27 Functions of Number Theory Applications 27.15 Chinese Remainder Theorem 27.17 Other Applications

§27.16 Cryptography

Keywords:: Euler–Fermat theorem, cryptography, number theory, prime numbers, public key codes
Referenced by:: §23.20(iii), Other Changes
Permalink:: http://dlmf.nist.gov/27.16
Update (effective with 1.0.1):: The data in the second paragraph of this section was updated to 2010.
Reported 2011-01-07 by Francois Grieu

Applications to cryptography rely on the disparity in computer time required to find large primes and to factor large integers.

For example, a code maker chooses two large primes and of about 400 decimal digits each. Procedures for finding such primes require very little computer time. The primes are kept secret but their product , an 800-digit number, is made public. For this reason, these are often called public key codes. Messages are coded by a method (described below) that requires only the knowledge of . But to decode, both factors and must be known. With the most efficient computer techniques devised to date (2010), factoring an 800-digit number may require billions of years on a single computer. For this reason, the codes are considered unbreakable, at least with the current state of knowledge on factoring large numbers.

To code a message by this method, we replace each letter by two digits, say , , $\dots$ , , and divide the message into pieces of convenient length smaller than the public value . Choose a prime that does not divide either or . Like , the prime is made public. To code a piece , raise to the power and reduce $x^{r}$ modulo to obtain an integer (the coded form of ) between 1 and . Thus, $y\equiv x^{r}\;\;(\mathop{{\rm mod}}n)$ and $1\leq y<n$ .

To decode, we must recover from . To do this, let denote the reciprocal of modulo $\mathop{\phi\/}\nolimits\!\left(n\right)$ , so that $rs=1+t\mathop{\phi\/}\nolimits\!\left(n\right)$ for some integer . (Here $\mathop{\phi\/}\nolimits\!\left(n\right)$ is Euler’s totient (§27.2).) By the Euler–Fermat theorem (27.2.8), $x^{{\mathop{\phi\/}\nolimits\!\left(n\right)}}\equiv 1\;\;(\mathop{{\rm mod}}n)$ ; hence $x^{{t\mathop{\phi\/}\nolimits\!\left(n\right)}}\equiv 1\;\;(\mathop{{\rm mod}}n)$ . But $y^{s}\equiv x^{{rs}}\equiv x^{{1+t\mathop{\phi\/}\nolimits\!\left(n\right)}}% \equiv x\;\;(\mathop{{\rm mod}}n)$ , so $y^{s}$ is the same as modulo . In other words, to recover from we simply raise to the power and reduce modulo . If and are known, and $y^{s}$ can be determined (mod ) by straightforward calculations that require only a few minutes of machine time. But if and are not known, the problem of recovering from seems insurmountable.

For further information see Apostol and Niven (1994, p. 24), and for other applications to cryptography see Menezes et al. (1997) and Schroeder (2006).

© 2010–2013 NIST / Privacy Policy / Disclaimer / Feedback; Version 1.0.6; Release date 2013-05-06 Math-Image version (See MathML) . A Printed Companionis available. 27.15 Chinese Remainder Theorem 27.17 Other Applications