Number Theory & Asymmetric Cryptography

Transcription

1 Number Theory & Asymmetric Cryptography

2 Modular Arithmetic Notations Ζ={, 2, 1, 0,1,2,, } Ζ m ={0,1, 2,,m 2, m 1} a b mod m a=b+km, integer k

3 Addition mod m Given a b mod m and c d mod m (a+c) (b+d) mod m a b=km,c d=lm, integers k,l (a+c)=b+d+(k+l)m=(b+d)+ jm Examples (25+ 15) (1+3) 0 mod 4 (25+15) (4+1) 5 mod 7

4 Multiplication mod m a b mod m,c d mod ac bd mod m ac=( b+km)( d+lm)=bd+(bl+ kd+klm) m Example 26 2 mod 4,11 3 mod =286 2 mod 4 2 3=6 2 mod 4

5 What about division? Is division possible in Z m? (A long detour necessary at this point) Group, Abelian Group, Ring and Field Field Ring Abelian Group Group

6 Group, Ring and Field Group: Addition is closed, and associative, additive identity and additive inverse exist Abelian group: Addition is also commutative Ring: Multiplication is closed, associative, commutative, and distributive; multiplicative identity exists Field: Every element except additive identity has multiplicative inverse In Z m additive identity is 0, multiplicative identity is 1. Its a Ring. Is Z m a Field?

7 Multiplicative Inverse Consider m = 5, or {0,1,2,3,4} 2*3 = 3*2 = 1 mod 5. So 2 3 (3 and 2 are multiplicative inverses in Z5 ) 4*4 = 1 mod 5, or 4 4 obviously, 1 1 Z 5 is clearly a field (all elements except additive identity have a multiplicative inverse) Consider m = 6, or {0,1,2,3,4,5} 5 5, 1 1 No inverses for 2,3 and 4? (why?) Z 6 is not a Field (it is a Ring) (As we shall see soon) the reason for this is that 6 is not a prime mumber

8 Basic Theorems of Arithmetic Any number can be represented as a product of powers of primes. Let p i be the i th prime n= i=1 If n= i=1 pi e i,e i 0 n i pi,m= i=1 pi m i lcm(m,n)= i=1 pi max(n i,m i ) pi min(n i,m i ) gcd(m,n)= i=1 60= ,18= lcm(60,18)= =180 gcd(60,18)= =6

9 GCD Definitions gcd(m,n) represented as (m,n) If a = kb, where k is an integer, we say b a (b divides a) s = (m,n) is the largest positive integer satisfying s m and s n If s=(m,n)=1, m and n are relatively prime Euclidean algorithm used for finding gcd

10 GCD Properties If (m,n)=1, m a, n a then mn a Example (5,6)=1 : a number divisible by both 5 and 6 has to be divisible by 30 (9,6) not equal to 1 : a number divisible by both six and 9 does not have to be divisible by 54 (example, 18) A useful result: If (m,n)=1, x=a mod m, and x=a mod n, then x=a mod mn (x-a) divisible by m and n. So it has to be divisible by mn

11 Bezout's Representation s = (a,b) = ia+jb (where i and j are integers) s (the gcd) is the smallest positive integer that can be written as a combination of a and b Practical Implications: If coins are minted in only two denominations a and b can we accomplish any transaction How can you measure 1 foot with two sticks one 9 feet long and the other 7 feet long? We can because (7,9)=1. 1 = 4*7 + (-3)*9

12 Algorithm for GCD Basic idea - if a = qb + c then (a,b) = (b,c) Let s = (a,b) and t = (b,c) s a, s b, t b, t c c = a qb = s(a 1 -qb 1 ) or s c As s b and s c and t is the largest integer that divides both b and c, so s<=t a = qb+c = t(qb 2 +c 2 ) or t a As t b and t a and s is the largest integer that divides both a and b, so t<=s t<=s and s<=t possible only if s=t (a,b)=(b,c ) if a=qb+c

13 Euclidean Algorithm (a,b)=(b,c ) if a=qb+c (a 0, a 1 ),a 0 >a 1 Let a 0 =q 1 a 1 +a 2 (a 0, a 1 )=(a 1, a 2 ) Let a 1 =q 2 a 2 +a 3 (a 1, a 2 )=(a 2, a 3 ) and so on until we can trivially find the GCD by inspection

14 (457, 283) Euclidean Algorithm

15 Euclidean Algorithm (457, 283) 457 = 1* {or (457,283)=(283,174)}

16 Euclidean Algorithm (457, 283) 457 = 1* = 1* = 1* = 1* = 1* = 2* = 10*2 + 1

17 Euclidean Algorithm (457, 283) 457 = 1* = 1* = 1* = 1* = 1* = 2* = 10* = 2*1 + 0, or (457,283) = (2,1) = 1

18 Euclidean Algorithm (457, 283) 457 = 1* = 1* = 1* = 1* = 1* = 2* = 10* = 21-10*2 (Bezout Representation) 2 = 2*1 + 0 (457,283) =(283,174) = (174,109) = (109,65) = (65,44) = (44,21) = (21,2) = (2,1) = 1

19 Backtracking for Bezout (457, 283) 457 = 1* = 1* = 1* = 1* = 1* = 2* = 21-10*(44-2*21) 21 = 10* = 21-10*2 2 = 2*1 + 0 or (457,283) = (2,1) = 1

20 Backtracking Euclid (457, 283) 457 = 1* = 135*457 + (-218)* = 1* = 1* = 1* = 1* = 2* = 21-10*(44-2*21) 21 = 10* = 21-10*2 2 = 2*1 + 0 or (457,283) = (2,1) = 1

21 Modular Inverse Does inverse of a exist in Z m? aa 1 1 mod m Let b=a 1 ab 1 mod m ab=1+km 1=( b)a+km (a,m)=1 Inverse exists only if (a,m)=1 Else we can not get a Bezout representation linking 1, a and m (like 1 = xa+ym) If (a,m)=1 we can use extended Euclidean algorithm to find the inverse of a in Z m

22 Multiplicative Inverse of 283 in Z 457 (457, 283) 457 = 1* = 135*457 + (-218)* = 1* = 1* = 1* = 1* = 2* = 21-10*(44-2*21) 21 = 10* = 21-10*2 2 = 2*1 + 0 or (457,283) = (2,1) = 1

23 Multiplicative Inverse of 283 in Z 457 (457, 283) 457 = 1* = 135*457 + (-218)* = 1* (-218*283) = 1 + (-135)* = 1* (-218*283) = 1 mod = 1* = 239 mod = 1* (239*283) = 1 mod = 2* = 10* = 21-10*2 2 = 2*1 + 0 or (457,283) = (2,1) = 1

24 Multiplicative Inverse of 283 in Z 457 (457, 283) 457 = 1* = 135*457 + (-218)* = 1* (-218*283) = 1 + (-135)* = 1* (-218*283) = 1 mod = 1* = 239 mod = 1* (239*283) = 1 mod is the inverse of 283 mod 457 Check: 239*283 = = *457

25 Extended Euclid Algorithm d=(a,b)=ak+bl EE Algorithm returns d,k,l u=[a 1 0]; v=[b 0 1]; while (v(0)!= 0) do y=floor(u(0)/v(0)); w=u-y*v; u=v; v=w; endwhile d=u(0); k=u(1); l=u(2); a=457,b=283 u(0) u(1) u(2) v(o) v(1) v(2) =135*457 + (-218)*283

26 End of Detour Now we know why inverses do not exist for 2,3 and 4 in Z 6 Note that (5,6)=1 (That's why 5 has an inverse in Z 6 )

27 Prime Modulus What if m is prime? We have Zm = {0,1,2,...,m-1} Every number is relatively prime to a prime number So every number 1... m-1 has an inverse Zm is a FIELD if m is prime Normally we call it prime field Zp

28 RECAP Z m = {0,1,2,...,m-1} Z m is a group, and ring Multiplicative inverse of a exists only if (a,m)=1; GCD computed using Euclidean algorithm Multiplicative Inverse using Extended Euclidean Algorithm If m = p (a prime) then Z p is a field All elements (except additive identity 0) have a multiplicative inverse.

29 Square and Multiply Algorithm for Exponentiation Compute y = a x mod n Get binary representation of x Let b(r)b(r-1)...b(0) represent bits of x z=1; for i=r downto 0 z=z*z mod n if (b(i)==1) z=z*a mod n endif endfor

30 Example Compute y = mod 87 43= b ; r=5; a=36; n=87;z=1 Step Beginning End of step 1. b5=1, z=1 z=z*z*a = 36 mod b4=0,z=36 z=z*z=78 mod b3=1,z=78 z=z*z*a=45 mod b2=0,z=45 z=z*z=24 mod b1=1,z=24 z=z*z*a=30 mod b0=1,z=30 z=z*z*a=36 mod = 36 mod 87

31 Public Key Cryptography Symmetric cryptography requires every pair of interacting entities to share a secret Asymmetric cryptography is useful in establishing pair-wise secrets Every entity begins by generating a key pair Let Alice's key pair be (R A,U A ) The private key RA is a secret known only to Alice The public key UA is made know to everyone

32 Public key Algorithms Two algorithms (E() and D()) were defined for symmetric ciphers A public key algorithm (for example, RSA) refers to a system with up to 6 different sub-algorithms Key pair generation algorithm Encryption algorithm Decryption algorithm Signing algorithm Verification algorithm Key-exchange algorithm Not all 6 by necessary for every public-key system Key pair generation is necessary for all. Some do only encryption and decryption, some do only signing/verification, some do only key-exchange

33 Key Generation Algorithm Alice chooses a random private key RA And computes the corresponding public UA It should be impractical for anyone to compute the private key given the public key Even while the relationship between (R A,U A ) is one-toone Example: Private key is two randomly chosen large primes p and q The public key is n=pq

34 Encryption Algorithm Any one with knowledge of Alice's public key can send a secret message to Alice To send a secret P, the sender (say, Bob) Uses an encryption algorithm C=Enc(P,U A ) Cipher-text C sent to Alice

35 Decryption Algorithm Only the entity with the corresponding private key can decrypt the cipher-text C=Enc(P,UA ) can be decrypted using the Dec() algorithm as P = Dec(C,R A ) As only Alice is privy to her private key R A, only Alice can decrypt C Can Alice confirm the identity of the sender?

36 Signing/Verification Algorithms To sign a message (typically the hash of a message) Alice uses the signing algorithm Sig() Let M be the message hash to be signed The signature S is computed as S=Sig(M,R A ) Anyone with access to Alice's public key can verify the signature using algorithm Ver() Algorithm Ver(M,S,UA ) returns TRUE only if S was computed using the corresponding private key, and the same message. If TRUE, the verifier concludes that the message was signed by Alice.

37 Inputs and Outputs In symmetric cryptography the inputs and outputs (to E()/D()) were bit-strings of fixed sizes, with no special interpretation In asymmetric cryptography the inputs and outputs to the five algorithms are seen as numbers belonging to a finite field/ring/group The sizes of inputs/outputs are also more substantial (typically few thousand bits)

38 Field, Ring, and Group (Once Again) Finite sets (of numbers/elements) Group: Addition is closed, associative Additive inverse exists; additive identity exists Abelian Group are subsets of Groups, where Group Abelian Group Ring Field Addition is also commutative Rings are subsets of Abelian Groups Multiplication is closed, associative, distributive, and commutative A multiplicative identity exists Fields are subsets of Rings Every element except the additive identity has a multiplicative inverse

39 Rings and Fields We limit ourselves to one type of finite sets Set of integers modulo m Z m = (0,1,2,...,m-1) With modular addition and multiplication Z m is a Field if m is prime; Ring if m is not prime

40 Prime Number Theorem Prime Numbers Number of prime numbers less than n is approx. n/log(n) Ψ(n) n/log (n) Prime numbers are dense Any number can be represented as a product of powers of primes n=π i=1 p i a i For example 10= = =

41 Euler Totient Two numbers are relatively prime if they have no common factors their GCD is 1. example (9,14)=1,(7,22)=1, etc Positive integers <n (or elements of Zn ) that are relatively prime to n are totatives of n The Euler Totient Function Phi(n) is the count of the totatives of n If n=π a i=1 p i i then Φ(n)=Π a i=1 p 1 i i ( p i 1)

42 Euler Totient n=π a i =1 p i i Φ(n)=Π a i=1 p 1 i i ( p i 1) n=12=2 2 3 Φ(12)=2 1 (2 1)3 0 (3 1)=4 n=15= Φ(15)=(3 1)(5 1) n=13=13 Φ(13)=(13 1) We are particularly interested in two cases Case 1: n is a prime p the Euler totient is p-1 all elements in Z p except 0 are totatives Case 2: n=pq where p and q are primes: the Euler totient is (p-1)(q-1) Only (p-1)(q-1) of n=pq elements of Z p are totatives

43 Example, m=35 = 5x7 Zm ={0,1,2,3,..., 34} 7 multiples of 5, and 5 multiples of 7, are obviously not totatives 7 multiples of 5 are 0,5,10,15,20,25,30 5 multiples of 7 are 0,7,14,21,28 0 is in both = 11 numbers are not totatives = 24 = (5-1)(7-1) numbers are totatives {1,2,3,4,6,8, 9,11,12,13,16,17, 18,19,22,23,24,26, 27,29,31,32,33,34} are the 24 totatives of 35.

44 For General m=pq More generally p multiples of q are not totatives q multiples of p are not totatives 0 is in both p+q-1 are not totatives pq-(p+q-1) = (p-1)(q-1) numbers are totatives

45 Multiplicative Inverses All totatives of Z m have multiplicative inverses modulo m Totatives of 35 {01,02,03,04,06,08,09,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34} (Corresponding) Multiplicative inverses {01,18,12,09,06,22,04,16,03,27,11,33,02,24,08,32,19,31,13,29,26,23,17,34} (1,1),(2,18),(3,12)... are inverses mod 35 If m is prime are numbers in Z m (except 0) have multiplicative inverses If m=pq then only the (p-1)(q-1) totatives have multiplicative inverses mod mod 35 a.a 1 35 k+1 1 mod 35 where k is some integer

46 Set of Totatives Consider the set of Φ(m) totatives {a 1 a 2 a Φ(m) } of m What happens when you multiply a totative with another? The result has to be a totative. Why? a i a j =x can NOT have any factor common with m x too has to be a totative Example mod 35, mod 35 Any power of a totative also has to be a totative For e.g. in mod 35, ,32 3 8, ,32 5 2

47 Permutation of Totative Set Set of Φ(m) totatives {a 1, a 2, a Φ(m) } of m Choose any a=a i from the set Multiply every number in the set by a to get {a 1 a, a 2 a, a Φ(m) a} Now {a 1 a, a 2 a, a Φ(m) a} is a PERMUTATION of {a 1, a 2, a Φ(m) }. Why? Pick two indexes i, j {1 Φ(m)} a i a a j a (a i a j )a 0 mod m Or m divides (a i a j )a. As a has no common factors with m we need m to divide a i a j Which can only happen if a i a j =0 or i= j

48 Euler Fermat's Theorem Φ(m)Totatives {a 1, a 2, a Φ(m) } of m {a 1 a,a 2 a, a Φ(m) a} is a PERMUTATION of {a 1, a 2, a Φ(m) } Multiply all elements together in both sides. The result in both sides should be the same if one side is a permutation of the other {a 1 a a 2 a a Φ(m) a} {a 1 a 2 a Φ(m) } mod m a Φ(m) {a 1 a 2 a Φ(m) } {a 1 a 2 a Φ(m) } mod m a Φ(m) 1 mod m. if a is relatively prime to m Fermat's Theorem (special case of Euler-Fermat Theorem) a p 1 1 mod p if p is prime

49 Euler Fermat's Theorem Fermat's Theorem a p 1 1 mod p a a k (p 1) 1 mod p a a k (p 1)+ 1 a mod p a Euler Fermat's Theorem a Φ(m) 1 mod m. if (a, m)=1 a k Φ(m) 1 mod m. if (a,m)=1 a k Φ(m)+1 a mod m. if (a,m)=1 However, if m= pq then we can show that a k Φ(m)+1 a mod m, EVEN IF (a, m) 1

50 Proof a k Φ(m)+1 a mod m a if Φ(m)=( p 1)(q 1). a k Φ(m)+1 =a k( p 1)(q 1)+ 1 a mod p a k Φ(m)+1 =a k ( p 1)(q 1)+1 a mod q Thus, a k Φ(m)+1 a mod m= pq

51 Summary a k Φ(m)+1 a mod m forall a :Useful for RSA a p 1 1 mod p Fermat's Little Theorem

52 Simplifying Modular Expressions Given x y mod m, simplifying involves removing all multiples of m from x removing all multiples of Φ(m)from the exponent y x y mod m=(x mod m) y mod Φ(m) mod m Examples mod 23 Φ(23)=22 ; 241 mod 23=11; 456 mod 22= mod 23=11 16 mod mod 119 (Φ(119=7.17)=6.16=96) 241 mod 119=3 ; 456 mod 96= mod 119=3 72 mod 119

53 Difficult Inverse Problems Factorization Problem Given two primes p, q trivial to compute n= pq Difficult to find p or q given n Discrete logarithm Problem prime p, g generator of Z p Given p, g,α g a mod p Infeasible to find a

54 Choosing a Prime We know factorization is a difficult problem Given a number p Can we say if it is a prime w/o factorizing? Yes How? Probabilistic Primality Testing We can confirm if a number is a prime with a vanishingly small probability of failure Choosing a prime is NOT a hard problem

55 Probabilistic Primality Check (PPC) Given a number p ' If p ' is a prime we know a p ' 1 mod p' 1 a But, if a p ' 1 mod p' 1 for some a we can not say it will be true for all a Solution: Choose n random a' s for the test if the test passes every time probability that p ' is NOT a prime is <1/2 n Why? If the test fails for even for one a Ζ p ' it should fail for atleast half the possible elements in Ζ p'

56 PPC Assume test passes for a=a 1 a n and fails for a=x a 1 p ' 1 a 2 p ' 1 a n p ' 1 1 mod p' x p ' 1 1 mod p' In this case the test should also fail for x a 1, x a 2,, x a n If the test fails even once it should fail atleast as many times as it passes! the probability of false choice with one test is 1 /2 with n tests it reduces to 1/2 n

57 PPC Algorithm IsPrime(p) count =0 while (count < n) a=rand() if a p mod p a count+=1 else break endif endwhile if (count=n) return TRUE

58 Algorithm to Pick n-digit Prime Generate random n-bit odd number p while (!IsPrime(p)) p+=2; //next odd number return p

59 Diffie-Helman Key Exchange prime p, g Z p generator: both known to all Alice chooses random a Z p Bob chooses random b Z p Alice to Bob α g a mod p Bob to Alice β g b mod p Alice computes K AB β a g ab Bob computes K AB α b g ab

60 RSA Key Pair Generation 1. Choose two large primes p, q 2. Compute n= pq,ϕ(n)=(p 1)(q 1) 3. Choose a small e such that (e,ϕ(n))=1 4. Find d where de 1 mod ϕ(n) 5. Destroy p,q,ϕ(n) public (modulus and exponent) n, e private (exponent) d

61 RSA Encryption/Decryption Alice's public keys n,e, private exponent d To send a secret P to Alice, Bob computes C P e mod n Alice decrypts C as P C d mod n Why does this work? C d (P e ) d P (ed) P k ϕ(n)+1 P mod n As d and e are multiplicative inverses mod ϕ(n)

62 RSA Signing / Verification To sign a hash M, Alice computes S M d mod n Any one can verify M S e mod n

63 RSA Example Key Pair Generation p=1009, q=503 n=pq=507527,ϕ(n)=( p 1)(q 1)= e =5, d= ( mod =1) public (modulus and exponent) n=507527, e=5 private (exponent) d = Encryption P= C= P e mod n= mod =32110 P=C d mod n= mod =423621

64 El Gamal Key Generation p, g, known to all Alice chooses random private key a Public key is α=g a mod p Example p=79, g=7 Alice chooses a=43,α g a mod 79 Alice's private key 43, Alice's public key 48

65 El Gamal Encryption/Decryption To send a secret value P to Alice Bob chooses random k Z p C P α k mod p, μ g k mod p C,μ sent to Alice who can compute x μ a α k mod p P Cx 1 mod p

66 Primes are Dense Recall. Total number of primes less than N is roughly N/ log(n) Total number of primes with 150 or less digits is e148 Total number of primes with 149 or less digits is e147 Total number of 150 digit primes is e148 (one in every 387 numbers) On an average we need to test about 387/4 = 97 numbers (test if it is a prime) before we hit upon a 150 digit prime

67 El Gamal Encryption/Decryption Example p=79, g=7, a=43, α=48, P=21, k=5 μ g k mod 79 α k mod 79 C P α k mod 79 Alice computes μ a mod p and mod p and P C (μ a ) mod p

68 El Gamal Signing/Verification To sign a hash M Alice chooses random k Z p μ g k mod p S (M a μ)k 1 mod p 1 Anyone can verify relationship between ( M, S,μ, α) α μ μ S g a μ g k (M a μ) k 1 g M mod p Example p=79, a=43, α=48, M =12, k=5 μ g k mod 79 k 1 47 mod p 1 S (M a μ)k 1 ( ) mod 78. α μ μ S mod p g h mod p.

69 Complexity Multiplication/Division/Square-root of n-bit number O(n 2) Modular Mutiplication: (one multiplication and one division) is also O(n 2 ) Computing exponent: Order of r (r to 2r) modular multiplications (MM), where r is the number of bits in the exponent a b mod m, where a,b,m are n-bit integers: Complexity O(n 3 ) Computing GCD (both numbers are n-bit numbers): About n steps where each step has 1-2 MMs. Complexity O(n 3 ) Computing Multiplicative Inverse: Same as GCD with exended Euclidean Algorithm. Complexity O(n 3 )

70 Complexity of El Gamal Encryption: Two exponentiations Decryption: One exponentiation, one multiplicative Inverse Signing: One exponentiation, One multiplicative Inverse Verification: Two exponentiations Key Generation : One exponentiation All have the same O(n 3 ) complexity

71 Complexity of RSA Encryption: Exponentiation with the small public exponent (3-bit exponent implies only 3-6 modular multiplications). Complexity O(n 2 ) Decryption: Exponentiation with n-bit private exponent. Complexity O(n 3 ) Signing: Exponentiation with n-bit private exponent. Complexity O(n 3 ) Verification: Exponentiation with the small public exponent. Complexity O(n 2 ) Key Generation: O(n 4). Why?

72 Primes are Dense Recall. Total number of primes less than N is roughly N/ log(n) Total number of primes with 150 or less digits is e148 Total number of primes with 149 or less digits is e147 Total number of 150 digit primes is e148 (one in every 387 numbers) On an average we need to test about 387/4 = 97 numbers (test if it is a prime) before we hit upon a 150 digit prime

73 Complexity of Finding n-bit Prime Average distance between 2 n-bit primes is O(n). So O(n) PPCs (probabilistic primality checks) to determine a prime. Most PPCs will fail soon (in one or two Fermat tests - which requires one exponentiation) The successful check will be require about 100 exponentiations Complexity of O(n) failing PPCs is O(n 4) (each failing PPC calls for 1-2 exponentiation) Passing PPC is 100*O(n 3 ) (can be ignored for large n)

74 More on Choosing Primes RSA: If modulus n is a 2000 bit number it is advisable to choose a 1001 bit and a 999 bit prime for p and q. Do not choose p and q close to each other (999 and 1001 is the farthest you can get) p-1 and and q-1 should have at least one very large factor Actually the complexity of one factorization algorithm will depend only on the size of the largest factor of p-1 or q-1 El Gamal/Diffie Hellman Choosing p close to 2 m lends itself to fast algorithms for MM. All these optimizations not possible for RSA as every one works on a different modulus m=pq

75 Primes are Dense Recall. Total number of primes less than N is roughly N/ log(n) Total number of primes with 150 or less digits is e148 Total number of primes with 149 or less digits is e147 Total number of 150 digit primes is e148 (one in every 387 numbers) On an average we need to test about 387/4 = 97 numbers (test if it is a prime) before we hit upon a 150 digit prime

76 Factorization RSA relies on the assumption that factorization is hard Brute force factorization of n = pq: Check all primes less than n. For 300 digit n (around 150 digit p and q) around 1e147 primes have to be tested - highly impractical Attacker complexity of 1e20 may be acceptable (equivalent to 64-bit symmetric cipher) Many sophisticated algorithms have been developed for factorization We will just need to increase the key lengths as sophistication of attacks improve

77 Simple Factoring Algorithms Fermat s factorization is effective if the two prime factors (p and q) are close to each other Pollards p 1 algorithm is efficient in scenarios where either p 1 or q 1 is comprised of many small factors William s p + 1 algorithm is efficient when p + 1 or q + 1 is comprised entirely of small factors Care should be taken to ensure that p and q are not close - for example choosing 148-digit q and 150 digit p Also necessary to ensure that p 1, q 1, p + 1, q + 1 do not have small factors. These requirements makes secure key generation even more complex for RSA.

78 Advanced Factoring Algorithms Dixons random squares, number field sieves All of them try to determine some special relationships If we can find two numbers x and y such that x 2 y 2 mod n and x! y mod n and x! y mod n, then we can easily factorize n Note that x 2 y 2 mod n n divides (x y)(x + y) x! y mod n n does not divide (x y) x! y mod n n does not divide (x + y) So (n, x + y) and (n, x y) should give the factors of n

79 Attacking the Discrete Log Problem Shank s Algorithm Pohlig-Helman Algorithm (works well if p 1 has no large factors) Index Calculus method Number-field seive

80 Order of a Number in Z p The order of a Zp is the minimum value r for which a r 1 mod p The maximum order is p 1. Also referred to as full order. Generators have full order. The order of any number divides p 1 As p 1 is always even at the minimum we should have 4 orders: p 1, 1, 2, and (p 1)/2 In Z11 2,6,7 and 8 have full order (p 1 = 10); 3,4,5 and 9 have order (p 1)/2 = 5; 10 has order 2; 1 has order 1;

81 Order Divides p-1 The order of 1 is always 1; order of p 1 is always 2 (irrespective of p) The number of elements with full order (the number of generators) is Φ(p 1) The number of elements with order (p 1)/d is Φ((p 1)/d)). The order of any number divides p 1

82 Schnorr Signature Scheme DSA is a variant of the Schnorr Scheme Public p, q, gq, hash function H(). Large prime p (say 1024-bits) Prime q (p 1) (say 160-bit prime) Choose gq Z p, where g q has order q. Z p will contain Φ(q) = q 1 numbers of order q Alice s private key a Zp, public key α g a q mod p.

83 Schnorr Signature To sign a message M Alice chooses a random 1 k q 1 and calculates: r = H(M. gq k) mod q s = (k + ar) mod q Signature is r. s (both r and s are 160-bit quantities) Verifier (who has α = gq a mod p) can calculate x g s q α r mod q g k+ar q g -ar q g k q mod q And verify that H(M. x) = r. Note that The signature size is small (equivalent to 2 hashes) All computations (for signing and verification) use smaller modulus q

84 Summary of Complexity O(n 2): RSA encryption/signature verification: O(n 3): RSA decryption/signing, EL Gamal encryption/signing/decryption/verification/key generation O(n 4 ): RSA key generation All of the above are very much practical though (thats why we use them). No polynomial complexity algorithms exist for factorization/solving discrete log. Increasing complexity: each step by a factor of Symmetric encryption/hashing RSA encryption/verification RSA signing, encryption, all of El Gamal RSA key generation