A First Course in Number Theory

2.7 Public Key Cryptography

Cryptographyis the art and science of sending secret messages. The message that we want to send is called the plaintext. The sender uses a key to encipher, or encrypt, it into ciphertext, and the ciphertext is transmitted

to the receiver, who uses another key to decipher, or decrypt, it back into plaintext. By writing letters and punctuation marks as numbers, we can assume that the plaintext is a positive integer P, and that it is encrypted as a different positive integer C. The problem is to invent keys that make it impossible or computationally infeasible for an enemy to decipher an intercepted message.Cryptanalysisis the art and science of deciphering an intercepted message without knowledge of the decrypting key.

Classically, cryptography uses secret keys that are known only to sender and receiver. If the enemy discovers the encrypting key and intercepts the ciphertext, then he might be able to compute the decrypting key and re- cover the plaintext.

Here is an example of asecret key cryptosystem. Letpbe an odd prime, and letebe an integer such that (e, p−1) = 1. Suppose that the plaintext P is an integer such that 0 < P < p. Let the ciphertext C be the least nonnegative residue ofP^emodulop, that is, we construct Cby the rule

C≡P^e (mod p) and

0< C < p.

The encrypting key for this cipher consists of the prime numberpand the integer e. To decrypt this cipher, we use elementary number theory. Since (e, p−1) = 1, there exists an integerdsuch that ed≡1 (modp−1). It is easy to compute d. We can use the Euclidean algorithm, for example.

The decrypting key consists of the prime pand the integer d. Sinceed= 1 + (p−1)kfor some integerk, and sinceP^p−1≡1 (modp) by Fermat’s theorem, it follows that

C^d≡P^ed≡P^1+(p−1)k≡P(P^p−1)^k ≡P (mod p).

Thus, we can decrypt the ciphertextCby computing the least nonnegative residue ofC^dmodulop. An enemy who learns the encrypting key will break the cipher.

For example, ifp= 17 ande= 3, then the plaintextP = 10 is encrypted as

P³= 10³≡14 (mod 17),

and so the ciphertext isC= 14. Since 3·11≡1 (mod 16), it follows that d= 11 is a decrypting key. We observe that

C¹¹= 14¹¹≡10 =P (mod 17).

There is a more sophisticated idea in cryptography that produces secure ciphers even if the encrypting key is known. Indeed, the encrypting key can be made public, so that anyone can encrypt and send a message, but the decrypting key cannot be computed from knowledge of the encrypting key.

78 2. Congruences

This is called a public key cryptosystem. Here is an example. We choose two different large primespandq, and let

m=pq.

Since we knowpandq, it is easy to calculateϕ(m) = (p−1)(q−1). Pick an integerethat is relatively prime toϕ(m). We publish the numbersmande.

The plaintext must be a positive integerPthat is less thanmand relatively prime to m If m is a large number, then almost all positive integers less than m are relatively prime to m (Exercise 4), so we can assume that (P, m) = 1. The ciphertext will be the unique integerC such that

C≡P^e (mod m) and

0< C < m.

It is important to note that we disclose neitherϕ(m) nor the prime factors p andq of m. These are kept secret. However, since we know ϕ(m), it is easy, by using the Euclidean algorithm, for example, to compute an integer dsuch that

ed≡1 (modϕ(m)), that is,

ed= 1 +ϕ(m)k

for some integer k. To decrypt the ciphertext C, we simply compute the least nonnegative residue of

C^d (modm).

Since (P, m) = 1, Euler’s theorem tells us that

C^d≡P^ed≡P^1+ϕ(m)k≡P (modm).

The decryption key requires the integers dand m. It is not enough to know e and m. To compute d, one must know both e and ϕ(m). Since ϕ(m) = (p−1)(q−1), this requires a knowledge of the primes p and q such that m = pq, that is, we must be able to factor m. If the primes p andqare large (such as several thousand digits each), then it is impossible with state-of-the-art computer hardware and our current knowledge about factoring large numbers to find the prime factors ofmin a reasonable time, for example, a million years. We know the prime factorspandq, and so we can computeϕ(m), but an opponent who wants to intercept and decrypt the message will fail, since he does not know the primes and cannot factor m. Indeed, the following result shows that knowing ϕ(m) is equivalent to knowing the prime factors ofm.

Theorem 2.19 Letmbe an integer that is the product of two prime num- bers. The prime divisors of mare the roots of the quadratic equation

x²−(m+ 1−ϕ(m))x+m= 0, and soϕ(m)determines the prime factors ofm.

Proof. Ifm=pq,then

ϕ(m) = (p−1)(q−1) =pq−p−q+ 1 =m−p−m p + 1, and so

p−(m+ 1−ϕ(m)) +m p = 0.

Equivalently,pandqare the solutions of the quadratic equation x²−(m+ 1−ϕ(m))x+m= 0.

This completes the proof.2

For example, ifm= 221 andϕ(m) = 192, then the quadratic equation x²−30x+ 221 = 0

has solutionsx= 13 andx= 17, and 221 = 13·17.

This method, known as theRSA cryptosystem, is called apublic key cryp- tosystem, since the encryption key is made available to everyone, and the encrypted message can be transmitted through public channels. Only the possessor of the prime factors ofmcan decrypt the message. RSA is simple, but useful, and is the basis of many commercially valuable cryptosystems.

Exercises

1. Consider the secret key cryptosystem constructed from the prime p= 947 and the encoding keye= 167. Encipher the plaintextP = 2.

Find a decrypting key and decipher the ciphertextC= 3.

2. Consider the primes p = 53 and q = 61. Let m = pq. Prove that e= 7 is relatively prime toϕ(m). Find a positive integerdsuch that ed≡1 (modϕ(m)).

3. The integer 6059 is the product of two distinct primes, andϕ(6059) = 5904. Use Theorem 2.19 to compute the prime divisors of 6059.

4. The probability that an integer chosen at random between 1 andnis relatively prime tonisϕ(n)/n. Letn=pq, wherepandqare distinct primes greater than x. Prove that the probability that a randomly chosen positive integer up toxis relatively prime tonis greater than (1−1/x)². Ifx= 200, this probability is greater than 0.99.

80 2. Congruences