Post on 26-Dec-2015
Numerical Alg. & Cryptography
2
Outline
Divisibility and primes
Modular arithmetic
Euclid’s GCD algorithm
Multiplicative inverses
Powers
Fermat’s little theorem
Euler’s theorem
Facts About Numbers
Prime number p:
  p is an integer
  p ≥ 2
  The only divisors of p are 1 and p
Examples: 2, 7, 19 are primes; −3, 1, 6 are not primes
Prime decomposition of a positive integer n:
  n = p_1^{e_1} · … · p_k^{e_k}
Example: 200 = 2^3 · 5^2
Fundamental Theorem of Arithmetic
The prime decomposition of a positive integer is unique
Greatest Common Divisor
The greatest common divisor (GCD) of two positive integers a and b, denoted gcd(a, b), is the largest positive integer that divides both a and b
The above definition is extended to arbitrary integers
Examples:
  gcd(18, 30) = 6
  gcd(0, 20) = 20
  gcd(21, 49) = 7
Two integers a and b are said to be relatively prime if gcd(a, b) = 1
Example: Integers 15 and 28 are relatively prime
Modular Arithmetic
Modulo operator for a positive integer n: r = a mod n is equivalent to a = r + kn for some integer k, and to r = a − ⌊a/n⌋·n
Example:
  29 mod 13 = 3     (29 = 3 + 2·13)
  13 mod 13 = 0     (13 = 0 + 1·13)
  −1 mod 13 = 12    (−1 = 12 − 1·13)
Modulo and GCD: gcd(a, b) = gcd(b, a mod b)
Example: gcd(21, 12) = 3 = gcd(12, 21 mod 12) = gcd(12, 9) = 3
Euclid’s GCD Algorithm
Euclid’s algorithm for computing the GCD repeatedly applies the formula gcd(a, b) = gcd(b, a mod b)
Example: gcd(412, 260) = 4
  a   412  260  152  108   44   20    4
  b   260  152  108   44   20    4    0
Algorithm EuclidGCD(a, b)
  Input: integers a and b
  Output: gcd(a, b)
  if b = 0
    return a
  else
    return EuclidGCD(b, a mod b)
Analysis
Let a_i and b_i be the arguments of the i-th recursive call of algorithm EuclidGCD. We have
  a_{i+2} = b_{i+1} = a_i mod a_{i+1}
Sequence a_1, a_2, …, a_n decreases exponentially, namely a_{i+2} ≤ ½ a_i for i ≥ 1:
  Case 1: a_{i+1} ≤ ½ a_i. Then a_{i+2} < a_{i+1} ≤ ½ a_i
  Case 2: a_{i+1} > ½ a_i. Then a_{i+2} = a_i mod a_{i+1} = a_i − a_{i+1} < ½ a_i
Thus, the maximum number of recursive calls of algorithm EuclidGCD(a, b) is 1 + 2 log max(a, b)
Algorithm EuclidGCD(a, b) executes O(log max(a, b)) arithmetic operations
Multiplicative Inverses (1)
The residues modulo a positive integer n are the set Z_n = {0, 1, 2, …, n−1}
Let x and y be two elements of Z_n such that x·y mod n = 1
We say that y is the multiplicative inverse of x in Z_n and we write y = x^{−1}
Example: Multiplicative inverses of the residues modulo 11
  x       0   1   2   3   4   5   6   7   8   9  10
  x^{−1}  -   1   6   4   3   9   2   8   7   5  10
Multiplicative Inverses (2)
Theorem: An element x of Z_n has a multiplicative inverse if and only if x and n are relatively prime
Example: The elements of Z_10 with a multiplicative inverse are 1, 3, 5, 7
  x       0   1   2   3   4   5   6   7   8   9
  x^{−1}  -   1   -   7   -   -   -   3   -   9
Corollary: If p is prime, every nonzero residue in Z_p has a multiplicative inverse
Theorem: A variation of Euclid’s GCD algorithm computes the multiplicative inverse of an element x of Z_n or determines that it does not exist
Powers
Let p be a prime. The sequences of successive powers of the elements of Z_p exhibit repeating subsequences. The sizes of the repeating subsequences and the number of their repetitions are the divisors of p − 1
Example (p = 7):
  x   x^2  x^3  x^4  x^5  x^6
  1    1    1    1    1    1
  2    4    1    2    4    1
  3    2    6    4    5    1
  4    2    1    4    2    1
  5    4    6    2    3    1
  6    1    6    1    6    1
Fermat’s Little Theorem
Theorem: Let p be a prime. For each nonzero residue x of Z_p, we have x^{p−1} mod p = 1
Example (p = 5):
  1^4 mod 5 = 1
  2^4 mod 5 = 16 mod 5 = 1
  3^4 mod 5 = 81 mod 5 = 1
  4^4 mod 5 = 256 mod 5 = 1
Corollary: Let p be a prime. For each nonzero residue x of Z_p, the multiplicative inverse of x is x^{p−2} mod p
Proof: x·(x^{p−2} mod p) mod p = x·x^{p−2} mod p = x^{p−1} mod p = 1
Euler’s Theorem
The multiplicative group for Z_n, denoted Z*_n, is the subset of elements of Z_n relatively prime with n
The totient function of n, denoted φ(n), is the size of Z*_n
Example: Z*_10 = {1, 3, 7, 9}, φ(10) = 4
If p is prime, we have Z*_p = {1, 2, …, p−1} and φ(p) = p − 1
Theorem: For each element x of Z*_n, we have x^{φ(n)} mod n = 1
Example (n = 10):
  3^{φ(10)} mod 10 = 3^4 mod 10 = 81 mod 10 = 1
  7^{φ(10)} mod 10 = 7^4 mod 10 = 2401 mod 10 = 1
  9^{φ(10)} mod 10 = 9^4 mod 10 = 6561 mod 10 = 1
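The following added example (not code from the slides) checks the statements of the last few slides on the slides’ own numbers: the inverse tables modulo 11 and 10, Z*_10 with φ(10) = 4, Euler’s theorem, the corollary x^{−1} = x^{p−2} mod p, and the cycle lengths of the powers table for p = 7. It goes one step beyond the slides by using x^{φ(n)−1} mod n as the inverse for composite n, which follows from Euler’s theorem; the function names are mine.

```python
"""Added example (not from the slides): Z_n, Z*_n, phi(n), inverses and power cycles.

Python's pow(x, e, n) performs the modular power (repeated squaring).  The
inverse via Euler's theorem generalises the slides' corollary for prime p to
any n with gcd(x, n) = 1: x^(phi(n)) = 1 mod n, so x^(phi(n)-1) is x^-1.
"""
from math import gcd

def multiplicative_group(n):
    """Z*_n: the residues in Z_n that are relatively prime with n."""
    return [x for x in range(n) if gcd(x, n) == 1]

def phi(n):
    """Euler's totient function phi(n) = |Z*_n| (by enumeration; fine for small n)."""
    return len(multiplicative_group(n))

def inverse_by_euler(x, n):
    """x^-1 in Z_n as x^(phi(n)-1) mod n, or None when gcd(x, n) != 1.

    For prime n = p this is exactly the slides' corollary x^(p-2) mod p.
    """
    if gcd(x, n) != 1:
        return None
    return pow(x, phi(n) - 1, n)

def inverse_table(n):
    """Dict x -> x^-1 for every x in Z_n that has an inverse (the slides' tables)."""
    table = {}
    for x in range(n):
        y = inverse_by_euler(x, n)
        if y is not None:
            table[x] = y
    return table

def euler_holds(n):
    """Check x^phi(n) mod n == 1 for every x in Z*_n (Euler's theorem)."""
    return all(pow(x, phi(n), n) == 1 for x in multiplicative_group(n))

def power_cycle_length(x, p):
    """Length of the repeating subsequence of x, x^2, x^3, ... in Z_p (x != 0).

    The Powers slide states that this length always divides p - 1.
    """
    k, y = 1, x % p
    while y != 1:
        y = y * x % p
        k += 1
    return k

if __name__ == "__main__":
    print(inverse_table(11))      # {1: 1, 2: 6, 3: 4, 4: 3, 5: 9, 6: 2, 7: 8, 8: 7, 9: 5, 10: 10}
    print(multiplicative_group(10), phi(10))   # [1, 3, 7, 9] 4
    print([power_cycle_length(x, 7) for x in range(1, 7)])   # [1, 3, 6, 3, 6, 2]
```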
The Fast Fourier Transform
Outline and Reading
Polynomial Multiplication Problem
Primitive Roots of Unity (§10.4.1)
The Discrete Fourier Transform (§10.4.2)
The FFT Algorithm (§10.4.3)
Integer Multiplication (§10.4.4)
Java FFT Integer Multiplication (§10.5)
Polynomials
Polynomial: p(x) = 5 + 2x + 8x^2 + 3x^3 + 4x^4
In general, p(x) = a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, or
  $p(x) = \sum_{i=0}^{n-1} a_i x^i$
Polynomial Evaluation
Horner’s Rule: Given coefficients (a_0, a_1, a_2, …, a_{n−1}), defining polynomial
  $p(x) = \sum_{i=0}^{n-1} a_i x^i$
Given x, we can evaluate p(x) in O(n) time using the equation
  p(x) = a_0 + x(a_1 + x(a_2 + … + x(a_{n−2} + x a_{n−1}) … ))
Eval(A, x): [Where A = (a_0, a_1, a_2, …, a_{n−1})]
  If n = 1, then return a_0
  Else, let A′ = (a_1, a_2, …, a_{n−1}) [assume this can be done in constant time]
    return a_0 + x·Eval(A′, x)
Polynomial Multiplication Problem
Given coefficients (a_0, a_1, a_2, …, a_{n−1}) and (b_0, b_1, b_2, …, b_{n−1}) defining two polynomials, p() and q(), and number x, compute p(x)q(x).
Horner’s rule doesn’t help, since
  $p(x)q(x) = \sum_{i=0}^{2n-2} c_i x^i$, where $c_i = \sum_{j=0}^{i} a_j b_{i-j}$
A straightforward evaluation would take O(n^2) time. The “magical” FFT will do it in O(n log n) time.
Polynomial Interpolation & Polynomial Multiplication
Given a set of n points in the plane with distinct x-coordinates, there is exactly one (n−1)-degree polynomial going through all these points.
Alternate approach to computing p(x)q(x):
  Calculate p() on 2n x-values, x_0, x_1, …, x_{2n−1}.
  Calculate q() on the same 2n x-values.
  Find the (2n−1)-degree polynomial that goes through the points {(x_0, p(x_0)q(x_0)), (x_1, p(x_1)q(x_1)), …, (x_{2n−1}, p(x_{2n−1})q(x_{2n−1}))}.
Unfortunately, a straightforward evaluation would still take O(n^2) time, as we would need to apply an O(n)-time Horner’s Rule evaluation to 2n different points. The “magical” FFT will do it in O(n log n) time, by picking 2n points that are easy to evaluate…
Primitive Roots of Unity
A number ω is a primitive n-th root of unity, for n > 1, if
  ω^n = 1
  The numbers 1, ω, ω^2, …, ω^{n−1} are all distinct
Example 1: Z*_11:
  2, 6, 7, 8 are 10-th roots of unity in Z*_11
  2^2 = 4, 6^2 = 3, 7^2 = 5, 8^2 = 9 are 5-th roots of unity in Z*_11
  2^{−1} = 6, 3^{−1} = 4, 4^{−1} = 3, 5^{−1} = 9, 6^{−1} = 2, 7^{−1} = 8, 8^{−1} = 7, 9^{−1} = 5
  x    x^2  x^3  x^4  x^5  x^6  x^7  x^8  x^9  x^10
  1     1    1    1    1    1    1    1    1    1
  2     4    8    5   10    9    7    3    6    1
  3     9    5    4    1    3    9    5    4    1
  4     5    9    3    1    4    5    9    3    1
  5     3    4    9    1    5    3    4    9    1
  6     3    7    9   10    5    8    4    2    1
  7     5    2    3   10    4    6    9    8    1
  8     9    6    4   10    3    2    5    7    1
  9     4    3    5    1    9    4    3    5    1
  10    1   10    1   10    1   10    1   10    1
Example 2: The complex number e^{2πi/n} is a primitive n-th root of unity, where i = √(−1)
Properties of Primitive Roots of Unity
Inverse Property: If ω is a primitive root of unity, then ω^{−1} = ω^{n−1}
  Proof: ω^{n−1}·ω = ω^n = 1
Cancellation Property: For non-zero −n < k < n, $\sum_{j=0}^{n-1} \omega^{kj} = 0$
  Proof: $\sum_{j=0}^{n-1} \omega^{kj} = \frac{(\omega^k)^n - 1}{\omega^k - 1} = \frac{(\omega^n)^k - 1}{\omega^k - 1} = \frac{1^k - 1}{\omega^k - 1} = \frac{1 - 1}{\omega^k - 1} = 0$
Reduction Property: If ω is a primitive (2n)-th root of unity, then ω^2 is a primitive n-th root of unity.
  Proof: If 1, ω, ω^2, …, ω^{2n−1} are all distinct, so are 1, ω^2, (ω^2)^2, …, (ω^2)^{n−1}
Reflective Property: If n is even, then ω^{n/2} = −1.
  Proof: By the cancellation property, for k = n/2:
  $0 = \sum_{j=0}^{n-1} \omega^{(n/2)j} = \omega^0 + \omega^{n/2} + \omega^0 + \omega^{n/2} + \dots + \omega^0 + \omega^{n/2} = (n/2)(1 + \omega^{n/2})$
  Thus ω^{n/2} = −1
Corollary: ω^{k+n/2} = −ω^k.
The Discrete Fourier Transform
Given coefficients (a_0, a_1, a_2, …, a_{n−1}) for an (n−1)-degree polynomial p(x)
The Discrete Fourier Transform is to evaluate p at the values 1, ω, ω^2, …, ω^{n−1}
We produce (y_0, y_1, y_2, …, y_{n−1}), where y_j = p(ω^j). That is,
  $y_j = \sum_{i=0}^{n-1} a_i \omega^{ij}$
Matrix form: y = Fa, where F[i, j] = ω^{ij}.
The Inverse Discrete Fourier Transform recovers the coefficients of an (n−1)-degree polynomial given its values at 1, ω, ω^2, …, ω^{n−1}
Matrix form: a = F^{−1} y, where F^{−1}[i, j] = ω^{−ij}/n.
Correctness of the inverse DFT
The DFT and inverse DFT really are inverse operations
Proof: Let A = F^{−1} F. We want to show that A = I, where
  $A[i,j] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{-ik} \omega^{kj}$
If i = j, then
  $A[i,i] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{-ik} \omega^{ki} = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{0} = \frac{1}{n} \cdot n = 1$
If i and j are different, then
  $A[i,j] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{(j-i)k} = 0$ (by Cancellation Property)
Convolution
The DFT and the inverse DFT can be used to multiply two polynomials
So we can get the coefficients of the product polynomial quickly if we can compute the DFT (and its inverse) quickly…
  [a_0, a_1, a_2, …, a_{n−1}]                  [b_0, b_1, b_2, …, b_{n−1}]
    pad with n 0's                               pad with n 0's
  [a_0, a_1, a_2, …, a_{n−1}, 0, 0, …, 0]       [b_0, b_1, b_2, …, b_{n−1}, 0, 0, …, 0]
    DFT                                          DFT
  [y_0, y_1, y_2, …, y_{2n−1}]                  [z_0, z_1, z_2, …, z_{2n−1}]
    component-wise multiply
  [y_0 z_0, y_1 z_1, …, y_{2n−1} z_{2n−1}]
    inverse DFT
  [c_0, c_1, c_2, …, c_{2n−1}]   (Convolution)
The Fast Fourier Transform
The FFT is an efficient algorithm for computing the DFT
The FFT is based on the divide-and-conquer paradigm:
If n is even, we can divide a polynomial
into two polynomials
and we can write
The FFT Algorithm
The running time is O(n log n). [inverse FFT is similar]
Multiplying Big Integers
Given N-bit integers I and J, compute IJ.
Assume: we can multiply words of O(log N) bits in constant time.
Setup: Find a prime p = cn + 1 that can be represented in one word, and set m = ⌊(log p)/3⌋, so that we can view I and J as n-length vectors of m-bit words.
Finding a primitive root of unity:
  Find a generator x of Z*_p.
  Then ω = x^c is a primitive n-th root of unity in Z*_p (arithmetic is mod p)
Apply convolution and FFT algorithm to compute the convolution C of the vector representations of I and J.
Then compute
  $K = \sum_{i=0}^{2n-1} c_i 2^{mi}$
K is a vector representing IJ, and takes O(n log n) time to compute.
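Added example (not code from the slides or from the book’s Java implementation) putting the Convolution, FFT and Multiplying Big Integers slides together: FFT-based polynomial multiplication over Z*_p with ω = g^c for a generator g, with all arithmetic mod p. The constants p = 97 = 12·8 + 1 and n = 8 and the sample coefficient vectors are my own choices, not the slides’.

```python
"""Added example (not from the slides): polynomial multiplication by FFT over Z_p.

Setup as on the Multiplying Big Integers slide: p = c*n + 1 prime, g a generator of
Z*_p, omega = g^c a primitive n-th root of unity.  The FFT splits p(x) into even and
odd coefficients and relies on the reduction and reflective properties; the inverse
DFT uses omega^-1 and 1/n mod p.  Constructed constants: p = 97, n = 8.
"""

def prime_factors(m):
    """Distinct prime factors of m by trial division (m is small here)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def generator(p):
    """Smallest generator g of Z*_p: g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    qs = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found (is p prime?)")

def primitive_root_of_unity(p, n):
    """omega = g^c with c = (p-1)/n: omega^n = 1 and 1, omega, ..., omega^(n-1) are distinct."""
    if (p - 1) % n != 0:
        raise ValueError("n must divide p - 1")
    return pow(generator(p), (p - 1) // n, p)

def fft(a, omega, p):
    """y_j = sum_i a_i omega^(ij) mod p for j = 0..n-1; len(a) must be a power of two."""
    n = len(a)
    if n == 1:
        return [a[0] % p]
    # p(x) = p_even(x^2) + x * p_odd(x^2); omega^2 is a primitive (n/2)-th root (reduction)
    even = fft(a[0::2], omega * omega % p, p)
    odd = fft(a[1::2], omega * omega % p, p)
    y, w = [0] * n, 1
    for j in range(n // 2):
        t = w * odd[j] % p
        y[j] = (even[j] + t) % p
        y[j + n // 2] = (even[j] - t) % p   # omega^(j + n/2) = -omega^j (reflective property)
        w = w * omega % p
    return y

def inverse_fft(y, omega, p):
    """a = F^-1 y: FFT with omega^-1, then divide by n (both mod p)."""
    n = len(y)
    a = fft(y, pow(omega, p - 2, p), p)     # omega^-1 = omega^(p-2) by Fermat's little theorem
    n_inv = pow(n, p - 2, p)
    return [x * n_inv % p for x in a]

def convolve(a, b, p):
    """Coefficients c_0..c_(2n-1) of the product polynomial: pad, DFT, multiply, inverse DFT."""
    n = len(a)
    if len(b) != n or n & (n - 1):
        raise ValueError("a and b must have the same power-of-two length")
    omega = primitive_root_of_unity(p, 2 * n)
    ya = fft(a + [0] * n, omega, p)         # pad with n 0's
    yb = fft(b + [0] * n, omega, p)
    return inverse_fft([u * v % p for u, v in zip(ya, yb)], omega, p)

def schoolbook(a, b, p):
    """O(n^2) reference: c_i = sum_j a_j b_(i-j) mod p."""
    c = [0] * (2 * len(a))
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % p
    return c

if __name__ == "__main__":
    P, A, B = 97, [1, 2, 3, 4], [5, 6, 7, 8]   # constructed sample: 97 = 12 * 8 + 1
    print(convolve(A, B, P))                   # [5, 16, 34, 60, 61, 52, 32, 0]
```

The result is exact only while every c_i stays below p, which is why the big-integer scheme picks p larger than any word product plus carries.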
Java Example: Multiplying Big Integers
Setup: Define BigInt class, and include essential parameters, including the prime, P, and primitive root of unity, OMEGA.
Java Integer Multiply Method
Use convolution to multiply two big integers, this and val:
Non-recursive FFT
There is also a non-recursive version of the FFT
  Performs the FFT in place
  Precomputes all roots of unity
  Performs a cumulative collection of shuffles on A and on B prior to the FFT, which amounts to assigning the value at index i to the index bit-reverse(i).
The code is a bit more complex, but the running time is faster by a constant, due to improved overhead
Experimental Results
Log-log scale shows traditional multiply runs in O(n^2) time, while FFT versions are almost linear
Outline
Traditional cryptography
Statistical attacks
Secret-key encryption
Public-key encryption
Encryption
Scenario:
  Alice wants to send a message (plaintext p) to Bob. The communication channel is insecure and can be eavesdropped
  If Alice and Bob have previously agreed on an encryption scheme (cipher), the message can be sent encrypted (ciphertext c)
Issues:
  What is a good encryption scheme?
  What is the complexity of encrypting/decrypting?
  What is the size of the ciphertext, relative to the plaintext?
  If Alice and Bob have never interacted before, how can they agree on an encryption scheme?
[Figure: plaintext → encrypt → ciphertext → decrypt → plaintext]
Traditional Cryptography
Ciphers were already studied in ancient times
Caesar’s cipher: replace a with d, replace b with e, ..., replace z with c
Caesar’s cipher is an example of a monoalphabetic substitution cipher, which permutes the characters
Armed with simple statistical knowledge, one can easily break a monoalphabetic substitution cipher
  most frequent letters in English: e, t, o, a, n, i, ...
  most frequent digrams: th, in, er, re, an, ...
  most frequent trigrams: the, ing, and, ion, ...
The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi
Statistical Attacks
Armed with statistical knowledge about the plaintext language, one can easily break a monoalphabetic substitution cipher
  Most frequent characters in English: e, t, o, a, n, i, ...
  Most frequent digrams: th, in, er, re, an, ...
  Most frequent trigrams: the, ing, and, ion, ...
The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi
Example (S. Singh, The Code Book, 1999):
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK
Frequency Analysis (1)
We identify the most common characters, digrams and trigrams in the ciphertext
Example: the ciphertext above
First guess: LBO is THE
Frequency Analysis (2)
Assuming LBO represents THE, we replace L with T, B with H, and O with E and get
PCQ VMJYPD THYK TYSE KHXHJXWXV HXV ZCJPE EYPD KHXHJYUXJ THJEE KCPK. CP THE THCMKXPV XPV IYJKT PYDHT, QHEP KHE HXV EPVEV THE TXRE CI SX'XJMI, KHE JCKE XPV EYKKEV THE DJCMPV ZEICJE HYS, KXUYPD: “DJEXT EYPD, ICJ X THCMKXPV XPV CPE PYDHTK Y HXNE ZEEP JEACMPTYPD TC UCM THE IXZREK CI FXKT XDEK XPV THE REDEPVK CI XPAYEPT EYPDK. SXU Y SXEE KC ZCRV XK TC AJXNE X IXNCMJ CI UCMJ SXGEKTU?”
EFYRCDME, TXREK IJCS THE THCMKXPV XPV CPE PYDHTK
Decryption
Code:
  ciphertext letter:  X Z A V O I D B Y G E R S P C F H J K L M N Q T U W
  plaintext letter:   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext:
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK
Plaintext:
Now during this time Shahrazad had borne King Shahriyar three sons. On the thousand and first night, when she had ended the tale of Ma'aruf, she rose and kissed the ground before him, saying: “Great King, for a thousand and one nights I have been recounting to you the fables of past ages and the legends of ancient kings. May I make so bold as to crave a favour of your majesty?”
Epilogue, Tales from the Thousand and One Nights
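Added example, not part of the slides: the counting behind the Frequency Analysis slides, run on the Singh ciphertext quoted above, together with the substitution table of the Decryption slide applied to it. The ciphertext and the table are the slides’ own; the helper names are mine, and the curly quotes of the slide are written as straight quotes in the string.

```python
"""Added example (not from the slides): frequency analysis of the slides' ciphertext.

Counts single letters, digrams and trigrams inside words, decrypts with a partial
table (the LBO -> THE guess of the slides) and with the full table of the
Decryption slide.  Punctuation is ignored when counting and passed through when
decrypting.
"""
from collections import Counter

CIPHERTEXT = """PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: "DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?"
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK"""

# Decryption slide: ciphertext letter (top row) for each plaintext letter A..Z (bottom row)
CIPHER_ALPHABET = "XZAVOIDBYGERSPCFHJKLMNQTUW"
PLAIN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DECRYPT = dict(zip(CIPHER_ALPHABET, PLAIN_ALPHABET))   # cipher letter -> plain letter

def words(text):
    """Words of the text with everything but A-Z stripped (punctuation does not count)."""
    return ["".join(ch for ch in w if "A" <= ch <= "Z") for w in text.split()]

def letter_counts(text):
    """Counter of single letters; most_common() lists the candidates for E, T, A, ..."""
    return Counter(ch for w in words(text) for ch in w)

def ngram_counts(text, k):
    """Counter of k-grams occurring inside words (digrams for k = 2, trigrams for k = 3)."""
    counts = Counter()
    for w in words(text):
        for i in range(len(w) - k + 1):
            counts[w[i:i + k]] += 1
    return counts

def decrypt(text, table=DECRYPT):
    """Apply a (possibly partial) substitution table; unmapped characters pass through."""
    return "".join(table.get(ch, ch) for ch in text)

def guess_from_trigram(cipher_trigram, plain_trigram):
    """Partial table from one guess, e.g. LBO -> THE, as on the Frequency Analysis slides."""
    return dict(zip(cipher_trigram, plain_trigram))

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(6))
    print(ngram_counts(CIPHERTEXT, 2).most_common(5))
    print(ngram_counts(CIPHERTEXT, 3).most_common(5))      # XPV (AND) leads, then LBO, YPD
    print(decrypt(CIPHERTEXT, guess_from_trigram("LBO", "THE"))[:60])
    print(decrypt(CIPHERTEXT)[:60])
```

In this short sample the most frequent trigram is XPV (AND), not LBO (THE): on a text this size the counts are only a guide, and the slides’ first guess still has to be confirmed by the digrams and by the readability of the partial decryption.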
Secret-Key Encryption
A secret-key cipher uses a unique key K to encrypt and decrypt
Caesar’s generalized cipher uses the modular addition of each character (viewed as an integer) with the key:
  C[i] = (P[i] + K) mod m
  P[i] = (C[i] − K) mod m
More secure secret-key encryption schemes have been devised in this century
Examples: DES, 3DES, IDEA, BLOWFISH
With private-key encryption, a distinct secret key must be established for every pair of parties
Public-Key Encryption
Bob uses a pair of keys (K_E, K_D) and
  makes key K_E public
  keeps key K_D private
Anyone can use the public key K_E to encrypt a plaintext into a ciphertext sent to Bob
Only Bob can decrypt the ciphertext using the private key K_D
The most popular encryption scheme is RSA, named after its inventors Rivest, Shamir, and Adleman (1978)
The RSA patent expired in 2000
[Figure: plaintext → encrypt (public key) → ciphertext → decrypt (private key) → plaintext]
RSA Cryptosystem
Outline
Euler’s theorem (§10.1.3)
RSA cryptosystem (§10.2.3)
  Definition
  Example
  Security
  Correctness
Algorithms for RSA
  Modular power (§10.1.4)
  Modular inverse (§10.1.5)
  Randomized primality testing (§10.1.6)
RSA Cryptosystem
Setup:
  n = pq, with p and q primes
  e relatively prime to φ(n) = (p − 1)(q − 1)
  d = inverse of e in Z_{φ(n)}
Keys:
  Public key: K_E = (n, e)
  Private key: K_D = d
Encryption: Plaintext M in Z_n
  C = M^e mod n
Decryption:
  M = C^d mod n
Example
Setup: p = 7, q = 17, n = 7·17 = 119, φ(n) = 6·16 = 96, e = 5, d = 77
Keys: public key: (119, 5), private key: 77
Encryption: M = 19, C = 19^5 mod 119 = 66
Decryption: C = 66, M = 66^77 mod 119 = 19
Complete RSA Example
Setup: p = 5, q = 11, n = 5·11 = 55, φ(n) = 4·10 = 40, e = 3, d = 27 (3·27 = 81 = 2·40 + 1)
Encryption: C = M^3 mod 55
Decryption: M = C^27 mod 55
  M    1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18
  C    1   8  27   9  15  51  13  17  14  10  11  23  52  49  20  26  18   2
  M   19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36
  C   39  25  21  33  12  19   5  31  48   7  24  50  36  43  22  34  30  16
  M   37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53  54
  C   53  37  29  35   6   3  32  44  45  41  38  42   4  40  46  28  47  54
Security
The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers
The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored
The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers
In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits)
In 1999, a 512-bit number was factored in 4 months using the following computers:
  160 175-400 MHz SGI and Sun
  8 250 MHz SGI Origin
  120 300-450 MHz Pentium II
  4 500 MHz Digital/Compaq
Estimated resources needed to factor a number within one year
  Bits    PCs        Memory
  430     1          128MB
  760     215,000    4GB
  1,020   342·10^6   170GB
  1,620   1.6·10^15  120TB
Correctness
We show the correctness of the RSA cryptosystem for the case when the plaintext M is relatively prime with n (the case in which Euler’s theorem applies)
Namely, we show that (M^e)^d mod n = M
Since ed mod φ(n) = 1, there is an integer k such that ed = kφ(n) + 1
Since M is relatively prime with n, by Euler’s theorem we have M^{φ(n)} mod n = 1
Thus, we obtain
  (M^e)^d mod n = M^{ed} mod n = M^{kφ(n)+1} mod n = M·M^{kφ(n)} mod n = M·(M^{φ(n)})^k mod n = M·(M^{φ(n)} mod n)^k mod n = M·1^k mod n = M mod n = M
See the book for the proof of correctness in the case when the plaintext M shares a factor with n
Algorithmic Issues
The implementation of the RSA cryptosystem requires various algorithms
Overall: Representation of integers of arbitrarily large size and arithmetic operations on them
Encryption: Modular power
Decryption: Modular power
Setup:
  Generation of random numbers with a given number of bits (to generate candidates p and q)
  Primality testing (to check that candidates p and q are prime)
  Computation of the GCD (to verify that e and φ(n) are relatively prime)
  Computation of the multiplicative inverse (to compute d from e)
Modular Power
The repeated squaring algorithm speeds up the computation of a modular power a^p mod n
Write the exponent p in binary: p = p_{b−1} p_{b−2} … p_1 p_0
Start with Q_1 = a^{p_{b−1}} mod n
Repeatedly compute Q_i = ((Q_{i−1})^2 mod n)·a^{p_{b−i}} mod n
We obtain Q_b = a^p mod n
The repeated squaring algorithm performs O(log p) arithmetic operations
Example: 3^18 mod 19 (18 = 10010 in binary)
  Q_1 = 3^1 mod 19 = 3
  Q_2 = (3^2 mod 19)·3^0 mod 19 = 9
  Q_3 = (9^2 mod 19)·3^0 mod 19 = 81 mod 19 = 5
  Q_4 = (5^2 mod 19)·3^1 mod 19 = (25 mod 19)·3 mod 19 = 18 mod 19 = 18
  Q_5 = (18^2 mod 19)·3^0 mod 19 = 324 mod 19 = (17·19 + 1) mod 19 = 1
  p_{5−i}       1   0   0   1   0
  3^{p_{5−i}}   3   1   1   3   1
  Q_i           3   9   5  18   1
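Added example (not code from the slides): repeated squaring written to return the slide’s Q_i trace, so the computation of 3^18 mod 19 can be reproduced step by step; the function names are mine.

```python
"""Added example (not from the slides): repeated squaring with the slides' Q_i trace.

The exponent p is scanned from its most significant bit: Q_1 = a^(p_(b-1)) mod n and
Q_i = ((Q_(i-1))^2 mod n) * a^(p_(b-i)) mod n, so that Q_b = a^p mod n after
b = number of bits of p steps, i.e. O(log p) multiplications.
"""

def modpow_trace(a, p, n):
    """Return (a^p mod n, [Q_1, ..., Q_b]) by repeated squaring, for p >= 1."""
    bits = bin(p)[2:]                    # p_(b-1) ... p_0, most significant bit first
    q = pow(a, int(bits[0]), n)          # Q_1 = a^(p_(b-1)) mod n (the leading bit is 1)
    trace = [q]
    for bit in bits[1:]:                 # i = 2 .. b
        q = q * q % n                    # (Q_(i-1))^2 mod n
        if bit == "1":
            q = q * a % n                # times a^(p_(b-i)), which is a when the bit is 1
        trace.append(q)
    return q, trace

def modpow(a, p, n):
    """a^p mod n without the trace, also handling p = 0 (result 1 mod n)."""
    return modpow_trace(a, p, n)[0] if p > 0 else 1 % n

if __name__ == "__main__":
    result, qs = modpow_trace(3, 18, 19)    # 18 = 10010 in binary, so b = 5 steps
    print(qs, result)                        # [3, 9, 5, 18, 1] 1
```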
Modular Inverse
Theorem: Given positive integers a and b, let d be the smallest positive integer such that d = ia + jb for some integers i and j. We have d = gcd(a, b)
Example: a = 21, b = 15, d = 3, i = 3, j = −4: 3 = 3·21 + (−4)·15 = 63 − 60 = 3
Given positive integers a and b, the extended Euclid’s algorithm computes a triplet (d, i, j) such that d = gcd(a, b) and d = ia + jb
To test the existence of and compute the inverse of x ∈ Z_n, we execute the extended Euclid’s algorithm on the input pair (x, n). Let (d, i, j) be the triplet returned: d = ix + jn
  Case 1: d = 1. Then i is the inverse of x in Z_n
  Case 2: d > 1. Then x has no inverse in Z_n
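Added example (not code from the slides) covering Euclid’s GCD algorithm, the extended Euclid’s algorithm of this slide and the two cases for the inverse in Z_n; the function names are mine, and the triplet returned for (21, 15) is one valid (d, i, j), not necessarily the slide’s (3, 3, −4).

```python
"""Added example (not from the slides): Euclid's GCD, extended Euclid and modular inverses.

euclid_gcd applies gcd(a, b) = gcd(b, a mod b) as in algorithm EuclidGCD; ext_gcd
returns (d, i, j) with d = gcd(a, b) = i*a + j*b; inverse(x, n) runs ext_gcd on
(x, n) and applies Case 1 / Case 2 of the Modular Inverse slide.
"""

def euclid_gcd(a, b):
    """gcd(a, b) by repeatedly applying gcd(a, b) = gcd(b, a mod b)."""
    while b != 0:
        a, b = b, a % b
    return a

def ext_gcd(a, b):
    """Return (d, i, j) with d = gcd(a, b) and d = i*a + j*b.

    If (d, i1, j1) solves the pair (b, a mod b), then because
    a mod b = a - (a // b) * b we get d = j1*a + (i1 - (a // b)*j1)*b.
    """
    if b == 0:
        return a, 1, 0
    d, i1, j1 = ext_gcd(b, a % b)
    return d, j1, i1 - (a // b) * j1

def inverse(x, n):
    """Multiplicative inverse of x in Z_n, or None when gcd(x, n) != 1 (Case 2)."""
    d, i, _ = ext_gcd(x % n, n)
    if d != 1:
        return None              # Case 2: x and n are not relatively prime
    return i % n                 # Case 1: i*x + j*n = 1, so i*x mod n = 1

if __name__ == "__main__":
    print(euclid_gcd(412, 260))  # 4
    print(ext_gcd(21, 15))       # a triplet (3, i, j) with 3 = i*21 + j*15
    print(inverse(5, 96))        # 77, the private exponent d of the RSA example (n = 119)
    print(inverse(4, 10))        # None
```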
Pseudoprimality Testing
The number of primes less than or equal to n is about n / ln n
Thus, we expect to find a prime among O(b) randomly generated numbers with b bits each
Testing whether a number is prime (primality testing) is believed to be a hard problem
An integer n ≥ 2 is said to be a base-x pseudoprime if x^{n−1} mod n = 1 (Fermat’s little theorem)
Composite base-x pseudoprimes are rare: A random 100-bit integer is a composite base-2 pseudoprime with probability less than 10^{−13}
The smallest composite base-2 pseudoprime is 341
Base-x pseudoprimality testing for an integer n: Check whether x^{n−1} mod n = 1. Can be performed efficiently with the repeated squaring algorithm
Randomized Primality Testing
Compositeness witness function witness(x, n) with error probability q for a random variable x:
  Case 1: n is prime. witness(x, n) = false
  Case 2: n is composite. witness(x, n) = false with probability q < 1
Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating witness(x, n)
A variation of base-x pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm)
Algorithm RandPrimeTest(n, k)
  Input: integer n, confidence parameter k and composite witness function witness(x, n) with error probability q
  Output: an indication of whether n is composite or prime, with error probability at most 2^{−k}
  t ← k / log2(1/q)
  for i ← 1 to t
    x ← random()
    if witness(x, n) = true
      return “n is composite”
  return “n is prime”
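Added example (not code from the slides): the base-x pseudoprimality test of the previous slide, a Rabin-Miller compositeness witness function, and RandPrimeTest with t = k / log2(1/q) rounds. The witness implementation is the standard strong test, which the slides only name; the functions and the default q = 1/4 (the standard bound for this witness) are my assumptions.

```python
"""Added example (not from the slides): base-x pseudoprimality and the Rabin-Miller witness.

fermat_pseudoprime(n, x) is the slides' test x^(n-1) mod n == 1; it accepts the
composite 341 for x = 2.  rabin_miller_witness(x, n) is the strong test used as the
compositeness witness function (error probability q <= 1/4 per random x), so
rand_prime_test runs t = k / log2(1/q) = k/2 rounds for confidence 2^-k.
"""
import math
import random

def fermat_pseudoprime(n, x):
    """True when n is a base-x pseudoprime (x^(n-1) mod n == 1), n >= 2."""
    return pow(x, n - 1, n) == 1

def rabin_miller_witness(x, n):
    """Return True when x proves the odd n >= 3 composite; False otherwise.

    Write n - 1 = 2^s * d with d odd.  For prime n the sequence x^d, x^(2d), ...
    either starts at 1 or hits n - 1 before reaching 1; anything else exposes a
    non-trivial square root of 1 (or x^(n-1) != 1), so n cannot be prime.
    """
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    y = pow(x, d, n)
    if y == 1 or y == n - 1:
        return False
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
    return True

def rand_prime_test(n, k, q=0.25, witness=rabin_miller_witness, rng=random):
    """RandPrimeTest(n, k): 'composite' or 'prime', wrong with probability at most 2^-k."""
    if n < 2:
        return "composite"
    if n in (2, 3):
        return "prime"
    if n % 2 == 0:
        return "composite"
    t = math.ceil(k / math.log2(1 / q))
    for _ in range(t):
        x = rng.randrange(2, n - 1)          # random x in 2 .. n-2
        if witness(x, n):
            return "composite"
    return "prime"

if __name__ == "__main__":
    print(fermat_pseudoprime(341, 2), rabin_miller_witness(2, 341))   # True True
    print(rand_prime_test(341, 20), rand_prime_test(97, 20))           # composite prime
```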
Outline and Reading
Digital signatures
  Definition (§10.2.2)
  RSA signature and verification (§10.2.3)
One-way hash functions
  Definition (§10.3.1)
  Applications (§10.3.2)
Key distribution
  Certificates (§10.3.5)
  Revocation (§10.3.5)
Digital Signature
A digital signature is a string S associated with a message M and the author A of M that has the following properties
  Integrity: S establishes that M has not been altered
  Nonrepudiation: S unequivocally identifies the author A of M and proves that A did indeed sign M
A digital signature scheme provides algorithms for
  Signing a message by the author
  Verifying the signature of a message by the reader
A recently passed law in the US gives digital signatures the same validity as handwritten signatures
A public-key cryptosystem yields a digital signature scheme provided encrypt(K_E, decrypt(K_D, M)) = M
Signature: Alice (author) computes S = decrypt(K_D, M) using her private key K_D and sends the pair (M, S) to Bob
Verification: Bob (reader) computes M′ = encrypt(K_E, S) using Alice’s public key K_E and checks that M′ = M
RSA Digital Signature
Setup:
  n = pq, with p and q primes
  e relatively prime to φ(n) = (p − 1)(q − 1)
  d = inverse of e in Z_{φ(n)}
Keys:
  Public key: K_E = (n, e)
  Private key: K_D = d
Signature: Message M in Z_n
  Signature S = M^d mod n
Verification: Check that M = S^e mod n
Example
Setup: p = 5, q = 11, n = 5·11 = 55, φ(n) = 4·10 = 40, e = 3, d = 27 (3·27 = 81 = 2·40 + 1)
Keys: Public key: K_E = (55, 3), Private key: K_D = 27
Signature: M = 51, S = 51^27 mod 55 = 6
Verification: S^e = 6^3 mod 55 = 216 mod 55 = 51
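Added example (not code from the slides) for the RSA Cryptosystem, Complete RSA Example and RSA Digital Signature slides: key setup from p, q and e, encryption, decryption, signing and verification, checked against the slides’ numbers (119, 5, 77) and (55, 3, 27). The modular inverse uses Python’s pow(e, -1, phi) (Python 3.8+); function names are mine.

```python
"""Added example (not from the slides): RSA setup, encryption/decryption and signatures.

n = pq, phi = (p-1)(q-1), d = e^-1 in Z_phi.  Encryption is C = M^e mod n,
decryption M = C^d mod n; a signature is S = M^d mod n and is verified by
checking M = S^e mod n.  encryption_table also verifies decryption for every M in
Z_n, including the M that share a factor with n (e.g. M = 5, 11 for n = 55).
"""
from math import gcd

def rsa_setup(p, q, e):
    """Return ((n, e), d) from primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)            # inverse of e in Z_phi, so e*d = k*phi + 1
    return (n, e), d

def encrypt(public_key, m):
    """C = M^e mod n for a plaintext M in Z_n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be in Z_n")
    return pow(m, e, n)

def decrypt(public_key, d, c):
    """M = C^d mod n."""
    n, _ = public_key
    return pow(c, d, n)

def sign(public_key, d, m):
    """S = M^d mod n: the signature is the 'decryption' of M with the private key."""
    n, _ = public_key
    return pow(m, d, n)

def verify(public_key, m, s):
    """Check M = S^e mod n."""
    n, e = public_key
    return pow(s, e, n) == m % n

def encryption_table(public_key, d):
    """{M: C} for every M in Z_n, checking on the way that decryption recovers M."""
    n, _ = public_key
    table = {}
    for m in range(n):
        c = encrypt(public_key, m)
        if decrypt(public_key, d, c) != m:
            raise AssertionError("decryption failed for M = %d" % m)
        table[m] = c
    return table

if __name__ == "__main__":
    pk, d = rsa_setup(7, 17, 5)
    print(pk, d, encrypt(pk, 19), decrypt(pk, d, 66))     # (119, 5) 77 66 19
    pk, d = rsa_setup(5, 11, 3)
    print(pk, d, sign(pk, d, 51), verify(pk, 51, 6))      # (55, 3) 27 6 True
    print([encryption_table(pk, d)[m] for m in range(1, 19)])
```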
One-Way Hash Function
A one-way hash function is a function H with the following properties
  H maps a string M of arbitrary length into an integer f = H(M) with a fixed number of bits, called the fingerprint or digest of M
  H can be computed efficiently
  Given an integer f, it is computationally infeasible to find a string M such that H(M) = f
  Given a string M, it is computationally infeasible to find another string M′ such that H(M) = H(M′) (collision resistance)
  It is computationally infeasible to find two strings M and M′ such that H(M) = H(M′) (strong collision resistance)
Two widely used one-way hash functions are
  MD5 (Message Digest 5, 1992), which uses a 128-bit (16 bytes) fingerprint
  SHA-1 (Secure Hash Algorithm 1, 1995), which uses a 160-bit (20 bytes) fingerprint
Coin Flipping Over the Net
Alice and Bob want to flip a random coin by communicating over the internet
The following protocol, based on a one-way hash function H, ensures the fairness of the outcome
  Alice picks a random integer x, computes the fingerprint f = H(x) and sends f to Bob
  Bob sends to Alice his guess of whether x is odd or even
  Alice announces the result of the coin flip: heads if Bob has guessed correctly and tails otherwise
  Alice sends to Bob integer x as a proof of the outcome of the flip
  Bob verifies that f = H(x)
Because of the strong-collision resistance property, it is computationally infeasible for Alice to cheat
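Added example (not code from the slides) running the coin-flipping protocol for both sides, step by step as listed above. H is assumed to be SHA-256 from hashlib (the slides name MD5 and SHA-1 as examples of one-way hash functions, not a specific choice for this protocol); the class and function names are mine.

```python
"""Added example (not from the slides): the hash-based coin-flipping protocol, both sides.

Alice commits to x by sending f = H(x) before hearing Bob's guess, so changing x
afterwards would require a second preimage of f.  Bob accepts only if the revealed
x matches the commitment and the announced result is consistent with his guess.
"""
import hashlib
import secrets

def fingerprint(x):
    """f = H(x) over the decimal encoding of the integer x (H assumed to be SHA-256)."""
    return hashlib.sha256(str(x).encode()).hexdigest()

class Alice:
    def __init__(self, x=None):
        self.x = secrets.randbelow(2**128) if x is None else x   # step 1: random integer x

    def commit(self):
        return fingerprint(self.x)                               # step 1: send f = H(x)

    def announce(self, bob_guess_even):
        """Step 3: heads if Bob guessed the parity of x correctly, tails otherwise."""
        return "heads" if bob_guess_even == (self.x % 2 == 0) else "tails"

    def reveal(self):
        return self.x                                            # step 4: send x

class Bob:
    def __init__(self, guess_even=None):
        self.guess_even = (secrets.randbelow(2) == 0) if guess_even is None else guess_even
        self.f = None

    def receive_commitment(self, f):
        self.f = f

    def verify(self, x, announced):
        """Step 5: check f = H(x) and that the announced result matches the revealed x."""
        if fingerprint(x) != self.f:
            return False
        expected = "heads" if self.guess_even == (x % 2 == 0) else "tails"
        return expected == announced

def run_protocol(alice, bob):
    """Run the exchange; return (announced result, accepted by Bob)."""
    bob.receive_commitment(alice.commit())       # step 1
    result = alice.announce(bob.guess_even)      # steps 2 and 3
    return result, bob.verify(alice.reveal(), result)   # steps 4 and 5

def cheating_alice_detected(x_committed, x_revealed, guess_even):
    """Alice commits to x_committed but reveals x_revealed != x_committed: Bob rejects."""
    bob = Bob(guess_even)
    bob.receive_commitment(fingerprint(x_committed))
    announced = "heads" if guess_even == (x_revealed % 2 == 0) else "tails"
    return not bob.verify(x_revealed, announced)

if __name__ == "__main__":
    print(run_protocol(Alice(), Bob()))          # e.g. ('tails', True)
    print(cheating_alice_detected(42, 43, True))  # True
```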
Digitally Signed Fingerprints
In the RSA digital signature scheme with modulus n, the message to be signed must be an integer in Z_n, i.e., the message should have at most b = log n bits
To overcome the above restriction on the message length, we can use the fingerprint f = H(M) of the message instead of the message itself, where H is a one-way hash function
  Alice computes first f = H(M) and then the signature S of f
  Bob first computes f = H(M) and then verifies S
Since the one-way hash function H has the collision-resistance property, it is computationally infeasible to modify the message M while preserving the signature of the fingerprint f = H(M)
[Figure: message M → one-way hash → fingerprint f = H(M) → sign → signature S = f^d mod n]
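Added example (not code from the slides): signing the fingerprint f = H(M) with RSA, with H = SHA-1 from hashlib (one of the two functions the slides name). The key is constructed here from the Mersenne primes 2^127 − 1 and 2^89 − 1 with e = 65537, an assumption of mine so that n has about 216 bits and every 160-bit fingerprint lies in Z_n; the function names are mine.

```python
"""Added example (not from the slides): RSA signature over the fingerprint f = H(M).

The raw message may not fit in Z_n (fits_in_zn shows the restriction); its SHA-1
fingerprint always does with this key, so Alice signs f and Bob recomputes f from
the message he received and checks f = S^e mod n.
"""
import hashlib

P = 2**127 - 1                      # prime (Mersenne), constructed key material
Q = 2**89 - 1                       # prime (Mersenne)
E = 65537
N = P * Q                           # about 216 bits
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # inverse of e in Z_phi (Python 3.8+)

def fingerprint(message):
    """f = H(M) as an integer: the 160-bit SHA-1 digest of the message bytes."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def fits_in_zn(message, n=N):
    """True when the raw message, read as an integer, is itself in Z_n.

    Only such messages could be signed directly with S = M^d mod n; this is
    the length restriction the slide describes.
    """
    return int.from_bytes(message, "big") < n

def sign(message, d=D, n=N):
    """Alice: S = f^d mod n with f = H(M)."""
    f = fingerprint(message)
    if f >= n:
        raise ValueError("fingerprint does not fit in Z_n")
    return pow(f, d, n)

def verify(message, signature, e=E, n=N):
    """Bob: recompute f = H(M) and check f = S^e mod n."""
    return pow(signature, e, n) == fingerprint(message)

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed sample message
    s = sign(msg)
    print(verify(msg, s), verify(b"transfer 900 to account 42", s))   # True False
    print(fits_in_zn(msg), fits_in_zn(b"x" * 100))                    # True False
```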
Certificates
Public-key cryptography is based on the knowledge by each participant of the public key of the other participants
It is complicated to securely distribute the public keys of all the participants
A certificate is a message of the type (name, public key) signed by a third party
Public-key infrastructure (PKI)
  An entity trusted by all the participants, called certification authority (CA), issues to each participant a certificate (Name, K_E) that authoritatively binds the participants to their public keys
  Only the CA’s public key needs to be distributed securely
  Before sending an encrypted message to Bob or verifying a message digitally signed by Bob, Alice determines Bob’s public key K_E by using Bob’s certificate (Bob, K_E)
Web Server Certificates
A Web server certificate is used to authenticate the public key of a Web server
Fields of a Web server certificate:
  Serial number
  Hash and signature schemes (e.g., MD5 and RSA)
  Issuer (certification authority)
  Period of validity (from, to)
  Subject (URL and organization)
  Public key
The SSL (secure socket layer) protocol uses Web server certificates to provide encryption and authentication in a secure Web connection (https)
Certificate Revocation
In certain circumstances, a certificate may have to be revoked before its expiration date:
  The private key of the subject has been compromised
  The certificate was incorrectly issued by the CA
Certificate Revocation List (CRL)
  Time-stamped list of all the unexpired certificates that have been revoked by the CA
  Periodically published and signed by the CA
When presented with a certificate, one should
  Verify the CA’s signature on the certificate
  Check that the certificate has not been revoked by searching in the latest available CRL
By default, Web browsers do not check the revocation status of a Web server certificate, which poses a security risk