Cryptography

Cryptology (from the Greek kryptos 'hidden' and logos 'word') is the science of secure communications. Cryptology is split into two subdivisions: cryptography and cryptoanalysis. The cryptographer seeks to find methods to ensure the secrecy, integrity, and/or authenticity of messages. The cryptoanalyst seeks to undo the former's work by breaking the cryptographer's cyphertext/cryptogram (encrypted plaintext) or by forging coded signals that will be accepted as authentic by the receiver. Labs. Part 1. Binary numbers and applications to cryptography

Binary Numbers Conversion from Decimal to Binary Binary Addition o Binary Addition. Example 1. o Binary Addition. Example 2. o Binary Addition. Example 3. Parity Addition o Parity Addition. Example 1. o Parity Addition. Example 2. o Parity Addition. Example 3. Comparing Binary and Parity Addition Parity Addition of Many Numbers HBO Application HBO Application: the Next Month A variant on the HBO Application

Start the Lab 1 Part 2. Modular arithmetic and the RSA algorithm

Modular Arithmetic Modular Multiplication Modular Multiplication of Many Numbers Calculating Powers Fast Modular Powers Modular Calculator Modular Arithmetic and Fermat Modular Arithmetic and Fermat - the Proof Fermat's Little Theorem RSA Cryptography RSA Cryptography Practice Decryption for RSA

Why RSA is Hard to Break? Prime Factorization

Start the Lab 2 Binary Numbers How would we count if we could only have two digits: 0 and 1? The beginning is easy. We could suggest the we would denote 0 by 0 and 1 by 1. But what should we do next? Let's think carefully about our usual base-10 (decimal) notation. When we write 2095, we mean 2 * 1000 + 0 * 100 + 9 * 10 + 5 * 1. Or, if we like using exponents, 2095 = 2 * 103 + 0 * 102 + 9 * 101 + 5 * 100. Note that each digit in the sum is a number between zero and nine; there is no need for symbols greater than 9, because ten times 10k is reckoned for by adding one to the 10k+1 place. Binary representation works on the same principle, except that each place now represents a power of 2, i.e., 2k. So the binary number 1101 represents 1*23+1*22+0*21+1*20=8+4+0+1=13. Note that we only need digits 0 and 1 for binary representation (just as we only needed digits 0 to 9 in decimal representation), because two times 2k is reckoned for by adding one to the 2k+1 place. Practice ConversionfromBinarytoDecimals Conversion from Decimals to Binary There are two methods of converting decimals to binary. Here we present both methods using the number 85 as an example. First method. We are trying to represent the number 85 as the sum of powers of two starting from the largest. Find the largest power of 2 which is not more than 85. It is 64 = 2 6. Subtract it: 85 - 26 = 21. The result will always be less than the power of two that was subtracted (can you figure out why?). Now we need to represent 21 as the sum of

powers of 2. Continue as before: the biggest power of two which is not more then 21 is 16 = 24. Subtract it: 21 - 24 = 5. Now we need to represent 5 as the sum of powers of 2. Continue as before: the largest power of two which is not more then 5 is 4 = 2 2. Subtract it: 5 - 22 = 1. We can represent 1 as 20. We got that 85 = 26 + 24 + 22 + 20. This is the same as: 85 = 1 * 26 + 0 * 25 + 1 * 24 + 0 * 23 + 1 * 22 + 0 * 21 + 1 * 20. The binary representation of 85 is given by the coefficients in this representation listed one after another, starting with the highest power of 2: 1010101. Second method. This method is based on two observations. First observation: the last digit in the binary representation is always the remainder of the number when divided by two. That is, it is 1 if the number is odd, and 0 if it is even. Second observation: if we erase the last digit of a binary number, then we get a new binary number which is equal to half the original number, with the fraction of 1/2 dropped if the original number was odd. For example, consider the number n whose binary representation is abcd is equal to a * 23 + b * 22 + c * 21 + d * 20. Then note that n = 2 * (a * 22 + b * 21 + c * 20) + d. So n is even if d=0 and odd if d=1 (first observation). Also note that if we divide n by two and drop any fraction of 1/2 (if d is odd), then we get a * 2 2 + b * 21 + c * 20, which has binary representation abc, which is what you get if you erase the last binary digit of n (second observation). Although we only proved our observations with 4-digit binary numbers, the same argument works no matter how many digits we have. The number 85 is odd. Hence, the last digit is 1. Subtract 1, we get 84. Then dividing 84 by 2 we get 42. Binary representation of 42 will get us all other digits in front of the last. So [binary represenation of 85]=[binary representation of 42]1. The number 42 is even, hence its last binary digit is 0. Dividing 42 by 2 we get 21. So [binary represenation of 85]=[binary representation of 21]01. 21's last binary digit is 1 (as it is odd). Subtract 1 and divide by two again: we get 10.

So [binary represenation of 85]=[binary representation of 10]101. 10's last binary digit is 0. 10/2 = 5 So [binary represenation of 85]=[binary representation of 5]0101. 5's last binary digit is 1. Then 4/2 = 2. So [binary represenation of 85]=[binary representation of 2]10101. 2's last binary digit is 0. Dividing 2 by 2, we get 1. So [binary represenation of 85]=[binary representation of 1]010101. Now the binary digit 1 represents the number 1. So the binary represenation of 85 is 1010101. Below there is an interactive window in which you can practice; it generates random numbers for you to convert them to binary: Practice ConversionfromDecimalstoBinary Binary Addition Now that we know binary numbers, we will learn how to add them. Binary addition is much like your normal everyday addition (decimal addition), except that it carries on a value of 2 instead of a value of 10. For example: in decimal addition, if you add 8 + 2 you get ten, which you write as 10; in the sum this gives a digit 0 and a carry of 1. Something similar happens in binary addition when you add 1 and 1; the result is two (as always), but since two is written as 10 in binary, we get, after summing 1 + 1 in binary, a digit 0 and a carry of 1. Therefore in binary: 0+0=0 0+1=1 1+0=1 1 + 1 = 10 (which is 0 carry 1) Example. Suppose we would like to add two binary numbers 10 and 11. We start from the last digit. Adding 0 and 1, we get 1 (no carry). That means the last digit of the answer will be one. Then we move one digit to the left: adding 1 and 1 we get 10. Hence, the answer is 101. Note that binary 10 and 11 correspond to 2 and 3 respectively. And the binary sum 101 corresponds to decimal 5: is the binary addition corresponds to our regular addition. More examples:

1 + 11 = ?. Show the answer and an explanation 1010 + 11 = ?. Show the answer and an explanation 100101 + 10101 = ?. Show the answer and an explanation Binary Addition. Example 1.

Problem: 1 + 11 = ?. Answer: 1 + 11 = 100. Explanation: 1 1

If we take the first column from the right, we get the binary addition of 1 and 1, which is: 1 + 1 = 10 = 0 carry 1 The rightmost digit of our answer is therefore 0. The second column from the right becomes: 0 + 1 + 1 (from the carry). In binary addition: 0 + 1 + 1 = 10 = 0 carry 1 Therefore, the second rightmost digit is a 0 and a 1 is carried to the next column. The next column doesn't exist (there are no numbers), therefore the 1 drops into the next slot of the answer. So our answer is: 100! Binary Addition. Example 2. Problem: 1010 + 11 = ?. Answer: 1010 + 11 = 1101. Explanation: 1 + 0 1 1 0 1

For the first column (from the right) we have 0 + 1. In binary addition: 0 + 1 = 1,

and the rightmost digit of the answer is 1. For the second column, we have 1 + 1. In binary addition: 1 + 1 = 0 carry 1 . Therefore, the second digit (from the right) in the answer is 0 and we carry 1 to the next column. The next column now contains 0 + 0 + 1 (from the carry). In binary addition: 0 + 0 + 1 = 1, so that the next digit that we can fill in for the answer is 1. The final column contains 1 + 0. In binary addition: 1+0=1. There are no more columns so our final answer is 1 1 0 1! Binary Addition. Example 3. Problem: 100101 + 10101 = ?. Answer: 100101 + 10101 = 111010. Explanation: 1 + 0 1 0 0 1 1 0 0 1 1

first column (from the right!) : second column : third column : fourth column : fifth column : sixth column : Therefore the answer is 1 1 1 0 1 0!

1 + 1 = 0 carry 1 0 + 0 + 1 (carried) = 1 1 + 1 + no carry = 0 carry 1 0 + 0 + 1 (carried) = 1 0 + 1 + no carry = 1 1 + 0 + no carry = 1

Parity Addition

There is another additive operation on binary numbers that is very useful. It is called "parity" addition or "XOR" (The word XOR originated from exclusive-OR). We still call it addition because this operation has many properties in common with standard decimal (or binary) addition: it is commutative and associative, and "adding" zero to a number doesn't change the number. Parity addition is similar to binary addition, except that there is never a carry. To distinguish them we will denote the parity addition by addition we have: 0 0 1 1 0=0 1=1 0=1 1=0. . For parity

We can formulate the rule: parity adding two identical digits gives 0, while parity adding two different digits gives 1. (Note: many software developers have adopted the word "XOR" in their language. For example: Tomorrow I will go to the movie xor to the park. This means that I will go to exactly one of them, not both.) To distinguish this addition from binary addition people use a special symbol for parity addition or each time they say explicitly that they use parity addition. (The default addition, or what is meant by addition if no additional qualifier is given, for binary numbers is the addition we've learned on preceding pages.) Note. When we parity add two binary numbers of different length, we add leading zeros to the smaller number, so both numbers would become the same length. Sometimes, we say that we parity add binary strings. Example. Suppose we would like to parity add the two binary numbers 10 and 11. We can start from the last digit or the first digits - this doesn't matter as there is no carry. We add each column separately. For the last column, adding 0 and 1, we get 1 (no carry). That means the last digit of the answer will be 1. Then we move one digit to the left: adding 1 and 1 we get 0. Hence, the answer is 01. Note that leading zero gives us an important information: that the digits we added in that column were the same; hence, when we parity add numbers we keep leading zeros in the answer. Try and solve the examples from the previous page using Parity Addition:

01

11 = ?. Show the answer and an explanation

1010 0011 = ?. Show the answer and an explanation 100101 010101 = ?. Show the answer and an explanation Parity Addition. Example 1.

Problem: 01 Answer: 01 Explanation:

11 = ?. 11 = 10.

0 1

1 1

Remember that parity addition does not have a carry! If we take the first column from the right, we get in parity addition : 1 1 = 0 no carry The rightmost digit of our answer is therefore 0. Second column from the right: 0 1 = 1. So our answer is: 1 0! (Note that since there are no carries here, we don't have to start from the right: we can do the parity addition in every column separately, without worrying about carries from other columns.) Parity Addition. Example 2. Problem: 1010 Answer: 1010 Explanation: 1 0 0 0 1 1 0 1 0011 = ?. 0011 = 1001.

Remember that parity addition does not have a carry! In parity addition: 1 1 = 0 no carry first column (from the right) : 0 second column : 1 third column : 0 1=1 1=0 0=0

fourth column : So our answer is: 1 0 0 1!

1=1

Parity Addition. Example 3. Problem: 100101 Answer: 100101 Explanation: 1 0 0 1 0 0 1 1 0 0 1 1 010101 = ?. 010101 = 110000.

first column (from the right) : second column : third column : fourth column : fifth column : sixth column : So our answer is: 1 1 0 0 0 0!

1 0 1 0 0 1

1=0 0=0 1=0 0=0 1=1 0=1

Comparing Binary and Parity Addition Question: What is common between binary and parity addition? Answer: The word addition: these operations share some properties. For example, for both operations the order of two numbers doesn't matter. Nevertheless, these are completely different operations: the results needn't have anything in common. (Except the last digit - can you figure out why?) Notice how greatly the answers differ for binary and parity addition for our three examples:

0 1 and 1 1 1 0 1 0 and 0 0 1 1 1 0 0 1 0 1 and 0 1 0 1 0 1

01 and 11= 1010 and 0011= 100101 and 010101=

Binary Addition 100 1101 111010

Parity Addition 10 1001 110000

Parity Addition of several numbers Suppose we want to parity add several numbers. We can proceed in a natural way: add first two, then add the third one to the result, then add the forth one to the last result and so on. As there is no carry on, we perform all additions by columns. That means that we can parity add several numbers by columns too. Hence, all the properties of parity addition of several numbers are seen when we use one digit numbers. Let us make a table for parity adding three different one-digit numbers. We consider all possible cases in the table below: A 0 0 0 1 0 1 1 1 B 0 0 1 0 1 0 1 1 C 0 1 0 0 1 1 0 1 A B 0 0 1 1 1 1 0 0 (A B) C 0 1 1 1 0 0 0 1

Looking at this table see that the result is 1 if we parity add one or three ones; and the result is zero if we parity add zero or two ones. The following simple rule is true: the result is 1 if we add odd number of ones, and 0 if we add even number of ones. HBO Application

You just studied binary and parity addition because these operations are used in many applications, in cryptography and elsewhere. The encryption method that you will be learning here uses parity addition. We discuss a toy example here: in order to be able to transmit some movie channels to their customers, local cable companies subscribing to the movie service must have a password to unscramble the signal sent to them by the television station. As explained in class, the password is broadcast itself, encrypted differently for each subscriber. Each subscriber has a key, consisting of a binary string of (say) 20 digits. The password itself is also a binary string with 20 entries. The television station sends out an enormous string that contains, in successive 20digit strings, the XOR addition of the password and every acceptable key, in random order. Therefore the concatenated string may look like this: (password (password key3) (password key7) (password key6) (password key5) (password key1) key4)

Parity addition has the neat property that if you parity add the (password key) to the key, then you will get back the password. For example: password: your key: password password your key : (password 10110110111010 01011011110011 your key: 11101101001001 11101101001001 01011011110011 your key 10110110111010 key) key

your key : your key)

NOTE: password = (password

You can exploit this as follows: parity add your 20-digit keyword to every one of the 20-digit pieces in the long string sent out by the station. One of them will be the password. We denote password by pwd. password pwd key2 our key junk key2 password y pwd key4 our key junk key4 password y pwd key7 our key junk key7 password yo password key1 ur key pwd your y pwd key1 y key your our key key password junk

In a tool below you see a stream of 45 binary strings; they respresent the TV station transmission. Enter the key you got in class (or in email) in the text field and click on one of the strings (If you did not get one you can use the key: 00001000000100010010). You will see the parity addition of these numbers. If you get the password, the signal will get unscrambled. After you get the password you can use it to calculate other subscribers' passwords. Calculate three passwords from the first column.

HBO Application: the Next Month The next month HBO changes the password to a new one. Suppose you are not subscribed any more. This means that HBO will not send the password parity-added to your key in this month's stream. But on the previous page you calculated three other keys. If those customers are still subscribed, then their keys should work. Try using the keys you calculated from the previous page to get the new password and unscramble the signal below.

A Variant on the HBO Application It may be frustrating to check all the binary strings in a stream; the stream could be much bigger; and hardware design could be such that it is unrealistic to check many strings. (It is easy to parity add our key to a lot of strings, but the process of auto-detecting which one of these results in a clear picture may take a long time if we need to check a LOT of strings.) Here we present another version of HBO encryption that incorporates the same idea with a twist, so that it would still apply in these circumstances. Imagine that HBO sends a large stream of binary strings. One of the strings is a password. Some of the strings are keys parity-added with the password, others are junk strings. (In this scenario, HBO wants to send extra junk to make it more secure---it will take too long to go through all the strings and figure out which one gives a clear picture). All those strings are sent in random order, hence it is unrealistic to find the password by trying them one after another. The strategy for the subscriber is to parity-add his/her key to all the numbers in the string. (Remember, the parity-addition part is fast, the verification of a clear picture is slow.) Let us see what happens in this case. Usually you will find that most of the new 20-digit strings you obtain are quite different from any of the old strings, except for the two strings that you get when you add your key to the password or to the (password your key). password key2 password password key7 password ur key yo password key1

pwd key2 ur key not one of the originals

yo password ur key password ur key

yo pwd key7 ur key yo not one of the originals

yo pwd key

your pwd key1 your key ur key not one of the password originals

yo

This gives you two matches. One of them is the Password to unlock the channels! In a challenge problem on the homework, you examine the possibility of getting more than two matches. The following is a chain of randomized strings including the password, the password XOR-added with keys, and junk. When you type in your key, you will get the parity addition of your key to every element of the chain. If you don't type in a mistake, then you will see two overlaps between the original collection of strings and the collection of strings plus your key; one of them is the password. (To decide which one, you would try decrypting with each, That means you need to try only two, not many of them.) Type in one of the three keys you calculated earlier. (Those are keys of the subscribers who still pay). This decoder is a device that allows you not to check each string in a stream one by one, but reduce the number of input strings you need to check. Compare the time you spent for finding a password on this page and on a previous page. This decoder box is used when your stream consists not of 45 strings as on the previous page, but of a very big number of strings. Modular Arithmetic RSA cryptography (named for its inventors Rivest, Shamir, and Adelman) exploits properties and interrelations of humongous numbers, constructed as large powers of huge numbers. Through a neat mathematical trick called modular arithmetic, the computer avoids working with the humongous numbers themselves. Let's first learn about modular arithmetic before tackling RSA itself. The number X (mod Y) is the remainder when X is divided by Y. (Remember X (mod Y) is pronounced X modulo Y.) For example: because: 7 modulo 3 is 1

7=2*3+1 That is, when you divide 7 by 3, you get a remander of 1. The "modulo Y" terminology can also be used in the following way: Z = X (mod Y), meaning that Z and X have the same remainder when divided by Y. For example: 7 = 25 (mod 3)

because:

7=2*3+1 25 = 8 * 3 + 1

Modular Multiplication The beauty of modular arithmetic is that you never need to manipulate any huge numbers. How big 'huge' is depends on the modular base. For instance, when you take products of many numbers and you want to find their remainder modulo n, you never need to worry about numbers bigger than the square of n. First a couple of examples: Pick any two numbers x and y, and look at their remainders (mod 7): a = x (mod 7) b = y (mod 7) . Compare the remainder modulo 7 of the products xy and ab: xy (mod 7) with ab (mod 7) Modular multiplication of many numbers On a previous page you saw that to multiply two numbers modulo A we can first take the remainders of those two numbers modulo A, and then to multiply. That means we do not need to multiply numbers bigger than A. If we want to multiply many numbers modulo A, we can first reduce all numbers to their remainders. Then, we can take any pair of them, multiply and reduce again. Let us now exploit this. For example, suppose we want to find X = 36 * 53 * 91 * 17 * 22 (mod 29) . Start by reducing every factor to its remainder after division by 29:

Calculating Powers Rapidly We have just seen how to compute products in modular arithmetic (mod n) without ever looking at numbers larger than the square of n.

For powers ax (mod n) there is an even neater trick, which saves a lot of work, especially when x is large (and we'll need that in the RSA encryption algorithm later). This trick is based on the method of calculating powers independently of modular arithmetic. Suppose we would like to calculate 1143. The straightforward method would be to multiply 11 by 11, then to multiply the result by 11, and so forth. This would require 42 multiplications. We can save a lot of multiplications if we do the following: First write 43 as a sum of powers of 2: 43 = 32 + 8 + 2 + 1 That means that Now 1143 = 1132 * 118 * 112 * 11 .

The calculation of the sequence 11, 112, 114, 118, 1116, 1132 requires 5 multiplications as each following term is the square of the previous. Now the calculation of the 43rd power requires three more multiplications. So, the trick allowed us to reduce the number of multiplications from 42 to 8. In case of modular arithmetic each multiplication is done with small numbers as we always reduce them. For example, if we want to compute 1143 (mod 13), we need to do eight multiplications of numbers less than 13. Note that 1143 is a humongous number. (Can you compare it with the number of seconds since the Big Bang ?) Modular Powers Let us compute 1143 (mod 13). As we saw before we start with squaring this number: 112 (mod 13) = 121 (mod 13) = 4 (mod 13) 114 (mod 13) = (112)2 (mod 13) = 42 (mod 13) = 16 (mod 13) = 3 (mod 13) 118 (mod 13) = (114)2 (mod 13) = 32 (mod 13) = 9 (mod 13) 1116 (mod 13) = (118)2 (mod 13) = 92 (mod 13) = 81 (mod 13) = 3 (mod 13) 1132 (mod 13) = (1116)2 (mod 13) = 32 (mod 13) = 9 (mod 13) Putting this together (remember that 43 = 32 + 8 + 2 +1), we get 1143 (mod 13) = 11 * 4 * 9 * 9 (mod 13)

Now we do our usual modular multiplication: 11 * 4 * 9 * 9 (mod 13) = 44 * 81 (mod 13) = 5 * 3 (mod 13) = 2 (mod 13). In the applet below you can see the process of calculating modular powers for other numbers. To submit your input you need to click enter in the modulo field. In practice, the modular base n can be much larger (for an RSA algorithm one uses numbers n with around 300 digits!), so that we still can have huge numbers. The important thing is that all the tricks we have just seen ensure that once n is fixed, we have a ceiling for exactly how huge the numbers can become that we have to compute with. Given such a ceiling, it is then possible to write computer programs to do all the computations carefully, so that there is never any round-off error. In practice, the power that is used is comparable with the base (that is it could be 300 digits). But as the number of multiplications is much less than the power itself, the operation of getting a number to a 300-digit power modulo a 300-digit number is very fast. Modular Calculator Here we present a tool to help you with your problem sets. The calculator below allows you to do modular multiplication and modular powers. It also keeps track of the answers. Currently, the modular multiplication part of the applet can't correctly handle very big numbers, that is for correct results keep the numbers you multiply below 45,000. Modular Arithmetic and Fermat You may have heard of Fermat's last theorem. Its proof involves modular arithmetic (and much more!). Fermat also used modular arithmetic to discover many other interesting things about numbers. For instance: can you find two numbers x and y so that the sum of their squares, x2 + y2, is exactly 3 more than a multiple of 4, that is x2 + y2 = 4n + 3 or x2 + y2 = 3 (mod 4) ? Try it! (Please choose x and y between 0 and 9999 to prevent overflow).

Modular Arithmetic and Fermat the Proof For an arbitrary number z, you have four possiblities:

z = 0 (mod 4) , z = 1 (mod 4) , z = 2 (mod 4) , z = 3 (mod 4) Fill in the table for the four possible squares: (input your answer and hit return) Therefore, however you choose x and y, x2 and y2 are either 0 or 1 (mod 4) So x2 + y2 (mod 4) can be: 0+0=0 0+1=1 1+0=1 1+1=2 but it can never equal 3! Can you figure out whether the sum of 3 squares can ever be 7 more than a multiple of 8, or x2 + y2 + z2 = 7 (mod 8) ? Fermat's Little Theorem The crux to the RSA algorithm is another discovery by Fermat, called Fermat's little theorem. It is a statement about powers in modular arithmetic in the special case where the modular base is a prime number. The theorem is stated like this: If p is a prime number, then (p-1) a = 1 (mod p) (unless a is a multiple of p) We proved this theorem in class, but just in case you'd like to check: try it out here, for a few values of p, and several values of a each time. Try also what happens if p is not prime ... (HINT: try setting a value for p and changing values for a)

RSA Cryptography Fermat's little theorem was used by Rivest, Shamir, and Adelman to design a fascinating encryption algorithm, in which you can tell anyone

you like how the encryption works, although this knowledge is not sufficient to be able to decrypt; decryption is only possible for the chosen few who have extra information. Let's see how this works on a simple example. Let's assume that the text we want to encrypt is: WHATEVER First we have to translate this text into numbers. To do this, we shall use a hash code, which replaces every character by an integer. (We'll see more examples on the next page.) For the word whatever this gives: 23 8 1 20 5 22 5 18 To encrypt this text, we will replace every number x by another number y, according to a simple rule. The key to this encryption rule is given by two numbers n and r. The number n is chosen in a very particular way: n is the product of two primes p and q. Suppose we choose n = 29 * 37 = 1073. Let's take r = 25. To encrypt x we just compute: y = xr (mod n). To decrypt y we need a decryption key, which takes the form of a number s. In this particular case, with this choice of n and r, the choice s = 121 is an appropriate decryption key. The decryption then works via a simple formula, analogous to the encryption: we compute ys (mod n) and this gives us x back again! (We'll come back below to why this happens.) RSA Cryptography Practice Here we shall illustrate the encryption and decryption that was described on the previous page. Type a short sentence in the input field

and then press enter; you will see the hash code in the window below it. This gives an integer representation of each character of the word. We are using a hash code with only the numbers 1 through 29 in this simple example. Letters are represented by numbers 1 through 26 independently of the case (that is 'A' and 'a' are represented by 1, and so on), space is represented by the number 27, period by 28, and all the other symbols by 29. Pressing the Encrypt next character button will give you the encryption for each of the successive integers in the hash code, computed via the formula y = xr (mod n), where n and r are from the previous page, namely y = x25 (mod 1073). Pressing the Decrypt next character button will, on the other hand, compute ys (mod n), which in this case is y121 (mod 1073) for each of these encrypted integers; you can check that these are the original integers back again! Note. You may have noticed that the letter A corresponds to 1 in a hash code. Hence, it is always enctypted as 1. In real RSA systems we never encrypt letter by letter, we encrypt the large block of several letters at once. The reason we want large blocks is that encrypting letter by letter we have the same encryption for the same letter (this is called a substitution cipher), hence we can use frequency analysis to decrypt. The larger the blocks the less patterns will be kept in the result. Decryption for RSA The decryption illustrated on the previous page is possible because r and s have a very special relationship. With p = 29, and q = 37, we compute: m = (p-1) * (q-1) = 1008 and then we have chosen r and s so that: r*s = 25 * 121 = 3025 = 1 (mod m) Let's see how this explains why ys = x (mod n). We have ys = (xr)s = xr*s (mod n). Now r*s is 1 + some multiple of m: r*s = L(p-1)(q-1) + 1, so that: ys = xL(p-1)(q-1)+1 (mod n).

Now Fermat's little theorem tells us that: xp = x (mod p). Multiplying both sides by xp-1, we get xp-1 * xp = xp-1 * x (mod p). That is, x2(p1)+1 =xp (mod p), and so x2(p-1)+1=x (mod p). If we again multiply both sides by by xp-1, we shall obtain x3(p-1)+1 = xp=x (mod p). In fact, xN(p1)+1 =x (mod p) for all N. Thus xL(p-1)(q-1)+1 = x (mod p), since we can set N=L(q-1). By the same principle (but with q in place of p), we have x M(q-1)+1 = x (mod q) for all x and all M. Thus xL(p-1)(q-1)+1 = x (mod q), since we can set M=L(p-1). From the last two boldfaced congruences, we know that xL(p-1)(q-1)+1-x is divisible both by p and by q. These are two distinct primes, so xL(p-1)(q1)+1 -x is divisible by pq=n, i.e., xL(p-1)(q-1)+1 = x (mod n), Recall that rs=L(p-1)(q-1)+1, so xrs = x (mod n), and since y=xr, ys = x (mod n). This explains why the RSA algorithm works. Why RSA is Hard to Break? Why is such a code hard to break? If you know n and r (the public encryption key), all you have to do is find an appropriate s and you can decrypt! The problem is to find s such that rs = 1 (mod (p-1)(q-1)). This would be easy (using the Euclidean algorithm) if you knew r and (p-1)(q-1). Outsiders only know r and n, but they do not know p and q, even though they know the product n=p*q. So outsiders have no easy way of computing (p-1)(q-1). Finding p and q amounts to factoring the number n that you were given.

Can you crack the following code? Here n = 3071, r = 17. The following is an encrypted text. Fill in your guess for s; the computer will compute all the ys(mod n) and attempt to translate the resulting numbers back to letters (this may fail if some of the numbers do not make sense in the hash code because they are too big; those numbers are just decoded to the default '?'). Try it! Can you crack the code? NOTE: Here, we use a different hash code than the one we used before to represent each character as an integer: the ASCII code. It transforms the letter "A" to 65, "B" to 66,..., "Z" to 90, Space to 32, "?" to 63... We also use the charcter "?" for all other characters that are not in the following table: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ? ! . - Spac e 6 6 6 6 6 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 8 8 9 6 3 4 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 3 3 6 5 32

Did you find the previous one easy? Here is another one: n = 1441499, r = 103. Can you decipher the following encrypted text? Prime Factorization We've seen that the security of RSA is based on the fact that it is hard to factor numbers which are the products of large primes. So how hard is it to find the prime factors of large numbers? The below applet factors numbers. It uses the following algorithm: first factor out all powers of 2, the number which is left is odd; then check if the number divides by every odd number trying them one after another. Try to plug some small integers (e.g., 15, 17, 32, 99, etc...) to familiarize yourself with how it works. The time depends very much on your computer power. It also depends on the value of prime factors. It is easy to factor a big number if the factors are small. Below you can see different numbers which are products of two large primes. Next number is about 10 time bigger than the previous one. Try them one after another and see how long it takes.

7 digit number 8 digit number 9 digit number 10 digit number 11 digit number 12 digit number 13 digit number 14 digit number 15 digit number

1407673 13309117 137937281 1438671211 14698154927 135677280727 1389864140741 13472900573921 130062255272767

Let us estimate how the time may increase. Suppose A is the product of two 4 digit primes, and B is a product of two 5 digit primes. Suppose that each 5 digit prime is about 10 times bigger than the corresponding 4 digit prime. Hence to find the first factor our algorithm has to check about 10 times more numbers. As our product is bigger and the numbers we use to check are bigger, each check takes more time on average. So, we see that adding a few digits on to our prime numbers makes factoring the product much, much harder. This is why RSA is considered to be secure. PrimeFactorizationMachine This Java applet implements a basic routine to factor an arbitrarily large integer. The routine starts by extracting any factors of 2. After this, only odd numbers are tested up to the limit=Sqrt(number) + 1. The prime factors are displayed and the result is verified by direct BigInteger multiplication of the factors.