Cryptography and Network Security M. Sakalli Source: Third Edition by William Stallings And Modified Lecture Slides of Lawrie Brown
Page 1:

Cryptography and Network Security

M. Sakalli

Source: Third Edition by William Stallings

And Modified Lecture Slides of Lawrie Brown

Page 2:

Sun Tzu's Chinese Remainder Theorem states that when the moduli of a system of linear congruences are pairwise relatively prime, there is a unique solution of the system modulo the product of the moduli. Each congruence has the form

ax ≡ b (mod m).

Around 400 CE (Common Era), the Chinese mathematical text Sun Tzu Suan Ching posed the following problem:

“There are certain things whose number is unknown. When divided by 3, the remainder is 2; when divided by 5, the remainder is 3; and when divided by 7, the remainder is 2. What will be the number of things?”

(Discrete Mathematics, Kenneth H. Rosen, page 186.)

x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7)

Let m_1, m_2, …, m_n be pairwise relatively prime numbers. Then the system x ≡ a_1 (mod m_1), x ≡ a_2 (mod m_2), …, x ≡ a_n (mod m_n) has a unique solution modulo M = m_1 m_2 … m_n. For Sun Tzu's problem the CRT says that exactly one residue x mod (3·5·7) satisfies all three equations.

x ≡ 23 (mod 105): 23 = 7·3 + 2 ≡ 2 (mod 3), 23 = 4·5 + 3 ≡ 3 (mod 5), 23 = 3·7 + 2 ≡ 2 (mod 7).

Page 3:

How to construct the solution mod M

• 23 mod 105 means 23 + 105n ∈ {…, -292, -187, -82, 23, 128, 233, 338, …}

• Therefore, all these congruent numbers are solutions of Sun Tzu's three equations.

i. M = ∏_{k=1..n} m_k = m_1 m_2 … m_n; all the m_k have to be pairwise relatively prime.

ii. For each equation x ≡ a_k (mod m_k) calculate M_k = M/m_k, the product of all m_i except m_k.

iii. y_k is the inverse of M_k modulo m_k: M_k y_k ≡ 1 (mod m_k), i.e. (M_k mod m_k) y_k ≡ 1 (mod m_k).

x ≡ 2 (mod 3): (5·7) y_1 ≡ 1 (mod 3); 35 ≡ 2 (mod 3), so y_1 = 2.

x ≡ 3 (mod 5): (3·7) y_2 ≡ 1 (mod 5); 21 ≡ 1 (mod 5), so y_2 = 1.

x ≡ 2 (mod 7): (3·5) y_3 ≡ 1 (mod 7); 15 ≡ 1 (mod 7), so y_3 = 1.

iv. x = Σ a_i M_i y_i = a_1 M_1 y_1 + a_2 M_2 y_2 + a_3 M_3 y_3 = 2·35·2 + 3·21·1 + 2·15·1 = 233 ≡ 23 (mod 105).

Page 4:

Why does this work? (without going into detail)

Take the solution x and reduce it mod m_1:

a_1 M_1 y_1 ≡ a_1 (mod m_1), since M_1 y_1 ≡ 1 (mod m_1).

M_2 y_2, M_3 y_3, …, every other term is zero mod m_1, since each M_k with k ≠ 1 is a multiple of m_1.

x = a_1 M_1 y_1 + a_2 M_2 y_2 + … + a_n M_n y_n

= 2·(5·7)·2 + 3·(3·7)·1 + 2·(3·5)·1

The same holds for any of the m_k. Therefore x satisfies all of the equations.

One of the most useful results of number theory is in speeding up some operations in the RSA public-key scheme: the CRT allows one to perform calculations modulo the factors and then combine the answers to get the actual result. Since the computational cost grows with the size of the modulus, working modulo the factors is faster than working in the full-size modulus, i.e. when M is 150 digits or more. However, it is necessary to know the factorization of M beforehand (arithmetic on n-tuples).

See worked examples in Stallings section 8.4.

Page 5:

Ancient Chinese Pirates:

A band of 17 pirates stole a sack of gold coins. When they tried to divide the fortune into equal portions, 3 coins remained. In the ensuing brawl over who should get the extra coins, one pirate was killed. The wealth was redistributed, but this time an equal division left 10 coins. Again an argument developed in which another pirate was killed, but now the fortune could be evenly distributed.

What was the least number of coins which could have been stolen?

What are all possible numbers of coins which could have been stolen?

If x is the number of coins, it has to satisfy the following modular equations: x ≡ 3 (mod 17), x ≡ 10 (mod 16), x ≡ 0 (mod 15).

These moduli are pairwise relatively prime, so the Chinese Remainder Theorem says there IS a solution mod 17·16·15 = 4080. Had the moduli shared a factor, it might have been possible that there is NO SOLUTION.

Page 6:

Write down the equations for y_k:

x ≡ 3 (mod 17): (16·15) y_1 ≡ 1 (mod 17), i.e. 240 y_1 ≡ 1

x ≡ 10 (mod 16): (17·15) y_2 ≡ 1 (mod 16), i.e. 255 y_2 ≡ 1

x ≡ 0 (mod 15): (17·16) y_3 ≡ 1 (mod 15), i.e. 272 y_3 ≡ 1

Solve the equations for y_k by whatever way is easiest (brute force or by finding inverses):

(16·15) y_1 ≡ 1 (mod 17): 240 ≡ 2, so 2 y_1 ≡ 1 and y_1 = 9 (mod 17)

(17·15) y_2 ≡ 1 (mod 16): 255 ≡ 15, so 15 y_2 ≡ 1 and y_2 = 15 (mod 16)

(17·16) y_3 ≡ 1 (mod 15): 272 ≡ 2, so 2 y_3 ≡ 1 and y_3 = 8 (mod 15)

Construct the solution x (mod 17·16·15): x = a_1 M_1 y_1 + a_2 M_2 y_2 + … + a_n M_n y_n = 3·(16·15)·9 + 10·(17·15)·15 + 0·(17·16)·8

= 44730 ≡ 3930 (mod 4080). Check: 3930 = 231·17 + 3 ≡ 3 (mod 17),

3930 = 245·16 + 10 ≡ 10 (mod 16), 3930 = 262·15 ≡ 0 (mod 15).

Therefore the solution works. The smallest number of coins which the pirates could have stolen: 3930. Other possible numbers of coins the pirates could have stolen? Any number of the form 3930 + 4080n could have been stolen: N = {3930, 8010, 12090, 16170, …}

Page 7:

• Nonnegative integers less than 12 can be represented as ordered pairs, the first component being the remainder mod 3 and the second the remainder mod 4:

0 = (0, 0), 1 = (1, 1), 2 = (2, 2), 3 = (0, 3), 4 = (1, 0), …, 11 = (2, 3)

• By the CRT, arithmetic on such n-tuples can run faster on a processor. For example, using the pairwise relatively prime moduli 99, 98, 97, 95 (all below 100), any nonnegative integer < 99·98·97·95 = 89403930 can be represented uniquely. Take the two numbers 123684 = (33, 8, 9, 89) and 413456 = (32, 92, 42, 16): find the remainder for each modulus, add (or apply whatever operation is wanted) component-wise in each tuple, giving (65, 2, 51, 10), and merge the results with the CRT to reach the final sum 537140, the unique nonnegative solution below the product.

• Particularly good (applicable) choices of moduli for large integers are of the form 2^k − 1, k a positive integer. One reason is that arithmetic modulo 2^k − 1 is easy in binary; the second reason is that gcd(2^a − 1, 2^b − 1) = 2^gcd(a,b) − 1, so such moduli are pairwise relatively prime whenever their exponents are (proof on page 112 of 104 Number Theory Problems, source on our webpage).

Page 8:

Systems of Linear Modular Equations:

a_1 x ≡ b_1 (mod m_1)
a_2 x ≡ b_2 (mod m_2)
…
a_n x ≡ b_n (mod m_n)

Solve each equation a_i x ≡ b_i (mod m_i) individually:

a_1 x ≡ b_1 (mod m_1) → x ≡ c_1 (mod m_1)
a_2 x ≡ b_2 (mod m_2) → x ≡ c_2 (mod m_2)
…
a_n x ≡ b_n (mod m_n) → x ≡ c_n (mod m_n)

Then combine the congruences x ≡ c_i (mod m_i) with the CRT.

Solve the following sets of simultaneous congruences:

i) x ≡ 5 (mod 6), x ≡ 4 (mod 11), x ≡ 3 (mod 17)

ii) x ≡ 5 (mod 11), x ≡ 14 (mod 29), x ≡ 15 (mod 21)

iii) 2x ≡ 1 (mod 5), 3x ≡ 9 (mod 6), 4x ≡ 1 (mod 7), 5x ≡ 9 (mod 11)

Question iii is a bit harder. How badly do you want an A+?

Page 9:

Homework:

Answer Brahmagupta's question (7th century AD): An old woman goes to market and a horse steps on her basket and crushes the eggs. The rider offers to pay for the damages and asks her how many eggs she had brought. She does not remember the exact number, but when she had taken them out two at a time, there was one egg left. The same happened when she picked them out three, four, five, and six at a time, but when she took them seven at a time they came out even. What is the smallest number of eggs she could have had?

What other possible numbers of eggs could she have had?

[Hint: x ≡ 1 (mod 2, 3, 4, 5, 6), x ≡ 0 (mod 7). Note that 2, 3, 4, 5, 6 are not pairwise relatively prime, so the five conditions have to be merged into one congruence modulo lcm(2, 3, 4, 5, 6) before the CRT construction applies.]
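The construction of Pages 3 and 4 (Sun Tzu's problem and the pirates), the residue n-tuples of Page 7, the per-equation reduction of Page 8 and the non-coprime moduli of Brahmagupta's hint, carried through in Python as an added example that is not part of the original slides. `solve_linear` reduces a_i x ≡ b_i (mod m_i) to x ≡ c_i (mod m_i'), `crt_coprime` is the a_k M_k y_k construction exactly as the slides give it, and `crt` is the merge-two-at-a-time form that also accepts moduli sharing a factor and returns None when the system has no solution. The function names and the inconsistent sample system x ≡ 1 (mod 2), x ≡ 0 (mod 4) are this example's own; all other numbers are the slides'.

```python
from functools import reduce
from math import gcd


def solve_linear(a, b, m):
    """Reduce a*x = b (mod m) to x = c (mod m'), the per-equation step of
    Page 8.  Returns (c, m'), or None when gcd(a, m) does not divide b
    (then this single congruence has no solution at all)."""
    g = gcd(a, m)
    if b % g:
        return None
    a, b, m = a // g, b // g, m // g          # now gcd(a, m) == 1
    return b * pow(a, -1, m) % m, m           # pow(a, -1, m): inverse of a mod m (Theorem 6)


def crt_coprime(residues, moduli):
    """The slides' construction, valid for pairwise coprime moduli only:
    x = sum(a_k * M_k * y_k) mod M, with M_k = M/m_k and y_k = M_k^-1 mod m_k."""
    M = reduce(lambda p, q: p * q, moduli, 1)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = M // m_k
        y_k = pow(M_k, -1, m_k)               # raises ValueError if the moduli are not coprime
        x += a_k * M_k * y_k
    return x % M, M


def crt(residues, moduli):
    """General CRT: merge the congruences two at a time.  The moduli need not
    be pairwise coprime; returns (x, lcm of the moduli) or None if inconsistent."""
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        g = gcd(m, n)
        if (a - x) % g:
            return None                        # e.g. x = 1 (mod 2) together with x = 0 (mod 4)
        # x + m*t = a (mod n)  <=>  (m/g)*t = (a-x)/g (mod n/g)
        t = (a - x) // g * pow(m // g, -1, n // g) % (n // g)
        m, x = m // g * n, (x + m * t) % (m // g * n)
    return x, m


def solve_system(equations):
    """equations: list of (a, b, m) triples meaning a*x = b (mod m).
    Reduce each with solve_linear, then combine with crt."""
    reduced = [solve_linear(a, b, m) for a, b, m in equations]
    if None in reduced:
        return None
    return crt([c for c, _ in reduced], [m for _, m in reduced])


def to_rns(x, moduli):
    """Residue-number-system encoding of Page 7: the tuple of x mod each modulus."""
    return tuple(x % m for m in moduli)


def rns_add(u, v, moduli):
    """Add two RNS tuples component-wise; every component is small, independent arithmetic."""
    return tuple((a + b) % m for a, b, m in zip(u, v, moduli))


def from_rns(t, moduli):
    """Recover the integer, unique below the product of the moduli."""
    return crt(list(t), list(moduli))[0]


if __name__ == "__main__":
    print(crt_coprime([2, 3, 2], [3, 5, 7]))       # Sun Tzu: (23, 105)
    print(crt_coprime([3, 10, 0], [17, 16, 15]))   # pirates: (3930, 4080)
    rns = (99, 98, 97, 95)
    s = rns_add(to_rns(123684, rns), to_rns(413456, rns), rns)
    print(s, from_rns(s, rns))                     # (65, 2, 51, 10) 537140
    print(crt([1, 0], [2, 4]))                     # None: no solution
```

`crt` is the form to use in practice: it does not assume the inputs are coprime, and the merge step is the same computation a library does when combining per-prime results in RSA-CRT decryption.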

Page 10:

Pseudoprimes

• Suppose our computers work with integers larger than 2^35. The moduli 2^35 − 1, 2^34 − 1, 2^33 − 1, 2^31 − 1, 2^29 − 1, 2^23 − 1 are pairwise relatively prime (their exponents are), giving the possibility of working with integers not exceeding 2^184 while doing only 35-bit arithmetic on each component.

• An integer n is prime when it is not divisible by any prime ≤ sqrt(n); e.g. 101: easy, but inefficient for large n.

• Chinese mathematicians believed that p is prime whenever the congruence 2^(p−1) ≡ 1 (mod p) holds, but could not show whether it fails for composite numbers.

• Fermat showed that the congruence holds when n is prime. Fermat's Little Theorem: if p is prime and a is an integer not divisible by p, then a^(p−1) ≡ 1 (mod p); besides, for every integer a, a^p ≡ a (mod p).

• The converse, "if 2^(n−1) ≡ 1 (mod n) then n is prime", is not always correct.

• Composite positive integers n for which 2^(n−1) ≡ 1 (mod n) holds are pseudoprimes; for example n = 341 = 11·31 is a pseudoprime to the base 2.

Page 11:

• Definition: for integers n, a > 0, if n is composite and a^(n−1) ≡ 1 (mod n), then n is a pseudoprime to the base a.

• So if n satisfies 2^(n−1) ≡ 1 (mod n), n is either prime or a pseudoprime to the base 2; similar tests can be performed for other bases coprime to n.

• There are more than 400·10^6 prime numbers below 10^10 (455,052,511 of them), but only 14884 pseudoprimes to the base 2.

• Primes are still not easy to distinguish, because of the other composite numbers that pass the test for every base b with gcd(b, n) = 1.

• Composite integers n satisfying b^(n−1) ≡ 1 (mod n) for every b with gcd(b, n) = 1 are Carmichael numbers. Numbers of the form (6k + 1)(12k + 1)(18k + 1) with all three factors prime are Carmichael numbers; whether this form yields infinitely many is not proved. Example: 561 = 3·11·17. If gcd(b, 561) = 1 then gcd(b, 3) = gcd(b, 11) = gcd(b, 17) = 1, so by Fermat's little theorem b^(3−1) ≡ 1 (mod 3), b^(11−1) ≡ 1 (mod 11), b^(17−1) ≡ 1 (mod 17).

• b^560 = (b^2)^280 ≡ 1 (mod 3), b^560 = (b^10)^56 ≡ 1 (mod 11), b^560 = (b^16)^35 ≡ 1 (mod 17)

• Hence, by the CRT, b^560 ≡ 1 (mod 561) for every b with gcd(b, 561) = 1. There are infinitely many Carmichael numbers.

Page 12:

Magicicada species (Wikipedia). New Lease of Life for Prime Numbers: two discoveries in the last 30 years, one amusing, the other important in the business world.

Periodic cicadas, a type of insect found in North America, hibernate for many years, lying dormant in the ground. After a long period, they emerge to begin a new life. It has been found that there are two distinct types of cicada, those that remain dormant for 13 years and those that sleep for 17 years. It is no coincidence that these two numbers are primes! This is explained in the Guide entry on cicadas.

Page 13:

Euler Totient Function Φ(n)

• the residues coprime to n form a group under multiplication mod n
• the reduced set of residues is those residues which are relatively prime to n
 – e.g. for n = 10, the complete set of residues is {0,1,2,3,4,5,6,7,8,9}; the reduced set of residues is {1,3,7,9}

• to compute Φ(n): exclude every multiple of each of its prime factors and count the residues that remain.

Theorem 1. If p is prime then Φ(p) = p − 1.
 – for p prime: Φ(p) = p − 1
 – for p·q (p, q distinct primes): Φ(p·q) = Φ(p)·Φ(q) = (p − 1)(q − 1)

Theorem 2. If gcd(n, m) = 1, then Φ(nm) = Φ(n)·Φ(m).
• Examples: Φ(3) = 2 and Φ(5) = 4 by Theorem 1. 3 and 5 are relatively prime, so the theorem claims that Φ(15) = Φ(3)·Φ(5) = 2·4 = 8, which is correct.

Page 14:

Euler Totient Function Φ(n)

• Proof (for n = p·q, p and q distinct primes): consider the integers in {0 … pq − 1} that are not relatively prime to pq: {p, 2p, …, (q − 1)p}, {q, 2q, …, (p − 1)q}, and 0. Therefore

Φ(p·q) = p·q − (q − 1) − (p − 1) − 1

= p·q − p − q + 1 = (p − 1)(q − 1)

• e.g.
 – Φ(37) = 36
 – Φ(21) = (3 − 1)×(7 − 1) = 2×6 = 12

Theorem 3. If p is prime and n ≥ 1, then Φ(p^n) = p^n − p^(n−1).
• Examples: consider p = 3 and n = 2. The integers below 9 relatively prime to 9 are {1, 2, 4, 5, 7, 8}, so Φ(9) = 6 = 9 − 3.
• Φ(5^2) = 25 − 5 = 20; inspect 1 2 3 4 [5] 6 7 8 9 [10] 11 12 13 14 [15] 16 17 18 19 [20] 21 22 23 24: the bracketed multiples of 5 are excluded and 20 residues remain.

Page 15:

Theorem 4 (Euler's Theorem). For any integer n > 1, if gcd(a, n) = 1, then a^Φ(n) ≡ 1 (mod n).

• Examples: for n = 10, Φ(10) = 4, and a with gcd(a, n) = 1:
• a = 1: 1^4 = 1
• a = 3: 3^4 = 81
• a = 7: 7^4 = 2401
• a = 9: 9^4 = 6561
• a = 17: 17^4 = 83521
• a = 57: 57^4 = 10556001
all of these are ≡ 1 (mod 10).
• n = 11, a = 2, Φ(11) = 10: 2^10 = 1024 ≡ 1 (mod 11)

Theorem 5 (Fermat's Theorem). If p is prime and gcd(a, p) = 1, then a^(p−1) ≡ 1 (mod p).

• Follows from Euler's Theorem by applying Theorems 1 and 4.
• Example: p = 5 and a = 6, which is relatively prime to 5: 6^(5−1) = 1296 ≡ 1 (mod 5).

Page 16:

Theorem 6. For any n > 1, if gcd(a, n) = 1, then the equation ax ≡ 1 (mod n) has a unique solution modulo n. From the gcd identity, there is a linear combination of a and n such that 1 = ax + ny. Since n divides ny evenly, ax mod n must be 1.

• Example (a = 3, n = 5):
• 3·0 ≡ 0 (mod 5)
• 3·1 ≡ 3 (mod 5)
• 3·2 ≡ 1 (mod 5) (so the solution is x = 2)
• 3·3 ≡ 4 (mod 5)
• 3·4 ≡ 2 (mod 5)

Theorem 7. If gcd(p, q) = 1, then for all integers x and a, x ≡ a (mod p) and x ≡ a (mod q) if and only if x ≡ a (mod pq). This is a corollary of the Chinese Remainder Theorem.

• Example: gcd(3, 5) = 1
• 32 ≡ 2 (mod 15)
• 32 ≡ 2 (mod 3)
• 32 ≡ 2 (mod 5)
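Theorems 1 to 6 of Pages 13 to 16 in Python, as an added example that is not part of the original slides: Φ(n) computed from the prime factorisation (Theorems 2 and 3), the reduced set of residues, the permutation argument behind Euler's theorem checked numerically, and the inverse of Theorem 6 found by the extended Euclidean algorithm (the 1 = ax + ny identity) rather than by brute force. The trial-division factoriser is only meant for the slide-sized numbers here; the function names are this example's own.

```python
from math import gcd


def prime_factors(n):
    """Prime factorisation by trial division, as {prime: exponent}.
    Fine for slide-sized n; useless for RSA-sized n, which is the whole point of RSA."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's totient via Theorems 2 and 3: phi(n) = prod over p^k || n of (p^k - p^(k-1))."""
    result = 1
    for p, k in prime_factors(n).items():
        result *= p ** k - p ** (k - 1)
    return result


def reduced_residues(n):
    """The reduced set of residues mod n: those relatively prime to n (len == phi(n))."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def euler_proof_step(a, n):
    """The proof of Euler's theorem, made concrete: multiplying the reduced
    residues R by a coprime a only permutes them, so prod(a*R) == prod(R) (mod n)
    and therefore a^phi(n) == 1 (mod n).
    Returns (a*R is a permutation of R, a^phi(n) mod n)."""
    R = reduced_residues(n)
    S = sorted(a * x % n for x in R)
    return S == R, pow(a, phi(n), n)


def mod_inverse(a, n):
    """Theorem 6: the unique x with a*x == 1 (mod n) when gcd(a, n) == 1,
    from the extended Euclidean algorithm (tracks 1 = a*x + n*y)."""
    old_r, r = a, n
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {old_r}")
    return old_s % n


if __name__ == "__main__":
    print(phi(10), reduced_residues(10))   # 4 [1, 3, 7, 9]
    print(phi(15), phi(21), phi(37))       # 8 12 36
    print(euler_proof_step(3, 10))         # (True, 1)
    print(mod_inverse(3, 5))               # 2
```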

Page 17:

• Factoring a number n: n = a·b·c
• Relatively hard when compared to multiplying the factors together to generate the number
• Prime factorisation of a number n
 – e.g. 91 = 7·13; 3600 = 2^4·3^2·5^2

• two numbers are relatively prime to each other if they share no prime factor, i.e. their gcd is 1
• Conversely, the gcd is the product of the common primes at their least powers in the prime factorizations:
 – 300 = 2^2·3^1·5^2, 18 = 2^1·3^2, hence GCD(18, 300) = 2^1·3^1·5^0 = 6

• Fermat's Little Theorem: a^(p−1) ≡ 1 (mod p), where p is prime and naturally gcd(a, p) = 1

Page 18:

The RSA Algorithm

• Rivest, Shamir, Adleman, MIT, 1978
• Reference: from Cormen et al. [at end of handout]

1. Select two large primes p and q such that p ≠ q. Typical values might be integers with 200 digits. RSA currently recommends a modulus of at least 768 bits (the figure these slides give; 768-bit moduli have since been factored, and at least 2048 bits is the accepted minimum today).

2. Compute N = pq.

3. Select an odd exponent Ke relatively prime to Φ(N) = (p − 1)(q − 1), where Φ(N) is kept private (Theorems 1 and 2). Finding p and q is done with a probabilistic primality test; factoring a 400-digit N, by contrast, cannot be done in a reasonable time.

4. Find Kd such that Ke·Kd ≡ 1 (mod Φ(N)). By Theorem 6 a solution for Kd exists and, given Ke and Φ(N), it is uniquely defined (Euclid's algorithm). Kd and Ke are multiplicative inverses modulo Φ(N), since their product modulo Φ(N) is 1. Note that Kd is easy to compute only if one knows the value of Φ(N), which is essentially the same as knowing the values of p and q.

5. Publish Ke and N as the public key.

6. Keep secret Kd, which along with N is the private key.

Page 19:

The RSA Algorithm

Finally: Ke (made public) and Kd (kept private).

• If PT is a numeric encoding of a block of plaintext, the ciphertext is CT = PT^Ke mod N.
• PT = CT^Kd mod N = (PT^Ke)^Kd mod N.
• P = 5, Q = 11, N = P·Q = 55
• Each encoded message block must be a number < N, i.e. at most ⌊log2(N)⌋ = 5 bits long. For a larger message, break it into blocks.

• Φ(N) = (P − 1)·(Q − 1) = 40
• Ke relatively prime to Φ(N), gcd(Ke, Φ(N)) = 1: Ke = 13
• Kd such that Kd·Ke ≡ 1 (mod Φ(N)): Kd = 37 (check: 13·37 = 481 = 12·40 + 1)

Page 20:

The RSA Algorithm

• Multiplying P by Q is easy: the number of operations depends on the number of bits in P and Q.

• For example, multiplying two 384-bit numbers takes approximately 384^2 = 147,456 bit operations.

• If one knows only N, factoring it into P and Q is hard: in essence, the number of operations depends on the value of N. The simplest method (trial division) for factoring a 768-bit number takes about 2^384 ≈ 3.94·10^115 trial divisions; for comparison, 2^85 ≈ 3.87·10^25 and 2^41 ≈ 2.2·10^12 trial divisions.

• A quick factoring algorithm for large numbers M has not been found yet, and the absence or impossibility of such an algorithm has not been proven either.

• Peter Shor has devised a very fast factoring algorithm for a quantum computer, if anyone manages to build one.

• *** Prove that M^(Ke·Kd) mod N = M mod N. In other words Pub(Priv(M)) = Priv(Pub(M)) = M.

• It turns out that there are feasible attacks on RSA. To guarantee security, a very large modulus must be used and some preprocessing (padding) of the message should be done.

Page 21:

Euler's theorem

• For every a and n relatively prime, a^Φ(n) ≡ 1 (mod n).
• For example, n = 10, a = 3, or n = 11, a = 21.

• For n prime, Φ(n) = n − 1; from Fermat's theorem a^(n−1) ≡ 1 (mod n), and so a^n ≡ a (mod n).

• Proof. It holds for any integer n: let R = {x_1, …, x_Φ(n)} be the residues relatively prime to n, let a be relatively prime to n, and let S = {a x_1 mod n, …, a x_Φ(n) mod n}. Each a x_i mod n must be relatively prime to n and less than n, since both R and a are prime to n, so S ⊆ R.

• There are no duplicates in S (a x_i ≡ a x_j would give x_i ≡ x_j, since a is invertible mod n), so S is a rearrangement of R and ∏_{i=1..Φ(n)} (a x_i) ≡ ∏_{i=1..Φ(n)} x_i (mod n), i.e. a^Φ(n) ∏_{i=1..Φ(n)} x_i ≡ ∏_{i=1..Φ(n)} x_i (mod n). Cancelling the product, which is prime to n, gives a^Φ(n) ≡ 1 (mod n), and hence a^(Φ(n)+1) ≡ a (mod n).

Page 22:

Euler's theorem

• Corollary: for n = pq with p, q distinct primes, and 0 < m < n, m^(Φ(n)+1) = m^((p−1)(q−1)+1) ≡ m (mod n) holds. If gcd(m, n) = 1, it holds by virtue of Euler's theorem.

Suppose gcd(m, n) is not 1. Since n = pq, gcd(m, n) = 1 would mean that neither p nor q divides m; so gcd(m, n) ≠ 1 means m = c_1 p or m = c_2 q for some integer c > 0 (m and n cannot be relatively prime when they share the factor p or q). Both cannot hold at once, since 0 < m < pq. Say m = c p; then gcd(m, q) = 1.

• If gcd(m, q) = 1, from Euler's theorem m^Φ(q) ≡ 1 (mod q), so [m^Φ(q)]^Φ(p) = m^Φ(n) ≡ 1 (mod q), i.e. m^Φ(n) = 1 + kq. Then m^(Φ(n)+1) = m + kqm = m + kcpq = m + kcn, so m^(Φ(n)+1) ≡ m (mod n).

• Or, in the form RSA actually needs (Ke·Kd = kΦ(n) + 1): the same argument with Φ(n) replaced by kΦ(n) gives m^(kΦ(n)+1) = [m^Φ(n)]^k · m ≡ m (mod n).
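The key generation of Page 18, the P = 5, Q = 11, Ke = 13, Kd = 37 example of Page 19 and the correctness corollary of Page 22, as an added Python example that is not part of the original slides. Beyond the slides' steps it shows two things a practitioner wants from the surrounding text: decryption done modulo p and q separately and recombined with the CRT (the speed-up noted on Page 4; the Garner-style recombination formula h = (m_q − m_p)·p^-1 mod q is this example's own standard choice), and why Page 20 insists on preprocessing the message: textbook RSA without padding is multiplicatively homomorphic, so two ciphertexts can be multiplied into a third valid ciphertext without the private key. `roundtrip_all` checks the corollary for every m below N, including the m that share a factor with N. The function names and the second key (61, 53, 17) are this example's own.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-6 of the slides: N = pq, phi(N) = (p-1)(q-1), Kd = Ke^-1 mod phi(N)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("Ke must be relatively prime to phi(N)")
    d = pow(e, -1, phi_n)                  # Theorem 6: exists and is unique
    return (e, n), (d, n)                  # public key, private key


def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)                    # CT = PT^Ke mod N


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                    # PT = CT^Kd mod N


def decrypt_crt(priv, p, q, c):
    """Decrypt modulo each factor, then recombine by the CRT (Page 4).
    Each exponentiation works on numbers half the size of N, and the exponent
    is reduced mod p-1 / q-1 by Fermat's theorem (still correct when p | c, both sides are 0)."""
    d, _ = priv
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    h = (m_q - m_p) * pow(p, -1, q) % q    # Garner recombination: m = m_p + p*h
    return m_p + p * h


def roundtrip_all(p, q, e):
    """The corollary of Page 22, checked exhaustively: m^(Ke*Kd) == m (mod N)
    for every 0 <= m < N, including m that are multiples of p or q."""
    pub, priv = rsa_keygen(p, q, e)
    return all(
        decrypt(priv, encrypt(pub, m)) == m and decrypt_crt(priv, p, q, encrypt(pub, m)) == m
        for m in range(p * q)
    )


def malleability_demo(pub, m1, m2):
    """Textbook RSA has no padding, so E(m1)*E(m2) == E(m1*m2 mod N):
    anyone holding two ciphertexts can forge a valid third one.  This is the
    'feasible attack' that proper message preprocessing (padding) is there to stop."""
    _, n = pub
    return encrypt(pub, m1) * encrypt(pub, m2) % n == encrypt(pub, m1 * m2 % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 11, 13)
    print(pub, priv)                       # (13, 55) (37, 55)
    c = encrypt(pub, 2)
    print(c, decrypt(priv, c), decrypt_crt(priv, 5, 11, c))   # 52 2 2
    print(roundtrip_all(5, 11, 13))        # True
    print(malleability_demo(pub, 3, 7))    # True
```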

Page 23: Cryptography and Network Security M. Sakalli Source: Third Edition by William Stallings And Modified Lecture Slides of Lawrie Brown.

Primality Testing
• traditionally a sieve using trial division
– i.e. divide by all numbers (primes) in turn less than the square root of the number
– only works for small numbers
• Miller-Rabin algorithm, based on Fermat’s theorem: a^(n−1) = 1 mod(n) if n is prime.
• Consider an odd number n > 2; then n−1 is an even number, therefore equal to 2^k·q with k > 0 and q odd. Keep dividing n−1 by 2; after k divisions you have got q. Choose a number 1 < a < n−1, compute the powers a^(2^j·q), and check for equality to n−1 (line 5) or to 1 (line 3):

• TEST(n) is:
1. Find integers k, q, with k > 0 and q odd, so that (n–1) = 2^k·q;
2. Select a random integer a, 1 < a < n–1;
3. if a^q mod n = 1 then return ("maybe prime");
4. for j = 0 to k – 1 do
5. if (a^(2^j·q) mod n = n−1) then return ("maybe prime")
6. return ("composite")

Page 24:

Primality Testing
If n is prime there is a smallest value of j, 0 ≤ j ≤ k, such that a^(2^j·q) mod n = 1.
For j = 0, a^q − 1 = 0 (mod n), or n | (a^q − 1).
For 1 ≤ j ≤ k, a^(2^j·q) mod n = 1, i.e.
(a^(2^(j−1)·q) mod n − 1) · (a^(2^(j−1)·q) mod n + 1) = 0 (mod n)
n divides one of the two factors; by assumption j is the smallest exponent for which n divides a^(2^j·q) − 1, so n does not divide (a^(2^(j−1)·q) mod n − 1), therefore n | (a^(2^(j−1)·q) mod n + 1). Or equivalently a^(2^(j−1)·q) mod n = (−1) mod n = n−1; line 5.

Page 25:

Probabilistic Considerations
• For a composite n, the Miller-Rabin test returns inconclusive for fewer than (n−1)/4 of the possible values of a, i.e. with probability < ¼.
• If Miller-Rabin returns “composite” the number is definitely not prime; otherwise it is a prime or a pseudo-prime, and the chance that it lets a pseudo-prime through is < ¼.
• Therefore, if the test returns inconclusive t times in succession, then the probability that n is prime is 1 − 4^(−t) …
• Prime distribution: considering the distribution of the primes, “the prime number theorem states that the primes near n are spaced on the average one every ln(n) integers”, so the number of candidates to try is on the order of ln(n); even integers and multiples of 5 are rejected, so about 0.4·ln(n). For example, if the prime is of the order of 2^200, 0.4·ln(n) ≈ 55 trials. Closely located primes: 1,000,000,000,061 and 1,000,000,000,063 are both primes.

Page 26:

Probabilistic Considerations of Miller-Rabin
• n = 29, 2^k·q = 28 = 2^2·7, k = 2;
• a = 10:
– j = 0: 10^7 mod(29) = 17, neither 28 nor 1.
– j = 1: (10^7)^2 mod(29) = 28, inconclusive, may be prime.
• a = 2:
– j = 0: 2^7 mod(29) = 12,
– j = 1: 2^14 mod(29) = 28, inconclusive.
• For all a’s this will give inconclusive, so n is a prime.
• n = 13·17 = 221, 2^k·q = 220 = 2^2·55, k = 2;
• a = 5:
– j = 0: 5^55 mod(221) = 112.
– j = 1: (5^55)^2 mod(221) = 168, so the test returns composite.
• But if a had been chosen as 21:
– j = 0: 21^55 mod(221) = 200,
– j = 1: 21^110 mod(221) = 220, returns inconclusive, which points to 221 as prime.
• In fact, of the 220 integers, 1, 21, 47, 174, 200, 220 return inconclusive.
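The TEST(n) procedure from the slide and the n = 29 / n = 221 checks above, as an added example that is not part of the original slides (function names are mine):

```python
# Added example, not from the slides: the Miller-Rabin TEST(n) as listed on
# the slide, plus a helper that lists every base a for which a composite n
# is still reported "maybe prime" (the strong liars 1, 21, 47, 174, 200, 220).
import random


def decompose(n):
    """Step 1: write n - 1 = 2^k * q with q odd; returns (k, q)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    return k, q


def miller_rabin_round(n, a):
    """One round of TEST(n) with base a: True = "maybe prime", False = "composite"."""
    k, q = decompose(n)
    x = pow(a, q, n)              # step 3: a^q mod n
    if x == 1:
        return True
    for _ in range(k):            # steps 4-5: a^(2^j q) mod n for j = 0 .. k-1
        if x == n - 1:
            return True
        x = x * x % n
    return False                  # step 6


def is_probable_prime(n, rounds=20):
    """Repeat TEST(n) with independent random bases (step 2: 1 < a < n-1);
    a composite survives t inconclusive rounds with probability below 4^-t."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, random.randrange(2, n - 1)) for _ in range(rounds))


def strong_liars(n):
    """Every a in [1, n-1] for which one round of TEST(n) is inconclusive."""
    return [a for a in range(1, n) if miller_rabin_round(n, a)]


if __name__ == "__main__":
    print(decompose(29), miller_rabin_round(29, 10), miller_rabin_round(29, 2))
    print(decompose(221), miller_rabin_round(221, 5), miller_rabin_round(221, 21))
    print(strong_liars(221))      # [1, 21, 47, 174, 200, 220]
```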

Page 27:

Primitive Roots

Page 28:

Primitive Roots
• From Euler’s theorem we have a^ø(n) mod n = 1.
• Consider a^m mod n = 1, with a and n relatively prime, GCD(a, n) = 1:
– there is at least one positive m < n satisfying a^m mod n = 1, for example m = ø(n), or possibly smaller; the smallest such m is called the order of a (mod n).
– once the powers reach m, the cycle repeats.
• If the smallest such m is ø(n), then the corresponding a is called a primitive root.
• To check if a number x is a primitive root, it suffices to check x^m = 1 mod p for the proper divisors m of p − 1 ***
– the order of any x coprime to p has to be a divisor of (p − 1), since x^(p−1) = 1 mod p.
*** The following words are not clear yet to me too, but the statement written is valid *** --- if x is not a primitive root, then there exists a strict positive divisor m of p − 1 such that x^m = 1 mod p, so the statement we made suffices. ---
• if p is prime, then successive powers of a "generate" the group mod p

Page 29:

Primitive Roots
• Example: from the previous table, p = 19, p − 1 = 2·3^2, divisors 1, 2, 3, 6, 9, 18. Check a = 10: 10^2 = 5, 10^3 = 12, 10^6 = 11, 10^9 = 18, 10^18 = 1 mod(19), so the smallest power m of x such that x^m = 1 mod p is 18, hence ord_p(a) = ord_19(10) = 18.
• Check if the rule applies to a = 5: 5^3 = 11, 5^9 = 1, … then it will recycle the numbers periodically, since 5^9 = 1 mod(19), so 5 is not a primitive root of 19.

Page 30:

Primitive Roots
• Similarly, you can do the rest of the homework by yourselves. The complete list of primitive roots is:
– mod 3: 2
– mod 5: 2, 3
– mod 7: 3, 5
– mod 11: 2, 6, 7, 8
– mod 13: 2, 6, 7, 11
– mod 17: 3, 5, 6, 7, 10, 11, 12
– mod 19: 2, 3, 10, 13, 14, 15
• Once you have found ø(p − 1) many primitive roots mod p, you are done, because mod p there are exactly ø(p − 1) distinct primitive roots.
• CHECK THIS.

Page 31:

Discrete Logarithms or Indices
• Input: p, a prime number; a, a primitive root of p; b, a residue mod p.
• Goal: find k such that a^k = b (mod p). (In other words, find the position of y in the large list {a, a^2, . . . , a^(q−1)}.)
• 14 is a primitive root of 19.
• The powers of 14 (mod 19) are, in order: 14 6 8 17 10 7 3 4 18 5 13 11 2 9 12 16 15 1
• For example, L_14(5) = 10 mod 19, because 14^10 = 5 (mod 19).
• the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
• that is, to find x where a^x = b mod p
• written as x = log_a b mod p or x = ind_{a,p}(b)
• if a is a primitive root then it always exists, otherwise it may not
– x = log_3 4 mod 13 (x s.t. 3^x = 4 mod 13) has no answer
– x = log_2 3 mod 13 = 4, by trying successive powers
• whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
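The order and divisor test for primitive roots from the slides above (p = 19, the lists mod 13 and mod 19) and the index computations on this slide (L_14(5), log_3 4 and log_2 3 mod 13), as one added example that is not part of the original slides; helper names are mine:

```python
# Added example, not from the slides: order of a mod p, the "no proper divisor
# m of p-1 gives x^m = 1" test for primitive roots, the full list of primitive
# roots of p, and the discrete logarithm found by trying successive powers.
from math import gcd


def order(a, p):
    """Smallest m > 0 with a^m = 1 (mod p); requires gcd(a, p) = 1."""
    assert gcd(a, p) == 1
    m, x = 1, a % p
    while x != 1:
        x = x * a % p
        m += 1
    return m


def is_primitive_root(a, p):
    """a is a primitive root of prime p iff a^m != 1 (mod p) for every proper
    divisor m of p-1 (the order of a must divide p-1)."""
    if a % p == 0:
        return False
    proper_divisors = [m for m in range(1, p - 1) if (p - 1) % m == 0]
    return all(pow(a, m, p) != 1 for m in proper_divisors)


def primitive_roots(p):
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def phi(n):
    """Euler's totient by counting; there are phi(p-1) primitive roots mod p."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def powers(a, p):
    """a^1, a^2, ..., a^(p-1) mod p: the table the slide prints for a = 14."""
    out, x = [], 1
    for _ in range(p - 1):
        x = x * a % p
        out.append(x)
    return out


def dlog(a, b, p):
    """Index x (1 <= x <= p-1) with a^x = b (mod p), or None if none exists
    (possible when a is not a primitive root)."""
    for x, y in enumerate(powers(a, p), start=1):
        if y == b % p:
            return x
    return None


if __name__ == "__main__":
    print(order(10, 19), order(5, 19))            # 18 9
    print(primitive_roots(19), phi(18))           # [2, 3, 10, 13, 14, 15] 6
    print(powers(14, 19))
    print(dlog(14, 5, 19), dlog(3, 4, 13), dlog(2, 3, 13))   # 10 None 4
```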

Page 32:

Diffie-Hellman, 1976, Section 10.2 of Stallings
• Based on the difficulty of computing discrete logarithms of large numbers.
• No known successful attack strategies.
• Two numbers are public: a prime p and a primitive root q of p.
• User A chooses a random integer X_A < q and computes Y_A = q^X_A mod(p), with X_A its secret (known only to itself); similarly user B chooses X_B < q and computes Y_B = q^X_B mod(p).
• Each exchanges Y_A and Y_B, while X_A, X_B remain private.
• Parties A and B compute K = Y_B^X_A mod(p) and K = Y_A^X_B mod(p), respectively,
• K = (Y_B)^X_A mod p = (q^X_B)^X_A mod p = (q^X_A)^X_B mod p = (Y_A)^X_B mod p
• Attacking the secret key of user A, for example, will require the opponent to calculate X_A = ind_{b,p}(Y_A) = dlog_{b,p}(Y_A), or the other way around.
• Example: p = 353 and a primitive root of 353, q = 3. Suppose A and B choose X_A = 97, X_B = 233.
• Y_A = 3^97 mod(353) = 40, Y_B = 3^233 mod(353) = 248
• K = 160. The attacker must solve 3^X_A mod(353) = 40 or 3^X_B mod(353) = 248.
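Both sides of the exchange with the slide's values, plus the exhaustive search for X_A that the opponent on the slide would have to do; it succeeds here only because p = 353 is tiny. Added example, not from the slides or Stallings; function names are mine:

```python
# Added example, not from the slides: Diffie-Hellman with p = 353, q = 3,
# X_A = 97, X_B = 233 (slide values), and the brute-force discrete logarithm
# that recovers a private exponent from a public value when p is this small.
import secrets

P, Q = 353, 3   # public parameters: prime p and primitive root q of p


def public_value(x, p=P, q=Q):
    """Y = q^x mod p, sent in the clear."""
    return pow(q, x, p)


def shared_key(their_y, my_x, p=P):
    """K = Y^x mod p; both sides get the same K."""
    return pow(their_y, my_x, p)


def exchange(x_a, x_b, p=P, q=Q):
    """Run both sides; returns (Y_A, Y_B, K computed by A, K computed by B)."""
    y_a, y_b = public_value(x_a, p, q), public_value(x_b, p, q)
    return y_a, y_b, shared_key(y_b, x_a, p), shared_key(y_a, x_b, p)


def random_exponent(p=P):
    """Fresh private exponent 1 < X < p-1 from a CSPRNG (never reuse or log it)."""
    return 2 + secrets.randbelow(p - 3)


def brute_force_dlog(y, p=P, q=Q):
    """Find X with q^X = y (mod p) by trying successive powers: O(p) work,
    fine for p = 353 and hopeless for the 2048-bit primes used in practice."""
    acc = 1
    for x in range(1, p):
        acc = acc * q % p
        if acc == y:
            return x
    return None


if __name__ == "__main__":
    print(exchange(97, 233))        # (40, 248, 160, 160)
    print(brute_force_dlog(40))     # 97
```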

Page 33:

• RSA is more convenient because there is no need to distribute keys.
• DES is within two orders of magnitude faster.
• A viable combination is to distribute the secret keys using RSA, and then, for the bulk data, to use DES.
• A similar combination is implemented in the Pretty Good Privacy (PGP) method.
• A number of public-key ciphers are based on the use of an abelian group. For example, Diffie-Hellman key exchange involves multiplying pairs of nonzero integers modulo a prime number p. Keys are generated by exponentiation over the group, with exponentiation defined as repeated multiplication.

Page 34:

Elliptic Curves, Chapter 10.3 and 10.4
• The same level of security with shorter keys is possible.
• An equation in two variables. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group.
• Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those for the circumference of an ellipse. In general, cubic equations for elliptic curves take the form y^2 + axy + by = x^3 + cx^2 + dx + e.
• Limiting attention (Stallings) to y^2 = x^3 + ax + b is sufficient; y = sqrt(x^3 + ax + b).

Page 35:

El Gamal public-key cryptosystem
• Secure against CT-only attacks.
• Each party (say Bob) chooses the following parameters:
• p, a large prime number, and q, a primitive root of p, made public.
• a random a ∈ {2, 3, . . . , p − 1}, private
• β = q^a (mod p), made public.
• Encrypting: choose a random k ∈ {1, 3, . . . , p − 1}. Suppose the message is a number x < p.
• E_public-k(x) = {q^k (mod p), x · β^k (mod p)}.
• Two numbers: the first one hides k, and the second one the message.
• Decrypting: D_private-k(y1, y2) = y2 · (y1^a)^(−1) (mod p)
• y2 · (y1^a)^(−1) = x · β^k · (q^(ak))^(−1) = x · (q^(ak)) · (q^(ak))^(−1) (mod p) = x
• Check the example on the next slide.

Page 36:

El Gamal public-key cryptosystem
• Example:
– p = 43, q = 3 a primitive root of p, Alice’s choice of secret key is a = 7,
– β = q^a (mod p) = 3^7 (mod 43) = 37,
– Bob picks a random key k = 26, and his message x = 14: y1 = 3^26 = 15 mod(43), y2 = 37^26 · 14 = 31 mod(43),
– CT = {15, 31}
• Alice: 31 · (15^7)^(−1) = 14 (mod 43).
• El Gamal encryption is randomized; it depends on the random k, so the same x has many encryptions.
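The key generation, encryption and decryption from the previous slide run on this slide's numbers, and a second encryption of the same x = 14 under a different k to show the randomization. Added example, not from the slides; function names are mine:

```python
# Added example, not from the slides: El Gamal with p = 43, q = 3, Alice's
# private a = 7, Bob's k = 26 and message x = 14 (slide values).
import secrets


def keygen(p, q, a):
    """Public key (p, q, beta = q^a mod p); private key a."""
    return (p, q, pow(q, a, p)), a


def encrypt(pub, x, k):
    """E(x) = (q^k mod p, x * beta^k mod p); k must be fresh for every message."""
    p, q, beta = pub
    assert 0 <= x < p, "message must be a residue mod p"
    return pow(q, k, p), x * pow(beta, k, p) % p


def decrypt(pub, a, ct):
    """D(y1, y2) = y2 * (y1^a)^-1 mod p; pow(v, -1, p) is the modular inverse."""
    p, _, _ = pub
    y1, y2 = ct
    return y2 * pow(pow(y1, a, p), -1, p) % p


def random_k(p):
    """Per-message random k in 1..p-2 from a CSPRNG."""
    return 1 + secrets.randbelow(p - 2)


if __name__ == "__main__":
    pub, priv = keygen(43, 3, 7)             # pub = (43, 3, 37)
    ct = encrypt(pub, 14, 26)                # (15, 31)
    print(pub, ct, decrypt(pub, priv, ct))   # ... 14
    ct2 = encrypt(pub, 14, random_k(43))     # same x, (almost surely) other CT
    print(ct2, decrypt(pub, priv, ct2))
```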

Page 37:

• Authentication Server
• Based on the fact that there exists a trustworthy authentication server.
• The authentication server provides a secure way for a pair of processes to obtain secret keys.
• Needham & Schroeder suggested two mechanisms to construct such a server:
– Authentication with secret keys.
– Authentication with public keys.
• Kerberos is based on the secret-key method.
• Secret Key Authentication
• A, B: the processes.
• S: the server
• N: a nonce
• K: a key.
• Only the server knows Ka and Kb.
• A → S: A, B, Na
• S → A: {Na, B, Kab, {Kab, A, timestamp}Kb}Ka
• A → B: {Kab, A, timestamp}Kb
• B → A: {Nb}Kab
• A → B: {Nb−1}Kab
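The five messages above with the check each party makes on receipt (A verifies its nonce Na and the peer name, B verifies the ticket timestamp, and the Nb / Nb−1 round trip proves both hold Kab). Added example, not from the slides; {m}K is a toy keystream-plus-HMAC construction built from hashlib so that the exchange runs offline, and all names are mine:

```python
# Added example, not from the slides: the Needham-Schroeder secret-key
# exchange. seal/open_ are a constructed stand-in for {m}K (SHA-256 keystream
# XOR plus an HMAC tag), only so the messages can be produced and checked here.
import hashlib, hmac, json, secrets, time


def _stream(key, n):
    """Toy keystream: SHA-256(key || counter) blocks, n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """{obj}key: XOR the JSON encoding with the keystream, append an HMAC tag."""
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_(key, blob):
    """Inverse of seal; raises ValueError if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))


def accept_ticket(Kb, ticket, now, max_age=300):
    """B opens {Kab, A, timestamp}Kb; returns Kab, or None if the ticket is stale."""
    t = open_(Kb, ticket)
    if abs(now - t["ts"]) > max_age:
        return None
    return bytes.fromhex(t["Kab"])


def run_protocol(now=None):
    """Run all five steps in one process; True iff A and B end with the same Kab."""
    now = time.time() if now is None else now
    Ka, Kb = secrets.token_bytes(32), secrets.token_bytes(32)  # only S holds both
    A, B = "A", "B"
    Na = secrets.randbelow(2 ** 64)                           # 1. A -> S: A, B, Na
    Kab = secrets.token_bytes(32)                             # S generates Kab
    ticket = seal(Kb, {"Kab": Kab.hex(), "A": A, "ts": now})  # {Kab, A, timestamp}Kb
    msg2 = seal(Ka, {"Na": Na, "B": B, "Kab": Kab.hex(), "ticket": ticket.hex()})
    rep = open_(Ka, msg2)                                     # 2. S -> A
    if rep["Na"] != Na or rep["B"] != B:                      # A: fresh reply, right peer
        return False
    Kab_a = bytes.fromhex(rep["Kab"])
    Kab_b = accept_ticket(Kb, bytes.fromhex(rep["ticket"]), now)  # 3. A -> B
    if Kab_b is None:
        return False
    Nb = secrets.randbelow(2 ** 64)
    msg4 = seal(Kab_b, {"Nb": Nb})                            # 4. B -> A: {Nb}Kab
    msg5 = seal(Kab_a, {"Nb1": open_(Kab_a, msg4)["Nb"] - 1})  # 5. A -> B: {Nb-1}Kab
    return open_(Kab_b, msg5)["Nb1"] == Nb - 1                # B: A proved it holds Kab


if __name__ == "__main__":
    print(run_protocol())   # True
```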

Page 38:

• Digital Signatures
• Enable one to verify that a message was originally produced by the signatory.
• Enable one to verify that the message content was not subsequently altered.
• Handwritten signatures cannot entirely provide that:
• Hard to detect forged signatures.
• Hard to prevent alteration of the document.
• Digital Signature with Public Key
• For each message we add a signature which is constructed as follows:
– Compute a digest function of the message (like a hash function) to reduce the length.
– Encrypt the result using our private key.
• The receiver
– Deciphers the signature using our public key.
– Computes the digest function on the document.
– Compares the two to validate the document.
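The sign-and-verify steps above carried out with a SHA-256 digest and a textbook RSA key pair, showing that an altered document or an altered signature fails the comparison. Added example, not from the slides; the two Mersenne primes are constructed toy parameters, far too small for real use, and the digest is reduced mod n so that it fits the modulus:

```python
# Added example, not from the slides: digest the message, "encrypt" the digest
# with the private key (textbook RSA), and let the receiver decipher with the
# public key and compare. Toy key size; no padding scheme is applied.
import hashlib

P = 2 ** 31 - 1             # constructed toy primes (both Mersenne primes)
Q = 2 ** 61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                   # public exponent
D = pow(E, -1, PHI)         # private exponent: e*d = 1 mod phi(n)


def digest(message):
    """Digest function: SHA-256 of the message, reduced mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, d=D, n=N):
    """Signature = digest^d mod n ("encrypt the digest with the private key")."""
    return pow(digest(message), d, n)


def verify(message, signature, e=E, n=N):
    """Receiver: decipher with the public key, recompute the digest, compare."""
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    msg = b"pay 100 to Bob"
    s = sign(msg)
    print(verify(msg, s))                        # True
    print(verify(b"pay 900 to Bob", s))          # False: content altered
    print(verify(msg, (s + 1) % N))              # False: signature altered
```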

