CPSC 467: Cryptography and Computer Security

Similar documents
CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

CPSC 467: Cryptography and Computer Security

Basic elements of number theory

Basic elements of number theory

Number Theory and Group Theoryfor Public-Key Cryptography

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Some Facts from Number Theory

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

CPSC 467b: Cryptography and Computer Security

Elementary Number Theory Review. Franz Luef

CPSC 467b: Cryptography and Computer Security

Discrete Mathematics GCD, LCM, RSA Algorithm

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Lecture 4: Number theory

Numbers. Çetin Kaya Koç Winter / 18

Applied Cryptography and Computer Security CSE 664 Spring 2018

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Number Theory and Algebra: A Brief Introduction

Number Theory. Modular Arithmetic

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

A Guide to Arithmetic

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Finite Fields. Mike Reiter

Topics in Cryptography. Lecture 5: Basic Number Theory

8 Primes and Modular Arithmetic

Public Key Encryption

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Mathematics for Cryptography

Mathematical Foundations of Public-Key Cryptography

Number Theory. Zachary Friggstad. Programming Club Meeting

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Basic Algorithms in Number Theory

CSC 474 Information Systems Security

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Chapter 8. Introduction to Number Theory

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

LECTURE NOTES IN CRYPTOGRAPHY

Senior Math Circles Cryptography and Number Theory Week 2

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

CPSC 467b: Cryptography and Computer Security

Basic Algorithms in Number Theory

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

CIS 551 / TCOM 401 Computer and Network Security

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Chapter 4 Finite Fields

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

ECE596C: Handout #11

ECEN 5022 Cryptography

Number Theory A focused introduction

Security II: Cryptography exercises

Lecture 3.1: Public Key Cryptography I

A Few Primality Testing Algorithms

Chapter 5. Modular arithmetic. 5.1 The modular ring

CMPUT 403: Number Theory

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Introduction to Public-Key Cryptosystems:

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Algorithms (II) Yu Yu. Shanghai Jiaotong University

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

A. Algebra and Number Theory

COT 3100 Applications of Discrete Structures Dr. Michael P. Frank

CS483 Design and Analysis of Algorithms

Mathematics of Cryptography

Lecture 6: Introducing Complexity

CS March 17, 2009

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Encryption: The RSA Public Key Cipher

3 The fundamentals: Algorithms, the integers, and matrices

Modular Arithmetic and Elementary Algebra

CSE 311: Foundations of Computing. Lecture 12: Two s Complement, Primes, GCD

Chapter 5. Number Theory. 5.1 Base b representations

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Public Key Cryptography

Lecture 14: Hardness Assumptions

Fast Fraction-Integer Method for Computing Multiplicative Inverse

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

LECTURE 4: CHINESE REMAINDER THEOREM AND MULTIPLICATIVE FUNCTIONS

Fall 2017 September 20, Written Homework 02

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

10 Public Key Cryptography : RSA

Lecture 1: Introduction to Public key cryptography

#26: Number Theory, Part I: Divisibility

Computational Number Theory. Adam O Neill Based on

Cryptography IV: Asymmetric Ciphers

Introduction to Cryptography. Lecture 6

Discrete mathematics I - Number theory

Algorithms CMSC Basic algorithms in Number Theory: Euclid s algorithm and multiplicative inverse

Chinese Remainder Theorem

Transcription:

CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47

Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory Quotient, remainder, and mod The mod relation GCD Multiplicative subgroup of Z n Discrete Logarithm CPSC 467, Lecture 9 2/47

Fast Exponentiation Algorithms CPSC 467, Lecture 9 3/47

Modular exponentiation The basic operation of RSA is modular exponentiation of big numbers, i.e., computing m e mod n for big numbers m, e, and n. The obvious way to compute this would be to compute first t = m e and then compute t mod n. This has two serious drawbacks. CPSC 467, Lecture 9 4/47

Computing m e the conventional way is too slow The simple iterative loop to compute m e requires e multiplications, or about 2 1024 operations in all. This computation would run longer than the current age of the universe (which is estimated to be 15 billion years). Assuming one loop iteration could be done in one microsecond (very optimistic seeing as each iteration requires computing a product and remainder of big numbers), only about 30 10 12 iterations could be performed per year, and only about 450 10 21 iterations in the lifetime of the universe. But 450 10 21 2 79, far less than e 1. CPSC 467, Lecture 9 5/47

The result of computing m e is too big to write down. The number m e is too big to store! This number, when written in binary, is about 1024 2 1024 bits long, a number far larger than the number of atoms in the universe (which is estimated to be only around 10 80 2 266 ). CPSC 467, Lecture 9 6/47

Controlling the size of intermediate results The trick to get around the second problem is to do all arithmetic modulo n, that is, reduce the result modulo n after each arithmetic operation. The product of two length l numbers is only length 2l before reduction mod n, so in this way, one never has to deal with numbers longer than about 2048 bits. Question to think about: Why is it correct to do this? CPSC 467, Lecture 9 7/47

Efficient exponentiation The trick to avoiding the first problem is to use a more efficient exponentiation algorithm based on repeated squaring. For the special case of e = 2 k, one computes m e mod n as follows: m 0 = m m 1 = (m 0 m 0 ) mod n m 2 = (m 1 m 1 ) mod n Clearly, m i = m 2i mod n for all i.. m k = (m k 1 m k 1 ) mod n. CPSC 467, Lecture 9 8/47

Combining the m i for general e For values of e that are not powers of 2, m e mod n can be obtained as the product modulo n of certain m i s. Express e in binary as e = (b s b s 1... b 2 b 1 b 0 ) 2. Then e = i b i2 i, so m e = m i b i 2 i = m b i 2 i = (m 2i ) b i = m i. i i i : b I =1 Since each b i {0, 1}, we include exactly those m i in the final product for which b i = 1. Hence, m e mod n = m i mod n. i : b I =1 CPSC 467, Lecture 9 9/47

Towards greater efficiency It is not necessary to perform this computation in two phases. Rather, the two phases can be combined together, resulting in slicker and simpler algorithms that do not require the explicit storage of the m i s. We give both a recursive and an iterative version. They re both based on the identities 1 { (m 2 m e ) e/2 if e is even; = (m 2 ) e/2 m if e is odd; 1 e/2 is the greatest integer less than or equal to e/2. CPSC 467, Lecture 9 10/47

A recursive exponentiation algorithm Here is a recursive version written in C notation, but it should be understood that the C programs only work for numbers smaller than 2 16. To handle larger numbers requires the use of big number functions. /* computes m^e mod n recursively */ int modexp( int m, int e, int n) { int r; if ( e == 0 ) return 1; /* m^0 = 1 */ r = modexp(m*m % n, e/2, n); /* r = (m^2)^(e/2) mod n */ if ( (e&1) == 1 ) r = r*m % n; /* handle case of odd e */ return r; } CPSC 467, Lecture 9 11/47

An iterative exponentiation algorithm This same idea can be expressed iteratively to achieve even greater efficiency. /* computes m^e mod n iteratively */ int modexp( int m, int e, int n) { int r = 1; while ( e > 0 ) { if ( (e&1) == 1 ) r = r*m % n; e /= 2; m = m*m % n; } return r; } CPSC 467, Lecture 9 12/47

Correctness The loop invariant is e > 0 (m e 0 0 mod n = rme mod n) (1) where m 0 and e 0 are the initial values of m and e, respectively. Proof of correctness: It is easily checked that (1) holds at the start of each iteration. If the loop exits, then e = 0, so r mod n is the desired result. Termination is ensured since e gets reduced during each iteration. CPSC 467, Lecture 9 13/47

A minor optimization Note that the last iteration of the loop computes a new value of m that is never used. A slight efficiency improvement results from restructuring the code to eliminate this unnecessary computation. Following is one way of doing so. /* computes m^e mod n iteratively */ int modexp( int m, int e, int n) { int r = ( (e&1) == 1 )? m % n : 1; e /= 2; while ( e > 0 ) { m = m*m % n; if ( (e&1) == 1 ) r = r*m % n; e /= 2; } return r; } CPSC 467, Lecture 9 14/47

Number Theory Needed for RSA CPSC 467, Lecture 9 15/47

Number theory overview In this and following sections, we review some number theory that is needed for understanding RSA. I will provide only a high-level overview. Further details are contained in course handouts and the textbooks. CPSC 467, Lecture 9 16/47

Bare-bones definitions The following definitions apply to the RSA parameters. p, q are distinct large primes of roughly the same length. n = pq. Z n = {0, 1,..., n 1}. φ(n) = (p 1)(q 1). [φ is Euler s totient function.] Z n are the numbers in Z n that are relatively prime to n (that is, not divisible by either p or q, which is most of them). Fact: Z n = φ(n). CPSC 467, Lecture 9 17/47

Example: Small RSA p = 11, q = 13. n = p q = 143. Z 143 = {0, 1, 2,..., 141, 142}. φ(143) = (p 1)(q 1) = 10 12 = 120. Z 143 = Z 143 M 11 M 13, where M 11 = {0, 11, 22, 33, 44, 55, 66, 77, 88, 99, 110, 121, 132}, M 13 = {0, 13, 26, 39, 52, 65, 78, 91, 104, 117, 130}. Z 143 = Z 143 M 11 M 13 + M 11 M 13 = 143 13 11 + 1 = 120 = φ(143). CPSC 467, Lecture 9 18/47

Summary of what is needed Here s a summary of the number theory needed to understand RSA and its associated algorithms. Greatest common divisor, Z n, modn, φ(n), Z n, and how to add, subtract, multiply, and find inverses mod n. Euler s theorem: a φ(n) 1 (mod n) for a Z n. How to generate large prime numbers: density of primes and testing primality. CPSC 467, Lecture 9 19/47

Generating the RSA modulus To generate an RSA modulus n, we find primes p and q of the desired lengths and compute n = pq. To find a large prime, repeatedly choose numbers of the desired length and test each for primality. We must show that the density of primes is large enough for this procedure to be feasible. CPSC 467, Lecture 9 20/47

Finding the RSA key pair The RSA key pair (e, d) is chosen to satisfy the modular equation ed 1 (mod φ(n)). To find (e, d): 1. Choose random e Z φ(n). Do this by repeatedly choosing e at random from Z φ(n) and using gcd to test membership in Z φ(n). 2. Solve the modular equation ed 1 (mod φ(n)) for d. Using Euler s theorem, we can show m ed m (mod n) for all m Z n. This implies D d (E e (m)) = m. To show that decryption works even in the rare case that m Z n Z n requires some more number theory that we will omit. CPSC 467, Lecture 9 21/47

Elementary Number Theory CPSC 467, Lecture 9 22/47

Quotient, remainder, and mod Quotient and remainder Theorem (division theorem) Let a, b be integers and assume b > 0. There are unique integers q (the quotient) and r (the remainder) such that a = bq + r and 0 r < b. Write the quotient as a b and the remainder as a mod b. Then a = b (a b) + (a mod b). Equivalently, a mod b = a b (a b). a b = a/b. 2 2 Here, / is ordinary real division and x, the floor of x, is the greatest integer x. In C, / is used for both and / depending on its operand types. CPSC 467, Lecture 9 23/47

Quotient, remainder, and mod The mod operator for negative numbers When either a or b is negative, there is no consensus on the definition of a mod b. By our definition, a mod b is always in the range [0... b 1], even when a is negative. Example, ( 5) mod 3 = ( 5) 3 (( 5) 3) = 5 3 ( 2) = 1. CPSC 467, Lecture 9 24/47

Quotient, remainder, and mod The mod operator % in C In the C programming language, the mod operator % is defined differently, so (a % b) (a mod b) when a is negative and b is positive. The C standard defines a % b to be the number r satisfying the equation (a/b) b + r = a, so r = a (a/b) b. C also defines a/b to be the result of rounding the real number a/b towards zero, so 5/3 = 1. Hence, 5 % 3 = 5 ( 5/3) 3 = 5 + 3 = 2. CPSC 467, Lecture 9 25/47

Quotient, remainder, and mod Divides We say that b divides a (exactly) and write b a in case a mod b = 0. Fact If d (a + b), then either d divides both a and b, or d divides neither of them. To see this, suppose d (a + b) and d a. Then by the division theorem, a + b = dq 1 and a = dq 2 for some integers q 1 and q 2. Substituting for a and solving for b, we get b = dq 1 dq 2 = d(q 1 q 2 ). But this implies d b, again by the division theorem. CPSC 467, Lecture 9 26/47

The mod relation The mod relation We just saw that mod is a binary operation on integers. Mod is also used to denote a relationship on integers: a b (mod n) iff n (a b). That is, a and b have the same remainder when divided by n. An immediate consequence of this definition is that a b (mod n) iff (a mod n) = (b mod n). Thus, the two notions of mod aren t so different after all! We sometimes write a n b to mean a b (mod n). CPSC 467, Lecture 9 27/47

The mod relation Mod is an equivalence relation The two-place relationship n is an equivalence relation. Its equivalence classes are called residue classes modulo n and are denoted by [b] n = {a a b (mod n)} or simply by [b]. For example, if n = 7, then [10] = {... 11, 4, 3, 10, 17,...}. Fact [a] = [b] iff a b (mod n). CPSC 467, Lecture 9 28/47

The mod relation Canonical names If x [b], then x is said to be a representative or name of the equivalence class [b]. Obviously, b is a representative of [b]. Thus, [ 11], [ 4], [3], [10], [17] are all names for the same equivalence class. The canonical or preferred name for the class [b] is the unique integer in [b] {0, 1,..., n 1}. Thus, the canonical name for [10] is 10 mod 7 = 3. CPSC 467, Lecture 9 29/47

The mod relation Mod is a congruence relation The relation n is a congruence relation with respect to addition, subtraction, and multiplication of integers. Fact For each arithmetic operation {+,, }, if a a (mod n) and b b (mod n), then a b a b (mod n). The class containing the result of a b depends only on the classes to which a and b belong and not the particular representatives chosen. Hence, we can perform arithmetic on equivalence classes by operating on their names. CPSC 467, Lecture 9 30/47

GCD Greatest common divisor Definition The greatest common divisor of two integers a and b, written gcd(a, b), is the largest integer d such that d a and d b. gcd(a, b) is always defined unless a = b = 0 since 1 is a divisor of every integer, and the divisor of a non-zero number cannot be larger (in absolute value) than the number itself. Question: Why isn t gcd(0, 0) well defined? CPSC 467, Lecture 9 31/47

GCD Computing the GCD gcd(a, b) is easily computed if a and b are given in factored form. Namely, let p i be the i th prime. Write a = p e i i Then gcd(a, b) = p min(e i,f i ) i. Example: 168 = 2 3 3 7 and 450 = 2 3 2 5 2, so gcd(168, 450) = 2 3 = 6. and b = p f i i. However, factoring is believed to be a hard problem, and no polynomial-time factorization algorithm is currently known. (If it were easy, then Eve could use it to break RSA, and RSA would be of no interest as a cryptosystem.) CPSC 467, Lecture 9 32/47

GCD Euclidean algorithm Fortunately, gcd(a, b) can be computed efficiently without the need to factor a and b using the famous Euclidean algorithm. Euclid s algorithm is remarkable, not only because it was discovered a very long time ago, but also because it works without knowing the factorization of a and b. CPSC 467, Lecture 9 33/47

GCD Euclidean identities The Euclidean algorithm relies on several identities satisfied by the gcd function. In the following, assume a > 0 and a b 0: gcd(a, b) = gcd(b, a) (2) gcd(a, 0) = a (3) gcd(a, b) = gcd(a b, b) (4) Identity 2 is obvious from the definition of gcd. Identity 3 follows from the fact that every positive integer divides 0. Identity 4 follows from the basic fact relating divides and addition on slide 26. CPSC 467, Lecture 9 34/47

GCD Computing GCD without factoring The Euclidean identities allow the problem of computing gcd(a, b) to be reduced to the problem of computing gcd(a b, b). The new problem is smaller as long as b > 0. The size of the problem gcd(a, b) is a + b, the sum of the absolute value of the two arguments. CPSC 467, Lecture 9 35/47

GCD An easy recursive GCD algorithm int gcd(int a, int b) { if ( a < b ) return gcd(b, a); else if ( b == 0 ) return a; else return gcd(a-b, b); } This algorithm is not very efficient, as you will quickly discover if you attempt to use it, say, to compute gcd(1000000, 2). CPSC 467, Lecture 9 36/47

GCD Repeated subtraction Repeatedly applying identity (4) to the pair (a, b) until it can t be applied any more produces the sequence of pairs (a, b), (a b, b), (a 2b, b),..., (a qb, b). The sequence stops when a qb < b. How many times you can subtract b from a while remaining non-negative? Answer: The quotient q = a/b. CPSC 467, Lecture 9 37/47

GCD Using division in place of repeated subtractions The amout a qb that is left after q subtractions is just the remainder a mod b. Hence, one can go directly from the pair (a, b) to the pair (a mod b, b). This proves the identity gcd(a, b) = gcd(a mod b, b). (5) CPSC 467, Lecture 9 38/47

GCD Full Euclidean algorithm Recall the inefficient GCD algorithm. int gcd(int a, int b) { if ( a < b ) return gcd(b, a); else if ( b == 0 ) return a; else return gcd(a-b, b); } The following algorithm is exponentially faster. int gcd(int a, int b) { if ( b == 0 ) return a; else return gcd(b, a%b); } Principal change: Replace gcd(a-b,b) with gcd(b, a%b). Besides collapsing repeated subtractions, we have a b for all but the top-level call on gcd(a, b). This eliminates roughly half of the remaining recursive calls. CPSC 467, Lecture 9 39/47

GCD Complexity of GCD The new algorithm requires at most in O(n) stages, where n is the sum of the lengths of a and b when written in binary notation, and each stage involves at most one remainder computation. The following iterative version eliminates the stack overhead: int gcd(int a, int b) { int aa; while (b > 0) { aa = a; a = b; b = aa % b; } return a; } CPSC 467, Lecture 9 40/47

Relatively prime numbers, Z n, and φ(n) Relatively prime numbers Two integers a and b are relatively prime if they have no common prime factors. Equivalently, a and b are relatively prime if gcd(a, b) = 1. Let Z n be the set of integers in Z n that are relatively prime to n, so Z n = {a Z n gcd(a, n) = 1}. CPSC 467, Lecture 9 41/47

Relatively prime numbers, Z n, and φ(n) Euler s totient function φ(n) φ(n) is the cardinality (number of elements) of Z n, i.e., φ(n) = Z n. Properties of φ(n): 1. If p is prime, then φ(p) = p 1. 2. More generally, if p is prime and k 1, then φ(p k ) = p k p k 1 = (p 1)p k 1. 3. If gcd(m, n) = 1, then φ(mn) = φ(m)φ(n). CPSC 467, Lecture 9 42/47

Relatively prime numbers, Z n, and φ(n) Example: φ(26) Can compute φ(n) for all n 1 given the factorization of n. φ(126) = φ(2) φ(3 2 ) φ(7) The 36 elements of Z 126 are: = (2 1) (3 1)(3 2 1 ) (7 1) = 1 2 3 6 = 36. 1, 5, 11, 13, 17, 19, 23, 25, 29, 31, 37, 41, 43, 47, 53, 55, 59, 61, 65, 67, 71, 73, 79, 83, 85, 89, 95, 97, 101, 103, 107, 109, 113, 115, 121, 125. CPSC 467, Lecture 9 43/47

Relatively prime numbers, Z n, and φ(n) A formula for φ(n) Here is an explicit formula for φ(n). Theorem Write n in factored form, so n = p e 1 1 pe k k, where p 1,..., p k are distinct primes and e 1,..., e k are positive integers. 3 Then φ(n) = (p 1 1) p e 1 1 1 (p k 1) p e k 1 k. For the product of distinct primes p and q, φ(pq) = (p 1)(q 1). 3 By the fundamental theorem of arithmetic, every integer can be written uniquely in this way up to the ordering of the factors. CPSC 467, Lecture 9 44/47

Discrete Logarithm CPSC 467, Lecture 9 45/47

Logarithms modp Let y = b x over the reals. The ordinary base-b logarithm is the inverse of exponentiation, so x = log b (y) The discrete logarithm is defined similarly, but now arithmetic is performed in Z p for a prime p. In particular, the base-b discrete logarithm of y modulo p is the least non-negative integer x such that y b x (mod p) (if it exists). We write x = log b (y) mod p. Fact (not needed yet): If b is a primitive root 4 of p, then log b (y) is defined for every y Z p. 4 We will talk about primitive roots later. CPSC 467, Lecture 9 46/47

Discrete log problem The discrete log problem is the problem of computing log b (y) mod p, where p is a prime and b is a primitive root of p. No efficient algorithm is known for this problem and it is believed to be intractable. However, the inverse of the function log b () mod p is the function power b (x) = b x mod p, which is easily computable. power b is believed to be a one-way function, that is a function that is easy to compute but hard to invert. CPSC 467, Lecture 9 47/47

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback