Added actual files to repo.

1 parent cc55b73 commit 9e6d37e08aff55a4de24b53fc046eb9074689bb8 @pfranusic committed
View
17 README
@@ -0,0 +1,17 @@
+# why-RSA-works/README
+# Copyright 2012 Peter Franusic.
+# All rights reserved.
+#
+
+This directory contains LaTeX source files for an article titled "Why RSA Works".
+The article describes the math behind the RSA algorithm.
+The makefile script assumes that the pdflatex program is installed.
+
+To generate a PDF of the article:
+
+ $ make why-RSA-works.pdf
+
+To generate a tarfile of the sources:
+
+ $ make why-RSA-works.tar
+
View
85 block-diagram.tex
@@ -0,0 +1,85 @@
+%%%% why-RSA-works/block-diagram.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+%%
+%% 2 3 4 5 6 7
+%% 6789012345678901234567890123456789012345678901234567890123456
+%% Alice's Alice's
+%% public key private key
+%% {---------} {---------}
+%% n e n d
+%% | | | |
+%% | | | |
+%% | | | |
+%% +-------------+ +-------------+
+%% m | | c | | y
+%% --------| m # x |--------| m # x' |--------
+%% | | | |
+%% +-------------+ +-------------+
+%%
+%% An RSA cryptosystem
+
+% graphic macro definitions
+
+\setlength{\unitlength}{0.05in} % for pictures
+\newsavebox{\bigblock}
+\savebox{\bigblock}(16,12)[bl]{
+ \put( 0, 0){\line(1,0){16}}
+ \put( 0, 12){\line(1,0){16}}
+ \put( 0, 0){\line(0,1){12}}
+ \put(16, 0){\line(0,1){12}}}
+\newsavebox{\smallblock}
+\savebox{\smallblock}(9,12)[bl]{
+ \put( 0, 0){\line(1,0){ 9}}
+ \put( 0, 12){\line(1,0){ 9}}
+ \put( 0, 0){\line(0,1){12}}
+ \put( 9, 0){\line(0,1){12}}}
+
+% The block diagram
+\begin{picture}(90,45)(0,0)
+% Box around picture
+%\put( 0.0, 0.0){\line(1,0){90}}
+%\put( 0.0, 42.0){\line(1,0){90}}
+%\put( 0.0, 0.0){\line(0,1){42}}
+%\put( 90.0, 0.0){\line(0,1){42}}
+% Transmitter
+\put( 18.0, 37.0){\textsf{Alice's}}
+\put( 16.2, 34.0){\textsf{public key}}
+\put( 16.8, 28.0){$\overbrace{\phantom{XXXX}}$}
+\put( 14.0, 11.0){\usebox{\bigblock}}
+\put( 18.0, 16.5){\large{\texttt{modex}}}
+\put( 8.0, 18.0){$m$}
+\put( 6.0, 17.0){\vector(1,0){8}}
+\put( 17.3, 27.0){$n$}
+\put( 18.0, 26.0){\vector(0,-1){3}}
+\put( 25.3, 27.0){$e$}
+\put( 26.0, 26.0){\vector(0,-1){3}}
+\put( 33.5, 18.0){$c$}
+\put( 15.5, 7.0){\textsf{transmitter}}
+\put( 18.8, 4.0){\textsf{(Bob)}}
+% Channel
+\put( 30.0, 17.0){\vector(1,0){28}}
+\put( 39.0, 37.0){\textsf{insecure}}
+\put( 39.0, 34.0){\textsf{channel}}
+\put( 36.4, 28.0){$\overbrace{\phantom{XXXXXX}}$}
+\put( 44.0, 17.0){\circle{2}}
+\put( 44.0, 16.0){\line(0,-1){5.5}}
+\put( 40.5, 7.0){\textsf{sniffer}}
+\put( 41.0, 4.0){\textsf{(Eve)}}
+% Receiver
+\put( 62.0, 37.0){\textsf{Alice's}}
+\put( 59.7, 34.0){\textsf{private key}}
+\put( 60.8, 28.0){$\overbrace{\phantom{XXXX}}$}
+\put( 58.0, 11.0){\usebox{\bigblock}}
+\put( 62.0, 16.5){\large{\texttt{modex}}}
+\put( 53.0, 18.0){$c$}
+\put( 61.3, 27.0){$n$}
+\put( 62.0, 26.0){\vector(0,-1){3}}
+\put( 69.3, 27.0){$d$}
+\put( 70.0, 26.0){\vector(0,-1){3}}
+\put( 76.5, 18.0){$y$}
+\put( 74.0, 17.0){\vector(1,0){8}}
+\put( 62.0, 7.0){\textsf{receiver}}
+\put( 62.5, 4.0){\textsf{(Alice)}}
+\end{picture}
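Review bot: \smallblock is set up with \newsavebox and \savebox but never used in the picture, which only calls \usebox{\bigblock}, so the (9,12) box can be dropped. The ASCII sketch in the header comment has also drifted from the drawing: it labels the boxes "m # x" and "m # x'" and shows no channel tap, while the picture prints modex in both boxes and draws the sniffer (Eve). Either update the sketch or remove it.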
View
30 conclusions.tex
@@ -0,0 +1,30 @@
+%%%% why-RSA-works/conclusions.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+So why does RSA work?
+Why is it that we can take some message $m$,
+run it through two modex operations, and come out with the same $m$?
+There are several reasons.
+First of all, RSA computations are done in a commutative ring
+and the multiplicative association property holds in commutative rings.
+This property tells us that
+the two exponentiations $(m^e)^d$ are the same as the one exponentiation $m^{ed}$.
+
+A second reason is that exponents $e$ and $d$ are chosen
+such that they satisfy the multiples-plus-one condition $ed = k\lambda + 1$.
+This insures that $ed$ is one of the identity columns
+in the exponential table of ring $\mathcal{R}_n$.
+
+A third reason is that the exponential table contains
+repeating blocks of columns where $m^a=m^{k\lambda+a}$.
+This is the wallpaper pattern that we saw in Table \ref{modex-33}.
+This pattern is the reason for the multiples-plus-one condition.
+
+Finally, RSA works because it relies on the intractability of the factoring problem.
+A huge RSA modulus $n$ cannot be factored expeditiously.
+Given that $n$ is the product of two distinct huge random primes,
+it is virtually impossible to factor $n$ in any reasonable amount of time,
+even if the factoring effort is distributed across thousands of computers.
+
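Review bot: The last paragraph ("Finally, RSA works because it relies on the intractability of the factoring problem") mixes correctness with security. The identity y = m follows from the exponent rule and the condition ed = k\lambda + 1 for any valid key, however easy or hard n is to factor; factoring hardness is the reason Eve cannot derive d. Suggest separating "why decryption returns m" from "why the scheme is hard to break". In the first paragraph, the property being used is associativity, which holds in every ring, so "commutative" is not what makes (m^e)^d = m^{ed} true. "This insures" should be "This ensures".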
View
56 exponent-arithmetic.tex
@@ -0,0 +1,56 @@
+%%%% why-RSA-works/exponent-arithmetic.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+RSA uses exponential notation in the ring $\mathcal{R}_n$.
+Exponential notation is simply a mathematical shorthand for writing
+a series of multiplications using the $\otimes$ operator.
+The multiplicative association property allows us to derive
+two rules for doing arithmetic with exponents.
+
+Consider the set of three equations below.
+The left side of the first equation is the expression $m^2 \otimes m^3$.
+We can replace the $m^2$ with $(m \otimes m)$.
+We can also replace the $m^3$ with $(m \otimes m \otimes m)$.
+The right side of the first equation shows this.
+The multiplicative association property says that we can
+ignore the parentheses and simply count the number of $m$'s that are multiplied.
+There are 5 and we show this in the second equation.
+Note that 5 is the sum of 2 plus 3.
+So instead of expanding the expression $m^2 \otimes m^3$
+we can simply add 2 and 3, as shown in the third equation.
+\begin{eqnarray*}
+ m^2 \otimes m^3 &=& (m \otimes m) \otimes (m \otimes m \otimes m) \\
+ &=& m^5 \\
+ &=& m^{2 + 3}
+\end{eqnarray*}
+
+\paragraph{Exponent addition rule:} In general, when we have an expression of the form
+$m^e \otimes m^d$ in the ring $\mathcal{R}_n$ we can simply add the exponents.
+\[ m^e \otimes m^d = m^{e + d} \]
+
+Consider the set of four equations below.
+The left side of the first equation is the expression $(m^2)^3$.
+This means three copies of $m^2$ are multiplied using the $\otimes$ operator.
+The right side of the first equation shows this.
+In the second equation, we replace each $m^2$ with $(m \otimes m)$.
+The multiplicative association property says that we can
+ignore the parentheses and simply count the number of $m$'s that are multiplied.
+There are 6 and we show this in the third equation.
+Note that 6 is the product of 2 times 3.
+Instead of expanding the expression $(m^2)^3$
+we can simply multiply 2 and 3, as shown in the fourth equation.
+\begin{eqnarray*}
+ (m^2)^3 &=& m^2 \otimes m^2 \otimes m^2 \\
+ &=& (m \otimes m) \otimes (m \otimes m) \otimes (m \otimes m) \\
+ &=& m^6 \\
+ &=& m^{2 \times 3}
+\end{eqnarray*}
+
+\paragraph{Exponent multiplication rule:} In general, when we have an expression of the form
+$(m^e)^d$ in the ring $\mathcal{R}_n$ we can simply multiply the exponents.
+\begin{equation} \label{eq:expo-mult}
+ (m^e)^d = m^{ed}
+\end{equation}
+
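Review bot: The exponent addition rule is stated as m^e \otimes m^d = m^{e + d}, using the letters the rest of the article reserves for the encryptor and decryptor. That reads as a statement about the key pair, which it is not; neutral letters such as a and b would be clearer, matching the m^a used in conclusions.tex. The multiplication rule can keep e and d since it is used in exactly that form. The addition rule also has no \label, unlike eq:expo-mult, so it cannot be referenced later.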
View
49 exponential-notation.tex
@@ -0,0 +1,49 @@
+%%%% why-RSA-works/exponential-notation.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+Let's say we're given three elements $a,b,c$ which are members of the set $Z_n$.
+We're also given the expression $a \otimes b \otimes c$.
+The question is this: How do we compute this expression?
+Do we first multiply $a$ and $b$ and then multiply $c$?
+Or do we multiply $b$ and $c$ and then multiply $a$?
+The answer is that either way is correct.
+It doesn't matter what order we multiply the elements.
+This is because the ring $\mathcal{R}_n$ has the property of \emph{multiplicative association}.
+The multiplicative association property says that
+when we have a series of $\otimes$ operations,
+we can do the operations in whatever order we want.
+The answer will be the same.
+\begin{eqnarray*}
+ a \otimes b \otimes c &=& (a \otimes b) \otimes c \\
+ &=& a \otimes (b \otimes c)
+\end{eqnarray*}
+
+The modex function is represented mathematically using \emph{exponential notation}.
+Exponential notation is an efficient way to describe a series of multiplications of the same value.
+For example, the value $m$ can be multiplied by itself any number of times.
+We use exponential notation to describe this.
+Remember that it doesn't matter in what order the $m$'s are multiplied together.
+\begin{eqnarray*}
+ \overbrace{m}^1 &=& m^1 \\
+ \overbrace{m \otimes m}^2 &=& m^2 \\
+ \overbrace{m \otimes m \otimes m}^3 &=& m^3 \\
+ \overbrace{m \otimes m \otimes m \otimes m}^4 &=& m^4 \\
+ &\vdots&
+\end{eqnarray*}
+
+RSA uses the exponential notation $m^e$.
+The value $m$ is the \emph{message} integer.
+The value $e$ is the \emph{encryptor} exponent.
+The exponential notation $m^e$ means that $e$ copies of $m$ are multiplied together
+using the $\otimes$ operator in the ring $\mathcal{R}_n$.
+\[ m^e \quad = \quad \overbrace{m \otimes m \otimes m \, \cdots \otimes m \otimes m}^e \]
+
+RSA also uses the exponential notation $c^d$.
+The value $c$ is the \emph{ciphertext} integer.
+The value $d$ is the \emph{decryptor} exponent.
+The exponential notation $c^d$ means that $d$ copies of $c$ are multiplied together
+using the $\otimes$ operator in the ring $\mathcal{R}_n$.
+\[ c^d \quad = \quad \overbrace{c \otimes c \otimes c \, \cdots \otimes c \otimes c}^d \]
+
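Review bot: The first paragraph describes associativity as "It doesn't matter what order we multiply the elements", and the second repeats it ("it doesn't matter in what order the $m$'s are multiplied together"). The equations shown, (a \otimes b) \otimes c = a \otimes (b \otimes c), are about grouping, not order; reordering operands is commutativity. Suggest wording it as "it doesn't matter how we group the operations" and using the standard term "associativity" at least once next to "multiplicative association". The paragraph also switches between $Z_n$ and $\mathcal{R}_n$ without saying that the first is the set and the second the ring built on it.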
View
46 exponential-tables.tex
@@ -0,0 +1,46 @@
+%%%% why-RSA-works/exponential-tables.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+%% Define an exponential product and give an example.
+We now take a closer look at exponential products $m^a$ in the ring $\mathcal{R}_n$.
+When $n$ is very small we can compute exponential products by hand.
+As an example we compute $7^3$ in the ring $\mathcal{R}_{15}$ using Table \ref{otimes-15}.
+\[ 7^3 \quad = \quad 7 \otimes 7 \otimes 7 \quad = \quad (7 \otimes 7) \otimes 7 \quad
+= \quad 4 \otimes 7 \quad = \quad 13 \]
+
+%% Define an exponential table and give an example.
+We can go on to calculate the exponential product
+of each pair of elements in $Z_{15}$ and put them all in a table.
+Table \ref{modex-15} specifies the exponential products $m^a$ in the ring $\mathcal{R}_{15}$.
+The product of $7^3$ is at the intersection of row 7 and column 3.
+\vspace{2ex}
+%%%% modex table
+\begin{table}[!h]
+ \begin{center}
+ \input{modex-15.tex}
+ \caption{$m^a \quad (\mathcal{R}_{15})$}
+ \label{modex-15}
+ \end{center}
+\end{table}
+
+%% Define a cycle and point out examples in the table.
+Now consider the product sequence in row 3 (shown below).
+Notice how the sequence starts at 1 and then repeats itself.
+The shortest repetitive part of a sequence is called a \emph{cycle}.
+The cycle in row 3 is (3, 9, 12, 6).
+The \emph{period} of this cycle is 4.
+\[ 1 \quad \overbrace{3 \quad 9 \quad 12 \quad 6}
+ \quad \overbrace{3 \quad 9 \quad 12 \quad 6} \quad \cdots \]
+
+%% Define an identity column and point out examples in the table.
+Each row in Table \ref{modex-15} is a sequence that starts with 1 followed by a series of cycles.
+Each cycle in the various rows has a period of either 1 or 2 or 4.
+Remarkably, all of the cycles line up vertically in such a way
+as to provide what may be called \emph{identity columns}.
+Consider columns 1, 5, 9, and 13. These are the identity columns in the table.
+Each is identical to the row number column on the left side of the table.
+So for any $m \in Z_{15}$ we have
+\[ m^1 = m^5 = m^9 = m^{13} \]
+
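Review bot: In the table float, \vspace{2ex} placed just before \begin{table}[!h] does not move with the float if LaTeX relocates it, and \begin{center} inside a float adds its own vertical space; \centering inside the table is the usual form. In the text, "The product of $7^3$" would read better as "The value of $7^3$". It would also help to state in the last paragraph that the identity columns 1, 5, 9, 13 are spaced 4 apart, the longest period found in the rows, since conclusions.tex relies on that pattern as m^a = m^{k\lambda+a}.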
View
88 factor-ops.tex
@@ -0,0 +1,88 @@
+%%%% why-RSA-works/factor-ops.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+%% This is LaTeX source code for a figure that contains four curves.
+%% The curves are specified by LaTeX and Lisp expressions shown below.
+%% The labels of the curves are TD, QS, NFS, and Shor.
+%% TD = Trial Division factoring algorithm.
+%% QS = Quadratic Sieve factoring algorithm.
+%% NFS = Number Field Sieve factoring algorithm.
+%% Shor = Peter Shor's factoring algorithm for quantum computers.
+%% The curves are overlayed on a 64 by 30 grid pattern.
+%% The x-axis has lines every 4 grids, with labels {128,256,384,...,1204}.
+%% The y-axis has lines every 3 grids, with labels {6,12,18,24,30}.
+%%
+%% In the Lisp code below, the expt function will accept integer exponents
+%% greater than 128 but not floating-point exponents.
+%% E.g., (expt 2 129) returns 680564733841876926926749214863536422912,
+%% but (expt 2 129.0) causes an error message to be printed.
+%%
+%% TD curve:
+%% $y = \log \left( \sqrt{2^x} \right)$
+%% (setf y (log (sqrt (expt 2 x)) 10))
+%%
+%% QS curve:
+%% $y = \log \left( e^{\left( \left( \ln \; 2^{x} \right)^{\frac{1}{2}}\; \cdot \;
+%% \left( \ln \; \left( \ln \; 2^{x} \right) \right)^{\frac{1}{2}} \right)} \right)$
+%% (setf y (log (exp (* (expt (log (expt 2 x)) 1/2) (expt (log (log (expt 2 x))) 1/2))) 10))
+%%
+%% NFS curve:
+%% $y = \log \left( e^{\left( \left( \ln \; 2^{x} \right)^{\frac{1}{3}}\; \cdot \;
+%% \left( \ln \; \left( \ln \; 2^{x} \right) \right)^{\frac{2}{3}} \right)} \right)$
+%% (setf y (log (exp (* (expt (log (expt 2 x)) 1/3) (expt (log (log (expt 2 x))) 2/3))) 10))
+%%
+%% Shor curve:
+%% $y = \log \left( \left( \ln \left( 2^{x} \right) \right)^{3} \right)$
+%% (setf y (log (expt (log (expt 2 x)) 3) 10))
+%%
+
+\setlength{\unitlength}{1.6mm}
+\begin{picture}(64,30)
+\linethickness{0.075mm}
+
+%% grid pattern
+%% \multiput (x,y) (dx,dy) {n} {object}
+\multiput (0,0) (8,0) {9} {\line(0,1){30}} % x divisions
+\multiput (0,0) (0,6) {6} {\line(1,0){64}} % y divisions
+
+%% y-axis labels
+%% 6 12 18 24 30
+\put (-2.5, 29.5){\scriptsize\textsf{30}}
+\put (-2.5, 23.5){\scriptsize\textsf{24}}
+\put (-2.5, 17.5){\scriptsize\textsf{18}}
+\put (-2.5, 11.5){\scriptsize\textsf{12}}
+\put (-2.2, 5.5){\scriptsize\textsf{ 6}}
+
+%% x-axis labels
+%% 128 256 384 512 640 768 896 1024
+\put( 6.8,-2.0){\scriptsize\textsf{128}}
+\put(14.8,-2.0){\scriptsize\textsf{256}}
+\put(22.8,-2.0){\scriptsize\textsf{384}}
+\put(30.8,-2.0){\scriptsize\textsf{512}}
+\put(38.8,-2.0){\scriptsize\textsf{640}}
+\put(46.8,-2.0){\scriptsize\textsf{768}}
+\put(54.8,-2.0){\scriptsize\textsf{896}}
+\put(62.0,-2.0){\scriptsize\textsf{1024}}
+
+\thicklines
+
+%% TD curve
+%% \qbezier (start-x,start-y) (pull-x,pull-y) (stop-x,stop-y)
+\put (7.0, 26.0) {\textsf{TD}}
+\qbezier (0.00, 0.00) (6.25, 15.00) (12.50, 30.00)
+
+%% QS curve
+\put (42.5, 25.0) {\textsf{QS}}
+\qbezier (0.00, 0.00) (7.00, 15.00) (64.00,29.65)
+
+% NFS curve
+\put (50.0, 13.25) {\textsf{NFS}}
+\qbezier (0.00,0.00) (5.50, 9.00) (64.00,13.58)
+
+%% Shor curve
+\put (51.0, 9.25) {\textsf{Shor}}
+\qbezier (0.00,0.00) ( 0.50,4.50) ( 8.00,5.84)
+\qbezier (8.00,5.84) (24.00,8.00) (64.00,8.55)
+
+\end{picture}
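Review bot: The header comment does not match the drawing. It says the x-axis has lines "every 4 grids" with labels ending in 1204, and the y-axis lines "every 3 grids", but the code draws \multiput (0,0) (8,0) {9} and \multiput (0,0) (0,6) {6}, and the last x label is 1024. Fix the comment (8 and 6 units, 1024). The curves themselves are hand-placed \qbezier segments rather than values computed from the Lisp expressions, so the comment should say they are approximations and which points were computed. The "% NFS curve" comment uses one % where the others use %%.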
View
57 hard-problems.tex
@@ -0,0 +1,57 @@
+%%%% why-RSA-works/hard-problems.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+%%%% Note that RSA trades the problem of key distribution for different problems
+%%%% that are considered \emph{hard}.
+
+The security of RSA is based on several hard problems.
+The most prominent of these is \emph{integer factorization}.
+The problem is to write an algorithm that computes the prime factors of some huge integer $n$
+and does it using a small number of computing operations.
+An algorithm is ``fast'' if it requires only a few operations to complete the solution.
+It is a hard problem to write an algorithm that is fast enough
+to factor a 1024-bit RSA modulus within any reasonable amount of time.
+
+Four factoring algorithms are graphed in Figure \ref{factor-ops}.
+They are, from slowest to fastest: Trial Division (TD), the Quadratic Sieve (QS),
+the Number Field Sieve (NFS), and Peter Shor's algorithm for quantum computers.\cite{Shor}
+The graph plots the number of operations required to factor some modulus $n$.
+For example, it will take roughly $10^{12}$ operations
+to factor a 768-bit modulus using the NFS algorithm.
+This is about 1500 years on a single core 2.2 GHz AMD Opteron processor with 2 GB RAM.\cite{RSA-768}
+%%%% Trial Division (TD): $\mathcal{O}(\sqrt{N})$ operations.
+%%%% Quadratic Sieve (QS): $\mathcal{O}(e^{(\ln N)^{1/2}(\ln (\ln N))^{1/2}})$ operations.
+%%%% Number Field Sieve (NFS): $\mathcal{O}(e^{(\ln N)^{1/3}(\ln (\ln N))^{2/3}})$ operations.
+%%%% Quantum algorithm (Shor): $\mathcal{O}((\ln N)^3)$ operations.
+
+%%%% Graph of factoring times
+%%%% Present three graphs: TD, QS, NFS.
+%%%% Bits on linear scale, operations on log scale.
+
+\begin{figure}[h]
+\vspace{4ex}
+\begin{center}
+\input{factor-ops.tex}
+\vspace{2ex}
+\caption{$\log_{10}$ operations per $\log_2 n$}
+\label{factor-ops}
+\end{center}
+\end{figure}
+
+An RSA cryptosystem can be broken if the modulus can be factored.
+That is, if Eve can factor $n$ into $p$ and $q$, she can easily compute $d$.
+She first computes the Carmichael function value $\lambda=\lcm(p-1,q-1)$.
+Then she computes $d$ such that $ed=k\lambda + 1$.
+Trouble is, factoring a huge integer takes a \emph{very} long time.
+
+Eve can try to solve the RSA problem\cite{RSA-problem} and
+compute the $e^{th}$ root of $m^e$,
+i.e., compute $m = \sqrt[e]{m^e}$.
+But computing roots takes just as long as factoring.
+There are other algorithms that can theoretically break RSA
+but they're all just as slow as integer factorization.
+The point is that Eve will not be able break an RSA cryptosystem with a huge modulus
+in any reasonable amount of time.
+
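Review bot: The NFS example in the second paragraph is internally inconsistent: "roughly $10^{12}$ operations" and "about 1500 years on a single core 2.2 GHz AMD Opteron" cannot both hold, since 10^12 operations at 2.2 GHz is under ten minutes at one operation per cycle, while 1500 years is on the order of 10^20 cycles. The commented formulas and the plotted curve drop the constant in the NFS exponent, (64/9)^{1/3}, which is where the gap comes from; either plot with the constant or say the graph shows growth rate only and take the 1500-year figure from the cited source alone. Separately, "But computing roots takes just as long as factoring" is stated as fact, but the RSA problem is not known to be as hard as factoring; "is believed to be" would be accurate. Listing Shor's algorithm as the fastest also sits awkwardly with "they're all just as slow as integer factorization"; qualify that sentence as applying to classical computers. Typo: "will not be able break" is missing "to".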
View
52 huge-integers.tex
@@ -0,0 +1,52 @@
+%%%% why-RSA-works/huge-integers.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+Figure \ref{block-diagram} shows an RSA cryptosystem.
+It consists of a transmitter, a receiver, and a sniffer in between.
+Tradition has it that \emph{Bob} is the transmitter, \emph{Alice} is the receiver,
+and \emph{Eve} is the sniffer. (\emph{Eavesdropper}, get it?)
+The twin engines of the system are the modular exponentiation (modex) functions.
+
+RSA uses \emph{huge} integers.
+By huge we mean integers with over 300 decimal digits.
+It would take over four lines to print a 300 digit integer on this page.
+Happily, we can represent huge integers with single letters.
+Each of the letters in the figure represents a huge integer.
+These are: \mbox{message $m$}, \mbox{modulus $n$}, \mbox{encryptor $e$},
+\mbox{ciphertext $c$}, \mbox{decryptor $d$}, and \mbox{output $y$}.
+
+%%%% Figure: Block diagram
+\vspace{-3ex}
+\begin{figure}[h]
+\begin{center}
+\input{block-diagram.tex}
+\caption{An RSA cryptosystem}
+\label{block-diagram}
+\end{center}
+\end{figure}
+
+Bob generates encrypted messages and transmits them to Alice.
+He originates \mbox{message $m$},
+computes the modex function using \mbox{modulus $n$} and \mbox{encryptor $e$},
+then writes \mbox{ciphertext $c$} into the insecure channel.
+The public \mbox{key $(n,e)$} was generated and published by Alice
+prior to any transmission by Bob.
+
+Alice receives encrypted messages from Bob and decrypts them.
+She reads \mbox{ciphertext $c$} from the insecure channel,
+computes the modex function using \mbox{modulus $n$} and \mbox{decryptor $d$},
+then writes \mbox{output $y$}.
+The magic of RSA is that \mbox{output $y$} is identical to \mbox{message $m$}.
+I.e., \mbox{$y=m$}.
+Alice generated and secured her private \mbox{key $(n,d)$} prior to
+receiving any ciphertext from Bob.
+
+Eve is the threat that exists on every insecure channel.
+She attempts to read messages that are meant to be read only by Alice.
+But Eve is defeated by RSA encryption.
+She can intercept ciphertext $c$ but she won't be able to compute $y$
+because she doesn't have access to decryptor $d$.
+Only Alice has access to decryptor $d$.
+
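Review bot: "Each of the letters in the figure represents a huge integer" is too strong for $e$: the article's own worked example in mappings.tex uses e = 3, and the encryptor is commonly a small value even when n is huge. Suggest "up to the size of $n$". In the last paragraph, "Eve is defeated by RSA encryption" should be scoped: intro.tex puts padding out of scope, so the scheme described is deterministic (the same m always gives the same c under the published key), and the claim the text supports is only that Eve cannot compute d. A sentence pointing to the padding omission would keep readers from treating this construction as deployable as-is.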
View
34 intro.tex
@@ -0,0 +1,34 @@
+%%%% why-RSA-works/intro.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+Arthur C. Clarke once quipped that
+``any sufficiently advanced technology is indistinguishable from magic.''
+Cryptography is the magic that
+transmogrifies a meaningful message into gibberish and then back again.
+For thousands of years, military-grade cryptography was the exclusive domain of
+diplomats and generals, partly due to the high cost of keeping secret keys secret.
+But around 1975 something happened to change all that: \emph{public-key} cryptography was invented.
+Public-key cryptography dramatically reduces the cost of secret key management.
+
+The Rivest-Shamir-Adleman algorithm (RSA) is a well-established computational method
+for public-key cryptography.\cite{RSA-paper}
+We offer the reader an understanding of why RSA works.
+A simple proof of the RSA identity is developed using an illustrative approach.
+Table \ref{modex-33} is particularly revealing.
+
+The scope of the article is limited to understanding the RSA identity.
+The discussion therefore omits related topics such as multi-prime RSA, key generation,
+conversion of text to integers and integers to text, padding of cleartext messages,
+various speed-ups such as Montgomery reduction and the Chinese remainder theorem,
+and the latest factoring algorithms.
+RSA authentication is not covered because the math is identical to that of RSA encryption.
+
+The presentation differs in several ways from conventional treatments of the RSA algorithm.
+The algebraic equations utilize ring notation and equal signs
+rather than modular notation and equivalence signs.
+Instead of Euler's totient function and Fermat's little theorem,
+a proof of the RSA identity employs the Carmichael function
+and a corollary from the literature.\cite{ray-attack}
+
View
121 main.tex
@@ -0,0 +1,121 @@
+%%%% why-RSA-works/main.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+\documentclass{article}
+%\pagestyle{empty}
+
+%%%% Various environments
+\usepackage{verbatim}
+\usepackage{graphicx}
+\usepackage{latexsym}
+\usepackage{amssymb}
+
+%%%% Easy-vision mode
+\usepackage[usenames]{color}
+\pagecolor{black}
+\color{green}
+
+%%%% math-mode commands
+\newcommand{\lcm}{\mathrm{lcm}}
+
+%%%% PDF metadata
+\pdfinfo
+{ /Title (Why RSA Works)
+ /Author (Peter Franusic)
+ /Subject (Rivest-Shamir-Adleman algorithm)
+ /Keywords (RSA, Carmichael, public-key, cryptography)
+}
+
+%%%% European-style paragraphs
+%%%% IMPORTANT: \begin{document} must follow for this to work.
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.3ex}
+
+%%%% Title block
+\title{\textbf{\huge{Why RSA Works}}}
+\author{Peter Franu\v si\'c
+ \footnote{
+ Copyright 2012 Peter Franu\v si\'c.
+ All rights reserved.
+ Email: \texttt{pete@sargo.com}}}
+\date{}
+
+\begin{document}
+
+%% Title page
+\maketitle
+\thispagestyle{empty}
+\vspace{8ex}
+\input{intro.tex}
+
+\newpage
+\section{Huge integers}
+\input{huge-integers.tex}
+
+\newpage
+\section{Simulation}
+\input{simulation.tex}
+
+\newpage
+\section{Rings}
+\input{rings.tex}
+
+\section{The set $Z_n$}
+\input{set-Zn.tex}
+
+\newpage
+\section{The $\oplus$ operator}
+\input{oplus-operator.tex}
+
+\newpage
+\section{The $\otimes$ operator}
+\input{otimes-operator.tex}
+
+\newpage
+\section{Exponential notation}
+\input{exponential-notation.tex}
+
+\newpage
+\section{The modex function}
+\input{modex-function.tex}
+
+\newpage
+\section{Exponent arithmetic}
+\input{exponent-arithmetic.tex}
+
+\newpage
+\section{Multiple-plus-one}
+\input{multiple-plus-one.tex}
+
+\newpage
+\section{Exponential tables}
+\input{exponential-tables.tex}
+
+\newpage
+\section{Wallpaper}
+\input{wallpaper.tex}
+
+\newpage
+\section{Mappings}
+\input{mappings.tex}
+
+\newpage
+\section{A simple proof}
+\input{simple-proof.tex}
+
+\newpage
+\section{Hard problems}
+\input{hard-problems.tex}
+
+\newpage
+\section{Conclusions}
+\input{conclusions.tex}
+
+\newpage
+%%%% References
+\input{references.tex}
+
+\end{document}
+
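Review bot: The "Easy-vision mode" block (\pagecolor{black}, \color{green}) is applied unconditionally, so every build of the article comes out green on black; put it behind a switch or comment it out in the committed version. The comment "IMPORTANT: \begin{document} must follow for this to work" is contradicted by the title block sitting between the \setlength lines and \begin{document}; move the \parindent and \parskip settings directly above \begin{document} or drop the comment. \newcommand{\lcm}{\mathrm{lcm}} gives no operator spacing; \mathop{\mathrm{lcm}}\nolimits would (amsmath is not loaded, so \DeclareMathOperator is not available). The section title "Multiple-plus-one" differs from "multiples-plus-one" used in conclusions.tex.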
View
49 makefile
@@ -0,0 +1,49 @@
+# why-RSA-works/makefile
+# Copyright 2012 Peter Franusic.
+# All rights reserved.
+#
+
+MISC= README \
+ makefile \
+
+TEXS= block-diagram.tex \
+ conclusions.tex \
+ exponent-arithmetic.tex \
+ exponential-notation.tex \
+ exponential-tables.tex \
+ factor-ops.tex \
+ hard-problems.tex \
+ huge-integers.tex \
+ intro.tex \
+ main.tex \
+ mappings.tex \
+ modex-15.tex \
+ modex-33-arrows.tex \
+ modex-33-cols.tex \
+ modex-33.tex \
+ modex-function.tex \
+ mult-plus-one.tex \
+ multiple-plus-one.tex \
+ oplus-15.tex \
+ oplus-operator.tex \
+ otimes-15.tex \
+ otimes-operator.tex \
+ references.tex \
+ rings.tex \
+ set-Zn.tex \
+ simple-proof.tex \
+ simulation.tex \
+ wallpaper.tex \
+
+
+why-RSA-works.pdf: ${TEXS}$
+ pdflatex main.tex
+ pdflatex main.tex
+ mv main.pdf why-RSA-works.pdf
+
+why-RSA-works.tar: ${TEXS}$ ${MISC}$
+ tar -cvf why-RSA-works.tar ${MISC}$ ${TEXS}$ why-RSA-works.pdf
+
+clean:
+ rm *~ *.aux *.log
+
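Review bot: The why-RSA-works.tar rule archives why-RSA-works.pdf but does not list it as a prerequisite, so "make why-RSA-works.tar" on a clean tree fails unless the PDF was built first; add why-RSA-works.pdf to the prerequisites. The trailing $ in ${TEXS}$ and ${MISC}$ is not part of the variable reference and should be removed in all three places. MISC and TEXS both end with a backslash continuation into an empty line, which works only as long as that blank line stays; drop the final backslash. The clean rule should use rm -f so it does not fail when no matching files exist, and clean should be declared .PHONY.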
View
107 mappings.tex
@@ -0,0 +1,107 @@
+%%%% why-RSA-works/mappings.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+%% The goal of this section is to present RSA encryption and decrypttion as two mappings
+%% and try to explain why this works.
+%% Leverage the modex-33 table to provide a concrete example.
+%% Perhaps offer a theorem which asserts: If $e$ is relatively prime to $\lambda$,
+%% then column $e$ will contain all elements of $Z_n$.
+
+%% Introduce the two mappings $m \to m^3$ and $c \to c^7$.
+RSA encryption maps an integer $m$ to an integer $m^e$.
+Likewise, RSA decryption maps an integer $c$ to an integer $c^d$.
+This is demonstrated in Table \ref{modex-33-cols}, where $e=3$ and $d=7$.
+In the encryption procedure,
+every element in the $m$ column maps to a unique element in the $m^3$ column.
+And in the decryption procedure,
+every element in the $c$ column maps to a unique element in the $c^7$ column.
+
+%%%% modex-33 columns and arrows
+\begin{table}[!h]
+ \begin{center}
+ \input{modex-33-cols.tex}
+ \caption{$m \to c \to y \quad (\mathcal{R}_{33})$}
+ \label{modex-33-cols}
+ \end{center}
+\end{table}
+\input{modex-33-arrows.tex}
+
+% Give an example of $m \to y$.
+The table also illustrates an example.
+First $m=13$ is mapped to $m^3=19$ which then becomes $c$.
+Subsequently $c=19$ is mapped to $c^7=13$ which then becomes $y$.
+The final result, $y=13$, is identical to the original, $m=13$.
+This is how RSA works, no matter which $m$ one starts with, no matter how large $n$ is.
+The final $y$ will always be identical to the original $m$.
+
+%% Here's a question we haven't really answered:
+%% Why are the elements in columns $e$ and $d$ arranged the way they are?
+%% We know that $(m^e)^d=m$ for all $m$ by way of the proof.
+%% But how did the elements in columns $e$ and $d$ get in the right order?
+
+\newpage
+
+%% Point out that some $c=m$.
+Some of the values in column $m$ are the same as their corresponding value in $m^3$.
+For example, $10 \to 10$. There are 9 of these, out of a total of 33.
+That means that 28 percent of the ciphertexts are identical to their plaintext messages.
+This would be unacceptable, of course,
+except that the percentage is infinitesimal for huge values of $n$.
+
+%% Point out that each column contains every element in $Z_n$.
+Columns $m^3$ and $c^7$ each contain every element in $Z_{33}$.
+This is a requirement in order to make the two mappings work, so that $y=m$,
+Every element in $m$ needs to map to a unique element in $m^3$,
+and every element in $c$ must map to a unique element in $c^7$.
+If this were not the case,
+if some element in $Z_{33}$ was not in column $m^3$,
+or if some element in $Z_{33}$ was in column $m^3$ more than once,
+then RSA would not work for every $m$ in $Z_{33}$.
+
+%% Point out that some columns \emph{do not} contain every element,
+%% and that neither column number shares a prime factor with $\lambda$.
+Refer again to Table \ref{modex-33} in the Wallpaper section.
+Many of the columns do not contain every element in $Z_{33}$.
+These are columns 0, 2, 4, 5, 6, 8, 10, 12, 14, 15, 16, 18, 20, 22, 24, 25, 26, 28, 30, and 32.
+That's 20 out of 33 columns, or 61 percent.
+In each of these columns, some elements of $Z_{33}$ are missing and some appear more than once.
+For example, the element 1 appears more that once in each of these columns.
+
+It turns out that for each of these columns (except column 0),
+the column number shares a prime factor with $\lambda=10$.
+The prime factors of 10 are 2 and 5.
+So if a column number is a multiple of 2 or a multiple of 5,
+the column itself won't contain every element in $Z_{33}$.
+Notice that neither 3 nor 7 shares a prime factor with $\lambda$.
+
+%% Define the greatest common divisor function and give an example.
+We can use the \emph{greatest common divisor} function ($\gcd$)
+to determine if two integers share a prime factor.
+When the two integers are small we can compute the greatest common divisor by hand.
+As an example we compute the gcd of 6468 and 7560 by hand.
+First we list the prime factors of 6468 and the prime factors of 7560.
+Then we list the prime factors that are common to both.
+Finally, we compute the product of these common factors.
+This gives us the gcd.
+\begin{center}
+\begin{tabular}{lcl}
+ Factors of 6468 &=& $2 \cdot 2 \cdot 3 \cdot 7 \cdot 7 \cdot 11$ \\
+ Factors of 7560 &=& $2 \cdot 2 \cdot 2 \cdot 3 \cdot 3 \cdot 3 \cdot 5 \cdot 7$ \\
+ Common to both &=& $2 \cdot 2 \cdot 3 \cdot 7$ \\
+ $\gcd(6468,7560)$ &=& 84
+\end{tabular}
+\end{center}
+
+Most implementations of the gcd function return 1 if no prime factors are shared.
+Therefore, if the $\gcd$ function returns anything greater than 1,
+we are assured that the two numbers share one or more prime factors.
+RSA uses the $\gcd$ function during key generation
+in order to select an encryptor $e$ that shares no prime factors with $\lambda$.
+
+%% Point out that this pair of column numbers meets the multiples-plus-one condition.
+%% Finally, we note that $e=3$ and $d=7$ meet the multiples-plus-one condition.
+%% That is, $ed=k\lambda+1$ where $\lambda=10$.
+%% \[ ed = (3)(7) = 21 = 2 \cdot 10 + 1 \]
+
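Review bot: In the paragraph after \newpage, 9 out of 33 is 27 percent (27.3), not 28. A few lines later, "so that $y=m$," ends a sentence with a comma, and "appears more that once" should be "more than once"; the leading comment also has "decrypttion". In the gcd paragraph, "Most implementations of the gcd function return 1 if no prime factors are shared" makes it sound implementation-dependent; gcd is 1 by definition in that case, so state it as a property. The claim that columns whose number shares a factor with \lambda are incomplete is given "except column 0"; say why column 0 is also incomplete (every entry is 1) so the list of 20 columns is fully accounted for.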
View
27 modex-15.tex
@@ -0,0 +1,27 @@
+%%%% why-RSA-works/modex-15.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{footnotesize}
+\begin{tabular}
+ {c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c}
+ & \phantom{X}
+ & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \\
+ & & \phantom{10} & & & & & & & & & & & & & & \\
+ 0 & & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
+ 1 & & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
+ 2 & & 1 & 2 & 4 & 8 & 1 & 2 & 4 & 8 & 1 & 2 & 4 & 8 & 1 & 2 & 4 \\
+ 3 & & 1 & 3 & 9 & 12 & 6 & 3 & 9 & 12 & 6 & 3 & 9 & 12 & 6 & 3 & 9 \\
+ 4 & & 1 & 4 & 1 & 4 & 1 & 4 & 1 & 4 & 1 & 4 & 1 & 4 & 1 & 4 & 1 \\
+ 5 & & 1 & 5 & 10 & 5 & 10 & 5 & 10 & 5 & 10 & 5 & 10 & 5 & 10 & 5 & 10 \\
+ 6 & & 1 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 & 6 \\
+ 7 & & 1 & 7 & 4 & 13 & 1 & 7 & 4 & 13 & 1 & 7 & 4 & 13 & 1 & 7 & 4 \\
+ 8 & & 1 & 8 & 4 & 2 & 1 & 8 & 4 & 2 & 1 & 8 & 4 & 2 & 1 & 8 & 4 \\
+ 9 & & 1 & 9 & 6 & 9 & 6 & 9 & 6 & 9 & 6 & 9 & 6 & 9 & 6 & 9 & 6 \\
+ 10 & & 1 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 & 10 \\
+ 11 & & 1 & 11 & 1 & 11 & 1 & 11 & 1 & 11 & 1 & 11 & 1 & 11 & 1 & 11 & 1 \\
+ 12 & & 1 & 12 & 9 & 3 & 6 & 12 & 9 & 3 & 6 & 12 & 9 & 3 & 6 & 12 & 9 \\
+ 13 & & 1 & 13 & 4 & 7 & 1 & 13 & 4 & 7 & 1 & 13 & 4 & 7 & 1 & 13 & 4 \\
+ 14 & & 1 & 14 & 1 & 14 & 1 & 14 & 1 & 14 & 1 & 14 & 1 & 14 & 1 & 14 & 1 \\
+\end{tabular}
+\end{footnotesize}
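Review bot: The table has no indication of which axis is $m$ and which is $a$; the text in exponential-tables.tex has to say "row 7 and column 3" to make it readable. Add a corner label or a header row naming the exponent. Row 0 starts with 1, i.e. 0^0 = 1 by convention; a one-line comment in the source noting that choice would help, since the text later says every row "starts with 1". \begin{footnotesize} works but the declaration form {\footnotesize ...} is the conventional usage.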
View
97 modex-33-arrows.tex
@@ -0,0 +1,97 @@
+%%%% why-RSA-works/modex-33-arrows.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+\vspace{-385pt}
+\setlength{\unitlength}{1pt} % default value is 1pt
+\begin{picture}(345,375)
+
+% Put box around picture.
+%% \put( 0, 0){\line(1,0){345}} % bottom
+%% \put( 0,375){\line(1,0){345}} % top
+%% \put( 0, 0){\line(0,1){375}} % left
+%% \put(345, 0){\line(0,1){375}} % right
+
+% Draw arrows to map m to m^3.
+\put( 80,343.5){\vector(1,0){16}} % 0
+\put( 80,334.0){\vector(1,0){16}} % 1
+\put( 80,324.5){\vector(1,0){16}} % 2
+\put( 80,315.0){\vector(1,0){16}} % 3
+\put( 80,305.5){\vector(1,0){16}} % 4
+\put( 80,296.0){\vector(1,0){16}} % 5
+\put( 80,286.5){\vector(1,0){16}} % 6
+\put( 80,277.0){\vector(1,0){16}} % 7
+\put( 80,267.5){\vector(1,0){16}} % 8
+\put( 80,258.0){\vector(1,0){16}} % 9
+\put( 80,248.5){\vector(1,0){16}} % 10
+\put( 80,239.0){\vector(1,0){16}} % 11
+\put( 80,229.5){\vector(1,0){16}} % 12
+\put( 80,220.0){\vector(1,0){16}} % 13
+\put( 80,210.5){\vector(1,0){16}} % 14
+\put( 80,201.0){\vector(1,0){16}} % 15
+\put( 80,191.5){\vector(1,0){16}} % 16
+\put( 80,182.0){\vector(1,0){16}} % 17
+\put( 80,172.5){\vector(1,0){16}} % 18
+\put( 80,163.0){\vector(1,0){16}} % 19
+\put( 80,153.5){\vector(1,0){16}} % 20
+\put( 80,144.0){\vector(1,0){16}} % 21
+\put( 80,134.5){\vector(1,0){16}} % 22
+\put( 80,125.0){\vector(1,0){16}} % 23
+\put( 80,115.5){\vector(1,0){16}} % 24
+\put( 80,106.0){\vector(1,0){16}} % 25
+\put( 80, 96.5){\vector(1,0){16}} % 26
+\put( 80, 87.0){\vector(1,0){16}} % 27
+\put( 80, 77.5){\vector(1,0){16}} % 28
+\put( 80, 68.0){\vector(1,0){16}} % 29
+\put( 80, 58.5){\vector(1,0){16}} % 30
+\put( 80, 49.0){\vector(1,0){16}} % 31
+\put( 80, 39.5){\vector(1,0){16}} % 32
+
+% Draw arrows to map c to c^3.
+\put(180,343.5){\vector(1,0){16}} % 0
+\put(180,334.0){\vector(1,0){16}} % 1
+\put(180,324.5){\vector(1,0){16}} % 2
+\put(180,315.0){\vector(1,0){16}} % 3
+\put(180,305.5){\vector(1,0){16}} % 4
+\put(180,296.0){\vector(1,0){16}} % 5
+\put(180,286.5){\vector(1,0){16}} % 6
+\put(180,277.0){\vector(1,0){16}} % 7
+\put(180,267.5){\vector(1,0){16}} % 8
+\put(180,258.0){\vector(1,0){16}} % 9
+\put(180,248.5){\vector(1,0){16}} % 10
+\put(180,239.0){\vector(1,0){16}} % 11
+\put(180,229.5){\vector(1,0){16}} % 12
+\put(180,220.0){\vector(1,0){16}} % 13
+\put(180,210.5){\vector(1,0){16}} % 14
+\put(180,201.0){\vector(1,0){16}} % 15
+\put(180,191.5){\vector(1,0){16}} % 16
+\put(180,182.0){\vector(1,0){16}} % 17
+\put(180,172.5){\vector(1,0){16}} % 18
+\put(180,163.0){\vector(1,0){16}} % 19
+\put(180,153.5){\vector(1,0){16}} % 20
+\put(180,144.0){\vector(1,0){16}} % 21
+\put(180,134.5){\vector(1,0){16}} % 22
+\put(180,125.0){\vector(1,0){16}} % 23
+\put(180,115.5){\vector(1,0){16}} % 24
+\put(180,106.0){\vector(1,0){16}} % 25
+\put(180, 96.5){\vector(1,0){16}} % 26
+\put(180, 87.0){\vector(1,0){16}} % 27
+\put(180, 77.5){\vector(1,0){16}} % 28
+\put(180, 68.0){\vector(1,0){16}} % 29
+\put(180, 58.5){\vector(1,0){16}} % 30
+\put(180, 49.0){\vector(1,0){16}} % 31
+\put(180, 39.5){\vector(1,0){16}} % 32
+
+% Draw 3 lines for m^3 to c.
+\put(114, 220){\line(1,0){23}} % upper horz.
+\put(137, 163){\line(0,1){57}} % vertical
+\put(137, 163){\vector(1,0){26}} % lower horz.
+
+% Draw 3 lines for c^3 to y.
+\put(211, 163){\line(1,0){23}} % lower horz.
+\put(234, 163){\line(0,1){57}} % vertical
+\put(234, 220){\vector(1,0){26}} % upper horz.
+
+% The End
+\end{picture}
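Review bot: the comments "% Draw arrows to map c to c^3." and "% Draw 3 lines for c^3 to y." name the wrong exponent. The companion table in modex-33-cols.tex heads that column $c^7$, and the earlier text uses e=3 and d=7, so both comments should say c^7. Separately, the \vspace{-385pt} that pulls the picture up over the table and the 66 hand-written \put lines spaced 9.5pt apart tie the overlay to the table's exact row height at footnotesize. Two \multiput commands with a (0,-9.5) step, plus a named length for the offset, would keep arrows and rows aligned if the font or row spacing changes.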
View
44 modex-33-cols.tex
@@ -0,0 +1,44 @@
+%%%% why-RSA-works/modex-33-cols.tex
+%%%% Copyright 2012 Pete Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{footnotesize}
+\begin{tabular}{ccccccccc}
+ $m$ & & $m^3$ & \phantom{XXXXX} &
+ $c$ & & $c^7$ & \phantom{XXXXX} & $y$ \\
+ & & & & & & & & \\
+ 0 & & 0 & & 0 & & 0 & & 0 \\
+ 1 & & 1 & & 1 & & 1 & & 1 \\
+ 2 & & 8 & & 2 & & 29 & & 2 \\
+ 3 & & 27 & & 3 & & 9 & & 3 \\
+ 4 & & 31 & & 4 & & 16 & & 4 \\
+ 5 & & 26 & & 5 & & 14 & & 5 \\
+ 6 & & 18 & & 6 & & 30 & & 6 \\
+ 7 & & 13 & & 7 & & 28 & & 7 \\
+ 8 & & 17 & & 8 & & 2 & & 8 \\
+ 9 & & 3 & & 9 & & 15 & & 9 \\
+ 10 & & 10 & & 10 & & 10 & & 10 \\
+ 11 & & 11 & & 11 & & 11 & & 11 \\
+ 12 & & 12 & & 12 & & 12 & & 12 \\
+ 13 & & 19 & & 13 & & 7 & & 13 \\
+ 14 & & 5 & & 14 & & 20 & & 14 \\
+ 15 & & 9 & & 15 & & 27 & & 15 \\
+ 16 & & 4 & & 16 & & 25 & & 16 \\
+ 17 & & 29 & & 17 & & 8 & & 17 \\
+ 18 & & 24 & & 18 & & 6 & & 18 \\
+ 19 & & 28 & & 19 & & 13 & & 19 \\
+ 20 & & 14 & & 20 & & 26 & & 20 \\
+ 21 & & 21 & & 21 & & 21 & & 21 \\
+ 22 & & 22 & & 22 & & 22 & & 22 \\
+ 23 & & 23 & & 23 & & 23 & & 23 \\
+ 24 & & 30 & & 24 & & 18 & & 24 \\
+ 25 & & 16 & & 25 & & 31 & & 25 \\
+ 26 & & 20 & & 26 & & 5 & & 26 \\
+ 27 & & 15 & & 27 & & 3 & & 27 \\
+ 28 & & 7 & & 28 & & 19 & & 28 \\
+ 29 & & 2 & & 29 & & 17 & & 29 \\
+ 30 & & 6 & & 30 & & 24 & & 30 \\
+ 31 & & 25 & & 31 & & 4 & & 31 \\
+ 32 & & 32 & & 32 & & 32 & & 32 \\
+\end{tabular}
+\end{footnotesize}
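Review bot: the header comment reads "Copyright 2012 Pete Franusic." where the other files shown here have "Peter Franusic"; make it consistent. The columns also read as independent lookup lists rather than rows of one computation (row 2 shows m^3 = 8 next to c = 2 and c^7 = 29), which only becomes clear once the arrow overlay is drawn. A comment at the top of the file saying so would help anyone maintaining the table.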
View
45 modex-33.tex
@@ -0,0 +1,45 @@
+%%%% why-RSA-works/modex-33.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{footnotesize}
+\begin{tabular}
+ {c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c}
+ & \phantom{X}
+ & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 26 & 27 & 28 & 29 & 30 & 31 & 32 \\
+ & & \phantom{99} & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & \\
+ 0 & & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
+ 1 & & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
+ 2 & & 1 & 2 & 4 & 8 & 16 & 32 & 31 & 29 & 25 & 17 & 1 & 2 & 4 & 8 & 16 & 32 & 31 & 29 & 25 & 17 & 1 & 2 & 4 & 8 & 16 & 32 & 31 & 29 & 25 & 17 & 1 & 2 & 4 \\
+ 3 & & 1 & 3 & 9 & 27 & 15 & 12 & 3 & 9 & 27 & 15 & 12 & 3 & 9 & 27 & 15 & 12 & 3 & 9 & 27 & 15 & 12 & 3 & 9 & 27 & 15 & 12 & 3 & 9 & 27 & 15 & 12 & 3 & 9 \\
+ 4 & & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 & 31 & 25 & 1 & 4 & 16 \\
+ 5 & & 1 & 5 & 25 & 26 & 31 & 23 & 16 & 14 & 4 & 20 & 1 & 5 & 25 & 26 & 31 & 23 & 16 & 14 & 4 & 20 & 1 & 5 & 25 & 26 & 31 & 23 & 16 & 14 & 4 & 20 & 1 & 5 & 25 \\
+ 6 & & 1 & 6 & 3 & 18 & 9 & 21 & 27 & 30 & 15 & 24 & 12 & 6 & 3 & 18 & 9 & 21 & 27 & 30 & 15 & 24 & 12 & 6 & 3 & 18 & 9 & 21 & 27 & 30 & 15 & 24 & 12 & 6 & 3 \\
+ 7 & & 1 & 7 & 16 & 13 & 25 & 10 & 4 & 28 & 31 & 19 & 1 & 7 & 16 & 13 & 25 & 10 & 4 & 28 & 31 & 19 & 1 & 7 & 16 & 13 & 25 & 10 & 4 & 28 & 31 & 19 & 1 & 7 & 16 \\
+ 8 & & 1 & 8 & 31 & 17 & 4 & 32 & 25 & 2 & 16 & 29 & 1 & 8 & 31 & 17 & 4 & 32 & 25 & 2 & 16 & 29 & 1 & 8 & 31 & 17 & 4 & 32 & 25 & 2 & 16 & 29 & 1 & 8 & 31 \\
+ 9 & & 1 & 9 & 15 & 3 & 27 & 12 & 9 & 15 & 3 & 27 & 12 & 9 & 15 & 3 & 27 & 12 & 9 & 15 & 3 & 27 & 12 & 9 & 15 & 3 & 27 & 12 & 9 & 15 & 3 & 27 & 12 & 9 & 15 \\
+ 10 & & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 & 10 & 1 \\
+ 11 & & 1 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 & 11 & 22 \\
+ 12 & & 1 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 & 12 \\
+ 13 & & 1 & 13 & 4 & 19 & 16 & 10 & 31 & 7 & 25 & 28 & 1 & 13 & 4 & 19 & 16 & 10 & 31 & 7 & 25 & 28 & 1 & 13 & 4 & 19 & 16 & 10 & 31 & 7 & 25 & 28 & 1 & 13 & 4 \\
+ 14 & & 1 & 14 & 31 & 5 & 4 & 23 & 25 & 20 & 16 & 26 & 1 & 14 & 31 & 5 & 4 & 23 & 25 & 20 & 16 & 26 & 1 & 14 & 31 & 5 & 4 & 23 & 25 & 20 & 16 & 26 & 1 & 14 & 31 \\
+ 15 & & 1 & 15 & 27 & 9 & 3 & 12 & 15 & 27 & 9 & 3 & 12 & 15 & 27 & 9 & 3 & 12 & 15 & 27 & 9 & 3 & 12 & 15 & 27 & 9 & 3 & 12 & 15 & 27 & 9 & 3 & 12 & 15 & 27 \\
+ 16 & & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 & 4 & 31 & 1 & 16 & 25 \\
+ 17 & & 1 & 17 & 25 & 29 & 31 & 32 & 16 & 8 & 4 & 2 & 1 & 17 & 25 & 29 & 31 & 32 & 16 & 8 & 4 & 2 & 1 & 17 & 25 & 29 & 31 & 32 & 16 & 8 & 4 & 2 & 1 & 17 & 25 \\
+ 18 & & 1 & 18 & 27 & 24 & 3 & 21 & 15 & 6 & 9 & 30 & 12 & 18 & 27 & 24 & 3 & 21 & 15 & 6 & 9 & 30 & 12 & 18 & 27 & 24 & 3 & 21 & 15 & 6 & 9 & 30 & 12 & 18 & 27 \\
+ 19 & & 1 & 19 & 31 & 28 & 4 & 10 & 25 & 13 & 16 & 7 & 1 & 19 & 31 & 28 & 4 & 10 & 25 & 13 & 16 & 7 & 1 & 19 & 31 & 28 & 4 & 10 & 25 & 13 & 16 & 7 & 1 & 19 & 31 \\
+ 20 & & 1 & 20 & 4 & 14 & 16 & 23 & 31 & 26 & 25 & 5 & 1 & 20 & 4 & 14 & 16 & 23 & 31 & 26 & 25 & 5 & 1 & 20 & 4 & 14 & 16 & 23 & 31 & 26 & 25 & 5 & 1 & 20 & 4 \\
+ 21 & & 1 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 & 21 & 12 \\
+ 22 & & 1 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 & 22 \\
+ 23 & & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 & 23 & 1 \\
+ 24 & & 1 & 24 & 15 & 30 & 27 & 21 & 9 & 18 & 3 & 6 & 12 & 24 & 15 & 30 & 27 & 21 & 9 & 18 & 3 & 6 & 12 & 24 & 15 & 30 & 27 & 21 & 9 & 18 & 3 & 6 & 12 & 24 & 15 \\
+ 25 & & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 & 16 & 4 & 1 & 25 & 31 \\
+ 26 & & 1 & 26 & 16 & 20 & 25 & 23 & 4 & 5 & 31 & 14 & 1 & 26 & 16 & 20 & 25 & 23 & 4 & 5 & 31 & 14 & 1 & 26 & 16 & 20 & 25 & 23 & 4 & 5 & 31 & 14 & 1 & 26 & 16 \\
+ 27 & & 1 & 27 & 3 & 15 & 9 & 12 & 27 & 3 & 15 & 9 & 12 & 27 & 3 & 15 & 9 & 12 & 27 & 3 & 15 & 9 & 12 & 27 & 3 & 15 & 9 & 12 & 27 & 3 & 15 & 9 & 12 & 27 & 3 \\
+ 28 & & 1 & 28 & 25 & 7 & 31 & 10 & 16 & 19 & 4 & 13 & 1 & 28 & 25 & 7 & 31 & 10 & 16 & 19 & 4 & 13 & 1 & 28 & 25 & 7 & 31 & 10 & 16 & 19 & 4 & 13 & 1 & 28 & 25 \\
+ 29 & & 1 & 29 & 16 & 2 & 25 & 32 & 4 & 17 & 31 & 8 & 1 & 29 & 16 & 2 & 25 & 32 & 4 & 17 & 31 & 8 & 1 & 29 & 16 & 2 & 25 & 32 & 4 & 17 & 31 & 8 & 1 & 29 & 16 \\
+ 30 & & 1 & 30 & 9 & 6 & 15 & 21 & 3 & 24 & 27 & 18 & 12 & 30 & 9 & 6 & 15 & 21 & 3 & 24 & 27 & 18 & 12 & 30 & 9 & 6 & 15 & 21 & 3 & 24 & 27 & 18 & 12 & 30 & 9 \\
+ 31 & & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 & 25 & 16 & 1 & 31 & 4 \\
+ 32 & & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 & 32 & 1 \\
+\end{tabular}
+\end{footnotesize}
View
60 modex-function.tex
@@ -0,0 +1,60 @@
+%%%% why-RSA-works/modex-function.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+The term \emph{modex} is a contraction of modular exponentiation.
+The modex function performs exponentiation in the ring $\mathcal{R}_n$.
+It performs the equivalent of a series of $\otimes$ operations.
+
+The RSA cryptosystem in Figure \ref{block-diagram} uses two modex functions:
+one in the transmitter and the other in the receiver.
+Both modex functions have three inputs and one output.
+We specify the output equation for each.
+
+\paragraph{Receiver output equation:}
+The receiver's modex function takes the inputs $c,n,d$ and computes the output $y$.
+The modex output $y$ is the equivalent of $d$ copies of $c$ multiplied together using
+the $\otimes$ operator in the ring $\mathcal{R}_n$.
+\begin{equation} \label{eq:rx-out}
+ y = c^d
+\end{equation}
+
+\paragraph{Transmitter output equation:}
+The transmitter takes the inputs $m,n,e$ and computes the output $c$.
+The modex output $c$ is the equivalent of $e$ copies of $m$ multiplied together using
+the $\otimes$ operator in the ring $\mathcal{R}_n$.
+\begin{equation} \label{eq:tx-out}
+ c = m^e
+\end{equation}
+
+\vspace{4ex}
+
+The modex function doesn't actually multiply $e$ copies of $m$ in order to compute $m^e$.
+This would take eons for huge values of $e$.
+Instead, modex actually uses a method called \emph{square-and-multiply}.
+A register $r$ is first initialized to $m$.
+Then it's repeatedly squared $(r \otimes r)$ and multiplied $(r \otimes m)$
+depending on the number of bits in $e$ and the value of each bit.
+For example, if $e$ is 1024 bits long, there'll be 1023 squares and about 512 multiplies.
+A lot less than $2^{1024}$ multiplies.
+
+The modex function uses the $\otimes$ operator in the ring $\mathcal{R}_n$.
+Recall that the $\otimes$ operator takes two integers, multiplies them,
+then subtracts some multiple of $n$ so that the result is in $Z_n$.
+That is, $a \otimes b = ab - kn$.
+The subtraction step is called \emph{reduction} and may be implemented
+by taking the remainder of a division.
+The product $ab$ is divided by $n$, the quotient is $k$, and the remainder is $ab-kn$.
+But division is time consuming, and
+most modex implementations do not use division for the reduction step.
+Instead, they use a faster method called \emph{Montgomery reduction},
+which replaces slow divisions with fast truncations.
+
+The modex function can be very time-consuming to compute.
+Square-and-multiply and Montgomery reduction are two \emph{speed-ups}
+that are used to shorten the compute time. There are others.
+The enumeration and details of these speed-ups are outside the scope of this paper,
+but they are well-documented in the literature.
+\cite{Koc}\cite{Schneier}\cite{HAC}
+
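Review bot: the square-and-multiply paragraph gives "about 512 multiplies" without saying that this assumes roughly half the bits of $e$ are 1; state the assumption, and say that the bits are scanned from the most significant end, since initializing $r$ to $m$ only makes sense for that order. Because the multiply step depends on "the value of each bit", the same routine run with $d$ has key-dependent timing. One sentence noting that production implementations keep the operation sequence independent of the exponent bits would fit next to the Montgomery remark. "A lot less than $2^{1024}$ multiplies." is a fragment and should read "far fewer than". The \cite group on the last line sits after the period; move it before.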
View
14 mult-plus-one.tex
@@ -0,0 +1,14 @@
+%%%% why-RSA-works/mult-plus-one.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{tabular}{llll}
+$911 \cdot 191 = 174001$ & $931 \cdot 971 = 904001$ & $951 \cdot 551 = 524001$ & $971 \cdot 931 = 904001$ \\
+$913 \cdot 977 = 892001$ & $933 \cdot 597 = 557001$ & $953 \cdot 617 = 588001$ & $973 \cdot 37 = 36001$ \\
+$917 \cdot 253 = 232001$ & $937 \cdot 873 = 818001$ & $957 \cdot 93 = 89001$ & $977 \cdot 913 = 892001$ \\
+$919 \cdot 679 = 624001$ & $939 \cdot 459 = 431001$ & $959 \cdot 439 = 421001$ & $979 \cdot 619 = 606001$ \\
+$921 \cdot 481 = 443001$ & $941 \cdot 661 = 622001$ & $961 \cdot 641 = 616001$ & $981 \cdot 421 = 413001$ \\
+$923 \cdot 987 = 911001$ & $943 \cdot 807 = 761001$ & $963 \cdot 27 = 26001$ & $983 \cdot 647 = 636001$ \\
+$927 \cdot 863 = 800001$ & $947 \cdot 283 = 268001$ & $967 \cdot 303 = 293001$ & $987 \cdot 923 = 911001$ \\
+$929 \cdot 169 = 157001$ & $949 \cdot 549 = 521001$ & $969 \cdot 129 = 125001$ & $989 \cdot 909 = 899001$ \\
+\end{tabular}
View
59 multiple-plus-one.tex
@@ -0,0 +1,59 @@
+%%%% why-RSA-works/multiple-plus-one.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+RSA uses two integers as exponents.
+One is the encryptor $e$ and the other is the decryptor $d$.
+In order for RSA to work, the product $ed$ must satisfy a strict condition.
+The condition is that the product $ed$ must have a \emph{multiple-plus-one} form.
+The product must be able to be written in the form $k\lambda+1$.
+The reason for this condition will become apparent later.
+For now, however, we need to understand what the expression $k\lambda+1$ means.
+
+%% This paragraph shall introduce Table \ref{mult-plus-one} below.
+Table \ref{mult-plus-one} contains some examples of multiple-plus-one products.
+Each product ends in 001.
+Each product is a multiple of 1000, plus one.
+In the first example, the product 174001 is equal to $174 \cdot 1000 + 1$.
+
+\vspace{2ex}
+%%%% multiple-plus-one table
+\begin{table}[!ht]
+ \begin{small}
+ \input{mult-plus-one.tex}
+ \end{small}
+ \caption{Multiples of 1000, plus one}
+ \label{mult-plus-one}
+\end{table}
+\vspace{2ex}
+
+%% This paragraph shall introduce $\lambda$.
+The Greek letter $\lambda$ (pronounced \textsf{LAM duh})
+is specified in the RSA literature.\cite{RSA-standard}
+We use $\lambda$ here as an integer constant.
+It typically has a huge value, almost as large as modulus $n$.
+In the context of Table \ref{mult-plus-one} it has a small value, $\lambda=1000$.
+The products can therefore be written like this:
+\begin{eqnarray*}
+ 911 \cdot 191 &=& 174 \lambda + 1 \\
+ 913 \cdot 977 &=& 892 \lambda + 1 \\
+ 917 \cdot 253 &=& 232 \lambda + 1 \\
+ & \vdots &
+\end{eqnarray*}
+
+%% This paragraph shall explain that $k$ is some unspecified positive integer.
+The products in the table can be written in the form $k\lambda+1$.
+The symbol $k$ signifies some positive integer.
+Its value is not important.
+The term $k\lambda$ simply means \emph{some integer multiple of $\lambda$}.
+This meaning of $k$ allows the multiple-plus-one condition to be stated succinctly.
+
+%% This paragraph shall formally state the condition.
+\paragraph{Multiple-plus-one condition:}
+Given positive integers $e$, $d$, and $\lambda$,
+the product $ed$ shall be an integer multiple of $\lambda$, plus one.
+\begin{equation} \label{eq:inv-pair}
+ ed = k\lambda + 1
+\end{equation}
+
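Review bot: the formal statement under \paragraph{Multiple-plus-one condition:} says only "an integer multiple of $\lambda$, plus one", while the paragraph just above defines $k$ as "some positive integer". As written, the condition admits k = 0, that is ed = 1. Put the constraint on $k$ into the statement itself. Smaller points: the file names mult-plus-one.tex (table) and multiple-plus-one.tex (section) are easy to confuse, and the table label mult-plus-one has no prefix while the equation label uses eq:.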
View
27 oplus-15.tex
@@ -0,0 +1,27 @@
+%%%% why-RSA-works/oplus-15.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{footnotesize}
+\begin{tabular}
+ {c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c}
+ & \phantom{X}
+ & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \\
+ & & & & & & & & & & & & & & & & \\
+ 0 & & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \\
+ 1 & & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 \\
+ 2 & & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 \\
+ 3 & & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 \\
+ 4 & & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 \\
+ 5 & & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 \\
+ 6 & & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 \\
+ 7 & & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 \\
+ 8 & & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 \\
+ 9 & & 9 & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 \\
+ 10 & & 10 & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 \\
+ 11 & & 11 & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 \\
+ 12 & & 12 & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 \\
+ 13 & & 13 & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 \\
+ 14 & & 14 & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 \\
+\end{tabular}
+\end{footnotesize}
View
46 oplus-operator.tex
@@ -0,0 +1,46 @@
+%%%% why-RSA-works/oplus-operator.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+When $n$ is small, the $\oplus$ operator can be specified using a table.
+Table \ref{oplus-15} specifies the $\oplus$ operator for the ring $\mathcal{R}_{15}$.
+The table is a 15 by 15 block of integers. There are 15 rows and 15 columns.
+Recall that rows run left and right, columns run up and down.
+Row numbers are specified by the extra column along the left side of the block.
+Column numbers are specified by the extra row along the top of the block.
+Note the diagonal stripe pattern that is visible in the table.
+
+\vspace{2ex}
+%%%% oplus-15 table
+\begin{table}[!ht]
+ \begin{center}
+ \input{oplus-15.tex}
+ \caption{$a \oplus b \quad (\mathcal{R}_{15})$}
+ \label{oplus-15}
+ \end{center}
+\end{table}
+
+Table \ref{oplus-15} specifies the value of $a \oplus b$ for every possible pair of $a$ and $b$.
+For example, let $a=10$ and $b=12$.
+The value of $10 \oplus 12$ is specified at the intersection of row $10$ and column $12$.
+This value is $7$. Therefore $10 \oplus 12 = 7$.
+
+Notice that every element in the table is in the set $Z_{15}$.
+This demonstrates the \emph{additive closure} property of rings.
+The additive closure property states that for every pair of elements $a$ and $b$ in $Z_n$,
+the sum $a \oplus b$ is also an element in $Z_n$.
+\[ a \oplus b \in Z_n \]
+
+The value of $a \oplus b$ can also be specified using a rule.
+To compute $10 \oplus 12$ we first calculate $10 + 12$ to get 22.
+Since 22 is not an element in $Z_{15}$ we subtract the modulus 15, i.e. $22 - 15 = 7$.
+Since $7 \in Z_{15}$ we stop and 7 is our final result.
+
+In general, the $\oplus$ operator takes two integers $a$ and $b$,
+adds them together using normal addition,
+then subtracts some multiple of $n$ such that the final value is in $Z_n$.
+The term $kn$ signifies some multiple of $n$. That is, $kn=0n,1n,2n,3n,\ldots$
+We simply use whichever $kn$ works in order to get closure, where $a \oplus b \in Z_n$.
+\[ a \oplus b = a + b - kn \]
+
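Review bot: in the last paragraph, "$kn=0n,1n,2n,3n,\ldots$" and "whichever $kn$ works" leave open how $k$ is chosen. For $a$ and $b$ in $Z_n$ the sum $a+b$ is at most $2n-2$, so $k$ is only ever 0 or 1, and exactly one choice lands in $Z_n$. Stating that turns the rule into a definition rather than a search, and it matches the worked example (22 - 15 = 7).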
View
27 otimes-15.tex
@@ -0,0 +1,27 @@
+%%%% why-RSA-works/otimes-15.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+\begin{footnotesize}
+\begin{tabular}
+ {c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c@{ }c}
+ & \phantom{X}
+ & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \\
+ & & & & & & & & & & & & & & & & \\
+ 0 & & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
+ 1 & & 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 \\
+ 2 & & 0 & 2 & 4 & 6 & 8 & 10 & 12 & 14 & 1 & 3 & 5 & 7 & 9 & 11 & 13 \\
+ 3 & & 0 & 3 & 6 & 9 & 12 & 0 & 3 & 6 & 9 & 12 & 0 & 3 & 6 & 9 & 12 \\
+ 4 & & 0 & 4 & 8 & 12 & 1 & 5 & 9 & 13 & 2 & 6 & 10 & 14 & 3 & 7 & 11 \\
+ 5 & & 0 & 5 & 10 & 0 & 5 & 10 & 0 & 5 & 10 & 0 & 5 & 10 & 0 & 5 & 10 \\
+ 6 & & 0 & 6 & 12 & 3 & 9 & 0 & 6 & 12 & 3 & 9 & 0 & 6 & 12 & 3 & 9 \\
+ 7 & & 0 & 7 & 14 & 6 & 13 & 5 & 12 & 4 & 11 & 3 & 10 & 2 & 9 & 1 & 8 \\
+ 8 & & 0 & 8 & 1 & 9 & 2 & 10 & 3 & 11 & 4 & 12 & 5 & 13 & 6 & 14 & 7 \\
+ 9 & & 0 & 9 & 3 & 12 & 6 & 0 & 9 & 3 & 12 & 6 & 0 & 9 & 3 & 12 & 6 \\
+ 10 & & 0 & 10 & 5 & 0 & 10 & 5 & 0 & 10 & 5 & 0 & 10 & 5 & 0 & 10 & 5 \\
+ 11 & & 0 & 11 & 7 & 3 & 14 & 10 & 6 & 2 & 13 & 9 & 5 & 1 & 12 & 8 & 4 \\
+ 12 & & 0 & 12 & 9 & 6 & 3 & 0 & 12 & 9 & 6 & 3 & 0 & 12 & 9 & 6 & 3 \\
+ 13 & & 0 & 13 & 11 & 9 & 7 & 5 & 3 & 1 & 14 & 12 & 10 & 8 & 6 & 4 & 2 \\
+ 14 & & 0 & 14 & 13 & 12 & 11 & 10 & 9 & 8 & 7 & 6 & 5 & 4 & 3 & 2 & 1 \\
+\end{tabular}
+\end{footnotesize}
View
47 otimes-operator.tex
@@ -0,0 +1,47 @@
+%%%% why-RSA-works/otimes-operator.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+When $n$ is small, the $\otimes$ operator can be specified using a table.
+Table \ref{otimes-15} specifies the $\otimes$ operator for the ring $\mathcal{R}_{15}$.
+The format is the same as Table \ref{oplus-15}. The values, of course, are different.
+Note the rose-like pattern visible in the table.
+The table is symmetrical about the diagonals.
+If we ignore column 0, then
+row 1 is the reverse of row 14, row 2 is the reverse of row 13, etc.
+
+\vspace{2ex}
+%%%% otimes-15 table
+\begin{table}[!ht]
+ \begin{center}
+ \input{otimes-15.tex}
+ \caption{$a \otimes b \quad (\mathcal{R}_{15})$}
+ \label{otimes-15}
+ \end{center}
+\end{table}
+
+Table \ref{otimes-15} specifies the value of $a \otimes b$ for every possible pair of $a$ and $b$.
+For example, let $a=11$ and $b=8$.
+The value of $11 \otimes 8$ is specified at the intersection of row $11$ and column $8$.
+This value is $13$. Therefore $11 \otimes 8 = 13$.
+
+Notice that every element in the table is in the set $Z_{15}$.
+This demonstrates the \emph{multiplicative closure} property of rings.
+The multiplicative closure property states that for every pair of elements $a$ and $b$ in $Z_n$,
+the product $a \otimes b$ is also an element in $Z_n$.
+\[ a \otimes b \in Z_n \]
+
+The value of $a \otimes b$ can also be specified using a rule.
+To compute $11 \otimes 8$ we first calculate $11 \times 8$ to get 88.
+Since 88 is not an element in $Z_{15}$ we subtract a multiple of the modulus, $kn$.
+In this case, $kn = 5 \times 15 = 75$. Therefore $88 - 75 = 13$.
+And $13 \in Z_{15}$ so 13 is our final result.
+
+In general, the $\otimes$ operator takes two integers $a$ and $b$,
+multiplies them together using normal multiplication,
+then subtracts some multiple of $n$ such that the final value is in $Z_n$.
+In other words, we subtract whichever $kn$ works in order to get closure,
+where $a \otimes b \in Z_n$.
+\[ a \otimes b = ab - kn \]
+
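Review bot: "The table is symmetrical about the diagonals." holds for the main diagonal over the whole block, but for the other diagonal only once both row 0 and column 0 are set aside; the qualifier "If we ignore column 0" comes one sentence later and covers the row-reversal remark only. Move the qualifier up and have it name row 0 as well. The closing paragraph could also note that, unlike the $\oplus$ case, $k$ here ranges up to $n-2$, which is why the text later replaces the subtraction with a remainder.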
View
47 references.tex
@@ -0,0 +1,47 @@
+%%%% why-RSA-works/references.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+\begin{thebibliography}{99}
+
+\bibitem{RSA-paper}
+ R. L. Rivest, A. Shamir, and L. Adleman.
+ A method for obtaining digital signatures and public-key cryptosystems.
+ \emph{Communications of the ACM}, 21(2):120-126.
+
+\bibitem{ray-attack}
+ Andreas de Vries. The ray attack, an inefficient trial to break RSA cryptosystems.
+ FH S\"udwestfalen University of Applied Sciences, Haldener StraBe 182, D-58095 Hagen, 2003.
+
+\bibitem{wiki-Rings}
+ Ring (mathematics). \emph{Wikipedia}, \verb$www.wikipedia.com$.
+
+\bibitem{Koc}
+ \c Cetin Kaya Ko\c c. High-speed RSA implementation. RSA Labs, 1994.
+
+\bibitem{Schneier}
+ Bruce Schneier. \emph{Applied Cryptography}. John Wiley \& Sons, 1994.
+
+\bibitem{HAC}
+ A. Menezes, P. van Oorschot, and S. Vanstone.
+ \emph{Handbook of Applied Cryptography}. CRC Press, 1996.
+
+\bibitem{RSA-standard}
+ PKCS \#1 v2.1: RSA cryptography standard. RSA Labs, 2002.
+
+\bibitem{Shor}
+ Peter W. Shor,
+ ``Polynomial-Time Algorithms for Prime Factorization and
+ Discrete Logarithms on a Quantum Computer,'' 1996.
+
+\bibitem{RSA-768}
+ Thorsten Kleinjung et al.
+ Factorization of a 768-bit RSA modulus.
+ Version 1.4, February 18, 2010.
+
+\bibitem{RSA-problem}
+ Ronald L. Rivest and Burt Kaliski. RSA problem. RSA Labs, 2003.
+
+\end{thebibliography}
+
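Review bot: in the ray-attack entry "Haldener StraBe" has a capital B where the German sharp s belongs (Stra{\ss}e), on the same line that correctly escapes S\"udwestfalen. The RSA-paper entry has no year, the wiki-Rings entry points at www.wikipedia.com with no article URL or access date, and the Shor entry uses a quoted title and a comma after the author while the other entries use periods. Bring the entries to one style.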
View
26 rings.tex
@@ -0,0 +1,26 @@
+%%%% why-RSA-works/rings.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+RSA uses mathematical structures called rings.
+A \emph{ring} is a set equipped with two binary operators.\cite{wiki-Rings}
+The ring displays several well-defined algebraic properties,
+including both additive closure and multiplicative closure.
+
+Recall that a set is simply a collection of elements.
+These elements can be anything, but in the case of RSA, the elements are integers.
+RSA uses sets with a finite number of elements.
+The number of elements in a set is called the \emph{modulus}.
+The modulus is represented by the symbol $n$.
+
+A binary operator is something that takes two elements and computes a third.
+Rings use two binary operators, which we denote here as
+$\oplus$ (pronounced \textsf{OH plus}) and $\otimes$ (pronounced \textsf{OH times}).
+The $\oplus$ operator is similar to addition.
+The $\otimes$ operator is similar to multiplication.
+
+In general, we say that the ring $\mathcal{R}_n$
+consists of the set $Z_n$, the $\oplus$ operator, and the $\otimes$ operator.
+\[ \mathcal{R}_n = (Z_n,\oplus,\otimes) \]
+
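Review bot: "The number of elements in a set is called the \emph{modulus}." overstates the term: the size of a set in general is its cardinality, and modulus is the name used for $n$ in $Z_n$. Scope the sentence to the sets RSA uses, for example "the number of elements in $Z_n$". Since $Z_n$ first appears in the last paragraph without a definition, add a pointer to the section in set-Zn.tex that defines it.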
View
31 set-Zn.tex
@@ -0,0 +1,31 @@
+%%%% why-RSA-works/set-Zn.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+A finite set $Z_n$ can be specified in several different ways.
+When a set has just a few elements, they can be explicitly enumerated, listed within curly brackets.
+For example, the set $Z_{15}$ consists of the 15 integers starting with 0 and ending with 14.
+\[ Z_{15} = \{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14\} \]
+
+When a set has a huge number of elements, they cannot be enumerated.
+But if a set consists entirely of sequential elements, it can be specified
+by listing the first few elements, an ellipsis, and the last few elements.
+For example, the set $Z_n$ consists of a sequence of $n$ integers,
+starting with 0 and ending with $(n-1)$.
+\[ Z_n = \{0,1,2,3,\ldots,(n-2),(n-1)\} \]
+
+When RSA generates a pair of keys, it selects some modulus $n$
+that is the product of two distinct primes $p$ and $q$.
+The term \emph{product} means that we multiply $p$ times $q$.
+Instead of writing $p \times q$ we use the abbreviation $pq$.
+\[ n = pq \]
+
+The term \emph{distinct} means that $p$ and $q$ are different from each other.
+That is, $p \ne q$.
+Recall that a \emph{prime} is any integer greater than 1
+that cannot be divided evenly by any other integer except 1 and itself.
+The first five primes are 2, 3, 5, 7, and 11.
+In the example of $Z_{15}$ above, the modulus $15$ is
+the product of the two distinct primes $3$ and $5$.
+
View
46 simple-proof.tex
@@ -0,0 +1,46 @@
+%%%% why-RSA-works/simple-proof.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+We need to convince ourselves that RSA works under a broad set of conditions.
+That is, we need to demonstrate that we can start with any $m \in Z_n$,
+perform two modex operations on it, and get $m$ back.
+Here's the set of conditions:
+\begin{itemize}
+\item two prime integers $p$ and $q$ such that $p \ne q$
+\item the ring $\mathcal{R}_n = (Z_n,\oplus,\otimes)$ where $n=pq$
+\item exponential notation in $\mathcal{R}_n$ (e.g. $m^3 = m \otimes m \otimes m$)
+\item the Carmichael function value $\lambda=\lcm(p-1,q-1)$
+\item two integers $e$ and $d$ such that $ed=k\lambda + 1$
+\item an integer $m$ such that $m \in Z_n$
+\end{itemize}
+
+Refer to the RSA cryptosystem of Figure \ref{block-diagram}.
+The message $m$ is presented at the input of Bob's transmitter.
+The message $y$ is produced at the output of Alice's receiver.
+We will demonstrate that $y=m$.
+
+The receiver output equation (\ref{eq:rx-out}) states that $y=c^d$.
+This is what we begin our proof with.
+In the following steps, we will modify the right side of this equation.
+\[ y = c^d \]
+
+The transmitter output equation (\ref{eq:tx-out}) states that $c=m^e$.
+We replace $c$ in the equation above with $(m^e)$.
+\[ y = (m^e)^d \]
+
+The exponent multiplication rule (\ref{eq:expo-mult}) states that $(m^e)^d=m^{ed}$.
+We replace $(m^e)^d$ in the equation above with $m^{ed}$.
+\[ y = m^{ed} \]
+
+The multiple-plus-one condition (\ref{eq:inv-pair}) states that $ed=k\lambda + 1$.
+We replace $ed$ in the equation above with $k\lambda + 1$.
+\[ y = m^{k\lambda + 1} \]
+
+The Carmichael identity (\ref{eq:carm-id}) states that $m=m^{k\lambda + 1}$.
+We replace $m^{k\lambda + 1}$ in the equation above with $m$.
+\[ y = m \]
+
+QED
+
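Review bot: \lcm in the fourth item of the conditions list is not a predefined LaTeX command (\gcd is, \lcm is not), and nothing in this file declares it, so confirm the main file has something like \DeclareMathOperator{\lcm}{lcm} or the build will stop here. In the last step the Carmichael identity is applied to every $m \in Z_n$, including values that share a factor with $n$; a remark that this relies on $p \ne q$ from the first condition would show why that item is in the list. The closing "QED" is bare text where the rest of the file uses markup.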
View
61 simulation.tex
@@ -0,0 +1,61 @@
+%%%% why-RSA-works/simulation.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+We can simulate RSA messaging using a Lisp interpreter.
+Our version of Lisp uses a question mark for the prompt.
+Lisp commands may be variable names or compound expressions.
+The interpreter reads each command, evaluates it, and prints the result.
+
+Alice must precompute three integers before Bob can send her RSA encrypted messages.
+These are \mbox{modulus $n$}, \mbox{encryptor $e$}, and \mbox{decryptor $d$}.
+Some examples have been precomputed and are displayed below in decimal format.
+Note that \mbox{modulus $n$} has 56 decimal digits. This turns out to be 186 bits.
+A typical RSA modulus has at least 1024 bits, but we use 186 bits here for the sake of brevity.
+\begin{quote}
+\begin{verbatim}
+? n
+97397795163266888271167242107545263613895906874319587249
+? e
+10306926753200670273346978999454444249925952109333797079
+? d
+46445936998769783647957439537275126296124161350172130481
+\end{verbatim}
+\end{quote}
+
+A typical RSA message is an AES-128 session key.
+This is a random 128-bit integer used by the AES algorithm to encrypt a high bandwidth session.
+Here $m$ has 39 decimal digits, or 128 bits.
+Normally $m$ would be padded with extra random bits to make it about the same size as $n$,
+but we've omitted padding steps in this demonstration for the sake of clarity.
+\begin{quote}
+\begin{verbatim}
+? m
+325004947599823818213341565111207349415
+\end{verbatim}
+\end{quote}
+
+Bob commands his Lisp interpreter to compute \mbox{ciphertext $c$}.
+Lisp computes the modex function with inputs $m$, $e$, $n$,
+assigns this value to the variable $c$, then prints the result.
+Note that, whereas $m$ has only 39 digis, \mbox{ciphertext $c$} has 56 digits,
+the same as $n$.
+\begin{quote}
+\begin{verbatim}
+? (setf c (modex m e n))
+65406940630722215589598713946252700262213080283568050086
+\end{verbatim}
+\end{quote}
+
+Alice commands her Lisp interpreter to compute \mbox{output $y$}.
+Lisp computes the modex function with inputs $c$, $d$, $n$,
+assigns this value to the variable $y$, then prints the result.
+Note that $y$ is identical to $m$. \emph{Magic!}
+\begin{quote}
+\begin{verbatim}
+? (setf y (modex c d n))
+325004947599823818213341565111207349415
+\end{verbatim}
+\end{quote}
+
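Review bot: the padding paragraph ("Normally $m$ would be padded with extra random bits ... we've omitted padding steps") should state that the unpadded computation shown is for demonstration only, because without random padding the same $m$ always produces the same $c$ under a given key. One added sentence there would prevent readers from treating the `(modex m e n)` call as a complete encryption procedure. Two smaller points: `modex` is used in `(setf c (modex m e n))` without a definition or cross-reference in this file, and it is not part of standard Common Lisp, so say where it is defined or that it computes $m^e$ in the ring; and "digis" in "whereas $m$ has only 39 digis" should be "digits".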
View
98 wallpaper.tex
@@ -0,0 +1,98 @@
+%%%% why-RSA-works/wallpaper.tex
+%%%% Copyright 2012 Peter Franusic.
+%%%% All rights reserved.
+%%%%
+
+%%%% The goal here is to introduce the Carmichael identity.
+%%%% We look at a modex table where a visible pattern is readily apparent.
+%%%% We define the Carmichael function value and set forth the wallpaper theorem
+%%%% and the Carmichael identity.
+
+%% Introduce the modex-33 table and point out the wallpaper pattern.
+We now consider a larger exponentiation table.
+Table \ref{modex-33} specifies exponential products $m^a$ in the ring $\mathcal{R}_{33}$.
+The table is small enough to fit on a page
+yet big enough for us to visually perceive a \emph{wallpaper} pattern.
+There appear to be three identical strips of wallpaper side by side.
+Each strip is 10 columns wide and runs from top to bottom.
+
+%% modex-33 table
+\begin{table}[!h]
+\hspace{-9ex}
+ \input{modex-33.tex}
+ \caption{$m^a \quad (\mathcal{R}_{33})$}
+ \label{modex-33}
+\end{table}
+
+%% Develop the equation that describes the pattern.
+Notice that this table also contains identity columns.
+They are columns 1, 11, 21, and 31.
+Also notice that column 2 is the same as columns 12 and 22,
+column 3 is the same as columns 13 and 23, and so on.
+In fact, the entire block of columns 1 through 10 is repeated in columns 11 through 20,
+and this block pattern continues to repeat for columns beyond 20.
+
+\newpage
+
+We can easily represent this wallpaper pattern with an equation.
+Any column $a$ is the same as column $10+a$ and column $20+a$ and so on.
+We use the notation $k \cdot 10$ to denote some multiple of 10.
+So for any $m \in Z_{33}$ and any integer $a > 0$ we have
+\[ m^a = m^{k \cdot 10 + a} \]
+
+%% Define the Carmichael function value and give the equation.
+Each row in Table \ref{modex-33} is a sequence of exponential products.
+Each sequence is a 1 followed by a series of cycles.
+These cycles have various periods.
+For this table the periods are 1, 2, 5, and 10.
+The period of the longest cycle is symbolized by $\lambda$.
+This is also known as the \emph{Carmichael function value}.
+For this particular exponential table we have $\lambda=10$.
+However, for any two distinct primes $p$ and $q$,
+it turns out that the Carmichael function value $\lambda$
+is the \emph{least common multiple} of $p-1$ and $q-1$.
+\[ \lambda = \lcm(p-1,q-1) \]
+
+%% Describe how to compute an lcm and give an example.
+When $p$ and $q$ are small we can compute the Carmichael function value by hand.
+For example, let $p=11$ and $q=13$ so that $\lambda=\lcm(10,12)$.
+The multiples of 10 are 10, 20, 30, etc.
+The multiples of 12 are 12, 24, 36, etc.
+The multiples that are common to both are 60, 120, 180, etc.
+The least of these is 60.
+\begin{center}
+\begin{tabular}{lcl}
+ Multiples of 10 &=& 10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, \ldots \\
+ Multiples of 12 &=& 12, 24, 36, 48, 60, 72, 84, 96, 108, 120, 132, \ldots \\
+ Common to both &=& 60, 120, 180, \ldots \\
+ $\lcm(10,12)$ &=& 60
+\end{tabular}
+\end{center}
+
+%% Substitute the 10 with $\lambda$.
+We described the wallpaper pattern of Table \ref{modex-33}
+using the equation $m^a=m^{k \cdot 10 + a}$. We can replace the 10 with $\lambda$.
+This gives us $m^a=m^{k\lambda + a}$.
+This equation holds for primes $p=3$ and $q=11$.
+But does it hold for \emph{any} pair of primes?
+We assert that it does and we offer the following theorem without proof.
+
+\paragraph{Wallpaper theorem:}
+Given two distinct primes $p$ and $q$, the ring $\mathcal{R}_{pq}$,
+the Carmichael function value $\lambda=\lcm(p-1,q-1)$,
+any $m \in Z_{pq}$, any integer $a > 0$, and any integer $k \ge 0$, then
+\[ m^a = m^{k\lambda + a} \]
+
+RSA uses a special case of the Wallpaper theorem where $a=1$.
+We call this special case the \emph{Carmichael identity}.
+The $m^a$ on the left side is replaced by $m$, since $m^1=m$.
+The $m^{k\lambda + a}$ on the right side is replaced by $m^{k\lambda + 1}$.
+
+\paragraph{Carmichael identity:}
+Given two distinct primes $p$ and $q$, the ring $\mathcal{R}_{pq}$,
+the Carmichael function value $\lambda=\lcm(p-1,q-1)$,
+any $m \in Z_{pq}$, and any integer $k \ge 0$, then
+\begin{equation} \label{eq:carm-id}
+ m = m^{k\lambda + 1}
+\end{equation}
+
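Review bot: `\lcm` is used in `\[ \lambda = \lcm(p-1,q-1) \]`, in the tabular, and in both paragraph statements, but it is not a LaTeX or amsmath built-in, so this file builds only if the main document defines it (for example with `\DeclareMathOperator{\lcm}{lcm}`); a comment at the top of the file naming that dependency would help. On the exposition, the worked example uses $p=11$, $q=13$, while the table is for $33 = 3 \cdot 11$; adding one sentence after the formula that $\lcm(2,10)=10$ would tie the formula to the period $\lambda=10$ read off Table \ref{modex-33} before the text later says the equation "holds for primes $p=3$ and $q=11$". The hard-coded `\newpage` and `\hspace{-9ex}` are layout fixes that will misplace content if the surrounding text changes; consider letting the float placement handle it.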
View
BIN why-RSA-works.pdf
Binary file not shown.
