Week 7 An Application to Cryptography


SECTION 9. EULER'S GENERALIZATION OF FERMAT'S THEOREM

Cryptography, the study of the design and analysis of mathematical techniques that ensure secure communications in the presence of malicious adversaries, is the only known practical means for protecting information transmitted through public communications networks such as those using telephone lines, microwaves or satellites.

In the language of cryptography, where codes are called ciphers, the information to be concealed is called plaintext. After transformation to a secret form, a message is called ciphertext. The process of converting from plaintext to ciphertext is called encrypting or enciphering, while the reverse process of changing from ciphertext back to plaintext is called decrypting or deciphering.

One of the earliest cryptographic systems was used by the Roman emperor Julius Caesar around 50 B.C. He wrote to Marcus Cicero using a simple substitution cipher in which each letter of the alphabet is replaced by the letter which occurs three places down the alphabet, with the last three letters cycled back to the first three. If we write the ciphertext equivalent underneath the plaintext letter, the substitution alphabet for the Caesar cipher is:

Plaintext:  A B C D E F G H I J K L M
Ciphertext: D E F G H I J K L M N O P

Plaintext:  N O P Q R S T U V W X Y Z
Ciphertext: Q R S T U V W X Y Z A B C

Table 9.2: Substitution alphabet for the Caesar cipher

For example, the plaintext message CAESAR WAS GREAT is transformed into the ciphertext FDHVDU ZDV JUHDW.

The Caesar cipher can be described very easily using congruences. Any plaintext is first expressed numerically by translating the characters of the text into digits by means of some correspondence like the following:

A  B  C  D  E  F  G  H  I  J  K  L  M
01 02 03 04 05 06 07 08 09 10 11 12 13

N  O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25 26

Table 9.3: Numerical expression of plaintext

If is the digital equivalent of a plaintext letter, and is the digital equivalent of the corresponding ciphertext letter, then

    +3 (mod 26)

For instance, the letters of the above message are converted to their equivalents

C  A  E  S  A  R  W  A  S  G  R  E  A  T
03 01 05 19 01 18 23 01 19 07 18 05 01 20

Table 9.4: Caesar was great

Using the congruence +3 (mod 26), this becomes the ciphertext

06 04 08 22 04 21 26 04 22 10 21 08 04 23.

To recover the plaintext, the procedure is simply reversed by means of the congruence

    3 + 23 (mod 26)

The Caesar cipher is very simple and hence extremely insecure. Caesar himself soon abandoned this scheme, not only because of its insecurity, but also because he didn't trust Cicero, with whom he necessarily shared the secret of the cipher.

Any substitution cipher is insecure, even if the substitution results from a random scrambling of the alphabet, because different letters occur with different frequencies, and by studying these frequencies and the possible positions of vowels, the secret is soon revealed, especially with the use of computers. In April 2006, fugitive Mafia boss Bernardo Provenzano was captured in Sicily partly because of cryptanalysis of his messages written in the Caesar cipher with a shift of 4.

In conventional cryptographic systems, such as the Caesar cipher, the sender and receiver jointly have a secret key. The sender uses the key to encrypt the plaintext to be sent, and the receiver uses the same key to decrypt the ciphertext obtained. Public-key cryptography differs from conventional cryptography in that it uses two keys, an encryption key and a decryption key. Although the two keys effect inverse operations and are therefore related, there is no easily computed method of deriving the decryption key from the encryption key. Thus the encryption key can be made public without compromising the decryption key; each user can encrypt messages, but only the intended recipient (whose decryption key is kept secret) can decipher them. A major advantage of a public-key cryptosystem is that it is unnecessary for each sender and receiver to exchange a key in advance of their decision to communicate with each other.

In 1977, R. Rivest, A. Shamir and L. Adleman proposed a public-key cryptosystem which uses only elementary ideas from number theory. Their enciphering system is called RSA, after the initials of the inventors. Its security depends on the assumption that in the current state of computer technology, the factorisation of composite numbers with large prime factors is prohibitively time-consuming, and MUCH slower than generating MUCH larger prime numbers.

Each user of the RSA system chooses a pair of distinct primes, and, large enough that the factorisation of their product =, called the encryption modulus, is beyond all current computational capabilities. For instance, the user (call him Bob) may pick and with approximately 200 digits each, so that has approximately 400 digits.

Having selected, Bob then chooses a random positive integer, the encryption exponent, satisfying ( ( )) = 1. While there are many suitable choices for, an obvious suggestion is to pick to be any prime larger than both and. (This will ensure that ( ( )) = 1. Why?) The pair ( ) is placed in a public file, analogous to a telephone directory, as Bob's personal encryption key. This will allow anyone else (say Alice) in the communications network to encrypt and send a message to Bob. Notice that while is revealed, the listed public key does not mention the (private) factors and.

The encryption process begins with Alice converting her message into an integer by means of a digital alphabet in which each letter, number or punctuation mark of the plaintext is replaced by a two-digit integer. One standard procedure is to use the assignment

A=01  K=11  U=21  1=31
B=02  L=12  V=22  2=32
C=03  M=13  W=23  3=33
D=04  N=14  X=24  4=34
E=05  O=15  Y=25  5=35
F=06  P=16  Z=26  6=36
G=07  Q=17   =27  7=37
H=08  R=18   =28  8=38
I=09  S=19  ?=29  9=39
J=10  T=20  0=30  !=40

Table 9.5: Digital alphabet

with 00 indicating a space between words. In this scheme, the message

    The brown fox is quick.

is transformed into the numerical string

    = 2008050002181523140006152400091900172109031128

It is assumed that the plaintext number is less than, where is the encryption modulus, otherwise it would be impossible to distinguish from any larger integer congruent to (mod ). If the message is too long to be handled as a single number, then can be broken up into blocks of digits 1, 2,..., of the appropriate size. Each block would be sent separately.

Looking up Bob's encryption key ( ) in the public directory, Alice disguises the plaintext number as a ciphertext number by raising to the th power and then reducing the result modulo, that is,

    (mod )

where is a least residue of. Thus is the ciphertext that is transmitted. A 200-character message can be encrypted in seconds on a computer.

Recall that the public encryption exponent was originally selected so that ( ( )) = 1. At the other end, Bob deciphers the transmitted information by first determining the integer, the secret recovery exponent, for which

    1 (mod ( ))

Since ( ( )) = 1, this linear congruence has a unique solution modulo ( ). In fact, the Euclidean algorithm will produce as a solution to in the equation

    + ( ) = 1

The recovery exponent can be calculated only by someone who knows both and ( ) = ( 1)( 1), hence who knows the prime factors and of. Thus, is secure from an illegitimate third party (Eve) whose knowledge is limited to the public-key ( ).

Bob can now retrieve from by simply calculating (mod ). Because =1+ ( ) for some integer, it follows from Euler's Theorem (Theorem 9.1) that

    ( ) 1+ ( ) ( ( ) ) 1 (mod )

whenever ( ) = 1. In other words, raising the ciphertext number to the th power and reducing it modulo recovers the original plaintext number.

The assumption that ( ) = 1 was made in order to use Euler's theorem. In the unlikely (unlikely because is almost prime) event that and are not relatively prime, then either or ; assume. Then ( ) 0 (mod ) and ( ) ( ( ) ) ( ( ) ) ( ) (mod ), so that ( ) and ( ). Since ( ) = 1, ( ) and the desired congruence ( ) (mod ) follows.

Cryptanalysis is the process by which Eve, on receiving some ciphertext, determines the original message without prior knowledge of the (private) key. Cryptology is the study of both cryptography and cryptanalysis.

Example: (using small numbers to get an illustration that is easy to handle) Encrypt and then decrypt the message NO EXIT using the encryption modulus = 29 · 53 = 1537 and encryption exponent = 47. (Thus the public-key is ( ) = (1537, 47)). Note that ( ) = (29) (53) = 28 · 52 = 1456, hence ( ( )) = 1 as required.

Solution We begin by translating the message into its digital equivalent using the substitution mentioned earlier. This yields the plaintext number

    = 14150005240920

We want each plaintext block to be an integer less than 1537. To be sure of this we split into blocks containing exactly one digit less than the encryption modulus, i.e. five 3-digit blocks, where we add a 0 at the end to fill the block.

    = 141 500 052 409 200

The encryption is

    $141^{47} \equiv 658 \pmod{1537}$
    $500^{47} \equiv 1408 \pmod{1537}$
    $052^{47} \equiv 953 \pmod{1537}$
    $409^{47} \equiv 801 \pmod{1537}$
    $200^{47} \equiv 707 \pmod{1537}$

Thus the ciphertext that is transmitted (in blocks of the same size; now it does not matter that the block size is the same as the number of digits of, because the numbers are still least residues of ) is

    0658 1408 0953 0801 0707

The authorised recipient knows the secret recovery exponent. It is the unique integer satisfying the congruence 1 (mod ( )) and we know that ( ) = 1456. Thus we need the solution to

    47 1 (mod 1456)

which is = 31 (use the Euclidean algorithm). Hence the recipient decrypts the message as follows:

    $658^{31} \equiv 141 \pmod{1537}$
    $1408^{31} \equiv 500 \pmod{1537}$
    $953^{31} \equiv 52 = 052 \pmod{1537}$
    $801^{31} \equiv 409 \pmod{1537}$
    $707^{31} \equiv 200 \pmod{1537}$

We must add a 0 in front of 52 (in front, not at the back, so as not to change 52) because we know each block has size exactly three. This gives the original message 141 500 052 409 200.

When substituting letters for digits, we simply discard the useless 0 (or string of 0's) at the end.

For the RSA cryptosystem to be secure it must not be computationally feasible to recover the plaintext from the information assumed to be known to a third party, namely the listed public-key ( ). The direct method of attack would be to attempt to factor, a huge integer, because once the factors are determined, the recovery exponent can be calculated from ( ) and. The confidence in the RSA system rests on the expected amount of computer time needed to factor the product of two large primes. Factoring is computationally MUCH more difficult than distinguishing between primes and composites. On today's fastest computers, a 200 digit number can routinely be tested for primality in less than 10 minutes, whereas the running time required to factor a composite number of the same size is prohibitive. It has been estimated that the quickest factoring algorithm known can use approximately $(1.2)10^{23}$ computer operations to resolve an integer with 200 digits into its prime factors. Assuming that each operation takes $10^{-6}$ seconds, the factorisation time would be about $(3.8)10^{9}$ years.

As an example, consider the Mersenne numbers. For prime, M( ) denotes the integer 2 1. If M( ) is prime, it is a Mersenne prime, otherwise it is a Mersenne number. There are 49 prime numbers for which it is known that M( ) is prime, the largest being M(74 207 281). For almost all other prime numbers 74 207 281 it is known that M( ) is not prime. As of October 2016, the composite Mersenne number with largest proven prime factors is $2^{1193} - 1$, which is known to have factors with 104 and 251 digits that were proven prime. This illustrates the enormous difference in the size of the largest known Mersenne prime and the size of the largest known composite Mersenne number whose factors are known.

When used in practice, RSA is generally combined with further enhancements to improve its security.

The above section on cryptography was adapted from D. M. Burton, Elementary Number Theory (fourth ed.), McGraw-Hill, New York, 1998. See Burton for other encryption algorithms.
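The NO EXIT example above, carried through in Python as an added illustration (not code from these notes or from Burton). The names n, e, d, p, q and all function names are chosen here, since the transcription has lost the original symbols; the last function shows the point made about factoring, namely that with a modulus as small as 1537 the public key alone yields the recovery exponent.

```python
from math import isqrt

# Table 9.5 restricted to letters; "00" marks a space between words.
CODE = {chr(ord("A") + i): f"{i + 1:02d}" for i in range(26)}
CODE[" "] = "00"
DECODE = {digits: ch for ch, digits in CODE.items()}

def to_blocks(message, size=3):
    """Text -> digit string -> size-digit integer blocks, padded with 0s at the end."""
    digits = "".join(CODE[ch] for ch in message.upper())
    digits += "0" * (-len(digits) % size)
    return [int(digits[i:i + size]) for i in range(0, len(digits), size)]

def from_blocks(blocks, size=3):
    """Inverse of to_blocks: restore leading 0s per block, discard the end padding."""
    digits = "".join(f"{b:0{size}d}" for b in blocks)
    digits = digits[:len(digits) - len(digits) % 2]   # an odd leftover digit is padding
    text = "".join(DECODE[digits[i:i + 2]] for i in range(0, len(digits), 2))
    return text.rstrip(" ")                           # a padded "00" decodes to a space

def egcd(a, b):
    """Extended Euclidean algorithm: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def recovery_exponent(e, p, q):
    """Solve e*d ≡ 1 (mod (p-1)(q-1)); needs the prime factors of the modulus."""
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return x % phi

def encrypt(blocks, e, n):
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("every plaintext block must be a least residue modulo n")
    return [pow(m, e, n) for m in blocks]

def decrypt(blocks, d, n):
    return [pow(c, d, n) for c in blocks]

def factor_by_trial_division(n):
    """Practical only for toy moduli such as 1537; hopeless at 400 digits."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("n is prime")

def exponent_from_public_key(n, e):
    """What a third party can do once n is factored: rebuild d from (n, e) alone."""
    p, q = factor_by_trial_division(n)
    return recovery_exponent(e, p, q)

if __name__ == "__main__":
    n, e = 1537, 47                       # public key from the example
    d = recovery_exponent(e, 29, 53)      # private: uses the factors 29 and 53
    plain = to_blocks("NO EXIT")
    cipher = encrypt(plain, e, n)
    print("plaintext blocks :", [f"{m:03d}" for m in plain])
    print("ciphertext blocks:", [f"{c:04d}" for c in cipher])
    print("recovery exponent:", d)
    print("decrypted        :", from_blocks(decrypt(cipher, d, n)))
    print("d from (n, e)    :", exponent_from_public_key(n, e))
```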

Section 10 Primitive roots

Warning: The work is getting harder all the time. Don't fall behind.

10.1 The Order of modulo

By now we know that (12) = (2 2 ) (3) = 2 1 (3 1) = 4 and indeed, 1, 5, 7 and 11 are the only least residues (mod 12) relatively prime to 12. Hence by Euler's Theorem (Theorem 9.1), whenever ( 12) = 1, that is, the least residue of is one of the numbers 1, 5, 7, 11, we have 4 1 (mod 12). However, we also have

    $1^2 \equiv 1 \pmod{12}$
    $5^2 \equiv 25 \equiv 1 \pmod{12}$
    $7^2 \equiv 49 \equiv 1 \pmod{12}$
    $11^2 \equiv 121 \equiv 1 \pmod{12}$

Thus, although it is true that (12) 1 (mod 12) if ( 12) = 1, it is not true that (12) is the smallest positive integer such that 1 (mod 12).

Definition If ( ) = 1, then the smallest positive integer such that 1 (mod ) is called the order of modulo, written ord.

Example: Since (9) = 6, we know that $4^6 \equiv 1 \pmod 9$, but what is the order of 4 modulo 9? We know that it is at most 6, but is there a smaller integer such that 4 1 (mod 9)? Yes, $\operatorname{ord}_9 4 = 3$ because

    $4^2 \equiv 16 \equiv 7 \pmod 9$
    $4^3 \equiv 28 \equiv 1 \pmod 9$

Recall that (13) = 12 and consider the least residues of (mod 13) for {1 2 12}.

        2   3   4   5   6   7   8   9  10  11  12
    1   1   1   1   1   1   1   1   1   1   1   1
    2   4   8   3   6  12  11   9   5  10   7   1
    3   9   1   3   9   1   3   9   1   3   9   1
    4   3  12   9  10   1   4   3  12   9  10   1
    5  12   8   1   5  12   8   1   5  12   8   1
    6  10   8   9   2  12   7   3   5   4  11   1
    7  10   5   9  11  12   6   3   8   4   2   1
    8  12   5   1   8  12   5   1   8  12   5   1
    9   3   1   9   3   1   9   3   1   9   3   1
   10   9  12   3   4   1  10   9  12   3   4   1
   11   4   5   3   7  12   2   9   8  10   6   1
   12   1  12   1  12   1  12   1  12   1  12   1

Table 10.1: Least residues of (mod 13) for {1 2 12}

There are two questions to be considered:

(1) Which powers of are congruent to 1 (mod 13)? Compare them with the order (the powers of in the columns with boldfaced 1s) of (mod 13).

(2) Which numbers occur as orders of (mod 13)? Compare them with (13).

These questions are answered in the next two theorems.

Theorem 10.1 If ( ) = 1 and ord =, then 1 (mod ) if and only if.

Proof. If = for some Z, then

    ( ) 1 1 (mod )

Conversely, suppose 1 (mod ). Since is the smallest positive integer such that 1 (mod ), we have. Dividing by we get = + for some 1 and 0. Thus

    1 + ( ) 1 (mod ).

Since is the smallest positive integer such that 1 (mod ), 1 (mod ) with 0 is only possible if = 0. Thus = and the result follows.

Theorem 10.2 If ( ) = 1 and ord =, then ( ).

Proof. By Euler's Theorem (Theorem 9.1), ( ) 1 (mod ) and so by Theorem 10.1, ( ).

Example: Determine $\operatorname{ord}_{18} 5$ and $\operatorname{ord}_{13} 2$.

Solution First determine (18): Since $18 = 2 \cdot 3^2$, (18) = $18(\frac{1}{2})(\frac{2}{3}) = 6$. By Theorem 10.2, the only possible orders of 5 (mod 18) are 1, 2, 3 or 6. Obviously $\operatorname{ord}_{18} 5 \neq 1$. Since $5^2 \equiv 7 \pmod{18}$, $5^3 \equiv 7 \cdot 5 \equiv 17 \equiv -1 \pmod{18}$, and $5^6 \equiv 17^2 \equiv (-1)^2 \equiv 1 \pmod{18}$, $\operatorname{ord}_{18} 5 = 6$.

Determine (13): Since 13 is prime, (13) = 12. By Theorem 10.2, the only possible orders of 2 (mod 13) are 1, 2, 3, 4, 6 or 12. Since $2^2 \equiv 4 \pmod{13}$, $2^3 \equiv 8 \pmod{13}$, $2^4 \equiv 3 \pmod{13}$, $2^6 \equiv 3 \cdot 2^2 \equiv 12 \equiv -1 \pmod{13}$, $\operatorname{ord}_{13} 2 = 12$ = (13). (Note: This shows that (Z 13 {[0]} ) is a cyclic group with generator [2].)

The previous two theorems have a very useful application:

Theorem 10.3 If and are odd primes and ( 1), then either ( 1) or =2 +1 for some integer.

Proof. Since ( 1), we have 1 (mod ). By Theorem 10.1, ord. This means that has order 1 or (mod ). If the order is 1, then 1 (mod ) and so ( 1). If the order of (mod ) is, then by Theorem 10.2, ( ). But ( ) = 1 since is prime, hence ( 1). Then 1= for some integer. Since 1 is even, it follows that =2 for some integer and we therefore have shown that =2 +1.

Corollary 10.1 Any prime divisor of 2 1 is of the form 2 +1.

This means that to test whether a number 2 1 is a Mersenne prime, we only have to consider as possible divisors of 2 1 the prime numbers of the form 2 +1.

Example: Suppose we want to factor $2^{19} - 1$. What is the smallest possible prime number that we need to consider?

Solution Any positive divisor (prime or otherwise) of $2^{19} - 1$ is of the form 38 +1, N.

              1    2    3    4    5
    38 +1    39   77  115  153  191

Of these, only 191 is prime, so the smallest possible prime divisor (hence the smallest possible proper divisor) of $2^{19} - 1$ is 191. (Continuing in this way, and only calculating $2^{19}$ (mod ) if is a prime of the form 38 +1 2 19 1, we soon show that $2^{19} - 1 = 524287$ is prime.)

Another application of Theorems 10.1 and 10.2 gives the following criterion for an integer to be prime.

Theorem 10.4 Let 1 and suppose that for every prime factor of 1 there is an integer such that ( ) 1 1 (mod ) and ( ) ( 1) ≢ 1 (mod ). Then is prime.

Proof. To show is prime we need only show that ( ) = 1, which would follow if we can prove that 1 ( ). Suppose this is not the case. Then there is a prime and an exponent 0 such that 1, but ∤ ( ). By the hypothesis, for this prime there exists an integer that satisfies conditions ( ) and ( ) above. Note that ( ) is only possible if ( ) = 1, otherwise ( ) ∤ 1. Therefore ord is defined. Let = ord. By Theorem 10.2, ( ). From Theorem 10.1 and ( ), ( 1). But from Theorem 10.1 and ( ), ∤ ( 1). This implies that. But ( ) and so ( ), a contradiction.

Even though this test itself is impractical if is large (because one has to find an for every prime factor of 1), Theorem 10.4 is the basis of all modern primality tests, whether they are as simple as the test above or as elaborate as the methods using elliptic curves or number fields.

Note that if is prime, then ( ) in the statement of Theorem 10.4 holds: it is Fermat's Theorem. After studying the next section we will also know that ( ) holds if is prime, hence Theorem 10.4 gives a necessary and sufficient condition for a number to be prime.
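An added Python example (not part of the notes) covering the three tools of this section: the order of an integer modulo n, the search for divisors of 2^p - 1 among numbers of the form 2kp + 1, and the primality criterion of Theorem 10.4. The symbols a, n, p, q, k and all function names are assumptions made here because the transcription dropped the original notation; trial division stands in for factoring, which limits it to small inputs.

```python
from math import gcd

def order(a, n):
    """Order of a modulo n: least k >= 1 with a^k ≡ 1 (mod n)."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("the order is defined only when gcd(a, n) = 1")
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def prime_factors(n):
    """Distinct prime factors of n by trial division (small n only)."""
    found, f = [], 2
    while f * f <= n:
        if n % f == 0:
            found.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if n > 1:
        found.append(n)
    return found

def is_prime(n):
    return n > 1 and prime_factors(n) == [n]

def candidate_divisors(p, count):
    """First `count` integers of the form 2kp + 1 (Corollary 10.1), k = 1, 2, ..."""
    return [2 * k * p + 1 for k in range(1, count + 1)]

def smallest_mersenne_factor(p):
    """Least prime divisor of 2^p - 1 up to its square root (p an odd prime),
    testing only primes q = 2kp + 1; None means 2^p - 1 is prime."""
    m = (1 << p) - 1
    q = 2 * p + 1
    while q * q <= m:
        if is_prime(q) and pow(2, p, q) == 1:    # q divides 2^p - 1
            return q
        q += 2 * p
    return None

def lucas_certificate(n, max_base=200):
    """Theorem 10.4: for each prime q dividing n - 1 look for a base a with
    a^(n-1) ≡ 1 and a^((n-1)/q) ≢ 1 (mod n). Returns {q: a} if every q gets
    a base (then n is prime), else None (no proof found below max_base)."""
    if n < 3:
        return None
    certificate = {}
    for q in prime_factors(n - 1):
        for a in range(2, min(n, max_base)):
            if pow(a, n - 1, n) == 1 and pow(a, (n - 1) // q, n) != 1:
                certificate[q] = a
                break
        else:
            return None
    return certificate

if __name__ == "__main__":
    print("ord_9 4  =", order(4, 9))
    print("ord_18 5 =", order(5, 18))
    print("ord_13 2 =", order(2, 13))
    print("orders mod 13:", {a: order(a, 13) for a in range(1, 13)})
    print("38k+1, k=1..5:", candidate_divisors(19, 5))
    print("factor of 2^19-1:", smallest_mersenne_factor(19))
    print("factor of 2^11-1:", smallest_mersenne_factor(11))
    print("certificate for 524287:", lucas_certificate(524287))
    print("certificate for 341:", lucas_certificate(341))
```

A composite such as 341, which satisfies the Fermat condition for base 2, still gets no certificate, because the second condition must hold for every prime factor of n - 1.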

Theorem 10.5 If ord =, then (mod ) if and only if (mod )

Proof. Suppose (mod ). We may assume that (for otherwise we just switch and ). Also, ( ) = 1 (otherwise ord is not defined) and so we may divide both sides of the congruence by to get 1 (mod ). By Theorem 10.1, ( ) and thus (mod ).

Conversely, suppose (mod ). Then = + for some integer, and because 1 (mod ). + ( ) (mod )