Encrypting Communication Review Extended Euclids Algorithm Extended - PowerPoint PPT Presentation
1. Encrypting Communication

◮ I want to buy my favorite show on Amazon.
◮ I enter my credit card information online.
◮ What if someone is trying to steal my credit card information?
◮ Today: Encrypt communication using RSA.

Review

◮ Z/mZ = {0, 1, ..., m − 1} with operations of addition and multiplication modulo m.
◮ (Z/mZ)^× is the set of elements in Z/mZ which have multiplicative inverses.
  ◮ In other words, a ∈ (Z/mZ)^× if and only if gcd(a, m) = 1.
◮ For a ∈ (Z/mZ)^×, we can compute a^{−1} efficiently. (Extended Euclid’s Algorithm)
◮ If p is prime, then (Z/pZ)^× = {1, ..., p − 1}.

Extended Euclid’s Algorithm

Extended Euclid’s Algorithm:
◮ If b = 0, then egcd(a, 0) = (a, 1, 0).
◮ Otherwise, let (d′, x′, y′) := egcd(b, a mod b). Return (d′, y′, x′ − ⌊a/b⌋·y′).

Extended Euclid is just as fast as Euclid’s Algorithm.

We have proved: we can express gcd(a, b) as an integer linear combination of a and b.
◮ If d = x·a + y·b, then multiply both sides by k: kd = kx·a + ky·b.
◮ A number can be expressed as an integer linear combination of a and b if and only if it is a multiple of gcd(a, b).

Back to Multiplicative Inverses

Let a ∈ Z/mZ.
◮ Run Extended Euclid on a, m, which gives gcd(a, m) = x·a + y·m.
◮ If gcd(a, m) > 1, then a^{−1} does not exist.
◮ Otherwise, we have 1 = x·a + y·m.
◮ Take both sides modulo m: 1 ≡ x·a (mod m).
◮ Thus, a^{−1} ≡ x (mod m).

We can now efficiently compute multiplicative inverses!

Euler’s Totient Function

We define ϕ(1) := 1, and for positive integers m, ϕ(m) := |(Z/mZ)^×|.
◮ In other words, ϕ(m) is the number of elements with multiplicative inverses in Z/mZ.
◮ In other words, ϕ(m) is the number of integers in {0, 1, ..., m − 1} which are relatively prime to m.

Examples:
◮ ϕ(2) = 1. (Z/2Z)^× = {1}.
◮ ϕ(3) = 2. (Z/3Z)^× = {1, 2}.
◮ ϕ(4) = 2. (Z/4Z)^× = {1, 3}.
◮ ϕ(5) = 4. (Z/5Z)^× = {1, 2, 3, 4}.
◮ ϕ(6) = 2. (Z/6Z)^× = {1, 5}.
◮ ϕ(p) for p prime? ϕ(p) = p − 1.

Bijections

Recall: Let f(x) = ax mod m. The map f is a bijection if and only if gcd(a, m) = 1.
◮ So if gcd(a, m) = 1, {0, 1, 2, ..., m − 1} = {0, a, 2a, ..., (m − 1)a}.

But what if you only apply f to elements in (Z/mZ)^×?
◮ Since a is coprime with m, and elements in (Z/mZ)^× are coprime with m, the result is still coprime with m.
◮ But we know f is one-to-one. Thus, f is also a bijection (Z/mZ)^× → (Z/mZ)^×.
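The recursion above, the inverse derivation from "Back to Multiplicative Inverses", and a brute-force check of ϕ(m) and of the bijection x ↦ ax on (Z/mZ)^×, as an added Python example (not code from the slides):

```python
# Added example, not from the lecture slides: Extended Euclid exactly as stated,
# a^{-1} mod m read off from 1 = x*a + y*m, and exhaustive checks of phi(m) and
# of the map f(x) = a*x mod m restricted to the units (Z/mZ)^x.
from math import gcd
from typing import List, Optional, Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (d, x, y) with d = gcd(a, b) = x*a + y*b, as on the slide."""
    if b == 0:
        return (a, 1, 0)
    d, x, y = egcd(b, a % b)
    # Unwind: d = x*b + y*(a mod b) = x*b + y*(a - floor(a/b)*b)
    #           = y*a + (x - floor(a/b)*y)*b
    return (d, y, x - (a // b) * y)


def modinv(a: int, m: int) -> Optional[int]:
    """a^{-1} mod m via Extended Euclid; None when gcd(a, m) > 1 (no inverse)."""
    d, x, _ = egcd(a % m, m)
    if d != 1:
        return None
    return x % m  # 1 = x*a + y*m, so a^{-1} ≡ x (mod m)


def units(m: int) -> List[int]:
    """(Z/mZ)^x: the residues in {0, ..., m-1} that are coprime with m."""
    return [x for x in range(m) if gcd(x, m) == 1]


def phi(m: int) -> int:
    """Euler's totient as defined on the slide: phi(1) = 1, else |(Z/mZ)^x|."""
    return 1 if m == 1 else len(units(m))


def is_bijection_on_units(a: int, m: int) -> bool:
    """Does f(x) = a*x mod m permute (Z/mZ)^x? True exactly when gcd(a, m) == 1."""
    u = units(m)
    return sorted((a * x) % m for x in u) == u


if __name__ == "__main__":
    d, x, y = egcd(240, 46)
    print(d, x, y, x * 240 + y * 46)                  # 2 -9 47 2
    print(modinv(3, 7), modinv(4, 8))                  # 5 None
    print([phi(m) for m in range(1, 8)])               # [1, 1, 2, 2, 4, 2, 6]
    print(is_bijection_on_units(3, 5), is_bijection_on_units(2, 6))  # True False
```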

2. Euler’s Theorem

Euler’s Theorem: If gcd(a, m) = 1, then a^{ϕ(m)} ≡ 1 (mod m).

Consider the case when the modulus is a prime p.

Corollary (Fermat’s Little Theorem): If a is not a multiple of p, then a^{p−1} ≡ 1 (mod p).

Consider the equation a^p ≡ a (mod p).
◮ If a ≡ 0 (mod p), the equation is true.
◮ If a ≢ 0 (mod p), then the equation is true because of Fermat’s Little Theorem.

Thus, for all a ∈ Z/pZ, a^p ≡ a (mod p).

Euler’s Theorem (proof)

If gcd(a, m) = 1, then f(x) = ax mod m is a bijection (Z/mZ)^× → (Z/mZ)^×.
◮ Example: m = 5, a = 3. (Z/5Z)^× = {1, 2, 3, 4} = {3, 6, 9, 12}.
◮ In general, (Z/mZ)^× = {ax : x ∈ (Z/mZ)^×}.

Idea: Multiply all elements in both sides.
  ∏_{x ∈ (Z/mZ)^×} x ≡ ∏_{x ∈ (Z/mZ)^×} ax (mod m).

Each x ∈ (Z/mZ)^× has an inverse, so divide!
  ∏_{x ∈ (Z/mZ)^×} a ≡ 1 (mod m).

How many elements in (Z/mZ)^×? ϕ(m).

Exclusive OR

Remember XOR:
  x  y  x ⊕ y
  1  1    0
  1  0    1
  0  1    1
  0  0    0

Notice: x ⊕ y = x + y (mod 2).

Facts: x ⊕ x = 0. Also, x ⊕ 0 = x.

Consequence: y ⊕ x ⊕ x = y ⊕ 0 = y.

Cryptosystems

Alice has a message m (a bit string).
◮ Pass it through an encryption function E.
◮ Send encrypted message E(m) to Bob.
◮ Bob passes message through decryption function D, so that D(E(m)) = m.

We allow the encryption and decryption functions to depend on a key k: D(E(m, k), k) = m.

All possible input messages m are possible. This implies that E must be one-to-one.

An eavesdropper Eve intercepts the message E(m). We must make sure she cannot recover m.

One-Time Pad

One-Time Pad:
◮ k is a bit string of the same length as m.
◮ Choose: E(m, k) = D(m, k) = m ⊕ k.
◮ This works since D(E(m, k), k) = m ⊕ k ⊕ k = m.
◮ Advantage: If Eve does not know k, then communication is secure.
◮ Disadvantage: After one use, the pad should be discarded to maintain security. Annoying to use!
◮ Disadvantage: Alice and Bob must agree upon the key k beforehand.

Public-Key Cryptography

In public-key cryptography:
◮ There are two keys, a public key K, and a private key k.
◮ The encrypted message is E(m, K) and the decryption is D(E(m, K), k) = m.
◮ Anyone can send a message to Bob, since the encryption function and public key are revealed to the public.
◮ Only Bob can decode the message, since only he has the private key.

Think of Bob as Amazon. Anyone can encrypt credit card information and send it to Amazon. Only Amazon can decrypt.

Is public-key cryptography possible? Open question, but we can still try.
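The product argument in the proof of Euler's theorem above, carried out numerically, together with the Fermat corollary checked over all of Z/pZ; this is an added Python example, not code from the slides:

```python
# Added example, not from the lecture slides: each step of the slide's proof of
# Euler's theorem. For coprime a, m we list (Z/mZ)^x, check that x -> a*x permutes
# it, multiply both sides, cancel the common product (it is a unit) and read off
# a^phi(m) ≡ 1 (mod m). Values are compared against a direct pow() computation.
from math import gcd


def units(m: int) -> list:
    """(Z/mZ)^x as a list; phi(m) is its length."""
    return [x for x in range(m) if gcd(x, m) == 1]


def product_mod(xs, m: int) -> int:
    p = 1
    for x in xs:
        p = (p * x) % m
    return p


def euler_via_products(a: int, m: int) -> dict:
    """Return the intermediate values of the proof so they can be inspected."""
    if gcd(a, m) != 1:
        raise ValueError("Euler's theorem needs gcd(a, m) = 1")
    u = units(m)
    image = sorted((a * x) % m for x in u)           # {ax : x in (Z/mZ)^x}
    lhs = product_mod(u, m)                          # prod x
    rhs = product_mod(((a * x) % m for x in u), m)   # prod ax = a^phi(m) * prod x
    # lhs is itself a unit, so "divide": multiply both sides by its inverse.
    lhs_inv = next(y for y in u if (lhs * y) % m == 1)
    return {
        "phi": len(u),
        "bijection": image == u,
        "products_equal": lhs == rhs,
        "a_pow_phi": (rhs * lhs_inv) % m,            # should be 1
        "direct": pow(a, len(u), m),                 # a^phi(m) mod m, computed directly
    }


def fermat_holds_for_all(p: int) -> bool:
    """Corollary on the slide: a^p ≡ a (mod p) for every a in Z/pZ, a = 0 included."""
    return all(pow(a, p, p) == a for a in range(p))


if __name__ == "__main__":
    print(euler_via_products(3, 5))    # phi 4, bijection True, a_pow_phi 1
    print(euler_via_products(7, 10))   # phi 4, 7^4 = 2401 ≡ 1 (mod 10)
    print(fermat_holds_for_all(13), fermat_holds_for_all(4))   # True False
```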

3. RSA

RSA Protocol (Rivest-Shamir-Adleman):
◮ Pick two large (2048-bit) distinct primes p and q.
◮ Let N := pq. Pick an integer e. The public key is (N, e).
◮ The decryption key is d := e^{−1} (mod (p − 1)(q − 1)).
◮ Encryption function: E(m) = m^e mod N.
◮ Decryption function: D(c) = c^d mod N.

The key idea behind cryptography is that E is easy to compute but hard to invert.

We have a lot of work to do.
◮ Prove RSA works: m^{ed} ≡ m (mod N).
◮ Explain why we can do the steps efficiently.
◮ Explain why we think Eve cannot break it.

Correctness of RSA

Public: (N = pq, e), private: d = e^{−1} (mod (p − 1)(q − 1)).

Theorem: For any m ∈ {0, 1, ..., N − 1}, m^{ed} ≡ m (mod N).

Proof.
◮ By definition of d, ed = 1 + k(p − 1)(q − 1) for some k ∈ N.
◮ So, m^{ed} = m · m^{k(p−1)(q−1)}.
◮ If p divides m, then p divides m^{ed} − m.
◮ Otherwise, by Fermat’s Little Theorem, m^{p−1} ≡ 1 (mod p). So, m^{ed} − m = m(m^{k(p−1)(q−1)} − 1) ≡ 0 (mod p).
◮ In both cases, m^{ed} − m is divisible by p.
◮ Similarly, m^{ed} − m is divisible by q.
◮ Since p ≠ q, then m^{ed} − m is divisible by pq = N, i.e., m^{ed} ≡ m (mod N).

Another Look at Correctness

Given any m ∈ {0, 1, ..., N − 1}, D(E(m)) = E(D(m)) = m^{ed} = m.

The maps E and D are bijections Z/NZ → Z/NZ.

Implementing RSA Is Fast

Pick two 2048-bit prime numbers.
◮ How? By the Prime Number Theorem, the “probability” that a random number between 1 and N is prime is ≈ 1/ln N.
◮ We need to generate and check O(ln N) primes.
◮ This is linear in the number of bits!
◮ Use a randomized primality test: test if N is prime in time which is polynomial in the number of bits of N.
◮ Works with very high probability. The probability of failure can be made as low as the probability of meteor crash!

Compute d = e^{−1} (mod (p − 1)(q − 1)).
◮ Extended Euclid is fast!

Compute m^e mod N and (m^e)^d mod N.
◮ Repeated squaring! (fast modular exponentiation)

Fast Modular Exponentiation

What is 2^{1000000} (mod 12)?

Multiply 2 by itself, a million times. Wait! Use repeated squaring.
  2^{1000000} = 4^{500000} = 16^{250000} = ···

Insight: 16^{250000} is 250000 products of 16. But 16 ≡ 4 (mod 12). So, 16 · 16 · 16 ··· (mod 12) ≡ 4 · 4 · 4 ··· (mod 12).

Continue: 4^{250000} ≡ 16^{125000}. Reduce modulo 12 again: 4^{125000}.

Repeated squaring:
◮ Square the base and cut the exponent in half.
◮ If the base exceeds m, reduce the base modulo m.

What if there is an odd exponent, 2^{17}? Write this as 2 · 2^{16}.

Breaking RSA Is Slow?

Cryptography relies on assumptions.

RSA Assumption: Given N, e, and m^e mod N, there is no efficient algorithm for finding m.

In other words, we believe Eve cannot break RSA.
◮ Why do we believe this? One way to break RSA is to factor N = pq to get (p − 1)(q − 1) and compute d yourself.
◮ How do we factor N? There are no good algorithms known!
◮ The naïve algorithms for factoring N (brute force) take time exponential in the number of bits.
◮ No one has ever factored a 2048-bit RSA key before (without knowing p and q beforehand).
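Repeated squaring as the slide describes it (square the base, halve the exponent, reduce modulo m, peel off a factor when the exponent is odd), followed by a toy RSA run that checks m^{ed} ≡ m for every m in Z/NZ; this is an added Python example, not code from the slides, and the primes p = 61, q = 53 are far too small for real use and are chosen only so the arithmetic is inspectable:

```python
# Added example, not from the lecture slides: fast modular exponentiation by
# repeated squaring, then textbook RSA with toy primes. The modular inverse
# uses Python's built-in pow(e, -1, n), which runs Extended Euclid internally.


def modpow(base: int, exp: int, m: int) -> int:
    """base^exp mod m by squaring the base and halving the exponent."""
    result = 1
    base %= m                        # keep the base below m at all times
    while exp > 0:
        if exp % 2 == 1:             # odd exponent: peel off one factor (2^17 = 2 * 2^16)
            result = (result * base) % m
        base = (base * base) % m     # square the base ...
        exp //= 2                    # ... and cut the exponent in half
    return result


def rsa_keygen(p: int, q: int, e: int):
    """Public key (N, e) and private exponent d = e^{-1} mod (p-1)(q-1)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    d = pow(e, -1, phi_n)            # raises ValueError if gcd(e, phi_n) != 1
    return (n, e), d


def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    return modpow(m, e, n)           # E(m) = m^e mod N


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return modpow(c, d, n)           # D(c) = c^d mod N


def rsa_roundtrips(p: int, q: int, e: int) -> bool:
    """m^{ed} ≡ m (mod N) for every m in Z/NZ, multiples of p and q included."""
    pub, d = rsa_keygen(p, q, e)
    n = pub[0]
    return all(rsa_decrypt(rsa_encrypt(m, pub), d, n) == m for m in range(n))


if __name__ == "__main__":
    print(modpow(2, 1_000_000, 12))          # 4, the slide's example
    pub, d = rsa_keygen(61, 53, 17)
    print(pub, d)                            # (3233, 17) 2753
    c = rsa_encrypt(65, pub)
    print(c, rsa_decrypt(c, d, pub[0]))      # 2790 65
    print(rsa_roundtrips(61, 53, 17))        # True
```

Exhaustively checking every residue is only feasible because N is tiny; the point is that the proof's "p divides m" case really is exercised (m = 61, 122, ...), not just the coprime case.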
