Public Key Encryption

Similar documents
CPSC 467b: Cryptography and Computer Security

ENEE 457: Computer Systems Security. Lecture 5 Public Key Crypto I: Number Theory Essentials

Number Theory and Group Theoryfor Public-Key Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CSC 474 Information Systems Security

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Topics in Cryptography. Lecture 5: Basic Number Theory

Number Theory & Modern Cryptography

Number Theory. Modular Arithmetic

CPSC 467: Cryptography and Computer Security

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

ALG 4.0 Number Theory Algorithms:

CIS 551 / TCOM 401 Computer and Network Security

basics of security/cryptography

Introduction to Public-Key Cryptosystems:

Introduction to Cryptography. Lecture 6

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Basic elements of number theory

Basic elements of number theory

Ma/CS 6a Class 4: Primality Testing

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Applied Cryptography and Computer Security CSE 664 Spring 2017

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

OWO Lecture: Modular Arithmetic with Algorithmic Applications

10 Public Key Cryptography : RSA

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

CSc 466/566. Computer Security. 5 : Cryptography Basics

CSE 311: Foundations of Computing. Lecture 12: Two s Complement, Primes, GCD

ICS141: Discrete Mathematics for Computer Science I

ECE 646 Lecture 5. Mathematical Background: Modular Arithmetic

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Numbers. Çetin Kaya Koç Winter / 18

Lecture 3.1: Public Key Cryptography I

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Finite Fields. Mike Reiter

Mathematical Foundations of Public-Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

8 Primes and Modular Arithmetic

Chapter 8. Introduction to Number Theory

Senior Math Circles Cryptography and Number Theory Week 2

Cryptography IV: Asymmetric Ciphers

Mathematics of Cryptography

Aspect of Prime Numbers in Public Key Cryptosystem

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CPSC 467: Cryptography and Computer Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture Notes, Week 6

Chapter 8 Public-key Cryptography and Digital Signatures

Ma/CS 6a Class 4: Primality Testing

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Mathematical Foundations of Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

ECEN 5022 Cryptography

COMP4109 : Applied Cryptography

Cryptography. pieces from work by Gordon Royle

CS March 17, 2009

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Encryption: The RSA Public Key Cipher

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Introduction to Number Theory

Modular Arithmetic and Elementary Algebra

MATH 361: NUMBER THEORY FOURTH LECTURE

Public-Key Cryptosystems CHAPTER 4

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

ECE 646 Lecture 5. Motivation: Mathematical Background: Modular Arithmetic. Public-key ciphers. RSA keys. RSA as a trap-door one-way function

Some Facts from Number Theory

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

RSA Implementation. Oregon State University

Cryptography: Joining the RSA Cryptosystem

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CS483 Design and Analysis of Algorithms

Asymmetric Encryption

Security II: Cryptography exercises

3 The fundamentals: Algorithms, the integers, and matrices

download instant at

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Transcription:

Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition of a positive integer n: n = p 1 e 1 p k e k : 200 = 2 3 5 2 Fundamental Theorem of Arithmetic The prime decomposition of a positive integer is unique 3/13/2012 Cryptography 2 Symmetric Cryptography 1

Greatest Common Divisor The greatest common divisor (GCD) of two positive integers a and b, denoted gcd(a, b), is the largest positive integer that divides both a and b The above definition is extended to arbitrary integers s: gcd(18, 30) = 6 gcd(0, 20) = 20 gcd(-21, 49) = 7 Two integers a and b are said to be relatively prime if : gcd(a, b) = 1 Integers 15 and 28 are relatively prime 3/13/2012 Cryptography 3 Modular Arithmetic Modulo operator for a positive integer n, computes a remainder r: r = a mod n if there exists r and k s.t. 0 r < n and a = r + kn which is equivalent to: r = a - a/n n : 29 mod 13 = 3 13 mod 13 = 0-1 mod 13 = 12 29 = 3 + 2 13 13 = 0 + 1 13 12 = -1 + 1 13 Modulo and GCD: gcd(a, b) = gcd(b, a mod b) : gcd(21, 12) = 3 gcd(12, 21 mod 12) = gcd(12, 9) = 3 3/13/2012 Cryptography 4 Symmetric Cryptography 2

Euclid s GCD Algorithm Euclid s algorithm for computing the GCD repeatedly applies the formula gcd(a, b) = gcd(b, a mod b) gcd(412, 260) = 4 Algorithm EuclidGCD(a, b) Input integers a and b Output gcd(a, b) if b = 0 return a else return EuclidGCD(b, a mod b) a 412 260 152 108 44 20 4 b 260 152 108 44 20 4 0 3/13/2012 Cryptography 5 Analysis of Running Time Let a i and b i be the arguments of the i-th recursive call of algorithm EuclidGCD We have a i + 2 = b i + 1 = a i mod a i + 1 < a i + 1 Sequence a 1, a 2,, a n decreases exponentially, namely a i + 2 ½ a i for i > 1 Case 1 a i + 1 ½ a i a i + 2 < a i + 1 ½ a i Case 2 a i + 1 > ½ a i a i + 2 = a i mod a i + 1 = a i - a i + 1 ½ a i Thus, the maximum number of recursive calls of algorithm EuclidGCD(a, b) is 1 + 2 log min(a, b) => Running time is linear in the number of bits describing a and b 3/13/2012 Cryptography 6 Symmetric Cryptography 3

Multiplicative Inverses (1) The residues modulo a positive integer n are the set Z n = {0, 1, 2,, (n - 1)} Let x and y be two elements of Z n such that xy mod n = 1 We say that y is the multiplicative inverse of x in Z n and we write y = x -1 : Multiplicative inverses of the residues modulo 11 x 0 1 2 3 4 5 6 7 8 9 10 x -1 1 6 4 3 9 2 8 7 5 10 3/13/2012 Cryptography 7 Multiplicative Inverses (2) Theorem An element x of Z n has a multiplicative inverse if and only if x and n are relatively prime The elements of Z 10 with a multiplicative inverse are 1, 3, 7, 9 x 0 1 2 3 4 5 6 7 8 9 x -1 1 7 3 9 Corollary If is p is prime, every nonzero residue in Z p has a multiplicative inverse 3/13/2012 Cryptography 8 Symmetric Cryptography 4

Computing Multiplicative Inverses: Extended Euclidean Algorithm Euclid GCD algorithm on input (a,b) computes n = gcd(a,b) A simple variant of EuclidGCD algorithm, called Extended Euclid algorithm, on inputs (a,b) outputs also n=gcd(a,b) together with integers z,k s.t. n = z*a + k*b Note that if x is co-prime to n then ExtEucGCD(a,b,c) outputs (n,z,k) s.t. n=1, because gcd(x,n)=1, and therefore z,k satisfy: 1 = z*x + k*b Therefore z = x -1 mod b, i.e. z is a multiplicative inverse x modulo b. Therefore computing multiplicative inverses is as easy as computing GCD. 3/13/2012 Cryptography 9 Modular Powers: We observe interesting cycles Let p be a prime A sequence of successive powers of any element x in Z p exhibit repeating subsequences, i.e. cycles (p = 7) x x 2 x 3 x 4 x 5 x 6 1 1 1 1 1 1 2 4 1 2 4 1 3 2 6 4 5 1 4 2 1 4 2 1 5 4 6 2 3 1 6 1 6 1 6 1 Notice: The sizes of the cycles, 1,3,6,3,6,2, are all divisors of p-1 3/13/2012 Cryptography 10 Symmetric Cryptography 5

Fermat s Little Theorem Theorem Let p be a prime. For each nonzero residue x of Z p, we have x p - 1 mod p = 1 (p = 5): 1 4 mod 5 = 1 2 4 mod 5 = 16 mod 5 = 1 3 4 mod 5 = 81 mod 5 = 1 4 4 mod 5 = 256 mod 5 = 1 Corollary Let p be a prime. For each nonzero residue x of Z p, the multiplicative inverse of x is x p - 2 mod p Proof x(x p - 2 mod p) mod p = xx p - 2 mod p = x p - 1 mod p = 1 3/13/2012 Cryptography 11 Euler s Theorem The multiplicative group for Z n, denoted with Z* n, is the subset of elements of Z n relatively prime with n The totient function of n, denoted with f(n), is the size of Z* n Z* 10 = { 1, 3, 7, 9 } f(10) = 4 If p is prime, we have Z* p = {1, 2,, (p - 1)} f(p) = p - 1 Euler s Theorem For each element x of Z* n, we have x f(n) mod n = 1 (n = 10) 3 f(10) mod 10 = 3 4 mod 10 = 81 mod 10 = 1 7 f(10) mod 10 = 7 4 mod 10 = 2401 mod 10 = 1 9 f(10) mod 10 = 9 4 mod 10 = 6561 mod 10 = 1 3/13/2012 Cryptography 12 Symmetric Cryptography 6

RSA Cryptosystem Setup: n = pq, with p and q primes e relatively prime to f(n) = (p - 1) (q - 1) d inverse of e in Z f(n) Keys: Public key: K E = (n, e) Private key: K D = d Encryption: Plaintext M in Z n C = M e mod n Decryption: M = C d mod n Setup: p = 7, q = 17 n = 7 17 = 119 f(n) = 6 16 = 96 e = 5 d = 77 Keys: public key: (119, 5) private key: 77 Encryption: M = 19 C = 19 5 mod 119 = 66 Decryption: C = 66 77 mod 119 = 19 3/13/2012 Cryptography 13 Correctness We show the correctness of the RSA cryptosystem for the case when the plaintext M does not divide n Namely, we show that (M e ) d mod n = M Since ed mod f(n) = 1, there is an integer k such that ed = kf(n) + 1 Since M does not divide n, by Euler s theorem we have M f(n) mod n = 1 Thus, we obtain (M e ) d mod n = M ed mod n = M kf(n) + 1 mod n = MM kf(n) mod n = M (M f(n) ) k mod n = M (M f(n) mod n) k mod n = M (1) k mod n = M mod n = M Proof of correctness can be extended to the case when the plaintext M divides n 3/13/2012 Cryptography 14 Symmetric Cryptography 7

Complete RSA Example Setup: p = 5, q = 11 n = 5 11 = 55 f(n) = 4 10 = 40 e = 3 d = 27 (3 27 = 81 = 2 40 + 1) Encryption C = M 3 mod 55 Decryption M = C 27 mod 55 M 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 C 1 8 27 9 15 51 13 17 14 10 11 23 52 49 20 26 18 2 M 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 C 39 25 21 33 12 19 5 31 48 7 24 50 36 43 22 34 30 16 M 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 C 53 37 29 35 6 3 32 44 45 41 38 42 4 40 46 28 47 54 3/13/2012 Cryptography 15 Security of RSA based on difficulty of factoring Widely believed Best known algorithm takes exponential time RSA Security factoring challenge (discontinued) In 1999, 512-bit challenge factored in 4 months using 35.7 CPU-years 160 175-400 MHz SGI and Sun 8 250 MHz SGI Origin 120 300-450 MHz Pentium II 4 500 MHz Digital/Compaq Security In 2005, a team of researchers factored the RSA-640 challenge number using 30 2.2GHz CPU years In 2004, the prize for factoring RSA- 2048 was $200,000 Current practice is 2,048-bit keys Estimated resources needed to factor a number within one year Length (bits) 3/13/2012 Cryptography 16 PCs Memory 430 1 128MB 760 215,000 4GB 1,020 342 10 6 170GB 1,620 1.6 10 15 120TB Symmetric Cryptography 8

Algorithmic Issues The implementation of the RSA cryptosystem requires various algorithms Overall Representation of integers of arbitrarily large size and arithmetic operations on them Encryption Modular exponentiation Decryption Modular exponentiation Setup Generation of random numbers with a given number of bits (to generate candidates p and q) Primality testing (to check that candidates p and q are prime) Computation of the GCD (to verify that e and f(n) are relatively prime) Computation of the multiplicative inverse (to compute d from e) 3/13/2012 Cryptography 17 Computing Modular Exponentiation: Efficient Algorithm The repeated squaring algorithm speeds up the computation of a modular power a p mod n Write the exponent p in binary p = p b - 1 p b - 2 p 1 p 0 Start with Q 1 = a p b - 1 mod n Repeatedly compute Q i = ((Q i - 1 ) 2 mod n)a p b - i mod n We obtain Q b = a p mod n The repeated squaring algorithm performs O (log p) arithmetic operations 3 18 mod 19 (18 = 10010) Q 1 = 3 1 mod 19 = 3 Q 2 = (3 2 mod 19)3 0 mod 19 = 9 Q 3 = (9 2 mod 19)3 0 mod 19 = 81 mod 19 = 5 Q 4 = (5 2 mod 19)3 1 mod 19 = (25 mod 19)3 mod 19 = 18 mod 19 = 18 Q 5 = (18 2 mod 19)3 0 mod 19 = (324 mod 19) mod 19 = 17 19 + 1 mod 19 = 1 p 5 - i 1 0 0 1 0 2 p 5 - i 3 1 1 3 1 Q i 3 9 5 18 1 3/13/2012 Cryptography 18 Symmetric Cryptography 9

Modular Inverse Theorem Given positive integers a and b, let d be the smallest positive integer such that d = ia + jb for some integers i and j. We have d = gcd(a,b) a = 21 b = 15 d = 3 i = 3, j = -4 3 = 3 21 + (-4) 15 = 63-60 = 3 Given positive integers a and b, the extended Euclid s algorithm computes a triplet (d,i,j) such that d = gcd(a,b) d = ia + jb To test the existence of and compute the inverse of x Z n, we execute the extended Euclid s algorithm on the input pair (x,n) Let (d,i,j) be the triplet returned d = ix + jn Case 1: d = 1 i is the inverse of x in Z n Case 2: d > 1 x has no inverse in Z n 3/13/2012 Cryptography 19 Pseudoprimality Testing The number of primes less than or equal to n is about n / ln n Thus, we expect to find a prime among O(b) randomly generated numbers with b bits each Testing whether a number is prime (primality testing) is a difficult problem, though polynomial-time algorithms exist An integer n 2 is said to be a base-x pseudoprime if x n - 1 mod n = 1 (Fermat s little theorem) Composite base-x pseudoprimes are rare: A random 100-bit integer is a composite base-2 pseudoprime with probability less than 10-13 The smallest composite base-2 pseudoprime is 341 Base-x pseudoprimality testing for an integer n: Check whether x n - 1 mod n = 1 Can be performed efficiently with the repeated squaring algorithm 3/13/2012 Cryptography 20 Symmetric Cryptography 10

Randomized Primality Testing Compositeness witness function witness(x, n) with error probability q for a random variable x Case 1: n is prime witness(x, n) = false always Case 2: n is composite witness(x, n) = true in most cases, false with small probability q < 1 Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating witness(x, n) A variation of base- x pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm) Algorithm RandPrimeTest(n, k) Input integer n,confidence parameter k and composite witness function witness(x,n) with error probability q Output an indication of whether n is composite or prime with probability 2 -k t k/log 2 (1/q) for i 1 to t x random() if witness(x, n) = true return n is composite return n is prime 3/13/2012 Cryptography 21 Symmetric Cryptography 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback