Cryptography: Algorithms on Numbers
description
Transcript of Cryptography: Algorithms on Numbers
![Page 1: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/1.jpg)
Cryptography: Algorithms on Numbers
![Page 2: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/2.jpg)
2
A Typical Setting
Encoder Decoder
Alice Bob
Eve
x x = d(e(x))e(x)
Goal: Design e() and d() so that without knowing d(), e(x) gives away very little information
Encryption Function e: <messages> <encoded messages>Decryption Function d: <encoded messages> <messages>
![Page 3: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/3.jpg)
3
Codes in History
405 BC: the Greek general LYSANDER OF
SPARTA was sent a coded message about an
impending Persian attack written on the inside
of a servant's belt. To decipher it, it had to be
wound on a staff (scytale). The spartans were
forewarned, and defeated the persians
Caeser’s cipher: message sent by Caeser to
Cicero during Gallic Wars
![Page 4: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/4.jpg)
4
Codes in History
1586 AD: Mary, Queen of Scotts
tried for plotting against Queen
Elizabeth of England
As evidence, Francis Walsingham
presented encrypted letters written
by Mary, supporting the plot.
![Page 5: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/5.jpg)
5
Codes in History: World War I
Jan 1917: Telegram sent by Arthur
Zimmerman, foreign secretary of
Germany: asking Mexican govt. to
attach United States
Feb 1917: Message was decoded by
British Intelligence and delivered to
president Woodrow Wilson
April 1917: US declares war on
Germany
![Page 6: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/6.jpg)
6
Codes in History: World War II
Enigma: GermanEncryption machine
Bombe: decryption machineBuilt by British Intelligence
Blechtley park: centerof British Intelligence
German submarine locations were communicated by encrypted messages using EnigmaMade it easy for Allied forces to destroy German submarines
Alan Turing: contributed significantly to Allied cryptography effort
![Page 7: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/7.jpg)
7
Secret Writing
Steganography: steganos=covered, graphein=to write (Chinese) hidden messages on silk, covered in wax (Italy) write message on hard boiled egg that penetrates and stays on the albumen Invisible ink that shows up on heating
Cryptography: kryptos=hidden, graphein=to write
![Page 8: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/8.jpg)
8
Private Key Protocols
![Page 9: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/9.jpg)
9
Private-Key Protocol
Alice and Bob meet beforehand and choose secret e() and d() functionsDisadvantage: Need to meet beforehand
Example:Choose secret string r, e.g. r=01110010
Encryptione(x) = x re.g. : e(11110000) = 11110000 01110010 = 10000010
Decryptiond(y) = y re.g.: d(10000010) = 10000010 01110010 = 11110000
Problem:e(x) e(x’) = (x r) (x r) = (x x’)Some information can come out by repeated use
![Page 10: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/10.jpg)
10
Private-Key Protocol: AES
Advanced Encryption Standard
(AES) Also known as Rijndael Block Cipher Developed by Belgian
mathematicians Vincent Rijmen
Joan Daemen Approved by the US Govt. in 2001 Repeated use possible Security not rigorously
established..
![Page 11: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/11.jpg)
11
Visual Cryptography
original
Share 1
Share 2 Share 3 Share 4
![Page 12: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/12.jpg)
12
Visual Cryptography
Shares 1, 2 Shares 1,3
Shares 3,4
![Page 13: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/13.jpg)
13
Public Key Protocol
Bob’s padlock (publicly available)
![Page 14: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/14.jpg)
14
Public Key Cryptosystems: RSA
Alice encrypts using Bob’s publicly available key e() Bob decodes using his private function d() Alice, Bob need not have met before Computation easy if e() and d() known
-----BEGIN PGP PUBLIC KEY BLOCK-----Version: 2.6.2
mQCNAzKEgQgAAAEEALoDOnC4PKs4+G5LBXm5aP4djv56wm9kOCzpk4eEcpm0jNtlIKyuAf1EXauFVCFSCri11hwUCXm5kv4x5bNYyE6NqxY29G9VU4Niwmt7L8dGIqHukS4FXcufA6sSMfoM8+oIzOv8d18dYhyf4PvAyl43EPgne/pw1c4T3nOFCCzVAAURtClEb25hbGQgQSBXYXRyb3VzIDx3YXRyb3VzQGNzLnJ1dGdlcnMuZWR1PokAlQMFEDLWfyakXBby1t0uxQEBRNYD/jbc7ujRpCSI6uVLdDprzaYiCMgAajLyK53zrMrEOj+zURDIMRVtPT2ugVHPUQFoXRMaXKi0IacI2WjetgHgaCwzra2swVj1sp2sFbr19bhDzTlf6gosbcmXcRzhGC76jVowphSfw6KN3/VAYyBxI/RtkDN/dKLrRDnniGSOM6X7iQCVAwUQMoSKmM4T3nOFCCzVAQE7dAP/SjXFV5XdvRLdjh6NoT2NIsaTceMnmXGsTAk4OM6DQztlM822uru9d0PoeTBu4som50T3C4BS6S54h7QoThwo96s0lgz7ljcQozW1fKMSGVD+BQ5DO81DNnsZeT48OEZueUEzrMiazPMrlpkZNf1meD1A2JvIThxQ3V71HwUvu5Q==i41f-----END PGP PUBLIC KEY BLOCK-----
![Page 15: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/15.jpg)
15
Rivest-Shamir-Adleman (RSA) Cryptosystem
Need the following tools Modular arithmetic Euclid’s algorithm Primality testing Generating random primes
![Page 16: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/16.jpg)
16
Two’s complement method for storing signed integers
n-bits used to represent numbers in the range [-2n-1,2n-1-1] Storing positive numbers in the range 0 to 2n-1-1: in regular binary with leading bit 0 Storing negative numbers -x with 1 ≤ x ≤ 2n-1:
Construct x in binary Flip all bits of x Add 1
Equivalent description: Store modulo 2n
Negative numbers get stored as 2n - x = 2n-1 - x + 1 Example: n=4
(5)10 = (0101)2
-5 stored as 1010+1 = 1011 Equivalently: 1111 - 0101 + 1 = 1010 + 1
![Page 17: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/17.jpg)
17
Integer Multiplication
1 3X 1 1
1 31 3
1 4 3
1 1 0 1X 1 0 1 1
(13)2
(11)2
1 1 0 1 1 1 0 1 0 0 0 0 1 1 0 1
1 0 0 0 1 1 1 1 (143)2
Time Complexity• Each row has n bits• n rows• O(n2) time
![Page 18: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/18.jpg)
18
Al-Khwarizmi’s method
Write #s next to each other Divide first # by 2, multiply
second by 2, rounding the result Keep going till first # gets down to
1 Strike out all rows in which first #
is even Add what remains in column 2
1 1 13
5 26
2 52
1 104
143
Combination of Binary and Decimal!
![Page 19: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/19.jpg)
19
Al-Khwarizmi’s method
Multiply (x,y)
Input: two n-bit #s x,y
Output: their product
If y=0, return 0 z = Multiply (x, y/2) If y is even return 2z Else return x+2z
Running Time Each recursive call halves y #bits
reduces by 1 O(n) recursive calls Each recursive call:
Division by 2: O(n) steps Test for odd/even: O(1) One addition: O(n) O(n) per recursive call
Recursive algorithm
Still O(n2) time overall
Can we muliply faster?Divide-and-Conquer approach givesa o(n2) time algorithm
![Page 20: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/20.jpg)
20
Integer Division
Divide(x,y)
Input: n-bit integers x,y, with y≥ 1
Output: Quotient q and remainder r
of x divided by y If x=0: return (q,r) = (0,0) (q,r) = divide(x/2,y) q = 2q, r = 2r If x is odd: r=r+1 If r ≥ y: r = r-y, q = q+1 return (q,r)
Example:
Divide(11,3):
11 = 3· 3 + 2
q = 3, r = 2
(1,2) = divide(5,3)
q = 2, r = 4
11 is odd => r=5
r=5 > 3 => r = 2, q = 3
![Page 21: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/21.jpg)
21
Factorization
Factors and prime numbers
Simplest algorithms for finding factors
![Page 22: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/22.jpg)
22
Prime Numbers
Definition A number a if prime if the only factors it has are 1 and aExamples 6 is not a prime: it has factors 2 and 3
5 is a prime
Checking for primality of number N Naive method: test all numbers 2 ,…, N-1 for factors Suffices to test only up to √N Too slow to do if N has 500 bit - 225 tests to make! Faster method based on Fermat’s theorem
1601-1665
•French lawyer, govt. official, did math in his spare time•Fermat’s last theorem took 357 years to be proved!
![Page 23: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/23.jpg)
23
Modular Arithmetic
Seconds: counted modulo 60Minutes: counted modulo 60Hours: counted modulo 12
Days of the week: counted modulo 7
Keeps numbers from getting too big
Computer Arithmetic: modulo 232
![Page 24: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/24.jpg)
24
Modular Arithmetic
x y (mod N) N divides (x-y)Complexity of computing x (mod N)
Examples: 253 13 (mod 60)59 -1 (mod 60)
Equivalence classes:Modular arithmetic deals with all integers but divides them intoN equivalence classes of the form {i+kN : k is an integer}
Equivalence classes modulo 3:
….. -9 -6 -3 0 3 6 9 …….….. -8 -5 -2 1 4 7 10 …….….. -7 -4 -1 2 5 8 11 ……..
![Page 25: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/25.jpg)
25
Modular Arithmetic
Substitution RuleIf x y (mod N) and x’ y’ (mod N), then:x + x’ y + y’ (mod N), and xx’ yy’ (mod N) Proof?
Example: 14 + 10 (mod 3) 2 + 1 (mod 3) 0 (mod 3)14 · 10 (mod 3) 2 · 1 (mod 3) 2 (mod 3)
Associative rule: x + (y + z) (x + y) + z (mod N) x(yz) (xy)z (mod N)
Commutative rule: x + y y + x (mod N) xy yx (mod N)
Distributive rule: x(y+z) xy + xz (mod N)
Example: (2)345 (25)69 (32)69 (1)69 1 (mod 31)
![Page 26: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/26.jpg)
26
Implementing modular addition and multiplication
Adding x and y mod N Compute x+y {0,..,2(N-1)} If sum exceeds N-1, subtract N Running time O(n), where n = log N
Multiplying x and y mod N Compute x · y {0,…,(N-1)2} Number of bits needed to store x · y ≤ 2n Divide x · y by N to find remainder O(n2) running time
![Page 27: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/27.jpg)
27
Modular Division
Multiplicative inverse in real arithmetic Every number a 0 has an inverse 1/a Example: inverse of 5 is 1/5 = 0.2 Division by number a 0 is equivalent to multiplying by 1/a Example: 10/5 = 10·(1/5) = 10 · (0.2) = 2
Multiplicative inverse modulo N x is the multiplicative inverse of a modulo N if ax 1 (mod N) Example: 2 · 3 1 (mod 5). So (2)-1 = 3 (mod 5) Sometimes there may be no inverse: (2)-1 (mod 6)? For any x, 2x (mod 6) is even - therefore there is no x such that 2x 1 (mod 6)
![Page 28: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/28.jpg)
28
Modular Exponentiation
Common operation: compute xy (mod N) Numbers can become huge:
x, y are 20-bit numbers => xy can be 10 million bits long Can be computed by repeated multiplications
x mod N x2 mod N …. xy mod N Take y multiplications Suppose y is 500 bits long? 2500 multiplications!
![Page 29: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/29.jpg)
29
Repeated Squaring
Modexp(x, y, N)
Input: n-bit integers x and N, and
integer exponent y
Output: xy mod N
If y=0: return 1 z = modexp(x, y/2, N) If y is even: return z2 mod N Else: return x·z2 mod N
Running Time Each recursive call halves the
exponent O(n) multiplications O(n3) time overall
xy =
(xy/2)2, if y is even
x· (xy/2)2, if y is odd
Recursive rule
![Page 30: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/30.jpg)
30
Greatest Common Divisor
Given numbers a, b:gcd(a,b) = largest number d that divides both a and b
Example1035 = 32 · 5· 23, 759 = 3 · 11 · 23gcd( 1035, 759) = 3 · 23 = 69
gcd can be computed by complete factorization, but no efficient algorithm is known for factorization
Euclid’s algorithm: First known algorithmin history
BC 325-265
![Page 31: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/31.jpg)
31
Useful properties for computing gcd
Symmetrygcd(x,y) = gcd(y,x)
Euclid’s RuleIf x, y are positive integers with x ≥ y, thengcd(x,y) = gcd (x mod y, y)
Examplegcd(24, 15) = gcd(23· 3, 3·5) = 3gcd(24 mod 15, 15) = gcd(9, 15) = gcd(32, 3·5) = 3
![Page 32: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/32.jpg)
32
Proof of Euclid’s Rule
Sufficient to show that gcd(x,y) = gcd(x-y, y): Suppose x = qy+r gcd(x,y) = gcd(x-y,y) = gcd(x-2y, y) = … = gcd(x-qy, y)
Suppose d divides x, y Then d divides x-y Therefore, gcd(x,y) ≤ gcd (x-y, y)
Suppose d divides x-y, y Then d divides x, y Therefore, gcd(x-y, y) ≤ gcd(x,y)
Therefore, gcd(x,y) = gcd(x-y, y)
Property: if d divides x,y,then d divides ax+by
![Page 33: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/33.jpg)
33
Euclid’s Algorithm
Euclid(a,b)Input: Integers a,b with a ≥ bOutput: gcd(a,b)
If b=0: return a return Euclid(b, a mod b)
Running Time: Need to know how fast the arguments are reducing
![Page 34: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/34.jpg)
34
Analysis of Euclid’s Algorithm
Lemma: If a ≥ b, then a mod b < a/2Proof:
Case I: b ≤ a/2 Case II: b > a/2a mod b < b ≤ a/2 Then, a mod b = a-b < a/2
Running Time: In two rounds, both arguments are halved #bits reduces by 1 for both arguments Base case reached in ≤ 2n recursive calls Each recursive call: O(n2) time division O(n3) time overall
aa/2b
a mod b
aa/2 b
a mod b
![Page 35: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/35.jpg)
35
Another Useful Property
Lemma: If d divides a and b, and d = ax+by for some integers x and y, then necessarily d = gcd(a,b)Proof Since d divides a and b, d ≤ gcd(a,b)Since gcd(a,b) divides a and b, gcd(a,b) divides ax+by = d gcd(a,b) ≤ dTherefore, gcd(a,b) = d
Example24·2 + 15·(-3) = 3, and 3 divides 24, 15gcd(24, 15) = 3
When can gcd(a,b) be expressed as ax+by?Always!!
![Page 36: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/36.jpg)
36
Extended Euclid’s Algorithm
Extended-euclid(a,b)Input: Positive integers a,b with a ≥ b ≥ 0Output: Integers x, y, d such that d = gcd(a,b) and ax+by=d
If b = 0: return (1,0,a) (x’, y’, d) = Extended-euclid(b, a mod b) return (y’, x’ - a/by’, d)
Example: a = 25, b = 1125 = 2· 11 + 3 gcd(25, 11) = gcd(11,3)11 = 3· 3 + 2 = gcd(3, 2)3 = 1· 2 + 1 = gcd(2, 1)2 = 2· 1 + 0 = gcd(1, 0)
= 1
![Page 37: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/37.jpg)
37
Example (contd.)
25 = 2· 11 + 311 = 3· 3 + 2 3 = 1· 2 + 1 2 = 2· 1 + 0
Extended-euclid(1,0) gives: ( 1, 0, 1)Extended-euclid(2,1) gives: ( 0, 1 - 2·0, 1) = ( 0, 1, 1)Extended-euclid(3,2) gives: ( 1, 0 - 1·1, 1) = ( 1, -1, 1)Extended-euclid(11,3) gives: ( -1, 1 - 3·(-1), 1) = ( -1, 4, 1)Extended-euclid(25,11) gives: ( 4, -1 - 2·4, 1) = (4, -9, 1)
25 · 4 + 11 · (-9) = 1
![Page 38: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/38.jpg)
38
Proof of Extended Euclid’s algorithm
Lemma: For any positive integers a and b, extended-euclid(a,b) returns integers a, y and d such that gcd(a,b) = d = ax + byProof: The computation of gcd is unchanged. So d = gcd(a,b)
Proof by induction on b:
Base case: b=0. Then gcd(a,0)=a = a·1 + b·0Induction: consider extended-euclid(a,b)Since a mod b < b, by induction, we have integers x’, y’ such thatgcd(b, a mod b) = bx’ + (a mod b)y’
= bx’ + (a - a/bb)y’= ay’ + b(x’ - a/by’)
Therefore, gcd(a,b) = gcd(b, a mod b) = ax + by,where x = y’, y = x’ - a/by’
![Page 39: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/39.jpg)
39
Modular Division
Recallx is the multiplicative inverse of a modulo N if ax 1 (mod N)Some times there is no inverse, e.g. (2)-1 (mod 6)
Modular division theorem For any a mod N, a has a multiplicative inverse modulo N if and only if gcd(a,N)=1. When this inverse exists, it can be computed in O(n3) time by the Extended-euclid algorithm.ProofSuppose (a,N)=1 Extended-euclid() algorithm gives us integers a, y s.t. ax + Ny = 1 Therefore, ax 1 (mod N)
Suppose there is an x s.t. ax 1 (mod N). Suppose gcd(a,N) = d. Then ax = Nq + 1 for some integer q d divides ax and Nq. Therefore, d divides 1, i.e., d=1
![Page 40: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/40.jpg)
40
Prime Numbers
Definition A number a if prime if the only factors it has are 1 and aExamples 6 is not a prime: it has factors 2 and 3
5 is a prime
Checking for primality of number N Naive method: test all numbers 2 ,…, N-1 for factors Suffices to test only up to √N Too slow to do if N has 500 bit - 225 tests to make! Faster method based on Fermat’s theorem
1601-1665
•French lawyer, govt. official, did math in his spare time•Fermat’s last theorem took 357 years to be proved!
![Page 41: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/41.jpg)
41
Fermat’s Little Theorem
Theorem (year 1640) If p is a prime, then for every 1 ≤ a < p,ap-1 1 (mod p).
Example p = 524 = 16 1 (mod 5)34 = 92 42 = 16 1 (mod 5)44 = 162 12 = 1 (mod 5)
p=7, a=336 (32)3 23 1 (mod 7)
![Page 42: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/42.jpg)
42
Effect of multiplying by a
p = 7, S = { 1, 2, 3, 4, 5, 6}Multiplying by a=3 has the effect of permuting the elements of S
1
2
3
4
5
6
12
3
45
6
S = { 1, 2, 3, 4, 5, 6} = { 3 · 1 mod 7, 3 · 2 mod 7, 3 · 3 mod 7, 3 · 4 mod 7, 3 · 5 mod 7, 3 · 6 mod 7 }
Multiplying the elements of both sets gives6! 36 · 6! mod 7Dividing by 6! (why can we do this?):36 1 (mod 7)
Can we do this for any p?
![Page 43: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/43.jpg)
43
Proof of Fermat’s Little Theorem
S = { 1, 2, …, p-1}Claim The numbers a · i mod p are distinct for i SProof Suppose a · i a · j mod p. Dividing by a, we have i j mod p
Therefore, S = { a · 1 mod p, a · 2 mod p, … , a · (p-1) mod p }Multiplying the elements of both sets(p-1)! ap-1 (p-1)! mod pDividing by (p-1)!, we get ap-1 1 (mod p)
![Page 44: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/44.jpg)
44
A “factorless” test for Primality
Is aN-1 1 mod N ?PickSome a
Pass
Fail
“prime”
“composite”
Problem Fermat’s test is not an if-and-only-if test Does not say what happens if N is not a prime Example: N=341 = 11·13 is not a prime, but 2340 1 mod 341 2 is a witness for 341 being composite If N is composite, are there a lot of witnesses? True for almost all composite numbers
![Page 45: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/45.jpg)
45
Example
N=928 4 (mod 9)38 0 (mod 9)48 7 (mod 9)58 7 (mod 9)68 0 (mod 9)78 4 (mod 9)88 1 (mod 9)
Algorithm makes a mistake only if it chooses a=8
let A = { a: aN-1 1 (mod N) }If we pick a not in A, aN-1 1 (mod N) : such a number is a “witness” for the non-primality of NHow many witnesses can there be for a composite number?
![Page 46: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/46.jpg)
46
Carmichael Numbers
Definition N is a carmichael number if for every number a < N, we have aN-1 1 (mod N)
Smallest carmichael number: 561 = 3 · 11 · 17Such numbers are exceedingly rare….
For almost all composite numbers, there are enough witnesses
![Page 47: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/47.jpg)
47
Using Fermat’s Little Theorem
Lemma If aN-1 1 mod N for some a relatively prime to N, then it must hold for at least half the choices of a < NProof Fix some value of a such that aN-1 1 mod N. Suppose b < NSatisfies the test, i.e., bN-1 1 mod N. Then, (a·b)N-1 aN-1·bN-1 aN-1 1 mod N
Let S be the set of all b < N that pass the test. Then, all the numbers a · b, where b S, fail the test. These numbers are distinct (why?).
Therefore, ignoring Carmichael numbers, we can assert the following:
If N is prime, then aN-1 1 (mod N) for all a < NIf N is not prime, then aN-1 1 (mod N) for at most half the values of a < N
![Page 48: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/48.jpg)
48
Test for Primality
Primality ( N)Input: Positive integer NOutput: yes/no Pick a positive integer a < N uniformly at random if aN-1 1 (mod N): return yes else: return no
Running Time O(n3)let A = { a: aN-1 1 (mod N) }
PropertyPr[ Primality(N) returns yes when N is prime] = 1Pr[ Primality(N) returns yes when N is not prime] Error
= |A|/(N-1) ≤ 1/2 probability
![Page 49: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/49.jpg)
49
Reducing the error probability
Primality2 (N)Input: Positive integer NOutput: yes/no
Pick positive integers a1, a2, …, ak < N at random If ai
N-1 1 (mod N) for all i=1, …, k:
– return yes Else: return no
Running Time O(kn3)
Pr[ Primality2(N) returns yes when N is not prime] ≤ 1/2k
For k=10, error probability ≤ 0.001
![Page 50: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/50.jpg)
50
RSA Protocol
Bob chooses his public and secret keys Pick two large n-bit random primes p and q His public key is (N,e), where N = pq, and e is any 2n-bit number relatively prime to (p-1)(q-1) His secret key is d = (e)-1 (mod (p-1)(q-1)), computed using Extended-euclid algorithm
Alice wishes to send message x to Bob She looks up his public key (N,e) She sends him y = xe mod N, computed using algorithm modexp
Bob decodes message y He computes x = yd mod N
![Page 51: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/51.jpg)
51
Example: RSA protocol
Let p = 5, q = 11Then, N = 5 · 11 = 55Let e = 3. Then, d = (e)-1 (mod 40) = 27 (mod 40)gcd( e, (p-1)(q-1)) = gcd( 3, 40) = 1
Encryption of message xy = x3 (mod 55)e.g. x = 13Then, y = 133 ( mod 55) 169 · 13 (mod 55)
4 · 13 (mod 55) 52 (mod 55)
Decryption of yx = y27 (mod 55)For y = 52, x = (52)27 mod 55 (-3)27 mod 55 13 mod 55
![Page 52: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/52.jpg)
52
Analyzing RSA
Property: Let p and q be two primes and N=pq. For any e relatively prime to (p-1)(q-1):1. The mapping x xe mod N is a bijection on {0, …, N-1}2. The inverse mapping is simple: let d = (e)-1 mod (p-1)(q-1). Then, for all x {0, …, N-1}: (xe)d x (mod N)
Property 1 every message is encoded in a unique manner - no information is lost
Property 2 decoding possible
![Page 53: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/53.jpg)
53
Proof
Property 2 the map in Prop. 1 is invertible it is a bijection– Suffices to prove property 2
ed 1 mod (p-1)(q-1) ed = 1+k(p-1)(q-1) for some integer k Then, xed - x = x1+k(p-1)(q-1) - x Statement true if x 0 (mod p) and x 0 (mod q) Suppose x 0 (mod p) and x 0 (mod q)
Then, xp-1 1 (mod p) and xq-1 1 (mod q) x1+k(p-1)(q-1) - x 0 (mod p) x1+k(p-1)(q-1) - x 0 (mod q) Therefore, pq=N divides xde - x
Suppose x 0 (mod p). Then x 0 (mod q) x1+k(p-1)(q-1) - x 0 (mod q), as before x1+k(p-1)(q-1) - x 0 (mod p), since p divides x Therefore, N=pq divides xde - x
![Page 54: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/54.jpg)
54
Security of RSA protocol
Given y = xe mod N, and (N,e), how can x be retrieved?
Blind guess? Too many choices Factor N to compute p, q and then find d=(e)-1 mod (p-1)(q-1) Factorization is believed to be hard Small errors in estimation of d can lead to significant # errors
p=5, q=11, N=55 e = 3. Then, d = (e)-1 (mod 40) = 27 (mod 40) Let x=13. Then y = x3 (mod 55) 52 (mod 55), y27 mod 55
13 Suppose d’=25 (slightly incorrect estimate of secret key) y25 mod 55 (-3)25 (-3)6X4+1 (14)4(-3) 32
![Page 55: Cryptography: Algorithms on Numbers](https://reader034.fdocuments.us/reader034/viewer/2022051416/56813c70550346895da602cb/html5/thumbnails/55.jpg)
55
Authentication
Anyone can pretend to be Alice and send a message to Bob Using RSA to authenticate the message: digital signatures