Cryptography: Algorithms on Numbers
2
A Typical Setting
Alice (Encoder) sends e(x) to Bob (Decoder), who recovers x = d(e(x)). Eve listens on the channel in between.
Goal: Design e() and d() so that without knowing d(), e(x) gives away very little information
Encryption Function e: <messages> → <encoded messages>
Decryption Function d: <encoded messages> → <messages>
3
Codes in History
405 BC: the Greek general Lysander of Sparta was sent a coded message about an impending Persian attack, written on the inside of a servant's belt. To decipher it, the belt had to be wound on a staff (scytale). The Spartans were forewarned, and defeated the Persians.
Caesar's cipher: message sent by Caesar to Cicero during the Gallic Wars
4
Codes in History
1586 AD: Mary, Queen of Scots, tried for plotting against Queen Elizabeth of England
As evidence, Francis Walsingham presented encrypted letters written by Mary, supporting the plot.
5
Codes in History: World War I
Jan 1917: Telegram sent by Arthur Zimmermann, foreign secretary of Germany, asking the Mexican government to attack the United States
Feb 1917: Message was decoded by British Intelligence and delivered to President Woodrow Wilson
April 1917: US declares war on Germany
6
Codes in History: World War II
Enigma: German encryption machine
Bombe: decryption machine built by British Intelligence
Bletchley Park: center of British Intelligence
German submarine locations were communicated by encrypted messages using Enigma. Decrypting them made it easy for Allied forces to destroy German submarines.
Alan Turing: contributed significantly to the Allied cryptography effort
7
Secret Writing
Steganography: steganos = covered, graphein = to write
• (China) hidden messages on silk, covered in wax
• (Italy) write the message on a hard-boiled egg; the ink penetrates the shell and stays on the albumen
• Invisible ink that shows up on heating
Cryptography: kryptos = hidden, graphein = to write
8
Private Key Protocols
9
Private-Key Protocol
Alice and Bob meet beforehand and choose secret e() and d() functions. Disadvantage: they need to meet beforehand
Example: choose a secret string r, e.g. r = 01110010
Encryption: e(x) = x ⊕ r, e.g. e(11110000) = 11110000 ⊕ 01110010 = 10000010
Decryption: d(y) = y ⊕ r, e.g. d(10000010) = 10000010 ⊕ 01110010 = 11110000
Problem: e(x) ⊕ e(x') = (x ⊕ r) ⊕ (x' ⊕ r) = x ⊕ x'. Some information about the messages comes out by repeated use of the same r
10
Private-Key Protocol: AES
Advanced Encryption Standard (AES), also known as Rijndael
• Block cipher
• Developed by Belgian mathematicians Vincent Rijmen and Joan Daemen
• Approved by the US Govt. in 2001
• Repeated use possible
• Security not rigorously established
11
Visual Cryptography
[Figure: original image and its four shares, Share 1 to Share 4]
12
Visual Cryptography
[Figure: overlays of Shares 1, 2; Shares 1, 3; Shares 3, 4]
13
Public Key Protocol
Bob’s padlock (publicly available)
14
Public Key Cryptosystems: RSA
Alice encrypts using Bob's publicly available key e(). Bob decodes using his private function d(). Alice and Bob need not have met before. Computation is easy if e() and d() are known.
[Figure: a PGP public key block, "-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 … -----END PGP PUBLIC KEY BLOCK-----"]
15
Rivest-Shamir-Adleman (RSA) Cryptosystem
Need the following tools:
• Modular arithmetic
• Euclid's algorithm
• Primality testing
• Generating random primes
16
Two's complement method for storing signed integers
n bits are used to represent numbers in the range [-2^(n-1), 2^(n-1) - 1]
Storing positive numbers in the range 0 to 2^(n-1) - 1: in regular binary with leading bit 0
Storing negative numbers -x with 1 ≤ x ≤ 2^(n-1):
• Construct x in binary
• Flip all bits of x
• Add 1
Equivalent description: store modulo 2^n
Negative numbers get stored as 2^n - x = (2^n - 1 - x) + 1
Example: n = 4
(5)_10 = (0101)_2
-5 is stored as 1010 + 1 = 1011. Equivalently: 1111 - 0101 + 1 = 1010 + 1
17
Integer Multiplication
Decimal: 13 × 11
     13
   × 11
   ----
     13
    13
   ----
    143
Binary: (1101)_2 × (1011)_2, i.e. (13)_10 × (11)_10
       1101
     × 1011
     ------
       1101
      1101
     0000
    1101
   --------
   10001111   = (143)_10
Time Complexity
• Each row has n bits
• n rows
• O(n^2) time
18
Al-Khwarizmi's method
• Write the two numbers next to each other
• Divide the first number by 2 (rounding down) and multiply the second by 2
• Keep going until the first number gets down to 1
• Strike out all rows in which the first number is even
• Add what remains in column 2
11    13
 5    26
 2    52   (struck out: 2 is even)
 1   104
     ---
     143
Combination of binary and decimal!
19
Al-Khwarizmi's method: recursive algorithm
Multiply(x, y)
Input: two n-bit numbers x, y
Output: their product
  If y = 0: return 0
  z = Multiply(x, ⌊y/2⌋)
  If y is even: return 2z
  Else: return x + 2z
Running Time
• Each recursive call halves y, so the number of bits reduces by 1: O(n) recursive calls
• Each recursive call: division by 2 takes O(n) steps, the test for odd/even O(1), one addition O(n). So O(n) per recursive call
• Still O(n^2) time overall
Can we multiply faster? A divide-and-conquer approach gives an o(n^2) time algorithm
20
Integer Division
Divide(x, y)
Input: n-bit integers x, y, with y ≥ 1
Output: quotient q and remainder r of x divided by y
  If x = 0: return (q, r) = (0, 0)
  (q, r) = Divide(⌊x/2⌋, y)
  q = 2q, r = 2r
  If x is odd: r = r + 1
  If r ≥ y: r = r - y, q = q + 1
  return (q, r)
Example: Divide(11, 3)
11 = 3·3 + 2, so q = 3, r = 2
(1, 2) = Divide(5, 3)
q = 2, r = 4
11 is odd => r = 5
r = 5 > 3 => r = 2, q = 3
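The Multiply and Divide procedures from the two slides above, written out in Python as an added example (this is not code from the lecture). The trace helper records each recursion level so the hand trace of Divide(11, 3) can be compared against it.

```python
import random


def multiply(x: int, y: int) -> int:
    """Al-Khwarizmi's recursive multiplication from the slides (y >= 0)."""
    if y == 0:
        return 0
    z = multiply(x, y // 2)            # product with floor(y/2)
    return 2 * z if y % 2 == 0 else x + 2 * z


def divide(x: int, y: int, trace=None):
    """Recursive Divide(x, y): returns (q, r) with x = q*y + r, 0 <= r < y.

    If a list is passed as trace, every level appends (x_at_level, q, r),
    innermost call first, so the slide's hand trace can be checked.
    """
    if y < 1:
        raise ValueError("divisor must be at least 1")
    if x == 0:
        if trace is not None:
            trace.append((0, 0, 0))
        return 0, 0
    q, r = divide(x // 2, y, trace)    # (q, r) for floor(x/2)
    q, r = 2 * q, 2 * r                # doubling gives x or x - 1 ...
    if x % 2 == 1:
        r += 1                         # ... so restore the dropped low bit
    if r >= y:                         # remainder can overshoot by at most y
        r -= y
        q += 1
    if trace is not None:
        trace.append((x, q, r))
    return q, r


def divide_trace(x: int, y: int):
    """The innermost-first sequence of (x, q, r) for Divide(x, y)."""
    trace = []
    divide(x, y, trace)
    return trace


def agrees_with_builtin(trials: int = 200, seed: int = 1) -> bool:
    """Cross-check both procedures against Python's * and divmod."""
    rng = random.Random(seed)          # fixed seed: constructed sample inputs
    for _ in range(trials):
        x, y = rng.randrange(0, 1 << 64), rng.randrange(1, 1 << 32)
        if multiply(x, y) != x * y or divide(x, y) != divmod(x, y):
            return False
    return True
```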
21
Factorization
Factors and prime numbers
Simplest algorithms for finding factors
22
Prime Numbers
Definition: A number a is prime if the only factors it has are 1 and a
Examples: 6 is not a prime: it has factors 2 and 3
5 is a prime
Checking for primality of a number N
• Naive method: test all numbers 2, …, N-1 for factors
• Suffices to test only up to √N
• Too slow if N has 500 bits: about 2^250 tests to make!
• Faster method based on Fermat's theorem
Pierre de Fermat (1601-1665)
• French lawyer, govt. official, did math in his spare time
• Fermat's last theorem took 357 years to be proved!
23
Modular Arithmetic
Seconds: counted modulo 60
Minutes: counted modulo 60
Hours: counted modulo 12
Days of the week: counted modulo 7
Keeps numbers from getting too big
Computer arithmetic: modulo 2^32
24
Modular Arithmetic
x ≡ y (mod N) means N divides (x - y)
Complexity of computing x (mod N)?
Examples: 253 ≡ 13 (mod 60); 59 ≡ -1 (mod 60)
Equivalence classes: modular arithmetic deals with all integers but divides them into N equivalence classes of the form {i + kN : k is an integer}
Equivalence classes modulo 3:
…  -9  -6  -3  0  3  6   9  …
…  -8  -5  -2  1  4  7  10  …
…  -7  -4  -1  2  5  8  11  …
25
Modular Arithmetic
Substitution Rule: If x ≡ y (mod N) and x' ≡ y' (mod N), then x + x' ≡ y + y' (mod N), and xx' ≡ yy' (mod N). Proof?
Example: 14 + 10 (mod 3) ≡ 2 + 1 (mod 3) ≡ 0 (mod 3); 14 · 10 (mod 3) ≡ 2 · 1 (mod 3) ≡ 2 (mod 3)
Associative rule: x + (y + z) ≡ (x + y) + z (mod N); x(yz) ≡ (xy)z (mod N)
Commutative rule: x + y ≡ y + x (mod N); xy ≡ yx (mod N)
Distributive rule: x(y + z) ≡ xy + xz (mod N)
Example: 2^345 ≡ (2^5)^69 ≡ 32^69 ≡ 1^69 ≡ 1 (mod 31)
26
Implementing modular addition and multiplication
Adding x and y mod N: compute x + y ∈ {0, …, 2(N-1)}; if the sum exceeds N-1, subtract N. Running time O(n), where n = log N
Multiplying x and y mod N: compute x · y ∈ {0, …, (N-1)^2}; the number of bits needed to store x · y is ≤ 2n; divide x · y by N to find the remainder. O(n^2) running time
27
Modular Division
Multiplicative inverse in real arithmetic: every number a ≠ 0 has an inverse 1/a. Example: the inverse of 5 is 1/5 = 0.2. Division by a number a ≠ 0 is equivalent to multiplying by 1/a. Example: 10/5 = 10·(1/5) = 10·(0.2) = 2
Multiplicative inverse modulo N: x is the multiplicative inverse of a modulo N if ax ≡ 1 (mod N). Example: 2 · 3 ≡ 1 (mod 5), so 2^(-1) ≡ 3 (mod 5). Sometimes there may be no inverse: 2^(-1) (mod 6)? For any x, 2x (mod 6) is even, therefore there is no x such that 2x ≡ 1 (mod 6)
28
Modular Exponentiation
Common operation: compute x^y (mod N). Numbers can become huge:
x, y are 20-bit numbers => x^y can be 10 million bits long
Can be computed by repeated multiplications: x mod N, x^2 mod N, …, x^y mod N. Takes y multiplications. Suppose y is 500 bits long? 2^500 multiplications!
29
Repeated Squaring
Modexp(x, y, N)
Input: n-bit integers x and N, and integer exponent y
Output: x^y mod N
  If y = 0: return 1
  z = Modexp(x, ⌊y/2⌋, N)
  If y is even: return z^2 mod N
  Else: return x · z^2 mod N
Running Time: each recursive call halves the exponent, so O(n) multiplications and O(n^3) time overall
Recursive rule:
x^y = (x^⌊y/2⌋)^2, if y is even
x^y = x · (x^⌊y/2⌋)^2, if y is odd
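Repeated squaring as on the slide above, with a counter of modular multiplications, added here as a Python example (not lecture code) so the O(n)-multiplications claim and the earlier 2^345 mod 31 computation can be checked against the naive y-multiplication method.

```python
def modexp(x: int, y: int, N: int, cost=None) -> int:
    """Modexp(x, y, N) by repeated squaring.

    cost, if given, is a one-element list that accumulates the number of
    modular multiplications, so the bound of 2 per exponent bit is visible.
    """
    if y == 0:
        return 1 % N                   # 1 % N also handles the degenerate N = 1
    z = modexp(x, y // 2, N, cost)
    if y % 2 == 0:
        if cost is not None:
            cost[0] += 1               # one squaring
        return (z * z) % N
    if cost is not None:
        cost[0] += 2                   # squaring plus a multiply by x
    return (x * z * z) % N


def naive_modexp(x: int, y: int, N: int):
    """The slide's repeated-multiplication method: (result, #multiplications)."""
    result, mults = 1 % N, 0
    for _ in range(y):
        result = (result * x) % N
        mults += 1
    return result, mults


def modexp_cost(x: int, y: int, N: int):
    """(x^y mod N, number of modular multiplications used by modexp)."""
    cost = [0]
    return modexp(x, y, N, cost), cost[0]


def within_bound(x: int, y: int, N: int) -> bool:
    """Slide claim: at most 2 multiplications per bit of the exponent."""
    return modexp_cost(x, y, N)[1] <= 2 * y.bit_length()
```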
30
Greatest Common Divisor
Given numbers a, b: gcd(a, b) = the largest number d that divides both a and b
Example: 1035 = 3^2 · 5 · 23, 759 = 3 · 11 · 23, so gcd(1035, 759) = 3 · 23 = 69
gcd can be computed by complete factorization, but no efficient algorithm is known for factorization
Euclid's algorithm: the first known algorithm in history
Euclid (c. 325-265 BC)
31
Useful properties for computing gcd
Symmetry: gcd(x, y) = gcd(y, x)
Euclid's Rule: If x, y are positive integers with x ≥ y, then gcd(x, y) = gcd(x mod y, y)
Example: gcd(24, 15) = gcd(2^3 · 3, 3 · 5) = 3; gcd(24 mod 15, 15) = gcd(9, 15) = gcd(3^2, 3 · 5) = 3
32
Proof of Euclid’s Rule
Sufficient to show that gcd(x, y) = gcd(x - y, y): suppose x = qy + r; then gcd(x, y) = gcd(x - y, y) = gcd(x - 2y, y) = … = gcd(x - qy, y)
Suppose d divides x, y. Then d divides x - y. Therefore, gcd(x, y) ≤ gcd(x - y, y)
Suppose d divides x - y, y. Then d divides x, y. Therefore, gcd(x - y, y) ≤ gcd(x, y)
Therefore, gcd(x, y) = gcd(x - y, y)
Property used: if d divides x, y, then d divides ax + by
33
Euclid’s Algorithm
Euclid(a, b)
Input: integers a, b with a ≥ b
Output: gcd(a, b)
  If b = 0: return a
  return Euclid(b, a mod b)
Running Time: need to know how fast the arguments are reducing
34
Analysis of Euclid’s Algorithm
Lemma: If a ≥ b, then a mod b < a/2
Proof:
Case I: b ≤ a/2. Then a mod b < b ≤ a/2
Case II: b > a/2. Then a mod b = a - b < a/2
Running Time: in two rounds, both arguments are halved, so the number of bits reduces by 1 for both arguments. The base case is reached in ≤ 2n recursive calls. Each recursive call: O(n^2) time division. O(n^3) time overall
[Figure: number lines marking a, a/2, b and a mod b for the two cases]
35
Another Useful Property
Lemma: If d divides a and b, and d = ax + by for some integers x and y, then necessarily d = gcd(a, b)
Proof: Since d divides a and b, d ≤ gcd(a, b). Since gcd(a, b) divides a and b, gcd(a, b) divides ax + by = d, so gcd(a, b) ≤ d. Therefore, gcd(a, b) = d
Example: 24·2 + 15·(-3) = 3, and 3 divides 24, 15, so gcd(24, 15) = 3
When can gcd(a, b) be expressed as ax + by? Always!!
36
Extended Euclid’s Algorithm
Extended-euclid(a, b)
Input: positive integers a, b with a ≥ b ≥ 0
Output: integers x, y, d such that d = gcd(a, b) and ax + by = d
  If b = 0: return (1, 0, a)
  (x', y', d) = Extended-euclid(b, a mod b)
  return (y', x' - ⌊a/b⌋y', d)
Example: a = 25, b = 11
25 = 2·11 + 3    gcd(25, 11) = gcd(11, 3)
11 = 3·3 + 2     = gcd(3, 2)
3 = 1·2 + 1      = gcd(2, 1)
2 = 2·1 + 0      = gcd(1, 0)
                 = 1
37
Example (contd.)
25 = 2·11 + 3
11 = 3·3 + 2
3 = 1·2 + 1
2 = 2·1 + 0
Extended-euclid(1, 0) gives: (1, 0, 1)
Extended-euclid(2, 1) gives: (0, 1 - 2·0, 1) = (0, 1, 1)
Extended-euclid(3, 2) gives: (1, 0 - 1·1, 1) = (1, -1, 1)
Extended-euclid(11, 3) gives: (-1, 1 - 3·(-1), 1) = (-1, 4, 1)
Extended-euclid(25, 11) gives: (4, -1 - 2·4, 1) = (4, -9, 1)
25 · 4 + 11 · (-9) = 1
38
Proof of Extended Euclid’s algorithm
Lemma: For any positive integers a and b, Extended-euclid(a, b) returns integers x, y and d such that gcd(a, b) = d = ax + by
Proof: The computation of gcd is unchanged, so d = gcd(a, b)
Proof by induction on b:
Base case: b = 0. Then gcd(a, 0) = a = a·1 + b·0
Induction: consider Extended-euclid(a, b). Since a mod b < b, by induction we have integers x', y' such that
gcd(b, a mod b) = bx' + (a mod b)y'
 = bx' + (a - ⌊a/b⌋b)y'
 = ay' + b(x' - ⌊a/b⌋y')
Therefore, gcd(a, b) = gcd(b, a mod b) = ax + by, where x = y', y = x' - ⌊a/b⌋y'
39
Modular Division
Recall: x is the multiplicative inverse of a modulo N if ax ≡ 1 (mod N). Sometimes there is no inverse, e.g. 2^(-1) (mod 6)
Modular division theorem: For any a mod N, a has a multiplicative inverse modulo N if and only if gcd(a, N) = 1. When this inverse exists, it can be computed in O(n^3) time by the Extended-euclid algorithm.
Proof
Suppose gcd(a, N) = 1. The Extended-euclid algorithm gives us integers x, y s.t. ax + Ny = 1. Therefore, ax ≡ 1 (mod N)
Suppose there is an x s.t. ax ≡ 1 (mod N), and suppose gcd(a, N) = d. Then ax = Nq + 1 for some integer q. d divides ax and Nq. Therefore, d divides 1, i.e., d = 1
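Extended Euclid and the modular division theorem above, as one added Python example (not lecture code): the recursion from the slide, a step recorder that reproduces the (25, 11) hand computation, and a modular inverse that returns None exactly when gcd(a, N) ≠ 1, as for 2 mod 6.

```python
def extended_euclid(a: int, b: int):
    """Extended-euclid(a, b) from the slides, for a >= b >= 0.
    Returns (x, y, d) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return 1, 0, a
    x1, y1, d = extended_euclid(b, a % b)
    # gcd(b, a mod b) = b*x1 + (a - floor(a/b)*b)*y1
    #                 = a*y1 + b*(x1 - floor(a/b)*y1)
    return y1, x1 - (a // b) * y1, d


def extended_euclid_steps(a: int, b: int):
    """List of ((a, b), (x, y, d)) for every call, innermost first,
    mirroring the slide's table for Extended-euclid(25, 11)."""
    steps = []

    def rec(a, b):
        if b == 0:
            res = (1, 0, a)
        else:
            x1, y1, d = rec(b, a % b)
            res = (y1, x1 - (a // b) * y1, d)
        steps.append(((a, b), res))
        return res

    rec(a, b)
    return steps


def mod_inverse(a: int, N: int):
    """Modular division theorem: a^-1 mod N exists iff gcd(a, N) == 1.
    Returns the inverse in 0..N-1, or None when there is none."""
    a %= N
    x, y, d = extended_euclid(N, a)    # N*x + a*y = d, and N > a here
    if d != 1:
        return None
    return y % N                       # a*y == 1 (mod N)


def check_bezout(a: int, b: int) -> bool:
    """a*x + b*y == d, and d really divides both inputs."""
    x, y, d = extended_euclid(a, b)
    return a * x + b * y == d and d > 0 and a % d == 0 and b % d == 0
```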
41
Fermat’s Little Theorem
Theorem (year 1640): If p is a prime, then for every 1 ≤ a < p, a^(p-1) ≡ 1 (mod p).
Example: p = 5
2^4 = 16 ≡ 1 (mod 5)
3^4 = 9^2 ≡ 4^2 = 16 ≡ 1 (mod 5)
4^4 = 16^2 ≡ 1^2 = 1 (mod 5)
p = 7, a = 3: 3^6 = (3^2)^3 ≡ 2^3 ≡ 1 (mod 7)
42
Effect of multiplying by a
p = 7, S = {1, 2, 3, 4, 5, 6}. Multiplying by a = 3 has the effect of permuting the elements of S:
1 → 3·1 mod 7 = 3
2 → 3·2 mod 7 = 6
3 → 3·3 mod 7 = 2
4 → 3·4 mod 7 = 5
5 → 3·5 mod 7 = 1
6 → 3·6 mod 7 = 4
S = {1, 2, 3, 4, 5, 6} = {3·1 mod 7, 3·2 mod 7, 3·3 mod 7, 3·4 mod 7, 3·5 mod 7, 3·6 mod 7}
Multiplying the elements of both sets gives 6! ≡ 3^6 · 6! (mod 7)
Dividing by 6! (why can we do this?): 3^6 ≡ 1 (mod 7)
Can we do this for any p?
43
Proof of Fermat’s Little Theorem
S = {1, 2, …, p-1}
Claim: the numbers a · i mod p are distinct for i ∈ S
Proof: suppose a · i ≡ a · j (mod p). Dividing by a, we have i ≡ j (mod p)
Therefore, S = {a · 1 mod p, a · 2 mod p, …, a · (p-1) mod p}
Multiplying the elements of both sets: (p-1)! ≡ a^(p-1) (p-1)! (mod p)
Dividing by (p-1)!, we get a^(p-1) ≡ 1 (mod p)
44
A "factorless" test for Primality
Pick some a. Is a^(N-1) ≡ 1 (mod N)?
Pass → "prime"
Fail → "composite"
Problem: Fermat's test is not an if-and-only-if test. It does not say what happens if N is not a prime.
Example: N = 341 = 11·31 is not a prime, but 2^340 ≡ 1 (mod 341). An a with a^340 ≢ 1 (mod 341) is a witness for 341 being composite.
If N is composite, are there a lot of witnesses? True for almost all composite numbers
45
Example
N = 9
2^8 ≡ 4 (mod 9)
3^8 ≡ 0 (mod 9)
4^8 ≡ 7 (mod 9)
5^8 ≡ 7 (mod 9)
6^8 ≡ 0 (mod 9)
7^8 ≡ 4 (mod 9)
8^8 ≡ 1 (mod 9)
The algorithm makes a mistake only if it chooses a = 8
Let A = {a : a^(N-1) ≡ 1 (mod N)}. If we pick a not in A, then a^(N-1) ≢ 1 (mod N): such a number is a "witness" for the non-primality of N
How many witnesses can there be for a composite number?
46
Carmichael Numbers
Definition: N is a Carmichael number if for every number a < N relatively prime to N, we have a^(N-1) ≡ 1 (mod N)
Smallest Carmichael number: 561 = 3 · 11 · 17. Such numbers are exceedingly rare…
For almost all composite numbers, there are enough witnesses
47
Using Fermat’s Little Theorem
Lemma: If a^(N-1) ≢ 1 (mod N) for some a relatively prime to N, then a^(N-1) ≢ 1 (mod N) for at least half the choices of a < N
Proof: Fix some value of a such that a^(N-1) ≢ 1 (mod N). Suppose b < N satisfies the test, i.e., b^(N-1) ≡ 1 (mod N). Then (a·b)^(N-1) ≡ a^(N-1) · b^(N-1) ≡ a^(N-1) ≢ 1 (mod N)
Let S be the set of all b < N that pass the test. Then all the numbers a · b mod N, where b ∈ S, fail the test. These numbers are distinct (why?).
Therefore, ignoring Carmichael numbers, we can assert the following:
If N is prime, then a^(N-1) ≡ 1 (mod N) for all a < N
If N is not prime, then a^(N-1) ≡ 1 (mod N) for at most half the values of a < N
48
Test for Primality
Primality(N)
Input: positive integer N
Output: yes/no
  Pick a positive integer a < N uniformly at random
  If a^(N-1) ≡ 1 (mod N): return yes
  Else: return no
Running Time: O(n^3)
Let A = {a : a^(N-1) ≡ 1 (mod N)}
Property: Pr[Primality(N) returns yes when N is prime] = 1
Error probability: Pr[Primality(N) returns yes when N is not prime] = |A|/(N-1) ≤ 1/2
49
Reducing the error probability
Primality2(N)
Input: positive integer N
Output: yes/no
  Pick positive integers a_1, a_2, …, a_k < N at random
  If a_i^(N-1) ≡ 1 (mod N) for all i = 1, …, k: return yes
  Else: return no
Running Time: O(k n^3)
Pr[Primality2(N) returns yes when N is not prime] ≤ 1/2^k
For k = 10, error probability ≤ 0.001
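The Fermat test, the witness set A, Carmichael numbers and Primality2 from the preceding slides, as an added Python example (not lecture code). Python's built-in pow(a, e, N) stands in for Modexp. It reproduces the N = 9 table (only a = 8, besides the trivial a = 1, passes), shows that 2 is not a witness for 341 while 3 is, and that 561 passes for every base coprime to it.

```python
import random
from math import gcd


def fermat_passes(a: int, N: int) -> bool:
    """The single-base test from the slide: a^(N-1) == 1 (mod N)."""
    return pow(a, N - 1, N) == 1


def passing_set(N: int):
    """A = {a in 1..N-1 : a^(N-1) == 1 (mod N)}."""
    return {a for a in range(1, N) if fermat_passes(a, N)}


def witnesses(N: int):
    """Bases in 1..N-1 that reveal N is composite (the complement of A)."""
    return set(range(1, N)) - passing_set(N)


def is_carmichael(N: int) -> bool:
    """Composite N that passes for every base relatively prime to N."""
    composite = any(N % k == 0 for k in range(2, int(N ** 0.5) + 1))
    return composite and all(fermat_passes(a, N)
                             for a in range(1, N) if gcd(a, N) == 1)


def fermat_test(N: int, bases) -> bool:
    """Primality2 with the bases supplied explicitly (deterministic)."""
    return all(fermat_passes(a, N) for a in bases)


def primality2(N: int, k: int = 10, rng=random) -> bool:
    """Primality2(N): k random bases a < N; for composites that are not
    Carmichael numbers the answer is wrong with probability <= 1/2^k."""
    if N < 4:
        return N in (2, 3)
    return fermat_test(N, (rng.randrange(1, N) for _ in range(k)))
```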
50
RSA Protocol
Bob chooses his public and secret keys:
• Pick two large n-bit random primes p and q
• His public key is (N, e), where N = pq, and e is any 2n-bit number relatively prime to (p-1)(q-1)
• His secret key is d = e^(-1) (mod (p-1)(q-1)), computed using the Extended-euclid algorithm
Alice wishes to send message x to Bob:
• She looks up his public key (N, e)
• She sends him y = x^e mod N, computed using the algorithm Modexp
Bob decodes message y:
• He computes x = y^d mod N
51
Example: RSA protocol
Let p = 5, q = 11. Then N = 5 · 11 = 55
Let e = 3. gcd(e, (p-1)(q-1)) = gcd(3, 40) = 1. Then d = e^(-1) (mod 40) = 27 (mod 40)
Encryption of message x: y = x^3 (mod 55)
e.g. x = 13. Then y = 13^3 (mod 55) ≡ 169 · 13 (mod 55) ≡ 4 · 13 (mod 55) ≡ 52 (mod 55)
Decryption of y: x = y^27 (mod 55)
For y = 52, x = 52^27 mod 55 ≡ (-3)^27 mod 55 ≡ 13 mod 55
52
Analyzing RSA
Property: Let p and q be two primes and N = pq. For any e relatively prime to (p-1)(q-1):
1. The mapping x ↦ x^e mod N is a bijection on {0, …, N-1}
2. The inverse mapping is simple: let d = e^(-1) mod (p-1)(q-1). Then, for all x ∈ {0, …, N-1}: (x^e)^d ≡ x (mod N)
Property 1: every message is encoded in a unique manner, no information is lost
Property 2: decoding is possible
53
Proof
Property 2 ⇒ the map in Prop. 1 is invertible ⇒ it is a bijection. So it suffices to prove property 2
ed ≡ 1 mod (p-1)(q-1) ⇒ ed = 1 + k(p-1)(q-1) for some integer k
Then x^(ed) - x = x^(1+k(p-1)(q-1)) - x
The statement is true if x ≡ 0 (mod p) and x ≡ 0 (mod q)
Suppose x ≢ 0 (mod p) and x ≢ 0 (mod q). Then x^(p-1) ≡ 1 (mod p) and x^(q-1) ≡ 1 (mod q), so
x^(1+k(p-1)(q-1)) - x ≡ 0 (mod p)
x^(1+k(p-1)(q-1)) - x ≡ 0 (mod q)
Therefore, pq = N divides x^(ed) - x
Suppose x ≡ 0 (mod p) and x ≢ 0 (mod q) (the other mixed case is symmetric). Then x^(1+k(p-1)(q-1)) - x ≡ 0 (mod q), as before, and x^(1+k(p-1)(q-1)) - x ≡ 0 (mod p), since p divides x. Therefore, N = pq divides x^(ed) - x
54
Security of RSA protocol
Given y = x^e mod N, and (N, e), how can x be retrieved?
• Blind guess? Too many choices
• Factor N to compute p, q and then find d = e^(-1) mod (p-1)(q-1). Factorization is believed to be hard
• Small errors in the estimate of d lead to significant errors in the decoded message
p = 5, q = 11, N = 55, e = 3. Then d = e^(-1) (mod 40) = 27 (mod 40). Let x = 13. Then y = x^3 (mod 55) ≡ 52 (mod 55), and y^27 mod 55 ≡ 13
Suppose d' = 25 (a slightly incorrect estimate of the secret key): y^25 mod 55 ≡ (-3)^25 ≡ (-3)^(6·4+1) ≡ (14)^4 · (-3) ≡ 32 (mod 55)
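The RSA protocol, its toy example (p = 5, q = 11, e = 3, x = 13) and the two properties above, as an added Python example (not lecture code). pow(e, -1, m) is Python 3.8+'s modular inverse, standing in for Extended-euclid; pow(x, e, N) stands in for Modexp. The bijection check and the exhaustive round-trip are feasible only because N is tiny.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Bob's key setup: public (N, e), secret d = e^-1 mod (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (N, e), pow(e, -1, phi)


def rsa_encrypt(x: int, public_key) -> int:
    """Alice: y = x^e mod N."""
    N, e = public_key
    if not 0 <= x < N:
        raise ValueError("message must lie in 0..N-1")
    return pow(x, e, N)


def rsa_decrypt(y: int, d: int, N: int) -> int:
    """Bob: x = y^d mod N (any d works as an input, so a wrong d is testable)."""
    return pow(y, d, N)


def is_bijection(public_key) -> bool:
    """Property 1: x -> x^e mod N permutes {0, ..., N-1}."""
    N, e = public_key
    return sorted(pow(x, e, N) for x in range(N)) == list(range(N))


def roundtrip_all(p: int, q: int, e: int) -> bool:
    """Property 2 checked exhaustively: (x^e)^d == x for every residue."""
    public, d = rsa_keygen(p, q, e)
    N = public[0]
    return all(rsa_decrypt(rsa_encrypt(x, public), d, N) == x for x in range(N))


def slide_example():
    """p = 5, q = 11, e = 3, x = 13, plus decryption with the wrong d' = 25."""
    public, d = rsa_keygen(5, 11, 3)
    N = public[0]
    y = rsa_encrypt(13, public)
    return {"d": d, "y": y, "x": rsa_decrypt(y, d, N),
            "wrong_d": rsa_decrypt(y, 25, N)}
```

This is textbook RSA at lecture scale: deployed RSA uses large random primes and a padding scheme such as OAEP, because raw x^e mod N is deterministic and leaks message equality.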
55
Authentication
Anyone can pretend to be Alice and send a message to Bob. Using RSA to authenticate the message: digital signatures