9 Modular Exponentiation and Cryptography



Similar documents
An Introduction to the RSA Encryption Method

Public Key Cryptography: RSA and Lots of Number Theory

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

8 Primes and Modular Arithmetic

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

RSA Encryption. Tom Davis October 10, 2003

The application of prime numbers to RSA encryption

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

The Mathematics of the RSA Public-Key Cryptosystem

Some practice problems for midterm 2

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

CIS 5371 Cryptography. 8. Encryption --

Public Key Cryptography and RSA. Review: Number Theory Basics

Computing exponents modulo a number: Repeated squaring

Applied Cryptography Public Key Algorithms

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

RSA and Primality Testing

CSCE 465 Computer & Network Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Advanced Cryptography

Lecture 13 - Basic Number Theory.

Software Tool for Implementing RSA Algorithm

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

1. The RSA algorithm In this chapter, we ll learn how the RSA algorithm works.

Basic Algorithms In Computer Algebra

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

How To Know If A Message Is From A Person Or A Machine

Maths delivers! A guide for teachers Years 11 and 12. RSA Encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Lukasz Pater CMMS Administrator and Developer

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Overview of Public-Key Cryptography

Elements of Applied Cryptography Public key encryption

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Factoring Algorithms

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Cryptography and Network Security Chapter 9

Applications of Fermat s Little Theorem and Congruences

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Lecture 13: Factoring Integers

Number Theory and Cryptography using PARI/GP

SECURITY IN NETWORKS

A Factoring and Discrete Logarithm based Cryptosystem

MATH 537 (Number Theory) FALL 2016 TENTATIVE SYLLABUS

Cryptography and Network Security

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

8 Divisibility and prime numbers

Notes on Network Security Prof. Hemant K. Soni

Cryptography and Network Security

Math 319 Problem Set #3 Solution 21 February 2002

CS 758: Cryptography / Network Security

Primality Testing and Factorization Methods

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Introduction to Hill cipher

Public-key cryptography RSA

Homework until Test #2

Cryptography: Authentication, Blind Signatures, and Digital Cash

Quotient Rings and Field Extensions

SUM OF TWO SQUARES JAHNAVI BHASKAR

Solutions to Problem Set 1

MATH 13150: Freshman Seminar Unit 10

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptography and Network Security Chapter 8

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Lecture 6 - Cryptography

Hill s Cipher: Linear Algebra in Cryptography

Number Theory and the RSA Public Key Cryptosystem

Lecture 3: One-Way Encryption, RSA Example

Thinking of a (block) cipher as a permutation (depending on the key) on strings of a certain size, we would not want such a permutation to have many

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

CRYPTOGRAPHY IN NETWORK SECURITY

Public Key (asymmetric) Cryptography

7! Cryptographic Techniques! A Brief Introduction

Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

Network Security. HIT Shimrit Tzur-David

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

The science of encryption: prime numbers and mod n arithmetic

Symmetric Key cryptosystem

LUC: A New Public Key System

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

Clock Arithmetic and Modular Systems Clock Arithmetic The introduction to Chapter 4 described a mathematical system

Shor s algorithm and secret sharing

SECTION 10-2 Mathematical Induction

Number Theory: A Mathemythical Approach. Student Resources. Printed Version

K80TTQ1EP-??,VO.L,XU0H5BY,_71ZVPKOE678_X,N2Y-8HI4VS,,6Z28DDW5N7ADY013

A SOFTWARE COMPARISON OF RSA AND ECC

An Introduction to Hill Ciphers Using Linear Algebra

Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Computer Security: Principles and Practice

Transcription:

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system. We consider first an algorithm for calculating modular powers. The modular exponentiation problem is: compute g A mod n, given g, A, and n. The obvious algorithm to compute g A mod n multiplies g together A times. But there is a much faster algorithm to calculate g A mod n, which uses at most 2 log 2 A multiplications. The algorithm uses the fact that one can reduce modulo n at each and every point. For example, that ab mod n = (a mod n) (b mod n) mod n. But the key savings is the insight that g 2B is the square of g B. dexpo(g,a,n) if A = 0 then return 1 else if A odd { z = dexpo(g, A 1, n) return(zg mod n) % uses g A = g g A 1 } else { z = dexpo (g, A/2, n) return(z 2 mod n) % uses g A = (g A/2 ) 2 } c Wayne Goddard, Clemson University, 2013

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 54 Note that the values of g and n are constant throughout the recursion. Further, at least every second turn the value of A is even and therefore is halved. Therefore the depth of recursion is at most 2 log 2 A. We can do a modular exponentiation calculation by hand, by working out the sequence of values of A, and then calculating g A mod n for each of the A, starting with the smallest (which is g 0 = 1). Example 9.1. Calculate 3 12 mod 5. A g A mod n 12 4 2 mod 5 = 1 6 2 2 mod 5 = 1 3 3 4 mod 5 = 2 2 3 2 mod 5 = 4 1 3 1 mod 5 = 3 0 1 For you to do! 1. Use the above algorithm to calculate 4 14 mod 11. 9.2 Modular Theorems We start with a famous theorem called Fermat s Little Theorem. Theorem 9.1 Fermat s little theorem. If p is a prime, then for a with 1 a p 1, a mod p = 1. Proof. Let S be the set { ia mod p : 1 i p 1 }. That is, multiply a by all integers in the range 1 to p 1 and write down the remainders when each is divided by p. Actually, we already looked at this set: it is the row corresponding to a from the multiplication table for p. And in Theorem 8.3 we showed that these values are all distinct. Therefore, S is actually just the set of integers from 1 up to p 1. Now, let A be the product of the elements in S. To avoid ugly formulas, we use x p y to mean x mod p = y mod p. And we use Π-notation, which is the same as Σ-notation except

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 55 that it is the product rather than the sum. By Theorem 8.3 and the above discussion, ((ia) mod p) = i But, we can also factor out the a s: (ia) mod p p a i It follows that i p a i Divide both sides by i 1 i and we get that a p 1; that is, a mod p = 1. The above result is generalized by Euler s Theorem. We will need the following special case: Theorem 9.2 Special case of Euler s theorem. If a and n = pq are relatively prime, with p and q distinct primes, then a φ mod n = 1 where φ = (p 1)(q 1). We omit the proof. Recall that in Exercise 8.16, we defined a square-root of a in Z n as any element b such that b 2 mod n. Note that if b is a square-root, then so is n b (since (n b) 2 = n 2 2nb + b 2 n b 2 n a). In the exercise you had to show that: Lemma 9.3 If n is any prime, then a has at most two square-roots modulo n. We will also need the following result: Lemma 9.4 If n = pq where p and q are distinct primes, and we know the square-roots of c modulo p and q, then we can find the square-roots of c modulo n. Proof. Let a 1, a 2 be the square-roots of c in Z p and let b 1, b 2 be the square-roots of c in Z q, which we know. Further, let x be the square-root of c in Z n. Then if we take x mod p and square it in Z p, we get that x 2 p c. That is, x (or at least its remainder) is a square-root of c in Z p as well. Thus, we have that x p a i and x q b j

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 56 for some i {1, 2} and j {1, 2}. Thus, we need to solve a pair of congruences. For this, we need the Chinese Remainder Theorem, that we omitted in the previous chapter. But there is an algorithm for this. From the theory of Chinese Remainders we get: Theorem 9.5 If p and q are primes, then the solution to the pair of congruences is all integers x such that x p a and x q b x pq qaq 1 + pbp 1 where p 1 is the inverse of p modulo q and q 1 is the inverse of q modulo p. We omit the proof. But that still raises the question of how to compute modular square-roots. Under certain circumstances, this can be done using modular exponentiation. Theorem 9.6 If p is a prime such that p mod 4 = 3, and if a has a square-root modulo p, then the square-roots of a are given by where x means p x. ±a (p+1)/4 mod p Proof. To show that ±a (p+1)/4 is a square-root, simply square it! Say b is one of the square-roots of a. That is, b 2 mod p = a. Then ( ±a (p+1)/4) 2 mod p = a (p+1)/2 mod p = b (p+1) mod p = b () b 2 mod p = b 2 mod p (By Fermat) = a, as required. Example 9.2. Consider square-roots modulo 11. The square-root of 3 is ±3 3 mod 11, which is 5 or 6. Note that the theorem assumed the existence of a square-root. If we blindly exponentiate, things can be wrong: for example, it is not true that the square-roots of 2 modulo 11 are ±2 3 mod 11, which is 8 and 3. So one has to check whether the powers really are squareroots.

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 57 9.3 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and a key and produces ciphertext. Decryption by the receiver takes the ciphertext and a key and produces the plaintext. Ideally, encryption and decryption with the key should be easy, without the key it should be hard. A famous idea is the Caesar cipher. Here the plaintext is written in letters. Then to encrypt it, we choose some small positive integer k, and replaces each letter by the letter k places along in the alphabet, with wrap around. For example, if the plaintext is the phrase WAYNE RULES and k = 4, then the ciphertext is AECRI VYPIW where spaces are left unchanged in this example. In traditional cryptography, the encryption key has to be kept secret, since it is essentially the same as the decryption key. But in public-key cryptography, the two keys are related but in some way that is very difficult to get one from the other. So you can publish the one key and keep secret the other key. Indeed, this has been commercially exploited by RSA cryptosystems, formed by Rivest, Shamir, and Adleman. 9.4 RSA Described Here is the original RSA cryptosystem. This allows Alice to send messages secretly to Bob. (Tradition requires that it is Alice and Bob.) That is, the ciphertext is unintelligible to anyone else. 1. Bob randomly picks two large distinct primes p and q. 2. Bob calculates n = pq and φ = (p 1)(q 1). 3. Bob randomly picks some integer a with 1 a < φ such that a and φ are relatively prime. 4. Bob publishes n and a, and the public encryption function is e(x) = x a mod n. That is, to send message M, Alice calculates and sends M a mod n. 5. Bob uses the Extended Euclidean Algorithm to calculate b = a 1 modulo φ. 6. The decryption function is d(y) = y b mod n. That is, to decrypt message N, Bob calculates N b mod n. Example 9.3. A baby example.

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 58 Take p = 7 and q = 11. Then n = 77 and φ(n) = 6 10 = 60. We need an a less than 60 that is relatively prime to 60; say a = 13. By the Extended Euclidean Algorithm (or a handy-dandy computer), b = 37. If M = 26, then Alice calculates y = 26 13 mod 77 = 75. Bob calculates x = 75 37 mod 77, which equals 26. We now show that RSA really works as a cryptosystem. Theorem 9.7 For all M Z n, d(e(m)) = M. Proof. Well, let me first assume that M and n are relatively prime. Then, using the notation x n y to mean x mod n = y mod n, d(e(m)) n (M a ) b = M cφ+1 for some integer c = (M φ ) c M n M by Theorem 9.2. It can also be shown that the claim is true if M and n do have a common factor. But actually, in that case the cryptosystem has been broken, since then we have found a factor of n. 9.5 Rabin s Public-Key Method A year or so later, Rabin introduced a related idea. 1. Bob chooses two large primes p and q such that pmod4 = q mod4 = 3. He calculates n = pq, and publishes n. 2. If M is Alice s plaintext, she calculates N = M 2 mod n and sends that to Bob. 3. When Bob receives N, Bob calculates the square-roots of N modulo p by evaluating a 1 = N (p+1)/4 mod p and b 1 = N (q+1)/4 mod q The square-roots of N modulo p are a 1 and a 2 = p a 1 and the square-roots of N modulo q are b 1 and b 2 = q b 1.

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 59 4. Bob determines the 4 possibilities for M by using the Chinese Remainder Theorem to solve the four sets of congruences: M p a i and M q b i And hopefully Bob can distinguish the real message from the three options that are garbage. Example 9.4. A baby example. Suppose Bob chooses p = 3 and q = 11. Then n = 33. Suppose Alice s plaintext is 8. Then Alice calculates 8 2 mod 33 = 31. Bob receives N = 31. He first finds a square-root of 31 modulo 3. He applies the above formula. That is, the square-roots are ±31 1 mod 3 = 1, 2. Bob then finds the square-root of 31 modulo 11. Applying the above formula, the square-roots are ±31 3 mod 11 = 3, 8. Then Bob solves four sets of congruences. The first is: M 3 1 and M 11 3. Applying the formula in Theorem 9.5, 3 1 modulo 11 is 4, and 11 1 modulo 3 is 2. Thus M n 11 1 2 + 3 4 3 = 58 n 25. The other sets of congruences are: M 3 1 and M 11 8 which yields M = 19; M 3 2 and M 11 3 which yields M = 14; and M 3 2 and M 11 8 which yields M = 8. Hopefully, it is clear to you that if one can factor quickly, then both RSA and Rabin are breakable. The converse has been shown for Rabin; that is, if you can break Rabin quickly, then you can factor quickly. Exercises 9.1. (a) Compute 2 38 mod 7. (b) Compute 3 29 mod 20. (c) Compute 5 33 mod 13. 9.2. Using the Binomial Theorem (and without using Fermat s Little Theorem), prove that for any odd prime p, it holds that 2 p mod p = 2. 9.3. Let a > 1 be an integer. (a) Show that a k 1 is a multiple a 1 for any positive k. (b) Show that if positive m and n are not relatively prime, then a m 1 and a n 1 are not relatively prime.

9 MODULAR EXPONENTIATION AND CRYPTOGRAPHY 60 (c) Show that if positive m and n are relatively prime, then a m 1 and a n 1 are relatively prime. 9.4. (a) Show that if n = pq for distinct primes p and q, then the number of integers from 1 up to n that are relatively prime to n is (p 1)(q 1). (b) Show that if n = p 2 for prime p, then the number of integers from 1 up to n that are relatively prime to n is p(p 1). (c) Generalize this. Let φ(n) be the number of values in Z n that are relatively prime to n. Develop a formula for φ(n) based on the prime factorization of n. 9.5. Extend Theorem 9.6: prove that if p is a prime such that p mod 4 = 3, then a (p+1)/4 mod p is always the square-root of either a or p a. 9.6. Take p = 5, q = 11 and a = 27 in RSA. Verify that b = 3. If M = 4, what does Alice send? If Bob receives 9, what was M? 9.7. Take p = 11, q = 13 and a = 37 in RSA. Verify that b = 13. If M = 62, what does Alice send? 9.8. Take n = 65 and a = 11 in RSA. Determine b. If M = 2, determine what Alice sends. 9.9. Beth sets up a Rabin system with public key 77. (a) If Alain s plaintext is 10, what does he send? (b) Calculate the square roots of 4 in Z 7 and in Z 11. (c) If Beth receives 4, give at least two possibilities for Alain s plaintext. Solutions to Practice Exercises 1. A g A mod n 14 3 7 5 6 4 3 9 2 5 1 4 0 1

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information