Mathematical Foundations of Public-Key Cryptography
Adam C. Champion and Dong Xuan
CSE 4471: Information Security
Material based on (Stallings, 2006) and (Paar and Pelzl, 2010)
Outline
• Review: Basic Mathematical Foundations
• Group Theory
• Number Theory
• Case Study: RSA Cryptosystem
Review: Sets
• A set S is an unordered collection of “similar” mathematical objects
– Duplicate objects are not double counted
– Suppose S1 = {1, 2, 3, 4} and S2 = {1, 2, 3, 4, 2}. Both sets have four elements
• Operations:
– Intersection: S1 ∩ S2 = {s : s ∈ S1 ∧ s ∈ S2}
– Union: S1 ∪ S2 = {s : s ∈ S1 ∨ s ∈ S2}
– Cardinality: |S| = number of elements in S
• Well-known sets:
– N = {1, 2, . . .}
– Z = {0, ±1, ±2, . . .}
– Q = {p/q : p, q ∈ Z ∧ q ≠ 0}
– R = {real numbers}
– C = {complex numbers}
Review: Relations
• A relation R on sets S1, . . . , SN is a subset of their Cartesian product: R ⊆ S1 × · · · × SN
• R’s arity equals N (N = 2: binary; in general, N-ary)
• Properties of a relation R on a single set S:
– Reflexive: if for all s ∈ S, s R s
– Symmetric: if s1 R s2 =⇒ s2 R s1 for all s1, s2 ∈ S
– Transitive: if s1 R s2 ∧ s2 R s3 =⇒ s1 R s3 for all s1, s2, s3 ∈ S
– Equivalence relation: a relation R that is reflexive, symmetric, and transitive
Review: Integer Division
• For a positive integer divisor d, we can write any integer n uniquely as n = d · q + r, where q ∈ Z and r ∈ {0, . . . , d − 1}. As n − r = d · q, n ≡ r (mod d).
• Division by d actually partitions Z into d equivalence classes w.r.t. congruence modulo d:
– Example 1: Odd and even integers. d = 2. Every odd integer n can be written as 2 · q + 1 for some integer q. Every even integer m can be written as 2 · q′ for some integer q′. The equivalence classes are {. . . , −3, −1, 1, 3, . . .} and {. . . , −4, −2, 0, 2, 4, . . .}.
– Example 2: d = 5. Notice 8 − 3 = 5 · 1 and 23 − 3 = 5 · 4, so 8 ≡ 3 and 23 ≡ 3, hence 23 ≡ 8 (mod 5). The representative of a class is not unique (8 and 23 name the same class); the remainder r = 3 is its canonical representative. What are the equivalence classes?
• See (Knuth, 1997; Paar and Pelzl, 2010) for more details.
Groups I
• A group comprises a set G and an operator ◦, which maps each pair (a, b) (where a, b ∈ G) to (a ◦ b) ∈ G subject to the following axioms (Stallings, 2006):
(A1) Closure: a, b ∈ G =⇒ a ◦ b ∈ G;
(A2) Associativity: a ◦ (b ◦ c) = (a ◦ b) ◦ c for all a, b, c ∈ G;
(A3) Identity element: There is an element ε ∈ G such that a ◦ ε = ε ◦ a = a for all a ∈ G;
(A4) Inverse element: For each a ∈ G, there is an element a′ ∈ G such that a ◦ a′ = a′ ◦ a = ε.
• Abelian groups additionally obey axiom (A5), commutativity: a ◦ b = b ◦ a for all a, b ∈ G. Not all groups are abelian!
• ◦ refers to any generic operator that obeys axioms (A1)–(A4)
Groups II
• Example group: Sn, the set of all possible permutations of N = {1, . . . , n} distinct symbols, where ◦ denotes composition of permutations (Stallings, 2006)
– Permuting a permutation of N yields a permutation of N, e.g., {3, 2, 1} ◦ {1, 3, 2} = {2, 3, 1} for n = 3 (the right-hand permutation is applied first, then its positions are reordered by the left-hand one)
– Associativity holds too
– Identity element: {1, . . . , n}
– Inverse element: the permutation mapping N’s current permutation back to {1, . . . , n}
– Sn is not abelian for n ≥ 3: {1, 3, 2} ◦ {3, 2, 1} = {3, 1, 2} ≠ {2, 3, 1}
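The permutation group above, as an added Python example (not part of the original slides). It uses the same composition convention as the slides' example {3, 2, 1} ◦ {1, 3, 2} = {2, 3, 1}, computes inverses, and exhaustively checks the group axioms (A1)–(A4) and commutativity (A5) for small n; the function names are my own.

```python
# Added example, not from the slides: the symmetric group S_n in Python.
# Convention (matches {3,2,1} o {1,3,2} = {2,3,1}): a permutation is a tuple
# giving the symbol that lands in each position, and (p o q) applies q first,
# then reorders the result by p.
from itertools import permutations


def compose(p, q):
    """Group operation: (p o q)[i] = q[p[i] - 1] (apply q, then p)."""
    n = len(p)
    assert sorted(p) == sorted(q) == list(range(1, n + 1)), "not permutations of 1..n"
    return tuple(q[i - 1] for i in p)


def identity(n):
    """Identity element {1, ..., n}."""
    return tuple(range(1, n + 1))


def inverse(p):
    """Inverse element: the permutation that maps p back to the identity."""
    inv = [0] * len(p)
    for position, symbol in enumerate(p, start=1):
        inv[symbol - 1] = position
    return tuple(inv)


def is_group(n):
    """Exhaustively check axioms (A1)-(A4) for S_n (feasible for small n)."""
    elems = list(permutations(range(1, n + 1)))
    elem_set = set(elems)
    e = identity(n)
    closure = all(compose(a, b) in elem_set for a in elems for b in elems)
    assoc = all(compose(a, compose(b, c)) == compose(compose(a, b), c)
                for a in elems for b in elems for c in elems)
    ident = all(compose(a, e) == a == compose(e, a) for a in elems)
    inv = all(compose(a, inverse(a)) == e == compose(inverse(a), a) for a in elems)
    return closure and assoc and ident and inv


def is_abelian(n):
    """(A5) commutativity: holds for S_1 and S_2 only; S_n is non-abelian for n >= 3."""
    elems = list(permutations(range(1, n + 1)))
    return all(compose(a, b) == compose(b, a) for a in elems for b in elems)


if __name__ == "__main__":
    print(compose((3, 2, 1), (1, 3, 2)))   # (2, 3, 1), as on the slide
    print(is_group(3), is_abelian(3))      # True False
```

Swapping the order of the two permutations in `compose` gives a different result, which is the concrete reason S_n is the standard example of a non-abelian group.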
Rings I
• A ring R is an abelian group with “addition” and “multiplication” operations +, × satisfying the following axioms (Stallings, 2006):
(A1)–(A5) Abelian group axioms for +: closure under +, associativity of +, existence of identity element 0, existence of inverse element −a, commutativity of +
(M1) Closure under multiplication: for all a, b ∈ R, a × b ∈ R
(M2) Associativity of multiplication: (a × b) × c = a × (b × c) for all a, b, c ∈ R
(M3) Distributive laws: a × (b + c) = (a × b) + (a × c) and (a + b) × c = (a × c) + (b × c) for all a, b, c ∈ R.
Rings II
• Commutative rings satisfy axiom (M4), commutativity of multiplication: a × b = b × a for all a, b ∈ R
• Integral domains are commutative rings satisfying the following additional axioms:
(M5) Multiplicative identity: There is an element 1 ∈ R such that a × 1 = 1 × a = a for all a ∈ R
(M6) No zero divisors: If a, b ∈ R and a × b = 0, then a = 0 or b = 0
Rings III
• Example: Ring of integers Zm = {0, . . . , m − 1} with addition and multiplication operators +, × such that, for a, b ∈ Zm (Paar and Pelzl, 2010):
(1) a + b ≡ c (mod m) (c ∈ Zm);
(2) a × b ≡ d (mod m) (d ∈ Zm).
– If m = 9, then Z9 = {0, 1, 2, 3, 4, 5, 6, 7, 8}.
– 6 + 8 = 14 ≡ 5 (mod 9)
– 6 × 8 = 48 ≡ 3 (mod 9)
– A multiplicative inverse exists only for integers a ∈ Zm coprime to m (so Zm is not an integral domain when m is composite: 3 × 6 = 18 ≡ 0 (mod 9)). For such a, cancellation holds: (a × b) ≡ (a × c) (mod m) =⇒ b ≡ c (mod m).
Fields
• A field F is a set of elements with “addition” and “multiplication” operations +, × satisfying the following axioms:
(A1)–(M6) Integral domain axioms
(M7) Multiplicative inverse: For all a ∈ F (except 0), there is an element a⁻¹ ∈ F such that a × a⁻¹ = a⁻¹ × a = 1.
• Examples of fields: rational numbers, real numbers, complex numbers
Primality
• An integer n > 1 is prime if and only if its only positive divisors are 1 and n. Example primes:
– P = {2, 3, 5, 7, 11, 13, 17, 19, . . .} = {p1, p2, . . .}
• Fundamental Theorem of Arithmetic: Every integer n > 1 is either prime or can be written as a product of primes that is unique up to the order of the factors.
• Examples:
– 7 = 7¹ = 2⁰ × 3⁰ × 5⁰ × 7¹ × · · ·
– 60 = 2 × 2 × 3 × 5 = 2² × 3¹ × 5¹ × 7⁰ × · · ·
– More generally,
$$n = p_1^{e_1} \times p_2^{e_2} \times \cdots = \prod_{p_i \in P} p_i^{e_i}, \quad \text{where } e_i \in \{0, 1, 2, \dots\} \tag{1}$$
Greatest Common Divisor
• The greatest common divisor (GCD) of integers m and n is the largest integer d that divides both m and n. Notation: gcd(m, n) = d.
• If gcd(m, n) = 1 for integers m and n, then m and n are coprime.
• How do we find the GCD?
– Small numbers: multiply common prime factors.
– Example: m = 84, n = 30. m = 2 × 2 × 3 × 7; n = 2 × 3 × 5; gcd(m, n) = 2 × 3 = 6
– This approach is inefficient for large numbers, since it requires factoring them
Euclid’s Algorithm
• Faster algorithm to find the GCD; it exploits the following theorem: gcd(m, n) = gcd(n, m mod n) for m > n > 0
– PROOF: Let d = gcd(m, n). As d | m and d | n, we can write m = d × k and n = d × ℓ for coprime integers k, ℓ (k > ℓ > 0). Write k = q × ℓ + r with r = k mod ℓ; then m mod n = d × r, and r and ℓ are coprime too (any common divisor of r and ℓ also divides k = q × ℓ + r). Hence gcd(n, m mod n) = gcd(d × ℓ, d × r) = d.
Algorithm 1 EUCLID(m, n)
1: A ← m; B ← n
2: while B ≠ 0 do
3:   R ← A mod B
4:   A ← B
5:   B ← R
6: return A
• Compute gcd(84, 30) and gcd(973, 301).
Extended Euclidean Algorithm
• If gcd(m, n) = 1 for positive integers n < m, there is a positive multiplicative inverse of n modulo m, n⁻¹ ∈ Zm, such that n × n⁻¹ ≡ 1 (mod m)
• The Euclidean algorithm can be extended to compute n⁻¹ if it exists (and otherwise to return gcd(m, n)) (Stallings, 2006). Throughout, the triples satisfy A1 × m + A2 × n = A3 and B1 × m + B2 × n = B3, so when B3 reaches 1, B2 × n ≡ 1 (mod m).
Algorithm 2 EXTENDED EUCLID(m, n)
1: (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, n)
2: while true do
3:   if B3 = 0 then return A3 // A3 = gcd(m, n) ≠ 1; no inverse
4:   if B3 = 1 then return B2 // B2 ≡ n⁻¹ (mod m); add m if B2 is negative
5:   Q ← ⌊A3 / B3⌋
6:   (T1, T2, T3) ← (A1 − Q × B1, A2 − Q × B2, A3 − Q × B3)
7:   (A1, A2, A3) ← (B1, B2, B3)
8:   (B1, B2, B3) ← (T1, T2, T3)
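Algorithms 1 and 2, as an added Python example (not part of the original slides), run on the slides' exercise inputs gcd(84, 30) and gcd(973, 301). The extended version keeps the same (A1, A2, A3)/(B1, B2, B3) bookkeeping and returns the Bézout coefficients; `mod_inverse` reduces the coefficient into Zm, which matters because the raw B2 can be negative. Function names are my own.

```python
# Added example, not from the slides: Euclid's algorithm (Algorithm 1) and the
# extended Euclidean algorithm (Algorithm 2), plus a modular-inverse wrapper.


def euclid(m, n):
    """gcd(m, n) via repeated gcd(m, n) = gcd(n, m mod n)."""
    a, b = abs(m), abs(n)
    while b != 0:
        a, b = b, a % b          # (A, B) <- (B, A mod B)
    return a


def extended_euclid(m, n):
    """Return (g, x, y) with g = gcd(m, n) and x*m + y*n = g.

    Invariant (same as Algorithm 2): A1*m + A2*n = A3 and B1*m + B2*n = B3.
    The loop runs until B3 == 0, so the gcd is A3 whether or not it equals 1.
    """
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, n
    while b3 != 0:
        q = a3 // b3
        # Python evaluates the whole right-hand side before assigning, so the
        # old A and B values are used, exactly like the T-triple in the slide.
        a1, a2, a3, b1, b2, b3 = b1, b2, b3, a1 - q * b1, a2 - q * b2, a3 - q * b3
    return a3, a1, a2


def mod_inverse(n, m):
    """n^{-1} in Z_m, or None when gcd(m, n) != 1 (no inverse exists)."""
    g, _x, y = extended_euclid(m, n)
    if g != 1:
        return None
    # y*n = 1 - x*m, i.e. y*n == 1 (mod m). y may be negative: reduce it
    # into {0, ..., m-1} before using it as an element of Z_m.
    return y % m


if __name__ == "__main__":
    print(euclid(84, 30), euclid(973, 301))        # 6 7
    print(extended_euclid(84, 30))                 # (6, -1, 3): -1*84 + 3*30 = 6
    print(mod_inverse(3, 7), mod_inverse(4, 8))    # 5 None
```

Running `extended_euclid(7, 3)` returns (1, 1, -2): the raw coefficient for 3 is -2, and it is the `% m` in `mod_inverse` that turns it into the Z_7 element 5 (3 × 5 = 15 ≡ 1 mod 7).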
Euler’s Totient Function I
• Consider the ring Zm = {0, . . . , m − 1}. We want to find how many integers in Zm are coprime to m, i.e., ϕ(m).
• Convention: ϕ(1) = 1.
• Let’s compute ϕ(5) and ϕ(6) . . .
Euler’s Totient Function II
• If m is prime, ϕ(m) = m − 1.
• Otherwise, we need m’s (unique) prime factorization to compute ϕ(m). Recall Eq. (1):
$$m = \prod_{p_i \in P} p_i^{e_i}, \quad \text{where } e_i \in \{0, 1, 2, \dots\}.$$
• Let p1, . . . , pn be the distinct primes that actually divide m (those with ei ≥ 1). Then
$$\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right). \tag{2}$$
(Only primes dividing m contribute; a prime with ei = 0 would give a factor 1 − 1/p, not 1.)
• Let’s compute ϕ(240) using Eq. (2). . .
More Number Theory Theorems
• Fermat’s Little Theorem: Let a be an integer and p be a prime. Then aᵖ ≡ a (mod p). If p does not divide a, equivalently aᵖ⁻¹ ≡ 1 (mod p), so we can invert a modulo p: a⁻¹ ≡ aᵖ⁻² (mod p).
• Euler’s Theorem: Let a and m be integers such that gcd(a, m) = 1. Then a^ϕ(m) ≡ 1 (mod m).
• Notice that Euler’s Theorem is a generalization of Fermat’s Little Theorem to an arbitrary modulus m (for prime m = p, ϕ(p) = p − 1).
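The totient computation of Eq. (2) and the two theorems above, as one added Python example (not part of the original slides) serving both the totient slides and this one. `phi` implements Eq. (2) from a trial-division factorization, `phi_brute_force` counts coprime residues directly as a cross-check (this also covers ϕ(5), ϕ(6) and ϕ(240) from the slides), `fermat_inverse` inverts via aᵖ⁻², and `euler_theorem_holds` checks a^ϕ(m) ≡ 1 (mod m). Function names are my own.

```python
# Added example, not from the slides: Euler's totient via Eq. (2), a brute-force
# cross-check, and numeric checks of Fermat's Little Theorem and Euler's Theorem.
from math import gcd


def prime_factorization(m):
    """Return {p: e} with m = prod p**e, by trial division (fine for small m)."""
    factors = {}
    p = 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                      # leftover cofactor is itself prime
        factors[m] = factors.get(m, 0) + 1
    return factors


def phi(m):
    """Eq. (2): phi(m) = prod over primes p | m of (p**e - p**(e-1)); phi(1) = 1."""
    if m == 1:
        return 1
    result = 1
    for p, e in prime_factorization(m).items():
        result *= p**e - p**(e - 1)
    return result


def phi_brute_force(m):
    """Definition: count a in Z_m = {0, ..., m-1} with gcd(a, m) == 1."""
    return sum(1 for a in range(m) if gcd(a, m) == 1)


def fermat_inverse(a, p):
    """a^{-1} mod p as a^{p-2} mod p (needs p prime and p not dividing a)."""
    if a % p == 0:
        raise ValueError("a is divisible by p, so a has no inverse mod p")
    return pow(a, p - 2, p)


def euler_theorem_holds(a, m):
    """Euler's Theorem applies only when gcd(a, m) == 1; then a^phi(m) == 1 (mod m)."""
    return gcd(a, m) == 1 and pow(a, phi(m), m) == 1


if __name__ == "__main__":
    print(prime_factorization(240))          # {2: 4, 3: 1, 5: 1}
    print(phi(5), phi(6), phi(240))          # 4 2 64
    print(fermat_inverse(3, 7))              # 5, since 3 * 5 = 15 == 1 (mod 7)
    print(euler_theorem_holds(7, 240))       # True
```

Note that `pow(14, 6, 7)` is 0, not 1: the aᵖ⁻¹ ≡ 1 form of Fermat's theorem needs p ∤ a, which is why `fermat_inverse` refuses multiples of p.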
RSA Cryptosystem
• Widely used public-key (asymmetric) cryptosystem
• Security based on the following: it’s easy to multiply large primes, but very hard to factor the product (Paar and Pelzl, 2010)
• Computations in the integer ring Zn, where plaintext m ∈ Zn
• RSA Encryption: Given public key (n, e) = kpub and plaintext m, the encryption function is
c = E_kpub(m) ≡ mᵉ (mod n), (3)
where m, c ∈ Zn.
• RSA Decryption: Given private key (n, d) = kpriv and ciphertext c, the decryption function is
m = D_kpriv(c) ≡ cᵈ (mod n), (4)
where m, c ∈ Zn.
RSA Key Generation
Algorithm 3 RSA KEY GENERATION
1: Choose two large distinct primes p and q
2: Compute n ← p · q
3: Compute ϕ(n) = (p − 1)(q − 1)
4: Select public exponent e ∈ {1, 2, . . . , ϕ(n) − 1} such that gcd(e, ϕ(n)) = 1
5: Compute private exponent d such that d · e ≡ 1 (mod ϕ(n)) (e.g., with the extended Euclidean algorithm)
• Suppose Bob picks p = 3 and q = 11, and Alice wants to send m = 4 to Bob using his public key. How would the RSA scheme work?
RSA in Practice
• This “textbook RSA” scheme has several weaknesses (Paar and Pelzl, 2010):
– RSA encryption is deterministic: the same plaintext under the same key always yields the same ciphertext, so an attacker can recognize repeated messages and test guesses of m
– Plaintext values m = 0, m = 1, m = −1 (i.e., n − 1) are fixed points: they produce the same ciphertext values (c = 0, c = 1, c = −1)
– Attacks are possible with small plaintext and exponent values (e.g., if mᵉ < n, no reduction happens and m is recovered by taking an ordinary e-th root of c)
• In practice, RSA is never applied to the raw message: encryption uses randomized padding (e.g., RSA-OAEP) and signing hashes the message and pads the hash (e.g., RSA-PSS), which removes the determinism and small-value problems
RSA Digital Signatures
• The RSA algorithm can be repurposed for digitally signing a message m
• Same key pair as for encryption, with the roles of the exponents swapped: the signer uses the private key kpriv = (n, d), the verifier uses the public key kpub = (n, e)
• Signing: Compute s = Sign_kpriv(m) ≡ mᵈ (mod n)
• Verification: Compute m′ = sᵉ mod n. If m′ ≡ m (mod n), the signature is valid.
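Textbook RSA end to end, as one added Python example (not part of the original slides) covering Algorithm 3 and the p = 3, q = 11, m = 4 exercise, the fixed-point weakness from the "RSA in Practice" slide, and the signing/verification above. The modular inverse uses Python's built-in `pow(e, -1, n)` (Python 3.8+) instead of re-implementing the extended Euclidean algorithm; requiring e > 1 (the slide allows e = 1, which would make c = m) is my tightening, and function names are my own.

```python
# Added example, not from the slides: textbook RSA key generation, encryption,
# decryption, signing and verification, plus the fixed-point weakness.
from math import gcd


def rsa_keygen(p, q, e=None):
    """Algorithm 3. Returns ((n, e), (n, d)) = (public key, private key).

    If e is not given, the smallest e > 1 coprime to phi(n) is chosen.
    """
    assert p != q, "p and q must be distinct primes"
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if e is None:
        e = 2
        while gcd(e, phi_n) != 1:
            e += 1
    if not (1 < e < phi_n) or gcd(e, phi_n) != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime to phi(n)")
    d = pow(e, -1, phi_n)          # d * e == 1 (mod phi(n)), Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Eq. (3): c = m^e mod n for a plaintext m in Z_n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be an element of Z_n")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """Eq. (4): m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def rsa_sign(private, m):
    """s = m^d mod n (private exponent)."""
    n, d = private
    return pow(m, d, n)


def rsa_verify(public, m, s):
    """Valid iff s^e == m (mod n) (public exponent)."""
    n, e = public
    return pow(s, e, n) == m % n


def fixed_points(public):
    """Plaintexts m with m^e == m (mod n), i.e. that encrypt to themselves.

    0, 1 and n-1 (== -1) are always among them; for the toy key there are more.
    """
    n, e = public
    return [m for m in range(n) if pow(m, e, n) == m]


if __name__ == "__main__":
    pub, priv = rsa_keygen(3, 11)            # n = 33, phi(n) = 20, e = 3, d = 7
    c = rsa_encrypt(pub, 4)                   # 4^3 = 64 == 31 (mod 33)
    print(pub, priv, c, rsa_decrypt(priv, c))   # (33, 3) (33, 7) 31 4
    s = rsa_sign(priv, 4)                     # 4^7 mod 33 = 16
    print(s, rsa_verify(pub, 4, s), rsa_verify(pub, 5, s))   # 16 True False
    print(fixed_points(pub))                  # 9 of the 33 plaintexts
```

With n = 33 and e = 3, nine of the 33 possible plaintexts encrypt to themselves, and every plaintext always maps to the same ciphertext; both are the textbook-RSA properties that randomized padding exists to remove.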
Questions & Comments?
Thank you!
• If you find this material interesting, consider taking CSE 5473 (Introduction to Network Security) and/or CSE 5431 (Introduction to Cryptography).
• More to explore:
– (Sage Math, 2012) (http://www.sagemath.org);
– Sage-based notes on the RSA cryptosystem (van Nguyen, 2010);
– Free book on number theory (Stein, 2008)
References
Knuth, D. E. (1997). The Art of Computer Programming, volume 1. Addison-Wesley, 3rd edition.
Paar, C. and Pelzl, J. (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2nd edition. http://crypto-textbook.com.
Sage Math (2012). http://www.sagemath.org.
Stallings, W. (2006). Cryptography and Network Security. Addison-Wesley, 4th edition.
Stein, W. (2008). Elementary Number Theory: Primes, Congruences, and Secrets. Springer. http://wstein.org/ent/.
van Nguyen, M. (2010). Number Theory and the RSA Cryptosystem. https://bitbucket.org/mvngu/numtheory-crypto/downloads/numtheory-crypto-1.1.pdf.