sign in sign up
<<
Home , Multiplicative order, Primitive root modulo n

AN EXPLORATION OF MATHEMATICAL APPLICATIONS IN

THESIS

Presented in Partial Fulfillment of the Requirements for the Degree Masters of

Mathematical Sciences in the Graduate School of the Ohio State University

By

Amy Kosek, B.S. in Mathematics

Graduate Program in Mathematical Sciences

The Ohio State University

2015

Thesis Committee:

James Cogdell, Advisor

Rodica Costin c Copyright by

Amy Kosek

2015 ABSTRACT

Modern cryptography relies heavily on concepts from mathematics. In this thesis we will be discussing several cryptographic ciphers and discovering the mathematical applications which can be found by exploring them. This paper is intended to be accessible to undergraduate or graduate students as a supplement to a course in or modern algebra. The structure of the paper also lends itself to be accessible to a person interested in learning about mathematics in cryptography on their own, since we will always give a review of the background material which will be needed before delving into the cryptographic ciphers.

ii ACKNOWLEDGMENTS

My sincerest thanks to Jim Cogdell for working with me as my advisor for this thesis project. His encouragement and guidance during the last year has meant so much to me, and I am exceedingly grateful for it. Working with him has been a pleasure and an honor. Also, thank you to Rodica Costin for being a member of my thesis committee and my academic advisor. I so appreciate all of the advice and support she has given me during my time at OSU. Lastly, I would like to thank my wonderful husband, Pete Kosek. He has loved and supported me through every part of this process, and I wouldn’t be where I am today without him.

iii VITA

2013 ...... B.S. in Mathematics, The College at Brockport, SUNY

2013-Present ...... Graduate Teaching Associate, The Ohio State University

PUBLICATIONS

Benjamin D. Sokolowsky, Amy G. VanHooft, Rachel M. Volkert, and Clifford A. Reiter. An Infinite Family of Perfect Parallelepipeds. Mathematics of Computation, 83(289):2441-2454, 2014.

FIELDS OF STUDY

Major Field: Mathematical Sciences

Specialization: Mathematics for Educators

iv TABLE OF CONTENTS

Abstract ...... ii

Acknowledgments ...... iii

Vita ...... iv

CHAPTER PAGE

1 Introduction ...... 1

1.1 Motivation ...... 1 1.2 Public-Key vs. Private-Key Ciphers ...... 2

2 Number Theory and the RSA Cipher ...... 5

2.1 Elementary Number Theory ...... 5 2.2 The RSA Cipher ...... 13

3 Cryptographic Systems Based on the Problem . . . 20

3.1 The Discrete Logarithm Problem ...... 20 3.2 Diffie-Hellman Key Exchange ...... 25 3.3 ElGamal Cipher ...... 29

4 Elliptic Curve Cryptography ...... 34

4.1 Elliptic Curves ...... 34 4.2 Diffie-Hellman Key Exchange for Elliptic Curves ...... 41 4.3 ElGamal Cipher for Elliptic Curves ...... 43 4.4 The Elliptic Curve Digital Signature Algorithm ...... 45

Bibliography ...... 49

v CHAPTER 1

INTRODUCTION

1.1 Motivation

In cryptography people design systems which can be used for protecting data. A cryptographic cipher can be used to encrypt information so that it cannot be read except by the person who can decrypt it. It is as if you put the message which you want safe into a box with a lock on it; that way only someone with the key to the lock can read the message. Information security is an extremely important and relevant problem in the world, particularly in this day and age in which so much of our communication occurs over the internet. Think about the last time you paid for something online with your credit card. Did you trust that your card information was safe and that it couldn’t be stolen by someone intercepting it? It most likely was safe, and that was most likely thanks to cryptography!

Modern cryptography relies heavily on concepts from number theory. We are going to learn several different cryptographic ciphers and focus on what types of mathematical concepts we can find by exploring them. Chapters 2 and 3 should be very accessible to anyone who is familiar with elementary number theory or theory. In each of those chapters, we will do a brief refresher of the main mathe- matical concepts which we will use before we jump into learning the cryptographic ciphers. Chapter 4 will look into the study of elliptic curves and their applications to

1 cryptography. In that chapter we will give an introduction to elliptic curves before studying the way they can be used in cryptographic ciphers. So you do not need to have any prior exposure to elliptic curves to be able to study that section. It may be helpful, however, to have some familiarity with finite fields in to easily understand the theory of elliptic curves which we will discuss.

1.2 Public-Key vs. Private-Key Ciphers

The main purpose of both public-key and private-key cryptographic ciphers is to be able to send important or sensitive messages and information from party to party in such a way that it cannot be intercepted or tampered with. Some examples could be communicating military plans or banks sending information about money transfers.

Public-key and private-key ciphers provide two techniques for this. In each of these types of ciphers we will discuss encryption keys and decryption keys. The encryption key is what will be used to encode the message from “plaintext” into “ciphertext”, whereas the decryption key is what will be used to decode the ciphertext back into the plaintext message [1].

In a private-key cipher (also known as a symmetric cipher) knowledge of the encryption key is equivalent to knowledge of the decryption key. A simple example of this is Caesar’s Cipher, which is a very simple shift cipher. To do this you take each letter in your message and replace it with a different letter which is a fixed number of places further in the alphabet. For example you could replace A with

E, B with F, C with G, etc. To decrypt the message you simply reverse shift the letters the same fixed amount you used in the encryption. So anyone who knows how the message was encrypted could decrypt it. Currently used symmetric ciphers are far more complicated and provide far more security than Caesar’s Cipher. The main idea to grasp at this point, however, is that in a private-key cipher both the

2 encryption key and decryption key must be kept secret from those who are not a part of the communications at hand in order to ensure the cipher’s security. Because of this encryption/decryption keys must be generated for pairs of people each time they wish to communicate. One thing to note is that because the encryption key and decryption key for a symmetric cipher are essentially equivalent we will sometimes only refer to the cipher having a single key.

In contrast, public-key ciphers (also known as asymmetric ciphers) are devel- oped in such a way that knowledge of the encryption key gives no information as to what the decryption key is (at least not in any reasonable amount of computing time).

A way in which public-key ciphers are developed is by making use of a mathematical problem which is “easy” in one direction, but “difficult” in the other direction. For example, the RSA Cipher which we will discuss in the next chapter uses the notion that multiplying two large primes together, each on the order of 1080 or larger, is relatively easy in a computational sense, versus trying to factor a large number, say on the order of 10160 or larger, into its prime factors, which is seemingly impossible to do in any realistic amount of time. This may not make perfect sense now, but as we move on to the sections describing the various public-key ciphers we will explain how it works in greater detail.

The benefit of a public-key cipher is that one person, say Bob, could use it to set up an encryption key which he then makes public and keeps his decryption key private to himself. Now several parties could look up Bob’s encryption key and send him a message which only he will be able to decrypt. This reduces the number of keys needed to be generated and remembered tremendously.

A disadvantage of public-key ciphers is that they are much more computationally costly than symmetric ciphers. A common method which is used in cryptography is to use a public-key cipher in order to encrypt and send a shared private-key which can

3 then be used for communication using a faster running symmetric cipher. This shared private-key will be used for a single session of communication and then discarded after that session is finished.

4 CHAPTER 2

NUMBER THEORY AND THE RSA CIPHER

2.1 Elementary Number Theory

In this section we will be outlining several topics from number theory which we will need in order to explore the mathematics behind the cryptographic cipher known as the RSA Cipher. The RSA Cipher is a wonderful example of a real world application of the theoretical topics learned in elementary number theory. As you read through this section you will find that we have omitted much of the material surrounding the definitions and theorems given, and instead trimmed it down into just the basics which we will need to recall when we learn the RSA cipher. If you need a more in depth explanation of any of these topics there are several wonderful resources such as [3] and [7] referenced at the conclusion of this paper.

Definition 2.1.1. Suppose we have two a and b with a 6= 0. If an c exists so that we can write b = ac then we say that a divides b, or that a is a of b. Often we will use the notation a | b which is read as “a divides b.”

Lemma 2.1.1. Suppose we have two integers a and b with a common divisor d 6= 0.

That is, d | a and d | b, then we will have d | (ra + sb) for any integers r and s.

Proof. Because d is a divisor of both a and b then we can write a = dj and b = dk for some integers j and k. Then ra + sb = r(dj) + s(dk) = d(rj + sk). Since (rj + sk) is an integer then it follows that d | (ra + sb). 5 Proposition 2.1.1. Given two non-negative integers a and b, with a 6= 0, there exists a pair of unique integers q and r with 0 ≤ r < a such that b = aq + r. We call q the quotient and r the remainder when b is divided by a.

Finding such a quotient and remainder is what we find when performing long division. After doing long division it is sometimes common to represent the ratio of b r b divided by a as = q + , but we can see that this statement is equivalent to the a a statement b = aq + r given in the proposition above.

Definition 2.1.2. The greatest common divisor of two non-zero integers a and b is the largest integer c such that c divides both a and b. This is denoted by gcd

(a, b) = c or sometimes by (a, b) = c, however we will use the former notation in this text. If the greatest common divisor of a and b is 1 then we say that a and b are relatively prime.

There is a very useful procedure for computing the greatest common divisor of two positive integers. It is known as the Euclidean algorithm. Let us suppose we have two positive integers a and b, with a ≤ b and let d = gcd(a, b). By Proposition

2.1.1, we can write b = aq1 + r1 with 0 ≤ r1 < a. Then because d | a and d | b it follows that d | r1, since we can write r1 = b−aq1. So then d is a common divisor of a and r1. Continuing the process, next we write a = r1q2 + r2. Now, because d | a and d | r1 we have d | r2 because we can write r2 = a−r1q2. So similarly, we can conclude that d is also a common divisor of r1 and r2. Iterating this process we continue until we obtain an rk+1 = 0. Then we have that d = rk. We can see that the process will terminate because the remainders are getting smaller with each iteration, but remain non-negative by definition, so eventually we must reach a remainder of zero.

It should be clear that rk is a common divisor of a and b, but we will omit the proof that rk is actually the greatest common divisor. Let us do a few examples to better understand this algorithm. 6 Example: Find gcd(522, 213). First divide 522 by 213.

522 = 213(2) + 96

Next, divide 213 by the remainder 96 and continue this process.

213 = 96(2) + 21

96 = 21(4) + 12

21 = 12(1) + 9

12 = 9(1) + 3

9 = 3(3) + 0.

So gcd(522, 213) = 3.

Example: Find gcd(1549, 726). Using the Euclidean Algorithm we find,

1549 = 726(2) + 97

726 = 97(7) + 47

97 = 47(2) + 3

47 = 3(15) + 2

3 = 2(1) + 1.

The next remainder we obtain will be zero, so gcd(1549, 726) = 1.

Definition 2.1.3. We say that a number p is prime if it is an integer greater than

1, whose only positive are 1 and itself. An integer greater than 1 which is not prime is said to be composite.

Theorem 2.1.1. (The Fundamental Theorem of Arithmetic) Given an in- teger greater than 1 we can write that integer as a unique product of primes (up to reordering of the factors). 7 Examples: 10 = 2 · 5, since 2 and 5 are prime. 7800 = 23 · 3 · 52 · 13 because

2, 3, 5, and 13 are prime. 23 = 23 since 23 is a .

Definition 2.1.4. For a positive integer m, which we will call our modulus, we say that two integers a and b are congruent modulo m if m|(a − b) or equivalently if a and b have the same remainder when divided by m. Symbolically this is written as a ≡ b (mod m) which is read as “a is congruent to b mod m.”

Examples: 23 is congruent to 3 modulo 10 since 10 | (23−3) = 20. Also we have

59 ≡ −6 (mod 13) because 13 | (59 − (−6)) = 65. We find though, 7 6≡ 3 (mod 5) since 5 - (7 − 3) = 4.

Definition 2.1.5. Given an integer a and a positive integer n, satisfying gcd(a, n) =

1, we define the multiplicative inverse of a modulo n to be an integer d such that ad ≡ 1 (mod n). This d is sometimes represented symbolically by d = a−1.

The Euclidean Algorithm which we described earlier can provide a convenient way of finding multiplicative inverses modulo n. The way we can do this is by first using the algorithm to show that gcd(a, n) = 1. We then work backwards through the equations that were found in order to represent 1 = ad + nc for some integers d and c. We then will have that the multiplicative inverse of a modulo n is d. This is because if we consider the equation 1 = ad + nc modulo n then we see:

1 ≡ ad + nc ≡ ad + 0 ≡ ad (mod n).

Let us do a few examples to see how this works.

Example: Find the multiplicative inverse of 9 modulo 32. First let us perform the Euclidean Algorithm to show that gcd(32, 9) = 1; this is seen in the left hand column below. At each step we will also solve for the remainder in the equation,

8 which can be seen in the right hand column below. These remainder equations are then labeled in a reverse ordering for later reference.

32 = 9(3) + 5 → 5 = 32 − 9(3) (iii)

9 = 5(1) + 4 → 4 = 9 − 5(1) (ii)

5 = 4(1) + 1 → 1 = 5 − 4(1) (i)

Now we work backwards through these equations. First we use the last equation (i) which states 1 = [5 − 4(1)]. Next we use the second to last equation (ii) to substitute

4 = [9 − 5(1)] into our previous expression. We then distribute and group our terms to obtain an expression of 1 = 9j + 5k for some integers j and k. Lastly we will replace 5 = [32 − 9(3)] (iii) and again group our terms to obtain the desired equation in terms of 32 and 9.

1 = [5 − 4(1)] (i)

= 5 − [9 − 5(1)] (ii)

= 5 − 9 + 5 distribute

= 9(−1) + 5(2) group terms

= 9(−1) + 2[32 − 9(3)] (iii)

= 9(−1) + 32(2) + 9(−6) distribute

= 32(2) + 9(−7) group terms

Thus we see that 9−1 ≡ −7 ≡ 25 (mod 32). We can confirm this by checking that

9(−7) ≡ −63 ≡ 1 (mod 32).

Example: Find the multiplicative inverse of 726 modulo 1549. Recall earlier we

9 used the Euclidean Algorithm to find that gcd(1549, 726) = 1 by finding:

1549 = 726(2) + 97 → 97 = 1549 − 726(2) (v)

726 = 97(7) + 47 → 47 = 726 − 97(7) (iv)

97 = 47(2) + 3 → 3 = 97 − 47(2) (iii)

47 = 3(15) + 2 → 2 = 47 − 3(15) (ii)

3 = 2(1) + 1 → 1 = 3 − 2(1) (i)

Working backwards through these equations we obtain:

1 = [3 − 2] (i)

= 3 − [47 − 3(15)] (ii)

= −47 + 3(16)

= −47 + 16[97 − 47(2)] (iii)

= 97(16) − 47(33)

= 97(16) − 33[726 − 97(7)] (iv)

= −726(33) + 97(247)

= −726(33) + 247[1549 − 726(2)] (v)

= 726(−527) + 1549(247).

Thus 726−1 ≡ −527 ≡ 1022 (mod 1549).

Definition 2.1.6. The Euler φ-function, φ(n), is defined to be the number of positive integers less than or equal to n which are relatively prime to n.

Examples: Consider n = 10. We see that the only positive integers k ≤ 10 such that gcd(k, 10) = 1 are k = 1, 3, 7, 9. Thus we have φ(10) = 4.

Consider n = 7. Then all positive integers strictly less than 7 are relatively prime to

7, since 7 is a prime number. So φ(n) = 7 − 1 = 6. 10 Another example is φ(1) = 1 because the only positive integer k ≤ 1 is k = 1 and gcd(1, 1) = 1.

Proposition 2.1.2. φ(n) is a multiplicative function. This means that if gcd(a, b) = 1 then φ(ab) = φ(a)φ(b).

We can find a formula for computing φ(n), given the prime factorization of n. We do this by first considering cases where n is a .

Consider n = p for any prime p. Then we see that all positive integers k < p satisfy gcd(k, p) = 1. There are p − 1 such k’s thus φ(p) = p − 1.

Consider n = pj where p is any prime and j is any positive integer. The only integers which will have a common (non-trivial) factor with pj are multiples of p.

The multiples of p less than or equal to pj are: p, 2p, 3p, ..., (pj−1)p = pj. So we see that there are pj−1 such multiples. We can then conclude that the number of positive integers less than or equal to pj which are relatively prime to pj will be  1 φ(pj) = pj − pj−1 = pj 1 − . p We can now conclude the following proposition:

a1 a2 ak Proposition 2.1.3. For a positive integer n where n = p1 p2 ··· pk we have

k Y  1  φ(n) = n 1 − p i=1 i

11 Proof. Since φ(n) is multiplicative then we have

a1 a2 ak φ(n) = φ(p1 )φ(p2 ) ··· φ(pk )       a1 1 a2 1 ak 1 = p1 1 − p2 1 − ··· pk 1 − p1 p2 pk       a1 a2 ak 1 1 1 = p1 p2 ··· pk 1 − 1 − ··· 1 − p1 p2 pk  1   1   1  = n 1 − 1 − ··· 1 − p1 p2 pk k Y  1  = n 1 − . p i=1 i

Y  1 An alternative way of representing this product is to write φ(n) = n 1 − , p p|n where it is understood that this will mean to index the product over all prime divisors of n.

Theorem 2.1.2. (Euler’s theorem) For two positive integers n and m which are relatively prime we have that

mφ(n) ≡ 1 (mod n) where φ(n) is the Euler φ-function.

Examples: Let n = 10. We saw earlier that φ(10) = 4. Consider m = 3. We have that gcd(3, 10) = 1 and we can confirm that 34 ≡ 81 ≡ 1 (mod 10).

Let n = 7 and m = 2. Then φ(7) = 7 − 1 = 6, and we have gcd(2, 7) = 1. We can confirm that 26 ≡ (23)2 ≡ (8)2 ≡ (1)2 ≡ 1 (mod 7).

It is interesting to point out that Euler’s Theorem is a generalization of Fermat’s

Little Theorem, which states that for any prime p and integer a we have ap ≡ a 12 (mod p). Restricting a to be not divisible by p then makes Fermat’s Little Theorem equivalent to ap−1 ≡ 1 (mod p) which is the same as Euler’s Theorem in the case that n is a prime p. Also, for those readers familiar with groups we can see that Euler’s theorem is a specific case of the fact that in a finite group, the order of an element of that group divides the order of the group.

2.2 The RSA Cipher

One of the most well known and widely used public-key cipher systems is the RSA

Cipher [1,8]. It is named for its authors Ron Risvest, Adi Shamir, and Leonard Adle- man who first publicly described the system in 1977. Clifford Cocks, a cryptographer working for the British government, independently discovered an equivalent encryp- tion cipher to RSA in 1973, but his work was not declassified until 1997, so Risvest,

Shimir and Adleman are commonly credited with the discovery of the cipher [8]. The security of this system is based upon the difficulty of factoring large numbers into their prime factorizations. This cipher is a wonderful example of an application of elementary number theory topics to the realm of cryptography. The cipher utilizes topics such as congruences, , modular multiplicative inverses, the Euler φ-function, and Euler’s Theorem. We will first explain how the cipher works and work through an example of its implementation. We then will delve into some of the mathematics behind how it works.

The RSA Cipher: Bob wishes to establish a public encryption key so that people may send him encrypted messages which only he can decrypt. To do so,

first Bob will choose two secret large prime numbers, p and q. Bob then forms his modulus n by computing n = pq. Next, Bob will choose an integer e such that gcd(e, (p − 1)(q − 1)) = 1. This e will serve as his encryption key. Bob then computes his decryption key d such that de ≡ 1 (mod (p − 1)(q − 1)). That is, d is

13 the multiplicative inverse of e modulo (p − 1)(q − 1). Bob then makes n and e public, keeping p, q, and d secret.

If Alice wants to send a secret message to Bob, she will first convert her plaintext message into an integer m. (Note that if m ≥ n then Alice should break up m into several blocks which are each smaller than n and send the blocks individually. For now we will assume m < n). Alice then encrypts her plaintext message m into her ciphertext c by computing

c ≡ me (mod n) and choosing the value for c such that 0 < c < n. Alice will send the ciphertext c to

Bob.

In order to read Alice’s message, Bob will then decrypt her ciphertext c by com- puting

m ≡ cd (mod n) and choosing the value m which satisfies 0 < m < n.

We will do an example now to see how this cipher will work before we continue on to explore the mathematics behind why it works.

Example: For this example we will use small numbers in order to simplify the work. In practice, however, numbers such as the choice of n will need to be on the order of 10160. For a few of the computations we will still likely need the use of a computer.

Bob chooses his prime numbers p = 47 and q = 67 and then computes n = pq =

3149. Next he needs to choose an encryption key e so that gcd(e, (p − 1)(q − 1)) = 1.

We see that since p = 47 and q = 67 then (p − 1)(q − 1) = 3036. Bob chooses e = 5.

We can use the Euclidean Algorithm to verify that gcd(5, 3036) = 1. We write:

3036 = (607)5 + 1 14 5 = (5)1 + 0.

So indeed we have gcd(5, 3036) = 1. Now Bob must compute his decryption exponent d by computing d as the multiplicative inverse of e modulo (p − 1)(q − 1). That is, we need:

d ≡ 5−1 (mod 3036).

Working backwards through the Euclidean Algorithm we see that

3036 + (−607)5 = 1.

Considering this modulo 3036 we see

0 + (−607)5 ≡ 1 (mod 3036)

(2429)5 ≡ 1 (mod 3036).

Thus we have that d = 2429. Bob now has his secret primes p and q, his modulus n, his encryption key e and his decryption key d. Bob keeps p, q, and d secret, and he makes n and e public so that Alice can send him an encrypted message.

Suppose Alice wants to send the plaintext message “HI” to Bob. One way Alice could convert her message into an integer m is to use a basic mapping of A → 01,

B → 02, etc. So she gets “HI” becomes m = 0809 = 809 which is strictly less than n = 3149. Then Alice takes Bob’s encryption key and computes

c ≡ me (mod n) obtaining

c ≡ 8095 ≡ 2522 (mod 3149).

An efficient technique for computing powers modulo n is through the technique of successive squaring. To do this we rewrite the exponent as a sum of powers of 2. So for the above example we would write 5 = 4 + 1 = 22 + 20. Then we would compute

8095 ≡ 8094+1 ≡ (8092)2(809)1 ≡ (654481)2(809) (mod 3149). 15 To simplify the process we continually reduce modulo 3149 as we compute multi- plications. We see that 654481 ≡ 2638 (mod 3149). So by reducing, next we will obtain:

(654481)2(809) ≡ (2638)2(809) ≡ (6959044)(809) ≡ (2903)(809)

≡ 2348527 ≡ 2522 (mod 3149).

So Alice has computed that c ≡ 2522 (mod 3149) and since 0 < 2522 < 3149 she will choose c = 2522. Alice then sends her cipher text c to Bob.

Bob can now decrypt Alice’s message as

m ≡ cd (mod n)

m ≡ 25222429 ≡ 809 (mod 3149).

He notes that 0 < 809 < 3149 so Bob knows that Alice’s message m must be m = 809.

So we see Bob was able to recover and read Alice’s message “HI”.

This example allows us to see that the RSA cipher works. That is Alice was able to encrypt her message, send it to Bob, and Bob was then able to properly decrypt it and read her message. What is not as easy to see is why the cipher works. To see this we will use several of the number theory topics we have discussed so far.

Let us look at several of the elements of the RSA cipher and figure out why we chose things to have the described qualities.

Why do we choose e such that gcd(e, (p − 1)(q − 1)) = 1? Looking ahead in the cipher algorithm we see that the decryption key d is chosen so that d ≡ e−1

(mod (p−1)(q −1)). Thus e must have a multiplicative inverse modulo (p−1)(q −1), and recall that this inverse exists if and only if gcd(e, (p − 1)(q − 1)) = 1. Thus we need this property for e in order to have a decryption key d exist. 16 Why is it now then that we choose d so that de ≡ 1 (mod (p − 1)(q − 1))? What is special about (p − 1)(q − 1) when n = pq? Recall Euler’s φ -function. We have Y  1 that φ(n) = n 1 − Where p is prime. Thus for our choice of n = pq where p p p|n and q are primes we see

 1  1 φ(n) = φ(pq) = pq 1 − 1 − = (p − 1)(q − 1). p q

Then since de ≡ 1 (mod φ(n)) we are able to write de = 1+kφ(n) for some integer k.

Euler’s Theorem then tells us that for two positive integers, a and n, if gcd(a, n) = 1 then we have aφ(n) ≡ 1 (mod n).

Now consider the following:

k cd ≡ (me)d ≡ mde ≡ m1+kφ(n) ≡ m1 · mφ(n) ≡ m · 1k ≡ m (mod n).

So indeed, because of the construction of e, d, and c we have proved mathematically that Bob is able to successfully recover the secret message m.

You may have noticed that Euler’s Theorem has a condition that gcd(a, n) = 1.

But in the RSA cipher we never state that we need m relatively prime to n. In fact, because of the construction of the RSA algorithm we do not need the condition of gcd(m, n) = 1. The cipher will still work even if they are not relatively prime. A curious reader could prove this by following the outline given in Chapter 6, Exercise

19 of [8].

Intuitively we can also discover, however, that the probability of having an m such that gcd(m, n) 6= 1 is extremely small for our choice of n = pq where p and q are very large primes. That is because to have gcd(m, n) 6= 1 then we must have that m is a positive multiple of p or of q. Suppose that we would like to find a random integer k in the range 0 < k ≤ n = pq. The probability that k will be divisible by p or q will be q p 1 1 1 1 + − = + − . That is because the positive multiples of p which are less pq pq pq p q pq than or equal to n are p, 2p, 3p, . . . , qp = n. So there are q such possibilities. Similarly 17 the positive multiples of q which are less than or equal to n are q, 2q, 3q, . . . , pq = n.

So there are p such possibilities. We then get the final result by adding up these two probabilities and subtracting off the overlap (that k = pq = qp = n). So if p and q are large numbers then the probability of m and n not being relatively prime is extremely small.

The security of the RSA cipher is based on the difficulty of factoring large integers into their prime factorization. The decryption key d is easily computed when φ(n) is known, however φ(n) is not easily know without having the prime factorization n = pq which is difficult to deduce from knowing only n.

To give a bit of intuition behind this consider that a common way of looking for prime factors of a number n is to divide n by all of the prime numbers less than √ or equal to n and see if they divide n. In mathematics there is a prime-counting function π(x) which estimates the number of primes less than or equal to x. The Prime x Number Theorem tells us that is a good approximation for π(x) as x → ∞. So ln x √ for a large value of n, we will have that π( n) is a very large number. That would lead to many divisibility checks needing to be made which would be an extremely time consuming computational process. This example is certainly not the best way of attempting to factor n, but it gives some intuition as to why it is hard to factor n. Even the best known algorithms for attempting to factor n are very “bad” in that they take an infeasible amount of time to run if n is very large [1,8].

Something important to notice about the RSA algorithm is how c and m are chosen after the modular computation has been completed. In order to determine them we calculate that c ≡ me (mod n) and m ≡ cd (mod n). When we compute a (mod n) what we are really finding are equivalence classes of numbers which all have the same remainder when divided by n. This is called the residue class of a modulo n and can be denoted a n. So for example we see that r ≡ 2 (mod 5) J K

18 is really describing the set of numbers {..., −8, −3, 2, 7, 12, ...} = 2 5. In the RSA J K algorithm, however, what we really want are particular numbers c and m. This is why we choose c and m so that they lie in the interval (0, n). In doing so we guarantee the uniqueness of c and m for the use of the cipher. Such a c and m are called the least positive residue of me (mod n) and cd (mod n) respectively. That is to say,

e for example, c is the smallest positive integer in m n. (Note that based on our J K orginal creation of m we will not have c or m equal to 0 in the RSA cipher. In general settings, however, a residue can be 0 and so the least non-negative residue is used.)

When implementing this in computer coding often we would use b = a % n rather than using b ≡ a (mod n) and specifying which value of b to choose. The command a%n returns the least non-negative residue of a (mod n) which is precisely the desired result.

19 CHAPTER 3

CRYPTOGRAPHIC SYSTEMS BASED ON THE

DISCRETE LOGARITHM PROBLEM

3.1 The Discrete Logarithm Problem

There is a famous problem in mathematics known as the Discrete Logarithm Problem

(DLP) which has been very well used in the world of cryptography. The DLP has the potential of being a very difficult problem to solve and so cryptographers have created ciphers in which cracking the system would require solving the DLP. We will explain this in greater detail once we define the Discrete Log Problem, but before we do so, we will explain several preliminary concepts. For more in depth explanations of any of these topics, readers can reference [3] or [7].

Definition 3.1.1. The multiplicative group of units modulo n, represented by the

× notation (Z/nZ) , is the set of integers, k, with 1 ≤ k < n such that gcd(k, n) = 1, combined with the operation of multiplication modulo n.

Definition 3.1.2. Given a positive integer n and an integer a satisfying gcd(a, n) = 1 we define the of a modulo n to be the smallest positive integer

k k such that a ≡ 1 (mod n). We will denote this by ordn(a) = k.

Example: Consider n = 9 and find the order of a = 4 modulo 9.

41 ≡ 4 6≡ 1 (mod 9), 20 42 ≡ 16 ≡ 7 6≡ 1 (mod 9),

43 ≡ (42)(4) ≡ 7 · 4 ≡ 28 ≡ 1 (mod 9).

k So ord9(4) = 3 since 3 is the smallest positive integer satisfying 4 ≡ 1 (mod 9). We saw in Chapter 1 (Theorem 2.1.2) that for any a satisfying gcd(a, n) = 1, we

φ(n) had a ≡ 1 (mod n). Thus we can conclude that we must have ordn(a) ≤ φ(n).

A much stronger conclusion can be shown which states that ordn(a) must divide φ(n). For those familiar with group theory, this can be seen as a specific example of the order of an element dividing the order of the group since the order of the group

× (Z/nZ) is φ(n). Knowing this fact can make the process of finding the order of an element much easier. Rather than checking all possible exponents from 1 up to φ(n), we only need to check those exponents which are divisors of φ(n). For the above example, we could have determined that ord9(4) was either 3 or 9 since those are the only divisors of 9 that are less than or equal to 9 and only checked those values.

Definition 3.1.3. Given a positive integer n we call an integer g a if every integer a which is relatively prime to n can be expressed as gk ≡ a

(mod n) for some positive integer k.

This is the same as saying that g satisfies ordn(g) = φ(n). Thinking of this in

× terms of group theory, this would mean that the group (Z/nZ) is cyclic and that g is a generator for that group.

It is important to note that in general primitive roots will not exist for all arbitrary n. The following theorem states for which moduli n a primitive root will exist.

Theorem 3.1.1. Given a positive integer n, a primitive root modulo n will exist if and only if n is of one of the following forms:

• n = pk for and odd prime p and an integer k with k ≥ 1

21 • n = 2pk for and odd prime p and an integer k with k ≥ 1

• n = 2, or 4

It is sometimes also included that n = 1 has a primitive root trivially. The main point which we will take away from this theorem for use in the cryptographic ciphers we will discuss is that every modulus which is an odd prime will have a primitive root.

Examples: Consider n = 10. We see that 10 = 2 · 5 and since 5 is an odd prime, then it follows that there will be a primitive root modulo 10. We will show that g = 3 is a primitive root modulo 10. The integers less than or equal to 10 which are relatively prime to 10 are 1, 3, 7, and 9. We see:

31 ≡ 3 (mod 10),

32 ≡ 9 (mod 10),

33 ≡ 27 ≡ 7 (mod 10),

34 ≡ 81 ≡ 1 (mod 10).

So we can see that g = 3 can generate all of the integers relatively prime to 10. We also see that ord10(3) = 4 = φ(10). Consider n = 7. Since 7 is prime then a primitive root will exist. We will show g = 5 is a primitive root modulo 7. All positive integers strictly less than 7 are relatively prime to 7 and so for each such integer j there should be an exponent k such that 5k ≡ j (mod 7). Consider:

51 ≡ 5 (mod 7),

52 ≡ 25 ≡ 4 (mod 7),

53 ≡ (52)(5) ≡ (4)(5) ≡ 20 ≡ 6 (mod 7), 22 54 ≡ (53)(5) ≡ (6)(5) ≡ 30 ≡ 2 (mod 7),

55 ≡ (54)(5) ≡ (2)(5) ≡ 10 ≡ 3 (mod 7),

56 ≡ (55)(5) ≡ (3)(5) ≡ 15 ≡ 1 (mod 7).

So indeed 5 is a primitive root modulo 7 and ord7(5) = 6 = φ(7). When working with a modulus, n, which we know will have a primitive root, then we can find a more efficient way to check if g is a primitive root modulo n. Recalling from above we saw that ordn(a) must be less than or equal to φ(n) and must divide

φ(n). We also had that g was a primitive root modulo n if ordn(g) = φ(n). Thus, we can check that g is a primitive root modulo n by checking that no proper divisor, k, of φ(n) satisfies gk ≡ 1 (mod n). That is to say, that no proper divisor of φ(n) is the order of g modulo n and so we must have ordn(g) = φ(n) so g must be a primitive root modulo n. Another important note to make is that if ordn(g) = k then we have gck ≡ (gk)c ≡ (1)c ≡ 1 (mod n) for any positive integer c. Thus we can use the following process to check if g is a primitive root modulo n, when given the prime factoriation of φ(n).

a1 a2 ak Check if g is a primitive root modulo n: Given φ(n) = p1 p2 ··· pk , for each i = 1, 2, . . . , k compute gφ(n)/pi (mod n). If gφ(n)/pi 6≡ 1 (mod n) for all i = 1, 2, . . . , k then g is a primitive root modulo n, otherwise g is not a primitive root modulo n.

This check works much faster than checking all of the proper divisors of φ(n) to see

a1 a2 ak if they are ordn(g). What we have is that any proper divisor of φ(n) = p1 p2 ··· pk , will be a proper divisor of, or equal to, φ(n)/pi for some i = 1, 2, . . . , k. Thus if ordn(g) is a proper divisor if φ(n) then it will be a divisor of, or equal to φ(n)/pi for some i = 1, 2, . . . , k, and so we will have gφ(n)/pi ≡ 1 (mod n) for that value of i.

23 Example: Check that g = 11 is a primitive root modulo p = 71 given that

φ(p) = 70 = 2 · 5 · 7. Check the following:

1170/2 ≡ 70 6≡ 1 (mod 71),

1170/5 ≡ 54 6≡ 1 (mod 71),

1170/7 ≡ 32 6≡ 1 (mod 71).

So we can see that none of the divisors of φ(71) = 70 are the order of 11 modulo 71, so it must be that ord71(11) = 70 = φ(71). Thus g = 11 is a primitive root modulo p = 71.

An interesting point to make here is that trying to find the prime factorization of φ(n) is a “hard” problem. In fact, if n is not a prime, even finding φ(n) can be hard because we would need to know the prime factorization of n. We can recall that the security of the RSA cipher discussed in Section 2.2 was based on the fact that factoring large numbers was hard. So unless we know φ(n) and its factorization, this method is not very practical. We will discuss this issue and how it could be handled in the next section after we discuss the ElGamal Cipher.

Now that we have discussed these preliminary topics, let us discuss the Discrete

Logarithm Problem.

Discrete Logarithm Problem (DLP): Given a positive integer modulus n, and two positive integers s and t = sm, both reduced modulo n, find m. We call the smallest positive integer m such that t ≡ sm (mod n) the discrete logarithm base s of t modulo n.

Example: Find the discrete logarithm base 5 of 2 modulo 7. That is, we want to find the smallest integer m so that 5m ≡ 2 (mod 7). With a small amount of trial and error we can find that 54 ≡ 2 (mod 7) so m = 4.

24 When working in the standard real numbers, solving logarithms is a very well understood problem. We can use series to accurately solve for or give good approx- imations for real valued logarithms, and so for a computer this would be considered

× an “easy” problem. When working in the finite group of (Z/pZ) for an odd prime p, the Discrete Log Problem (DLP) can be a very difficult problem to solve. In par- ticular if we choose s = g where g is a primitive root modulo p then solving the DLP becomes extremely difficult, especially as p becomes very large. The intuition behind why this particular problem is so hard is that since g is a primitive root modulo p then, by its definition, every integer a which is relatively prime to p can be expressed as gk ≡ a (mod p) for some positive integer k ∈ [1, φ(p)] where φ(p) = p − 1. Since p is a large prime then all integers 1, . . . , p − 1 are relatively prime to p. Thus for a random exponent k ∈ [1, p − 1], gk has an equal probability of being equivalent modulo p to any a ∈ [1, p − 1]. As p then becomes very large, the probability of choosing the correct exponent, k, for which gk ≡ t (mod p) for a given integer t is 1 which is extremely small. p − 1 To date, there are no known “fast” algorithms which can solve this DLP [1, 8].

Because of this difficulty, cryptographers have developed ciphers which are based upon the DLP. That is, they have developed systems in which, in order to crack the system, one would need to be able to solve the DLP. In the next two sections we will discuss two different cryptographic ciphers which implement the Discrete Log

Problem, and we will explain the mathematical applications that we can find in them.

3.2 Diffie-Hellman Key Exchange

We can recall from Section 1.2 the difference between public-key ciphers and private- key ciphers. One benefit of private-key ciphers is that they are often much faster computationally than public-key ciphers are. So for this benefit they are still widely

25 used for communication. A very real issue can arise, however, when trying to use a private-key cipher.

Suppose Bob and Alice want to communicate privately using a symmetric cipher.

To do this they both need to know a shared key which will allow them to encrypt and decrypt the information that they send to one another. But, they currently do not have any secure way of communicating (it is possible they have never even met each other before!), so they cannot just publicly discuss what key to use as it might be overheard and intercepted by Eve the eavesdropper. They need a way to securely establish a secret shared key which they can use for their private-key cipher without

Eve (who presumably can read/hear all of their current communication) being able to find out what the key is.

One way that this problem can be solved is with the Diffie-Hellman Key Exchange.

This key exchange was first published by Whitfield Diffie and Martin Hellman in

1976 [1, 8]. The idea is that we can use a type of dual public-key cipher in order to create a shared key for a private-key cipher. We will explain how this cipher works and then discuss some of the mathematical applications that we can see are used.

Diffie-Hellman Key Exchange: Suppose Bob and Alice wish to establish a shared secret key for use in a private-key cipher. They can do so using the following method.

A large prime number p is chosen and a primitive root g modulo p is chosen. Both numbers p and g can be made public, and so Alice and Bob can share these with each other through insecure channels.

Once p and g are established then Alice will choose a secret large integer x and

Bob will choose a secret large integer y. They can choose these such that 1 ≤ x < p−1 and 1 ≤ y < p − 1.

Alice computes X = gx (mod p), chooses the value of X satisfying 0 < X < p,

26 and sends X to Bob. Similarly, Bob computes Y = gy (mod p), chooses the value of

Y satisfying 0 < Y < p, and sends Y to Alice.

Once they have received these messages each of Alice and Bob can compute a shared private-key K. Alice does this by computing K ≡ Y x (mod p) and Bob does this by computing K ≡ Xy (mod p) and each chooses K such that 0 < K < p. We can see that they have computed the same key K by observing that

Y x ≡ (gy)x ≡ (gx)y ≡ Xy (mod p).

Let us do an example so that we can see how this system works. For our example we will be using relatively small numbers so that the computations we need to make do not get out of hand. A true implementation of the Diffie-Hellman Key Exchange would need to use a very large value of p and would use a computer to carry out all of the computations.

Example: Bob and Alice agree to use p = 71. They need to find a primitive root g modulo p = 71. They try g = 11. We have already shown in a previous example in Section 3.1 that g = 11 is a primitive root modulo p = 71, so we will skip the computation here.

Alice then chooses her secret integer. She picks x = 12 which is in the interval

[1, 70). Similarly Bob chooses his secret integer y = 47 which is in [1, 70).

Alice computes

X ≡ gx ≡ 1112 ≡ 38 (mod 71).

She chooses X = 38 since 0 ≤ 38 < 71 and sends X = 38 to Bob.

Bob computes

Y ≡ gy ≡ 1147 ≡ 33 (mod 71), chooses Y = 33 since 0 ≤ 33 < 71, and sends Y = 33 to Alice. 27 Once Alice receives Bob’s message containing Y = 33 she computes

K ≡ Y x ≡ 3312 ≡ 15 (mod 71) and determines K = 15 since 0 ≤ 15 < 71.

Similarly once Bob receives Alice’s X = 38 he computes

K ≡ Xy ≡ 3847 ≡ 15 (mod 71) and determines K = 15 since 0 ≤ 15 < 71. Now Bob and Alice have a secret shared key of K = 15. We won’t discuss how they can use it specifically, but they now have K as a commonly shared piece of secret information, which they can use as a private-key for encryption in a symmetric cipher in order to communicate without

Eve being able to decipher what they are saying.

Why is it that the Diffie-Hellman key exchange is secure? That is, if Eve is an eavesdropper listening in on Bob and Alice’s communications, why is Eve not able to

find K for herself? Eve will be able to know p, g, X and Y since all of these are sent via insecure communication channels. If Eve wanted to compute K she would need to compute gxy (mod p). Eve does not know x or y, however, unless she can solve the discrete logarithm problem to obtain either y from Y ≡ gy (mod p) or x from

X ≡ gx (mod p). Thus the security of the Diffie-Helman key exchange is based on the difficulty of computing discrete logarithms over finite groups. In particular the discrete log problem is difficult in the group of units modulo p when the base of the logarithm, g, is a primitive root modulo p.

Let us consider why it is sufficient for Alice and Bob to choose integers x and y which lie in the interval [1, p−1). In Chapter 1 we looked at the Euler- φ function and

Euler’s Theorem (Definition 2.1.6 and Theorem 2.1.2). We saw that for a prime p we had φ(p) = p−1 and that for any integer a relatively prime to a modulus n, aφ(n) ≡ 1

(mod n). When computing modular exponentiation, then, it is sufficient to consider 28 the exponent modulo φ(n). This is because, for any k we can write k = qφ(n) + r for an integer q and integer r satisfying 0 ≤ r < φ(n). So then

ak ≡ aqφ(n)+r ≡ (aφ(n))q(a)r ≡ (1)q(a)r ≡ ar (mod n).

So if, for example, Alice chose x > φ(p) = p − 1 then gx (mod p) would be equivalent to gx0 (mod p) for some integer x0 in [0, p − 1) with x ≡ x0 (mod p − 1). Alice further does not want to choose x = 0 since then gx ≡ 1 (mod p) which is not very secure.

So she should choose x in [1, p − 1), and Bob should choose y similarly, in order to minimize the time it takes them to compute X and Y .

In this key exchange, we see that, Bob and Alice have to compute several modular exponentiations. To do this efficiently they should use a method such as successive squaring. Example of how this is done can be seen in the example of the RSA Cipher in Section 2.2, and in the example of the ElGamal Cipher in the section below.

3.3 ElGamal Cipher

The ElGamal Cipher is another example of a public-key cipher which was developed by Taher ElGamal in 1985 [1, 8]. It allows a person, say Bob, to publically publish an encryption key, which another person such as Alice can use to encode a secret message to send to Bob and only he will have the ability to decode the message. The security of ElGamal, similar to Diffie-Hellman, is based on the difficulty of solving the

× discrete log problem in the multiplicative group (Z/pZ) . Let us now look at how the ElGamal Cipher works, after which, we will work through an example which will give us some good practice applying the number theory concepts we have learned. Then we will discuss some interesting complications which can arise in the implementation of both the ElGamal Cipher and the Diffie-Hellman Key Exchange.

ElGamal Cipher: Bob wishes to establish a public-key so that people may send

29 him encypted messages which only he can decrypt. To do this, Bob will choose a secret large prime p and find a primitive root g modulo p. He then chooses a secret integer d in the interval [1, p − 1). This value d will serve as his decryption key later.

Bob then computes x ≡ gd (mod p), and chooses x satisfying 0 < x < p. Bob then publishes (p, g, x) as his encryption public-key.

Alice wants to send a secret message m to Bob. If m ≥ p then she will break up m into smaller blocks each of which is less than p and encrypt them individually. For now we will assume 0 < m < p. First Alice will choose her own secret random integer r and computes k ≡ gr (mod p) choosing k satisfying 0 < k < p. Next she computes c ≡ xrm (mod p) choosing c satisfying 0 < c < p. Alice sends the pair (k, c) to Bob.

(Note that k is sometimes referred to as a “header” for the message and it serves as a key for Bob to decrypt Alice’s ciphertext c.) r Once Bob receives Alice’s pair (k, c) he first computes kd ≡ (gr)d ≡ gd ≡ xr

(mod p). Then he finds the multiplicative inverse (xr)−1 of xr modulo p. Finally, he can decrypt Alice’s message by computing the multiplication (xr)−1 · c ≡ m (mod p) and choosing m satisfying 0 < m < p.

This final decryption step works because we see:

(xr)−1 · c ≡ (xr)−1 · (xrm) ≡ (xr)−1 · xr · m ≡ 1 · m ≡ m (mod p).

Example: Bob chooses p = 1549 as his secret prime, and g = 19 as a primitive root modulo p. Let us check that g = 19 is in fact a primitive root modulo p = 1549 using the method described in Section 3.1. We see φ(1549) = 1548 and have that

1548 = 22 · 32 · 43. Now check:

191548/2 ≡ 1548 6≡ 1 (mod 1549),

191548/3 ≡ 1273 6≡ 1 (mod 1549),

191548/43 ≡ 425 6≡ 1 (mod 1549). 30 So none of the divisors of φ(p) are the order of 19 modulo 1549, so 19 must satisfy ord1549(19) = 1548 = φ(1549) and be a primitive root. Now Bob chooses a secret integer d in the interval [1, 1548). He chooses d = 23. Next he computes

x ≡ gd (mod p).

An efficient way to compute modular exponentiation is by a process known as successive squaring. This process will be outlined in the computation bellow. Notice that with each step we continually are reducing modulo 1549 so that the numbers we are working with are all relatively small. For more description on successive squaring, see the example of the RSA cipher in Section 2.2.

x ≡ 1923 ≡ 1916+4+2+1 ≡ 1924+22+2+1 ≡ (((192)2)2)2 · (192)2 · (19)2 · (19)

≡ (((361)2)2)2 · (361)2 · (361)(19) ≡ ((205)2)2 · (205)(361)(19)

≡ (202)2(205)(361)(19) ≡ (530)(205)(361)(19)

≡ (220)(361)(19) ≡ (421)(19) ≡ 254 (mod 1549).

Since 0 < 254 < 1549 Bob chooses x = 254. Now Bob can publish his public-key

(p, g, x) = (1549, 19, 254).

Alice wants to send a secret message “OK” to Bob. First she has to convert her message into an integer. One way she could do this is with a simple substitution of

A → 01, B → 02, etc. So she uses O → 15, K → 11 and obtains m = 1511 which is less than p = 1549 so she does not need to break up her message. Next she will choose her own secret integer r in the interval [1, 1548). She chooses r = 5. She then computes,

k ≡ gr (mod p),

k ≡ 195 ≡ 797 (mod 1549).

31 Since 0 < 797 < 1549 she chooses k = 797. Next she will compute,

c ≡ xrm (mod p),

c ≡ (254)5(1511) ≡ (726)(1511) ≡ 294 (mod 1549).

She chooses c = 294 since 0 < 294 < 1549. She then sends her message with header

(k, c) = (797, 294) to Bob.

Once Bob receives Alice’s encrypted message he first computes kd (mod p) be- cause kd ≡ (gr)d ≡ (gd)r ≡ xr (mod p).

kd ≡ (797)23 ≡ 726 (mod 1549).

So Bob has found the same xr = 726 that Alice found. Next Bob will find the multi- plicative inverse of 726 modulo 1549. To do this he can use the Euclidean Algorithm and then work backwards. This process is described in Section 2.1, following Defini- tion 2.1.5. The computation for computing the multiplicative inverse of 726 modulo

1549 can be found in the second example after Definition 2.1.5. Using this computa- tion, Bob concludes that the inverse of xr = 726 modulo p = 1549 is (xr)−1 = 1022.

To finish his decryption he then computes:

(xr)−1 · c ≡ (1022)(294) ≡ 1511 (mod 1549).

He determines Alice’s message was m = 1511 since 0 < 1511 < 1549. So Bob was indeed able to receive and decrypt Alice’s message of “OK”.

When the Diffie-Helman key exchange and ElGamal cipher are implemented, a problem arises with the way in which we have been computing primitive roots. To determine if g is a primitive root modulo p we have been checking g(p−1)/q 6≡ 1

(mod p) for all prime divisors q of (p − 1) = φ(p). This requires that we know the

32 prime factorization of (p − 1). We have purposefully chosen p to be large, which means that (p − 1) will be large. This is an issue, because the problem of finding prime factorizations of large numbers is a difficult problem. In fact, it is the difficulty of this problem that provided the security of the RSA cipher. So we cannot expect to be able to do this type of computation easily or quickly.

How then, can we determine a pair p and g so that p is prime and g is a primitive root modulo p? One way that this could be done [4] is to first choose a product of

a1 a2 ak a1 a2 ak primes q1 · q2 ··· qk , set (p − 1) = q1 · q2 ··· qk , and then check if (p − 1) + 1 = p is a prime number. If p is not prime, then the factorization of (p − 1) is altered and the new resulting p is checked for primality. Once we find a p which is a prime, we have by our construction the prime factorization of φ(p) = (p − 1), so we can now use the process of choosing a g and checking if it is a primitive root modulo p by the process described in Section 3.1. By clever choices for (p − 1) we can find a prime p in a reasonable amount of time.

It also may seem surprising that checking if p is prime is an easier problem than

finding a prime factorization. Primes satisfy many special properties and these prop- erties can be used to create clever algorithms which check for primality (or sometimes for compositeness). For example the Rabin-Miller Strong Pseudoprime Test uses facts from Fermat’s Little Theorem to test probabilistically if a number is prime [10]. This algorithm runs in “polynomial time” which simply means it is considered to be “fast” in a computational sense. So checking for primality can be done without having to try factoring the number into prime factors and is indeed a much easier problem than prime factorization.

33 CHAPTER 4

ELLIPTIC CURVE CRYPTOGRAPHY

In the previous chapters we have been looking at several cryptographic ciphers which

× were based on the multiplicative group (Z/nZ) , that is, the multiplicative group of units modulo n. Several cryptographic ciphers, such as Diffie-Hellman and ElGamal, can be generalized to be used with other groups. A different group which has become popular for use in cryptography is the additive group defined by the rational points of an elliptic curve over a finite field. We will explain further what this group is and how the group addition works in a moment. For now we will note that for the sake of this paper, we will not be delving into the study of elliptic curves with any real amount of depth. We will simply be introducing the group which they can generate, and observing how this new group can be applied to the area of cryptography. The key thing to remember is that an elliptic curve over a finite field generates an additive,

finite, abelian group in which we can define the discrete logarithm problem. As additional resources, readers can reference [6] or [9].

4.1 Elliptic Curves

An elliptic curve, E, is a curve which is given by an equation of the form

E : y2 = x3 + Ax + B

34 such that the discriminant of the curve is non-zero. That is, we need the curve to be nonsingular. The discriminant of E as written above is given by ∆ = 4A3 + 27B2.

An elliptic curve is often considered over a field. This means that for the curve

E, we will have A, B, x, and y belonging to some field F, and the discriminant of E, 3 2 ∆ = 4A + 27B , to be nonzero as an element of F. This field, for example, could be k R, Q, C, or Fq which is the finite field with q elements where q = p for some prime p and positive integer k.

We will run into some problems with the the discriminant of the curve E given above if our field is of characteristic 2 or 3. If we are working with such a field then we can use a more general form of a curve given by,

2 3 2 E : y + c1xy + c2y = x + c3x + c4x + c5.

When our field, F, is not of characteristic 2 or 3 then this curve, E, can be “normalized” to be written in the form given by E. An elliptic curve in the form of

E is often referred to as a curve in Weierstass normal form. We will continue to use and refer to elliptic curves given by E, in Weierstass normal form, but just be aware that a generalized form of a curve as given by, E, could be used.

Elliptic curves over finite fields are very useful in application to cryptography. In general any finite field, Fq, could be used. For the examples this paper we will often choose to work in Fp, where p is an odd prime. This is because the field structure for a general q can be rather difficult to work with, whereas, the structure of the

field Fp simply requires us to work modulo p which will simplify our explanations and examples nicely.

Once we have a curve E over a field, we can form an additive group from the set of points on the curve. A point on an elliptic curve over a field is defined to be a point (x, y) which is a solution to the equation given by E (denoted by (x, y) ∈ E), and satisfies that both x and y are elements of the field. There additionally will be a 35 point O, which is the point “at infinity”, which will be on every curve. The derivation of this point O comes from projective geometry, and we will skip it for this paper as it veers to far away from our desired discussions. Thus, we can define the set of points on the curve E over the field F by

E(F) = {O, (x, y) ∈ E | x, y ∈ F}.

Such points are often referred to as the rational points of the curve. We will discuss how a group law is defined for such a set in a moment, but first let us give an example of finding rational points on an elliptic curve over a finite field.

Example: Let us consider the elliptic curve Ee : y2 = x3 + x + 1 over the finite

field F5. We wish to find all of the rational points of the curve. We know that we will have Ee(F5) = {O, (x, y) ∈ Ee | x, y ∈ F5}. So to find all such points (x, y) we can plug in each of the elements of F5 in for x and determine which yield a square in F5. Before we do that let’s find what the squares in F5 are. Recalling that we are working modulo 5, we have:

02 = 0, 12 = 1, 22 = 4, 32 = 4, and, 42 = 1.

So the squares in F5 are 0, 1, and 4. Now plug in x = 0, 1, 2, 3, 4 into the right hand side of Ee and see if the result is a square. (Remember, for all of our computations in

F5 we work modulo 5).

03 + 0 + 1 = 1 (1 = 12 or 42)

13 + 1 + 1 = 3 not a square

23 + 2 + 1 = 3 + 2 + 1 = 1 (1 = 12 or 42)

33 + 3 + 1 = 2 + 3 + 1 = 1 (1 = 12 or 42)

43 + 4 + 1 = 4 + 4 + 1 = 4 (4 = 22 or 32)

Thus we have Ee(F5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}. 36 An additive group operation can be defined for E(F). The way in which the addition law is defined is found through a geometric construction involving drawing lines through rational points. For our needs, however, let us just look at a specific case. We will give the resulting formulas which are used for E(Fq) where E is the 2 3 curve given by y = x + Ax + B and Fq is the finite field with q elements, where q = pk for an odd prime p and positive integer k [5].

Addition Law for E(Fq):

To add two points P1 and P2 in E(Fq) there several main cases:

• First case

 If P1 = O then P1 + P2 = O + P2 = P2. (Similarly if P2 = O.)

• For the rest of the cases, let us assume that neither P1 nor P2 are equal to O.

 If P1 6= P2 and x1 = x2 then we have P1 + P2 = O.

 Also if P1 = P2 and y1 = y2 = 0 then we have P1 + P2 = 2P1 = O

• For the next two cases we will define a λ and an υ which will then be used to

compute P1 + P2.

 If P1 6= P2 and x1 6= x2 then let

−1 −1 λ = (y2 − y1)(x2 − x1) and υ = (y1x2 − y2x1)(x2 − x1) .

 If P1 = P2 and y1 6= 0 then let

2 −1 3 −1 λ = (3x1 + A)(2y1) and υ = (−x1 + Ax1 + 2B)(2y1) .

2 3  Then, for both of these cases, we have P1 + P2 = (λ − x1 − x2, −λ +

λ(x1 + x2) − υ).

37 In all of the above calculations it is important to remember that the values we are working with are all to be considered as elements of the finite field Fq. If we have q = p for an odd prime p then in all of the computations we can continually be reducing modulo p, and the value of (n)−1 is the multiplicative inverse of n modulo p.

Another important note to make is that the calculations above are specific to the curve E : y2 = x3 + Ax + B. There is a general process through which these calculations were derived which could be used to calculate an explicit addition rule for other elliptic curves. We will skip the discussion of this process since we do not need to know it to understand the cryptographic applications which we are interested in discussing. An interested reader can learn more about this process from [6].

It can be shown that the set E(Fq) under the additive operation gives a finite abelian group. This group has its identity element as O, and the additive inverse of the point P = (x, y) is −P = (x, −y), where −y is the additive inverse of y in Fq. For the specific case described above, in which we gave instructions on how to add two points in E(Fq), it is a fairly simple exercise to show these two facts as well as to show that the addition described is commutative. It is not as easy so show that the addition is associative, which is necessary as a group property, however with a bit of work and a lot of cases it can be proved that it is.

Let us take a look at an example of how to add points on an elliptic curve over a

finite field.

Example: Recall that for the elliptic curve Ee : y2 = x3 +x+1 over the finite field

F5, we found Ee(F5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}. Let’s practice adding some of these points using the rules described above. (Remember that because we are working in F5, our numerical computations are all made modulo 5.)

38 • Add O to O: O + O = O.

• Add O to (0, 4): O + (0, 4) = (0, 4).

• Add (3, 1) to (3, 4): The points are not equal, but the x coordinates are, so

these points are inverses of one another and we have (3, 1) + (3, 4) = O.

• Add (0, 1) to (2, 4): We have (0, 1) 6= (2, 4) and 0 6= 2 so let

λ = (4 − 1)(2 − 0)−1 = (3)(2)−1 = (3)(3) = 4

and υ = (1 · 2 − 4 · 0)(2 − 0)−1 = (2)(3) = 1.

Then (0, 1) + (4, 2) = (42 − 0 − 2, −43 + 4(0 + 2) − 1) = (4, 3).

• Add (0, 1) to (4, 2): We have (0, 1) 6= (4, 2) and 0 6= 4 so let

λ = (2 − 1)(4 − 0)−1 = (1)(4)−1 = (1)(4) = 4

and υ = (1 · 4 − 2 · 0)(4 − 0)−1 = (4)(4) = 1.

Then (0, 1) + (4, 2) = (42 − 0 − 4, −43 + 4(0 + 4) − 1) = (2, 1).

• Add (0, 1) to (0, 1): Since the two points are equal and y 6= 0 then let

λ = (3 · 02 + 1)(2 · 1)−1 = (1)(3) = 3

and υ = (−03 + 1 · 0 + 2 · 1)(2 · 1)−1 = (2)(3) = 1.

Then (0, 1) + (0, 1) = 2(0, 1) = (32 − 0 − 0, −33 + 3(0 + 0) − 1) = (4, 2).

When considering an elliptic curve over a finite field, we can also define the discrete logarithm problem for the group E(Fq). Elliptic Curve Discrete Logarithm Problem (ECDLP): Given two points

S and T = mS in E(Fq), find m. We call the smallest positive integer m such that

T = mS in E(Fq) the discrete logarithm base S of T in E(Fq). 39 × Recall that in (Z/nZ) , the discrete logarithm was described through exponentia- tion, whereas now for E(Fq) it is described through multiplication by an integer. This × is because for (Z/nZ) the operation being performed is multiplicative, whereas for

E(Fq) it is additive. For a multiplicative group, repeated operations are expressed via exponentiation. For example x·x·x = x3. But for an additive group, repeated opera- tions are expressed through multiplication by an integer. For example x+x+x = 3x.

So the representation of the discrete logarithm is altered slightly in this new context to account for this difference.

In order to use elliptic curves in the area of cryptography we again make use of the difficulty of the discrete logarithm problem, as was done in Chapter 3. In order to make this successful the implementation must make use of elliptic curves over finite

fields which create a group in which the ECDLP is actually hard. For certain “bad” curves, the ECDLP will be too easy to solve and would compromise the security of the cipher. An example of this would be if the group E(Fp) has exactly p elements. In this case there is a homomorphism from E(Fp) to the additive group Z/pZ (integers modulo p) and solving the discrete log problem in Z/pZ is an easy problem since we know how to find multiplicative inverses modulo p [5]. So such a curve would not be a very good choice to use for a cryptographic cipher.

For most elliptic curves, however, the fastest known algorithms for solving the

ECDLP are extremely slow, and for large enough values of q in E(Fq) running such algorithms would be infeasible [5]. There has been a lot of study as to which curves are best to use and these curves are used when the ciphers we will discuss are actually implemented.

A benefit of using elliptic curves in cryptography is that these ciphers can use smaller key sizes and message sizes while still offering the same level of security as

× ciphers using (Z/pZ) . This can cause them to run faster and be more efficient.

40 4.2 Diffie-Hellman Key Exchange for Elliptic Curves

In Section 3.2 we learned about the Diffie-Hellman Key Exchange for the multiplica-

× tive group (Z/nZ) . The same algorithm can be redefined to instead use the additive group E(Fq) [9]. The implementation of these two versions will look very different × because working in E(Fq) is very different than working in (Z/nZ) . However, if we compare the algorithms for the two versions, we will discover that they have the exact same structure. The differences which we can see are only a result of the dif- ferences in the way in which repeated operations are expressed and computed in the two different groups.

Diffie-Hellman Key Exchange for Elliptic Curves: Suppose Bob and Alice wish to establish a shared secret key for use in a private-key cipher. They can do so using the following method.

Alice and Bob choose an elliptic curve E over a finite field Fq. Next they choose a rational point on the curve, P , so that P has a large order in the group of rational points, E(Fq). E, Fq and P can be sent through insecure channels. Once these have been chosen, Alice will choose a secret integer w and compute

W = wP as a point in E(Fq), and then send W to Bob. Similarly Bob will choose a secret integer z and then compute Z = zP as a point in E(Fq), sending Z to Alice. Bob and Alice can then compute their shared key as follows. Alice computes

K = wZ and Bob computes K = zW as points in E(Fq). They can then use some agreed upon number derived from this point such as the value of the x coordinate as their shared key. They will be sure to obtain the same point K because we have:

wZ = w(zP ) = wzP = zwP = z(wP ) = zW.

Example: Bob and Alice decide to use the curve Ee : y2 = x3 + x + 1 over the

41 finite field F5. They also choose to use the point P = (0, 1). Recall that in our examples in Section 4.1, we found

Ee(F5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}.

We also found in our previous examples in Section 4.1 that in this group, 2(0, 1) =

(4, 2) and that 3(0, 1) = (0, 1) + (4, 2) = (2, 1). If we continued to compute these additions we would find that the point P = (0, 1) is a generator of the group Ee(F5) because we have:

P = (0, 1) 2P = (4, 2) 3P = (2, 1)

4P = (3, 4) 5P = (3, 1) 6P = (2, 4)

7P = (4, 3) 8P = (0, 4) 9P = O.

So P = (0, 1) has order 9 in the group Ee(F5).

The information E,e Fq and P can be sent back and forth between Alice and Bob using insecure channels. To send this they could just send cetain key information in a pattern which would be understood. For example Alice could send Bob the combination (q, A, B, x, y) = (5, 1, 1, 0, 1) and he would then know that they are

2 3 3 using Fq = F5 as their finite field with the curve Ee : y = x + Ax + B = x + x + 1 and the point P = (x, y) = (0, 1).

Alice now chooses her secret integer w and computes W = wP . She chooses w = 2 and so W = 2P = (4, 2) (we know this based on the table we gave above). She sends this point W = (4, 2) to Bob.

Similarly, Bob chooses his secret integer z and computes Z = zP . Bob chooses z = 6 and computes Z = 6P = (2, 4), sending this point Z to Alice.

When Alice receives Bob’s Z she computes K = wZ = 2(2, 4). Similarly once Bob received Alice’s W he would compute K = zW = 6(4, 2). They would do this using the addition rules described in Section 4.1. We will skip showing these additions since 42 it would require a fair amount of work, and tell you that K = (2, 1). We can check this because we as readers (who know all of the information, including both Alice’s and Bob’s secret integers) can find that:

• For Alice: K = 2Z = 2(6P ) = 12P = 9P + 3P = O + 3P = 3P = (2, 1).

• For Bob: K = 6W = 6(2P ) = 12P = (2, 1).

So Alice and Bob now both have a shared point K = (2, 1) from which they can obtain a secret shared key.

4.3 ElGamal Cipher for Elliptic Curves

In Section 3.3 we discussed a public-key encryption system known as the ElGamal

Cipher. When originally described the cipher uses the finite multiplicative group of

× (Z/nZ) . Similar to the Diffie-Hellman Key Exchange, the ElGamal Cipher can be restated to use the additive group E(Fq) [9]. Let us now look at how the cipher works using elliptic curves.

ElGamal Cipher for Elliptic Curves: Bob wishes to establish a public-key so that people may send him encrypted messages which only he can decrypt. To do so,

Bob chooses an an elliptic curve E over a finite field Fq. Then he chooses a rational point P on E, so that P has a large order in the group of rational points, E(Fq).

Next he chooses a secret integer d and computes X = dP as a point in E(Fq). Bob then publishes the information E, Fq, P , and X as his public encryption key. Alice wants to send Bob a secret message, so she first expresses her message as a point M in the group E(Fq). Then Alice chooses her own secret integer r and computes K = rP as a point in E(Fq). Next she will compute C = rX + M as a point in E(Fq). Alice will then send the information pair, K and C to Bob.

43 Once Bob receives this information from Alice, he will first compute dK = d(rP ) = drP = rdP = r(dP ) = rX. Next he finds (−rX). This is the additive inverse of rX and by the construction of the group we know that this will be ob- tained by finding the additive inverse of the y coordinate of the point rX in Fq. Once he has (−rX), Bob then decrypts Alice’s message by computing M = C + (−rX) as a point in E(Fq). This final decryption works because we have:

C + (−rX) = rX + M + (−rX) = M + rX + (−rX) = M + O = M.

This cipher requires us to express a message as a point on an elliptic curve. It may be confusing as to how this could be accomplished. There are many possible ways that a message could be imbedded as a point in E(Fq). We will give one example of how this can be done for a restricted family of curves [2].

2 3 Suppose we have a curve E : y = x + Ax + B over the finite field Fp for a large prime p satisfying p ≡ 3 (mod 4). First represent the plaintext message as an p integer m in the range 0 ≤ m < − 1. Try appending three digits to the end 1000 of the integer m to create a new integer x. We hope to find an x in the range of

3 1000m ≤ x < 1000(m + 1) < p, satisfying that x + Ax + B is a square in Fp. That is that x will be part of a solution to the equation defining E. If the x we obtain after appending digits to m does not satisfy these conditions, then we try appending three different digits to the end of m to obtain a different x and check the conditions again. We will do this until we obtain an x which works. Once we have such an x, we then can choose P to be a rational point in E(Fp) given by P = (x, y) where y is such that y2 = x3 + Ax + B. There may be two choices for y but it will not matter which you choose. To then reobtain the message m we simply drop the last three digits from the coordinate x. This imbedding is called “probabilistic” because there

44 is an extremely small probability that x3 + Ax + B will be nonsquare for all x in

1000m ≤ x < 1000(m + 1) < p. Thus the imbedding will nearly always work.

4.4 The Elliptic Curve Digital Signature Algorithm

A signature is a common concept in the world of paper and pens in order to validate a person’s identity and approval of a document. When we shift into the world of sending messages and documents through electronic sources the simple concept of a person’s signature becomes a very tricky problem.

Suppose Alice is sending Bob a message and she wants to sign it so that Bob knows that it came from her and she approves its contents. How can Alice sign her message which is no longer a traditional document, but has now been converted electronically into some sort of integer? A naive solution would be to make a digital copy of Alice’s signature and send it off to Bob along with her message. This causes an issue, though, because our eavesdropper Eve could get her hands on Alice’s digitized signature and start sending out messages with Alice’s signature, masquerading as

Alice. The recipients of these fake messages sent by Eve would have no way of knowing that these documents were not in fact authentic. This could cause a lot of problems for Alice! So Alice needs a way to create a digital signature which is directly tied to her document so that only she can use it. That way, the signature cannot be separated from the document and reused with another message.

One algorithm which can be used to solve this problem is the Digital Signature

Algorithm (DSA). The original version of the DSA was formed using multiplicative

× groups such as (Z/nZ) , but a new version has recently been created to be used with elliptic curves. This new version is known as the Elliptic Curve Digital Signature

Algorithm (ECDSA) [9]. We will now take a look at how this algorithm works.

ECDSA: Alice is sending a message to Bob and she wants to be able to sign her

45 document so that Bob can ensure its authenticity. In order to do this, Alice will choose an elliptic curve E over a finite field Fq. These should satisfy that #E(Fq) = nr, where r is a large prime number and n is a small integer. n should be chosen as a small integer to help keep the algorithm efficient, common choices are n = 1, 2, or

4. Then Alice chooses a point P in E(Fq) which has order r. Next, Alice chooses a secret integer a and she computes Q = aP . She makes public Fq, E, r, P, and Q. To sign her message m, where m is an integer representation of her actual message, she first shooses a random integer k with 1 ≤ k < r and computes R = kP = (x, y).

Once she has this she computes s = k−1(m + ax) (mod r) and chooses s satisfying

0 ≤ s < r, where k−1 is the multiplicative inverse of k modulo r. Her signed document is then the triple (m, R, s).

When Bob receives the document from Alice he can verify her signature by com-

−1 pleting the following steps. First he computes u1 = s m (mod r) and chooses u1

−1 satisfying 0 ≤ u1 < r. He then computes u2 = s x (mod r) and chooses u2 sat-

−1 isfying 0 ≤ u2 < r, where s is the multiplicative inverse of s modulo r. He then computes V = u1P + u2Q. He determines that the signature is valid if he finds V = R.

We can find that this verification holds by considering that:

−1 −1 −1 −1 −1 V = u1P + u2Q = (s m)P + (s x)Q = s mP + s xaP = s (m + xa)P

= (k−1(m + xa))−1(m + xa)P = k(m + ax)−1(m + ax)P = kP = R.

The notation above may be slightly confusing. What we find is that since the order of P is r then when we compute nP we can reduce n modulo r and the result will remain the same. This is because if we write n = qr + n0 then we find that

nP = (qr + n0)P = qrP + n0P = q(rP ) + n0P = qO + n0P = O + n0P = n0P.

46 Thus by using multiplicative inverses modulo r we can obtain the desired reductions.

So the last few steps of the verification of the DSA work because we have that

(m + ax)−1(m + ax) ≡ 1 (mod r) so k(m + ax)−1(m + ax)P = k(1)P = kP = R.

The security of the ECDSA is based on the Elliptic Curve Discrete Logarithm

Problem. Say evil Eve wants to masquerade as Alice and send a document with

Alice’s signature on it. Eve would need to be able to produce a signature triple

(m, R, s) which are consistent with Alice’s publicly published information Fq, E, r, P, and, Q. Eve will be able to create her own message m and the point R = (x, y) by using Alice’s published point P and choosing her own secret integer k. Eve won’t be able to sign this message validly, however, unless she can create the corresponding s value to her m and R. In order to do this Eve must compute s = k−1(m + ax).

But, recall that a was Alice’s secret integer. So Eve would need to know a in order to masquerade as Alice. Eve knows, P and Q = aP , so in order to find a Eve would need to be able to solve the ECDLP.

It is worth noting that this algorithm is not a way to encrypt Alice’s message. If

Alice wishes to keep the contents of the message she is sending a secret, she must first encrypt the message using a cipher such as the ones we have discussed previously.

This encryption could result in her message being a very large number which would make the computations of the ECDSA very complicated and time consuming. As a result a common practice is to sign a hash of the message instead. A hash function is a type of function in computer science which takes inputs of a very large size and outputs a value of a small fixed length. So for example Alice’s message might be billions of bits long, but the hash of her message could be just 160 bits. This will greatly cut down on the computing time of creating and verifying a signature for her message.

If Alice and Bob agreed to do this then they would first need to agree on a hash

47 function to use. Alice would then take her message m and compute its hash value h. When signing her document she would use h in all of the computations instead of m. She then could still send Bob the triple (m, R, s) and when Bob received this he would know to use the agreed upon hash function to find the hash value h of m to use in his verification computations. This way Bob receives Alice’s message and has a way of validating its authenticity.

48 BIBLIOGRAPHY

[1] Paul Garrett. Making, Breaking Codes: An Introduction to Cryptology. Prentice Hall, Upper Saddle River, New Jersey, 2001.

[2] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.

[3] William J. LeVeque. Fundamentals of Number Theory. Dover Publications, Inc., New York, 1977.

[4] Victor Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2008.

[5] Joseph H. Silverman. An Introduction to the Theory of Elliptic Curves, 2006. Slides of a summer school on Computational Number Theory and Applications to Cryptography at University of Wyoming. http://www.math.brown.edu/ ∼ jhs/Presentations/WyomingEllipticCurve.pdf.

[6] Joseph H. Silverman and John Tate. Rational Points on Elliptic Curves. Springer-Verlag, New York, 1992.

[7] Harold M. Stark. An Introduction to Number Theory. The MIT Press, Cam- bridge, Massachusetts, 1970.

[8] Wade Trappe and Lawrence C. Washington. Introduction to Cryptography with Coding Theory. Pearson Prentice Hall, Upper Saddle River, New Jersey 07458, 2006.

[9] Lawrence C. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, Boca Raton, 2003.

[10] Eric W. Weisstein. Rabin-Miller Strong Pseudoprime Test. From Math- World – A Wolfram Web Resource. http://mathworld.wolfram.com/Rabin- MillerStrongPseudoprimeTest.html.

49