Outline CPSC 418/MATH 318 Introduction to Cryptography More Number - PowerPoint PPT Presentation

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots (Recall) Number Theory, Security and Efficiency of Diffie-Hellman, Hash Euler’s φ Function Functions Security of Diffie-Hellman 2 Discrete Log Attack Renate Scheidler Parameter Choice for Diffie-Hellman Department of Mathematics & Statistics Active Attack Department of Computer Science University of Calgary The Power Algorithm (Binary Exponentiation) 3 Week 6 Where are we at? 4 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 1 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 2 / 28 More Number Theory Primitive Roots (Recall) More Number Theory Euler’s φ Function Recall: Primitive Roots More Number Theory Let p be a fixed prime. Z p = { 0 , 1 , 2 , . . . , p − 1 } is the set of integers modulo p ; Z ∗ p := Z p \ { 0 } = { 1 , 2 , . . . , p − 1 } . Define for m ∈ N (set of positive integers): Z m = { 0 , 1 , . . . , m − 1 } set of integers modulo m Definition 1 (Primitive Root) Z ∗ m = { a ∈ Z m | gcd( a , m ) = 1 } set of integers between 1 and m that are coprime to m (no common divisors with m ). A primitive root of p is an integer g ∈ Z ∗ p such that the smallest positive exponent k with g k ≡ 1 (mod p ) is p − 1. These are generalizations of Z p and Z ∗ p for to arbitrary integers. Note: a p − 1 ≡ 1 (mod p ) for any a ∈ Z ∗ p by Fermat’s Little Theorem. The powers g 0 , g 1 , . . . , g p − 2 (mod p ) of a primitive root g are all Example 2 distinct. Z 28 = { 0 , 1 , . . . , 27 } and Z ∗ 28 = { 1 , 3 , 5 , 9 , 11 , 13 , 15 , 17 , 19 , 23 , 25 , 27 } . Every element in Z ∗ p is a power of a primitive root g . Primitive root test: g is a primitive root of p iff g ( p − 1) / q �≡ 1 (mod p ) for every prime factor q of p − 1. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 3 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 4 / 28

More Number Theory Euler’s φ Function More Number Theory Euler’s φ Function φ ( p n ) , p prime Euler’s φ Function Let p be a prime. Then Definition 3 (Euler’s φ Function) φ ( p ) = p − 1 = p 0 ( p − 1) Let m be a positive integer. Euler’s phi function is defined via φ ( p 2 ) = p 2 − p = p 1 ( p − 1) φ ( m ) = | Z ∗ m | , the cardinality of Z ∗ m . . . . φ ( p n ) = p n − p n − 1 = p n − 1 ( p − 1) . Interpretation: φ ( m ) is the number of integers between 1 and m − 1 which are coprime to m . What about composites with more than one prime factor? Example 4 Theorem 1 φ (28) = | Z ∗ 28 | = |{ 1 , 3 , 5 , 9 , 11 , 13 , 15 , 17 , 19 , 23 , 25 , 27 }| = 12 If gcd( m 1 , m 2 ) = 1 , then φ ( m 1 m 2 ) = φ ( m 1 ) φ ( m 2 ) . In other words, Euler’s phi function is multiplicative . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 5 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 6 / 28 More Number Theory Euler’s φ Function More Number Theory Euler’s φ Function Computing φ ( m ) Euler’s Theorem Recall Fermat’s Little Theorem : Corollary 2 Theorem 3 (Fermat) If the prime factorization of m is given by If a is an integer and p is a prime with p ∤ a, then a p − 1 ≡ 1 (mod p ) . m = p e 1 1 p e 2 2 · · · p e k k , p i prime , then The generalization to composite numbers is Euler’s Theorem : φ ( m ) = φ ( p e 1 1 ) φ ( p e 2 2 ) · · · φ ( p e k k ) Theorem 4 (Euler) ( p 2 − 1) · · · p e k − 1 = p e 1 − 1 ( p 1 − 1) p e 2 − 1 ( p k − 1) . If a and m are integers with m > 0 and gcd( a , m ) = 1 , then a φ ( m ) ≡ 1 1 2 k (mod m ) . Example 5 Fermat’s Little Theorem is the special case of Euler’s Theorem with m = p φ (28) = φ (2 2 × 7) = φ (2 2 ) φ (7) = 2 2 − 1 (2 − 1) × (7 − 1) = 12 . prime. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 7 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 8 / 28

More Number Theory Euler’s φ Function More Number Theory Euler’s φ Function Sizes of φ ( m ) versus m Euler’s Theorem and Primitive Roots Theorem 5 For any prime p, there are exactly φ ( p − 1) primitive roots of p . For any prime p , we have φ ( p ) = p − 1 � p (for p large). How does φ ( m ) compare to m in general? It can be shown that for Example 6 sufficiently large m , m For p = 7 , there are φ ( p − 1) = φ (6) = (3 − 1)(2 − 1) = 2 primitive roots. φ ( m ) ≥ C log log( m ) , where C ≈ 1 . 7. So for large m , φ ( m ) is not much smaller than m . Recall that p − 1 φ ( p − 1) ≥ 1 . 7 log log( p − 1) . That’s a lot of primitive roots! Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 9 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 10 / 28 Security of Diffie-Hellman Security of Diffie-Hellman Discrete Log Attack Recall: Diffie-Hellman Key Agreement Protocol Security of Diffie-Hellman Adversary’s objective: find K . Alice and Bob agree on Diffie-Hellman Problem (DHP): a large public prime p , a primitive root g of p . Given p , g , g a (mod p ), g b (mod p ), find g ab (mod p ). Alice Public channel Bob equivalent to finding K . Selects a randomly Selects b randomly (1 < a < p − 1) (1 < b < p − 1) Recall the Discrete Logarithm Problem (DLP): y a ≡ g a (mod p ) y a − → y a Given p , g , g x (mod p ), find x . y b ≡ g b (mod p ) y b ← − y b If an adversary can solve an instance of the DLP, she can solve the K ≡ y a K ≡ y b b (mod p ) a (mod p ) DHP. Shared key: K ≡ g ab (mod p ). It is unknown if there are ways of solving the DHP, and hence breaking DH key agreement, other than extracting discrete logs. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 11 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 12 / 28

Security of Diffie-Hellman Discrete Log Attack Security of Diffie-Hellman Parameter Choice for Diffie-Hellman DLP Algorithms and Record Diffie-Hellman – Best Choice for p The best choice for p is a safe prime, i.e. a prime of the form The fastest known algorithm for extracting discrete logs is the Number Field Sieve which is a very complicated algorithm using extremely p = 2 q + 1 with q prime . sophisticated number theory. Such a q is called a Sophie Germain prime. Note 1 p − 1 = 2 q has a prime factor that is as large as possible, thus foiling The current NFS DL record is for the prime p = RSA-240 + 49204 Pohlig-Hellman attacks; (798 bits, 240 decimal digits), held by Boudot-Gaudry-Guillevic-Heninger- Lots of primitive roots of p : Thom´ e-Zimmerman (December 2019): φ ( p − 1) = φ (2) φ ( q ) = 1 · ( q − 1) = p − 3 ≈ p log 5 (774356626343973985966622216006087686926705588649958206166317147722421706101723470351970238538755049093424997) 2 . = 92603135928144195363094955331732855502961099191437611616729420475898744562365366788100548099072093487548258752802923326 2 447367244150096121629264809207598195062213366889859186681126928982506005127728321426751244111412371767375547225045851716 Select 1 < g < p − 1. Since the only prime factors of p − 1 are 2 and q , the primitive root test only needs to check that g q ≡ 1 (mod p ). Another algorithm for extracting discrete logs, due to Pohlig and Hellman, is very efficient if p − 1 is smooth . i.e. has only small prime factors. Its run p is found by first finding a prime q (1023 bits) and then checking that time is governed by the largest prime factor of p − 1. p = 2 q + 1 is prime. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 13 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 14 / 28 Security of Diffie-Hellman Parameter Choice for Diffie-Hellman Security of Diffie-Hellman Parameter Choice for Diffie-Hellman Diffie-Hellman – Best Choice for g Generating Primes Recall Fermat’s Little Theorem If p is a prime and a is an integer with p ∤ a , then a p − 1 ≡ 1 (mod p ). Best choice for g : a primitive root of p . Maximizes the number of possible values K . Given N (which may or may not be prime), let a ∈ Z N . Assuming p = 2 q + 1 is a safe prime (i.e. q a Sophie-Germain prime): If a N − 1 �≡ 1 (mod N ), then N is composite (by Fermat). g is easily found via random choices (almost half of all integers If a N − 1 ≡ 1 (mod N ), then N could be prime, or it could be modulo p are primitive roots of p ); composite in which case it is referred to as a “base a pseudoprime”. Primitive root test is very fast and simple: a squaring and an exponentiation by q . Example 7 N = 15 : 11 N − 1 ≡ 11 14 ≡ 1 (mod 15) , but 13 14 ≡ 4 (mod 15) . So 15 is a base 11 pseudoprime. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 15 / 28 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 6 16 / 28