computer and network security - PowerPoint PPT Presentation
Slides: 30
Provided by: mattb7
1
computer and network security
  • matt barrie
  • <mattb_at_alumni.stanford.org>

2
introduction to number theory
  • Motivation
  • To understand the security of Diffie-Hellman
  • To understand asymmetric crypto (e.g. RSA)
  • Notation
  • Z: the set of all integers
  • Z^+: the set of all non-negative integers
  • a | b: a divides b, i.e. there exists c ∈ Z such that b = ac
  • -3 | 18, since 18 = (-3)(-6)
  • 173 | 0, since 0 = (173)(0)
  • p, q will be reserved for prime numbers
  • The prime decomposition of n ∈ Z is n = ∏ p_i^(e_i) where e_i ∈ Z^+
  • in other words, n = p_1^(e_1) p_2^(e_2) p_3^(e_3) ... p_k^(e_k) (note e_i can be zero)

3
groups
  • A group (G, ∗) consists of a set G with a binary operation ∗ on G satisfying:
  • The group operation is associative, i.e. a ∗ (b ∗ c) = (a ∗ b) ∗ c
  • There is an element 1 ∈ G called the identity element:
  • a ∗ 1 = 1 ∗ a = a for all a ∈ G
  • For each element a ∈ G, there exists an element a^-1 ∈ G, called the inverse of a, such that a ∗ a^-1 = a^-1 ∗ a = 1
  • A group is commutative if furthermore
  • a ∗ b = b ∗ a for all a, b ∈ G
  • Example: the set of integers Z with addition forms a group
  • The identity element is 0 and the inverse of a is -a

4
rings
  • A ring (R, +, ×) consists of a set R with two binary operations, arbitrarily denoted + (addition) and × (multiplication), on R where:
  • (R, +) is a commutative group
  • The operation × is associative, i.e. a × (b × c) = (a × b) × c
  • There is a multiplicative identity denoted 1, with 1 ≠ 0, such that 1 × a = a × 1 = a for all a ∈ R
  • The operation × is distributive over +, that is
  • a × (b + c) = (a × b) + (a × c) and
  • (b + c) × a = (b × a) + (c × a)
  • The ring is a commutative ring if
  • a × b = b × a for all a, b ∈ R
  • Example: the set of integers Z with addition and multiplication forms a commutative ring

5
fields
  • A field is a commutative ring in which all non-zero elements have inverses.
  • Fact: Z_p is only a field if p is a prime number.
  • For example, Z_n = {0, 1, ..., n-1} where n is a composite (product of two primes) is not a field (it is a ring).
  • e.g. Z_6 = {0, 1, 2, 3, 4, 5}
  • 2 × 3 ≡ 0 (mod 6)
  • 2^-1 does not exist, so Z_6 is not a field
  • there is no element e such that 2 × e ≡ 1 (mod 6)

6
gcd, lcm
  • The greatest common divisor, gcd(a, b), of a, b ∈ Z is the largest possible integer d such that d | a and d | b.
  • e.g. gcd(12, 18) = 6
  • The least common multiple, lcm(a, b), of a, b ∈ Z is the smallest integer m such that a | m and b | m.
  • e.g. lcm(12, 18) = 36
  • In terms of prime factors, if a = ∏ p_i^(d_i) and b = ∏ p_i^(e_i) then
  • gcd(a, b) = p_1^min(d_1,e_1) p_2^min(d_2,e_2) ... p_k^min(d_k,e_k) = ∏ p_i^min(d_i,e_i)
  • lcm(a, b) = p_1^max(d_1,e_1) p_2^max(d_2,e_2) ... p_k^max(d_k,e_k) = ∏ p_i^max(d_i,e_i)

7
euclidean algorithm
  • Suppose we wish to find gcd(a, b) with a ≥ b
  • Algorithm
  • while b ≠ 0 do
  • set r ← a mod b, a ← b, b ← r
  • return a
  • Example: gcd(4864, 3458)
  • 4864 = 1 · 3458 + 1406
  • 3458 = 2 · 1406 + 646
  • 1406 = 2 · 646 + 114
  • 646 = 5 · 114 + 76
  • 114 = 1 · 76 + 38
  • 76 = 2 · 38 + 0
  • Hence gcd(4864, 3458) = 38

8
extended euclidean algorithm
  • EEA: extended to find u, v such that gcd(a, b) = ua + vb
  • Algorithm
  • INPUT: two non-negative integers a, b with a ≥ b
  • OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d
  • (1) If b = 0 then set d ← a, x ← 1, y ← 0 and return (d, x, y)
  • (2) Set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1
  • (3) While b > 0 do
  • q ← ⌊a/b⌋, r ← a - qb, x ← x2 - qx1, y ← y2 - qy1
  • a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1 ← y
  • (4) Set d ← a, x ← x2, y ← y2 and return (d, x, y)

9
finite fields, Zn and Zp
  • Again, Z_p = {0, ..., p-1} where p is prime is called a field
  • In a field we can add, multiply, take inverses, and the commutative and distributive laws hold.
  • If a and b are integers, then a is said to be congruent to b mod p if p divides (a - b), i.e. p | (a - b)
  • a ≡ b (mod p)
  • We can say b is a residue of a (mod p)
  • The inverse of a ∈ Z is b ∈ Z such that
  • ab ≡ 1 (mod p)
  • We can find a^-1 by noting that gcd(a, p) = 1, since p is prime.

10
inverses
  • So by the Extended Euclidean Algorithm (EEA) we can find u, v such that
  • ua + vp = 1
  • therefore ua = 1 - vp
  • i.e. ua ≡ 1 (mod p)
  • so u (mod p) = a^-1 ∈ Z_p
  • Again, Z_n = {0, 1, ..., n-1} where n is a composite (product of two or more primes) is a ring.
  • If a ∈ Z_n is such that gcd(a, n) = 1, then we say a is relatively prime to n. Then, by the EEA, there exists u ∈ Z (the inverse) where
  • ua ≡ 1 (mod n)
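The Euclidean algorithm of slide 7, the extended Euclidean algorithm of slide 8 and the EEA-based inverse of slide 10, as an added Python example (my own code, not the presenter's). `gcd_trace`, `extended_gcd` and `mod_inverse` are names I chose; `extended_gcd` keeps the slide's step numbering and its x1, x2, y1, y2 bookkeeping.

```python
# Added example: Euclidean algorithm (slide 7), extended Euclidean algorithm
# (slide 8) and the inverse in Z_n via the EEA (slide 10). Names are mine.


def gcd(a, b):
    """Slide 7: while b != 0 do r <- a mod b, a <- b, b <- r; return a."""
    while b != 0:
        a, b = b, a % b
    return a


def gcd_trace(a, b):
    """The division steps a = q*b + r, laid out as for gcd(4864, 3458)."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))      # reads as: a = q . b + r
        a, b = b, r
    return steps


def extended_gcd(a, b):
    """Slide 8: returns (d, x, y) with d = gcd(a, b) and a*x + b*y = d.
    Expects a >= b >= 0, as the slide's INPUT line requires."""
    if b == 0:                                    # step (1)
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1                   # step (2)
    while b > 0:                                  # step (3)
        q = a // b
        r = a - q * b
        x = x2 - q * x1
        y = y2 - q * y1
        a, b = b, r
        x2, x1 = x1, x
        y2, y1 = y1, y
    return a, x2, y2                              # step (4)


def mod_inverse(a, n):
    """Slide 10: gcd(a, n) = 1 gives u*a + v*n = 1 via the EEA, so u mod n
    is a^-1. Raises ValueError when gcd(a, n) != 1, i.e. no inverse exists."""
    a %= n
    d, v, u = extended_gcd(n, a)   # n*v + a*u = d, with n >= a as required
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return u % n


if __name__ == "__main__":
    for a, q, b, r in gcd_trace(4864, 3458):
        print(f"{a} = {q} . {b} + {r}")
    print("gcd =", gcd(4864, 3458))
    d, x, y = extended_gcd(4864, 3458)
    print(f"{d} = {x} * 4864 + {y} * 3458")
    print("5^-1 mod 7 =", mod_inverse(5, 7))
```

`mod_inverse` calls `extended_gcd(n, a)` rather than `extended_gcd(a, n)` so that the first argument is the larger one, as the slide's algorithm assumes; the coefficient of a then comes back in the third position.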

11
Z_n^*, φ(n)
  • Define Z_n^* = {a ∈ Z_n | gcd(a, n) = 1}
  • i.e. all the integers of Z_n relatively prime to n (n is composite)
  • otherwise known as the reduced set of residues (mod n)
  • in other words, all the elements which have inverses
  • Since 0 ∉ Z_n^*, Z_n^* forms a multiplicative group:
  • a, b ∈ Z_n^* implies ab ∈ Z_n^*
  • a ∈ Z_n^* implies a^-1 ∈ Z_n^*
  • We define Euler's ("Oiler") totient function φ(n) as the number of elements in this set Z_n^*
  • If p is prime, then φ(p) = p - 1
  • If gcd(m, n) = 1, then φ(mn) = φ(m) · φ(n)

12
finding inverses with eulers theorem
  • Euler's theorem states that for any a ∈ Z_n^*
  • (a is relatively prime to n)
  • a^φ(n) ≡ 1 (mod n)
  • This is Euler's generalisation of Fermat's little theorem:
  • If p is prime and a is a positive integer not divisible by p then
  • a^(p-1) ≡ 1 (mod p)
  • Now finding an inverse a^-1 mod n is easy:
  • x = a^(φ(n)-1) mod n
  • Example: what is the inverse of 5 (mod 7)?
  • Since 7 is prime, φ(n) = 7 - 1 = 6
  • x = 5^(6-1) mod 7 = 5^5 mod 7 = 3
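Z_n^* and φ(n) computed straight from the definition on slide 11, Euler's theorem from slide 12 checked over every element of Z_n^*, the inverse found as a^(φ(n)-1) mod n, and the Z_6 non-field observation from slide 5, as an added Python example (my own code, not the presenter's; `units`, `phi`, `zn_is_field`, `euler_theorem_holds` and `inverse_by_euler` are my names).

```python
# Added example: Z_n^* and phi(n) by definition (slide 11), Euler's theorem
# (slide 12) and the inverse a^(phi(n)-1) mod n. Function names are mine.
from math import gcd


def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}: the reduced set of residues mod n."""
    return [a for a in range(n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient phi(n) = |Z_n^*|, found by counting (fine for small n)."""
    return len(units(n))


def zn_is_field(n):
    """Slide 5: Z_n is a field iff every non-zero element is invertible,
    i.e. Z_n^* = {1, ..., n-1}; this holds exactly when n is prime."""
    return n > 1 and len(units(n)) == n - 1


def euler_theorem_holds(n):
    """Slide 12: a^phi(n) = 1 (mod n) for every a in Z_n^*."""
    e = phi(n)
    return all(pow(a, e, n) == 1 for a in units(n))


def inverse_by_euler(a, n):
    """Slide 12: a^-1 = a^(phi(n)-1) mod n, valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*, so it has no inverse")
    return pow(a, phi(n) - 1, n)


if __name__ == "__main__":
    print("Z_6^* =", units(6), " Z_6 a field?", zn_is_field(6))
    print("phi(7) =", phi(7), " phi(15) =", phi(15),
          "= phi(3) * phi(5) =", phi(3) * phi(5))
    print("5^-1 mod 7 =", inverse_by_euler(5, 7))
```

Counting units is only sensible for slide-sized n; for a real modulus φ(n) comes from the factorisation (φ(pq) = (p-1)(q-1)), which is exactly why φ(n) stays secret when n is an RSA modulus.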

13
order, generators
  • An element a ∈ Z_n^* has order d if d is the smallest positive integer such that
  • a^d ≡ 1 (mod n)
  • It may be that all of the elements in Z_n^* can be obtained as powers of a single element g, called the generator or primitive element of Z_n^*:
  • Z_n^* = {1, g, g^2, ..., g^(φ(n)-1)} = <g>
  • If it has a generator, we say Z_n^* is a cyclic group.
  • It may be shown that Z_n^* is a cyclic group if and only if n = 2, 4, p^a, 2p^a for odd primes p

14
exponentiation in Zn
  • Can be done efficiently with repeat-and-square
  • Algorithm
  • INPUT: a ∈ Z_n and integer 0 ≤ k < n
  • (where k is t bits in binary, k = Σ_{i=0}^{t} k_i 2^i)
  • OUTPUT: a^k mod n
  • (1) b ← 1. If k = 0 then return (b)
  • (2) A ← a
  • (3) If k_0 = 1 then b ← a
  • (4) for i = 1 .. t do
  • A ← A^2 mod n
  • if k_i = 1 then b ← A · b mod n
  • (5) return b
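Slide 14's repeat-and-square algorithm as an added Python example (my own code, not the presenter's), following its five numbered steps and scanning k from the least significant bit k_0 upwards; `repeat_and_square` and `exp_trace` are my names, and `exp_trace` returns the per-bit state so the one-squaring-per-bit behaviour can be seen.

```python
# Added example: slide 14's repeat-and-square exponentiation, step by step.
# Function names are mine.


def repeat_and_square(a, k, n):
    """Return a^k mod n using the five steps of slide 14."""
    b = 1                                   # (1) b <- 1
    if k == 0:
        return b % n                        #     if k = 0 then return b
    A = a % n                               # (2) A <- a
    bits = [(k >> i) & 1 for i in range(k.bit_length())]   # k_0 ... k_t
    if bits[0] == 1:                        # (3) if k_0 = 1 then b <- a
        b = A
    for i in range(1, len(bits)):           # (4) for i = 1 .. t
        A = A * A % n                       #     A <- A^2 mod n
        if bits[i] == 1:
            b = A * b % n                   #     if k_i = 1 then b <- A . b mod n
    return b                                # (5) return b


def exp_trace(a, k, n):
    """Same computation, returning (i, k_i, A, b) after each bit: one squaring
    per bit of k and a multiplication only where the bit is 1, so a t-bit k
    costs about t squarings and at most t multiplications."""
    trace = []
    b = 1
    A = a % n
    bits = [(k >> i) & 1 for i in range(k.bit_length())]
    if bits and bits[0] == 1:
        b = A
    trace.append((0, bits[0] if bits else 0, A, b))
    for i in range(1, len(bits)):
        A = A * A % n
        if bits[i] == 1:
            b = A * b % n
        trace.append((i, bits[i], A, b))
    return trace


if __name__ == "__main__":
    for row in exp_trace(5, 5, 7):
        print("i=%d k_i=%d A=%d b=%d" % row)
    print("5^5 mod 7 =", repeat_and_square(5, 5, 7))
```

Note that the running time depends only on the bit length of k, not on the size of a^k, because every intermediate value is reduced mod n.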

15
quadratic residues
  • Does y^2 ≡ x (mod p) have a solution?
  • By calculus, we know it has 0 or 2 solutions (in a field)
  • Example
  • y^2 ≡ 3 (mod 7) has no solution
  • y^2 ≡ 3 (mod 11) has solutions y = ±5, i.e. y ≡ 5 or 6 (mod 11)
  • Define x a quadratic residue (QR) if y^2 ≡ x (mod p) has a solution
  • By Euler's theorem, x is a QR mod p if and only if
  • x^((p-1)/2) ≡ 1 (mod p)
  • Solving y^2 ≡ x (mod n) where n is composite is computationally equivalent to factoring n.

16
QR proof I
  • Suppose x is a QR, then there exists y such that
  • y^2 ≡ x (mod p)
  • Raising both sides to (p-1)/2 we get
  • y^(p-1) ≡ x^((p-1)/2) (mod p)
  • But from Fermat's little theorem,
  • y^(p-1) ≡ 1 (mod p)
  • So
  • x^((p-1)/2) ≡ 1 (mod p)

17
QR proof II
  • Now to prove the reverse, suppose
  • x^((p-1)/2) ≡ 1 (mod p)
  • Let x = g^a where g is a generator, Z_p^* = <g>
  • (note g can always be found)
  • g^(a(p-1)/2) = g^((p-1)a/2) (mod p)
  • = 1^(a/2) (mod p)
  • = 1 (mod p)
  • Since g has order p - 1, this means (p - 1) | (p - 1)a/2, so a/2 must be an integer
  • Therefore 2 | a, which implies y = g^(a/2) is a solution
  • Hence x is a QR (mod p)
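Euler's criterion from slide 15 and the square roots the proofs on slides 16 and 17 promise, as an added Python example (my own code, not the presenter's). `is_quadratic_residue`, `sqrt_mod_prime` and `residues` are my names; the closed-form root x^((p+1)/4) for p ≡ 3 (mod 4) is a standard shortcut that the slides do not mention, and for other primes the example simply searches, which is adequate for slide-sized p.

```python
# Added example: Euler's criterion (slide 15) and square roots mod a prime
# (slides 16-17). p must be an odd prime and x in Z_p^*. Names are mine.


def is_quadratic_residue(x, p):
    """x^((p-1)/2) = 1 (mod p) exactly when y^2 = x (mod p) has a solution."""
    x %= p
    if x == 0:
        raise ValueError("x must be in Z_p^*")
    return pow(x, (p - 1) // 2, p) == 1


def sqrt_mod_prime(x, p):
    """Return the two roots (y, p-y) of y^2 = x (mod p), or None for a
    non-residue. For p = 3 (mod 4), y = x^((p+1)/4) works because
    y^2 = x^((p+1)/2) = x * x^((p-1)/2) = x * 1 by Euler's criterion.
    For p = 1 (mod 4) this example just searches (fine for small p)."""
    x %= p
    if not is_quadratic_residue(x, p):
        return None
    if p % 4 == 3:
        y = pow(x, (p + 1) // 4, p)
    else:
        y = next(v for v in range(1, p) if v * v % p == x)
    return tuple(sorted((y, p - y)))


def residues(p):
    """All QRs in Z_p^*: exactly (p-1)/2 of them, since y and -y square to
    the same value (the '0 or 2 solutions' remark on slide 15)."""
    return sorted({y * y % p for y in range(1, p)})


if __name__ == "__main__":
    print("3 mod 7  ->", sqrt_mod_prime(3, 7))
    print("3 mod 11 ->", sqrt_mod_prime(3, 11))
    print("QRs mod 11:", residues(11))
```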

18
summary computing in Zp
  • Let p be a large prime (300 digits or 1024 bits).
  • The following are easy to do in Z_p:
  • Generate a random element.
  • Addition and multiplication.
  • Computing g^r mod p, even if r is large.
  • Inverting an element.
  • Solving linear systems.
  • Testing if an element is a QR and computing its root if it is.
  • Solving polynomial equations of degree d in time polynomial in d.
  • Problems believed to be hard:
  • Let g be a generator of Z_p^*. Given x ∈ Z_p^*, find r such that x = g^r mod p.
  • This is known as the discrete log problem.

19
summary computing in Zn
  • Let n be a large composite (1024 bits) which is a product of two primes (512 bits).
  • The following are easy to do in Z_n:
  • Generating a random element.
  • Addition and multiplication.
  • Computing g^r mod n, even if r is large.
  • Inverting an element.
  • Solving linear systems.
  • Problems believed to be hard if the factorisation of n is unknown:
  • Finding prime factors of n.
  • Testing if an element is a QR in Z_n.
  • Computing the square root (as hard as factoring n).
  • Solving polynomial equations of degree d.

20
summary computing in Zn
  • Problems believed to be hard in Z_n^*:
  • Let g be a generator of Z_n^*.
  • Given x ∈ Z_n^*, find r such that x = g^r mod n.
  • This is known as the discrete log problem.
  • Let g be a generator of Z_n^*.
  • Given x, y ∈ Z_n^* where x = g^a and y = g^b, find g^ab.
  • This is known as the Diffie-Hellman problem.

21
discrete log problem revisited
  • Given:
  • Consider the finite field Z_p, with Z_p^* = <g>
  • Let g ∈ Z_p^* be the generator, i.e. Z_p^* = {g, g^2, ..., g^(p-1)}
  • g^(p-1) = 1 mod p
  • The discrete log problem asks how to find r given g^r
  • Example: Z_11^* = {1, 2, 3, ..., 10}
  • Consider
  • g = 2, g^2 = 4, g^3 = 8, g^4 = 5, g^5 = 10 = -1
  • g^6 = 9, g^7 = 7, g^8 = 3, g^9 = 6, g^10 = 1 (thus 2 is a generator)
  • Now consider
  • g = 3, 3^2 = 9, 3^3 = 5, 3^4 = 4, 3^5 = 1
  • thus 3 is not a generator of Z_11^*: it has order 5, not order 10
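The order and generator definitions of slide 13, run over the Z_11^* example of slide 21, as an added Python example (my own code, not the presenter's; `order`, `powers`, `is_generator` and `generators` are my names).

```python
# Added example: order of an element and generators of Z_n^* (slide 13),
# reproducing the Z_11^* computations of slide 21. Names are mine.
from math import gcd


def order(a, n):
    """Smallest d >= 1 with a^d = 1 (mod n); defined only for a in Z_n^*,
    where the powers of a are guaranteed to return to 1."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    d, x = 1, a % n
    while x != 1:
        x = x * a % n
        d += 1
    return d


def powers(g, p):
    """g, g^2, g^3, ... mod p, up to and including the first power equal to 1."""
    if gcd(g, p) != 1:
        raise ValueError(f"{g} is not in Z_{p}^*")
    seq, x = [], g % p
    while True:
        seq.append(x)
        if x == 1:
            return seq
        x = x * g % p


def is_generator(g, p):
    """For prime p, g generates Z_p^* iff its order is p - 1 = phi(p)."""
    return order(g, p) == p - 1


def generators(p):
    """Every generator (primitive element) of Z_p^* for prime p."""
    return [g for g in range(1, p) if is_generator(g, p)]


if __name__ == "__main__":
    print("powers of 2 mod 11:", powers(2, 11))
    print("powers of 3 mod 11:", powers(3, 11), "-> order", order(3, 11))
    print("generators of Z_11^*:", generators(11))
```

Checking the order of g is the practical point here: a Diffie-Hellman parameter set whose g has small order (like 3 mod 11 above, order 5) only ever produces a handful of shared secrets, so parameter validation should confirm that g generates a large group.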

22
diffie-hellman key exchange
  Alice ------ p, g, g^a (mod p) ------> Bob
  Alice <----- g^b (mod p) ------------- Bob
  Alice computes g^ab (mod p)        Bob computes g^ab (mod p)
  Eve ???  Only knows p, g, g^a, g^b
23
diffie-hellman key exchange
  • Protocol
  • Consider the finite field Z_p, with Z_p^* = <g>
  • Let g ∈ Z_p^* be the generator, i.e. Z_p^* = {g^0, g, g^2, ..., g^(p-1)}
  • g^(p-1) = 1 mod p
  • g and p are public information
  • (1) Alice: Alice chooses a random large integer a ∈ Z_p
  • (2) Alice → Bob: Alice sends Bob g^a (mod p)
  • (3) Bob: Bob chooses a random large integer b ∈ Z_p
  • (4) Bob → Alice: Bob sends Alice g^b (mod p)
  • (5) Alice and Bob compute g^ab
  • Alice computes (g^b)^a = g^ab (mod p)
  • Bob computes (g^a)^b = g^ab (mod p)
  • => Alice and Bob now share the secret g^ab
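The exchange of slides 22 and 23 played through with both parties' messages, as an added Python example (my own code, not the presenter's). The parameters p = 11, g = 2 are the toy group from slide 21, constructed here for tracing only; `dh_keypair`, `check_public_value` and `run_exchange` are my names, and the public-value check (reject 0, 1 and p-1, which lie outside Z_p^* or generate a subgroup of at most two elements) is a standard receiver-side check that the slides do not mention.

```python
# Added example: the Diffie-Hellman exchange of slides 22-23 with both sides'
# messages, on the constructed toy group Z_11^*, g = 2 (slide 21). A real
# deployment uses a prime of at least 2048 bits. Names are mine.
import secrets


def check_public_value(value, p):
    """Accept only 1 < value < p-1: 0 is not in Z_p^*, and 1 and p-1 have
    order 1 and 2, so a peer sending them would pin the shared secret to
    one of at most two values regardless of the exponent you chose."""
    if not 1 < value < p - 1:
        raise ValueError(f"invalid public value {value}")
    return value


def dh_keypair(p, g, private=None):
    """Pick a private exponent in [1, p-2] (or use the one given) and return
    (private, g^private mod p), retrying if the public value would be rejected."""
    while True:
        x = private if private is not None else 1 + secrets.randbelow(p - 2)
        public = pow(g, x, p)
        if private is not None or 1 < public < p - 1:
            return x, public


def run_exchange(p, g, a=None, b=None):
    """Steps (1)-(5) of slide 23. Returns what each party ends up with and
    the only values an eavesdropper on the wire gets to see."""
    a, A = dh_keypair(p, g, a)            # (1) Alice picks a, computes g^a
    b, B = dh_keypair(p, g, b)            # (3) Bob picks b, computes g^b
    eve_sees = (p, g, A, B)               # (2),(4): A and B cross the wire
    k_alice = pow(check_public_value(B, p), a, p)   # (5) Alice: (g^b)^a
    k_bob = pow(check_public_value(A, p), b, p)     # (5) Bob:   (g^a)^b
    return {"alice": k_alice, "bob": k_bob, "eve_sees": eve_sees}


if __name__ == "__main__":
    print(run_exchange(11, 2, a=3, b=7))   # fixed exponents for a readable trace
    print(run_exchange(113, 3))            # random exponents, generator 3 of Z_113^*
```

With a = 3 and b = 7 Alice sends 2^3 = 8, Bob sends 2^7 mod 11 = 7, and both arrive at 2^21 mod 11 = 2; Eve holds (11, 2, 8, 7) and, per slide 24, needs to solve the Diffie-Hellman problem to get that 2.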

24
strength of diffie-hellman
  • The strength of Diffie-Hellman is based upon two issues:
  • given p, g, g^a, it is difficult to calculate a (the discrete logarithm problem)
  • given p, g, g^a, g^b, it is difficult to calculate g^ab (the Diffie-Hellman problem)
  • we know that solving DL lets us solve DH (DL ⇒ DH), but it is not known if DH ⇒ DL
  • Essentially, the strength of the system is based on the difficulty of factoring numbers the same size as p.

25
attacks on discrete log
  • Question
  • Given G = <g>, g^n = 1, y = g^a where 1 ≤ a ≤ n-1
  • Find a = log_g(y)
  • Most obvious algorithm: exhaustive search
  • Algorithm
  • Compute g, g^2, g^3, ... until we find g^a = y (i.e. a)
  • Problem
  • computation is O(n)
  • i.e. slow

26
attacks on discrete log
  • Question
  • Find a = log_g(y)
  • Baby-step giant-step (square root) algorithm
  • A time-memory tradeoff of the exhaustive search method.
  • Algorithm
  • Let m = ⌊√n⌋
  • Create a table containing (j, g^j) for j = 0 .. m-1
  • Sort the table by g^j
  • Compute g^-m
  • Set γ = y
  • for i = 0 .. m-1
  • 1. if γ is in the table then break
  • 2. Else set γ ← γ · g^-m and loop
  • output a = j + im

27
example of baby-step giant-step
  • Let p = 113; g = 3 is a generator of Z_113^* of order n = 112
  • Question: Find log_3 57
  • Set m ← ⌊√112⌋ = 11
  • Baby step: table of (j, 3^j mod 113), sorted by 3^j mod 113
        j            0   1   8   2   5   9   3   7   6   10  4
        3^j mod 113  1   3   7   9   17  21  27  40  51  63  81
  • Now g^-1 = 3^-1 mod 113 = 38, as (38 · 3) ≡ 1 mod 113
  • So g^-m = 38^11 mod 113 = 58
  • Giant step: next γ = y · g^-mi for i = 0, 1, 2, ...
        i                  0   1   2    3   4    5   6   7   8   9
        γ = 57 · 58^i mod 113  57  29  100  37  112  55  26  39  2   3
  • Since y · g^-9m = 3 is in the table (g^1),
  • we output a = j + im = 1 + 9 · 11 = 100, i.e. 57 = 3^100 or log_3 57 = 100
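Exhaustive search (slide 25) beside baby-step giant-step (slides 26 to 28), reproducing the log_3 57 computation of slide 27, as an added Python example (my own code, not the presenter's). `dlog_exhaustive`, `dlog_bsgs`, `baby_table` and `bsgs_trace` are my names; a dictionary keyed by g^j replaces the slide's sorted table, and m is taken as ⌈√n⌉, which gives the m = 11 the slide uses for n = 112. Reproducing the slide's attack on its own 7-bit toy group is what shows why group sizes are chosen so that √n work is out of reach.

```python
# Added example: exhaustive search (slide 25) and baby-step giant-step
# (slides 26-28) for log_g(y) in a group of order n, checked against the
# slide 27 example log_3 57 = 100 in Z_113^*. Names are mine.
from math import isqrt


def dlog_exhaustive(g, y, n, p):
    """Compute g, g^2, g^3, ... mod p until g^a = y: O(n) multiplications."""
    y %= p
    x = 1
    for a in range(1, n):
        x = x * g % p
        if x == y:
            return a
    return None


def baby_table(g, m, p):
    """The baby steps: g^j -> j for j = 0 .. m-1 (a dict stands in for the
    sorted table, giving O(1) lookups)."""
    table, x = {}, 1
    for j in range(m):
        table.setdefault(x, j)
        x = x * g % p
    return table


def dlog_bsgs(g, y, n, p):
    """Baby-step giant-step: O(sqrt(n)) time and O(sqrt(n)) storage."""
    m = isqrt(n - 1) + 1                  # ceil(sqrt(n))
    baby = baby_table(g, m, p)
    g_inv_m = pow(g, -m, p)               # g^-m (needs Python 3.8+ for negative exponent)
    gamma = y % p
    for i in range(m):                    # the giant steps
        if gamma in baby:
            return baby[gamma] + i * m    # a = j + i*m
        gamma = gamma * g_inv_m % p
    return None


def bsgs_trace(g, y, n, p):
    """The same run laid out as the two tables on slide 27."""
    m = isqrt(n - 1) + 1
    baby = baby_table(g, m, p)
    g_inv_m = pow(g, -m, p)
    giant, gamma = [], y % p
    for i in range(m):
        giant.append(gamma)
        if gamma in baby:
            break
        gamma = gamma * g_inv_m % p
    return {"m": m, "baby": sorted(baby.items()), "g_inv_m": g_inv_m, "giant": giant}


if __name__ == "__main__":
    t = bsgs_trace(3, 57, 112, 113)
    print("m =", t["m"], " g^-m =", t["g_inv_m"])
    print("baby (3^j, j):", t["baby"])
    print("giant gammas :", t["giant"])
    print("log_3 57 =", dlog_bsgs(3, 57, 112, 113), "=", dlog_exhaustive(3, 57, 112, 113))
```

`dlog_exhaustive` touches up to n group elements while `dlog_bsgs` touches about 2√n; for n = 112 that is 100 multiplications against 22, and for a 2048-bit p the second figure is still around 2^1024, which is the margin the parameter sizes on slide 18 are chosen to provide.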

28
attacks on discrete log
  • Baby-step giant-step is a time-memory tradeoff of the exhaustive search method (which is obviously O(n)).
  • Requires O(√n) storage for group elements
  • Requires O(√n) multiplications to construct
  • Requires O(√n log n) to sort the table
  • Loop takes O(√n) multiplications and O(√n) table lookups
  • Under the assumption that group multiplication takes longer than log n comparisons:
  • the running time complexity of baby-step giant-step is O(√n)
  • the storage complexity is O(√n)
  • Pollard-rho is another, more efficient attack on DL.

29
references
  • Handbook of Applied Cryptography
  • read 1, 2-2.4.4, 2.5-2.5.3
  • Stallings
  • 7