Lecture 14. Encryption
Copyright 2000-2017 Networking Laboratory
T. H. Cormen, C. E. Leiserson and R. L. Rivest
Introduction to Algorithms, 3rd Edition, MIT Press, 2009
Sungkyunkwan University
Hyunseung Choo
Algorithms Networking Laboratory 2/49
Security Risks of Internet Communication
Eavesdropping
Intermediaries listen in on private conversations
Solution: Encryption (public or private-key)
Manipulation
Intermediaries change information in a private communication
Solution: Methods for preserving data integrity (one-way hash functions and Message Authentication Codes (MACs))
Impersonation
A sender or receiver communicates under false ID
Solution: Authentication (digital signature, etc.)

Terminology
A sender (Bob) wants to send a message to a receiver (Alice) securely and wants to make sure no eavesdropper can read the message.
Plaintext – original message
Encryption – process of disguising message to hide its contents
Ciphertext – encrypted message
Decryption – process of turning ciphertext back into plaintext
Cryptography – science of keeping messages secure
Cryptanalysis – science of breaking ciphertext

Background: Number-Theoretic Algorithm
Useful for public-key encryption schemes
Easy to find large primes
Difficult to factor products of large primes

Size of Inputs
Few inputs of large integers
Size of input = #bits
An algorithm with integer inputs $a_1, a_2, \ldots, a_k$ is a polynomial time algorithm if it runs in time polynomial in $\lg a_1, \lg a_2, \ldots, \lg a_k$; i.e., polynomial in the lengths of the binary-encoded inputs

Cost of Operations
Arithmetic on large integers takes time
Cost is measured in terms of bit operations
Multiplying two $\beta$-bit integers takes $\Theta(\beta^2)$ bit operations
Faster methods do exist, but we will use the others in this lecture

Review of Number Theory
$\mathbb{N}$ = set of natural numbers = {0, 1, 2, …}
$\mathbb{Z}$ = set of integers = {…, -2, -1, 0, 1, 2, …}
For two integers d and a, d | a (d divides a) if a = kd for some $k \in \mathbb{Z}$. In this case, a is a multiple of d, and d is a divisor of a (if d >= 0). Every integer divides 0.
Examples: 2 | 8, 3 | 9, 2 | 10
Every integer a has the trivial divisors 1 and a.
Nontrivial divisors are called factors.
Examples: 2 is a factor of 8 and 10, 3 is a factor of 9.
An integer a > 1 with only trivial divisors is a prime number; otherwise, a is a composite. The integers {…, -2, -1, 0, 1} are neither prime nor composite. There are infinitely many prime numbers.

Division Theorem
For any integer a and positive integer n, there are unique integers q and r such that $0 \le r < n$ and a = qn + r
$q = \lfloor a/n \rfloor$ is the ______________ of the division
$r = (a \bmod n)$ is the ______________
$a = \lfloor a/n \rfloor n + (a \bmod n)$ or $a \bmod n = a - \lfloor a/n \rfloor n$
If $(a \bmod n) = (b \bmod n)$, then $a \equiv b \pmod{n}$
Example
22 mod 5
-13 mod 5

Equivalence
If (a mod n) = (b mod n), then a is equivalent to b, modulo n, denoted $a \equiv b \pmod{n}$.
An equivalence class modulo n containing an integer a is $[a]_n = \{a + kn \mid k \in \mathbb{Z}\}$.
Example: if a = 8, n = 3, then q = _, r = _, and some $b \equiv a$ are ______________________________.
The equivalence classes modulo n are
$[0]_3$ = ______________________________ = $[3]_3$ = $[6]_3$
$[1]_3$ = ______________________________
$[2]_3$ = ______________________________

Common Divisors
If d | a and d | b, then d is a common divisor of a and b.
The greatest common divisor gcd(a, b) is the largest such divisor d.
For example, some common divisors of 12 and 18 are 1, 2, 3 and 6. The greatest common divisor of 12 and 18 is 6.
$$\gcd(a, b) = \begin{cases} 0 & \text{if } a = b = 0 \\ |a| & \text{if } a \ne 0,\ b = 0 \\ |b| & \text{if } a = 0,\ b \ne 0 \\ 1 \le x \le \min(|a|, |b|) & \text{otherwise} \end{cases}$$

Euclid’s Theorem
If a and b are any integers, not both zero, then gcd(a,b) is the smallest positive element of the set $\{ax + by : x, y \in \mathbb{Z}\}$ of linear combinations of a and b.
Example: gcd(9, 15) = 3
9x + 15y = 3
x = 2, y = -1

Relative Primes
Two integers a and b are relatively prime if gcd(a, b) = 1.
Integers $n_1, n_2, \ldots, n_k$ are pairwise relatively prime if $\gcd(n_i, n_j) = 1$ for all $i \ne j$.
Example: 8, 9, and 25 are pairwise relatively prime.

Unique Factorization
Theorem 33.7 For all primes p and all integers a and b, if p | ab, then p | a or p | b.
Theorem 33.8 A composite integer a can be written in exactly one way as a product of the form $a = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, where the $p_i$ are prime, $p_1 < p_2 < \cdots < p_r$, and the $e_i$ are positive integers.
Examples:
$255 = 3 \cdot 5 \cdot 17$
$1350 = 2 \cdot 3^3 \cdot 5^2$
$675 = 3^3 \cdot 5^2$

Finding the gcd
Given prime factorizations of positive integers a and b, $a = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, $b = p_1^{f_1} p_2^{f_2} \cdots p_r^{f_r}$, where some $e_i$, $f_i$ may be 0.
Then $\gcd(a, b) = p_1^{\min(e_1, f_1)} p_2^{\min(e_2, f_2)} \cdots p_r^{\min(e_r, f_r)}$.
Example: $\gcd(255, 675) = 3^1 \cdot 5^1 \cdot 17^0 = 3 \cdot 5 = 15$
However, factoring is not a polynomial time algorithm.

Euclid’s Algorithm (1/2)
For any non-negative integer a and any positive integer b, gcd(a, b) = gcd(b, a mod b)
Euclid(a, b)    ; second argument is strictly decreasing
    if b = 0
        then return a
        else return Euclid(b, a mod b)

Euclid’s Algorithm (2/2)
Example
Let a = 2322, b = 654.
2322 = 654 · 3 + 360    gcd(2322, 654) = gcd(654, 360)
654 = 360 · 1 + 294     gcd(654, 360) = gcd(360, 294)
360 = 294 · 1 + 66      gcd(360, 294) = gcd(294, 66)
294 = 66 · 4 + 30       gcd(294, 66) = gcd(66, 30)
66 = 30 · 2 + 6         gcd(66, 30) = gcd(30, 6)
30 = 6 · 5              gcd(30, 6) = 6
gcd(6, 0) = 6
Therefore, gcd(2322, 654) = 6.

Analysis
For any integer $k \ge 1$, if $a > b \ge 0$ and $b < F_{k+1}$, then Euclid(a,b) makes fewer than k recursive calls.
Remember that $F_k = F_{k-1} + F_{k-2}$ and $F_k \approx \phi^k / \sqrt{5}$ with $\phi = (1 + \sqrt{5})/2$, so $b \approx F_k$ means $k \approx \log_\phi(\sqrt{5}\, b)$.
$k = O(\lg b)$ recursive calls
$O(\beta)$ arithmetic operations
$O(\beta^3)$ bit operations

Extended Euclid (1/2)
Since $\gcd(a, b) = ax + by$ for some $x, y \in \mathbb{Z}$, finding x and y will be useful for computing modular multiplicative inverses
Running time same as Euclid algorithm.
Extended-Euclid(a, b)
    if b = 0
        then return (a, 1, 0)
    (d', x', y') ← Extended-Euclid(b, a mod b)
    (d, x, y) ← (d', y', x' - ⌊a/b⌋ y')
    return (d, x, y)

Extended Euclid (2/2)
Example
(d, x, y) = Extended-Euclid(6, 3)
(d', x', y') = Extended-Euclid(3, 0) = (3, 1, 0)
d = 3, x = 0, y = 1 - ⌊6/3⌋ · 0 = 1
d = 3, x = 0, y = 1
6x + 3y = d
6 · 0 + 3 · 1 = 3

Correctness of Extended-Euclid
$d' = \gcd(b, a \bmod b)$
$= bx' + (a \bmod b)\,y'$ ; Euclid’s Theorem
$d = \gcd(a, b) = d'$ ; Euclid’s Algorithm
$d = bx' + (a - \lfloor a/b \rfloor b)\,y'$ ; Division Theorem
$= ay' + b(x' - \lfloor a/b \rfloor y')$ ; Rearrange terms
$d = d' = ax + by$
$x = y'$
$y = x' - \lfloor a/b \rfloor y'$

Modular Arithmetic
$(a \bmod n) + (b \bmod n) \equiv (a + b) \bmod n$
$(a \bmod n)(b \bmod n) \equiv ab \bmod n$
$a^{-1} \bmod n = b \iff ab \bmod n = 1$ (inverse)
Uses identities $a^{2c} \bmod n = (a^c)^2 \bmod n$ and $a^{2c+1} \bmod n = a \cdot (a^c)^2 \bmod n$

Solving Modular Linear Equations
$ax \equiv b \pmod{n}$
Given a, b, n > 0; find x.
Let d = gcd(a, n)
Solvable iff d | b
Theorem 33.23 If d | b and d = ax’ + ny’ (as computed by Extended-Euclid) then one solution is $x_0 = x'(b/d) \bmod n$.
Theorem 33.24 Given one solution $x_0$, there are exactly d distinct solutions, modulo n, given by $x_i = x_0 + i(n/d)$ for i = 0, 1, 2, …, d-1.

Pseudo code
ModularLinearEquationSolver(a, b, n)    ; O(lg n + gcd(a, n)) arithmetic operations
    (d, x', y') ← Extended-Euclid(a, n)
    if (d | b)
        then x_0 ← x'(b/d) mod n
             for i ← 0 to d-1
                 print (x_0 + i(n/d)) mod n
        else print "no solutions"
Note: Solving $ax \equiv 1 \pmod{n}$ gives $a^{-1} \bmod n$ (only one solution).

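The Extended-Euclid and ModularLinearEquationSolver procedures above, as a runnable Python sketch. This is an added example, not part of the original slides; the function names are chosen here, the loop is an iterative form of the recursion (so key-sized inputs do not hit Python's recursion limit), and the 14x ≡ 30 (mod 100) input is a constructed sample.

```python
def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y, for a, b >= 0."""
    x0, y0, x1, y1 = 1, 0, 0, 1          # invariants: a0*x0 + b0*y0 = a, a0*x1 + b0*y1 = b
    while b != 0:
        q, r = divmod(a, b)              # Division Theorem: a = q*b + r
        a, b = b, r                      # gcd(a, b) = gcd(b, a mod b)
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def solve_modular_linear(a, b, n):
    """Return every x in [0, n) with a*x ≡ b (mod n), sorted; [] if unsolvable."""
    d, x_prime, _ = extended_euclid(a, n)
    if b % d != 0:                       # solvable iff d | b
        return []
    x0 = (x_prime * (b // d)) % n        # Theorem 33.23
    return sorted((x0 + i * (n // d)) % n for i in range(d))   # Theorem 33.24


def mod_inverse(a, n):
    """a^-1 mod n, i.e. the single solution of a*x ≡ 1 (mod n)."""
    solutions = solve_modular_linear(a, 1, n)
    if not solutions:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is not 1")
    return solutions[0]


if __name__ == "__main__":
    print(extended_euclid(6, 3))               # the slide's example: (3, 0, 1)
    print(extended_euclid(9, 15))              # (3, 2, -1), i.e. 9*2 + 15*(-1) = 3
    print(solve_modular_linear(14, 30, 100))   # constructed sample with d = 2 solutions
    print(solve_modular_linear(2, 3, 4))       # d = 2 does not divide 3: no solutions
    print(mod_inverse(3, 2320))                # 1547, the RSA exponent d used later
```

The ValueError path matters for key generation: a candidate public exponent e that shares a factor with φ(n) has no inverse and must be rejected rather than silently producing a wrong d.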
Chinese Remainder Theorem
Find integers x that leave remainder 2, 3, 2 when divided by 3, 5, 7 respectively. [Sun-Tsu, 100 A.D.]
Theorem 33.27 Let $n = n_1 n_2 \cdots n_k$, where the $n_i$ are pairwise relatively prime, and consider the correspondence $a \leftrightarrow (a_1, a_2, \ldots, a_k)$, where $a \in \mathbb{Z}_n$, $a_i \in \mathbb{Z}_{n_i}$, and $a_i = a \bmod n_i$ for i = 1, ..., k.

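Chinese Remainder Theorem
Theorem 33.27 (cont.)
If $a \leftrightarrow (a_1, a_2, \ldots, a_k)$ and $b \leftrightarrow (b_1, b_2, \ldots, b_k)$, then
$(a + b) \bmod n \leftrightarrow ((a_1 + b_1) \bmod n_1, \ldots, (a_k + b_k) \bmod n_k)$
$(a - b) \bmod n \leftrightarrow ((a_1 - b_1) \bmod n_1, \ldots, (a_k - b_k) \bmod n_k)$
$ab \bmod n \leftrightarrow (a_1 b_1 \bmod n_1, \ldots, a_k b_k \bmod n_k)$
From $a \to (a_1, \ldots, a_k)$: $(a \bmod n_1, \ldots, a \bmod n_k)$
From $(a_1, \ldots, a_k) \to a$:
$m_i = n/n_i$ for i = 1, ..., k
$c_i = m_i (m_i^{-1} \bmod n_i)$
$a \equiv (a_1 c_1 + \cdots + a_k c_k) \pmod{n}$
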
Example
Given $a \equiv 2 \pmod{5}$, $a \equiv 3 \pmod{11}$
Find $a \equiv x \pmod{55}$
$a_1 = 2$, $a_2 = 3$
$m_1 = 11$, $m_2 = 5$
$n_1 = 5$, $n_2 = 11$
$m_1^{-1} \bmod n_1 = 11^{-1} \bmod 5 = 1$
$m_2^{-1} \bmod n_2 = 5^{-1} \bmod 11 = 9$
$c_1 = m_1 (m_1^{-1} \bmod n_1) = 11(1) = 11$
$c_2 = m_2 (m_2^{-1} \bmod n_2) = 5(9) = 45$
$a \equiv 2 \cdot 11 + 3 \cdot 45 \pmod{55}$
$\equiv 22 + 135 \pmod{55}$
$\equiv 157 \pmod{55}$
$\equiv 47 \pmod{55}$
Thus, we can work in modulo n or modulo $n_i$

Corollary 33.29
If $n_1, n_2, \ldots, n_k$ are pairwise relatively prime and $n = n_1 n_2 \cdots n_k$, then for all integers x and a, $x \equiv a \pmod{n_i}$ iff $x \equiv a \pmod{n}$.

Euler’s phi function
Euler’s phi function $\phi(n)$ is the size of $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$, the multiplicative group mod n.
$\phi(p) = p - 1$ if p is prime.
Euler’s Theorem
For any integer $n > 1$, $a^{\phi(n)} \equiv 1 \pmod{n}$ for all $a \in \mathbb{Z}_n^*$.
Fermat’s Theorem
If p is prime, then $a^{p-1} \equiv 1 \pmod{p}$ for all $a \in \mathbb{Z}_p^*$.

Repeated Squaring
Compute: $a^b \bmod n$, where a and b are nonnegative integers and n is a positive integer.
Let $b = \langle b_k, b_{k-1}, \ldots, b_1, b_0 \rangle$
Compute $a^c \bmod n$ by doubling c for each i and incrementing c when $b_i = 1$.

Pseudo code(1/2)
Modular-Exponentiation(a, b, n)
    c ← 0
    d ← 1
    let <b_k, b_{k-1}, ..., b_1, b_0> be binary encoding of b
    for i ← k downto 0
        c ← 2c
        d ← (d · d) mod n
        if b_i = 1
            then c ← c + 1
                 d ← (d · a) mod n
    return d

Pseudo code(2/2)
Modular-Exponentiation(a=5, b=501, n=6) b = 111110101
i = 8   | 7   | 6   | 5     | 4     | 3    | 2       | 1     |
c = 0 1 | 2 3 | 6 7 | 14 15 | 30 31 | 62 - | 124 125 | 250 - |
d = 1 5 | 1 5 | 1 5 | 1 5   | 1 5   | 1 -  | 1 5     | 1 -   |

Analysis
If a, b, n are $\beta$-bit numbers, there are $O(\beta)$ arithmetic operations and $O(\beta^3)$ bit operations.

Encryption – Symmetric Cryptography
Private Key
Alice and Bob share a key K the adversary does not know
Alice and Bob agree on cryptosystem and key
Bob encrypts plaintext using key, sends ciphertext to Alice
Alice decrypts ciphertext with same key and reads the message
Advantage: fast
Disadvantage: keys must be distributed secretly
Disadvantage: if key is compromised, all is lost
Disadvantage: number of needed keys is $n^2$

Encryption – Public-Key Cryptography
Encryption key is public
Decryption key is private (secret)
Private key cannot be calculated from public key in a reasonable amount of time

RSA Public-Key Cryptosystem
Rivest, Shamir, and Adleman, 1977
Most commonly used encryption and authentication algorithm today
Used in Netscape, Microsoft browsers, Internet and computing standards
Send encrypted messages
Append unforgeable digital signature
Based on ease of finding large primes and difficulty of factoring their products

Public Key Cryptography
Each participant has
Public key – released to others
Secret key – kept secret
Example: Alice $(P_A, S_A)$, Bob $(P_B, S_B)$
Public and Secret functions are inverses
$M = S_A(P_A(M))$
$M = P_A(S_A(M))$
Must be able to reveal $P_A$ while $S_A$ remains uncomputable (or at least very hard to compute)
Security depends on method of computing keys
RSA – factoring large integers
McEliece – decoding linear code (NP-Complete)
El Gamal – discrete logarithm problem
Chor-Rivest – knapsack (NP-complete)

Protocol for Sending Encryption Message M
Bob looks up Alice’s public key $P_A$
Bob computes ciphertext message $C = P_A(M)$ for his original message M
Bob sends C to Alice (eavesdroppers do not have $S_A$)
Alice computes $S_A(C) = S_A(P_A(M)) = M$

Protocol for Sending a Signed Message M’
Alice computes digital signature $\sigma = S_A(M')$
Alice sends (M’, $\sigma$) to Bob
Bob checks that $M' = P_A(\sigma) = P_A(S_A(M'))$
Message M’ is not encrypted

Protocol for Sending a Signed, Encrypted Message M
Bob computes digital signature $\sigma = S_B(M)$, and creates new message $M' = (M, \sigma)$
Bob computes $C = P_A(M')$ and sends C to Alice
Alice computes $(M, \sigma) = S_A(C)$ and then verifies signature using $M = P_B(\sigma)$

RSA Cryptosystem
Public and secret keys are created as follows
Select at random two large prime numbers p and q (say > 100 decimal digits each)
Compute n = pq
Select a small odd integer e that is relatively prime to $\phi(n) = (p-1)(q-1)$
Compute $d = e^{-1} \bmod \phi(n)$ (multiplicative inverse)
Publish pair P = (e, n) as RSA Public Key
Keep pair S = (d, n) as RSA Secret Key
$P(M) = M^e \pmod{n}$
$S(C) = C^d \pmod{n}$

Example of RSA Encryption
1. p = 41, q = 59
2. n = pq = 2419
3. $\phi(n) = (p-1)(q-1) = 40 \cdot 58 = 2320$
Find e such that gcd(e, 2320) = 1 and e is small and odd; e = 3 works
4. $d = e^{-1} \bmod \phi(n) = 3^{-1} \bmod 2320$
d = 1547
$d \cdot e \bmod \phi(n) = 1547 \cdot 3 \bmod 2320 = 1$
5. P = (e, n) = (3, 2419)
6. S = (d, n) = (1547, 2419)
$P(M) = M^{3} \pmod{2419}$
$S(C) = C^{1547} \pmod{2419}$
Note: only 2419 different messages are possible

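The Modular-Exponentiation pseudocode and the RSA example above, run end to end on the slide's parameters (p = 41, q = 59, e = 3). This is an added example, not part of the original slides; the function names are chosen here and the message value 100 is a constructed sample.

```python
def modular_exponentiation(a, b, n):
    """a^b mod n by repeated squaring, scanning the bits b_k ... b_0 of b."""
    d = 1
    for bit in bin(b)[2:]:
        d = (d * d) % n            # corresponds to doubling c
        if bit == "1":
            d = (d * a) % n        # corresponds to incrementing c
    return d


def rsa_keygen(p, q, e):
    """Return (P, S) = ((e, n), (d, n)); ValueError if gcd(e, phi(n)) != 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # modular inverse, Python 3.8+


def rsa_apply(key, x):
    """P(M) = M^e mod n or S(C) = C^d mod n, depending on which key is passed."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("block must satisfy 0 <= x < n")
    return modular_exponentiation(x, exponent, n)


def verify(public, message, sigma):
    """The signed-message check M' = P(sigma)."""
    return rsa_apply(public, sigma) == message


def round_trips_everywhere(public, secret):
    """S(P(M)) = P(S(M)) = M for every M in Z_n, multiples of p and q included."""
    return all(rsa_apply(secret, rsa_apply(public, m)) == m ==
               rsa_apply(public, rsa_apply(secret, m)) for m in range(public[1]))


# The slide's toy parameters; the slides ask for primes of > 100 decimal digits.
PUBLIC, SECRET = rsa_keygen(41, 59, 3)

if __name__ == "__main__":
    c = rsa_apply(PUBLIC, 100)
    print("P(100) =", c, " S(P(100)) =", rsa_apply(SECRET, c))
    sigma = rsa_apply(SECRET, 100)
    print("signature verifies:", verify(PUBLIC, 100, sigma),
          " altered message verifies:", verify(PUBLIC, 101, sigma))
    print("correct on all of Z_n:", round_trips_everywhere(PUBLIC, SECRET))
    # P is a deterministic permutation of only 2419 values, which is why deployed
    # RSA uses far larger moduli together with randomized padding such as OAEP.
    print("distinct ciphertexts:", len({rsa_apply(PUBLIC, m) for m in range(2419)}))
```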
Implementing RSA
Bob generates two large primes, p and q
probabilistic primality testing: $O((\lg n)^3)$
Bob computes n = pq and $\phi(n) = (p-1)(q-1)$
Bob chooses random e such that $\gcd(e, \phi(n)) = 1$ $(1 < e < \phi(n))$
Bob computes $d = e^{-1} \bmod \phi(n)$
Extended Euclidean Algorithm: $O((\lg n)^2)$
Bob publishes n and e in a directory as his public key

RSA Computation
Using public key P = (e, n) to transform messages M: $P(M) = M^e \pmod{n}$
Using secret key S = (d, n) to transform ciphertext C: $S(C) = C^d \pmod{n}$
Use Modular-Exponentiation: If $e = O(1)$, $d \le n$
Then Public key requires $O(1)$ modular multiplications, $O(\beta^2)$ bit operations
Secret key requires $O(\beta)$ modular multiplications, $O(\beta^3)$ bit operations

Correctness
$P(S(M)) = (M^d \bmod n)^e \bmod n = M^{ed} \bmod n$
$S(P(M)) = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n$
Since $d = e^{-1} \bmod [(p-1)(q-1)]$
Then $ed = 1 + k(p-1)(q-1)$
If $M \equiv 0 \pmod{p}$, then $M^{ed} \equiv M \pmod{p}$
If $M \not\equiv 0 \pmod{p}$, then
$M^{ed} \equiv M (M^{p-1})^{k(q-1)} \pmod{p}$
$\equiv M (1)^{k(q-1)} \pmod{p}$ ; Fermat’s Theorem
$\equiv M \pmod{p}$
Similarly for q, thus
$M^{ed} \equiv M \pmod{p}$
$M^{ed} \equiv M \pmod{q}$
p and q are prime, n = pq
Thus, by the Corollary to the Chinese Remainder Theorem, $M^{ed} \equiv M \pmod{n}$
If the adversary can factor n into p and q, then the code is broken, but this is hard

Primality Testing
Finding large primes
Density Of Primes
The prime distribution function $\pi(n)$ specifies the number of primes $\le n$
Theorem 33.37 $\lim_{n \to \infty} \dfrac{\pi(n)}{n / \ln n} = 1$
$\pi(n) \approx n / \ln n$; for example, $\pi(10^9) \approx 48{,}254{,}942$
The probability that a randomly chosen n is prime is $1 / \ln n$. Thus, try $(\ln n)/2$ odd numbers near n to find a prime with high probability.
For example, for a 100-digit number, $\ln 10^{100} \approx 230$. Try 115 odd numbers near $10^{100}$. About 1/230 of 100-digit numbers are prime.
Break input message M into numerical blocks smaller than n.

Trial Division
Try all odd numbers 3, …, $\sqrt{n}$ to test n for primality.
Running Time $\Theta(\sqrt{n})$, but $\sqrt{n} = \Theta(2^{\beta/2})$ where $\beta = \lceil \lg(n+1) \rceil$ (exponential)
This works well only for small n.

Pseudo
$\mathbb{Z}_n^+$ = nonzero elements of $\mathbb{Z}_n$ = {1, 2, ..., n-1}. By Fermat’s Theorem, if n is prime, then $a^{n-1} \equiv 1 \pmod{n}$ for every $a \in \mathbb{Z}_n^+$.
If some a violates this, then n is composite.
Pseudo test tries formula for a=2. If satisfied, declare n prime.
Does not always work, but the numbers errantly declared prime (base a pseudo primes) are rare.
Carmichael Numbers are composites that satisfy formula for all $a \in \mathbb{Z}_n^*$. Very rare
Miller-Rabin randomized primality test overcomes this deficiency in the pseudo test (tries random “a”s).

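The base-2 pseudo test next to trial division and a Miller-Rabin test, showing which composites the pseudo test errantly declares prime and would therefore let into RSA key generation. This is an added example, not part of the original slides; the function names and the round count of 40 are choices made here.

```python
import secrets
from math import gcd, isqrt


def trial_division(n):
    """Exact test: try 2 and every odd number up to sqrt(n)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))


def pseudo_test(n):
    """The slide's test: declare n prime when 2^(n-1) ≡ 1 (mod n)."""
    return n == 2 or (n > 2 and pow(2, n - 1, n) == 1)


def is_carmichael(n):
    """Composite n with a^(n-1) ≡ 1 (mod n) for every a in Z_n^*."""
    return (n > 2 and not trial_division(n) and
            all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1))


def miller_rabin(n, rounds=40):
    """False means certainly composite; True means prime with high probability."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    t, u = 0, n - 1
    while u % 2 == 0:                     # write n - 1 = 2^t * u with u odd
        t, u = t + 1, u // 2
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n - 2]
        x = pow(a, u, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a witness that n is composite
    return True


def base2_pseudoprimes(limit):
    """Odd composites below limit that the pseudo test declares prime."""
    return [n for n in range(3, limit, 2)
            if pseudo_test(n) and not trial_division(n)]


if __name__ == "__main__":
    print(base2_pseudoprimes(2000))
    print([n for n in base2_pseudoprimes(2000) if is_carmichael(n)])
    print([miller_rabin(n) for n in base2_pseudoprimes(2000)])
```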
Integer Factorizations
Trial division by all integers up to B to factor number up to $B^2$
Pollard-Rho factors numbers up to $B^4$ (usually)
Works well in practice on numbers with small factors
Analysis: $\Theta(\sqrt{p})$ to find factor p
To factor $\beta$-bit composite number n
Try all prime factors < $\sqrt{n}$
The run time is $n^{1/4} = 2^{\beta/4}$ arithmetic operations
$n^{1/4} \beta^3 = 2^{\beta/4} \beta^3$ bit operations