21/11/2022. Lecture 10. 18 RSA and electronic signature

Download (0)

Full text


21/11/2022. Lecture 10.

18 RSA and electronic signature

We briefly discussed an application of the asymmetric encryption (using RSA as the standard example) in a protocol of electronic signature.

19 Diffie–Hellman key exchange

In the class we discussed the classical protocol of key exchange suggested by Diffie and Hellman. In this protocol two parties (Alice and Bob) want to agree on a common secret key. To this end, they communicate via an open communication channel. The opponent (eavesdropper) can intercept all the messages sent by Alice and Bob to each other. We assume that the computational resources of the opponent are bounded, and the security of the protocol is based on the assumption that the problem of discrete logarithm (see below) cannot be resolved efficiently.

The public parameters of the protocol of Diffie and Hellman are a prime numberp and an integer numberg such that the degrees of this numbers

g mod p, g2 modp, g3 mod p, g4 mod p, . . . (1) cover the entier set of all possible non zero residues modulo p. In other words, for every integer number 1 ≤ y < p there exists an integer x such that

y=gx mod p

(Such a number g is called a generator of the group ((Z/pZ)×,·), which consists of the elements{1,2, . . . , p−1}with the operation of multiplication modulop.) The protocol is organised as follows:

• Alice chooses at random an integer number a co-prime with p and sends the numberma=ga modp to Bob

• Bob chooses at random an integer numberbco-prime withpand sends the numbermb=gb mod p to Alice

• Alice computesk= (mb)a mod p

• Alice computesk= (ma)b mod p


Observe that Alice and Bob end up with the same number (ga)b mod p= (gb)a mod p.

This numberkis taken as the secret key.

Observe that the eavesdropper can access the numbers ga mod p sent by Alice and gb mod p sent by Bob. It is believed in the cryptographic community that it is computationally hard to obtain (gab mod p) given two numbers (ga mod p) and (gb modp). More precisely, it is conjectured that no algorithm (deterministic or randomised) for a classical computer can do this task in polynomial time. However, this conjecture remains unproven.

It is known that there exists an algorithm for aquantum computer that computes in polynomial time the discrete logarithm, i.e., given (p, g, y) it finds anx such thatgx =y mod p.Using such an algorithm, an eavesdrop- per could attack the protocol of Diffie–Hellman. This is why inpost-quantum cryptography the researchers explore possible alternative to the protocol of Diffie and Hellman (these alternative would become necessary in case if quantum computers are eventually constructed).

In the class we discussed that the protocol of Diffie and Hellman is vulnerable to the attack of an active adversary that can not only eavesdrop but also spoof the messages that Alice and Bob send to each other (man- in-the-middle attack).

Security of the protocol of Diffie and Hellman depends on the fact that there are many differenty∈ {1,2, . . . , p−1}that can be represented asy= gx mod pfor a fixed g. Ideally, all values gx mod p forx= 1,2, . . . , p−1 should be different. Indeed, let us consider the case when the chosengis not a generator of (Z/pZ)×; assume that the list (1) consists not of all non-zero elements modulop but only ofk different elements andkp−1.

Exercise 1. Show that the value of k (the number of different elements in (1)) is equal to the order of g in (Z/pZ)×, i.e., to the minimal natural numberx such thatgx= 1 modp.

Given the valuesmaandmb, the adversary can find theirdiscrete logarithms a and b (the numbers such that ga =ma mod p and gb =mb mod p) by brute force search, by trying all values (gx mod p) in (1) forx= 1,2, . . . , k one by one. The smaller isk, the faster the brute force search works. Thus, with small k, the task of the attacher is simpler. This is why we prefer to use in this protocol a numbergsuch that the list (1) is maximally long (i.e., there are (p−1) different elements in this list).


It remains to show that for every prime numberpthere exists an integer g such that the order ofg in (Z/pZ)× is equal to p−1 (and the number of different elements in (1) is equal top−1).

In the class we started with a discussion of a few special cases: we found g generating the groups ((Z/17Z)×,·), ((Z/13Z)×,·), ((Z/19Z)×,·).

(We recommend to do these exercises before reading the proof of the next theorem.) Then we proved the following general theorem.

Theorem 1. If p is a prime number, then there exists an integer numberg such that the integer powersgx modp produce all elements in (Z/pZ)×. Proof. The core idea of the proof is the fact that in each field a polynomial of degreekcannot have more thankroots. Let us explain this proof in some detail.

Step 1. We begin the proof with a definition. Let us define theorder of an element x ∈ (Z/pZ)× (denoted Orp(x)) as the minimal integer number k ≥1 such that xk = 1 mod p. The theorem claims that for every prime number p there exists a g such that the order of g in (Z/pZ)× is equal to p−1.

Step 2. Letgbe any element in (Z/pZ)×. Since the set{1,2, . . . , p−1}is finite, the valuesg mod p, g2 mod p, g3 mod p, . . .cannot be all different;

starting from some moment, this series begins to repeat. Therefore, this sequence (powers ofgmodulop) is periodic with some periodk. The length of the period (the numberk) is in fact equal to the very first position in the sequence where we obtaingk= 1 mod p. In other words, the period of this sequence modulop is equal toOrp(g).

We know that for every prime number pand for everyg6= 0 modp we have gp−1 = 1 mod p. Hence, the period of g modulo p must divide the numberp−1. Our goal is to find agsuch thatOrp(g) not only dividesp−1 butis equal to p−1.

Step 3. We proceed with the following lemma.

Lemma 1. Let k0 be the least common multiple of Orp(1), Orp(2), Orp(3), . . . , Orp(p−1).

Then all element of the field are roots of the equationxk0 = 1 modp Proof. For every x ∈ {1,2, . . . , p−1} we have, by definition, xOrp(x) = 1 mod p. Sincek0 is a multiple of Orp(x), we have k0 =`·Orp(x), and

xk0 modp=x`·Orp(x) mod p= (xOrp(x))` mod p= 1` modp,


and we are done.

To conclude the proof of the theorem, it remains to find an element g such thatOrp(g) =k0.

Step 4. We need one more lemma:

Lemma 2. For all x, y ∈ (Z/pZ)× there exists an element z ∈ (Z/pZ)× such that the order of z is the least common multiple of the orders of x andy.

Proof. At first, we prove the lemma for a special case, assuming that gcd(Orp(x), Orp(y)) = 1.

SinceOrp(x) andOrp(y) are co-prime, we need a zsuch that Orp(z) =lcm(Orp(x), Orp(y)) =Orp(x)·Orp(y).

We know from the Extended Euclid Algorithm that if the numbersOrp(x) and Orp(y) are co-prime, then there exist u andv such that

u·Orp(x) +v·Orp(y) = 1.

We letz:= xv·yu mod p. It is easy to see that zOrp(x)·Orp(y) mod p= 1.

It remains to show thatk=Orp(x)·Orp(y) is the minimal natural number such thatzk = 1 modp.

It is clear that Orp(z) divides Orp(x) ·Orp(y). Hence, if Orp(z) <

Orp(x)·Orp(y), then in the sequence

z mod p, z2 mod p, z3 mod p, . . . , zOrp(x)·Orp(y) mod p (2) theones appear in a periodic way, at some positions

k0,2k0,3k0, . . . , Orp(x)·Orp(y).

Thus, if k0 < Orp(x)·Orp(y), then ones appear in (2) (among other posi- tions) at some positionOrp(x)·`(for some` < Orp(y)) or at some position Orp(y) ·` (for some ` < Orp(x)). In what follows we show that this is impossible.

Observe that for the numberz defined above we have

zOrp(x)= 1·yu·Orp(x) mod p=y1−v·Orp(y) mod p=y mod p.


Hence, the numbers

zOrp(x), z2·Orp(x), z3·Orp(x), z(Orp(y)−1)·Orp(x) coincide with

y, y2, , y3, . . . , y(Orp(y)−1)

modulo p, and they are all not equal to 1 modulo p. A similar argument implies that the numbers

zOrp(y), z2·Orp(y), z3·Orp(y), z(Orp(x)−1)·Orp(y)

are also not equal to 1 modulop. Now it is not hard to show that in the list of numbers

z, z2, z3, . . . , zOrp(x)·Orp(y) only the very last element is equal to 1 modulop, i.e.,

Orp(z) =Orp(x)·Orp(y).

It remains to consider the case

gcd(Orp(x), Orp(y))6= 1.

We will reduce the general case to the special case discussed above. We use the following trick. If `is a factor of Orp(y), thenOrp(y`) =Orp(y)/`. So if we can take`:=gcd(Orp(x), Orp(y)) and let y0 =y`, then

gcd(Orp(x), Orp(y0)) = 1 andlcm(Orp(x), Orp(y0)) =lcm(Orp(x), Orp(y)) (here lcm denote the least common multiplier). It remains to apply the argument explained above to the numbersx andy0, and we are done.

Step 5. Now we iterate an application of Lemma 2. First of all, we let x1 = 1. Now we apply Lemma 2 and find an x2 such that Orp(x2) is the least common multiple of the orders ofx1 and 2. Then we apply one more time Lemma 2 and find ax3 such thatOrp(x3) is the least common multiple of the orders of x2 and 3. Further, we find a x4 such that Orp(x4) is the least common multiple of the orders ofx3 and 4, and so on. Finally, we find an element xp−1 such that Orp(xp−1) is the least common multiple of the orders ofxp−2 andp−1. From this construction it follows that the order of the last constructed numberxp−1 is the least common multiple of the orders of all elements 1,2, . . . , p−1. In other words, we found an element xp−1

whose order is equal to the numberk0 from Lemma 1.


Step 5. Since all elements in{1, . . . , p−1} satisfy the equation xk0 = 1 modp,

the number k0 cannot be smaller than p−1 (a polynomial of degree k0 cannot have more thank0 roots). On the other hand, we know thatOrp(x) divides p−1 for each x. Thus, k0 is not less than p−1 and not greater thanp−1. We conclude that k0=p−1, i.e., we have got an elementxp−1

such thatOrp(xp−1) is equal to p−1. This means that x0 is a generating element of (Z/pZ)×, end we are done.


[1] J. Katz, Y. Lindell. Introduction to modern cryptography, CRC Press, 2021 [sections 9.3.1-9.3.3, 11.3-11.4, 13.4].

[2] B. Martin. Codage, cryptologie et applications. PPUR, 2004 [sections 21.1-21.2, 26.5].




Related subjects :