An Application Example: The RSA Cryptosystem - Cryptography in C and C++

Cryptography Reference

In-Depth Information

2. Now A would like to send an encrypted message M to B (0

≤

M < n B ) .

Since A has received from B his public key

e B ,n B

, A calculates

C = M e B mod n B

and sends the encrypted value C to B .

3. After B has obtained the encrypted message C from A , then B decodes this

message by calculating

C = M d B mod n B

d B ,n B

. Now B possesses the plain text M of the

using his secret key

message.

1mod φ ( n ) , there

exists an integer k such that d · e =1+ k · φ ( n ) . We thus obtain

It is not difficult to see why this works. Because d

≡

M φ ( n ) k

C d

≡ M de

≡ M 1+ k · φ ( n )

≡ M ·

≡ M mod n,

(17.3)

where we have made use of the theorem of Euler quoted on page 177, from

which we deduce that M φ ( n )

≡ 1mod n if gcd( M, n ) = 1 . For the more

theoretically interesting case that gcd( M, n ) > 1 , equation (17.3) holds as well:

For relatively prime p and q , we have the isomorphism

Z Z p × Z q . Since

ve ≡ 1 mod gcd( p − 1 ,q− 1) , it follows that M ve

= M in

Z p and in Z q

(obviously for M =0 as well), and therefore also in Z n .

An alternative to key generation is the use of univeral exponents λ :=

lcm( p

1) instead of φ ( n ) . The basis for this is the following theorem

of Carmichael: Let λ () denote the Carmichael function, defined by λ ( n ) :=

lcm ( λ (2 a 0 ) ,φ ( p a 1 ) ,...,φ ( p a r )) for all n =2 a 0 φ ( p a 1 )

−

1 ,q

−

φ ( p a r ) , where the

···

p i are distinct prime numbers and

λ 2 t := 2 t − 1

if t < 3 ,

2 t − 2

if t ≥ 3 .

Then for all a ∈ Z × n , we have a λ ( m )

≡ 1mod n . For a proof, see page 15 of

[Kran]. As above, this can also be extended to the case gcd( M, n )=1 , since from

ev =1+ kλ ( n ) we have ve ≡ 1 mod gcd( p − 1 ,q− 1) , and so in

Z p and

Z q we

have M ve = M . On account of the isomorphism

Z Z

Z q , this holds in

as well. The advantage of using λ lies in a smaller exponent e , since λ is always a

proper divisor of ( p

1) . In practice, this advantage is negligible, since

gcd( p − 1 ,q− 1) for random values of p and q is small with high probability.

It is clear that the security of the RSA algorithm depends on the ease of

factorability of n .If n can be factored into its components p and q , then the secret

key d can be determined from the public key e . Conversely, the factorization

of n can be easily accomplished if both key components d and e are known: If

k := de − 1 , then k is a multiple of φ ( n ) , and therefore we have k = r · 2 t with

−

1)( q

−

Cryptography in C and C++

Search WWH ::

Custom Search

Home