Ch 1 - Algorithms with numbers

Basic arithmetic: Addition, Multiplication, Division, Modular arithmetic. Factoring is hard. Primality testing.

Addition
53 + 35 = 88. Cost? (n = number of bits) O(n).

Multiplication (al-Khwārizmī)
13 × 11 = 143. Cost? O(n^2).
Operations used: determining parity (even or odd), addition, duplation (doubling a number, left shift), mediation (halving a number, rounding down, right shift).

Division (al-Khwārizmī)
Cost? O(n^2). Can we do better? Cost?
Modular arithmetic
A system for dealing with restricted ranges of integers.

Modular arithmetic: Addition
x + y mod N, assuming x, y < N: O(n), where n is the number of bits N has (the size of the input). (x + y mod N = x + y or x + y − N.)

Modular arithmetic: Multiplication
x · y mod N?

RSA
Ron Rivest, Adi Shamir, Leonard Adleman (1977). Algorithm for public-key cryptography, based on the presumed difficulty of the factoring problem. 2002 A.M. Turing Award.
RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.
Needed for implementing RSA: FLT (Fermat's Little Theorem), Fast Exponentiation, Extended Euclidean Algorithm, Modular inverses, CRT (Chinese Remainder Theorem).
Turing Lecture on Early Days, Ronald L. Rivest.
In April 2012, the factorization of 143 is achieved.
RSA public-key cryptosystem
In a public-key cryptosystem, everyone has a public key and a secret key. Suppose Alice and Bob are two participants: Alice has (P_A, S_A), Bob has (P_B, S_B). The keys specify 1-1 functions from the message space to itself: M = S_A(P_A(M)) = P_A(S_A(M)).
Encryption: the sender encrypts with P_A, the ciphertext crosses the communication channel, Alice decrypts with S_A.
Digital signatures: Alice computes S_A(M) and sends (M, S_A(M)) over the communication channel; Bob computes P_A(S_A(M)), checks P_A(S_A(M)) =? M, and accepts if they are equal.

RSA algorithm
1. Select at random 2 large prime numbers p and q (p and q might be, say, 100 decimal digits each).
2. Compute n = pq.
3. Select an odd integer e that is relatively prime to φ(n) = (p−1)(q−1).
4. Compute d as the multiplicative inverse of e, modulo φ(n) (de ≡ 1 mod φ(n)).
5. Publish P = (e, n) as the public key.
6. Keep secret S = (d, n) as the secret key.
If Z_n = {0, 1, …, n−1}: P(M) = M^e mod n, S(C) = C^d mod n, where C = P(M).

RSA example
Pick p = 47, q = 71. n = pq = 3337. φ(n) = (p−1)(q−1) = 46·70 = 3220. Choose e = 79 (at random). d = 79^(−1) mod 3220 = 1019. P_A = (79, 3337), S_A = (1019, 3337).
Message: M = 6882326879666683 = 688 232 687 966 668 3.
M1 = 688: 688^79 mod 3337 = 1570 = C1.
M2 = 232: 232^79 mod 3337 = 2756 = C2.
C = 1570 2756 2091 2276 2423 158.
C1 = 1570: 1570^1019 mod 3337 = 688 = M1.
C6 = 158: 158^1019 mod 3337 = 3 = M6.

Another example
n = 4559, e = 13. c = m^e mod n.
Smiley transmits his last name, two letters per block (A = 01, …, Z = 26, space = 00):
LA ST _N AM E_ SM IL EY (LAST NAME SMILEY)
1201 1920 0014 0113 0500 1913 0912 0525
1201^13 mod 4559, 1920^13 mod 4559, …
1074 0116 1478 2150 3906 4256 1445 2462
Bob receives the encrypted blocks c = m^e mod n. He has a private decryption exponent d which, when applied to c, recovers the original blocks m: (m^e mod n)^d mod n = m. For n = 4559, e = 13 the decryptor is d = 3397.
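The key generation, block encryption and block decryption of the two slide examples, carried out in working code. This is an added example, not code from the slides: the two-letters-per-block encoding (A = 01, …, Z = 26, space = 00) is assumed from the digit blocks shown, and the modular inverse is taken from Python's built-in pow(e, -1, phi) rather than the extended Euclidean algorithm the later slides derive. Like the slides, this is textbook RSA with no padding; deployed RSA uses OAEP or PSS padding, so this code is for following the arithmetic only.

```python
"""Textbook RSA exactly as on the slides: n = pq, d = e^-1 mod phi(n), C = M^e mod n."""
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 2-6 of the slide. p and q are assumed prime (the slide's small examples)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if e % 2 == 0 or gcd(e, phi) != 1:
        raise ValueError("e must be odd and relatively prime to phi(n)")
    d = pow(e, -1, phi)          # multiplicative inverse of e modulo phi(n) (Python >= 3.8)
    assert (d * e) % phi == 1    # the defining property of d
    return (e, n), (d, n)        # public key P = (e, n), secret key S = (d, n)


def encrypt_blocks(blocks, public):
    """P(M) = M^e mod n for every block; each block must lie in Z_n."""
    e, n = public
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("every message block must be in Z_n = {0, ..., n-1}")
    return [pow(m, e, n) for m in blocks]


def decrypt_blocks(cipher, secret):
    """S(C) = C^d mod n for every block."""
    d, n = secret
    return [pow(c, d, n) for c in cipher]


def encode_text(text):
    """Assumed encoding of the 'Smiley' slide: two letters per block, A=01..Z=26, space=00."""
    codes = [0 if ch == " " else ord(ch) - ord("A") + 1 for ch in text.upper()]
    if len(codes) % 2:
        codes.append(0)                          # pad an odd-length text with a space
    return [codes[i] * 100 + codes[i + 1] for i in range(0, len(codes), 2)]


def decode_text(blocks):
    """Inverse of encode_text: split each block into its two letter codes."""
    out = []
    for b in blocks:
        for code in (b // 100, b % 100):
            out.append(" " if code == 0 else chr(ord("A") + code - 1))
    return "".join(out)


def slide_example_1():
    """p = 47, q = 71, e = 79: returns (d, ciphertext blocks, recovered message blocks)."""
    public, secret = rsa_keygen(47, 71, 79)                  # n = 3337, phi = 3220
    message = [688, 232, 687, 966, 668, 3]
    cipher = encrypt_blocks(message, public)
    return secret[0], cipher, decrypt_blocks(cipher, secret)


def slide_example_2():
    """n = 4559 = 47 * 97, e = 13: returns (d, plaintext blocks, ciphertext, decoded text)."""
    public, secret = rsa_keygen(47, 97, 13)                  # phi = 46 * 96 = 4416
    blocks = encode_text("LAST NAME SMILEY")
    cipher = encrypt_blocks(blocks, public)
    return secret[0], blocks, cipher, decode_text(decrypt_blocks(cipher, secret))


if __name__ == "__main__":
    print(slide_example_1())
    print(slide_example_2())
```

Both examples round-trip: the first yields d = 1019 and the ciphertext 1570 2756 2091 2276 2423 158, the second d = 3397 and the eight four-digit blocks of the Smiley slide.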
The Department offers Master of Science and Bachelor of Science degrees in Computer Science. The University of Akron attracts many non-traditional students who may be unable to attend classes during the day. Our department offers classes at times that accommodate these students as well as traditional full-time students.

Another example: decryption
n = 4559, d = 3397
1074 0116 1478 2150 3906 4256 1445 2462
1074^3397 mod 4559, 0116^3397 mod 4559, …
1201 1920 0014 0113 0500 1913 0912 0525
LA ST _N AM E_ SM IL EY (LAST NAME SMILEY)

Digital Signatures
Alice: SHA256 (a hash function) maps the document to M, an integer of 256 bits. With S_A she computes the signature M^d % n and sends the signed document (document, M^d % n) over the communication channel.
Bob: with P_A he recomputes SHA256 of the document to obtain M and verifies M == (M^d % n)^e % n. Accept if equal.

Technical difficulties:
- How do we know the RSA algorithm works correctly?
- How to pick large prime numbers?
- Compute pq
- How to choose e
- Compute d
- How to compute M^e, C^d
- Can anyone break the code?
- If I want to encrypt credit card numbers, how big should my p and q be?
- If I want to encrypt words of four random characters from the ASCII set, how big should my p and q be?

How to pick large prime numbers? Primality testing
Hard, but much easier than factoring.
Fermat's Little Theorem (~1640): If p is prime, then for all a s.t. 1 ≤ a < p, a^(p−1) ≡ 1 (mod p).
Can the converse be used as a test, i.e. does a^(p−1) ≡ 1 (mod p) imply that p is prime? The numbers that make us fail are called Fermat pseudoprimes, and they are extremely rare (ex. 2^340 ≡ 1 mod 341; Carmichael number 561, 2^560 ≡ 1 mod 561).
Lagrange's Prime Number Theorem
Theorem: The number of prime numbers between 1 and x is about x/ln x.
Not only are primes easy to detect, but they are also relatively abundant.

Carmichael number
A number c is a Carmichael number if it is not a prime, and still for all prime divisors d of c it so happens that d−1 divides c−1. The smallest Carmichael number is 561 = 3·11·17. If c is a Carmichael number and a is relatively prime to c, then a^(c−1) ≡ 1 mod c.

Primality testing
Fermat's Last Theorem
Fermat's Last Theorem states that x^n + y^n = z^n has no non-zero integer solutions for x, y and z when n > 2.

Technical difficulties (revisited): How do we know the RSA algorithm works correctly? How to pick large prime numbers? Compute pq. How to choose e. Compute d. How to compute M^e, C^d? Can anyone break the code?
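The Fermat test, the pseudoprimes that fool it, and the Carmichael definition from the two slides above, run over small numbers so the claims can be checked. This is an added example, not code from the slides. One assumption beyond the slide's wording: is_carmichael also requires c to be square-free (Korselt's criterion); the slide's definition alone would admit 4 and 9, which is not what the slide means, since it names 561 as the smallest.

```python
"""Fermat's test, Fermat pseudoprimes, Carmichael numbers, and the x/ln x estimate."""
from math import gcd, log


def is_prime_trial(n):
    """Trial division: the ground truth for the small numbers on the slides."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def fermat_passes(n, a):
    """Fermat's Little Theorem used as a test: does a^(n-1) ≡ 1 (mod n) hold?"""
    return pow(a, n - 1, n) == 1


def fermat_pseudoprimes(base, limit):
    """Composites below limit that pass the Fermat test for this base (341 is the first for base 2)."""
    return [n for n in range(2, limit)
            if not is_prime_trial(n) and fermat_passes(n, base)]


def prime_factorization(n):
    """Return {prime: multiplicity} by trial division."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_carmichael(c):
    """Slide definition: c composite and (d-1) | (c-1) for every prime divisor d of c.
    Square-freeness is assumed in addition (Korselt's criterion), otherwise 4 would qualify."""
    if c < 2 or is_prime_trial(c):
        return False
    factors = prime_factorization(c)
    square_free = all(mult == 1 for mult in factors.values())
    return square_free and all((c - 1) % (d - 1) == 0 for d in factors)


def smallest_carmichael(limit=2000):
    """Scan upward; the slide states the answer is 561."""
    return next(c for c in range(2, limit) if is_carmichael(c))


def fools_all_coprime_bases(c):
    """Slide consequence: a^(c-1) ≡ 1 (mod c) for every a relatively prime to c."""
    return all(fermat_passes(c, a) for a in range(2, c) if gcd(a, c) == 1)


def prime_count_vs_estimate(x):
    """pi(x) by counting, beside Lagrange's estimate x / ln x."""
    return sum(1 for n in range(2, x + 1) if is_prime_trial(n)), x / log(x)


if __name__ == "__main__":
    print("base-2 pseudoprimes < 1000:", fermat_pseudoprimes(2, 1000))
    print("341 passes base 2:", fermat_passes(341, 2), " base 3:", fermat_passes(341, 3))
    print("smallest Carmichael:", smallest_carmichael())
    print("pi(1000), 1000/ln 1000:", prime_count_vs_estimate(1000))
```

The contrast the slides draw is visible in the output: 341 passes the Fermat test for base 2 but fails for base 3, so a second base exposes it, whereas 561 passes for every base coprime to it, which is why Carmichael numbers defeat the plain Fermat test no matter how many bases are tried.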
Modular exponentiation
How to compute M^e, C^d? In order to implement RSA, exponentiation relative to some modulus needs to be done a lot. So this operation had better be doable, and fast.
Q: How is it even possible to compute 2853^3397 mod 4559? After all, 2853^3397 has approximately 4·3397 digits!

Modular exponentiation
A: By taking the mod after each multiplication. For example:
23^3 mod 30 ≡ (−7)^3 (mod 30) ≡ (−7)^2·(−7) (mod 30) ≡ 49·(−7) (mod 30) ≡ 19·(−7) (mod 30) ≡ −133 (mod 30) ≡ 17 (mod 30)
Therefore, 23^3 mod 30 = 17.
Q: What if we had to figure out 23^16 mod 30? The same way is tedious: we would need to multiply 15 times. Is there a better way?

Modular exponentiation
A: Better way. Notice that 16 = 2·2·2·2, so that 23^16 = 23^(2·2·2·2) = (((23^2)^2)^2)^2. Therefore:
23^16 mod 30 ≡ ((((−7)^2)^2)^2)^2 (mod 30) ≡ (((49)^2)^2)^2 (mod 30) ≡ (((−11)^2)^2)^2 (mod 30) ≡ ((121)^2)^2 (mod 30) ≡ ((1)^2)^2 (mod 30) ≡ (1)^2 (mod 30) ≡ 1 (mod 30)
Which implies that 23^16 mod 30 = 1.
Q: How about 23^25 mod 30?

Modular exponentiation
A: The previous method of repeated squaring works for any exponent that's a power of 2. 25 isn't. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together.
Previous calculation: 23^8 mod 30 = 1, 23^16 mod 30 = 1.
Thus: 23^25 mod 30 ≡ 23^(16+8+1) (mod 30)
Modular exponentiation
How do we compute x^y mod m, m > 0? Repeated squaring algorithm (e.g. x^25 mod N). Cost? Polynomial time (n = log N).

mod-exp(x, y, m)
  if y = 0 then return(1)
  else
    z = mod-exp(x, y div 2, m)
    if y mod 2 = 0 then return(z · z mod m)
    else return(x · z · z mod m)

Modular Inverse
Compute d?

GCD: Greatest common divisor
Example: Euclid's Algorithm. If a, b ∈ Z+, apply division (mod) repeatedly as follows:
a = q_1·b + r_1, where 0 < r_1 < b
b = q_2·r_1 + r_2, where 0 < r_2 < r_1
r_1 = q_3·r_2 + r_3, where 0 < r_3 < r_2
…
r_(k−2) = q_k·r_(k−1) + r_k, where 0 < r_k < r_(k−1)
r_(k−1) = q_(k+1)·r_k
Then r_k = GCD(a, b).
Proof: (1) r_k | a and r_k | b; (2) if d | a and d | b, then d | r_k.
Recursion Theorem: for all a, b ∈ N with b ≠ 0, gcd(a, b) = gcd(b, a mod b).
Proof: Let d = gcd(a, b). d | a and d | b, so d | a − qb = a mod b. From d | b and d | a mod b, d | gcd(b, a mod b).
Let d = gcd(b, a mod b). d | b and d | a mod b, so d | a − qb and d | b, hence d | a, hence d | gcd(a, b).
Therefore gcd(a, b) = gcd(b, a mod b).

Computing GCD (Euclid)
gcd(x, y) {
  if y = 0 then return(x)
  else return(gcd(y, x mod y))
}

Euclid Algorithm, Extended Euclidean Algorithm
Example: Computing gcd(125, 87)
125 = 1·87 + 38
87 = 2·38 + 11
38 = 3·11 + 5
11 = 2·5 + 1
5 = 5·1
gcd(125, 87) = 1
gcd(125, 87) = 1 = 11 − 2·5 = 11 − 2·(38 − 3·11) = −2·38 + 7·11 = −2·38 + 7·(87 − 2·38) = 7·87 − 16·38 = 7·87 − 16·(125 − 87) = −16·125 + 23·87 = 125·(−16) + 87·23 = as + bt

Extended Euclidean Algorithm: obtain gcd(a, b) and x, y s.t. gcd(a, b) = ax + by.
Extended-Euclid(a, b)
  if (b == 0) return (a, 1, 0);
  (d', x', y') = Extended-Euclid(b, a mod b);
  (d, x, y) = (d', y', x' − ⌊a/b⌋·y');
  return (d, x, y);

Ex: Extended-Euclid(412, 260)
a    b    ⌊a/b⌋   x    y    d
412  260  1       12   −19  4
260  152  1       −7   12   4
152  108  1       5    −7   4
108  44   2       −2   5    4
44   20   2       1    −2   4
20   4    5       0    1    4
4    0    −       1    0    4

Cost? Theorem: The algorithm above correctly computes the gcd of x and y in time O(n), where n is the total number of bits in the input (x, y).

Multiplicative Inverse
Multiplicative inverse x of a, modulo n: ax ≡ 1 mod n, i.e. ax = kn + 1. If gcd(a, n) = 1, then ax − kn = gcd(a, n), i.e. ax + ny = gcd(a, n). Therefore, x can be found using the extended Euclidean algorithm. Is the multiplicative inverse unique?
Multiplicative Inverse
Theorem: For n > 1, if gcd(a, n) = 1, then ax ≡ 1 (mod n) has a unique positive solution, modulo n.
Example: a = 79, n = 3220. x = 1019: ax = 80501 = 25·3220 + 1. x = −2201: ax = −173879 = −54·3220 + 1.

Technical difficulties (revisited): How do we know the RSA algorithm works correctly? How to pick large prime numbers? Compute pq. How to choose e. Compute d. How to compute M^e, C^d? Can anyone break the code?
How do we know RSA works correctly?
http://en.wikipedia.org/wiki/RSA_factoring_challenge#the_prizes_and_records
Chinese Remainder Theorem (~1700 years old)
Project: rsa35 package demo.
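Euclid's algorithm, the extended version with the slide's (a, b, ⌊a/b⌋, x, y, d) trace table, and the modular inverse built on it, covering the GCD, Extended Euclidean Algorithm and Multiplicative Inverse slides above. This is an added example, not code from the slides: extended_euclid follows the slide's recursion exactly and records one table row per call, mod_inverse applies the ax + ny = gcd(a, n) argument, and inverse_is_unique checks the uniqueness theorem by brute force for small n.

```python
"""Euclid, extended Euclid with the slide's trace table, and modular inverses."""


def gcd_rec(x, y):
    """Euclid: gcd(x, y) = gcd(y, x mod y), with gcd(x, 0) = x."""
    return x if y == 0 else gcd_rec(y, x % y)


def extended_euclid(a, b, trace=None):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y.
    If a list is passed as trace, one row (a, b, floor(a/b), x, y, d) per call is
    inserted so the list ends up in top-down order like the slide's table."""
    if b == 0:
        if trace is not None:
            trace.insert(0, (a, b, None, 1, 0, a))      # base case: a*1 + 0*0 = a
        return a, 1, 0
    d, x1, y1 = extended_euclid(b, a % b, trace)        # d = b*x1 + (a mod b)*y1
    q = a // b
    x, y = y1, x1 - q * y1                              # substitute a mod b = a - q*b
    if trace is not None:
        trace.insert(0, (a, b, q, x, y, d))
    return d, x, y


def has_inverse(a, n):
    """a has an inverse modulo n exactly when gcd(a, n) = 1."""
    return n > 1 and gcd_rec(a % n, n) == 1


def mod_inverse(a, n):
    """Solve a*x ≡ 1 (mod n) via a*x + n*y = gcd(a, n); returns the representative in 1..n-1."""
    d, x, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd(a, n) = {d}")
    return x % n


def inverse_is_unique(a, n):
    """Brute-force check of the theorem: exactly one x in [1, n) satisfies a*x ≡ 1 (mod n)."""
    return sum(1 for x in range(1, n) if (a * x) % n == 1) == 1


def slide_trace():
    """The slide's Extended-Euclid(412, 260) table as a list of rows."""
    rows = []
    extended_euclid(412, 260, rows)
    return rows


if __name__ == "__main__":
    print("gcd(125, 87) =", extended_euclid(125, 87))       # (1, -16, 23)
    print("a    b    q    x    y    d")
    for row in slide_trace():
        print(*("-" if v is None else v for v in row), sep="\t")
    print("79^-1 mod 3220 =", mod_inverse(79, 3220))          # 1019, the RSA example's d
    print("-2201 mod 3220 =", -2201 % 3220)                    # the same residue
```

The two solutions the slide lists for a = 79, n = 3220 (1019 and −2201) differ by exactly 3220, which is what "unique modulo n" means; mod_inverse always returns the positive representative. For the second RSA example, mod_inverse(13, 4416) gives the decryptor 3397.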