CHAPTER 6: NUMBER THEORY Topics to be covered - prime numbers, relative prime numbers, modular arithmetic, discovering primes, finding inverses of large primes, Euclid’s algorithm, Fermat’s theorem, & Euler’s totient function Motivation - public key cryptography is based on large primes that have to be generated & tested using modular arithmetic. Fermat & Euler’s work is used to determine whether numbers are prime or relatively prime. Euclid’s algorithm is used to find multiplicative inverses that are needed to find appropriate encryption keys in public key cryptography. Chapter 6: Number Theory
Prime Numbers in Cryptography
Numbers used - Non-negative integers
Prime # - A positive integer > 1 is prime iff it is evenly divisible (has a zero remainder) by only two numbers: 1 & itself.
Divisor - If a & b are positive integers, and b 0, b is a divisor of a (i.e., b divides a) if a = mb for some integer m, such that a/b = m
Notation - b|a means b divides a with no remainder, or b is a divisor of a.
Examples:
Positive divisors of 36 are: 1, 2, 3, 4, 6, 9, 12, 18, & 36 (i.e., 36 is not a prime number)
Positive divisors of 17 are: 1 & 17 (i.e., 17 is a prime number)
Properties of Divisors
If a|1, then a = 1 (if a divides 1, then a must be 1 - any larger a would produce a non-integer, fractional result)
If a|b and b|a, then a = b (if not equal, one of the divisions would produce a fraction - 2|4, but 4|2 isn’t true).
a|0 for all a 0 (i.e., 0/5 = 0, but 0/0 0)
If a|k and a|l, then a|(mk + nl) for arbitrary m & n
That is, since a|k, k must be of the form k = a x k1, and since a|l, l is of the form l = a x l1, for some integers k1 and l1.
Then, substituting for k & l in a|(mk + nl), we have a|(m x a x k1 + n x a x l1) = a|a(m x k1 + n x l1), so a divides (mk + nl)
Example: a = 6; k = 36; l = 54; m = 2; n = 3
6|36 = 6 & 6|54 = 9, so does 6|(2x36 + 3x54) and = (2x6x6 + 3x6x9) = 6(2x6 + 3x9), so 6|(2x36 + 3x54)
a|(m x k + n x l)
Prime Numbers - Special Cases of Divisors
Prime = Integer p > 1 with only divisors being 1 & p. Also means a prime is a whole number that is not the product of 2 smaller integers.
Primes < 100 = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97.
Primes < 2000, see Stallings, pg 237.
Primes: For the first 10,000, see http://www.utm.edu/research/primes/lists/small/10000.html
The number 1 is not considered a prime - creates problems in the mathematics of primes
Relatively Prime Numbers
Two numbers are relatively prime if their gcd (greatest common divisor) or gcf (greatest common factor) = 1.
gcd (a, b) means the greatest common divisor of a & b.
If gcd (a, b) = c, then c is a divisor of a & b (i.e., c|a, c|b), and any divisor of c is a divisor of a & b (i.e., d|c means d|a & d|b).
Example: gcd (10, 100) = 10; gcd (24, 36) = 12; gcd (a, 0) = a, since all positive integers > 0 divide 0
Method: Find factors of each number, then match up their common factors.
Common Factors
gcd (102, 5292)
Factors of 102 = 2 x 51 = 2 x 3 x 17 = 2^1 x 3^1 x 17^1
Factors of 5292 = 2 x 2646 = 2 x 2 x 1323 = 2 x 2 x 27 x 49 = 2 x 2 x 3 x 9 x 7 x 7 = 2 x 2 x 3 x 3 x 3 x 7 x 7 = 2^2 x 3^3 x 7^2
So, 102 = 2^0 x 2^1 x 3^1 x 17^1
5292 = 2^0 x 2^2 x 3^3 x 7^2
Common factors (divisors) are 2, and 3 (7 & 17 are not common)
Since gcd(gcf) > 1, these numbers are not relatively prime.
Common Factors
The case we are interested in is gcd = 1
Consider gcd (5, 14)
Factors of 5 are: 1, 5
Factors of 14 are: 1, 2, 7, and 14
They share only the one common factor = 1, thus 5 & 14 are relatively prime!
Another method:
Form 14/5 = 2, remainder 4
Form 5/4 = 1, remainder 1
Form 4/1 = 4, remainder 0
Last divisor = gcd = 1
Euclid’s Algorithm - greatest common factors
Iterative method, by successive factor removal. That is:
For x & y, with x > y: (x, y) and (x - y, y) have the same gcd.
Example:
(100, 10) gcf = 10
(100-10, 10) = (90, 10) gcf = 10
(90-10, 10) = (80, 10) gcf = 10
…….
(20-10, 10) = (10, 10) gcf = 10
(10-10, 10) = (0, 10) no gcf, terminates with y = gcf
This is true because if d|x & d|y, then y = kd & x = jd, so x - y = jd - kd = (j - k)d (i.e., the difference of x & y has the same gcd).
Euclid’s Algorithm - greatest common factors
The same behavior holds in modulo arithmetic.
In modulo arithmetic: gcd(a, b) = gcd(a, a mod b)
Example: gcd(100,10) = gcd(100, 100 mod 10)
100 mod 10; 100/10 = 10, R = 0
True because if d = gcd(a, b), then d|a & d|b. If 10 = gcd(100,10), then 10|100 & 10|10.
This simply means that d is a divisor of a & b and also a divisor of a mod b. This is the basis for Euclid's algorithm.
Euclid’s Algorithm - gcd of X, Y
1 If Y = 0, done with gcd = X
  R = X mod Y
  X = Y
  Y = R
  GOTO 1
Example: gcd 595, 408
595/408 = 1, R = 187 (x mod y = 187)
408/187 = 2, R = 34
187/34 = 5, R = 17
34/17 = 2, R = 0
17/0 Y is = 0 Stop
gcd 595, 408 = 17
Note: Computationally intense for large numbers.
Discovering Primes
Many methods, oldest being the Sieve of Eratosthenes. Given the first 100 numbers (1-100):
1. Remove 1 since it is not a prime by definition
2. Test 2 to see if it is only divisible by 1 and itself. Keep 2, it passes.
3. Cross out every number divisible by 2 since they are composite numbers with 2 as a factor.
4. Test 3. Keep 3, it passes.
5. Eliminate all multiples of 3 since they contain 3 as a factor
6. Test 5. Keep 5, it passes. (we didn’t do 4 - a factor of 2).
Repeat this process for all numbers up to 100.
Easy to understand, but like Euclid is computationally intense.
Example - Sieve of Eratosthenes
1 is eliminated, so starting matrix is:
02 03 04 05 06 07 08 09 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50
51 52 53 54 55 56 57 58 59 60
61 62 63 64 65 66 67 68 69 70
71 72 73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99 100
Example - Sieve of Eratosthenes
Test 2, it is prime, retain 2, and eliminate all multiples of 2 since they are composite numbers with 2 as a factor.
02 03 05 07 09 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 99
Example - Sieve of Eratosthenes
Test 3, it is prime, retain 3, and eliminate all multiples of 3 since they are composite numbers with 3 as a factor.
02 03 05 07 11 13 17 19 23 25 29 31 35 37 41 43 47 49 53 55 59 61 65 67 71 73 77 79 83 85 89 91 95 97
Example - Sieve of Eratosthenes
Test 5, it is prime, retain 5, and eliminate all multiples of 5 since they are composite numbers with 5 as a factor.
02 03 05 07 11 13 17 19 23 29 31 37 41 43 47 49 53 59 61 67 71 73 77 79 83 89 91 97
Example - Sieve of Eratosthenes
Test 7, it is prime, retain 7, and eliminate all multiples of 7 since they are composite numbers with 7 as a factor.
02 03 05 07 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97
Example - Sieve of Eratosthenes
Test 11, it is prime, retain 11, and eliminate all multiples of 11 since they are composite numbers with 11 as a factor (there aren’t any).
We have discovered all the primes less than 100
(13 = 26, 39, 52, 65, 78, 91), (17 = 34, 51, 68, 85), (19 = 38, 57, 76, 95), (23 = 46, 69, 92), (29 = 58, 87), (31 = 62, 93), (37 = 74), (41 = 82), (43 = 86), (47 = 94)
02 03 05 07 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97
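The sieve passes walked through in the slides above, as an added Python example that is not part of the original slides. The names `sieve_stages` and `primes_up_to` are assumptions of this example; it records the survivors after each pass and stops once p x p exceeds the limit, which is why the pass for 11 has nothing left to remove.

```python
def sieve_stages(limit):
    """Run the Sieve of Eratosthenes on 2..limit.

    Returns a list of (p, survivors) pairs, one per sieving prime p,
    where survivors is every number not yet crossed out once the
    multiples of p have been removed.
    """
    # alive[i] is True while i has not been crossed out; 0 and 1 start removed.
    alive = [False, False] + [True] * (limit - 1)
    stages = []
    p = 2
    # Every composite m <= limit has a prime factor <= sqrt(m), so a sieving
    # prime with p * p > limit cannot remove anything new.
    while p * p <= limit:
        if alive[p]:
            # Multiples below p * p were already removed by smaller primes.
            for multiple in range(p * p, limit + 1, p):
                alive[multiple] = False
            stages.append((p, [i for i, ok in enumerate(alive) if ok]))
        p += 1
    return stages


def primes_up_to(limit):
    """Primes <= limit: the survivors of the last sieving pass."""
    stages = sieve_stages(limit)
    if stages:
        return stages[-1][1]
    # limit < 4: no sieving prime satisfies p * p <= limit, nothing to remove.
    return list(range(2, limit + 1))


if __name__ == "__main__":
    for p, survivors in sieve_stages(100):
        print(f"after removing multiples of {p}: {len(survivors)} numbers left")
    print(primes_up_to(100))
```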
Computing Primes - Some Properties
The sieve sounds incredibly computationally intensive and dull! So how do we really compute primes?
First, there are infinitely many primes. Why? Suppose you have a finite set of primes. Just multiply them all together and add 1. The result will not be divisible by any of the primes in your set (the remainder will always be one when you divide). It is not in your set - you have a new prime!
Example: the set is 2, 3, 5, 7 - all primes
2x3x5x7 = 210 + 1 = 211; is it prime - yep!
2x3x5x7x11 = 2,310 + 1 = 2311; is it prime - yep!
Computing Primes - More Properties
Primes thin out as the numbers get bigger (result of multiplying).
3 digit primes, 25 in 100 (1 out of 4 numbers - 25%)
10 digit primes, 1 in 23 - 4.3%
100 digit primes, 1 in 230 - .43%
Going through all of them like the sieve does is too slow. We are interested in about 100 - 150 digit primes. That means if we guess a 150 digit number, we have 1 chance in 230 of it being a prime. This is a feasible process.
If you test 230 150 digit numbers, the probability it will be a prime is about .63. So, on average you will need to test about 230 numbers before you find a prime.
Modulo Arithmetic
Given some positive integers, a & n; a/n = quotient + remainder. Or a = n(q) + r, 0 < r < n; for 5/3 = 1 + 2 or 1, 2.
Consider the reals expressed on a line from 0 to some large value (q+1)n:
Modulo Arithmetic
a, a positive integer, can appear anywhere on the line. If a is a multiple of n it will appear in the same location as one of the n’s with r = 0. If a is not a multiple of n, it will appear between two n’s, and the distance between the lower n and a = r, the remainder or residue.
The same relationship can be expressed in modulo arithmetic. That is, a modulo n, or a mod n = the remainder of a/n.
If a = 17, n = 7, then a/n = 2 + 3, so 17 mod 7 = 3
Just like clock arithmetic (12 hours then repeat with no carry).
Modulo Arithmetic - Properties
Congruence: If a mod n = b mod n, a & b are congruent.
Notation: a b mod n (a is congruent to b mod n)
a b mod n if n|(a-b), n divides a-b
a b mod n implies a mod n = b mod n; as above
a b mod n implies b = a mod n
a b mod n and b c mod n implies a mod n
Arithmetic operations (normal operations hold)
[(a mod n) + (b mod n)] mod n = (a + b) mod n
[(a mod n) - (b mod n)] mod n = (a - b) mod n
[(a mod n) x (b mod n)] mod n = (a x b) mod n
See Stallings, page 111 for worked examples.
Inverses - Key for Asymmetrical Encryption/Decryption
Addition, Modulo 10
+ | 0 1 2 3 4 5 6 7 8 9
--+--------------------
0 | 0 1 2 3 4 5 6 7 8 9
1 | 1 2 3 4 5 6 7 8 9 0
2 | 2 3 4 5 6 7 8 9 0 1
3 | 3 4 5 6 7 8 9 0 1 2
4 | 4 5 6 7 8 9 0 1 2 3
5 | 5 6 7 8 9 0 1 2 3 4
6 | 6 7 8 9 0 1 2 3 4 5
7 | 7 8 9 0 1 2 3 4 5 6
8 | 8 9 0 1 2 3 4 5 6 7
9 | 9 0 1 2 3 4 5 6 7 8
Inverses
Observe that if (a + b) (a + c) mod n, then b c mod n
For a = 5; b = 23; c = 7, n = 8
If (5 + 23) (5 + 7) mod 8; then 23 7 mod 8. Is this true?
Part 1: Is (5 + 23) (5 + 7) mod 8? (5 + 23) = 28; 28/8 = 3, 4 (i.e., r = 4), and (5 + 7) mod 8 = 12 mod 8 = 12/8 = 1, 4 (i.e., r = 4) OK!
Part 2: Is 23 7 mod 8? 23/8 = 2, 7 (i.e., r = 7), and 7 mod 8 = 0, 7 (i.e., r = 7) OK!
So, what is the point? This is true because there is an additive inverse. It is the number you would have to subtract from the original number to get 0.
That is: (a + b) - a -a + (a + c) mod n, or b c mod n
Inverses in Cryptography
Consider an input string to be encrypted = 3692. Add a constant mod 10 to map the string to a new string (char by char)
(3 + 6) mod 10 = 9
(6 + 6) mod 10 = 2
(9 + 6) mod 10 = 5
(2 + 6) mod 10 = 8
The encrypted string for 3692 = 9258
Now use the additive inverse of 6; it is 6 + x = 0; x = 4
(9 + 4) mod 10 = 3
(2 + 4) mod 10 = 6
(5 + 4) mod 10 = 9
(8 + 4) mod 10 = 2
The encrypted string is decrypted! This is a simple substitution cipher (e.g., Caesar). The only difference is numbers were used instead of letters.
Inverses in Cryptography - Multiplicative
x | 0 1 2 3 4 5 6 7 8 9
--+--------------------
0 | 0 0 0 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6 7 8 9
2 | 0 2 4 6 8 0 2 4 6 8
3 | 0 3 6 9 2 5 8 1 4 7
4 | 0 4 8 2 6 0 4 8 2 6
5 | 0 5 0 5 0 5 0 5 0 5
6 | 0 6 2 8 4 0 6 2 8 4
7 | 0 7 4 1 8 5 2 9 6 3
8 | 0 8 6 4 2 0 8 6 4 2
9 | 0 9 8 7 6 5 4 3 2 1
If this works like addition, we should be able to encrypt and decrypt. Trouble is, it only works part of the time. We can encrypt/decrypt with some numbers, but not all.
Multiplicative Inverses in Cryptography
Encrypt the string 8732 using a multiplicative constant = 5 mod 10
(8 x 5) mod 10 = 0; (40/10 = 4, 0)
(7 x 5) mod 10 = 5; (35/10 = 3, 5)
(3 x 5) mod 10 = 5; (15/10 = 1, 5)
(2 x 5) mod 10 = 0; (10/10 = 1, 0)
Trouble is, half the characters mapped to 0 and half to 5. We might guess this is a problem since results are not unique. However, if we use 3 mod 10 we get unique results:
(8 x 3) mod 10 = 4; (24/10 = 2, 4)
(7 x 3) mod 10 = 1; (21/10 = 2, 1)
(3 x 3) mod 10 = 9; (9/10 = 0, 9)
(2 x 3) mod 10 = 6; (6/10 = 0, 6)
Better, but do inverses work?
Multiplicative Inverses in Cryptography
The multiplicative inverse of n is m, where (n x m) mod 10 = 1.
Since 3 gave a unique result, try decrypting using the multiplicative inverse of 3. It is (3 x m) mod 10 = 1; so m = 7.
Now try decrypting 4196 (previous slide) using 7:
(4 x 7) mod 10 = 8
(1 x 7) mod 10 = 7
(9 x 7) mod 10 = 3
(6 x 7) mod 10 = 2
So… the inverse decrypts the cipher! What is the condition that makes 3 work and 5 not work?
Multiplicative Inverses in Cryptography
Why 3 works.
If (a x b) (a x c) mod n, then b c mod n, if and only if (iff) a is relatively prime to n
Because ((a^-1) x a x b) ((a^-1) x a x c) mod n = b c mod n
This is in accordance with Fermat’s theorem. That is, in plain words: a mod n will not produce a complete & unique set of residues if a & n have any factors in common except 1!
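The digit cipher from the last three slides, as an added Python example that is not part of the original slides. All function names are assumptions of this example, and `usable_keys` goes beyond the slides' modulus 10 by checking any modulus n against the "relatively prime to n" condition.

```python
from math import gcd


def encrypt_digits(text, key, n=10):
    """Multiply each digit by key mod n (n <= 10 so results stay single digits)."""
    return "".join(str((int(ch) * key) % n) for ch in text)


def find_inverse(key, n=10):
    """Return m with (key x m) mod n = 1, or None when no such m exists."""
    for m in range(1, n):
        if (key * m) % n == 1:
            return m
    return None


def is_one_to_one(key, n=10):
    """True when x -> key x x mod n produces every residue exactly once."""
    return len({(key * x) % n for x in range(n)}) == n


def usable_keys(n=10):
    """Keys in 1..n-1 whose ciphertext can be decrypted unambiguously."""
    return [k for k in range(1, n) if is_one_to_one(k, n)]


def coprime_keys(n=10):
    """Keys in 1..n-1 that are relatively prime to n."""
    return [k for k in range(1, n) if gcd(k, n) == 1]


if __name__ == "__main__":
    plaintext = "8732"                      # the string used on the slides
    for key in (5, 3):
        inverse = find_inverse(key)
        cipher = encrypt_digits(plaintext, key)
        if inverse is None:
            print(f"key {key}: {cipher} (no inverse, digits collide)")
        else:
            print(f"key {key}: {cipher} -> {encrypt_digits(cipher, inverse)}")
    print("usable keys mod 10:", usable_keys(10))
```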
Finding Multiplicative Inverses - Fermat
For any prime p and any element a < p; a^p mod p = a OR a^(p-1) mod p = 1
Also… the inverse of a is x where ax mod p = 1
Substituting: ax mod p = 1 = a^(p-1) mod p
So x = a^(p-1) mod p / a mod p = a^(p-2) mod p
The inverse of 3 mod 5 = 3^-1 mod 5 = 3^(5-2) mod 5
3^3 mod 5 = 27 mod 5 = Q = 5, R = 2
And 2^(5-2) mod 5 = 2^3 mod 5 = 8 mod 5 = 3
Multiplicative Inverses in Cryptography
So what is the implication for cryptography? We use one number to encrypt and a second number, the inverse, to decrypt – but only if an inverse exists. A number and its inverse are used as the keys. They are asymmetrical (public key cryptography).
Finding inverses of the simple integer was easy, but how do we find inverses for large keys (56, 90, 128 bits)? Use an extended version of Euclid’s gcd algorithm.
For the notation GCD (d, f) = 1, d has a multiplicative inverse mod f such that for d < f, there exists a d^-1, such that d x d^-1 = 1 mod f
Euclid’s gcd algorithm is given in detail by Stallings (page 119).
Multiplicative Inverses by Euclid’s Algorithm
Euclid (d, f)
1 (X1, X2, X3) ← (1, 0, f); (Y1, Y2, Y3) ← (0, 1, d)
2 IF Y3 = 0, RETURN X3 = GCD (d, f); No inverse
3 IF Y3 = 1, RETURN Y3 = GCD (d, f); Y2 = d^-1 mod f
4 Q = X3/Y3 (integer quotient)
5 (T1, T2, T3) ← (X1 - QY1, X2 - QY2, X3 - QY3)
6 (X1, X2, X3) ← (Y1, Y2, Y3)
7 (Y1, Y2, Y3) ← (T1, T2, T3)
8 GOTO 2
Relationships that hold during computation: fT1 + dT2 = T3; fX1 + dX2 = X3; fY1 + dY2 = Y3
X3 & Y3 are comparable to X & Y in the original Euclid’s algorithm.
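The table-driven procedure above, together with the plain gcd loop from the earlier Euclid slide, as an added Python example that is not part of the original slides. The function names are assumptions of this example; the slide's three relationships are checked on every pass, and a negative Y2 is reduced mod f so the returned inverse lies in 0..f-1.

```python
def euclid_gcd(x, y):
    """Plain Euclid: replace (X, Y) by (Y, X mod Y) until Y = 0."""
    while y != 0:
        x, y = y, x % y
    return x


def extended_euclid(d, f):
    """Follow the slide's steps for Euclid(d, f), with 0 < d < f.

    Returns (gcd, inverse); inverse is d^-1 mod f when gcd is 1, else None.
    """
    if not 0 < d < f:
        raise ValueError("expected 0 < d < f")
    x1, x2, x3 = 1, 0, f                      # step 1
    y1, y2, y3 = 0, 1, d
    while True:
        # Relationships the slide says hold during the computation.
        assert f * x1 + d * x2 == x3
        assert f * y1 + d * y2 == y3
        if y3 == 0:                           # step 2: gcd > 1, no inverse
            return x3, None
        if y3 == 1:                           # step 3: Y2 is the inverse
            return 1, y2 % f
        q = x3 // y3                          # step 4: integer quotient
        t1, t2, t3 = x1 - q * y1, x2 - q * y2, x3 - q * y3   # step 5
        x1, x2, x3 = y1, y2, y3               # step 6
        y1, y2, y3 = t1, t2, t3               # step 7, then back to step 2


if __name__ == "__main__":
    print(euclid_gcd(595, 408))               # the slide's gcd example
    for d, f in ((3, 10), (5, 10)):           # the digit-cipher keys
        print(d, f, extended_euclid(d, f))
```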
Euler’s Totient Function
We need to know how many numbers less than n are relatively prime to n. For n = 10, we know 1, 3, 7, and 9 are relatively prime to 10.
Generally, the number of positive integers that are relatively prime to a number n is (n), where is Euler’s Totient Function.
A number less than or equal to and relatively prime to a number is called a totative. The Totient Function, then, is simply the number of totatives of n.
For example, the totient of 4 is defined as the number of numbers that are relatively prime to 4. Those numbers are 1 and 3. 2 isn’t a totative of 4 since it divides 4. So.. (4) = 2.
Euler’s Totient Function
Similarly:
(20) = 1, 3, 7, 9, 11, 13, 17, 19 = 8
(24) = 1, 5, 7, 11, 13, 17, 19, 23 = 8
See Stallings, page 241 for the 1st 30 totatives (i.e., n = 1-30).
In the case of cryptography we are interested in certain totatives.
If n is a prime number (divisible by only 1 and itself), then all the integers (1, 2, 3, ..., n-1) are relatively prime to n, so (n) = n-1. Thus, the gcd for any prime number n, for any number less than n, is exactly 1, so all numbers less than n are relatively prime to n!
If n is a product of two primes, p and q, such that n = pq, there are (p-1)(q-1) numbers relatively prime to n and (n) = (p-1)(q-1).
Theorems Important in Cryptography
Fermat's theorem: a^(n-1) = 1 mod n; if a and n are relatively prime
Also (a)(a^(n-1)) = (a)(1 mod n) or simply that a^n = a mod n, if n & a are relatively prime.
Euler's Theorem: a(n) = 1 mod n; if a and n are relatively prime
That is, if n is prime, then (n) = n-1, so (n) can be substituted in Fermat's Theorem and be = 1 mod n.
We will use these to test candidate numbers for key generation.
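Testing a key-generation candidate with Fermat's theorem, as an added Python example that is not part of the original slides. It shows the caveat a practitioner needs: the composite 561 = 3 x 11 x 17 passes the Fermat check for every base relatively prime to it, so the example also includes the Miller-Rabin test, a stronger check that the slides do not cover; all function names and the choice of bases are assumptions of this example.

```python
def fermat_test(n, bases):
    """Fermat check: a prime n gives a^(n-1) mod n = 1 for each base a.

    Passing is necessary for primality, not sufficient.
    """
    if n < 2:
        return False
    for a in bases:
        a %= n
        if a == 0:
            continue                       # a multiple of n tells us nothing
        if pow(a, n - 1, n) != 1:
            return False                   # a proves that n is composite
    return True


def fermat_liars(n):
    """Bases 2..n-2 for which a composite n still passes the Fermat check."""
    return [a for a in range(2, n - 1) if pow(a, n - 1, n) == 1]


def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin test; with these fixed bases the answer is exact for
    every n below 2^64. Larger candidates should use random bases."""
    if n < 2:
        return False
    if n in bases:
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:                      # write n - 1 = d x 2^s with d odd
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True


if __name__ == "__main__":
    for n in (211, 2311, 561):             # two primes from the slides, one trap
        print(n, fermat_test(n, (2, 5, 7, 13)), miller_rabin(n))
```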
Modulo Exponentiation
We would expect modulo exponentiation to operate similar to modulo multiplication since exponentiation is a repeated form of multiplication.
That is: 2^12 = 2x2x2x2x2x2x2x2x2x2x2x2 = 4096, and 2^12 = 6 mod 10; 4096/10 = Q + R = 409 + 6
In exponentiation, like multiplication, not all numbers have inverses. We also know that numbers without inverses cannot be used to encrypt because they give ambiguous results.
The characteristics of prime numbers, and modular arithmetic as well as the functions and theorems we have described form the mathematical basis for public key cryptography.
Rivest, Shamir, and Adleman (RSA) Algorithm
RSA is an asymmetrical (public key) algorithm that uses two keys, one public and one private. Keys are variable in length and typically on the order of 512 bits long.
The basic algorithm is:
1. Generate two large prime numbers, p & q, say 512 bits long.
2. Multiply the prime numbers p & q together; p x q = n
3. Keep p & q secret.
4. Generate a public key:
a. Compute the totient of n: (n) = (p-1)(q-1).
b. Choose a number e, relatively prime to (n).
The public key is [e, n]
The RSA Algorithm - contd
5. Generate a private key.
a. Find the multiplicative inverse d = e mod (n)
The private key is [d, n]
6. To encrypt a message, m < n, use the public key e and compute: m^e mod n = c
7. To decrypt the encrypted message, compute: m = c^d mod n using the private key d
RSA’s capability to encrypt and decrypt comes from number theory. It derives its strength from the difficulty of factoring the large number n into its prime factors p & q, which is computationally infeasible for large n (recall n = p x q, p & q > 512 bits).
Selecting p, q, and e
• We know that we have to pick the primes p & q, and then e.
• From these we compute (p-1), (q-1), n, (n), and d.
• We already said we could find q and p by trying some large numbers. We know e must be relatively prime to (p-1)(q-1).
• Finally, we compute de = 1 mod (n) using Euler’s algorithm.
• What about e? There are two options:
1. Pick p & q, choose e at random and test for primality with (p-1)(q-1); if the primality test fails, select another e.
2. Select e first, then select p-1 & q-1 to be relatively prime to e.
• In reality we tend to pick e first. Moreover, e is often picked to be 3.
Picking a small e
Turns out RSA security is not weakened by either a small e or even if e is always the same number. The advantage is that if e, the public key, is small, operations with the public key are fast.
Two popular values of e are 3 and 65537 (2^16 + 1). 3 because it only takes 2 multiplies to encrypt. 65537 takes 17 multiplies to encrypt. A 512 bit number takes about 768 multiplies (on average).
There are some precautions in using 3. Short messages need to be padded (easy) and messages encrypted with the same key should not be sent to more than 2 recipients.
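The RSA steps from the two algorithm slides and the padding precaution for e = 3, as an added Python example that is not part of the original slides. The primes are constructed toy values far too small for real use, all function names are assumptions of this example, and the inverse is taken with Python's built-in `pow(e, -1, totient)` rather than a hand-written Euclid loop.

```python
from math import gcd


def make_keys(p, q, e):
    """Steps 2-5: n = p x q, totient (p-1)(q-1), d = inverse of e mod totient."""
    n = p * q
    totient = (p - 1) * (q - 1)
    if gcd(e, totient) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, totient)                # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(m, public_key):
    """Step 6: c = m^e mod n, for a message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c, private_key):
    """Step 7: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def integer_root(x, k):
    """Largest integer r with r^k <= x, found by binary search."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid
    return lo


def needs_padding(m, public_key):
    """True when m^e < n: the reduction mod n never happens, so the
    ciphertext is an ordinary power and an e-th root returns m."""
    e, n = public_key
    return m ** e < n


if __name__ == "__main__":
    public, private = make_keys(257, 65537, 3)    # constructed toy primes
    for m in (200, 300):                          # constructed messages
        c = encrypt(m, public)
        print(m, c, needs_padding(m, public), integer_root(c, 3), decrypt(c, private))
```

A message for which `needs_padding` is true must be padded before encryption, which is the first precaution the slide gives for e = 3.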
The Strength of the RSA Algorithm
Only the public key = [e, n] is known; p & q and the private key are kept secret. To find the private key an adversary must find the exponential inverse of e mod n = d
Creating the keys is relatively easy since two large primes p & q were used to create n of order 512-1024 bits. (n) was also required and easy to compute = (p-1)(q-1).
Finding d requires that the adversary find p & q by factoring n.
Factoring a 512 bit number is formidable - required on the order of 30,000 MIP-Years in 1995, but is no longer considered secure. 1024 bit numbers are still considered secure.