Cryptographic Algorithms and Protocols - PowerPoint PPT Presentation

1
Cryptographic Algorithms and Protocols
  • Text Book: William Stallings
  • Lecture Notes: Adapted from those of Lawrie Brown
  • Lecturers: Professor Frances Yao, Professor Xiaotie Deng
  • Department of Computer Science
  • City University of Hong Kong

2
Chapter 8 Introduction to Number Theory
  • The Devil said to Daniel Webster: "Set me a task
    I can't carry out, and I'll give you anything in
    the world you ask for."
  • Daniel Webster: "Fair enough. Prove that for n
    greater than 2, the equation $a^n + b^n = c^n$ has no
    non-trivial solution in the integers."
  • They agreed on a three-day period for the labor,
    and the Devil disappeared.
  • At the end of three days, the Devil presented
    himself, haggard, jumpy, biting his lip. Daniel
    Webster said to him, "Well, how did you do at my
    task? Did you prove the theorem?"
  • "Eh? No . . . no, I haven't proved it."
  • "Then I can have whatever I ask for? Money? The
    Presidency?"
  • "What? Oh, that - of course. But listen! If we
    could just prove the following two lemmas"
  • The Mathematical Magpie, Clifton Fadiman

3
Prime Numbers
  • Prime numbers only have divisors of 1 and self
  • they cannot be written as a product of other
    numbers
  • note: 1 is prime, but is generally not of
    interest
  • eg. 2, 3, 5, 7 are prime; 4, 6, 8, 9, 10 are not
  • Prime numbers are central to number theory
  • List of prime numbers less than 200:
  • 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
    61 67 71 73 79 83 89 97 101 103 107 109 113 127
    131 137 139 149 151 157 163 167 173 179 181 191
    193 197 199

4
Prime Factorisation
  • To factor a number n is to write it as a product
    of other numbers: $n = a \times b \times c$
  • Note that factoring a number is relatively hard
    compared to multiplying the factors together to
    generate the number
  • The prime factorisation of a number n is when it is
    written as a product of primes
  • eg. $91 = 7 \times 13$; $3600 = 2^4 \times 3^2 \times 5^2$

5
Relatively Prime Numbers & GCD
  • Two numbers a, b are relatively prime if they have no
    common divisors apart from 1
  • eg. 8 and 15 are relatively prime since the factors of
    8 are 1, 2, 4, 8 and of 15 are 1, 3, 5, 15, and 1 is the
    only common factor
  • Conversely, their greatest common divisor can be
    obtained by comparing their prime factorizations
    and using least powers
  • eg. $300 = 2^1 \times 3^1 \times 5^2$, $18 = 2^1 \times 3^2$, hence
    $\mathrm{GCD}(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$

6
Fermat's Theorem
  • $a^{p-1} \bmod p = 1$
  • where p is prime and $\gcd(a, p) = 1$
  • also known as Fermat's Little Theorem
  • useful in public key and primality testing

7
Reduced set of residues mod n
  • Complete set of residues is 0..n-1
  • Reduced set of residues consists of numbers
    (residues) which are relatively prime to n
  • eg. for n = 10,
  • complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
  • reduced set of residues is {1, 3, 7, 9}
  • Denoted by $Z_n^* = \{k : \gcd(k, n) = 1,\ 0 < k < n\}$
  • The number of elements in the reduced set of residues
    is called the Euler Totient Function $\phi(n)$

8
The Multiplicative Group $Z_n^*$
  • $Z_n^* = \{k : \gcd(k, n) = 1,\ 1 \le k < n\}$
  • For any positive integer n, $Z_n^*$ forms a group
    under multiplication modulo n.
  • If $\gcd(a, n) = \gcd(b, n) = 1$, then
  • $\gcd(ab, n) = \gcd(a, n) \times \gcd(b, n) = 1 \times 1 = 1$.
  • 1 is the identity element.
  • $(Z_n^*, \times)$ forms a group.
  • From group theory:
  • For any $a \in Z_n^*$, $a^{\phi(n)} \equiv 1 \pmod n$ since $\phi(n) = |Z_n^*|$

9
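Euler Totient Function $\phi(n)$
  • Euler's Totient Function $\phi$ is defined by
  • $\phi(2) = |\{1\}| = 1$
  • $\phi(3) = |\{1, 2\}| = 2$
  • $\phi(4) = |\{1, 3\}| = 2$
  • $\phi(5) = |\{1, 2, 3, 4\}| = 4$
  • $\phi(6) = |\{1, 5\}| = 2$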

10
Euler's Theorem
  • $a^{\phi(n)} \bmod n = 1$
  • where $\gcd(a, n) = 1$
  • eg.
  • $a = 3$; $n = 10$; $\phi(10) = 4$
  • hence $3^4 = 81 = 1 \bmod 10$
  • $a = 2$; $n = 11$; $\phi(11) = 10$
  • hence $2^{10} = 1024 = 1 \bmod 11$

11
Euler Totient Function $\phi(n)$
  • In general we need the prime factorization to
    calculate $\phi(n)$
  • for p (p prime): $\phi(p) = p - 1$
  • for p.q (p, q prime): $\phi(p.q) = (p-1)(q-1)$
  • eg.
  • $\phi(37) = 36$
  • $\phi(21) = (3-1) \times (7-1) = 2 \times 6 = 12$

12
RSA function and its inverse
  • $\mathrm{RSA}(n, e, x) = c = x^e \bmod n$, where
  • $n = pq$, here p and q are two equal-length, randomly
    selected prime numbers
  • $\gcd(e, \phi(n)) = 1$. Note that $\phi(n) = \phi(p)\,\phi(q) = (p-1)(q-1)$.
  • If we know $\phi(n)$,
  • then we can calculate the inverse d of e
  • such that $de \equiv 1 \pmod{\phi(n)}$.
  • Then we can calculate the inverse
  • $\mathrm{RSA}^{-1}(n, d, c) = c^d = (x^e)^d = x^{de} = x^{k\phi(n)+1} = x \pmod n$.
  • If we don't know $\phi(n)$, it is unknown how to find
    the inverse fast.

13
Primality Testing
  • We often need to find large prime numbers
  • Traditionally sieve using trial division
  • ie. divide by each number (primes) less than the
    square root of the number
  • only works for small numbers
  • Alternatively can use statistical primality tests
    based on properties of primes
  • for which all prime numbers satisfy the property
  • but some composite numbers, called pseudo-primes,
    also satisfy the property

14
Theorem of Miller Rabin
  • If n is a prime, then
  • Find integers k, q, k > 0, q odd,
  • so that $n - 1 = 2^k q$
  • For any random integer a, $1 < a < n - 1$
  • either
  • $a^q \bmod n = 1$
  • or
  • for some j from 0 to k − 1
  • $a^{2^j q} \bmod n = n - 1$

15
The Idea of Miller Rabin
  • Based on Fermat's Theorem: $a^{n-1} \bmod n = 1$ for any
    number a and any prime n.
  • We only need to consider the case where n is odd since
    there is only one prime which is even.
  • There are two integers k and q
  • k > 0,
  • q odd
  • $n - 1 = 2^k q$

16
Example
  • n = 13
  • There are two integers k and q
  • k > 0,
  • q odd
  • $n - 1 = 2^k q$
  • $n - 1 = 4 \times 3$
  • k = 2
  • q = 3

17
The Idea of Miller Rabin
  • Since $n - 1 = 2^k q$ and $a^{n-1} \bmod n = 1$,
  • Consider $a^q, a^{2q}, \ldots, a^{n-1}$
  • There must be a smallest index i such that
  • $0 \le i \le k$
  • $t = 2^i$
  • $a^{tq} \equiv 1 \pmod n$
  • (note: in the worst case i = k)

18
The Idea of Miller Rabin
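  • Consider a = 4
  • Then
  • $a^q = 4^3 = 16 \times 4 = 3 \times 4 = 12 \pmod{13}$
  • $a^{2q} = 4^6 = 12^2 = (-1)^2 = 1 \pmod{13}$
  • There must be a smallest index i such that
  • $a = 4$, $q = 3$, $i = 1$, $t = 2^i$
  • $a^{tq} = 4^{2 \times 3} = 1 \pmod{13}$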

19
The Idea of Miller Rabin
  • i is the smallest index i
  • $0 \le i \le k$
  • $t = 2^i$
  • $a^{tq} \equiv 1 \pmod n$
  • If i = 0,
  • $a^q \equiv 1 \pmod n$

20
The Idea of Miller Rabin
  • i is the smallest index i
  • $0 \le i \le k$
  • $t = 2^i$
  • $a^{tq} \equiv 1 \pmod n$
  • By the choice of t (here, we consider the case
    i > 0)
  • Let s = t/2. Then $a^{sq} \pmod n$ is not 1
  • n does not divide $(a^{sq} - 1)$
  • n divides $a^{tq} - 1 = (a^{sq} - 1)(a^{sq} + 1)$
  • Since n is a prime and divides $a^{tq} - 1 = (a^{sq} - 1)(a^{sq} + 1)$,
    n must divide either $(a^{sq} - 1)$ or $(a^{sq} + 1)$

21
The Idea of Miller Rabin
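  • i = 1 is the smallest integer such that
  • For $a = 4$, $q = 3$, $i = 1$, $t = 2^i$
  • $a^{tq} = 4^{2 \times 3} = 1 \pmod{13}$
  • By the choice of t
  • Let s = t/2 = 1. $a^{sq} = 4^{1 \times 3} \pmod n$ is −1, not 1
  • n = 13 does not divide $(a^{sq} - 1) = 63$
  • n divides $a^{tq} - 1 = (a^{sq} - 1)(a^{sq} + 1) = 63 \times 65$
  • Since n = 13 is a prime and divides
    $a^{tq} - 1 = (a^{sq} - 1)(a^{sq} + 1)$, n must divide either
    $(a^{sq} - 1) = 63$ or $(a^{sq} + 1) = 65$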

22
The Idea of Miller Rabin
  • From
  • n does not divide $(a^{sq} - 1)$
  • n must divide either $(a^{sq} - 1)$ or $(a^{sq} + 1)$
  • It follows that
  • n must divide $(a^{sq} + 1)$
  • $a^{sq} \equiv -1 \pmod n \equiv n - 1 \pmod n$

23
The Idea of Miller Rabin
  • From
  • n does not divide $(a^{sq} - 1) = 63$
  • n must divide either $(a^{sq} - 1) = 63$ or $(a^{sq} + 1) = 65$
  • It follows that
  • n must divide $(a^{sq} + 1) = 65$
  • $a^{sq} = 64 \equiv -1 \pmod{13} \equiv 12 \pmod{13}$

24
Theorem of Miller Rabin
  • If n is a prime, then
  • Find integers k, q, k > 0, q odd,
  • so that $n - 1 = 2^k q$
  • For any random integer a, $1 < a < n - 1$
  • either
  • $a^q \bmod n = 1$
  • or
  • for some j from 0 to k − 1
  • $a^{2^j q} \bmod n = n - 1$

25
Miller Rabin Algorithm
  • a test based on Fermat's Theorem
  • algorithm is:
  • TEST (n) is:
  • 1. Find integers k, q, k > 0, q odd, so that
    $n - 1 = 2^k q$
  • 2. Select a random integer a, $1 < a < n - 1$
  • 3. if $a^q \bmod n = 1$ then return ("maybe prime")
  • 4. for j = 0 to k − 1 do
  • 5. if ($a^{2^j q} \bmod n = n - 1$)
  • then return ("maybe prime")
  • 6. return ("composite")

26
Probabilistic Considerations
  • if Miller-Rabin returns "composite" the number is
    definitely not prime
  • otherwise it is a prime or a pseudo-prime
  • chance it detects a pseudo-prime is < ¼
  • Advanced self-study topic: Why?
  • hence if we repeat the test with different random a then
    the chance n is prime after t tests is
  • Pr(n prime after t tests) = $1 - 4^{-t}$
  • eg. for t = 10 this probability is > 0.99999

27
A recent deterministic primality test
  • An Efficient Algorithm by Three Indians
  • M. Agrawal, N. Kayal, and N. Saxena,
  • 6 August 2002
  • Readings:
  • http://mathworld.wolfram.com/news/2002-08-07/primetest/

28
Prime Distribution
  • Prime number theorem states that primes occur
    roughly every (ln n) integers
  • Since we can immediately ignore evens and
    multiples of 5, in practice we only need to test 0.4
    ln(n) numbers of size n before locating a prime
  • It is therefore easy on average to find a
    prime number (takes time polynomial in the input
    size)
  • But sometimes primes are close together, at other
    times are quite far apart

29
Chinese Remainder Theorem
  • Used to speed up modulo computations
  • Working modulo a product of numbers
  • eg. mod $M = m_1 m_2 \cdots m_k$
  • where $\gcd(m_i, m_j) = 1$ for each pair i, j
  • Chinese Remainder theorem lets us work in each
    modulus $m_i$ separately

30
Chinese Remainder Theorem
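  • Let
  • $a_i \equiv A \pmod{m_i}$, $i = 1, 2, \ldots, k$
  • $b_i \equiv B \pmod{m_i}$, $i = 1, 2, \ldots, k$
  • Then, $a_i + b_i \equiv A + B \pmod{m_i}$, $i = 1, 2, \ldots, k$ and
  • $a_i b_i \equiv A B \pmod{m_i}$, $i = 1, 2, \ldots, k$
  • $a_i - b_i \equiv A - B \pmod{m_i}$, $i = 1, 2, \ldots, k$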

31
Chinese Remainder Theorem
  • In addition, given a set
  • $0 < a_i < m_i$, $i = 1, 2, \ldots, k$
  • There exists a unique A, $0 < A < M$, such that
  • $a_i \equiv A \pmod{m_i}$, $i = 1, 2, \ldots, k$

32
Chinese Remainder Theorem
  • Let
  • $M_i = M / m_i$
  • $c_i = M_i \times (M_i^{-1} \bmod m_i)$
  • Then
  • $A \equiv \sum_{i=1}^{k} a_i c_i \pmod M$
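
An added worked example (not from the original slides) that ties the reconstruction formula above to the RSA function and its inverse from slide 12: `crt` uses the $c_i = M_i \times (M_i^{-1} \bmod m_i)$ coefficients, and the RSA inverse is computed modulo p and q separately and then recombined. The primes 61 and 53, e = 17 and the message 65 are constructed toy values, and the function names are illustrative.

```python
from math import gcd

def crt(residues, moduli):
    """Recover A mod M from a_i = A mod m_i, with c_i = M_i * (M_i^-1 mod m_i)."""
    M = 1
    for m in moduli:
        M *= m
    A = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        # pow(x, -1, m) needs Python 3.8+; it raises ValueError when the
        # moduli are not pairwise relatively prime (no inverse exists).
        c_i = M_i * pow(M_i, -1, m_i)
        A += a_i * c_i
    return A % M

def rsa_private_exponent(p, q, e):
    """Inverse d of e modulo phi(n) = (p-1)(q-1); requires knowing p and q."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return pow(e, -1, phi)

def rsa(n, e, x):
    """RSA(n, e, x) = x**e mod n."""
    return pow(x, e, n)

def rsa_inverse_crt(p, q, d, c):
    """c**d mod pq, working modulo p and q separately and recombining."""
    x_p = pow(c % p, d % (p - 1), p)   # exponent reduced by Fermat's theorem
    x_q = pow(c % q, d % (q - 1), q)
    return crt([x_p, x_q], [p, q])

if __name__ == "__main__":
    p, q, e, x = 61, 53, 17, 65        # constructed toy values
    d = rsa_private_exponent(p, q, e)
    c = rsa(p * q, e, x)
    print(d, c, rsa_inverse_crt(p, q, d, c), pow(c, d, p * q))
    print(crt([2, 3, 2], [3, 5, 7]))
```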

33
Primitive Roots
  • From Euler's theorem, $a^{\phi(n)} \bmod n = 1$, if $\gcd(a, n) = 1$
  • Thus, $a^m \equiv 1 \pmod n$ for $m = \phi(n)$, but m may be smaller
  • once powers reach m, the cycle will repeat
  • If the smallest is $m = \phi(n)$ then
  • a is called a primitive root
  • If p is prime, then successive powers of a
    "generate" the group mod p
  • Primitive roots are useful but relatively hard to
    find

34
Discrete Logarithms or Indices
  • the inverse problem to exponentiation is to find
    the discrete logarithm of a number modulo p
  • that is, to find x where $a^x = b \bmod p$
  • written as $x = \log_a b \bmod p$ or $x = \mathrm{ind}_{a,p}(b)$
  • if a is a primitive root then x always exists,
    otherwise it may not
  • $x = \log_3 4 \bmod 13$ (x s.t. $3^x = 4 \bmod 13$) has no
    answer
  • $x = \log_2 3 \bmod 13 = 4$ by trying successive powers
  • whilst exponentiation is relatively easy, finding
    discrete logarithms is generally a hard problem
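
An added worked example (not from the original slides) covering the last two slides: it finds the order of a modulo a prime p, checks whether a is a primitive root, and solves the discrete logarithm by trying successive powers, reproducing the two mod-13 cases above. It goes beyond the slides with baby-step giant-step, a standard generic method that needs about √p multiplications instead of p; the function names are illustrative.

```python
from math import isqrt

def order(a, p):
    """Smallest m > 0 with a**m mod p == 1 (p prime, a not divisible by p)."""
    m, x = 1, a % p
    while x != 1:
        x = x * a % p
        m += 1
    return m

def is_primitive_root(a, p):
    """a is a primitive root mod prime p when its order is phi(p) = p - 1."""
    return order(a, p) == p - 1

def dlog_trial(a, b, p):
    """Try successive powers a**0, a**1, ...; None if b is never reached."""
    x = 1
    for exponent in range(order(a, p)):   # powers repeat after the order
        if x == b % p:
            return exponent
        x = x * a % p
    return None

def dlog_bsgs(a, b, p):
    """Baby-step giant-step: write x = i*m + j and match a**j with b * a**(-i*m)."""
    m = isqrt(p - 1) + 1
    baby, x = {}, 1
    for j in range(m):                    # baby steps: a**j for j < m
        baby.setdefault(x, j)             # keep the smallest j per value
        x = x * a % p
    step = pow(a, -m, p)                  # a**(-m) mod p (Python 3.8+)
    y = b % p
    for i in range(m):                    # giant steps: b * a**(-i*m)
        if y in baby:
            return i * m + baby[y]
        y = y * step % p
    return None

if __name__ == "__main__":
    print(order(2, 13), is_primitive_root(2, 13))    # 2 generates all of Z_13^*
    print(order(3, 13), is_primitive_root(3, 13))    # powers of 3: 3, 9, 1
    print(dlog_trial(2, 3, 13), dlog_trial(3, 4, 13))
    p = 2**31 - 1                                    # a known Mersenne prime
    target = pow(7, 123456789, p)                    # constructed instance
    print(dlog_bsgs(7, target, p))
```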

35
Summary
  • have considered
  • prime numbers
  • Fermat's and Euler's Theorems
  • Primality Testing
  • Chinese Remainder Theorem
  • Discrete Logarithms