Cryptography: Algorithms on Numbers

Post on 06-Jan-2016


Description: Cryptography: Algorithms on Numbers (PowerPoint PPT presentation)

Transcript

Cryptography: Algorithms on Numbers

2

A Typical Setting

Alice (Encoder) sends e(x) over the channel to Bob (Decoder), while Eve listens in

Alice starts with x; Bob recovers x = d(e(x))

Goal: Design e() and d() so that without knowing d(), e(x) gives away very little information

Encryption function e: <messages> → <encoded messages>

Decryption function d: <encoded messages> → <messages>

3

Codes in History

405 BC: the Greek general Lysander of Sparta was sent a coded message about an impending Persian attack, written on the inside of a servant's belt. To decipher it, the belt had to be wound on a staff (scytale). The Spartans were forewarned and defeated the Persians.

Caesar's cipher: message sent by Caesar to Cicero during the Gallic Wars

4

Codes in History

1586 AD: Mary, Queen of Scots, tried for plotting against Queen Elizabeth of England.

As evidence, Francis Walsingham presented encrypted letters written by Mary, supporting the plot.

5

Codes in History: World War I

Jan 1917: Telegram sent by Arthur Zimmermann, foreign secretary of Germany, asking the Mexican govt. to attack the United States

Feb 1917: Message was decoded by British Intelligence and delivered to President Woodrow Wilson

April 1917: US declares war on Germany

6

Codes in History: World War II

Enigma: German encryption machine

Bombe: decryption machine built by British Intelligence

Bletchley Park: center of British Intelligence

German submarine locations were communicated by encrypted messages using Enigma; breaking them made it easy for Allied forces to destroy German submarines

Alan Turing: contributed significantly to the Allied cryptography effort

7

Secret Writing

Steganography: steganos = covered, graphein = to write
(China) hidden messages written on silk, covered in wax
(Italy) write the message on a hard-boiled egg; the ink penetrates the shell and stays on the albumen
Invisible ink that shows up on heating

Cryptography: kryptos = hidden, graphein = to write

8

Private Key Protocols

9

Private-Key Protocol

Alice and Bob meet beforehand and choose secret e() and d() functions. Disadvantage: need to meet beforehand

Example: choose a secret string r, e.g. r = 01110010

Encryption: e(x) = x ⊕ r, e.g. e(11110000) = 11110000 ⊕ 01110010 = 10000010

Decryption: d(y) = y ⊕ r, e.g. d(10000010) = 10000010 ⊕ 01110010 = 11110000

Problem: e(x) ⊕ e(x') = (x ⊕ r) ⊕ (x' ⊕ r) = x ⊕ x'. Some information leaks out through repeated use of the same r
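The XOR scheme above and the key-reuse leak it describes, as an added example (not code from the slides); the bit strings are the slide's values plus one constructed second message x2.

```python
# Added example, not code from the slides: the private-key XOR scheme e(x) = x XOR r
# and the leak from reusing r. The bit strings are the slide's values plus one
# constructed second message x2.

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings such as '11110000' and '01110010'."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length bit strings")
    return "".join("1" if p != q else "0" for p, q in zip(a, b))

def encrypt(x: str, r: str) -> str:
    """e(x) = x XOR r with the shared secret string r."""
    return xor_bits(x, r)

def decrypt(y: str, r: str) -> str:
    """d(y) = y XOR r; XOR is its own inverse, so d(e(x)) = x."""
    return xor_bits(y, r)

def leak_from_reuse(y1: str, y2: str) -> str:
    """What an eavesdropper computes from two ciphertexts under the same r:
    (x XOR r) XOR (x2 XOR r) = x XOR x2, without ever learning r."""
    return xor_bits(y1, y2)

if __name__ == "__main__":
    r = "01110010"                   # secret string from the slide
    x = "11110000"                   # message from the slide
    x2 = "10101010"                  # constructed second message sent under the same r
    y, y2 = encrypt(x, r), encrypt(x2, r)
    print(y, decrypt(y, r))          # 10000010 11110000
    print(leak_from_reuse(y, y2))    # 01011010, which equals x XOR x2
```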

10

Private-Key Protocol: AES

Advanced Encryption Standard

Advanced Encryption Standard (AES), also known as the Rijndael block cipher
Developed by Belgian mathematicians Vincent Rijmen and Joan Daemen
Approved by the US Govt. in 2001
Repeated use possible
Security not rigorously established

11

Visual Cryptography

(Figure: the original image and Shares 1, 2, 3 and 4)

12

Visual Cryptography

(Figure: overlays of Shares 1 and 2, Shares 1 and 3, and Shares 3 and 4)

13

Public Key Protocol

Bob’s padlock (publicly available)

14

Public Key Cryptosystems: RSA

Alice encrypts using Bob's publicly available key e()
Bob decodes using his private function d()
Alice and Bob need not have met before
Computation easy if e() and d() known

(Slide shows an example PGP public key block, "Version: 2.6.2")

15

Rivest-Shamir-Adleman (RSA) Cryptosystem

Need the following tools:
Modular arithmetic
Euclid's algorithm
Primality testing
Generating random primes

16

Two’s complement method for storing signed integers

n bits are used to represent numbers in the range [-2^(n-1), 2^(n-1) - 1]
Storing positive numbers in the range 0 to 2^(n-1) - 1: in regular binary with leading bit 0
Storing negative numbers -x with 1 ≤ x ≤ 2^(n-1): construct x in binary, flip all bits of x, add 1

Equivalent description: store modulo 2^n

Negative numbers get stored as 2^n - x = (2^n - 1 - x) + 1

Example: n = 4
(5)_10 = (0101)_2
-5 stored as 1010 + 1 = 1011. Equivalently: 1111 - 0101 + 1 = 1010 + 1

17

Integer Multiplication

Decimal: 13 × 11 = 13 + 130 = 143

Binary: (13)_10 = (1101)_2, (11)_10 = (1011)_2

       1101
     × 1011
     ------
       1101
      1101
     0000
    1101
   --------
   10001111   = (143)_10

Time complexity: each row has n bits, there are n rows, so O(n^2) time

18

Al-Khwarizmi’s method

Write the two numbers next to each other. Divide the first number by 2 (rounding down) and multiply the second by 2. Keep going till the first number gets down to 1. Strike out all rows in which the first number is even. Add what remains in column 2.

11    13
 5    26
 2    52   (struck out: 2 is even)
 1   104
    ----
     143

Combination of binary and decimal!

19

Al-Khwarizmi’s method

Multiply(x, y)
Input: two n-bit numbers x, y
Output: their product

  If y = 0: return 0
  z = Multiply(x, ⌊y/2⌋)
  If y is even: return 2z
  Else: return x + 2z

Recursive algorithm

Running time: each recursive call halves y, so the number of bits reduces by 1: O(n) recursive calls. Each recursive call: division by 2 takes O(n) steps, the test for odd/even O(1), one addition O(n); O(n) per recursive call. Still O(n^2) time overall.

Can we multiply faster? A divide-and-conquer approach gives an o(n^2) time algorithm

20

Integer Division

Divide(x, y)
Input: n-bit integers x, y, with y ≥ 1
Output: quotient q and remainder r of x divided by y

  If x = 0: return (q, r) = (0, 0)
  (q, r) = Divide(⌊x/2⌋, y)
  q = 2q, r = 2r
  If x is odd: r = r + 1
  If r ≥ y: r = r - y, q = q + 1
  return (q, r)

Example: Divide(11, 3)
11 = 3·3 + 2, so q = 3, r = 2
Recursive call: Divide(5, 3) = (1, 2)
Doubling: q = 2, r = 4
11 is odd ⇒ r = 5
r = 5 ≥ 3 ⇒ r = 2, q = 3
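The recursive Multiply and Divide procedures of the last two slides, written out as an added example (not the slides' code) with the floor divisions made explicit and the preconditions checked.

```python
# Added example, not the slides' code: the recursive Multiply and Divide procedures
# from the slides in Python, with the floor divisions made explicit and the
# preconditions (y >= 1 for Divide, non-negative inputs) checked.

def multiply(x: int, y: int) -> int:
    """Al-Khwarizmi's method: halve y, double the partial product, add x when y is odd."""
    if x < 0 or y < 0:
        raise ValueError("non-negative inputs only")
    if y == 0:
        return 0
    z = multiply(x, y // 2)           # recursive call on floor(y/2)
    return 2 * z if y % 2 == 0 else x + 2 * z

def divide(x: int, y: int) -> tuple:
    """Return (q, r) with x = q*y + r and 0 <= r < y, for x >= 0 and y >= 1."""
    if x < 0 or y < 1:
        raise ValueError("require x >= 0 and y >= 1")
    if x == 0:
        return (0, 0)
    q, r = divide(x // 2, y)          # solve for floor(x/2) first
    q, r = 2 * q, 2 * r               # putting the dropped bit back doubles q and r ...
    if x % 2 == 1:
        r += 1                        # ... plus 1 when that bit was set
    if r >= y:                        # r < 2y here, so one correction suffices
        r, q = r - y, q + 1
    return (q, r)

if __name__ == "__main__":
    print(multiply(13, 11))           # 143
    print(divide(11, 3))              # (3, 2)
```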

21

Factorization

Factors and prime numbers

Simplest algorithms for finding factors

22

Prime Numbers

Definition: A number a is prime if the only factors it has are 1 and a
Examples: 6 is not a prime: it has factors 2 and 3
5 is a prime

Checking the primality of a number N
Naive method: test all numbers 2, …, N-1 for factors
Suffices to test only up to √N
Too slow to do if N has 500 bits: 2^25 tests to make!
Faster method based on Fermat's theorem

Pierre de Fermat, 1601–1665
• French lawyer, govt. official, did math in his spare time
• Fermat's last theorem took 357 years to be proved!

23

Modular Arithmetic

Seconds: counted modulo 60
Minutes: counted modulo 60
Hours: counted modulo 12
Days of the week: counted modulo 7

Keeps numbers from getting too big

Computer arithmetic: modulo 2^32

24

Modular Arithmetic

x ≡ y (mod N) means N divides (x - y)
Complexity of computing x (mod N)

Examples: 253 ≡ 13 (mod 60); 59 ≡ -1 (mod 60)

Equivalence classes: modular arithmetic deals with all integers but divides them into N equivalence classes of the form {i + kN : k is an integer}

Equivalence classes modulo 3:

…  -9  -6  -3  0  3  6   9  …
…  -8  -5  -2  1  4  7  10  …
…  -7  -4  -1  2  5  8  11  …

25

Modular Arithmetic

Substitution rule: If x ≡ y (mod N) and x' ≡ y' (mod N), then x + x' ≡ y + y' (mod N) and xx' ≡ yy' (mod N). Proof?

Example: 14 + 10 (mod 3) ≡ 2 + 1 (mod 3) ≡ 0 (mod 3); 14·10 (mod 3) ≡ 2·1 (mod 3) ≡ 2 (mod 3)

Associative rule: x + (y + z) ≡ (x + y) + z (mod N); x(yz) ≡ (xy)z (mod N)

Commutative rule: x + y ≡ y + x (mod N); xy ≡ yx (mod N)

Distributive rule: x(y + z) ≡ xy + xz (mod N)

Example: 2^345 ≡ (2^5)^69 ≡ 32^69 ≡ 1^69 ≡ 1 (mod 31)

26

Implementing modular addition and multiplication

Adding x and y mod N: compute x + y ∈ {0, …, 2(N-1)}; if the sum exceeds N-1, subtract N. Running time O(n), where n = log N

Multiplying x and y mod N: compute x·y ∈ {0, …, (N-1)^2}; the number of bits needed to store x·y is ≤ 2n; divide x·y by N to find the remainder. O(n^2) running time

27

Modular Division

Multiplicative inverse in real arithmetic: every number a ≠ 0 has an inverse 1/a. Example: the inverse of 5 is 1/5 = 0.2. Division by a number a ≠ 0 is equivalent to multiplying by 1/a. Example: 10/5 = 10·(1/5) = 10·0.2 = 2

Multiplicative inverse modulo N: x is the multiplicative inverse of a modulo N if ax ≡ 1 (mod N). Example: 2·3 ≡ 1 (mod 5), so 2^(-1) ≡ 3 (mod 5). Sometimes there may be no inverse: 2^(-1) (mod 6)? For any x, 2x (mod 6) is even, therefore there is no x such that 2x ≡ 1 (mod 6)

28

Modular Exponentiation

Common operation: compute x^y (mod N). Numbers can become huge: if x, y are 20-bit numbers, x^y can be 10 million bits long

Can be computed by repeated multiplications: x mod N, x^2 mod N, …, x^y mod N. Takes y multiplications. Suppose y is 500 bits long? 2^500 multiplications!

29

Repeated Squaring

Modexp(x, y, N)
Input: n-bit integers x and N, and integer exponent y
Output: x^y mod N

  If y = 0: return 1
  z = Modexp(x, ⌊y/2⌋, N)
  If y is even: return z^2 mod N
  Else: return x·z^2 mod N

Recursive rule:
x^y = (x^⌊y/2⌋)^2, if y is even
x^y = x·(x^⌊y/2⌋)^2, if y is odd

Running time: each recursive call halves the exponent, so O(n) multiplications and O(n^3) time overall
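Repeated squaring as on the slide, as an added example (not the slides' code); a counting variant makes the O(log y) multiplication count visible next to the naive y-multiplication loop.

```python
# Added example, not the slides' code: Modexp by repeated squaring, a variant that
# counts modular multiplications, and the naive repeated-multiplication loop it
# replaces, so the two costs can be compared on the slide's 2^345 mod 31.

def modexp(x: int, y: int, N: int) -> int:
    """x^y mod N: halve the exponent recursively, square the result on the way back."""
    if y < 0 or N < 1:
        raise ValueError("require y >= 0 and N >= 1")
    if y == 0:
        return 1 % N                   # 1 % N keeps N = 1 correct
    z = modexp(x, y // 2, N)
    z = (z * z) % N
    if y % 2 == 1:
        z = (x * z) % N                # odd exponent: one extra multiplication by x
    return z

def modexp_counting(x: int, y: int, N: int) -> tuple:
    """Same result as modexp, plus the number of modular multiplications performed."""
    if y == 0:
        return 1 % N, 0
    z, count = modexp_counting(x, y // 2, N)
    z, count = (z * z) % N, count + 1
    if y % 2 == 1:
        z, count = (x * z) % N, count + 1
    return z, count

def naive_modexp(x: int, y: int, N: int) -> int:
    """x mod N, x^2 mod N, ..., x^y mod N: y multiplications, hopeless for 500-bit y."""
    result = 1 % N
    for _ in range(y):
        result = (result * x) % N
    return result

if __name__ == "__main__":
    print(modexp(2, 345, 31))                 # 1, the slide's example
    print(modexp_counting(2, 345, 31))        # (1, 14): 9 squarings + 5 set bits
    print(naive_modexp(2, 345, 31))           # 1, after 345 multiplications
```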

30

Greatest Common Divisor

Given numbers a, b: gcd(a,b) = the largest number d that divides both a and b

Example: 1035 = 3^2·5·23, 759 = 3·11·23, so gcd(1035, 759) = 3·23 = 69

gcd can be computed by complete factorization, but no efficient algorithm is known for factorization

Euclid's algorithm: the first known algorithm in history (Euclid, c. 325–265 BC)

31

Useful properties for computing gcd

Symmetry: gcd(x,y) = gcd(y,x)

Euclid's rule: If x, y are positive integers with x ≥ y, then gcd(x,y) = gcd(x mod y, y)

Example: gcd(24, 15) = gcd(2^3·3, 3·5) = 3; gcd(24 mod 15, 15) = gcd(9, 15) = gcd(3^2, 3·5) = 3

32

Proof of Euclid’s Rule

Sufficient to show that gcd(x,y) = gcd(x-y, y): if x = qy + r, then gcd(x,y) = gcd(x-y, y) = gcd(x-2y, y) = … = gcd(x-qy, y)

Suppose d divides x and y. Then d divides x-y. Therefore gcd(x,y) ≤ gcd(x-y, y)

Suppose d divides x-y and y. Then d divides x and y. Therefore gcd(x-y, y) ≤ gcd(x,y)

Therefore gcd(x,y) = gcd(x-y, y)

Property used: if d divides x and y, then d divides ax + by

33

Euclid’s Algorithm

Euclid(a, b)
Input: integers a, b with a ≥ b
Output: gcd(a,b)

  If b = 0: return a
  return Euclid(b, a mod b)

Running time: need to know how fast the arguments are reducing

34

Analysis of Euclid’s Algorithm

Lemma: If a ≥ b, then a mod b < a/2
Proof:
Case I: b ≤ a/2. Then a mod b < b ≤ a/2
Case II: b > a/2. Then a mod b = a - b < a/2

(Figures: number lines marking a, a/2, b and a mod b for each case)

Running time: in two rounds, both arguments are halved, so the number of bits reduces by 1 for both arguments. Base case reached in ≤ 2n recursive calls. Each recursive call: O(n^2) time division. O(n^3) time overall

35

Another Useful Property

Lemma: If d divides a and b, and d = ax + by for some integers x and y, then necessarily d = gcd(a,b)
Proof: Since d divides a and b, d ≤ gcd(a,b). Since gcd(a,b) divides a and b, gcd(a,b) divides ax + by = d, so gcd(a,b) ≤ d. Therefore gcd(a,b) = d

Example: 24·2 + 15·(-3) = 3, and 3 divides 24 and 15, so gcd(24, 15) = 3

When can gcd(a,b) be expressed as ax + by? Always!!

36

Extended Euclid’s Algorithm

Extended-euclid(a, b)
Input: positive integers a, b with a ≥ b ≥ 0
Output: integers x, y, d such that d = gcd(a,b) and ax + by = d

  If b = 0: return (1, 0, a)
  (x', y', d) = Extended-euclid(b, a mod b)
  return (y', x' - ⌊a/b⌋·y', d)

Example: a = 25, b = 11
25 = 2·11 + 3    gcd(25, 11) = gcd(11, 3)
11 = 3·3 + 2                 = gcd(3, 2)
 3 = 1·2 + 1                 = gcd(2, 1)
 2 = 2·1 + 0                 = gcd(1, 0) = 1

37

Example (contd.)

25 = 2·11 + 3, 11 = 3·3 + 2, 3 = 1·2 + 1, 2 = 2·1 + 0

Extended-euclid(1, 0) gives: (1, 0, 1)
Extended-euclid(2, 1) gives: (0, 1 - 2·0, 1) = (0, 1, 1)
Extended-euclid(3, 2) gives: (1, 0 - 1·1, 1) = (1, -1, 1)
Extended-euclid(11, 3) gives: (-1, 1 - 3·(-1), 1) = (-1, 4, 1)
Extended-euclid(25, 11) gives: (4, -1 - 2·4, 1) = (4, -9, 1)

25·4 + 11·(-9) = 1

38

Proof of Extended Euclid’s algorithm

Lemma: For any positive integers a and b, Extended-euclid(a,b) returns integers x, y and d such that gcd(a,b) = d = ax + by
Proof: The computation of gcd is unchanged, so d = gcd(a,b)

Proof by induction on b:

Base case: b = 0. Then gcd(a, 0) = a = a·1 + b·0
Induction: consider Extended-euclid(a,b). Since a mod b < b, by induction we have integers x', y' such that
gcd(b, a mod b) = bx' + (a mod b)y'
= bx' + (a - ⌊a/b⌋b)y'
= ay' + b(x' - ⌊a/b⌋y')

Therefore gcd(a,b) = gcd(b, a mod b) = ax + by, where x = y' and y = x' - ⌊a/b⌋y'

39

Modular Division

Recall: x is the multiplicative inverse of a modulo N if ax ≡ 1 (mod N). Sometimes there is no inverse, e.g. 2^(-1) (mod 6)

Modular division theorem: For any a mod N, a has a multiplicative inverse modulo N if and only if gcd(a,N) = 1. When this inverse exists, it can be computed in O(n^3) time by the Extended-euclid algorithm.
Proof:
Suppose gcd(a,N) = 1. The Extended-euclid algorithm gives us integers x, y s.t. ax + Ny = 1. Therefore ax ≡ 1 (mod N)

Suppose there is an x s.t. ax ≡ 1 (mod N), and let gcd(a,N) = d. Then ax = Nq + 1 for some integer q. d divides ax and Nq, therefore d divides 1, i.e., d = 1
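Extended-euclid as on the slides and the modular inverse the theorem promises, as an added example (not the slides' code); the inverse routine refuses the gcd(a,N) ≠ 1 case rather than returning a wrong value.

```python
# Added example, not the slides' code: Extended-euclid exactly as on the slides (with
# the floor division written out) and a modular-inverse routine on top of it that
# raises when gcd(a, N) != 1, the case the theorem says has no inverse.

def extended_euclid(a: int, b: int) -> tuple:
    """Return (x, y, d) with d = gcd(a, b) and a*x + b*y = d, for a >= b >= 0."""
    if a < b or b < 0:
        raise ValueError("require a >= b >= 0")
    if b == 0:
        return (1, 0, a)
    x1, y1, d = extended_euclid(b, a % b)
    return (y1, x1 - (a // b) * y1, d)     # (y', x' - floor(a/b)*y', d)

def mod_inverse(a: int, N: int) -> int:
    """The x in [0, N) with a*x = 1 (mod N); ValueError when gcd(a, N) != 1."""
    if N < 2:
        raise ValueError("modulus must be at least 2")
    a = a % N
    # extended_euclid(N, a) yields N*x + a*y = d, so y is the coefficient we want
    _, y, d = extended_euclid(N, a)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {N}: gcd is {d}")
    return y % N

if __name__ == "__main__":
    print(extended_euclid(25, 11))   # (4, -9, 1): 25*4 + 11*(-9) = 1
    print(mod_inverse(2, 5))         # 3
    print(mod_inverse(3, 40))        # 27, the secret key of the RSA example later on
    try:
        mod_inverse(2, 6)
    except ValueError as err:
        print(err)                   # 2 has no inverse modulo 6: gcd is 2
```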

40

Prime Numbers (recap of the earlier slide)

41

Fermat’s Little Theorem

Theorem (year 1640): If p is a prime, then for every 1 ≤ a < p, a^(p-1) ≡ 1 (mod p).

Example p = 5:
2^4 = 16 ≡ 1 (mod 5)
3^4 = 9^2 ≡ 4^2 = 16 ≡ 1 (mod 5)
4^4 = 16^2 ≡ 1^2 = 1 (mod 5)

p = 7, a = 3: 3^6 ≡ (3^2)^3 ≡ 2^3 ≡ 1 (mod 7)

42

Effect of multiplying by a

p = 7, S = {1, 2, 3, 4, 5, 6}. Multiplying by a = 3 has the effect of permuting the elements of S:

1 → 3, 2 → 6, 3 → 2, 4 → 5, 5 → 1, 6 → 4 (each i goes to 3·i mod 7)

S = {1, 2, 3, 4, 5, 6} = {3·1 mod 7, 3·2 mod 7, 3·3 mod 7, 3·4 mod 7, 3·5 mod 7, 3·6 mod 7}

Multiplying the elements of both sets gives 6! ≡ 3^6 · 6! (mod 7). Dividing by 6! (why can we do this?): 3^6 ≡ 1 (mod 7)

Can we do this for any p?

43

Proof of Fermat’s Little Theorem

S = {1, 2, …, p-1}
Claim: The numbers a·i mod p are distinct for i ∈ S
Proof: Suppose a·i ≡ a·j (mod p). Dividing by a, we have i ≡ j (mod p)

Therefore S = {a·1 mod p, a·2 mod p, …, a·(p-1) mod p}
Multiplying the elements of both sets: (p-1)! ≡ a^(p-1) · (p-1)! (mod p)
Dividing by (p-1)!, we get a^(p-1) ≡ 1 (mod p)

44

A “factorless” test for Primality

Pick some a. Is a^(N-1) ≡ 1 (mod N)?
Pass → "prime"
Fail → "composite"

Problem: Fermat's test is not an if-and-only-if test. It does not say what happens if N is not a prime. Example: N = 341 = 11·31 is not a prime, but 2^340 ≡ 1 (mod 341), so the base a = 2 fails to witness that 341 is composite. If N is composite, are there a lot of witnesses? True for almost all composite numbers

45

Example

N = 9:
2^8 ≡ 4 (mod 9)
3^8 ≡ 0 (mod 9)
4^8 ≡ 7 (mod 9)
5^8 ≡ 7 (mod 9)
6^8 ≡ 0 (mod 9)
7^8 ≡ 4 (mod 9)
8^8 ≡ 1 (mod 9)

The algorithm makes a mistake only if it chooses a = 8

Let A = {a : a^(N-1) ≡ 1 (mod N)}. If we pick a not in A, a^(N-1) ≢ 1 (mod N): such a number is a "witness" for the non-primality of N. How many witnesses can there be for a composite number?

46

Carmichael Numbers

Definition: N is a Carmichael number if for every number a < N, we have a^(N-1) ≡ 1 (mod N)

Smallest Carmichael number: 561 = 3·11·17. Such numbers are exceedingly rare…

For almost all composite numbers, there are enough witnesses

47

Using Fermat’s Little Theorem

Lemma: If a^(N-1) ≢ 1 (mod N) for some a relatively prime to N, then it must hold for at least half the choices of a < N
Proof: Fix some value of a such that a^(N-1) ≢ 1 (mod N). Suppose b < N satisfies the test, i.e., b^(N-1) ≡ 1 (mod N). Then (a·b)^(N-1) ≡ a^(N-1)·b^(N-1) ≡ a^(N-1) ≢ 1 (mod N)

Let S be the set of all b < N that pass the test. Then all the numbers a·b, where b ∈ S, fail the test. These numbers are distinct (why?).

Therefore, ignoring Carmichael numbers, we can assert the following:

If N is prime, then a^(N-1) ≡ 1 (mod N) for all a < N
If N is not prime, then a^(N-1) ≡ 1 (mod N) for at most half the values of a < N

48

Test for Primality

Primality(N)
Input: positive integer N
Output: yes/no

  Pick a positive integer a < N uniformly at random
  If a^(N-1) ≡ 1 (mod N): return yes
  Else: return no

Running time: O(n^3)

Let A = {a : a^(N-1) ≡ 1 (mod N)}

Property:
Pr[Primality(N) returns yes when N is prime] = 1
Pr[Primality(N) returns yes when N is not prime] = |A|/(N-1) ≤ 1/2 (error probability)

49

Reducing the error probability

Primality2(N)
Input: positive integer N
Output: yes/no

  Pick positive integers a_1, a_2, …, a_k < N at random
  If a_i^(N-1) ≡ 1 (mod N) for all i = 1, …, k: return yes
  Else: return no

Running time: O(k·n^3)

Pr[Primality2(N) returns yes when N is not prime] ≤ 1/2^k

For k = 10, error probability ≤ 0.001
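Primality2 together with helpers that enumerate the non-witness set A, as an added example (not the slides' code), so the N = 9, N = 341 and Carmichael N = 561 cases from the preceding slides can be checked; the optional random.Random argument is an assumption for reproducible runs.

```python
# Added example, not the slides' code: the Fermat test as on the slides, plus helpers
# that enumerate the set A of non-witnesses so the N = 9, N = 341 and N = 561 cases
# can be examined. primality2 takes an optional random.Random for reproducible runs.
import random

def passes_fermat(N: int, a: int) -> bool:
    """One trial: does a^(N-1) = 1 (mod N)? True means N looks prime from base a."""
    return pow(a, N - 1, N) == 1

def primality2(N: int, k: int = 10, rng=random) -> bool:
    """k random bases; one failing base proves N composite, k passes say 'probably prime'."""
    if N < 4:
        return N in (2, 3)
    for _ in range(k):
        a = rng.randint(1, N - 1)
        if not passes_fermat(N, a):
            return False              # a is a witness: N is certainly composite
    return True                       # error <= 1/2^k, except for Carmichael numbers

def non_witnesses(N: int) -> list:
    """A = { a in [1, N-1] : a^(N-1) = 1 (mod N) }; brute force, so small N only."""
    return [a for a in range(1, N) if passes_fermat(N, a)]

def passing_fraction(N: int) -> float:
    """|A| / (N-1): the probability that one random trial wrongly answers 'prime'."""
    return len(non_witnesses(N)) / (N - 1)

if __name__ == "__main__":
    print(non_witnesses(9))                              # [1, 8]: the slide's a = 8, plus the trivial a = 1
    print(passes_fermat(341, 2), passes_fermat(341, 3))  # True False: base 3 exposes 341
    print(passing_fraction(561))                         # about 0.571: Carmichael, so more than half pass
    print(primality2(561, 20, random.Random(7)))         # False only if a base sharing a factor is drawn
```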

50

RSA Protocol

Bob chooses his public and secret keys: pick two large n-bit random primes p and q. His public key is (N, e), where N = pq and e is any 2n-bit number relatively prime to (p-1)(q-1). His secret key is d = e^(-1) (mod (p-1)(q-1)), computed using the Extended-euclid algorithm

Alice wishes to send message x to Bob: she looks up his public key (N, e) and sends him y = x^e mod N, computed using algorithm Modexp

Bob decodes message y: he computes x = y^d mod N

51

Example: RSA protocol

Let p = 5, q = 11. Then N = 5·11 = 55
Let e = 3: gcd(e, (p-1)(q-1)) = gcd(3, 40) = 1. Then d = e^(-1) (mod 40) = 27 (mod 40)

Encryption of message x: y = x^3 (mod 55)
e.g. x = 13. Then y = 13^3 (mod 55) ≡ 169·13 (mod 55) ≡ 4·13 (mod 55) ≡ 52 (mod 55)

Decryption of y: x = y^27 (mod 55)
For y = 52, x = 52^27 mod 55 ≡ (-3)^27 mod 55 ≡ 13 mod 55

52

Analyzing RSA

Property: Let p and q be two primes and N = pq. For any e relatively prime to (p-1)(q-1):
1. The mapping x → x^e mod N is a bijection on {0, …, N-1}
2. The inverse mapping is simple: let d = e^(-1) mod (p-1)(q-1). Then for all x ∈ {0, …, N-1}: (x^e)^d ≡ x (mod N)

Property 1 ⇒ every message is encoded in a unique manner, so no information is lost

Property 2 ⇒ decoding is possible

53

Proof

Property 2 ⇒ the map in Prop. 1 is invertible ⇒ it is a bijection. Suffices to prove property 2

ed ≡ 1 mod (p-1)(q-1) ⇒ ed = 1 + k(p-1)(q-1) for some integer k
Then x^(ed) - x = x^(1+k(p-1)(q-1)) - x
The statement is true if x ≡ 0 (mod p) and x ≡ 0 (mod q)

Suppose x ≢ 0 (mod p) and x ≢ 0 (mod q). Then x^(p-1) ≡ 1 (mod p) and x^(q-1) ≡ 1 (mod q), so x^(1+k(p-1)(q-1)) - x ≡ 0 (mod p) and x^(1+k(p-1)(q-1)) - x ≡ 0 (mod q). Therefore pq = N divides x^(ed) - x

Suppose x ≡ 0 (mod p). Then x ≢ 0 (mod q), so x^(1+k(p-1)(q-1)) - x ≡ 0 (mod q) as before, and x^(1+k(p-1)(q-1)) - x ≡ 0 (mod p) since p divides x. Therefore N = pq divides x^(ed) - x

54

Security of RSA protocol

Given y = x^e mod N and (N, e), how can x be retrieved?

Blind guess? Too many choices
Factor N to compute p, q and then find d = e^(-1) mod (p-1)(q-1): factorization is believed to be hard
Small errors in the estimate of d lead to significant errors in the recovered message

p = 5, q = 11, N = 55, e = 3. Then d = e^(-1) (mod 40) = 27 (mod 40). Let x = 13. Then y = x^3 (mod 55) ≡ 52 (mod 55), and y^27 mod 55 ≡ 13

Suppose d' = 25 (a slightly incorrect estimate of the secret key): y^25 mod 55 ≡ (-3)^25 ≡ (-3)^(6·4+1) ≡ 14^4·(-3) ≡ 32
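The toy RSA run of the preceding slides (p = 5, q = 11, e = 3, x = 13), including the d' = 25 mis-decryption and a brute-force check of the bijection property, as an added example (not the slides' code); it uses Python's built-in pow for Modexp and for the inverse, which requires Python 3.8+.

```python
# Added example, not the slides' code: the RSA protocol on the slides' toy parameters
# p = 5, q = 11, e = 3, using Python's built-in pow for Modexp and for the modular
# inverse (pow(e, -1, m) needs Python 3.8+). It also reproduces the d' = 25 mis-decryption.

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Public key (N, e) and secret d = e^(-1) mod (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # ValueError when gcd(e, phi) != 1: no such d
    return (N, e), d

def rsa_encrypt(x: int, public: tuple) -> int:
    """y = x^e mod N; the message must be a residue in {0, ..., N-1}."""
    N, e = public
    if not 0 <= x < N:
        raise ValueError("message must lie in {0, ..., N-1}")
    return pow(x, e, N)

def rsa_decrypt(y: int, d: int, N: int) -> int:
    """x = y^d mod N; with a wrong d this silently returns garbage, not an error."""
    return pow(y, d, N)

def is_bijection(public: tuple) -> bool:
    """Property 1: x -> x^e mod N hits every residue exactly once (brute force, toy N only)."""
    N, _ = public
    return sorted(rsa_encrypt(x, public) for x in range(N)) == list(range(N))

if __name__ == "__main__":
    public, d = rsa_keygen(5, 11, 3)
    y = rsa_encrypt(13, public)
    print(public, d, y)               # (55, 3) 27 52
    print(rsa_decrypt(y, d, 55))      # 13
    print(rsa_decrypt(y, 25, 55))     # 32: the slightly wrong key d' = 25 does not give 13
    print(is_bijection(public))       # True
```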

55

Authentication

Anyone can pretend to be Alice and send a message to Bob Using RSA to authenticate the message: digital signatures
