Cryptography and Network Security Third Edition by William Stallings and by Lawrie Brown Modified without permission. Dr. M. Sakalli

RSA, very briefly:
- Determine two large primes, p and q.
- Find n = pq (the public modulus) and ø(n) = (p-1)(q-1), Euler's totient function.
- Choose the encryption exponent e (the public exponent), 1 < e < ø(n) and coprime to ø(n); gcd(e, ø(n)) = 1 is the condition that guarantees d below exists.
- Compute the private exponent d such that e·d ≡ 1 (mod ø(n)).
- e is the public exponent and d is the private one.

- p and q are never revealed, preferably destroyed.
- PGP keeps p and q to speed up private-key operations by use of the Chinese Remainder Theorem, but they are stored encrypted.

- The public operation segments the message into blocks smaller than n and then applies modular exponentiation to encipher with the recipient's public key: C = P^e mod n.
- Only the key owner can decipher: P = C^d mod n.
- The time to carry out a modular exponentiation grows with the number of bits set to one in the exponent (in square-and-multiply every one-bit costs an extra multiplication). For encryption, an appropriate choice of e reduces the computational burden of C = P^e mod n.
- Popular choices of e are the Fermat primes 3, 17 and 65537, all primes with only two bits set. Fermat primes have the form F_k = 2^(2^k) + 1, k = 0, 1, ... (3, 17 and 65537 are F_0, F_2 and F_4).
- However, the bits of the decryption exponent d will not be so convenient, so with standard modular exponentiation decryption takes longer than encryption.
- Don't make the mistake of contriving a small value for d; it compromises security.
- An alternative representation of d uses the Chinese Remainder Theorem (CRT). d is represented as a quintuple (p, q, dP, dQ, qInv), where p and q are the prime factors of n, dP and dQ are known as the CRT exponents, and qInv is the CRT coefficient. CRT decryption is about four times faster overall than calculating P = C^d mod n. The pre-computed values stored with p and q as the private key are:
  - dP = e^(-1) mod (p-1) (equivalently d mod (p-1))
  - dQ = e^(-1) mod (q-1) (equivalently d mod (q-1))
  - qInv = q^(-1) mod p
- To recover the message m from a given ciphertext c:
  - m1 = c^dP mod p
  - m2 = c^dQ mod q
  - h = qInv · (m1 - m2) mod p
  - m = m2 + h·q
- Even though there are more steps in this procedure, each modular exponentiation uses exponents and moduli of half the length, so it is less expensive overall.
- A better approach to computing modular exponentiations uses Montgomery multiplication.

Esoteric RSA attacks: chosen-ciphertext (blinding) attack

- This attack is not a weakness of RSA itself; it is something the protocol around RSA has to guard against at the implementation stage.
- An attacker snooping on an insecure channel over which RSA messages pass collects an encrypted message C. The attacker simply wants to read it, P = C^d mod n, without a serious factoring effort.
- To recover the plaintext, the attacker uses the target's public key (e, n):
  - chooses a random number R < n with gcd(R, n) = 1, and its multiplicative inverse T = R^(-1) mod n;
  - computes X = R^e mod n;
  - then computes Y = X·C mod n.
- The attacker counts on the fact that the target will "sign" (decrypt) Y and return the result, since Y looks like a meaningless random value to the target.
- Note that X = R^e mod n, so X^d mod n = R.
- The attacked party receives Y, signs it with her private key (which actually decrypts it), U = Y^d mod n, and sends U back.
- The attacker computes T·U to eliminate the random R:
  T·U mod n = R^(-1)·Y^d mod n = R^(-1)·(X·C)^d mod n = R^(-1)·R^(ed)·C^d mod n = R^(-1)·R·C^d mod n = C^d mod n = M.
- To avoid this attack, do not sign a random document presented to you. Sign a one-way hash of the message instead, and do not use the same key pair for both signing and decryption.
- Avoid a low encryption exponent such as e = 3: for M < cuberoot(N), M^3 mod N is simply M^3 (no reduction takes place), so M is recovered by taking an ordinary integer cube root of the ciphertext.
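The CRT private-key representation and the two attacks above, carried through as an added, runnable example. This is not code from the slides or from Stallings: the toy primes p = 61, q = 53, e = 17 (and p = 11, q = 17, e = 3 for the cube-root case), the message values and the oracle that signs whatever it is handed are assumptions for illustration, far too small for real use.

```python
# Added example (not from the slides): RSA with a CRT-form private key,
# the blinding chosen-ciphertext attack, and the e = 3 small-message attack.
# Toy parameters are assumptions for illustration only; never use keys this small.
from math import gcd
import secrets


def rsa_keygen(p, q, e):
    """Return an RSA key as a dict, including the CRT quintuple (p, q, dP, dQ, qInv)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                 # e*d = 1 mod phi(n)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dP": pow(e, -1, p - 1),        # == d mod (p-1)
        "dQ": pow(e, -1, q - 1),        # == d mod (q-1)
        "qInv": pow(q, -1, p),          # CRT coefficient
    }


def encrypt(key, m):
    return pow(m, key["e"], key["n"])


def decrypt_plain(key, c):
    """Straightforward P = C^d mod n."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(key, c):
    """CRT decryption: two half-size exponentiations, then recombination."""
    m1 = pow(c, key["dP"], key["p"])
    m2 = pow(c, key["dQ"], key["q"])
    h = key["qInv"] * (m1 - m2) % key["p"]
    return m2 + h * key["q"]


def blinding_attack(n, e, c, sign_oracle):
    """Recover c^d mod n using an oracle that signs (decrypts) any value it is handed."""
    while True:
        r = secrets.randbelow(n - 2) + 2      # random R in [2, n-1] with an inverse mod n
        if gcd(r, n) == 1:
            break
    x = pow(r, e, n)                          # X = R^e
    y = x * c % n                             # Y = X*C, looks random to the victim
    u = sign_oracle(y)                        # U = Y^d = R * C^d
    return pow(r, -1, n) * u % n              # T*U = C^d = M


def cube_root_attack(c):
    """For e = 3 and m^3 < n the ciphertext is m^3 unreduced; take an integer cube root."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 2)
    while lo < hi:                            # binary search: smallest x with x^3 >= c
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == c else None


if __name__ == "__main__":
    key = rsa_keygen(61, 53, 17)              # toy key: n = 3233
    c = encrypt(key, 65)
    print("plain:", decrypt_plain(key, c), "crt:", decrypt_crt(key, c))
    oracle = lambda y: pow(y, key["d"], key["n"])   # careless signer
    print("recovered by blinding:", blinding_attack(key["n"], key["e"], c, oracle))
    k3 = rsa_keygen(11, 17, 3)                # n = 187, message 5 < cuberoot(187)
    print("recovered by cube root:", cube_root_attack(encrypt(k3, 5)))
```

The oracle stands in for a server that signs arbitrary blobs with its decryption key; signing a hash of the message instead, or keeping signing and decryption keys separate, removes the attacker's ability to get Y^d back.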

Timing attack against RSA

- Exploits computational timing differences in RSA to recover d. It is a passive attack: the attacker snoops on the network and measures the RSA operations.
- The attacker measures the time t that each modular exponentiation M = C^d mod n takes, for many ciphertexts C.
- Pseudocode of the operation being timed (right-to-left square-and-multiply), computing M = C^d mod n:

  M_0 = 1, C_0 = C
  for i = 0 to length(d) - 1:
      if bit i of d is 1 then M_{i+1} = (M_i · C_i) mod n
      else M_{i+1} = M_i
      C_{i+1} = C_i^2 mod n
  end; M = M_length(d)

- The multiplication is only performed for the one-bits of d, so the running time depends on the secret exponent; the attacker recovers d bit by bit by correlating the measured times with the predicted cost of that multiplication under each hypothesis for the bit.
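An added illustration, not from the slides, of why the pseudocode above leaks: the right-to-left square-and-multiply loop written out with an operation counter, beside a Montgomery-ladder variant that performs the same two operations on every bit. The counters stand in for the attacker's timings; the modulus and exponents are constructed inputs.

```python
# Added example (not from the slides): operation counts of the slide's
# square-and-multiply loop versus a Montgomery ladder. Inputs are constructed.


def square_and_multiply(c, d, n):
    """Right-to-left square-and-multiply as in the slide's pseudocode.

    Returns (C^d mod n, number of multiplications, number of squarings).
    The multiplication count equals the Hamming weight of d: that is the leak.
    """
    m, cur, mults, squares = 1, c % n, 0, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:                 # bit i of d is 1
            m = m * cur % n
            mults += 1
        cur = cur * cur % n              # C_{i+1} = C_i^2 mod n
        squares += 1
    return m, mults, squares


def montgomery_ladder(c, d, n):
    """Left-to-right Montgomery ladder: one multiply and one square per bit,
    whatever the bit value, so the operation count reveals only bit_length(d).

    Returns (C^d mod n, number of modular multiplications performed).
    """
    r0, r1, ops = 1, c % n, 0
    for i in reversed(range(d.bit_length())):
        if (d >> i) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        ops += 2
    return r0, ops


def hamming_weight(d):
    return bin(d).count("1")


if __name__ == "__main__":
    n = 1_000_003                         # constructed modulus
    for d in (3, 17, 65537, (1 << 17) - 1, 0b1011011101101):
        m, mults, squares = square_and_multiply(7, d, n)
        assert m == pow(7, d, n)
        print(f"d={d:>17b}: {mults} multiplications, {squares} squarings; "
              f"ladder does {montgomery_ladder(7, d, n)[1]} ops")
```

Equal operation counts are necessary but not sufficient for constant time: the ladder still branches on the secret bit and Python's big-integer arithmetic itself is not constant time, so a production implementation additionally uses blinding or a branch-free ladder.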

Sun Tzu's Chinese Remainder Theorem

Used to compute modular exponentiation faster (the CRT form of the RSA private key above). It states that when the moduli of a system of linear congruences are pairwise relatively prime, the system has a unique solution modulo the product of the moduli.

A linear congruence has the form a·x ≡ b (mod m).

In the Sun Tzu Suan Ching (around the 3rd to 5th century CE), the Chinese mathematician Sun Tzu posed the following problem:

"There are certain things whose number is unknown. When divided by 3, the remainder is 2; when divided by 5, the remainder is 3; and when divided by 7, the remainder is 2. What will be the number of things?"

Discrete Mathematics, Kenneth H. Rosen, page 186.

x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7)

Let m_1, m_2, ..., m_n be pairwise relatively prime numbers. Then the system x ≡ a_1 (mod m_1), x ≡ a_2 (mod m_2), ..., x ≡ a_n (mod m_n) has a unique solution modulo M = m_1·m_2·...·m_n. The CRT says that only one residue x mod (3·5·7) satisfies all three equations.

x ≡ 23 (mod 105): 23 = 7·3 + 2 ≡ 2 (mod 3), 23 = 4·5 + 3 ≡ 3 (mod 5), 23 = 3·7 + 2 ≡ 2 (mod 7).

How to construct the solution mod M
- 23 mod 105 means 23 + 105n for an integer n: {..., -292, -187, -82, 23, 128, 233, 338, ...}. All of these congruent numbers are solutions of Sun Tzu's three equations.
- M = prod_{k=1..n} m_k = m_1·m_2·...·m_n; all m_k have to be pairwise relatively prime.
- For each equation x ≡ a_k (mod m_k) calculate M_k = M / m_k, the product of all the moduli except m_k.
- y_k is the inverse of M_k modulo m_k: M_k·y_k ≡ 1 (mod m_k).

  x ≡ 2 (mod 3): M_1 = 5·7 = 35, 35·y_1 ≡ 2·y_1 ≡ 1 (mod 3), y_1 = 2
  x ≡ 3 (mod 5): M_2 = 3·7 = 21, 21·y_2 ≡ 1·y_2 ≡ 1 (mod 5), y_2 = 1
  x ≡ 2 (mod 7): M_3 = 3·5 = 15, 15·y_3 ≡ 1·y_3 ≡ 1 (mod 7), y_3 = 1

- x = a_1·M_1·y_1 + a_2·M_2·y_2 + a_3·M_3·y_3 = 2·35·2 + 3·21·1 + 2·15·1 = 140 + 63 + 30 = 233 ≡ 23 (mod 105).

Why does this work? (without going into detail)

Take the solution x = a_1·M_1·y_1 + a_2·M_2·y_2 + ... + a_n·M_n·y_n and reduce it modulo m_1:
- the term a_1·M_1·y_1 is congruent to a_1, since M_1·y_1 ≡ 1 (mod m_1);
- every other term a_k·M_k·y_k (k ≠ 1) is 0 mod m_1, since M_k is a multiple of m_1.

So x ≡ a_1 (mod m_1). The same argument holds for any of the m_k, therefore x satisfies all of the equations.

Ancient Chinese problem:

A band of 17 pirates stole a sack of gold coins. When they tried to divide the fortune into equal portions, 3 coins remained. In the ensuing brawl over who should get the extra coins, one pirate was killed. The wealth was redistributed, but this time an equal division left 10 coins. Again an argument developed in which another pirate was killed, but now the fortune could be evenly distributed.

What was the least number of coins which could have been stolen?

What are all possible numbers of coins which could have been stolen?

If x is the number of coins, it has to satisfy the following modular equations: x ≡ 3 (mod 17), x ≡ 10 (mod 16), x ≡ 0 (mod 15).

These moduli are pairwise relatively prime, so the Chinese Remainder Theorem says there IS a solution mod 17·16·15 = 4080. (Had the moduli shared a factor, the system might have had no solution at all.)

Write down the equations for the y_k:
  x ≡ 3 (mod 17): (16·15)·y_1 ≡ 1 (mod 17), i.e. 240·y_1 ≡ 1 (mod 17)
  x ≡ 10 (mod 16): (17·15)·y_2 ≡ 1 (mod 16), i.e. 255·y_2 ≡ 1 (mod 16)
  x ≡ 0 (mod 15): (17·16)·y_3 ≡ 1 (mod 15), i.e. 272·y_3 ≡ 1 (mod 15)

Solve the equations for y_k by whatever way is easiest (brute force or by finding inverses):
  240 ≡ 2 (mod 17): 2·y_1 ≡ 1, y_1 = 9 (mod 17)
  255 ≡ 15 (mod 16): 15·y_2 ≡ 1, y_2 = 15 (mod 16)
  272 ≡ 2 (mod 15): 2·y_3 ≡ 1, y_3 = 8 (mod 15)

Construct the solution x (mod 17·16·15): x = a_1·M_1·y_1 + a_2·M_2·y_2 + a_3·M_3·y_3 = 3·(16·15)·9 + 10·(17·15)·15 + 0·(17·16)·8 = 6480 + 38250 + 0 = 44730 ≡ 3930 (mod 4080).

Check: 3930 = 231·17 + 3 ≡ 3 (mod 17); 3930 = 245·16 + 10 ≡ 10 (mod 16); 3930 = 262·15 ≡ 0 (mod 15). Therefore the solution works.

What is the smallest number of coins which the pirates could have stolen? 3930. What other possible numbers of coins could the pirates have stolen? Any number which satisfies all of those equations is ≡ 3930 (mod 4080); therefore any number of the form 3930 + 4080n could have been stolen: N = {3930, 8010, 12090, 16170, ...}.

Systems of linear modular equations: suppose a system of n linear modular equations
  a_1·x ≡ b_1 (mod m_1)
  a_2·x ≡ b_2 (mod m_2)
  ...
  a_n·x ≡ b_n (mod m_n)

From the last section we know how to solve each equation a_i·x ≡ b_i (mod m_i) individually (when a solution actually exists, i.e. when gcd(a_i, m_i) divides b_i), turning it into a plain congruence for x:
  a_1·x ≡ b_1 (mod m_1)  ->  x ≡ c_1 (mod m_1)
  a_2·x ≡ b_2 (mod m_2)  ->  x ≡ c_2 (mod m_2)
  ...
  a_n·x ≡ b_n (mod m_n)  ->  x ≡ c_n (mod m_n)
and the CRT then combines the results (if gcd(a_i, m_i) > 1 the modulus of the reduced congruence shrinks to m_i / gcd(a_i, m_i)).

Solve the following sets of simultaneous congruences:
  i)   x ≡ 5 (mod 6),  x ≡ 4 (mod 11),  x ≡ 3 (mod 17)
  ii)  x ≡ 5 (mod 11), x ≡ 14 (mod 29), x ≡ 15 (mod 21)
  iii) 2x ≡ 1 (mod 5), 3x ≡ 9 (mod 6), 4x ≡ 1 (mod 7), 5x ≡ 9 (mod 11)

Question iii is a bit harder than I would probably ask on a test. How badly do you want an A+?

Homework:

Answer Brahmagupta's question (7th century AD): An old woman goes to market and a horse steps on her basket and crushes the eggs. The rider offers to pay for the damages and asks her how many eggs she had brought. She does not remember the exact number, but when she had taken them out two at a time, there was one egg left. The same happened when she picked them out three, four, five, and six at a time, but when she took them seven at a time they came out even. What is the smallest number of eggs she could have had?

What other possible numbers of eggs could she have had?

[Hint: x ≡ 1 (mod 2, 3, 4, 5, 6), x ≡ 0 (mod 7).]
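The M_k / y_k construction from the slides, together with the reduction of a_i·x ≡ b_i (mod m_i) to x ≡ c_i described in the systems section, as one added general solver. This is example code, not from the slides or from Rosen; it is run on the slides' Sun Tzu and pirate problems and on a constructed two-equation system with coefficients (3x ≡ 9 (mod 6), 2x ≡ 1 (mod 5)) that exercises the gcd step.

```python
# Added example (not from the slides): the M_k / y_k construction from the
# slides as a general solver, preceded by the reduction of a*x = b (mod m) to
# x = c (mod m') needed for systems with coefficients. Inputs below are the
# slides' Sun Tzu and pirate problems plus a constructed two-equation system.
from math import gcd, prod


def solve_linear_congruence(a, b, m):
    """Reduce a*x = b (mod m) to x = c (mod m//g), g = gcd(a, m).

    Solvable only if g divides b; then divide through by g and multiply by the
    inverse of a/g modulo m/g.
    """
    g = gcd(a, m)
    if b % g:
        raise ValueError(f"{a}x = {b} (mod {m}) has no solution: gcd {g} does not divide {b}")
    a, b, m = a // g, b // g, m // g
    c = (pow(a, -1, m) * b) % m if m > 1 else 0
    return c, m


def crt(residues, moduli):
    """Solve x = a_k (mod m_k) for pairwise coprime moduli.

    M = product of moduli, M_k = M / m_k, y_k = M_k^-1 mod m_k,
    x = sum a_k * M_k * y_k (mod M), exactly as on the slides.
    """
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError(f"moduli {mi} and {mj} are not coprime")
    big_m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        m_big_k = big_m // m_k
        y_k = pow(m_big_k, -1, m_k) if m_k > 1 else 0
        x += a_k * m_big_k * y_k
    return x % big_m, big_m


def solve_system(equations):
    """equations: list of (a, b, m) meaning a*x = b (mod m). Returns (x, M)."""
    residues, moduli = [], []
    for a, b, m in equations:
        c, m_reduced = solve_linear_congruence(a, b, m)
        residues.append(c)
        moduli.append(m_reduced)
    return crt(residues, moduli)


if __name__ == "__main__":
    sun_tzu = [(1, 2, 3), (1, 3, 5), (1, 2, 7)]
    pirates = [(1, 3, 17), (1, 10, 16), (1, 0, 15)]
    with_coefficients = [(3, 9, 6), (2, 1, 5)]      # constructed: 3x=9 (mod 6), 2x=1 (mod 5)
    for name, eqs in (("Sun Tzu", sun_tzu), ("pirates", pirates), ("constructed", with_coefficients)):
        x, big_m = solve_system(eqs)
        print(f"{name}: x = {x} (mod {big_m}); next solutions {x + big_m}, {x + 2 * big_m}")
```

The explicit pairwise-coprimality check matters: Python's pow(M_k, -1, m_k) would also fail for a shared factor, but with a less useful message, and silently "solving" a system whose moduli overlap is exactly the mistake the pirate slide warns about.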

Chinese Remainder Theorem (use in computation)
- Used to speed up modulo computations when working modulo a product of numbers, e.g. mod M = m_1·m_2·...·m_k.
- The CRT lets us work in each modulus m_i separately; since the computational cost grows with the size of the modulus, this is faster than working in the full modulus M.
- CRT can be implemented in several ways: to compute A mod M, first compute each a_i = A mod m_i separately, do the arithmetic modulo each m_i, and then combine the results to get the answer using the construction above (x = sum of a_i·M_i·y_i mod M).

Euler Totient Function ø(n)
- For p prime, Fermat's little theorem says a^p ≡ a (mod p), and a^(p-1) ≡ 1 (mod p) when p does not divide a.
- Its converse is not true: for example n = 11·31 = 341 is composite, yet 2^340 ≡ 1 (mod 341) (341 is a pseudoprime to base 2).
- The Sieve of Eratosthenes (κόσκινον Ἐρατοσθένους) lists the primes up to a bound by striking out multiples.
- Euler generalizes Fermat's theorem: a^ø(n) ≡ 1 (mod n) where gcd(a, n) = 1. The residues coprime to n form a group.
- The reduced set of residues is those residues which are relatively prime to n; e.g. for n = 10 the complete set of residues is {0,1,2,3,4,5,6,7,8,9} and the reduced set of residues is {1,3,7,9}, so ø(10) = 4.
- To compute ø(n): strike out every multiple of each prime factor of n and count what is left.
- For p prime, ø(p) = p-1; for p·q with p, q prime, ø(p·q) = ø(p)·ø(q) = (p-1)(q-1).
- Why: consider the integers in {0, ..., pq-1} that are not relatively prime to pq: {p, 2p, ..., (q-1)p}, {q, 2q, ..., (p-1)q} and 0. Therefore ø(p·q) = p·q - (q-1) - (p-1) - 1 = p·q - p - q + 1 = (p-1)(q-1).
- e.g. ø(37) = 36; ø(21) = (3-1)×(7-1) = 2×6 = 12.
- For p prime, ø(p) = p-1, and from Fermat's theorem a^(p-1) ≡ 1 (mod p), a^p ≡ a (mod p).
- e.g. a = 3, n = 10: ø(10) = (5-1)(2-1) = 4, hence 3^4 = 81 ≡ 1 (mod 10); a = 2, n = 11: ø(11) = 10, hence 2^10 = 1024 ≡ 1 (mod 11).

Euler's theorem
- Corollary: for n = pq, both prime, and 0 < m < n, m^(ø(n)+1) = m^((p-1)(q-1)+1) ≡ m (mod n) holds for every such m. If gcd(m, n) = 1 it holds by virtue of Euler's theorem, since then m^ø(n) ≡ 1 (mod n).
- Suppose gcd(m, n) ≠ 1. Then n = pq means that either p or q must divide m: m = c_1·p or m = c_2·q, with c an integer, c > 0. Such an m and n cannot be relatively prime, so this is exactly the case gcd(m, n) ≠ 1.
- Suppose m = c·p and gcd(m, q) = 1 (m < n = pq, so m cannot be a multiple of both primes). From Euler's theorem m^ø(q) ≡ 1 (mod q), hence [m^ø(q)]^ø(p) = m^ø(n) ≡ 1 (mod q), i.e. m^ø(n) = 1 + k·q for some integer k. Then
  m^(ø(n)+1) = m + m·k·q = m + c·k·p·q = m + c·k·n
  m^(ø(n)+1) ≡ m (mod n).
- The same argument with k·ø(n) in place of ø(n) gives m^(k·ø(n)+1) = [m^ø(n)]^k · m ≡ m (mod n) for every k ≥ 0, which is what RSA decryption relies on, since e·d = 1 + k·ø(n).

Factoring
- Factoring a number n = a·b·c is relatively hard when compared to multiplying the factors together to generate the number.
- Prime factorisation of a number n: e.g. 91 = 7·13; 3600 = 2^4·3^2·5^2.
- Two numbers are relatively prime to each other if they share no prime factor, i.e. their gcd is 1. Conversely, the gcd is the product of the least powers of the primes in the factorizations: 300 = 2^2·3·5^2, 18 = 2·3^2, hence gcd(18, 300) = 2^1·3^1·5^0 = 6.
- Fermat's little theorem: a^(p-1) ≡ 1 (mod p), where p is prime and naturally gcd(a, p) = 1.

Primality Testing
- Traditionally: sieve using trial division, i.e. divide by all numbers (primes) in turn less than the square root of the number; only works for small numbers.
- Wilson's test: (p-1)! ≡ -1 (mod p) exactly when p is prime. In the proof, pair each number with its inverse; the only self-inverse residues are a ≡ ±1, because a^2 ≡ 1 (mod p) means p | a^2 - 1 = (a-1)(a+1).
- Miller-Rabin algorithm: based on Fermat's theorem, a^(n-1) ≡ 1 (mod n) if n is prime.
- Consider an odd number n > 2; then n-1 is even, therefore equal to 2^k·q with k > 0 and q odd. Keep dividing n-1 by 2; after k divisions you have q. Pick a number 1 < a < n-1, compute the powers a^q, a^(2q), ..., a^(2^(k-1)·q) mod n, and check for equality to 1 (line 3) or to n-1 (line 5):

  TEST(n) is:
  1. Find integers k, q, with k > 0, q odd, so that (n-1) = 2^k·q;
  2. Select a random integer a, 1 < a < n-1;
  3. if a^q mod n = 1 then return ("maybe prime");
  4. for j = 0 to k-1 do
  5.    if (a^(2^j·q) mod n = n-1) then return ("maybe prime");
  6. return ("composite")

Why it works: if n is prime, then a^(n-1) = a^(2^k·q) ≡ 1 (mod n), so there is a smallest value of j, 0 ≤ j ≤ k, such that a^(2^j·q) mod n = 1.
- For j = 0: a^q - 1 ≡ 0, or n | (a^q - 1); this is line 3.
- For 1 ≤ j ≤ k: a^(2^j·q) ≡ 1 (mod n) means (a^(2^(j-1)·q) - 1)·(a^(2^(j-1)·q) + 1) ≡ 0 (mod n). Since n is prime it divides one of the two factors; by the choice of j as the smallest such index, n does not divide (a^(2^(j-1)·q) - 1), therefore n | (a^(2^(j-1)·q) + 1), or equivalently a^(2^(j-1)·q) mod n = -1 mod n = n-1; this is line 5.

- For a composite n, the test returns "maybe prime" for fewer than (n-1)/4 of the possible bases a, i.e. a composite passes a single round with probability < 1/4.
- If Miller-Rabin returns "composite" the number is definitely not prime; otherwise it is a prime or a pseudoprime, and the chance that a pseudoprime is not detected in one round is < 1/4.
- Therefore if the test returns inconclusive t times in succession with independently chosen a, the probability that a composite n survived is < 4^(-t), so n is prime with probability > 1 - 4^(-t).
- Prime distribution: the prime number theorem states that "the primes near n are spaced on the average one every ln(n) integers", so the number of candidates to test is on the order of ln(n); even integers and multiples of 5 are rejected immediately, which leaves about 0.4·ln(n) trials. For example, for primes of the order of 2^200, 0.4·ln(2^200) ≈ 55 trials. Closely located primes do occur: 1,000,000,000,061 and 1,000,000,000,063 are both primes.

Probabilistic considerations of Miller-Rabin
- n = 29: 2^k·q = 28 = 2^2·7, k = 2, q = 7.
  - a = 10: j = 0, 10^7 mod 29 = 17, neither 28 nor 1; j = 1, (10^7)^2 mod 29 = 28, inconclusive, maybe prime.
  - a = 2: j = 0, 2^7 mod 29 = 12; j = 1, 2^14 mod 29 = 28, inconclusive.
  - For every a this gives inconclusive, since n is in fact prime.
- n = 13·17 = 221: 2^k·q = 220 = 2^2·55, k = 2, q = 55.
  - a = 5: j = 0, 5^55 mod 221 = 112; j = 1, (5^55)^2 mod 221 = 168; neither 1 nor 220, so the test returns composite.
  - But had a been chosen as 21: j = 0, 21^55 mod 221 = 200; j = 1, 21^110 mod 221 = 220, so the test returns inconclusive, which would point to 221 being prime.
  - In fact, of the 220 integers 1 ≤ a ≤ 220, exactly 1, 21, 47, 174, 200 and 220 return inconclusive (the strong liars for 221).
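TEST(n) from the slides as working code, added here as an example (not the slides' or Stallings' code): a single-base witness function, the repeated-round test, an enumeration of the strong liars of a composite (reproducing the 221 list above), and the random-search prime generation that the "0.4·ln(n) trials" estimate refers to. The numbers used are from the slides or constructed; the round count of 20 is an assumed default.

```python
# Added example (not from the slides): TEST(n) from the slides as a function,
# a repeated-round Miller-Rabin test, an enumeration of the strong liars of a
# composite, and the random-search prime generation the "0.4 ln(n) trials"
# estimate refers to. Numbers used below are constructed or from the slides.
import math
import secrets


def decompose(n):
    """Write n-1 = 2^k * q with q odd (step 1 of TEST(n))."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k, q = k + 1, q // 2
    return k, q


def is_witness(a, n):
    """True if base a proves n composite; False means "maybe prime" (steps 3-6)."""
    k, q = decompose(n)
    x = pow(a, q, n)
    if x == 1:                       # line 3
        return False
    for _ in range(k):               # lines 4-5: j = 0 .. k-1
        if x == n - 1:
            return False
        x = x * x % n
    return True                      # line 6


def miller_rabin(n, rounds=20):
    """Probabilistic test: "composite" is certain, "prime" is wrong with probability < 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # random a with 1 < a < n-1 (step 2)
        if is_witness(a, n):
            return False
    return True


def strong_liars(n):
    """All bases 1 <= a <= n-1 for which composite n passes one round."""
    return [a for a in range(1, n) if not is_witness(a, n)]


def random_prime(bits, rounds=20):
    """Draw odd candidates of the given size, skip multiples of 5, test until one passes.

    Returns (prime, candidates_tested); on average about 0.4 * ln(2^bits) are tested.
    """
    tested = 0
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` bits, odd
        if cand % 5 == 0:
            continue
        tested += 1
        if miller_rabin(cand, rounds):
            return cand, tested


if __name__ == "__main__":
    print("29 prime?", miller_rabin(29), " 221 prime?", miller_rabin(221))
    print("strong liars of 221:", strong_liars(221))
    p, tests = random_prime(200)
    print(f"200-bit prime after {tests} candidates (expected ~{0.4 * math.log(2 ** 200):.0f}):", p)
```

For 221 only 4 of the 218 admissible bases lie, so even a single round almost always catches it; the < 1/4 bound on the slides is the worst case over all composites, which is why production code still runs tens of rounds or uses fixed witness sets with proven coverage.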

Primitive Roots
- From Euler's theorem we have a^ø(n) mod n = 1 when gcd(a, n) = 1.
- Consider a^m mod n = 1 for (a, n) relatively prime, gcd(a, n) = 1. There is at least one positive m < n satisfying a^m mod n = 1, for example m = ø(n), and it may be smaller; the smallest such m is called the order of a (mod n). Once the powers reach m, the cycle repeats.
- If the smallest such m is ø(n), then the corresponding a is called a primitive root.
- To check whether x is a primitive root mod p (p prime), it suffices to check x^m ≢ 1 (mod p) for every proper divisor m of p-1: the order of any x coprime to p has to be a divisor of p-1, since x^(p-1) ≡ 1 (mod p), so if x is not a primitive root there exists a proper divisor m of p-1 with x^m ≡ 1 (mod p). (It is even enough to test m = (p-1)/r for each prime r dividing p-1.)
- If p is prime, the successive powers of a primitive root a "generate" the whole multiplicative group mod p.
- Example: p = 19, p-1 = 18 = 2·3^2, divisors 1, 2, 3, 6, 9, 18. Check a = 10: 10^2 = 5, 10^3 = 12, 10^6 = 11, 10^9 = 18, 10^18 = 1 (mod 19), so the smallest power m with 10^m ≡ 1 (mod 19) is 18; hence ord_p(a) = ord_19(10) = 18 and 10 is a primitive root.
- Check a = 5: 5^3 = 11, 5^9 = 1 (mod 19), so ord_19(5) = 9 and the powers of 5 recycle with period 9; 5 is not a primitive root.
- Similarly, you can do the rest of the homework by yourselves. The complete list of primitive roots is:
  - mod 3: 2
  - mod 5: 2, 3
  - mod 7: 3, 5
  - mod 11: 2, 6, 7, 8
  - mod 13: 2, 6, 7, 11
  - mod 17: 3, 5, 6, 7, 10, 11, 12, 14
  - mod 19: 2, 3, 10, 13, 14, 15
- Once you have found ø(p-1) many primitive roots mod p, you are done, because mod p there are exactly ø(p-1) distinct primitive roots.

Discrete Logarithms or Indices
- Input: p a prime number, a a primitive root of p, b a residue mod p.
- Goal: find k such that a^k ≡ b (mod p). In other words, find the position of b in the list {a, a^2, ..., a^(p-1)}.
- 14 is a primitive root of 19. The powers of 14 (mod 19) are, in order: 14, 6, 8, 17, 10, 7, 3, 4, 18, 5, 13, 11, 2, 9, 12, 16, 15, 1.
- For example L_14(5) = 10 mod 19, because 14^10 ≡ 5 (mod 19).
- The inverse problem to exponentiation is to find the discrete logarithm of a number modulo p: that is, to find x where a^x ≡ b (mod p), written as x = log_a b mod p or x = ind_{a,p}(b).
- If a is a primitive root the logarithm always exists; otherwise it may not:
  - x = log_3 4 mod 13 (x such that 3^x ≡ 4 mod 13) has no answer (3 is not a primitive root mod 13: 3^3 = 27 ≡ 1, so its powers only take the values 3, 9, 1);
  - x = log_2 3 mod 13 = 4, found by trying successive powers (2^4 = 16 ≡ 3).
- Whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem.
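The order and primitive-root checks and the discrete-logarithm examples from the two sections above, as one added piece of example code (not from the slides): the order of a residue is found by testing only the divisors of p-1, the primitive-root test uses the (p-1)/r shortcut, the count is compared with ø(p-1), and a brute-force logarithm returns None where no solution exists. The primes involved are the slides' small ones; brute force is only meant for such toy sizes.

```python
# Added example (not from the slides): order of a residue mod a prime by testing
# the divisors of p-1, the primitive-root check, the ø(p-1) count, and a brute
# force discrete logarithm that reports None where no solution exists.
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def divisors(n):
    return sorted(d for d in range(1, n + 1) if n % d == 0)


def order_mod(a, p):
    """Smallest m >= 1 with a^m = 1 (mod p). It divides p-1, so only divisors are tried."""
    if gcd(a, p) != 1:
        raise ValueError("a must be coprime to p")
    return next(m for m in divisors(p - 1) if pow(a, m, p) == 1)


def is_primitive_root(a, p):
    """a generates the group iff a^((p-1)/r) != 1 for every prime r dividing p-1."""
    return gcd(a, p) == 1 and all(pow(a, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def primitive_roots(p):
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def totient(n):
    """ø(n) by the product formula over the distinct prime factors."""
    result = n
    for r in prime_factors(n):
        result = result // r * (r - 1)
    return result


def discrete_log(a, b, p):
    """Smallest k in 1..p-1 with a^k = b (mod p), or None (brute force: fine for toy p)."""
    x = 1
    for k in range(1, p):
        x = x * a % p
        if x == b % p:
            return k
    return None


if __name__ == "__main__":
    print("ord_19(10) =", order_mod(10, 19), " ord_19(5) =", order_mod(5, 19))
    for p in (3, 5, 7, 11, 13, 17, 19):
        print(f"mod {p}: {primitive_roots(p)}  (ø({p - 1}) = {totient(p - 1)})")
    print("L_14(5) mod 19 =", discrete_log(14, 5, 19))
    print("log_3 4 mod 13 =", discrete_log(3, 4, 13), " log_2 3 mod 13 =", discrete_log(2, 3, 13))
```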

Diffie-Hellman, 1976, Section 10.2 of Stallings
- Based on the difficulty of computing discrete logarithms of large numbers.
- No efficient general method for computing discrete logarithms is known, so no practical attack on the exchange itself is known for properly chosen parameters. (The exchange authenticates neither party, so in practice it has to be combined with authentication.)
- Two numbers are public: a prime p and a primitive root g of p.
- User A chooses a random integer X_A < p and computes Y_A = g^X_A mod p, keeping X_A secret (known only to A). Similarly user B chooses X_B < p and computes Y_B = g^X_B mod p.
- They exchange Y_A and Y_B, while X_A and X_B remain private.
- Parties A and B compute K = Y_B^X_A mod p and K = Y_A^X_B mod p, respectively.
- K = (Y_B)^X_A mod p = (g^X_B)^X_A mod p = (g^X_A)^X_B mod p = (Y_A)^X_B mod p.
- Attacking the secret key of user A, for example, requires the opponent to calculate X_A = ind_{g,p}(Y_A) = dlog_{g,p}(Y_A), or the other way around for B.
- Example: p = 353 and g = 3, a primitive root of 353. Suppose A and B choose X_A = 97 and X_B = 233.
  - Y_A = 3^97 mod 353 = 40, Y_B = 3^233 mod 353 = 248.
  - K = 248^97 mod 353 = 40^233 mod 353 = 160. The attacker must solve 3^X_A mod 353 = 40 or 3^X_B mod 353 = 248.

- RSA is more convenient than a symmetric cipher because there is no need to distribute secret keys.
- DES is within two orders of magnitude faster.
- A viable combination is to distribute the secret keys using RSA and then use DES for the bulk data.
- A similar combination is implemented in the Pretty Good Privacy (PGP) method.

Elliptic Curves, Chapter 10.3 and 10.4
- A number of public-key ciphers are based on the use of an abelian group. For example, Diffie-Hellman key exchange involves multiplying pairs of nonzero integers modulo a prime number p; keys are generated by exponentiation over the group, with exponentiation defined as repeated multiplication.
- Elliptic curves offer the same level of security with shorter keys.
- An elliptic curve is an equation in two variables. For cryptography, the variables and coefficients are restricted to elements of a finite field, which results in the definition of a finite abelian group.
- Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. In general, cubic equations for elliptic curves take the form y^2 + axy + by = x^3 + cx^2 + dx + e.
- Limiting attention (as Stallings does) to y^2 = x^3 + ax + b is sufficient, i.e. y = sqrt(x^3 + ax + b).

El Gamal public-key cryptosystem
- Secure against ciphertext-only attacks.
- Each party (say Bob) chooses the following parameters: p, a large prime number, and g, a primitive root of p, both made public; a random a ∈ {2, 3, ..., p-1}, kept private; β = g^a (mod p), made public.
- Encrypting: choose a random k ∈ {1, ..., p-1}. Suppose the message is a number x < p.
- E_public-key(x) = {g^k (mod p), x·β^k (mod p)}: two numbers, the first one hides k and the second one the message.
- Decrypting: D_private-key(y_1, y_2) = y_2 · (y_1^a)^(-1) (mod p).
- y_2 · (y_1^a)^(-1) = x · β^k · (g^(ak))^(-1) = x · g^(ak) · (g^(ak))^(-1) = x (mod p).
- Check the example on the next slide.

El Gamal public-key cryptosystem, example:
- p = 43, g = 3 a primitive root of p; Alice's choice of secret key is a = 7.
- β = g^a (mod p) = 3^7 (mod 43) = 37.
- Bob picks a random k = 26, and his message is x = 14: y_1 = 3^26 = 15 (mod 43), y_2 = 37^26 · 14 = 31 (mod 43).
- CT = {15, 31}.
- Alice: 31 · (15^7)^(-1) = 31 · 36^(-1) = 31 · 6 = 14 (mod 43).
- El Gamal encryption is randomized; it depends on the random k, so the same x has many encryptions.
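Both protocols above carried through in code, as an added example that is not from the slides or from Stallings: Diffie-Hellman with the slides' numbers (p = 353, g = 3, X_A = 97, X_B = 233), the brute-force discrete logarithm an eavesdropper would have to solve, and ElGamal with the slides' numbers (p = 43, g = 3, a = 7, k = 26, x = 14) plus a second, randomized encryption of the same message. The random-k range 1 ≤ k ≤ p-2 in the encryption helper is an assumption.

```python
# Added example (not from the slides): Diffie-Hellman over Z_p* with the
# slides' numbers (p = 353, g = 3, X_A = 97, X_B = 233), the brute-force
# discrete logarithm an eavesdropper would need, and ElGamal encryption with
# the slides' numbers (p = 43, g = 3, a = 7, k = 26, x = 14) plus a randomized
# encryption of the same message.
import secrets


def dh_public(p, g, x):
    """Y = g^x mod p; x is the party's private exponent."""
    return pow(g, x, p)


def dh_shared(p, their_y, my_x):
    """K = Y^x mod p; both sides obtain g^(x_a * x_b) mod p."""
    return pow(their_y, my_x, p)


def brute_force_dlog(p, g, y):
    """Eavesdropper's job: find x with g^x = y (mod p). Feasible only for toy p."""
    acc = 1
    for x in range(1, p):
        acc = acc * g % p
        if acc == y:
            return x
    return None


def elgamal_keygen(p, g, a):
    """Private a, public beta = g^a mod p."""
    return {"p": p, "g": g, "a": a, "beta": pow(g, a, p)}


def elgamal_encrypt(p, g, beta, x, k=None):
    """Ciphertext (y1, y2) = (g^k, x * beta^k) mod p; k is random unless given (assumed range 1..p-2)."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(key, y1, y2):
    """x = y2 * (y1^a)^-1 mod p."""
    p, a = key["p"], key["a"]
    return y2 * pow(pow(y1, a, p), -1, p) % p


if __name__ == "__main__":
    p, g = 353, 3
    ya, yb = dh_public(p, g, 97), dh_public(p, g, 233)
    print("Y_A, Y_B =", ya, yb, " K =", dh_shared(p, yb, 97), dh_shared(p, ya, 233))
    print("eavesdropper recovers X_A =", brute_force_dlog(p, g, ya))

    key = elgamal_keygen(43, 3, 7)
    y1, y2 = elgamal_encrypt(43, 3, key["beta"], 14, k=26)
    print("beta =", key["beta"], " CT =", (y1, y2), " decrypts to", elgamal_decrypt(key, y1, y2))
    print("same message, random k:", elgamal_encrypt(43, 3, key["beta"], 14))
```

Running the last line twice gives two different ciphertexts for x = 14 that both decrypt correctly, which is the randomization property the slide ends on; the brute-force logarithm finishing instantly for p = 353 is the reason real parameters are thousands of bits.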

