Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi 1.

The RSA Algorithm and Reed-Solomon Codes

Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

1

2

Introduction

Two Information Coding Schemes

RSA Algorithm Privacy Authenticity

Reed-Solomon Codes (Bursty) Noise Tolerance

3

Welcome to the Matrix

4

Privacy

5

Authenticity

Trinity?

Yes, it’s me.

6

Shared Key Cryptography

Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc…)

Requires prior agreement on a shared key over a secure channel

What if Neo and Trinity have yetto meet?

7

Public Key Cryptography

Mathematically-related public/private key pairs are generated

Messages encrypted with public keyCan only be decrypted with private

key

Infeasible to compute private key from public key alone

No need to agree on a shared key!

8

RSA Algorithm

Rivest, Shamir and Adleman (1977)Based on difficulty of computing prime factors of large integers

9

RSA Algorithm

1. Pick two distinct primes p and q

2. Compute n = pq and ɸ(n) = (p – 1)(q – 1)

3. Pick e where 1 < e < ɸ(n) and

gcd(e, ɸ(n)) = 1

4. Compute d where

de ≡ 1 (mod ɸ(n))

5. Public key is (n, e), private key is (n, d)

6. Encrypt with C ≡ M

e (mod n)

7. Decrypt with M ≡ C

d (mod n)

Setup

Usage

10

RSA Algorithm




gcd(e, ɸ(n)) = 1

4. Compute d where




e (mod n)


d (mod n)

11

Modular Multiplicative Inverse Let e, d, n be integers with n ≠ 0

Fact:

If gcd(e, n) = 1 (i.e. e and n are coprime)

then there exists d such that de ≡ 1 (mod n)

In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1

12

RSA Algorithm




gcd(e, ɸ(n)) = 1

4. Compute d where




e (mod n)


d (mod n)

13

RSA Algorithm




gcd(e, ɸ(n)) = 1

4. Compute d where




e (mod n)


d (mod n)

14Euler’s Totient Function

ɸ(n)

Definition:no. of integers 1 ≤ a ≤ n with gcd(a,

n) = 1Formula:

For n = pq where p and q are primes

15

Modular Exponentiation

Let x, y, m, n be integers with n ≥ 0

Fact:

If x ≡ y (mod ɸ(n)) ,

then mx ≡ m

y (mod n)

In other words, working in mod n requires that we work mod ɸ(n) in the exponent

16

RSA Algorithm




gcd(e, ɸ(n)) = 1

4. Compute d where




e (mod n)


d (mod n)

17

RSA Algorithm




gcd(e, ɸ(n)) = 1

4. Compute d where




e (mod n)


d (mod n)

(M

e)

d ≡ M (mod n)

and

(M

d)

e ≡ M (mod n)

18

Example: M = 1234

1. Pick p = 37 and q = 43

2. Compute n = 1591 and ɸ(n) = 1512

3. Pick e = 71

gcd(e, ɸ(n)) = gcd(71, 1512) = 1

4. Compute d = 575 (Extended Euclidean Algorithm)

de = 40825 ≡ 1 (mod 1512)


6. Encrypt: C ≡ M

e ≡ 1234

71 ≡ 908 (mod 1591)

7. Decrypt: M ≡ C

d ≡ 908 575 ≡ 1234 (mod 1591)

19

RSA Algorithm for Signatures




gcd(e, ɸ(n)) = 1

4. Compute d where



6. Sign M with S ≡ M

d (mod n); Send (M, S)

7. Verify that M ≡ S

e (mod n)

Reversed!Sign with private

keyVerify with public

key

20

Implementing…

1. Modular exponentiation▪ Successive-Squaring

2. Computing d from e and ɸ(n) ▪ Extended Euclidean Algorithm

3. Finding large primes

21

Modular Exponentiation Algo. Successive-Squaring to Compute C ≡ M

e (mod n)

Let e = ek ek–1 … e0 (binary representation of e)

C := 1

For i := k, k – 1, …, 0

C := (C * C) mod n

If ei = 1 Then C := (C * M) mod n

End For

Performance: O(log e) Memory: O(1)

22

Computing d from e and ɸ(n)

Extended Euclidean Algorithm:

Since e and ɸ(n) are coprime,

solving

yields d = y satisfying

Find max. qi satisfying and xi and yi

satisfying

When rk = 0, stop and output gcd(a, b) = rk-1 andx = xk-1 and y = yk-1

Similar to Euclidean Algorithm for gcd(a, b), but retain quotients qi at each step i to compute xi and yi

Generating Large Primes

Generate a large random integer Apply primal test repeatedly

Primality Tests: Miller-Rabin Solovay-Strassen Fermat Primality Test

Euler Witness, Euler Liar

23

Algorithm

1: Pick a large random integer 2: If for any small prime (Sieving) 3: go back to step 1

4: repeat times (Miller-Rabin)5: pick random integer 6: do a primality test on (, )7: if test fails8: go back to step 19: is probably prime

24

Sieving

Sieve of Eratosthenes

1: Pick a large random integer 2: If for any small prime 3: go back to step 1

25

http://www.cut-the-knot.org/Curriculum/Arithmetic/Eratosthenes.shtml

Miller-Rabin Primality Test

4: repeat times5: pick random integer 6: do a primality test on (, )7: if test fails8: go back to step 19: is probably prime

26


divides or or

By Euclid’s Lemma

27

Fermat’s Little TheoremIf is prime and for any integer

such that doesn’t divide

28


: prime candidate: random integer

is odd

29


or

30

Psuedocode

31

Example

prime candidate

random integer

32

Example

Either is a prime or is an Euler liar Now, we try another a

33

Example

prime candidate

random integer

34

Example

is a composite is an Euler liar is an Euler witness

35

Deterministic Miller-RabinTrying all possible witnesses below a

limit

Not used in practice

if p < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.

36

Complexity and Error

Complexity of Sieve of Eratosthenes: log(S)

Complexity of Miller-Rabin: : number of tests

Complexity of Deterministic Miller-

Rabin

37

Reed-Solomon Codes

38

39

Agent Smith is Frustrated

???

40

Disrupts Channel

41

Noisy Channel

Noise is Natural

Studied models in general Binary Symmetric Channel Binary Erasure Channel Noisy Typewriter Channel Continuous Output Channel …

42

Error Correction (Toy Example)

𝐸 : {0,1 }𝑘→ {0,1 }𝑛 ,𝑛≥𝑘

43

Error Correction

A

Code

MC

00000

01001

10010

11011

100

101

110

111

[𝑛 ,𝑘 ,𝑑 ]=[3,2 , ? ]

44

Code Distance (Toy Example)

𝑑(𝑅𝑒𝑑 ,𝐵𝑙𝑢𝑒)

𝑑/2

𝑑/2

45

Hamming Distance d

Distance between ∆

For example,

1010010001 ∆

Code Distance

46

Linear Codes

MC

00000

01001

10010

11011

100

101

110

111

No Structure??Have to store the whole mapping in a codebook

Linear Code: If is a field and , is a subspace of then is said to be a linear code

47

Linear Codes

As is a subspace, there exists a basis where is the dimension of the subspace

Any code word can be expressed as a linear combination of these basis vectors.

Linear Code: If is a field and , is a subspace of then is said to be a linear code

1 0 0 00 1 0 00 0 1 00 0 0 10 1 1 11 0 1 1

1 1 01¿ ¿ ¿

G =

1 ¿0 ¿01

¿

n x k, where n =7, k=4

for example,

Hamming Code is Linear[𝑛 ,𝑘 ,𝑑 ]=[7,4,3 ]

1 ¿0 ¿01100

¿=

48

Singleton Bound

a code over alphabet of length and min distance

How many code words possible?

Singleton Bound

Reed Solomon Code

Applications: CDs, Space Communication, …

Robust against Burst errors

49

From left: Gustave Solomon & Irving S. Reed

[1960] Reed Solomon Code

50

Reed Solomon Code (Original View)Given Create a polynomial p

p has degree at most A non zero polynomial of degree

with coefficients from field has at most roots in .

51

Reed Solomon Sketch (Original View)

points are sufficient for describing the polynomial.

Instead, we evaluate the polynomial at points and send them.

52

Reed Solomon Sketch

Decoding: look at all possible subset from the

set of n symbols received Interpolate a message polynomial for

each subset Most popular message is the correct

result But, impractical

For, [255,249,6], = 359 billion

53

RS Sketch

54

Reed Solomon Code

55

Finite Fields

56

Field

A set of elements with two operations “Addition” and “Multiplication” defined on these elements.

Closed under these two operations Basically all arithmetic operations

are allowed

Examples: Set of Real numbers, Set of Rational numbers…

57

Finite Field

A field with finite number of elements.

Example: {0,1} with modulo operationsIn general {0,1,2….p-1} is a field with p elements with modulo operations. (p is prime)

How to construct fields with 8 elements?

In general how to construct pr elements??

58

Galois Field GF(2m)

A field with 2m elements can be constructed by extending the field GF(2) which is {0,1}.

Let α denotes an additional element in GF(2m).

Now GF(2m) ={ 0,1, α ,α2,….. α2m

-1, α2m,

…}

To make the number of elements 2m, we restrict

α2m

-1 = 1 = α0

59

GF(2m)={0, α0, α,…… α2m-2 }

Any non-zero element in GF(2m) can be written as a polynomial of degree at most m-1.

Coefficients are from GF(2) Also they can be mapped to binary values.

60

Primitive Polynomial

An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides xn+1 is n=2m-1.

Example: 1 + x + x4 because it divides xn+1 for n=15 and not for other values less than 15.

Used for construction GF(2m) RS codes use GF(2m).

61

The Field GF(23) Let f(x) = 1 + x + x3 be a primitive

polynomial. Let α an element of the extension field

be defined as the root of the polynomial f(x).

1 + α + α3 =0 α3 = 1 + αÞ α4 = α + α2

Þ α5 = 1 + α + α2

Þ α6 = 1+ α2

Þ α7 = 1

62

63

Reed Solomon Code: RS[n,k,d]• Given n = 2m -1, k =2m-1-2t, RS code can

be constructed as ( t is number of errors it can correct)– Construct a finite field GF(2m) with 2m

elements using irreducible polynomial– Choose α1, …αn from the Field GF(2m)

Given in GF(2m)Create a polynomial

p– The codeword is

64

Properties of RS(n,k,d)

Linear Code Cyclic d = n-k+1 (Maximum Distance

Separable) Can correct up to n-k erasures Can correct up to (n-k)/2 symbol

errors

65

Systematic Encoding

This form of encoding is not in Systematic form

Systematic form : Parity symbols message symbols

010 110 111 100 001 011 101 010 110 111

Message polynomial α + α3x + α5x2

Code Polynomial α0 + α2x + α4x2+ α6x3+ αx4+ α3x5+ α5x6

A generator polynomial g(x) is defined as g(x) = (x-α) (x-α2) …………… (x-α2t)

66

Encoding in Systematic Form

Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x2t.

Define p(x) = x2t m(x) (mod g(x))

The final codeword polynomial u(x) is

u(x) = p(x) + x2t m(x)

67

Example RS[7,3,5]

Message polynomial α + α3x + α5x2

Yielding αx4 + α3x5 + α5x6 after multiplication with x2t i.e. x4

Take g(x) = (x- α)(x- α2)(x- α3)(x- α4) = x4 – α3x3+ α0x2 – αx + α3

= α3 + αx + α0x2 + α3x3+x4

Next divide α x4 + α3x5 + α5x6 by g(x) to find the remainder p(x) = α0 + α2x4+ α4x2+ α6x3.Now u(x)=α0 + α2x + α4x2+ α6x3+ αx4+ α3x5+ α5x6

68

Syndrome Computation

The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.

The syndromes are basically evaluations of the received polynomial r(x) at α, α2, α3,… α2t.

Si = r(αi) , i=1,2,….2t If r(x) is a valid codeword then we get all the Si

evaluate to zero. Any non-zero Si indicates the presence of

errors.

69

Error Polynomial

The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2m).

Hence r(x) = u(x) + e(x).

The problem finding e(x) from r(x) (or the syndromes) is decoding.

70

Properties of RS codes

Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).

If at most ‘t’ of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.

Polynomial multiplication/division using FFT takes O(klogk) where k is the max of degrees of the polynomial.

71

Structure of Syndrome

Error polynomial e(x) = e0 + e1x +….enxn

Suppose the received polynomial r(x) has ν errors in it at the locations i1,i2,…iν. The magnitude of error at these locations are eij.

Then syndromes can be written in the form

Sj = e1jxl

j + e2jxlj + ….+eνjxl

j

j=1,2,…2t

where Xl= αil

Decoders for Reed Solomon Codes

72

Outline

1. Calculate Syndromes

2. Find the error locator polynomial Peterson-Gorenstein-Zierler Decoder

3. Find error locations Chien Search

4. Find error values Forney’s Algorithm

73

Generating Syndrome Polynomials

74

Sj =P

k YkX jk where Yk = ei k ;X k = ®i kSj =

Pk YkX j

k where Yk = ei k ;X k = ®i kSj =P

k YkX jk where Yk = ei k ;X k = ®i k

Sj =X

k

YkX jk where Yk = ei k ;X k = ®i k

Non-LinearSystem!!

Finding Sj for j = 1 to 2t

Error Locator Polynomial

a = 3

75

Intuition: The roots of this polynomial are inverses of the error locations

Help to find the locations where an error has occurred

Expanding Λ(x):

Using Error Locator Polynomial

76

For x = Xl-1 and for any

1 ≤ l ≤ ν

Multiplying throughout by Yl Xl

(j+ν)


77

Sum over l = 1 to t


78

Repeating for j = 1 to

Equation (1) – (4) now form a system of Linear Equations

Peterson-Gorenstein-Zierler Decoder (1960)

79

Solved for Λis by finding the largest value of ν for which Mν is non-singular starting from ν = t

Overall this algorithms runs in polynomial time ν ≤ t; 2t = n – k = O(n) (could also be O(1) for large n & k) Use polynomial-time algorithms for matrix determinants and

inversion

Outline





82

Chien Search

Find roots of Error Locator Polynomial, Λ(x), by exhaustive search

Evaluate Λ(αi) for i = 1, 2, …, 2t

Find all i where Λ(αi) = 0 αi is a root of Λ(x)

Error locations will also be of the form: αj

Here, αj = α-1 and j = 2t – i.

If number of errors found is ≥ t, abort process

83

Lambda

Outline





86

Finding error values87

Convert to matrix formVandermondeMatrix

Forney’s Algorithm88

Defining the Syndrome polynomial:

Defining the Error Evaluator polynomial:

Error value Yi for all i ϵ{1, 2, …, }:

where, b is the degree of the smallest root of the generating function of the code &

Outline





90

Dial ‘D’ for you message

r(x) = u(x) + e(x)

Decoding techniques help determine e(x) completely

Hence, u(x) = r(x) – e(x) = Message sent is recovered

91

We are done!!

Extras

Other more efficient (implementation wise) algorithms for decoding: Berlekamp-Massey Decoder (LFSR and

iterative correction) Euclidean Algorithm (Values and locations

simultaneously determined using iterative GCD of polynomials)

Decoders implemented as dedicated chips by manufacturers (Hardware and Software)

92

ReferencesRSA:1. Evgeny Milanov, RSA algorithm, http://www.math.washington.edu/~

morrow/336_09/papers/Yevgeny.pdf2. Kenneth Rose, Elementary Number Theory and its applications, 5th Ed., Pearson

International3. Trappe & Washington, Introduction to Cryptography with Coding Theory, 2nd Ed.,

Pearson International

Reed-Solomon Codes:4. Bernard Sklar, Reed Solomon error correction, http://

ptgmedia.pearsoncmg.com/images/art_sklar7_reed-solomon/elementLinks/art_sklar7_reed-solomon.pdf

5. V. Guruswami, Introduction to Coding Theory, CMU, http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/

6. John Gill, EE 387 Note #7, Stanford University, http://www.stanford.edu/class/ee387/handouts/notes7.pdf

7. Wikipedia

93

http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf



http://ptgmedia.pearsoncmg.com/images/art_sklar7_reed-solomon/elementLinks/art_sklar7_reed-solomon.pdf




http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/

http://www.stanford.edu/class/ee387/handouts/notes7.pdf



Thanks for your

attention!!

94

Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi 1.

Documents