为什么RSA加解密互逆
已知 p , q 均为质数 n = p q e d ≡ 1 ( m o d λ ( n ) ) λ ( n ) = l c m ( p − 1 , q − 1 ) e 与 λ ( n ) 互素 已知p,q均为质数\\ \begin{align} n&=pq\\ ed &\equiv 1 \pmod{\lambda(n)}\\ \lambda(n)&=lcm(p-1, q-1)\\ &e与\lambda(n)互素 \end{align} 已知p,q均为质数nedλ(n)=pq≡1(modλ(n))=lcm(p−1,q−1)e与λ(n)互素
证明加解密互逆
c
≡
m
e
(
m
o
d
n
)
m
≡
c
d
(
m
o
d
n
)
c
d
≡
(
m
e
)
d
≡
m
e
d
≡
m
1
+
k
λ
(
n
)
≡
m
⋅
m
λ
(
n
)
≡
m
⋅
1
≡
m
(
m
o
d
n
)
接下来就是证明
m
λ
(
n
)
≡
1
(
m
o
d
n
)
由于
λ
(
n
)
=
l
c
m
(
p
−
1
,
q
−
1
)
则有
{
m
λ
(
n
)
≡
1
(
m
o
d
p
)
m
λ
(
n
)
≡
1
(
m
o
d
q
)
变换之后
{
m
λ
(
n
)
=
1
+
k
1
p
m
λ
(
n
)
=
1
+
k
2
q
再次变换
{
2
m
λ
(
n
)
−
2
=
k
1
p
+
k
2
q
m
2
λ
(
n
)
=
(
1
+
k
1
p
)
(
1
+
k
2
q
)
=
1
+
k
1
p
+
k
2
q
+
k
1
k
2
p
q
c\equiv m^e \pmod{n}\\ m\equiv c^d \pmod{n}\\ c^d\equiv (m^e)^d \equiv m^{ed} \equiv m^{1+k\lambda(n)} \equiv m \cdot m^{\lambda(n)} \equiv m \cdot 1 \equiv m \pmod{n}\\ 接下来就是证明m^{\lambda(n)}\equiv 1 \pmod{n}\\ 由于\lambda(n)=lcm(p-1,q-1)\\ 则有\left \{ \begin{align} m^{\lambda(n)}\equiv 1 \pmod{p}\\ m^{\lambda(n)}\equiv 1 \pmod{q}\\ \end{align} \right. \\ 变换之后 \left \{ \begin{array}{c} m^{\lambda(n)} = 1 + k_1p\\ m^{\lambda(n)} = 1 + k_2q\\ \end{array} \right. \\ 再次变换\left \{ \begin{array}{c} 2m^{\lambda(n)} - 2 = k_1p + k_2q\\ m^{2\lambda(n)} = (1 + k_1p)(1 + k_2q) = 1 + k_1p + k_2q + k_1k_2pq \end{array} \right.\\
c≡me(modn)m≡cd(modn)cd≡(me)d≡med≡m1+kλ(n)≡m⋅mλ(n)≡m⋅1≡m(modn)接下来就是证明mλ(n)≡1(modn)由于λ(n)=lcm(p−1,q−1)则有{mλ(n)≡1(modp)mλ(n)≡1(modq)变换之后{mλ(n)=1+k1pmλ(n)=1+k2q再次变换{2mλ(n)−2=k1p+k2qm2λ(n)=(1+k1p)(1+k2q)=1+k1p+k2q+k1k2pq
带入后得到
m
2
λ
(
n
)
=
1
+
(
2
m
λ
(
n
)
−
2
)
+
k
1
k
2
p
q
=
2
m
λ
(
n
)
−
1
+
k
1
k
2
p
q
m
2
λ
(
n
)
−
2
m
λ
(
n
)
+
1
=
k
1
k
2
p
q
(
m
λ
(
n
)
−
1
)
2
=
k
1
k
2
p
q
\begin{aligned} m^{2\lambda(n)} &= 1 + (2m^{\lambda(n)} - 2) + k_1k_2pq\\ &= 2m^{\lambda(n)} - 1 + k_1k_2pq\\ m^{2\lambda(n)} - 2m^{\lambda(n)} + 1 &= k_1k_2pq \\ (m^{\lambda(n)}-1)^2 &= k_1k_2pq\\ \end{aligned}
m2λ(n)m2λ(n)−2mλ(n)+1(mλ(n)−1)2=1+(2mλ(n)−2)+k1k2pq=2mλ(n)−1+k1k2pq=k1k2pq=k1k2pq
则有
(
m
λ
(
n
)
−
1
)
2
≡
0
(
m
o
d
p
q
)
m
λ
(
n
)
−
1
≡
0
(
m
o
d
p
q
)
m
λ
(
n
)
≡
1
(
m
o
d
p
q
)
(m^{\lambda(n)}-1)^2 \equiv 0 \pmod{pq}\\ m^{\lambda(n)}-1 \equiv 0 \pmod{pq}\\ m^{\lambda(n)} \equiv 1 \pmod{pq}
(mλ(n)−1)2≡0(modpq)mλ(n)−1≡0(modpq)mλ(n)≡1(modpq)
即证
后来才发现,过程搞复杂了其实只要在这一步,移动一下就好
{
m
λ
(
n
)
−
1
=
k
1
p
m
λ
(
n
)
−
1
=
k
2
q
\left \{ \begin{array}{c} m^{\lambda(n)}-1 = k_1p\\ m^{\lambda(n)}-1 = k_2q\\ \end{array} \right.\\
{mλ(n)−1=k1pmλ(n)−1=k2q
9.2 Perform encryption and decryption using the RSA algorithm, as in Figure 9.5, for the following:
a.
p
=
3
;
q
=
7
,
e
=
5
;
M
=
10
p=3;q=7,e=5;M=10
p=3;q=7,e=5;M=10
n
=
p
q
=
21
ϕ
(
n
)
=
(
p
−
1
)
(
q
−
1
)
=
2
×
6
=
12
e
x
g
c
d
:
{
x
=
ϕ
(
n
)
=
12
y
=
e
=
5
x
−
2
y
=
2
−
2
x
+
5
y
=
1
d
=
5
e
n
c
r
y
p
t
:
C
≡
M
e
(
m
o
d
n
)
1
0
5
≡
1
6
2
×
10
≡
(
−
5
)
2
×
10
≡
25
×
10
≡
40
≡
19
(
m
o
d
21
)
d
e
c
r
y
p
t
:
M
≡
C
d
(
m
o
d
n
)
1
9
5
≡
(
−
2
)
5
≡
−
32
≡
−
11
≡
10
(
m
o
d
21
)
\begin{array}{l} n=pq=21\\ \phi(n)=(p-1)(q-1)=2\times6=12\\ exgcd:\left\{ \begin{align} x&=\phi(n)=12\tag{(1)}\\ y&=e=5\tag{(2)}\\ x-2y&=2\tag{(3)=(1)-2(2)}\\ -2x+5y&=1\tag{(4)=(2)-2(3)}\\ \end{align}\right.\\ d=5\\ encrypt: C \equiv M^e \pmod{n} \\ 10^5\equiv16^2 \times 10 \equiv (-5)^2 \times10 \equiv 25 \times 10 \equiv 40 \equiv 19 \pmod{21} \\ decrypt: M \equiv C^d \pmod{n} \\ 19^5 \equiv (-2)^5 \equiv -32 \equiv -11 \equiv 10 \pmod{21} \end{array}
n=pq=21ϕ(n)=(p−1)(q−1)=2×6=12exgcd:⎩
⎨
⎧xyx−2y−2x+5y=ϕ(n)=12=e=5=2=1((1))((2))((3)=(1)-2(2))((4)=(2)-2(3))d=5encrypt:C≡Me(modn)105≡162×10≡(−5)2×10≡25×10≡40≡19(mod21)decrypt:M≡Cd(modn)195≡(−2)5≡−32≡−11≡10(mod21)
b.
p
=
5
;
q
=
13
,
e
=
5
;
M
=
8
p=5;q=13,e=5;M=8
p=5;q=13,e=5;M=8
n
=
p
q
=
65
ϕ
(
n
)
=
(
p
−
1
)
(
q
−
1
)
=
4
×
12
=
48
e
x
g
c
d
:
{
x
=
ϕ
(
n
)
=
48
y
=
e
=
5
x
−
9
y
=
3
−
x
+
10
y
=
2
2
x
−
19
y
=
1
d
=
48
−
19
=
29
e
n
c
r
y
p
t
:
C
≡
M
e
(
m
o
d
n
)
8
5
≡
6
4
2
×
8
≡
(
−
1
)
2
×
8
(
m
o
d
65
)
d
e
c
r
y
p
t
:
M
≡
C
d
(
m
o
d
n
)
8
29
≡
6
4
14
×
8
≡
(
−
1
)
14
×
8
≡
8
(
m
o
d
65
)
\begin{array}{l} n=pq=65\\ \phi(n)=(p-1)(q-1)=4\times12=48\\ exgcd:\left\{ \begin{align} x&=\phi(n)=48\\ y&=e=5\\ x-9y&=3\\ -x+10y&=2\\ 2x-19y&=1\\ \end{align}\right.\\ d=48-19=29\\ encrypt: C \equiv M^e \pmod{n} \\ 8^5\equiv 64^2 \times 8 \equiv (-1)^2 \times 8\pmod{65} \\ decrypt: M \equiv C^d \pmod{n} \\ 8^{29} \equiv 64^{14} \times 8 \equiv (-1)^{14} \times 8 \equiv 8\pmod{65} \end{array}
n=pq=65ϕ(n)=(p−1)(q−1)=4×12=48exgcd:⎩
⎨
⎧xyx−9y−x+10y2x−19y=ϕ(n)=48=e=5=3=2=1d=48−19=29encrypt:C≡Me(modn)85≡642×8≡(−1)2×8(mod65)decrypt:M≡Cd(modn)829≡6414×8≡(−1)14×8≡8(mod65)
c.
p
=
7
;
q
=
17
,
e
=
11
;
M
=
11
p=7;q=17,e=11;M=11
p=7;q=17,e=11;M=11
n
=
p
q
=
119
ϕ
(
n
)
=
(
p
−
1
)
(
q
−
1
)
=
6
×
16
=
96
e
x
g
c
d
:
{
x
=
ϕ
(
n
)
=
96
y
=
e
=
11
x
−
8
y
=
8
−
x
+
9
y
=
3
3
x
−
26
y
=
2
−
4
x
+
35
y
=
1
d
=
35
e
n
c
r
y
p
t
:
C
≡
M
e
(
m
o
d
n
)
1
1
1
1
≡
12
1
5
×
11
≡
2
5
×
11
≡
114
(
m
o
d
119
)
d
e
c
r
y
p
t
:
M
≡
C
d
(
m
o
d
n
)
11
4
35
(
m
o
d
119
)
c
r
t
:
{
11
4
35
≡
4
m
o
d
7
11
4
35
≡
11
m
o
d
17
e
x
g
c
d
:
{
x
=
17
y
=
7
x
−
2
y
=
3
−
2
x
+
5
y
=
1
11
4
35
≡
5
×
4
×
17
+
5
×
11
×
7
≡
11
(
m
o
d
119
)
\begin{array}{l} n=pq=119\\ \phi(n)=(p-1)(q-1)=6\times16=96\\ exgcd:\left\{ \begin{align} x&=\phi(n)=96\\ y&=e=11\\ x-8y&=8\\ -x+9y&=3\\ 3x-26y&=2\\ -4x+35y&=1\\ \end{align}\right.\\ d=35\\ encrypt: C \equiv M^e \pmod{n} \\ 11^11\equiv 121^{5} \times 11 \equiv 2^5 \times 11 \equiv 114\pmod{119} \\ decrypt: M \equiv C^d \pmod{n} \\ 114^{35}\pmod{119} \\ \begin{array}{l} crt:\left\{ \begin{array}{l} 114^{35} &\equiv 4 \mod 7 \\ 114^{35} &\equiv 11 \mod 17 \end{array}\right. \\ exgcd:\left\{ \begin{array}{cl} x&=17\\ y&=7 \\ x-2y&=3 \\ -2x+5y&=1\\ \end{array}\right. \\ \end{array} \\ 114^{35} \equiv 5\times4\times17+5\times11\times7\equiv 11\pmod{119} \\ \end{array}
n=pq=119ϕ(n)=(p−1)(q−1)=6×16=96exgcd:⎩
⎨
⎧xyx−8y−x+9y3x−26y−4x+35y=ϕ(n)=96=e=11=8=3=2=1d=35encrypt:C≡Me(modn)1111≡1215×11≡25×11≡114(mod119)decrypt:M≡Cd(modn)11435(mod119)crt:{1143511435≡4mod7≡11mod17exgcd:⎩
⎨
⎧xyx−2y−2x+5y=17=7=3=111435≡5×4×17+5×11×7≡11(mod119)
d.
p
=
7
;
q
=
13
,
e
=
11
;
M
=
2
p=7;q=13,e=11;M=2
p=7;q=13,e=11;M=2
n
=
p
q
=
91
ϕ
(
n
)
=
(
p
−
1
)
(
q
−
1
)
=
6
×
12
=
72
e
x
g
c
d
:
{
x
=
ϕ
(
n
)
=
72
y
=
e
=
11
x
−
6
y
=
6
−
x
+
7
y
=
5
2
x
−
13
y
=
1
d
=
72
−
13
=
59
e
n
c
r
y
p
t
:
C
≡
M
e
(
m
o
d
n
)
2
1
1
≡
37
×
16
≡
57
×
4
≡
46
(
m
o
d
91
)
d
e
c
r
y
p
t
:
M
≡
C
d
(
m
o
d
n
)
4
6
59
(
m
o
d
91
)
c
r
t
:
{
4
6
59
≡
2
m
o
d
7
4
6
59
≡
2
m
o
d
13
斌头剩余定理
:
4
6
59
≡
2
m
o
d
91
\begin{array}{l} n=pq=91\\ \phi(n)=(p-1)(q-1)=6\times12=72\\ exgcd:\left\{ \begin{align} x&=\phi(n)=72\\ y&=e=11\\ x-6y&=6\\ -x+7y&=5\\ 2x-13y&=1\\ \end{align}\right.\\ d=72-13=59\\ encrypt: C \equiv M^e \pmod{n} \\ 2^11\equiv 37 \times 16 \equiv 57 \times 4 \equiv 46 \pmod{91} \\ decrypt: M \equiv C^d \pmod{n} \\ 46^{59}\pmod{91} \\ crt:\left\{ \begin{array}{l} 46^{59} &\equiv 2 \mod 7 \\ 46^{59} &\equiv 2 \mod 13 \end{array}\right. \\ 斌头剩余定理:46^{59} \equiv 2 \mod 91 \end{array}
n=pq=91ϕ(n)=(p−1)(q−1)=6×12=72exgcd:⎩
⎨
⎧xyx−6y−x+7y2x−13y=ϕ(n)=72=e=11=6=5=1d=72−13=59encrypt:C≡Me(modn)211≡37×16≡57×4≡46(mod91)decrypt:M≡Cd(modn)4659(mod91)crt:{46594659≡2mod7≡2mod13斌头剩余定理:4659≡2mod91
e. p = 17 ; q = 23 , e = 9 ; M = 7 p=17;q=23,e=9;M=7 p=17;q=23,e=9;M=7
n = p q = 391 ϕ ( n ) = ( p − 1 ) ( q − 1 ) = 16 × 22 = 352 e x g c d : { x = ϕ ( n ) = 352 y = e = 9 x − 39 y = 1 d = 352 − 39 = 313 e n c r y p t : C ≡ M e ( m o d n ) 7 9 ≡ 61 ( m o d 391 ) d e c r y p t : M ≡ C d ( m o d n ) 6 1 313 ≡ 7 ( m o d 119 ) \begin{array}{l} n=pq=391\\ \phi(n)=(p-1)(q-1)=16\times22=352\\ exgcd:\left\{ \begin{align} x&=\phi(n)=352\\ y&=e=9\\ x-39y&=1\\ \end{align}\right.\\ d=352-39=313\\ encrypt: C \equiv M^e \pmod{n} \\ 7^9 \equiv 61 \pmod{391} \\ decrypt: M \equiv C^d \pmod{n} \\ 61^{313} \equiv7 \pmod{119} \\ \end{array} n=pq=391ϕ(n)=(p−1)(q−1)=16×22=352exgcd:⎩ ⎨ ⎧xyx−39y=ϕ(n)=352=e=9=1d=352−39=313encrypt:C≡Me(modn)79≡61(mod391)decrypt:M≡Cd(modn)61313≡7(mod119)
9.3 In a public-key system using RSA, you intercept the ciphertext C = 20 sent to user whose public key is e=13, n=77. What is the plaintext M?
n = 77 = 7 × 11 p = 7 , q = 11 ϕ ( n ) = 6 × 10 = 60 e = 13 e x g c d : { x = 60 y = 13 x − 4 y = 8 − x + 5 y = 5 2 x − 9 y = 3 − 3 x + 14 y = 2 5 x − 23 y = 1 d = 60 − 23 = 37 m = c d m o d n m = 2 0 37 ≡ 48 ( m o d 77 ) \begin{array}{l} n=77=7\times11\\ p=7,q=11\\ \phi(n)=6\times10=60\\ e=13\\ exgcd:\left\{ \begin{array}{l} x&=60\\ y&=13\\ x-4y&=8\\ -x+5y&=5\\ 2x-9y&=3\\ -3x+14y&=2\\ 5x-23y&=1 \end{array}\right.\\ d=60-23=37\\ m=c^{d}\mod n\\ m=20^{37}\equiv 48 \pmod{77} \end{array} n=77=7×11p=7,q=11ϕ(n)=6×10=60e=13exgcd:⎩ ⎨ ⎧xyx−4y−x+5y2x−9y−3x+14y5x−23y=60=13=8=5=3=2=1d=60−23=37m=cdmodnm=2037≡48(mod77)
9.4 In an RSA system, the public key of a given user is e=65, n=2881.What is the private key of this user? Hint: First use trial-and-error to determine p and q; then use the extended Euclidean algorithm to find the multiplicative inverse of 31 modulo ϕ ( n ) \phi(n) ϕ(n).
n = 43 × 67 = 2881 p = 43 , q = 67 ϕ ( n ) = 42 × 66 = 2772 e x g c d : { x = 2772 y = 65 x − 42 y = 42 − x + 43 y = 23 2 x − 85 y = 19 − 3 x + 128 y = 4 14 x − 597 y = 3 − 17 x + 725 y = 1 私钥 d = 725 e x g c d : { x = 2772 y = 31 x − 89 y = 13 − 2 x + 179 y = 5 5 x − 447 y = 3 − 7 x + 626 y = 2 12 x − 1073 y = 1 ( 31 ) − 1 ≡ 1699 m o d 2772 \begin{array}{l} n=43\times67=2881 \\ p=43, q=67 \\ \phi(n)=42\times66=2772\\ exgcd: \left\{ \begin{array}{cl} x&=2772\\ y&=65\\ x-42y&=42\\ -x+43y&=23\\ 2x-85y&=19\\ -3x+128y&=4\\ 14x-597y&=3\\ -17x+725y&=1 \end{array}\right.\\ 私钥d=725\\ exgcd: \left\{ \begin{array}{cl} x&=2772\\ y&=31\\ x-89y&=13\\ -2x+179y&=5\\ 5x-447y&=3\\ -7x+626y&=2\\ 12x-1073y&=1\\ \end{array}\right.\\ (31)^{-1}\equiv 1699 \mod 2772 \end{array} n=43×67=2881p=43,q=67ϕ(n)=42×66=2772exgcd:⎩ ⎨ ⎧xyx−42y−x+43y2x−85y−3x+128y14x−597y−17x+725y=2772=65=42=23=19=4=3=1私钥d=725exgcd:⎩ ⎨ ⎧xyx−89y−2x+179y5x−447y−7x+626y12x−1073y=2772=31=13=5=3=2=1(31)−1≡1699mod2772