inside pk cryptography: math and implementation

Inside PK Cryptography: Math and Implementation Sriram Srinivasan (“Ram”) [email protected]

Upload: gale

Post on 08-Feb-2016


TRANSCRIPT

Page 1: Inside PK Cryptography: Math and Implementation

Inside PK Cryptography:

Math and Implementation

Sriram Srinivasan (“Ram”) [email protected]

Page 2: Inside PK Cryptography: Math and Implementation

Sriram Srinivasan 2/47

Agenda

- Introduction to PK Cryptography
- Essential Number Theory
  - Fundamental Number Theorem
  - GCD, Euclid’s algorithm
  - Linear combinations
  - Modular Arithmetic
  - Euler’s Totient Function
- Java implementation of RSA

Page 3: Inside PK Cryptography: Math and Implementation

Security Issues

- Authentication, Authorization, and Encryption, Non-repudiation
- Shared Secrets (e.g. passwords, Enigma)
- Something shared, something (else) secret
  - Concept by Ellis, Cocks and Williamson
  - Popularly attributed to Diffie and Hellman
  - Algorithm by Rivest, Shamir and Adleman
- Used everywhere: https, SSL, email, certificates.

Page 4: Inside PK Cryptography: Math and Implementation

Public Key Cryptography

- Consider a pair of magic pens.
  - Write with one, use the other to decode.
  - Symmetric: either can be used to encode
- You want to send a message to me
  - You borrow one of my pens and write with it.
  - I decode it with my other pen.
  - Avoids problems of shared secrets
- Same tools for authentication, encryption and non-repudiation.

Page 5: Inside PK Cryptography: Math and Implementation

Mathematics

Page 6: Inside PK Cryptography: Math and Implementation

Fundamental Theorem of Arithmetic

- All numbers are expressible as a unique product of primes
  - 10 = 2 * 5, 60 = 2 * 2 * 3 * 5
- Proof in two parts
  1. All numbers are expressible as products of primes
  2. There is only one such product sequence per number

Page 7: Inside PK Cryptography: Math and Implementation

Fundamental Theorem proof

First part of proof: all numbers are products of primes

- Let $S = \{x \mid x \text{ is not expressible as a product of primes}\}$
- Let $c = \min\{S\}$. $c$ cannot be prime
- Let $c = c_1 \cdot c_2$
  - $c_1, c_2 < c$
  - $\Rightarrow c_1, c_2 \notin S$ (because $c$ is $\min\{S\}$)
  - $\Rightarrow c_1, c_2$ are products of primes
  - $\Rightarrow c$ is too
  - $\Rightarrow S$ is an empty set

Page 8: Inside PK Cryptography: Math and Implementation

Fundamental Theorem proof

Second part of proof: the product of primes is unique

- Let $n = p_1 p_2 p_3 p_4 \ldots = q_1 q_2 q_3 q_4 \ldots$
- Cancel common primes. Now unique primes on both sides
- Now, $p_1 \mid p_1 p_2 p_3 p_4 \ldots$
  - $\Rightarrow p_1 \mid q_1 q_2 q_3 q_4 \ldots$
  - $\Rightarrow p_1 \mid$ one of $q_1, q_2, q_3, q_4, \ldots$
  - $\Rightarrow p_1 = q_i$, which is a contradiction

Page 9: Inside PK Cryptography: Math and Implementation

GCD (Greatest Common Divisor)

- gcd(a,b) = the greatest of the divisors of a, b
- Many ways to compute gcd
  - Extract common prime factors
    - Express a, b as products of primes
    - Extract common prime factors
    - gcd(18, 66) = gcd(2*3*3, 2*3*11) = 2*3 = 6
    - Factoring is hard. Not practical
  - Euclid’s algorithm

Page 10: Inside PK Cryptography: Math and Implementation

Euclid’s algorithm

[Diagram: Euclid’s algorithm on a and b, in three numbered steps]

1. $r = a \,\%\, b$
2. $r_1 = b \,\%\, r$
3. $r \,\%\, r_1 = 0$. $\gcd(a,b) = r_1$

Page 11: Inside PK Cryptography: Math and Implementation

Euclid’s algorithm proof

Proof that $r_1$ divides a and b

- $r_1 \mid r$
- $b = r_1 + r \Rightarrow r_1 \mid b$
- $a = qb + r$, $r_1 \mid b$, $r_1 \mid r \Rightarrow r_1 \mid a$

Page 12: Inside PK Cryptography: Math and Implementation

Euclid’s algorithm proof (contd)

Proof that $r_1$ is the greatest divisor

- Say, $c \mid a$ and $c \mid b$
- $c \mid qb + r \Rightarrow c \mid r$
- $c \mid q'b + r_1 \Rightarrow c \mid r_1$

Page 13: Inside PK Cryptography: Math and Implementation

Linear Combination

- ax + by = “linear combination” of a and b
  - 12x + 20y = {…, -12, -8, -4, 0, 4, 8, 12, …}
- The minimum positive linear combination of a & b = gcd(a,b)
- Proof in two steps:
  1. If d = min(ax+by) and d > 0, then d | a, d | b
  2. d is the greatest divisor.

Page 14: Inside PK Cryptography: Math and Implementation

GCD & Linear combination (contd.)

- Let $S = \{z = ax + by \mid z > 0\}$
- Let $d = \min\{S\} = ax_1 + by_1$
- Let $a = qd + r$, $0 \le r < d$
- $r = a - qd = a - q(ax_1 + by_1)$
- $r = a(1 - qx_1) + (-qy_1)b$
- If $r > 0$, $r \in S$
- But $r < d$, which is a contradiction, because $d = \min\{S\}$
- $\Rightarrow r = 0 \Rightarrow d \mid a$

Page 15: Inside PK Cryptography: Math and Implementation

GCD & Linear combination (contd.)

Second part of proof: any other divisor is smaller than d

- Let $c \mid a$, $c \mid b$, $c > 0$
- $a = cm$, $b = cn$
- $d = ax_1 + by_1 = c(mx_1 + ny_1)$
- $\Rightarrow c \mid d$
- $\Rightarrow d$ is the gcd

Page 16: Inside PK Cryptography: Math and Implementation

Summary 1

- All numbers are expressible as unique products of prime numbers
- GCD calculated using Euclid’s algorithm
- $\gcd(a,b) = 1 \Rightarrow$ a & b are mutually prime
- gcd(a,b) equals the minimum positive ax+by linear combination

Page 17: Inside PK Cryptography: Math and Implementation

Modular/Clock Arithmetic

- 1:00 and 13:00 hours are the same
- 1:00 and 25:00 hours are the same
- $1 \equiv 13 \pmod{12}$
- $a \equiv b \pmod n$
  - n is the modulus
  - a is “congruent” to b, modulo n
  - a - b is divisible by n
  - a % n = b % n

Page 18: Inside PK Cryptography: Math and Implementation

Modular Arithmetic

- $a \equiv b \pmod n$, $c \equiv d \pmod n$
- Addition
  - $a + c \equiv b + d \pmod n$
- Multiplication
  - $ac \equiv bd \pmod n$

$a - b = jn$
$c - d = kn$
$a + c - (b + d) = (j + k)n$

Page 19: Inside PK Cryptography: Math and Implementation

Modular Arithmetic (contd.)

- Power
  - $a \equiv b \pmod n \Rightarrow a^k \equiv b^k \pmod n$
- Going n times around the clock
  - $a + kn \equiv b \pmod n$

Using induction:

- If $a^k \equiv b^k \pmod n$,
- $a \cdot a^k \equiv b \cdot b^k \pmod n$, by multiplication rule
- $\Rightarrow a^{k+1} \equiv b^{k+1} \pmod n$

Page 20: Inside PK Cryptography: Math and Implementation

Chinese Remainder Theorem

- $m \equiv a \pmod p$, $m \equiv a \pmod q \Rightarrow m \equiv a \pmod{pq}$ (p, q are primes)
- $m - a = cp$. Now, $m - a$ is expressible as $p_1 \cdot p_2 \cdot p_3 \ldots$
- If $m - a$ is divisible by both p and q, p and q must be one of $p_1, p_2, p_3, \ldots$
- $\Rightarrow m - a$ is divisible by pq

Page 21: Inside PK Cryptography: Math and Implementation

GCD and modulus

If $\gcd(a,n) = 1$ and $a \equiv b \pmod n$, then $\gcd(b,n) = 1$

- $a \equiv b \pmod n \Rightarrow a = b + kn$
- $\gcd(a,n) = 1 \Rightarrow ax_1 + ny_1 = 1$, for some $x_1$ and $y_1$
- $\Rightarrow (b + kn)x_1 + ny_1 = 1$
- $\Rightarrow bx_1 + n(kx_1 + y_1) = bx_1 + ny_2 = 1$
- $\Rightarrow \gcd(b,n) = 1$

Page 22: Inside PK Cryptography: Math and Implementation

Multiplicative Inverse

If a, b have no common factors, there exists $a_i$ such that $a \cdot a_i \equiv 1 \pmod b$. $a_i$ is called the “multiplicative inverse”.

- $\gcd(a,b) = 1 = ax_1 + by_1$, for some $x_1$ and $y_1$
- $ax_1 = 1 - by_1$
- $ax_1 = 1 + by_2$ (making $y_2 = -y_1$)
- $ax_1 - 1 = by_2$
- $ax_1 \equiv 1 \pmod b$ ($x_1$ is the multiplicative inverse)
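The linear-combination and multiplicative-inverse slides describe, in effect, the extended Euclidean algorithm. The sketch below is an added example, not code from the presentation; the class and method names (`ExtendedEuclid`, `egcd`, `modInverse`) are assumptions, and the inputs are the numbers used on the slides.

```java
import java.math.BigInteger;

// Added example: extended Euclid in the slides' notation, a*x1 + b*y1 = gcd(a, b).
public class ExtendedEuclid {
    // Returns {g, x, y} with a*x + b*y = g = gcd(a, b), for a, b >= 0.
    static long[] egcd(long a, long b) {
        long oldR = a, r = b;      // remainders, exactly as in Euclid's algorithm
        long oldX = 1, x = 0;      // running coefficient of a
        long oldY = 0, y = 1;      // running coefficient of b
        while (r != 0) {
            long q = oldR / r;
            long t = oldR - q * r; oldR = r; r = t;
            t = oldX - q * x; oldX = x; x = t;
            t = oldY - q * y; oldY = y; y = t;
        }
        return new long[] {oldR, oldX, oldY};
    }

    // Multiplicative inverse of a modulo n; it exists only when gcd(a, n) = 1.
    static long modInverse(long a, long n) {
        long[] g = egcd(Math.floorMod(a, n), n);
        if (g[0] != 1) {
            throw new ArithmeticException(a + " has no inverse mod " + n);
        }
        return Math.floorMod(g[1], n);   // x1 may be negative; reduce into [0, n)
    }

    public static void main(String[] args) {
        long[] g = egcd(12, 20);         // the slide's 12x + 20y example
        System.out.printf("gcd(12,20) = %d = 12*(%d) + 20*(%d)%n", g[0], g[1], g[2]);
        System.out.println("gcd(18,66) = " + egcd(18, 66)[0]);

        long d = modInverse(7, 20);      // e = 7, phi(33) = 20 from the RSA slides
        System.out.println("inverse of 7 mod 20 = " + d);
        // Cross-check against the library call used on the implementation slides.
        BigInteger lib = BigInteger.valueOf(7).modInverse(BigInteger.valueOf(20));
        System.out.println("matches BigInteger.modInverse: " + (lib.longValue() == d));
        try {
            modInverse(6, 20);           // gcd(6, 20) = 2, so no inverse exists
        } catch (ArithmeticException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```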

Page 23: Inside PK Cryptography: Math and Implementation

Summary 2

- Modular arithmetic
  - Addition, multiplication, power, inverse
- Chinese Remainder Theorem
  - If $m \equiv a \pmod p$ and $m \equiv a \pmod q$, then $m \equiv a \pmod{pq}$
- Relationship between gcd and modular arithmetic
  - $\gcd(a,b) = 1 \Rightarrow a \cdot a_i \equiv 1 \pmod b$

Page 24: Inside PK Cryptography: Math and Implementation

Euler’s Totient function

- $\varphi(n)$ = Totient(n) = count of integers $\le n$ coprime to n
  - $\varphi(10) = 4$ (1, 3, 7, 9 are coprime to 10)
  - $\varphi(7) = 6$ (1, 2, 3, 4, 5, 6 are coprime to 7)
- $\varphi(p) = p - 1$, if p is a prime

Page 25: Inside PK Cryptography: Math and Implementation

Totient lemma #2: product

$\varphi(pq) = (p - 1)(q - 1) = \varphi(p) \cdot \varphi(q)$, if p and q are prime

- Which numbers $\le pq$ share factors with pq?
  - $1 \cdot p, 2 \cdot p, 3 \cdot p, \ldots, (q-1)p$ and
  - $1 \cdot q, 2 \cdot q, 3 \cdot q, \ldots, (p-1)q$ and
  - $pq$
- The rest are coprime to pq. Count them.
- $\varphi(pq) = pq - (p - 1) - (q - 1) - 1 = (p - 1)(q - 1)$

Page 26: Inside PK Cryptography: Math and Implementation

Totient lemma #3: power

$\varphi(p^k) = p^k - p^{k-1}$, if p is prime and k > 0

- Only numbers that are a multiple of p have a common factor with $p^k$: $1 \cdot p, 2 \cdot p, 3 \cdot p, \ldots, p^{k-1} \cdot p$
- The rest don’t share any factors, so are coprime
- $\varphi(p^k) = p^k - p^{k-1}$

Page 27: Inside PK Cryptography: Math and Implementation

Totient lemma #4: product

$\varphi(mn) = \varphi(m) \cdot \varphi(n)$, if m and n are coprime (gcd(m,n) = 1)

Organize into a matrix of m columns, n rows:

    1          2          3          …  r          …  m
    m+1        m+2        m+3        …  m+r        …  2m
    2m+1       2m+2       2m+3       …  2m+r       …  3m
    …
    (n-1)m+1   (n-1)m+2   (n-1)m+3   …  (n-1)m+r   …  nm

Page 28: Inside PK Cryptography: Math and Implementation

Totient lemma #4 (contd.)

Step 1: Eliminate columns

- If gcd(m,r) = 1, gcd(m,km+r) = 1
- All cells under that rth column have no common factors with m
- Others have a common factor with mn, so can be eliminated
- $\varphi(m)$ columns survive

Page 29: Inside PK Cryptography: Math and Implementation

Totient lemma #4 (contd.)

Step 2: Examine cells in remaining columns

- No two cells in a column are congruent mod n
  - Because if $im + r \equiv jm + r \pmod n$, then $im + r - jm - r = kn \Rightarrow n \mid (i - j)$, which is not possible because $i - j < n$
- Because there are n (non-congruent) cells in each column, label them as 0, 1, 2, … n-1 in some order.
- $\varphi(n)$ cells in each column coprime to n
- $\varphi(n)\,\varphi(m)$ cells left that are coprime to both m and n

Page 30: Inside PK Cryptography: Math and Implementation

Totient lemma #5

- If $\gcd(c,n) = 1$ and $x_1, x_2, x_3, \ldots, x_{\varphi(n)}$ are coprime to n, then $cx_1, cx_2, \ldots, cx_{\varphi(n)}$ are congruent to $x_1, x_2, x_3, \ldots$ in some order.
- 1, 3, 5, 7 are coprime to 8. Multiply each with c = 15 (also coprime to 8)
- $\{15, 45, 75, 105\} \equiv \{7, 5, 3, 1\} \pmod 8$

Page 31: Inside PK Cryptography: Math and Implementation

Totient lemma #5 (contd.)

- $cx_i$ is not $\equiv cx_j \pmod n$.
  - Because if $cx_i \equiv cx_j \pmod n \Rightarrow c(x_i - x_j) = kn$.
  - But $\gcd(c,n) = 1 \Rightarrow n \mid (x_i - x_j)$, which is impossible because $x_i - x_j < n$
- Remember the old identity: $\gcd(a,n) = 1$ and $a \equiv b \pmod n \Rightarrow \gcd(b,n) = 1$
- Let $cx_i \equiv b \pmod n$
  - $\gcd(cx_i, n) = 1 \Rightarrow \gcd(b,n) = 1 \Rightarrow b$ must be one of $x_j$

Page 32: Inside PK Cryptography: Math and Implementation

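Euler’s Theorem

If $\gcd(a,n) = 1$, $a^{\varphi(n)} \equiv 1 \pmod n$

- Consider $x_1, x_2, \ldots, x_{\varphi(n)} < n$ and coprime to n
- Since a is also coprime to n, from previous result $ax_1 \equiv x_i \pmod n$, $ax_2 \equiv x_j \pmod n$, … etc.
- $a^{\varphi(n)}\, x_1 x_2 x_3 \ldots x_{\varphi(n)} \equiv x_1 x_2 x_3 \ldots x_{\varphi(n)} \pmod n$
- $a^{\varphi(n)}\, x \equiv x \pmod n$, where $x = x_1 x_2 x_3 \ldots x_{\varphi(n)}$
- $\Rightarrow n \mid x(a^{\varphi(n)} - 1)$
- But n doesn’t divide x $\Rightarrow n \mid (a^{\varphi(n)} - 1)$
- $\Rightarrow a^{\varphi(n)} \equiv 1 \pmod n$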
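The totient lemmas and Euler’s theorem can be checked by brute force for small n. This is an added example, not part of the original slides; `TotientCheck` and its method names are assumptions, and the specific values (10, 7, 3·11, c = 15 mod 8) are the ones used on the slides.

```java
import java.math.BigInteger;
import java.util.TreeSet;

// Added example: brute-force checks of the totient lemmas and Euler's theorem.
public class TotientCheck {
    static int gcd(int a, int b) { return b == 0 ? a : gcd(b, a % b); }

    // The integers 1..n that are coprime to n; phi(n) is the size of this set.
    static TreeSet<Integer> coprimes(int n) {
        TreeSet<Integer> s = new TreeSet<>();
        for (int x = 1; x <= n; x++) if (gcd(x, n) == 1) s.add(x);
        return s;
    }

    static int phi(int n) { return coprimes(n).size(); }

    // Lemma #5: multiplying every coprime residue by c (gcd(c, n) = 1) permutes the set.
    static boolean permutes(int c, int n) {
        TreeSet<Integer> image = new TreeSet<>();
        for (int x : coprimes(n)) image.add((int) ((long) c * x % n));
        return image.equals(coprimes(n));
    }

    // Euler's theorem: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1.
    static boolean eulerHolds(int a, int n) {
        BigInteger r = BigInteger.valueOf(a)
                .modPow(BigInteger.valueOf(phi(n)), BigInteger.valueOf(n));
        return r.equals(BigInteger.ONE);
    }

    public static void main(String[] args) {
        System.out.println("phi(10) = " + phi(10) + ", phi(7) = " + phi(7));
        System.out.println("lemma #2, phi(3*11) == phi(3)*phi(11): " + (phi(33) == phi(3) * phi(11)));
        System.out.println("lemma #3, phi(3^4) == 3^4 - 3^3: " + (phi(81) == 81 - 27));
        System.out.println("lemma #4, phi(8*9) == phi(8)*phi(9): " + (phi(72) == phi(8) * phi(9)));
        System.out.println("lemma #5, c=15 permutes residues mod 8: " + permutes(15, 8));
        for (int n = 2; n <= 200; n++)
            for (int a : coprimes(n))
                if (!eulerHolds(a, n)) throw new AssertionError(a + ", " + n);
        System.out.println("Euler's theorem holds for all coprime a, n <= 200");
        // The hypothesis gcd(a, n) = 1 is required: a = 2, n = 8 does not satisfy it.
        System.out.println("a=2, n=8 satisfies Euler: " + eulerHolds(2, 8));
    }
}
```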

Page 33: Inside PK Cryptography: Math and Implementation

Fermat’s little theorem

- Special case of Euler’s theorem.
- If $\gcd(a,p) = 1$ and p is prime, $a^{p-1} \equiv 1 \pmod p$
  - Because $\varphi(p) = p - 1$
- We now have all the essential number theory. Whew!

Page 34: Inside PK Cryptography: Math and Implementation

RSA Algorithm

- Bob generates public and private keys
  - public key: encrypting key e and modulus n
  - private key: decrypting key d and modulus n
- Alice wants to send Bob a message m
  - m treated as a number
- Alice encrypts m using Bob’s “public pen”
  - encrypted ciphertext, $c = m^e \pmod n$
- Bob decrypts using his own private key
  - To decrypt, compute $c^d \pmod n$. Result is m

Page 35: Inside PK Cryptography: Math and Implementation

RSA Key Generation

- Bob selects primes p, q
- computes n = pq
- $\varphi(n) = \varphi(p)\,\varphi(q) = (p - 1)(q - 1)$
- Select e, such that $\gcd(e, \varphi(n)) = 1$
- Compute the decrypting key, d, where $ed \equiv 1 \pmod{\varphi(n)}$
- Bob publishes public key info: e, n
- Keeps private key: d, n
- Important: m < n

Page 36: Inside PK Cryptography: Math and Implementation

RSA Key Generation

- Bob selects primes p, q
- computes n = pq
- $\varphi(n) = \varphi(p)\,\varphi(q) = (p - 1)(q - 1)$
- Select e, such that $\gcd(e, \varphi(n)) = 1$
- Compute the decrypting key, d, where $ed \equiv 1 \pmod{\varphi(n)}$
- Bob publishes public key pair: e, n
- Keeps private key: d, n

Worked example:

- p = 3, q = 11
- n = 33
- $\varphi(n) = (3 - 1)(11 - 1) = 20$
- e = 7
- $7d \equiv 1 \pmod{20}$
- d = (1 + 20k)/7
- d = 3
- Public key = (7, 33)
- Private key = (3, 33)

Page 37: Inside PK Cryptography: Math and Implementation

RSA algorithm

- Treat each letter or block as m (m < n)
  - n = 33, e = 7, d = 3
- Encryption: for each m compute $c = m^e \pmod n$
  - “RSA” = {18, 19, 1}
  - $18^7$ % 33 = 6, giving {6
  - $19^7$ % 33 = 13, giving {6, 13
  - $1^7$ % 33 = 1, giving {6, 13, 1}
- Decryption: for each c, compute $c^d \pmod n$
  - $6^3$ % 33 = 18, giving {18
  - $13^3$ % 33 = 19, giving {18, 19
  - $1^3$ % 33 = 1, giving {18, 19, 1}

Page 38: Inside PK Cryptography: Math and Implementation

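RSA proof

Prove $c = m^e \pmod n \Rightarrow c^d \pmod n = m$

Review:

- $a \equiv b \pmod n \Rightarrow a^k \equiv b^k \pmod n$
- $a < n \Rightarrow a = a \pmod n$
- $\gcd(a,n) = 1 \Rightarrow a^{\varphi(n)} \equiv 1 \pmod n$
- $m \equiv a \pmod p$, $m \equiv a \pmod q \Rightarrow m \equiv a \pmod{pq}$
- $\varphi(pq) = \varphi(p)\,\varphi(q)$
- $ed \equiv 1 \pmod{\varphi(n)} \Rightarrow ed = 1 + k\,\varphi(n)$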

Page 39: Inside PK Cryptography: Math and Implementation

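RSA proof (contd.)

- $c = m^e \pmod n \Rightarrow c \equiv m^e \pmod n$
- $c^d \equiv m^{ed} \pmod n$
- Consider $m^{ed} \pmod p$ and $m^{ed} \pmod q$
- If $p \mid m$, $m^{ed} \pmod p = 0 = m \pmod p$
- If not,
  - $m^{ed} \pmod p \equiv m^{1 + k\varphi(n)} \pmod p$
  - $\equiv m \cdot m^{k\varphi(p)\varphi(q)} \pmod p$
  - $\equiv m \cdot (m^{\varphi(p)})^{k\varphi(q)} \pmod p$
  - $\equiv m \cdot (1)^{k\varphi(q)} \pmod p$ (by Euler)
  - $\equiv m \pmod p$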

Page 40: Inside PK Cryptography: Math and Implementation

RSA proof (contd.)

- So, in both cases, $m^{ed} \equiv m \pmod p$
- Similarly, $m^{ed} \equiv m \pmod q$
- $\Rightarrow m^{ed} \equiv m \pmod{pq}$ (Chinese remainder theorem) $\equiv m \pmod n$
- $\Rightarrow m^{ed} \pmod n = m$

Page 41: Inside PK Cryptography: Math and Implementation

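RSA Implementation

Creating a big random prime

    import java.math.BigInteger;
    import java.security.SecureRandom;

    SecureRandom r = new SecureRandom();
    BigInteger p = new BigInteger(nbits, 100, r);  // nbits-bit probable prime, certainty 100
    BigInteger q = new BigInteger(nbits, 100, r);  // second prime, generated the same way

$n = pq$

    n = p.multiply(q);

$\varphi(n) = (p - 1)(q - 1)$

    phi = p.subtract(BigInteger.ONE)
           .multiply(q.subtract(BigInteger.ONE));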

Page 42: Inside PK Cryptography: Math and Implementation

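RSA Implementation

Select e coprime to $\varphi(n)$

    e = new BigInteger("3");
    // Step through odd candidates until gcd(e, phi) = 1.
    // Compare as BigInteger: intValue() keeps only the low 32 bits.
    while (!phi.gcd(e).equals(BigInteger.ONE))
        e = e.add(new BigInteger("2"));

Select d, such that $ed \equiv 1 \pmod{\varphi(n)}$

    d = e.modInverse(phi);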

Page 43: Inside PK Cryptography: Math and Implementation

RSA Implementation

Encrypt/decrypt

    BigInteger encrypt(BigInteger message) {
        return message.modPow(e, n);
    }

    BigInteger decrypt(BigInteger message) {
        return message.modPow(d, n);
    }

Page 44: Inside PK Cryptography: Math and Implementation

Digital Signature

- $m^{ed} \pmod n = m^{de} \pmod n$
- Bob encrypts his name using private key
- Alice, the recipient, decrypts it using Bob’s public key
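The implementation fragments and the signature slide fit together as one small class. The following is an added example, not the presenter’s code: `TextbookRsa`, `generate`, `inRange`, `sign` and `verify` are assumed names, the toy key is the slides’ p = 3, q = 11, e = 7, and the generated key uses 1024-bit primes as an assumption. It is unpadded RSA, kept that way to match the math above.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Added example: textbook (unpadded) RSA assembled from the slide fragments.
public class TextbookRsa {
    static final BigInteger ONE = BigInteger.ONE;
    final BigInteger n, e, d;

    // Key from chosen primes and public exponent; e must be coprime to phi(n).
    TextbookRsa(BigInteger p, BigInteger q, BigInteger e) {
        BigInteger phi = p.subtract(ONE).multiply(q.subtract(ONE));
        if (p.equals(q) || !phi.gcd(e).equals(ONE))
            throw new IllegalArgumentException("need p != q and gcd(e, phi(n)) = 1");
        this.n = p.multiply(q);
        this.e = e;
        this.d = e.modInverse(phi);
    }

    // Random key: redraw the primes until they suit the fixed exponent e = 65537.
    static TextbookRsa generate(int primeBits, SecureRandom rnd) {
        BigInteger e = BigInteger.valueOf(65537), p, q;
        do { p = BigInteger.probablePrime(primeBits, rnd); q = BigInteger.probablePrime(primeBits, rnd); }
        while (p.equals(q) || !p.subtract(ONE).multiply(q.subtract(ONE)).gcd(e).equals(ONE));
        return new TextbookRsa(p, q, e);
    }

    // "Important: m < n": a larger value would wrap around the modulus and be lost.
    private BigInteger inRange(BigInteger m) {
        if (m.signum() < 0 || m.compareTo(n) >= 0) throw new IllegalArgumentException("need 0 <= m < n");
        return m;
    }

    BigInteger encrypt(BigInteger m) { return inRange(m).modPow(e, n); }
    BigInteger decrypt(BigInteger c) { return inRange(c).modPow(d, n); }
    BigInteger sign(BigInteger m) { return inRange(m).modPow(d, n); }
    boolean verify(BigInteger m, BigInteger sig) { return inRange(sig).modPow(e, n).equals(m); }

    public static void main(String[] args) {
        TextbookRsa toy = new TextbookRsa(BigInteger.valueOf(3), BigInteger.valueOf(11), BigInteger.valueOf(7));
        for (char ch : "RSA".toCharArray()) {
            BigInteger m = BigInteger.valueOf(ch - 'A' + 1);   // A=1 ... Z=26, as on the slide
            BigInteger c = toy.encrypt(m);
            System.out.println(ch + ": m=" + m + " c=" + c + " decrypted=" + toy.decrypt(c));
        }
        SecureRandom rnd = new SecureRandom();
        TextbookRsa key = generate(1024, rnd);                 // 2048-bit modulus
        BigInteger m = new BigInteger(256, rnd);               // constructed random message
        BigInteger sig = key.sign(m);
        System.out.println("round trip: " + key.decrypt(key.encrypt(m)).equals(m));
        System.out.println("signature verifies: " + key.verify(m, sig));
        System.out.println("altered message verifies: " + key.verify(m.add(ONE), sig));
    }
}
```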

Page 45: Inside PK Cryptography: Math and Implementation

RSA Deployment

- If msg m > n, chop it up in blocks < n
- p and q are usually 512 bits, e = 65537.
- Ensure p - 1 doesn’t have small prime factors.
- Ensure d is large
- Pad m with random bits
- Never reuse n
- Sign documents very carefully
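Why “pad m with random bits” is on this list: unpadded RSA is deterministic, so equal messages always produce equal ciphertexts. The added example below (not from the presentation) contrasts that with OAEP padding from the JDK’s standard `Cipher` API; the class name `PaddingDemo`, the sample message and the 2048-bit key size are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example: deterministic textbook RSA versus randomized OAEP padding.
public class PaddingDemo {
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static byte[] oaepEncrypt(PublicKey pub, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return c.doFinal(msg);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        byte[] msg = "YES".getBytes(StandardCharsets.UTF_8);   // constructed sample message

        // Textbook RSA, c = m^e mod n: the same m always yields the same c, so a
        // holder of the public key can test a guessed plaintext against a ciphertext.
        BigInteger m = new BigInteger(1, msg);
        BigInteger c1 = m.modPow(pub.getPublicExponent(), pub.getModulus());
        BigInteger c2 = m.modPow(pub.getPublicExponent(), pub.getModulus());
        System.out.println("textbook ciphertexts equal: " + c1.equals(c2));

        // OAEP mixes fresh random bits into every encryption of the same message.
        byte[] o1 = oaepEncrypt(pub, msg);
        byte[] o2 = oaepEncrypt(pub, msg);
        System.out.println("OAEP ciphertexts equal: " + Arrays.equals(o1, o2));

        // Both randomized ciphertexts still decrypt to the original message.
        Cipher dec = Cipher.getInstance(OAEP);
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        boolean ok = Arrays.equals(dec.doFinal(o1), msg) && Arrays.equals(dec.doFinal(o2), msg);
        System.out.println("both decrypt to the message: " + ok);
    }
}
```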

Page 46: Inside PK Cryptography: Math and Implementation

Examples of RSA Attacks

- Exploiting algorithm parameter values
  - Low e or d values
- Exploiting implementation
  - Measuring time and power consumption of smart cards
  - Exploiting random errors in hardware
  - Exploiting error messages
- Social Engineering: Blinding attack

Page 47: Inside PK Cryptography: Math and Implementation

Ellis / Diffie-Hellman Key Exchange

- RSA is slow in practice
  - Encrypt AES’s keys using RSA
- Alice and Bob agree publicly on a prime p, and some integer, c < p.
  - gcd(p,c) = 1
- Alice chooses a privately, and Bob chooses b.
  - a, b < p

Page 48: Inside PK Cryptography: Math and Implementation

Ellis / Diffie-Hellman Key Exchange (contd)

- Alice computes $A = c^a \pmod p$. Bob computes $B = c^b \pmod p$
- They exchange these numbers.
- Alice computes $B^a$. Bob computes $A^b$
- Both of them compute $c^{ab} \pmod p$
- Both use this number as a key for AES.
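The exchange on these two slides, run for both parties, as an added example that is not part of the original presentation. It keeps the slides’ names (p, c, a, b, A, B); the class `DhExchange`, the range check on received values, the SHA-256 step that turns the shared number into an AES key, and the demo-sized 512-bit random prime are assumptions.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: both sides of the key exchange, using the slides' names.
public class DhExchange {
    static final SecureRandom RND = new SecureRandom();
    static final BigInteger TWO = BigInteger.valueOf(2);

    // Private exponent drawn uniformly from [2, p-2] by rejection sampling.
    static BigInteger privateValue(BigInteger p) {
        BigInteger x;
        do { x = new BigInteger(p.bitLength(), RND); }
        while (x.compareTo(TWO) < 0 || x.compareTo(p.subtract(TWO)) > 0);
        return x;
    }

    // Reject degenerate public values (0, 1, p-1 or out of range) before using them.
    static BigInteger shared(BigInteger theirs, BigInteger mine, BigInteger p) {
        if (theirs.compareTo(TWO) < 0 || theirs.compareTo(p.subtract(TWO)) > 0)
            throw new IllegalArgumentException("public value out of range");
        return theirs.modPow(mine, p);
    }

    // Hash the shared number down to 32 bytes for use as an AES-256 key.
    static byte[] aesKey(BigInteger secret) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(secret.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        BigInteger p = BigInteger.probablePrime(512, RND);   // public prime (demo size)
        BigInteger c = TWO;                                  // public base, gcd(p, c) = 1

        BigInteger a = privateValue(p);                      // Alice's secret, never sent
        BigInteger b = privateValue(p);                      // Bob's secret, never sent
        BigInteger A = c.modPow(a, p);                       // Alice -> Bob
        BigInteger B = c.modPow(b, p);                       // Bob -> Alice

        byte[] aliceKey = aesKey(shared(B, a, p));           // B^a = c^(ab) mod p
        byte[] bobKey = aesKey(shared(A, b, p));             // A^b = c^(ab) mod p
        System.out.println("keys match: " + Arrays.equals(aliceKey, bobKey));
        System.out.println("key length in bytes: " + aliceKey.length);
    }
}
```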

Page 49: Inside PK Cryptography: Math and Implementation

References

- “Cryptological Mathematics”, Robert Lewand
- “Twenty Years of Attacks on the RSA Cryptosystem”, Dan Boneh, http://crypto.stanford.edu/~dabo
- pajhome.org.uk/crypt/index.html
- “Concrete Mathematics”, Donald Knuth et al.
- “The Code Book”, Simon Singh