Notes by Gene Cooperman, © 2009 (may be freely copied as long as this copyright notice remains)
f(x): plaintext ---> encrypted text; f^{-1}(x): encrypted text ---> plaintext.
f() is public. f^{-1}() is private.
Publish f() on the Internet. Now anybody can encrypt a message and send it to you securely. You use f^{-1}() to decrypt it.

You have your own public key, f(). Someone else has their own public key, g(). Write your signature, s. Include a date, time and purpose in your signature so that no one can try to re-use your signature on a later document. Compute f^{-1}(s). (You know f^{-1}() as the private part of your key.) Compute m = g(f^{-1}(s)), and send it to the other person. That person knows his or her private key, g^{-1}(). So, he or she can compute f(g^{-1}(m)) = s, and verify that it was signed by you. No one else knows f^{-1}(). So, no one else can forge your digital signature.
Your public encryption function is f(x) = x^e mod N. (There are certain restrictions on e and N discussed below.) Compute your private key d such that x^{ed} mod N = x mod N. (It would be tempting if d = e^{-1} mod N satisfied the above equation, but that turns out not to work.) Now, your private decryption function is f^{-1}(x) = x^d mod N, and f^{-1}(f(x)) = x.

As we will see, N will be chosen as the product of two large primes, p and q. We will need to know p and q in order to compute d. We publish only e and N, but not p and q. Factoring N into p and q is believed to be very hard. So, no one else can discover our private key d.
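The two protocols above (encrypt with the public f(), decrypt with the private f^{-1}(); sign as m = g(f^{-1}(s)) and recover s = f(g^{-1}(m))) written out with the RSA functions just defined. This is an added example, not code from the notes; the primes, exponents and the message value are constructed toys, and the built-in pow(e, -1, n) stands in for the inverse computation the notes develop later.

```python
# Added example (not from Cooperman's notes): a toy RSA keypair built exactly
# as the notes describe, f(x) = x^e mod N with f^{-1}(x) = x^d mod N, then the
# notes' signature protocol m = g(f^{-1}(s)), recovered as f(g^{-1}(m)) = s.
# The primes below are tiny, constructed for illustration only; real keys use
# primes of hundreds of digits.  The inverse d is taken mod (p-1)(q-1).
from math import gcd


def make_key(p, q, e):
    """Return (public, private) = ((e, N), (d, N)) for primes p, q and exponent e."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # built-in modular inverse (Python 3.8+)
    return (e, N), (d, N)


def apply(key, x):
    """f(x) = x^e mod N for a public key, f^{-1}(x) = x^d mod N for a private key."""
    exp, N = key
    return pow(x, exp, N)


def sign_for(recipient_pub, my_priv, s):
    """m = g(f^{-1}(s)): sign s with my private key, then encrypt to the recipient."""
    return apply(recipient_pub, apply(my_priv, s))


def verify_from(sender_pub, my_priv, m):
    """f(g^{-1}(m)): decrypt with my private key, then undo the sender's signature."""
    return apply(sender_pub, apply(my_priv, m))


# Constructed keys: "you" (f) and "someone else" (g).  The recipient's modulus
# is chosen larger than the sender's so that f^{-1}(s) < N_g fits into g().
YOU_PUB, YOU_PRIV = make_key(61, 53, 17)       # N = 3233
OTHER_PUB, OTHER_PRIV = make_key(101, 103, 7)  # N = 10403


def demo(s=1234):
    """Encrypt/decrypt round trip and signature round trip; returns (decrypted, recovered)."""
    ciphertext = apply(YOU_PUB, s)        # anyone can encrypt to you
    decrypted = apply(YOU_PRIV, ciphertext)
    m = sign_for(OTHER_PUB, YOU_PRIV, s)  # you sign s and send m
    recovered = verify_from(YOU_PUB, OTHER_PRIV, m)
    return decrypted, recovered


if __name__ == "__main__":
    print(demo())  # (1234, 1234)
```

The message s must be smaller than your modulus N, and the signed value f^{-1}(s) must be smaller than the recipient's modulus, otherwise the reduction mod N loses information and the recovered value no longer equals s.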
A note about "modulo": The text (and others) sometimes writes P = Q (mod N) to mean P mod N = Q mod N.

Addition and multiplication of large numbers is easy. Modulo is an operation that can be done before or after. Exponentiation can be done by repeated squaring. Given x, computing x, x^2, x^4, x^8, x^16, ... is easy. For a general n (n not a power of 2), represent n in binary. Now, n is a sum of powers of 2, so x^n is the product of the corresponding terms x^{2^i}. Negation, and therefore subtraction, modulo N is also easy: -x mod N = (-x + N) mod N. Example: -2 mod 3 = 1 mod 3, and hence (2 mod 3) + (1 mod 3) = 0 mod 3, as we expect. We will also need the multiplicative inverse, but we defer that below.
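Repeated squaring and negation mod N, as described above, written out in Python. This is an added example, not code from the notes; the inputs in the usage lines are constructed.

```python
# Added example (not part of the original notes): exponentiation by repeated
# squaring, and negation modulo N, written out as the notes describe them.
def mod_pow(x, n, N):
    """Compute x^n mod N by scanning the binary digits of n.

    x^n is the product of x^(2^i) over the set bits i of n; the running value
    `square` holds x^(2^i) mod N, reduced after every multiplication so that
    intermediate numbers never grow beyond N^2.
    """
    if N == 1:
        return 0
    result = 1
    square = x % N
    while n > 0:
        if n & 1:                       # this power of 2 appears in n's binary form
            result = (result * square) % N
        square = (square * square) % N  # x, x^2, x^4, x^8, ...
        n >>= 1
    return result


def mod_neg(x, N):
    """-x mod N = (-x + N) mod N, kept in the range 0..N-1."""
    return (-x + N) % N


def mod_sub(a, b, N):
    """a - b mod N, done as addition of the negation."""
    return (a % N + mod_neg(b, N)) % N


if __name__ == "__main__":
    print(mod_pow(4, 13, 497))        # 445
    print(mod_neg(2, 3))              # 1
    print((2 + mod_neg(2, 3)) % 3)    # 0, the notes' example
```

The loop runs once per bit of n, so an exponent of a thousand bits costs about a thousand squarings and at most a thousand multiplications, which is why exponentiation mod N is cheap even for the huge exponents RSA uses.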
We now show why (x^e)^d = x mod N. Assume you chose N = pq for two large primes, p and q. We will show that d = e^{-1} mod (p-1)(q-1) satisfies x^{ed} mod N = x mod N for all x. Equivalently, we need to show for some k that x^{ed} = x^{1 + k(p-1)(q-1)}, and x^{(p-1)(q-1)} mod N = 1, and then we're done.

Next, we invoke Fermat's Little Theorem (from Section 1.3): if p is prime, then for every a < p, a^{p-1} = 1 mod p.

So, we need to show x^{(p-1)(q-1)} mod N = 1. To do this, we'll show x^{(p-1)(q-1)} mod p = 1 and x^{(p-1)(q-1)} mod q = 1, and then conclude that x^{(p-1)(q-1)} mod pq = 1 (recalling that N = pq).

Note that x^{(p-1)(q-1)} mod p = (x^{(p-1)})^{(q-1)} mod p. This is q-1 copies of x^{(p-1)} under multiplication, and we can apply mod p to each one. But x^{(p-1)} mod p = 1 by Fermat's Little Theorem, and so x^{(p-1)(q-1)} mod p = 1. Now x^{(p-1)(q-1)} mod p = 1 means x^{(p-1)(q-1)} = 1 + kp for some constant k. Similarly, we could have shown that x^{(p-1)(q-1)} mod q = 1, and x^{(p-1)(q-1)} mod q = 1 means x^{(p-1)(q-1)} = 1 + k'q for some constant k'.

Combining the two equations for x^{(p-1)(q-1)}, we have 1 + kp = 1 + k'q, or kp = k'q. Since p and q are both prime, the mystery integer kp = k'q must have prime factors that include both p and q. The only way to solve this is to make kp = k'q = cpq for some integer c. Hence x^{(p-1)(q-1)} = 1 + kp = 1 + cpq. In other words, x^{(p-1)(q-1)} is equal to 1 modulo N = pq. Finally, x^{ed} mod N = x^{1 + k(p-1)(q-1)} mod N = x mod N.
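The facts the proof above rests on, checked exhaustively for a constructed small N = pq. This is an added example, not part of the notes. Note the caveat a careful reader should carry away: Fermat's Little Theorem needs a not divisible by p, so x^{(p-1)(q-1)} mod N = 1 holds for x relatively prime to N, and the example checks it only for those x; the decryption identity x^{ed} mod N = x nevertheless holds for every x, which the example also checks.

```python
# Added example (not from the notes): check the two facts the proof rests on,
# for a constructed small N = pq.  x^((p-1)(q-1)) mod N = 1 is checked only
# for x with gcd(x, N) = 1 (Fermat needs p not dividing x); the decryption
# identity x^(ed) mod N = x is checked for all x in 0..N-1.
from math import gcd


def fermat_holds(p):
    """a^(p-1) mod p == 1 for every 0 < a < p (Fermat's Little Theorem)."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))


def totient_power_is_one(p, q):
    """x^((p-1)(q-1)) mod pq == 1 for every x relatively prime to pq."""
    N = p * q
    t = (p - 1) * (q - 1)
    return all(pow(x, t, N) == 1 for x in range(1, N) if gcd(x, N) == 1)


def decryption_identity_holds(p, q, e):
    """x^(ed) mod N == x for every 0 <= x < N, with d = e^{-1} mod (p-1)(q-1)."""
    N = p * q
    t = (p - 1) * (q - 1)
    d = pow(e, -1, t)
    assert (e * d) % t == 1                 # ed = 1 + k(p-1)(q-1)
    return all(pow(x, e * d, N) == x for x in range(N))


def exceptions_to_totient_power(p, q):
    """The x in 0..N-1 with x^((p-1)(q-1)) mod N != 1: exactly the x sharing a factor with N."""
    N = p * q
    t = (p - 1) * (q - 1)
    return [x for x in range(N) if pow(x, t, N) != 1]


if __name__ == "__main__":
    print(fermat_holds(11), totient_power_is_one(11, 13),
          decryption_identity_holds(11, 13, 7))   # True True True
    print(exceptions_to_totient_power(5, 7))     # 0 and the multiples of 5 or 7 below 35
```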
Instead of computing d as above, it would have been tempting to instead choose d = e^{-1} mod N, and to blindly assume that x^{ed} mod N = x mod N. Unfortunately, this is not true. Consider that x^{e(e^{-1})} mod N = x^{1+kN} mod N ≠ x mod N in general. (Try N=3 for an example where it's not equal.)

Nevertheless, we do need to compute multiplicative inverses to compute the correct definition of d = e^{-1} mod (p-1)(q-1). Given e, the number e^{-1} mod (p-1)(q-1) is defined such that e^{-1} e = 1 + k(p-1)(q-1) for some integer k. Given e and (p-1)(q-1), we wish to find e^{-1} and k such that e^{-1} e - k(p-1)(q-1) = 1. This requires the extended Euclidean algorithm, which we present in a canonical form.
Solve: Given constant integers a and b, find integers x and y with a x + b y = 1. (Without loss of generality assume b ≤ a. Otherwise, swap the roles of a and b (and of x and y) to make it true.)

1. If a and b have a common factor f ≠ 1, then ax + by = 1 can't be solved. This is because we have f((a/f)x + (b/f)y) = 1. But 1 cannot be written as the product of an integer f ≠ 1 and an integer ((a/f)x + (b/f)y). So, assume that a and b are relatively prime.

2. If b > 0, then solve the equivalent simpler equation (a-b) x + b (x+y) = 1. (Note that (a-b) < a. Given a and b, after solving the simpler equation, we have found values for x and (x+y). From this, we can go back and find values for x and y in the original equation.)

3. If b = 0, then choose the solution: x = 1, y = 0, and d = a.

The initial step (step 1 above) required that a and b have no common factor. In our application, that means that e and (p-1)(q-1) have no common factor. This is another restriction on e, in addition to N = pq for two large primes, p and q.
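The canonical-form extended Euclidean algorithm (steps 1 to 3 above), used to compute the correct d = e^{-1} mod (p-1)(q-1) and compared against the tempting but wrong d = e^{-1} mod N discussed earlier, including the notes' N=3 case. This is an added example, not code from the notes; the primes and exponent are constructed toys, and the function names are my own.

```python
# Added example (not part of the notes): the extended Euclidean algorithm in the
# subtractive "canonical form" above, used to compute d = e^{-1} mod (p-1)(q-1),
# next to the tempting but wrong d = e^{-1} mod N.  Primes are constructed toys.
def solve(a, b):
    """Return (x, y, d) with a*x + b*y = d, d = gcd(a, b), following steps 1-3.

    Step 2 rewrites a x + b y = d as (a-b) x + b (x+y) = d when b > 0; the
    roles of the two terms are swapped whenever the second exceeds the first.
    Step 3 stops at b = 0 with x = 1, y = 0, d = a.  Step 1 (common factor)
    shows up as d != 1 in the result.
    """
    if b > a:
        y, x, d = solve(b, a)        # swap the roles of (a, x) and (b, y)
        return x, y, d
    if b == 0:
        return 1, 0, a               # step 3
    x, s, d = solve(a - b, b)        # step 2: s stands for (x + y)
    return x, s - x, d               # recover y = s - x


def mod_inverse(e, n):
    """e^{-1} mod n, or None if e and n share a factor (step 1)."""
    x, y, d = solve(e % n, n)
    if d != 1:
        return None
    return x % n


def private_exponent(p, q, e):
    """Correct RSA private exponent: d = e^{-1} mod (p-1)(q-1)."""
    return mod_inverse(e, (p - 1) * (q - 1))


def wrong_private_exponent(p, q, e):
    """The tempting but wrong choice d = e^{-1} mod N."""
    return mod_inverse(e, p * q)


def decrypts_everything(p, q, d, e):
    """True if (x^e)^d mod N == x for every x in 0..N-1; compares the two choices of d."""
    N = p * q
    return all(pow(pow(x, e, N), d, N) == x for x in range(N))


if __name__ == "__main__":
    p, q, e = 11, 13, 7
    good, bad = private_exponent(p, q, e), wrong_private_exponent(p, q, e)
    print(good, decrypts_everything(p, q, good, e))  # 103 True
    print(bad, decrypts_everything(p, q, bad, e))    # 41 False
    # The notes' N=3 case: e = 2, e^{-1} mod 3 = 2, but 2^(2*2) mod 3 = 1, not 2.
    print(mod_inverse(2, 3), pow(2, 2 * 2, 3))       # 2 1
```

The subtractive form mirrors step 2 literally and is fine for toy numbers; a production implementation replaces repeated subtraction of b by a single a mod b step, which is the usual extended Euclid and is what keeps the cost logarithmic for thousand-bit moduli.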
For your own interest, the Extended Euclidean Algorithm is itself a special case of The Chinese Remainder Theorem.
See http://www.murky.org/blg/poker-by-phone/ for a description of how to use some of these ideas to play Poker with a friend over the telephone.