RSA and Public Key Cryptography
Chester Rebeiro IIT Madras
CR STINSON : chapter 5, 6 Ciphers
• Symmetric Algorithms – Encryp on and Decryp on use the same key
– i.e. KE = KD – Examples: • Block Ciphers : DES, AES, PRESENT, etc. • Stream Ciphers : A5, Grain, etc. • Asymmetric Algorithms – Encryp on and Decryp on keys are different
– KE ≠ KD – Examples: • RSA • ECC
CR 2 Asymmetric Key Algorithms
KE KD
untrusted communica on link Alice E D Bob #%AR3Xf34^$ “A ack at Dawn!!” Plaintext encryp on (ciphertext) decryp on “A ack at Dawn!!”
The Key K is a secret
Encryp on Key KE not same as decryp on key KD Advantage : No need of secure KE known as Bob’s public key; K is Bob’s private key key exchange between Alice and D Bob
Asymmetric key algorithms based on trapdoor one-way func ons
CR 3 One Way Func ons
• Easy to compute in one direc on • Once done, it is difficult to inverse
Press to lock Once locked it is (can be easily done) difficult to unlock without a key
CR 4 Trapdoor One Way Func on
• One way func on with a trapdoor • Trapdoor is a special func on that if possessed can be used to easily invert the one way
trapdoor
Locked (difficult to unlock) Easily Unlocked
CR 5 Public Key Cryptography (An Anology) • Alice puts message into box and locks it • Only Bob, who has the key to the lock can open it and read the message
CR 6 Mathema cal Trapdoor One way func ons • Examples – Integer Factoriza on (in NP, maybe NP-complete) • Given P, Q are two primes • and N = P * Q – It is easy to compute N – However given N it is difficult to factorize into P and Q • Used in cryptosystems like RSA – Discrete Log Problem (in NP) • Consider b and g are elements in a finite group and bk = g, for some k • Given b and k it is easy to compute g • Given b and g it is difficult to determine k • Used in cryptosystems like Diffie-Hellman • A variant used in ECC based crypto-systems
CR 7 Applica ons of Public key Cryptography • Encryp on • Digital Signature : “Is this message really from Alice?” • Alice signs by ‘encryp ng’ with private key • Anyone can verify signature by ‘decryp ng’ with Alice’s public key • Why it works? – Only Alice, who owns the private key could have signed
CR 8 Applica ons of Public key
Cryptography Diffie-Hellman Key Exchange • Key Establishment : “Alice and Bob want to use a block cipher for encryp on. How do they agree upon the secret key”
Alice and Bob agree upon a prime p and a generator g. This is public information
choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p
B A Compute K = Ba mod p Compute K = Ab mod p
b a b b a a A mod p = (g ) mod p = (g ) mod p = B mod p
CR 9 RSA
Shamir, Rivest, Adleman (1977)
CR 10 More Number Theory
Mathema cal Background
CR 11 RSA : Key Genera on
Bob first creates a pair of keys (one public the other private)
1. Generatetwolargeprimes p,q ( p ≠ q) 2.Computen = p× q and φ(n) = ( p −1)(q −1) 3. Choosea randomb (1< b < φ(n))and gcd(b,φ(n)) =1 4.Computea = b−1 mod(φ(n))
Given the private key it is easy to Bob's public key is(n,b) compute the public key Bob's private key is( p,q,a) Given the public key it is difficult to derive the private key
CR 12 RSA Encryp on & Decryp on
Encryption Decryption
b eK (x) = y = x mod n a dK (x) = y mod n where x∈ Zn
CR 13 RSA Example
1. Take twoprimesp = 653and q = 877 2. n = 653×877 = 572681; φ(n) = 652×876 = 571152 3. Choose public key b =13; note that gcd(13,571152) =1 4. Privatekey a = 395413 =13-1 mod571152
Message x =12345 encryption : y =1234513 mod572681 ≡ 536754 decryption : x = 536754395413 mod 572681 ≡12345
CR 14 Correctness
when x ∈ Zn and gcd(x,n) =1
Encryption Decryption b eK (x) = y = x mod n d (x) = ya mod n where x∈ Zn K y a ≡ (xb )a mod n ab ≡1modϕ(n) ab 1 t (n) ab − = ϕ ≡(x ) mod n ab = tϕ(n) +1 ≡(xtφ (n)+1) mod n From Fermat’s theorem ≡ (xtφ (n) x) mod n ≡ x CR 15 Correctness
when x∈ Zn and gcd(x,n) ≠ 1 Since n = pq,gcd(x,n) = p or gcd(x,n) = q Assumegcd(n, x) = p If =▹ p | x =▹ pk = x x xab mod p ≡ LHS : x mod p ≡ pk mod p ≡ 0 ab x ≡ x mod q RHS : xab mod p ≡ 0 ab =▹ x ≡ x mod n ∵gcd( p, x) = pitimpliesgcd(q, x) =1 (by CRT ) xab mod q ≡ xtφ (n)+1 mod q ≡ xtφ ( p)φ (q)+1 mod q ≡ (xφ (q) )tϕ ( p) ⋅ x mod q tϕ ( p) CR ≡ (1) ⋅ x mod q ≡ x 16 RSA Implementa on
y = xc mod n
i ei z 4 1 12* x = x 3 0 x2 4 5 c = 23 = (10111)2 2 1 x * x = x 1 1 X10 * x = x11 0 1 x22 * x = x23
CR 17 RSA Implementa on in So ware (Mul -precision Arithme c) • RSA requires arithme c in 1024 or 2048 bit numbers • Modern processors have ALUs that are 8, 16, 32, 64 bit – Typically can perform arithme c on 8/16/32/64 bit numbers • solu on: mul -precision arithme c (gmp library)
base : 2b, where b = 64/32/16/8 bits
1024 bits CR 18 Mul -precision Addi on
• ADD : a = 9876543210 = (2, 76, 176, 22, 234)256
b = 1357902468 = (80, 239, 242, 132)256 base = 8 bit (256)
i ai bi cin ai+bi+cin(mod 256) Carry? cout 0 234 132 0 110 (110 < 234)? 1 1 22 242 1 9 (9 < 22)? 1 2 176 239 1 160 (160 ≤ 176)? 1 3 76 80 1 157 (157 ≤ 76)? 0 4 2 0 0 2 (2 ≤ 2)? 0
a + b = (2, 157, 160, 9, 110)256 = 11234445678
CR “Computa onal Number Theory”, Abhijit Das, CRC Press 19 Mul -Precision Addi on Algorithm
CR 20 Mul -precision Subtrac on
• SUB : a = 9876543210 = (2, 76, 176, 22, 234)256
b = 1357902468 = (80, 239, 242, 132)256 base = 256 (8 bit)
i ai bi Cin Borrow? Cout ai-bi-cin(mod 256) 0 234 132 0 (234 < 132)? 0 102 1 22 242 0 (22 < 242)? 1 -220 = 36 2 176 239 1 (176 < 239)? 1 -64=192 3 76 80 1 (76 < 80)? 1 -5=251 4 2 0 1 (2 < 0)? 0 1
a - b = (1, 251, 192, 36, 102)256 = 8658640742
CR 21 Mul -Precision Subtrac on Algorithm
CR 22 Mul -Precision Mul plica on
C = A x B mod N (without Modular opera on) • Classical (School book) algorithm • Karatusba algorithm • Toom-3 algorithm • FFT
CR 23 Mul -precision Mul plica on (Classical Mul plica on)
• MUL : a = 1234567 = (18, 214, 135)256
b = 76543210 = (4, 143, 244, 234)256 base = 8 bit (256)
a * b =
(0 85 241 247 25 195 102)256 = 99447721140070
CR 24 Mul -precision Mul plica on (Karatsuba Mul plica on)
Let a,b be twomultiprecision integers with n B − ary words. Let m = n / 2 m a = ah B + al m b = bh B + bl 2m m a×b = (ahbh )B + (ahbl + albh )B + albl 2m m = (ahbh )B + (ahbh + albl +- (ah − al )(bh − bl ))B + albl
using (ah − al )(bh − bl ) = ahbh − ahbl − albh + albl
Karatsuba multiplication converts n bit multiplications into 3 multiplications of n/2 bits The penalty is an increased number of additions
CR 25 Mul -precision Mul plica on (Karatsuba Mul plica on)
B = 256; a b = (1, 176, 254, 234) a = 123456789 = (7, 91, 205, 21) h h 256 256 a b = (83, 222, 83, 133) b = 987654321 = (58, 222, 104, 177)256 l l 256 ah - bh = -(197, 186)256 al - bl = -(45, 211)256 n=4; m=2 (ah - bh) (al - bl) = (35, 100, 170, 78)256 ah = (7, 91); al = (205, 21) ahbl + albh 2 a = (7, 91)256 + (205, 21) = ahbh+ albl - (ah - bh) (al - bl)
= (50, 42, 168, 33)256 bh = (58, 222); bl = (104, 177) b = (58, 222)2562 + (104, 177)
1 176 254 234 50 42 168 33 83 222 83 133 1 177 49 20 251 255 83 133
CR 26 Performing Modular Reduc on
• Divide and get remainder (repeated subtrac on)
Alterna vely, we could use Montgomery mul plica on that will not require modular reduc on.
CR 27 Montgomery Mul plica on
c = a x b mod m
Select R = 2x, gcd(R, m) =1, R slightlygreater than m
Use Extended Euclidean Algorithm to find R−1 and m' s.t R⋅ R−1 − m⋅ m' =1 Convert multiplicands to Montgomery domain a = aRmod m −2 b = bRmod m Note that c = a ⋅ b⋅ R mod m
The Montgomery multiplier computes c = a ⋅ b⋅ R−1 mod m No specific benefits this way CR 28 Montgomery’s Trick
Montgomery's trick 1) t = a ⋅ b 2) u= (t +((t modr)⋅ m'modr)⋅ m) / r 3) if (u ≥ m) return u − m; else return u.
CR 29 Montgomery’s Trick (why it works) Montgomery's trick 1) t = a ⋅ b 2) u= (t +((t mod R)⋅ m'mod R)⋅ m) / R 3) if (u ≥ m) return u − m; else return u. • First note that R | t • Then R | (t ⋅ m'⋅ mmod R) ....this follows because RR−1 − m'm =1; then takemod R • Therefore R | (t + t ⋅ m'⋅ mmod R) ....the division in step 2 is valid • u⋅ R = t + t ⋅ m'⋅ mmod R = t + t ⋅ m'⋅ m = t + k ⋅ m = t mod m See google groups for more details
CR 30 Speeding RSA decryp on with CRT
• Decryp on is done as follows : x = ya mod n • Bob can also decrypt by using CRT x = ya mod p x = ya mod q (since he knows the factors of n, i.e. p,q) • CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n
CR 31 Mul -precision libraries
• GMP : GNU Mul -precision library • Make use of Intel’s SSE/AVX instruc ons – These are SIMD instruc ons that have large registers (128, 256, 512 bit) • Crypto libraries – OpenSSL, PolarSSL, NaCL, etc.
CR 32 RSA Speeds
CR 33 RSA Speeds 32 Bit ARM Cortex
16 Bit TI Micro-controller
CR 34 Finding Primes
CR 35 Test for Primes
• How to generate large primes? – Select a random large number – Test whether or not the number is prime • What is the probability that the chosen number is a prime? – Let π(N) be the number of primes < N – From number theory, π(N) ≈ N/ln N – Therefore probability of a random number (< N) being a prime is 1/ln N • As N increases, it becomes increasingly difficult to find large primes
CR 36 GIMPS
• There are infinite prime numbers (proved by Euclid) • Finding them becomes increasingly difficult as N increases • GIMPS : Great Internet Mersenne Prime Search – Mersenne Prime has the form 2n – 1 – Largest known prime (found in 2016) has 22 million digits 2274,207,281 − 1 • $3000 to beat this J
h ps://en.wikipedia.org/wiki/Largest_known_prime_number CR 37 Primality Tests with Trial Division
• School book methods (trial division) – Find if N divides any number from 2 to N-1 – find if N divides any number from 2 to N1/2 – Find if N divides any prime number from 2 to N1/2 – Too slow!!! • Need to divide by N-1 numbers • Need to divide by N1/2 numbers • Need to divide by (N/lnN)1/2 primes – For example, if n is approx 21024, then need to check around 2507 numbers • Need something be er for large primes – Randomized algorithms
CR 38 Randomized Algorithms for Primality Tes ng • Monte-carlo Randomized Algorithms – Always runs in polynomial me – May produce incorrect results with bounded probability
– Yes-based Monte-carlo method • Answer YES is always correct, but answer NO may be wrong – No-based Monte-carlo method • Answer NO is always correct, but answer YES may be wrong
CR 39 Finding Large Primes (using Fermat’s Theorem)
n 1 is _ prime(n){ If n is prime, then a − ≡ 1 mod n is true for any ‘a’ pick a ← Zn If n is composite n−1 n−1 a ≡1mod n if (a ≡1mod n) is false but may be true for some values of a. returnTRUE For example: n = 221 (13*17) else and a = 38 then 38220 mod 221 ≡ 1. return FALSE We need to increase our confidence } with more values of a
CR 40 Fermat’s Primality Test
• Increasing confidence with mul ple bases
primality _ test(n){ c = 0 for(i = 0;i <1000;+ +i){ if (is _ prime(n) == FALSE) returnCOMPOSITE } return probably PRIME }
CR 41 Carmichael Number
Some composites act as primes. Irrespective of the ‘a’ chosen, the test an−1 ≡1mod n passes.
for example Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a.
Eg. 561 = 3 x 11 x 17
CR 42 Strong probable-primality test
• If n is prime, the square root of an-1 is either +1 or -1 n−1 let a 2 = b
b2 ≡1modn b2 −1≡ modn (b +1)(b −1) ≡ 0modn either(b +1) ≡ 0modn or(b −1) ≡ 0modn
CR 43 Miller-Rabin Primality Test
• Yes-base primality test for composites • Does not suffer due to Carmichael numbers • Write n-1 = 2sd – where d is odd and s is non-nega ve – n is a composite if r ad ≠1modn and (ad )2 ≠ −1modn for all numbersrlessthans
CR 44 Proof of Miller-Rabin test
• Write n-1 = 2sd r ad ≠1mod n and (ad )2 ≠ −1mod n for all number r lessthan s
• Proof: We prove the contra-posi ve. We will assume n to be prime. Thus, r ad ≡1mod n or (ad )2 ≡ −1mod n for somenumber r lessthan s
CR 45 Proof of Miller-Rabin test
Proof: We prove the contra-posi ve. We will assume n to be prime. Thus we prove, r ad ≡1mod n or (ad )2 ≡ −1mod n
for somenumber r lessthan s 1 (Fermat ‘s) • Consider the sequence : d 21 d 22 d 23 d 2s−1 d 2s d a , a , a , a ,!!, a , a
– The roots of x2 = 1 mod n is either +1 or -1 – In the sequence, if ad is 1, then all elements in the sequence will be 1 – If ad is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1
CR 46 Miller-Rabin Algorithm (test for composites)
Input n T1. Find an oddintegerd such that n −1 = 2s d
T 2. Select at randoma nonzero a ∈ Zn T3. Compute b = ad mod n If b = ±1, return'nisprime'
i T 4. Fori =1,!,r −1,calculate c ≡ b2 mod n If c = −1, return'nisprime' T5. Otherwisereturn'niscomposite'
CR 47 Quadra c Residues
a cannot be 0 • Example : m=13, square elements in Z13. 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1
The quadra c residues Z13 are therefore {1, 4, 3, 9, 10, 12}
If an element is not a quadratic residue, then it is a quadratic non-residue
quadratic non-residues in Z13 are {2, 5, 6, 7, 8, 11}
CR 48 Legendre Symbol
⎧ 0 if p | a ⎛ a ⎞ ⎪ ⎜ ⎟ = ⎨1 if aisaQR mod p ⎝ p ⎠ ⎪ ⎩−1 if aisaQNR mod p
Given p is an odd prime
CR 49 Euler’s Criteria
A result from Euler
p−1 ⎛ a ⎞ 2 ⎜ ⎟ ≡ a mod p ⎝ p ⎠
when aisaQR,∃x ∈ Z s.t. a ≡ x2 mod p when p | a p p−1 ( p−1) p 1 2 − =▹ a 2 ≡ x 2 mod p a 2 ≡ 0mod p ≡ x p−1 mod p ≡1
CR 50 when Quadra c Non Residue
2 when aisaQNR, no such x ∈ Z pexists s.t. a ≡ x mod p p−1 consider : a 2 mod p (note p −1 iseven,if pisan odd prime) squaring : a p−1 mod p ≡1 2 ⎛ p−1 ⎞ so,⎜a 2 ⎟ 1mod p ⎜ ⎟ ≡ ⎝ ⎠ p−1 Thus, a 2 ≡ ±1mod p p−1 a 2 ≠1mod p, sincea isnot a QR p−1 Thus a 2 ≡ −1mod p
CR 51 Examples when holds always Congruence
p−1 ⎛ a ⎞ prime odd n is an ⎜ ⎟ ≡ a 2 mod p 4 isaQR mod13 ⎜ p ⎟ ⎝ ⎠ 13−1 4 2 mod13 ≡ 46 mod13 ≡1 5isaQNR mod13 56 mod13 ≡12 mod13 ≡ −1 Congruence or may notor may
15−1 n is not prime Euler’s Witness 2 7
7 mod15 ≡ 7 mod15 ≡ −2 when
15−1 may Euler’s Liar hold 14 2 mod15 ≡147 mod15 ≡ −1
CR 52 Solovay Strassen Primality Test
SOLOVAYSTRASSEN(n){ choose a randomintegerasuch that 1 ≤ a ≤ n-1 ⎛ a ⎞ compute x =⎜ ⎟ ⎝ n ⎠ How to compute if (x = 0) returnCOMPOSITE Legendre’s symbol n−1 compute y = a 2 mod n if (x ≡ y mod n) return possiblyPRIME else returnCOMPOSITE }
error probability is at most ½
CR 53 Jacobi Symbol
• Jacobi Symbol is a generaliza on of the Legendre symbol • Let n be any posi ve odd integer and a>=0 any integer. The Jacobi symbol is defined as:
Suppose nisan odd positive integer with prime factorization
e1 e2 e3 e4 n = p1 ×p2 ×p3 ×p4 ... T
Then,
e1 e2 e3 e4 ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎛ a ⎞ ⎜ ⎟ = ⎜ ⎟ ×⎜ ⎟ ×⎜ ⎟ ×⎜ ⎟ × ! ⎝ n ⎠ ⎝ p1 ⎠ ⎝ p2 ⎠ ⎝ p3 ⎠ ⎝ p4 ⎠
CR 54 Jacobi Proper es
⎛ a ⎞ ⎛ b ⎞ P1. If a ≡ b mod n then⎜ ⎟ = ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎛ 2 ⎞ ⎧ 1 if n ≡ ±1mod8 P2. ⎜ ⎟ = ⎨ ⎝ n ⎠ ⎩−1 if n ≡ ±3mod8 ⎛ ab ⎞ ⎛ a ⎞⎛ b ⎞ P3. ⎜ ⎟ = ⎜ ⎟⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠⎝ n ⎠ k k ⎛ a ⎞ ⎛ 2 ⎞ ⎛ t ⎞ P4. if aiseven, a = 2 t, ⎜ ⎟ = ⎜ ⎟ ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎝ n ⎠ P5. if aisodd, ⎧ ⎛ n ⎞ ⎪ − ⎜ ⎟ if n ≡ a ≡ 3mod 4 ⎛ a ⎞ ⎪ ⎝ a ⎠ ⎜ ⎟ = ⎨ n ⎛ n ⎞ ⎝ ⎠ ⎪ ⎜ ⎟ otherwise ⎩⎪ ⎝ a ⎠ CR 55 Compu ng Jacobi
From the theorem P5, P1, then P2
P5, P1, P5, P1, P3, P2
P5, P1 and 1 is a QR mod 13
CR 56 Factoring Algorithms
CR 57 Factoriza on to get the private key • Public informa on (n, b) • If Mallory can factorize n into p and q then, • She can compute φ(n) = (p-1)(q-1) • She can then computethe private key by finding a ≡ b-1 mod φ(n)
How to factorize n?
CR 58 Trial Division
Fundamental theorem of arithme c Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 ! pk
prime generation algorithm
Prime factors of n cannot be greater than ⎣ n⎦
n = n / p : remove this factor from n
Running Time of algorithm order of π(2n/2)
CR 59 Pollard p-1 Factoriza on
n = p× q 1 choose a random integer a(1< a < n). If gcd(a, n) ≠1, then a is a prime factor. However, this is most likely not the case.
2 L Supposeweselectsome Land compute d=gcd(a -1,n) why aL -1? if 1< d < n then we have factored n since d is prime and d | (aL −1) L d | n and d | (a −1) aL ≡1mod d d has to be the prime p or the prime q ϕ(d) | L => (d −1)k=L Thus we need to find L which is some factor of (d −1). 3 If gcd(aL −1, n) = n How to choose L? No easy way, trial and This is possible only when p | n and p | aL 1 (or q | n and q | aL 1) − − error!! and aL −1> n Factorials have a lot of divisors. So that is a nice way. So, take L as a factorial of some number r. CR 60 Pollard p-1 Factoriza on
Pollard p-1 factorization for n. S1. a ← 2 S2. if gcd(a, n) > 1, then this gcd is a prime factor of n, we are done. S3. compute d ← gcd(ar!-1, n) if d = n, start again from S1 with next value of a else if d =1 , increment r and repeat S3 else d is the prime factor of n; we are done!
r = 2,3, 4, ….. 1. Will the algorithm terminate? 2. When will we choose the next value of a? (will we get an infinite loop?) When r = d-1 then L = r! = (d-1)! = d-1(d-2)! = (d-1)k (d-1) | L à we will get the gcd(ak(d-1), n) = n or its prime factor.
CR 61 Pollard Rho Algorithm
• Form a sequence S1 by selec ng randomly (all different) from the set Zn x0 ≡ x mod p S1= x0 , x1, x2 , x3, x4 ,! 0
• Also assume we magically find a x1 ≡ x1 mod p new sequence S2 comprising of x2 ≡ x2 mod p S2 = x0 ,x1, x2 , x3, x4,! where x3 ≡ x3 mod p
• If we keep adding elements to x4 ≡ x4 mod p
S1, we will eventually find an xi and xj (i≠j) such that xi = x j When this happens,
p | (xi − x j )
∵p | nalso, gcd((xi − x j ),n)is p.We found a factor of n!! CR 62 Doing without magic
• Form a sequence S1 by selec ng randomly (with replacement) from the set Zn
S1= x0 , x1, x2 , x3, x4 ,!
• For every pair i,j in the sequence compute
d ← gcd((xi − x j ,n)
• If d > 1 then it is a factor of n
CR 63 Selec ng elements of S1
To choose the next element of S1, Pollard suggests
using a func on f : Zn → Zn with requirement that the output looks random. Example : f (x) = x2 +1mod n
⎛⎧x0 where x0 ischosen randomly fromZn ⎞ S1= ⎜⎨ ⎟ ⎜ x i 0 and x f (x ) ⎟ ⎝⎩ i > i = i−1 ⎠
CR 64 Example This column is just • N= 82123, x = 631, f(x) = x2 + 1 for understanding. 0 In reality we will not know this
Drawback… Large number of GCD Computations. 55 gcd computations in this case
Can we reduce the number of gcd computations?
Given xi mod N, we compute gcds of every pair until we find a gcd greater than 1
gcd(x3 − x10 , N) = gcd(63222,82123) =41 A factor of N
CR 65 The Rho in Pollard-Rho
2 • N= 82123, x0 = 631, f(x) = x + 1 21 26
5 32
2 0 40 1
11
16
xt = xt+l mod p • The smallest value of t and l, for which the above congruence holds is t=3, l=7 • For l=7, all values of t > 3 satisfy the congruence • This leads to a cycle as shown in the figure (and a shape like the Greek letter rho) x j = x j+l mod p t ≥ 3 CR 66 Reducing gcd computa ons
• GCD computa ons can be expensive. • Use Floyd’s cycle detec on algorithm to reduce the number 21 of GCD computa ons. 26 5 32
choose a random x0 = y0 ∈ Zn 2 0 xi = f (xi 1) − 40 1 yi = x2i = f ( f (yi−1)) 11 loop
If d = gcd(xi − yi , N) > 0,return d 16
claim : The first time xi = yi mod p occurs when i ≤ t + l This means that we get a collision before x completing an entire circle
CR 67 The first me xi = yi mod p occurs is when i ≤ t + l • l is the number of points in the cycle • t is the smallest value of i such that xi ≡ yi mod p
xi and yi meet at the same point in the cycle Therefore, yi must have traversed (some) cycles more
xi ≡ yi mod N consider i =(k +1)l = t + (−t modl) xi ≡ x2i mod N ≤t + l l | (2i −i) l | i =▹ l(k +1) = i (−t modl)
CR 68 Expected number of opera ons before a collision • Can be obtained from Birthday paradox to be p
CR 69 Congruences of Squares
• Given N=p x q, we need to find p and q • Suppose we find an x and y such that x2 ≡ y2 mod N • Then, N | (x2 − y2 ) =▹ N | (x − y)(x + y) • This implies,
gcd(N,(x − y)) or gcd(N,(x + y)) factors N
CR 70 Example
• Consider N = 91
102 ≡ 32 mod91 34 2 ≡ 82 mod 91 91| (10 − 3)(10 + 3) 91| (34 + 8)(34 −8) 91| (7×13) 91| 42 × 26 gcd(91,13) =13 gcd(91,26) =13 gcd(91,7) = 7 gcd(91,42) = 7
So… we can use x and y to factorize N. x2 ≡ y2 mod N But how do we find such pairs?
CR 71 Another Example
• N = 1649
2 32 and 200 are not perfect squares. 41 ≡ 32 mod1649 However (32x200 = 6400) = 802 432 ≡ 200mod1649 is a perfect square (41×43)2 ≡ (32 ×200)mod1649 ≡ 80 2 mod1649
Thus, it is possible to combine non-squares to form a prefect square
the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/) CR 72 Forming Perfect Squares
Recall, Fundamental theorem of arithme c Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 ! pk
Thus, a number is a perfect square if it prime factors have even powers.
e1,e2 ,e3,... iseven Thus, 32 = 2550 not a perfect square 200 = 2352 not a perfect square (32x200) = 2550 x 2352 = 2852 = (2451)2 is a prefect square
CR 73 Dixon’s Random Squares Algorithm 1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set) 2. Select an r at random – Compute y = r 2 mod N – Test if y factors completely in the set B. – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers) 3. Repeat step 2, un l we have b+1 such (y,r) pairs 4. Solve the system of linear congruencies
CR 74 Example
• N = 1829 • b = 6 B = {-1, 2,3,5,7,11,13} • Choose random values of r, square and factorize
All numbers are 6-smooth except 60 and 75. Leave these and consider all others
CR 75 Check Exponents
-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0
CR 76 Check Exponents
-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0
Find rows where exponents sum is even -65, 20, 63, -91
sum 2 2 2 2 2 0 2 (42 ×43×61×85)2 ≡ (−1×2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829 CR 77 Final Steps
(42 ×43×61×85)2 ≡ (−1×2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829
1829 | (1459 + 901)(1459 − 901) =▹1829 | 2360 gcd(1829,2360) = 59 =▹1829 | 558 gcd(1829,558) = 31
Thus 1829 = 59 ×31
CR 78 State of the Art Factoriza on Techniques • Quadra c Sieve – Fastest for less than 100 digits • General Number field Sieve – Fastest technique known so far for greater than 100 digits – Open source code (google GGNFS) • RSA factoring challenge – Best so far is 768 bit factoriza on – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)
https://en.wikipedia.org/wiki/RSA_Factoring_Challenge CR 79 RSA A acks
a acks that don’t require factoriza on algorithms
CR 80 Φ(n) leaks
• If an a acker gets Φ(n) then n can be factored n = pq q = n / p φ(n) = ( p −1)(q −1) = pq − ( p + q) +1 n φ(n) = n − ( p + ) +1 p p2 − (n −φ(n) +1) p + n = 0
Solve to get p (a factor of n)
CR 81 square roots of 1 mod n 2 There are two trivial and two non-trivial solu ons for y ≡1mod n The trivial solu ons are +1 and -1 By CRT, these congruences are equivalent ⎧ y ≡1mod p ⎨ ⎧y2 ≡1mod p ⎩y ≡ −1mod p y2 1mod n ≡ 〈=〉⎨ 2 ⎩ y ≡1mod q ⎧ y ≡1mod q ⎨ ⎩y ≡ −1mod q
To get the non-trivial solutions solve using CRT
y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q
CR 82 Example
• n=403 = 13 x 31 2 • To get the non-trivial solu ons of solve using CRT y ≡1mod n
y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q
(31⋅31−1 mod13 −13⋅13−1 mod31) mod 403 (31⋅8 −13⋅12) mod 403 ≡ 92 403− 91 = 311
2 2 The non-trivial solutions are 92 and 311 Note:92 ≡ 311 ≡1mod 403
What happens when we solve y ≡ +1mod p y ≡ +1mod q CR 83 Decryp on exponent leaks
• If the decryp on exponent ‘a’ leaks, then n can be factored • The a acker can then compute ab ab ≡1modφ(n) kφ(n) = (ab −1) • Now, for any message x ≠ 0 xab−1 ≡1mod n ab−1 • A ack Plan, take square root : y ≡ x 2 mod n y 2 ≡1 mod n =▹ n | (y 2 −1) i.e., However we =▹ n | (y −1)(y +1) need y ≠ ±1 gcd(n, y −1)isa factor of n to have a non- trivial result CR 84 The A ack (basic idea) we assume we know the private key a
ab ≡1modφ(n) 1.given a computeab −1 kφ(n) = ab −1
ab −1 ab−1 2.Represent t = 2 2 y1 = x ≡1mod n 2 3. chooseany message x thus,(y1 −1) ≡ 0mod n 4.put y = xt mod n n | (y +1)(y −1) 5.computed ← gcd( y −1,n) This will only work if y ≠±1 mod n. 6.if d ≠ 1, return"a factorof n isd"; exit If y = ±1 mod n. then goto step 7 7.if (t is even) t = t / 2; goto step4 elsereturn" failure"
Probability of success of the attack is at-least 1/2
CR 85 Example
• N=403, b=23, a=47 t = ab −1 =1080 x = 2 1080 loop1: t = = 540 y ≡ xt mod 403 = 2540 mod 403 ≡1 2 540 loop2 : t = = 270 y ≡ xt mod 403 = 2270 mod 403 ≡ 311 2 gcd(310,403) = 31 (a factor of n)
t = ab −1 =1080 x = 9 1080 loop1: t = = 540 y ≡ xt mod 403 = 9540 mod 403 ≡1 2 540 loop2 : t = = 270 y ≡ xt mod 403 = 9270 mod 403 ≡1 2 270 loop3: t = =135 y ≡ xt mod 403 = 9135 mod 403 ≡1 2 can’t divide 135 further. failure CR 86 Small Encryp on Exponent
• In order to improve efficiency of encryp on, a small encryp on exponent is preferred • However, this can lead to a vulnerability
CR 87 Small Encryp on Exponent
3 c1 Alice m mod N1 m 3 c2 m mod N2 c 3 3 m mod N2
Insecure channel • Consider, Alice sending the same message x to 3 different people.
• Each having a different N (say N1, N2, N3) • But same public key b (say 3)
CR 88 Small Encryp on Exponent
3 c1 Alice m mod N1 3 m c1 ≡ m mod N1 3 c2 m mod N2 3 c2 ≡ m mod N2 c c m3 mod N 3 3 3 ≡ 3 m mod N2
Insecure channel • Consider, Alice sending the same message x to 3 different people.
• Each having a different N (say N1, N2, N3) • But same public key b (say 3) • This allows Mallory to snoop in and get 3 ciphertexts
CR 89 Small Encryp on Exponent
By CRT
3 ⎧c1 ≡ m mod N1 ⎪ 3 3 ⎨c2 ≡ m mod N2 〈=〉 X ≡ m mod(N1 ⋅ N2 ⋅ N3 ) ⎪c m3 mod N ⎩ 3 ≡ 3 • Thus, Mallory can compute X
• Since m < N1, m
It is temp ng to have small private and public keys, so that encryp on or decryp on may be carried out efficiently. However you would do this at the cost of security!!
CR 90 Low Decryp on Exponent
• The a ack applies when the private key a is 4 n a < small, 3
• In such a case ‘a’ can be computed efficiently
CR 91 Par al Informa on of Plaintexts
Compu ng Jacobi of the plaintext y ≡ xb mod n yistheciphertext; x themessage bis the public key and gcd(b, φ(n)) =1 Thus, gcd(b, (p-1)(q-1))=1 ( p −1)(q −1) iseven, therefore b must be odd consider Jacobi ⎛ y ⎞ ⎜ ⎟ = ±1 ⎝ n ⎠ b ⎛ y ⎞ ⎛ x ⎞ ⎛ x ⎞ ⎜ ⎟ = ⎜ ⎟ = ⎜ ⎟ ⎝ n ⎠ ⎝ n ⎠ ⎝ n ⎠ sincebisodd
⎛ x ⎞ thus, RSA encryp on leaks the value of the Jacobi symbol ⎜ ⎟ ⎝ n ⎠ CR 92 Par al Informa on of Plaintexts first half or second half? • given y = xbmod n, – is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1) first half second half
• We prove that RSA does not leak this informa on • If there exists an efficient algorithm that can determine if x is in the first or second half then, the en re plaintext can be obtained
CR 93 Binary Search Trees on x
Consider this function [0,13) ⎧ n ⎪0 if 0 ≤ x < 0 HALF (x) = 2 ⎨ n [0-6.5) [6.5,13) ⎪1 if ≤ x < n −1 ⎩ 2 0 example [0,3.25) x = 3mod13 HALF (x) = 0 [0,1.625) 1 2x ≡ 6mod13 HALF (2x) = 0 4x ≡12 mod13 HALF (4x) =1 [1.625,3.25) 8x ≡11mod13 HALF (8x) =1 16x ≡ 9mod13 HALF (16x) =1 3
CR 94 Par al Informa on of Plaintexts (first or second half proof) • Assume a hypothe cal oracle called HALF as follows ⎧ n ⎪0 if 0 ≤ x < HALF (n,b, y) = 2 ⎨ n y ≡ xb mod n ⎪1 if ≤ x < n −1 ⎩ 2 2b ⋅ y ≡ (2x)b mod n b b n 4 ⋅ y ≡ (4x) mod n HALF (y)= 0 =▹ x∈[0, ) b b 2 8 ⋅ y ≡ (8x) mod n 16b ⋅ y ≡ (16x)b mod n n n n HALF (2b y) = 0 =▹ x∈[0, ) HALF (2b y)=1 =▹ x∈[ , ) 4 4 2
n n n HALF (22b y)= 0 =▹ x∈[0, ) HALF (22b y)= 0 =▹ x∈[ , ) 8 8 4
CR 95 Example
n=1457, b=779, y=722
hi 1 0 1 0 1 1 1 1 1 0 0
Thus, if we have an efficient function HALF, we can recover the plaintext message.
CR 96 Man in the Middle A ack
• The process of encryp on with a public key cipher
Bob sends his public key
Alice encrypts with Bob’s public key
Bob decrypts with his private key
CR 97 Man in the Middle A ack
• The process of encryp on with a public key cipher Man in the middle Intercepts messages
Bob Mallory sends his public key sends her public key
Alice encrypts Mallory decrypts with Mallory’s public key with her private key and re- encrypts Bob decrypts with Bob’s with his private public key key CR 98 Searching the Message Space
• Suppose message space is small, – Mallory can try all possible messages, encrypt them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext
Bob sends his public key
Alice encrypts with Bob’s public key Bob decrypts with his private key
CR 99 Bad Prime Genera on Algorithms
• Suppose the prime genera on was faulty – So that, primes generated were always from a small subset – Then, RSA can be broken • Pairwise GCD of over a million RSA modulii collected from the Internet showed that – 2 in 1000 have a common prime factor
CR Ron was Wrong, Whit is right, 2012 100 Discrete Log Problem, ElGamal, and Diffie Hellman
CR STINSON : chapter 6 101 Primi ve Elements of a Group
Let (G,⋅ )be a group of order n. Let α ∈G, The order of α is the smallest integer m such that α m = 1 α is termed as a primitive element if it has order n. If α is a primitive element then α = {α i : 0 ≤ i ≤ n -1} generates all elements in G
Consider Z * {1,2,3, ,12} 13 = ! * (Z13,⋅) formsa groupof order12 Let 7∈ Z * , <7> has order 12 13 and generates all elements in Z. 7 = {7, 10, 5,9,11,12,6,3,8,4,2,1} Thus, 7 is a primitive element
CR 102 Discrete Log Problem
Let (G,⋅)be a group Letα ∈G be a primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n −1}
For any uniqueintegera (0 ≤ a ≤ n −1), let α a = β
Denote a = logα β as thediscrete logarithmof β
Given α and a, it is easy to compute β Given α and β it is computationally difficult to determine what a was
CR 103 ElGamal Public Key Cryptosystem
• Fix a prime p (and group Zp)
• Let be a primi ve element α ∈ Z p • Choose a secret ‘a’ and compute β ≡ α a mod p
Public keys : α , β, p Private key : a
Encryption Decryption
choose a random (secret) k Z a −1 ← p dk (x) = y2 (y1 ) mod p e (x) (y , y ) k ka −1 k = 1 2 = x⋅ β (α ) mod p k where y1 = α mod p, ka ka −1 k = x⋅α (α ) mod p y2 = x⋅ β mod p CR ≡ x 104 ElGamal Example
• p = 2579, α = 2 (α is a primi ve element mod p) • Choose a random a = 765 • Compute β ≡ 2765 mod 2579 Encryp on of message x = 1299 choose a random key k = 853 853 y1 = 2 mod 2579 = 435 853 y2 = 1299 x 949 = 2396
Decryp on of cipher (435, 2396) 2396 x (435765)-1 mod p = 1299
CR 105 Finding the Log
β ≡ α a mod p Given α and β it is computationally difficult to determine what a was • Brute force (compute intensive) compute α,α 2 ,α 3,α 4...... (until you reach β) this would definitely work, but not prac cal if p is large complexity O(p), space complexity O(1) • Memory Intensive precompute (all values). Sort and store. α,α 2 ,α 3,α 4...... For any given β look up the table of stored values. complexity O(1) but space complexity O(n)
CR 106 Shank’s Algorithm (also known as Baby-step Giant-step)
β ≡ α a mod p
Rewrite a as a = mq + r where m = ⎡ p⎤
β ≡ α mqα r mod p q β(α −m ) ≡ α r mod p
We neither know q nor r, so we need to try out several values for q and r until we find a collision
CR 107 Shank’s Algorithm (example) • p= 31 and α=3. Suppose β=6. • What is a? (3−1)6 mod 31 = 2 m = ⎡ 31⎤= 6 collision α ≡ 3 β (α −6 )0 = 6⋅20 = 6 α 2 ≡ 9 β (α −6 )1 = 6⋅21 =12 α 3 ≡ 27 β (α −6 )2 = 6⋅22 = 24 List1 List2 α 4 = 81 ≡19 mod 31 β (α −6 )3 = 6⋅23 ≡17 mod 31 α 5 =19 ⋅3 ≡ 26 mod31 β (α −6 )4 = 6⋅24 ≡ 3mod 31
Thus, m=6, q=4, r=1, a= mq+r = 25
CR 108 Shank’s Algorithm
Create List 1
Create List 2
Find collision
CR 109 Complexity of Shank’s Algorithm
O(m) O(mlog m)
O(m) O(mlog m)
O(log m)
O(mlogm) ~ O(m) = O(p1/2)
CR 110 Other Discrete Log Algorithms
β ≡ α a mod n
• Pollard-Hellman Algorithm used when n is a composite • Pollard-Rho Algorithm about the same run me as the Shank’s algorithm, but has much less memory requirements
CR 111 Diffie Hellman Problem
Let (G,⋅)be a group Letα ∈G be a primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n −1}
a b ab given α and α , find α Computational DH (CDH) given α a ,α b and α c , determineif c ≡ ab mod n Decision DH (DDH)
CR 112 Recall… Diffie Hellman Key Exchange
Alice and Bob agree upon a prime p and a generator g. This is public information
choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p
B A Compute K = Ba mod p Compute K = Ab mod p
b a b b a a A mod p = (g ) mod p = (g ) mod p = B mod p
CR 113 CR 114