sign in sign up
<<
Home , Division algorithm

EE 418 Network Security and Lecture #4 October 11, 2016

Polyalphabetic Classical cryptosystems. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle

Outline:

1. Review: The Affine Cipher 2. The Euclidean 3. The Vigen`ereCipher

1 Review: The Affine Cipher

Last week, we introduced several classical cryptosystems, and among them the Affine Cipher, The idea of the affine cipher is to first scale and then to shift, which is known as the affine transformation.

y = eK (x) = (ax + b) mod 26, (1) −1 dK (y) = a (y − b) mod 26. (2)

In this scheme, the pair (a, b) denotes the cryptographic key K used for encryption/decryption. Here we need to know which pairs (a, b) are valid keys that yield an injective encryption function, and we need to know a−1, the modular of a, for decryption.

1.1 Decryption with Affine Cipher Given the modular multiplicative inverse, the congruence y ≡ ax+b (mod 26) can be solved for x as follows:

ax ≡ y − b (mod 26) (3) a−1(ax) ≡ a−1(y − b) (mod 26) (4) a−1(ax) ≡ (a−1a)x ≡ 1x ≡ x (mod 26) (5) x = a−1(y − b) (mod 26) (6)

1.2 Problem with the Choice of a

We have shown that not all choices of a have a multiplicative inverse. In order to examine when they do, we first reviewed a concept of the .

Definition 1. Given two integers a and b, the greatest common divisor of a and b (denoted gcd (a, b)) is equal to the largest integer c that divides both a and b.

We have then stated the following two theorems.

Theorem 1. An integer a has an inverse (mod m) if and only if there exist numbers p and q such that

ap + qm = 1 (mod m) (7)

Theorem 2. If gcd(a, m) = 1 then ax ≡ y (mod m) has a unique solution.

1 Example: Given m = 26, for a = 13 we have gcd(13, 26) = 13 6= 1. Also if a = 2 then gcd(2, 26) = 2.

But for a = 9, gcd(9, 26) = 1 and hence the affine cipher works. Similarly for a = 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25 we have gcd(a, 26) = 1. Hence, a can take a total of 12 values with unique inverses in Z26, and b can take any of the 26 values in Z26. Therefore the key space is limited to 12 × 26 = 312 values for K, and a brute force attack (exhaustive search is possible).

Today we focus on the following question: given an integer a, how do we find its modular multiplicative inverse (mod m)? To answer this question, we need to refresh our memory about Euclidean .

2 Background: The (s)

The modular multiplicative inverse of an integer a ∈ Zm can be found using either an extended Euclidean Algorithm, or the Direct method. We will first review the basic Euclid’s algorithm for finding the greatest common divisor (gcd) between two integers a, b, with the assumption a > b. We will then present the extended Euclidean algorithm that helps us find the a−1 under modulo arithmetic with base b. Lemma 1. Let a and b be integers. There exists a unique integer d satisfying the following properties: 1. d|a and d|b 2. If c is another integer such that c|a and c|b, then c|d. d is defined to be the greatest common divisor (gcd) of a and b. The Euclidean algorithm can be used to find the gcd of two integers. This algorithm finds the gcd through repeated integer . First, r0 = a is divided by r1 = b and the r2 is found. In the next step, r1 = b is divided by r2 and the remainder r3 is found. The process continues until the remainder of rm−1 divided by rm is zero. The gcd(a, b) = gcd(r0, r1) is the last non-zero divisor, namely rm. The steps of the are as follows:

r0 = q1r1 + r2

r1 = q2r2 + r3

r2 = q3r3 + r4 ······

rm−2 = qm−1rm−1 + rm

rm−1 = qmrm

The terms ri are the at each step of the equations. The terms qi are the quotients. Now consider the equation ri = qi+1ri+1 + ri+2. The relationship between the divisor ri+1 and the remainder ri+2 is given by 0 ≤ ri+2 < ri+1. We also assumed that r0 > r1. Hence, we can write r0 > r1 > r2 > ··· rm.

Example: Let a = 87 and b = 24. Then we have:

87 = 3(24) + 15 24 = 1(15) + 9 15 = 1(9) + 6 9 = 1(6) + 3 6 = 2(3)

Therefore gcd (87, 24) = 3.

2 EUCLIDEAN ALGORITHM Input: Positive integers a and b Output: Greatest common divisor d of a and b r0 ← a r1 ← b m ← 1 while rm 6= 0 rm−1 qm ← b c rm rm+1 ← rm−1 − qmrm m ← m + 1 end while m ← m − 1 d ← rm−1 return d

Fig. 1. The Euclidean algorithm. Finds the greatest common divisor of a and b, where a > b.

Some Properties of the Euclidean Algorithm

1. Algorithm terminates in finite steps. 2. rm is the gcd(a, b) = gcd(r0, r1).

Proof: The remainder sequence ri is non-negative and monotonically decreasing. The first term r0 is finite. Since each remainder is integer, the difference between any two adjacent remainders is at least one. Hence, the sequence must reach the limit value of 0 in finite steps. In the worst case, it will take r0 steps to terminate. To show that rm is the gcd(a, b), let’s denote d = gcd(a, b). Then d|a, d|b. Hence d|r2. In addition, since d|r1, d|r2, and r1 = q2r2 + r3, we can conclude d|r3. By induction, let’s assume that d|ri for all values of i < j. Then rj−2 = qj−1rj−1 + rj implies that d|rj. Hence, by induction, d divides all the remainders. In particular, d|rm, the last non-zero divisor. On the other hand, rm|rm−1 at the last step. Looking up one step above the last step, we have rm−2 = qm−1rm−1 + rm. Since rm divides the right hand side, rm|rm−2. Continuing this way up, by induction, let’s assume that rm|rm−l for l < j. Then looking at rm−j = qm−(j−1)rm−(j−1) + rm−(j−2), the right hand side is divisible by rm. Hence, rm|rm−j. Therefore, by induction, we have that rm|b and rm|a. Hence, rm is a common divisor of a, b. Since d=gcd(a,b), by definition, rm|d. We now have rm|d and d|rm. Hence, d = rm = gcd(a, b).

When the gcd(a, b) = 1, the Euclidean algorithm also allows us to find the multiplicative inverse of a under modulo b. The following lemma is key to finding the inverses.

Lemma 2. Let a and b be positive integers, and let d = gcd (a, b). Then there exist integers x and y such that ax + by = d (8)

Question: Suppose we have such integers x and y. How can we use them to find the inverse of a modulo b?

Answer: We have seen that a has an inverse mod b if and only if gcd (a, b) = 1. By Lemma 2, there exist x and y such that ax + by = 1 (9) Then we can write 1 − ax = by, which is the same as b|(ax − 1). Finally, by definition:

ax ≡ 1 (mod b) (10)

Thus, if we can find x and y satisfying Eq. (9), we can invert a modulo b. The algorithm for finding x and y is called the extended Euclidean algorithm:

3 EXTENDED EUCLIDEAN ALGORITHM Input: Positive integers a and b Output: Integers r, s, and t such that r = gcd (a, b) and sa + tb = r a0 ← a b0 ← b t0 ← 0 t ← 1 s0 ← 1 s ← 0 q ← b a0 c b0 r ← a0 − qb0 while r > 0 temp ← t0 − qt t0 ← t t ← temp temp ← s0 − qs s0 ← s s ← temp a0 ← b0 b0 ← r q ← b a0 c b0 r ← a0 − qb0 end while r ← b0 return (r, s, t)

Fig. 2. The extended Euclidean algorithm.

Example: Let a = 7, m = 26. Find a−1 mod m. First, let’s look at the Euclidean algorithm.

26 = 3(7) + 5 (11) 7 = 1(5) + 2 (12) 5 = 2(2) + 1 (13)

Now, let’s rewrite the last equation to put the gcd (which is 1) on to the left-hand side of the equation.

1 = 5 − 2(2) (14)

From Eq. (13), we have: 2 = 7 − 5 (15) Substituting Eq. (15) into Eq. (14) yields

1 = 5 − 2(7 − 5) = 3(5) − 2(7) (16)

We’re almost there; the last step is to use Eq. (12), as follows:

5 = 26 − 3(7) (17)

so that 1 = 3(26 − 3(7)) − 2(7) = 3(26) − 11(7) (18) And so 7−1 mod 26 = −11 mod 26 = 15 mod 26.

Example 2: Let a = 9, m = 26. Find a−1 mod m.

4 Again, let’s first look at the Euclidean algorithm.

26 = 2(9) + 8 (19) 9 = 1(8) + 1 (20) 8 = 8(1) (21) (22)

Now, let’s rewrite the last equation to put the gcd (which is 1) on to the left-hand side of the equation.

1 = 9 − 1(8) (23)

From Eq. (19), we have: 8 = 26 − 2(9) (24) Substituting equation (24) into equation (23), we get:

1 = 9 − 1{26 − 2(9)} = 3(9) − 26 (25)

From equation (25), it follows that modular multiplicative inverse of a = 9 is a−1 = 3 in m = 26 arithmetic.

The math behind the computation of x, y, has its own update equations as shown below. The main statement is the following:

Lemma 3. Let r0 = a and r1 = b be positive integers, and let d = gcd (a, b). If the sequences ri, i > 1 satisfy the division algorithm such that ri−2 = qi−1ri−1 + ri, Then there exist integers xi and yi such that

axi + byi = ri. (26)

The logical proof goes via induction as follows: We know from r0 = q1r1 +r2 that r2 = r0 −q1r1 = a−q1b. Similarly, from r1 = q2r2 + r3, we have r3 = r1 − q2r2 = b − q2(a − q1b) = (1 + q1q2)b − q2a. Hence, letting x2 = 1, y2 = −q1, x3 = −q2, y3 = (1 + q1q2), we have r2 = ax2 + by2 and r3 = ax3 + by3. Let this be true for all values of i < j. Then we can write rj = rj−2 − qj−1rj−1. But by induction, we then have rj = (axj−2 + byj−2) − qj−1(axj−1 + byj−1) leading to rj = a(xj−2 − qj−1xj−1) + b(yj−2 − qj−1yj−1). Letting xj = xj−2 − qj−1xj−1 and yj = yj−2 − qj−1yj−1 leads to rj = axj + byj. Hence by induction, at the final step of the division algorithm, we have rm = d = gcd(a, b) = axm + bym. Setting the final values to x = xm and y = ym leads to d = ax + by as desired.

2.1 The Vigen`ereCipher The Vigen`erecipher is the first polyalphabetic cryptosystem that we are encountering in this course. A polyalphabetic cryptosystem is a cryptosystem where multiple alphabetic characters are encrypted at a time. In other words, each plaintext element is equivalent to m alphabetic characters. The idea behind this cryptosystem is to use a vector of m keys, i.e., K = (K1,K2, .., Km). m m P = C = K = (Z26) where (Z26) is an m-tuple:

y = eK (x1, x2, .., xm) = (x1 + K1, x2 + K2, .., xm + Km) mod 26, (27)

dK (y1, y2, .., ym) = (y1 − K1, y2 − K2, .., ym − Km) mod 26. (28)

Note: The difference between the Vigen`erecipher and the shift, substitution, and affine ciphers is that in the Vigen`erecipher each alphabetic character is not uniquely mapped to another alphabetic character.

Example Let the plaintext be vector, and let m = 4, K = (2, 4, 6, 7). From the correspondence table we have x = (21, 4, 2, 19, 14, 17), and the cipher is shown in Table 2.1. To decrypt, we use the same keyword, but modulo subtraction is performed instead of modulo addition. The number of possible keywords of length m is 26m, so even for small m an exhaustive search attack requires a long time.

5 PLAINTEXT: 21 4 2 19 14 17 KEY: 2 4 6 7 2 4 CIPHER: 23 8 8 0 16 21 XIIA QV

Sources for Today’s Lecture:

1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p. 1–21 and 26–27. 2. Wade Trappe and Lawrence C. Washington Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p. 1–26 and 59–74. 3. Neil Daswani, Christoph Kern, and Anita Kesavan Foundations of Security, What Every Programmer Needs to Know. Apress, 2007, p. 203–221.

6