Introduction to Cryptography. Lecture 6

Similar documents
Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Cryptography. Lecture 8

Number Theory & Modern Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Numbers. Çetin Kaya Koç Winter / 18

CIS 551 / TCOM 401 Computer and Network Security

Number Theory and Group Theoryfor Public-Key Cryptography

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Public Key Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Chapter 8 Public-key Cryptography and Digital Signatures

basics of security/cryptography

Number Theory. Modular Arithmetic

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Discrete Mathematics GCD, LCM, RSA Algorithm

ECE596C: Handout #11

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Lecture 3.1: Public Key Cryptography I

Applied Cryptography and Computer Security CSE 664 Spring 2017

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Introduction to Information Security

Public Key Encryption

CPSC 467b: Cryptography and Computer Security

Ma/CS 6a Class 3: The RSA Algorithm

Number Theory and Algebra: A Brief Introduction

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Mathematical Foundations of Public-Key Cryptography

Basic elements of number theory

Basic elements of number theory

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 14: Hardness Assumptions

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Introduction to Public-Key Cryptosystems:

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

ECEN 5022 Cryptography

CS483 Design and Analysis of Algorithms

CSC 474 Information Systems Security

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

CPSC 467b: Cryptography and Computer Security

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Computational Number Theory. Adam O Neill Based on

Public Key Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Mathematics of Cryptography

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Ma/CS 6a Class 2: Congruences

Lecture Notes, Week 6

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Public Key Algorithms

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Cryptography. pieces from work by Gordon Royle

Encryption: The RSA Public Key Cipher

Chapter 4 Finite Fields

Discrete mathematics I - Number theory

CPSC 467: Cryptography and Computer Security

CSE 20 DISCRETE MATH. Winter

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

ICS141: Discrete Mathematics for Computer Science I

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Elementary Number Theory MARUCO. Summer, 2018

10 Public Key Cryptography : RSA

ALG 4.0 Number Theory Algorithms:

CRYPTOGRAPHY AND NUMBER THEORY

CSc 466/566. Computer Security. 5 : Cryptography Basics

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

CPSC 467: Cryptography and Computer Security

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Cryptography IV: Asymmetric Ciphers

Introduction to Modern Cryptography. Benny Chor

RSA: Genesis, Security, Implementation & Key Generation

Aspect of Prime Numbers in Public Key Cryptosystem

Ma/CS 6a Class 2: Congruences

RSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Public-Key Cryptosystems CHAPTER 4

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lecture 1: Introduction to Public key cryptography

My brief introduction to cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

W3203 Discrete Mathema1cs. Number Theory. Spring 2015 Instructor: Ilia Vovsha. hcp://

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Introduction to Cybersecurity Cryptography (Part 4)

RSA. Ramki Thurimella

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Transcription:

Introduction to Cryptography Lecture 6 Benny Pinkas page 1

Public Key Encryption page 2

Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating and distributing k. k Alice k Bob page 3

Diffie and Hellman: New Directions in Cryptography, 1976. We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. page 4

Diffie-Hellman Came up with the idea of public key cryptography public key Bob Alice Bob secret key Bob Everyone can learn Bob s public key and encrypt messages to Bob. Only Bob knows the decryption key and can decrypt. Key distribution is greatly simplified. page 5

Plan Basic number theory Divisors, modular arithmetic The GCD algorithm Groups References: Many books on number theory Almost all books on cryptography Cormen, Leiserson, Rivest, (Stein), Introduction to Algorithms, chapter on Number-Theoretic Algorithms. page 6

Divisors, prime numbers We work over the integers A non-zero integer b divides an integer a if there exists an integer c s.t. a=cb. Denoted as b a I.e. b divides a with no remainder Examples Trivial divisors: 1 a, a a Each of {1,2,3,4,6,8,12,24} divides 24 5 does not divide 24 Prime numbers An integer a is prime if it is only divisible by 1 and by itself. 23 is prime, 24 is not. page 7

Modular Arithmetic Modular operator: a mod b, (or a%b) is the remainder of a when divided by b I.e., the smallest r 0 s.t. integer q for which a = qb+r. (Thm: there is a single choice for such q,r) Examples 12 mod 5 = 2 10 mod 5 = 0-5 mod 5 = 0-1 mod 5 = 4 April 2011, 3 page 8

Modular congruency a is congruent to b modulo n (a b mod n) if (a-b) = 0 mod n Namely, n divides a-b In other words, (a mod n) = (b mod n) E.g., 23 12 mod 11 4-1 mod 5 There are n equivalence classes modulo n [3] 7 = {,-11,-4,3,10,17, } page 9

Greatest Common Divisor (GCD) d is a common divisor of a and b, if d a and d b. gcd(a,b) (Greatest Common Divisor), is the largest integer that divides both a and b. (a,b >= 0) gcd(a,b) = max k s.t. k a and k b. Examples: gcd(30,24) = 6 gcd(30,23) = 1 If gcd(a,b)=1 then a and b are denoted relatively prime. page 10

Facts about the GCD gcd(a,b) = gcd(b, a mod b) (interesting when a>b) Since (e.g., a=33, b=15) If c a and c b then c (a mod b) If c b and c (a mod b) then c a If a mod b = 0, then gcd(a,b)=b. Therefore, gcd(19,8) = gcd(8, 3) = gcd(3,2) = gcd(2,1) = 1 gcd(20,8) = gcd(8, 4) = 4 page 11

Euclid s algorithm Input: a>b>0 Output: gcd(a,b) Algorithm: 1. if (a mod b) = 0 return (b) 2. else return( gcd(b, a mod b) ) Complexity: O(log a) rounds Each round requires O(log 2 a) bit operations Actually, the total overhead can be shown to be O(log 2 a) page 12

The extended gcd algorithm Finding s, t such that gcd(a,b) = a s + b t Extended-gcd(a,b) /* output is (gcd(a,b), s, t) 1. If (a mod b=0) then return(b,0,1) 2. (d,s,t ) = Extended-gcd(b, a mod b) 3. (d,s,t) = (d, t, s - a/b t ) 4. return(d,s,t) Note that the overhead is as in the basic GCD algorithm page 13

Extended gcd algorithm Given a,b finds s,t such that gcd(a,b) = a s + b t In particular, if p is prime and a<p then gcd(a,p)=1, and therefore a s+p t=1. April 2011, 3 page 14

Extended gcd algorithm Given a,b finds s,t such that gcd(a,b) = a s + b t In particular, if p is prime and a<p then gcd(a,p)=1, and therefore a s+p t=1. This implies that (a s 1 mod p) April 2011, 3 page 15

Extended gcd algorithm Given a,b finds s,t such that gcd(a,b) = a s + b t In particular, if p is prime and a<p then gcd(a,p)=1, and therefore a s+p t=1. This implies that (a s 1 mod p) THM: There is no positive integer smaller than gcd(a,b) which can be represented as a linear combination of a,b. For example, a=12, b=8. 4= 1 12-1 8 There are no s,t for which 2=s 12 + t 8 Therefore if we find s,t such that as+tb=1, then we know that gcd(a,b)=1 April November 3, 2011 29, 2009 page 16

Groups Definition: a set G with a binary operation :G G G is called a group if: (closure) a,b G, it holds that a b G. (associativity) a,b,c G, (a b) c = a (b c). (identity element) e G, s.t. a G it holds that a e =a. (inverse element) a G a -1 G, s.t. a a -1 = e. A group is Abelian (commutative) if a,b G, it holds that a b = b a. Examples: Integers under addition (Z,+) = {,-3,-2,-1,0,1,2,3, } page 17

More examples of groups Addition modulo N (G, ) = ({0,1,2,,N-1}, +) page 18

More examples of groups Z p * Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Closure (the result of the multiplication is never divisible by p): sa+tp = 1 s b+t p = 1 ss (ab)+(sat +s bt+ tt p)p = 1 Therefore 1=gcd(ab,p). Trivial: associativity, existence of identity element. The extended GCD algorithm shows that an inverse always exists: sa+tp = 1 sa = 1-tp sa 1 mod p page 19

More examples of groups Z N * Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) Closure: sa+tn = 1 s b+t N = 1 ss (ab)+(sat +s bt+ tt N)N = 1 Therefore 1=gcd(ab,N). Associativity: trivial Existence of identity element: 1. Inverse element: as in Z p * page 20

Subgroups Let (G, ) be a group. (H, ) is a subgroup of G if (H, ) is a group H G For example, H = ( {1,2,4}, ) is a subgroup of Z 7*. Lagrange s theorem: If (G, ) is finite and (H, ) is a subgroup of (G, ), then H divides G 7 In our example: 3 6. page 21

Cyclic Groups Exponentiation is repeated application of a 3 = a a a. a 0 = 1. a -x = (a -1 ) x A group G is cyclic if there exists a generator g, s.t. a G, i s.t. g i =a. I.e., G= <g> = {1, g, g 2, g 3, } For example Z * 7 = <3> = {1,3,2,6,4,5} Not all a G are generators of G, but they all generate a subgroup of G. E.g. 2 is not a generator of Z * 7 The order of a group element a is the smallest j>0 s.t. a j =1 Lagrange s theorem for x Z p*, ord(x) p-1. page 22

Fermat s theorem Corollary of Lagrange s theorem: if (G, ) is a finite group, then a G, a G =1. Proof: a G generates a subgroup H of G. A H = 1 Lagrange theorem: H G A G = (A H ) G / H = 1 page 23

Fermat s theorem Corollary of Lagrange s theorem: if (G, ) is a finite group, then a G, a G =1. Corollary (Fermat s theorem): a Z * p, a p-1 =1 mod p. E.g., for all a Z 7*, a 6 =1, a 7 =a. Computing inverses: Given a G, how to compute a -1? Fermat s theorem: a -1 = a G -1 (= a p-2 in Z * p ) Or, using the extended gcd algorithm (for Z p * or Z N *): gcd(a,p) = 1 sa + tp = 1 sa = -tp + 1 s is a -1!! Which is more efficient? page 24

Computing in Z p * page 25

Groups we will use Z p * Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z * N Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) page 26

Euler s phi function Lagrange s Theorem: a in a finite group G, a G =1. Euler s phi function (aka, Euler s totient function), φ(n) = number of elements in Z * n φ(p) = p-1 for a prime p. n= i=1..k p e(i) i φ(n) = n i=1..k (1-1/p i ) φ(p 2 ) = p(p-1) for a prime p. n=pq φ(n) =(p-1)(q-1) (i.e. {x gcd(x,n)=1, 1 x n} Corollary: For Z n* (n=pq), Z n* = φ(n) =(p-1)(q-1). a Z n* it holds that a φ(n) =1 mod n For Z p* (prime p), a p-1 =1 mod p (Fermat s theorem). For Z n* (n=pq), a (p-1)(q-1) =1 mod n page 27

Finding prime numbers page 28

Finding prime numbers Prime number theorem: #{primes x} x / lnx as x How can we find a random k-bit prime? Choose x at random in {2 k,,2 k+1-1} (How many numbers in that range are prime? About 2 k+1 / ln2 k+1-2 k / ln2 k numbers, i.e. a 1/ ln(2 k ) fraction.) Test if x is prime (more on this later in the course) The probability of success is 1/ln(2 k ) = O(1/k). The expected number of trials is O(k). page 29

Finding generators How can we find a generator of Z p*? Pick a random number a [1,p-1], check if is a generator Naively, check whether 1 i p-2 a i 1 But we know that if a i =1 mod p then i p-1. Therefore need to only check i for which i p-1. Easy if we know the factorization of (p-1). In that case For all a Z p*, the order of a divides (p-1) For every integer divisor b of (p-1), check if a b =1 mod p. If none of these checks succeeds, then a is a generator, since its order must be p-1. page 30

Finding prime numbers of the right form How can we know the factorization of p-1? Easy, for example, if p=2q+1, and q is prime. How can we find a k-bit prime of this form? 1. Search for a prime number q of length k-1 bits. (Will be successful after about O(k) attempts.) 2. Check if 2q+1 is prime (we will see how to do this later in the course). 3. If not, go to step 1. page 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback