WEBVTT
00:00:00.500 --> 00:00:02.660
The following content is
provided under a Creative
00:00:02.660 --> 00:00:04.180
Commons license.
00:00:04.180 --> 00:00:06.520
Your support will help
MIT OpenCourseWare
00:00:06.520 --> 00:00:10.880
continue to offer high quality
educational resources for free.
00:00:10.880 --> 00:00:13.500
To make a donation or
view additional materials
00:00:13.500 --> 00:00:17.396
from hundreds of MIT courses,
visit MIT OpenCourseWare
00:00:17.396 --> 00:00:18.021
at ocw.mit.edu.
00:00:23.120 --> 00:00:26.280
PROFESSOR: So let's get ready.
00:00:26.280 --> 00:00:29.000
If good, you should
receive some handouts.
00:00:29.000 --> 00:00:36.767
So the TAs are walking around,
so you should slowly get those.
00:00:36.767 --> 00:00:38.600
This is the second
lecture on number theory,
00:00:38.600 --> 00:00:40.990
and we're going to cover
for a lot of stuff.
00:00:40.990 --> 00:00:42.510
And actually, we're
going to start
00:00:42.510 --> 00:00:48.540
with encryption, which is an
application of number theory.
00:00:48.540 --> 00:00:51.914
And we'll take that as a theme
throughout the whole lecture.
00:00:51.914 --> 00:00:54.455
And so, in this way, you can
see how useful number theory is.
00:00:58.410 --> 00:01:02.040
Now, encryption--
yeah, what is it?
00:01:02.040 --> 00:01:04.680
So let's first talk
about it a little bit.
00:01:04.680 --> 00:01:06.820
Maybe some of you
have heard about it.
00:01:06.820 --> 00:01:11.100
Cryptology in general is the
art of hiding information.
00:01:11.100 --> 00:01:13.660
And encryption is
a very useful tool.
00:01:13.660 --> 00:01:15.420
I'll only give a very
high level overview.
00:01:15.420 --> 00:01:17.544
I mean, if you really want
to know more about this,
00:01:17.544 --> 00:01:22.401
you should do a class in
crypto, or practical security.
00:01:22.401 --> 00:01:23.275
So what's encryption?
00:01:29.520 --> 00:01:32.970
The idea is usually
that, beforehand, we're
00:01:32.970 --> 00:01:39.490
going to share a
whole bunch of keys.
00:01:39.490 --> 00:01:47.370
So keys are exchanged between
a receiver and a sender.
00:01:47.370 --> 00:01:51.140
And the whole idea is that
if I want to transmit, like,
00:01:51.140 --> 00:01:54.380
a message to one
of you, well, there
00:01:54.380 --> 00:01:56.820
could be someone
in the middle who
00:01:56.820 --> 00:01:59.560
wants to intercept
my message, and wants
00:01:59.560 --> 00:02:01.060
to find out what I'm saying.
00:02:01.060 --> 00:02:02.690
So I do not like this.
00:02:02.690 --> 00:02:07.560
And in order to avoid it,
I will use encryption,
00:02:07.560 --> 00:02:13.600
which is some kind of algorithm
that actually transforms
00:02:13.600 --> 00:02:17.790
my message m-- my plain
message-- by using
00:02:17.790 --> 00:02:21.800
some kind of algorithm, E.
Some encryption algorithm--
00:02:21.800 --> 00:02:26.760
it can be a function as
well-- that uses the keys
00:02:26.760 --> 00:02:32.040
in order to transform this
into an encryption, which
00:02:32.040 --> 00:02:33.850
we call m prime here.
00:02:33.850 --> 00:02:38.370
So the plain text is, in the
clear, all the information
00:02:38.370 --> 00:02:41.260
that I want to convey to
one of you, for example.
00:02:41.260 --> 00:02:48.480
And m prime is somehow
a complete-- well,
00:02:48.480 --> 00:02:52.190
a mixture of bits,
out of which I'm not
00:02:52.190 --> 00:02:55.240
able to distill any information
about the plain text.
00:02:55.240 --> 00:02:58.080
So encryption to a very
special kind of thing.
00:02:58.080 --> 00:03:01.420
We're not going to talk about
the precise definitions here,
00:03:01.420 --> 00:03:05.650
but we just take the
ID into this lecture.
00:03:05.650 --> 00:03:10.810
Now, decryption is transforming
the cypher text back
00:03:10.810 --> 00:03:11.830
into the plain text.
00:03:11.830 --> 00:03:17.190
So we will start with
the encryption, m prime,
00:03:17.190 --> 00:03:19.820
and we have some kind
of decryption algorithm.
00:03:19.820 --> 00:03:24.050
And again, we can make use
of the keys we exchanged.
00:03:24.050 --> 00:03:27.910
And we transform it back
into the plain message.
00:03:27.910 --> 00:03:30.340
So only if I know the
keys, I can actually
00:03:30.340 --> 00:03:35.060
transform back the encrypted
version into the plain version.
00:03:35.060 --> 00:03:38.980
So in encryption schemes we
like both these algorithms
00:03:38.980 --> 00:03:41.430
to be is really efficient.
00:03:41.430 --> 00:03:45.680
And the security of such a
scheme-- well, the first kind
00:03:45.680 --> 00:03:48.780
of intuition that
we can get is well,
00:03:48.780 --> 00:03:51.800
if I'm a man in the
middle somewhere,
00:03:51.800 --> 00:03:55.740
intercepting an encrypted
message-- m prime--
00:03:55.740 --> 00:03:58.840
I should not be able to
get any information about m
00:03:58.840 --> 00:04:02.400
if I have no knowledge
about those keys.
00:04:02.400 --> 00:04:05.552
So this is the
example that we're
00:04:05.552 --> 00:04:10.160
going to take throughout
this whole lecture.
00:04:10.160 --> 00:04:17.440
So let's start with a
first possible scheme.
00:04:17.440 --> 00:04:25.380
Turing, who lived around
1936-- he was 24 years old--
00:04:25.380 --> 00:04:29.760
and he lived to
about-- actually,
00:04:29.760 --> 00:04:32.780
I think he was about
54 when he died.
00:04:32.780 --> 00:04:37.600
In any case, Turing was the one
who first originally proposed
00:04:37.600 --> 00:04:40.350
to use number theory
in cryptography.
00:04:40.350 --> 00:04:44.280
And before he joined the British
army, before the Second World
00:04:44.280 --> 00:04:49.270
War, he actually
proposed a scheme,
00:04:49.270 --> 00:04:50.700
but it got never published.
00:04:50.700 --> 00:04:52.480
So here in this
class, we are going
00:04:52.480 --> 00:04:56.000
to try to think about what
he could have thought about.
00:04:56.000 --> 00:04:59.540
So we will have a
first scheme, which
00:04:59.540 --> 00:05:04.510
we will call Turing's
code, version number one.
00:05:04.510 --> 00:05:07.490
And the whole idea
is that we're going
00:05:07.490 --> 00:05:11.520
to translate a message first
of all into a prime number,
00:05:11.520 --> 00:05:13.430
because we want to use numbers.
00:05:13.430 --> 00:05:14.930
We're here in
number theory class,
00:05:14.930 --> 00:05:17.230
so we want to use some
tricks with numbers in order
00:05:17.230 --> 00:05:18.810
to encrypt it.
00:05:18.810 --> 00:05:19.800
So let's do this.
00:05:24.620 --> 00:05:27.780
So for example, let's
take the word victory.
00:05:30.460 --> 00:05:33.270
We can map this into an integer.
00:05:33.270 --> 00:05:38.850
For example, we could
say, well, m is 22,
00:05:38.850 --> 00:05:42.250
where I map V to--
because I know
00:05:42.250 --> 00:05:46.600
V is the 22nd letter in the
alphabet, I just start with 22.
00:05:46.600 --> 00:05:52.890
I is the ninth letter in the
alphabet, so I append 09.
00:05:52.890 --> 00:05:57.470
C is the third letter in the
alphabet, I append 3-- 03.
00:05:57.470 --> 00:06:02.820
I continue like this
and in end, over here
00:06:02.820 --> 00:06:06.240
I've mapped Y to
the 25th letter.
00:06:06.240 --> 00:06:09.820
Because it's the 25th letter
of alphabet, I write 25.
00:06:09.820 --> 00:06:12.520
It turns out, I can just
add a couple of digits
00:06:12.520 --> 00:06:15.030
more, if I specially
compute those.
00:06:15.030 --> 00:06:18.630
In this case, I could
add 13, and then it
00:06:18.630 --> 00:06:20.250
changes into a prime number.
00:06:23.990 --> 00:06:26.000
Now we are not going to
talk about why this is,
00:06:26.000 --> 00:06:27.810
and how this can
be done, and so on.
00:06:27.810 --> 00:06:31.350
But it turns out that the
prime numbers are densely
00:06:31.350 --> 00:06:35.090
distributed over the integers,
and it's really possible to,
00:06:35.090 --> 00:06:39.110
just with a few extra
digits-- by selecting them
00:06:39.110 --> 00:06:41.820
in a smart way-- to actually
create a prime number.
00:06:41.820 --> 00:06:45.100
And also verify that it is a
prime number very efficiently.
00:06:45.100 --> 00:06:49.880
So it's very easy to compute--
to translate such a word
00:06:49.880 --> 00:06:51.490
into a prime number.
00:06:51.490 --> 00:06:53.600
So this is how it all starts.
00:06:53.600 --> 00:06:56.950
And just like in an
encryption scheme,
00:06:56.950 --> 00:07:04.490
beforehand we are going
to exchange a key.
00:07:04.490 --> 00:07:13.730
So we exchange the secret
prime in this example,
00:07:13.730 --> 00:07:15.790
which we call k.
00:07:15.790 --> 00:07:20.030
And the encryption
is very simple.
00:07:20.030 --> 00:07:24.210
We are just going to
multiply m with k.
00:07:24.210 --> 00:07:27.050
Now, you may wonder why this
is such a fantastic idea.
00:07:27.050 --> 00:07:29.750
But let's just bear with me.
00:07:29.750 --> 00:07:33.970
So m is this first prime
number, and we multiply it
00:07:33.970 --> 00:07:35.480
by a second prime
number, and that's
00:07:35.480 --> 00:07:38.810
going to be our encryption.
00:07:38.810 --> 00:07:40.132
Now how do we decrypt?
00:07:40.132 --> 00:07:42.090
That seems to be pretty
straightforward, right?
00:07:42.090 --> 00:07:44.560
How do we do it?
00:07:44.560 --> 00:07:47.350
We start off with m prime.
00:07:47.350 --> 00:07:50.490
I know we have exchanged
this secret prime k,
00:07:50.490 --> 00:07:54.110
so if I receive from
you this message--
00:07:54.110 --> 00:07:57.050
this encrypted message--
well, I know the key, k.
00:07:57.050 --> 00:07:59.820
So I just divide it by k.
00:07:59.820 --> 00:08:05.030
Well, which is m k
divided k, and I get m.
00:08:05.030 --> 00:08:07.730
So that's pretty
straightforward.
00:08:07.730 --> 00:08:10.880
Now, as it turns out actually--
and I'll write it up here,
00:08:10.880 --> 00:08:16.900
because we need it later-- that
it's not so trivial to actually
00:08:16.900 --> 00:08:23.020
just give an m prime to
figure out what m is, or k.
00:08:23.020 --> 00:08:26.450
m prime is a product of two
very large prime numbers,
00:08:26.450 --> 00:08:28.996
and that turns out to be
a really hard problem.
00:08:28.996 --> 00:08:30.370
Up to now, nobody
has really been
00:08:30.370 --> 00:08:34.159
able to get a really efficient
algorithm to solve that.
00:08:34.159 --> 00:08:36.610
So we may think this is secure.
00:08:36.610 --> 00:08:45.630
So let me write it down
It's hard to factor
00:08:45.630 --> 00:08:48.460
a product of two large primes.
00:08:57.850 --> 00:08:59.830
You will actually
need this also,
00:08:59.830 --> 00:09:02.970
when we come to the final
encryption scheme-- RSA
00:09:02.970 --> 00:09:05.580
that we will discuss,
which is widely used.
00:09:13.241 --> 00:09:14.740
But something is
wrong here, though.
00:09:14.740 --> 00:09:16.510
This seems to be
too simple, right?
00:09:16.510 --> 00:09:19.040
So what can we do if
we have like, say,
00:09:19.040 --> 00:09:22.970
suppose I intercept
two encrypted messages.
00:09:22.970 --> 00:09:23.680
What can I do?
00:09:31.800 --> 00:09:35.900
So suppose I have
a first message, m
00:09:35.900 --> 00:09:39.920
prime 1, which is the product
of a first plain message
00:09:39.920 --> 00:09:41.800
times the key, k.
00:09:41.800 --> 00:09:44.490
And I have a second
message that is
00:09:44.490 --> 00:09:49.480
encrypted by using the same
key, which is m 2 times k.
00:09:49.480 --> 00:09:51.730
Does anybody have an idea
what I could do here?
00:09:51.730 --> 00:09:55.400
AUDIENCE: Find the GCD and
that would give you the key.
00:09:55.400 --> 00:09:58.680
PROFESSOR: Yeah, you
could find the GCD
00:09:58.680 --> 00:10:04.000
of m 1 prime and m 2 prime.
00:10:04.000 --> 00:10:05.720
I've intercepted those two.
00:10:05.720 --> 00:10:08.220
Now, m 1 is a prime number.
00:10:08.220 --> 00:10:10.160
k is prime number, and
2 is a prime number.
00:10:10.160 --> 00:10:11.970
k is a prime number
here, also, right?
00:10:11.970 --> 00:10:16.690
So they're all relatively
prime towards one another.
00:10:16.690 --> 00:10:23.080
The GCD of these two-- well, the
greatest common divisor is k.
00:10:23.080 --> 00:10:27.390
So just by calculating the GCD
of the two encrypted messages,
00:10:27.390 --> 00:10:33.070
I'll be able to figure
out what k is-- the key.
00:10:33.070 --> 00:10:35.800
Well, if I know
the key, then I can
00:10:35.800 --> 00:10:38.440
do the decryption
of any cypher text,
00:10:38.440 --> 00:10:42.360
any encryption of a message
that I can intercept.
00:10:42.360 --> 00:10:44.730
So this is not secure.
00:10:44.730 --> 00:10:47.030
So how can we change this?
00:10:47.030 --> 00:10:53.870
Can we create a different
kind of encryption scheme?
00:10:53.870 --> 00:10:56.710
Let's do something
much more difficult,
00:10:56.710 --> 00:11:01.550
and then we will get into
modular arithmetic and things
00:11:01.550 --> 00:11:02.387
like that.
00:11:02.387 --> 00:11:03.095
So let's do this.
00:11:08.290 --> 00:11:11.950
So Turing's code,
version number two--
00:11:11.950 --> 00:11:15.420
we try to do something much
more complicated than just
00:11:15.420 --> 00:11:17.050
multiplying by prime.
00:11:17.050 --> 00:11:19.230
So let's do the following.
00:11:19.230 --> 00:11:27.270
So beforehand, we're
going to exchange not only
00:11:27.270 --> 00:11:33.890
a secret prime k, but we will
also exchange a public prime.
00:11:33.890 --> 00:11:39.430
So we exchange-- by public
we mean that anybody
00:11:39.430 --> 00:11:40.630
can see this prime.
00:11:40.630 --> 00:11:42.790
It's common knowledge.
00:11:42.790 --> 00:11:54.240
A public prime p, and
also a secret prime k.
00:11:54.240 --> 00:11:57.780
Let's see whether
this would work.
00:11:57.780 --> 00:11:58.595
We have encryption.
00:12:01.490 --> 00:12:04.680
Well, we're going to start
out exactly the same way.
00:12:07.870 --> 00:12:11.450
First of all, I should tell you
how a message is represented.
00:12:11.450 --> 00:12:19.360
The message is going to be
represented as a number, m,
00:12:19.360 --> 00:12:25.270
in the range from 0, 1,
all the way to p minus 1.
00:12:25.270 --> 00:12:31.988
And we will compute the
encryption as follows.
00:12:31.988 --> 00:12:38.970
m is going to be the
remainder of m times k,
00:12:38.970 --> 00:12:42.930
after dividing out as many
multiples of p as possible.
00:12:42.930 --> 00:12:45.560
So notice we do kind
of the same thing.
00:12:45.560 --> 00:12:47.830
We just multiply
by k, but now we
00:12:47.830 --> 00:12:51.730
just take the remainder
after taking out
00:12:51.730 --> 00:12:55.080
as many multiples of p.
00:12:55.080 --> 00:12:58.650
Well, let's see whether
we can do the decryption.
00:12:58.650 --> 00:13:01.950
It seems to be, like, a
next level of complexity.
00:13:01.950 --> 00:13:04.900
So maybe that'll
help us here, right?
00:13:04.900 --> 00:13:06.750
So how will we do decryption?
00:13:06.750 --> 00:13:09.630
Well, somehow we would
like to divide by k.
00:13:09.630 --> 00:13:11.940
But we cannot really
do that, right?
00:13:11.940 --> 00:13:15.570
This does not make any sense.
00:13:15.570 --> 00:13:17.990
So the decryption-- we
have no idea at this point
00:13:17.990 --> 00:13:19.410
how to do this.
00:13:19.410 --> 00:13:23.070
And now we can get into
modular arithmetic,
00:13:23.070 --> 00:13:26.220
because it turns out that
we can sort of divide by k.
00:13:26.220 --> 00:13:29.790
There exists what we call
multiplicative inverse
00:13:29.790 --> 00:13:31.720
of k modulo p.
00:13:31.720 --> 00:13:34.580
And I will explain all
those terminologies to you.
00:13:34.580 --> 00:13:39.260
And then we will be
able to take m prime,
00:13:39.260 --> 00:13:42.320
and transform it back to m.
00:13:42.320 --> 00:13:48.160
So we will be able to get a
lot of this machinery going.
00:13:48.160 --> 00:13:52.250
So let's find out
how this works.
00:13:52.250 --> 00:13:58.510
So first of all, last time we
saw that we defined a and b
00:13:58.510 --> 00:13:59.870
to be relatively prime.
00:13:59.870 --> 00:14:03.030
So let me repeat that.
00:14:03.030 --> 00:14:07.400
So a and b are relatively
prime if and only
00:14:07.400 --> 00:14:13.190
if-- that's how we define
it-- if the GCD of a and b
00:14:13.190 --> 00:14:13.810
is equal to 1.
00:14:13.810 --> 00:14:17.610
And in last lecture
and in the recitation,
00:14:17.610 --> 00:14:19.860
you got a different
proof, I think.
00:14:19.860 --> 00:14:25.300
And we proved that,
actually, the GCD of a and b
00:14:25.300 --> 00:14:28.560
is equal to the smallest
positive linear combination
00:14:28.560 --> 00:14:30.780
of a and b.
00:14:30.780 --> 00:14:32.880
So that means that
one, in particular,
00:14:32.880 --> 00:14:34.500
is a linear
combination of a and b.
00:14:34.500 --> 00:14:39.010
So there exists
integers-- s and t--
00:14:39.010 --> 00:14:44.041
such that s times a,
plus t times b equals 1.
00:14:44.041 --> 00:14:46.290
It turns out that it can
also go the other way around,
00:14:46.290 --> 00:14:51.930
because if I can write one as
a linear combination of a b,
00:14:51.930 --> 00:14:54.060
well I cannot get much
lower than that, right?
00:14:54.060 --> 00:14:56.730
So that's really the smallest
possible that I can achieve.
00:14:56.730 --> 00:15:00.080
So the GCD must be equal to 1.
00:15:00.080 --> 00:15:01.940
So this is a property
that we will be using.
00:15:06.130 --> 00:15:09.910
And from this property,
we can already figure out
00:15:09.910 --> 00:15:10.940
an interesting property.
00:15:10.940 --> 00:15:13.500
So suppose we have a
linear combination that
00:15:13.500 --> 00:15:15.100
looks like this.
00:15:15.100 --> 00:15:17.720
Then you can imagine
that, sort of,
00:15:17.720 --> 00:15:22.260
that s times a is equal
to 1, plus or minus
00:15:22.260 --> 00:15:26.300
some linear multiple of b.
00:15:26.300 --> 00:15:30.200
So it's sort of-- s times
a is sort of equal to 1,
00:15:30.200 --> 00:15:33.480
you can say, up to
a multiple of b.
00:15:33.480 --> 00:15:39.000
So you can see a sort
of as an inverse of s.
00:15:39.000 --> 00:15:42.380
Because s times a is
equal to one, sort of.
00:15:42.380 --> 00:15:45.660
So this is what we're going
to use-- this kind of feeling.
00:15:45.660 --> 00:15:50.745
And in order to do that, we
are going to define congruency.
00:15:55.230 --> 00:15:58.300
So that's the first
definition for this lecture.
00:15:58.300 --> 00:16:10.940
We say x is congruent
to y modulo n,
00:16:10.940 --> 00:16:18.160
if-- which we denote as
follows-- x with three bars,
00:16:18.160 --> 00:16:22.460
y in between brackets, mod n.
00:16:22.460 --> 00:16:31.330
And we say that this is
the case if n divides
00:16:31.330 --> 00:16:34.150
the difference between x and y.
00:16:34.150 --> 00:16:36.845
So let's have a look
at some examples.
00:16:44.580 --> 00:16:49.130
So let's take 31,
and I would like
00:16:49.130 --> 00:16:53.250
to show to you that
this is congruent to 16
00:16:53.250 --> 00:16:57.570
modulo, between brackets, 5.
00:16:57.570 --> 00:16:58.550
Why is this?
00:16:58.550 --> 00:17:02.910
Well, I take the difference
between 31 and 16, which is 15,
00:17:02.910 --> 00:17:08.700
and I know that 15 is 3 times
5, so 5 divides this difference.
00:17:08.700 --> 00:17:12.210
And then by definition,
we can write it like this.
00:17:12.210 --> 00:17:14.390
And we say-- that's
the definition--
00:17:14.390 --> 00:17:17.730
31 is congruent to 16 modulo 5.
00:17:17.730 --> 00:17:24.290
Another example is-- no, we
will stick with this example.
00:17:24.290 --> 00:17:26.569
It's pretty clear.
00:17:26.569 --> 00:17:31.920
So once we have defined this,
we can continue and talk
00:17:31.920 --> 00:17:34.310
about this inverse that
I was talking about.
00:17:34.310 --> 00:17:39.020
So we like to, sort of, explain
in this encryption scheme
00:17:39.020 --> 00:17:42.540
how we can divide by k.
00:17:42.540 --> 00:17:46.310
Actually, we would like to
multiply by an inverse of k.
00:17:46.310 --> 00:17:50.420
And we're going to
use this framework.
00:17:50.420 --> 00:17:54.140
So we'll have a
new definition that
00:17:54.140 --> 00:17:56.950
talks about the
multiplicative inverse.
00:17:56.950 --> 00:17:59.180
So it's a new concept.
00:17:59.180 --> 00:18:01.780
And you'll give a
couple of examples.
00:18:01.780 --> 00:18:15.350
So the multiplicative
inverse of x modulo n
00:18:15.350 --> 00:18:24.240
is a number, which we
denote by x and then minus 1
00:18:24.240 --> 00:18:27.290
on top of here.
00:18:27.290 --> 00:18:34.960
It's a number in the interval 0,
1, all the way up to n minus 1.
00:18:34.960 --> 00:18:41.800
Such that x times
x inverse-- so x
00:18:41.800 --> 00:18:44.190
times its
multiplicative inverse--
00:18:44.190 --> 00:18:49.440
is congruent to 1 modulo n.
00:18:49.440 --> 00:18:52.810
So this is the definition
for a multiplicative inverse.
00:18:52.810 --> 00:18:55.180
So let's have some examples.
00:19:00.440 --> 00:19:02.890
So let's do that over here.
00:19:02.890 --> 00:19:10.690
For example, we have that 2
times 3-- which equals 6--
00:19:10.690 --> 00:19:15.900
is equal to 1 modulo 5.
00:19:15.900 --> 00:19:16.680
Why is this?
00:19:16.680 --> 00:19:20.310
Well, 6 minus 1
is divisible by 5,
00:19:20.310 --> 00:19:24.720
so I know is congruent
to 1 modulo 5.
00:19:24.720 --> 00:19:27.130
So what does this mean?
00:19:27.130 --> 00:19:29.160
Well, we can say
that two is actually
00:19:29.160 --> 00:19:36.460
equal to the multiplicative
inverse of 3 modulo 5.
00:19:36.460 --> 00:19:42.060
We can also say that write 3
is the multiplicative inverse
00:19:42.060 --> 00:19:45.450
of 2 modulo 5.
00:19:45.450 --> 00:19:48.800
Let's have another example, just
to make it a little bit more
00:19:48.800 --> 00:19:51.150
clear.
00:19:51.150 --> 00:19:54.370
We know that 5
times 5 equals 25,
00:19:54.370 --> 00:19:57.370
and this is
congruent to 1 modulo
00:19:57.370 --> 00:20:03.150
6, because 25 is
1 plus 4 times 6.
00:20:03.150 --> 00:20:05.040
So now we see something
funny happening,
00:20:05.040 --> 00:20:11.030
because 5 is actually equal to
its own multiplicative inverse
00:20:11.030 --> 00:20:11.720
modulo 6.
00:20:18.470 --> 00:20:21.310
So are there any questions
about these concepts?
00:20:21.310 --> 00:20:24.630
Because these are really
basic for the whole lecture,
00:20:24.630 --> 00:20:27.073
and this is what you really
need to understand if you do
00:20:27.073 --> 00:20:29.990
all the problem sets as well.
00:20:29.990 --> 00:20:32.160
Are there any questions?
00:20:32.160 --> 00:20:36.910
So now we can
actually start talking
00:20:36.910 --> 00:20:44.670
about this second version of the
Turing code that we invented.
00:20:44.670 --> 00:20:46.450
Let's have a look
at this remainder.
00:20:46.450 --> 00:20:48.430
So let's write it out again.
00:20:48.430 --> 00:20:53.750
The remainder of m times
k, after dividing out
00:20:53.750 --> 00:20:56.230
as many multiples of p.
00:20:56.230 --> 00:21:02.030
Well, we know that this is
congruent to m times k modulo
00:21:02.030 --> 00:21:03.990
p.
00:21:03.990 --> 00:21:06.020
So why is this?
00:21:06.020 --> 00:21:08.562
Well, we just apply the
definition over here.
00:21:08.562 --> 00:21:10.270
We take the difference
between those two.
00:21:10.270 --> 00:21:14.810
So here we have the
remainder of m times k,
00:21:14.810 --> 00:21:18.930
after dividing out as
many multiples of p.
00:21:18.930 --> 00:21:22.470
And if you subtract
that from m times k,
00:21:22.470 --> 00:21:26.350
well then we have something
that is a multiple of p,
00:21:26.350 --> 00:21:28.560
because that's what
we divided out.
00:21:28.560 --> 00:21:32.570
So the difference
is a multiple of p,
00:21:32.570 --> 00:21:34.810
so that means that p
divides the difference.
00:21:34.810 --> 00:21:37.950
And that's the definition of
saying that this remainder is
00:21:37.950 --> 00:21:40.540
congruent m k modulo p.
00:21:40.540 --> 00:21:44.750
So this is kind of
interesting, because now we
00:21:44.750 --> 00:21:48.570
can rewrite over there--
well, not really rewrite,
00:21:48.570 --> 00:21:53.240
but we can use this to analyze
the encryption over here.
00:21:53.240 --> 00:21:58.640
So m prime is equal
to this remainder.
00:21:58.640 --> 00:22:00.070
And we get a
beautifully equation.
00:22:00.070 --> 00:22:04.260
We see that the encryption is
congruent to the plain message,
00:22:04.260 --> 00:22:06.930
times the key modulo p.
00:22:06.930 --> 00:22:09.140
So how do I do decryption?
00:22:09.140 --> 00:22:12.330
I can use the multiplicative
inverse of k, right?
00:22:12.330 --> 00:22:15.510
So then I can divide k out.
00:22:18.770 --> 00:22:20.640
So let's write this out as well.
00:22:20.640 --> 00:22:25.410
So suppose I have a
multiplicative inverse--
00:22:25.410 --> 00:22:33.230
k to the power minus 1-- that
is congruent to 1 modulo p.
00:22:33.230 --> 00:22:34.710
Why do I do this?
00:22:34.710 --> 00:22:36.870
Why am I writing this out?
00:22:36.870 --> 00:22:39.950
Because you will see
that it is not always
00:22:39.950 --> 00:22:42.840
possible to have a
multiplicative inverse.
00:22:42.840 --> 00:22:45.170
That's going to be
really a big problem.
00:22:45.170 --> 00:22:50.380
And that's where all
these other functions
00:22:50.380 --> 00:22:53.330
come in-- the Euler totient
function and Euler's theorem,
00:22:53.330 --> 00:22:55.020
and so on.
00:22:55.020 --> 00:22:56.910
So it's not really
always the case.
00:22:56.910 --> 00:22:58.410
We'll give an
example in a moment.
00:22:58.410 --> 00:23:02.610
But suppose that we have a
multiplicative inverse-- modulo
00:23:02.610 --> 00:23:08.130
p-- well, then I'm
able to easily compute.
00:23:08.130 --> 00:23:13.810
I take m prime, I multiply
it with k inverse.
00:23:13.810 --> 00:23:21.630
Well, I'm substituting for
m prime, m times k-- times
00:23:21.630 --> 00:23:22.600
k inverse.
00:23:22.600 --> 00:23:24.500
I still have this left.
00:23:24.500 --> 00:23:29.690
Now I can say that this
is equal to 1 modulo p.
00:23:32.220 --> 00:23:39.030
So this is equal, or is
congruent, to m modulo p.
00:23:39.030 --> 00:23:41.440
So now we see how we
can do decryption.
00:23:41.440 --> 00:23:45.090
We simply use the
multiplicative inverse of k.
00:23:45.090 --> 00:23:48.700
And as in the first
Turing code, we
00:23:48.700 --> 00:23:51.710
are able to somehow
divide out-- so where
00:23:51.710 --> 00:23:54.346
did I have it-- to divide out k.
00:23:54.346 --> 00:23:56.470
I did it very differently--
I have a very different
00:23:56.470 --> 00:24:01.090
mathematical structure-- but the
idea is, essentially, the same.
00:24:01.090 --> 00:24:04.720
I have a multiplicative
inverse of k,
00:24:04.720 --> 00:24:07.710
and if I multiply this
with the encryption,
00:24:07.710 --> 00:24:10.920
I will get the plain
message, modulo p.
00:24:10.920 --> 00:24:13.660
So, am I finished
now is the question.
00:24:13.660 --> 00:24:21.150
Well, I know that m is in the
range of 0, 1, all the way up
00:24:21.150 --> 00:24:23.480
to p minus 1.
00:24:23.480 --> 00:24:29.150
So this means that I
can also rewrite m as--
00:24:29.150 --> 00:24:32.300
and I use a similar trick
as what I did over here--
00:24:32.300 --> 00:24:39.090
I can rewrite m as they
remainder of m prime times k
00:24:39.090 --> 00:24:45.210
inverse, after dividing out as
many copies of p as possible.
00:24:45.210 --> 00:24:48.590
So what we did here
is to first prove
00:24:48.590 --> 00:24:53.290
that the difference between
those two is a multiple of p.
00:24:53.290 --> 00:24:56.730
That's essentially
what congruent modulo p
00:24:56.730 --> 00:24:59.350
means-- that's the definition.
00:24:59.350 --> 00:25:02.890
So now that I know that the
difference is a multiple of p,
00:25:02.890 --> 00:25:09.350
and if I know that m is actually
in this range up to p minus 1,
00:25:09.350 --> 00:25:12.460
I can use what we
learned last lecture--
00:25:12.460 --> 00:25:16.230
and what the book was talking
about-- that the definition
00:25:16.230 --> 00:25:20.400
of the remainder of m prime
times k inverse-- this thing--
00:25:20.400 --> 00:25:22.350
after finding out
as many copies of p,
00:25:22.350 --> 00:25:25.440
is exactly this plain message m.
00:25:25.440 --> 00:25:27.234
OK, so now we the decryption.
00:25:27.234 --> 00:25:28.150
So this is decryption.
00:25:30.870 --> 00:25:35.040
And that sounds great.
00:25:35.040 --> 00:25:38.520
So now, of course, we
are wondering, well,
00:25:38.520 --> 00:25:43.170
if we can do this, can we also
attack this scheme, right?
00:25:43.170 --> 00:25:46.920
Can we do something bad with it?
00:25:46.920 --> 00:25:49.380
Well, it can be used
to break this code,
00:25:49.380 --> 00:25:52.730
but in a slightly
more complicated way.
00:25:55.700 --> 00:25:59.750
So let's see where I put that.
00:25:59.750 --> 00:26:04.290
Right, so what we are
going to use, now-- so when
00:26:04.290 --> 00:26:06.700
we talk about
security, and so on,
00:26:06.700 --> 00:26:08.560
you can think of
all kinds of ways
00:26:08.560 --> 00:26:10.940
to break an encryption scheme.
00:26:10.940 --> 00:26:14.620
So we started out with,
in the first version,
00:26:14.620 --> 00:26:17.140
well, what if I just
know the encryption?
00:26:17.140 --> 00:26:21.940
And then, well, I cannot know
anything about the plain text,
00:26:21.940 --> 00:26:25.720
simply because I know that it's
very hard to factor a product
00:26:25.720 --> 00:26:27.080
of two large primes.
00:26:27.080 --> 00:26:29.920
Then I said, but suppose
I know a little bit more
00:26:29.920 --> 00:26:30.660
as an adversary.
00:26:30.660 --> 00:26:33.580
Suppose I have a
plain message together
00:26:33.580 --> 00:26:37.430
with an encrypted message.
00:26:37.430 --> 00:26:39.600
Well, then I could
do this GCD trick
00:26:39.600 --> 00:26:43.000
and figure out and
break the scheme.
00:26:43.000 --> 00:26:45.310
And now we're going to
do something similar.
00:26:45.310 --> 00:26:52.290
And we say, well, suppose that
I do not know two encryptions,
00:26:52.290 --> 00:26:55.470
but I know a plain message.
00:26:55.470 --> 00:26:59.000
And in corresponding,
encrypted message.
00:26:59.000 --> 00:27:03.170
So if I know such a pair,
which is-- I mean, in practice,
00:27:03.170 --> 00:27:06.220
such type of information
will be leaked.
00:27:06.220 --> 00:27:07.740
Then in this case,
I can break it.
00:27:07.740 --> 00:27:12.700
So we call this the known
the plain text attack.
00:27:12.700 --> 00:27:21.760
And it assumes that we
know-- as an adversary,
00:27:21.760 --> 00:27:31.010
I know a message-- a plain
message, m-- and also
00:27:31.010 --> 00:27:40.330
an encryption of this
message, m prime.
00:27:40.330 --> 00:27:42.300
And m prime, according
to this scheme,
00:27:42.300 --> 00:27:47.590
is the remainder of m times
k, after the dividing out
00:27:47.590 --> 00:27:51.480
as many multiples
of p as possible.
00:27:51.480 --> 00:27:54.330
Now, we saw-- now,
suppose I know these two.
00:27:54.330 --> 00:27:56.550
I'm going to show
you how to break it.
00:27:56.550 --> 00:27:59.750
So let's have a look.
00:27:59.750 --> 00:28:04.860
The encryption, m prime, is
congruent to m times k modulo
00:28:04.860 --> 00:28:06.160
p.
00:28:06.160 --> 00:28:09.100
We just proved it over here.
00:28:09.100 --> 00:28:11.740
And what do we know?
00:28:11.740 --> 00:28:14.400
We know that p is
a public prime.
00:28:14.400 --> 00:28:16.590
I know p.
00:28:16.590 --> 00:28:24.290
Since it's a prime, I know that
the GCD of m and p equals 1.
00:28:24.290 --> 00:28:26.630
So these two are
relatively prime.
00:28:26.630 --> 00:28:29.500
So now if they are
relatively prime--
00:28:29.500 --> 00:28:31.620
and that's what
we wrote up here--
00:28:31.620 --> 00:28:35.080
we know that there exists
this linear combination
00:28:35.080 --> 00:28:43.310
of, in this case, m and
p that is equal to 1.
00:28:43.310 --> 00:28:45.740
And this way we
can figure out how
00:28:45.740 --> 00:28:51.590
to compute the inverse-- the
multiplicative inverse of m.
00:28:51.590 --> 00:28:54.020
So that's what
we're going to do.
00:28:54.020 --> 00:29:01.870
So we can compute and the
multiplicative inverse, such
00:29:01.870 --> 00:29:09.250
that m times m inverse is
congruent to 1 modulo p.
00:29:12.040 --> 00:29:15.190
So now we can do the next step.
00:29:15.190 --> 00:29:17.780
So what could I do next?
00:29:17.780 --> 00:29:21.890
So let's see, if I
have such an inverse,
00:29:21.890 --> 00:29:25.530
then I can take my
encrypted message
00:29:25.530 --> 00:29:30.330
that I have as an
attacker, which is m prime.
00:29:30.330 --> 00:29:33.310
I know m, and
since p was public,
00:29:33.310 --> 00:29:36.150
I can compute this
multiplicative inverse.
00:29:36.150 --> 00:29:40.370
So I could just
compute this product,
00:29:40.370 --> 00:29:46.350
and I know that this is actually
equal to, well, k times m times
00:29:46.350 --> 00:29:47.580
m inverse.
00:29:47.580 --> 00:29:51.370
This is again equal to--
congruent to 1 modulo p.
00:29:51.370 --> 00:29:55.700
So this is equal to k modulo p.
00:29:55.700 --> 00:29:59.080
So now, all of a sudden,
I know k modulo p,
00:29:59.080 --> 00:30:01.060
because I know those two.
00:30:01.060 --> 00:30:06.990
So if I know k, I can compute
its multiplicative inverse.
00:30:06.990 --> 00:30:13.230
So I can compute k
inverse modulo p.
00:30:13.230 --> 00:30:15.930
And if I know k
inverse, again, I
00:30:15.930 --> 00:30:20.690
can use it to decrypt any
other encrypted message
00:30:20.690 --> 00:30:22.290
that I receive.
00:30:22.290 --> 00:30:25.220
So for all future
encrypted messages,
00:30:25.220 --> 00:30:28.460
I do not need anymore
the plain messages.
00:30:28.460 --> 00:30:32.990
I've already used-- just
by using one plain message
00:30:32.990 --> 00:30:37.280
encryption pair, I have been
able to compute the secret key,
00:30:37.280 --> 00:30:39.990
and the whole scheme is broken.
00:30:39.990 --> 00:30:46.890
So security is kind of
an interesting science.
00:30:46.890 --> 00:30:49.040
We can always think
of more tricks
00:30:49.040 --> 00:30:53.480
to break schemes, or
other assumptions,
00:30:53.480 --> 00:30:56.070
that we haven't
thought about before.
00:30:56.070 --> 00:31:02.120
And so now, let's talk about--
so what did we do here?
00:31:04.750 --> 00:31:10.900
We have been talking about
encryption-- these two schemes.
00:31:10.900 --> 00:31:14.050
We talked about
modular arithmetic.
00:31:14.050 --> 00:31:16.060
We talked about
congruence, and also
00:31:16.060 --> 00:31:18.060
the multiplicative inverse.
00:31:18.060 --> 00:31:22.490
And we showed how to use that
to break Turing's code, version
00:31:22.490 --> 00:31:24.080
number two.
00:31:24.080 --> 00:31:26.910
So we need something
much more fundamental
00:31:26.910 --> 00:31:30.300
in order to create a scheme
that is really secure.
00:31:30.300 --> 00:31:32.070
And that's what we're
going to do now.
00:31:32.070 --> 00:31:35.820
We're going to start off with
Euler's totient function,
00:31:35.820 --> 00:31:38.780
and improve a related theorem.
00:31:38.780 --> 00:31:43.070
And with that we will be
able to actually explain
00:31:43.070 --> 00:31:46.490
RSA algorithm, which is a
famous algorithm invented here
00:31:46.490 --> 00:31:52.760
at MIT in 1977, by Rivest,
Shamir, and Adleman.
00:31:52.760 --> 00:31:55.820
And they actually also
got the Turing Award
00:31:55.820 --> 00:31:58.600
for this a few years ago.
00:31:58.600 --> 00:32:03.200
And it's widely
used in practice.
00:32:03.200 --> 00:32:05.070
But we will be able
to actually explain
00:32:05.070 --> 00:32:08.770
this algorithm with just this
fundamental piece of number
00:32:08.770 --> 00:32:09.490
theory.
00:32:09.490 --> 00:32:10.962
So that's really exciting.
00:32:10.962 --> 00:32:11.670
So let's do this.
00:32:16.390 --> 00:32:20.425
So we're going to first define
Euler's totient function.
00:32:31.290 --> 00:32:33.580
And it's related to this
multiplicative inverse.
00:32:48.510 --> 00:32:52.890
This function is
denoted phi of n,
00:32:52.890 --> 00:33:10.350
and it denote the
number of the integers
00:33:10.350 --> 00:33:16.460
in 1, 2, 3-- all the way
up to n minus 1, that
00:33:16.460 --> 00:33:29.400
are relatively prime to n.
00:33:29.400 --> 00:33:35.280
So this just drops out of
the air, you may think.
00:33:35.280 --> 00:33:40.830
But this is a
fundamental quantity,
00:33:40.830 --> 00:33:43.830
and Euler's theorem is what
we will try to prove next.
00:33:43.830 --> 00:33:45.750
But let's give a
couple of examples
00:33:45.750 --> 00:33:50.350
about this, just to
see how it works.
00:33:53.430 --> 00:33:58.070
So for example, let's
take n to be equal to 12.
00:33:58.070 --> 00:34:02.270
What would be the value of
Euler's totient function,
00:34:02.270 --> 00:34:05.150
evaluated for 12?
00:34:05.150 --> 00:34:15.010
So if you take 12, we have the
following numbers to consider.
00:34:15.010 --> 00:34:23.480
1, 2, 3, 4, 5, 6, 7,
8, 9, 10,11, and 12.
00:34:23.480 --> 00:34:24.900
So now, let's have a look.
00:34:27.996 --> 00:34:29.729
You want to count
the integers that
00:34:29.729 --> 00:34:31.850
are relatively prime to 12.
00:34:34.429 --> 00:34:37.230
Well, 1 is relatively
prime to 12.
00:34:37.230 --> 00:34:38.179
Why is that?
00:34:38.179 --> 00:34:42.570
Because to GCD of 12
and 1 is equal to 1,
00:34:42.570 --> 00:34:44.770
and that's the definition
of being relatively prime.
00:34:44.770 --> 00:34:47.510
So this is a good number.
00:34:47.510 --> 00:34:52.730
The GCD of 12 and 2, well
both are divisible by 2.
00:34:52.730 --> 00:34:55.685
So they're not relatively
prime, because the GCD
00:34:55.685 --> 00:34:56.909
is at least two.
00:34:56.909 --> 00:34:59.120
In this case, equal to 2.
00:34:59.120 --> 00:35:01.388
3 also divides 12.
00:35:01.388 --> 00:35:03.410
4 divides 12.
00:35:03.410 --> 00:35:07.020
5 is relatively prime
with respect to 12.
00:35:07.020 --> 00:35:11.500
6 actually is
dividing 12 as well.
00:35:11.500 --> 00:35:16.680
7 is relatively prime,
and 11 over here as well.
00:35:16.680 --> 00:35:19.510
And all the others have
a greatest common divisor
00:35:19.510 --> 00:35:21.390
that's larger than 1.
00:35:21.390 --> 00:35:26.010
So here we see that the Euler's
totient function evaluated
00:35:26.010 --> 00:35:28.100
in 12 is equal to 4.
00:35:28.100 --> 00:35:31.720
There are one, two,
three, four integers
00:35:31.720 --> 00:35:34.250
that are relatively prime.
00:35:34.250 --> 00:35:36.800
OK, so let's have
a different one.
00:35:36.800 --> 00:35:39.200
Say, n equals 15.
00:35:39.200 --> 00:35:42.040
It's little bit different,
because here you
00:35:42.040 --> 00:35:45.013
may think this is kind
of coincidental that 1,
00:35:45.013 --> 00:35:48.870
5, 7, and 11 are
actually, also, primes.
00:35:48.870 --> 00:35:50.780
But for 15 it looks a
little bit different.
00:35:55.300 --> 00:36:01.150
So let's write out
all the numbers.
00:36:01.150 --> 00:36:02.590
Again, let's have a look.
00:36:02.590 --> 00:36:04.750
Well, one is the
greatest common divisor
00:36:04.750 --> 00:36:08.290
equal to 1, with respect to 15.
00:36:08.290 --> 00:36:13.240
2 is also relatively
prime, with respect to 15.
00:36:13.240 --> 00:36:14.416
3 is dividing 15.
00:36:14.416 --> 00:36:20.200
4-- yeah, 4 and 15 have greatest
common divisor equal to 1.
00:36:20.200 --> 00:36:23.400
So that's relatively prime.
00:36:23.400 --> 00:36:25.200
5 is not.
00:36:25.200 --> 00:36:25.930
6 is not.
00:36:25.930 --> 00:36:27.540
7 is relatively prime.
00:36:27.540 --> 00:36:31.260
8-- again, this is only
divisible by power of 2,
00:36:31.260 --> 00:36:35.780
and this has no
power of 2 in it.
00:36:35.780 --> 00:36:41.750
9, 10 are-- this one is
divisible by 5, divisible by 3.
00:36:41.750 --> 00:36:44.520
11 is, again, relatively prime.
00:36:44.520 --> 00:36:48.100
And then we have 13 is
relatively prime as well.
00:36:48.100 --> 00:36:50.460
And 14 as well, because
this is 2 times 7,
00:36:50.460 --> 00:36:52.240
and this is 3 times 5.
00:36:52.240 --> 00:36:53.880
So how many do we see now?
00:36:53.880 --> 00:36:57.722
1, 2, 3, 4, 5, 6, 7, 8.
00:37:01.660 --> 00:37:04.570
So the Euler's totient
function evaluated in 15
00:37:04.570 --> 00:37:05.540
is actually equal to 8.
00:37:05.540 --> 00:37:10.240
Now, it turns out
that this function has
00:37:10.240 --> 00:37:13.560
really nice properties,
and you can easily
00:37:13.560 --> 00:37:18.610
calculate-- if you know
the decomposition of n
00:37:18.610 --> 00:37:21.340
into its primes, and
powers of primes--
00:37:21.340 --> 00:37:28.190
you can easily compute
this number, phi of n.
00:37:28.190 --> 00:37:30.300
Now, you will be able to
find this in the book.
00:37:30.300 --> 00:37:31.160
You should read it.
00:37:31.160 --> 00:37:35.340
And also, problem
set talks about this.
00:37:35.340 --> 00:37:38.820
But for now, let's
just talk about this
00:37:38.820 --> 00:37:40.950
is an abstract notion,
because that's all
00:37:40.950 --> 00:37:43.370
that we will use
in this lecture.
00:37:43.370 --> 00:37:44.940
But you will have
a few exercises
00:37:44.940 --> 00:37:48.170
to talk about computing
this kind of stuff.
00:37:48.170 --> 00:37:58.410
OK, so let's talk about Euler's
totient function and Euler's
00:37:58.410 --> 00:37:59.140
theorem.
00:37:59.140 --> 00:38:04.325
So let me use this blackboard.
00:38:14.260 --> 00:38:17.800
Now, this is really
an exciting theorem.
00:38:17.800 --> 00:38:20.110
And it's a little
bit hard to prove.
00:38:20.110 --> 00:38:24.810
So why we'll need a little
bit more time to do this.
00:38:24.810 --> 00:38:27.430
Euler's theorem
says the following.
00:38:27.430 --> 00:38:34.750
If the GCD of n and
k is equal to 1,
00:38:34.750 --> 00:38:42.520
then k to the power [INAUDIBLE]
the Euler's totient function
00:38:42.520 --> 00:38:50.280
evaluated in n is actually
congruent to 1 modulo n.
00:38:50.280 --> 00:38:52.340
So this is what we're
going to prove here.
00:38:52.340 --> 00:38:54.920
So why is this so interesting?
00:38:54.920 --> 00:38:57.760
Well, we'll talk about
an application which
00:38:57.760 --> 00:39:00.160
is a direct consequence of
this theorem, which we'll
00:39:00.160 --> 00:39:02.550
call Fermat's little theorem.
00:39:02.550 --> 00:39:07.430
And that, in turn, we will use
to explain the RSA algorithm,
00:39:07.430 --> 00:39:11.480
and show how the decryption
works, and so on.
00:39:11.480 --> 00:39:13.000
So how can we prove this?
00:39:21.450 --> 00:39:37.570
It will start with
a first lemma,
00:39:37.570 --> 00:39:41.310
and then we're going to do a few
tricks-- mathematical tricks,
00:39:41.310 --> 00:39:42.510
you will see it.
00:39:42.510 --> 00:39:48.960
So the first lemma
is that if I know
00:39:48.960 --> 00:39:52.120
that the GCD-- which is
what we are assuming,
00:39:52.120 --> 00:39:55.646
the statement of the theorum--
if I know that the GCD of n
00:39:55.646 --> 00:40:04.480
and k equals 1, then I
know that and a times k--
00:40:04.480 --> 00:40:12.720
if a times k is congruent
to b times k modulo n,
00:40:12.720 --> 00:40:17.890
then this applies that a
is congruent to b modulo n.
00:40:17.890 --> 00:40:21.435
All this seems to be kind
of a straightforward lemma.
00:40:21.435 --> 00:40:24.180
I will only talk
about its proof.
00:40:24.180 --> 00:40:25.550
So how do we do it?
00:40:25.550 --> 00:40:29.790
Well, first of all, I know that
the GCD of n and k equals 1.
00:40:29.790 --> 00:40:36.440
So that means that I can create
a multiplicative inverse,
00:40:36.440 --> 00:40:41.970
because I know that there's
such a linear combination that
00:40:41.970 --> 00:40:46.240
will ends up to 1.
00:40:46.240 --> 00:40:50.140
So I have the
multiplicative inverse.
00:40:50.140 --> 00:40:55.330
I multiply both sides with
this, and then I will end up to,
00:40:55.330 --> 00:40:57.230
a is congruent to b modulo n.
00:40:57.230 --> 00:40:59.300
And actually, you can
use some of the facts
00:40:59.300 --> 00:41:02.670
on your sheet to prove this.
00:41:02.670 --> 00:41:05.280
And in the problem
set, you probably
00:41:05.280 --> 00:41:09.020
have seen that there
are a number of problems
00:41:09.020 --> 00:41:09.875
related to this.
00:41:13.080 --> 00:41:15.610
So you will recognize this,
and prove a few of these things
00:41:15.610 --> 00:41:17.410
yourself.
00:41:17.410 --> 00:41:24.570
OK, so this is-- so let me see.
00:41:29.380 --> 00:41:31.960
So let me see what
we have done here.
00:41:34.610 --> 00:41:37.680
Actually, I noticed that
I've missed one statement
00:41:37.680 --> 00:41:40.600
that I would like to
explicitly mention.
00:41:40.600 --> 00:41:43.510
I mean, I've used
it a few times.
00:41:43.510 --> 00:41:45.740
Let me do that first.
00:41:45.740 --> 00:41:56.740
Which is that, we know that if
the GCD of n and k equals 1,
00:41:56.740 --> 00:42:02.460
then-- this is if, and
only if, the case-- if k
00:42:02.460 --> 00:42:09.780
has a multiplicative inverse--
I've not yet explicitly stated
00:42:09.780 --> 00:42:16.400
it-- and we can
easily see this--
00:42:16.400 --> 00:42:21.000
let me just give a quick
proof to show how this works.
00:42:23.960 --> 00:42:31.050
Well, if the GCD is
equal to 1, then we
00:42:31.050 --> 00:42:34.090
use the statement up there.
00:42:34.090 --> 00:42:37.530
So this is if,
and only if, there
00:42:37.530 --> 00:42:40.470
exists a linear combination.
00:42:40.470 --> 00:42:46.250
So an s and a t, such that
n times s plus k times t
00:42:46.250 --> 00:42:48.170
equals 1.
00:42:48.170 --> 00:42:56.450
Well, then I also know that
there exists a t such that,
00:42:56.450 --> 00:43:01.280
actually, the difference
between 1 and k times t
00:43:01.280 --> 00:43:03.740
is divisible by n.
00:43:03.740 --> 00:43:10.716
So n divides the difference
of k times t minus 1.
00:43:10.716 --> 00:43:12.080
So why is that?
00:43:12.080 --> 00:43:14.570
Well, if I look at the
difference between k times
00:43:14.570 --> 00:43:17.580
t and 1, the difference
is n times s.
00:43:17.580 --> 00:43:20.640
And n times s is divisible by n.
00:43:20.640 --> 00:43:24.480
So now, by the
definition of congruence,
00:43:24.480 --> 00:43:26.710
I just apply the
definition over here.
00:43:26.710 --> 00:43:28.390
We have written it out here.
00:43:28.390 --> 00:43:37.470
We can say that k times t
is congruent to 1 modulo n.
00:43:37.470 --> 00:43:41.970
And this is the definition of
the multiplication inverse.
00:43:41.970 --> 00:43:46.000
So we have essentially
shown that if the greatest
00:43:46.000 --> 00:43:48.650
common divisors in
any case equal to 1,
00:43:48.650 --> 00:43:52.380
then it has a
multiplicative inverse.
00:43:52.380 --> 00:43:58.300
OK, we have been using
this property over
00:43:58.300 --> 00:44:02.990
here because we assume that
the greatest common divisor is
00:44:02.990 --> 00:44:03.860
equal to 1.
00:44:03.860 --> 00:44:08.720
So we now know that there exists
a multiplicative inverse of k.
00:44:08.720 --> 00:44:13.440
We use that one to
multiply away, essentially,
00:44:13.440 --> 00:44:15.870
the k out of this
equation, and get
00:44:15.870 --> 00:44:19.320
a is congruent to b modulo n.
00:44:19.320 --> 00:44:24.160
Also note that we use
the property over here.
00:44:24.160 --> 00:44:32.520
We said that we wanted to
compute, what was it again?
00:44:32.520 --> 00:44:37.480
Over here-- we started off
with the GCD of m and p
00:44:37.480 --> 00:44:40.280
to be equal to 1, and I know p.
00:44:40.280 --> 00:44:43.920
And now I can compute the
multiplicative inverse of m.
00:44:43.920 --> 00:44:46.930
And I should have
said why it exists.
00:44:46.930 --> 00:44:49.950
And it exists
because of that lemma
00:44:49.950 --> 00:44:53.140
that I just mentioned up here.
00:44:53.140 --> 00:44:55.395
OK, so now let's go
back to Euler's theorem.
00:44:58.030 --> 00:45:01.070
This first lemma we are going
to use to prove a second lemma,
00:45:01.070 --> 00:45:03.030
and that second
lemma we can finally
00:45:03.030 --> 00:45:04.850
use to prove the theorem.
00:45:07.610 --> 00:45:15.570
All right, so this lemma I
will put on a separate board,
00:45:15.570 --> 00:45:18.205
because it contains quite
a number of steps to prove.
00:45:26.400 --> 00:45:38.430
So the lemma states that, if we
suppose that the GCD of n and k
00:45:38.430 --> 00:45:44.090
equals 1-- so it's the same
assumptions as before-- if it
00:45:44.090 --> 00:45:53.580
lets k1 all the way up to k r to
be those integers in the range
00:45:53.580 --> 00:45:59.970
1, 2, 3, and so
on, to n minus 1,
00:45:59.970 --> 00:46:05.000
that are relatively
prime-- so these denote
00:46:05.000 --> 00:46:15.640
the integers relatively
prime to n-- then
00:46:15.640 --> 00:46:18.555
we can prove a very
interesting property.
00:46:21.270 --> 00:46:24.690
Now, notice by the
way, that r in here
00:46:24.690 --> 00:46:28.780
is equal to this value of
the Euler's totient function
00:46:28.780 --> 00:46:30.380
evaluated in n.
00:46:30.380 --> 00:46:33.080
Because this counts
the total number
00:46:33.080 --> 00:46:40.390
of numbers that are relatively
prime with respect to n.
00:46:40.390 --> 00:46:44.200
So now we can prove
something really spectacular.
00:46:44.200 --> 00:46:48.830
We can show that the
set that contains
00:46:48.830 --> 00:46:54.350
all of these remainders--
the remainder of k 1 times k,
00:46:54.350 --> 00:46:57.170
after dividing out this
many multiples of n
00:46:57.170 --> 00:47:06.840
as possible, all the way to
the remainder off k r times k,
00:47:06.840 --> 00:47:12.590
after dividing out as many
multiples of n as possible,
00:47:12.590 --> 00:47:18.810
this set is actually equal
to the set k 1 up to k r.
00:47:18.810 --> 00:47:20.910
So this is what
we're going to prove.
00:47:20.910 --> 00:47:23.280
And we'll do it in two steps.
00:47:23.280 --> 00:47:29.630
We first show that this
set has exactly r numbers.
00:47:29.630 --> 00:47:32.570
So the cardinality of
that set is equal to r.
00:47:32.570 --> 00:47:36.150
So that will be our
first step in the proof.
00:47:36.150 --> 00:47:42.400
And over here we will show that
every remainder is actually
00:47:42.400 --> 00:47:46.420
relatively prime to n, so
it must be part of this set.
00:47:46.420 --> 00:47:49.580
So we will show that this
is a subset of this set
00:47:49.580 --> 00:47:51.770
in a second part of the proof.
00:47:51.770 --> 00:47:55.450
And combining those two, we
are able to prove equality.
00:47:55.450 --> 00:47:56.435
Why's that?
00:47:56.435 --> 00:48:00.680
Well I have r distinct
elements in this set,
00:48:00.680 --> 00:48:04.290
I have r distinct elements
in this set, this one
00:48:04.290 --> 00:48:05.450
is a subset of this.
00:48:05.450 --> 00:48:08.890
So that can only happen
if they are equal.
00:48:08.890 --> 00:48:12.910
So this is the
method for the proof.
00:48:16.030 --> 00:48:31.290
I should-- so we'll start
with the first part.
00:48:34.180 --> 00:48:40.470
And the way to do that is to
see whether it is possible
00:48:40.470 --> 00:48:47.840
that any two remainders
in that set, can they
00:48:47.840 --> 00:48:48.860
be equal to one another?
00:48:48.860 --> 00:48:50.870
We will show that
that's not possible.
00:48:50.870 --> 00:48:54.490
So if it's not possible,
then all these remainders
00:48:54.490 --> 00:48:55.470
must be different.
00:48:55.470 --> 00:48:57.790
And we have exactly r of those.
00:48:57.790 --> 00:48:59.650
So let's do this.
00:48:59.650 --> 00:49:04.690
So the proof for
1 is as follows.
00:49:04.690 --> 00:49:07.550
Let's assume that we
he have to remainders.
00:49:07.550 --> 00:49:17.330
Say, k i times k, and a
remainder k j times k,
00:49:17.330 --> 00:49:19.210
after dividing out as
many multiples of n.
00:49:19.210 --> 00:49:22.000
And supposed that they
are equal to one another.
00:49:22.000 --> 00:49:25.120
We're going to show
that this can only
00:49:25.120 --> 00:49:29.120
happen if k i is equal to k j.
00:49:29.120 --> 00:49:31.867
And if you can see
that, well then
00:49:31.867 --> 00:49:34.200
we know that all these different
remainders are actually
00:49:34.200 --> 00:49:35.500
different from one another.
00:49:35.500 --> 00:49:37.880
And if they're all
different from one another,
00:49:37.880 --> 00:49:39.870
then we must have exactly r.
00:49:39.870 --> 00:49:44.140
Because we have k 1
up to k r in here.
00:49:44.140 --> 00:49:48.610
OK let's see where
we can do this.
00:49:48.610 --> 00:49:52.210
Well, if you know that
these two remainders are
00:49:52.210 --> 00:49:56.280
equal to one another, we can
look at them with respect
00:49:56.280 --> 00:49:58.940
to these definitions over here.
00:49:58.940 --> 00:50:05.110
And we can show that k
i times k is actually
00:50:05.110 --> 00:50:10.640
congruent to k j
times k modulo n.
00:50:10.640 --> 00:50:12.170
So why is this?
00:50:12.170 --> 00:50:15.620
Well, these two
remainders are the same.
00:50:15.620 --> 00:50:19.370
And k i times k is
equal to this remainder,
00:50:19.370 --> 00:50:21.270
plus a multiple of n.
00:50:21.270 --> 00:50:25.650
This k j times k is equal
to this remainder plus,
00:50:25.650 --> 00:50:27.350
a multiple of n.
00:50:27.350 --> 00:50:32.179
So the difference between those
two is also a multiple of n.
00:50:32.179 --> 00:50:33.845
And that's the
definition of congruence.
00:50:36.880 --> 00:50:42.510
So now we can use
our first lemma,
00:50:42.510 --> 00:50:46.040
which is stated over here.
00:50:46.040 --> 00:50:48.800
We know that we assumed
in Euler's theorem
00:50:48.800 --> 00:50:52.570
that the GCD of n
and k is equal to 1.
00:50:52.570 --> 00:50:57.170
If a times k is congruent
to b times k modulo n,
00:50:57.170 --> 00:50:59.910
then we know that's a is
congruent to b modulo n.
00:50:59.910 --> 00:51:03.420
So let's apply it over
here, and take for a k
00:51:03.420 --> 00:51:07.270
i, and for b we can take k j.
00:51:07.270 --> 00:51:16.010
So now we see that key k i
is congruent to k j modulo n.
00:51:16.010 --> 00:51:19.300
And from this we will
conclude-- and that
00:51:19.300 --> 00:51:23.900
takes an extra step-- that k
i is actually equal to k j.
00:51:23.900 --> 00:51:25.950
So how can we do this?
00:51:25.950 --> 00:51:30.870
Well, we know that k i and k
j are both in the range from 1
00:51:30.870 --> 00:51:33.810
all the way up to n minus 1.
00:51:33.810 --> 00:51:38.000
So if I look at the
difference between those
00:51:38.000 --> 00:51:39.950
two-- so by definition
of congruence
00:51:39.950 --> 00:51:46.780
I know that n divides
k i minus k j.
00:51:46.780 --> 00:51:52.790
I know that this one is in the
range from 0 up to n minus 1.
00:51:52.790 --> 00:51:55.850
This one is in the range
of 0 up to n minus 1.
00:51:55.850 --> 00:52:00.510
The only way how a difference
of two numbers in this range
00:52:00.510 --> 00:52:05.250
can be divisible by n, is if
this thing is equal to zero.
00:52:05.250 --> 00:52:09.170
And that means that
k i equals k j.
00:52:09.170 --> 00:52:11.200
So now we are done
with the first part,
00:52:11.200 --> 00:52:14.040
because we have shown
that if I take any two
00:52:14.040 --> 00:52:18.990
remainders over here it
must be that they can only
00:52:18.990 --> 00:52:21.425
be equal to one another
if, actually, the k i is
00:52:21.425 --> 00:52:22.300
equal to the k j.
00:52:22.300 --> 00:52:24.570
So actually we're looking
at the same remainder.
00:52:24.570 --> 00:52:27.950
So they remainders in this
set are all different,
00:52:27.950 --> 00:52:30.680
and there are
exactly r of those.
00:52:30.680 --> 00:52:32.690
So now we go to the
second part of the proof.
00:52:49.520 --> 00:52:52.370
And notice that we
are-- so far we've only
00:52:52.370 --> 00:52:54.470
been proving the second
lemma, and we still
00:52:54.470 --> 00:52:56.990
need to go to Euler's
theorem as well.
00:52:56.990 --> 00:52:58.375
So it still takes a few steps.
00:53:02.560 --> 00:53:05.430
So how do we do the second part?
00:53:05.430 --> 00:53:09.200
Well, we saw in last
lecture that we were
00:53:09.200 --> 00:53:14.640
explaining Euclid's algorithm.
00:53:14.640 --> 00:53:18.650
And we used, essentially,
this property.
00:53:18.650 --> 00:53:22.080
We said that the greatest
common divisor between n
00:53:22.080 --> 00:53:28.460
and the remainder of
say, k i times k and n,
00:53:28.460 --> 00:53:33.750
is actually equal to the
greatest common divisor of n
00:53:33.750 --> 00:53:36.265
and k i times k.
00:53:39.090 --> 00:53:40.340
So why is this, again?
00:53:40.340 --> 00:53:46.320
Well, the remaining is
actually equal to k i times k,
00:53:46.320 --> 00:53:48.680
minus a multiple of n, right?
00:53:48.680 --> 00:53:53.080
So the greatest common
divisor is therefore--
00:53:53.080 --> 00:53:55.720
between n and this-- is the same
as the greatest common divisor
00:53:55.720 --> 00:53:57.840
between n and k i times k.
00:53:57.840 --> 00:54:00.210
So you should have to
look at last lecture.
00:54:00.210 --> 00:54:04.250
And now we are pretty much done.
00:54:04.250 --> 00:54:04.790
Why is this?
00:54:04.790 --> 00:54:07.800
Because we have assumed that
the greatest common divisor
00:54:07.800 --> 00:54:11.631
between n and k is equal to 1.
00:54:11.631 --> 00:54:15.150
And k i, in the
statement of the lemma,
00:54:15.150 --> 00:54:17.180
is relatively prime to n.
00:54:17.180 --> 00:54:20.770
And that means, according to
the definition over there,
00:54:20.770 --> 00:54:23.830
that the greatest common
divisor between k i and n
00:54:23.830 --> 00:54:25.330
is also equal to 1.
00:54:25.330 --> 00:54:35.450
So we know that both
these greatest common
00:54:35.450 --> 00:54:39.220
divisors are equal to 1.
00:54:39.220 --> 00:54:43.592
So that means that there is
no common divisor between n
00:54:43.592 --> 00:54:47.600
and these, except 1 of course.
00:54:47.600 --> 00:54:49.320
So what does this say?
00:54:49.320 --> 00:54:52.470
Well, this means that
this remainder, according
00:54:52.470 --> 00:54:55.830
to our definition, is
relatively prime to n,
00:54:55.830 --> 00:54:59.171
because this greatest common
divisor is equal to 1.
00:54:59.171 --> 00:55:05.420
So if it is an integer
relatively prime to n,
00:55:05.420 --> 00:55:08.460
then it must be one
of those k i's, k j's
00:55:08.460 --> 00:55:11.820
in this set that is
stated in the lemma.
00:55:11.820 --> 00:55:16.290
So this shows that it must be
part of this set over here.
00:55:16.290 --> 00:55:20.160
So if proven, the fact
[? is ?] that the set of all
00:55:20.160 --> 00:55:25.350
the remainders is a subset
of the set k 1 of the k r.
00:55:25.350 --> 00:55:28.260
So now we're done.
00:55:28.260 --> 00:55:34.730
So now that we have shown
this particular lemma,
00:55:34.730 --> 00:55:40.420
we can continue and
prove Euler's theorem.
00:55:40.420 --> 00:55:43.460
And I'll probably need
to wipe out some of this.
00:55:52.750 --> 00:55:56.360
So let's use this lemma
to prove this theorem.
00:55:56.360 --> 00:55:57.920
So this is really a neat trick.
00:56:02.350 --> 00:56:09.510
So the proof of Euler's
theorem is as follows.
00:56:09.510 --> 00:56:14.130
We're going to take the product
of all those k i's over there,
00:56:14.130 --> 00:56:17.670
and see where we can
find a nice relationship.
00:56:17.670 --> 00:56:23.540
So we take k 1 times k
2, all the way times k r.
00:56:23.540 --> 00:56:27.290
And we know, because those two
sets are actually the same,
00:56:27.290 --> 00:56:30.310
that this is equal
to the remainder--
00:56:30.310 --> 00:56:37.230
the first remainder--
k 1 times k,
00:56:37.230 --> 00:56:39.520
after dividing out as
many multiples of n.
00:56:39.520 --> 00:56:42.340
And we go all the way
up to the final one,
00:56:42.340 --> 00:56:47.980
the remainder of k r
times k, dividing out
00:56:47.980 --> 00:56:50.280
as many multiples of n.
00:56:50.280 --> 00:56:55.800
So now we can see that--
well, we've already
00:56:55.800 --> 00:56:59.480
shown that each of
those remainders
00:56:59.480 --> 00:57:01.650
is congruent to, in
this case, this one
00:57:01.650 --> 00:57:05.210
is congruent to k
1 times k modulo n.
00:57:05.210 --> 00:57:08.190
And this one is congruent
to k r times k modulo n.
00:57:08.190 --> 00:57:09.650
So let's write it out.
00:57:09.650 --> 00:57:12.430
So it's k 1 times k.
00:57:12.430 --> 00:57:16.140
And then we have k 2 times k.
00:57:16.140 --> 00:57:23.890
And finally we have
k r times k modulo n.
00:57:23.890 --> 00:57:26.910
So let's regroup those.
00:57:26.910 --> 00:57:30.580
We see k 1, k 2, all the
way up to k r reappearing.
00:57:35.660 --> 00:57:39.770
And we have a k here,
a k here, and we
00:57:39.770 --> 00:57:42.630
have that r times--
so we have times
00:57:42.630 --> 00:57:47.990
k to the power r modulo n.
00:57:47.990 --> 00:57:52.250
So now we are able to, again,
use this particular lemma
00:57:52.250 --> 00:57:53.990
over here.
00:57:53.990 --> 00:57:55.560
So what do we do?
00:57:55.560 --> 00:58:01.115
Well, we know that k 1
is relatively prime to n.
00:58:01.115 --> 00:58:04.590
And k 2 is as well,
all the way up to k r.
00:58:04.590 --> 00:58:08.450
So this whole product is also
relatively prime, with respect
00:58:08.450 --> 00:58:09.979
to n.
00:58:09.979 --> 00:58:11.770
That means that the
greatest common divisor
00:58:11.770 --> 00:58:17.060
of this whole product
with n is equal to 1.
00:58:17.060 --> 00:58:21.920
So that means that I can
divide out this whole product.
00:58:21.920 --> 00:58:25.190
We have-- so let's do this.
00:58:25.190 --> 00:58:28.300
We have 1 times this product.
00:58:28.300 --> 00:58:33.960
We take this for a,
and we take this for b.
00:58:33.960 --> 00:58:38.770
And then we can divide
this whole thing out
00:58:38.770 --> 00:58:40.600
according to this
particular lemma,
00:58:40.600 --> 00:58:44.760
by using the multiplicative
inverse of that product.
00:58:44.760 --> 00:58:49.690
So now we see that the 1 is
equal to k to the power r
00:58:49.690 --> 00:58:51.720
modulo n.
00:58:51.720 --> 00:58:56.010
And remember, in our
theorem, r over here
00:58:56.010 --> 00:59:02.500
in this lemma-- r is
actually equal to the Euler's
00:59:02.500 --> 00:59:04.740
totient function in n.
00:59:04.740 --> 00:59:09.780
So now this equation
proves the whole theorem.
00:59:09.780 --> 00:59:15.890
OK, so now I'm going
to talk about RSA,
00:59:15.890 --> 00:59:17.890
which is the last part here.
00:59:17.890 --> 00:59:20.080
So maybe you all
would like to have
00:59:20.080 --> 00:59:24.430
a little break of a couple of
minutes, just to relax a bit.
00:59:24.430 --> 00:59:26.540
And then-- and shake
hands with your neighbors,
00:59:26.540 --> 00:59:30.150
and jump up in the
air if you'd like to.
00:59:30.150 --> 00:59:33.590
All right let's start
with the RSA algorithm.
00:59:33.590 --> 00:59:37.480
So we have done everything
up to this point.
00:59:37.480 --> 00:59:42.150
And we are actually-- we have
done these two over here.
00:59:42.150 --> 00:59:45.300
We still have to talk about
Fermat's little theorem.
00:59:45.300 --> 00:59:48.990
But then we can go for RSA,
and it uses this consequence
00:59:48.990 --> 00:59:52.470
of Euler's theorem.
00:59:52.470 --> 01:00:04.130
So Fermat's little
theorem is actually
01:00:04.130 --> 01:00:08.154
talking about what happens
if n is a prime number.
01:00:11.640 --> 01:00:14.340
It says, well,
suppose p is a prime.
01:00:19.830 --> 01:00:25.100
And if you have k in the
range 1, 2, all the way up
01:00:25.100 --> 01:00:32.010
to p minus 1, then we
can conclude that k
01:00:32.010 --> 01:00:37.770
to the power of p minus 1
is congruent to 1 modulo n.
01:00:37.770 --> 01:00:44.150
And we can directly prove
this by using Euler's theorem.
01:00:44.150 --> 01:00:46.340
So how do we do this?
01:00:46.340 --> 01:00:49.300
Well, we know that p is prime.
01:00:49.300 --> 01:00:57.380
So the numbers 1, 2, all
the way up to p minus 1,
01:00:57.380 --> 01:01:01.880
are actually
relatively prime to p.
01:01:05.000 --> 01:01:05.710
So why is that?
01:01:05.710 --> 01:01:06.920
Well, p is prime.
01:01:06.920 --> 01:01:10.257
So the greatest common divisor
between any of those with p
01:01:10.257 --> 01:01:10.840
is equal to 1.
01:01:10.840 --> 01:01:14.640
That's the definition
of relatively prime.
01:01:14.640 --> 01:01:21.070
And we know that
we can now apply
01:01:21.070 --> 01:01:23.370
Euler's theorem
over here, and see
01:01:23.370 --> 01:01:31.640
that k to the power phi of
p is, of course, congruent
01:01:31.640 --> 01:01:34.390
to 1 modulo p.
01:01:34.390 --> 01:01:36.430
That's Euler's theorem.
01:01:36.430 --> 01:01:39.510
But now, since we know that
these are the exact ones that
01:01:39.510 --> 01:01:42.930
are relatively prime,
we can explicitly
01:01:42.930 --> 01:01:46.290
compute the Euler's
totient function of p.
01:01:46.290 --> 01:01:48.250
Because there are p
minus 1 numbers that
01:01:48.250 --> 01:01:50.480
are relatively prime to p.
01:01:50.480 --> 01:01:53.530
So that's the
definition over here.
01:01:53.530 --> 01:01:57.870
So the number of integers in
the range 1 up to p minus 1--
01:01:57.870 --> 01:02:00.040
they're all relatively prime.
01:02:00.040 --> 01:02:09.060
So we know that 5 p
is equal to p minus 1.
01:02:09.060 --> 01:02:14.140
So now we have shown that
k to the power of p minus 1
01:02:14.140 --> 01:02:18.320
is congruent to 1 modulo k.
01:02:18.320 --> 01:02:22.260
This is kind of interesting
because we can use this theorem
01:02:22.260 --> 01:02:26.170
also to compute the
multiplicative inverse of k,
01:02:26.170 --> 01:02:27.830
in this particular case.
01:02:27.830 --> 01:02:31.430
So how do we do this?
01:02:31.430 --> 01:02:35.250
We just take k,
and we look at what
01:02:35.250 --> 01:02:41.690
happens if you multiply k with
k to the power of p minus 2.
01:02:41.690 --> 01:02:46.340
Well, this is equal to k to
the power p minus 1, which
01:02:46.340 --> 01:02:56.047
is congruent to 1 modulo p
according to Fermat's theorem.
01:02:56.047 --> 01:02:57.630
So now, when we look
at the definition
01:02:57.630 --> 01:03:01.220
of multiplicative
inverse over here,
01:03:01.220 --> 01:03:05.240
we see that k to
the power p minus 2
01:03:05.240 --> 01:03:07.755
is actually the
multiplicative inverse of k.
01:03:10.350 --> 01:03:15.240
So k inverse is actually
equal to k to the power
01:03:15.240 --> 01:03:22.340
p minus 2 modulo k.
01:03:22.340 --> 01:03:25.180
All right, so this theorem
we're going to use now
01:03:25.180 --> 01:03:26.290
in the description of RSA.
01:03:29.850 --> 01:03:36.440
As I said, it was only
decades later, after Turing,
01:03:36.440 --> 01:03:40.480
Rivest, Shamir, and Adleman
were the first to really show
01:03:40.480 --> 01:03:42.430
how number theory
could be applied so
01:03:42.430 --> 01:03:44.900
successfully in cryptography.
01:03:44.900 --> 01:03:48.850
And they essentially showed
the first public key encryption
01:03:48.850 --> 01:03:52.130
scheme in which a sender and
receiver do not necessarily
01:03:52.130 --> 01:03:54.250
have to exchange a secret key.
01:03:54.250 --> 01:03:55.460
That's not necessary.
01:03:55.460 --> 01:03:59.140
So they had a public key method.
01:03:59.140 --> 01:04:04.880
And that's still used today,
and it's a great inventions.
01:04:04.880 --> 01:04:07.820
So how does the RSA work?
01:04:07.820 --> 01:04:10.300
Again, we have to talk
with an encryption scheme
01:04:10.300 --> 01:04:12.830
about what happens beforehand.
01:04:12.830 --> 01:04:17.320
So beforehand, we need to
generate this public key
01:04:17.320 --> 01:04:19.660
and a secret key.
01:04:19.660 --> 01:04:32.320
So the idea is that the receiver
creates a public key, and also
01:04:32.320 --> 01:04:33.250
a secret key.
01:04:36.910 --> 01:04:39.020
He will publish the public
key, and he will keep
01:04:39.020 --> 01:04:40.760
the secret key for himself.
01:04:40.760 --> 01:04:43.750
And now anybody can
use the public key
01:04:43.750 --> 01:04:46.680
to encrypt a message.
01:04:46.680 --> 01:04:49.690
The encrypted message
is sent to the receiver,
01:04:49.690 --> 01:04:52.930
and he's going to use his
secret key to get back
01:04:52.930 --> 01:04:55.890
to the plain message.
01:04:55.890 --> 01:04:57.880
So how is he going to do this?
01:04:57.880 --> 01:05:00.860
Well in the first
step, the idea is
01:05:00.860 --> 01:05:05.730
to generate two distinct primes.
01:05:05.730 --> 01:05:10.190
Turns out that this can be
done in a very efficient way.
01:05:10.190 --> 01:05:14.020
There are lots of primes
among the integers.
01:05:14.020 --> 01:05:15.710
So you just sample.
01:05:15.710 --> 01:05:21.150
And it turns out that
you can test primality
01:05:21.150 --> 01:05:23.756
with a pretty high
probability, very efficiently.
01:05:23.756 --> 01:05:25.130
And recently,
actually, there has
01:05:25.130 --> 01:05:29.094
been a deterministic
algorithm that is polynomial.
01:05:29.094 --> 01:05:30.510
And a number of
bits of the primes
01:05:30.510 --> 01:05:33.710
that can actually tell you
whether you have a prime
01:05:33.710 --> 01:05:34.220
or not.
01:05:34.220 --> 01:05:35.050
So you can do this.
01:05:37.700 --> 01:05:41.760
Two, we're going to create
the product of these two
01:05:41.760 --> 01:05:42.790
distinct primes.
01:05:42.790 --> 01:05:47.000
And that's where our
assumption is going to help us.
01:05:47.000 --> 01:05:51.470
That it is hard to factor a
product of two large primes.
01:05:51.470 --> 01:05:54.740
That's going to be the
underlying hardness assumption
01:05:54.740 --> 01:05:57.110
of the RSA encryption scheme.
01:05:59.660 --> 01:06:02.840
So let n be this.
01:06:02.840 --> 01:06:11.790
Three, we are going to
select an integer e,
01:06:11.790 --> 01:06:16.960
such that the greatest
common divisor of e
01:06:16.960 --> 01:06:22.060
with the product p
minus 1 times q minus 1
01:06:22.060 --> 01:06:25.850
is actually equal to 1.
01:06:25.850 --> 01:06:30.470
And the public-- and once
we have created this,
01:06:30.470 --> 01:06:40.270
the public key is going
to be a pair that consists
01:06:40.270 --> 01:06:44.650
of e itself together with n.
01:06:44.650 --> 01:06:46.670
So that's the public key.
01:06:46.670 --> 01:06:51.800
And the secret key is going
to be computed as follows,
01:06:51.800 --> 01:06:54.315
in step four.
01:06:54.315 --> 01:06:55.315
We are going to compute.
01:06:58.750 --> 01:07:09.290
d, such that d times e
is congruent to 1 modulo
01:07:09.290 --> 01:07:16.010
that product of p minus
1 times q minus 1.
01:07:16.010 --> 01:07:17.260
Can we do this?
01:07:17.260 --> 01:07:21.180
Yeah, because the greatest
common divisor between e
01:07:21.180 --> 01:07:23.860
and that product is equal to 1.
01:07:23.860 --> 01:07:26.770
And we have shown over
here that, therefore, it
01:07:26.770 --> 01:07:28.790
has a multiplicative inverse.
01:07:28.790 --> 01:07:32.820
And first of all, we know
that the solution d exists,
01:07:32.820 --> 01:07:36.070
and we can also
efficiently compute it.
01:07:36.070 --> 01:07:48.030
So the secret key is
going to be the pair that
01:07:48.030 --> 01:07:51.730
consists of d and also n.
01:07:51.730 --> 01:07:53.530
So how does it work?
01:07:53.530 --> 01:07:58.720
The sender knows the
public key, e and n,
01:07:58.720 --> 01:08:00.690
and uses those to
encrypt a message.
01:08:00.690 --> 01:08:02.340
I will explain it in a moment.
01:08:02.340 --> 01:08:07.510
And then the receiver knows
the secret key, d and n,
01:08:07.510 --> 01:08:10.130
and then is able to decrypt.
01:08:10.130 --> 01:08:15.050
OK, so let's see how
encryption works.
01:08:15.050 --> 01:08:18.170
And then we will have to
do a lot of mathematics
01:08:18.170 --> 01:08:21.060
to get the decryption going.
01:08:21.060 --> 01:08:27.330
So m prime, which is computed--
so the encrypted plain text is
01:08:27.330 --> 01:08:31.410
computed as the remainder
of m to the power e--
01:08:31.410 --> 01:08:33.870
which is part of
the public key--
01:08:33.870 --> 01:08:38.850
and then dividing out as many
multiples of n as possible.
01:08:38.850 --> 01:08:43.859
It turns out-- and we are going
to prove this-- that decryption
01:08:43.859 --> 01:08:46.720
works as follows.
01:08:46.720 --> 01:08:50.760
We can compute m
by using m prime.
01:08:50.760 --> 01:08:52.880
So we receive m prime.
01:08:52.880 --> 01:08:54.100
What do we do?
01:08:54.100 --> 01:08:58.000
We're going to take m prime,
raise it to the power d-- which
01:08:58.000 --> 01:09:01.710
is part of the secret
key-- and then dividing out
01:09:01.710 --> 01:09:04.890
as many multiples of n.
01:09:04.890 --> 01:09:08.200
Now, why would that work?
01:09:08.200 --> 01:09:09.240
Why would this work?
01:09:09.240 --> 01:09:12.979
So let's prove this
step over here.
01:09:15.590 --> 01:09:20.439
Well, it turns out that they
can apply Fermat's theorem,
01:09:20.439 --> 01:09:23.430
and the idea is as follows.
01:09:23.430 --> 01:09:24.790
So let's have a look.
01:09:24.790 --> 01:09:31.100
We know that m prime is equal
to the remainder of m raised
01:09:31.100 --> 01:09:35.450
to the power e, which
is congruent to m
01:09:35.450 --> 01:09:39.029
to the power e, modulo n.
01:09:39.029 --> 01:09:42.200
We've seen this now a
number of times, right?
01:09:42.200 --> 01:09:45.310
So what does this imply?
01:09:45.310 --> 01:09:52.939
This implies that m prime to
the power d is actually equal--
01:09:52.939 --> 01:09:57.900
is congruent to m to the
power e, to the power d.
01:09:57.900 --> 01:10:00.390
So I just raised this
side to the power d,
01:10:00.390 --> 01:10:03.030
and I raised this
side to the power d.
01:10:03.030 --> 01:10:08.390
And I still-- and
I know, now, that m
01:10:08.390 --> 01:10:11.540
prime to the power d is
equal to m to the power e d--
01:10:11.540 --> 01:10:15.420
congruent to m to the
power e d modulo n.
01:10:15.420 --> 01:10:19.970
So now we know that there
exists an integer r.
01:10:19.970 --> 01:10:23.450
We are going to use the
fact that we have that e
01:10:23.450 --> 01:10:26.280
and p minus 1 times q
minus 1 as a greatest
01:10:26.280 --> 01:10:28.020
common divisor over 1.
01:10:28.020 --> 01:10:35.290
So we know that e times
d is actually equal to 1,
01:10:35.290 --> 01:10:40.320
plus r times p minus
1, times q minus 1.
01:10:40.320 --> 01:10:46.310
Actually, what I use here is
the fact-- is this over here.
01:10:46.310 --> 01:10:48.710
By definition of
congruency, I know
01:10:48.710 --> 01:10:51.390
that the difference
between those two-- d times
01:10:51.390 --> 01:10:55.430
e and 1-- is divisible
by this product.
01:10:55.430 --> 01:10:57.590
So I know that there
exists an integer such
01:10:57.590 --> 01:11:02.070
that e times d equals 1, plus
a multiple of that product.
01:11:02.070 --> 01:11:04.860
That's how it works.
01:11:04.860 --> 01:11:08.800
So we know that m
prime to the power
01:11:08.800 --> 01:11:14.670
d-- we already saw that it is
equal to m to the power e d,
01:11:14.670 --> 01:11:17.410
which is congruent
to-- well, we just
01:11:17.410 --> 01:11:20.960
replace e d by 1 plus
r times this multiple.
01:11:20.960 --> 01:11:25.220
So we have m to the
power 1, times m
01:11:25.220 --> 01:11:31.026
to the power-- this part--
r p minus 1, q minus 1.
01:11:35.220 --> 01:11:45.450
So now we're finally going
get to Fermat's theorem.
01:11:45.450 --> 01:11:48.820
We know that n is the
products of p and q,
01:11:48.820 --> 01:11:52.260
and I'm not actually
sure I do this here.
01:11:55.130 --> 01:12:00.870
So let's apply Fermat's theorem
and see how we can use this.
01:12:00.870 --> 01:12:08.320
So if m is not
congruent to 0 modulo p,
01:12:08.320 --> 01:12:11.580
well then we can apply
Fermat's theorem.
01:12:11.580 --> 01:12:12.080
Where is it?
01:12:12.080 --> 01:12:14.480
It's over here.
01:12:14.480 --> 01:12:18.830
We can only apply this if
k is in the range from 1
01:12:18.830 --> 01:12:21.640
to p minus 1 is
not equal to zero.
01:12:21.640 --> 01:12:27.020
So if m is not equal to 0--
not congruent to 0 modulo p--
01:12:27.020 --> 01:12:30.700
then we can apply
the theorem and state
01:12:30.700 --> 01:12:37.960
that m to the power p minus
1 is congruent to 1 modulo p.
01:12:37.960 --> 01:12:42.440
And in the same way,
we can do this for q.
01:12:42.440 --> 01:12:48.880
So if this is not
true-- modulo q-- then m
01:12:48.880 --> 01:12:54.120
to the power q minus 1 is
congruent to 1 modulo q.
01:12:54.120 --> 01:12:56.840
So here we have used
Fermat's theorem twice.
01:12:59.890 --> 01:13:04.330
Now we can apply what
we have learned before,
01:13:04.330 --> 01:13:07.990
which is what we
wrote down over here.
01:13:07.990 --> 01:13:13.110
And prime to the power d is
congruent to this modulo n.
01:13:13.110 --> 01:13:17.890
Now n is p times q, so let's
have a look at what that means.
01:13:17.890 --> 01:13:23.140
It means that since n
is a product of p and q,
01:13:23.140 --> 01:13:27.730
we can also look at
this congruent modulo p.
01:13:27.730 --> 01:13:32.170
So in particular, we know
that m prime to the power
01:13:32.170 --> 01:13:39.190
d is congruent to m times
m r p minus 1 times q minus
01:13:39.190 --> 01:13:42.280
1 modulo p.
01:13:42.280 --> 01:13:43.540
Why is that?
01:13:43.540 --> 01:13:46.670
Well, we know that n
divides this difference
01:13:46.670 --> 01:13:49.270
by the definition of congruency.
01:13:49.270 --> 01:13:52.450
n is equal to p times q.
01:13:52.450 --> 01:13:56.270
So if n is dividing
this difference,
01:13:56.270 --> 01:13:58.770
also p is dividing
this difference.
01:13:58.770 --> 01:14:01.140
So that's why we can write
it m prime to the power d
01:14:01.140 --> 01:14:05.380
is congruent to this
thing, modulo p.
01:14:05.380 --> 01:14:08.560
And of course, we can
repeat this for q.
01:14:11.100 --> 01:14:12.940
So let me write
this out as well.
01:14:17.930 --> 01:14:18.890
So there it is.
01:14:21.600 --> 01:14:28.400
So now we can there use what
we have figured out over here.
01:14:28.400 --> 01:14:33.560
So we know that if
m is not equal to 0,
01:14:33.560 --> 01:14:38.180
then this thing over
here cancels out.
01:14:38.180 --> 01:14:43.000
Because m to the power p
minus 1 is congruent to 1.
01:14:43.000 --> 01:14:47.690
So we have that m
prime to the power
01:14:47.690 --> 01:14:55.490
d is congruent to m
modulo p, if m is not
01:14:55.490 --> 01:14:57.460
congruent to 0 modulo p, right?
01:14:57.460 --> 01:14:59.550
Because if m is not
congruent to zero,
01:14:59.550 --> 01:15:01.150
we have this
particular equation.
01:15:01.150 --> 01:15:04.100
We plug it in over
here, this all cancels,
01:15:04.100 --> 01:15:06.840
and we just are left with m.
01:15:06.840 --> 01:15:12.080
Now, if m is equal-- is
congruent-- to 0 modulo p,
01:15:12.080 --> 01:15:16.050
then we can see that
it is equal to 0.
01:15:16.050 --> 01:15:18.210
So it's equal to 0.
01:15:18.210 --> 01:15:21.600
So this actually
holds for any case.
01:15:21.600 --> 01:15:27.680
Now we can do the same for
q-- the same argument--
01:15:27.680 --> 01:15:30.680
and show that this must hold.
01:15:30.680 --> 01:15:35.110
So now we know that p
divides the difference
01:15:35.110 --> 01:15:38.225
of m prime d minus m.
01:15:38.225 --> 01:15:43.190
q is another prime that
divides this difference.
01:15:43.190 --> 01:15:49.280
And the only way that's possible
is if the product of p and q
01:15:49.280 --> 01:15:55.130
is dividing this particular
number-- this difference.
01:15:55.130 --> 01:15:58.230
And we have two different
primes dividing the same number,
01:15:58.230 --> 01:16:00.290
so the product
must [? divided. ?]
01:16:00.290 --> 01:16:08.770
So p times q divides
m prime d minus m.
01:16:08.770 --> 01:16:12.040
Oh, but p times q is equal to n.
01:16:12.040 --> 01:16:14.230
So now we're almost
done, because now we
01:16:14.230 --> 01:16:18.010
can state-- by the
definition of congruency--
01:16:18.010 --> 01:16:26.350
that m prime to the power d
is congruent to m modulo n.
01:16:26.350 --> 01:16:32.200
Now, since m is a message that's
in the range of-- so I did not
01:16:32.200 --> 01:16:35.030
write it down here--
so m is a message
01:16:35.030 --> 01:16:40.440
which is in the range of 0
all the way up to n minus 1.
01:16:40.440 --> 01:16:43.440
We know, and we have seen it
before with Turing's code,
01:16:43.440 --> 01:16:47.200
that we can rewrite this
and say that m equals
01:16:47.200 --> 01:16:50.960
the remainder of m
prime to the power
01:16:50.960 --> 01:16:57.100
d, after multiplying out as
many multiples of n as possible.
01:16:57.100 --> 01:16:58.060
So here you go.
01:16:58.060 --> 01:17:02.180
So this is the decryption
rule, and it works.
01:17:02.180 --> 01:17:06.640
We have shown that this
equation truly holds.
01:17:06.640 --> 01:17:10.250
So RSA has really
withstood the test of time.
01:17:10.250 --> 01:17:13.250
It's already out there
for many decades,
01:17:13.250 --> 01:17:15.322
and it's still widely used.
01:17:15.322 --> 01:17:17.030
I wanted to talk a
little bit about this,
01:17:17.030 --> 01:17:19.580
but there seemed not
to be enough time.
01:17:19.580 --> 01:17:26.570
But I'd just like to mention
that only 2009 Craig Gentry
01:17:26.570 --> 01:17:32.250
proved a beautiful theorem,
and was able to evaluate
01:17:32.250 --> 01:17:33.250
Boolean circuits.
01:17:33.250 --> 01:17:37.650
Or, say, certain types of
programs under encryption.
01:17:37.650 --> 01:17:41.040
So you can sort of add
and multiply cypher text
01:17:41.040 --> 01:17:45.310
encryptions together, and it
is as if you multiply them
01:17:45.310 --> 01:17:46.700
at the plain text level.
01:17:46.700 --> 01:17:50.720
That was a fantastic-- that
was an enormous open problem.
01:17:50.720 --> 01:17:52.030
And he solved it.
01:17:52.030 --> 01:17:55.850
And only a few months
earlier, in 2010,
01:17:55.850 --> 01:17:59.810
in joint work with Craig and
some other colleagues at IBM,
01:17:59.810 --> 01:18:02.570
we showed it with
very simple arithmetic
01:18:02.570 --> 01:18:07.120
that just uses modulo p and
modulo 2 kind of things.
01:18:07.120 --> 01:18:11.450
We could show a
construction this
01:18:11.450 --> 01:18:13.490
has such a property--
such an encryption
01:18:13.490 --> 01:18:15.100
scheme of the integers.
01:18:15.100 --> 01:18:18.130
So there's still a lot of
stuff going on in this area.
01:18:18.130 --> 01:18:21.780
And really, we use this
type of very basic stuff.
01:18:21.780 --> 01:18:25.450
The problem in cryptography
is to show that it is secure.
01:18:25.450 --> 01:18:28.330
So you have to show
that breaking the scheme
01:18:28.330 --> 01:18:32.190
needs to be reduced to
some really hard problem.
01:18:32.190 --> 01:18:34.920
And that is always the
really difficult part
01:18:34.920 --> 01:18:37.200
of such type of research.
01:18:37.200 --> 01:18:40.950
OK, well, have lots of
fun with recitation.