Lecture 3.1: Public Key Cryptography I
CS 436/636/736
Spring 2014
Nitesh Saxena
Today’s Informative/Fun Bit – Acoustic Emanations
• http://www.google.com/search?source=ig&hl=en&rlz=&q=keyboard+acoustic+emanations&btnG=Google+Search
• http://tau.ac.il/~tromer/acoustic/
4/5/2017
Public Key Cryptography -- I
2
Course Administration
• HW1 posted – due at 5pm on Jan 30 (Thu)
– Any questions?
• Regarding the programming portion of the homework
– Submit the whole modified code that you used to measure timings
– Comment the portions of the code where you made modifications
• Include a small “readme” for us to understand this
Outline of Today’s Lecture
• Public Key Crypto Overview
• Number Theory
• Modular Arithmetic
Recall: Private Key/Public Key Cryptography
• Private Key: Sender and receiver share a common (private) key
– Encryption and decryption are done using the private key
– Also called conventional/shared-key/single-key/symmetric-key cryptography
• Public Key: Every user has a private key and a public key
– Encryption is done using the public key and decryption using the private key
– Also called two-key/asymmetric-key cryptography
Private key cryptography revisited
• Good: Quite efficient (as you’ll see from the HW#1 programming exercise on AES)
• Bad: Key distribution and management is a serious problem – for N users O(N^2) keys are needed
Public key cryptography model
• Good: Key management problem potentially simpler
• Bad: Much slower than private key crypto (we’ll see later!)
Public Key Encryption
• Two keys:
– public encryption key e
– private decryption key d
• Encryption easy when e is known
• Decryption easy when d is known
• Decryption hard when d is not known
• We’ll study such public key encryption schemes; first we need some number theory.
Public Key Encryption: Security Notions
• Very similar to what we studied for private key encryption
– What’s the difference?
Group: Definition
(G, ·) (where G is a set and · : G × G → G) is said to be a group if the following properties are satisfied:
1. Closure: for any a, b ∈ G, a·b ∈ G
2. Associativity: for any a, b, c ∈ G, a·(b·c) = (a·b)·c
3. Identity: there is an identity element e such that a·e = e·a = a, for any a ∈ G
4. Inverse: there exists an element a^-1 for every a in G, such that a·a^-1 = a^-1·a = e
Abelian Group: Group which also satisfies commutativity, i.e., a·b = b·a
Groups: Examples
• Set of all integers with respect to addition (Z, +)
• Set of all integers with respect to multiplication (Z, *) – not a group
• Set of all real numbers with respect to multiplication (R, *)
• Set of all integers modulo m with respect to modulo addition (Z_m, “modular addition”)
Divisors
• x divides y (written x | y) if the remainder is 0
when y is divided by x
– 1|8, 2|8, 4|8, 8|8
• The divisors of y are the numbers that divide y
– divisors of 8: {1,2,4,8}
• For every number y
– 1|y
– y|y
Prime numbers
• A number is prime if its only divisors are 1 and
itself:
– 2,3,5,7,11,13,17,19, …
• Fundamental theorem of arithmetic:
– For every number x, there is a unique set of primes {p_1, …, p_n} and a unique set of positive exponents {e_1, …, e_n} such that
x = p_1^e_1 * ... * p_n^e_n
Common divisors
• The common divisors of two numbers x,y are
the numbers z such that z|x and z|y
– common divisors of 8 and 12:
• intersection of {1,2,4,8} and {1,2,3,4,6,12}
• = {1,2,4}
• greatest common divisor: gcd(x,y) is the
number z such that
– z is a common divisor of x and y
– no common divisor of x and y is larger than z
• gcd(8,12) = 4
Euclidean Algorithm: gcd(r_0, r_1)
Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)
r_0 = q_1 r_1 + r_2
r_1 = q_2 r_2 + r_3
...
r_{m-2} = q_{m-1} r_{m-1} + r_m
r_{m-1} = q_m r_m + 0
gcd(r_0, r_1) = gcd(r_1, r_2) = ... = gcd(r_{m-1}, r_m) = r_m
Example – gcd(15,37)
• 37 = 2 * 15 + 7
• 15 = 2 * 7 + 1
• 7 = 7 * 1 + 0
gcd(15,37) = 1
Relative primes
• x and y are relatively prime if they have no
common divisors, other than 1
• Equivalently, x and y are relatively prime if
gcd(x,y) = 1
– 9 and 14 are relatively prime
– 9 and 15 are not relatively prime
Modular Arithmetic
• Definition: x is congruent to y mod m if m divides (x-y). Equivalently, x and y have the same remainder when divided by m.
Notation: x ≡ y (mod m)
Example: 14 ≡ 5 (mod 9)
• We work in Z_m = {0, 1, 2, …, m-1}, the group of integers modulo m
• Example: Z_9 = {0,1,2,3,4,5,6,7,8}
• We abuse notation and often write = instead of ≡
Addition in Z_m:
• Addition is well-defined:
if x ≡ x' (mod m) and y ≡ y' (mod m)
then x + y ≡ x' + y' (mod m)
– 3 + 4 = 7 mod 9.
– 3 + 8 = 2 mod 9.
Additive inverses in Z_m
• 0 is the additive identity in Z_m
x + 0 ≡ x (mod m) ≡ 0 + x (mod m)
• Additive inverse of a is -a mod m = (m-a)
– Every element has a unique additive inverse.
– 4 + 5 = 0 mod 9.
– 4 is the additive inverse of 5.
Multiplication in Z_m:
• Multiplication is well-defined:
if x ≡ x' (mod m) and y ≡ y' (mod m)
then x · y ≡ x' · y' (mod m)
– 3 * 4 = 3 mod 9.
– 3 * 8 = 6 mod 9.
– 3 * 3 = 0 mod 9.
Multiplicative inverses in Z_m
• 1 is the multiplicative identity in Z_m
x · 1 ≡ x (mod m) ≡ 1 · x (mod m)
• Multiplicative inverse (x * x^-1 = 1 mod m)
– SOME, but not ALL elements have a unique multiplicative inverse.
– In Z_9: 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9)
– On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4^-1 = 7 (mod 9)
Which numbers have inverses?
• In Z_m, x has a multiplicative inverse if and only if x and m are relatively prime, i.e., gcd(x,m) = 1
– E.g., 4 in Z_9
Extended Euclidean: a^-1 mod n
• Main Idea: Looking for the inverse of a mod n means looking for x such that x*a – y*n = 1.
• To compute the inverse of a mod n, do the following:
– Compute gcd(a, n) using the Euclidean algorithm.
– Since a is relatively prime to n (else there will be no inverse), gcd(a, n) = 1.
– So you can obtain a linear combination of r_m and r_{m-1} that yields 1.
– Work backwards, getting a linear combination of r_i and r_{i-1} that yields 1.
– When you get to a linear combination of r_0 and r_1 you are done, as r_0 = n and r_1 = a.
Example – 15^-1 mod 37
• 37 = 2 * 15 + 7
• 15 = 2 * 7 + 1
• 7 = 7 * 1 + 0
Now,
• 15 – 2 * 7 = 1
• 15 – 2 * (37 – 2 * 15) = 1
• 5 * 15 – 2 * 37 = 1
So, 15^-1 mod 37 is 5.
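The Euclidean and extended Euclidean procedures from the last few slides, written out as an added example (not part of the lecture material): `gcd_steps` reproduces the division steps for gcd(15,37), `ext_gcd` carries the back-substitution to 5*15 – 2*37 = 1, and `inverse_table` shows which elements of Z_9 have inverses (3 and 6 do not, 4^-1 = 7). The function names are my own.

```python
# Added example: Euclidean algorithm, extended Euclidean algorithm and
# modular inverse, traced on the slides' numbers (gcd(15,37), 15^-1 mod 37, Z_9).

def gcd_steps(r0, r1):
    """Return the steps r_{i-1} = q_i*r_i + r_{i+1} (as tuples) and the gcd."""
    steps = []
    while r1 != 0:
        q, r = divmod(r0, r1)
        steps.append((r0, q, r1, r))    # r0 = q * r1 + r
        r0, r1 = r1, r
    return steps, r0                     # last nonzero remainder is the gcd


def ext_gcd(a, b):
    """Return (g, x, y) with x*a + y*b = g = gcd(a, b).

    Instead of working backwards by hand, carry the coefficients of a and b
    forward with each remainder: r_i is always x_i*a + y_i*b.
    """
    x0, y0, x1, y1 = 1, 0, 0, 1          # r0 = a = 1*a + 0*b, r1 = b = 0*a + 1*b
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r                      # next pair of remainders
        x0, x1 = x1, x0 - q * x1         # coefficients follow r_{i+1} = r_{i-1} - q*r_i
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """Return a^-1 mod n, or None when gcd(a, n) != 1 (no inverse exists)."""
    g, x, _ = ext_gcd(a % n, n)
    return None if g != 1 else x % n


def inverse_table(m):
    """Map every element of Z_m to its multiplicative inverse (None if none)."""
    return {x: mod_inverse(x, m) for x in range(m)}


if __name__ == "__main__":
    steps, g = gcd_steps(37, 15)
    for r_prev, q, r, rem in steps:
        print(f"{r_prev} = {q} * {r} + {rem}")       # 37 = 2*15 + 7, 15 = 2*7 + 1, 7 = 7*1 + 0
    print("gcd(37,15) =", g)                        # 1
    g, x, y = ext_gcd(15, 37)
    print(f"{x} * 15 + ({y}) * 37 = {g}")           # 5 * 15 + (-2) * 37 = 1
    print("15^-1 mod 37 =", mod_inverse(15, 37))    # 5
    print(inverse_table(9))                         # 0, 3, 6 -> None; 4 -> 7
```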
Modular Exponentiation: Square and Multiply method
• The usual approach to computing x^c mod n is inefficient when c is large.
• Instead, represent c as the bit string b_{k-1} … b_0 and use the following algorithm:
z = 1
For i = k-1 downto 0 do
  z = z^2 mod n
  if b_i = 1 then z = z * x mod n
Example: 30^37 mod 77 (37 = 100101 in binary)
z = z^2 mod n
if b_i = 1 then z = z * x mod n
i   b_i   z
5   1     30 = 1*1*30 mod 77
4   0     53 = 30*30 mod 77
3   0     37 = 53*53 mod 77
2   1     29 = 37*37*30 mod 77
1   0     71 = 29*29 mod 77
0   1     2 = 71*71*30 mod 77
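The square-and-multiply loop from the previous slides, as an added example (not from the lecture); it returns the per-bit (i, b_i, z) rows so the output can be laid next to the table for 30^37 mod 77, and `naive_power` is the c-multiplication approach the slide calls inefficient. Function names are my own.

```python
# Added example: left-to-right square-and-multiply with a trace of every bit,
# compared against the naive method and Python's built-in pow().

def square_and_multiply(x, c, n):
    """Return (x^c mod n, trace) where trace holds one (i, b_i, z) row per bit of c."""
    if n == 1:
        return 0, []
    bits = bin(c)[2:] if c > 0 else "0"   # b_{k-1} ... b_0, most significant bit first
    k = len(bits)
    z = 1
    trace = []
    for i in range(k - 1, -1, -1):        # i = k-1 downto 0
        b = int(bits[k - 1 - i])          # b_i
        z = (z * z) % n                   # always square
        if b == 1:
            z = (z * x) % n               # multiply by x only when b_i = 1
        trace.append((i, b, z))
    return z, trace


def naive_power(x, c, n):
    """Reference method: c modular multiplications (one per unit of the exponent)."""
    z = 1
    for _ in range(c):
        z = (z * x) % n
    return z


def cost(c):
    """Squarings and multiplications used by square-and-multiply for exponent c."""
    bits = bin(c)[2:] if c > 0 else "0"
    return {"squarings": len(bits), "multiplications": bits.count("1")}


if __name__ == "__main__":
    result, trace = square_and_multiply(30, 37, 77)
    print("i  b_i  z")
    for i, b, z in trace:
        print(f"{i}  {b}    {z}")
    print("30^37 mod 77 =", result)                 # 2
    print(cost(37))                                 # 6 squarings, 3 multiplications vs 37 naive
    assert result == naive_power(30, 37, 77) == pow(30, 37, 77)
```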
Other Definitions
• An element g in G is said to be a generator of a group if a = g^i for every a in G, for a certain integer i
– A group which has a generator is called a cyclic group
• The number of elements in a group is called the order of the group
• Order of an element a is the lowest i (>0) such that a^i = e (identity)
• A subgroup is a subset of a group that itself is a group
Lagrange’s Theorem
• Order of an element in a group divides the
order of the group
Euler’s totient function
• Given a positive integer n, Euler’s totient function φ(n) is the number of positive numbers less than n that are relatively prime to n
• Fact: If p is prime then φ(p) = p − 1
– {1,2,3,…,p-1} are relatively prime to p.
Euler’s totient function
• Fact: If p and q are prime and n = pq then φ(n) = (p − 1)(q − 1)
• Each number that is not divisible by p or by q is relatively prime to pq.
– E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}
– pq - p - (q-1) = (p-1)(q-1)
Euler’s Theorem and Fermat’s Theorem
• If a is relatively prime to n then a^φ(n) ≡ 1 mod n
• If a is relatively prime to p then a^(p-1) ≡ 1 mod p
Proof: follows from Lagrange’s Theorem
Euler’s Theorem and Fermat’s Theorem
EG: Compute 9^100 mod 17:
p = 17, so p-1 = 16. 100 = 6·16 + 4. Therefore,
9^100 = 9^(6·16+4) = (9^16)^6 (9)^4. So mod 17 we have
9^100 ≡ (9^16)^6 (9)^4 (mod 17) ≡ (1)^6 (9)^4 (mod 17) ≡ (81)^2 (mod 17) ≡ 16
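The totient slides and the 9^100 mod 17 example, as an added example (not from the lecture): φ is computed from the definition and from the (p−1)(q−1) fact, the p=5, q=7 list of coprime residues is regenerated, and Euler’s theorem is used the way the slide uses Fermat’s, reducing the exponent mod φ(n) before exponentiating. Function names are my own.

```python
# Added example: Euler's totient two ways, the coprime-residue list for pq,
# and exponent reduction a^c = a^(c mod phi(n)) (mod n) when gcd(a, n) = 1.
from math import gcd


def phi_by_definition(n):
    """Count 1 <= k < n with gcd(k, n) = 1 (the slide's definition of phi(n))."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def phi_two_primes(p, q):
    """phi(pq) = (p-1)(q-1) for distinct primes p and q (the slide's fact)."""
    return (p - 1) * (q - 1)


def coprime_residues(p, q):
    """1..pq with every multiple of p or q replaced by '-', as listed on the slide."""
    return [k if k % p and k % q else "-" for k in range(1, p * q + 1)]


def pow_via_euler(a, c, n):
    """Compute a^c mod n by first reducing c modulo phi(n).

    Euler's theorem (a^phi(n) = 1 mod n) only applies when gcd(a, n) = 1,
    so the reduction is refused otherwise rather than silently giving a wrong answer.
    """
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    k = c % phi_by_definition(n)          # for n = 17: 100 mod 16 = 4
    return pow(a, k, n)                   # 9^4 mod 17 = 16


if __name__ == "__main__":
    print(phi_by_definition(35), phi_two_primes(5, 7))     # 24 24
    print(coprime_residues(5, 7))                          # the slide's list
    print(pow_via_euler(9, 100, 17), pow(9, 100, 17))      # 16 16
    print(pow(3, phi_by_definition(10), 10))               # 1, Euler's theorem for a=3, n=10
```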
Some questions
• 2^-1 mod 4 = ?
• What is the complexity of
– (a+b) mod m
– (a*b) mod m
– x^c mod (n)
• Order of a group is 5. What can be the order of an element in this group?
Further Reading
• Chapter 4 of Stallings
• Chapter 2.4 of HAC