CS549: Cryptography and Network Security


1 CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1

2 Notice
This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials, especially Cryptography and Network Security, 2nd edition, by William Stallings and Cryptography: Theory and Practice by Douglas Stinson. You may not modify, publish, sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author. The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs and protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these.

3 Cryptography and Network Security: Elementary Number Theory, Xiang-Yang Li

4 Number Theory
- Elementary number theory (main topic of this course): divisibility, the Euclidean algorithm to compute greatest common divisors, factorization; Fermat's little theorem and Euler's theorem, the Chinese remainder theorem and Euler's φ function are investigated
- Analytic number theory
- Algebraic number theory
- Geometric number theory
- Computational number theory

5 Introduction to Number Theory
- Divisors: b | a if a = mb for an integer m
- If b | a and c | b, then c | a
- If b | g and b | h, then b | (mg + nh) for any integers m, n
- Prime number: an integer p is a prime number if its only positive divisors are 1 and p
- Relatively prime numbers p and q: no common positive divisors of p and q except 1

6 Prime Numbers
- Largest known so far (till 2008, Jan 22): with digits, method G10, found 2008; Mersenne 47?? with digits (found 2006 using proof code G9)
- When 2^n - 1 is prime it is said to be a Mersenne prime (after a French monk, conjecture 1644). Clearly n must be odd.
- How many prime numbers are there? Infinitely many: Euclid gave a simple proof by contradiction
- They are also irregularly placed (arbitrarily large gaps)
- How many in the range [0, n]? Θ(n / log n). Approximately, the n-th prime is about n log n
- How many primes with d bits, approximately? Θ(2^d / d)

7 Determining Primes?
- How to determine if a given number n is prime?
- Deterministic: brute-force testing, i.e., testing whether a | n for a in a certain range
- Random testing: a prime number should satisfy some properties. If a number x does NOT have one of these properties, then x is NOT a prime; otherwise it may be a prime number.
- Property: for any number a > 1, a does not divide x. More properties will be studied and used to design efficient methods.

8 Greatest Common Divisor (GCD)
- Greatest common divisor gcd(a, b): the largest number that divides both a and b
- Euclid's algorithm: find the GCD of two numbers a and b, a < b
- Uses the fact that if a and b have a common divisor d, so do a - b, a - 2b, ..., a - qb
- [Figure: a laid out against the multiples b, 2b, 3b, ..., qb, ..., nb; d | a and d | b, hence d | a - qb]

9 GCD by Factoring
- An integer n can be factored as n = p_1^a_1 p_2^a_2 p_3^a_3 ... p_n^a_n, where each p_i is a prime number
- Based on this, we can find the GCD of two numbers A = p_1^a_1 p_2^a_2 p_3^a_3 ... p_n^a_n and B = p_1^b_1 p_2^b_2 p_3^b_3 ... p_n^b_n (same primes p_i; an exponent may be 0)
- Then GCD(A, B) = p_1^c_1 p_2^c_2 p_3^c_3 ... p_n^c_n, where c_i = min(a_i, b_i)
- For example, gcd(2·3, 3·7) = 3; gcd(2·3, 0) = 6

10 Cont.
- gcd(a, b) is given by: let g_0 = b, g_1 = a, g_{i+1} = g_{i-1} mod g_i; when g_i = 0 then gcd(a, b) = g_{i-1}
- The algorithm terminates in O(log b) rounds
- Why? Every round, the total number of bits of a and b is decreased by at least one
- What is a more precise complexity bound?

11 Properties
- For any two integers a and b there exist integers m and n such that gcd(a, b) = ma + nb
- Example: a = 2, b = 3; we choose m = -1, n = 1, so -2 + 3 = 1
- a = 6, b = 11; we choose m = 2, n = -1, so 2·6 - 11 = 1
- Simple proof?

12 Extended Euclidean Algorithm
- Input: two integers a and b. It computes their greatest common divisor gcd(a, b) as well as integers x and y such that ax + by = gcd(a, b).
- It can later also be used to compute the inverse a^-1 mod n of an integer a.

13 Proof
- Assume we compute gcd(x_0, y_0), x_0 > y_0
- Let X_i = (x_i, y_i)^T, where x_{i+1} = y_i and y_{i+1} = x_i - q_{i+1} y_i, with 0 ≤ x_i - q_{i+1} y_i < y_i
- Then X_i = M_i X_{i-1}, where M_i = (0, 1; 1, -q_i)
- Assume the gcd algorithm terminates in n steps. We have M_n M_{n-1} ... M_1 X_0 = (gcd(x_0, y_0), 0)^T
- Assume M_n M_{n-1} ... M_1 = (a, b; c, d). Then a·x_0 + b·y_0 = gcd(x_0, y_0)
- The extended algorithm keeps track of a, b, c, d and the x_i, y_i values

14 Modular Arithmetic
- Congruence: a ≡ b mod n says that, when divided by n, a and b have the same remainder
- It defines a relation on all integers: a ≡ a (reflexive); a ≡ b then b ≡ a (symmetric); a ≡ b, b ≡ c then a ≡ c (transitive)

15 Cont.
- Addition: (a + b) mod n ≡ (a mod n) + (b mod n)
- Subtraction: a - b mod n ≡ a + (-b) mod n
- Multiplication: a·b mod n, derived from repeated addition
- Possible: a·b ≡ 0 where neither a ≡ 0 nor b ≡ 0 mod n. Example: 2·3 ≡ 0 mod 6

16 Example
- Based on mod 7, we define the set of remainders {0, 1, 2, 3, 4, 5, 6}
- It also defines a relationship: 2 ≡ 9 mod 7; 2 + 8 ≡ 3 mod 7; 2 - 8 ≡ 1 mod 7

17 Group Theory
- For mod 7, we can define a group using all numbers {0, 1, 2, 3, 4, 5, 6} and the operation +
- A group contains a set of elements and an operation # such that:
- Closure: a # b is an element of the group for any a and b
- Associativity: for all a, b and c in G, the equation (a # b) # c = a # (b # c) holds
- Identity element: there is a special element 0 such that a # 0 = a for any element a
- Inverse element: for any element a there is an inverse, (-a), called the negative of a, such that (-a) # a = a # (-a) = 0

18 Addition and Multiplication
- Integers modulo n with addition and multiplication form a commutative ring with the laws of
- Associativity: (a + b) + c ≡ a + (b + c) mod n
- Commutativity: a + b ≡ b + a mod n
- Distributivity: (a + b)·c ≡ (a·c) + (b·c) mod n

19 Ring (math)
- A ring is a set R equipped with two binary operations + : R × R → R and · : R × R → R (where × denotes the Cartesian product), called addition and multiplication
- To qualify as a ring, the set and two operations (R, +, ·) must satisfy the following requirements, known as the ring axioms.
- (R, +, ·) is required to be an Abelian group under addition:
  1. Closure under addition. For all a, b in R, the result of the operation a + b is also in R.
  2. Associativity of addition. For all a, b and c in R, the equation (a + b) + c = a + (b + c) holds.
  3. Existence of additive identity. There exists an element 0 in R such that for all elements a in R, the equation 0 + a = a + 0 = a holds.
  4. Existence of additive inverse. For each a in R, there exists an element b in R such that a + b = b + a = 0.
  5. Commutativity of addition. For all a, b in R, the equation a + b = b + a holds.
- (R, +, ·) is required to be a monoid under multiplication:
  1. Closure under multiplication. For all a, b in R, the result of the operation a · b is also in R.
  2. Associativity of multiplication. For all a, b and c in R, the equation (a · b) · c = a · (b · c) holds.
  3. Existence of multiplicative identity. There exists an element 1 in R such that for all elements a in R, the equation 1 · a = a · 1 = a holds.
- The distributive laws:
  1. For all a, b and c in R, the equation a · (b + c) = (a · b) + (a · c) holds.
  2. For all a, b and c in R, the equation (a + b) · c = (a · c) + (b · c) holds.

20 4th Arithmetic Operation: Division
- Division b/a mod n: multiply by the inverse of a, b/a = b·a^-1 mod n, where a^-1·a ≡ 1 mod n
- Example: 3^-1 ≡ 7 mod 10, because 3·7 ≡ 1 mod 10
- What is the value of 20/3 mod 7? The value of 1/3 mod 6?
- The inverse does not always exist! Only when gcd(a, n) = 1

21 Euclid's Extended GCD Routine
- Theorem: if gcd(a, n) = 1, then the inverse of a mod n always exists
- Can extend Euclid's algorithm to find the inverse by keeping track of g_i = u_i·n + v_i·a
- The extended Euclid's (or binary GCD) algorithm to find the inverse of a number a mod n (where gcd(a, n) = 1) is given on the next slide

22 Inverse
Inverse(a, n) is given by:
1. X = (x1, x2, x3) = (1, 0, n); Y = (y1, y2, y3) = (0, 1, a)
2. If y3 = 0, return x3 = gcd(a, n); no inverse
3. If y3 = 1, return y3 = gcd(a, n); y2 = a^-1 mod n
4. Q = ⌊x3 / y3⌋
5. T = X - Q·Y; X = Y; Y = T; go to step 2

23 When the Inverse Exists
- If gcd(a, n) = 1, the inverse exists: we can find x, y such that ax + ny = 1; then x = a^-1 mod n
- If the inverse exists, gcd(a, n) = 1: let x be the inverse of a, i.e., ax ≡ 1 mod n. Then x·a = 1 + q·n for some integer q. Let gcd(a, n) = d. Then d | (x·a - q·n). Obviously d = 1, since x·a - q·n = 1
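The extended Euclidean algorithm and the Inverse(a, n) routine of slide 22, as an added Python example (not code from the lecture notes); mod_div is an added helper that answers the division questions of slide 20 and reports when no inverse exists.

```python
# Added example: extended Euclid and the slide-22 Inverse(a, n) routine.

def ext_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (iterative form)."""
    x0, y0, x1, y1 = 1, 0, 0, 1          # coefficients of a and b for (a, b)
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse(a, n):
    """Inverse(a, n) from the slides.  X = (x1, x2, x3) and Y = (y1, y2, y3)
    keep the invariants x3 = x1*n + x2*a and y3 = y1*n + y2*a, so when
    y3 reaches 1 the coefficient y2 is a^-1 mod n.
    Returns None when gcd(a, n) != 1 (no inverse)."""
    X = (1, 0, n)
    Y = (0, 1, a % n)
    while True:
        if Y[2] == 0:
            return None                  # x3 = gcd(a, n) > 1: no inverse
        if Y[2] == 1:
            return Y[1] % n              # y2 = a^-1 mod n
        q = X[2] // Y[2]
        T = tuple(xi - q * yi for xi, yi in zip(X, Y))
        X, Y = Y, T


def mod_div(b, a, n):
    """b / a mod n = b * a^-1 mod n; raises when a has no inverse mod n."""
    inv = inverse(a, n)
    if inv is None:
        g = ext_gcd(a, n)[0]
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return (b * inv) % n
```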

24 Galois Field
- If n is constrained to be a prime number p, then (+, ·) under mod p forms a Galois field modulo p, denoted GF(p), and all the normal laws associated with integer arithmetic work
- A field has some additional properties (in addition to being a ring):
- There is a special element 1 such that a·1 = a
- There is another special element 0 such that a + 0 = a for any a
- For every element a (a ≠ 0), there is another element b such that a·b = 1
- For every element a, there is another element c such that a + c = 0

25 Common Arithmetic Operations
- Exponentiation: given a, e and p, find b = a^e mod p. How to compute this efficiently?
- Discrete logarithm: given a, b and p, find x where a^x ≡ b mod p. The value of x is denoted log_a b mod p. How to compute this efficiently?

26 Efficient Computing of Exponentials
- Compute a^b mod n efficiently when b, n are large?
- Example: compute a^1024 mod n. Simple approach: multiply by a 1024 times?
- Efficient computation: write the number b in binary as x_k x_{k-1} x_{k-2} ... x_2 x_1 x_0
- Let t_0 = a mod n. Then compute t_{i+1} = t_i · t_i mod n for i < k, so that t_i = a^(2^i) mod n
- Then a^b mod n = a^[x_k x_{k-1} x_{k-2} ... x_2 x_1 x_0] mod n = Π_{0≤i≤k} (a^(2^i))^{x_i} mod n = Π_{0≤i≤k} t_i^{x_i} mod n
- Time complexity?

27 Efficient Computing of Discrete Log
- For real numbers, how to compute log_a b? Example: log_3 27 = 3
- How to compute log_3 27 mod 5? Find x such that 3^x ≡ 27 mod 5; thus, find x such that 3^x ≡ 2 mod 5
- Try the numbers x = 1, 2, 3, ...; find x = 3, 7, 11, ...
- Can we write a program to compute this quickly?
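The square-and-multiply method of slide 26 and the trial search for the discrete log of slide 27, as an added Python example (not from the lecture notes); the function names are mine.

```python
# Added example: binary exponentiation (slide 26) and brute-force discrete log (slide 27).

def mod_exp(a, b, n):
    """a^b mod n by the binary method: t_0 = a mod n, t_{i+1} = t_i^2 mod n,
    and the product of t_i over the set bits x_i of b.
    Costs O(log b) modular multiplications instead of b of them."""
    if n == 1:
        return 0
    result = 1
    t = a % n                     # t_i = a^(2^i) mod n
    while b > 0:
        if b & 1:                 # bit x_i is set: multiply t_i into the product
            result = (result * t) % n
        t = (t * t) % n           # t_{i+1} = t_i * t_i mod n
        b >>= 1
    return result


def multiplication_count(b):
    """Number of modular multiplications mod_exp performs for exponent b:
    one squaring per bit plus one multiply per set bit."""
    return b.bit_length() + bin(b).count("1")


def discrete_log_bruteforce(a, b, p, limit):
    """All exponents x in 1..limit with a^x ≡ b (mod p), found by trying
    x = 1, 2, 3, ... as slide 27 suggests.  The running time is linear in
    the search range, i.e. exponential in the bit length of p."""
    target = b % p
    hits = []
    cur = 1
    for x in range(1, limit + 1):
        cur = (cur * a) % p       # cur = a^x mod p
        if cur == target:
            hits.append(x)
    return hits
```

For 3^x ≡ 27 mod 5 the search returns 3, 7, 11, ... because the order of 3 mod 5 is 4, so the solutions repeat every 4 steps.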

28 Relative Primes
- Two numbers a and n are relatively prime if gcd(a, n) = 1
- Consider all integers 0 < a < n. How many are relatively prime to n? Equivalently, how many a are there such that a^-1 mod n exists?
- Typically Z_n = {0, 1, 2, ..., n-1}: all integers 0 ≤ a < n
- Z_n^* = {a | 0 ≤ a < n, gcd(a, n) = 1}: all integers in Z_n that are coprime with n, also called the reduced residue set mod n

29 Group Formed by Relative Primes
- Z_n = {0, 1, 2, ..., n-1}: all integers 0 ≤ a < n
- (Z_n, +) forms a group: need to show the special element 0 and the inverse of an element a
- Z_n^* = {a | 0 ≤ a < n, gcd(a, n) = 1}
- (Z_n^*, ·) forms a group: need to show the special element 1 and the inverse of an element a

30 Euler Totient Function
- If we consider arithmetic modulo n, then a reduced set of residues is the subset of the complete set of residues modulo n which are relatively prime to n
- E.g. for n = 10, the complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; the reduced set of residues is {1, 3, 7, 9}
- The number of elements in the reduced set of residues is called the Euler totient function φ(n)

31 Cont.
- Compute φ(n): if the factoring of n is known, φ(n) = n Π(1 - 1/p_i), where the p_i are its prime factors
- Otherwise it is expensive! Computing φ(n) when knowing the fact n = pq but not the numbers p and q is conjectured to be a hard question, but not proved yet. Equivalent to finding p and q.

32 Cont.
- Equivalency: given the fact that n is the product of two prime numbers p and q (but not knowing the values of p and q), finding p, q ⇔ computing φ(n)
- Proof: if we found p and q, then φ(n) = (p-1)(q-1); if we found φ(n), then solve for p, q from the equations n = p·q and φ(n) = (p-1)(q-1)
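Both directions of the equivalence on slides 31 and 32, as an added Python example (not from the lecture notes): φ(n) from a known factorization, and p, q recovered from n and φ(n) by solving the two equations as a quadratic. The sample values (n = 3233 = 53·61) are constructed for the example.

```python
# Added example: φ(n) from the factorization, and factoring n = pq given φ(n).
from math import isqrt


def phi_from_factors(factors):
    """φ(n) = n * Π (1 - 1/p_i) for n given as {prime: exponent}."""
    n = 1
    for p, e in factors.items():
        n *= p ** e
    phi = n
    for p in factors:
        phi = phi // p * (p - 1)      # multiply by (1 - 1/p) exactly
    return phi


def factor_from_phi(n, phi):
    """Recover (p, q) from n = p*q and φ(n) = (p-1)(q-1).
    Since φ(n) = n - (p+q) + 1, the sum s = p + q = n - φ(n) + 1 is known,
    and p, q are the roots of t^2 - s*t + n = 0.  Returns None when the
    pair (n, phi) is inconsistent (the discriminant is not a perfect square)."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        return None
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        return None
    return p, q
```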

33 Euler's Theorem
- Theorem: let gcd(a, n) = 1; then a^φ(n) mod n = 1
- Proof: consider all reduced residues x_i in Z_n^* = {x | 0 ≤ x < n, gcd(x, n) = 1}
- Then a·x_i, 1 ≤ i ≤ φ(n), also form a reduced residue set (Z_n^* and a·Z_n^* are the same set!)
- Using Π (a·x_i) ≡ Π x_i mod n, we have a^φ(n) Π x_i ≡ Π x_i mod n
- Thus a^φ(n) ≡ 1 mod n, using the fact that Π x_i has an inverse

34 Fermat's Little Theorem
- Theorem: let p be a prime and gcd(a, p) = 1; then a^(p-1) mod p = 1
- Proof: similar to the proof of Euler's theorem, but consider all integers in Z_p
- Generally, for any prime number p: a^p mod p = a (true for any number a)
- Generally, for any number n = pq: a^(φ(n)+1) mod n = a (true for any number a). Need to prove the case gcd(a, n) > 1: do it yourself

35 Chinese Remainder Theorem (CRT)
- The computer science department organizes students for a graduation party
- 25 students per bus; all buses are full except one with 20 students
- 12 students per table for dinner; all tables are full except one table with only 4 students
- We know that there are fewer than 300 students. How many students graduated?

36 Chinese Remainder Theorem (CRT), by Qin Jiushao
- Let m_1, m_2, ..., m_k be pairwise relatively prime numbers
- Assume the integer x ≡ a_i mod m_i for 1 ≤ i ≤ k
- Then x = Σ a_i e_i mod M, where M = Π m_i, M_i = M / m_i, e_i = M_i · (M_i^-1 mod m_i)
- Proof: for each i, the integers m_i and M/m_i are coprime, and using the extended Euclidean algorithm we can find integers r and s such that r·m_i + s·M/m_i = 1. If we set e_i = s·M/m_i, then e_i ≡ 1 mod m_i and e_i ≡ 0 mod m_j for j ≠ i.

37 General CRT
- Sometimes the simultaneous congruences can be solved even if the m_i's are not pairwise coprime
- A solution x exists if and only if a_i ≡ a_j (mod gcd(m_i, m_j)) for all i and j
- All solutions x are congruent modulo the least common multiple of the m_i
- Method: successive substitution

38 Example
- Consider the simultaneous congruences x ≡ 3 (mod 4), x ≡ 5 (mod 6)
- Can be transformed to x ≡ 3 (mod 4); x ≡ 5 (mod 2), i.e., x ≡ 1 (mod 2); x ≡ 5 (mod 3), i.e., x ≡ 2 (mod 3)
- Then transformed to x ≡ 3 (mod 4), x ≡ 2 (mod 3)
- Using CRT, x ≡ 11 (mod 12)

39 Testing Primality

40 Largest Primes
- Great Internet Mersenne Prime Search, GIMPS ( digits, about 12.9 million digits, Aug 08) and ( only 11.1 million digits, Sept 08)

41 Primality Testing
- To check whether there exists an integer a such that a | n
- Primary school methods: test a = 2, 3, 4, 5, 6, ..., n-1; test a = 2, 3, 4, 5, ..., n^0.5; test a = 2, 3, 5, 7, 11, ..., p for prime numbers p ≤ n^0.5
- Too slow! The first checks almost n numbers, the second checks n^0.5 numbers, and the third still needs at least around (n / ln n)^0.5 numbers to be checked
- Example: n ~ 2^1024, then (n / ln n)^0.5 ~ (2^1024 / 1024)^0.5. Assume 2^30 numbers per second; it takes about ... · 16 = 2^27 days
- Any improvement?

42 Classification of Primality Tests
- The quick tests for small numbers and probable primes: finding very small primes (trial division); Fermat, probable-primality and pseudoprimes; strong probable-primality and a practical test
- The classical tests: N-1 tests (and Pepin's test for Fermat numbers); N+1 tests (and the Lucas-Lehmer test for Mersenne numbers); a combined test, and more
- The general purpose tests: neoclassical tests, especially APR and APR-CL; using elliptic curves, especially the ECPP test; a polynomial-time algorithm

43 Fermat's Little Theorem Based Test
- Fermat's theorem gives us a powerful test for compositeness: given n > 1, choose a > 1 and calculate a^(n-1) modulo n (there is a very easy way to do this quickly, by repeated squaring)
- If the result is not one modulo n, then n is composite
- If it is one modulo n, then n might be prime, so n is called a weak probable prime base a (or just an a-PRP)
- Some early articles call all numbers satisfying this test pseudoprimes, but now the term pseudoprime is properly reserved for composite probable primes

44 Carmichael Numbers
- There may be relatively few pseudoprimes, but there are still infinitely many of them for every base a > 1, so we need a tougher test
- One way to make this test more accurate is to use multiple bases (check base 2, then 3, then 5, ...)
- But still we run into an interesting obstacle called the Carmichael numbers: the composite integer n is a Carmichael number if a^(n-1) ≡ 1 (mod n) for every integer a relatively prime to n

45 Strong Probable-Primality and a Practical Test
- A better way to make the Fermat test more accurate is to realize that if an odd number n is prime, then the number 1 has just two square roots modulo n: 1 and -1. So the square root of a^(n-1), namely a^((n-1)/2) (since n is odd), is either 1 or -1.
- Algorithm: write n - 1 = 2^s·d, where d is odd and s is non-negative. n is a strong probable prime base a (an a-SPRP) if either a^d ≡ 1 (mod n) or (a^d)^(2^r) ≡ -1 (mod n) for some non-negative r less than s.
- It has been proven ([Monier80] and [Rabin80]) that the strong probable-primality test is wrong no more than 1/4 of the time (3 out of 4 numbers which pass it will be prime).

46 Simple Fact
- The equation x^2 ≡ 1 mod p has only the solutions 1 and -1 if p is a prime number. Simple proof: (x + 1)(x - 1) ≡ 0 mod p
- So if we find another solution, then p cannot be a prime number!
- Miller and Rabin (1975, 1980): randomly choose an integer a. If a^2 ≡ 1 mod p (with a ≢ ±1), then p is not a prime number, and the integer a is called a witness. Otherwise p may or may not be a prime number.

47 Witness Algorithm
Witness(a, n)
  Let b_k b_{k-1} ... b_1 b_0 be the binary code of n - 1
  Let d = 1
  For i = k downto 0
    x = d; d = d·d mod n
    If d = 1 and x ≠ 1 and x ≠ n - 1, return TRUE
    If b_i = 1 then d = d·a mod n
  Endfor
  If d ≠ 1 then return TRUE
  Return FALSE

48 Facts
- Analyze the result of Witness: if it returns TRUE, then n is not a prime number (we found another solution for x^2 ≡ 1 mod n); otherwise, n may be a prime number
- Given odd n and random a, Witness fails with probability less than 0.5
- Run the Witness algorithm s times: if any run returns TRUE, then n is not a prime number; otherwise Pr(n is prime) > 1 - 2^-s
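The Fermat test of slide 43, the Witness routine of slide 47 and the s-round test of slide 48, as an added Python example (not from the lecture notes), run against the Carmichael number 561 = 3·11·17 from slide 44: 561 passes the Fermat test for base 2, but Witness(2, 561) finds 67 as a nontrivial square root of 1 and proves it composite.

```python
# Added example: Fermat test, WITNESS(a, n) and the repeated Miller-Rabin test.
import random
from math import gcd


def fermat_probable_prime(n, a):
    """Fermat test: n is an a-PRP when a^(n-1) ≡ 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def witness(a, n):
    """WITNESS(a, n) as on slide 47.  TRUE means a proves n composite: either
    the squaring chain met a nontrivial square root of 1 (x with x^2 ≡ 1 and
    x ≢ ±1), or a^(n-1) ≢ 1 (mod n) at the end."""
    d = 1
    for bit in bin(n - 1)[2:]:          # b_k ... b_0 of n-1, high bit first
        x = d
        d = (d * d) % n
        if d == 1 and x != 1 and x != n - 1:
            return True                 # nontrivial square root of 1 found
        if bit == "1":
            d = (d * a) % n
    return d != 1                       # Fermat condition failed


def miller_rabin(n, s=20, rng=random):
    """Yes-biased Monte Carlo test for compositeness: 'composite' (False) is
    always right; 'probably prime' (True) is wrong with probability < 2^-s."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(s):
        a = rng.randint(2, n - 2)
        if witness(a, n):
            return False
    return True


def is_carmichael(n):
    """Composite n with a^(n-1) ≡ 1 (mod n) for every a coprime to n
    (slide 44); such n fools the Fermat test for every coprime base."""
    if n < 3 or miller_rabin(n):
        return False
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)
```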

49 RANDOMIZED METHODS

50 Randomized Methods
- Las Vegas method: always produces correct results (may not give an answer sometimes); runs in expected polynomial time
- Monte Carlo method: always runs in polynomial time; may produce incorrect results with a bounded probability
- Yes-biased Monte Carlo method: the answer yes is always correct, but the answer no may be wrong
- No-biased Monte Carlo method: the answer no is always correct, but the answer yes may be wrong

51 Witness Algorithm
- The Witness algorithm is based on the Monte Carlo method (yes-biased MC for compositeness)
- It actually tests compositeness, not primality: when it reports yes, the number is always composite; when it reports no, the input may be composite or prime
- Probability result: Pr(input = composite | ans = composite) = 1; Pr(ans = prime | input = composite) < 1/2; Pr(input = composite | ans = prime) ≤ 1/4

52 Time Complexity
- Each round of Witness costs O(log n) (unit: integer multiplication and modular arithmetic)
- So the primality testing costs O(s log n)
- The confidence is 1 - 2^-s if it reports prime; the confidence is 1 if it reports non-prime
- Miller's test [Miller76]: if the extended Riemann hypothesis is true, then if n is an a-SPRP for all integers a with 1 < a < 2 (log n)^2, then n is prime

53 More on Proving Primes (N-1 Test)
- Theorem 1: let n > 1. If for every prime factor q of n - 1 there is an integer a such that a^(n-1) ≡ 1 (mod n) and a^((n-1)/q) ≢ 1 (mod n), then n is prime.

54 N-1 Test
- Theorem 2: suppose n - 1 = F·R, where F > R, gcd(F, R) = 1 and the factorization of F is known. If for every prime factor q of F there is an integer a > 1 such that a^(n-1) ≡ 1 (mod n) and gcd(a^((n-1)/q) - 1, n) = 1, then n is prime.

55 N+1 Test for Mersenne Numbers
- Lucas-Lehmer test (1930): let p be an odd prime. The Mersenne number M(p) = 2^p - 1 is prime if and only if S(p-2) ≡ 0 (mod M(p)), where S(0) = 4 and S(k+1) = S(k)^2 - 2.
- The complexity is O(p^2 log p log log p), or Õ(p^2), using fast multiplication based on the FFT
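The Lucas-Lehmer recurrence, as an added Python example (not from the lecture notes), reducing S(k) modulo M(p) at each step so that the numbers never exceed p bits; the helper that sweeps exponents is mine.

```python
# Added example: Lucas-Lehmer test for Mersenne numbers M(p) = 2^p - 1.

def is_small_prime(p):
    """Trial division; only used here to choose exponents p."""
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True


def lucas_lehmer(p):
    """True iff M(p) = 2^p - 1 is prime, for prime p.
    S(0) = 4, S(k+1) = S(k)^2 - 2, and M(p) is prime iff S(p-2) ≡ 0 (mod M(p)).
    Reducing mod M(p) every step keeps each S(k) below 2^p."""
    if p == 2:
        return True                 # M(2) = 3; the theorem is stated for odd p
    if not is_small_prime(p):
        raise ValueError("p must be prime")
    M = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % M
    return s == 0


def mersenne_prime_exponents(limit):
    """All primes p <= limit for which M(p) is prime."""
    return [p for p in range(2, limit + 1) if is_small_prime(p) and lucas_lehmer(p)]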

56 ECPP Method
- What is the next big leap in primality proving? To switch from Galois groups to some other, perhaps easier to work with, groups: in this case the points on elliptic curves modulo n
- An elliptic curve is a curve of genus one, that is, a curve that can be written in the form E(a, b): y^2 = x^3 + ax + b (with 4a^3 + 27b^2 not zero), which is the form used for implementation
- Heuristically, the best version of ECPP is O((log n)^(4+ε)) for some ε > 0, but it is not guaranteed to run in polynomial time (same as another method, APR)

57 Improved Deterministic Methods

58 AKS Method: Deterministic Polynomial-Time Method
- In 2002 Agrawal, Kayal and Saxena found a relatively simple deterministic algorithm which relies on no unproved assumptions
- Agrawal: Head of CSE, IITK. Kayal, Saxena: B.E. 2002, Indian Institute of Technology, Kanpur (IITK), PhD IITK
- 2006 Gödel Prize (in TCS, awarded every year from 1993) and the 2006 Fulkerson Prize (in discrete mathematics, awarded every 3 years from 1979)
- There has been a long list of research efforts devoted to finding deterministic polynomial-time methods for testing primes

59 Basics
- Theorem: suppose that a and p are relatively prime integers with p > 1. p is prime if and only if (x - a)^p ≡ (x^p - a) (mod p), where x is a variable
- Proof: if p is prime, then p divides the binomial coefficients C(p, r) for r = 1, 2, ..., p-1. This shows that (x - a)^p ≡ (x^p - a^p) (mod p), and the equation above follows via Fermat's little theorem.
- On the other hand, if p > 1 is composite, then it has a prime divisor q. Let q^k be the greatest power of q that divides p. Then q^k does not divide C(p, q) and is relatively prime to a^(p-q), so the coefficient of the term x^q on the left of the equation in the theorem is not zero, but it is on the right.

60 AKS Method
Input: integer n > 1
  if (n has the form a^b with b > 1) then output COMPOSITE
  r := 2
  while (r < n) {
    if (gcd(n, r) is not 1) then output COMPOSITE
    if (r is a prime greater than 2) then {
      let q be the largest factor of r - 1
      if (q > 4·sqrt(r)·log n) and (n^((r-1)/q) is not 1 (mod r)) then break
    }
    r := r + 1
  }
  for a = 1 to 2·sqrt(r)·log n {
    if ((x - a)^n is not (x^n - a) (mod x^r - 1, n)) then output COMPOSITE
  }
  output PRIME
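The procedure of slide 60 carried out in Python, as an added example (not the authors' implementation): polynomials modulo (x^r - 1, n) are coefficient lists of length r, and the identity (x - a)^n ≡ x^n - a is checked by square-and-multiply on those lists. Assumed: log n means the base-2 logarithm, and the helpers are mine.

```python
# Added example: the 2002 AKS procedure exactly as the slide states it.
from math import gcd, isqrt, log2


def is_perfect_power(n):
    """True if n = a^b for integers a >= 2, b >= 2 (first line of AKS)."""
    for b in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // b + 1)
        while lo <= hi:                          # binary search for a = n^(1/b)
            mid = (lo + hi) // 2
            v = mid ** b
            if v == n:
                return True
            lo, hi = (mid + 1, hi) if v < n else (lo, mid - 1)
    return False


def is_prime_trial(m):
    return m > 1 and all(m % d for d in range(2, isqrt(m) + 1))


def largest_prime_factor(m):
    best, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            best, m = d, m // d
        d += 1
    return max(best, m) if m > 1 else best


def poly_mulmod(f, g, r, n):
    """(f * g) mod (x^r - 1, n) for coefficient lists of length r:
    x^(i+j) wraps to x^((i+j) mod r) because x^r ≡ 1."""
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                if gj:
                    k = (i + j) % r
                    h[k] = (h[k] + fi * gj) % n
    return h


def poly_powmod(base, e, r, n):
    """base^e mod (x^r - 1, n) by square-and-multiply on polynomials."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base = poly_mulmod(base, base, r, n)
        e >>= 1
    return result


def aks(n):
    """Returns 'PRIME' or 'COMPOSITE' following the slide step by step."""
    if n < 2 or is_perfect_power(n):
        return "COMPOSITE"
    L = log2(n)                                  # assumption: log n is base 2
    r = 2
    while r < n:
        if gcd(n, r) != 1:
            return "COMPOSITE"                   # r itself shares a factor with n
        if r > 2 and is_prime_trial(r):
            q = largest_prime_factor(r - 1)
            if q > 4 * r ** 0.5 * L and pow(n, (r - 1) // q, r) != 1:
                break
        r += 1
    # check (x - a)^n ≡ x^n - a (mod x^r - 1, n) for a = 1 .. 2 sqrt(r) log n
    for a in range(1, int(2 * r ** 0.5 * L) + 1):
        x_minus_a = [(-a) % n, 1] + [0] * (r - 2)
        lhs = poly_powmod(x_minus_a, n, r, n)
        rhs = [0] * r
        rhs[n % r] = 1                           # x^n reduced modulo x^r - 1
        rhs[0] = (rhs[0] - a) % n                # ... minus a
        if lhs != rhs:
            return "COMPOSITE"
    return "PRIME"
```

For n below a few thousand the break condition in the while loop is never met, so r runs up to n and every composite is caught by the gcd line; the polynomial check is what certifies the primes.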

61 Time Complexity
- They proved it would run in at most O((log n)^12 f(log log n)) time, where f is a polynomial
- AKS also showed that if Sophie Germain primes have the expected distribution [HL23] (and they certainly should!), then the exponent 12 in the time estimate can be reduced to 6, bringing it much closer to the (probabilistic) ECPP method
- But of course when actually finding primes it is the unlisted constants that make all of the difference! We will have to wait for efficient implementations of this algorithm (and hopefully clever restatements of the painful for loop) to see how it compares to the others for integers of a few thousand digits.
- Until then, at least we have learned that there is a polynomial-time algorithm for all integers that both is deterministic and relies on no unproved conjectures!

62 Other Related Topics: Primitive Root (Generator) and Quadratic Residue

63 Primitive Root
- Order of an integer, ord_n(a): the order of a modulo n is the smallest positive k such that a^k ≡ 1 mod n
- Primitive root: the integer a is a primitive root of n if the order of a modulo n is φ(n)
- Not all integers have a primitive root; example: n = pq for primes p and q
- A prime p has φ(p-1) primitive roots

64 Example
The congruence classes mod 14 coprime to 14 are those of 1, 3, 5, 9, 11 and 13. Powers n^k (mod 14), showing only the first instance of each cycle:
 1 : 1
 2 : 2, 4, 8
 3 : 3, 9, 13, 11, 5, 1
 4 : 4, 2, 8
 5 : 5, 11, 13, 9, 3, 1
 6 : 6, 8
 7 : 7
 8 : 8
 9 : 9, 11, 1
10 : 10, 2, 6, 4, 12, 8
11 : 11, 9, 1
12 : 12, 4, 6, 2, 10, 8
13 : 13, 1
14 : 0
Thus 3 and 5 are the only two primitive roots mod 14.

65 Cont.
- When a primitive root exists: the number n is of the form p, 2p, p^k or 2p^k for some integer k and prime number p; otherwise the primitive root does not exist
- Finding a PR for a prime p: write p - 1 = q_1^a_1 ... q_k^a_k
  1. Let a = 2, i = 1
  2. If i > k, then a is a PR; otherwise go to step 3
  3. If a^((p-1)/q_i) ≢ 1 mod p, let i = i + 1 and go to step 2; otherwise let i = 1 and a = a + 1 and repeat this step 3

66 Finding a PR mod n
- Compute φ(n), then determine the different prime factors of φ(n), say p_1, p_2, ..., p_k
- Now, for every element m of Z_n^*, compute m^(φ(n)/p_i) mod n for all i
- A number m for which these k results are all different from 1 is a primitive root
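The order and primitive-root definitions of slide 63, the table of slide 64 and the search of slides 65 and 66, as an added Python example (not from the lecture notes); factoring is by trial division, which is fine for the small moduli used here.

```python
# Added example: orders, primitive roots mod 14, and the prime-factor test for a PR.
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (small n only)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def phi(n):
    """Euler's totient via φ(n) = n Π (1 - 1/p)."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def order(a, n):
    """ord_n(a): the smallest k > 0 with a^k ≡ 1 (mod n); None if gcd(a, n) != 1."""
    if n == 1:
        return 1
    if gcd(a, n) != 1:
        return None
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def primitive_roots(n):
    """All primitive roots mod n, i.e. elements of Z_n^* whose order is φ(n)."""
    target = phi(n)
    return [a for a in range(1, n) if order(a, n) == target]


def find_primitive_root(p):
    """Slide-65/66 search for an odd prime p: a is a primitive root iff
    a^((p-1)/q) ≢ 1 (mod p) for every prime q dividing p - 1."""
    qs = prime_factors(p - 1)
    for a in range(2, p):
        if all(pow(a, (p - 1) // q, p) != 1 for q in qs):
            return a
    return None
```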

67 Primitive Root
- It is easy to show that, if a is a primitive root mod p, then a^x is a primitive root if and only if gcd(x, φ(p)) = 1
- Thus, if we had just chosen a at random, the probability that it would be a primitive root is about 0.45 (the exact probability is φ(φ(n))/φ(n) = φ(p-1)/(p-1))

68 Primitive Root
- If the GRH is true, then for every prime p there exists a primitive root modulo p (a generator of the multiplicative group of integers modulo p) which is less than 70 (ln p)^2; this is often used in many proofs of time complexity

69 Quadratic Residue
- The integer b is a quadratic residue modulo the integer n if and only if x^2 ≡ b mod n has a solution for x; the number x is called the square root of b mod n. Otherwise b is called a quadratic non-residue.
- Given an odd prime p: b is a quadratic residue iff b^((p-1)/2) ≡ 1 mod p; b is a quadratic non-residue iff b^((p-1)/2) ≡ -1 mod p
- These facts can be used to test primes probabilistically

70 Computing Square Roots mod p
- Given a number a, find a number x with x^2 ≡ a mod p
- If p ≡ 3 mod 4, then x = a^((p+1)/4) mod p is a solution
- If p ≡ 5 mod 8 and a^((p-1)/4) ≡ 1 mod p, then x = a^((p+3)/8) mod p
- If p ≡ 5 mod 8 and a^((p-1)/4) ≡ -1 mod p, then x = 2a·(4a)^((p-5)/8) mod p
- If p ≡ 1 mod 8: write p - 1 = 2^k h, where h is an odd number; then x = a^((h+1)/2) · N^s mod p for a suitable s and N (the general procedure is on the next slide)

71 Compute Square Root mod p
Find a solution to x^2 ≡ a mod p, if one exists:
1. Let r = 0, s = p - 1; while s is even { r = r + 1; s = s / 2 }
2. Choose a random n such that (n/p) = -1, i.e., n is a quadratic non-residue
3. Let z = n^s mod p; x = a^((s+1)/2) mod p; b = a^s mod p
4. If b = 1, return x as a solution
5. Let m = 1, y = b^2 mod p; while y ≠ 1 { y = y^2 mod p; m = m + 1 }
6. If r = m, then a is a quadratic non-residue; exit
7. Let x = x·z^(2^(r-m-1)) mod p, b = b·z^(2^(r-m)) mod p, z = z^(2^(r-m)) mod p and r = m; go to step 4
- The expected running time is O(log^4 p)
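The square-root procedure of slides 70 and 71 (Euler's criterion, the p ≡ 3 mod 4 shortcut, and the randomized algorithm for the remaining primes) as an added Python example, not code from the lecture notes. The invariant x^2 ≡ a·b (mod p) is kept at every step, and r is reset to m after each update so that z always has order exactly 2^r.

```python
# Added example: square roots modulo an odd prime p (slides 70-71).
import random


def is_quadratic_residue(a, p):
    """Euler's criterion for an odd prime p: a is a QR iff a^((p-1)/2) ≡ 1."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_p(a, p, rng=random):
    """Return x with x^2 ≡ a (mod p) for an odd prime p, or None when a is a
    quadratic non-residue.  The other root is p - x."""
    a %= p
    if a == 0:
        return 0
    if not is_quadratic_residue(a, p):
        return None
    if p % 4 == 3:                      # slide 70 shortcut
        return pow(a, (p + 1) // 4, p)
    # step 1: p - 1 = 2^r * s with s odd
    r, s = 0, p - 1
    while s % 2 == 0:
        r, s = r + 1, s // 2
    # step 2: random quadratic non-residue n (half of Z_p^* qualifies)
    n = rng.randrange(2, p)
    while is_quadratic_residue(n, p):
        n = rng.randrange(2, p)
    # step 3
    z = pow(n, s, p)                    # order exactly 2^r
    x = pow(a, (s + 1) // 2, p)
    b = pow(a, s, p)                    # invariant: x^2 ≡ a * b (mod p)
    while b != 1:                       # step 4
        # step 5: least m with b^(2^m) ≡ 1
        m, y = 1, (b * b) % p
        while y != 1:
            y, m = (y * y) % p, m + 1
        if m == r:                      # step 6: impossible for a residue
            return None
        # step 7, with r updated to m
        t = pow(z, 1 << (r - m - 1), p)
        x = (x * t) % p                 # x  <- x * z^(2^(r-m-1))
        z = (t * t) % p                 # z  <- z^(2^(r-m)), order 2^m
        b = (b * z) % p                 # b  <- b * z^(2^(r-m)), order < 2^m
        r = m
    return x
```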

72 Jacobi Symbol
- (a/n) = Π_{i=1}^{k} (a/p_i)^{e_i}, where n = p_1^{e_1} p_2^{e_2} ... p_k^{e_k}
- For a prime p: 1. (a/p) = 0 if a ≡ 0 mod p; 2. (a/p) = 1 if a is a QR mod p; 3. (a/p) = -1 if a is a quadratic non-residue mod p

73 Compute It Efficiently
1. If n is odd and m_1 ≡ m_2 mod n, then (m_1/n) = (m_2/n)
2. If n is odd, then (2/n) = 1 if n ≡ ±1 mod 8, and (2/n) = -1 if n ≡ ±3 mod 8
3. If n is odd, then (m_1 m_2 / n) = (m_1/n)(m_2/n)
4. If n and m are odd, then (m/n) = -(n/m) if m ≡ n ≡ 3 mod 4; otherwise (m/n) = (n/m)

74 Testing Primes (Solovay & Strassen)
- Choose a random integer a from [1, n-1]
- If (a/n) ≡ a^((n-1)/2) mod n, then answer "n is prime"; else answer "n is composite"

75 Property
- If (a/n) ≡ a^((n-1)/2) mod n, the number a is called an Euler pseudoprime to the base n
- For any odd integer n, at most half of the integers a from [1, n-1] are Euler pseudoprimes to the base n
- Thus Prob(ans = prime | input n is composite) < 1/2
- Prob(input n is composite | ans = prime): bound? prob(a|b) = prob(b|a)·prob(a) / prob(b)
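The Jacobi symbol computed with the four rules of slide 73, the Solovay-Strassen test of slide 74, and a count of the bases that satisfy the slide-75 condition for a composite n, as an added Python example (not from the lecture notes).

```python
# Added example: Jacobi symbol (slides 72-73), Solovay-Strassen (slides 74-75).
import random


def jacobi(m, n):
    """Jacobi symbol (m/n) for a positive odd n, using only the slide's rules."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    m %= n                            # rule 1
    result = 1
    while m != 0:
        while m % 2 == 0:             # rule 3 with rule 2: pull out factors of 2
            m //= 2
            if n % 8 in (3, 5):
                result = -result
        m, n = n, m                   # rule 4: quadratic reciprocity
        if m % 4 == 3 and n % 4 == 3:
            result = -result
        m %= n                        # rule 1
    return result if n == 1 else 0    # n > 1 here means gcd(m, n) > 1


def solovay_strassen(n, s=20, rng=random):
    """'composite' (False) is always right; 'prime' (True) is wrong with
    probability < 2^-s, because at most half the bases fool a composite n."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for _ in range(s):
        a = rng.randint(1, n - 1)
        if jacobi(a, n) % n != pow(a, (n - 1) // 2, n):
            return False
    return True


def euler_liars(n):
    """Bases a in [1, n-1] with (a/n) ≡ a^((n-1)/2) (mod n), for odd n.
    For composite n the slide's bound says there are at most (n-1)/2 of them."""
    return [a for a in range(1, n)
            if jacobi(a, n) % n == pow(a, (n - 1) // 2, n)]
```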

76 Some Hard Questions: Factoring, Discrete Log, Square Root

77 Some Hard Questions
- Some questions that are assumed to be hard will be used as bases for cryptography
- Integer factorization: given n, find all its prime factors
- Discrete logarithm: given g, y and p, find x such that g^x ≡ y mod p
- Square root: given b, find x such that x^2 ≡ b mod n; here n is not a prime number

78 Integer Factorization
- Write an integer as a product of prime numbers. For example, given the number 45, the prime factorization would be 3^2 · 5. The factorization is always unique, according to the fundamental theorem of arithmetic.
- Given two large prime numbers, it is easy to multiply them. However, given their product, it appears to be difficult to find the factors. This is relevant for many modern systems in cryptography. If a fast method were found for solving the integer factorization problem, then several important cryptographic systems would be broken.
- Although fast factoring is one way to break these systems, there may be other ways to break them that don't involve factoring. So it is possible that the integer factorization problem is truly hard, yet these systems can still be broken quickly.
- A rare exception is the BBS generator. It has been proved to be exactly as hard as integer factorization: if you can break the generator in polynomial time then you can factorize integers in polynomial time, and vice versa.

79 Current State of the Art
- If a large n-bit number is the product of two primes that are roughly the same size, no polynomial-time factoring algorithm is known
- The best known algorithms are sub-exponential but super-polynomial; the asymptotic running time of the general number field sieve (GNFS) algorithm is sub-exponential in the number of bits
- Polynomial methods are known for quantum computers!

80 Sub-exponential
- There are published algorithms that are faster than O((1+ε)^b) for all positive ε, i.e., sub-exponential, where b is the number of bits of the input

81 Factoring Algorithms
- Special purpose: its running time depends on the properties of the unknown factors: size, special form, etc. Examples: trial division, Pollard's rho algorithm, Pollard's p-1 algorithm, Lenstra elliptic curve factorization, congruence of squares, special number field sieve
- General purpose: running time depends solely on the size of the integer to be factored. This is the type of algorithm used to factor RSA numbers. Most general-purpose algorithms are based on the congruence of squares method. Examples: quadratic sieve, general number field sieve

82 Factorization for Quantum Computers
- For an ordinary computer, the general number field sieve (GNFS) is the best published algorithm for large n (more than about 100 digits)
- For a quantum computer, however, Peter Shor discovered an algorithm in 1994 that solves it in polynomial time. This will have significant implications for cryptography if a large quantum computer is ever built.
- Shor's algorithm takes only O(b^3) time and O(b) space on b-bit number inputs
- In 2001, the first 7-qubit quantum computer became the first to run Shor's algorithm. It factored the number 15.

83 List of Algorithms
Special-purpose: a special-purpose factoring algorithm's running time depends on the properties of its unknown factors: size, special form, etc. Exactly what the running time depends on varies between algorithms.
- Trial division
- Pollard's rho algorithm
- Algebraic-group factorisation algorithms, amongst which are Pollard's p−1 algorithm, Williams' p+1 algorithm and Lenstra elliptic curve factorization
- Fermat's factorization method
- Special number field sieve
General-purpose: a general-purpose factoring algorithm's running time depends solely on the size of the integer to be factored. This is the type of algorithm used to factor RSA numbers. Most general-purpose factoring algorithms are based on the congruence of squares method.
- Dixon's algorithm
- Continued fraction factorization (CFRAC)
- Quadratic sieve
- General number field sieve
- Shanks' square forms factorization (SQUFOF)
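As an added example (not code from the lecture notes), the following Python implements two of the methods listed on slides 81 and 83, the general-purpose Pollard's rho and the special-purpose Pollard's p−1, to show concretely what "running time depends on the properties of the unknown factors" means: p−1 splits a modulus quickly only when some prime factor p has a smooth p−1, while rho does not care. The moduli N_SMOOTH and N_ROUGH are constructed toy values, not real keys.

```python
"""Added example: Pollard's rho (general purpose) and Pollard's p-1 (special
purpose) factoring, plus trial division and a full factorisation routine.
The moduli below are constructed toy values, not real RSA keys."""
from math import gcd


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 using the first 12 primes as bases."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n, seed=2, c=1):
    """General purpose: Pollard's rho with Floyd cycle finding.
    Expected ~sqrt(p) steps, where p is the smallest prime factor of composite n."""
    if n % 2 == 0:
        return 2
    f = lambda v: (v * v + c) % n
    x = y = seed
    d = 1
    while d == 1:
        x = f(x)            # tortoise: one step
        y = f(f(y))         # hare: two steps
        d = gcd(abs(x - y), n)
    if d == n:              # degenerate cycle: retry with a different polynomial
        return pollard_rho(n, seed + 1, c + 1)
    return d


def pollard_p_minus_1(n, bound):
    """Special purpose: Pollard's p-1. Computes a = 2^(bound!) mod n step by step.
    If some prime p | n has a bound-smooth p-1, then a ≡ 1 (mod p) and
    gcd(a-1, n) exposes p; otherwise it fails regardless of the size of n."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d
        if d == n:          # every factor was caught at once; no split
            return None
    return None


def factor(n):
    """Full prime factorisation of n >= 2 as a sorted list with multiplicity:
    trial division for the smallest primes, Pollard's rho for the rest."""
    if n < 2:
        return []
    if is_prime(n):
        return [n]
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return [p] + factor(n // p)
    d = pollard_rho(n)
    return sorted(factor(d) + factor(n // d))


# Constructed toy moduli (not real keys):
#   N_SMOOTH = 1009 * 1019, where 1008 = 2^4 * 3^2 * 7 is 7-smooth;
#   N_ROUGH  = 1019 * 1031, where 1018 = 2 * 509 and 1030 = 2 * 5 * 103.
N_SMOOTH = 1009 * 1019
N_ROUGH = 1019 * 1031

if __name__ == "__main__":
    print("45 =", factor(45))                                    # [3, 3, 5]
    print("rho on N_SMOOTH:", pollard_rho(N_SMOOTH))             # 1009 or 1019
    print("p-1 on N_SMOOTH:", pollard_p_minus_1(N_SMOOTH, 10))  # 1009
    print("p-1 on N_ROUGH:", pollard_p_minus_1(N_ROUGH, 10))    # None
    print("N_ROUGH =", factor(N_ROUGH))                          # [1019, 1031]
```

With bound 10 the p−1 method finds 1009 because 1008 divides 7!, but returns None for N_ROUGH, whose prime factors both have a large prime in p−1; rho splits either modulus.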

84 Discrete Logarithms
- y ≡ g^x mod p
- Given y, g, and p, compute x as log_g(y)
- Time complexity O(e^{(ln p)^{1/3} (ln ln p)^{2/3}}), the best known until now. In other words, if p is large, then it is very hard to solve the discrete logarithm problem.
- Several protocols are based on this: the ElGamal discrete log cryptosystem, Diffie-Hellman key exchange and the Digital Signature Algorithm.
- Current methods: the Pohlig-Hellman algorithm is efficient if p−1 is a product of small primes, so such p should be avoided in those applications.

85 Methods
- More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naive algorithm, but none of them runs in polynomial time.
- Baby-step giant-step (also known as 'Little-Step Big-Step')
- Pollard's rho algorithm for logarithms
- Pollard's lambda algorithm (aka Pollard's kangaroo algorithm)
- Pohlig-Hellman algorithm
- Index calculus algorithm
- Number field sieve
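As an added example (not code from the lecture notes), the following Python implements two of the methods above: baby-step giant-step for y ≡ g^x mod p, and a simplified Pohlig-Hellman reduction (one baby-step giant-step per prime-power factor of p−1, recombined with the Chinese remainder theorem) that makes the warning on slide 84 concrete: for a smooth p−1 the hardest subproblem is tiny, whereas a safe prime p = 2q+1 leaves a subgroup of order q. The primes P_SMOOTH, P_SAFE, the base G and the exponent are constructed toy values.

```python
"""Added example: baby-step giant-step for the discrete logarithm and a
simplified Pohlig-Hellman reduction showing why a smooth p-1 must be avoided.
All primes and exponents are constructed toy values (Python 3.8+ for pow(x, -1, m))."""
from math import isqrt


def bsgs(g, y, p, order=None):
    """Baby-step giant-step: return x in [0, order) with g^x ≡ y (mod p), or None.
    Uses O(sqrt(order)) multiplications and memory; order defaults to p-1."""
    n = order if order is not None else p - 1
    m = isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):                      # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(pow(g, m, p), p - 2, p)     # g^(-m) via Fermat (p prime)
    cur = y
    for i in range(m):                      # giant steps: y * g^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant % p
    return None


def prime_power_factors(n):
    """Trial-division factorisation of n as {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(M, -1, m) % m     # solve x + M*t ≡ r (mod m)
        x += M * t
        M *= m
    return x % M


def pohlig_hellman(g, y, p):
    """Solve g^x ≡ y (mod p) by reducing to one DLP per prime-power factor q^e
    of p-1 (each solved by BSGS inside the subgroup of order q^e) and
    recombining with CRT. The cost is dominated by sqrt(largest q^e), not sqrt(p)."""
    n = p - 1
    residues, moduli = [], []
    for q, e in prime_power_factors(n).items():
        qe = q ** e
        g_i = pow(g, n // qe, p)            # projection into the order-q^e subgroup
        y_i = pow(y, n // qe, p)
        x_i = bsgs(g_i, y_i, p, qe)
        if x_i is None:
            return None                     # y is not in the subgroup generated by g
        residues.append(x_i)
        moduli.append(qe)
    return crt(residues, moduli)


def hardest_subgroup(p):
    """Largest prime-power factor of p-1: the size of the biggest DLP that
    Pohlig-Hellman still has to solve. A safe prime p = 2q+1 gives q."""
    return max(q ** e for q, e in prime_power_factors(p - 1).items())


# Constructed toy parameters: p = 2311 has 2310 = 2*3*5*7*11 (very smooth),
# while p = 2039 = 2*1019 + 1 is a safe prime.
P_SMOOTH, P_SAFE, G = 2311, 2039, 3

if __name__ == "__main__":
    for p in (P_SMOOTH, P_SAFE):
        y = pow(G, 1234, p)
        print(p, "bsgs:", bsgs(G, y, p), "pohlig-hellman:", pohlig_hellman(G, y, p),
              "largest subgroup:", hardest_subgroup(p))
```

For P_SMOOTH the largest subgroup has order 11, so every subproblem needs only a handful of steps; for the safe prime the subgroup of order 1019 remains, which is essentially the full problem.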

86 Complexity Theory
- The input length of a problem is the number n of symbols used to characterize it.
- Complexity of a method:
  - Function f(n) is order O(g(n)) if f(n) ≤ c·g(n) for all n ≥ n₀, for some constant c
  - Function f(n) is order Ω(g(n)) if f(n) ≥ c·g(n) for all n ≥ n₀, for some constant c
  - Function f(n) is order Θ(g(n)) if c1·g(n) ≤ f(n) ≤ c2·g(n) for all n ≥ n₀, for some constants c1 and c2
- A polynomial time algorithm (P) solves any instance of a particular problem with input length n in time O(p(n)), where p is a polynomial.

87 Cont.
- A non-deterministic polynomial time algorithm (NP) is one for which any guess at the solution of an instance of the problem may be checked for validity in polynomial time.
- NP-complete problems are a subclass of NP problems for which it is known that if any such problem has a polynomial time solution, then all NP problems have polynomial solutions.
- Co-NP: the complements of NP problems.


Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of

More information

Number Theory in Cryptology

Number Theory in Cryptology Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=

More information

Mathematics of Public Key Cryptography

Mathematics of Public Key Cryptography Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Counting Prime Numbers with Short Binary Signed Representation

Counting Prime Numbers with Short Binary Signed Representation Counting Prime Numbers with Short Binary Signed Representation José de Jesús Angel Angel and Guillermo Morales-Luna Computer Science Section, CINVESTAV-IPN, Mexico jjangel@computacion.cs.cinvestav.mx,

More information

Numbers, Groups and Cryptography. Gordan Savin

Numbers, Groups and Cryptography. Gordan Savin Numbers, Groups and Cryptography Gordan Savin Contents Chapter 1. Euclidean Algorithm 5 1. Euclidean Algorithm 5 2. Fundamental Theorem of Arithmetic 9 3. Uniqueness of Factorization 14 4. Efficiency

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Ma/CS 6a Class 4: Primality Testing

Ma/CS 6a Class 4: Primality Testing Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is

More information

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017 CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto

More information