Notes by Gene Cooperman, © 2009 (may be freely copied as long as this copyright notice remains)
f(x): plaintext ---> encrypted text
f-1(x): encrypted text ---> plaintext
f() is public. f-1() is private.
Publish f() on the Internet. Now anybody can encrypt a message
and send it to you securely. You use f-1() to decrypt it.
You have your own public key, f(). Someone else has their own
public key, g().
Write your signature, s. Include a date, time and purpose
in your signature so that
no one can try to re-use your signature on a later document.
Then compute f-1(s). (You know
f-1() as the private part of your key.)
Then compute m = g(f-1(s)), and send it to the other person.
That person knows his or her private key g-1().
So, he or she can compute f(g-1(m)) = s, and
verify that it was signed by you.
No one else knows f-1(). So, no one else
can forge your digital signature f-1(s).
Publish e, N: Define f(x) = xe mod N
(There are certain restrictions on e and N discussed below.)
Compute your private key d such that xed mod N = x mod N
for all x.
(It would be tempting if d=e-1 mod N satisfied the
above equation, but that turns out not to work.)
Now, your private decryption function is:
f-1(x) = xd mod N
Verify that f-1(f(x)) = x
As we will see, N will be chosen as the product of two large
primes, p and q. We will need to know p and q in
order to compute d. We publish only N, but not p
and q. Factoring N into p and q is believed to
be very hard. So, no one else can discover our private key d.
A note about "modulo": The text (and others) sometimes
write P = Q (mod N) to mean P mod N = Q mod N.
Addition and multiplication of large numbers is easy. Modulo is an operation that can be done before or after.
Exponentiation can be done by repeated squaring. Given x, computing
x, x2, x4, x8, x16, …,
is easy. For a general xn (n not a power of 2), represent
n in binary. Now, n is a sum of powers of 2.
Negation, and therefore subtraction, modulo N is also easy.
-x mod N = (-x + N) mod N.
Example: -2 mod 3 = 1 mod 3, and hence (2 mod 3) + (1 mod 3) = 0 mod 3,
as we expect.
We will also need multiplicative inverse, but we defer that below.
d such that (xe)d = x mod NAssume you chose N = p q for two large primes, p and q.
We will show that
d = e-1 mod (p-1)(q-1)
satisfies xed mod N = x mod N for all x.
Equivalently, we need to show for some k that
xed = x1 + k(p-1)(q-1), and
x(p-1)(q-1) mod N = 1, and then we're done.
Next, we invoke
Fermat's Little Theorem (from Section 1.3):
If p is prime,
then for every a < p, ap-1 = 1 mod p.
So, we need to show x(p-1)(q-1) mod N = 1.
To do this, we'll show x(p-1)(q-1) mod p = 1
and x(p-1)(q-1) mod q = 1 and then conclude that
x(p-1)(q-1) mod pq = 1 (recalling N=pq).
But x(p-1)(q-1) mod p = (x(p-1))(q-1) mod p.
We have q-1 copies of x(p-1) under multiplication, and
we apply mod p to each one. x(p-1) mod p = 1 by
Fermat's Little Theorem, and so x(p-1)(q-1) mod p = 1.
So, x(p-1)(q-1) mod p = 1 means x(p-1)(q-1) = 1 + kp
for some constant k.
Similarly, we could have shown that x(p-1)(q-1) mod q = 1.
So, x(p-1)(q-1) mod q = 1 means x(p-1)(q-1) = 1 + k'q
for some constant k'.
Combining the two equations for x(p-1)(q-1),
we have 1+kp = 1+k'q, or
kp = k'q.
Since p and q are both prime, the mystery integer kp=k'q must have prime factors that include both p and q.
The only way to solve this is to make kp=k'q=cpq for some c.
So, x(p-1)(q-1) = 1 + kp = 1 + cpq.
So, x(p-1)(q-1) is equal to 1 modulo pq.
So, xed mod N = x1 + k(p-1)(q-1) mod N = x mod N.
Instead of computing d as above,
it would have been tempting to instead choose d = e-1 mod N,
and to blindly assume that xed mod N = 1. Unfortunately,
this is not true. Consider that
xe(e-1) mod N
= x1+kN mod N ≠ x mod N in general. (Try x=2, k=1,
and N=3 for an example where it's not equal.)
Nevertheless, we do need to compute multiplicative inverses to compute
the correct definition of d:
d = e-1 mod (p-1)(q-1).
Given e, the number e-1 mod (p-1)(q-1) is defined such that:
e-1 e = 1 + k(p-1)(q-1) for some integer k.
So, given e and (p-1)(q-1), we wish to find
e-1 and k such that e-1 e - k (p-1)(q-1) = 1.
This requires the extended Euclidean algorithm, which we present it
in a canonical form.
Solve: Given constant integers a and b,
solve a x + b y = 1 for integers x and y.
(Without loss of generality assume b ≤ a. Otherwise,
switch a and b (and x and y) to make it true.)
a and b have a common factor f ≠ 1,
then ax+by=1 can't
be solved. This is because we have f ((a/f)x + (b/f)y) = 1.
But 1 cannot be written as the product of an integer f ≠ 1 and
an integer ((a/f)x + (b/f)y). So, assume that a and b
are relatively prime.b > 0, then solve the equivalent simpler equation
(a-b) x + b (x+y) = 1 (a-b) < a.
Given (a-b) and b, after solving the simpler equation,
we have found values for x and (x+y).
From this, we can go back and find values for x and y
in the original equation.)b = 0, then choose the solution: x = 1, y = 0,
and d = a.The initial step (step 1 above) required that a and b have
no common factor. In our application, that means that e and (p-1)(q-1)
have no common factor. This is another restriction on e and N,
in addition to N=pq for two large primes, p and q.
For your own interest, the Extended Euclidean Algorithm is itself a special case of The Chinese Remainder Theorem.
See http://www.murky.org/blg/poker-by-phone/ for a description of how to use some of these ideas to play Poker with a friend over the telephone.