Public-Key Cryptography: RSA and the Discrete Logarithm
Anchor (Master): Arora and Barak 2009 Computational Complexity: A Modern Approach (Cambridge) Ch. 10; Rivest, Shamir and Adleman 1978 A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (CACM); Shor 1997 Polynomial-Time Algorithm for Prime Factorization and Discrete Logarithms (SIAM J. Comput.)
Intuition Beginner
Symmetric cryptography uses the same key to encrypt and decrypt. The problem: how do two people agree on a shared key without meeting? Public-key cryptography solves this elegantly. Everyone has two keys: a public key (shared with the world) and a private key (kept secret). Anyone can encrypt a message using your public key, but only you can decrypt it using your private key.
The trick relies on mathematical asymmetry. RSA uses the fact that multiplying two large primes is easy, but factoring their product is hard. Diffie-Hellman uses the fact that computing is easy, but recovering from (the discrete logarithm problem) is hard.
RSA works as follows. You pick two large primes and , multiply them to get , and publish along with an encryption exponent . To send you a message , someone computes . You decrypt by computing using a secret decryption exponent . The relationship between and involves Euler's totient function, and computing from and requires factoring , which is believed to be hard.
The beauty of public-key cryptography is that it transforms the key-distribution problem into a computational-hardness problem. Security is not absolute but conditional: if factoring is hard (or discrete log is hard), then the system is secure.
Visual Beginner
RSA key generation:
1. Pick primes p = 61, q = 53
2. Compute N = 61 * 53 = 3233
3. Compute phi(N) = (61-1)(53-1) = 3120
4. Choose e = 17 (coprime to 3120)
5. Compute d = e^(-1) mod 3120 = 2753
6. Public key: (N=3233, e=17)
Private key: d=2753
Encryption of m = 65:
c = 65^17 mod 3233 = 2790
Decryption:
m = 2790^2753 mod 3233 = 65
Diffie-Hellman key exchange:
Public: p = 23, g = 5
Alice picks a = 6, sends A = 5^6 mod 23 = 8
Bob picks b = 15, sends B = 5^15 mod 23 = 19
Shared secret: Alice computes 19^6 mod 23 = 2
Bob computes 8^15 mod 23 = 2| System | Hard problem | Quantum-safe? |
|---|---|---|
| RSA | Factoring | No (Shor's algorithm) |
| Diffie-Hellman | Discrete logarithm in | No (Shor's algorithm) |
| Elliptic curve DH | Elliptic curve discrete log | No (Shor's algorithm) |
| Learning With Errors | Lattice problem | Yes (believed) |
Worked example Beginner
We walk through RSA with toy parameters. Pick primes and .
Key generation. . . Choose (coprime to 20). Compute . We need . Testing: , so .
Public key: . Private key: .
Encryption. Message . Compute . , so . Then , so .
Decryption. Compute . , , so . , so . Correct.
Why it works. Euler's theorem says when . Since , we have .
Check your understanding Beginner
Formal definition Intermediate+
Definition (RSA assumption). Given a product of two random -bit primes and a public exponent coprime to , for every PPT algorithm :
where is chosen uniformly from .
Definition (discrete logarithm problem). Given a cyclic group of prime order , a generator , and for random , the discrete logarithm problem is to find .
Definition (CDH assumption). For a cyclic group with generator , given for random , no PPT algorithm can compute with non-negligible probability.
Definition (DDH assumption). For a cyclic group with generator , no PPT algorithm can distinguish from for random with non-negligible advantage.
Definition (IND-CPA security). A public-key encryption scheme is IND-CPA secure if no PPT adversary can win the following game with non-negligible advantage: (1) receives the public key , (2) submits two messages , (3) the challenger encrypts for random , (4) outputs a guess , and wins if .
Counterexamples to common slips
"RSA with is always insecure." RSA with small is vulnerable to specific attacks (e.g., Coppersmith's attack when is much smaller than ), but not inherently insecure when proper padding (OAEP) is used.
"Diffie-Hellman is the same as RSA." DH is based on the discrete logarithm problem in a group; RSA is based on factoring. They are different hardness assumptions, though both are broken by Shor's quantum algorithm.
"IND-CPA security means the encryption is unbreakable." IND-CPA only protects against passive eavesdroppers who see ciphertexts. It does not protect against chosen-ciphertext attacks (IND-CCA), which is the standard security requirement for real systems.
Key theorem with proof Intermediate+
Theorem (RSA correctness). Let for distinct primes , coprime to , and . Then for all , .
Proof. Since , we have for some integer . By Euler's theorem, for any coprime to . Therefore:
This works even when (i.e., when is a multiple of or ), by applying the Chinese Remainder Theorem: modulo , by Fermat's little theorem (if ; if then both sides are 0 mod ). Similarly mod . By CRT, .
Bridge. The RSA construction is the foundational reason public-key cryptography works: the algebraic structure of modular arithmetic provides a function that is a permutation (so decryption is always possible) yet one-way without the trapdoor (so only the private key holder can decrypt). This builds toward the Diffie-Hellman key exchange which achieves a different goal (key agreement rather than encryption) using a different algebraic structure (group exponentiation rather than ring exponentiation). The central insight is that trapdoor one-way functions arise from the gap between computing a function and inverting it, and this is exactly the pattern that appears again in 47.06.04 where digital signatures use the same RSA function in reverse (sign with , verify with ). Putting these together with the one-way function theory of 47.06.01 shows that public-key cryptography requires structured hardness assumptions (factoring, discrete log) that go beyond the generic OWF, and this structural requirement is the reason public-key primitives cannot be constructed from generic OWFs via black-box reductions.
Exercises Intermediate+
Lean formalization Intermediate+
Mathlib has the algebraic prerequisites for RSA (modular arithmetic, Euler's theorem, CRT in NumberTheory.ZMod and GroupTheory.Coset) but no formalization of cryptographic security notions or reduction proofs. A natural formalization target would be the RSA correctness proof (Proposition: ) using Mathlib's existing number theory. The security reduction (factoring implies RSA assumption) would require modelling PPT adversaries and negligible functions. This unit ships without a lean_module.
Advanced results Master
Three results sharpen our understanding of public-key cryptography's foundations and limitations.
Result 1 (random oracle model and beyond). The security of RSA-OAEP (RSA with Optimal Asymmetric Encryption Padding) was proven IND-CCA secure in the random oracle model by Bellare and Rogaway (1994), assuming the RSA problem is hard. Fujisaki, Okamoto, Pointcheval and Stern (2004) proved that any IND-CPA scheme can be transformed into an IND-CCA scheme in the random oracle model. However, Canetti, Goldreich and Halevi (1998) showed that there exist schemes secure in the random oracle model that are insecure when the random oracle is instantiated with any concrete hash function [Arora-Barak Ch. 10].
Result 2 (lattice-based cryptography and quantum resistance). Regev (2005) introduced the Learning With Errors problem and proved that solving LWE on average is as hard as solving worst-case lattice problems (GapSVP, SIVP) for quantum algorithms. This worst-case-to-average-case reduction is the foundational reason lattice-based cryptography is believed to be quantum-resistant. The NIST post-quantum standardisation process selected Kyber (key encapsulation) and Dilithium (signatures), both based on module-LWE [Shor 1997].
Result 3 (Impagliazzo's five worlds). Impagliazzo (1995) described five possible complexity-theoretic worlds, ordered by the strength of available cryptographic primitives. In Pessiland (NP is hard on average but one-way functions do not exist), no public-key cryptography is possible. In Minicrypt (OWFs exist but not trapdoor OWFs), symmetric cryptography exists but public-key cryptography does not. In Cryptomania (trapdoor OWFs exist), full public-key cryptography is available. The question of which world we inhabit is the central open problem of cryptographic foundations [Arora-Barak Ch. 10].
Synthesis. Public-key cryptography rests on structured hardness assumptions that go beyond generic one-way functions: factoring and discrete logarithm provide the algebraic structure needed for trapdoor operations, and this builds toward the quantum-resistance question where lattice problems replace number-theoretic problems as the hardness foundation. The central insight is that the algebraic structure enabling public-key encryption (modular exponentiation, group operations) is also the structure that quantum algorithms exploit (period finding), and this is exactly the pattern that appears again in 47.06.03 where zero-knowledge proofs require similar algebraic structure for their interaction protocols. Putting these together with the one-way function theory of 47.06.01 shows that the cryptographic landscape is stratified: generic OWFs yield symmetric cryptography, structured assumptions yield public-key cryptography, and quantum-resistant assumptions yield post-quantum cryptography, each layer requiring more specific and more structured hardness.
Full proof set Master
Proposition 1 (RSA correctness via CRT). For , , and any : .
Proof. It suffices to show and , then invoke CRT.
Case 1: . By Fermat's little theorem, . Since : .
Case 2: . Then and .
Similarly for . By CRT, since mod both and , and , we have .
Proposition 2 (DDH implies IND-CPA for ElGamal). If DDH holds in , then ElGamal encryption in is IND-CPA secure.
Proof. Consider the IND-CPA game: the adversary receives and challenge ciphertext .
Define hybrid : the real game with . Define hybrid : replace with for random . By DDH, and are indistinguishable, so .
In , the ciphertext is where is a uniform group element independent of everything else. So is uniformly distributed in , regardless of . The adversary's advantage in is exactly 0.
Since and are indistinguishable, the adversary's advantage in is at most negligibly more than 0.
Connections Master
47.06.01— One-way functions are the generic primitive; RSA and discrete logarithm are concrete instantiations that additionally provide the trapdoor property needed for public-key cryptography.21.01.04— Fermat's little theorem, Euler's theorem, and the Chinese Remainder Theorem are the number-theoretic foundations of RSA correctness.21.01.01— The Euclidean algorithm and Bézout's identity are used to compute the private key .47.06.03— Zero-knowledge proofs use the discrete logarithm setting for Schnorr protocols and other interactive proof systems.47.06.04— Digital signatures use the same RSA key generation in reverse: sign with the private exponent , verify with the public exponent .
Historical & philosophical context Master
Public-key cryptography was invented independently by Diffie and Hellman (1976) and by Merkle (1975, published 1978). RSA was proposed by Rivest, Shamir and Adleman in 1977. The Diffie-Hellman key exchange was the first practical method for establishing a shared secret over an insecure channel.
Shor's 1994 discovery of a polynomial-time quantum algorithm for factoring and discrete logarithm transformed the field. It demonstrated that the security of RSA and Diffie-Hellman is conditional not just on classical hardness but on the assumption that large-scale quantum computers cannot be built. This sparked the development of post-quantum cryptography, culminating in the NIST standardisation process (2017-2024).
The philosophical significance is that security in cryptography is always relative to a computational model and a set of hardness assumptions. What is secure today may not be secure tomorrow if those assumptions are broken—by classical algorithms, quantum algorithms, or new mathematics [Arora-Barak Ch. 10].
Bibliography Master
@book{arora2009computational,
author = {Arora, Sanjeev and Barak, Boaz},
title = {Computational Complexity: A Modern Approach},
publisher = {Cambridge University Press},
year = {2009},
}
@article{rivest1978method,
author = {Rivest, Ronald L. and Shamir, Adi and Adleman, Leonard},
title = {A Method for Obtaining Digital Signatures and Public-Key Cryptosystems},
journal = {Communications of the ACM},
volume = {21},
number = {2},
pages = {120--126},
year = {1978},
}
@article{shor1997polynomial,
author = {Shor, Peter W.},
title = {Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer},
journal = {SIAM Journal on Computing},
volume = {26},
number = {5},
pages = {1484--1509},
year = {1997},
}
@article{diffie1976new,
author = {Diffie, Whitfield and Hellman, Martin E.},
title = {New Directions in Cryptography},
journal = {IEEE Transactions on Information Theory},
volume = {22},
number = {6},
pages = {644--654},
year = {1976},
}
@article{regev2005lattices,
author = {Regev, Oded},
title = {On Lattices, Learning with Errors, Random Linear Codes, and Cryptography},
journal = {Journal of the ACM},
volume = {56},
number = {6},
year = {2009},
}