Lecture 8 : Trapdoor Permutations and Discrete Log

Recall that RSA is a candidate trapdoor permutation (TDP) with the following algorithms: • Key-generation: On input 1, – Pick two k-bit primes p and q and let N = pq. – Find e relatively prime to φ(pq) = (p− 1)(q − 1) – Let d be such that ed ≡ 1 mod φ(N = pq). Recall that φ() is the Euler’s totient function. Such a d exists since e is relatively prime to N – Output PK = (N, e) and SK = d • Eval(PK , x): If x / ∈ ZN fail, else output x mod N • Invert(PK ,SK , y): If y / ∈ ZN , fail else output y mod N RSA is a permutation and Invert() is correct, that is ∀x ∈ ZN Invert((N, e), d,Eval((N, e), x)) = x We will try to see why the correctness holds. Recall Lagrange’s theorem: Theorem 1 (Lagrange). Let H,G be finite groups under the same operation such that H ⊆ G then the cardinality of H divides the cardinality of G that is, #H | #G Theorem 2 (Euler). If a and N are relatively prime then a ≡ 1 mod N Since ed ≡ 1 mod φ(N), we have that ed = lφ(N) + 1 for some l. By Euler’s theorem, we have that x ≡ 1 mod N . (From now on, we will implicitly assume mod N when we are dealing with elements of ZN ) (x) = x = x = x.x = x