ECE596C: Handout #11

Similar documents
Public Key Cryptography

Introduction to Public-Key Cryptosystems:

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Ma/CS 6a Class 3: The RSA Algorithm

Mathematical Foundations of Public-Key Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Elementary Number Theory MARUCO. Summer, 2018

Number Theory & Modern Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Chapter 8 Public-key Cryptography and Digital Signatures

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Encryption: The RSA Public Key Cipher

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography. Lecture 6

Carmen s Core Concepts (Math 135)

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Ma/CS 6a Class 2: Congruences

MATH3302 Cryptography Problem Set 2

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

10 Modular Arithmetic and Cryptography

Number Theory and Group Theoryfor Public-Key Cryptography

Solution to Midterm Examination

ICS141: Discrete Mathematics for Computer Science I

Iterated Encryption and Wiener s attack on RSA

Applied Cryptography and Computer Security CSE 664 Spring 2018

Basic elements of number theory

Basic elements of number theory

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Homework #2 solutions Due: June 15, 2012

Solution to Problem Set 3

CRYPTOGRAPHY AND NUMBER THEORY

CPSC 467: Cryptography and Computer Security

RSA. Ramki Thurimella

Introduction to Cybersecurity Cryptography (Part 5)

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

Number Theory and Algebra: A Brief Introduction

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Elementary Number Theory Review. Franz Luef

A Readable Introduction to Real Mathematics

Ma/CS 6a Class 2: Congruences

Math.3336: Discrete Mathematics. Mathematical Induction

Ma/CS 6a Class 4: Primality Testing

Mathematics of Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Congruence of Integers

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Number Theory Notes Spring 2011

basics of security/cryptography

Introduction to Modern Cryptography. Benny Chor

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Discrete Mathematics GCD, LCM, RSA Algorithm

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

For your quiz in recitation this week, refer to these exercise generators:

CPSC 467: Cryptography and Computer Security

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

CPSC 467b: Cryptography and Computer Security

Numbers. Çetin Kaya Koç Winter / 18

ECE 646 Lecture 5. Mathematical Background: Modular Arithmetic

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Cryptography: Joining the RSA Cryptosystem

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Number theory (Chapter 4)

NUMBER THEORY FOR CRYPTOGRAPHY

CPSC 467b: Cryptography and Computer Security

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture Notes, Week 6

Ma/CS 6a Class 1. Course Details

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Discrete mathematics I - Number theory

Number Theory. Modular Arithmetic

MATH 145 Algebra, Solutions to Assignment 4

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

10 Public Key Cryptography : RSA

Introduction to Cryptography. Lecture 8

An Introduction to Cryptography

Introduction to Cryptography

Some Facts from Number Theory

5199/IOC5063 Theory of Cryptology, 2014 Fall

Discrete Mathematics with Applications MATH236

Cryptography. P. Danziger. Transmit...Bob...

7. Prime Numbers Part VI of PJE

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Elementary Number Theory and Cryptography, 2014

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Transcription:

ECE596C: Handout #11 Public Key Cryptosystems Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract In this lecture we introduce necessary mathematical background for studying the RSA public key cryptosystem Readings from Chapter 5 of D Stinson 1 Public Key Cryptosystems The idea of public keys is that Alice uses a key K 1 A to encrypt and Bob uses key K A to decrypt, with K A K 1 A, ie encryption and decryption use different keys (asymmetric encryption/decryption) 11 Euler s φ-function φ(n) is defined as the number of integers less than n and relatively prime to n Examples: 1 If p is a prime then, φ(p) = p 1, since {1,2,,p 1} are relatively prime to p 2 φ(2) = 1, {1} 3 φ(3) = 2, {1,2} 4 φ(4) = 2, {1,3} 5 φ(6) = 2, {1,5}; 6 φ(p 2 ) = p 2 p2 p = p(p 1), every other pth element is divided by p 7 Let p,q be primes, p q Then, φ(pq) = pq (p+q 1) (remove p+q 1 elements from pq elements) Further simplifying we get, φ(pq) = (p 1)(q 1) = φ(p)φ(q) (Think of φ(pq) = (p 1 p 0 ) (q 1 q 0 )) 12 The Euclidean Algorithms Let Z n denote the set of residues relatively prime to n Any element in Z n will have a multiplicative inverse also in Z n Problem is how do we find such inverse (remember we used this inverse to decrypt affine ciphers) The Euclidean GCD algorithm First, we present the Euclidean algorithm for finding the gcd of two numbers (a, b) Let a = bq +r, then find a number u which divides both a and b (so that a = su and b = tu), then u also divides r since r = a bq = su qtu = (s qt)u (1) Similarly, find a number v which divides b and r (so that b = s v and r = t v), then v divides a since a = bq +r = qs v +t v = (qs +t )v (2)

2 ECE 596C: Cryptography for Secure Communications with Applications to Network Security Therefore, every common divisor of a and b is a common divisor of b and r, and the procedure can be iterated as follows: a = r 0 = q 1 r 1 +r 2, 0 < r 2 < r 1, q 1 = r 0 r 1 b = r 1 = q 2 r 2 +r 3, 0 < r 3 < r 2, q 2 = r 1 r 2 r m 2 = q m 1 r m 1 +r m, 0 < r m < r m 1, q m 1 = r m 2 r m 1 r m 1 = q m r m (3) It follows that gcd(r 0,r 1 ) = gcd(r 1,r 2 ) = = gcd(r m 1,r m ) = r m, (4) and hence, gcd(a,b) = gcd(r 0,r 1 ) = r m Example (a,b) = (42,30) 42 = 1 30+12 30 = 2 12+6 12 = 2 6 (5) and the gcd(42,30) = 6 Example (a,b) = (144,55) 144 = 2 55+34 55 = 1 34+21 34 = 1 21+13 21 = 1 13+8 13 = 1 8+5 8 = 1 5+3 5 = 1 3+2 3 = 1 2+1 2 = 2 1 and the gcd(144,55) = 1 (the two numbers are relatively prime) Define the following two sequences of numbers t 0,t 1,t 2 t m, s 0,s 1,,s m (6) with t 0 = 0, t 1 = 1, t j = t j 2 q j 1 t j 1 and s 0 = 1, s 1 = 0, s j = s j 2 q j 1 s j 1 Then

Handout # 11 3 Theorem 1 For 0 j m, r j = s j a+t j b Proof Can be proved via induction Extended Euclidean Algorithm Let (a, b) be two integers We compute integers r, s, t such that r = gcd(a,b) and sa+tb = r Corollary 1 Let gcd(r 0,r 1 ) = 1 (condition for the existence of r1 1 ) Then r 1 1 mod r 0 = t m mod r 0 Proof From previous theorem r m = s m r 0 +t m r 1, but r m = gcd(a,b) = 1 Hence, Example: We want to calculate 28 1 mod 75 s m r 0 +t m r 1 = 1 (7) t m r 1 = 1 (mod r 0 ) (8) i r i q i s 1 t i 0 75 1 0 1 28 2 0 1 2 19 1 1-2 3 9 2-1 2 4 1 9 3-8 Therefore 3 75 8 28 = 1 Based on Corollary 1, 28 1 mod 75 = 8 mod 75 = 67 13 Chinese Remainder Theorem Let m 1,m 2,,m r be integers such that gcd(m i,m j ) = 1, i j (relatively prime) Then the set of congruences X a i mod m i, i = 1,2,,r, has a unique solution modulo M, where M = m 1 m 2 m r = r i=1 m i Proof: Let M i = M m i Note gcd(m i,m i ) = 1 Let y i = M 1 i mod m i M i y i = 1 mod m i (The inverse exists because gcd(m i,m i ) = 1, and can be found using the Extended Euclidean Algorithm) Let ρ(a 1,a 2,,a r ) = r i=1 a im i y i mod M, be the solution Denote X = ρ(a 1,a 2,,a r ) and let 1 j r Consider a term of ρ reduced modulo m j If i = j a i M i y i = a i mod m i, because M i y i 1 mod m i If i j then a i M i y i 0 mod m j since m j M i Hence, X = r i=1 a im i y i mod m j a j mod m j

4 ECE 596C: Cryptography for Secure Communications with Applications to Network Security This is true for all j and hence X is a solution to the system of congruences This solution can also be shown to be unique modulo M since the cardinalities of the domain and the range are equal Example: Solve the system of congruences X 5 (mod 7) X 3 (mod 11) X 10 (mod 13) Step 1: r = 3,m 1 = 7,m 2 = 11,m 3 = 13,a 1 = 5,a 2 = 3,a 3 = 10,M = 7 11 13 = 1001 Step 2: M 1 = 143,M 2 = 91,M 3 = 77 Step 3: Use Extended Euclidean Algorithm and find y 1 = 5,y 2 = 4,y 3 = 12 Step 4: Compute X = (5 143 5)+(3 91 4)+(10 77 12) mod 1001 = 894 Step 5: Verify 894 5 (mod 7), 894 3 (mod 11), 894 10 (mod 13) Note that X (mod M) = a 1 (mod m 1 ) = a r (mod m r ) (we will use this fact in the RSA cryptosystem) 14 Euler s Theorem Given gcd(a,n) = 1, then a φ(n) = 1 mod n Let Z n = {x 1,x 2,,x φ(n) } be such that gcd(x i,n) = 1 Let S = {ax 1,ax 2,,ax φ(n) } be elements of ax i mod n Claims: (1) ax i ax j if x i x j (2) ax i 0 if x i 0 That is S is a permutation of Z n Proof of the claims and theorem: (1) (By contradiction:) Let x i x j, but ax i = ax j mod n Note, 0 x i n 1, 0 x j n 1 (n 1) x i x j (n 1), x i x j n 1 Now, if ax i = ax j mod n n a(x i x j ) 1 Note that gcd(a,n) = 1 n does not divide a Hence n (x i x j ) n divides x i x j But we have x i x j n 1 < n So n divides (x i x j ), but (x i x j ) < n x i x j = 0, ie x i = x j This contradicts with initial assumption that x i x j Hence if x i x j ax i ax j 1 Recall that a b indicates a divides b

Handout # 11 5 (2) Assume that for some element x i ax i = 0 mod n That means that either n a or n x i But gcd(a,n) = 1 and gcd(x i,n) = 1, hence ax i 0 Hence this implies that no element of S is 0, and S is a permutation of Z n From the above two claims, we can now prove Euler s theorem as follows Multiply all elements of Zn to get x 1 x 2 x φ(n) = φ(n) i=1 x i Multiply all elements of S to get ax 1 ax 2 ax φ(n) = a φ(n) φ(n) i=1 x i φ(n) i=1 x i = a φ(n) φ(n) i=1 x i mod n (because of the permutation property the two products are congruent modulo n) gcd(x i,n) = 1 a φ(n) = 1 mod n This is Euler s Theorem Example: a = 2, n = 11, φ(n) = 10 Then, a φ(n) 2 10 1024 93 11+1 1 mod 11 Note that if n = p, a prime, then φ(n) = p 1 a p 1 = 1 mod p This is Fermat s Little Theorem 2 RSA Public Key Cryptosystem 21 Basic Idea of RSA Alice chooses two distinct primes p, q, and sets n = pq Now, φ(n) = φ(p)φ(q) = (p 1)(q 1) Alice then picks a, b to set ab 1 mod φ(n), ie ab = 1+λφ(n) Then the encryption key (public key) of Alice, K A = (b,n), and decryption key (private key), K 1 A = (a,n) The encryption and decryption algorithms are: c = E KA (m) = m b mod n, D KA (c) = x = c a mod n, = (m b ) a mod n, = m ab mod n Now since ab 1 mod φ(q)φ(p) ab 1 (mod φ(p)) and ab 1 (mod φ(q)) Let ab = kφ(p)+1 If m is not a multiple of p, m Z p, that is m,p are relatively prime, since m is prime In that case we can apply Euler s theorem (Fermat s little theorem) and obtain: m ab mod p = m kφ(p)+1 mod p = (m φ(p) ) k m mod p 1 k m mod p = m (mod p) (9) If m is a multiple of p it follows that m ab mod p 0 mod p m mod p Hence in any case m ab m mod p Similarly we can obtain that m ab m (mod q) Now for the system of congruences we can apply the Chinese Reminder Theorem and obtain that m ab mod n = m mod n

6 ECE 596C: Cryptography for Secure Communications with Applications to Network Security 22 Implementation of the RSA Algorithm 1 Choose two large primes p, q with p q and let n = pq 2 Randomly choose b with 1 < b < φ(n) such that gcd(b,φ(n) = 1 3 Compute a = b 1 mod φ(n) 4 The public key is (b,n) and the private key is (n,a) 5 Encryption of a message using the public key is c = E {b,n} (m) = m b mod n 6 Decryption of the ciphertext is D {a,n} = c a mod n Note: As we will see later in digital signatures, Alice can use (a,n) as the signing key, while Bob s verification key is (b, n) 23 How many primes are there? Because we need primes for RSA, an interesting question to ask is how many primes are there? A proof was given by Euler It is as follows Assume there are k distinct primes only, p 1,p 2,,p k Define the integer l = k j=1 p j +1 Note that each p i, i = 1,2,,k divides k i=1 p i We denote this as p i k j=1 p j, i = 1,2,,k Now if l is not a prime, then it is divisible by p i, i = 1,2,,k ie p i l = p i ( k j=1 p j + 1) Because p i k j=1 p j, then p i 1, and this implies that p i = 1, i = 1,2,,k But this contradicts with the fact that the p i s are distinct primes Hence p i does not divide l, which implies that l is not divisible by any of the primes we know so far Therefore, there must be another prime that divides l We have found a new prime! This continues 24 Examples for RSA (1) Eve claims that if she knows n and φ(n), she can factor n How? n = pq, φ(n) = (p 1)(q 1) = pq (p+q)+1, n φ(n) = p+q 1, p+q = n φ(n)+1 Since pq = n, we can write, (X p)(x q) = X 2 (p+q)x +pq = X 2 (n φ(n)+1)x +n The solution is p,q = n φ(n)+1± (n φ(n)+1) 2 4n 2 Supposing n = 221 then φ(n) = 192 and, p,q = (221 192+1)± 221 192+1) 2 4 221 2 = 13,17 (2) If Eve knows a,b, she can possibly factor n We will see this later (3) Given n = 11413 = 101 113, b = 7467 Find a such that ab = 1 mod φ(n) φ(n) = φ(101 113) = φ(101)φ(113) = 100 112 Then,

Handout # 11 7 ab 1 mod (100 112), ab = 1+λ(100 112), = 1+λ(4 25 16 7), ab = 1+λ(7 25 64) ab 1 mod 7, ab 1 mod 25, ab 1 mod 64 The last three congruences are a result of the application of the Chinese Remainder Theorem to ab 1 mod (7 25 64) Now, a = 7467 5 mod 7 Then, 7467b (5)b 1 mod 7 We get, 5d = 1+λ(7) = 1+λ(5+2), ie 5d = (1+2λ)+5λ We now need to choose λ such that (1+2λ) is divisible by 5 Setting λ = 2, we get 1+2λ = 5 And 5b = (1+2λ)+5λ = 15 b = 3 Hence the keys are (a,b) = (7467,3) (4) Assume that p is a prime, and that m = x, and c = x b mod p How to find a such that c a x mod p? Note that c a = (x b ) d = x ab mod p Using Fermat s Little Theorem/Euler s theorem, gcd(x,p) = 1 x p 1 1 mod p x ab x x λ(p 1) x mod p ab = 1+λ(p 1), ab 1 mod (p 1)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback