Number Theory: Applications
CSE235: Introduction to Discrete Mathematics (Computer Science & Engineering 235)
Slides by Christopher M. Bourke; Instructor: Berthe Y. Choueiry
Spring 2006
Sections 2.4–2.6 of Rosen
Source: University of Nebraska–Lincoln, cse.unl.edu/~choueiry/S06-235/files/NumberTheoryApplications.pdf
Results from number theory have countless applications, in mathematics as well as in practice: security, memory management, authentication, coding theory, etc. We will only examine (in breadth) a few here.
Hash Functions
Pseudorandom Numbers
Fast Arithmetic Operations
Cryptography
Hash Functions I
Some notation: Z_m = {0, 1, 2, ..., m−2, m−1}.
Define a hash function h : Z → Z_m as
h(k) = k mod m
That is, h maps all integers into a subset of size m by computing the remainder of k/m.
Hash Functions II
In general, a hash function should have the following properties.
It must be easily computable.
It should distribute items as evenly as possible among all available addresses. To this end, m is usually chosen to be a prime number. It is also common practice to define a hash function that depends on each bit of a key.
It must be an onto function (surjective).
Hashing is so useful that many languages have built-in support for it (Perl, Lisp, Python).
Hash Functions III
However, the function is clearly not one-to-one. When two elements x1 ≠ x2 hash to the same value, we call it a collision.
There are many methods to resolve collisions; here are just a few.
Open Hashing (aka separate chaining): each hash address is the head of a linked list. When collisions occur, the new key is appended to the end of the list.
Closed Hashing (aka open addressing): when collisions occur, we attempt to hash the item into an adjacent hash address. This is known as linear probing.
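The two collision-resolution strategies just named, implemented over the slides' hash function h(k) = k mod m. This is an added example, not code from the CSE235 slides; the table size m = 11 and the sample keys are constructed so that collisions are easy to see.

```python
# Added example, not code from the CSE235 slides: the slides' hash function
# h(k) = k mod m together with the two collision-resolution strategies named
# above. The table size m and the sample keys below are constructed.
from typing import List, Optional, Sequence, Tuple


def h(k: int, m: int) -> int:
    """The slides' hash function: the remainder of k divided by m."""
    return k % m


class ChainedHashTable:
    """Open hashing (separate chaining): each address heads a list of keys."""

    def __init__(self, m: int) -> None:
        self.m = m
        self.buckets: List[List[int]] = [[] for _ in range(m)]

    def insert(self, k: int) -> bool:
        """Insert k; return True if its address already held another key (a collision)."""
        bucket = self.buckets[h(k, self.m)]
        collided = len(bucket) > 0
        if k not in bucket:
            bucket.append(k)  # a new key is appended to the end of the chain
        return collided

    def contains(self, k: int) -> bool:
        return k in self.buckets[h(k, self.m)]


class ProbingHashTable:
    """Closed hashing (open addressing) with linear probing."""

    def __init__(self, m: int) -> None:
        self.m = m
        self.slots: List[Optional[int]] = [None] * m

    def insert(self, k: int) -> int:
        """Insert k and return how many addresses past h(k) had to be probed
        (0 means no collision). Raises OverflowError if the table is full."""
        for step in range(self.m):
            i = (h(k, self.m) + step) % self.m  # home address, then its neighbours
            if self.slots[i] is None or self.slots[i] == k:
                self.slots[i] = k
                return step
        raise OverflowError("hash table is full")

    def find(self, k: int) -> Optional[int]:
        """Return the slot index holding k, or None. The probe sequence
        mirrors insert(): reaching an empty slot means k was never stored."""
        for step in range(self.m):
            i = (h(k, self.m) + step) % self.m
            if self.slots[i] is None:
                return None
            if self.slots[i] == k:
                return i
        return None


def demo(keys: Sequence[int], m: int = 11) -> Tuple[int, List[int]]:
    """Insert the same keys into both tables; return the number of chaining
    collisions and the per-key probe counts for linear probing."""
    chained, probed = ChainedHashTable(m), ProbingHashTable(m)
    chain_collisions = sum(chained.insert(k) for k in keys)
    probe_counts = [probed.insert(k) for k in keys]
    return chain_collisions, probe_counts


if __name__ == "__main__":
    # Constructed sample keys: 23, 34 and 45 all hash to 1 when m = 11,
    # and 7 and 18 both hash to 7.
    print(demo([23, 34, 45, 7, 18]))
```

With these keys the chained table records three collisions while the probing table needs 0, 1, 2, 0 and 1 extra probes, which shows how linear probing clusters colliding keys in neighbouring slots. A fixed, public h(k) = k mod m is fine for a textbook table; where the keys are chosen by an untrusted party, implementations use a keyed hash so that collisions cannot be forced on purpose.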
Pseudorandom Numbers
Many applications, such as randomized algorithms, require that we have access to a random source of information (random numbers).
However, there is no truly random source in existence, only weak random sources: sources that appear random, but for which we do not know the probability distribution of events.
Pseudorandom numbers are numbers that are generated from weak random sources such that their distribution is “random enough”.
Pseudorandom Numbers I: Linear Congruence Method
One method for generating pseudorandom numbers is the linear congruential method.
Choose four integers:
m, the modulus,
a, the multiplier,
c, the increment, and
x_0, the seed,
such that the following hold:
2 ≤ a < m
0 ≤ c < m
0 ≤ x_0 < m
Pseudorandom Numbers II: Linear Congruence Method
Our goal will be to generate a sequence of pseudorandom numbers,
{x_n}, n = 1, 2, 3, ...
with 0 ≤ x_n ≤ m, by using the congruence
x_{n+1} = (a·x_n + c) mod m
For certain choices of m, a, c, x_0, the sequence {x_n} becomes periodic. That is, after a certain point the sequence begins to repeat. Low periods lead to poor generators.
Furthermore, some choices are better than others; a generator that creates the sequence 0, 5, 0, 5, 0, 5, ... is obviously bad: it is not uniformly distributed.
For these reasons, very large numbers are used in practice.
Linear Congruence Method: Example
Example
Let m = 17, a = 5, c = 2, x_0 = 3. Then the sequence is as follows.
x_{n+1} = (a·x_n + c) mod m
x_1 = (5 · x_0 + 2) mod 17 = 0
x_2 = (5 · x_1 + 2) mod 17 = 2
x_3 = (5 · x_2 + 2) mod 17 = 12
x_4 = (5 · x_3 + 2) mod 17 = 11
x_5 = (5 · x_4 + 2) mod 17 = 6
x_6 = (5 · x_5 + 2) mod 17 = 15
x_7 = (5 · x_6 + 2) mod 17 = 9
x_8 = (5 · x_7 + 2) mod 17 = 13
etc.
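The generator of the preceding two slides in code, with the parameter constraints enforced and a period check added to make the remark about low periods concrete. This is an added example, not code from the CSE235 slides; the second parameter set (m = 10, a = 9, c = 5, x_0 = 0) is constructed to reproduce an alternating sequence like the 0, 5, 0, 5, ... case mentioned above.

```python
# Added example, not code from the CSE235 slides: the linear congruential
# generator x_{n+1} = (a*x_n + c) mod m with the parameter checks from the
# slides, plus a period check that shows why some choices are poor.
from typing import Dict, Iterator, List


def lcg(m: int, a: int, c: int, x0: int) -> Iterator[int]:
    """Yield x_1, x_2, x_3, ... for the given modulus, multiplier, increment and seed."""
    if not (2 <= a < m and 0 <= c < m and 0 <= x0 < m):
        raise ValueError("need 2 <= a < m, 0 <= c < m and 0 <= x0 < m")
    x = x0
    while True:
        x = (a * x + c) % m
        yield x


def first_terms(m: int, a: int, c: int, x0: int, count: int) -> List[int]:
    """The first `count` terms x_1 .. x_count of the sequence."""
    gen = lcg(m, a, c, x0)
    return [next(gen) for _ in range(count)]


def period(m: int, a: int, c: int, x0: int) -> int:
    """Length of the cycle the sequence falls into. Because x_{n+1} depends
    only on x_n, the first value seen twice closes the cycle, and since only m
    residues exist a repeat is guaranteed within m + 1 steps."""
    first_index: Dict[int, int] = {}
    x = x0
    for i in range(m + 1):
        if x in first_index:
            return i - first_index[x]
        first_index[x] = i
        x = (a * x + c) % m
    raise AssertionError("unreachable: a residue must repeat within m + 1 steps")


if __name__ == "__main__":
    # The slides' parameters: m = 17, a = 5, c = 2, x_0 = 3.
    print(first_terms(17, 5, 2, 3, 8))  # x_1 .. x_8
    print(period(17, 5, 2, 3))
    # A constructed poor choice that alternates 5, 0, 5, 0, ... (period 2).
    print(first_terms(10, 9, 5, 0, 6), period(10, 9, 5, 0))
```

With the slides' parameters the cycle has length 16 (every residue except the fixed point 8), whereas the constructed second generator repeats after two values. Either way the next output is a fixed function of the current one, which is why a linear congruential generator is a tool for simulations and randomized algorithms, not a source of keys or tokens; for those, Python's `secrets` module draws from the operating system's generator.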
Representation of Integers I
This should be old hat to you, but we review it to be complete (it is also discussed in great detail in your textbook).
Any integer n can be uniquely expressed in any base b by the following expression.
n = a_k b^k + a_{k−1} b^{k−1} + ··· + a_2 b^2 + a_1 b + a_0
In the expression, each coefficient a_i is an integer between 0 and b − 1 inclusive.
Representation of Integers II
For b = 2, we have the usual binary representation.
b = 8 gives us the octal representation.
b = 16 gives us the hexadecimal representation.
b = 10 gives us our usual decimal system.
We use the notation
(a_k a_{k−1} ··· a_2 a_1 a_0)_b
For b = 10, we omit the parentheses and subscript. We also omit leading 0s.
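Converting between an integer and its coefficient list (a_k ... a_1 a_0)_b for any base b, as an added example that is not code from the CSE235 slides. The digit symbols 0–9, A–Z for the printed form are a conventional choice and limit `format_base` to b ≤ 36.

```python
# Added example, not code from the CSE235 slides: converting an integer to
# and from its digit expansion n = a_k b^k + ... + a_1 b + a_0 in an arbitrary
# base b, with the (a_k ... a_1 a_0)_b notation used above.
from typing import List, Sequence

DIGIT_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # conventional symbols, b <= 36


def to_base(n: int, b: int) -> List[int]:
    """Coefficients a_k, ..., a_1, a_0 (most significant first) of n >= 0 in base b >= 2.
    Repeated division by b peels off a_0 first, so the list is reversed at the end."""
    if b < 2:
        raise ValueError("base must be at least 2")
    if n < 0:
        raise ValueError("only non-negative integers are handled here")
    if n == 0:
        return [0]
    digits: List[int] = []
    while n:
        n, r = divmod(n, b)
        digits.append(r)
    return digits[::-1]


def from_base(digits: Sequence[int], b: int) -> int:
    """Evaluate a_k b^k + ... + a_1 b + a_0 by Horner's rule, checking 0 <= a_i < b."""
    n = 0
    for d in digits:
        if not 0 <= d < b:
            raise ValueError(f"digit {d} is not in 0..{b - 1}")
        n = n * b + d
    return n


def format_base(n: int, b: int) -> str:
    """Render n as (a_k ... a_0)_b, omitting parentheses and subscript for b = 10."""
    if b > len(DIGIT_CHARS):
        raise ValueError("no digit symbols beyond base 36")
    body = "".join(DIGIT_CHARS[d] for d in to_base(n, b))
    return body if b == 10 else f"({body})_{b}"


if __name__ == "__main__":
    for base in (2, 8, 10, 16):
        print(format_base(2006, base))
```

The range check in `from_base` is the part worth keeping in mind when such a routine parses untrusted input: a "digit" outside 0..b−1 silently produces a different integer than the one written, which is how lenient base parsers end up accepting two spellings of the same value.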
This concept is formally stated in the following Lemma.
Lemma
Let a = bq + r, a, b, q, r ∈ Z, then
gcd(a, b) = gcd(b, r)
Euclid’s Algorithm III: Intuition
The algorithm we present here is actually the Extended Euclidean Algorithm. It keeps track of more information to find integers such that the gcd can be expressed as a linear combination.
Theorem
If a and b are positive integers, then there exist integers s, t such that
gcd(a, b) = sa + tb
Input : Two positive integers a, b.
Output : r = gcd(a, b) and s, t such that sa + tb = gcd(a, b).
To solve the system in the previous example, it was necessary to determine the inverses of M_k modulo m_k. How did we do that?
One way (as in this case) is to try every single element a, 2 ≤ a ≤ m − 1, to see if
a·M_k ≡ 1 (mod m)
But there is a more efficient way that we already know how to do: Euclid’s Algorithm!
Computing Inverses
Lemma
Let a, b be relatively prime. Then the linear combination computed by the Extended Euclidean Algorithm,
gcd(a, b) = sa + tb
gives the inverse of a modulo b; i.e. s = a^{−1} modulo b.
Note that t = b^{−1} modulo a.
Also note that it may be necessary to take the modulo of the result.
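The Extended Euclidean Algorithm with the input/output contract stated above (r = gcd(a, b) and s, t with sa + tb = r), next to the exhaustive search for an inverse that the previous slide mentions. This is an added example, not code from the CSE235 slides; the parameters 47 and 192 are the RSA example's a and φ(n) from later in the deck, and 12 and 47 come from the Chinese Remainder example.

```python
# Added example, not code from the CSE235 slides: the Extended Euclidean
# Algorithm returning r = gcd(a, b) together with s, t such that sa + tb = r,
# and the two ways of finding a^{-1} mod m discussed above: exhaustive search
# and reading s off the linear combination.
from typing import Optional, Tuple


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Input: two positive integers a, b.
    Output: (r, s, t) with r = gcd(a, b) and s*a + t*b = r."""
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    # Invariant: old_r = old_s*a + old_t*b and r = s*a + t*b hold on every pass.
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def inverse_by_search(a: int, m: int) -> Optional[int]:
    """The slides' first method: try every candidate x and test a*x ≡ 1 (mod m).
    Linear in m, so hopeless for the moduli used in practice."""
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None


def mod_inverse(a: int, m: int) -> int:
    """a^{-1} mod m via the Extended Euclidean Algorithm (the lemma above: s = a^{-1} mod m).
    The coefficient s may be negative, hence the final reduction modulo m."""
    r, s, _ = extended_gcd(a, m)
    if r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {r}")
    return s % m


if __name__ == "__main__":
    r, s, t = extended_gcd(47, 192)
    print(r, s, t, s * 47 + t * 192)  # gcd 1, and the combination evaluates to 1
    print(mod_inverse(47, 192), inverse_by_search(47, 192))
```

For a = 47 and b = 192 the algorithm returns s = −49 and t = 12; −49 mod 192 = 143 is the inverse of 47, and t = 12 is the inverse of 192 modulo 47, exactly the two facts the lemma states. The explicit `r != 1` check matters: an inverse only exists when the two numbers are relatively prime, and silently returning s in the other case would give a wrong answer rather than an error.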
Chinese Remainder Representations
In many applications, it is necessary to perform simple arithmetic operations on very large integers.
Such operations become inefficient if we perform them bitwise.
Instead, we can use Chinese Remainder Representations to perform arithmetic operations on large integers using smaller integers, saving computation. Once the operations have been performed, we can uniquely recover the large integer result.
Chinese Remainder Representations
Lemma
Let m_1, m_2, ..., m_n be pairwise relatively prime integers, m_i ≥ 2. Let
m = m_1 m_2 ··· m_n
Then every integer a, 0 ≤ a < m, can be uniquely represented by n remainders over the m_i; i.e.
(a mod m_1, a mod m_2, ..., a mod m_n)
Chinese Remainder Representations I: Example
Example
Let m_1 = 47, m_2 = 48, m_3 = 49, m_4 = 53. Compute 2,459,123 + 789,123 using Chinese Remainder Representations.
By the previous lemma, we can represent any integer up to 5,858,832 by four integers all less than 53.
First,
2,459,123 mod 47 = 36
2,459,123 mod 48 = 35
2,459,123 mod 49 = 9
2,459,123 mod 53 = 29
Chinese Remainder Representations II: Example
Next,
789,123 mod 47 = 40
789,123 mod 48 = 3
789,123 mod 49 = 27
789,123 mod 53 = 6
So we’ve reduced our calculations to computing (coordinatewise) the addition:
We use the Extended Euclidean Algorithm to find the inverses of each of these w.r.t. the appropriate modulus:
y_1 = 4
y_2 = 19
y_3 = 43
y_4 = 34
Chinese Remainder Representations V: Example
And so we have that (with M_k = m/m_k, i.e. M_1 = 124,656, M_2 = 122,059, M_3 = 119,568, M_4 = 110,544)
x = (29 · 124656 · 4 + 38 · 122059 · 19 + 36 · 119568 · 43 + 35 · 110544 · 34) mod 5,858,832
  = 3,248,246
  = 2,459,123 + 789,123
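The whole computation of the Chinese Remainder example (residues, coordinatewise addition, inverses y_k and reconstruction) in code, as an added example that is not code from the CSE235 slides. Python's built-in `pow(x, -1, m)` is used for the modular inverses; the slides obtain the same y_k with the Extended Euclidean Algorithm.

```python
# Added example, not code from the CSE235 slides: Chinese Remainder
# Representations for the example above. A number is split into residues
# modulo pairwise coprime m_k, added coordinatewise, and reconstructed with
# x = sum(a_k * M_k * y_k) mod m, where M_k = m / m_k and y_k = M_k^{-1} mod m_k.
from functools import reduce
from math import gcd
from typing import List, Sequence

MODULI = (47, 48, 49, 53)  # the slides' m_1 .. m_4


def check_pairwise_coprime(moduli: Sequence[int]) -> None:
    """The lemma's precondition; without it the representation is not unique."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"{moduli[i]} and {moduli[j]} are not relatively prime")


def product(moduli: Sequence[int]) -> int:
    return reduce(lambda p, q: p * q, moduli, 1)


def residues(x: int, moduli: Sequence[int]) -> List[int]:
    """(x mod m_1, ..., x mod m_n): the Chinese Remainder Representation of x."""
    return [x % m_k for m_k in moduli]


def inverses(moduli: Sequence[int]) -> List[int]:
    """y_k = M_k^{-1} mod m_k for each k (pow with exponent -1 is Python's modular inverse)."""
    m = product(moduli)
    return [pow(m // m_k, -1, m_k) for m_k in moduli]


def crt_reconstruct(rem: Sequence[int], moduli: Sequence[int]) -> int:
    """The unique x with 0 <= x < m and x ≡ rem_k (mod m_k) for every k."""
    check_pairwise_coprime(moduli)
    m = product(moduli)
    total = 0
    for a_k, m_k, y_k in zip(rem, moduli, inverses(moduli)):
        total += a_k * (m // m_k) * y_k
    return total % m


def crt_add(x: int, y: int, moduli: Sequence[int]) -> int:
    """Add x and y on their residue vectors (each coordinate reduced modulo its
    m_k), then recover the integer result. Only valid while x + y < m."""
    m = product(moduli)
    if not (0 <= x < m and 0 <= y < m and x + y < m):
        raise ValueError("operands and their sum must lie in [0, m)")
    coords = [(a + b) % m_k
              for a, b, m_k in zip(residues(x, moduli), residues(y, moduli), moduli)]
    return crt_reconstruct(coords, moduli)


if __name__ == "__main__":
    print(product(MODULI))                   # 5858832
    print(residues(2459123, MODULI), residues(789123, MODULI))
    print(inverses(MODULI))                  # y_1 .. y_4
    print(crt_add(2459123, 789123, MODULI))  # 3248246
```

The range check in `crt_add` is the caveat the slides leave implicit: the representation is only unique below m, so a sum that reaches m wraps around silently, exactly like fixed-width integer overflow.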
Caesar Cipher I
Cryptography is the study of secure communication via encryption.
One of the earliest uses was in ancient Rome and involved what is now known as a Caesar cipher.
This simple encryption system involves a shift of letters in a fixed alphabet. Encryption and decryption are simple modular arithmetic.
Caesar Cipher II
In general, we fix an alphabet Σ and let m = |Σ|. Second, we fix a secret key, an integer k such that 0 < k < m. Then the encryption and decryption functions are
e_k(x) = (x + k) mod m
d_k(y) = (y − k) mod m
respectively.
Cryptographic functions must be one-to-one (why?). It is left as an exercise to verify that this Caesar cipher satisfies this condition.
Caesar Cipher: Example
Example
Let Σ = {A, B, C, ..., Z}, so m = 26. Choose k = 7. Encrypt “HANK” and decrypt “KLHU”.
“HANK” can be encoded as (7-0-13-10), so
e(7) = (7 + 7) mod 26 = 14
e(0) = (0 + 7) mod 26 = 7
e(13) = (13 + 7) mod 26 = 20
e(10) = (10 + 7) mod 26 = 17
so the encrypted word is “OHUR”.
Caesar Cipher: Example Continued
“KLHU” is encoded as (10-11-7-20), so
d(10) = (10 − 7) mod 26 = 3
d(11) = (11 − 7) mod 26 = 4
d(7) = (7 − 7) mod 26 = 0
d(20) = (20 − 7) mod 26 = 13
So the decrypted word is “DEAN”.
Affine Cipher I
Clearly, the Caesar cipher is insecure: the key space is only as large as the alphabet.
An alternative (though still not secure) is what is known as an affine cipher. Here the encryption and decryption functions are as follows.
e_k(x) = (ax + b) mod m
d_k(y) = a^{−1}(y − b) mod m
Question: How big is the key space?
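Both ciphers of this section in code: the affine cipher e_k(x) = (ax + b) mod m with its inverse, and the Caesar cipher as the special case a = 1, plus a direct check of the one-to-one property the slides ask about and a count of the affine key space. This is an added example, not code from the CSE235 slides. Letters are numbered A = 0, ..., Z = 25 as in the HANK example; the slides do not name the three extra symbols of the 29-letter alphabet used in the affine example, so `" .,"` is a constructed choice.

```python
# Added example, not code from the CSE235 slides: the affine cipher
# e_k(x) = (ax + b) mod m and d_k(y) = a^{-1}(y - b) mod m, with the Caesar
# cipher as the special case a = 1. Letters are numbered A = 0, ..., Z = 25 as
# in the HANK example. The slides do not list the three extra symbols of the
# 29-letter alphabet, so the " .," below is a constructed choice.
from math import gcd

ALPHABET_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALPHABET_29 = ALPHABET_26 + " .,"  # m = 29, a prime, as in the affine example


def affine_encrypt(plaintext: str, a: int, b: int, alphabet: str = ALPHABET_26) -> str:
    m = len(alphabet)
    if gcd(a, m) != 1:
        # Without a^{-1} mod m the map x -> ax + b is not one-to-one and cannot be decrypted.
        raise ValueError(f"a = {a} is not invertible modulo {m}")
    return "".join(alphabet[(a * alphabet.index(ch) + b) % m] for ch in plaintext)


def affine_decrypt(ciphertext: str, a: int, b: int, alphabet: str = ALPHABET_26) -> str:
    m = len(alphabet)
    a_inv = pow(a, -1, m)  # Python's modular inverse; raises ValueError when gcd(a, m) != 1
    return "".join(alphabet[(a_inv * (alphabet.index(ch) - b)) % m] for ch in ciphertext)


def caesar_encrypt(plaintext: str, k: int, alphabet: str = ALPHABET_26) -> str:
    """Caesar cipher: a shift by k, i.e. the affine cipher with a = 1, b = k."""
    if not 0 < k < len(alphabet):
        raise ValueError("key must satisfy 0 < k < m")
    return affine_encrypt(plaintext, 1, k, alphabet)


def caesar_decrypt(ciphertext: str, k: int, alphabet: str = ALPHABET_26) -> str:
    return affine_decrypt(ciphertext, 1, k, alphabet)


def is_one_to_one(a: int, b: int, m: int) -> bool:
    """Check directly that x -> (ax + b) mod m hits every residue exactly once."""
    return len({(a * x + b) % m for x in range(m)}) == m


def affine_key_space(m: int) -> int:
    """Number of valid keys (a, b): a must be invertible modulo m, b is unrestricted."""
    return sum(1 for a in range(1, m) if gcd(a, m) == 1) * m


if __name__ == "__main__":
    print(caesar_encrypt("HANK", 7), caesar_decrypt("KLHU", 7))  # OHUR DEAN
    print(affine_decrypt("OBGJLK", 10, 14, ALPHABET_29))        # ATFOUR
    print(affine_encrypt("PROOF", 10, 14, ALPHABET_29))
    print(affine_key_space(26), affine_key_space(29))
```

`is_one_to_one(13, 5, 26)` returns False because 13 shares the factor 13 with 26, which is the concrete reason behind the slides' choice of a prime m: every a in 1..m−1 is then invertible. The key-space count is φ(m)·m, which is still small enough to enumerate by hand, the point the slides make when they call the affine cipher "still not secure".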
Affine Cipher: Example
Example
To ensure a bijection, we choose m = 29 to be a prime (why?). Let a = 10, b = 14. Encrypt the word “PROOF” and decrypt the message “OBGJLK”.
“PROOF” can be encoded as (16-18-15-15-6). The encryption is as follows.
When do we attack? Computing the inverse, we find that a^{−1} = 3.
We can decrypt the message “OBGJLK” (14-1-6-9-11-10) as follows.
d(14) = 3(14 − 14) mod 29 = 0 = A
d(1) = 3(1 − 14) mod 29 = 19 = T
d(6) = 3(6 − 14) mod 29 = 5 = F
d(9) = 3(9 − 14) mod 29 = 14 = O
d(11) = 3(11 − 14) mod 29 = 20 = U
d(10) = 3(10 − 14) mod 29 = 17 = R
Public-Key Cryptography I
The problem with the Caesar and affine ciphers (aside from the fact that they are insecure) is that you still need a secure way to exchange the keys in order to communicate.
Public key cryptosystems solve this problem.
One can publish a public key.
Anyone can encrypt messages.
However, decryption is done with a private key.
The system is secure if no one can feasibly derive the private key from the public one.
Essentially, encryption should be computationally easy, while decryption should be computationally hard (without the private key).
Such protocols use what are called “trap-door functions”.
Public-Key Cryptography II
Many public key cryptosystems have been developed based on the (assumed) hardness of integer factorization and the discrete log problems.
Systems such as the Diffie-Hellman key exchange protocol (used in SSL, SSH, https) and the RSA cryptosystem are the basis of modern secure computer communication.
The RSA Cryptosystem I
The RSA system works as follows.
Choose 2 (large) primes p, q.
Compute n = pq.
Compute φ(n) = (p − 1)(q − 1).
Choose a, 2 ≤ a ≤ φ(n), such that gcd(a, φ(n)) = 1.
Compute b = a^{−1} modulo φ(n).
Note that a must be relatively prime to φ(n).
Publish n, a.
Keep p, q, b private.
The RSA Cryptosystem II
Then the encryption function is simply
e_k(x) = x^a mod n
The decryption function is
d_k(y) = y^b mod n
The RSA Cryptosystem: Computing Inverses Revisited
Recall that we can compute inverses using the Extended Euclidean Algorithm.
With RSA we want to find b = a^{−1} mod φ(n). Thus, we compute
gcd(a, φ(n)) = sa + tφ(n)
and so b = s = a^{−1} modulo φ(n).
The RSA Cryptosystem: Example
Example
Let p = 13, q = 17, a = 47.
We have
n = 13 · 17 = 221.
φ(n) = 12 · 16 = 192.
Using the Euclidean Algorithm, b = 47^{−1} = 143 modulo φ(n).
e(130) = 130^47 mod 221 = 65
d(99) = 99^143 mod 221 = 96
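The RSA steps of the preceding slides, run on the example's parameters p = 13, q = 17, a = 47. This is an added example, not code from the CSE235 slides: key generation follows the slides' recipe, the private exponent comes from Python's built-in modular inverse `pow(a, -1, phi)` rather than a hand-written Euclidean routine, and `mod_pow` is an explicit square-and-multiply so that x^a mod n is never computed by forming x^a first.

```python
# Added example, not code from the CSE235 slides: textbook RSA with the
# parameters of the example above (p = 13, q = 17, a = 47). Key generation
# follows the slides' steps; modular exponentiation is done by an explicit
# square-and-multiply loop that can be compared against Python's pow().
from math import gcd
from typing import NamedTuple, Tuple


class RSAKey(NamedTuple):
    n: int  # public modulus
    a: int  # public exponent
    b: int  # private exponent, a^{-1} mod phi(n)
    p: int  # private prime
    q: int  # private prime


def rsa_keygen(p: int, q: int, a: int) -> RSAKey:
    """The slides' steps: n = pq, phi(n) = (p-1)(q-1), a coprime to phi(n),
    b = a^{-1} mod phi(n). Primality of p and q is assumed, not checked."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 2 <= a <= phi or gcd(a, phi) != 1:
        raise ValueError("a must satisfy 2 <= a <= phi(n) and gcd(a, phi(n)) = 1")
    b = pow(a, -1, phi)  # Python's built-in modular inverse
    return RSAKey(n, a, b, p, q)


def public_key(key: RSAKey) -> Tuple[int, int]:
    """What gets published: (n, a). p, q and b stay private."""
    return key.n, key.a


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply: base^exp mod mod in O(log exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def rsa_encrypt(x: int, n: int, a: int) -> int:
    """e_k(x) = x^a mod n, needing only the public key."""
    if not 0 <= x < n:
        raise ValueError("message must be an integer in [0, n)")
    return mod_pow(x, a, n)


def rsa_decrypt(y: int, key: RSAKey) -> int:
    """d_k(y) = y^b mod n, needing the private exponent."""
    return mod_pow(y, key.b, key.n)


if __name__ == "__main__":
    key = rsa_keygen(13, 17, 47)
    print(public_key(key), key.b)              # (221, 47) 143
    print(rsa_encrypt(130, *public_key(key)))  # 65
    print(rsa_decrypt(99, key))                # 96
```

Decrypting 65 returns 130 and encrypting 96 returns 99, so the two exponents really are inverses of each other on this group, which is the property b = a^{-1} mod φ(n) buys. What the block demonstrates is the textbook scheme only: a real deployment pads the message (RSA-OAEP, for instance) before exponentiation, because the raw map x ↦ x^a mod n is deterministic and the same plaintext always gives the same ciphertext.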
Public-Key Cryptography I: Cracking the System
How can we break an RSA protocol? “Simple”: just factor n.
If we have the two factors p and q, we can easily compute φ(n), and since we already have a, we can also easily compute b = a^{−1} modulo φ(n).
Thus, the security of RSA is contingent on the hardness of integer factorization.
Public-Key Cryptography II: Cracking the System
If someone were to come up with a polynomial time algorithm for factorization (or build a feasible quantum computer and use Shor’s Algorithm), breaking RSA may become a trivial matter, though this is not likely.
In practice, large integers, as big as 1024 bits, are used. 2048-bit integers are considered unbreakable by today’s computers; 4096-bit numbers are used by the truly paranoid.