
RSA algorithms

Generate a public/private key pair:

1. Generate two large distinct primes $p$ and $q$.
2. Compute $n = pq$ and $\varphi = (p - 1)(q - 1)$.
3. Select an $e$, $1 < e < \varphi$, relatively prime to $\varphi$.
4. Compute the unique integer $d$, $1 < d < \varphi$, where $ed \equiv 1 \pmod{\varphi}$.
5. Return public key $(n, e)$ and private key $d$.

Encryption with key $(n, e)$

1. Represent the message as an integer $m \in \{0, \ldots, n - 1\}$
2. Compute $c = m^e \bmod n$

Decryption with key $d$: compute $m = c^d \bmod n$

An RSA example
Let $p = 47$, $q = 71$, then $n = pq = 3337$.
Encryption key $e$ must have no factors in common with $(p - 1)(q - 1) = 46 \cdot 70 = 3220$.
Choose $e = 79$ (randomly).
Compute $d = 79^{-1} \bmod 3220 = 1019$ (with extended Euclidean algorithm).
Publish $e$ and $n$, keep $d$ secret, discard $p$ and $q$.
Break message $m$ into small blocks, e.g., $m = 688\ 232\ 687\ 966\ 668$.
First block encrypted as $688^{79} \bmod 3337 = 1570 = c_1$.
To decrypt: $1570^{1019} \bmod 3337 = 688 = m_1$.

Greatest Common Divisor


For $a, b \in \mathbb{N}$, $\gcd(a, b)$ denotes the greatest common divisor.
Example: $60 = 2^2 \cdot 3 \cdot 5$, $14 = 2 \cdot 7$, $\gcd(60, 14) = 2$.
gcd can be computed quickly using Euclid's algorithm.

$\gcd(60, 14)$: $60 = 4 \cdot 14 + 4$
$\gcd(14, 4)$: $14 = 3 \cdot 4 + 2$
$\gcd(4, 2)$: $4 = 2 \cdot 2$

Extended Euclid's algorithm computes $x, y \in \mathbb{Z}$ such that
$$\gcd(a, b) = xa + yb$$
Here $2 = 14 - 3(60 - 4 \cdot 14) = -3 \cdot 60 + 13 \cdot 14$.
$a, b \in \mathbb{N}$ are relatively prime if $\gcd(a, b) = 1$.

Extended Euclid's Algorithm

Extend the algorithm to compute the integer coefficients $x$ and $y$ such that
$$d = \gcd(a, b) = ax + by$$
The algorithm is

Extended-Euclid(a, b)
    if b = 0
        then return (a, 1, 0)
    (d', x', y') ← Extended-Euclid(b, a mod b)
    (d, x, y) ← (d', y', x' - ⌊a/b⌋ y')
    return (d, x, y)

where $q = \lfloor a/b \rfloor$ is the quotient of the division (for $a = qb + r$).

Euclid's Algorithm
Euclid's algorithm is based on the theorem
$\gcd(a, b) = \gcd(b, a \bmod b)$ for any nonnegative integer $a$ and any positive integer $b$.
For example, $\gcd(55, 22) = \gcd(22, 55 \bmod 22) = \gcd(22, 11) = 11$.
The algorithm is

Euclid(a, b)
    if b = 0
        then return a
        else return Euclid(b, a mod b)

Euclid(30, 21) = Euclid(21, 9) = Euclid(9, 3) = Euclid(3, 0) = 3.

Extended Euclid's Algorithm Example

Extended-Euclid(99, 78) = $3 = 99 \cdot (-11) + 78 \cdot 14$

Extended-Euclid(a, b)
    if b = 0
        then return (a, 1, 0)
    (d', x', y') ← Extended-Euclid(b, a mod b)
    (d, x, y) ← (d', y', x' - ⌊a/b⌋ y')
    return (d, x, y)

| a | b | ⌊a/b⌋ | d | x | y |
|---|---|---|---|---|---|
| 99 | 78 | 1 | 3 | -11 | 14 |
| 78 | 21 | 3 | 3 | 3 | -11 |
| 21 | 15 | 1 | 3 | -2 | 3 |
| 15 | 6 | 2 | 3 | 1 | -2 |
| 6 | 3 | 2 | 3 | 0 | 1 |
| 3 | 0 | | 3 | 1 | 0 |

Each line shows one level of the recursion.
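The Extended-Euclid recursion and the RSA key-generation, encryption and decryption steps, combined in one added Python example that is not part of the original slides. The function names are this example's own, and the parameters are the page's toy numbers; a modulus this small with no padding only serves to check the arithmetic.

```python
def extended_euclid(a, b, trace=None):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y, following the recursion."""
    if b == 0:
        d, x, y = a, 1, 0
    else:
        d, x1, y1 = extended_euclid(b, a % b, trace)
        x, y = y1, x1 - (a // b) * y1
    if trace is not None:
        trace.insert(0, (a, b, d, x, y))   # outermost call ends up first
    return d, x, y


def mod_inverse(e, phi):
    """Key generation step 4: the unique d in 1..phi-1 with e*d = 1 (mod phi)."""
    d, x, _ = extended_euclid(e, phi)
    if d != 1:
        raise ValueError("e is not relatively prime to phi")
    return x % phi


def rsa_keypair(p, q, e):
    """Return ((n, e), d) for distinct primes p, q (primality is not checked)."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < phi")
    return (n, e), mod_inverse(e, phi)


def rsa_encrypt(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message block must lie in 0..n-1")
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


if __name__ == "__main__":
    rows = []
    print(extended_euclid(99, 78, rows))      # the worked recursion example
    for row in rows:                          # columns: a, b, d, x, y
        print(*row, sep="\t")
    (n, e), d = rsa_keypair(47, 71, 79)       # the page's toy parameters
    blocks = [688, 232, 687, 966, 668]
    cipher = [rsa_encrypt(m, n, e) for m in blocks]
    print(d, cipher, [rsa_decrypt(c, n, d) for c in cipher])
```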

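Fermat's Little Theorem

Fermat's little theorem: for $a$ and $n$ relatively prime and $n$ prime
$$a^{n-1} \equiv 1 \pmod{n}$$
Example: $4^6 \bmod 7 = 16 \cdot 16 \cdot 16 \bmod 7 = 2 \cdot 2 \cdot 2 \bmod 7 = 1$.

Euler's Totient Function

Euler's totient function $\varphi(n)$ is the number of positive integers less than $n$ which are relatively prime to $n$.
$\varphi(n)$ is the number of $a \in \{1, 2, \ldots, n - 1\}$ with $\gcd(a, n) = 1$.

• $\varphi(1) = 1$.
• If $p$ is a prime number, then $\varphi(p) = p - 1$.

So that Fermat's little theorem (for $a$ and $n$ relatively prime and $n$ prime) can be rewritten to
$$a^{\varphi(n)} \equiv 1 \pmod{n}$$
For two prime numbers $p$ and $q$ such that $p \neq q$ and $n = p \cdot q$,
$$\varphi(n) = \varphi(p \cdot q) = \varphi(p) \cdot \varphi(q) = (p - 1) \cdot (q - 1)$$

| $n$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $\varphi(n)$ | 1 | 1 | 2 | 2 | 4 | 2 | 6 | 4 | 6 | 4 | 10 | 4 | 12 | 6 | 8 |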

Fast Exponentiation
There is an efficient algorithm (cf. the literature!) for computing powers modulo $n$ in a monoid $G = (H, \circ, e)$ (where $H$ is a set, $\circ$ is an associative operation on $H$, and $e \in H$ is a neutral element such that $e \circ a = a \circ e = a$ for all $a \in H$).
Let $g \in G$ and $e$ be a positive integer with binary expansion
$$e = \sum_{i=0}^{k} e_i 2^i$$
(observe that the coefficients $e_i$ are either 0 or 1)
Then
$$g^e = g^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(g^{2^i}\right)^{e_i} = \prod_{0 \le i \le k,\ e_i = 1} g^{2^i}$$

Fast Exponentiation (cont.)

$$g^e = g^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(g^{2^i}\right)^{e_i} = \prod_{0 \le i \le k,\ e_i = 1} g^{2^i}$$
yields the following idea:

1. Compute the successive squares $g^{2^i}$ for $0 \le i \le k$.
2. Determine $g^e$ as the product of those $g^{2^i}$ for which $e_i = 1$.

N.B.: we can compute $g^{2^{i+1}} = \left(g^{2^i}\right)^2$ from $g^{2^i}$ by one squaring.

An example: $6^{73} \bmod 100$.

• Binary expansion of exponent: $73 = 1 + 2^3 + 2^6$.
• Determine successive squares of 6:
  $6^{2} = 36$
  $6^{2^2} = 36^2 \equiv -4 \bmod 100$
  $6^{2^3} \equiv 16 \bmod 100$
  $6^{2^4} \equiv 16^2 \equiv 56 \bmod 100$
  $6^{2^5} \equiv 56^2 \equiv 36 \bmod 100$
  $6^{2^6} \equiv -4 \bmod 100$
• $6^{73} \equiv 6 \cdot 6^{2^3} \cdot 6^{2^6} \equiv 6 \cdot 16 \cdot (-4) \bmod 100 \equiv 16 \bmod 100$.

Hence, 6 squares and 2 products instead of 72 multiplications modulo 100.

Fermat Test

It is expensive to prove that a given positive integer is prime, but there are efficient algorithms (primality tests) that prove the primality of a positive integer with high probability.

The Fermat Test is a primality test based on Fermat's theorem in the following version:
if $n$ is a prime number, then $a^{n-1} \equiv 1 \pmod{n}$ for all positive integers $a$ such that $a$ and $n$ are relatively prime ($\gcd(a, n) = 1$).

Choose a positive integer $a \in \{1, 2, \ldots, n - 1\}$.
Compute $y = a^{n-1} \bmod n$ (e.g. using fast exponentiation).
If $y \neq 1$, then $n$ is composite (by the above theorem).
If $y = 1$, then we do not know whether $n$ is prime or composite, as the following example shows.

Fermat Test (cont.)

Consider $n = 341 = 11 \cdot 31$. Although $n$ is composite we have
$$2^{340} \equiv 1 \pmod{341}$$
Therefore, if we use Fermat Test with $n = 341$ and $a = 2$, then we obtain $y = 1$, which proves nothing.
On the other hand, if we use Fermat Test with $n = 341$ and $a = 3$, then $n$ is proven composite as
$$3^{340} \equiv 56 \pmod{341}$$
N.B.: if the Fermat Test proves that $n$ is composite, it does not find a divisor of $n$. It only shows that $n$ lacks a property that all prime numbers have. Therefore, the Fermat Test cannot be used as a factoring algorithm.
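The fast exponentiation idea and the Fermat Test built on it, as an added Python example that is not part of the original slides. The function names are this example's own; `fermat_liars` goes one step beyond the slides by listing every base in 2..n-2 for which the test proves nothing.

```python
def fast_pow(g, e, n):
    """Square-and-multiply: return (g**e mod n, squarings, products)."""
    if e <= 0:
        raise ValueError("e must be a positive integer")
    result, square = None, g % n       # square holds g^(2^i) mod n
    squarings = products = 0
    while e:
        if e & 1:                      # bit e_i = 1: this square is a factor
            if result is None:
                result = square
            else:
                result = result * square % n
                products += 1
        e >>= 1
        if e:                          # bits remain: one more squaring
            square = square * square % n
            squarings += 1
    return result, squarings, products


def fermat_test(n, a):
    """Return ('composite', y) if y = a^(n-1) mod n != 1, else ('inconclusive', y)."""
    if not 1 <= a <= n - 1:
        raise ValueError("a must lie in 1..n-1")
    y, _, _ = fast_pow(a, n - 1, n)
    return ("composite" if y != 1 else "inconclusive"), y


def fermat_liars(n):
    """Bases a in 2..n-2 for which the test on n is inconclusive."""
    return [a for a in range(2, n - 1)
            if fermat_test(n, a)[0] == "inconclusive"]


if __name__ == "__main__":
    print(fast_pow(6, 73, 100))        # value, squarings, products
    print(fermat_test(341, 2))         # composite n, yet nothing is proven
    print(fermat_test(341, 3))         # this base exposes 341 as composite
    liars = fermat_liars(341)
    print(len(liars), "of", 341 - 3, "bases prove nothing for 341")
```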
