<h1> CS70: Note 7 <h1>

<h2>Public Key Cryptography</h2>

In this note, we discuss a very nice and important application of modular arithmetic: <i>the RSA public-key
cryptosystem</i>, named after its inventors Ronald Rivest, Adi Shamir and Leonard Adleman.

The basic setting for cryptography is typically described via a cast of three characters: Alice and Bob, who
with to communicate confidentially over some (insecure) link, and Eve, an eavesdropper who is listening in
and trying to discover what they are saying. Let’s assume that Alice wants to transmit a message x (written
in binary) to Bob. She will apply her encryption function E to x and send the encrypted message E(x) over
the link; Bob, upon receipt of E(x), will then apply his decryption function D to it and thus recover the
original message: i.e., D(E(x)) = x.

Since the link is insecure, Alice and Bob have to assume that Eve may get hold of E(x). (Think of Eve
as being a “sniffer" on the network.) Thus ideally we would like to know that the encryption function E is
chosen so that just knowing E(x) (without knowing the decryption function D) doesn’t allow one to discover
anything about the original message x

For centuries cryptography was based on what are now called private-key protocols. In such a scheme,
Alice and Bob meet beforehand and together choose a secret codebook, with which they encrypt all future
correspondence between them. (This codebook plays the role of the functions E and D above.) Eve’s only
hope then is to collect some encrypted messages and use them to at least partially figure out the codebook.

<i>Public-key</i> schemes such as RSA, first invented in the 1970s, are significantly more subtle and tricky: they
allow Alice to send Bob a message without ever having met him before! This almost sounds impossible,
because in this scenario there is a symmetry between Bob and Eve: why should Bob have any advantage over
Eve in terms of being able to understand Alice’s message? The central idea behind the RSA cryptosystem
is that Bob is able to implement a <i>digital lock</i>, to which only he has the key. Now by making this digital
lock public, he gives Alice (or, indeed, anybody else) a way to send him a secure message which only he
can open

Here is how the digital lock is implemented in the RSA scheme. Each person has a <i>public key</i> known to the
whole world, and a <i>private key</i> known only to him- or herself. When Alice wants to send a message x to
Bob, she encodes it using Bob’s public key. Bob then decrypts it using his private key, thus retrieving x. Eve
is welcome to see as many encrypted messages for Bob as she likes, but she will not be able to decode them
(under certain basic assumptions explained later in this Note).

The RSA scheme is based heavily on modular arithmetic. Let p and q be two large primes (typically having,
say, 512 bits each), and let N = pq. We will think of messages to Bob as numbers modulo N, excluding the
trivial values 0 and 1. (Larger messages can always be broken into smaller pieces and sent separately.)

Also, let e be any number that is relatively prime to (p−1)(q−1). (Typically e is a small value such as 3.)
Then Bob’s public key is the pair of numbers (N,e). This pair is published to the whole world. (Note,
however, that the numbers p and q are not public; this point is crucial and we will return to it below.)

What is Bob’s private key? This will be the number d, which is the inverse of e mod (p−1)(q−1). (This
inverse is guaranteed to exist because e and (p−1)(q−1) are coprime.)

We are now in a position to describe the encryption and decryption functions:
<ul>
    <li>[Encryption]: When Alice wants to send a message x (assumed to be an integer mod N) to Bob, she
computes the value E(x) = x
        e mod N and sends this to Bob.</li>
<li>[Decryption]: Upon receiving the value y = E(x), Bob computes D(y) = y
d mod N; this will be equal
    to the original message x.</li>
</ul>

Example: Let $p = 5$, $q = 11$, and $N = pq = 55$. (In practice, p and q would be much larger.) Then we can
choose $e = 3$, which is relatively prime to $(p−1)(q−1) = 40$. Thus Bob’s public key is $(55,3)$. His private
key is $d \equiv 3^
{−1}\mod 40 \equiv 27$. For any message x that Alice (or anybody else) wishes to send to Bob, the
encryption of $x$ is $y \equiv x^
{3} \mod 55$, and the decryption of $y$ is $x \equiv y^
{27} \mod 55$. So, for example, if the message
is $x = 13$, then the encryption is $y = 133 = 52 mod 55, and this is decrypted as 5227 = 13 mod 55.