Are the structures (groups/rings) that RSA operations are performed on actually R-modules?

Question

Paolo, in Algebra: chapter 0, defines a left-$R$-module as a ring, $R$, an abelian group, $M$, and a map $(R \times M \rightarrow M)$ such that:

$r(m+n) = rm+rn$

$(r+s)m = rm+sm$

$(rs)m = r(sm)$

$1m = m$

where $m,n\in M$ and $r,s\in R$

In the definition of RSA in Katz/Lindell's Intro to Modern Crypto, key generation results in: $N,e,d,p,q$.

Let $\ell=(p-1)(q-1)$

So, now we have two commutative rings, $\mathbb{Z}_\ell$ and $\mathbb{Z}_N$ and have a map from exponentiation:

$\mathit{Exp}(m,k) = m^k \mathit{~mod~} N$

We can see that:

$(mn)^r = m^r * n^r$

$m^{(r+s)} = m^r * m^s$

$(m^r)^s = m^{(r*s)}$

$m^1 = m$

where $m,n\in \mathbb{Z}_N$ and $r,s\in \mathbb{Z}_\ell$

This perfectly matches the properties of an $R$-module when you use multiplication ($*$) as the operation for the abelian group, $\mathbb{Z}_N^*$, and exponentiation as the $R$-module map (though I may have mixed up right/left here). I find that this definition makes RSA much easier to understand. Despite this, I've never seen the structure of RSA described as a module. Why is this? Am I wrong and the structure of RSA is not a module? Or maybe the concept of modules is usually not known by students entering cryptography?

Answer 1

Or maybe the concept of modules is usually not known by students entering cryptography?

I believe this is more likely; modules are a rather arcane subject, and one which even people decently educated in mathematics may not have come across (I haven't, or if I had, it's been so long that I've forgotten).

Of course, there are times where it makes sense to use arcane concepts when more common ones are available; however that's when those arcane concepts give insights that the common ones don't. What insights do the idea of 'modules' give into how RSA works? For example, would that show how the specific relationship between $d$ and $e$ lead to them being inverses of each other?

Answer 2

Beside what's in these other two answers, a reason not to study RSA in the question's way is that it tends to lead to a definition restricted to plaintext in $\mathbb Z_N^*$, rather than plaintext in the whole $\mathbb Z_N$. The later is possible with a proof of RSA using modular arithmetic and (a simplified version of) the Chinese Remainder Theorem.

This restriction to $\mathbb Z_N^*$ can be dealt with, by arguing that RSA only is secure for random plaintext anyway, and that random plaintext (or randomized plaintext as used in practice) almost certainly is in $\mathbb Z_N^*$ for $N$ large enough to be hard to factor. Some authors do this, some others just sweep the issue of plaintext restriction under the rug.

But it's nice to not need that argument, and be able to introduce textbook RSA in a way that works with artificially small $N$ and any plaintext in $[0,N)$. And it's nice to use towards this a proof that matches practice, which (for performance reasons) typically uses the CRT approach during decryption and signature generation.

Answer 3

Most students starting in cryptography either have a computer science background or a mathematics background. In either case, the students are at a fairly basic level.

Computer science students typically do not know abstract algebra, but know basic number theory. This is sufficient for teaching RSA.

Mathematics students often know basic abstract algebra. This is sufficient for teaching RSA. I would expect modules to appear in a second algebra course, not in a first course.

In other words: explaining RSA in terms of a module structure where the ring is the endomorphism ring requires a level of mathematical sophistication that students typically do not have at the point where they first encounter RSA.

However, if this level of mathematical sophistication buys us some understanding from a cryptographic point of view, it could be worthwhile to introduce it, even if it would be additional work for students.

I find that introducing abstract algebraic structures is a great help in many cases, such as understanding index calculus or more practical things like the number theoretic transform.

However, my claim is that in this case abstraction does not buy us any additional understanding, from a cryptographic point of view. (It may very well buy you a better understanding of your second abstract algebra course. In fact, I think this is close to a fairly standard example when teaching modules: an abelian group with scalar multiplication by endomorphisms.)

• It does not help me explain the relation between the two inverse endomorphisms.
• It does not help me explain the relation between factoring and the RSA problem, security-wise.
• It does not help me explain the relation between the algebraic structure and common computational speed-up tricks.
• It is certainly no help understanding the construction of secure schemes based on textbook RSA.

On the contrary, I find that it is much more natural to start with the automorphisms of a cyclic group (which we know is correspond to exponentiation and the Pohlig-Hellman cipher, which may already have appeared as an example of a weak block cipher), explain what we want, observe that exponentiation does not work in a finite field, and then observe that the integers modulo a product of two distinct primes have properties that seem to make it work.

You can also immediately relate the concrete properties of the exponentiation as a number theoretic thing to various factorisation algorithms, which you will also want to study.

Which is a long-winded way of saying that the other two answers are correct.