
RSA and Public Key Cryptography - Indian Institute of...

Date post: 03-Aug-2020
RSA and Public Key Cryptography. Chester Rebeiro, IIT Madras. STINSON: chapter 5, 6
Transcript
Page 1: RSA and Public Key Cryptography - Indian Institute of ...chester/courses/17e_ac/slides/06_RSA.pdf · The Key K is a secret E D K E D “APack at Dawn!!” encrypAon decrypon #%AR3Xf34^$


Ciphers

•  Symmetric Algorithms
   –  Encryption and decryption use the same key
   –  i.e. $K_E = K_D$
   –  Examples:
      •  Block ciphers: DES, AES, PRESENT, etc.
      •  Stream ciphers: A5, Grain, etc.
•  Asymmetric Algorithms
   –  Encryption and decryption keys are different
   –  $K_E \neq K_D$
   –  Examples:
      •  RSA
      •  ECC

Asymmetric Key Algorithms

[Figure: Alice encrypts the plaintext "Attack at Dawn!!" with E under key $K_E$ and sends the ciphertext (#%AR3Xf34^$) over an untrusted communication link; Bob decrypts it with D under key $K_D$ and recovers "Attack at Dawn!!". Label: "The Key K is a secret".]

Encryption key $K_E$ is not the same as decryption key $K_D$

$K_E$ is known as Bob's public key; $K_D$ is Bob's private key

Advantage: no need of secure key exchange between Alice and Bob

Asymmetric key algorithms are based on trapdoor one-way functions

One Way Functions

•  Easy to compute in one direction
•  Once done, it is difficult to invert

[Figure: a padlock. Press to lock (can be easily done). Once locked it is difficult to unlock without a key.]

Trapdoor One Way Function

•  One way function with a trapdoor
•  Trapdoor is a special function that if possessed can be used to easily invert the one way

[Figure: Locked (difficult to unlock); with the trapdoor: Easily Unlocked]

Public Key Cryptography (An Analogy)

•  Alice puts message into box and locks it
•  Only Bob, who has the key to the lock, can open it and read the message

Mathematical Trapdoor One-way Functions

•  Examples
   –  Integer Factorization (in NP, maybe NP-complete)
      •  Given P, Q are two primes
      •  and N = P * Q
         –  It is easy to compute N
         –  However given N it is difficult to factorize into P and Q
      •  Used in cryptosystems like RSA
   –  Discrete Log Problem (in NP)
      •  Consider b and g are elements in a finite group and $b^k = g$, for some k
      •  Given b and k it is easy to compute g
      •  Given b and g it is difficult to determine k
      •  Used in cryptosystems like Diffie-Hellman
      •  A variant used in ECC based crypto-systems

Applications of Public Key Cryptography

•  Encryption
•  Digital Signature: "Is this message really from Alice?"
   •  Alice signs by 'encrypting' with private key
   •  Anyone can verify signature by 'decrypting' with Alice's public key
   •  Why it works?
      –  Only Alice, who owns the private key, could have signed

Applications of Public Key Cryptography

•  Key Establishment: "Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key?"

Diffie-Hellman Key Exchange

Alice and Bob agree upon a prime p and a generator g. This is public information.

Alice: choose a secret a, compute $A = g^a \bmod p$, send A to Bob
Bob: choose a secret b, compute $B = g^b \bmod p$, send B to Alice
Alice: compute $K = B^a \bmod p$
Bob: compute $K = A^b \bmod p$

$A^b \bmod p = (g^a)^b \bmod p = (g^b)^a \bmod p = B^a \bmod p$

RSA

Shamir, Rivest, Adleman (1977)

More Number Theory

Mathematical Background

RSA: Key Generation

Bob first creates a pair of keys (one public, the other private)

1. Generate two large primes $p, q$ ($p \neq q$)
2. Compute $n = p \times q$ and $\varphi(n) = (p-1)(q-1)$
3. Choose a random $b$ ($1 < b < \varphi(n)$) and $\gcd(b, \varphi(n)) = 1$
4. Compute $a = b^{-1} \bmod \varphi(n)$

Bob's public key is $(n, b)$
Bob's private key is $(p, q, a)$

Given the private key it is easy to compute the public key

Given the public key it is difficult to derive the private key

RSA Encryption & Decryption

Encryption

$e_K(x) = y = x^b \bmod n$, where $x \in Z_n$

Decryption

$x = d_K(y) = y^a \bmod n$

RSA Example

1. Take two primes p = 653 and q = 877
2. n = 653 × 877 = 572681; φ(n) = 652 × 876 = 571152
3. Choose public key b = 13; note that gcd(13, 571152) = 1
4. Private key $a = 13^{-1} \bmod 571152 = 395413$

Message x = 12345
encryption: $y = 12345^{13} \bmod 572681 \equiv 536754$
decryption: $x = 536754^{395413} \bmod 572681 \equiv 12345$

Correctness

Encryption: $e_K(x) = y = x^b \bmod n$, where $x \in Z_n$
Decryption: $x = d_K(y) = y^a \bmod n$

$ab \equiv 1 \bmod \varphi(n)$
$ab - 1 = t\,\varphi(n)$
$ab = t\,\varphi(n) + 1$

when $x \in Z_n$ and $\gcd(x, n) = 1$:

$y^a \bmod n \equiv (x^b)^a \bmod n \equiv x^{ab} \bmod n$
$\equiv x^{t\varphi(n)+1} \bmod n \equiv (x^{\varphi(n)})^t \cdot x \bmod n \equiv x$

From Fermat's theorem

Correctness

when $x \in Z_n$ and $\gcd(x, n) \neq 1$

Since $n = pq$, $\gcd(x, n) = p$ or $\gcd(x, n) = q$

If $x^{ab} \equiv x \bmod p$ and $x^{ab} \equiv x \bmod q$, then $x^{ab} \equiv x \bmod n$ (by CRT)

Assume $\gcd(x, n) = p$: $p \mid x \Rightarrow x = pk$
LHS: $x^{ab} \bmod p = (pk)^{ab} \bmod p \equiv 0$
RHS: $x \bmod p \equiv 0$

$\gcd(p, x) = p$; it implies $\gcd(q, x) = 1$

$x^{ab} \bmod q = x^{t\varphi(n)+1} \bmod q = x^{t\varphi(p)\varphi(q)+1} \bmod q$
$\equiv (x^{\varphi(q)})^{t\varphi(p)} \cdot x \bmod q$
$\equiv (1)^{t\varphi(p)} \cdot x \bmod q \equiv x \bmod q$

RSA Implementation

$y = x^c \bmod n$

$c = 23 = (10111)_2$

i    e_i    z
4    1      1^2 * x = x
3    0      x^2
2    1      x^4 * x = x^5
1    1      x^10 * x = x^11
0    1      x^22 * x = x^23

RSA Implementation in Software (Multi-precision Arithmetic)

•  RSA requires arithmetic in 1024 or 2048 bit numbers
•  Modern processors have ALUs that are 8, 16, 32, 64 bit
   –  Typically can perform arithmetic on 8/16/32/64 bit numbers
•  Solution: multi-precision arithmetic (gmp library)

[Figure: a 1024-bit number stored as an array of words; base: $2^b$, where b = 64/32/16/8 bits]

Multi-precision Addition

•  ADD: a = 9876543210 = $(2, 76, 176, 22, 234)_{256}$
        b = 1357902468 = $(80, 239, 242, 132)_{256}$
   base = 8 bit (256)

i    a_i    b_i    c_in    a_i+b_i+c_in (mod 256)    Carry?         c_out
0    234    132    0       110                       (110<234)?     1
1    22     242    1       9                         (9<22)?        1
2    176    239    1       160                       (160≤176)?     1
3    76     80     1       157                       (157≤76)?      0
4    2      0      0       2                         (2≤2)?         0

a + b = $(2, 157, 160, 9, 110)_{256}$ = 11234445678

"Computational Number Theory", Abhijit Das, CRC Press

Multi-Precision Addition Algorithm

Multi-precision Subtraction

•  SUB: a = 9876543210 = $(2, 76, 176, 22, 234)_{256}$
        b = 1357902468 = $(80, 239, 242, 132)_{256}$
   base = 256 (8 bit)

i    a_i    b_i    c_in    Borrow?        c_out    a_i-b_i-c_in (mod 256)
0    234    132    0       (234<132)?     0        102
1    22     242    0       (22<242)?      1        -220 = 36
2    176    239    1       (176<239)?     1        -64 = 192
3    76     80     1       (76<80)?       1        -5 = 251
4    2      0      1       (2<0)?         0        1

a - b = $(1, 251, 192, 36, 102)_{256}$ = 8658640742

Multi-Precision Subtraction Algorithm

Multi-Precision Multiplication

C = A x B mod N (without modular operation)

•  Classical (Schoolbook) algorithm
•  Karatsuba algorithm
•  Toom-3 algorithm
•  FFT

Multi-precision Multiplication (Classical Multiplication)

•  MUL: a = 1234567 = $(18, 214, 135)_{256}$
        b = 76543210 = $(4, 143, 244, 234)_{256}$
   base = 8 bit (256)

a * b = $(0, 85, 241, 247, 25, 195, 102)_{256}$ = 99447721140070

Multi-precision Multiplication (Karatsuba Multiplication)

Let $a, b$ be two multiprecision integers with $n$ B-ary words. Let $m = n/2$.

$a = a_h B^m + a_l$
$b = b_h B^m + b_l$

$a \times b = a_h b_h B^{2m} + (a_h b_l + a_l b_h) B^m + a_l b_l$
$= a_h b_h B^{2m} + (a_h b_h + a_l b_l - (a_h - a_l)(b_h - b_l)) B^m + a_l b_l$

using $(a_h - a_l)(b_h - b_l) = a_h b_h - a_h b_l - a_l b_h + a_l b_l$

Karatsuba multiplication converts n bit multiplications into 3 multiplications of n/2 bits. The penalty is an increased number of additions.

Multi-precision Multiplication (Karatsuba Multiplication)

B = 256
a = 123456789 = $(7, 91, 205, 21)_{256}$
b = 987654321 = $(58, 222, 104, 177)_{256}$

n = 4; m = 2
$a_h = (7, 91)$; $a_l = (205, 21)$; $a = (7, 91) \cdot 256^2 + (205, 21)$
$b_h = (58, 222)$; $b_l = (104, 177)$; $b = (58, 222) \cdot 256^2 + (104, 177)$

$a_h b_h = (1, 176, 254, 234)_{256}$
$a_l b_l = (83, 222, 83, 133)_{256}$
$a_h - a_l = -(197, 186)_{256}$
$b_h - b_l = -(45, 211)_{256}$
$(a_h - a_l)(b_h - b_l) = (35, 100, 170, 78)_{256}$
$a_h b_l + a_l b_h = a_h b_h + a_l b_l - (a_h - a_l)(b_h - b_l) = (50, 42, 168, 33)_{256}$

Adding the three terms at their word offsets:

  1  176  254  234
            50   42  168   33
                      83  222   83  133
  ------------------------------------
  1  177   49   20  251  255   83  133
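The Karatsuba identity and the worked base-256 numbers above, as an added example (not code from the original slides). The function names `to_limbs`, `terms` and `karatsuba` are hypothetical, and Python integers stand in for the word arrays a multi-precision library would use.

```python
# Added illustration: Karatsuba multiplication over base-256 words.
B = 256  # word base used on the slides


def to_limbs(x):
    """Return the base-B words of x, most significant first (as the slides print them)."""
    limbs = []
    while True:
        x, r = divmod(x, B)
        limbs.append(r)
        if x == 0:
            break
    return tuple(reversed(limbs))


def terms(a, b, n):
    """Split a, b (at most n words each) and return (m, ah*bh, al*bl, (ah-al)*(bh-bl), middle)."""
    m = (n + 1) // 2                      # low half gets ceil(n/2) words
    ah, al = divmod(a, B ** m)            # a = ah * B^m + al
    bh, bl = divmod(b, B ** m)            # b = bh * B^m + bl
    hh = karatsuba(ah, bh, n - m)         # multiplication 1
    ll = karatsuba(al, bl, m)             # multiplication 2
    da, db = ah - al, bh - bl
    dd = karatsuba(abs(da), abs(db), m)   # multiplication 3, on magnitudes
    if (da < 0) != (db < 0):              # restore the sign of (ah-al)(bh-bl)
        dd = -dd
    middle = hh + ll - dd                 # equals ah*bl + al*bh
    return m, hh, ll, dd, middle


def karatsuba(a, b, n):
    """Multiply non-negative a, b of at most n base-B words with 3 half-size products."""
    if n <= 1:
        return a * b                      # single-word product: one hardware multiply
    m, hh, ll, _, middle = terms(a, b, n)
    return hh * B ** (2 * m) + middle * B ** m + ll


if __name__ == "__main__":
    a, b = 123456789, 987654321
    m, hh, ll, dd, middle = terms(a, b, 4)
    print("ah*bh  =", to_limbs(hh))
    print("al*bl  =", to_limbs(ll))
    print("(ah-al)(bh-bl) =", to_limbs(dd))
    print("middle =", to_limbs(middle))
    print("a*b    =", to_limbs(karatsuba(a, b, 4)))
```

The price of saving one multiplication is the extra additions, subtractions and sign handling in `terms`.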

Performing Modular Reduction

•  Divide and get remainder (repeated subtraction)

Alternatively, we could use Montgomery multiplication that will not require modular reduction.

Montgomery Multiplication

$c = a \times b \bmod m$

No specific benefits this way

Select $R = 2^x$, $\gcd(R, m) = 1$, R slightly greater than m

Use Extended Euclidean Algorithm to find $R^{-1}$ and $m'$ s.t. $R \cdot R^{-1} - m \cdot m' = 1$

Convert multiplicands to Montgomery domain

$\bar{a} = aR \bmod m$
$\bar{b} = bR \bmod m$

Note that $c = \bar{a} \cdot \bar{b} \cdot R^{-2} \bmod m$

The Montgomery multiplier computes

$\bar{c} = \bar{a} \cdot \bar{b} \cdot R^{-1} \bmod m$

Montgomery's Trick

Montgomery's trick

1) $t = a \cdot b$
2) $u = (t + ((t \bmod R) \cdot m' \bmod R) \cdot m) / R$
3) if ($u \ge m$) return $u - m$; else return $u$.

Montgomery's Trick (why it works)

Montgomery's trick

1) $t = a \cdot b$
2) $u = (t + ((t \bmod R) \cdot m' \bmod R) \cdot m) / R$
3) if ($u \ge m$) return $u - m$; else return $u$.

•  First note that R | t
•  Then R | (t · m' · m mod R) .... this follows because $R R^{-1} - m' m = 1$; then take mod R
•  Therefore R | (t + t · m' · m mod R) .... the division in step 2 is valid
•  u · R = t + t · m' · m mod R = t + t · m' · m = t + k · m = t mod m

See google groups for more details
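Montgomery's trick carried through on concrete numbers, as an added example (not code from the original slides). The function names are hypothetical; the modulus 572681 and the values 12345, 536754 and 395413 are reused from the RSA example earlier in the deck, and `pow(R, -1, m)` (Python 3.8+) stands in for the Extended Euclidean Algorithm.

```python
# Added illustration: Montgomery reduction (REDC) and multiplication.

def montgomery_setup(m):
    """For odd m pick R = 2^x just above m and return (R, R_inv, m_prime)
    satisfying R*R_inv - m*m_prime = 1."""
    if m % 2 == 0:
        raise ValueError("gcd(R, m) = 1 requires an odd modulus")
    R = 1 << m.bit_length()               # smallest power of two greater than m
    R_inv = pow(R, -1, m)                 # R * R_inv = 1 (mod m)
    m_prime = (R * R_inv - 1) // m        # exact, by the congruence above
    return R, R_inv, m_prime


def redc(t, m, R, m_prime):
    """Montgomery's trick: t * R^-1 mod m for 0 <= t < m*R, with no division by m."""
    q = ((t & (R - 1)) * m_prime) & (R - 1)   # (t mod R) * m' mod R
    u = (t + q * m) >> (R.bit_length() - 1)   # t + q*m is a multiple of R
    return u - m if u >= m else u


def mont_mul(a, b, m):
    """a * b mod m via the Montgomery domain (conversion cost included)."""
    R, _, mp = montgomery_setup(m)
    a_bar = (a * R) % m                   # into the Montgomery domain
    b_bar = (b * R) % m
    c_bar = redc(a_bar * b_bar, m, R, mp) # = a*b*R mod m
    return redc(c_bar, m, R, mp)          # leave the domain: multiply by R^-1


def mont_exp(x, c, m):
    """x^c mod m: convert once, square-and-multiply with REDC, convert back once."""
    R, _, mp = montgomery_setup(m)
    x_bar = (x * R) % m
    z_bar = R % m                         # Montgomery form of 1
    for bit in bin(c)[2:]:
        z_bar = redc(z_bar * z_bar, m, R, mp)
        if bit == "1":
            z_bar = redc(z_bar * x_bar, m, R, mp)
    return redc(z_bar, m, R, mp)


if __name__ == "__main__":
    n = 572681
    print(montgomery_setup(n))
    print(mont_mul(12345, 536754, n), (12345 * 536754) % n)
    print(mont_exp(12345, 13, n))
```

A single multiplication gains nothing, since entering the domain already costs two ordinary reductions; the saving appears in `mont_exp`, where every step inside the loop uses only masks and shifts by R.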

Speeding RSA decryption with CRT

•  Decryption is done as follows: $x = y^a \bmod n$
•  Bob can also decrypt by using CRT
     $x = y^a \bmod p$
     $x = y^a \bmod q$
   (since he knows the factors of n, i.e. p, q)
•  CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n
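The key generation steps, the worked example (p = 653, q = 877, b = 13), the square-and-multiply table and the CRT decryption above, tied together in one added example (not code from the original slides). Function names are hypothetical; reducing the exponent modulo p-1 and q-1 and the Garner recombination are standard additions the slide does not spell out. This is textbook RSA on toy primes with no padding, for study only.

```python
# Added illustration: textbook RSA with the slide's numbers.
from math import gcd


def mod_exp(x, c, n):
    """Left-to-right square-and-multiply: scan the bits of c from the top."""
    z = 1
    for bit in bin(c)[2:]:
        z = (z * z) % n                   # square for every exponent bit
        if bit == "1":
            z = (z * x) % n               # multiply only when the bit is 1
    return z


def keygen(p, q, b):
    """Steps 2-4 of key generation for given primes p != q and public exponent b."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < b < phi) or gcd(b, phi) != 1:
        raise ValueError("b must satisfy 1 < b < phi(n) and gcd(b, phi(n)) = 1")
    a = pow(b, -1, phi)                   # a = b^-1 mod phi(n), Python 3.8+
    return (n, b), (p, q, a)


def encrypt(pub, x):
    n, b = pub
    return mod_exp(x, b, n)               # y = x^b mod n


def decrypt(priv, y):
    p, q, a = priv
    return mod_exp(y, a, p * q)           # x = y^a mod n


def decrypt_crt(priv, y):
    """Decrypt with two half-size exponentiations, then recombine (Garner)."""
    p, q, a = priv
    xp = mod_exp(y % p, a % (p - 1), p)   # x mod p; exponent reduced by Fermat
    xq = mod_exp(y % q, a % (q - 1), q)   # x mod q
    h = (pow(q, -1, p) * (xp - xq)) % p   # solve x = xq + h*q with x = xp (mod p)
    return xq + h * q


if __name__ == "__main__":
    pub, priv = keygen(653, 877, 13)
    y = encrypt(pub, 12345)
    print(pub, priv, y, decrypt(priv, y), decrypt_crt(priv, y))
    # A message sharing a factor with n still decrypts (second correctness case)
    x = 653 * 5
    print(decrypt_crt(priv, encrypt(pub, x)) == x)
```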

Multi-precision libraries

•  GMP: GNU Multi-precision library
•  Make use of Intel's SSE/AVX instructions
   –  These are SIMD instructions that have large registers (128, 256, 512 bit)
•  Crypto libraries
   –  OpenSSL, PolarSSL, NaCL, etc.

RSA Speeds

RSA Speeds

[Figure: RSA timings on a 32 Bit ARM Cortex and on a 16 Bit TI Micro-controller]

Finding Primes

Test for Primes

•  How to generate large primes?
   –  Select a random large number
   –  Test whether or not the number is prime
•  What is the probability that the chosen number is a prime?
   –  Let π(N) be the number of primes < N
   –  From number theory, π(N) ≈ N / ln N
   –  Therefore probability of a random number (< N) being a prime is 1 / ln N
•  As N increases, it becomes increasingly difficult to find large primes

GIMPS

•  There are infinite prime numbers (proved by Euclid)
•  Finding them becomes increasingly difficult as N increases
•  GIMPS: Great Internet Mersenne Prime Search
   –  Mersenne Prime has the form $2^n - 1$
   –  Largest known prime (found in 2016) has 22 million digits: $2^{74,207,281} - 1$
•  $3000 to beat this :)

https://en.wikipedia.org/wiki/Largest_known_prime_number

Primality Tests with Trial Division

•  Schoolbook methods (trial division)
   –  Find if any number from 2 to N-1 divides N
   –  Find if any number from 2 to $N^{1/2}$ divides N
   –  Find if any prime number from 2 to $N^{1/2}$ divides N
   –  Too slow!!!
      •  Need to divide by N-1 numbers
      •  Need to divide by $N^{1/2}$ numbers
      •  Need to divide by $(N / \ln N)^{1/2}$ primes
   –  For example, if n is approx $2^{1024}$, then need to check around $2^{507}$ numbers
•  Need something better for large primes
   –  Randomized algorithms

Randomized Algorithms for Primality Testing

•  Monte-carlo Randomized Algorithms
   –  Always runs in polynomial time
   –  May produce incorrect results with bounded probability
   –  Yes-based Monte-carlo method
      •  Answer YES is always correct, but answer NO may be wrong
   –  No-based Monte-carlo method
      •  Answer NO is always correct, but answer YES may be wrong

Finding Large Primes (using Fermat's Theorem)

is_prime(n) {
    pick a ← Z_n
    if (a^(n-1) ≡ 1 mod n) return TRUE
    else return FALSE
}

If n is prime, then $a^{n-1} \equiv 1 \bmod n$ is true for any 'a'.
If n is composite, $a^{n-1} \equiv 1 \bmod n$ is false but may be true for some values of a.
For example: n = 221 (13*17) and a = 38, then $38^{220} \bmod 221 \equiv 1$.
We need to increase our confidence with more values of a.

Fermat's Primality Test

•  Increasing confidence with multiple bases

primality_test(n) {
    c = 0
    for (i = 0; i < 1000; ++i) {
        if (is_prime(n) == FALSE) return COMPOSITE
    }
    return probably PRIME
}

Carmichael Number

Some composites act as primes. Irrespective of the 'a' chosen, the test $a^{n-1} \equiv 1 \bmod n$ passes.

For example, Carmichael numbers are composite numbers which satisfy Fermat's little theorem irrespective of the value of a. E.g. 561 = 3 x 11 x 17

Strong probable-primality test

•  If n is prime, the square root of $a^{n-1}$ is either +1 or -1

let $a^{\frac{n-1}{2}} = b$

$b^2 \equiv 1 \bmod n$
$b^2 - 1 \equiv 0 \bmod n$
$(b+1)(b-1) \equiv 0 \bmod n$
either $(b+1) \equiv 0 \bmod n$ or $(b-1) \equiv 0 \bmod n$

Miller-Rabin Primality Test

•  Yes-based primality test for composites
•  Does not suffer due to Carmichael numbers
•  Write $n - 1 = 2^s d$
   –  where d is odd and s is non-negative
   –  n is a composite if
      $a^d \not\equiv 1 \bmod n$ and $(a^d)^{2^r} \not\equiv -1 \bmod n$ for all numbers r less than s

Proof of Miller-Rabin test

•  Write $n - 1 = 2^s d$; n is a composite if
   $a^d \not\equiv 1 \bmod n$ and $(a^d)^{2^r} \not\equiv -1 \bmod n$ for all numbers r less than s
•  Proof: We prove the contra-positive. We will assume n to be prime. Thus,
   $a^d \equiv 1 \bmod n$ or $(a^d)^{2^r} \equiv -1 \bmod n$ for some number r less than s

Proof of Miller-Rabin test

Proof: We prove the contra-positive. We will assume n to be prime. Thus we prove,

$a^d \equiv 1 \bmod n$ or $(a^d)^{2^r} \equiv -1 \bmod n$ for some number r less than s

•  Consider the sequence:
   $a^d, a^{2^1 d}, a^{2^2 d}, a^{2^3 d}, \ldots, a^{2^{s-1} d}, a^{2^s d}$, where the last element $a^{2^s d}$ is 1 (Fermat's)
   –  The roots of $x^2 = 1 \bmod n$ are either +1 or -1
   –  In the sequence, if $a^d$ is 1, then all elements in the sequence will be 1
   –  If $a^d$ is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1

Miller-Rabin Algorithm (test for composites)

Input n

1. Find an odd integer d such that $n - 1 = 2^s d$
2. Select at random a nonzero $a \in Z_n$
3. Compute $b = a^d \bmod n$. If $b = \pm 1$, return 'n is prime'
4. For $i = 1, \ldots, s-1$, calculate $c \equiv b^{2^i} \bmod n$. If $c = -1$, return 'n is prime'
5. Otherwise return 'n is composite'
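The Fermat test and the Miller-Rabin algorithm above, run against the deck's own numbers (n = 221 with a = 38, and the Carmichael number 561), as an added example that is not code from the original slides. Function names are hypothetical.

```python
# Added illustration: Fermat test versus Miller-Rabin.
import random
from math import gcd


def fermat_passes(n, a):
    """True if base a satisfies a^(n-1) = 1 (mod n), i.e. a does not expose n."""
    return pow(a, n - 1, n) == 1


def miller_rabin_witness(n, a):
    """True if base a proves that odd n > 2 is composite (steps 1-5 of the algorithm)."""
    s, d = 0, n - 1
    while d % 2 == 0:                     # step 1: n - 1 = 2^s * d with d odd
        s += 1
        d //= 2
    b = pow(a, d, n)                      # step 3
    if b == 1 or b == n - 1:
        return False                      # 'n is prime' (as far as a can tell)
    for _ in range(s - 1):                # step 4: b^(2^i) for i = 1 .. s-1
        b = (b * b) % n
        if b == n - 1:
            return False
    return True                           # step 5: 'n is composite'


def is_probable_prime(n, rounds=20, rng=None):
    """Miller-Rabin with random bases; a composite slips through a round with probability <= 1/4."""
    rng = rng or random.Random()
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)       # step 2: random base
        if miller_rabin_witness(n, a):
            return False
    return True


def fermat_fooled_by_all_coprime_bases(n):
    """True if every base coprime to n passes the Fermat test (n prime or Carmichael)."""
    return all(fermat_passes(n, a) for a in range(2, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    print("Fermat, n=221, a=38 passes:", fermat_passes(221, 38))
    print("Miller-Rabin, n=221, a=38 witness:", miller_rabin_witness(221, 38))
    print("561 fools Fermat for all coprime bases:", fermat_fooled_by_all_coprime_bases(561))
    print("Miller-Rabin, n=561, a=2 witness:", miller_rabin_witness(561, 2))
    print("653, 877 probable primes:", is_probable_prime(653), is_probable_prime(877))
```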

Quadratic Residues

•  Example: m = 13, square elements in $Z_{13}$: 1, 4, 9, 3, 12, 10, 10, 12, 3, 9, 4, 1

The quadratic residues in $Z_{13}$ are therefore {1, 4, 3, 9, 10, 12}

If an element is not a quadratic residue, then it is a quadratic non-residue

quadratic non-residues in $Z_{13}$ are {2, 5, 6, 7, 8, 11}

a cannot be 0

Legendre Symbol

Given p is an odd prime

$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ 1 & \text{if } a \text{ is a QR mod } p \\ -1 & \text{if } a \text{ is a QNR mod } p \end{cases}$

Euler's Criteria

A result from Euler:

$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p$

when $p \mid a$:
$a^{\frac{p-1}{2}} \equiv 0 \bmod p$

when a is a QR, $\exists x \in Z_p$ s.t. $a \equiv x^2 \bmod p$:
$a^{\frac{p-1}{2}} \bmod p = (x^2)^{\frac{p-1}{2}} \bmod p = x^{p-1} \bmod p \equiv 1$

when Quadratic Non-Residue

when a is a QNR, no such $x \in Z_p$ exists s.t. $a \equiv x^2 \bmod p$

consider: $a^{p-1} \bmod p \equiv 1$ (note: $p - 1$ is even if p is an odd prime)
squaring: $\left(a^{\frac{p-1}{2}}\right)^2 \equiv 1 \bmod p$
so, $a^{\frac{p-1}{2}} \equiv \pm 1 \bmod p$
Thus, $a^{\frac{p-1}{2}} \equiv -1 \bmod p$, since a is not a QR
Thus, $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p$

Examples

$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p$

$4^{\frac{13-1}{2}} \bmod 13 \equiv 4^6 \bmod 13 \equiv 1$ : a is QR
$5^{\frac{13-1}{2}} \bmod 13 \equiv 5^6 \bmod 13 \equiv 12 \bmod 13 \equiv -1$ : a is QNR

Congruence always holds when n is an odd prime

$7^{\frac{15-1}{2}} \bmod 15 \equiv 7^7 \bmod 15 \equiv -2$ : Euler's Witness
$14^{\frac{15-1}{2}} \bmod 15 \equiv 14^7 \bmod 15 \equiv -1$ : Euler's Liar

Congruence may or may not hold when n is not prime

Solovay Strassen Primality Test

SOLOVAY_STRASSEN(n) {
    choose a random integer a such that 1 ≤ a ≤ n-1
    compute x = (a/n)
    if (x = 0) return COMPOSITE
    compute y = a^((n-1)/2) mod n
    if (x ≡ y mod n) return possibly PRIME
    else return COMPOSITE
}

error probability is at most ½

How to compute Legendre's symbol

Jacobi Symbol

•  Jacobi Symbol is a generalization of the Legendre symbol
•  Let n be any positive odd integer and a >= 0 any integer. The Jacobi symbol is defined as:

Suppose n is an odd positive integer with prime factorization

$n = p_1^{e_1} \times p_2^{e_2} \times p_3^{e_3} \times p_4^{e_4} \cdots$

Then,

$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \times \left(\frac{a}{p_2}\right)^{e_2} \times \left(\frac{a}{p_3}\right)^{e_3} \times \left(\frac{a}{p_4}\right)^{e_4} \times \cdots$

Jacobi Properties

P1. If $a \equiv b \bmod n$ then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$

P2. $\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \bmod 8 \\ -1 & \text{if } n \equiv \pm 3 \bmod 8 \end{cases}$

P3. $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$

P4. if a is even, $a = 2^k t$, $\left(\frac{a}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right)$

P5. if a is odd, $\left(\frac{a}{n}\right) = \begin{cases} -\left(\frac{n}{a}\right) & \text{if } n \equiv a \equiv 3 \bmod 4 \\ \left(\frac{n}{a}\right) & \text{otherwise} \end{cases}$

Computing Jacobi

[Worked example; the step annotations are:]

From the theorem
P5, P1, then P2
P5, P1, P5, P1, P3, P2
P5, P1 and 1 is a QR mod 13
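Properties P1 to P5 are enough to compute the Jacobi symbol without factoring n, which is what the Solovay-Strassen test needs. An added example (not code from the original slides; function names are hypothetical) that checks the deck's values for 13 and 15:

```python
# Added illustration: Jacobi symbol via P1-P5 and the Solovay-Strassen test.
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, using only properties P1-P5."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                                # P1: reduce the numerator
    result = 1
    while a != 0:
        while a % 2 == 0:                 # P4: pull out factors of 2 ...
            a //= 2
            if n % 8 in (3, 5):           # P2: (2/n) = -1 when n = +-3 mod 8
                result = -result
        a, n = n, a                       # P5: flip the symbol
        if a % 4 == 3 and n % 4 == 3:     # ... with a sign change if both are 3 mod 4
            result = -result
        a %= n                            # P1 again
    return result if n == 1 else 0        # a common factor gives 0


def euler_witness(n, a):
    """True if a shows odd n is composite: (a/n) = 0 or (a/n) != a^((n-1)/2) mod n."""
    x = jacobi(a, n)
    if x == 0:
        return True
    y = pow(a, (n - 1) // 2, n)
    return y != x % n                     # compare -1 as n-1


def solovay_strassen(n, rounds=20, rng=None):
    """'possibly PRIME' (True) or COMPOSITE (False) for odd n > 2."""
    rng = rng or random.Random()
    for _ in range(rounds):
        a = rng.randrange(1, n)           # 1 <= a <= n-1
        if euler_witness(n, a):
            return False
    return True


def quadratic_residues(p):
    """Set of nonzero squares modulo p."""
    return {pow(x, 2, p) for x in range(1, p)}


if __name__ == "__main__":
    print(sorted(quadratic_residues(13)))
    print(jacobi(4, 13), jacobi(5, 13))
    print("7 vs 15 witness:", euler_witness(15, 7))
    print("14 vs 15 witness:", euler_witness(15, 14))
```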

Factoring Algorithms

Factorization to get the private key

•  Public information (n, b)
•  If Mallory can factorize n into p and q then,
   •  She can compute φ(n) = (p-1)(q-1)
   •  She can then compute the private key by finding $a \equiv b^{-1} \bmod \varphi(n)$

How to factorize n?

Trial Division

Fundamental theorem of arithmetic: any integer number (greater than 1) is either prime or a product of prime powers

$n = p_1^{e_1} p_2^{e_2} p_3^{e_3} \cdots p_k^{e_k}$

[Algorithm listing; its annotations are:]

•  prime generation algorithm
•  Prime factors of n cannot be greater than $\lfloor \sqrt{n} \rfloor$
•  n = n / p : remove this factor from n
•  Running time of algorithm: order of $\pi(2^{n/2})$

Pollard p-1 Factorization

1. $n = p \times q$; choose a random integer a ($1 < a < n$). If $\gcd(a, n) \neq 1$, then $\gcd(a, n)$ is a prime factor. However, this is most likely not the case.

2. Suppose we select some L and compute $d = \gcd(a^L - 1, n)$.
   If $1 < d < n$ then we have factored n:
   $d \mid n$ and $d \mid (a^L - 1)$;
   d has to be the prime p or the prime q.

3. If $\gcd(a^L - 1, n) = n$:
   this is possible only when $p \mid n$ and $p \mid a^L - 1$ (or $q \mid n$ and $q \mid a^L - 1$) and $a^L - 1 > n$.

How to choose L? No easy way, trial and error!! Factorials have a lot of divisors. So that is a nice way. So, take L as a factorial of some number r.

Why $a^L - 1$?
Since d is prime and $d \mid (a^L - 1)$:
$a^L \equiv 1 \bmod d$
$\varphi(d) \mid L \Rightarrow (d-1)k = L$
Thus we need to find L which is some multiple of $(d-1)$.

Pollard p-1 Factorization

Pollard p-1 factorization for n.

S1. a = 2
S2. if gcd(a, n) > 1, then this gcd is a prime factor of n, we are done.
S3. compute $d = \gcd(a^{r!} - 1, n)$, for r = 2, 3, 4, …
    if d = 1, increment r and repeat S3
    else if d = n, start again from S1 with next value of a
    else d is the prime factor of n; we are done!

1.  Will the algorithm terminate?
2.  When will we choose the next value of a? (will we get an infinite loop?)

When r = d-1 then L = r! = (d-1)! = (d-1)(d-2)! = (d-1)k, so (d-1) | L → we will get $\gcd(a^{k(d-1)} - 1, n) = n$ or its prime factor.

Pollard Rho Algorithm

•  Form a sequence S1 by selecting randomly (all different) from the set $Z_n$

   $S1 = x_0, x_1, x_2, x_3, x_4, \ldots$

•  Also assume we magically find a new sequence S2 comprising of

   $S2 = x'_0, x'_1, x'_2, x'_3, x'_4, \ldots$ where $x'_i = x_i \bmod p$

•  If we keep adding elements to S1, we will eventually find an $x_i$ and $x_j$ ($i \neq j$) such that $x'_i = x'_j$. When this happens,

   $p \mid (x_i - x_j)$, also $p \mid n$, so $\gcd((x_i - x_j), n)$ is p. We found a factor of n!!

Doing without magic

•  Form a sequence S1 by selecting randomly (with replacement) from the set $Z_n$

   $S1 = x_0, x_1, x_2, x_3, x_4, \ldots$

•  For every pair i, j in the sequence compute

   $d \leftarrow \gcd((x_i - x_j), n)$

•  If d > 1 then it is a factor of n

Selecting elements of S1

To choose the next element of S1, Pollard suggests using a function

$f : Z_n \rightarrow Z_n$

with requirement that the output looks random.

Example: $f(x) = x^2 + 1 \bmod n$

$S1 = \begin{cases} x_0 & \text{where } x_0 \text{ is chosen randomly from } Z_n \\ x_i = f(x_{i-1}) & \text{and } i \ge 1 \end{cases}$

Example

•  N = 82123, $x_0$ = 631, $f(x) = x^2 + 1$

[Table: i, $x_i \bmod N$, $x_i \bmod p$. The $x_i \bmod p$ column is just for understanding. In reality we will not know this.]

Given $x_i \bmod N$, we compute gcds of every pair until we find a gcd greater than 1

$\gcd(x_3 - x_{10}, N) = \gcd(63222, 82123) = 41$: a factor of N

Drawback… Large number of GCD computations. 55 gcd computations in this case. Can we reduce the number of gcd computations?

The Rho in Pollard-Rho

•  N = 82123, $x_0$ = 631, $f(x) = x^2 + 1$

$x_t = x_{t+l} \bmod p$

•  The smallest value of t and l, for which the above congruence holds is t=3, l=7
•  For l=7, all values of t > 3 satisfy the congruence
•  This leads to a cycle as shown in the figure (and a shape like the Greek letter rho)

[Figure: the values 16, 11, 40, 2, 5, 26, 21, 32, 0, 1 drawn as a tail leading into a cycle, in the shape of the letter rho]

$x_j = x_{j+l} \bmod p$, $t \ge 3$

Reducing gcd computations

•  GCD computations can be expensive.
•  Use Floyd's cycle detection algorithm to reduce the number of GCD computations.

choose a random $x_0 = y_0 \in Z_n$
loop:
    $x_i = f(x_{i-1})$
    $y_i = f(f(y_{i-1}))$
    $d = \gcd(x_i - y_i, N)$
    if $d > 1$, return d

[Figure: the same rho-shaped cycle, 16, 11, 40, 2, 5, 26, 21, 32, 0, 1]

claim: The first time $x_i = y_i \bmod p$ occurs when $i \le t + l$

This means that we get a collision before x completes an entire circle

The first time $x_i = y_i \bmod p$ occurs is when $i \le t + l$

•  l is the number of points in the cycle
•  t is the smallest value of i such that

   $x_i \equiv y_i \bmod p$

$x_i \equiv y_i \bmod N$
$x_i \equiv x_{2i} \bmod N$
$l \mid (2i - i)$
$l \mid i \Rightarrow l(k+1) = i$

$x_i$ and $y_i$ meet at the same point in the cycle. Therefore, $y_i$ must have traversed (some) cycles more

consider $i = (k+1)l = t + (-t \bmod l) \le t + l$
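Both ways of hunting for a collision, run on the deck's own instance (N = 82123, x0 = 631, f(x) = x^2 + 1), as an added example that is not code from the original slides. Function names are hypothetical; the all-pairs search counts gcds in the order a new element is compared with every earlier one, so its count can differ from a count over all pairs of the first eleven elements.

```python
# Added illustration: Pollard rho, all-pairs search versus Floyd's cycle detection.
from math import gcd


def sequence(N, x0, count):
    """First `count` elements of x_i = f(x_{i-1}) with f(x) = x^2 + 1 mod N."""
    xs = [x0 % N]
    while len(xs) < count:
        xs.append((xs[-1] * xs[-1] + 1) % N)
    return xs


def rho_all_pairs(N, x0, max_len=1000):
    """'Doing without magic': gcd of every pair until a proper factor appears.
    Returns (factor, (i, j), number_of_gcds) or None."""
    xs = [x0 % N]
    gcds = 0
    for j in range(1, max_len):
        xs.append((xs[-1] * xs[-1] + 1) % N)
        for i in range(j):
            gcds += 1
            d = gcd(xs[j] - xs[i], N)     # math.gcd ignores the sign
            if 1 < d < N:
                return d, (i, j), gcds
    return None


def rho_floyd(N, x0, max_steps=100000):
    """Floyd: x moves one step, y two; one gcd per iteration.
    Returns (factor, i) or (None, i) if the walk collides modulo N itself."""
    x = y = x0 % N
    for i in range(1, max_steps + 1):
        x = (x * x + 1) % N               # x_i = f(x_{i-1})
        y = (y * y + 1) % N               # y_i = f(f(y_{i-1}))
        y = (y * y + 1) % N
        d = gcd(x - y, N)
        if d == N:
            return None, i                # retry with another x0 or f
        if d > 1:
            return d, i
    return None, max_steps


if __name__ == "__main__":
    N, x0 = 82123, 631
    xs = sequence(N, x0, 11)
    print([x % 41 for x in xs])           # tail 16, 11, 40 then the cycle from 2
    print(rho_all_pairs(N, x0))
    print(rho_floyd(N, x0))
```

With t = 3 and l = 7 the bound i ≤ t + l gives i ≤ 10; Floyd meets at i = 7, the first multiple of l that is at least t.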

Expected number of operations before a collision

•  Can be obtained from Birthday paradox to be $\sqrt{p}$

Congruences of Squares

•  Given N = p x q, we need to find p and q
•  Suppose we find an x and y such that $x^2 \equiv y^2 \bmod N$
•  Then, $N \mid (x^2 - y^2) \Rightarrow N \mid (x - y)(x + y)$
•  This implies, $\gcd(N, (x - y))$ or $\gcd(N, (x + y))$ factors N

Example

•  Consider N = 91

$10^2 \equiv 3^2 \bmod 91$
$91 \mid (10 - 3)(10 + 3)$
$91 \mid (7 \times 13)$
$\gcd(91, 13) = 13$, $\gcd(91, 7) = 7$

$34^2 \equiv 8^2 \bmod 91$
$91 \mid (34 + 8)(34 - 8)$
$91 \mid 42 \times 26$
$\gcd(91, 26) = 13$, $\gcd(91, 42) = 7$

So… we can use x and y to factorize N.

But how do we find such pairs $x^2 \equiv y^2 \bmod N$?

Another Example

•  N = 1649

$41^2 \equiv 32 \bmod 1649$
$43^2 \equiv 200 \bmod 1649$

32 and 200 are not perfect squares. However $(32 \times 200 = 6400) = 80^2$ is a perfect square

$(41 \times 43)^2 \equiv (32 \times 200) \bmod 1649 \equiv 80^2 \bmod 1649$

Thus, it is possible to combine non-squares to form a perfect square

the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/)

Forming Perfect Squares

Recall, Fundamental theorem of arithmetic: Any integer number (greater than 1) is either prime or a product of prime powers

$n = p_1^{e_1} p_2^{e_2} p_3^{e_3} \cdots p_k^{e_k}$

Thus, a number is a perfect square if its prime factors have even powers: $e_1, e_2, e_3, \ldots$ are even.

Thus,
$32 = 2^5 5^0$ not a perfect square
$200 = 2^3 5^2$ not a perfect square
$(32 \times 200) = 2^5 5^0 \times 2^3 5^2 = 2^8 5^2 = (2^4 5^1)^2$ is a perfect square

Dixon's Random Squares Algorithm

1.  Choose a set B comprising the 'b' smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set)
2.  Select an r at random
    –  Compute $y = r^2 \bmod N$
    –  Test if y factors completely in the set B.
    –  If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers)
3.  Repeat step 2, until we have b+1 such (y, r) pairs
4.  Solve the system of linear congruences

Example

•  N = 1829
•  b = 6, B = {-1, 2, 3, 5, 7, 11, 13}
•  Choose random values of r, square and factorize

All numbers are 6-smooth except 60 and 75. Leave these and consider all others


Check Exponents

        -1   2   3   5   7  11  13
 -65     1   0   0   1   0   0   1
  20     0   2   0   1   0   0   0
  63     0   0   2   0   1   0   0
 -11     1   0   0   0   0   1   0
 -91     1   0   0   0   1   0   1
  80     0   4   0   1   0   0   0

Find rows where exponents sum is even: -65, 20, 63, -91

 sum     2   2   2   2   2   0   2

$(42 \times 43 \times 61 \times 85)^2 \equiv (-1 \times 2 \times 3 \times 5 \times 7 \times 13)^2 \bmod 1829$
$1459^2 \equiv 901^2 \bmod 1829$

Final Steps

$(42 \times 43 \times 61 \times 85)^2 \equiv (-1 \times 2 \times 3 \times 5 \times 7 \times 13)^2 \bmod 1829$
$1459^2 \equiv 901^2 \bmod 1829$

$1829 \mid (1459 + 901)(1459 - 901)$
$1829 \mid 2360 \Rightarrow \gcd(1829, 2360) = 59$
$1829 \mid 558 \Rightarrow \gcd(1829, 558) = 31$

Thus $1829 = 59 \times 31$
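Dixon's four steps applied to the N = 1829 example, as an added sketch that is not from the original slides. The list of r values is an assumption (the slides' table of r values did not survive, only the remark that 60 and 75 are rejected), the function names are illustrative, and step 4 is done here by Gaussian elimination over GF(2).

```python
from math import gcd

N = 1829
PRIMES = [2, 3, 5, 7, 11, 13]                  # factor base; -1 is tracked as a sign exponent
R_VALUES = [42, 43, 60, 61, 74, 75, 85, 86]    # assumed r values standing in for random picks


def signed_residue(r, n):
    """r^2 mod n, mapped into (-n/2, n/2] so that -1 can appear as a factor."""
    y = r * r % n
    return y - n if y > n // 2 else y


def exponent_vector(y, primes):
    """Exponents of y over [-1] + primes, or None if y is not smooth."""
    if y == 0:
        return None
    vec = [1 if y < 0 else 0]
    y = abs(y)
    for p in primes:
        e = 0
        while y % p == 0:
            y //= p
            e += 1
        vec.append(e)
    return vec if y == 1 else None


def even_subsets(vectors):
    """Gaussian elimination over GF(2): yield index lists whose rows sum to all-even."""
    basis = {}                                  # pivot bit -> (parity mask, rows combined)
    for idx, vec in enumerate(vectors):
        mask = sum((e & 1) << j for j, e in enumerate(vec))
        combo = 1 << idx
        while mask:
            pivot = mask.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (mask, combo)
                break
            mask, combo = mask ^ basis[pivot][0], combo ^ basis[pivot][1]
        else:                                   # reduced to zero: a dependency was found
            yield [i for i in range(len(vectors)) if combo >> i & 1]


def dixon(n, primes, r_values):
    """Return (p, q) with p * q == n, or None if these r values do not suffice."""
    relations = []
    for r in r_values:
        vec = exponent_vector(signed_residue(r, n), primes)
        if vec is not None:                     # keep only the smooth (y, r) pairs
            relations.append((r, vec))
    for subset in even_subsets([vec for _, vec in relations]):
        x, total = 1, [0] * (len(primes) + 1)
        for i in subset:
            r, vec = relations[i]
            x = x * r % n
            total = [s + e for s, e in zip(total, vec)]
        y = 1
        for p, e in zip(primes, total[1:]):     # halve the even exponents: sqrt of the product
            y = y * pow(p, e // 2, n) % n
        d = gcd(x - y, n)
        if 1 < d < n:
            return tuple(sorted((d, n // d)))
    return None


if __name__ == "__main__":
    print(dixon(N, PRIMES, R_VALUES))
```

The first dependency found is the slides' row set -65, 20, 63, -91, giving x = 1459 and y = 901.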

State of the Art Factorization Techniques

•  Quadratic Sieve
    –  Fastest for less than 100 digits
•  General Number Field Sieve
    –  Fastest technique known so far for greater than 100 digits
    –  Open source code (google GGNFS)
•  RSA factoring challenge
    –  Best so far is 768 bit factorization
    –  Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)

https://en.wikipedia.org/wiki/RSA_Factoring_Challenge

RSA Attacks

attacks that don't require factorization algorithms

Φ(n) leaks

•  If an attacker gets Φ(n) then n can be factored

$n = pq, \quad q = n/p$
$\phi(n) = (p-1)(q-1) = pq - (p+q) + 1$
$\phi(n) = n - (p + n/p) + 1$
$p^2 - (n - \phi(n) + 1)p + n = 0$

Solve to get p (a factor of n)

square roots of 1 mod n

There are two trivial and two non-trivial solutions for $y^2 \equiv 1 \bmod n$
The trivial solutions are +1 and -1

$y^2 \equiv 1 \bmod n \iff \begin{cases} y^2 \equiv 1 \bmod p \\ y^2 \equiv 1 \bmod q \end{cases}$

By CRT, these congruences are equivalent

$\begin{cases} y \equiv 1 \bmod p \\ y \equiv -1 \bmod p \end{cases}$ $\quad$ $\begin{cases} y \equiv 1 \bmod q \\ y \equiv -1 \bmod q \end{cases}$

To get the non-trivial solutions solve using CRT

$y \equiv +1 \bmod p, \quad y \equiv -1 \bmod q$
$y \equiv -1 \bmod p, \quad y \equiv +1 \bmod q$

Example

•  n = 403 = 13 × 31
•  To get the non-trivial solutions of $y^2 \equiv 1 \bmod n$ solve using CRT

$y \equiv +1 \bmod p, \quad y \equiv -1 \bmod q$
$y \equiv -1 \bmod p, \quad y \equiv +1 \bmod q$

$(31 \cdot (31^{-1} \bmod 13) - 13 \cdot (13^{-1} \bmod 31)) \bmod 403$
$\equiv (31 \cdot 8 - 13 \cdot 12) \bmod 403 \equiv 92$
$403 - 92 = 311$

The non-trivial solutions are 92 and 311

Note: $92^2 \equiv 311^2 \equiv 1 \bmod 403$

What happens when we solve $y \equiv +1 \bmod p, \quad y \equiv +1 \bmod q$

Decryption exponent leaks

•  If the decryption exponent 'a' leaks, then n can be factored
•  The attacker can then compute

$ab \equiv 1 \bmod \phi(n), \quad k\phi(n) = (ab - 1)$

•  Now, for any message x ≠ 0

$x^{ab-1} \equiv 1 \bmod n$

•  Attack plan, take square root: i.e.,

$y = x^{\frac{ab-1}{2}} \bmod n$

$y^2 \equiv 1 \bmod n \Rightarrow n \mid (y^2 - 1) \Rightarrow n \mid (y - 1)(y + 1)$

$\gcd(n, y - 1)$ is a factor of n

However we need $y \ne \pm 1$ to have a non-trivial result

The Attack (basic idea)

1. given a, compute $ab - 1$
2. Represent $t = (ab - 1)/2$
3. choose any message x
4. put $y = x^t \bmod n$
5. compute $d \leftarrow \gcd(y - 1, n)$
6. if $1 < d < n$, return "a factor of n is d"; exit
7. if (t is even) $t = t/2$; goto step 4; else return "failure"

$ab \equiv 1 \bmod \phi(n), \quad k\phi(n) = ab - 1$

$y = x^{\frac{ab-1}{2}} \bmod n, \quad y^2 \equiv 1 \bmod n$
thus, $(y^2 - 1) \equiv 0 \bmod n$, $n \mid (y + 1)(y - 1)$

we assume we know the private key a

This will only work if y ≠ ±1 mod n. If y = ±1 mod n, then goto step 7

Probability of success of the attack is at least 1/2

Example

•  N = 403, b = 23, a = 47

$t = ab - 1 = 1080, \quad x = 2$
loop 1: $t = 1080/2 = 540$, $y \equiv x^t \bmod 403 = 2^{540} \bmod 403 \equiv 1$
loop 2: $t = 540/2 = 270$, $y \equiv x^t \bmod 403 = 2^{270} \bmod 403 \equiv 311$
$\gcd(310, 403) = 31$ (a factor of n)

$t = ab - 1 = 1080, \quad x = 9$
loop 1: $t = 1080/2 = 540$, $y \equiv x^t \bmod 403 = 9^{540} \bmod 403 \equiv 1$
loop 2: $t = 540/2 = 270$, $y \equiv x^t \bmod 403 = 9^{270} \bmod 403 \equiv 1$
loop 3: $t = 270/2 = 135$, $y \equiv x^t \bmod 403 = 9^{135} \bmod 403 \equiv 1$
can't divide 135 further. failure
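Both key-material leaks (Φ(n) and the decryption exponent) worked through on the slides' n = 403, b = 23, a = 47, as an added example that is not from the original slides; the function names are illustrative. Either leak yields the factors of n, so a key whose Φ(n) or private exponent has been exposed cannot be repaired by choosing new exponents for the same modulus.

```python
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Solve p^2 - (n - phi + 1)p + n = 0; return (p, q) or None."""
    s = n - phi + 1                      # s = p + q
    disc = s * s - 4 * n                 # equals (p - q)^2 when phi is correct
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        return None
    p, q = (s - root) // 2, (s + root) // 2
    return (p, q) if p * q == n else None


def factor_from_exponents(n, b, a, x):
    """Steps 1-7 of the slide for one message x.
    Returns (factor or None, [(t, y), ...]) so each loop pass can be inspected."""
    t = a * b - 1                        # a multiple of phi(n), hence even
    trace = []
    while t % 2 == 0:
        t //= 2
        y = pow(x, t, n)
        trace.append((t, y))
        d = gcd(y - 1, n)
        if 1 < d < n:                    # y is a non-trivial square root of 1
            return d, trace
    return None, trace                   # t became odd: failure for this x


def factor_with_leaked_exponent(n, b, a, tries=20):
    """Retry with x = 2, 3, ...; each x succeeds with probability at least 1/2."""
    for x in range(2, 2 + tries):
        g = gcd(x, n)
        if g > 1:
            return g                     # x already shares a factor with n
        d, _ = factor_from_exponents(n, b, a, x)
        if d:
            return d
    return None


if __name__ == "__main__":
    print(factor_from_phi(403, 12 * 30))
    print(factor_from_exponents(403, 23, 47, 2))
    print(factor_from_exponents(403, 23, 47, 9))
```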

Small Encryption Exponent

•  In order to improve efficiency of encryption, a small encryption exponent is preferred
•  However, this can lead to a vulnerability


Small Encryption Exponent

•  Consider, Alice sending the same message m to 3 different people.
•  Each having a different N (say N1, N2, N3)
•  But same public key b (say 3)
•  This allows Mallory to snoop in and get 3 ciphertexts

[Figure: Alice sends c1, c2 and c3 to the three recipients over an insecure channel]

$c_1 = m^3 \bmod N_1$
$c_2 = m^3 \bmod N_2$
$c_3 = m^3 \bmod N_3$

Small Encryption Exponent

$\begin{cases} c_1 = m^3 \bmod N_1 \\ c_2 = m^3 \bmod N_2 \\ c_3 = m^3 \bmod N_3 \end{cases} \iff X \equiv m^3 \bmod (N_1 \cdot N_2 \cdot N_3)$ (By CRT)

•  Thus, Mallory can compute X
•  Since m < N1, m < N2, m < N3 => $m^3$ < (N1 × N2 × N3)
•  Thus, $X^{1/3} = m$
    –  i.e. The message can be decrypted

It is tempting to have small private and public keys, so that encryption or decryption may be carried out efficiently. However you would do this at the cost of security!!
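The CRT step and the integer cube root from the slides above, as an added example that is not part of the original slides. The three moduli and the message 4242 are constructed toy values, and the function names are illustrative.

```python
def crt(residues, moduli):
    """Combine x ≡ r_i (mod n_i) for pairwise-coprime n_i; return (x, product)."""
    x, modulus = 0, 1
    for r, n in zip(residues, moduli):
        # lift x (mod modulus) to the value mod modulus*n that is also r mod n
        k = (r - x) * pow(modulus, -1, n) % n
        x += modulus * k
        modulus *= n
    return x, modulus


def integer_root(value, e):
    """Largest integer r with r**e <= value (binary search, no floating point)."""
    lo, hi = 0, 1 << (value.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= value:
            lo = mid
        else:
            hi = mid - 1
    return lo


def broadcast_recover(ciphertexts, moduli, e):
    """Recover m from e ciphertexts of the same unpadded m under exponent e.
    Returns None when the CRT value is not an exact e-th power."""
    X, _ = crt(ciphertexts, moduli)      # X = m^e exactly, because m^e < N1*N2*...*Ne
    m = integer_root(X, e)
    return m if m ** e == X else None


def demo():
    # Constructed toy keys: every prime is 2 mod 3, so b = 3 is a valid exponent.
    moduli = [101 * 107, 113 * 131, 137 * 149]
    m = 4242                             # constructed message, smaller than every modulus
    ciphertexts = [pow(m, 3, n) for n in moduli]
    return broadcast_recover(ciphertexts, moduli, 3)


if __name__ == "__main__":
    print(demo())
```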

Low Decryption Exponent

•  The attack applies when the private key a is small, $a < \frac{\sqrt[4]{n}}{3}$
•  In such a case 'a' can be computed efficiently

Partial Information of Plaintexts: Computing Jacobi of the plaintext

$y = x^b \bmod n$; y is the ciphertext; x is the message; b is the public key and $\gcd(b, \phi(n)) = 1$

Thus, $\gcd(b, (p-1)(q-1)) = 1$; $(p-1)(q-1)$ is even, therefore b must be odd

consider Jacobi

$\left(\frac{y}{n}\right) = \pm 1$

$\left(\frac{y}{n}\right) = \left(\frac{x}{n}\right)^b = \left(\frac{x}{n}\right)$ since b is odd

thus, RSA encryption leaks the value of the Jacobi symbol $\left(\frac{x}{n}\right)$

Partial Information of Plaintexts: first half or second half?

•  given $y = x^b \bmod n$,
    –  is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1)
•  We prove that RSA does not leak this information
•  If there exists an efficient algorithm that can determine if x is in the first or second half then, the entire plaintext can be obtained

[Figure: the range of x split into a first half and a second half]

Binary Search Trees on x

Consider this function

$HALF(x) = \begin{cases} 0 & \text{if } 0 \le x < \frac{n}{2} \\ 1 & \text{if } \frac{n}{2} \le x < n - 1 \end{cases}$

example

$x = 3 \bmod 13$, $HALF(x) = 0$
$2x \equiv 6 \bmod 13$, $HALF(2x) = 0$
$4x \equiv 12 \bmod 13$, $HALF(4x) = 1$
$8x \equiv 11 \bmod 13$, $HALF(8x) = 1$
$16x \equiv 9 \bmod 13$, $HALF(16x) = 1$

[Figure: binary search tree over the intervals [0,13); [0,6.5) and [6.5,13); [0,3.25); [0,1.625) and [1.625,3.25); branch labels 0, 0, 1; leaf 3]

Partial Information of Plaintexts (first or second half proof)

•  Assume a hypothetical oracle called HALF as follows

$HALF(n, b, y) = \begin{cases} 0 & \text{if } 0 \le x < \frac{n}{2} \\ 1 & \text{if } \frac{n}{2} \le x < n - 1 \end{cases}$

$y = x^b \bmod n$
$y \cdot 2^b \equiv (2x)^b \bmod n$
$y \cdot 4^b \equiv (4x)^b \bmod n$
$y \cdot 8^b \equiv (8x)^b \bmod n$
$y \cdot 16^b \equiv (16x)^b \bmod n$

$HALF(y) = 0 \Rightarrow x \in [0, \frac{n}{2})$
$HALF(y \cdot 2^b) = 0 \Rightarrow x \in [0, \frac{n}{4})$
$HALF(y \cdot 2^b) = 1 \Rightarrow x \in [\frac{n}{4}, \frac{n}{2})$
$HALF(y \cdot (2^2)^b) = 0 \Rightarrow x \in [0, \frac{n}{8})$
$HALF(y \cdot (2^2)^b) = 1 \Rightarrow x \in [\frac{n}{8}, \frac{n}{4})$

Example

n = 1457, b = 779, y = 722

$h_i$: 1 0 1 0 1 1 1 1 1 0 0

Thus, if we have an efficient function HALF, we can recover the plaintext message.
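The binary search driven by HALF on the slide's n = 1457, b = 779, y = 722, as an added example that is not from the original slides. The oracle is simulated here from the private exponent, which assumes the factorisation 1457 = 31 × 47; that factorisation and the function names are not on the slides.

```python
from fractions import Fraction
from math import floor


def make_half_oracle(n, a):
    """Simulated HALF(n, b, y): decrypts with the private exponent a and
    reveals only whether the plaintext lies in the upper half of [0, n)."""
    def half(y):
        return 1 if 2 * pow(y, a, n) >= n else 0
    return half


def recover_plaintext(n, b, y, half):
    """Return (x, bits): the plaintext of y and the oracle answers h_0..h_k."""
    k = n.bit_length() - 1               # floor(log2 n)
    two_b = pow(2, b, n)                 # encryption of 2
    bits = []
    for _ in range(k + 1):
        bits.append(half(y))             # h_i = HALF(y * (2^i)^b)
        y = y * two_b % n                # ciphertext of the doubled plaintext
    lo, hi = Fraction(0), Fraction(n)
    for h in bits:                       # each answer halves the interval holding x
        mid = (lo + hi) / 2
        if h:
            lo = mid
        else:
            hi = mid
    return floor(hi), bits


if __name__ == "__main__":
    n, b, y = 1457, 779, 722
    a = pow(b, -1, 30 * 46)              # assumed private exponent, from 1457 = 31 * 47
    x, bits = recover_plaintext(n, b, y, make_half_oracle(n, a))
    print(bits, x, pow(x, b, n) == y)
```

Eleven one-bit answers are enough here because n has eleven bits; any interface that answers the HALF question for chosen ciphertexts gives away the whole plaintext.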

Man in the Middle Attack

•  The process of encryption with a public key cipher

Bob sends his public key
Alice encrypts with Bob's public key
Bob decrypts with his private key

Man in the Middle Attack

•  The process of encryption with a public key cipher

Bob sends his public key
Mallory (man in the middle) intercepts messages
Mallory sends her public key
Alice encrypts with Mallory's public key
Mallory decrypts with her private key and re-encrypts with Bob's public key
Bob decrypts with his private key

Searching the Message Space

Bob sends his public key
Alice encrypts with Bob's public key
Bob decrypts with his private key

•  Suppose message space is small,
    –  Mallory can try all possible messages, encrypt them (since she knows Bob's public key) and check if it matches Alice's ciphertext

Bad Prime Generation Algorithms

•  Suppose the prime generation was faulty
    –  So that, primes generated were always from a small subset
    –  Then, RSA can be broken
•  Pairwise GCD of over a million RSA moduli collected from the Internet showed that
    –  2 in 1000 have a common prime factor

Ron was Wrong, Whit is Right, 2012

Discrete Log Problem, ElGamal, and Diffie Hellman

STINSON: chapter 6

Primitive Elements of a Group

Let $(G, \cdot)$ be a group of order n. Let $\alpha \in G$.
The order of $\alpha$ is the smallest integer m such that $\alpha^m = 1$.
$\alpha$ is termed as a primitive element if it has order n.
If $\alpha$ is a primitive element then $\{\alpha^i : 0 \le i \le n-1\}$ generates all elements in G

Consider $\mathbb{Z}^*_{13} = \{1, 2, 3, \ldots, 12\}$
$(\mathbb{Z}^*_{13}, \cdot)$ forms a group of order 12
Let $\alpha = 7$, $\langle 7 \rangle = \{7, 10, 5, 9, 11, 12, 6, 3, 8, 4, 2, 1\}$

<7> has order 12 and generates all elements in $\mathbb{Z}^*_{13}$. Thus, 7 is a primitive element

Discrete Log Problem

Let $(G, \cdot)$ be a group
Let $\alpha \in G$ be a primitive element in the group with order n
Define the set $\langle \alpha \rangle = \{\alpha^i : 0 \le i \le n-1\}$
For any unique integer a $(0 \le a \le n-1)$, let $\alpha^a = \beta$
Denote $a = \log_\alpha \beta$ as the discrete logarithm of $\beta$

Given α and a, it is easy to compute β
Given α and β it is computationally difficult to determine what a was

ElGamal Public Key Cryptosystem

•  Fix a prime p (and group $Z_p$)
•  Let $\alpha \in Z_p$ be a primitive element
•  Choose a secret 'a' and compute $\beta \equiv \alpha^a \bmod p$

Public keys: $\alpha, \beta, p$
Private key: a

Encryption

choose a random (secret) $k \in Z_p$
$e_k(x) = (y_1, y_2)$
where $y_1 = \alpha^k \bmod p$,
$y_2 = x \cdot \beta^k \bmod p$

Decryption

$d_k(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p$
$= (x \cdot \beta^k)(\alpha^{ka})^{-1} \bmod p$
$= (x \cdot \alpha^{ka})(\alpha^{ka})^{-1} \bmod p$
$= x$

ElGamal Example

•  p = 2579, α = 2 (α is a primitive element mod p)
•  Choose a random a = 765
•  Compute $\beta \equiv 2^{765} \bmod 2579$

Encryption of message x = 1299
choose a random key k = 853
$y_1 = 2^{853} \bmod 2579 = 435$
$y_2 = 1299 \times 949^{853} \bmod 2579 = 2396$

Decryption of cipher (435, 2396)
$2396 \times (435^{765})^{-1} \bmod p = 1299$

Finding the Log

$\beta \equiv \alpha^a \bmod p$
Given α and β it is computationally difficult to determine what a was

•  Brute force (compute intensive)
    compute $\alpha, \alpha^2, \alpha^3, \alpha^4, \ldots$ (until you reach β)
    this would definitely work, but not practical if p is large
    complexity O(p), space complexity O(1)
•  Memory Intensive
    precompute $\alpha, \alpha^2, \alpha^3, \alpha^4, \ldots$ (all values). Sort and store.
    For any given β look up the table of stored values.
    complexity O(1) but space complexity O(n)

Shanks' Algorithm (also known as Baby-step Giant-step)

$\beta \equiv \alpha^a \bmod p$

Rewrite a as $a = mq + r$, where $m = \lceil \sqrt{p} \rceil$

$\beta \equiv \alpha^{mq} \alpha^r \bmod p$
$\beta (\alpha^{-m})^q \equiv \alpha^r \bmod p$

We neither know q nor r, so we need to try out several values for q and r until we find a collision

Shanks' Algorithm (example)

•  p = 31 and α = 3. Suppose β = 6.
•  What is a?

$m = \lceil \sqrt{31} \rceil = 6$, $(3^{-1})^6 \bmod 31 = 2$

List 1
$\alpha = 3$
$\alpha^2 = 9$
$\alpha^3 = 27$
$\alpha^4 = 81 \equiv 19 \bmod 31$
$\alpha^5 = 19 \cdot 3 \equiv 26 \bmod 31$

List 2
$\beta(\alpha^{-6})^0 = 6 \cdot 2^0 = 6$
$\beta(\alpha^{-6})^1 = 6 \cdot 2^1 = 12$
$\beta(\alpha^{-6})^2 = 6 \cdot 2^2 = 24$
$\beta(\alpha^{-6})^3 = 6 \cdot 2^3 \equiv 17 \bmod 31$
$\beta(\alpha^{-6})^4 = 6 \cdot 2^4 \equiv 3 \bmod 31$ (collision)

Thus, m = 6, q = 4, r = 1, a = mq + r = 25

Shanks' Algorithm

Create List 1
Create List 2
Find collision

Complexity of Shanks' Algorithm

O(m)
O(m log m)
O(m)
O(m log m)
O(log m)

$O(m \log m) \sim O(m) = O(p^{1/2})$
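Baby-step giant-step as described on the Shanks slides, checked on both worked examples (p = 31, and the ElGamal key with p = 2579), as an added example that is not from the original slides; the function names are illustrative. It uses a dictionary for List 1 instead of the sort-and-search the complexity slide counts, and it shows why ElGamal needs a prime far too large for an O(p^{1/2}) search.

```python
from math import isqrt


def bsgs(alpha, beta, p):
    """Find a with alpha^a ≡ beta (mod p), written as a = m*q + r."""
    m = isqrt(p - 1) + 1                 # m = ceil(sqrt(p))
    list1 = {}                           # List 1: alpha^r -> r for 0 <= r < m
    value = 1
    for r in range(m):
        list1.setdefault(value, r)
        value = value * alpha % p
    step = pow(alpha, -m, p)             # alpha^(-m) mod p
    gamma = beta % p
    for q in range(m):                   # List 2: beta * (alpha^(-m))^q
        if gamma in list1:               # collision: beta * alpha^(-mq) = alpha^r
            return m * q + list1[gamma]
        gamma = gamma * step % p
    return None                          # beta is not a power of alpha


def elgamal_encrypt(p, alpha, beta, x, k):
    """e_k(x) = (alpha^k, x * beta^k) mod p."""
    return pow(alpha, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(p, a, y1, y2):
    """d(y1, y2) = y2 * (y1^a)^(-1) mod p."""
    return y2 * pow(pow(y1, a, p), -1, p) % p


if __name__ == "__main__":
    print(bsgs(3, 6, 31))                            # slide example
    p, alpha, a = 2579, 2, 765
    beta = pow(alpha, a, p)
    y1, y2 = elgamal_encrypt(p, alpha, beta, 1299, 853)
    recovered_a = bsgs(alpha, beta, p)               # private key from public values
    print(beta, (y1, y2), recovered_a, elgamal_decrypt(p, recovered_a, y1, y2))
```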

Other Discrete Log Algorithms

•  Pollard-Hellman Algorithm
    used when n is a composite, $\beta \equiv \alpha^a \bmod n$
•  Pollard-Rho Algorithm
    about the same runtime as the Shanks' algorithm, but has much less memory requirements

Diffie Hellman Problem

Let $(G, \cdot)$ be a group
Let $\alpha \in G$ be a primitive element in the group with order n
Define the set $\langle \alpha \rangle = \{\alpha^i : 0 \le i \le n-1\}$

Computational DH (CDH): given $\alpha^a$ and $\alpha^b$, find $\alpha^{ab}$

Decision DH (DDH): given $\alpha^a$, $\alpha^b$ and $\alpha^c$, determine if $c \equiv ab \bmod n$

Recall… Diffie Hellman Key Exchange

Alice and Bob agree upon a prime p and a generator g. This is public information

choose a secret a; compute $A = g^a \bmod p$
choose a secret b; compute $B = g^b \bmod p$

[exchanged over the channel: A, B]

Compute $K = B^a \bmod p$
Compute $K = A^b \bmod p$

$A^b \bmod p = (g^a)^b \bmod p = (g^b)^a \bmod p = B^a \bmod p$
