Mathematical Foundations of Public-Key Cryptography

Adam C. Champion and Dong Xuan
CSE 4471: Information Security
Material based on (Stallings, 2006) and (Paar and Pelzl, 2010)

Outline

- Review: Basic Mathematical Foundations
- Group Theory
- Number Theory
- Case Study: RSA Cryptosystem

Review: Sets

- A set $S$ is an unordered collection of similar mathematical objects.
- Duplicate objects are not double counted. Suppose $S_1 = \{1, 2, 3, 4\}$ and $S_2 = \{1, 2, 3, 4, 2\}$. Both sets have four elements.
- Operations:
  - Intersection: $S_1 \cap S_2 = \{s_1, s_2 : s_1 \in S_1 \wedge s_2 \in S_2\}$
  - Union: $S_1 \cup S_2 = \{s_1, s_2 : s_1 \in S_1 \vee s_2 \in S_2\}$
  - Cardinality: $|S|$ = number of elements in $S$
- Well-known sets:
  - $\mathbb{N} = \{1, 2, \ldots\}$
  - $\mathbb{Z} = \{0, \pm 1, \pm 2, \ldots\}$
  - $\mathbb{Q} = \{p/q : p, q \in \mathbb{Z} \wedge q \neq 0\}$
  - $\mathbb{R}$ = {real numbers}
  - $\mathbb{C}$ = {complex numbers}

Review: Relations

- A relation $R$ on sets $S_1, \ldots, S_N$ is a subset of their Cartesian product: $R \subseteq S_1 \times \cdots \times S_N$
- $R$'s arity equals $N$ (binary, n-ary)
- Properties:
  - Reflexive: if for all $s \in S$, $s \, R \, s$
  - Symmetric: if $s_1 \, R \, s_2 \implies s_2 \, R \, s_1$ for all $s_1, s_2 \in S$
  - Transitive: if $s_1 \, R \, s_2 \wedge s_2 \, R \, s_3 \implies s_1 \, R \, s_3$ for all $s_1, s_2, s_3 \in S$
- Equivalence relation: a relation $R$ that is reflexive, symmetric, and transitive

Review: Integer Division

- For an integer divisor $d$, we can write any integer $n$ as $n = d \cdot q + r$, where $r \in [0, \ldots, d - 1]$.
- As $n - r = d \cdot q$, $n \equiv r \pmod{d}$.
- Division by $d$ actually partitions $\mathbb{Z}$ into equivalence classes w.r.t. congruence modulo $d$:
  - Example 1: Odd and even integers, $d = 2$. Every odd integer $n$ can be written as $2 \cdot q + 1$ for some integer $q$. Every even integer $m$ can be written as $2 \cdot q$ for some integer $q$. The equivalence classes are $\{\ldots, -3, -1, 1, 3, \ldots\}$ and $\{\ldots, -4, -2, 0, 2, 4, \ldots\}$.
  - Example 2: $d = 5$. Notice $8 - 3 = 5 \cdot 1$ and $23 - 3 = 5 \cdot 4$, so $23 \equiv 8 \pmod{5}$. Remainders are not unique! What are the equivalence classes?
- See (Knuth, 1997; Paar and Pelzl, 2010) for more details.

Groups I

- A group comprises a set $G$ and an operator $\bullet$, which maps each pair $(a, b)$ (where $a, b \in G$) to $(a \bullet b) \in G$ subject to the following axioms (Stallings, 2006):
  - (A1) Closure: $a, b \in G \implies a \bullet b \in G$;
  - (A2) Associativity: $a \bullet (b \bullet c) = (a \bullet b) \bullet c$ for all $a, b, c \in G$;
  - (A3) Identity element: There is an element $\varepsilon \in G$ such that $a \bullet \varepsilon = \varepsilon \bullet a = a$ for all $a \in G$;
  - (A4) Inverse element: For each $a \in G$, there is an element $a' \in G$ such that $a \bullet a' = a' \bullet a = \varepsilon$.
- Abelian groups obey axiom (A5), commutativity: $a \bullet b = b \bullet a$ for all $a, b \in G$. Not all groups are abelian!
- $\bullet$ refers to any generic operator that obeys axioms (A1)–(A4).

Groups II

- Example group: $S_n$, the set of all possible permutations of $N = \{1, \ldots, n\}$ distinct symbols; $\bullet$ denotes the permutation operation (Stallings, 2006)
- Permuting a permutation of $N$ yields a permutation of $N$, e.g., $\{3, 2, 1\} \bullet \{1, 3, 2\} = \{2, 3, 1\}$ for $n = 3$
- Associativity holds too
- Identity element: $\{1, \ldots, n\}$
- Inverse element: permutation mapping $N$'s current permutation to $\{1, \ldots, n\}$

Rings I

A ring $R$ is an abelian group with addition and multiplication operations $+, \cdot$ satisfying the following axioms (Stallings, 2006):

- (A1)–(A5) Abelian group axioms (closure under addition operator $+$, associativity of addition, existence of identity element $0$, existence of inverse element $-a$)
- (M1) Closure under multiplication: for all $a, b \in R$, $a \cdot b \in R$
- (M2) Associativity of multiplication: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all $a, b, c \in R$
- (M3) Distributive laws: $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ for all $a, b, c \in R$; $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$ for all $a, b, c \in R$.

Rings II

- Commutative rings satisfy axiom (M4), commutativity of multiplication: $a \cdot b = b \cdot a$ for all $a, b \in R$
- Integral domains are commutative rings satisfying the following additional axioms:
  - (M5) Multiplicative identity: There is an element $1 \in R$ such that $a \cdot 1 = 1 \cdot a = a$ for all $a \in R$
  - (M6) No zero divisors: If $a, b \in R$ and $a \cdot b = 0$, then $a = 0$ or $b = 0$

Rings III

- Example: Ring of integers $\mathbb{Z}_m = \{0, \ldots, m - 1\}$ with addition, multiplication operators $+, \cdot$ such that, for $a, b \in \mathbb{Z}_m$ (Paar and Pelzl, 2010):
  - (1) $a + b = c \pmod{m}$ ($c \in \mathbb{Z}_m$);
  - (2) $a \cdot b = d \pmod{m}$ ($d \in \mathbb{Z}_m$).
- If $m = 9$, then $\mathbb{Z}_9 = \{0, 1, 2, 3, 4, 5, 6, 7, 8\}$.
  - $6 + 8 = 14 \equiv 5 \pmod{9}$
  - $6 \cdot 8 = 48 \equiv 3 \pmod{9}$
- Multiplicative inverse exists only for integers $a \in \mathbb{Z}_m$ coprime to $m$. For such integers, $(a \cdot b) \equiv (a \cdot c) \pmod{n} \implies b \equiv c \pmod{n}$.

Fields

A field $F$ is a set of elements with addition and multiplication operations $+, \cdot$ satisfying the following axioms:

- (A1)–(M6) Integral domain axioms
- (M7) Multiplicative inverse: For all $a \in F$ (except 0), there is an element $a^{-1} \in F$ such that $a \cdot a^{-1} = (a^{-1} \cdot a) = 1$.

Examples of fields: rational numbers, real numbers, complex numbers

Primality

- An integer $n$ is prime if and only if $n$ has two divisors: 1 and $n$.
- Example primes: $P = \{2, 3, 5, 7, 11, 13, 17, 19, \ldots\} = \{p_1, p_2, \ldots\}$
- Fundamental Theorem of Arithmetic: Every integer $n > 1$ is either prime or can be written as a unique product of primes. Examples:
  - $7 = 7^1 = 2^0 \cdot 3^0 \cdot 5^0 \cdot 7^1$
  - $60 = 2^2 \cdot 3 \cdot 5 = 2^2 \cdot 3^1 \cdot 5^1 \cdot 7^0$
- More generally,

  $n = p_1^{e_1} p_2^{e_2} \cdots = \prod_{p_i \in P} p_i^{e_i}$, where $e_i \in \{0, 1, 2, \ldots\}$    (1)

Greatest Common Divisor

- The greatest common divisor (GCD) of integers $m$ and $n$ is the largest integer $d$ that divides both $m$ and $n$. Notation: $\gcd(m, n) = d$.
- If $\gcd(m, n) = 1$ for integers $m$ and $n$, then $m$ and $n$ are coprime.
- How do we find the GCD?
  - Small numbers: multiply common prime factors. Example: $m = 84$, $n = 30$. $m = 2^2 \cdot 3 \cdot 7$; $n = 2 \cdot 3 \cdot 5$; $\gcd(m, n) = 2 \cdot 3 = 6$
  - This approach is inefficient for large numbers

Euclid's Algorithm

- Faster algorithm to find GCD, exploits the following theorem: $\gcd(m, n) = \gcd(n, m \bmod n)$ $(m > n)$
- Proof: Let $d = \gcd(m, n)$. As $d \mid m$ and $d \mid n$, we can write $m = d \cdot k$ and $n = d \cdot l$ for coprime integers $k, l$ $(k > l > 0)$. $(k - l)$ and $l$ are coprime too. Then $\gcd(x - y, y) = \gcd(d \cdot (k - l), d \cdot l) = d$.

Algorithm 1 EUCLID(m, n)

    A ← m; B ← n
    while B ≠ 0 do
        R ← A mod B
        A ← B
        B ← R
    return A

Compute gcd(84, 30) and gcd(973, 301).

Extended Euclidean Algorithm

- If $\gcd(m, n) = 1$ for positive integer $m < n$, there is a positive multiplicative inverse modulo $m$, $n^{-1}$, such that $n \cdot n^{-1} = 1 \bmod m$
- Euclidean algorithm can be extended to compute $n^{-1}$ if it exists (and return $\gcd(m, n)$) (Stallings, 2006)

Algorithm 2 EXTENDED EUCLID(m, n)

    (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, n)
    while true do
        if B3 == 0 then return A3    // no inverse
        if B3 == 1 then return B3    // B2 = n^(-1) mod m
        Q = ⌊A3 / B3⌋
        (T1, T2, T3) ← (A1 − Q·B1, A2 − Q·B2, A3 − Q·B3)
        (A1, A2, A3) ← (B1, B2, B3)
        (B1, B2, B3) ← (T1, T2, T3)
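Algorithms 1 and 2 transcribed into Python, as an added example that is not part of the original slides. The function names, the `(gcd, inverse)` return shape, the `m >= 2` check and the reduction of `n` and `B2` modulo `m` are choices made here, not taken from the slides.

```python
def euclid(m, n):
    """Algorithm 1: gcd(m, n) by repeated remainders."""
    a, b = m, n
    while b != 0:
        a, b = b, a % b
    return a


def extended_euclid(m, n):
    """Algorithm 2: return (gcd(m, n), n^-1 mod m).

    The inverse is None when gcd(m, n) != 1, i.e. when n has no
    multiplicative inverse in Z_m.
    """
    if m < 2:
        raise ValueError("modulus m must be at least 2")
    a1, a2, a3 = 1, 0, m
    # Reducing n first lets the routine accept n >= m or negative n.
    b1, b2, b3 = 0, 1, n % m
    # Invariants: m*a1 + n*a2 == a3 and m*b1 + n*b2 == b3 (mod m).
    while True:
        if b3 == 0:
            return a3, None              # a3 is the gcd; no inverse exists
        if b3 == 1:
            return 1, b2 % m             # B2 can be negative: map it into [0, m-1]
        q = a3 // b3                     # Q = floor(A3 / B3)
        t1, t2, t3 = a1 - q * b1, a2 - q * b2, a3 - q * b3
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3


if __name__ == "__main__":
    print(euclid(84, 30), euclid(973, 301))   # the two exercises from the slide
    print(extended_euclid(1759, 550))         # inverse exists
    print(extended_euclid(84, 30))            # gcd > 1, so no inverse
```

The `b2 % m` step matters in practice: the raw B2 is frequently negative, and a private exponent or inverse left negative will break code that expects a value in Z_m.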

Euler's Totient Function I

- Consider the ring $\mathbb{Z}_m = \{0, \ldots, m - 1\}$. We want to find how many integers in $\mathbb{Z}_m$ are coprime to $m$, i.e., $\varphi(m)$.
- Convention: $\varphi(1) = 1$.
- Let's compute $\varphi(5)$ and $\varphi(6)$...

Euler's Totient Function II

- If $m$ is prime, $\varphi(m) = (m - 1)$.
- Otherwise, we need to determine $m$'s (unique) prime factorization to compute $\varphi(m)$.
- Recall Eq. (1): $m = \prod_{p_i \in P} p_i^{e_i}$, where $e_i \in \{0, 1, 2, \ldots\}$.
- Let $\pi$ be the smallest prime larger than $m$ ($\pi$ is the $n$-th prime). Then

  $\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right)$.    (2)

- Let's compute $\varphi(240)$ using Eq. (2)...

More Number Theory Theorems

- Fermat's Little Theorem: Let $a$ be an integer and $p$ be a prime. Then $a^p \equiv a \pmod{p}$.
  - Equivalently, $a^{p-1} \equiv 1 \pmod{p}$.
  - So we can invert $a$ modulo $p$: $a^{-1} \equiv a^{p-2} \pmod{p}$.
- Euler's Theorem: Let $a$ and $m$ be integers such that $\gcd(a, m) = 1$. Then $a^{\varphi(m)} \equiv 1 \pmod{m}$.
- Notice that Euler's Theorem is a generalization of Fermat's Little Theorem (arbitrary modulus).
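An added example (not from the original slides) that computes $\varphi(m)$ from the prime factorization as in Eq. (2), cross-checks it by direct counting, and tests Euler's Theorem and the Fermat inverse. It assumes the product in Eq. (2) runs only over primes with $e_i \ge 1$, since a factor with $e_i = 0$ would contribute $1 - 1/p_i$ rather than 1; all function names are chosen here.

```python
from math import gcd


def factorize(m):
    """Trial division: {prime: exponent} for m > 1 (adequate for small m only)."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                                # leftover prime factor
        factors[m] = factors.get(m, 0) + 1
    return factors


def phi(m):
    """Eq. (2), taking the product over primes that actually divide m."""
    if m == 1:
        return 1                             # convention from the slides
    result = 1
    for p, e in factorize(m).items():
        result *= p**e - p**(e - 1)
    return result


def phi_by_counting(m):
    """Definition: how many elements of Z_m are coprime to m."""
    return sum(1 for a in range(m) if gcd(a, m) == 1)


def euler_holds(m):
    """True if a^phi(m) == 1 (mod m) for every a in Z_m coprime to m."""
    t = phi(m)
    return all(pow(a, t, m) == 1 for a in range(1, m) if gcd(a, m) == 1)


def fermat_inverse(a, p):
    """a^-1 mod p for prime p, via a^(p-2); a must not be a multiple of p."""
    if a % p == 0:
        raise ValueError("a is 0 mod p and has no inverse")
    return pow(a, p - 2, p)


if __name__ == "__main__":
    for m in (5, 6, 240):
        print(m, phi(m), phi_by_counting(m), euler_holds(m))
    print(pow(2, phi(6), 6))   # gcd(2, 6) != 1, so Euler's Theorem does not apply
```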

RSA Cryptosystem

- Widely used public-key (asymmetric) cryptosystem
- Security based on the following: it's easy to multiply large primes, but very hard to factor the product (Paar and Pelzl, 2010)
- Computations in integer ring $\mathbb{Z}_n$, where plaintext $m \in \mathbb{Z}_n$
- RSA Encryption: Given public key $(n, e) = k_{pub}$ and plaintext $m$, the encryption function is

  $c = E_{k_{pub}}(m) \equiv m^e \pmod{n}$,    (3)

  where $x, y \in \mathbb{Z}_n$.
- RSA Decryption: Given private key $(n, d) = k_{priv}$ and ciphertext $c$, the decryption function is

  $m = D_{k_{priv}}(c) \equiv c^d \pmod{n}$,    (4)

  where $x, y \in \mathbb{Z}_n$.

RSA Key Generation

Algorithm 3 RSA KEY GENERATION

    1: Choose two large primes p and q
    2: Compute n ← p · q
    3: Compute ϕ(n) = (p − 1)(q − 1)
    4: Select public exponent e ∈ {1, 2, ..., ϕ(n)} such that gcd(e, ϕ(n)) = 1
    5: Choose private exponent d such that d · e ≡ 1 (mod ϕ(n))

Suppose Alice picks $p = 3$ and $q = 11$ and wants to send $m = 4$ to Bob. How would the RSA scheme work?

RSA in Practice

- This textbook RSA scheme has several weaknesses (Paar and Pelzl, 2010):
  - RSA encryption is deterministic
  - Plaintext values $m = 0$, $m = 1$, $m = -1$ produce the same ciphertext values ($c = 0$, $c = 1$, $c = -1$)
  - Attacks are possible with small plaintext and exponent values
- In practice, RSA encryption is combined with zero padding, salt, and message hash functions to securely transmit messages
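The slide's question ($p = 3$, $q = 11$, $m = 4$) worked through Algorithm 3 and Eqs. (3) and (4), together with two of the textbook weaknesses listed above, as an added example that is not part of the original slides. The choice $e = 3$ and all function names are assumptions made here; the modular inverse uses Python 3.8+ `pow(e, -1, phi_n)`.

```python
from math import gcd


def keygen(p, q, e):
    """Algorithm 3 for given primes p, q and a chosen public exponent e."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if not 1 < e < phi_n or gcd(e, phi_n) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi_n)            # d * e == 1 (mod phi(n))
    return (n, e), (n, d)            # (k_pub, k_priv)


def encrypt(k_pub, m):
    """Eq. (3): c = m^e mod n, with no padding (textbook RSA)."""
    n, e = k_pub
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    return pow(m, e, n)


def decrypt(k_priv, c):
    """Eq. (4): m = c^d mod n."""
    n, d = k_priv
    return pow(c, d, n)


def fixed_points(k_pub):
    """Plaintexts that encrypt to themselves; always includes 0, 1 and n-1."""
    n, e = k_pub
    return [m for m in range(n) if pow(m, e, n) == m]


if __name__ == "__main__":
    k_pub, k_priv = keygen(3, 11, 3)          # toy primes from the slide
    c = encrypt(k_pub, 4)
    print(k_pub, k_priv, c, decrypt(k_priv, c))
    # Deterministic: the same plaintext always yields the same ciphertext,
    # so equal messages are visible as equal ciphertexts.
    print(encrypt(k_pub, 4) == c)
    # n - 1 is the residue of -1, so m = -1 gives c = -1 (mod n).
    print(fixed_points(k_pub))
```

Randomised padding applied before exponentiation removes both effects: equal messages no longer map to equal ciphertexts, and the padded value is no longer 0, 1 or $n - 1$.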

RSA Digital Signatures

- The RSA algorithm can be repurposed for digitally signing a message $m$
- Public key $k_{pub} = (n, d)$, private key $k_{priv} = (n, e)$
- Signing: Compute $s = \mathrm{Sign}_{k_{priv}}(m) \equiv m^d \pmod{n}$
- Verification: Compute $m' = s^e \bmod n$. If $m' \equiv m \pmod{n}$, the signature is valid.

Questions & Comments?

Thank you!

If you find this material interesting, consider taking CSE 5473 (Introduction to Network Security) and/or CSE 5431 (Introduction to Cryptography).

More to explore:

- (Sage Math, 2012) (http://www.sagemath.org)
- Sage-based notes on the RSA cryptosystem (van Nguyen, 2010)
- Free book on number theory (Stein, 2008)

References

- Knuth, D. E. (1997). The Art of Computer Programming, volume 1. Addison-Wesley, 3rd edition.
- Paar, C. and Pelzl, J. (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2nd edition. http://crypto-textbook.com.
- Sage Math (2012). http://www.sagemath.org.
- Stallings, W. (2006). Cryptography and Network Security. Addison-Wesley, 4th edition.
- Stein, W. (2008). Elementary Number Theory: Primes, Congruences, and Secrets. Springer. http://wstein.org/ent/.
- van Nguyen, M. (2010). Number Theory and the RSA Cryptosystem. https://bitbucket.org/mvngu/numtheory-crypto/downloads/numtheory-crypto-1.1.pdf.