-1()
.
So, he or she can compute f(g-1(m)) = s
, and
verify that it was signed by you.
No one else knows f-1()
. So, no one else
can forge your digital signature f-1(s)
.
Publish e
, N
: Define f(x) = xe mod N
(There are certain restrictions on e
and N
discussed below.)
Compute your private key d
such that xed mod N = x mod N
for all x
.
(It would be tempting if d=e-1 mod N
satisfied the
above equation, but that turns out not to work.)
Now, your private decryption function is:
f-1(x) = xd mod N
Verify that f-1(f(x)) = x
As we will see, N
will be chosen as the product of two large
primes, p
and q
. We will need to know p
and q
in
order to compute d
. We publish only N
, but not p
and q
. Factoring N
into p
and q
is believed to
be very hard. So, no one else can discover our private key d
.
A note about "modulo": The text (and others) sometimes
write P = Q (mod N)
to mean P mod N = Q mod N
.
Addition and multiplication of large numbers is easy. Modulo is an operation that can be done before or after.
Exponentiation can be done by repeated squaring. Given x
, computing
x, x2, x4, x8, x16, …
,
is easy. For a general xn
(n
not a power of 2), represent
n
in binary. Now, n
is a sum of powers of 2.
Negation, and therefore subtraction, modulo N is also easy.
-x mod N = (-x + N) mod N.
Example: -2 mod 3 = 1 mod 3, and hence (2 mod 3) + (1 mod 3) = 0 mod 3
,
as we expect.
We will also need multiplicative inverse, but we defer that below.
d
such that (xe)d = x mod N
Assume you chose N = p q
for two large primes, p
and q
.
We will show that
d = e-1 mod (p-1)(q-1)
satisfies xed mod N = x mod N
for all x
.
Equivalently, we need to show for some k
that
xed = x1 + k(p-1)(q-1)
, and
x(p-1)(q-1) mod N = 1
, and then we're done.
Next, we invoke
Fermat's Little Theorem (from Section 1.3):
If p
is prime,
then for every a < p, ap-1 = 1 mod p
.
So, we need to show x(p-1)(q-1) mod N = 1
.
To do this, we'll show x(p-1)(q-1) mod p = 1
and x(p-1)(q-1) mod q = 1
and then conclude that
x(p-1)(q-1) mod pq = 1
(recalling N=pq
).
But x(p-1)(q-1) mod p = (x(p-1))(q-1) mod p
.
We have q-1
copies of x(p-1)
under multiplication, and
we apply mod p
to each one. x(p-1) mod p = 1
by
Fermat's Little Theorem, and so x(p-1)(q-1) mod p = 1
.
So, x(p-1)(q-1) mod p = 1
means x(p-1)(q-1) = 1 + kp
for some constant k
.
Similarly, we could have shown that x(p-1)(q-1) mod q = 1
.
So, x(p-1)(q-1) mod q = 1
means x(p-1)(q-1) = 1 + k'q
for some constant k'
.
Combining the two equations for x(p-1)(q-1)
,
we have 1+kp = 1+k'q
, or
kp = k'q
.
Since p
and q
are both prime, the mystery integer kp=k'q
must have prime factors that include both p
and q
.
The only way to solve this is to make kp=k'q=cpq
for some c
.
So, x(p-1)(q-1) = 1 + kp = 1 + cpq
.
So, x(p-1)(q-1)
is equal to 1 modulo pq
.
So, xed mod N = x1 + k(p-1)(q-1) mod N = x mod N
.
Instead of computing d
as above,
it would have been tempting to instead choose d = e-1 mod N
,
and to blindly assume that xed mod N = 1
. Unfortunately,
this is not true. Consider that
xe(e-1) mod N
= x1+kN mod N ≠ x mod N
in general. (Try x=2
, k=1
,
and N=3
for an example where it's not equal.)
Nevertheless, we do need to compute multiplicative inverses to compute
the correct definition of d
:
d = e-1 mod (p-1)(q-1)
.
Given e
, the number e-1 mod (p-1)(q-1)
is defined such that:
e-1 e = 1 + k(p-1)(q-1)
for some integer k.
So, given e
and (p-1)(q-1)
, we wish to find
e-1
and k
such that e-1 e - k (p-1)(q-1) = 1
.
This requires the extended Euclidean algorithm, which we present it
in a canonical form.
Solve: Given constant integers a
and b
,
solve a x + b y = 1
for integers x
and y
.
(Without loss of generality assume b ≤ a
. Otherwise,
switch a
and b
(and x
and y
) to make it true.)
a
and b
have a common factor f ≠ 1
,
then ax+by=1
can't
be solved. This is because we have f ((a/f)x + (b/f)y) = 1
.
But 1 cannot be written as the product of an integer f ≠ 1
and
an integer ((a/f)x + (b/f)y)
. So, assume that a
and b
are relatively prime.b > 0
, then solve the equivalent simpler equation
(a-b) x + b (x+y) = 1
(a-b) < a
.
Given (a-b)
and b
, after solving the simpler equation,
we have found values for x
and (x+y)
.
From this, we can go back and find values for x and y
in the original equation.)b = 0
, then choose the solution: x = 1
, y = 0
,
and d = a
.The initial step (step 1 above) required that a
and b
have
no common factor. In our application, that means that e
and (p-1)(q-1)
have no common factor. This is another restriction on e
and N
,
in addition to N=pq
for two large primes, p
and q
.
For your own interest, the Extended Euclidean Algorithm is itself a special case of The Chinese Remainder Theorem.
See http://www.murky.org/blg/poker-by-phone/ for a description of how to use some of these ideas to play Poker with a friend over the telephone.