1 / 55

Cryptography: Algorithms on Numbers

Cryptography: Algorithms on Numbers. A Typical Setting. Alice. Bob. e(x). x. x = d(e(x)). Encoder. Decoder. Eve. Encryption Function e: <messages>  <encoded messages> Decryption Function d: <encoded messages>  <messages>.

venus
Download Presentation

Cryptography: Algorithms on Numbers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography: Algorithms on Numbers

  2. A Typical Setting Alice Bob e(x) x x = d(e(x)) Encoder Decoder Eve Encryption Function e: <messages>  <encoded messages> Decryption Function d: <encoded messages>  <messages> Goal: Design e() and d() so that without knowing d(), e(x) gives away very little information

  3. Codes in History • 405 BC: the Greek general LYSANDER OF SPARTA was sent a coded message about an impending Persian attack written on the inside of a servant's belt. To decipher it, it had to be wound on a staff (scytale). The spartans were forewarned, and defeated the persians • Caeser’s cipher: message sent by Caeser to Cicero during Gallic Wars

  4. Codes in History • 1586 AD: Mary, Queen of Scotts tried for plotting against Queen Elizabeth of England • As evidence, Francis Walsingham presented encrypted letters written by Mary, supporting the plot.

  5. Codes in History: World War I • Jan 1917: Telegram sent by Arthur Zimmerman, foreign secretary of Germany: asking Mexican govt. to attach United States • Feb 1917: Message was decoded by British Intelligence and delivered to president Woodrow Wilson • April 1917: US declares war on Germany

  6. Codes in History: World War II Blechtley park: center of British Intelligence Bombe: decryption machine Built by British Intelligence Enigma: German Encryption machine German submarine locations were communicated by encrypted messages using Enigma Made it easy for Allied forces to destroy German submarines Alan Turing: contributed significantly to Allied cryptography effort

  7. Secret Writing • Steganography: • steganos=covered, graphein=to write • (Chinese) hidden messages on silk, covered in wax • (Italy) write message on hard boiled egg that penetrates and stays on the albumen • Invisible ink that shows up on heating Cryptography: kryptos=hidden, graphein=to write

  8. Private Key Protocols

  9. Private-Key Protocol Alice and Bob meet beforehand and choose secret e() and d() functions Disadvantage: Need to meet beforehand Example: Choose secret string r, e.g. r=01110010 Encryption e(x) = x  r e.g. : e(11110000) = 11110000  01110010 = 10000010 Decryption d(y) = y  r e.g.: d(10000010) = 10000010  01110010 = 11110000 Problem: e(x)  e(x’) = (x  r)  (x  r) = (x  x’) Some information can come out by repeated use

  10. Private-Key Protocol: AES • Advanced Encryption Standard (AES) • Also known as Rijndael • Block Cipher • Developed by Belgian mathematicians Vincent Rijmen Joan Daemen • Approved by the US Govt. in 2001 • Repeated use possible • Security not rigorously established..

  11. Visual Cryptography Share 1 original Share 2 Share 3 Share 4

  12. Visual Cryptography Shares 1, 2 Shares 1,3 Shares 3,4

  13. Public Key Protocol Bob’s padlock (publicly available)

  14. Public Key Cryptosystems: RSA • Alice encrypts using Bob’s publicly available key e() • Bob decodes using his private function d() • Alice, Bob need not have met before • Computation easy if e() and d() known -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzKEgQgAAAEEALoDOnC4PKs4+G5LBXm5aP4djv56wm9kOCzpk4eEcpm0jNtl IKyuAf1EXauFVCFSCri11hwUCXm5kv4x5bNYyE6NqxY29G9VU4Niwmt7L8dGIqHu kS4FXcufA6sSMfoM8+oIzOv8d18dYhyf4PvAyl43EPgne/pw1c4T3nOFCCzVAAUR tClEb25hbGQgQSBXYXRyb3VzIDx3YXRyb3VzQGNzLnJ1dGdlcnMuZWR1PokAlQMF EDLWfyakXBby1t0uxQEBRNYD/jbc7ujRpCSI6uVLdDprzaYiCMgAajLyK53zrMrE Oj+zURDIMRVtPT2ugVHPUQFoXRMaXKi0IacI2WjetgHgaCwzra2swVj1sp2sFbr1 9bhDzTlf6gosbcmXcRzhGC76jVowphSfw6KN3/VAYyBxI/RtkDN/dKLrRDnniGSO M6X7iQCVAwUQMoSKmM4T3nOFCCzVAQE7dAP/SjXFV5XdvRLdjh6NoT2NIsaTceMn mXGsTAk4OM6DQztlM822uru9d0PoeTBu4som50T3C4BS6S54h7QoThwo96s0lgz7 ljcQozW1fKMSGVD+BQ5DO81DNnsZeT48OEZueUEzrMiazPMrlpkZNf1meD1A2JvI ThxQ3V71HwUvu5Q= =i41f -----END PGP PUBLIC KEY BLOCK-----

  15. Rivest-Shamir-Adleman (RSA) Cryptosystem • Need the following tools • Modular arithmetic • Euclid’s algorithm • Primality testing • Generating random primes

  16. Two’s complement method for storing signed integers • n-bits used to represent numbers in the range [-2n-1,2n-1-1] • Storing positive numbers in the range 0 to 2n-1-1: in regular binary with leading bit 0 • Storing negative numbers -x with 1 ≤ x ≤ 2n-1: • Construct x in binary • Flip all bits of x • Add 1 • Equivalent description: • Store modulo 2n • Negative numbers get stored as 2n - x = 2n-1 - x + 1 • Example: n=4 • (5)10 = (0101)2 • -5 stored as 1010+1 = 1011 • Equivalently: 1111 - 0101 + 1 = 1010 + 1

  17. Integer Multiplication (13)2 1 1 0 1 X 1 0 1 1 1 3 X 1 1 (11)2 1 3 1 3 1 1 0 1 1 1 0 1 0 0 0 0 1 1 0 1 1 4 3 (143)2 1 0 0 0 1 1 1 1 • Time Complexity • Each row has n bits • n rows • O(n2) time

  18. Write #s next to each other Divide first # by 2, multiply second by 2, rounding the result Keep going till first # gets down to 1 Strike out all rows in which first # is even Add what remains in column 2 1 1 13 5 26 2 52 1 104 143 Al-Khwarizmi’s method Combination of Binary and Decimal!

  19. Multiply (x,y) Input: two n-bit #s x,y Output: their product If y=0, return 0 z = Multiply (x, y/2) If y is even return 2z Else return x+2z Running Time Each recursive call halves y  #bits reduces by 1  O(n) recursive calls Each recursive call: Division by 2: O(n) steps Test for odd/even: O(1) One addition: O(n) O(n) per recursive call Al-Khwarizmi’s method Recursive algorithm Still O(n2) time overall Can we muliply faster? Divide-and-Conquer approach gives a o(n2) time algorithm

  20. Divide(x,y) Input: n-bit integers x,y, with y≥ 1 Output: Quotient q and remainder r of x divided by y If x=0: return (q,r) = (0,0) (q,r) = divide(x/2,y) q = 2q, r = 2r If x is odd: r=r+1 If r ≥ y: r = r-y, q = q+1 return (q,r) Example: Divide(11,3): 11 = 3· 3 + 2 q = 3, r = 2 (1,2) = divide(5,3) q = 2, r = 4 11 is odd => r=5 r=5 > 3 => r = 2, q = 3 Integer Division

  21. Factorization • Factors and prime numbers • Simplest algorithms for finding factors

  22. Prime Numbers • Definition A number a if prime if the only factors it has are 1 and a • Examples 6 is not a prime: it has factors 2 and 3 • 5 is a prime • Checking for primality of number N • Naive method: test all numbers 2 ,…, N-1 for factors • Suffices to test only up to √N • Too slow to do if N has 500 bit - 225 tests to make! • Faster method based on Fermat’s theorem • French lawyer, govt. official, did math in his spare time • Fermat’s last theorem took 357 years to be proved! 1601-1665

  23. Modular Arithmetic Seconds: counted modulo 60 Minutes: counted modulo 60 Hours: counted modulo 12 Days of the week: counted modulo 7 Keeps numbers from getting too big Computer Arithmetic: modulo 232

  24. Modular Arithmetic x  y (mod N)  N divides (x-y) Complexity of computing x (mod N) Examples: 253  13 (mod 60) 59  -1 (mod 60) Equivalence classes: Modular arithmetic deals with all integers but divides them into N equivalence classes of the form {i+kN : k is an integer} Equivalence classes modulo 3: ….. -9 -6 -3 0 3 6 9 ……. ….. -8 -5 -2 1 4 7 10 ……. ….. -7 -4 -1 2 5 8 11 ……..

  25. Modular Arithmetic • Substitution Rule • If x  y (mod N) and x’  y’ (mod N), then: • x + x’  y + y’ (mod N), and xx’  yy’ (mod N) Proof? • Example: 14 + 10 (mod 3)  2 + 1 (mod 3)  0 (mod 3) • 14 · 10 (mod 3)  2 · 1  (mod 3)  2 (mod 3) • Associative rule: x + (y + z)  (x + y) + z (mod N) • x(yz)  (xy)z (mod N) • Commutative rule: x + y  y + x (mod N) • xy  yx (mod N) • Distributive rule: x(y+z)  xy + xz (mod N) • Example: (2)345 (25)69  (32)69  (1)69  1 (mod 31)

  26. Implementing modular addition and multiplication • Adding x and y mod N • Compute x+y  {0,..,2(N-1)} • If sum exceeds N-1, subtract N • Running time O(n), where n = log N • Multiplying x and y mod N • Compute x · y  {0,…,(N-1)2} • Number of bits needed to store x · y ≤ 2n • Divide x · y by N to find remainder • O(n2) running time

  27. Modular Division • Multiplicative inverse in real arithmetic • Every number a  0 has an inverse 1/a • Example: inverse of 5 is 1/5 = 0.2 • Division by number a  0 is equivalent to multiplying by 1/a • Example: 10/5 = 10·(1/5) = 10 · (0.2) = 2 • Multiplicative inverse modulo N • x is the multiplicative inverse of a modulo N if ax  1 (mod N) • Example: 2 · 3  1 (mod 5). So (2)-1 = 3 (mod 5) • Sometimes there may be no inverse: (2)-1 (mod 6)? • For any x, 2x (mod 6) is even - therefore there is no x such that • 2x  1 (mod 6)

  28. Modular Exponentiation • Common operation: compute xy (mod N) • Numbers can become huge: • x, y are 20-bit numbers => xy can be 10 million bits long • Can be computed by repeated multiplications • x mod N  x2 mod N  ….  xy mod N • Take y multiplications • Suppose y is 500 bits long? 2500 multiplications!

  29. Modexp(x, y, N) Input: n-bit integers x and N, and integer exponent y Output: xy mod N If y=0: return 1 z = modexp(x, y/2, N) If y is even: return z2 mod N Else: return x·z2 mod N Running Time Each recursive call halves the exponent O(n) multiplications O(n3) time overall (xy/2)2, if y is even xy = x· (xy/2)2, if y is odd Repeated Squaring Recursive rule

  30. Greatest Common Divisor • Given numbers a, b: • gcd(a,b) = largest number d that divides both a and b • Example • 1035 = 32 · 5· 23, 759 = 3 · 11 · 23 • gcd( 1035, 759) = 3 · 23 = 69 • gcd can be computed by complete factorization, but no efficient algorithm is known for factorization • Euclid’s algorithm: First known algorithm • in history BC 325-265

  31. Useful properties for computing gcd • Symmetry • gcd(x,y) = gcd(y,x) • Euclid’s Rule • If x, y are positive integers with x ≥ y, then • gcd(x,y) = gcd (x mod y, y) • Example • gcd(24, 15) = gcd(23· 3, 3·5) = 3 • gcd(24 mod 15, 15) = gcd(9, 15) = gcd(32, 3·5) = 3

  32. Proof of Euclid’s Rule • Sufficient to show that gcd(x,y) = gcd(x-y, y): • Suppose x = qy+r • gcd(x,y) = gcd(x-y,y) = gcd(x-2y, y) = … = gcd(x-qy, y) • Suppose d divides x, y • Then d divides x-y • Therefore, gcd(x,y) ≤ gcd (x-y, y) • Suppose d divides x-y, y • Then d divides x, y • Therefore, gcd(x-y, y) ≤ gcd(x,y) • Therefore, gcd(x,y) = gcd(x-y, y) Property: if d divides x,y, then d divides ax+by

  33. Euclid’s Algorithm • Euclid(a,b) • Input: Integers a,b with a ≥ b • Output: gcd(a,b) • If b=0: return a • return Euclid(b, a mod b) • Running Time: Need to know how fast the arguments are reducing

  34. Analysis of Euclid’s Algorithm • Lemma: If a ≥ b, then a mod b < a/2 • Proof: • Case I: b ≤ a/2 Case II: b > a/2 • a mod b < b ≤ a/2 Then, a mod b = a-b < a/2 • Running Time: • In two rounds, both arguments are halved • #bits reduces by 1 for both arguments • Base case reached in ≤ 2n recursive calls • Each recursive call: O(n2) time division • O(n3) time overall a a b a/2 a/2 b a mod b a mod b

  35. Another Useful Property • Lemma: If d divides a and b, and d = ax+by for some integers x and y, then necessarily d = gcd(a,b) • Proof Since d divides a and b, d ≤ gcd(a,b) • Since gcd(a,b) divides a and b, gcd(a,b) divides ax+by = d  gcd(a,b) ≤ d Therefore, gcd(a,b) = d Example 24·2 + 15·(-3) = 3, and 3 divides 24, 15 gcd(24, 15) = 3 When can gcd(a,b) be expressed as ax+by? Always!!

  36. Extended Euclid’s Algorithm • Extended-euclid(a,b) • Input: Positive integers a,b with a ≥ b ≥ 0 • Output: Integers x, y, d such that d = gcd(a,b) and ax+by=d • If b = 0: return (1,0,a) • (x’, y’, d) = Extended-euclid(b, a mod b) • return (y’, x’ - a/by’, d) • Example: a = 25, b = 11 • 25 = 2· 11 + 3 gcd(25, 11) = gcd(11,3) • 11 = 3· 3 + 2 = gcd(3, 2) • 3 = 1· 2 + 1 = gcd(2, 1) • 2 = 2· 1 + 0 = gcd(1, 0) • = 1

  37. Example (contd.) • 25 = 2· 11 + 3 • 11 = 3· 3 + 2 • 3 = 1· 2 + 1 • 2 = 2· 1 + 0 • Extended-euclid(1,0) gives: ( 1, 0, 1) • Extended-euclid(2,1) gives: ( 0, 1 - 2·0, 1) = ( 0, 1, 1) • Extended-euclid(3,2) gives: ( 1, 0 - 1·1, 1) = ( 1, -1, 1) • Extended-euclid(11,3) gives: ( -1, 1 - 3·(-1), 1) = ( -1, 4, 1) • Extended-euclid(25,11) gives: ( 4, -1 - 2·4, 1) = (4, -9, 1) • 25 · 4 + 11 · (-9) = 1

  38. Proof of Extended Euclid’s algorithm • Lemma: For any positive integers a and b, extended-euclid(a,b) returns integers a, y and d such that gcd(a,b) = d = ax + by • Proof: The computation of gcd is unchanged. So d = gcd(a,b) • Proof by induction on b: • Base case: b=0. Then gcd(a,0)=a = a·1 + b·0 • Induction: consider extended-euclid(a,b) • Since a mod b < b, by induction, we have integers x’, y’ such that • gcd(b, a mod b) = bx’ + (a mod b)y’ • = bx’ + (a - a/bb)y’ • = ay’ + b(x’ - a/by’) • Therefore, gcd(a,b) = gcd(b, a mod b) = ax + by, • where x = y’, y = x’ - a/by’

  39. Modular Division • Recall • x is the multiplicative inverse of a modulo N if ax  1 (mod N) • Some times there is no inverse, e.g. (2)-1 (mod 6) • Modular division theorem For any a mod N, a has a multiplicative inverse modulo N if and only if gcd(a,N)=1. When this inverse exists, it can be computed in O(n3) time by the Extended-euclid algorithm. • Proof • Suppose (a,N)=1 • Extended-euclid() algorithm gives us integers a, y s.t. ax + Ny = 1 • Therefore, ax  1 (mod N) • Suppose there is an x s.t. ax 1 (mod N). Suppose gcd(a,N) = d. • Then ax = Nq + 1 for some integer q • d divides ax and Nq. Therefore, d divides 1, i.e., d=1

  40. Prime Numbers • Definition A number a if prime if the only factors it has are 1 and a • Examples 6 is not a prime: it has factors 2 and 3 • 5 is a prime • Checking for primality of number N • Naive method: test all numbers 2 ,…, N-1 for factors • Suffices to test only up to √N • Too slow to do if N has 500 bit - 225 tests to make! • Faster method based on Fermat’s theorem • French lawyer, govt. official, did math in his spare time • Fermat’s last theorem took 357 years to be proved! 1601-1665

  41. Fermat’s Little Theorem • Theorem (year 1640) If p is a prime, then for every 1 ≤ a < p, • ap-1 1 (mod p). • Example p = 5 • 24 = 16  1 (mod 5) • 34 = 92  42 = 16  1 (mod 5) • 44 = 162  12 = 1 (mod 5) • p=7, a=3 • 36  (32)3  23  1 (mod 7)

  42. Effect of multiplying by a • p = 7, S = { 1, 2, 3, 4, 5, 6} • Multiplying by a=3 has the effect of permuting the elements of S 1 1 S = { 1, 2, 3, 4, 5, 6} = { 3 · 1 mod 7, 3 · 2 mod 7, 3 · 3 mod 7, 3 · 4 mod 7, 3 · 5 mod 7, 3 · 6 mod 7 } 2 2 3 3 4 4 5 5 Multiplying the elements of both sets gives 6!  36 · 6! mod 7 Dividing by 6! (why can we do this?): 36 1 (mod 7) 6 6 Can we do this for any p?

  43. Proof of Fermat’s Little Theorem • S = { 1, 2, …, p-1} • Claim The numbers a · i mod p are distinct for i  S • Proof Suppose a · i  a · j mod p. Dividing by a, we have i  j mod p • Therefore, S = { a · 1 mod p, a · 2 mod p, … , a · (p-1) mod p } • Multiplying the elements of both sets • (p-1)!  ap-1 (p-1)! mod p • Dividing by (p-1)!, we get ap-1  1 (mod p)

  44. A “factorless” test for Primality “prime” Pass Pick Some a Is aN-1 1 mod N ? Fail “composite” • Problem Fermat’s test is not an if-and-only-if test • Does not say what happens if N is not a prime • Example: N=341 = 11·13 is not a prime, but 2340 1 mod 341  2 is a witness for 341 being composite • If N is composite, are there a lot of witnesses? • True for almost all composite numbers

  45. Example • N=9 • 28  4 (mod 9) • 38  0 (mod 9) • 48  7 (mod 9) • 58  7 (mod 9) • 68  0 (mod 9) • 78  4 (mod 9) • 88  1 (mod 9) • Algorithm makes a mistake only if it chooses a=8 • let A = { a: aN-1 1 (mod N) } • If we pick a not in A, aN-1 1 (mod N) : such a number is a “witness” for the non-primality of N • How many witnesses can there be for a composite number?

  46. Carmichael Numbers • Definition N is a carmichael number if for every number a < N, we have aN-1 1 (mod N) • Smallest carmichael number: 561 = 3 · 11 · 17 • Such numbers are exceedingly rare…. • For almost all composite numbers, there are enough witnesses

  47. Using Fermat’s Little Theorem • Lemma If aN-1 1 mod N for some a relatively prime to N, then it must hold for at least half the choices of a < N • Proof Fix some value of a such that aN-1 1 mod N. Suppose b < N • Satisfies the test, i.e., bN-1  1 mod N. • Then, (a·b)N-1  aN-1·bN-1  aN-1  1 mod N • Let S be the set of all b < N that pass the test. Then, all the numbers a · b, where b  S, fail the test. These numbers are distinct (why?). • Therefore, ignoring Carmichael numbers, we can assert the following: • If N is prime, then aN-1  1 (mod N) for all a < N • If N is not prime, then aN-1  1 (mod N) for at most half the values of a < N

  48. Test for Primality • Primality ( N) • Input: Positive integer N • Output: yes/no • Pick a positive integer a < N uniformly at random • if aN-1 1 (mod N): return yes • else: return no • Running Time O(n3) • let A = { a: aN-1 1 (mod N) } • Property • Pr[ Primality(N) returns yes when N is prime] = 1 • Pr[ Primality(N) returns yes when N is not prime] Error • = |A|/(N-1) ≤ 1/2 probability

  49. Reducing the error probability • Primality2 (N) • Input: Positive integer N • Output: yes/no • Pick positive integers a1, a2, …, ak < N at random • If aiN-1 1 (mod N) for all i=1, …, k: • return yes • Else: return no • Running Time O(kn3) • Pr[ Primality2(N) returns yes when N is not prime] ≤ 1/2k • For k=10, error probability ≤ 0.001

  50. RSA Protocol • Bob chooses his public and secret keys • Pick two large n-bit random primes p and q • His public key is (N,e), where N = pq, and e is any 2n-bit number relatively prime to (p-1)(q-1) • His secret key is d = (e)-1 (mod (p-1)(q-1)), computed using Extended-euclid algorithm • Alice wishes to send message x to Bob • She looks up his public key (N,e) • She sends him y = xe mod N, computed using algorithm modexp • Bob decodes message y • He computes x = yd mod N

More Related