RSA Cryptosystem and Eisenstein Integers

Cahlen Humphreys
Abstract. Cryptology is a vital tool within the eld of information security that is in use by not only private industry but government institutions alike. The RSA cryptosystem relies on large prime numbers and a factoring problem to ensure encrypted data will not be compromised. Traditionally the RSA algorithm is implemented using the ordinary ring of integers Z. In the following we take particular properties needed to develop a fully functioning RSA cryptosystem and implement them in the Eisenstein integers Z[ ]. Namely, that it is a euclidean domain under a norm function, unique factorization, prime numbers, and a greatest common denominator algorithm.

1. Introduction The RSA cryptosystem is a public-key cryptography alogrithm in which security is dependent upon the diculty of factoring a number which is the product of two large primes. The RSA algorithm was originally described in 1977 by Ron Rivist, Adi Shamir, and Leonard Adleman hence the acronym RSA. The cryptoscheme itself is highly accessible which makes it a great platform for testing dierent kinds of integers. Generally, say Alice wants to communicate privately with Bob. Bob will create a public key using the RSA algorithm, and Alice will encrypt her message using the public-key provided by Bob. Bob then recieves this encrypted message and is able to decrypt it using his secret key [1]. We will explain this process in detail through the next few sections of this paper.

The Eisenstein integers are a commutative ring Z[ ], and are of the form z = a + b . They are named after the mathematician Gotthold Eisenstein, and are also know informally as Eulerian integers. In the complex plane Eisentstein integers from a triangle lattice, as in the picture above. The ring of Eisenstein integers form a Euclidean domain, and because of this we have the Euclidean algorithm, modularity, greatest commmon divisor, and even a sense of prime numbers, all of
1

CAHLEN HUMPHREYS

which are require for a functioning RSA cryptosystem. In this paper we will explain and prove properties of the Eisenstein integers along with explaining how the RSA algorithm works. The properties that we describe we require in order to have a functioning RSA cryptosystem. Namely, we show that Z[ ] is a Euclidean domain with unique factorization, explain what primality means in the sense of Eisenstein integers, and show an algorithm for determining the greatest common divisor of two Eisenstein integers. We then conclude with a brief discussion as to why it may or may not be feasible to even develop such a cryptosystem. 2. Denitions and Notation Definition 2.1 (Eisenstein Integer). Let = (1 + i 3)/2. We dene an Eisenstein integer as z = a + b , where a, b Z. We dene the set of all Eisenstein integers as Z[ ] = {a + b : a, b Z, = (1 + i 3)/2}. Definition 2.2 (Cameron, 2008). An ideal of a ring R is a subring S of R such that, for any s S and r R, we have rs, sr S [2]. Definition 2.3. A non-unit Eisenstein integer is said to be prime if its only non-unit divisors are of the form u where u {1, , 2 }. Further, every Eisenstein integer whose norm, N () is a rational prime is also an Eisenstein prime. Definition 2.4. Two elements , Z[ ] are said to be associates if there exist a unit Z[ ] such that = . Definition 2.5. Given Z[ ], we say that is prime if = where , Z[ ], and either is a unit or is a unit, but not both. 3. Eisenstein Integers Before we begin proving dierent theorems about the Eisenstein integers, we require some lemmas. These lemmas are primarily identities that will help us with Eisenstein arithmetic. Lemma 3.1. 2 = Proof. Indeed, 1 + i 3 1 + i 3 2 2 13i 3i 3 = 4 2 2i 3 = 4 1 i 3 = = . 2

2 =

Lemma 3.2. 2 + + 1 = 0

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

Proof. Indeed, 2 + + 1 = ++1 1 i 3 = 2 1 i 3 = 2 = 2 + 2 2 = 0. 1 + i 3 2 1 + i 3 2

+1 2 2

Lemma 3.3. =1 Proof. Indeed, = = 1 + i 3 2 1 i 3 2

1+3 4 = 1.

Lemma 3.4. + = 1 Proof. Indeed, + = = 1 + i 3 2 + 1 i 3 2

2 2 = 1.

Theorem 3.5. The set of Eisenstein integers Z[ ] form a commutative ring. Proof. First we will show that Z[ ] is closed under addition and multiplication. Let , Z[ ], then = a + b and = c + d . We then have that + = (a + b ) + (c + d ) = (a + c) + (b + d). It follows that since a, b, c, d Z, then u, v Z such that u = a + c and v = b + d, hence Z[ ] is closed under addition.

CAHLEN HUMPHREYS

More over, observe that = (a + b )(c + d ) = ac + bd 2 + bc + ad = ac + bd( 1) + bc + ad = ac bd bd + bc + ad = (ac bd) + (ad + bc bd). It follows that since a, b, c, d Z, then g, h Z such that g = ac bd and h = ad + bc bd, hence Z[ ] is closed under multiplication. Associative Law for Addition Let x, y, z Z[ ], where x = a + b , y = c + d , and z = e + f , and a, b, c, d, e, f Z. Then, (x + y ) + z = (a + b + c + d ) + e + f = (a + c + e) + (b + d + f ) = a + b + (c + d + e + f ) = x + ( y + z ). Additive Identity. Let x = a + b Z[ ], then we claim there exists y Z[ ] such that x + y = x = y + x. Indeed, x + y = a + b + 0 = (a + b ) + (0 + 0 ) = a + b, thus y = 0 + 0 Z[ ] since 0 Z. Additive Inverses. Let x = a + b Z[ ] be arbitrary. We claim that y Z[ ] such that x + y = 0. Indeed, x + y = 0 = x = y then x = a + b and y = a b , and since a, b Z, then certainly y = a b Z[ ]. Commutative Law for Addition. Let x, y Z[ ], where x = a + b and y = c + d and a, b, c, d Z. Then we claim that x + y = y + x. Indeed, x + y = (a + b ) + (c + d ) = (a + c) + (b + d) = (c + d ) + (a + b ) = y + x.

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

Associative Law for Multiplication. Let x, y, z Z[ ], where x = a + b , y = c + d , z = e + f , and a, b, c, d, e, f Z. Then we claim that (xy )z = x(yz ). Indeed, (xy )z = [(a + b )(c + d )](e + f ) = [ac + (bc + ad) + bd 2 ](e + f ) = ace + (bce + ade + acf ) + (bde + bcf + adf ) 2 + (bdf ) 3 = (a + b )[ce + (de + cf ) + df 2 )] = (a + b )[(c + d )(e + f )] = x(yz ) Multiplicative Identity. Let x Z[ ] be arbitrary, where x = a + b and a, b Z. We claim there y Z[ ], such that x y = x. Indeed, x y = x = y = 1, then y = 1 + 0 , and 1, 0 Z, thus y Z[ ]. Commutative Law for Multiplication Let x, y Z[ ], where x = a + b , y = c + d , and a, b, c, d Z. Then we claim that xy = yx. Indeed, xy = (a + b )(c + d ) = ac + (bc + ad) + bd 2 = (c + d )(a + b ) = yx. Distributive Law Let x, y, z Z, where x = a + b , y = c + d , z = e + f , and a, b, c, d, e, f Z. We claim that x(y + z ) = xy + xz and (x + y )z = xz + yz . Indeed, x(y + z ) = (a + b )[(c + d ) + (e + f )] = [(a + b )(c + d )] + [(a + b )(e + f )] = xy + xz, and (x + y )z = [(a + b ) + (c + d )](e + f ) = [(a + b )(e + f )] + [(c + d )(e + f )] = xz + yz. Since all axioms have been shown, it is proved that Z[ ] forms a commutative ring. We should note that it can also be easily proved that Z[ ] is a ring by using the subring test, since Z[ ] C. Theorem 3.6. The norm is multiplicative. That is, N ( ) = N ()N ( ).

CAHLEN HUMPHREYS

Proof. Let = a + b , then we have N () = = |a + b |2 = (a + b )(a + b ) = a2 + ab + ab + b2 = a2 + ab( + ) + b2 (1) = a + ab(1) + b = a ab + b . We must show that given , Z[ ], that N ( ) = N ()N ( ). So let , Z[ ], where = a + b and = c + d with a, b, c, d Z. Then = (ac bd) + (ad + bc bd) , which we showed in Theorem 3.5. Note the following, N ()N ( ) = (a2 ab + b2 )(c2 cd + d2 ) = (ac)2 a2 cd + (ad)2 abc2 + abcd abd2 + (bc)2 b2 cd + (bd)2 = (ac)2 + (ad)2 + (bc)2 + (bd)2 a2 cd b2 cd abc2 abd2 abcd, and also N ( ) = (ac bd)2 (ac bd)(ad + bc bd) + (ad + bc bd)2 = (ac)2 2abcd + (bd)2 [a2 cd + abc2 abcd abd2 b2 cd + (bd)2 ] + [(ad)2 + abcd abd2 + abcd + (bc)2 b2 cd abd2 b2 cd] = (ac)2 + (ad)2 + (bc)2 + (bd)2 a2 cd b2 cd abc2 abd2 abcd. Thus, we have that N ( ) = N ()N ( ), and hence the norm is multiplicative.
2 2 2 2

(Lemma 3.3) (Lemma 3.4)

Lemma 3.7. Given , Z[ ], there exists u, v Q such that / = u + v . Proof. We want to show that given two complex numbers , Z[ ], that / can be written as some complex number u + v , where u, v Q. So let , Z[ ], where = a + b and = c + d and a, b, c, d Z. Then c + d c + d a + b = = a + b a + b a + b ac + bd + ad + cb = 2 2 a ab + b ac + bd + ad + cb( 1) = a2 ab + b2 ac + bd + ad + (cb cb) = a2 ab + b2 ad cb ac + bd cb + 2 , = 2 a ab + b2 a ab + b2

(Lemma 3.3, = 1) (Lemma 3.4, = 1)

where u = (ac + bd cb)/(a2 ab + b2 ) and v = (ad cb)/(a2 ab b2 ).

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

Theorem 3.8. The commutative ring Z[ ] is a Euclidean domain under the norm N (a + b ) = a2 ab + b2 . Proof. We want to show that Z[ ] is a Euclidean domain. Let = a + b and = c + d , = 0, , Z[ ]. We know from above that there exist u, v Q such that / = u + v , by Lemma 3.7. Further, there exist k, j Z such that |v j | 1/2 and |u k | 1/2. Let p = u k and q = v j . Then / = u + v = (k + j ) + (p + q ). Thus, = (k + j ) + (p + q ). Observe that k + j Z[ ], so r = (p + q ) = (k + j ) Z[ ]. Therefore, = (k + j ) + r, and since the norm is multiplicative by Theorem 3.6 we have that N (r) = N ((p + q )) = N (p + q )N () = (p2 pq + q 2 )N (). Note that since |p| 1/2 and |q | 1/2, then 3 . 4 Therefore, N (r) (3/4)N () < N (), and we have proved that Z[ ] is a Euclidean domain. p2 pq + q 2 |p|2 + |p||q | + |q |2 Since Z[ ] is a Euclidean domain then we get a lot of nice properties, namely, the euclidean algorithm, unique factorization, modular arithmetic, greatest common divisors, and a sense of prime numbers. To begin with we show a few theorems from Cameron proving that a ring being a Euclidean domain implies that the ring is a principle ideal domain and also a unique factorization domain. Theorem 3.9 (Cameron, 2008). A Euclidean domain is a principle ideal domain [2]. Proof. Let R be a Euclidean domain. Take any ideal I R: we have to show that I is a principal ideal. The argument is similar to our determination of the ideals in Z. First, 0 I ; and, if I consists only of 0, then I = 0 , and so I is principal. So we may suppose that I contains some non-zero elements. Choose an element a I such that N (a) is as small as possible. (This depends on the fact that the values of N are non-negative inteers, so there is necessarily a smallest one.) We claim that I = a . As usual, we have to show that nay element of either set is contained in the other. First, take x a ; then x is of the form x = ar for some r R, and so x I (since a I and I is an ideal). Conversely, take x I . Since R is Euclidean, then x = aq + r, where r = 0 or N (r) < N (a). Now x I and aq I , so r = x aq I ; and, since a was chosen as an element of I with d(a) as small as possible, it cannot happen that N (r) < N (a), so we must have that r = 0, and x = aq a . Thus indeed I = a . Theorem 3.10 (Cameron, 2008). A Euclidean domain is a unique factorization domain [2].

CAHLEN HUMPHREYS

Proof. Let R be a Euclidean domain. Take a R with a = 0 and a not a unit. We show by induction on N (a) that a has a factorisation. In other words, we assume that any element b with N (b) < N (a) has a factorisation. If a is irreducible, then we have a factorisation (with only one factor!), so suppose that a = bc, where neither b nor c is a unit. Now by Theorem 3.8, N (b) N (a) and N (c) N (a). If N (b) < N (a) and N (c) < N (a), then by the inductive hypothesis, both b and c have factorisations; combining these gives a factorisation of a. So we can suppose that N (b) = N (a). But then a and b are associates and we have a contradiction. Therefore, by the last two theorems we nd that ED = PID ED = UFD which is exactly what we need for an RSA cryptosystem. The next thing we want to show are the group units of Z[ ]. Theorem 3.11. The group units of Z[ ] are 1, , and 2 . Proof. The group units of Z[ ] can be found when the norm is equal to 1. That is, when, N () = = a2 ab + b2 = 1. If a = 0, then we have that b2 = 1, and hence are group units. If b = 0 then we have that a2 = 1, and hence 1 are group unites. Now suppose that a, b = 0, and suppose that a and b have opposite signs, then we can rewrite 1 = a2 ab + b2 as 1 = (a + b)2 3ab. Note that (a + b)2 0 and 3ab 3, so we dont have any solutions. If a, b are of the same sign, then we can rewrite 1 = a2 ab + b2 as 1 = (a b)2 + ab. Therefore, since both are non-negative then it must be that a b = 0 and ab = 1, hence a = b = 1 and a = b = 1, which are the group units (1 ) and (1 + ), which by Lemma 3.2 are 2 . It follows that the group units for Z[ ] are 1, , and 2 . Now that we know what the group units of Z[ ] are we can discuss prime Eisenstein integers. They are fairly simple to pick up, and are actually quite similar to prime numbers in Z. We begin by proving a theorem. Theorem 3.12. If an ordinary integer p is a prime such that p 2 mod 3, then p is an Eisenstein prime. Proof. First, note that all Eisenstein integers are of the form a + bi 3 where a b mod 2. 2 Now we take the norm and get a + bi 3 a + bi 3 a bi 3 N = 2 2 2 = a2 + 3b2 . 4

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

So is the norm always an integer? Let both a and b be odd, then a = 2n + 1 and b = 2m + 1, and we get a2 + 3b2 = (2n + 1)2 + 3(2m + 1)2 = (4n2 + 4n + 2) + 3(4m2 + 4m + 2) = 4n2 + 4n + 12m2 + 12m + 8 0 mod 4. Similiarly, if they are both even then a = 2n and b = 2m and we have a2 + 3b2 = (2n)2 + 3(2m)2 = 4n2 + 12m2 0 mod 4, so indeed the norm is always an integer. Let p be a prime integer such that p 2 mod 3, are there any solutions such that a2 + 3b2 = 4p? Since p 2 mod 3, then there exists some k Z such that p = 3k + 2. Therefore, a2 + 3b2 = 4(3k + 2) which in turn is a2 + 3b2 = 12k + 8, and reducing both sides modulo 3 we get that a2 2 mod 3

which is impossible. Hence, if we are given an ordinary prime integer p that is congruent to 2 modulo 3, then p is an Eisenstein prime. So with the above theorem and Denition 2.3 we can list a few examples of Eisenstein primes. Example 3.13. Here we have some concrete examples of Eisenstein primes, and examples of ordinary primes which are not Eisenstein primes. Observe the rst category of primes in Z which are congruent 2 modulo 3, 2, 5, 11, 17, 23, 29, 41, 47, 53, 59, 71, 83, 89, 101, 107, 113, 131, 137, 149, 167, 173, 179, 191, 197, 227, 233, 239, 251, 257, 263, 269, 281, 293, 311, 317, 347, 353, 359, 383, 389, 401. By Theorem 3.12, we know that all of the above primes are also primes in Z[ ]. Below we have examples of ordinary primes in Z which are not primes in Z[ ] because they can be factored. In other words, primes in Z which are congruent to 0 or 1 modulo 3 are not primes in Z[ ]. 3 = (1 )(1 2 ) 7 = (2 )(2 2 ) 13 = (3 )(3 2 ) 19 = (3 2 )(3 2 2 )

Often considered the loneliest prime we have (1 ) Z[ ] as a special prime. Then the third category of primes in Z[ ], which we do not prove, is = a + b Z[ ] such that N () is a prime in Z, and N () 1 mod 3. These are the so called complex primes. One should note that just because we have a complex prime, that does not mean that the prime value in Z is also prime in Z[ ].

10

CAHLEN HUMPHREYS

A quick example would be that 2 + 3 is a complex prime in Z[ ]. We take the norm,

N (2 + 3 ) = 22 2(3) + 32 =46+9 = 2 + 9 =7 1 mod 3.

So indeed, 2 + 3 is prime in Z[ ], but since 7 is congruent 1 modulo 3 and can be factored

7 = (2 )(2 2 ),

and therefore 7 isnt prime in Z[ ], but 2 + 3 is prime Z[ ]. Example 3.14. In this example we want to nd the GCD of two Eisenstein integers, namely 5 + 7 and 4 + 5 . We will be following a template algorithm that is used to nd the GCD of two Gaussian integers. We begin by taking the norms of both rst

N (5 + 7 ) = 52 5(7) + 72 = 25 35 + 49 = 10 + 49 = 39

and

N (4 + 5 ) = 42 4(5) + 52 = 16 20 + 25 = 4 + 25 = 21.

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

11

Now we divide the integer with the largest norm by the integer with the smaller norm. Hence, 5 + 7 4 + 5 5 + 7 = 4 + 5 4 + 5 4 + 5 (5 + 7 )(4 + 5 ) = 16 + 25(1) + 20 + 20 (5 + 7 )(4 + 5 ) = 41 + 20( + 2 ) (5 + 7 )(4 + 5 ) = 41 + 20(1) 20 + 35 + 28 + 25 = 21 20 + 35 + 28 + 25(1 ) = 21 55 + 28 25 25 = 21 30 + 3 = 21 = 1.42 + 0.14. Note that in the above equality we used some identities from earlier lemmas we proved. Namely that 2 = , which implies that = 1 because 2 + +1 = 0. Now we round the closest integer values and get 1 + 0 = 1. Then our remainder is (5 + 7 ) (1)(4 + 5 ) = 1 + 2 and therefore 5 + 7 = (4 + 5 )( 1 ) + (1 + 2 )
a b q r

and we move on to the next step of the algorithm, essentially solving 4 + 5 = (1 + 2 )q1 + r1 for q1 and r1 .

12

CAHLEN HUMPHREYS

So we begin again, 4 + 5 4 + 5 1 + 2 = 1 + 2 1 + 2 1 + 2 (4 + 5 )(1 + 2 ) = 1 + 4 + 2( + ) 4 + 10 + 5 + 8 = 5 + 2(1) 14 + 5 + 8(1 ) = 3 6 3 = 3 = 2.

q1

This implies that 4 + 5 = (1 + 2 )(2 ) + 0

b r q1 r1

And we nd we get a clean division, hence in this case the remainder is 0, so our remainder in the equality before this is our greatest common divisor, which is 1+2 . For further clarity we should compute the last equality to make sure it is indeed true. 4 + 5 = (1 + 2 )(2 ) = 2 2 2 + 4 = 2 2(1 ) + 3 = 2 + 2 + 2 + 3 = 4 + 5. Lets also conrm that (1 + 2 )|(5 + 7 ), since we have that gcd (5 + 7, 4 + 5 ) = 1 + 2 . 5 + 7 5 + 7 1 + 2 = 1 + 2 1 + 2 1 + 2 (5 + 7 )(1 + 2 ) = 1 + 2 + 2 + 2 5 + 14 + 7 + 10 = 1 + 2(1) + 2( + ) 5 + 14(1) + 7 + 10(1 ) = 3 + 2(1) 19 + 7 10 10 = 1 = 9 3. Hence, we see that 1 + 2 divides 5 + 7 cleanly.

RSA CRYPTOSYSTEM AND EISENSTEIN INTEGERS

13

4. RSA Cryptosystem [1] The RSA cryptosystem takes advantage of the fact that it is very dicult to factor a number which is the product of two large primes. It is only natural to ask why is this so dicult? Prime numbers in Z are numbers that are only divisible by themselves and the unit 1. Therefore, if one is to choose two large prime numbers, call them p, q Z, then one must essentially test every prime number before p and q in order to rule them out. Since there are innitely many prime numbers [3] this becomes quite the process, and the computational power needed is usually more than one can aord. We now describe the RSA algorithm in the context of Z and point out certain properties which we have shown the Eisenstein integers to have. To begin, and to restate the former paragraph, one needs to choose two large prime numbers p, q Z. We then let N = pq , and denote N as the public modulus. Given N we utilize Eulers phi function and take (N ) = (p 1)(q 1), since both p and q are prime numbers. Now we choose our public exponent e such that 0 < e < (N ) and gcd ((N ), e) = 1. We need both (N ) and e to be coprime in order to determine our private key d, which is the multiplicative inverse d = (1/e) mod (N ). Thus, our public RSA key is (e, N ). Now say that Alice wants to send a message to Bob. She takes Bobs public RSA key (e, N ) and her message M < N and computes E = M e mod N , where E is our ciphertext. She sends E to Bob who in turn decrypts the message with the computation E d mod N . One should be able to utilize the RSA cryptosystem within the context of Eisenstein integers. In this paper we have shown a few dierent things that are required in order to have a functioning cryptosystem. In Section 3 we show proof that Z[ ] is a Euclidean domain under the norm fuction in Theorem 3.8. In Theorem 3.10 we take Camerons proof [2] and show that Z[ ] is a unique factorization domain by implication of being a Euclidean domain, and in doing so utilize the fact that it is also a Principle Ideal domain in Theorem 3.9. In Theorem 3.12 we prove ordinary rational primes that are congruent to 2 mod 3 are also Eisenstein primes. We follow that with examples of Eisenstein primes, and examples of ordinary rational primes which are not Eisenstein primes. Lastly, we show an example of how to nd the greatest common divisor of two Eisenstein integers.

5. Conclusion Throughout this paper we have described and proved dierent properties for the Eisenstein integers (Z[ ]), which are required in order to have a fully functioning RSA cryptosystem. We conclude that it is indeed possible to have an RSA cryptosystem utilizing such a set of integers, however we are not completely convinced that there is any immediate benet from developing one. More time and further research would be needed in order to come up with a completely accurate conclusion to the matter. Further, we did not come up with an analog to Eulers function in Z[ ], so we are not completely sure how this will aect the security of the cryptosystem.

14

CAHLEN HUMPHREYS

References
1. R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and publickey cryptosystems, Communications of the ACM. 21 (2): 120-126. 1978. 2. Cameron, Peter J. Introduction to Algebra, Oxford University Press, USA. 2008. 3. Euclid. Elements, (Book IX, Proposition 20). 300 BC. Boise State University E-mail address : cahlenhumphreys@u.boisestate.edu