
EE 418 Network Security and Cryptography
Lecture #4, October 11, 2016
Polyalphabetic Classical Cryptosystems

Lecture notes prepared by Professor Radha Poovendran.
Tamara Bonaci, Department of Electrical Engineering, University of Washington, Seattle

Outline:
1. Review: The Affine Cipher
2. The Euclidean Algorithm
3. The Vigenère Cipher

1 Review: The Affine Cipher

Last week, we introduced several classical cryptosystems, and among them the Affine Cipher. The idea of the affine cipher is to first scale and then shift, which is known as the affine transformation:

$y = e_K(x) = (ax + b) \bmod 26$ (1)
$d_K(y) = a^{-1}(y - b) \bmod 26$ (2)

In this scheme, the pair (a, b) denotes the cryptographic key K used for encryption/decryption. Here we need to know which pairs (a, b) are valid keys that yield an injective encryption function, and we need to know $a^{-1}$, the modular multiplicative inverse of a, for decryption.

1.1 Decryption with the Affine Cipher

Given the modular multiplicative inverse, the congruence $y \equiv ax + b \pmod{26}$ can be solved for x as follows:

$ax \equiv y - b \pmod{26}$ (3)
$a^{-1}(ax) \equiv a^{-1}(y - b) \pmod{26}$ (4)
$a^{-1}(ax) \equiv (a^{-1}a)x \equiv 1x \equiv x \pmod{26}$ (5)
$x = a^{-1}(y - b) \bmod 26$ (6)

1.2 Problem with the Choice of a

We have shown that not all choices of a have a multiplicative inverse. In order to examine when they do, we first reviewed the concept of the greatest common divisor.

Definition 1. Given two integers a and b, the greatest common divisor of a and b (denoted gcd(a, b)) is equal to the largest integer c that divides both a and b.

We then stated the following two theorems.

Theorem 1. An integer a has an inverse (mod m) if and only if there exist numbers p and q such that
$ap + qm = 1 \pmod m$ (7)

Theorem 2. If gcd(a, m) = 1, then $ax \equiv y \pmod m$ has a unique solution.

Example: Given m = 26, for a = 13 we have gcd(13, 26) = 13 ≠ 1. Also, if a = 2 then gcd(2, 26) = 2. But for a = 9, gcd(9, 26) = 1 and hence the affine cipher works.
Similarly, for a = 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25 we have gcd(a, 26) = 1. Hence a can take a total of 12 values with unique inverses in $\mathbb{Z}_{26}$, and b can take any of the 26 values in $\mathbb{Z}_{26}$. Therefore the key space is limited to 12 × 26 = 312 values for K, and a brute force attack (exhaustive search) is possible.

Today we focus on the following question: given an integer a, how do we find its modular multiplicative inverse (mod m)? To answer this question, we need to refresh our memory about Euclidean algorithms.

2 Background: The Euclidean Algorithm(s)

The modular multiplicative inverse of an integer $a \in \mathbb{Z}_m$ can be found using either the extended Euclidean algorithm or the direct modular exponentiation method. We will first review the basic Euclidean algorithm for finding the greatest common divisor (gcd) of two integers a, b, with the assumption a > b. We will then present the extended Euclidean algorithm, which helps us find $a^{-1}$ in modular arithmetic with modulus b.

Lemma 1. Let a and b be integers. There exists a unique integer d satisfying the following properties:
1. $d \mid a$ and $d \mid b$.
2. If c is another integer such that $c \mid a$ and $c \mid b$, then $c \mid d$.
d is defined to be the greatest common divisor (gcd) of a and b.

The Euclidean algorithm can be used to find the gcd of two integers. This algorithm finds the gcd through repeated integer division. First, $r_0 = a$ is divided by $r_1 = b$ and the remainder $r_2$ is found. In the next step, $r_1 = b$ is divided by $r_2$ and the remainder $r_3$ is found. The process continues until the remainder of $r_{m-1}$ divided by $r_m$ is zero. Then $\gcd(a, b) = \gcd(r_0, r_1)$ is the last non-zero divisor, namely $r_m$. The steps of the division algorithm are as follows:

$r_0 = q_1 r_1 + r_2$
$r_1 = q_2 r_2 + r_3$
$r_2 = q_3 r_3 + r_4$
$\cdots$
$r_{m-2} = q_{m-1} r_{m-1} + r_m$
$r_{m-1} = q_m r_m$

The terms $r_i$ are the remainders at each step of the equations. The terms $q_i$ are the quotients.
Now consider the equation $r_i = q_{i+1} r_{i+1} + r_{i+2}$. The relationship between the divisor $r_{i+1}$ and the remainder $r_{i+2}$ is given by $0 \le r_{i+2} < r_{i+1}$. We also assumed that $r_0 > r_1$. Hence, we can write $r_0 > r_1 > r_2 > \cdots > r_m$.

Example: Let a = 87 and b = 24. Then we have:
87 = 3(24) + 15
24 = 1(15) + 9
15 = 1(9) + 6
9 = 1(6) + 3
6 = 2(3)
Therefore gcd(87, 24) = 3.

EUCLIDEAN ALGORITHM
Input: positive integers a and b
Output: greatest common divisor d of a and b
  r_0 ← a
  r_1 ← b
  m ← 1
  while r_m ≠ 0
    q_m ← ⌊r_{m-1} / r_m⌋
    r_{m+1} ← r_{m-1} − q_m r_m
    m ← m + 1
  end while
  m ← m − 1
  d ← r_m
  return d
Fig. 1. The Euclidean algorithm. Finds the greatest common divisor of a and b, where a > b. (After the loop exits, r_m = 0; decrementing m makes r_m the last non-zero remainder, which is the gcd.)

Some properties of the Euclidean algorithm:
1. The algorithm terminates in finitely many steps.
2. $r_m$ is the $\gcd(a, b) = \gcd(r_0, r_1)$.

Proof: The remainder sequence $r_i$ is non-negative and monotonically decreasing. The first term $r_0$ is finite. Since each remainder is an integer, the difference between any two adjacent remainders is at least one. Hence, the sequence must reach the limit value of 0 in finitely many steps. In the worst case, it will take $r_0$ steps to terminate.

To show that $r_m$ is the $\gcd(a, b)$, let us denote $d = \gcd(a, b)$. Then $d \mid a$ and $d \mid b$. Hence $d \mid r_2$. In addition, since $d \mid r_1$, $d \mid r_2$, and $r_1 = q_2 r_2 + r_3$, we can conclude $d \mid r_3$. By induction, let us assume that $d \mid r_i$ for all values of $i < j$. Then $r_{j-2} = q_{j-1} r_{j-1} + r_j$ implies that $d \mid r_j$. Hence, by induction, d divides all the remainders. In particular, $d \mid r_m$, the last non-zero divisor. On the other hand, $r_m \mid r_{m-1}$ at the last step.
Looking up one step above the last step, we have $r_{m-2} = q_{m-1} r_{m-1} + r_m$. Since $r_m$ divides the right-hand side, $r_m \mid r_{m-2}$. Continuing this way upward, by induction, let us assume that $r_m \mid r_{m-l}$ for $l < j$. Then looking at $r_{m-j} = q_{m-(j-1)} r_{m-(j-1)} + r_{m-(j-2)}$, the right-hand side is divisible by $r_m$. Hence $r_m \mid r_{m-j}$. Therefore, by induction, we have that $r_m \mid b$ and $r_m \mid a$. Hence $r_m$ is a common divisor of a and b. Since $d = \gcd(a, b)$, by definition $r_m \mid d$. We now have $r_m \mid d$ and $d \mid r_m$. Hence $d = r_m = \gcd(a, b)$.

When $\gcd(a, b) = 1$, the Euclidean algorithm also allows us to find the multiplicative inverse of a modulo b. The following lemma is key to finding the inverses.

Lemma 2. Let a and b be positive integers, and let $d = \gcd(a, b)$. Then there exist integers x and y such that
$ax + by = d$ (8)

Question: Suppose we have such integers x and y. How can we use them to find the inverse of a modulo b?

Answer: We have seen that a has an inverse mod b if and only if $\gcd(a, b) = 1$. By Lemma 2, there exist x and y such that
$ax + by = 1$ (9)
Then we can write $1 - ax = by$, which is the same as $b \mid (ax - 1)$. Finally, by definition:
$ax \equiv 1 \pmod b$ (10)
Thus, if we can find x and y satisfying Eq. (9), we can invert a modulo b. The algorithm for finding x and y is called the extended Euclidean algorithm:

EXTENDED EUCLIDEAN ALGORITHM
Input: positive integers a and b
Output: integers r, s, and t such that r = gcd(a, b) and sa + tb = r
  a0 ← a
  b0 ← b
  t0 ← 0
  t ← 1
  s0 ← 1
  s ← 0
  q ← ⌊a0 / b0⌋
  r ← a0 − q b0
  while r > 0
    temp ← t0 − q t
    t0 ← t
    t ← temp
    temp ← s0 − q s
    s0 ← s
    s ← temp
    a0 ← b0
    b0 ← r
    q ← ⌊a0 / b0⌋
    r ← a0 − q b0
  end while
  r ← b0
  return (r, s, t)
Fig. 2. The extended Euclidean algorithm.

Example 1: Let a = 7, m = 26. Find $a^{-1} \bmod m$.
First, let's look at the Euclidean algorithm.
26 = 3(7) + 5 (11)
7 = 1(5) + 2 (12)
5 = 2(2) + 1 (13)
Now, let's rewrite the last equation to put the gcd (which is 1) on the left-hand side of the equation.
1 = 5 − 2(2) (14)
From Eq. (12), we have:
2 = 7 − 5 (15)
Substituting Eq. (15) into Eq. (14) yields
1 = 5 − 2(7 − 5) = 3(5) − 2(7) (16)
We're almost there; the last step is to use Eq. (11), as follows:
5 = 26 − 3(7) (17)
so that
1 = 3(26 − 3(7)) − 2(7) = 3(26) − 11(7) (18)
And so $7^{-1} \bmod 26 = -11 \bmod 26 = 15$.

Example 2: Let a = 9, m = 26. Find $a^{-1} \bmod m$.
Again, let's first look at the Euclidean algorithm.
26 = 2(9) + 8 (19)
9 = 1(8) + 1 (20)
8 = 8(1) (21)
Now, let's rewrite the last equation to put the gcd (which is 1) on the left-hand side of the equation.
1 = 9 − 1(8) (23)
From Eq. (19), we have:
8 = 26 − 2(9) (24)
Substituting Eq. (24) into Eq. (23), we get:
1 = 9 − 1{26 − 2(9)} = 3(9) − 26 (25)
From Eq. (25), it follows that the modular multiplicative inverse of a = 9 is $a^{-1} = 3$ in mod 26 arithmetic.
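As an added example (written for this page, not code from the lecture notes), the extended Euclidean algorithm of Fig. 2 and the affine cipher of Section 1 are implemented in Python; the function names are my own, and the key-space check reproduces the count of 12 valid multipliers from Section 1.2 and the inverses found in Examples 1 and 2.

```python
# Added example, not part of the lecture notes: the extended Euclidean
# algorithm of Fig. 2, the inverse a^{-1} mod m it yields (Eq. 10), and the
# affine cipher of Eqs. (1)-(2) built on it over Z_26 (letters A-Z).

def extended_euclid(a, b):
    """Return (r, s, t) with r = gcd(a, b) and s*a + t*b = r, as in Fig. 2."""
    a0, b0 = a, b
    t0, t = 0, 1
    s0, s = 1, 0
    q = a0 // b0
    r = a0 - q * b0
    while r > 0:
        t0, t = t, t0 - q * t      # the 'temp' swap of Fig. 2
        s0, s = s, s0 - q * s
        a0, b0 = b0, r
        q = a0 // b0
        r = a0 - q * b0
    return b0, s, t


def mod_inverse(a, m):
    """a^{-1} mod m, or None when gcd(a, m) != 1 (Theorem 1 / Lemma 2)."""
    r, s, t = extended_euclid(m, a)    # s*m + t*a = r, so t*a = 1 (mod m)
    return t % m if r == 1 else None


def valid_a_values(m=26):
    """Multipliers a in Z_m that have an inverse; 12 of them for m = 26."""
    return [a for a in range(1, m) if mod_inverse(a, m) is not None]


def affine_encrypt(plaintext, a, b, m=26):
    """y = (a*x + b) mod m for each letter, Eq. (1)."""
    if mod_inverse(a, m) is None:
        raise ValueError("a = %d is not invertible mod %d" % (a, m))
    return "".join(chr((a * (ord(c) - 65) + b) % m + 65)
                   for c in plaintext.upper())


def affine_decrypt(ciphertext, a, b, m=26):
    """x = a^{-1}(y - b) mod m for each letter, Eq. (6)."""
    a_inv = mod_inverse(a, m)
    if a_inv is None:
        raise ValueError("a = %d is not invertible mod %d" % (a, m))
    return "".join(chr((a_inv * (ord(c) - 65 - b)) % m + 65)
                   for c in ciphertext.upper())
```

Calling `extended_euclid(26, 7)` returns (1, 3, -11), the coefficients of Eq. (18), and `mod_inverse(7, 26)` reduces -11 to 15.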