560 likes | 694 Views
The Algebra of Encryption. CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 18 July 2011. Modern Cryptography. Multi-Precision Calculator. That’s a lot of digits. Modular Arithmetic. The Division Algorithm a = m b + r
E N D
The Algebra of Encryption CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 18 July 2011
Modern Cryptography Cliff McCullough
Multi-Precision Calculator Cliff McCullough
That’s a lot of digits Cliff McCullough
Modular Arithmetic • The Division Algorithm a = m b + r “Any integer a can be divided by b in such a way that the remainder is smaller than b.” (Burton, 2007, p. 17) Cliff McCullough
Examples • 13 = 1 * 12 + 1 • 13 ≡ 1 mod 12 • 9 = 0 * 12 + 9 • 9 ≡ 9 mod 12 Cliff McCullough
Addition • First express the numbers in modular form • Add the numbers and collect the terms • Adjust the multiplier if needed so that the residue is positive and less than the modulus Cliff McCullough
Subtraction • First express the numbers in modular form • Subtract the numbers and collect the terms • Adjust the multiplier if needed so that the residue is positive and less than the modulus Cliff McCullough
Multiplication • Multiplication is merely repeated addition • Adjust the multiplier so that the residue is positive and less than the modulus Cliff McCullough
Division • Division is tricky • Instead of c ---- = e d • We write c = d * e • Ask by what number, e, can we multiply d to result in c, in modular arithmetic? Cliff McCullough
Division by Multiplicative Inverse • Another way to divide is to multiply by the MMI c * d-1 = e • MMI: d * d-1≡1 mod modulus • Ask by what number, d-1 , can we multiply d such that the result is 1 in modular arithmetic? Cliff McCullough
Useful Functions • Euclidean Algorithm • Greatest Common Divisor • Modular Multiplicative Inverse • Modular Exponentiation • Chinese Remainder Theorem • Euler’s Totient Function Cliff McCullough
Greatest Common Divisor • Compare the smaller number to the larger • Find the quotient of the two numbers • Multiply the smaller by the quotient and subtract • Now compare the residue with the previous smaller number • Continue until the residue is zero Cliff McCullough
GCD Example Example from (Euclidean algorithm, 2011) Cliff McCullough
GCD Results AE = 3 * CF CD = 2 * AE + CF = 2 * 3 * CF + CF = 7 * CF AB = CD + AE = 7 * CF + 3 * CF = 10 * CF Cliff McCullough
Extended Euclidean Algorithm • Use Extended Euclidean Algorithm • Basically keep track of the coefficients • Start by writing the two numbers • Find the quotient • Multiply the second equation by the quotient and subtract from the first • Repeat steps 2 and 3 until the residue is zero Cliff McCullough
Extended Euclid Example • 50 = 50 ( 1) + 35 ( 0) • 35 = 50 ( 0) + 35 ( 1), q = 1 • 15 = 50 ( 1) + 35 ( -1), q = 2 • 5 = 50 ( -2) + 35 ( 3), q = 3 • 0 = 50 ( 7) + 35 (-10) Cliff McCullough
Finding the MMI • 13 = 13 ( 1) + 4 ( 0) • 4 = 13 ( 0) + 4 ( 1), q = 3 • 1 = 13 ( 1) + 4 ( -3) • 1 = 13 (1) + 4 (-3) + 13 (-4) + 4 (13) • 1 = 13 (1 - 4) + 4 (-3 + 13) • 1 = 13 (-3) + 4 (10) Cliff McCullough
Modular Exponentiation • Initiate X = base, E = exponent, Y = 1 • If E is odd • Replace Y = X * Y • Replace E = E - 1 • E is not even • Replace X = X * X • Replace E = E ÷2 • When E = 0, Y is the answer (Garrett, 2004, p. 123) Cliff McCullough
Exponentiation Example E = 11 = 8 + 2 + 1 Y = 38 * 32 * 31 = 6561 * 9 * 3 Cliff McCullough
Modular Exponentiation Example E = 11 = 8 + 2 + 1 Y = 38 * 32 * 31 = 237 * 9 * 3 mod 527 Cliff McCullough
Consider Multiplication 1111 11 x 1111 x 11 ---------------- -------- 1111 11 1111 + 11 1111 -------- + 1111 1001 ---------------- 11100001 Cliff McCullough
Chinese Remainder Theorem • Reduces calculation time by dealing with smaller numbers • Some elements may be pre-calculated and used repeatedly for subsequent calculations Cliff McCullough
How To CRT • Pre-calculations • Know the Factors of M • Calculate each Mi • Calculate MMI of each Mi mod mi • Calculate Ai • Perform the operation • Combine the results (Stallings, 2011, pp. p 254-257) Cliff McCullough
CRT Pre-calculations • Chose m1 and m2 M = m1 * m2 = 37 * 49 = 1813 • Calculate Mi = M ÷ mi M1= 1813 ÷ 37 = 49 M2 = 1813 ÷ 49 = 37 • Calculate Mi-1 mod mi M1-1mod m1 = 49-1 mod 37 ≡ 34 M2-1mod m2= 37-1 mod 49 ≡ 4 Cliff McCullough
CRT Pre-calculations too • Calculate Ai A1 = M1 * M1-1 mod M = 49 * 34 mod 1813 ≡ 1666 A2= M2* M2-1mod M = 37 * 4 mod 1813 ≡ 148 Cliff McCullough
CRT Addition • Compute x + y = zi mod mi for each mi 973 mod 37 = 11 973 mod 49 = 42 + 678 mod 37 = 12 + 678 mod 49 = 41 ----------------- ----------------- z1 = 23 mod 37 z2 = 34 mod 49 • Combine results (x + y) mod M = (z1 * A1 + z2 * A2) mod M (973 + 678) mod 1813 = (23 * 1666 + 34 * 148) mod 1813 ≡ 1651 Cliff McCullough
CRT Multiplication • Compute x * y = zi mod mi for each mi 973 mod 37 = 11 973 mod 49 = 42 * 678 mod 37 = 12 * 678 mod 49 = 41 ----------------- ----------------- z1 = 14 mod 37 z2 = 32 mod 49 • Combine results (x * y) mod M = (z1 * A1 + z2 * A2) mod M (973 + 678) mod 1813 = (14 * 1666 + 32 * 148) mod 1813 ≡ 865 Cliff McCullough
Euler’s Totient Function Euler’s totient function, Φ(n), identifies the number of integers, less than n, that are relatively prime to n. A good treatment of Euler’s Totient function can be found in (Burton, 2007, pp. 131-135). Φ(n)=(pi)*(qj)=(pi - pi-1)*(qj - qj-1) (Burton, 2007, pp. 131-135) Cliff McCullough
Phi Examples 21 = 3 * 7 Φ(21)=(3 - 1) * (7 - 1) = 2 * 6 = 12 • 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are coprime to 21 20 = 4 * 5 Φ(21)=(22-21) * (51-50) = (4-2)*(5-1)=2*4=8 • The 8 integers less than 20 coprime to 20 are1, 3, 7, 9, 11, 13, 17, 19 Cliff McCullough
Public Key Cryptography - RSA • RSA uses Euler’s theorem • If a and n are coprime • then aΦ(n) ≡ 1 mod n (Burton, 2007, p. 137) Cliff McCullough
How to RSA • Chose two prime numbers p and q • Form n = p * q and find Φ(n) • Choose encryption exponent e coprime to Φ(n) • Find MMI of e mod Φ(n) • Encrypt: C = Me mod n • Decrypt: M = Cd mod n Cliff McCullough
Why Does RSA Work • C = Me mod n • M = (C)d = Me*d mod n • e and d were chosen such that e * d ≡ 1 mod Φ(n), therefore: e * d = m * Φ(n) + 1 • Remember the Euler’s Theorem MΦ(n) ≡ 1 mod n • Me*d = MmΦ(n)+1 = (MΦ(n))m * M ≡1m * M mod n Cliff McCullough
RSA and CRT • To use CRT, we need to know the factors of n • Thus, we only use CRT to decrypt Cliff McCullough
RSA Example • Let: p = 17 q = 31 e = 11 message: M = 3 n = p * q = 17 * 31 = 527 Φ(n) = 16 * 30 = 480 d = e-1 mod Φ(n) ≡ 131 Cliff McCullough
RSA-CRT Pre-calculations P = n ÷ p = 31 P-1 mod p ≡ 11 Ap = P * P-1 mod n = 31 * 11 mod 527 ≡ 341 Q = n ÷ q = 17 Q-1 mod q ≡ 11 Aq = Q * Q-1 mod n = 17 * 11 mod 527 ≡ 187 dp = d mod Φ(p) = 131 mod 16 ≡ 3 dq= d mod Φ(q) = 131 mod 30 ≡ 11 Cliff McCullough
RSA Encrypt • Encrypt is standard C = Me mod n = 311 mod 527 ≡ 75 Cliff McCullough
RSA-CRT Decrypt • Decrypt uses CRT • Complete the operation Mp = Cdp mod p = 753 mod 17 ≡ 3 Mq = Cdq mod q = 7511 mod 31 ≡ 3 • Combine the results M = (Mp * Ap + Mq * Aq) mod n = (3 * 341 + 3 * 187) mod 527 ≡ 3 Cliff McCullough
How to Share a Secret • (Shamir, November, 1979) describes how to share a secret • A simple way of looking at this is to use a curve described by a polynomial function f(x) = atxt + at-1xt-1 ... a1x + a0 • Typically a0 is the secret information • a1 through at are chosen randomly Cliff McCullough
Why It Is Secret • We have t + 1 unknowns • the t + 1 coefficients • We need t + 1 points on the curve to identify all the coefficients • The secret shares are points on the curve • x, f(x) number pairs • x can be an index. Only f(x) must be secret Cliff McCullough
Paillier Cryptography • Carmichael function is very similar to Euler’s totient function λ(n) = lcm(p-1, q-1) • Useful properties wλ≡ 1 mod n wλn≡ 1 mod n2 • Which implies wλ = an + 1 wλn = bn2 + 1 (Paillier, 1999) Cliff McCullough
How to Paillier • Choose two safe primes p and q • Calculate n = p * q and λ(n) • Define the function u - 1 L(u) = ---------- n • Choose a generator value g such that L(gλ mod n2) and n are coprime • Public key is (g, n) • Private key is λ Cliff McCullough
Paillier Encrypt • For plaintext message m < n • Chose a random number r < n • Encrypt c = gmrn mod n2 Cliff McCullough
Paillier Decrypt • Decrypt L(cλ mod n2) m = ------------------ mod n L(gλ mod n2) Cliff McCullough
The Generator g • Start from the Carmichael function gλ= 1 + an gλx= (1 + an)x • Use binomial expansion (1+an)x=1 + x(an) + n2 ... • Result gλx = (1 + an)x = (1 + xan) mod n2 Cliff McCullough
Decrypt Numerator cλ - 1 gλmr λ n - 1 L(cλ mod n2) = -------- mod n2 = -------------- mod n2 n n • Applying the Generator g Result and Carmichael function L(cλ mod n2) = ma mod n2 Cliff McCullough
Decrypt Denominator gλ - 1 (1 + an) - 1 L(gλmod n2) = -------- mod n2 = -------------- mod n2 n n L(cλ mod n2) = a mod n2 Cliff McCullough
The Decrypt Result • Combining the results gives L(cλ mod n2) ma mod n2 m = ------------------ mod n = ---------------- mod n L(gλ mod n2) a mod n2 Cliff McCullough
Cryptographic Blinding • Cryptographic blinding allows for a message to be multiplied by a specially treated random number, while still allowing the message to be decrypted without knowledge of the random number. (Blinding (cryptography), 2011) Cliff McCullough
Paillier Blinding • We can apply any succession of blinding factors without affecting the successful decryption c = gm * r1n r2n ... rkn mod n2 = gm * rn mod n2 Cliff McCullough