Lecture Number

Date post: 04-Jun-2018
Upload: strokenfilled

Transcript
  • 8/13/2019 Lecture Number

    COMP202 Complexity of Algorithms

    Number Theory and Cryptography

    [See relevant sections of Chapter 10 in Goodrich and Tamassia.]

    Learning Outcomes

    At the conclusion of this set of lecture notes, you should:

    1. Be familiar with the basic ideas of cryptography.

    2. Have comfortable knowledge of the RSA encryption/decryption method.

    3. Understand the mathematical background that underlies the RSA method, including the Euclidean algorithm, etc.

    Cryptographic communications

    Throughout history there has often been the need (or desire) to securely transmit information through insecure channels. Such applications include communications for military purposes and business reasons (to keep proprietary information secure), and most recently, transactions through the Internet.

    A variety of cryptographic methods have been developed to facilitate this type of communication.

    These methods include encryption/decryption transformations and digital signatures.

    Encryption schemes

    Confidentiality in communication can be achieved by encryption schemes, or ciphers.

    The general idea behind these schemes is that the message M to be sent, often referred to as the plaintext, is encrypted (before transmission) into an unrecognizable string (we hope!) of characters C, the ciphertext.

    The ciphertext C is then transmitted to the recipient who decrypts C to recover the original message M.

    [Figure: Alice -> encryption -> ciphertext C (xrjf%kjs*43s), seen by Eve -> decryption -> Bob; the message M is "Eve is nosey" at both ends.]

    Symmetric encryption schemes and secret keys

    In a traditional encryption scheme a common secret key, K, is shared by Alice and Bob.

    This common key K is used for both encryption and decryption of messages.

    Such an encryption scheme is called symmetric since the sender and receiver both have access to the same secret key, and it is used for both the encryption and decryption processes.

    Substitution ciphers

    A classic example of a symmetric cipher is a substitution cipher.

    In this case the secret key is a permutation $\pi$ of the characters of the alphabet. (For example, each A gets replaced by the letter D, each B gets replaced by the letter H, etc.)

    Encryption of the plaintext M is accomplished by mapping each character x to its corresponding character $y = \pi(x)$.

    Decrypting the ciphertext C is easily accomplished with knowledge of the permutation $\pi$, i.e. each character y of C is replaced with $x = \pi^{-1}(y)$.

    The Caesar cipher

    The Caesar cipher is an early example of a substitution cipher wherein each character x is replaced by the character $y = (x + k) \bmod n$, where n is the size of the alphabet and the integer k, $1 \le k$

    Breaking substitution ciphers

    While very easy to use, substitution ciphers are not secure.

    The secret key of a substitution cipher is very easily broken by using frequency analysis, based on knowledge of the frequency of the various letters, or groups of letters, in the alphabet being used.

    For example, e is the most common letter in the English language, followed by t, etc.
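
Frequency analysis as described above, applied to the Caesar cipher (an added example, not part of the original lecture notes). The letter-frequency table, the chi-squared scoring and the sample plaintext are choices made for this illustration; the lecture names only the idea.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
N = len(ALPHABET)  # n, the size of the alphabet, in y = (x + k) mod n

# Approximate letter frequencies in English text, in percent (reference values).
ENGLISH_PERCENT = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def caesar(text, k):
    """Apply y = (x + k) mod n to every letter; other characters pass through."""
    shifted = []
    for ch in text.lower():
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + k) % N])
        else:
            shifted.append(ch)
    return "".join(shifted)


def english_distance(text):
    """Chi-squared distance between the text's letter counts and English."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    if not letters:
        return float("inf")  # nothing to score
    counts = Counter(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_PERCENT[ch] / 100 * len(letters)
        score += (counts[ch] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Undo each of the n possible shifts; the most English-looking result wins."""
    return min(range(N), key=lambda k: english_distance(caesar(ciphertext, -k)))


# Constructed sample plaintext (adapted from the lecture's opening paragraph).
SAMPLE = ("throughout history there has often been the need to securely "
          "transmit information through insecure channels such applications "
          "include communications for military purposes and business reasons "
          "and most recently transactions through the internet")

if __name__ == "__main__":
    secret_k = 3  # shifts A to D, the substitution used as the lecture's example
    ciphertext = caesar(SAMPLE, secret_k)
    k = recover_shift(ciphertext)
    print("ciphertext :", ciphertext[:45], "...")
    print("recovered k:", k)
    print("plaintext  :", caesar(ciphertext, -k)[:45], "...")
```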

    The One-time pad

    Secure symmetric ciphers do exist!

    In fact, the most secure cipher known is the symmetric cipher that's referred to as the one-time pad.

    For this encryption scheme Alice and Bob share a random bit string K that is as long as any message that they are going to send.

    This key K is the symmetric key that is used for the encryption and decryption process.

    The One-time pad (encryption)

    To encrypt the message M, Alice computes $C = M \oplus K$, where the symbol $\oplus$ denotes the bitwise exclusive-or operation.

    (Note: $0 \oplus 0 = 1 \oplus 1 = 0$ and $0 \oplus 1 = 1 \oplus 0 = 1$.)

    Alice then sends C to Bob on any reliable communications channel.

    The communication is secure because C is computationally indistinguishable from a random bit string. (This relies highly on the fact that K was selected randomly!!)

    The One-time pad (decryption)

    Bob can easily decrypt the ciphertext C to recover M in the following fashion:

    $C \oplus K = (M \oplus K) \oplus K = M \oplus (K \oplus K) = M \oplus \mathbf{0} = M$

    where $\mathbf{0}$ represents the all-zero string with the same length as M.

    This is clearly a symmetric scheme as Alice and Bob use the same key K for encryption and decryption.

    The One-time pad (analysis)

    Advantages:

      • Computationally efficient since the bitwise exclusive-or is easy to perform.

      • Very secure (provided K is chosen randomly)!!

    Disadvantages:

      • Alice and Bob must share a very long key K.

      • Security depends on the fact that the key is used only once!!
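
The encryption, decryption and use-only-once requirement above, as an added Python example that is not part of the original lecture notes. The function names and the two 12-byte sample messages are constructed for the illustration; it shows that when one pad K encrypts two messages, K cancels out of the XOR of the two ciphertexts.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length):
    """K: a random bit string as long as the message, from the OS CSPRNG."""
    return secrets.token_bytes(length)


def otp_encrypt(message, key):
    """C = M xor K."""
    return xor_bytes(message, key)


def otp_decrypt(ciphertext, key):
    """C xor K = (M xor K) xor K = M xor 0 = M."""
    return xor_bytes(ciphertext, key)


def key_reuse_demo(m1, m2):
    """Encrypt two messages with the SAME pad and show what the ciphertexts reveal.

    Returns (c1 xor c2, m1 xor m2, m2 rebuilt from c1, c2 and a known m1).
    """
    key = generate_pad(len(m1))
    c1 = otp_encrypt(m1, key)
    c2 = otp_encrypt(m2, key)            # the mistake: the pad is used twice
    leaked = xor_bytes(c1, c2)           # (m1 ^ K) ^ (m2 ^ K) = m1 ^ m2, K is gone
    rebuilt_m2 = xor_bytes(leaked, m1)   # anyone who knows m1 now knows m2
    return leaked, xor_bytes(m1, m2), rebuilt_m2


# Constructed sample messages of equal length (12 bytes each).
M1 = b"Eve is nosey"
M2 = b"Meet at noon"

if __name__ == "__main__":
    pad = generate_pad(len(M1))
    c = otp_encrypt(M1, pad)
    print("ciphertext:", c.hex())
    print("decrypted :", otp_decrypt(c, pad))
    leaked, expected, rebuilt = key_reuse_demo(M1, M2)
    print("c1 xor c2 == m1 xor m2:", leaked == expected)
    print("m2 rebuilt without the key:", rebuilt)
```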

    In practice, we prefer secret keys that can be reused and that are much shorter than the messages that we must transmit.

    How can we do this?

    Public-key cryptography

    A major problem with symmetric encryption schemes is key distribution, or how to securely distribute the secret keys.

    One idea is to dispense with using symmetric encryption schemes and seek another method for generating (and deciphering) the ciphertexts.

    In 1976 Diffie and Hellman described an abstract system that overcomes the problem of key distribution: public-key cryptosystems.

    Public-key cryptosystems

    A public-key cryptosystem consists of an encryption function E and a decryption function D. For any message M, the following properties must hold:

    1. D(E(M)) = M.

    2. Both E and D are easy to compute.

    3. It is computationally infeasible to derive D from E.

    4. E(D(M)) = M.

    Public-key cryptosystems (cont.)

    The third property is the particularly important one. It means that knowledge of the encryption method gives no information about the decryption scheme. Anybody can send a private message to the holder of the function D, but only that person knows how to decrypt it.

    For this reason E is referred to as a one-way function, or sometimes a trapdoor function.

    In this kind of encryption method E is made public and D is kept private.

    The fourth property allows for digital signatures. This can allow someone to send a message to another person and the recipient can verify that it came from the sender, assuming that the sender is the only person who has the private key. (More on this later.)

    The RSA encryption scheme

    Diffie and Hellman's idea was ingenious, but it was an abstract concept about how such a system would operate.

    Rivest, Shamir, and Adleman proposed a public-key encryption method that is probably the most well-known, and is still in use today for communications via web-browsers, etc.

    Their method is tied to the difficulty of factoring large numbers.

    Before we can get into the details of the RSA method, we must first discuss some concepts from the branch of mathematics called number theory.

    Elementary number theory - Divisibility

    Given integers a and b, we use the notation $a \mid b$ to denote that a divides b, i.e. b is a multiple of a.

    If $a \mid b$ then there is another integer k such that $b = a \cdot k$.

    Prime numbers and composite numbers

    An integer $n \ge 2$ is said to be prime if the only divisors of n are the trivial divisors 1 and n.

    An integer $n \ge 2$ that is not prime is said to be composite.

    For example, 11, 107, and 98711 are prime, but 25, 69, and $10403 = 101 \cdot 103$ are composite.

    Fundamental Theorem of Arithmetic

    Theorem: Let $n > 1$ be an integer. Then there is a unique set of prime numbers $\{p_1, \ldots, p_k\}$ and positive integers $\{e_1, \ldots, e_k\}$ such that

    $n = p_1^{e_1} \cdots p_k^{e_k}$.

    The product $p_1^{e_1} \cdots p_k^{e_k}$ is known as the prime decomposition of n. It is unique, up to the ordering of the primes in the factorization.

    Greatest common divisor (GCD)

    Let a and b denote positive integers. The greatest common divisor of a and b, denoted gcd(a, b), is the largest integer that divides both a and b.

    If gcd(a, b) = 1, then we say that a and b are relatively prime.

    The definition of the GCD can be extended in a natural fashion:

    If a > 0, then gcd(a, 0) = gcd(0, a) = a.

    gcd(a, b) = gcd(|a|, |b|) if a and/or b is negative.

    For example, gcd(56, 24) = 8, gcd(25, 31) = 1, gcd(45, 25) = 5, and gcd(27, 51) = 3.

    Note that gcd(0, 0) is undefined (as, of course, there is no largest integer that divides 0).

    Greatest common divisor (cont.)

    We note the following important fact:

    Theorem: If d = gcd(a, b), then there exist (unique) integers j and k such that

    $d = j \cdot a + k \cdot b$.

    In other words, the greatest common divisor of a and b is expressible as a linear combination of a and b.

    gcd(56, 24) = 8      $8 = 1 \cdot 56 + (-2) \cdot 24$

    gcd(25, 31) = 1      $1 = 5 \cdot 25 + (-4) \cdot 31$

    gcd(45, 25) = 5      $5 = (-1) \cdot 45 + 2 \cdot 25$

    gcd(57, 363) = 3     $3 = 57 \cdot 51 + (-8) \cdot 363$

    The modulo operator and congruences

    The modulo operator, denoted by a mod b, defines the remainder of a when divided by b. That is, r = a mod b means that

    $r = a - \lfloor a/b \rfloor \, b$.

    In other words, r is always an integer in the set $\{0, 1, 2, \ldots, b - 1\}$ (even when a is negative), and there is an integer q such that

    $a = q \cdot b + r$.

    Sometimes we find it convenient to talk about congruence modulo n. If

    $a \bmod n = b \bmod n$,

    we say that a is congruent to b modulo n and write

    $a \equiv b \pmod{n}$.

    If $a \equiv b \pmod{n}$, then $a - b = kn$ for some integer k.

    Euclid's algorithm

    Euclid's algorithm is a method to find the greatest common divisor of two integers a and b.

    Euclid's algorithm (cont.)

    EUCLIDGCD(a, b)
    Input: Nonnegative integers a and b (not both zero).
    Output: gcd(a, b).
      while b ≠ 0 do
        (a, b) ← (b, a mod b)
      return a

    Note: If b = 0, this routine will return the value of a (which, by our assumption on the input, is not zero), giving the correct result.

    Examples of Euclid's algorithm

              1    2    3    4    5    6    7
    a       412  260  152  108   44   20    4
    b       260  152  108   44   20    4    0

    Hence, gcd(412, 260) = 4.

              1    2    3    4    5
    a       408  162   84   78    6
    b       162   84   78    6    0

    Thus, gcd(408, 162) = 6.

    Euclid's algorithm - Complexity

    For $i > 0$, let $a_i$ denote the first element of the ordered pair during the $i$th step in the while loop in Euclid's algorithm. The second argument is equal to $a_{i+1}$. So

    $a_{i+2} = a_i \bmod a_{i+1}$.

    This implies that, after the first time through the loop, the sequence $a_i$ is strictly decreasing.

    We can show that $a_{i+2} < \frac{1}{2} a_i$.

    This leads to the following result:

    Theorem: Let a, b be two positive integers. Euclid's algorithm computes gcd(a, b) by executing $O(\log(\max\{a, b\}))$ arithmetic operations.

    The Extended Euclidean Algorithm

    As mentioned earlier, if d = gcd(a, b), there are integers j and k such that $d = j \cdot a + k \cdot b$.

    We can modify Euclid's algorithm to find these numbers j and k while we compute gcd(a, b). This is the so-called Extended Euclidean algorithm.

    The Extended Euclidean Algorithm (cont.)

    EXTENDEDEUCLIDGCD(a, b)
    Input: Nonnegative integers a and b (not both zero).
    Output: d = gcd(a, b), integers j, k where d = j · a + k · b.
      if b = 0 then
        return (a, 1, 0)
      r ← a mod b
      Let q be the integer such that a = q · b + r (that is, q = ⌊a/b⌋).
      (d, j, k) ← ExtendedEuclidGCD(b, r)
      return (d, k, j − kq)

    Extended Euclidean Algorithm examples

    Note that by the recursive nature of the algorithm, the values of a, b, q, and r are filled in the table from left-to-right, but those of j and k are filled in from right-to-left.

    To find gcd(412, 260) we have these values:

                        1    2    3    4    5    6    7
    a                 412  260  152  108   44   20    4
    b                 260  152  108   44   20    4    0
    q = ⌊a/b⌋           1    1    1    2    2    5    *
    r = a mod b       152  108   44   20    4    0    *
    j                  12   -7    5   -2    1    0    1
    k                 -19   12   -7    5   -2    1    0

    As can be checked, we have $12 \cdot 412 + (-19) \cdot 260 = 4$.

    Extended Euclidean Algorithm examples (cont.)

    Finding gcd(408, 162) gives this table:

              1    2    3    4    5
    a       408  162   84   78    6
    b       162   84   78    6    0
    q         2    1    1   13    *
    r        84   78    6    0    *
    j         2   -1    1    0    1
    k        -5    2   -1    1    0

    We see that $2 \cdot 408 + (-5) \cdot 162 = 6$, as guaranteed previously.

    The Extended Euclidean algorithm is useful for the RSA encryption method, as we will soon see.
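
The recursive EXTENDEDEUCLIDGCD routine, written out in Python as an added example (not code from the lecture). The trace argument, format_trace and mod_inverse are names introduced here; the trace reproduces the two tables above, and mod_inverse is the computation RSA uses to obtain d from e.

```python
def extended_euclid(a, b, trace=None):
    """Return (d, j, k) with d = gcd(a, b) = j*a + k*b.

    If trace is a list, one dict per recursive call is appended to it,
    holding the column of values the lecture's tables show for that call.
    """
    if a < 0 or b < 0 or (a == 0 and b == 0):
        raise ValueError("inputs must be nonnegative and not both zero")
    row = {"a": a, "b": b, "q": "*", "r": "*"}
    if trace is not None:
        trace.append(row)              # a, b, q, r are known on the way down
    if b == 0:
        d, j, k = a, 1, 0
    else:
        q, r = divmod(a, b)            # a = q*b + r with q = floor(a / b)
        row["q"], row["r"] = q, r
        d, j_next, k_next = extended_euclid(b, r, trace)
        j, k = k_next, j_next - k_next * q
    row["j"], row["k"] = j, k          # j, k are filled in on the way back up
    return d, j, k


def format_trace(trace):
    """Lay the recorded calls out as columns, like the lecture's tables."""
    header = " " * 4 + "".join(f"{i:>5}" for i in range(1, len(trace) + 1))
    lines = [header]
    for name in ("a", "b", "q", "r", "j", "k"):
        lines.append(f"{name:<4}" + "".join(f"{row[name]:>5}" for row in trace))
    return "\n".join(lines)


def mod_inverse(e, m):
    """Return d in [0, m) with e*d congruent to 1 (mod m)."""
    g, j, _ = extended_euclid(e, m)
    if g != 1:
        raise ValueError("e and m are not relatively prime; no inverse exists")
    return j % m                        # j*e + k*m = 1, so j is the inverse


if __name__ == "__main__":
    for a, b in ((412, 260), (408, 162)):   # the lecture's two examples
        rows = []
        d, j, k = extended_euclid(a, b, rows)
        print(format_trace(rows))
        print(f"gcd({a}, {b}) = {d} = {j}*{a} + {k}*{b}\n")
    # Constructed values: the inverse of 7 modulo 40.
    print("7^-1 mod 40 =", mod_inverse(7, 40))
```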

    The RSA method

    Given the previous information (review?) about some very basic number theory, we are now ready to describe the basics of the RSA encryption/decryption method.

    Recall that this is a public-key encryption method. So this is a non-symmetric encryption scheme, where there is an encryption function and a separate decryption function.

    The main idea of the RSA method is that I can publish my encryption function (i.e. make it freely available to anyone who wishes to use it to send a message to me), but only I know the decryption function.

    The RSA method (cont.)

    Let p and q denote two (large) prime numbers.

    Let $n = p \cdot q$ and define $\phi(n) = (p - 1)(q - 1)$.

    We then choose two numbers e and d such that

    1. e and $\phi(n)$ are relatively prime, i.e. $\gcd(e, \phi(n)) = 1$, and

    2. $ed \equiv 1 \pmod{\phi(n)}$.

    (We can use the Extended Euclidean algorithm to find d, given e.)

    Encryption via RSA

    Let us assume that the message M is an integer and that 0 < M

    Decryption with RSA

    Decryption of the received ciphertext, C, is again handled by modular exponentiation:

    $M \leftarrow C^d \bmod n$.

    The correctness of the RSA method is guaranteed because it can be shown that with the choices of e, n, and d (with the properties listed earlier), then for every integer 0

    Digital signatures

    As mentioned earlier, the RSA cryptosystem supports digital signatures. Suppose that Bob sends a message M to Alice and that Alice wants to verify that it was Bob who sent it. Bob can create a signature using the decryption function applied to M:

    $S \leftarrow M^d \bmod n$.

    Alice verifies the digital signature using the encryption function, that is by checking that

    $M \equiv S^e \pmod{n}$.

    Since only Bob knows the decryption function, this will verify that it was indeed Bob who sent the message. (Of course, any person can use the encryption function as well to reconstruct the message M, so this is not a method to secretly pass information from Bob to Alice.)

    The difficulty of breaking RSA

    Note that even knowing e doesn't allow us to figure out d, unless we know $\phi(n)$.

    Most cryptographers believe that breaking RSA requires the computation of $\phi(n)$, which in turn requires factoring n.

    Factoring has not been proven to be difficult, but many (many!) people have worked on this problem over the last several hundred years.

    For example, it took some heavy duty mathematics and a network of 700 computers (including one supercomputer) four months to factor the number $2^{512} - 1$, which is 155 digits long.

    As the ability to factor larger numbers increases, we simply have to choose larger primes p and q so that $n = p \cdot q$ is outside of the current factoring capabilities.

    Fast exponentiation

    A possible bottleneck in the RSA algorithm is computing expressions of the form

    $x^k \bmod n$.

    The naive approach is to calculate $x^2 \bmod n$, then use that to get $x^3 \bmod n$, then $x^4 \bmod n$, etc.

    Fast exponentiation (cont.)

    We can do much better with an algorithm based on repeated squaring. For example, if we wanted to compute $x^{16}$, we could first find $x^2$, then $(x^2)^2 = x^4$, then $(x^4)^2 = x^8$, and finally $(x^8)^2 = x^{16}$. This requires only four multiplications instead of fifteen with the naive method.

    If we are performing modular exponentiation as in RSA, after each step we can find $x^i \bmod n$ to keep the results small (between 0 and $n - 1$).

    Fast exponentiation (cont.)

    FASTEXPONENTIATION(x, k, n)
    Input: Integers x, k ≥ 0, and n > 0.
    Output: r = x^k mod n.
      r ← 1
      t ← x
      while k ≠ 0 do
        if k is odd then
          r ← r · t mod n
        t ← t^2 mod n
        k ← ⌊k/2⌋
      return r

    Complexity of RSA

    Using the FASTEXPONENTIATION(x, k, n) algorithm, the size of the operands is never more than $O(\log n)$ bits, and it takes $O(\log k)$ arithmetic operations to find $x^k \bmod n$.

    This leads to the following result:

    Theorem: Let n be the modulus of the RSA algorithm. Then RSA encryption, decryption, signature, and verification each take $O(\log n)$ arithmetic operations (per block).
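
An added end-to-end example, not part of the original lecture notes, tying together the RSA key setup, encryption, decryption, signatures and FASTEXPONENTIATION in the textbook form the lecture describes. The primes p = 61, q = 53 and exponent e = 17 are constructed toy values far too small for real use, and the bound 0 < M < n, the stats argument and the function names are assumptions of this sketch.

```python
from math import gcd


def fast_exponentiation(x, k, n, stats=None):
    """x^k mod n by repeated squaring, following FASTEXPONENTIATION."""
    if k < 0 or n <= 0:
        raise ValueError("need k >= 0 and n > 0")
    r, t = 1 % n, x % n        # reducing x first keeps every operand below n
    iterations = 0
    while k != 0:
        if k % 2 == 1:         # k is odd
            r = r * t % n
        t = t * t % n
        k //= 2
        iterations += 1
    if stats is not None:
        stats["iterations"] = iterations   # one pass per bit of k
    return r


def make_keys(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    # d with e*d congruent to 1 (mod phi(n)); Python's built-in modular inverse
    # gives the same value the Extended Euclidean algorithm finds.
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def check_message(M, n):
    if not 0 < M < n:
        raise ValueError("message must satisfy 0 < M < n")


def encrypt(M, public_key):
    e, n = public_key
    check_message(M, n)
    return fast_exponentiation(M, e, n)


def decrypt(C, private_key):
    d, n = private_key
    return fast_exponentiation(C, d, n)     # M <- C^d mod n


def sign(M, private_key):
    d, n = private_key
    check_message(M, n)
    return fast_exponentiation(M, d, n)     # S <- M^d mod n


def verify(M, S, public_key):
    e, n = public_key
    check_message(M, n)
    return fast_exponentiation(S, e, n) == M   # M congruent to S^e (mod n)?


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)    # constructed toy parameters
    M = 65                                     # constructed message
    C = encrypt(M, public)
    S = sign(M, private)
    stats = {}
    fast_exponentiation(C, private[0], private[1], stats)
    print("public key:", public, "private key:", private)
    print("C =", C, " decrypts to", decrypt(C, private))
    print("signature valid:", verify(M, S, public),
          " altered message valid:", verify(M + 1, S, public))
    print("loop iterations for d =", private[0], ":", stats["iterations"])
```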
