Fermat’s Little Theorem and Mental Poker

In this post we demonstrate another use of the Fermat’s Little Theorem.

How can two people play poker when they are not sitting face to face from each other? If the game of poker is played over long distance (e.g. via a telephone line or some electronic communication channel), there will be a need to ensure a fair game. For example, the two players must use the same deck of cards (ensuring that there will be no duplicates). The deck of cards will need to be well shuffled. Each player cannot see the cards of the other player. One solution is to use a trusted third party to do the shuffling and selecting of cards. If a third party cannot be found or it is felt that the third party cannot be trusted to be fair, then one should consider the cryptographic solution described in this post. This soultion was proposed by Rivest, Shamir and Adlemen in 1982 (the creators of the RSA algorithm).

The term mental poker refers to the game of poker played over long distance that has a mechanism for ensuring a fair game without the need for a trusted third party. Mental poker can also refer to other cryptographic games played over long distance without the need for a trusted third party (e.g. tossing a coin over long distance).

___________________________________________________________________________________________________________________

Setting Up the Deck of Cards

Let’s say that the players are Andy and Becky. Since they are not using a physical deck of cards, they need to represent the cards by numbers. Let’s say that they agree to number the cards as follows:

    \displaystyle \heartsuit 2=1020 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit 2=2020  \ \ \ \ \ \ \ \ \ \ \ \spadesuit 2=3020 \ \ \ \ \ \ \ \ \ \ \ \clubsuit 2=4020

    \displaystyle \heartsuit 3=1030 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit 3=2030  \ \ \ \ \ \ \ \ \ \ \ \spadesuit 3=3030 \ \ \ \ \ \ \ \ \ \ \ \clubsuit 3=4030

    \displaystyle \heartsuit 4=1040 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit 4=2040  \ \ \ \ \ \ \ \ \ \ \ \spadesuit 4=3040 \ \ \ \ \ \ \ \ \ \ \ \clubsuit 4=4040

      \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots

      \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots

      \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \cdots

    \displaystyle \heartsuit Q=1120 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit Q=2120  \ \ \ \ \ \ \ \ \ \ \spadesuit Q=3120 \ \ \ \ \ \ \ \ \clubsuit Q=4120

    \displaystyle \heartsuit K=1130 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit K=2130  \ \ \ \ \ \ \ \ \ \spadesuit K=3130 \ \ \ \ \ \ \ \ \clubsuit K=4130

    \displaystyle \heartsuit A=1140 \ \ \ \ \ \ \ \ \ \ \ \diamondsuit A=2140  \ \ \ \ \ \ \ \ \ \ \spadesuit A=3140 \ \ \ \ \ \ \ \ \ \clubsuit A=4140

___________________________________________________________________________________________________________________

Setting Up the Pad Locks

The card numbers need to be encrypted before they can be passed between the two players. Here’s how it works.

Both players agree to choose a large prime number p. This number p needs to be larger than all the card numbers and the encrypted card numbers. The larger p is, the harder it will be for any one of the players to cheat.

Now each of the players needs to choose an encryption-decryption key (a padlock) that the player keeps secret. Let’s start with Andy. He chooses a pair of positive numbers a_0 and a_1 such that the following holds:

    a_0 \cdot a_1 \equiv 1 \ (\text{mod} \ p-1)

Equivalently the pair a_0 and a_1 satisfies the equation a_0 \cdot a_1=1+(p-1) \cdot k for some integer k. The number a_0 will be used for locking (encryption) and the number a_1 will be used for unlocking (decryption). Andy will also keep this pair of numbers away from Becky.

How will Andy use this padlock? Suppose that m is a number to be encrypted. To encrypt the number, Andy raises m to the power of a_0 and then finds the remainder upon division by p. He will call the remainder f_a(m). Using congruence notation, the following is the encryption function:

    f_a(m) \equiv m^{a_0} \ (\text{mod} \ p)

If Andy needs to recover m from the encrypted card number c=f_a(m), all he has to do is to raise c to the power of a_1 and then find the remainder upon division by p. Call the remainder g_a(c), which will be the original card number m. Using congruence notation, the following is the decryption function:

    g_a(c) \equiv c^{a_1} \ (\text{mod} \ p)

The decrypted number is the original number. Thus we have g_a(c)=m. A proof of this relies on the Fermat’s Little Theorem (see proof).

Because the numbers involved are usually large, no one will try to raise m to the power of a_0 and then divides by p to find the remainder. Instead, Andy should use special software. If software is not available, Andy can rely on congruence modulo arithmetic, which should also be done by a computer. See below for a demonstration of the congruence modulo arithmetic.

The other player Becky also needs a padlock. Specifically, she chooses a pair of numbers b_0 and b_1 that satisfy the following:

    b_0 \cdot b_1 \equiv 1 \ (\text{mod} \ p-1)

This pair of number serves the same purpose as the pair that belongs to Andy. Of course, b_0 and b_1 need to be kept secret from Andy. The following shows the encryption and decryption functions for Becky’s padlock.

    f_b(m) \equiv m^{b_0} \ (\text{mod} \ p)

    g_b(c) \equiv c^{b_1} \ (\text{mod} \ p)

___________________________________________________________________________________________________________________

How to Play the Game

Suppose the card numbers are m_1, m_2, m_3, \cdots, m_{52} (the above is one example of card number assigment). Andy then encrypts the card number using his encryption function f_a(m). The following lists the encrypted card numbers.

    \displaystyle f_a(m_1),\ f_a(m_2), \ f_a(m_3),\cdots,f_a(m_{52})

Andy then passes these encrypted card numbers to Becky. She shuffles the encrypted deck thorughly. She then chooses a 5-card hand for Andy. Becky then chooses another 5-card hand for herself. Becky uses her key to encrypt her 5-card hand. Becky passes both 5-card hands to Andy. The following shows what Becky passes to Andy.

    Andy’s 5-card hand: f_a(m_i) \equiv m_i^{a_0} \ (\text{mod} \ p) for 5 distinct values of i.

    Becky’s 5-card hand: f_b(f_a(m_j)) \equiv f_a(m_j)^{b_0} \ (\text{mod} \ p) for 5 distinct values of j.

Once Andy gets the two 5-card hands, he decrypts his own 5-card hand and gets back the original card numbers. He also decrypts Becky’s 5-card hand and passes that back to Becky.

    Andy’s 5-card hand: g_a(f_a(m_i)) \equiv (m_i^{a_0})^{a_1} \equiv m_i \ (\text{mod} \ p)

    Becky’s 5-card hand: g_a(f_b(f_a(m_j))) \equiv (f_a(m_j)^{b_0})^{a_1}=(f_a(m_j)^{a_1})^{b_0} \equiv m_j^{b_0} \ (\text{mod} \ p), which Andy passes back to Becky.

Once Becky’s recieves her 5-card hand back from Andy, she decrypts the cards immediately and gets back the original card numbers.

    Becky’s 5-card hand: g_b(m_j^{b_0}) \equiv (m_j^{b_0})^{b_1} \equiv m_j \ (\text{mod} \ p)

Now each of the players has a 5-card hand that is only known to himself or herself. If they need to select new cards from the deck, they can follow the same back-and-forth procedures of encrypting and decrypting.

How fair is the poker game played in this manner? How secure is the game? It is very fair and secure if the players follow the rules and do not cheat. It is obviously possible to cheat. When Andy passes the 52 encrypted card numbers to Becky, Becky certainly can try to break Andy’s lock by figuring out Andy’s a_0. When Becky passes her encrypted cards to Andy, he can try to figure out Becky’s b_0. For that to happen, the player who wants to cheat will need to have enormous amount of computational resources at the ready. Thus the prime number p should be large enough to make cheating an intractable problem. On the other hand, even when the prime number is of a moderate size, there has to be a fair amount of computational resources in order to play the game efficiently, with all the encrypting and decrypting that have to be done.


___________________________________________________________________________________________________________________

Fermat’s Little Theorem

We now use Fermat’s Little Theorem to show that the encryption-decryption key works correctly and accurately. We show the following:

    (m^{a_0})^{a_1} \equiv m \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)

For the descriptions of the numbers m, p, a_0 and a_1, see the above section Setting Up the Padlocks. First we state the Fermat’s Little Theorem.

Fermat’s Little Theorem
Let q be a prime number. Then for any integer a, a^q-a is an integer multiple of q (or q divides a^q-a). Using congruence notation, the theorem can be expressed as:

    a^q \equiv a \ (\text{mod} \ q)

If the integer a is not divisible by q, then we can divide out a and the theorem can be expressed as:

    a^{q-1} \equiv 1 \ (\text{mod} \ q)

For a proof and a fuller discussion of Fermat’s little theorem, see this post.

We now prove the property (1). Recall that the pair of positive integers a_0 and a_1 are keys to lock and unlock a number m. They are chosen such that a_0 \cdot a_1 \equiv 1 \ (\text{mod} \ p-1), or equivalently a_0 \cdot a_1=1+(p-1) \cdot k for some integer k. This integer k must be positive since a_0 and a_1 are both positive.

In the derivation below, we repeated use the fact that m^p \equiv m \ (\text{mod} \ p) (applying the Fermat’s Little Theorem).

    \displaystyle \begin{aligned} m&\equiv m^p \ (\text{mod} \ p)=m \cdot m^{p-1} \\&\equiv m^p \cdot m^{p-1} \ (\text{mod} \ p)=m \cdot m^{2(p-1)} \\&\equiv m^p \cdot m^{2(p-1)} \ (\text{mod} \ p)=m \cdot m^{3(p-1)} \\&\cdots \\&\cdots \\&\cdots \\&\equiv m^p \cdot m^{(k-1)(p-1)} \ (\text{mod} \ p)=m \cdot m^{k(p-1)} \\&=m \cdot m^{k(p-1)} \equiv m^{a_0 \cdot a_1} \ (\text{mod} \ p) \end{aligned}


___________________________________________________________________________________________________________________

Example of Congruence Calculation

For a numerical example, we use a small prime number p=55,049. Though a small prime number, it is large enough to make the illustration meaningful. Andy chooses a_0 \cdot a_1 such that a_0 \cdot a_1=1+(p-1) \cdot k for some integer k. Andy decides to use k=3817, leading to a_0=2,657 and a_1=79,081.

As illustration of how the calculation is done, let m=1020 (the number for \heartsuit 2 as indicated above).

To decrypt this card, Andy needs to raise 1020 to the 2657th power and then find the remainder upon division by p=50,049. This is the definition for 1010200^{269} modulo p. But the calculation is not easy to do directly without special software. We present here a “divide and conquer” approach that use the division algorithm in each step to reduce the exponent by half.

To start, note that 1020^2 \equiv 49518 \ (\text{mod} \ 55049), meaning that the remainder is 49518 when 1020^2 is divided by 55049. In the following series of steps, a congruence calculation is performed in each step (using the division algorithm) to reduce the exponent by half.

    \displaystyle \begin{aligned} 1020^{2657}&\equiv (1020^2)^{1328} \cdot 1020 \ (\text{mod} \ 55049) \\&\text{ } \\&\equiv 49518^{1328} \cdot 1020 \equiv (49518^2)^{664} \cdot 1020  \\&\text{ } \\& \equiv 39766^{664} \cdot 1020 \equiv (39766^2)^{332} \cdot 1020 \\&\text{ } \\& \equiv 52231^{332} \cdot 1020 \equiv (52231^2)^{166} \cdot 1020 \\&\text{ } \\&\equiv 14068^{166} \cdot 1020 \equiv (14068^2)^{83} \cdot 1020 \\&\text{ } \\& \equiv 7469^{83} \cdot 1020 \equiv (7469^2)^{41} \cdot 7469 \cdot 1020 \\&\text{ } \\& \equiv 21324^{41} \cdot 7469 \cdot 1020 \\&\text{ } \\&\equiv 21324^{41} \cdot 21618 \equiv (21324^2)^{20} \cdot 21324 \cdot 21618 \\&\text{ } \\&  \equiv 8236^{20} \cdot 21324 \cdot 21618 \\&\text{ } \\& \equiv 8236^{20} \cdot 1906 \equiv (8236^2)^{10} \cdot 1906 \\&\text{ } \\& \equiv 11328^{10} \cdot 1906 \equiv (11328^2)^{5} \cdot 1906 \\&\text{ } \\& \equiv 4365^5 \cdot 1906 \equiv (4365^2)^2 \cdot 4365 \cdot 1906 \\&\text{ } \\& \equiv 6271^2 \cdot 4365 \cdot 1906 \\&\text{ } \\&\equiv 6271^2 \cdot 7291  \\&\text{ } \\&\equiv 20455 \cdot 7291 \\&\text{ } \\&\equiv 9664 \ (\text{mod} \ 55049)  \end{aligned}

Thus the card number 1020 is encrypted as 9664. To recover the original card number from this encrypted number, Andy needs to raise 9664 to the power of a_1=79081. Here, we get an assist from Fermat’s Little Theorem in addition to the ‘divide and conquer” congruence arithmetic that is used above.

According to Fermat’s Little Theorem, 9664^{55048} \equiv 1 \ (\text{mod} \ 55049). Thus we have

    9664^{79081} \equiv 9664^{55048} \cdot 9664^{24033} \equiv 9664^{24033} \ (\text{mod} \ 55049)

With the help of Fermat’s Little Theorem, the exponent 79081 has come down to 24033. In the rest of the way, the “divide and conquer” approach is used.

    \displaystyle \begin{aligned} 9664^{24033}&\equiv (9664^2)^{12016} \cdot 9664 \ (\text{mod} \ 55049) \\&\text{ } \\&\equiv 29782^{12016} \cdot 9664 \equiv (29782^2)^{6008} \cdot 9664 \\&\text{ } \\&\equiv 8237^{6008} \cdot 9664 \equiv (8237^2)^{3004} \cdot 9664 \\&\text{ } \\&\equiv 27801^{3004} \cdot 9664 \equiv (27801^2)^{1502} \cdot 9664 \\&\text{ } \\&\equiv 7641^{1502} \cdot 9664 \equiv (7641^2)^{751} \cdot 9664 \\&\text{ } \\&\equiv  32941^{751} \cdot 9664 \equiv (32941^2)^{375} \cdot 32941 \cdot 9664 \\&\text{ } \\&\equiv 38642^{375} \cdot 32941 \cdot 9664 \\&\text{ } \\&\equiv 38642^{375} \cdot 48506 \equiv (38642^2)^{187} \cdot 38642 \cdot 48506 \\&\text{ } \\&\equiv 39^{187} \cdot 38642 \cdot 48506 \\&\text{ } \\&\equiv 39^{187} \cdot 5451 \equiv (39^2)^{93} \cdot 39 \cdot 5451 \\&\text{ } \\&\equiv 1521^{93} \cdot 39 \cdot 5451 \\&\text{ } \\&\equiv 1521^{93} \cdot 47442 \equiv (1521^2)^{46} \cdot 1521 \cdot 47442 \\&\text{ } \\&\equiv 1383^{46} \cdot 1521 \cdot 47442 \\&\text{ } \\&\equiv  1383^{46} \cdot 45092 \equiv (1383^2)^{23} \cdot 45092 \\&\text{ } \\&\equiv 41023^{23} \cdot 45092 \equiv (41023^2)^{11} \cdot 41023 \cdot 45092 \\&\text{ } \\&\equiv 38599^{11} \cdot 41023 \cdot 45092  \\&\text{ } \\&\equiv 38599^{11} \cdot 52618 \equiv (38599^2)^{5} \cdot 38599 \cdot 52618 \\&\text{ } \\&\equiv 36665^5 \cdot 38599 \cdot 52618  \\&\text{ } \\&\equiv 36665^5 \cdot 24376 \equiv (36665^2)^{2} \cdot 36665 \cdot 24376  \\&\text{ } \\&\equiv 25645^2 \cdot 36665 \cdot 24376  \\&\text{ } \\&\equiv 25645^2 \cdot 25525  \\&\text{ } \\&\equiv 50671 \cdot 25525  \\&\text{ } \\&\equiv 1020 \ (\text{mod} \ 55049)  \end{aligned}

In each step of the above calculation, the division algorithm is applied to reduce the exponent by half. For example, to go from the first line to the second line, 9664^2 is divided by 55049 to obtain the remainder 29782, i.e. 9664^2 \equiv 29782 \ (\text{mod} \ 55049). The number 1020 in the last line is the remainder when 50671 \cdot 25525 is divided by 55049.

___________________________________________________________________________________________________________________

\copyright \ 2013 \text{ by Dan Ma}

Advertisements

Fermat’s Little Theorem and RSA Algorithm

RSA is a cryptographic algorithm that is used to send and receive messages. We use the Fermat’s Little Theorem to prove that RSA works correctly and accurately. In other words, the decrypted message is indeed the original message from the sender. Mathematically we show that applying the encryption function and the decryption function successively produces the identity function.

To see how RSA works, see the previous post An Illustration of the RSA Algorithm.

___________________________________________________________________________________________________________________

RSA Algorithm

We first briefly describe the algorithm and then present the mathematical statement to validate.

Let N=p \cdot q where p and q are two prime numbers. Let \phi=(p-1) \cdot (q-1). Choose an integer e with 1<e<N such that e and \phi are relatively prime.

The public key consists of N and e where e is the encryption key. Once it is published, anyone can use it to encrypt messages to send to the creator of the public key. The following is the encryption function:

    f(M) \equiv M^e \ (\text{mod} \ N)

where M is a positive integer and is the original message.

The private key is a positive integer d that satisfies:

    d \cdot e \equiv 1 \ (\text{mod} \ \phi=(p-1) \cdot (q-1))

In other words, d is the multiplicative inverse of e in the modular arithmetic of modulo \phi. The above condition is equivalent to: de-1=(p-1) \cdot (q-1) \cdot k for some integer k.

The number d is the decryption key that will be used to decode messages. So it should remain private.

Once the creator of the public key receives an encrypted message C=f(M), he or she uses the following decryption function to obtain the original message M.

    g(C) \equiv C^d \ (\text{mod} \ N)

___________________________________________________________________________________________________________________

The Mathematical Statement to Validate

What we prove is that the decryption function is to undo the encryption function. Specifically, we prove the following:

    g(C)=g(f(M))=(M^e)^d=M^{ed} \equiv M \ (\text{Mod} \ N) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)

In other words, applying the decryption function g to the encryption function f produces the original message.

___________________________________________________________________________________________________________________

Fermat’s Little Theorem

In this section, we list out the tools we need to prove the correctness of RSA.

Theorem 1 (Fermat’s Little Theorem)
If p is a prime number and a is an integer such that a and p are relatively prime, then

    a^{p-1}-1 is an integer multiple of p

    or equivalently a^{p-1} \equiv 1 \ (\text{mod} \ p).

For a proof of Fermat’s little theorem, see this post.

Lemma 2 (Euclid’s Lemma)
Let a, b and d be integers where d \ne 0. Then if d divides a \cdot b (symbolically d \lvert a \cdot b), then either d \lvert a or d \lvert b.

Euclid’s Lemma is needed to prove the following Lemma.

Lemma 3
Let M be an integer. Let p and q be prime numbers with p \ne q.

Then if a \equiv M \ (\text{mod} \ p) and a \equiv M \ (\text{mod} \ q), then a \equiv M \ (\text{mod} \ p \cdot q).

Proof of Lemma 3
Suppose we have a \equiv M \ (\text{mod} \ p) and a \equiv M \ (\text{mod} \ q). Then for some integers i and j, we have:

    a=M+p \cdot i and a=M+q \cdot j.

Then p \cdot i=q \cdot j. This implies that p divides q \cdot j (p \lvert q \cdot j). By Euclid’s lemma, we have either p \lvert q or p \lvert j. Since p and q are distinct prime numbers, we cannot have p \lvert q. So we have p \lvert j and that j=p \cdot w for some integer w.

Now, a=M+q \cdot j=M+q \cdot p \cdot w, implying that a \equiv M \ (\text{mod} \ p \cdot q). \blacksquare

___________________________________________________________________________________________________________________

The Proof of (1)

We now prove the property (1) described above. We show that

    (M^e)^d=M^{ed} \equiv M \ (\text{Mod} \ N=p \cdot q)

We first show that M^{ed} \equiv M \ (\text{Mod} \ p) and M^{ed} \equiv M \ (\text{Mod} \ q). Then the desired result follows from Lemma 3.

To show M^{ed} \equiv M \ (\text{Mod} \ p), we consider two cases: M \equiv 0 \ (\text{Mod} \ p) or M \not \equiv 0 \ (\text{Mod} \ p).

Case 1. M \equiv 0 \ (\text{Mod} \ p). Then M is an integer multiple of p, say M=p \cdot w where w is an integer. Then M^{ed}=(p \cdot w)^{ed}=p \cdot p^{ed-1} \cdot w^{ed}. So both M and M^{ed} are integer multiples of p. Thus M^{ed} \equiv M \ (\text{Mod} \ p).

Case 2. M \not \equiv 0 \ (\text{Mod} \ p). This means that p and M are relatively prime (having no common divisor other than 1). Thus we can use Fermat’s Little Theorem. We have M^{p-1} \equiv 1 \ (\text{mod} \ p).

From the way the decryption key d is defined above, we have ed-1=(p-1) \cdot (q-1) \cdot k for some integer k. We then have:

    \displaystyle \begin{aligned} M^{ed}&=M^{ed-1} \cdot M \\&=M^{(p-1) \cdot (q-1) \cdot k} \cdot M \\&=(M^{p-1})^{(q-1) \cdot k} \cdot M \\&\equiv (1)^{(q-1) \cdot k} \cdot M \ (\text{Mod} \ p) \ * \\&\equiv M \ (\text{Mod} \ p) \end{aligned}

At the step with *, we apply Fermat’s Little Theorem. So we have M^{ed} \equiv M \ (\text{Mod} \ p).

The same reason reasoning can show that M^{ed} \equiv M \ (\text{Mod} \ q).

By Lemma 3, it follows that M^{ed} \equiv M \ (\text{Mod} \ N=p \cdot q). \blacksquare

___________________________________________________________________________________________________________________

\copyright \ 2013 \text{ by Dan Ma}

Revised August 9, 2014.

An Illustration of the RSA Algorithm

The following 617-digit number (all 617 digits starting with 251 and ending in 357) is a product of two prime numbers p and q. How long will it take to find these two prime factors?

    25195908475657893494027183240048398571429282126204
    03202777713783604366202070759555626401852588078440
    69182906412495150821892985591491761845028084891200
    72844992687392807287776735971418347270261896375014
    97182469116507761337985909570009733045974880842840
    17974291006424586918171951187461215151726546322822
    16869987549182422433637259085141865462043576798423
    38718477444792073993423658482382428119816381501067
    48104516603773060562016196762561338441436038339044
    14952634432190114657544454178424020924616515723350
    77870774981712577246796292638635637328991215483143
    81678998850404453640235273819513786365643912120103
    97122822120720357

The above number is a challenge to the public to come up with the two prime factors (see RSA challenge number and RSA factoring challenge). No one has been able to successfully meet the challenge. In fact, even with the current state of the art in supercomputing technology, it could take millions of years to factor a number as big as the one shown above. According to the organization that posed the challenge (RSA Laboratories), barring fundamental algorithmic or computing advances, the above number or other similarly sized number is expected to stay unfactored in the decades to come.

RSA is a cryptographic algorithm that is used to send and receive sensitive data. The name RSA stands for the last names of the creators of the algorithm – Ron Rivest, Adi Shamir and Leonard Adleman.

The algorithm uses a pair of large prime numbers in setting up a public key to encrypt and a private key to decrypt data. The public key is known to the public and includes a large integer N (such as the one indicated at the beginning of the post) that is a product of two prime numbers p and q. The private key is computed using two prime factors p and q and is needed to decrypt the messages encrypted by the public key. The RSA scheme is built on the monumental difficulty in factoring large numbers. Barring some system vulnerability that hackers can exploit, it is all but certain that messages sent via RSA scheme can only be read by the intended party – the legitimate party that possesses the private key.

This post gives an illustration of how the RSA algorithm work using much smaller prime numbers. The RSA algorithm is also an application of the Fermat’s Little Theorem (see the post Fermat’s Little Theorem and RSA Algorithm).

The example given below makes use of congruence arithmetic. If a, b and m are integers, the symbol a \equiv b \ (\text{mod } m) means that the difference a-b is divisible by m (we say that a is congruent to b modulo m). For example, 15 \equiv 3 \ (\text{mod } 12) (in terms of clock arithmetic, 6 hours after 9 o’clock is not 15th o’clock but is 3 o’clock). For more information about congruence relation and congruence arithmetic, see this blog post or this Wikipedia entry.

___________________________________________________________________________________________________________________

Example of RSA

The example uses small prime numbers to make the illustration easy to follow. The example has the following steps:

  1. Andy creates a public key and a private key. He gives the public key to Becky and keeps the private key to himself.
  2. Becky then uses the public key to encrypt a message and sends it to Andy.
  3. Andy then uses the private key to decrypt the message received from Becky.
  4. \text{ }

______________________________________________________
Step 1 – Generating the Public Key and Private Key

Choose two prime numbers p and q. In this example, let p=29 and q=47. Then calculate the following numbers:

    N=p \times q=1363

    (p-1) \times (q-1)=1288

Choose an integer e with 1<e<N such that e and (p-1) \times (q-1) are relatively prime (meaning the only common divisor is 1). For this example, Andy chooses e=11.

The public key consists of N=1363 and e=11, which Andy passes to Becky. Becky will use the public key to encrypt any message that she wishes to send to Andy (see Step 2 below). The number e is the encryption key.

Andy can also make the public key known to any one from whom Andy wishes to receive message.

The private key is the number d such that:

    e \cdot d \equiv 1 \ (\text{mod } (p-1) \cdot (q-1))

In this example, find the number d such that

    11 \cdot d \equiv 1 \ (\text{mod } 1288)

Specifically, we need to find the number d that satisfies 11d=1+1288 k for some integer k. When k=10, we have a solution d=1171.

The number d=1171 will be used to decrypt any message that will come from Becky. So Andy needs to keep d private and secure.

______________________________________________________
Step 2 – Encrypting a Message using the Public Key

Becky wishes to send a message T (in text) to Andy. Becky first translates T into an integer M (e.g. using a mapping to translate strings of letters and other symbols into blocks of numbers). This same mapping will be used by Andy to translate the decrypted message M back to the text message T. Note that the mapping for translating letters into numbers and back is not part of the RSA algorithm, which only encrypts and decrypts numeric messages.

Suppose the message is M=289. The following is the encryption function – the function that generates the encrypted message C

    f(M) \equiv M^e \ (\text{mod } N)

In this example, the encryption function is:

    f(M) \equiv 289^{11} \ (\text{mod } 1363)

The encrypted message is the number C=f(M) is the remainder that is obtained when 289^{11} is divided by N=1363. This can be done in a process using congruence arithemtic that can be described as “divide and conquer”. The process is to reduce the exponent by half in each step of the step by step approach.

First, note that 289^2 \equiv 378 \ (\text{mod} \ 1363) since 378 is the remainder when 289^2 is divided by 1363 (i.e. division algorithm). Then use the division algorithm successively as shown in the following:

    \displaystyle \begin{aligned} 289^{11}&\equiv (289^2)^5 \cdot 289 \ (\text{mod} \ 1363) \\&\text{ } \\&\equiv 378^5 \cdot 289 \equiv (378^2)^2 \cdot 378 \cdot 289 \\&\text{ } \\& \equiv 1132^2 \cdot 378 \cdot 289 \\&\text{ } \\&\equiv 1132^2 \cdot 202 \\&\text{ } \\&\equiv 204 \cdot 202 \\&\text{ } \\&\equiv 318 \ (\text{mod} \ 1363) \end{aligned}

In the “divide and conquer” approach, a congruence calculation in done in each step to reduce the exponent (applying the division algorithm). For example, to go from the first line to the second line, the remainder 378 is obtained when 289^2 is divided by 1363. The number 318 is the remainder when 204 \cdot 202 is divided by 1363.

______________________________________________________
Step 3 – Decrypting the Message Receiving from Becky

Andy receives the encrypted message C=318. To decrypt C, the private key d that is calculated in Step 1 above is used. The following is the decryption function – the function that generates the decrypted message M.

    g(C) \equiv C^d \ (\text{mod } N)

In particular, Any needs to find the number M=g(C) that satisfies the following:

    g(C) \equiv 318^{1171} \ (\text{mod } 1363)

The decrypted message M=g(C) is the remainder when 318^{1171} is divided by 1363. A “divide and conquer” approach can be used.

    \displaystyle \begin{aligned} 318^{1171}&\equiv (318^2)^{585} \cdot 318 \ (\text{mod} \ 1363) \\&\text{ } \\&\equiv 262^{585} \cdot 318 \equiv (262^2)^{292} \cdot 262 \cdot 318 \\&\text{ } \\& \equiv 494^{292} \cdot 262 \cdot 318 \\&\text{ } \\&\equiv 494^{292} \cdot 173 \equiv (494^2)^{146} \cdot 173 \\&\text{ } \\& \equiv 59^{146} \cdot 173 \equiv (59^2)^{73} \cdot 173 \\&\text{ } \\& \equiv 755^{73} \cdot 173 \equiv (755^2)^{36} \cdot 755 \cdot 173 \\&\text{ } \\& \equiv 291^{36} \cdot 755 \cdot 173 \\&\text{ } \\&\equiv 291^{36} \cdot 1130 \equiv (291^2)^{18} \cdot 1130 \\&\text{ } \\& \equiv 175^{18} \cdot 1130 \equiv (175^2)^{9} \cdot 1130 \\&\text{ } \\& \equiv 639^{9} \cdot 1130 \equiv (639^2)^{4} \cdot 639 \cdot 1130 \\&\text{ } \\& \equiv 784^{4} \cdot 639 \cdot 1130 \\&\text{ } \\&\equiv 784^{4} \cdot 1043 \equiv (784^2)^{2} \cdot 1043 \\&\text{ } \\& \equiv 1306^{2} \cdot 1043 \\&\text{ } \\&\equiv 523 \cdot 1043  \\&\text{ } \\&\equiv 289 \ (\text{mod} \ 1363) \end{aligned}

We just illustrates how Andy decrypts Becky’s message of C=318 to find the original message of M=289. The calculation is tedious if done manually but is simple for a computer.

___________________________________________________________________________________________________________________

Summary

We summarize the main steps in the above example.

______________________________________________________
Step 1 – Generating the Public Key and Private Key

Choose two prime numbers p and q. Then calculate the following numbers:

    N=p \times q

    (p-1) \times (q-1)

    Choose an integer e with 1<e<N such that e and (p-1) \times (q-1) are relatively prime (meaning the only common divisor is 1).

The public key consists of N and e, which Andy passes to Becky. Becky will use the public key to encrypt any message that she wishes to send to Andy. The number e is the encryption key.

Andy can also make the public key known to any one from whom Andy wishes to receive message.

The private key is the number d such that:

    e \cdot d \equiv 1 \ (\text{mod } (p-1) \cdot (q-1))

The number d is the decryption key and will be used to decrypt any message that will come from Becky. So Andy needs to keep d private and secure.

______________________________________________________
Step 2 – Encrypting a Message using the Public Key

Becky wishes to send a message T (in text) to Andy. Becky first translates T into an integer M (e.g. using a mapping to translate strings of letters and other symbols into blocks of numbers). This same mapping will be used by Andy to translate the decrypted message M back to the text message T.

The following is the encryption function – the function that generates the encrypted message C.

    f(M) \equiv M^e \ (\text{mod } N)

The encrypted message that Becky will send to Andy is C=f(M).

______________________________________________________
Step 3 – Decrypting the Message Receiving from Becky

Andy receives the encrypted message C. To decrypt C, the private key d that is calculated in Step 1 above is used. The following is the decryption function – the function that generates the decrypted message M.

    g(C) \equiv C^d \ (\text{mod } N)

The original message sent from Becky is M=g(C).

Note that M=g(f(M)). Thus the function f is the inverse function of g (and vice versa). This fact can be established by using Fermat’s Little Theorem (see the post Fermat’s Little Theorem and RSA Algorithm).

___________________________________________________________________________________________________________________

RSA Exercise

Suppose you are Andy. You set p=53 and q=67. You also choose e=7.

You give the public key N=3551 and e=7.

Becky sends you an encrypted message C=2691.

What is the original message?

___________________________________________________________________________________________________________________

More Information about RSA

A lot of information about RSA can be found online. Here’s a few useful links for introductory information.

___________________________________________________________________________________________________________________

\copyright \ 2013 \text{ by Dan Ma}

Revised August 9, 2014.

Sieve of Eratosthenes

The sieve of Eratosthenes is an easy to use algorithm for finding all prime numbers up to a certain limit. It is named after Eratosthenes of Cyrene, a Greek mathematician who lived in third century BC. In this post we illustrate the sieve of Eratosthenes in a series of diagrams.

The sieve identifies the prime numbers below a limit n by eliminating all composite numbers below n. The following describes the steps:

  • Start with a listing of all positive integers \le n.
  • \text{ }

  • Select the number 2 and mark all multiples of 2 that are greater than 2 (in the diagrams below we use shading), essentially marking all even integers in the listing (except for 2).
  • \text{ }

  • In each subsequent step, find the first number p greater than the previously selected number. Then mark all multiples of p that are greater than p, i.e., marking 2p, 3p, 4p, \cdots.
  • \text{ }

  • The process is stopped when multiples of x have been marked for all integers x \le \sqrt{n}.

The justification for \sqrt{n} in the above description is that any composite integer in the listing would have a prime divisor below \sqrt{n}. See the corollary at the end of the post.

The sieve of Eratosthenes is of course best done using using computer. We illustrate the process by finding all prime number below n=169.

___________________________________________________________________________________________________________________

We start with Figure 1 which is a listing of all integers below 169.

Figure 1 – Positive Integers Below 169

Next, in Figure 2, we shade all multiples of 2 that are above 2. In other words we shade all even integers below 169 (excluding 2).

Figure 2 – Multiples of 2 are Shaded

The first number greater than 2 that has not been shaded is 3. In Figure 3 below, we shade all multiples of 3 that are greater than 3 and that have not been previously shaded (e.g. 9, 15, etc).

Figure 3 – Multiples of 3 are Shaded

The first number greater than 3 that has not been shaded is 5. In Figure 4 below, we shade all multiples of 5 that are greater than 5 and that have not been previously shaded.

Figure 4 – Multiples of 5 are Shaded

The first number greater than 5 that has not been shaded is 7. In Figure 5 below, we shade all multiples of 7 that are greater than 7 and that have not been previously shaded (e.g. 49, 77, 91, etc).

Figure 5 – Multiples of 7 are Shaded

The first number greater than 7 that has not been shaded is 11. In Figure 6 below, we shade all multiples of 11 that are greater than 11 and that have not been previously shaded. In this step, we only need to shade 121 and 143.

Figure 6 – Multiples of 11 are Shaded

The first number greater than 11 that has not been shaded is 13. In Figure 7 below, we shade all multiples of 13 that are greater than 13 and that have not been previously shaded. In this step, we only need to shade 169.

Figure 7 – Multiples of 13 are Shaded

By the time we finish with Figure 7, all multiples of x have been shaded for all x \le 13=\sqrt{169}. So the remaining unshaded numbers are prime numbers. Note that for any integer in the above diagrams, if it is composite, it would have a prime divisor at or below 13 (see the corollary below).

Thus there are 39 prime numbers below 169 and they are:

    2, 3, 5, 7,

    11, 13, 17, 19,

    23, 29,

    31, 37,

    41, 43, 47,

    53, 59,

    61, 67,

    71, 73, 79,

    83, 89,

    97,

    101, 103, 107, 109,

    113,

    127,

    131, 137, 139,

    149,

    151, 157,

    163, 167

___________________________________________________________________________________________________________________

Why the Sieve Works

The marking or shading of multiples of numbers can stop at \sqrt{n} is justified by the following two lemmas.

Lemma 1
Let n be a composite integer greater than 1. Then n has a divisor d such that 1<d \le \sqrt{n}.

Proof.
Since n is composite, there are integers d and h such that n=d \cdot h with 1<d<n and 1<h<n. If one of d and h is \le \sqrt{n}, then we are done.

Suppose that both d>\sqrt{n} and h>\sqrt{n}. Then we have:

    n=d \cdot h>\sqrt{n} \cdot \sqrt{n}=n

Thus one of d and h is \le \sqrt{n}. \blacksquare

Lemma 2
Let n be a composite integer greater than 1. Then n has a prime divisor d such that 1<d \le \sqrt{n}.

Proof.
By Lemma 1, n has a divisor d such that 1<d \le \sqrt{n}. Since there can be only finitely many such divisors and since any finite set of real numbers has a least element, let d be the smallest divisor of n such that 1<d \le \sqrt{n}. Then d must be a prime number. If not, by Lemma 1 d would have a divisor w with 1<w \le \sqrt{d}<d. This would mean w is a divisor of n contradicting the fact that d is the smallest divisor of n. \blacksquare

Because of these two lemmas, in checking whether a positive integer is a prime number, we only need to check for divisors \le \sqrt{n}. We have the following corollary, which is the basis of the sieve of Eratosthenes.

Corollary
Let n be any integer greater than 2. Any composite number k in the following listing

    \left\{2,3,4,5,6, \cdots, n-1,n \right\}

has a prime factor p \le \sqrt{n}.

Thus in the process for the sieve of Eratosthenes for identifying the prime numbers \le n, we only need to eliminate the multiples of p for all p \le \sqrt{n}.

___________________________________________________________________________________________________________________

\copyright \ 2013 \text{ by Dan Ma}