Cryptography
Prof. Faramarz Fekri
Notes by James S. Hall
Spring 2008
Overview of Cryptography

Objective: Two people (usually referred to as Alice and Bob) want to communicate over an insecure channel in such a way that an adversary, Oscar, cannot understand the communication.

[Figure: Alice and Bob communicating over a channel that Oscar observes]

Definitions:
Plaintext: the message which is to be put in the secure form.
Encipher (Encrypt): to render plaintext unintelligible to all but the intended recipients.
Ciphertext: what is produced by the encryption of the plaintext.
Encryption: an invertible transformation, $e_k()$.
Decryption: the inverse of $e_k()$, $d_k()$.

Then $C = e_k(M)$ and $M = d_k(C) = d_k(e_k(M))$, where $C$ is the ciphertext and $M$ is the message.

More formally: A cryptosystem is a five-tuple $(P, C, K, E, D)$ where the following conditions are satisfied:
1. $P$ is a finite set of possible plaintexts.
2. $C$ is a finite set of possible ciphertexts.
3. $K$, the key space, is a finite set of possible keys.
4. For each $k \in K$, there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for all $x \in P$, and $|P| \le |C|$.

Principle: It is generally assumed in cryptography that knowledge of the general system or algorithm $(e_k, d_k)$ is known to the enemy. Only the key, $k$, is assumed not to be in the enemy's possession.
Lecture 1 (1/7/08)
Simple Classical Cryptosystem: Substitution Cipher

The key is a permutation of the alphabet, e.g. $e_k(A) = X$, $e_k(B) = N$, $e_k(C) = Y$, ..., $e_k(Z) = Q$.
Key space: $|K| = 26! \approx 4 \times 10^{26}$.
Exhaustive search on the key is not computationally feasible! However, cryptanalysis can break the system.

Ideally, $e_k()$ is a one-way function such that
1. it is easy to encrypt, $y = e_k(x)$, AND
2. it is easy to decrypt, $x = d_k(y)$, AND
3. it is (computationally) impossible to invert without the key, $k$, to find $x$.
Such a one-way function cannot exist because all the systems are finite and hence can, in principle, be cracked by exhaustive search of all possibilities.

The theory of computational complexity is concerned with the classification of problems according to their computational difficulty, measured as the amount of time or space their solution would require.

Information Theoretic Security:
Computationally Secure: the best known method of breaking the system requires an unreasonably large amount of computing time.
Provably Secure: evidence of computational security is provided by reducing the security of the cryptosystem to some well-studied hard problem (such as factoring, solving the discrete log problem, or nonlinear systems of equations) that is thought to be difficult.
Unconditionally Secure: the system is secure with no bound on the computational power of the adversary.
Classes of Cryptosystems:
1. Secret Key Systems (Symmetric Key Systems)
2. Public Key Systems (Asymmetric Key Systems)

Any cryptosystem needs a one-way function (easy to compute, but hard to invert). However, the intended user should be able to invert the one-way function (computationally) easily. Therefore, a cryptosystem requires a trapdoor one-way function. In other words, we place a trapdoor in the one-way function so that we provide the information about the trapdoor (the key) to the intended user, by which he can decrypt the ciphertext (i.e. invert the one-way function). Without knowing the key, it will be computationally hard to invert the one-way function.

Secret Key Systems:
Both Alice and Bob share a secret key. Ex: DES, AES (new US Govt standard).
Problem: Secret key systems require a secure channel to distribute the shared key. Not feasible in many applications.
Solution:
Public Key Systems: Ex: RSA, Elliptic Curve
- Do not require a shared key between users
- Every user has a secret key and a public key
  o Alice uses Bob's public key to encrypt the message
  o Bob uses his own secret key to decrypt every message sent to him
Public key systems use trapdoor one-way functions that are based on
1. Factoring large integers ($n = pq$)
2. Discrete log problem ($a = b^x \bmod p$)
3. Solving nonlinear equations

Ex: RSA
Bob: Secrets: $p, q, b$ ($p, q$ are prime numbers). Public: $n = pq$, $a$.
(Alice) Encryption: $c = m^a \bmod n$
(Bob) Decryption: $m = c^b \bmod n$
Signature Schemes:
A signature is something that is attached to a document to specify the person responsible for it.
Challenges:
- The signature must somehow be BOUND to the document
- A copy of a signature is identical to the original signature
- It must be verifiable by a publicly known verification algorithm
Notation:
Signed Document: $y = sig_k(x)$
Transmitted: $(x, y)$
Verification: $ver_k()$ is a public algorithm; $ver_k(x, y) = $ True if $y = sig_k(x)$.
It should be computationally infeasible for an adversary (or anyone other than Alice) to compute/forge a signature $y$ such that $ver_k(x, y) = $ true.

Hash Functions:
Note that the signature is (at least) as big as the message.
[Figure: a long message $x$ (e.g. 1100...1) is hashed to a 160-bit message digest $h(x)$, and the digest is what gets signed]
Properties:
1. Given $x$, $h(x)$ can be quickly calculated.
2. To prevent forgery, given $y = h(x)$, it is computationally infeasible to find $x$ ($h$ is one-way).
3. It is computationally infeasible to find messages $x_1$ and $x_2$ with $h(x_1) = h(x_2)$ (i.e. $h$ is collision free).
Attack:
Classical Cryptography

Definition: Suppose $a$ and $b$ are integers, and $m$ is a positive integer. Then we write $a \equiv b \bmod m$ ($a$ is CONGRUENT to $b$, modulo $m$) if $m \mid (a - b)$ ($m$ divides $a - b$), i.e. there exists $q \in \mathbb{Z}$ such that $a - b = mq$.
Modular Addition: $a + b = mx + c \Rightarrow a + b \equiv c \bmod m$
Modular Multiplication: $ab = mx + c \Rightarrow ab \equiv c \bmod m$

Equivalence Classes:
Addition modulo $m$ divides the set of integers $\mathbb{Z}$ into $m$ distinct equivalence classes. Two integers $a, b$ are in the same class mod $m$ if $a \equiv b \bmod m$.
Ex: Equivalence classes of integers under mod 5 addition

Label | Equivalence Class
[0]   | {..., -10, -5, 0, 5, 10, ...}
[1]   | {..., -9, -4, 1, 6, 11, ...}
[2]   | {..., -8, -3, 2, 7, ...}
[3]   | {..., -7, -2, 3, 8, ...}
[4]   | {..., -6, -1, 4, 9, ...}

Note: The union of all classes is $\mathbb{Z}$. There is NO OVERLAP between classes. Two members of $\mathbb{Z}$ are in the same class if they are CONGRUENT.
Define $\mathbb{Z}_m$ to be the set $\{0, 1, 2, \ldots, m-1\}$ with mod $m$ addition and multiplication.
Shift Cipher:
Let A = 0, B = 1, C = 2, D = 3, E = 4, F = 5, ...
$P = C = K = \mathbb{Z}_{26}$ (26 English letters)
Message string: $x = x_1 x_2 x_3 \ldots$
Cipher string: $y_i = e_k(x_i)$
(For some $k$ with $0 \le k \le 25$ define $y = e_k(x) = x + k \bmod 26$)
Decryption: $x = d_k(y) = y - k \bmod 26$ (Easily broken by exhaustive key search)
Lecture 2 (1/9/08)
Affine Cipher:
Encryption: $e(x) = y \equiv ax + b \bmod m$
Decryption: $y - b \equiv ax \bmod m$, so $d(y) = x \equiv a^{-1}(y - b) \bmod m$
with $a, b \in \mathbb{Z}_m$.
$P = C = \mathbb{Z}_{26}$
Number of possible $a$ = $\phi(26)$ $\Rightarrow |K| = 26 \cdot \phi(26)$ {26 possible choices for $b$, $\phi(26)$ possible choices for $a$}. This is a much larger key space than the shift cipher. However, it can still be broken by exhaustive search on the key.
Since $e(x)$ must be invertible, we need to specify conditions for which the affine function is injective (one-to-one).
Generally: Let $y \equiv ax + b \bmod m$, $a, b \in \mathbb{Z}_m$
$\Rightarrow ax \equiv y - b \bmod m$
$\Rightarrow ax \equiv r \bmod m$, $r \in \mathbb{Z}_m$
Thus, we need to find a condition for which $ax \equiv r \bmod m$ has a unique solution.

Theorem: The congruence $ax \equiv r \bmod m$ has a unique solution $x \in \mathbb{Z}_m$ for every $r \in \mathbb{Z}_m$ iff $\gcd(a, m) = 1$.
Proof:
Definition: A number $a^{-1}$ is called the inverse of $a$ modulo $m$ if $a a^{-1} \equiv 1 \bmod m$.
Proposition: An integer $a$ is invertible modulo $m$ iff $a$ and $m$ are RELATIVELY PRIME or COPRIME {$\gcd(a, m) = 1$}.
1. If $\gcd(a, m) = 1$ then $ax \equiv r \bmod m$ has a unique solution.
  a. If an inverse exists, then a solution always exists: since $a a^{-1} \equiv 1 \bmod m$, $a(a^{-1} r) \equiv r \bmod m$ {finding $ax \equiv r \bmod m$} $\Rightarrow x \equiv a^{-1} r \bmod m$ {a solution $x$ exists}.
  b. Need to show uniqueness: Suppose $a x_1 \equiv r \bmod m$ and $a x_2 \equiv r \bmod m$. $\Rightarrow a x_1 \equiv a x_2 \bmod m \Rightarrow a(x_1 - x_2) \equiv 0 \bmod m \Rightarrow m \mid a(x_1 - x_2)$. Since $\gcd(a, m) = 1 \Rightarrow m \mid (x_1 - x_2) \Rightarrow x_1 \equiv x_2 \bmod m$. Thus $x_2$ is in the same equivalence class as $x_1$ (not necessarily distinct solutions, but the solution is unique).
2. Need to show that if $\gcd(a, m) = d > 1$ then there exists more than one solution.
Let $a x_1 \equiv r \bmod m$. Let $x_2 = \frac{m}{d} + x_1 \bmod m$.
Then $x_2$ is also a distinct solution because:
$a x_2 = a\left(\frac{m}{d} + x_1\right) = \frac{a}{d} m + a x_1 \equiv r \bmod m$, since $\frac{a}{d}$ is an integer.
Thus $a x_2 \equiv r \bmod m$.
Moreover, $x_2 \not\equiv x_1 \bmod m$ because $0 < \frac{m}{d} < m$.
Euler Phi Function ($\phi(m)$): Let $a \ge 1$ and $m \ge 2$ be integers. If $\gcd(a, m) = 1$, $a$ and $m$ are relatively prime. Define $\phi(m)$ to be the number of integers in $\mathbb{Z}_m$ that are relatively prime to $m$.
Theorem: $\phi(t) = |\{1 \le a < t : \gcd(a, t) = 1\}| = t \prod_{p \mid t} \left(1 - \frac{1}{p}\right)$, the product over all primes $p \le t$ that divide $t$.
(Write $t = \prod_{i=1}^{n} p_i^{c_i}$, so that $\phi(t) = \prod_{i=1}^{n} \phi(p_i^{c_i})$, to derive this theorem.)
1. $\phi(p) = p - 1$, $p$ prime
2. $\phi(p^m) = p^{m-1}(p - 1)$, $p$ prime
3. If $\gcd(p, q) = 1 \Rightarrow \phi(p^r q^s) = \phi(p^r)\,\phi(q^s)$
Vigenère Cipher:
Let $L$ be a fixed positive integer. Define $P = C = K = (\mathbb{Z}_{26})^L$ for a key $K = (K_1, K_2, \ldots, K_L)$. So, we take $L$ symbols at a time and encrypt them.
Encryption: $(y_1, y_2, \ldots, y_L) = e_K(x_1, x_2, \ldots, x_L) = (x_1 + k_1, x_2 + k_2, \ldots, x_L + k_L) \bmod 26$
Decryption: $(x_1, x_2, \ldots, x_L) = d_K(y_1, y_2, \ldots, y_L) = (y_1 - k_1, y_2 - k_2, \ldots, y_L - k_L) \bmod 26$
Advantage: A letter is mapped to another based on its location in the vector of length $L$.
Hill Cipher:
Encryption: $y = e_K(x) = xK \bmod 26$ ($x$: $1 \times m$ row vector and $K$: $m \times m$ matrix)
Decryption: $x = d_K(y) = yK^{-1} \bmod 26$
$|P| = |C| = 26^m$, $K$ = {set of $m \times m$ invertible matrices over $\mathbb{Z}_{26}$}
Thus $K$ must be an invertible matrix in $\mathbb{Z}_{26}$. It can be shown that $K$ is an invertible matrix in the ring $\mathbb{Z}_{26}$ if $\gcd(\det(K), 26) = 1$, i.e. if $\det(K)$ is relatively prime to 26.
Stream Ciphers:
Generate a keystream $z = z_1, z_2, \ldots$ to encrypt a plaintext string $x = x_1, x_2, \ldots$ according to the rule:
$y = y_1, y_2, \ldots = e_{z_1}(x_1), e_{z_2}(x_2), \ldots$
Let function $f_i$ generate $z_i$ (the $i$-th element of the keystream): $z_i = f_i(k, x_1, \ldots, x_{i-1})$
In the encryption process, we compute: $z_1, y_1, z_2, y_2, \ldots$
In the decryption process, we compute: $z_1, x_1, z_2, x_2, \ldots$
A stream cipher is synchronous if the keystream is independent of the plaintext stream.

Ex: Generating a synchronous stream cipher in $\mathbb{Z}_2$:
[Figure: a key generator produces $z_i$; encryption $y_i = x_i \oplus z_i$ takes plaintext $x_i$ to ciphertext $y_i$, and decryption $x_i = y_i \oplus z_i$ takes it back]
where
$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2 = (c_0 z_i + c_1 z_{i+1} + \cdots + c_{m-1} z_{i+m-1}) \bmod 2$
with $c_0 = 1$ and $c_j \in \mathbb{Z}_2$.
The recurrence is said to have degree $m$.
With a suitable choice of $c_0, \ldots, c_{m-1}$ and any arbitrary nonzero initialization vector $k = (k_1, \ldots, k_m)$, the linear recursion will generate a periodic keystream (if $c_0 = 1$, then the recursion will always be periodic w/ any nonzero $k$).
There exist choices for $c_0, \ldots, c_{m-1}$ (making the characteristic polynomial, $p(x)$, a primitive polynomial) for which we get the maximum possible period, which is $2^m - 1$.

Ex: [Figure: a linear feedback shift register with $m = 4$ stages $k_1, k_2, k_3, k_4$ and tap coefficients $c_0, c_1, \ldots, c_{m-1}$ feeding an XOR back into the last stage]
At each time index, the following will be performed concurrently:
1. $k_1$ will be tapped as the next keystream element ($z_i$)
2. $k_2 \ldots k_4$ will be shifted one stage to the left
3. The new value of $k_m$ ($k_4$) will be computed: $z_{i+4} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$
Cryptanalysis

Cryptanalysis: The process by which an unauthorized receiver of a cryptogram $y = e_k(x)$ determines $x$ without prior knowledge of the key $k$. (We always assume that the enemy knows the cryptographic algorithm.)

Attack Models
Specifies the information available to the adversary when he mounts his attack.
Ciphertext Only Attack: The adversary possesses ciphertext. He may also have particular knowledge of the plaintext: E occurs 12% of the time in the English language, "the" is the most frequent set of recurrent letters, etc.
Known Plaintext Attack: The adversary has obtained a string of plaintext $x$ and the corresponding ciphertext $y$.
Chosen Plaintext Attack: The cryptanalyst has temporary access to the encryption machinery. Hence, he/she can choose any arbitrary plaintext string $x$, and construct the corresponding ciphertext string, $y$.
Chosen Ciphertext Attack: The adversary has obtained temporary access to the decryption machinery. Hence, he/she can choose any arbitrary ciphertext string, $y$, and construct the corresponding plaintext string, $x$.

Cryptanalysis of the Affine Cipher
$e_k(x) = ax + b \bmod 26$, $\gcd(a, 26) = 1$, $k = (a, b)$ (**2 unknowns $\Rightarrow$ 2 equations**)
Consider a Ciphertext Only Attack:
This can be done by using the probabilities of occurrence of the 26 letters in any meaningful English text.
Given the ciphertext FMXY... we can find the frequency analysis of the ciphertext. For example, we find that out of 57 characters of ciphertext:
R: 8, D: 7, E, H, K: 5 each
First guess: E → R, T → D. Numerically: 4 → 17, 19 → 3:
$4a + b \equiv 17$, $19a + b \equiv 3 \pmod{26}$ $\Rightarrow a \equiv 6$, $b \equiv 19$
But $\gcd(a, 26) \ne 1$: wrong guess.
Next guess: E → R, T → K. Numerically: 4 → 17, 19 → 10:
$4a + b \equiv 17$, $19a + b \equiv 10 \pmod{26}$ $\Rightarrow a \equiv 3$, $b \equiv 5$
To verify the guess, we need to decrypt the ciphertext and see if we get a meaningful string.
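The affine machinery above, as an added example that is not part of the notes: the key-space count $26 \cdot \phi(26)$, and the two-congruence solve used in the ciphertext-only guesses (the pair E → R, T → D yields $a = 6$ and is rejected because $\gcd(6, 26) \ne 1$; the pair E → R, T → K yields $(3, 5)$). The sample sentence is constructed.

```python
# Added example (not from the lecture notes): the affine cipher over Z_26, the key-space
# count 26 * phi(26) from the Euler phi function, and the two-congruence solve behind the
# ciphertext-only guesses above (E -> R, T -> D is rejected, E -> R, T -> K is accepted).
from math import gcd

M = 26


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def inverse_mod(a, m=M):
    """a^{-1} mod m, or None when gcd(a, m) != 1 (then no inverse exists)."""
    g, s, _ = egcd(a % m, m)
    return s % m if g == 1 else None


def euler_phi(m):
    """phi(m): number of elements of Z_m relatively prime to m."""
    if m == 1:
        return 1
    return sum(1 for a in range(1, m) if gcd(a, m) == 1)


def affine_key_space(m=M):
    """|K| = m * phi(m): m choices of b, phi(m) invertible choices of a."""
    return m * euler_phi(m)


def _letters(text):
    return [ord(ch) - 65 for ch in text.upper() if ch.isalpha()]


def affine_encrypt(text, a, b):
    """y = a*x + b mod 26 on each letter (non-letters dropped)."""
    if gcd(a, M) != 1:
        raise ValueError("a must be invertible mod 26")
    return "".join(chr((a * x + b) % M + 65) for x in _letters(text))


def affine_decrypt(text, a, b):
    """x = a^{-1} (y - b) mod 26 on each letter."""
    a_inv = inverse_mod(a)
    if a_inv is None:
        raise ValueError("a must be invertible mod 26")
    return "".join(chr((a_inv * (y - b)) % M + 65) for y in _letters(text))


def letter_frequencies(text):
    """Ciphertext letter counts, most frequent first (the frequency-analysis table)."""
    counts = {}
    for x in _letters(text):
        counts[chr(x + 65)] = counts.get(chr(x + 65), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def solve_key_guess(p1, c1, p2, c2):
    """Solve a*p1 + b = c1 and a*p2 + b = c2 (mod 26) for (a, b).
    Returns (a, b, valid): valid is False when gcd(a, 26) != 1, i.e. the guess gave a key
    that is not a legal affine key. Returns None if p1 - p2 is not invertible mod 26,
    in which case the two equations do not determine a uniquely."""
    d_inv = inverse_mod((p1 - p2) % M)
    if d_inv is None:
        return None
    a = (d_inv * (c1 - c2)) % M
    b = (c1 - a * p1) % M
    return a, b, gcd(a, M) == 1


def check_guess(ciphertext, a, b):
    """To verify a guess, decrypt and look at the result (None for an illegal key)."""
    return None if gcd(a, M) != 1 else affine_decrypt(ciphertext, a, b)


if __name__ == "__main__":
    # Constructed sample: an English sentence encrypted with the key (3, 5) from the notes.
    sample = affine_encrypt("THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG AGAIN AND AGAIN", 3, 5)
    print(letter_frequencies(sample)[:5])
    print(solve_key_guess(4, 17, 19, 3))    # (6, 19, False): gcd(6, 26) != 1
    print(solve_key_guess(4, 17, 19, 10))   # (3, 5, True)
    print(check_guess(sample, 3, 5))
```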
Lecture 3 (1/11/08)
Cryptanalysis of the Hill Cipher
$y = xK$
Difficult to break by Ciphertext Only Attack. Easy to break by Known Plaintext Attack.
Consider a Known Plaintext Attack with $m$ plaintext/ciphertext pairs:
$y_1 = x_1 K$, $y_2 = x_2 K$, ..., $y_m = x_m K$
Let $Y = XK$, where $Y = \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_m \end{pmatrix}$ and $X = \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_m \end{pmatrix}$.
If $X$ is invertible in $\mathbb{Z}_{26}$, then $K = X^{-1} Y$. If $X$ is not invertible, then the adversary needs to find other plaintext/ciphertext pairs.
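The Hill cipher and the known-plaintext recovery $K = X^{-1}Y$, as an added example that is not part of the notes. The key matrix and the sample words are constructed; the inverse is computed through the adjugate, which needs exactly the condition $\gcd(\det K, 26) = 1$ stated above.

```python
# Added example (not from the lecture notes): the Hill cipher over Z_26 with the
# invertibility test gcd(det K, 26) = 1, the inverse via the adjugate, and the
# known-plaintext recovery K = X^{-1} Y from m plaintext/ciphertext row vectors.
# The key matrix and the sample words are constructed for illustration.
from math import gcd

MOD = 26


def inverse_mod(a, m=MOD):
    """a^{-1} mod m by search (m is small), or None if gcd(a, m) != 1."""
    a %= m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None


def det_mod(A, m=MOD):
    """Determinant mod m by Laplace expansion along the first row."""
    n = len(A)
    if n == 1:
        return A[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * det_mod(minor, m)
    return total % m


def is_valid_key(K):
    return gcd(det_mod(K), MOD) == 1


def inverse_matrix_mod(A, m=MOD):
    """A^{-1} = det(A)^{-1} * adj(A) mod m; None if det(A) is not invertible mod m."""
    n = len(A)
    d_inv = inverse_mod(det_mod(A, m), m)
    if d_inv is None:
        return None
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            adj[j][i] = ((-1) ** (i + j) * det_mod(minor, m)) % m   # transposed cofactor
    return [[(d_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]


def mat_mul_mod(A, B, m=MOD):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m
             for j in range(len(B[0]))] for i in range(len(A))]


def hill_encrypt(text, K):
    """y = x K mod 26 block by block; x is a 1 x m row vector of letter indices."""
    m = len(K)
    nums = [ord(c) - 65 for c in text.upper() if c.isalpha()]
    while len(nums) % m:
        nums.append(23)                 # pad with 'X' (a constructed convention)
    out = []
    for i in range(0, len(nums), m):
        out.extend(mat_mul_mod([nums[i:i + m]], K)[0])
    return "".join(chr(v + 65) for v in out)


def hill_decrypt(text, K):
    """x = y K^{-1} mod 26."""
    K_inv = inverse_matrix_mod(K)
    if K_inv is None:
        raise ValueError("K is not invertible mod 26")
    return hill_encrypt(text, K_inv)


def recover_key(X, Y):
    """Known-plaintext attack: rows of X are m plaintext blocks, rows of Y the matching
    ciphertext blocks, so Y = X K and K = X^{-1} Y. None if X is not invertible mod 26
    (the adversary then needs other plaintext/ciphertext pairs)."""
    X_inv = inverse_matrix_mod(X)
    return None if X_inv is None else mat_mul_mod(X_inv, Y)


def blocks_of(text, m):
    nums = [ord(c) - 65 for c in text.upper()]
    return [nums[i:i + m] for i in range(0, len(nums), m)]


if __name__ == "__main__":
    K = [[11, 8], [3, 7]]             # det = 53 = 1 mod 26, so invertible
    print(is_valid_key(K), hill_encrypt("JULY", K), hill_decrypt("DELW", K))
    # "JULY" gives X = [[9, 20], [11, 24]] with det 22: not invertible, no recovery.
    print(recover_key(blocks_of("JULY", 2), blocks_of("DELW", 2)))
    # "FRID" gives X = [[5, 17], [8, 3]] with det 9: recovers K.
    print(recover_key(blocks_of("FRID", 2), blocks_of(hill_encrypt("FRID", K), 2)))
```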
Cryptanalysis of the LFSR Stream Cipher
[Figure: key generator (LFSR) producing $z_i$ with $z_{m+i} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$, $c_0 = 1$; plaintext $x_i$ is combined as $y_i = x_i \oplus z_i$]
Note that if the coefficients $c_j$ are all publicly known, we can find the entire string $z_i$ by only observing the ciphertext and its corresponding plaintext for $m$ consecutive symbols.
a) The $c_j$ are known by the enemy: Known Plaintext Attack. Knowing $x_i, y_i$ for $i = L, \ldots, L + m - 1$ for some $L$: $z_i = y_i + x_i$ for $i = L, \ldots, L + m - 1 \Rightarrow$ the entire $z_i$ can be recovered using the LFSR.
b) The $c_j$ are NOT in the public domain (the initial value of the LFSR is secret). Assuming the adversary knows $m$, this can be broken by a Known Plaintext Attack on $2m$ consecutive symbols (does not have to start w/ $z_1$). Using the LFSR:
$[z_{m+1}\ z_{m+2}\ \cdots\ z_{2m}] = [c_0\ c_1\ \cdots\ c_{m-1}] \begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & \ddots & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}$
We only need $z_1, \ldots, z_{2m}$ to construct the above relation. It can be shown that the matrix $Z$ is always invertible in $\mathbb{Z}_2$ if the degree of the recurrence is $m$.
Once we find the coefficients $c_j$, (similar to part a) the entire $z_i$ can be found.
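The LFSR keystream from the stream-cipher section and the $2m$-symbol known-plaintext attack of part b), as one added example that is not part of the notes. The feedback polynomials, the initial states and the plaintext bits are constructed; the linear system $[c]\,Z = [z_{m+1} \ldots z_{2m}]$ is solved by Gauss-Jordan elimination over $\mathbb{Z}_2$.

```python
# Added example (not from the lecture notes): the degree-m binary LFSR keystream
# z_{i+m} = sum_j c_j z_{i+j} mod 2 from the stream-cipher section, its period for a
# primitive versus a non-primitive feedback polynomial, and the known-plaintext attack of
# part b): recover (c_0, ..., c_{m-1}) from 2m consecutive keystream bits by solving
# [z_{m+1} ... z_{2m}] = [c_0 ... c_{m-1}] Z over GF(2), then regenerate the whole keystream.


def lfsr_keystream(coeffs, init, n):
    """coeffs = (c_0, ..., c_{m-1}), init = (k_1, ..., k_m) nonzero. Each step taps k_1 as
    z_i, shifts the stages left and fills the last stage from the recurrence."""
    state = list(init)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = sum(c * s for c, s in zip(coeffs, state)) % 2
        state = state[1:] + [new_bit]
    return out


def period(coeffs, init):
    """Steps until the register returns to init (with c_0 = 1 the state map is a bijection,
    so every nonzero state lies on a cycle of length at most 2^m - 1)."""
    m = len(coeffs)
    start = tuple(init)
    state = list(init)
    for steps in range(1, 2 ** m):
        new_bit = sum(c * s for c, s in zip(coeffs, state)) % 2
        state = state[1:] + [new_bit]
        if tuple(state) == start:
            return steps
    return None


def xor_bits(a, b):
    """y_i = x_i + z_i mod 2 for encryption; x_i = y_i + z_i mod 2 for decryption."""
    return [u ^ v for u, v in zip(a, b)]


def solve_gf2(A, b):
    """Solve A x = b over GF(2) by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    rows = [A[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [u ^ v for u, v in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


def recover_coefficients(z, m):
    """z: at least 2m consecutive keystream bits z_1..z_2m (0-based list). Row i of Z is
    (z_{i+1}, ..., z_{i+m}); the relation [c] Z = [z_{m+1} .. z_{2m}] is Z^T c = rhs."""
    Z = [[z[i + j] for j in range(m)] for i in range(m)]
    rhs = [z[m + i] for i in range(m)]
    Z_t = [[Z[r][c] for r in range(m)] for c in range(m)]
    return solve_gf2(Z_t, rhs)


def known_plaintext_attack(x_bits, y_bits, m, total_len):
    """Part b): from 2m consecutive plaintext/ciphertext bits recover the c_j, then (as in
    part a) run the LFSR from the first m keystream bits to rebuild the keystream."""
    z = xor_bits(x_bits[:2 * m], y_bits[:2 * m])
    coeffs = recover_coefficients(z, m)
    if coeffs is None:
        return None
    return coeffs, lfsr_keystream(coeffs, z[:m], total_len)


if __name__ == "__main__":
    primitive = (1, 1, 0, 0)      # z_{i+4} = z_i + z_{i+1}: p(x) = x^4 + x + 1, period 15
    reducible = (1, 0, 0, 0)      # z_{i+4} = z_i: p(x) = x^4 + 1, period only 4
    print(period(primitive, (1, 0, 0, 0)), period(reducible, (1, 0, 0, 0)))
    # Constructed plaintext bits and a secret keystream; the attacker sees x and y only.
    x = [1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]
    z = lfsr_keystream(primitive, (0, 1, 1, 0), len(x))
    y = xor_bits(x, z)
    print(known_plaintext_attack(x, y, 4, len(x)))
```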
Computational Complexity:
A cryptosystem whose decryption problem involves computing a noncomputable (one-way) function would be very difficult to attack. However, it is easily seen that such a one-way function cannot exist because all cryptosystems are finite (the plaintext, ciphertext, and key are all finite sets). Thus, in principle, all cryptosystems can be cracked by exhaustive search of all possibilities.
The theory of computational complexity is concerned with the class of problems that can be solved in principle; but, within this class, the theory attempts to classify problems according to their computational difficulty, measured as the amount of time or space their solution would take. Thus an understanding of the basic concepts of complexity theory is essential for cryptography.

Big O Notation:
Let $f(n), g(n) \ge 0$ for all positive integers $n$. We say $f(n) = O(g(n))$ (or simply $f = O(g)$) if and only if there exists a constant $C$ such that $f(n) \le C g(n)$ for all $n \ge n_0$.
Ex: $f(n) = 2n^2 + 3n - 3 \Rightarrow f(n) = O(n^2)$ (This is because for $C = 3$, $f(n) \le C n^2$.)
In practice, we only care about $f(n)$ and $g(n)$ for large values of $n$ when we use big O notation.
Define: Suppose that for all $n \ge n_0$, the two functions $f(n), g(n)$ are defined, take positive values, and for some constant $C$ satisfy the inequality $f(n) \le C g(n)$. Then we say $f = O(g)$.
Remark: It is desirable to have simple functions $g(n)$ that do not increase a whole lot faster than $f(n)$.
Remark: If for $n \ge n_0$, $\lim_{n \to \infty} \frac{f(n)}{g(n)} = $ constant, then $f = O(g)$; if the limit is $0$, then $f = o(g)$.

Length of Numbers:
The number of bits (binary representation) of $n$: $\lceil \log_2 n \rceil = \left\lceil \frac{\ln n}{\ln 2} \right\rceil$ (note: $\lceil 4.7 \rceil = 5$).
We measure the complexity of a computation in terms of the number of fundamental operations it takes. These could be bit operations such as bit additions, comparisons, etc. We note that the complexity is regarded as a function of the input size.
Q: What is the length of the sum/product of $n$ positive integers, each of which has length at most $k$?
The sum of two integers has length either equal to the length of the larger number or else equal to one plus the length of the larger number.
Addition: sum $< n \cdot 2^k \Rightarrow \text{length(sum)} \le k + \text{length}(n)$
Lecture 4 (1/14-16/08)
Multiplication:
For $m_1$ and $m_2$: $2^{k-1} \le m_1 < 2^k$ where $k = \text{length}(m_1)$, and $2^{l-1} \le m_2 < 2^l$ where $l = \text{length}(m_2)$
$\Rightarrow 2^{k+l-2} \le m_1 m_2 < 2^{k+l}$
$\Rightarrow \text{length}(m_1 m_2) = \text{length}(m_1) + \text{length}(m_2)$ OR $\text{length}(m_1) + \text{length}(m_2) - 1$
For $m_1 m_2 \cdots m_n$: $nk - (n - 1) < \text{length}(m_1 m_2 \cdots m_n) \le nk$

Bit Operations:
All the procedures that involve adding two bits with a possible carry are called a bit operation. When we speak of estimating the time to perform a task, we mean finding an estimate for the number of bit operations. This is because the amount of time a computer takes to perform a task is proportional to the number of bit operations (we ignore the administrative matters, e.g. time for memory access).
Remark: The complexity is the time taken in the worst possible case.
Time to add two integers $u, v$: adding two $k$-bit numbers requires $k$ bit operations, so $\text{Time}(u + v) = O(\max(\text{length}(u), \text{length}(v)))$.
Subtraction time is the same as addition.
Time to multiply a $k$-bit integer by an $l$-bit integer: total bit operations $< l \cdot k \Rightarrow \text{Time} = O(lk)$
Time to divide a $k$-bit integer by an $l$-bit integer: $\text{Time} = O(l(k - l + 1))$ to obtain quotient and remainder.
Remark: Multiplying two integers of length $k$ by the best algorithm has time $O(k \cdot \text{length}(k) \cdot \text{length}(\text{length}(k)))$, which is better than $O(k^{1+\varepsilon})$ for any $\varepsilon > 0$.
Ex: Show that $b^N \bmod m$ can be computed in time $O(k^2 l)$, where $l = \text{length}(N) \approx \log_2 N$ and $k \approx \log_2 m$, and assume $|b| < m$.
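One way to see the $O(k^2 l)$ bound of the exercise, as an added example that is not part of the notes: square-and-multiply performs at most $2\,\text{length}(N)$ modular multiplications, and the code counts them alongside the naive $N - 1$ multiplications. The sample values are constructed.

```python
# Added example (not from the lecture notes): square-and-multiply for b^N mod m, with a
# count of the modular multiplications it performs. There are at most 2 * length(N) of
# them, each a multiplication of two numbers below m (O(k^2) bit operations) followed by a
# division by m (also O(k^2)), which is where the O(k^2 l) bound of the exercise comes from.


def length(n):
    """Binary length of n >= 1 (number of bits)."""
    return n.bit_length()


def modexp(b, N, m):
    """Left-to-right square-and-multiply. Returns (b^N mod m, multiplications used)."""
    result, base, mults = 1 % m, b % m, 0
    for bit in bin(N)[2:]:                  # binary digits of N, most significant first
        result = (result * result) % m      # one squaring per bit of N ...
        mults += 1
        if bit == "1":
            result = (result * base) % m    # ... plus one multiply per 1-bit
            mults += 1
    return result, mults


def naive_modexp(b, N, m):
    """Repeated multiplication: N - 1 multiplications, exponential in length(N)."""
    result, mults = b % m, 0
    for _ in range(N - 1):
        result = (result * b) % m
        mults += 1
    return result, mults


def bit_operation_bound(b, N, m):
    """Bound on bit operations: every one of the <= 2l modular multiplications costs about
    2k^2 (k^2 for the k-bit product, about k^2 more for the division by the k-bit m)."""
    k = length(m)
    _, mults = modexp(b, N, m)
    return mults * 2 * k * k                # mults <= 2 * length(N), so this is O(k^2 l)


if __name__ == "__main__":
    print(modexp(4, 13, 497))               # (445, 7): 4 squarings + 3 multiplies
    print(modexp(3, 255, 1000)[1], naive_modexp(3, 255, 1000)[1])   # 16 vs 254
    print(bit_operation_bound(3, 255, 1000))
```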
Polynomial time:
Def: An algorithm to perform a computation is said to be a polynomial time algorithm if there exists an integer $d$ such that the number of bit operations (time estimate) required to perform the algorithm on integers of total length at most $k$ (binary length) is $O(k^d)$.
Exponential Time Algorithm: $\text{Time} = O(e^{ck})$, where $c$ is a constant and $k$ is the total binary length of the integers to which the algorithm is being applied.
Problem: refers to a general description of a task.
Instance: a particular case of the task.
Decision Problem: a problem whose solution consists of a yes or no answer.
Search Problem: if the desired output is more than a yes or no, then we call the problem a search problem.
Remark: Unlike a decision problem, a search problem might have several correct answers. Ex: solutions to a system of nonlinear equations.
Remark: To give the definitions of P and NP, we need to modify our problems so that they are decision problems.
Ex:
(Search Problem): The integer factorization search problem is the problem of either finding a nontrivial factor $M$ of an integer $N$ or else determining that no nontrivial factor exists.
(Decision Problem): Given positive integers $N$ and $K$, does $N$ have a factor $M$ satisfying $2 \le M \le K$?

P and NP Problems:
Def: A decision problem $p$ is in the class P of polynomial time problems if there exists a polynomial $Q(n)$ and an algorithm $A$ such that if an instance of $p$ has input length $\le n$, then the algorithm answers the question correctly in time $t_A(n) \le Q(n)$, i.e., $t_A(n) = O(n^d)$ for some $d$.
Remark: It is not always clear if class P is the right class to capture the class of problems that in practice can be solved rapidly. For example, an algorithm with running time $n^{100}$ is slower than another algorithm with exponential time $e^{0.0001 n}$ until $n$ is greater than about 10 million.
Note: Sometimes a problem that is in P (or is believed to be in P) has a practical, efficient algorithm that is not polynomial time. An example of this is: given a positive integer $N$, is $N$ a prime number?
A decision problem $p$ is in the class NP (nondeterministic polynomial time) if, given any instance of $p$, a person with unlimited computing power not only can answer the question, but in the case that the answer is yes, she can supply evidence that another person could use to verify the correctness of the answer in polynomial time.
[Figure: P drawn inside NP] Note that $P \subseteq NP$.
The claim that $P \ne NP$ is the most famous conjecture in computer science.
Given positive integers $N$ and $K$, does $N$ have a factor in the interval $[2, K]$? The above problem is almost surely not in P. But if someone with unlimited computing power gives the factorization and supplies us with $M$, we can verify the yes answer in polynomial time by performing $N / M$.
Reduction:
In cryptology, it is very desirable to be able to reduce a cryptologic system to a known hard problem.
Given problem classes $P_1$ and $P_2$, $P_1$ reduces to $P_2$ if one can find a polynomial time algorithm, $A$, such that for any $p_1 \in P_1$, $A(p_1) \Rightarrow p_2 \in P_2$.
Example: Let $P_1$ be the following problem: given a quadratic polynomial $f(x)$ with integer coefficients, does $f(x)$ have two distinct roots?
Let $P_2$ be: for a given integer $N$, is $N$ positive?
Since the discriminant of $f_1(x) = ax^2 + bx + c$ is $b^2 - 4ac$, and $f_1$ has two distinct roots exactly when $b^2 - 4ac > 0$ (a double root when it is zero), $P_1$ reduces to $P_2$ by mapping $f_1$ to $N = b^2 - 4ac$.
Shannon's Theory:
In practice, we say a system is computationally secure if the best known method of breaking the system requires an unreasonably large amount of computer time (it is not a proof, of course, because security against one specific attack does not ensure security against other attacks).
Another approach is to provide evidence of computational security by reducing the security of the system to some well-studied problem that is thought to be difficult. These are called provably secure systems. But it must be understood that this only provides a proof relative to some other problem, not an absolute proof of security (computational difficulty of solving the problem).
Ex: A given cryptosystem is secure if a given integer $n$ cannot be factored.
Unconditional security: when there is no bound placed on the amount of computation of the adversary.
In chapter 2, we study Shannon's classical approach to cryptosystems. This gives some good insight into the behavior and design of cryptosystems (although it is only a mathematical model).
Since we are interested in unconditional security, we need to study the security from a probability point of view (not a computational point of view).
Remark: We consider the Ciphertext Only Attack model with unbounded computational power in this chapter.

Entropy $H(X)$: a mathematical measure of information or uncertainty.
$P(x, y)$: probability that $X$ takes the value $x$ and $Y$ takes the value $y$.
$P(x \mid y)$: probability that $X$ takes the value $x$ GIVEN THAT $Y$ has taken the value $y$:
$p(x \mid y) = \frac{p(x, y)}{p(y)}$
Bayes' rule: $p(x \mid y) = \frac{p(x, y)}{p(y)} = \frac{p(x)\, p(y \mid x)}{p(y)}$
Independence: $p(x \mid y) = p(x)$
Total Probability: $p(x) = \sum_y p(x \mid y)\, p(y) = \sum_y p(x, y)$
Lecture 5 (1/18-23/08)
Assume a random variable, $X$, which takes on a finite set of values $x_i$ with probability $P_i$ ($1 \le i \le n$). Then the uncertainty of the r.v. $X$ is a function of the probabilities $P_1, P_2, \ldots, P_n$, denoted by $H(P_1, \ldots, P_n)$:
$H(P_1, \ldots, P_n) = -\sum_{k=1}^{n} P_k \log_2 P_k$
Properties:
- $H(P_1, \ldots, P_n)$ is maximum when $P_1 = P_2 = \cdots = P_n = \frac{1}{n}$
- $H(P_1, \ldots, P_n) \ge 0$
If $X$ and $Y$ are any two r.v. taking only finitely many values, then
$H(X \mid Y) = \sum_{j} H(X \mid Y = b_j)\, \Pr[Y = b_j]$, the sum over all values $b_j$ of $Y$.
Note: $H(X \mid Y)$ is the uncertainty of $X$ given a particular value of $Y$, averaged over the range of values that $Y$ can take.
$H(X \mid X) = 0$
$H(X, Y) = H(Y) + H(X \mid Y) = H(X) + H(Y \mid X)$
$H(X \mid Y) \le H(X)$, equality holds iff $X$ and $Y$ are independent.
Cryptosystem $(M, K, C)$
a) Use the notation $M = P$ for the plaintext sequence to prevent confusion.
b) $P_M(x)$ denotes the a priori probability that plaintext $x$ occurs (let $P_M(x) = \Pr[M = x]$).
c) $P_K(k)$ is the probability that the key $k$ is chosen (usually uniform). Obviously $k$ and $x$ are independent. (Note: $P_K(k) = \Pr[K = k]$)
These two probabilities induce a probability distribution on the set of possible cryptograms, $y$:
$P_C(y \mid x) = \sum_{\{k : y = e_k(x)\}} P_K(k)$, where the sum is over the message/key pairs $(x_i, k_j)$ such that $e_{k_j}(x_i) = y$.
$P_C(y) = \sum_{\{k : y \in C(k)\}} P_K(k)\, P_M(d_k(y))$, where $C(k) = \{e_k(x) : x \in M\}$ is the set of possible ciphertexts if $k$ (a fixed key) is the key.
Since $P_C(y) = \sum_{\{k : y \in C(k)\}} P_K(k)\, P_M(d_k(y))$, the setup is completely analogous to a communication channel where $M$ is the zero-memory source and the encryption function together with the keys serves as the channel.
Message $M$: $H(M) = -\sum_x P_M(x) \log_2 P_M(x)$
Key $K$: $H(K) = -\sum_k P_K(k) \log_2 P_K(k)$
Cipher $C$: $H(C) = -\sum_y P_C(y) \log_2 P_C(y)$
Key Equivocation $H(K \mid C)$: measures the average uncertainty remaining about the key when a cryptogram has been intercepted. (Desire $H(K \mid C) = H(K)$)
Message Equivocation $H(M \mid C)$ is defined the same way. (Unconditionally/Perfectly Secure: $H(M \mid C) = H(M)$)
Theorem: The key equivocation is related to the message equivocation by $H(K \mid C) = H(M \mid C) + H(K \mid M, C)$. {Also $H(K \mid C) = H(K) + H(M) - H(C)$} (The key equivocation is at least as big as the message equivocation.)
Proof: For any $X, Y$: $H(X \mid Y) = H(X, Y) - H(Y)$.
We write: $H(M \mid C) = H(M, C) - H(C) = H(M, K, C) - H(K \mid M, C) - H(C)$ {B/C $H(K \mid M) = H(K, M) - H(M)$}
and $H(K \mid C) = H(K, C) - H(C) = H(M, K, C) - H(M \mid K, C) - H(C)$
But $H(M \mid K, C) = 0$ (no uncertainty about the message given the key, for any ciphertext).
Thus: $H(K \mid C) = H(M \mid C) + H(K \mid M, C)$.
Since $H(M \mid C)$ measures the average uncertainty of the message after interception of the cryptogram, it is natural to say that a system $(M, K, C)$ has perfect secrecy if $H(M \mid C) = H(M)$. Perfect secrecy means that the enemy can obtain no info about the plaintext by observing the ciphertext.
Theorem: A system has perfect secrecy IFF for all possible messages $x \in M$ and possible cryptograms $y \in C$, we have $p_M(x \mid y) = p_M(x)$.
Proof: We know that $H(X \mid Y) = H(X)$ IFF $X$ and $Y$ are independent. This means that $p_M(x \mid y) = p_M(x)$.
Example: Suppose the 26 keys in the shift cipher are used with equal probability $1/26$. Then for any plaintext probability distribution, the shift cipher has perfect secrecy.
Proof: Note: $C = M = K = \mathbb{Z}_{26}$. For any $0 \le k \le 25$, $e_k(x) = x + k \bmod 26$.
$P_C(y) = \sum_{k \in \mathbb{Z}_{26}} P_K(k)\, P_M(d_k(y)) = \sum_{k \in \mathbb{Z}_{26}} \frac{1}{26}\, P_M(y - k \bmod 26)$
But for a fixed $y$, $y - k \bmod 26$ takes all possible values of $\mathbb{Z}_{26}$:
$\sum_{k \in \mathbb{Z}_{26}} P_M(y - k \bmod 26) = \sum_{x} P_M(x) = 1 \Rightarrow P_C(y) = \frac{1}{26}$ for any $y \in \mathbb{Z}_{26}$
Moreover, $P_C(y \mid x) = P_K(y - x \bmod 26) = \frac{1}{26}$, since for any $x, y$ there is a unique $k$ with $e_k(x) = y$.
Bayes' rule: $P_M(x \mid y) = \frac{P_M(x)\, P_C(y \mid x)}{P_C(y)} = \frac{P_M(x) \cdot \frac{1}{26}}{\frac{1}{26}} = P_M(x)$ for all $x \in M$, $y \in C$.
Thus, using a ciphertext only attack, the shift cipher is unbreakable (with unlimited computational power for the adversary) provided that a new random key is used to encrypt EVERY PLAINTEXT CHARACTER.

Ex: $K = \{0, 1\}$, $y = e_k(x) = x + k \bmod 26$. Let $M = C = \mathbb{Z}_{26}$. Assume $p_M(A) = p_M(B) = \cdots = p_M(Z) = \frac{1}{26}$ (a priori probability).
Then $p_C(y \mid x)$ is no longer $\frac{1}{26}$ for every pair (only keys 0 and 1 can occur), but $p_C(y) = \frac{1}{26}$.
Ex: $p_M(x = A \mid y = D) = 0$ but $p(x = A) = \frac{1}{26}$
$\Rightarrow p_M(x \mid y) \ne p_M(x) \Rightarrow$ not perfect secrecy.
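The two shift-cipher computations above, as an added example that is not part of the notes: $P_C(y)$, $P_C(y \mid x)$ and the posterior $P_M(x \mid y)$ are evaluated exactly from the formulas of this section, once with all 26 keys equiprobable and once with the key set $K = \{0, 1\}$. The skewed plaintext distribution is constructed.

```python
# Added example (not from the lecture notes): the induced distributions P_C(y),
# P_C(y|x) and the posterior P_M(x|y) for the shift cipher, computed exactly with
# fractions from the formulas above, to check Shannon's condition p_M(x|y) = p_M(x).
# With all 26 keys equiprobable it holds for any plaintext distribution; with the
# restricted key set K = {0, 1} from the example it fails (p_M(A | D) = 0).
from fractions import Fraction

ALPHABET = 26


def shift_encrypt(x, k):
    """e_k(x) = x + k mod 26."""
    return (x + k) % ALPHABET


def cipher_distributions(p_m, p_k):
    """p_m: {x: P_M(x)}, p_k: {k: P_K(k)}.
    Returns p_c with p_c[y] = sum_k P_K(k) P_M(d_k(y)) and p_c_given_x with
    p_c_given_x[(y, x)] = sum over keys k with e_k(x) = y of P_K(k)."""
    p_c = {y: Fraction(0) for y in range(ALPHABET)}
    p_c_given_x = {}
    for x, px in p_m.items():
        for k, pk in p_k.items():
            y = shift_encrypt(x, k)
            p_c[y] += pk * px
            p_c_given_x[(y, x)] = p_c_given_x.get((y, x), Fraction(0)) + pk
    return p_c, p_c_given_x


def posterior(p_m, p_k, x, y):
    """Bayes: P_M(x|y) = P_M(x) P_C(y|x) / P_C(y)."""
    p_c, p_c_given_x = cipher_distributions(p_m, p_k)
    return p_m[x] * p_c_given_x.get((y, x), Fraction(0)) / p_c[y]


def has_perfect_secrecy(p_m, p_k):
    """Perfect secrecy iff P_M(x|y) = P_M(x) for every x and every y with P_C(y) > 0."""
    p_c, p_c_given_x = cipher_distributions(p_m, p_k)
    return all(p_m[x] * p_c_given_x.get((y, x), Fraction(0)) == p_m[x] * p_c[y]
               for x in p_m for y in range(ALPHABET) if p_c[y] > 0)


def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def skewed_plaintext():
    """Constructed a priori distribution: E (index 4) has probability 1/2, the rest share 1/2."""
    p = {x: Fraction(1, 50) for x in range(ALPHABET)}
    p[4] += Fraction(24, 50)
    return p


if __name__ == "__main__":
    print(has_perfect_secrecy(skewed_plaintext(), uniform(range(26))))   # True
    print(has_perfect_secrecy(uniform(range(26)), uniform([0, 1])))     # False
    print(posterior(uniform(range(26)), uniform([0, 1]), 0, 3))          # 0: p_M(A | D)
```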
Realization of Perfect Secrecy:
Let $n \ge 1$ be an integer, $M = C = K = (\mathbb{Z}_2)^n$.
If $x = (x_1, \ldots, x_n)$ and $K = (k_1, \ldots, k_n)$, then $y = e_K(x) = (x_1 + k_1, x_2 + k_2, \ldots, x_n + k_n) \bmod 2$
Decryption: $d_K(y) = (y_1 - k_1, \ldots, y_n - k_n) \bmod 2$
Note that the key $k$ must be changed for the next encryption.
Disadvantage: $|K| \ge |M|$, which implies the amount of key that must be communicated secretly is at least as big as the message.
Applications: Military and diplomatic contexts where unconditional security is important.

Theorem: Suppose $(M, C, K, E, D)$ is a cryptosystem where $|K| = |C| = |M|$. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability $1/|K|$, and for every $x \in M$ and every $y \in C$, there is a unique key $K$ such that $e_K(x) = y$.
Proof: Suppose the given cryptosystem has perfect secrecy.
Since $y_i = e_{k_i}(x)$ and $y_i = e_{k_j}(x)$ with $k_i \ne k_j$ would imply $|K| > |C|$, it is NOT possible. The key is UNIQUE.
Claim: $p_K(K) = 1/|K|$. Since $|M| = |K|$, $M = \{x_i : 1 \le i \le |K|\}$.
Bayes' rule: $p_M(x_i \mid y) = \frac{p_C(y \mid x_i)\, p_M(x_i)}{p_C(y)} = \frac{p_K(k_i)\, p_M(x_i)}{p_C(y)}$
But $p_M(x_i \mid y) = p_M(x_i)$ because of perfect secrecy.
Therefore $p_K(k_i) = p_C(y)$ for $1 \le i \le |K|$, and all keys have equal probability. Since we have $|K|$ keys, $p_K(K) = 1/|K|$.
Conversely, when the two conditions are satisfied, it can be proved like the shift cipher that the cryptosystem has perfect secrecy.
Perfect Secrecy:
In the study of perfect secrecy we assumed:
1. Ciphertext only attack
2. The adversary has unbounded computational power
3. The key is used once. Every time we use the encryption algorithm, we need a new key.
We want to study the consequences of relaxing the third assumption and using the same key $n$ times. We would like to see how much information is released to the adversary.
For a perfectly secure system: $H(K \mid y^n) = H(K)$ {$y$ is observed multiple times}
For a less secure system, information is obtained as letters are observed.
EX: Known English plaintext, 1 key.
Ciphertext: WNAJW
Only two possible 5-letter words w/ this format: Plaintext RIVER, ARENA.
Therefore, the key space has been reduced to only two keys. One is the actual key, the other(s) are spurious.
Remark: The success of the attack depends on the fact that there must exist only one key as a candidate (spurious keys = 0).
Assuming case-insensitive English language from this point forward, $|M| = |\mathbb{Z}_{26}|$.
What is the average entropy per letter in the English language?
If letters are chosen w/ equal probability, $H_L = \log_2(26) = 4.7$.
However, using a histogram of letters, $H_L = -\sum_i p_i \log_2 p_i \approx 4.19$.
Using $n$-tuples as $n \to \infty$, $H_L = \lim_{n \to \infty} \frac{H(p^n)}{n}$, $1 \le H_L \le 1.5$.
Redundancy of a language $L$: $R_L = 1 - \frac{H_L}{\log_2 |M|}$ (For English, $H_L = 1.25$, $\log_2 |M| = 4.7 \Rightarrow R_L = 0.75$)
Lecture 6 (1/25-29/08)
Unicity: **Should be able to determine unicity from a given cipher**
Unicity is the average length of the ciphertext that will allow an adversary to uniquely identify the actual key. Suppose $(M, C, K, E, D)$ is a cryptosystem and keys are chosen equiprobably. Then the unicity distance is:
$N_u = \frac{\log_2 |K|}{\log_2 |C| - H_L}$
and since $R_L = 1 - \frac{H_L}{\log_2 |M|}$, if $|M| = |C|$ then $N_u = \frac{\log_2 |K|}{R_L \log_2 |C|}$.

Proof: Lemma: $H(K \mid C) = H(K) + H(M) - H(C)$
Proof: $H(K, M, C) = H(C \mid K, M) + H(K, M) = H(K, M) = H(K) + H(M)$ {$H(C \mid K, M) = 0$} (1)
$H(K, M, C) = H(M \mid K, C) + H(K, C) = H(K, C) = H(K \mid C) + H(C)$ {$H(M \mid K, C) = 0$} (2)
From (1) and (2): $H(K \mid C) = H(K) + H(M) - H(C)$.
Assuming:
$M^N$ to be a r.v. representing an $N$-tuple of plaintext
$C^N$ to be a r.v. representing an $N$-tuple of ciphertext
Then $H(K \mid C^N) = H(M^N) + H(K) - H(C^N)$. Unicity is then the smallest $N > 0$ such that $H(K \mid C^N) = 0$.
Now assume:
a) The underlying natural language is such that a reasonable estimate of $H(M^{N_u})$ is $H(M^{N_u}) \approx N_u H_L$.
b) The cryptosystem is such that all $N_u$-sequences of symbols are equally likely as ciphertext: $H(C^{N_u}) \approx N_u \log_2 |C|$. Note that every cryptosystem should aim at possessing the above property.
Thus: $N_u H_L + H(K) - N_u \log_2 |C| = 0$
Since keys are equiprobable, $H(K) = \log_2 |K|$ and $N_u = \frac{H(K)}{\log_2 |C| - H_L} = \frac{\log_2 |K|}{\log_2 |C| - H_L}$.
Example: Substitution cipher. Assume $H_L = 2$: $N_u = \frac{\log_2(26!)}{\log_2(26) - 2} \approx 32$
Recall the substitution cipher maps each letter from A–Z to a letter in the alphabet A to Z.
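The entropy, redundancy and unicity-distance formulas above, together with the spurious-key example WNAJW from the previous section, as one added example that is not part of the notes. The word list is constructed; the letter frequencies are the commonly published approximate English percentages, not values from the notes.

```python
# Added example (not from the lecture notes): per-letter entropy and redundancy of a
# language from a letter histogram, the unicity distance N_u = log2|K| / (log2|C| - H_L)
# for the substitution and shift ciphers, and the spurious-key count on the shift-cipher
# ciphertext WNAJW from the example above. The word list is constructed; the letter
# frequencies are the commonly published approximate English percentages.
from math import log2, factorial

ALPHABET = 26

# Approximate English letter frequencies (percent), A..Z; normalized before use.
ENGLISH_PCT = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
               6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def entropy(probs):
    """H(p_1, ..., p_n) = -sum p_i log2 p_i (terms with p_i = 0 contribute 0)."""
    return -sum(p * log2(p) for p in probs if p > 0)


def normalized(weights):
    total = sum(weights)
    return [w / total for w in weights]


def letter_entropy(pct=ENGLISH_PCT):
    """First-order estimate of H_L from the single-letter histogram (about 4.2 bits)."""
    return entropy(normalized(pct))


def redundancy(h_l, alphabet=ALPHABET):
    """R_L = 1 - H_L / log2 |M|."""
    return 1 - h_l / log2(alphabet)


def unicity_distance(key_space, h_l, alphabet=ALPHABET):
    """N_u = log2 |K| / (log2 |C| - H_L) with |C| = |M| = alphabet size."""
    return log2(key_space) / (log2(alphabet) - h_l)


def shift_decrypt(ciphertext, k):
    return "".join(chr((ord(c) - 65 - k) % ALPHABET + 65) for c in ciphertext)


def candidate_keys(ciphertext, words):
    """Keys whose decryption is in the word list; all but the actual key are spurious."""
    return [k for k in range(ALPHABET) if shift_decrypt(ciphertext, k) in words]


def spurious_key_count(ciphertext, words):
    return max(len(candidate_keys(ciphertext, words)) - 1, 0)


WORDS = {"RIVER", "ARENA", "HOUSE", "WATER", "NIGHT", "ABOUT", "THERE"}   # constructed

if __name__ == "__main__":
    print(round(letter_entropy(), 2), round(redundancy(1.25), 2))
    print(round(unicity_distance(factorial(26), 2.0), 1))       # substitution cipher, H_L = 2
    print(round(unicity_distance(26, 1.25), 2))                   # shift cipher, H_L = 1.25
    print(candidate_keys("WNAJW", WORDS), spurious_key_count("WNAJW", WORDS))
```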
Product cryptosystem:
A natural way to increase security is to take different systems and combine them:
$S_1$: $y_1 = e_{K_1}(x)$
$S_2$: $y_2 = e_{K_2}(y_1)$
$S = S_2 \times S_1$
The domain of $S_2$ must contain the range of $S_1$. Note that $S^2 = S \times S$. If $S^2 = S$, then there is no point in using $S^2$.
Example: Shift Cipher
$S$: $y_1 = x + b_1 \bmod 26$
$S^2 = S \times S$: $y_2 = y_1 + b_2 \bmod 26 = x + (b_1 + b_2) \bmod 26 = x + b \bmod 26$ **a new shift cipher w/ $b = b_1 + b_2 \bmod 26$
Thus $S^2 = S$ for the shift cipher.

Block Ciphers:
DES: Data Encryption Standard (1973, IBM. In 1999 it was replaced by AES)
AES: Advanced Encryption Standard
At the moment, there is no fast algorithm for NP-hard problems, and if $NP \ne P$, no such algorithm exists.
Idea: Build a cryptosystem around an NP-hard problem.
Decision Problem:
Input: Polynomials $P_1, \ldots, P_k$ in $x_1, \ldots, x_n$ with coefficients in $\mathbb{Z}_2$
Question: Do these polynomials have a common zero $(x_1, \ldots, x_n)$ in mod 2 arithmetic?
Ex:
$x_1 x_4 x_6 + x_2 x_4 x_5 - 1 = 0$
$x_1 x_2 + x_2 x_3 + x_3 x_4 - 1 = 0$   solution: $(1, 0, 1, 1, 1, 1)$
$x_1 x_3 + x_4 x_5 + x_1 x_6 - 1 = 0$
The problem of deciding whether algebraic equations mod 2 have a solution is NP-hard.
Modes of Operation:
Electronic Codebook Mode (ECB): Each block $x_i$ of plaintext is encrypted with the same key, $K$: $y_i = e_K(x_i)$
Cipher Feedback Mode (CFB): Also generates a keystream for use in a synchronous stream cipher: $z_i = e_K(y_{i-1})$, $y_i = x_i \oplus z_i$
Cipher Block Chaining Mode (CBC): Each ciphertext block, $y_i$, is xored with the next plaintext block, $x_{i+1}$, before $x_{i+1}$ is encrypted with the key, $K$ (useful for authentication): $y_i = e_K(x_i \oplus y_{i-1})$
Output Feedback Mode (OFB): Actually a synchronous stream cipher. The keystream is produced by repeatedly encrypting an initialization vector. Note: the encryption function is used for both encryption and decryption in this mode: $z_i = e_K(z_{i-1})$, $y_i = x_i \oplus z_i$
Counter Mode: Similar to OFB, except that a counter is incremented with each iteration: $T_i = ctr + i - 1 \bmod 2^m$, $y_i = x_i \oplus e_K(T_i)$
Counter with Cipher Block Chaining Mode (CCM): Combines the use of counter mode (for encryption) with CBC mode (for authentication).
DES:
16-round iterated cipher / Feistel cipher.
Prior to the 16 rounds of encryption there is a fixed initial permutation IP that is applied to the plaintext: $IP(x) = L_0 R_0$, $M = (L_0, R_0)$, 64 bits $= (L_0, R_0)$, where $\text{length}(L_0) = \text{length}(R_0) = n$.
Each round: $g(L_{i-1}, R_{i-1}, K_i) = (L_i, R_i)$ where $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$, w/ $f()$: a fixed nonlinear, noninvertible function.
Ciphertext $c = IP^{-1}(R_{16}, L_{16})$.
Keys, $K_i$ (48 bit), are generated from the original 56-bit secret key using the key scheduling algorithm.
Everything in the DES structure (e.g., permutations, expansion, S-boxes, ...) is public (the adversary has access) except the keys $k_1, \ldots, k_{16}$.
Security depends on the nonlinearity of the S-boxes. Note that the only nonlinear operation in DES is the S-box. The design criteria of the S-boxes are not known. Some think that there are hidden trapdoors inside the S-boxes that would allow NSA to decrypt any messages while maintaining DES secure.
Solving for the key bits using plaintext/ciphertext pairs is reduced to solving algebraic equations in the key variables. This is NP-hard.
Small key size ($2^{56}$) means that an exhaustive search IS POSSIBLE! (~$10^6$)
The IBM Lucifer cryptosystem (a predecessor of DES) had a 128-bit key.
Even in the 70s, a machine w/ $10^6$ chips could search the entire key space in about a day (the estimated price of such a machine, at the time, was $20M).
In the Crypto '93 conference, it was argued that a machine costing $100K could find the DES key in about 1.5 days.
In 1998, a machine costing $250K was built by the Electronic Frontier Foundation. It was called DES Cracker. The machine would find DES keys in 56 hours.
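The Feistel round structure just described and the modes of operation from the previous section, as one added example that is not part of the notes and is not DES: a toy 16-bit Feistel cipher (constructed round function $f$, constructed key schedule) serves as $e_K$ for ECB, CBC, CFB, OFB and counter mode, so that the decryption of each mode can be checked against its equations. The key, IV and plaintext blocks are constructed.

```python
# Added example (not from the lecture notes, and not DES itself): a toy 16-bit Feistel
# cipher with the round structure L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) and
# output (R_n, L_n), used as the block function e_K in the ECB, CBC, CFB, OFB and counter
# modes from the modes-of-operation section. The round function f, the key schedule, the
# key and the IV are constructed for illustration only.

HALF = 8
MASK8 = 0xFF
BLOCK_MOD = 1 << 16


def f(r, k):
    """Constructed nonlinear, non-invertible round function on an 8-bit half."""
    t = (r + k) & MASK8
    t = ((t << 3) | (t >> 5)) & MASK8        # rotate left by 3
    return (t * t + 0x5B) & MASK8            # squaring mod 256 is not one-to-one


def round_keys(key, rounds=8):
    """Constructed schedule: derive 8-bit subkeys K_1..K_n from a 32-bit key."""
    return [((key >> (4 * i)) ^ (key >> (4 * i + 11)) ^ (0x35 * (i + 1))) & MASK8
            for i in range(rounds)]


def feistel_encrypt(block, key):
    left, right = block >> HALF, block & MASK8
    for k in round_keys(key):
        left, right = right, left ^ f(right, k)
    return (right << HALF) | left            # c = (R_n, L_n): halves swapped at the end


def feistel_decrypt(block, key):
    """The same network with the round keys in reverse order; f is never inverted."""
    left, right = block >> HALF, block & MASK8
    for k in reversed(round_keys(key)):
        left, right = right, left ^ f(right, k)
    return (right << HALF) | left


def ecb_encrypt(blocks, key):
    """y_i = e_K(x_i): equal plaintext blocks give equal ciphertext blocks."""
    return [feistel_encrypt(x, key) for x in blocks]


def cbc_encrypt(blocks, key, iv):
    """y_i = e_K(x_i XOR y_{i-1}), y_0 = IV."""
    out, prev = [], iv
    for x in blocks:
        prev = feistel_encrypt(x ^ prev, key)
        out.append(prev)
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for y in blocks:
        out.append(feistel_decrypt(y, key) ^ prev)
        prev = y
    return out


def cfb_encrypt(blocks, key, iv):
    """z_i = e_K(y_{i-1}), y_i = x_i XOR z_i."""
    out, prev = [], iv
    for x in blocks:
        prev = x ^ feistel_encrypt(prev, key)
        out.append(prev)
    return out


def cfb_decrypt(blocks, key, iv):
    out, prev = [], iv
    for y in blocks:
        out.append(y ^ feistel_encrypt(prev, key))   # decryption also uses e_K only
        prev = y
    return out


def ofb_xor(blocks, key, iv):
    """z_i = e_K(z_{i-1}), y_i = x_i XOR z_i; the same call decrypts."""
    out, z = [], iv
    for x in blocks:
        z = feistel_encrypt(z, key)
        out.append(x ^ z)
    return out


def ctr_xor(blocks, key, ctr):
    """T_i = ctr + i - 1 mod 2^m, y_i = x_i XOR e_K(T_i); the same call decrypts."""
    return [x ^ feistel_encrypt((ctr + i) % BLOCK_MOD, key) for i, x in enumerate(blocks)]


if __name__ == "__main__":
    KEY, IV = 0xDEADBEEF, 0x1234
    plain = [0x4142, 0x4142, 0x4142, 0x2020]     # constructed: repeated block "AB"
    print([hex(b) for b in ecb_encrypt(plain, KEY)])   # first three are identical
    print([hex(b) for b in cbc_encrypt(plain, KEY, IV)])
    print(cbc_decrypt(cbc_encrypt(plain, KEY, IV), KEY, IV) == plain)
```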
Lecture 7 (2/1/08)
Other than an exhaustive key search, there are two important attacks:
Linear Cryptanalysis: Known plaintext attack using $2^{43}$ plaintext/ciphertext pairs, all of which are encrypted using the same (unknown) key. Note that this is not practical, because it is unlikely that an adversary would be able to acquire this number of plaintext/ciphertext pairs.
Differential Cryptanalysis: Not as efficient as Linear Cryptanalysis.
Remark: Permutation is a linear operation: $IP(x_1) = y_1$, $IP(x_2) = y_2 \Rightarrow IP(x_1 + x_2) = y_1 + y_2$.
The permutations IP and $IP^{-1}$ have no cryptographic significance (identity matrices).

SBB block:
E is a LINEAR OPERATION ($E(x_1 + x_2) = E(x_1) + E(x_2)$) that expands the bit string $R_{i-1}$ from 32 to 48 bits.
Expansion E is specified by: $R_{i-1} = (a_1, a_2, a_3, \ldots, a_{32}) \Rightarrow E(R_{i-1}) = (a_{32}, a_1, a_2, a_3, a_4, a_5, a_4, a_5, a_6, \ldots, a_{31}, a_{32}, a_1)$

E-bit Selection Table
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Let $B = E(R_{i-1}) + K \Rightarrow B = B_1, B_2, \ldots, B_8$ where $B$ has length 48 and each $B_i$ is six bits.
There are 8 S-boxes denoted by $S_1, S_2, \ldots, S_8$. Each $S_i$ maps six bits to four bits of binary sequence: $S_i : \{0, 1\}^6 \to \{0, 1\}^4$.
Each $S_i$ can be shown by a $4 \times 16$ matrix whose entries are numbers 0–15 ($2^4$ possibilities). We note that each row of $S_i$ is a permutation of 0–15.
Given a bit string $B_j = b_1, b_2, \ldots, b_6$, we compute $S_j(B_j)$ as: $b_1 b_6$ determines the row $r$ of $S_j$ and the four bits $b_2 b_3 b_4 b_5$ determine the column in $S_j$.
[Table: $S_j$ as a $4 \times 16$ array indexed by row $b_1 b_6$ and column $b_2 b_3 b_4 b_5$; the first row of $S_1$ begins 14 4 13 1 ... 0 7]
Note that each S-box is different. The special arrangement of numbers in the S-boxes is one of many design criteria that were required of the S-boxes to prevent certain cryptanalysis attacks.
The permutation P within the SBB block is: $P(c_1, \ldots, c_{32}) = (c_{16}, c_7, c_{20}, c_{21}, \ldots)$

Permutation Table
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
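The three SBB building blocks from the tables above (expansion E, S-box lookup with row $b_1 b_6$ and column $b_2 b_3 b_4 b_5$, and the permutation P), as an added example that is not part of the notes. Only $S_1$ is given, as the full standard DES table whose first row the notes show; the remaining seven S-boxes are looked up the same way.

```python
# Added example (not from the lecture notes): the DES f-function building blocks from the
# tables above: expansion E (32 -> 48 bits), S-box lookup with row = b1 b6 and column =
# b2 b3 b4 b5, and the permutation P. Only S1 is included (its full standard table; the
# notes show its first row); the other seven S-boxes would be looked up the same way.
# Bits are numbered 1..32 from the most significant end, as in the tables.

E_TABLE = [32, 1, 2, 3, 4, 5,  4, 5, 6, 7, 8, 9,  8, 9, 10, 11, 12, 13,
           12, 13, 14, 15, 16, 17,  16, 17, 18, 19, 20, 21,  20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29,  28, 29, 30, 31, 32, 1]

P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9,  19, 13, 30, 6, 22, 11, 4, 25]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def bits_of(value, width):
    """Bit list, most significant first (bit 1 of the tables is index 0)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def int_of(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def permute(bits, table):
    """Output bit i is input bit table[i] (1-based positions, as in the DES tables)."""
    return [bits[pos - 1] for pos in table]


def expand(r32):
    """E(R_{i-1}): 32-bit input to 48-bit output."""
    return int_of(permute(bits_of(r32, 32), E_TABLE))


def split_48(b48):
    """B = B_1 ... B_8, six bits each, B_1 first."""
    return [(b48 >> (42 - 6 * i)) & 0x3F for i in range(8)]


def sbox_lookup(sbox, six_bits):
    """Row from b1 b6, column from b2 b3 b4 b5."""
    b = bits_of(six_bits, 6)
    row = (b[0] << 1) | b[5]
    col = int_of(b[1:5])
    return sbox[row][col]


def permute_p(c32):
    return int_of(permute(bits_of(c32, 32), P_TABLE))


def is_linear(func, x1, x2):
    """E and P satisfy func(x1 xor x2) == func(x1) xor func(x2) (the remark above);
    an S-box does not."""
    return func(x1 ^ x2) == func(x1) ^ func(x2)


if __name__ == "__main__":
    r = 0x12345678                                   # constructed 32-bit half
    b = expand(r) ^ 0x0000_0000_0000                 # XOR with a (zero) round key
    print(hex(b), split_48(b))
    print(sbox_lookup(S1, split_48(b)[0]), is_linear(expand, r, 0x9ABCDEF0))
    print(is_linear(lambda v: sbox_lookup(S1, v), 1, 2))
```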
Key Generation:
Original key = 64 bits, but the key is effectively 56 bits (every 7 bits carry an associated parity bit).
PC-1 / PC-2 are described as:

PC-1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

$C_i = LS_i(C_{i-1})$, $D_i = LS_i(D_{i-1})$
$LS_i$: cyclic shift to the left by 1 position for $i = 1, 2, 9, 16$; cyclic shift to the left by 2 positions otherwise.

PC-2
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
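The key schedule from the PC-1, $LS_i$ and PC-2 tables above, as an added example that is not part of the notes. It also checks the parity-bit remark from the Key Generation paragraph: positions 8, 16, ..., 64 never enter PC-1, so flipping them changes no round key. The sample key is constructed.

```python
# Added example (not from the lecture notes): the DES key schedule from the PC-1, LS_i and
# PC-2 tables above. Bits are numbered 1..64 from the most significant end; the parity bits
# (8, 16, ..., 64) never appear in PC-1, so they do not influence any round key.

PC1 = [57, 49, 41, 33, 25, 17, 9,  1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,  19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,  21, 13, 5, 28, 20, 12, 4]

PC2 = [14, 17, 11, 24, 1, 5,  3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,  16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,  30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,  46, 42, 50, 36, 29, 32]

# LS_i: one position for rounds 1, 2, 9, 16; two positions otherwise.
SHIFTS = [1 if i in (1, 2, 9, 16) else 2 for i in range(1, 17)]

PARITY_ONLY = sum(1 << (64 - p) for p in range(8, 65, 8))   # key with only parity bits set


def bits_of(value, width):
    """Bit list, most significant first (bit 1 of the tables is index 0)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def int_of(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def permute(bits, table):
    """Output bit i is input bit table[i] (1-based positions, as in the tables)."""
    return [bits[pos - 1] for pos in table]


def rotate_left(half28, n):
    """Cyclic left shift of a 28-bit half (LS_i)."""
    return ((half28 << n) | (half28 >> (28 - n))) & 0x0FFFFFFF


def des_round_keys(key64):
    """Returns K_1 .. K_16 as 48-bit integers."""
    cd = permute(bits_of(key64, 64), PC1)       # 56 bits: C_0 = first 28, D_0 = last 28
    c, d = int_of(cd[:28]), int_of(cd[28:])
    keys = []
    for shift in SHIFTS:
        c, d = rotate_left(c, shift), rotate_left(d, shift)
        keys.append(int_of(permute(bits_of((c << 28) | d, 56), PC2)))
    return keys


def non_parity_positions():
    """The 56 key positions that PC-1 selects: every position except 8, 16, ..., 64."""
    return [p for p in range(1, 65) if p % 8 != 0]


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                     # constructed 64-bit key
    print([hex(k) for k in des_round_keys(key)[:3]])
    print(des_round_keys(key) == des_round_keys(key ^ PARITY_ONLY))   # parity bits ignored
```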
AES: Advanced Encryption Standard
In 1997, the National Institute of Standards and Technology (NIST) called for candidates to replace DES. New algorithms would have to support keys of 128, 192, and 256 bits. They would also have to work on block sizes of 128 bits and on a variety of hardware, like the 8-bit processors in smart cards and the 32-bit architectures used in personal computers. Criteria for success were:
1) Security
2) Cost effective
Five Finalists:
- MARS (from IBM)
- RC6 (from RSA)
- Rijndael (from J. Daemen, V. Rijmen) **Eventually Chosen**
- Serpent (from R. Anderson, E. Biham, L. Knudsen)
- Twofish (from B. Schneier, J. Kelsey, ...)

GF(256):
Field w/ 256 elements (each element is represented by 8 bits, since $2^8 = 256$).
Addition: bitwise XOR operation: $(00010011) + (00001010) = (00011001)$
Multiplication: Uses the primitive (characteristic) polynomial $p(x) = x^8 + x^4 + x^3 + x + 1$
A: $x^4 + x + 1$
B: $x^3 + x$
$AB = (x^4 + x + 1)(x^3 + x) = r(x) \bmod p(x)$

Basic Algorithm:
10 rounds. Each round has a key derived from the original key. The zero round key is the original key.
(For simplicity, we restrict to 128 bits.)
[Figure: 128-bit input $a$ → Byte Substitution (BS) → Shift Row (SR) → Mix Column (MC) → Add Round Key (ARK) → 128-bit output $e$]
There are four basic steps, called layers:
1. Byte Substitution Transformation: nonlinear layer to resist linear and differential attacks.
2. Shift Row Transformation: diffusion of the bits over multiple rounds.
3. Mix Column Transformation: purpose similar to Shift Row.
4. Add Round Key: the round key is XORed with the result of the layer.
Rijndael Encryption (AES):
1. ARK using $k_0$
2. Nine rounds of BS, SR, MC, ARK using round keys $k_1$ to $k_9$
3. Final round: BS, SR, ARK using $k_{10}$ (no MC step in the last round)
Lecture 8 (2/4/08)
The AES Layers:
128 bits are grouped into 16 bytes of 8 bits each. Arrange them in a matrix
$$A = \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix}, \quad a_{ij} \in GF(256).$$
Note: Elements of GF(256) are bytes consisting of 8 bits. Each nonzero element $b$ has an inverse: $b \cdot b^{-1} = 1$.
Byte Substitution: Each byte in the matrix is changed to another byte by the S-box. Writing the new byte as $b_{ij}$:
$$\begin{pmatrix} a_{00} & \cdots & a_{03} \\ \vdots & & \vdots \\ a_{30} & \cdots & a_{33} \end{pmatrix} \longrightarrow \begin{pmatrix} b_{00} & \cdots & b_{03} \\ \vdots & & \vdots \\ b_{30} & \cdots & b_{33} \end{pmatrix}$$
ShiftRow: The four rows of the matrix are (byte) shifted cyclically to the left by offsets of 0, 1, 2, and 3:
$$\begin{pmatrix} b_{00} & b_{01} & b_{02} & b_{03} \\ b_{11} & b_{12} & b_{13} & b_{10} \\ b_{22} & b_{23} & b_{20} & b_{21} \\ b_{33} & b_{30} & b_{31} & b_{32} \end{pmatrix} = \begin{pmatrix} c_{00} & c_{01} & c_{02} & c_{03} \\ c_{10} & c_{11} & c_{12} & c_{13} \\ c_{20} & c_{21} & c_{22} & c_{23} \\ c_{30} & c_{31} & c_{32} & c_{33} \end{pmatrix}$$
MixColumn: $TC = D$, where $C$ is the output of ShiftRow and
$$T = \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}, \qquad T \begin{pmatrix} c_{00} & \cdots & c_{03} \\ \vdots & & \vdots \\ c_{30} & \cdots & c_{33} \end{pmatrix} = \begin{pmatrix} d_{00} & \cdots & d_{03} \\ \vdots & & \vdots \\ d_{30} & \cdots & d_{33} \end{pmatrix}.$$
POLYNOMIAL MULTS in GF(256)!!!
Round Key Addition: $E = D \oplus K$, bytewise:
$$\begin{pmatrix} d_{00} & \cdots & d_{03} \\ \vdots & & \vdots \\ d_{30} & \cdots & d_{33} \end{pmatrix} + \begin{pmatrix} k_{00} & \cdots & k_{03} \\ \vdots & & \vdots \\ k_{30} & \cdots & k_{33} \end{pmatrix} = \begin{pmatrix} e_{00} & \cdots & e_{03} \\ \vdots & & \vdots \\ e_{30} & \cdots & e_{33} \end{pmatrix}.$$
Construction of S-Box (within ByteSubstitution):
$x \mapsto x^{-1} = y$ to achieve nonlinearity.
Start with a byte $[x_7 \ldots x_0] \in GF(256)$ ($x_i$ is a bit). Compute its inverse in GF(256) (if zero, just replace with zero). The resulting byte $[y_7 \ldots y_0]$ ($y_i$ is a bit) is then passed through the affine map
$$\begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix} = \begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$
Remark:
* Arithmetic in GF(2)!!! For example, $z_0 = y_0 + y_4 + y_5 + y_6 + y_7 + 1 \bmod 2$.
* $Z = [z_0 \ldots z_7]$ is the S-box output.
The matrix is chosen for its simplicity. A table is available for offline lookup and inverse lookup.
The constant vector was chosen such that no input ever equals its S-box output or the complement of its S-box output.
Key Schedule:
$[w(0) \mid w(1) \mid w(2) \mid w(3) \mid \cdots \mid w(43)]$
Each $w(n)$ is a column vector of length 4 (4 bytes, 32 bits).
Original 128-bit key $= [w(0) \mid w(1) \mid w(2) \mid w(3)]$
Suppose we know the columns up through $w(n-1)$. Then:
$w(n) = w(n-4) \oplus w(n-1)$ if $n \not\equiv 0 \bmod 4$
$w(n) = w(n-4) \oplus T'(w(n-1))$ if $n \equiv 0 \bmod 4$
where $T'$ is computed as follows. Write $w(n-1) = (a, b, c, d)^T$.
Cyclic shift: $(a, b, c, d) \to (b, c, d, a)$.
Use the S-box of the BS step on each byte: $(b, c, d, a) \to (e, f, g, h)$.
Compute $r(n) = 2^{(n-4)/4} = (00000010)^{(n-4)/4}$ (*arithmetic in GF(256)*; $(n-4)/4$ will be an integer).
Then $T'(w(n-1)) = (e \oplus r(n),\ f,\ g,\ h)^T$.
The round key for the $i$th round is $[w(4i) \mid w(4i+1) \mid w(4i+2) \mid w(4i+3)]$.
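The GF(256) arithmetic, the inverse-plus-affine-map S-box, the MixColumn matrix $T$ and the $w(n)$ key schedule of the preceding paragraphs, as an added example that is not part of the notes. The check values (the product $(x^4+x+1)(x^3+x)$ from the notes, and FIPS-197 test vectors for the S-box, MixColumn and the expanded key) are quoted as constructed inputs.

```python
# Added example, not from the lecture notes: GF(256) with
# p(x) = x^8 + x^4 + x^3 + x + 1, the AES S-box as inverse followed by the
# affine map, MixColumn with the matrix T, and the w(n) key schedule.
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 as a bit pattern


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo p(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:        # degree 8 reached: subtract p(x)
            a ^= POLY
    return r


def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(256); the S-box maps 0 to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def sbox(x: int) -> int:
    """z_i = y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + c_i over GF(2),
    with y = x^-1 and the constant vector c = (01100011), indices mod 8."""
    y = gf_inv(x)
    z = 0
    for i in range(8):
        bit = (0x63 >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (y >> ((i + k) % 8)) & 1
        z |= bit << i
    return z


T = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    """D = T C for one 4-byte column; every product is taken in GF(256)."""
    out = []
    for row in T:
        v = 0
        for t, c in zip(row, col):
            v ^= gf_mul(t, c)
        out.append(v)
    return out


def key_expansion(key: bytes):
    """w(0..43) for a 128-bit key: w(n) = w(n-4) xor w(n-1), with T' when 4 | n."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for n in range(4, 44):
        t = list(w[n - 1])
        if n % 4 == 0:
            t = t[1:] + t[:1]                 # cyclic shift (a,b,c,d) -> (b,c,d,a)
            t = [sbox(v) for v in t]          # S-box on each byte -> (e,f,g,h)
            r = 1
            for _ in range((n - 4) // 4):     # r(n) = 2^((n-4)/4) in GF(256)
                r = gf_mul(r, 2)
            t[0] ^= r                         # T'(w(n-1)) = (e + r(n), f, g, h)
        w.append([w[n - 4][k] ^ t[k] for k in range(4)])
    return w


def round_key(w, i: int) -> bytes:
    """Round key i = [w(4i) | w(4i+1) | w(4i+2) | w(4i+3)]."""
    return bytes(b for word in w[4 * i:4 * i + 4] for b in word)
```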
Decryption:
1. Inverse of ByteSubstitution: (one-to-one), another lookup table.
2. Inverse of ShiftRow: shifting rows to the right.
3. Inverse of MixColumn: the matrix is chosen invertible in GF(256).
4. AddRoundKey: the inverse is the same as itself.
Encryption/Decryption Steps (ISR, IBS, IMC denote the inverse layers; the keys $K'_i$ in the last column are derived below):
Encryption step (key) | Decryption step (key) | Decryption step, reordered (key) | Decryption step, final form (key)
ARK ($K_0$) | ARK, ISR, IBS ($K_{10}$) | ARK ($K_{10}$) | ARK ($K_{10}$)
BS, SR, MC, ARK ($K_1$) | ARK, IMC, ISR, IBS ($K_9$) | IBS, ISR, ARK, IMC ($K_9$) | IBS, ISR, IMC, ARK ($K'_9$)
... | ... | ... | ...
BS, SR, ARK ($K_{10}$) | ARK ($K_0$) | IBS, ISR, ARK ($K_0$) | IBS, ISR, ARK ($K_0$)
To write decryption so that it looks like encryption: BS and SR commute => IBS and ISR commute.
Also, applying MC then ARK to a matrix $C$: $C \xrightarrow{MC} TC \xrightarrow{ARK} E = TC + K$.
Now, applying IMC then ARK to $E$: $E \xrightarrow{IMC} T^{-1}E \xrightarrow{ARK} C = T^{-1}E + K'$.
Then $T^{-1}(TC + K) + K' = C$. Thus $K' = T^{-1}K$.
Thus, encryption and decryption can be performed using identical hardware (with different lookup tables, shift directions, and keys/key orders though).
Preliminaries to Public Key Encryption
Set: An arbitrary collection of elements. Sets can be finite or infinite.
Cardinality/Order: The number of objects contained in the set, $|S|$.
Group: A group is a set $G$ together with an operation $\cdot$ that satisfies:
1. Closure: $a \cdot b \in G$ if $a, b \in G$
2. Associativity: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all $a, b, c \in G$
3. Identity: there is a unique $e \in G$ with $a \cdot e = e \cdot a = a$ for all $a \in G$
4. Inverse: for every $a \in G$ there is a unique $a^{-1} \in G$ with $a \cdot a^{-1} = a^{-1} \cdot a = e$
A group is said to be commutative (abelian) if for all $a, b \in G$: $a \cdot b = b \cdot a$.
We are interested in finite groups.
Ex: The set of integers forms a group under + (addition).
The set of integers does NOT form a group under * (multiplication), because zero does not have an inverse.
Theorem: The equivalence classes $\{0, 1, 2, \ldots, m-1\}$ form a commutative group of order $m$ under modulo-$m$ integer addition for any positive integer $m$.
Proof: Verify that the conditions hold.
Remark: $\{0, 1, \ldots, m-1\}$ is not a group under modulo-$m$ multiplication (the inverse element does not exist).
Theorem: The set $S = \{1, 2, 3, \ldots, p-1\}$ forms an abelian group of order $p-1$ under modulo-$p$ multiplication if $p$ is a prime integer.
Proof: Commutativity/associativity/identity are easy to verify even if $p$ is not a prime. Closure/inverse are met only if $p$ is a prime.
If $p$ is not a prime, there exist $m, n \in S$ such that $1 < m, n < p$ and $mn \equiv 0 \bmod p$ (the closure is violated). If $p$ IS a prime, no two $a, b \in S$ exist so that $ab \equiv 0 \bmod p$.
To show the existence of the inverse, let $x$ be any arbitrary element in $S$. Verify that $\{x \cdot 1, x \cdot 2, \ldots, x \cdot (p-1)\}$ are all distinct: otherwise $(xy) \equiv (xz) \bmod p \Rightarrow x(y - z) \equiv 0 \bmod p$, which is impossible for a prime $p$. Thus $\{x \cdot 1, x \cdot 2, \ldots, x \cdot (p-1)\}$ are distinct. Hence, one of them must be equal to the identity, 1.
Subgroup: A subset $H$ of a group $G$ is called a subgroup if it has the following properties:
a) Closure
b) Identity
c) Inverses
Note that the other two properties of $G$ are naturally transferred to $H$.
Lecture 9 (2/8/08)
Order of a group element: Let $G$ be a group under $\cdot$ and $g \in G$; denote $g^2 \equiv g \cdot g$, $g^3 \equiv g \cdot g \cdot g$, and so on. The order of $g$ is the smallest positive integer, $\mathrm{ord}(g)$, such that $g^{\mathrm{ord}(g)} = e$ ($e$: identity of $G$).
Ex: $S = \{1, 2, 3, 4\}$ is a group under mod-5 multiplication. The identity is 1.
Element: 1 2 3 4
Order:   1 4 4 2
Remark: Let $G$ be a finite group and $a \in G$. Consider $\{a, a^2, a^3, \ldots, a^m, \ldots, a^n, \ldots\} \subseteq G$. Since the cardinality of the above set is at most $|G|$, $a^m = a^n$ for some $m$ and $n$ ($n > m$). Thus $e = (a^m)(a^m)^{-1} = a^n (a^m)^{-1} = a^{n-m}$, and for any finite group there always exists a finite order for each $a \in G$.
Remark: If $G$ is a group and $H \subseteq G$, then $H$ is called a subgroup of $G$ if $H$ is also a group under the same operation as $G$.
Lagrange Theorem: If $G$ is a finite group and $H$ is a subgroup of $G$, then $|H| \mid |G|$ ($|H|$ divides $|G|$).
Remark: Let $G$ be a finite group and let $a \in G$. Consider $\mathrm{ord}(a) = K$. Then $H = \{e, a, a^2, \ldots, a^{K-1}\}$, $H \subseteq G$ and $H$ is a subgroup of $G$. Since $|H| \mid |G|$, we conclude $K \mid |G|$, meaning that the order of any element in group $G$ must divide the order of the group, $|G|$.
Remark: Trivial subgroups of $G$ are $G$ and $\{e\}$.
If $p \mid xy$ then $p \mid x$ OR $p \mid y$ (for a prime $p$).
If $p \mid x$ and $q \mid x$ then $pq \mid x$ (for distinct primes $p, q$).
If $z \equiv x \bmod p$ and $z \equiv x \bmod q$ then $z \equiv x \bmod pq$.
Continued Fraction Expansion / Euclidean Algorithm
(Computing $\gcd(n, a)$ with $n > a > 0$)
Note that this can be used to test for the EXISTENCE of an inverse, because $\gcd(a, n) = 1$ is required for $a$ to have an inverse.
Consider $\gcd(a, b)$ where $a > b > 0$:
(1) $a = q_0 b + r_0$
(2) $b = q_1 r_0 + r_1$
(3) $r_0 = q_2 r_1 + r_2$
$\vdots$
$r_{n-2} = q_n r_{n-1} + r_n$, with $r_n = 0$
Note that $r_i < r_{i-1}$. Note that $a, b, q_i$ and $r_i$ are all positive integers.
Then $r_{n-1} = \gcd(r_{n-2}, r_{n-1}) = \gcd(r_{n-2}, r_{n-3}) = \cdots = \gcd(a, b)$.
Divide (1) by $b$:
$$\frac{a}{b} = q_0 + \frac{r_0}{b} = q_0 + \frac{1}{b / r_0} = q_0 + \frac{1}{q_1 + r_1/r_0} \ \text{(using (2))} = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2 + \cfrac{1}{\ddots + \cfrac{1}{q_n + 0}}}}$$
A simple continued fraction is an expression of the form above (CFE). We call the $q$'s the partial quotients of the CFE and we write it as $\langle q_0, q_1, \ldots, q_n \rangle$.
Consider $\langle q_0, q_1, \ldots, q_n \rangle$. We define $c_m = \langle q_0, \ldots, q_m \rangle$, where $m \le n$, as the $m$th convergent of the CFE.
Ex: 0th convergent $c_0 = \langle q_0 \rangle = q_0$; 1st convergent $c_1 = \langle q_0, q_1 \rangle = q_0 + 1/q_1$; $c_n = \langle q_0, q_1, \ldots, q_n \rangle = a/b$.
Theorem 1: Let $A_{-2} = 0$, $A_{-1} = 1$, $B_{-2} = 1$, $B_{-1} = 0$ and define
$A_{k+1} = q_{k+1} A_k + A_{k-1}$, $B_{k+1} = q_{k+1} B_k + B_{k-1}$ for $k = -1, 0, 1, 2, \ldots$
Then $c_m = \langle q_0, \ldots, q_m \rangle$ is the same as $A_m / B_m$. Note that $c_m$ is the CFE of some $(a, b)$.
Proof: By induction.
Theorem 2: $A_k B_{k-1} - B_k A_{k-1} = (-1)^{k+1}$
Proof: By induction.
Linear Diophantine Equation
(computing $a^{-1} \bmod n$)
$ax + by = c$ (*)
$5x - 3y = 1 \Rightarrow x = 2;\ y = 3$
$9x - 6y = 2 \Rightarrow$ since $\gcd(9, 6) = 3 \nmid 2$, no solution is possible.
Thus, a necessary condition for (*) to be solvable is that $\gcd(a, b) \mid c$.
Remark: An equation $4x - 6y = 8$ can be thought of as $(x)4 + (-y)6 = 8$ (all positive coefficients).
Given $ax + by = c$, let $d = \gcd(a, b)$:
$(a/d)x + (b/d)y = (c/d) \Rightarrow a'x + b'y = c'$ with $\gcd(a', b') = 1$.
$a'/b' = \langle q_0, q_1, \ldots, q_n \rangle$ can be found using the CFE, and $a'/b' = A_n / B_n$.
Let $A_i, B_i$ be generated per Theorem 1. Then $A_n = a/d$ and $B_n = b/d$, where $A_n B_{n-1} - B_n A_{n-1} = (-1)^{n-1}$ (Theorem 2). Thus
$$\frac{a}{d} B_{n-1} - \frac{b}{d} A_{n-1} = (-1)^{n-1}$$
$$a B_{n-1} - b A_{n-1} = d(-1)^{n-1}$$
$$a(-1)^{n-1} B_{n-1} + b(-1)^n A_{n-1} = d$$
Since $c' = c/d$:
$$a c'(-1)^{n-1} B_{n-1} + b c'(-1)^n A_{n-1} = c$$
Setting $x_0 = (-1)^{n-1} c' B_{n-1}$ and $y_0 = (-1)^n c' A_{n-1}$ gives one solution (this is called the Extended Euclidean Algorithm).
Note that if $ax_0 + by_0 = c = ax + by$, then
$$\frac{x - x_0}{y - y_0} = -\frac{b}{a} = -\frac{b/d}{a/d}.$$
Then the general solutions to (*) are
$x = x_0 - \frac{b}{d} t$, $y = y_0 + \frac{a}{d} t$ (where $t$ is an arbitrary integer).
This can be used to solve for the inverse of a number mod $n$ by observing that since $a a^{-1} \equiv 1 \bmod n$, then $a a^{-1} = kn + 1 \Rightarrow a(a^{-1}) + n(-k) = 1 \Rightarrow x = a^{-1}$ and $y = -k$.
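The CFE, its convergents (Theorem 1), the identity of Theorem 2, and the solution of $ax + by = c$ and of $a^{-1} \bmod n$ exactly as derived above, as an added example that is not part of the notes. The equations $5x - 3y = 1$ and $9x - 6y = 2$ are the ones in the notes; the other inputs are constructed.

```python
# Added example, not from the lecture notes: continued fraction expansion,
# convergents by the recurrence of Theorem 1, the check of Theorem 2, and the
# Extended Euclidean solution of a x + b y = c derived above.


def cfe(a: int, b: int):
    """Partial quotients <q0, q1, ..., qn> of a/b (b > 0) via Euclid's divisions."""
    q = []
    while b:
        q.append(a // b)
        a, b = b, a % b            # (r_{i-2}, r_{i-1}) -> (r_{i-1}, r_i)
    return q


def convergents(q):
    """Theorem 1: A_{-2}=0, A_{-1}=1, B_{-2}=1, B_{-1}=0 and
    A_{k+1} = q_{k+1} A_k + A_{k-1}, B_{k+1} = q_{k+1} B_k + B_{k-1}.
    Returns [(A_{-1},B_{-1}), (A_0,B_0), ..., (A_n,B_n)]."""
    A, B = [0, 1], [1, 0]
    for qk in q:
        A.append(qk * A[-1] + A[-2])
        B.append(qk * B[-1] + B[-2])
    return list(zip(A[1:], B[1:]))


def theorem2_holds(q) -> bool:
    """A_k B_{k-1} - B_k A_{k-1} = (-1)^(k+1) for every k = 0..n."""
    conv = convergents(q)          # conv[k+1] is (A_k, B_k)
    for k in range(len(q)):
        (Ak, Bk), (Ap, Bp) = conv[k + 1], conv[k]
        if Ak * Bp - Bk * Ap != (-1) ** (k + 1):
            return False
    return True


def solve_diophantine(a: int, b: int, c: int):
    """One solution (x0, y0, d) of a x + b y = c with d = gcd(a, b), or None
    when d does not divide c.  Signs of a, b are handled by solving for |a|, |b|."""
    sa, sb = (1 if a > 0 else -1), (1 if b > 0 else -1)
    a0, b0 = abs(a), abs(b)
    q = cfe(a0, b0)
    n = len(q) - 1
    conv = convergents(q)
    An, _ = conv[n + 1]            # A_n = a0/d
    Anm1, Bnm1 = conv[n]           # A_{n-1}, B_{n-1}
    d = a0 // An
    if c % d:
        return None
    cp = c // d
    x0 = (-1) ** ((n - 1) % 2) * cp * Bnm1
    y0 = (-1) ** (n % 2) * cp * Anm1
    return sa * x0, sb * y0, d


def general_solution(a: int, b: int, c: int, t: int):
    """x = x0 - (b/d) t, y = y0 + (a/d) t for an arbitrary integer t."""
    x0, y0, d = solve_diophantine(a, b, c)
    return x0 - (b // d) * t, y0 + (a // d) * t


def mod_inverse(a: int, n: int):
    """a^-1 mod n from a x + n y = 1, or None if gcd(a, n) != 1."""
    sol = solve_diophantine(a, n, 1)
    return None if sol is None else sol[0] % n
```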
System of Congruences
Theorem (a.k.a. Chinese Remainder Theorem (CRT)): Suppose $m_1, m_2, \ldots, m_r$ are relatively prime positive integers and suppose $a_1, a_2, \ldots, a_r$ are integers. Then the system of $r$ congruences
$x \equiv a_i \bmod m_i$ for $1 \le i \le r$
has a unique solution modulo $M = m_1 m_2 \cdots m_r$, which is given by
$$x \equiv \sum_{i=1}^{r} a_i M_i y_i \bmod M, \quad \text{where } M_i = \frac{M}{m_i} \text{ and } y_i \equiv M_i^{-1} \bmod m_i \text{ for } 1 \le i \le r.$$
Proof: Define $\chi: \mathbb{Z}_M \to \mathbb{Z}_{m_1} \times \mathbb{Z}_{m_2} \times \cdots \times \mathbb{Z}_{m_r}$ by $\chi(x) = (x \bmod m_1, x \bmod m_2, \ldots, x \bmod m_r)$ for $x \in \mathbb{Z}_M$. $|\text{Range}| = m_1 m_2 \cdots m_r = M = |\text{Domain}|$.
We need to prove that $\chi$ is bijective (one-to-one and onto) and find the inverse of $\chi$.
For $1 \le i \le r$: $M_i = M/m_i$ and $\gcd(M_i, m_i) = 1$. Define $y_i \equiv M_i^{-1} \bmod m_i$ ($y_i$ exists because $\gcd(M_i, m_i) = 1$). Thus $y_i M_i \equiv 1 \bmod m_i$.
Define $P: \mathbb{Z}_{m_1} \times \mathbb{Z}_{m_2} \times \cdots \times \mathbb{Z}_{m_r} \to \mathbb{Z}_M$,
$$P(a_1, a_2, \ldots, a_r) = \sum_{i=1}^{r} a_i M_i y_i \bmod M.$$
Show $P = \chi^{-1}$: Define $x = P(a_1, a_2, \ldots, a_r)$ and let $1 \le j \le r$. Then if $i = j$, $a_i M_i y_i \equiv a_i \bmod m_i$; if $i \ne j$, $a_i M_i y_i \equiv 0 \bmod m_j$ since $m_j \mid M_i$ for $i \ne j$. Thus
$$x \equiv \sum_{i=1}^{r} a_i M_i y_i \equiv a_j \bmod m_j \Rightarrow x \text{ is a solution.}$$
Now we need to show that $x$ is unique. The function $\chi$ is from a domain of cardinality $M$ to a range of cardinality $M$. By finding the solution $x$ for the system of $r$ congruences, we have shown that $\chi$ is surjective (onto). Since the domain and range have the same cardinality, $\chi$ must be injective. Therefore, $\chi$ is bijective.
Example: $r = 3$, $m_1 = 7$, $m_2 = 11$, $m_3 = 13$. Then $M = m_1 m_2 m_3 = 1001$.
Compute $M_1 = 143$, $M_2 = 91$, $M_3 = 77$. Then $y_1 = 5$, $y_2 = 4$, $y_3 = 12$.
$\chi^{-1}(a_1, a_2, a_3) = 715 a_1 + 364 a_2 + 924 a_3 \bmod 1001$
If $x \equiv 5 \bmod 7 \equiv 3 \bmod 11 \equiv 10 \bmod 13$, then $x = 715 \cdot 5 + 364 \cdot 3 + 924 \cdot 10 \bmod 1001 = 13907 \bmod 1001 = 894 \bmod 1001$.
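The CRT solver of the theorem ($M_i = M/m_i$, $y_i \equiv M_i^{-1} \bmod m_i$, $x \equiv \sum a_i M_i y_i$) together with the map $\chi$ of the proof, as an added example that is not part of the notes. The moduli 7, 11, 13 and residues 5, 3, 10 are the worked example above; the non-coprime moduli in the test are constructed.

```python
# Added example, not from the lecture notes: the Chinese Remainder Theorem
# solver exactly as stated above, plus the map chi from the proof.
from math import gcd, prod


def crt(residues, moduli):
    """Return (x, M) with x = a_i mod m_i for every i; moduli must be pairwise coprime."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli are not pairwise relatively prime")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)       # exists because gcd(M_i, m_i) = 1
        x += a_i * M_i * y_i
    return x % M, M


def crt_coefficients(moduli):
    """The constants M_i y_i of the inverse map P (715, 364, 924 for 7, 11, 13)."""
    M = prod(moduli)
    return [(M // m) * pow(M // m, -1, m) for m in moduli]


def chi(x: int, moduli):
    """chi(x) = (x mod m_1, ..., x mod m_r) from the proof."""
    return tuple(x % m for m in moduli)


def chi_is_bijective(moduli) -> bool:
    """Check the proof's claim on Z_M: distinct x give distinct residue tuples."""
    M = prod(moduli)
    return len({chi(x, moduli) for x in range(M)}) == M
```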
Lecture 10 (2/14/08)
$\mathbb{Z}_m^*$: It is clear that $\mathbb{Z}_m^*$ is a finite group of order $\phi(m)$, where $\phi(m)$ is Euler's phi function.
Claim: $\mathbb{Z}_m^*$ forms an abelian group under mod-$m$ multiplication.
Closure: $a \cdot b$ is relatively prime to $m$ whenever $a$ and $b$ are relatively prime to $m$.
Inverse: $r \cdot s \equiv 1 \bmod m$ can be solved for $s$ because $\gcd(r, m) = 1$: solve for $s$ and $y$ using the Diophantine equation, by noting that for some $y$, $r \cdot s = 1 + my \Rightarrow rs + m(-y) = 1$, which is solvable since $\gcd(r, m) = 1$.
Euler Theorem:
Primitive Roots: $g$ is a primitive root if $\mathbb{Z}_m^* = \langle g \rangle$ (i.e. $\mathrm{ord}(g) = \phi(m)$).
Example: Let $m = 7$, $g = 3$. Compute:
$g^1 \equiv 3 \bmod 7$
$g^2 \equiv 2 \bmod 7$
$g^3 \equiv 6 \bmod 7$
$g^4 \equiv 4 \bmod 7$
$g^5 \equiv 5 \bmod 7$
$g^6 \equiv 1 \bmod 7$
(then $\mathbb{Z}_7^* = \{1, 2, 3, 4, 5, 6\}$). Then $\mathbb{Z}_7^* = \langle 3 \rangle$.
Theorem: The only integers $m$ which can have primitive roots are $2, 4, p^n, 2p^n$, where $n$ is a positive integer and $p$ is any ODD PRIME.
Theorem: If $m$ has a primitive root, then it has $\phi(\phi(m))$ primitive roots.
Example: $m = 7$, $\phi(7) = 6$, $\phi(6) = 2$. There are only 2 primitive roots: 3, 5 ($3^6 = 5^6 = 1$).
Fermat Theorem:
Theorem: If $p$ is prime, then $\mathbb{Z}_p^*$ is a cyclic group.
Primitive Element: An element having order $p-1$ is called a primitive element modulo $p$ ($p$ is prime).
Note that $\alpha$ is a primitive element IFF $\{\alpha^i : i = 0, 1, \ldots, p-2\} = \mathbb{Z}_p^*$.
If $\alpha$ is a primitive element and $\beta \in \mathbb{Z}_p^*$, then $\beta = \alpha^i$ for some $0 \le i \le p-2$. It can be shown that
$$\mathrm{ord}(\beta) = \frac{p-1}{\gcd(p-1, i)}.$$
Thus $\beta$ is itself primitive iff $\gcd(p-1, i) = 1$. Therefore, the number of primitive elements in $\mathbb{Z}_p^*$ is $\phi(p-1)$ (b/c $\gcd(p-1, i) = 1$).
Public Key Cryptography
Design a cryptosystem where it is computationally infeasible to determine $d_k$ given $e_k$.
Everybody can send an encrypted message to Bob using $e_k(x)$. However, only Bob can decrypt the cipher using his secret decryption rule.
A public key system is like a trapdoor one-way function.
One-Way Function:
1) Encryption is very easy to compute
2) Hard to invert the function
There are several functions that are believed to be one-way. But we don't have any proof that a function is one-way.
RSA (1977): Rivest, Shamir, Adleman
Let $n = pq$, where $p$ and $q$ are primes. Let $P = C = \mathbb{Z}_n$.
Define $K = \{(n, p, q, a, b) : n = pq;\ p, q \text{ prime};\ ab \equiv 1 \bmod \phi(n)\}$
For $K = (n, p, q, a, b)$ define:
$y = e_k(x) \equiv x^b \bmod n$ (Encryption)
$x = d_k(y) \equiv y^a \bmod n$ (Decryption)
$b, n$: public | $p, q, a$: private
Verify decryption: $ab \equiv 1 \bmod \phi(n) \Rightarrow ab = t\phi(n) + 1$. Assume $x \in \mathbb{Z}_n^*$; then
$(x^b)^a \equiv x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t x \equiv 1^t x \equiv x \bmod n$ (1)
Since $p, q$ are prime: $\phi(n) = \phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$. Then
$(x^b)^a \equiv x^{t(p-1)(q-1)+1} \equiv x (x^{p-1})^{t(q-1)} \bmod p$
Using Fermat's Theorem: $x (1)^{t(q-1)} \equiv x \bmod p$.
By similar reasoning: $(x^b)^a \equiv x \bmod q$.
Since $(x^b)^a \equiv x \bmod p$ and $(x^b)^a \equiv x \bmod q$, then $(x^b)^a \equiv x \bmod n$.
Implementing RSA:
1. Bob generates two large primes: $p, q$
2. Bob computes $n = pq$ and $\phi(n) = (p-1)(q-1)$
3. Bob chooses a random $b$ ($1 < b < \phi(n)$) such that $\gcd(b, \phi(n)) = 1$
4. Bob computes $a \equiv b^{-1} \bmod \phi(n)$ using the EEA
5. Bob publishes $n$ and $b$ in a directory as his public key
It is obvious that if one can factor $n$, he/she can find $p, q \Rightarrow \phi(n) \Rightarrow a$, which is needed for decryption. It is conjectured that breaking RSA is polynomially equivalent to factoring $n$, but this remains unsolved.
Security: $n = pq$ must be VERY large. It must be computationally infeasible to factor $n$.
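RSA setup (steps 1-5), the encryption and decryption rules, and the repeated-squaring exponentiation whose cost is analyzed later in this lecture, as an added example that is not part of the notes. The primes 61, 53 and the exponent 17 are small constructed values for illustration only, not a usable key size.

```python
# Added example, not from the lecture notes: RSA key setup, e_k / d_k, and
# square-and-multiply (repeated squaring) for x^e mod n.
from math import gcd


def square_and_multiply(x: int, e: int, n: int) -> int:
    """x^e mod n with about log2(e) squarings and at most log2(e) multiplications."""
    result = 1
    x %= n
    while e > 0:
        if e & 1:
            result = result * x % n
        x = x * x % n
        e >>= 1
    return result


def rsa_keygen(p: int, q: int, b: int):
    """Steps 2-5: n = pq, phi(n) = (p-1)(q-1), require gcd(b, phi) = 1, a = b^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < b < phi or gcd(b, phi) != 1:
        raise ValueError("b must satisfy 1 < b < phi(n) and gcd(b, phi(n)) = 1")
    a = pow(b, -1, phi)                  # the EEA-based inverse
    return {"public": (n, b), "private": (n, a)}


def rsa_encrypt(public, x: int) -> int:
    """y = e_k(x) = x^b mod n."""
    n, b = public
    return square_and_multiply(x, b, n)


def rsa_decrypt(private, y: int) -> int:
    """x = d_k(y) = y^a mod n."""
    n, a = private
    return square_and_multiply(y, a, n)


# Constructed toy key: p = 61, q = 53, b = 17 (far too small for real use).
TOY_KEYS = rsa_keygen(61, 53, 17)
```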
Factorization:
With current factoring algorithms we are able to factor numbers having up to 130 decimal digits.
RSA of 512 bits in length => 154 decimal digits => does not offer good long-term security.
Computational Complexity:
Encryption: $x^b \bmod n$. Using repeated squaring: $O(k^2 l) \le O(k^3)$, where $k$: length($n$) and $l$: length($b$).
If we don't use the above algorithm then $(xy \bmod n)$ takes $O(k^2)$. Since we have to do this $b$ times and $b \approx 2^k \Rightarrow O(2^k k^2)$.
The most efficient hardware implementation of RSA achieves encryption rates of 600 kbit/s using 512 bits. Compared to 1 Gbit/s in DES => RSA is about 1500 times slower than DES. As a result, RSA is typically used to exchange AES keys. AES is then used to exchange messages.
Step 1: Will be discussed later.
Step 2: Order of complexity is $O((\log(n))^2) = O(k^2)$.
Steps 3 and 4: $\gcd(r_1, r_0) = ?$ Dividing $r_0$ by $r_1$ requires continued fraction expansion and has complexity $O((\log(r_0))^2)$. We need an upper bound on the number of CFE iterations, $s$, required to find a zero remainder.
Lamé's Theorem: If $s$ is the number of iterations, then $f_{s+2} < r_0$, where $f_i$ is the $i$th Fibonacci number ($f_{n+1} = f_n + f_{n-1}$).
Since
$$f_n = \frac{\varphi^n - \varphi'^n}{\sqrt{5}}, \quad \text{where } \varphi = \frac{1 + \sqrt{5}}{2} \text{ and } \varphi' = \frac{1 - \sqrt{5}}{2},$$
=> $s = O(\log(r_0))$.
Therefore, Euclid's Algorithm has complexity $O((\log(n))^3)$. In practice, it is only $O((\log(n))^2)$.
Probabilistic Primality Testing
To set up RSA, we need to generate large random primes. In practice we generate large random numbers and then test them for primality using a probabilistic poly-time Monte Carlo method, such as the Solovay-Strassen or Miller-Rabin algorithms.
An integer $n$ can be tested in time that is polynomial in $\log_2 n$, but the algorithm may claim that the number is prime when it is not. However, by running the algorithm enough times, the error probability can be reduced below any desired threshold.
How many random integers (of a specific size) will be required to be tested until we find one that is prime?
The number of primes not exceeding $N$ is approximately $\frac{N}{\ln N}$. If $p$ is chosen at random from $N$ numbers, the probability that it is prime is $\frac{1}{\ln p}$.
For a 512-bit RSA case ($n \approx 2^{512}$), the primes are about $2^{256}$, so $\frac{1}{\ln p} \approx \frac{1}{177}$ (or $\frac{2}{177}$ if we test only odd integers). Therefore, RSA setup is practical.
A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is (always) correct, but a "no" answer may be incorrect. We say that a yes-biased Monte Carlo algorithm has error probability equal to $\epsilon$ if, for any instance in which the answer is "yes", the algorithm will give the incorrect answer "no" with probability at most $\epsilon$:
$\Pr(\text{output} = \text{No} \mid \text{correct output} = \text{Yes}) \le \epsilon$
Suppose $p$ is an odd prime and $x$ is an integer, $1 \le x \le p-1$.
$x$ is defined to be a quadratic residue modulo $p$ ($QR_p$) if $y^2 \equiv x \bmod p$ has a solution $y \in \mathbb{Z}_p$.
$x$ is defined to be a quadratic non-residue modulo $p$ ($QN_p$) if $x \not\equiv 0 \bmod p$ and $x$ is not a quadratic residue modulo $p$.
Ex: The quadratic residues modulo 11 are $\{1, 3, 4, 5, 9\}$: $(\pm 1)^2 = 1$, $(\pm 5)^2 = 3$, $(\pm 2)^2 = 4$, $(\pm 4)^2 = 5$, $(\pm 3)^2 = 9$.
Remark: $\mathbb{Z}_p^* = QR_p \cup QN_p$, where $QR_p$: quadratic residues, $QN_p$: quadratic non-residues.
Is it true that $\mathbb{Z}_p = \mathbb{Z}_p^*$?
Lecture 11 (2/18/08)
Note that $QR_m$ is a group:
Identity: $1 \in QR_m$.
Closure: if $a, b \in QR_m$ then $ab \in QR_m$, because $x_1^2 \equiv a \bmod m$ and $x_2^2 \equiv b \bmod m$ give $(x_1 x_2)^2 \equiv ab \bmod m$.
Inverse: Let $ab \equiv 1 \bmod m$ with $x_1^2 \equiv a \bmod m$, and let $x_1 x_2 \equiv 1 \bmod m$. Then $x_2^2 \equiv a^{-1} \equiv b \bmod m$; therefore $b \in QR_m$.
Euler's Criterion: $a \in QR_p$ IFF $a^{(p-1)/2} \equiv 1 \bmod p$.
Proof: If $a \in QR_p$, then $a \equiv x^2 \bmod p$ for some $x$ and $a^{(p-1)/2} \equiv (x^2)^{(p-1)/2} = x^{p-1} \equiv 1 \bmod p$.
Now assume $a^{(p-1)/2} \equiv 1 \bmod p$. Let $g$ be a primitive root of $p$. There must exist some $i$ such that $g^i \equiv a \bmod p$. Then $(g^i)^{(p-1)/2} \equiv a^{(p-1)/2} \equiv 1 \bmod p$.
If $i$ is NOT EVEN, then $i = 2k + 1$ and $i \cdot \frac{p-1}{2} = k(p-1) + \frac{p-1}{2}$, and as a result
$$(g^i)^{(p-1)/2} = (g^k)^{(p-1)} g^{(p-1)/2} \equiv g^{(p-1)/2} \equiv 1 \bmod p.$$
But $g$ has order $p-1$, therefore this is a contradiction and $i$ MUST BE EVEN ($i = 2k$).
Since $g^i = g^{2k} = (g^k)^2$, this means that $a \equiv (g^k)^2 \bmod p$, i.e. $a \in QR_p$.
Legendre Symbols
For any integer $a \ge 0$ and odd prime $p$, we say that $\left(\frac{a}{p}\right)$ (the Legendre symbol) is
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ 1 & \text{if } a \in QR_p \\ -1 & \text{if } a \in QN_p \end{cases}$$
Theorem: Let $p$ be an ODD prime. Then $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \bmod p$.
Proof: If $p \mid a$ then $a^{(p-1)/2} \equiv 0 \bmod p$ and $(a/p) = 0$.
If $a \in QR_p$, then $a^{(p-1)/2} \equiv 1 \bmod p$ by Euler's Criterion.
If $a \in QN_p$, then $a^{(p-1)/2} \equiv -1 \bmod p$. This is true because $a^{p-1} \equiv 1 \bmod p$ (by Fermat), so $a^{(p-1)/2}$ is a square root of 1 and, not being 1 (Euler's Criterion), has order two. We know that $-1$ is one solution because $(-1)^2 \equiv 1 \bmod p$. We also know that the number of elements of order two is equal to $\phi(2)$. But $\phi(2) = 1$. Thus $-1$ is the only solution, and $a^{(p-1)/2} \equiv -1 \bmod p$.
Properties of the Legendre Symbol:
1) $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2} = \begin{cases} 1 & \text{if } p \equiv 1 \bmod 4 \\ -1 & \text{if } p \equiv 3 \bmod 4 \end{cases}$
2) $\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right)$
3) $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$ if $a \equiv b \bmod p$
4) $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8} = \begin{cases} 1 & \text{if } p \equiv \pm 1 \bmod 8 \\ -1 & \text{if } p \equiv \pm 3 \bmod 8 \end{cases}$
5) $\left(\frac{t^2}{p}\right) = 1$ if $p$ does NOT divide $t$
6) $\left(\frac{q}{p}\right)\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}$ for ODD primes $p$ and $q$ (Law of Quadratic Reciprocity)
Remark: For a primitive root $g$ of $p$: $QR_p = \{g^{2i} : i = 1, 2, \ldots, (p-1)/2\}$, $QN_p = \{g^{2i-1} : i = 1, 2, \ldots, (p-1)/2\}$, and $|QR_p| = |QN_p| = (p-1)/2$.
Jacobi Symbols
$$\left(\frac{P}{Q}\right) = \prod_{i=1}^{k} \left(\frac{P}{q_i}\right), \quad \text{where } Q = \prod_{i=1}^{k} q_i, \text{ the } q_i \text{ are distinct primes, and } \left(\frac{P}{q_i}\right) \text{ is the Legendre symbol.}$$
Note: If $Q$ is a prime, then the Jacobi symbol is the same as the Legendre symbol.
Rules of the Jacobi Symbol (the same as for Legendre, without the $\left(\frac{t^2}{p}\right)$ rule):
1) $\left(\frac{-1}{Q}\right) = (-1)^{(Q-1)/2}$
2) $\left(\frac{P_1}{Q}\right)\left(\frac{P_2}{Q}\right) = \left(\frac{P_1 P_2}{Q}\right)$
3) $\left(\frac{P_1}{Q}\right) = \left(\frac{P_2}{Q}\right)$ if $P_1 \equiv P_2 \bmod Q$
4) $\left(\frac{2}{Q}\right) = (-1)^{(Q^2-1)/8} = \begin{cases} 1 & \text{if } Q \equiv \pm 1 \bmod 8 \\ -1 & \text{if } Q \equiv \pm 3 \bmod 8 \end{cases}$
5) $\left(\frac{P}{Q}\right)\left(\frac{Q}{P}\right) = (-1)^{\frac{P-1}{2}\cdot\frac{Q-1}{2}}$ for ODD $P$
Remark / Example: Take $Q = P_1 P_2$ where $P_1$ and $P_2$ are primes. Take a number $a$ such that $\left(\frac{a}{P_1}\right) = -1$ and $\left(\frac{a}{P_2}\right) = -1$. Then $x^2 \equiv a \bmod P_1$ does not have any solution for $x$. If $x^2 \equiv a \bmod Q$ had a solution, then $x^2 \equiv a \bmod P_1$ and $x^2 \equiv a \bmod P_2$ would both have solutions. But
$$\left(\frac{a}{Q}\right) = \left(\frac{a}{P_1}\right)\left(\frac{a}{P_2}\right) = (-1)(-1) = 1,$$
so a Jacobi symbol equal to 1 does not imply that $a$ is a quadratic residue modulo a composite $Q$.
Examples: Evaluate $\left(\frac{319}{1031}\right)$.
Brute force: compute $319^{(1031-1)/2} \bmod 1031$.
Legendre: $\left(\frac{319}{1031}\right) = \left(\frac{11}{1031}\right)\left(\frac{29}{1031}\right)$ (by 2), and by reciprocity (6) and reduction (3):
$\left(\frac{11}{1031}\right) = -\left(\frac{1031}{11}\right) = -\left(\frac{8}{11}\right)$, $\quad \left(\frac{29}{1031}\right) = \left(\frac{1031}{29}\right) = \left(\frac{16}{29}\right)$.
$\left(\frac{16}{29}\right) = 1$ by 5 ($t^2$ rule), and $\left(\frac{8}{11}\right) = \left(\frac{2}{11}\right)^3 = \left(\frac{2}{11}\right) = -1$ by 4 (since $11 \equiv 3 \bmod 8$).
Thus $\left(\frac{319}{1031}\right) = (-(-1))(1) = 1$.
Jacobi (no factoring of 319 needed):
$\left(\frac{319}{1031}\right) = -\left(\frac{1031}{319}\right)$ (by 5: both $\equiv 3 \bmod 4$) $= -\left(\frac{74}{319}\right)$ (by 3) $= -\left(\frac{2}{319}\right)\left(\frac{37}{319}\right)$ (by 2) $= -\left(\frac{37}{319}\right)$ (by 4: $319 \equiv 7 \bmod 8$) $= -\left(\frac{319}{37}\right)$ (by 5) $= -\left(\frac{23}{37}\right)$ (by 3) $= -\left(\frac{37}{23}\right)$ (by 5) $= -\left(\frac{14}{23}\right)$ (by 3) $= -\left(\frac{2}{23}\right)\left(\frac{7}{23}\right)$ (by 2) $= -\left(\frac{7}{23}\right)$ (by 4) $= \left(\frac{23}{7}\right)$ (by 5) $= \left(\frac{2}{7}\right)$ (by 3) $= 1$ (by 4).
Probabilistic Primality Testing
Base-$b$ Pseudoprime ($b$-psp): A composite (not a prime) number $N$ such that $\gcd(b, N) = 1$ and $b^{N-1} \equiv 1 \bmod N$.
If $p$ is a prime and $p$ does NOT divide $a$, then $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \bmod p$. If $N$ is composite, it may or may not be true that $\left(\frac{b}{N}\right) \equiv b^{(N-1)/2} \bmod N$.
Euler Base-$b$ Pseudoprime ($b$-epsp): A composite $N$ such that $\gcd(b, N) = 1$ and $\left(\frac{b}{N}\right) \equiv b^{(N-1)/2} \bmod N$. {Less than $\frac{1}{2}$ of the $b < N-1$ make $N$ a $b$-epsp.}
Theorem: If $N$ is any odd composite integer, there must exist some $b$ such that $\gcd(b, N) = 1$ and $N$ is not a $b$-epsp (i.e. $\left(\frac{b}{N}\right) \not\equiv b^{(N-1)/2} \bmod N$).
Proof: Suppose $N$ is an odd composite integer such that $N$ is a $b$-epsp for all $b$ with $\gcd(b, N) = 1$. (We will show that this is impossible!)
Let $p$ be any prime such that $p \mid N$. Let $p^\alpha \mid N$ but $p^{\alpha+1} \nmid N$ ($\alpha$ is the largest integer for which $p^\alpha \mid N$).
We can select a value for $b$ such that
$b \equiv 1 \bmod N/p^\alpha$ and $b \equiv g \bmod p^\alpha$, (1)
where $g$ is a primitive root of $p^\alpha$. The solution for $b \in \mathbb{Z}_N$ exists because $\gcd(N/p^\alpha, p^\alpha) = 1$ and the Chinese Remainder Theorem.
Since $N$ is a $b$-epsp, $\left(\frac{b}{N}\right) \equiv b^{(N-1)/2} \bmod N$. Note that $\left(\frac{b}{N}\right) \equiv 0 \bmod N$ if and only if $\gcd(b, N) \ne 1$, so here $\left(\frac{b}{N}\right) = \pm 1$ and squaring gives $b^{N-1} \equiv 1 \bmod N$.
Replacing from (1): $g^{N-1} \equiv 1 \bmod p^\alpha$. This implies that $\phi(p^\alpha) \mid (N-1)$ (because $g$ generates $\mathbb{Z}_{p^\alpha}^* = \langle g \rangle$ and so has order $\phi(p^\alpha)$).
Since $\phi(p^\alpha) = p^{\alpha-1}(p-1)$, then $p^{\alpha-1}(p-1) \mid (N-1)$, so $p^{\alpha-1} \mid (N-1)$ and $(p-1) \mid (N-1)$.
Since $p$ (odd) divides $N$, it cannot divide $N - 1$; then $\alpha = 1$, which means that $N$ does not have any square factor. In other words, $N$ is the product of distinct primes.
Lecture 12 (2/22/08)
Let $N = rs$, where $r$ and $s$ are distinct primes ($\gcd(r, s) = 1$).
Select any $K$ such that $\left(\frac{K}{r}\right) = -1$. Select $b$ such that $b \equiv K \bmod r$ and $b \equiv 1 \bmod s$. Again, by the Chinese Remainder Theorem, a solution for $b \in \mathbb{Z}_N^*$ (i.e. $\gcd(b, N) = 1$) exists because $\gcd(r, s) = 1$.
Then
$$\left(\frac{b}{N}\right) = \left(\frac{b}{rs}\right) = \left(\frac{b}{r}\right)\left(\frac{b}{s}\right) = \left(\frac{K}{r}\right)\left(\frac{1}{s}\right) = (-1)(1) = -1.$$
Thus, if $\left(\frac{b}{N}\right) \equiv b^{(N-1)/2} \bmod N$, then $b^{(N-1)/2} \equiv -1 \bmod N$ and hence $b^{(N-1)/2} \equiv -1 \bmod s$, which is a contradiction because $b \equiv 1 \bmod s$ gives $b^{(N-1)/2} \equiv 1 \bmod s$.
Therefore, we find $b$ such that $\gcd(b, N) = 1$ and $\left(\frac{b}{N}\right) \not\equiv b^{(N-1)/2} \bmod N$.
Now we show that if we select a base $b$ with $\gcd(b, N) = 1$ at random, the probability that $N$ is a $b$-epsp is less than or equal to $\frac{1}{2}$.
Claim: Let $N$ be an odd composite. Consider the subset $G$ of $\mathbb{Z}_N^*$ defined by $G = \{[b] : \left(\frac{b}{N}\right) \equiv b^{(N-1)/2} \bmod N\}$. Then $G$ is a subgroup of $\mathbb{Z}_N^*$ and $G \ne \mathbb{Z}_N^*$.
Proof: As an exercise, show that $G$ is a subgroup of $\mathbb{Z}_N^*$. Then it is clear that $G \ne \mathbb{Z}_N^*$ (because by the previous theorem we find some $b \in \mathbb{Z}_N^*$ with $\left(\frac{b}{N}\right) \not\equiv b^{(N-1)/2} \bmod N$). Thus $|G| < |\mathbb{Z}_N^*|$.
By Lagrange's Theorem, we know that $|G|$ divides $|\mathbb{Z}_N^*|$. Thus $|G| \le \frac{1}{2}|\mathbb{Z}_N^*|$.
This proves that the probability that $N$ is a $b$-epsp for a random $b$ with $\gcd(b, N) = 1$ is less than or equal to $\frac{1}{2}$.
Solovay-Strassen ($b$-epsp Test)
(Composite test for odd integer $n$)
1. Choose a random integer $b$, $1 \le b \le n$
2. If $\gcd(b, n) \ne 1$ then COMPOSITE (YES)
3. If $\left(\frac{b}{n}\right) \equiv b^{(n-1)/2} \bmod n$ then PRIME (NO), otherwise COMPOSITE (YES)
Note: The algorithm is yes-biased because the "Yes" is always correct. The error probability that $n$ is composite but this is not detected is AT MOST $\frac{1}{2}$.
We can evaluate the Jacobi symbol $\left(\frac{a}{n}\right)$ and $a^{(n-1)/2} \bmod n$ without any need for the factorization of $n$, using number-theory results, in polynomial time. The only arithmetic operations are modular reduction and factoring out powers of two. Nominally $O((\log n)^3)$ (actually $O((\log n)^2)$) to compute the Jacobi symbol.
Suppose we have generated a random number $n$ and tested it using the Solovay-Strassen algorithm. If we have run the algorithm $m$ times, what is our confidence that $n$ is prime? (It is not $1 - 2^{-m}$.)
Events: a) A random odd integer $n$ of a specified size is composite.
b) The algorithm answers "$n$ is prime" $m$ times in succession.
We need to find $\Pr(a \mid b)$, not $\Pr(b \mid a)$. Note that $\Pr(b \mid a) \le 1/2^m$.
$$\Pr(a \mid b) = \frac{\Pr(b \mid a)\Pr(a)}{\Pr(b)}$$
There are $N/2 \approx n/2$ odd integers between $N$ and $2N$, and about $\frac{2N}{\ln 2N} - \frac{N}{\ln N} \approx \frac{N}{\ln N} \approx \frac{n}{\ln n}$ primes among them, so
$$\Pr(\bar{a}) = \Pr(\text{odd prime}) \approx \frac{n/\ln n}{n/2} = \frac{2}{\ln n}, \qquad \Pr(a) = 1 - \frac{2}{\ln n}, \qquad \Pr(b \mid \bar{a}) = 1.$$
Total probability: $\Pr(b) = \Pr(b \mid a)\Pr(a) + \Pr(b \mid \bar{a})\Pr(\bar{a}) = \Pr(b \mid a)\left(1 - \frac{2}{\ln n}\right) + \frac{2}{\ln n}$, hence
$$\Pr(a \mid b) = \frac{\Pr(b \mid a)\left(1 - \frac{2}{\ln n}\right)}{\Pr(b \mid a)\left(1 - \frac{2}{\ln n}\right) + \frac{2}{\ln n}}.$$
Since $\Pr(b \mid a) \le 2^{-m}$:
$$\Pr(a \mid b) \le \frac{2^{-m}(\ln n - 2)}{2^{-m}(\ln n - 2) + 2} = \frac{\ln n - 2}{\ln n - 2 + 2^{m+1}}.$$
For $n = 2^{256}$, $\Pr(a \mid b)$ and $2^{-m}$ have been compared. In practice $m \approx 50$-$100$ reduces the probability of error to a very small quantity, $10^{-13}$ to $10^{-28}$.
Remarks:
Suppose $p$ is an odd prime and hence $p = 2^s t + 1$ where $t$ is odd and $s \ge 1$.
Claim: For any $a$ where $p$ does not divide $a$, we have EITHER $a^t \equiv 1 \bmod p$ OR $a^{2^r t} \equiv -1 \bmod p$ for some $0 \le r \le s-1$.
Proof: $a^{p-1} - 1 \equiv 0 \bmod p$, and since $p - 1 = 2^s t$:
$$a^{2^s t} - 1 = \left(a^{2^{s-1}t} - 1\right)\left(a^{2^{s-1}t} + 1\right) = \left(a^{2^{s-2}t} - 1\right)\left(a^{2^{s-2}t} + 1\right)\left(a^{2^{s-1}t} + 1\right) = \cdots = \left(a^t - 1\right)\left(a^t + 1\right)\left(a^{2t} + 1\right)\cdots\left(a^{2^{s-1}t} + 1\right) \equiv 0 \bmod p.$$
Thus either $a^t \equiv 1 \bmod p$ or $a^{2^r t} \equiv -1 \bmod p$ for some $0 \le r \le s-1$.
Strong Pseudoprime ($b$-spsp): Let $N$ be an odd composite integer, that is $N = 1 + 2^s t$ where 2 does not divide $t$ ($t$ is odd). $N$ is a base-$b$ strong pseudoprime ($b$-spsp) if either $b^t \equiv 1 \bmod N$ or $b^{2^r t} \equiv -1 \bmod N$ for some $0 \le r \le s-1$.
Remark:
Theorem: Let $G = \{b : N \text{ is a } b\text{-spsp}\}$. Then $|G| \le \frac{1}{4}|\mathbb{Z}_N^*|$.
Remark: The above theorem implies that if we select a base $b$ at random, the probability that any odd composite integer is a $b$-spsp is less than or equal to $\frac{1}{4}$. In other words, if $N$ is an odd composite integer, then $N$ is a $b$-spsp for at most 25% of all $1 \le b \le N-1$.
Miller-Rabin ($b$-spsp Test)
(Composite test for odd integer $n$)
1. Write $n - 1 = 2^k m$ where $m$ is odd
2. Choose a random integer $a$, $1 \le a \le n-1$
3. If $\gcd(n, a) \ne 1$ then COMPOSITE (YES)
4. Compute $b \equiv a^m \bmod n$
5. If $b \equiv 1 \bmod n$ then PRIME (NO)
6. For $i = 0, \ldots, k-1$: if $b \equiv -1 \bmod n$ then PRIME (NO), else $b \equiv b^2 \bmod n$
7. Return COMPOSITE (YES)
Note: The algorithm is yes-biased because if the algorithm outputs "$n$ is composite", this answer is certainly correct. If it answers "$n$ is prime", it may or may not be the correct answer (i.e. $n$ might be a composite that is a $b$-spsp instead of a prime).
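The Jacobi symbol computed with rules 1-5 (no factoring), the Legendre symbol via Euler's criterion, and one round each of Solovay-Strassen and Miller-Rabin exactly as listed above, as an added example that is not part of the notes; it also reproduces the $\left(\frac{319}{1031}\right)$ example and the $Q = P_1 P_2$ remark of the Jacobi section. The base-2 pseudoprimes 341 and 2047 and the Carmichael number 561 are constructed check values.

```python
# Added example, not from the lecture notes: Jacobi/Legendre symbols and one
# round of the Solovay-Strassen and Miller-Rabin tests as written above.
from math import gcd
import random


def jacobi(P: int, Q: int) -> int:
    """(P/Q) for odd Q > 0 using only reduction mod Q, factoring out 2s, and reciprocity."""
    if Q <= 0 or Q % 2 == 0:
        raise ValueError("Q must be a positive odd integer")
    P %= Q                                  # rule 3
    result = 1
    while P:
        while P % 2 == 0:                   # rule 4: (2/Q) = -1 iff Q = +-3 mod 8
            P //= 2
            if Q % 8 in (3, 5):
                result = -result
        P, Q = Q, P                         # rule 5: flip; sign changes iff both = 3 mod 4
        if P % 4 == 3 and Q % 4 == 3:
            result = -result
        P %= Q
    return result if Q == 1 else 0          # Q > 1 here means gcd(P, Q) > 1


def legendre(a: int, p: int) -> int:
    """(a/p) = a^((p-1)/2) mod p for an odd prime p (Euler's criterion)."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def solovay_strassen_round(n: int, b: int) -> str:
    """One round with base b: 'composite' is always right; 'prime' is wrong with prob <= 1/2."""
    if gcd(b, n) != 1:
        return "composite"
    return "prime" if jacobi(b, n) % n == pow(b, (n - 1) // 2, n) else "composite"


def miller_rabin_round(n: int, a: int) -> str:
    """One round with base a: 'composite' is always right; 'prime' is wrong with prob <= 1/4."""
    if gcd(a, n) != 1:
        return "composite"
    k, m = 0, n - 1
    while m % 2 == 0:                       # n - 1 = 2^k m with m odd
        k += 1
        m //= 2
    b = pow(a, m, n)
    if b == 1:
        return "prime"
    for _ in range(k):
        if b == n - 1:
            return "prime"
        b = b * b % n
    return "composite"


def is_probable_prime(n: int, rounds: int = 50, rng=random) -> bool:
    """Miller-Rabin with random bases; a composite n slips through with prob <= 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, rng.randrange(1, n)) == "prime" for _ in range(rounds))
```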
Square Roots Modulo $n$
Let $p$ be an odd prime and $a$ an integer such that $\gcd(a, p) = 1$.
Fact: The congruence $x^2 \equiv a \bmod p$ has either no solutions or it has two distinct solutions.
Proof: To have a solution, we should have $a \in QR_p$. Note that $\mathbb{Z}_p$ is a field. By the Fundamental Theorem of Algebra, $x^2 - a = 0$ has at most two distinct solutions in any field. We know that if $x$ is a solution to $x^2 \equiv a \bmod p$ then $-x$ is also a solution. $x$ and $-x$ are incongruent because if $x \equiv -x \bmod p$ then $2x \equiv 0 \bmod p$, so $p \mid 2x$; but $\gcd(p, 2) = 1$, therefore $p \mid x$, which is impossible. Thus $x$ and $-x$ are two distinct solutions of $x^2 \equiv a \bmod p$ if $a \in QR_p$.
Fact: Let $p$ be an odd prime such that $\gcd(p, a) = 1$. Let $\alpha$ be a positive integer. Then $y^2 \equiv a \bmod p^\alpha$ has no solution if $(a/p) = -1$ ($a \in QN_p$) and two solutions if $(a/p) = 1$ ($a \in QR_p$).
Proof: (Exactly the same as the last proof.)
Fact: $x^2 \equiv 1 \bmod p$ where $p$ is a prime: $x = \pm 1$ are the only two distinct solutions. Note that $x = -1 = p - 1 \bmod p$.
Theorem: Let $n$ be an odd integer, $n = \prod_{i=1}^{k} p_i^{e_i}$, where the $p_i$ are prime and $\gcd(a, n) = 1$. Then the
Lecture 13 (2/27/08)
Example: $x^2 \equiv 1 \bmod n$ where $n = pq$.
$x^2 \equiv 1 \bmod n \Rightarrow x^2 \equiv 1 \bmod p \Rightarrow x \equiv \pm 1 \bmod p$, and $x^2 \equiv 1 \bmod q \Rightarrow x \equiv \pm 1 \bmod q$.
This gives us four solutions for $x$ by the Chinese Remainder Theorem (CRT):
$x \equiv 1 \bmod p,\ x \equiv 1 \bmod q$
$x \equiv 1 \bmod p,\ x \equiv -1 \bmod q$
$x \equiv -1 \bmod p,\ x \equiv 1 \bmod q$
$x \equiv -1 \bmod p,\ x \equiv -1 \bmod q$
Two of the solutions are trivial: $x \equiv \pm 1 \bmod n$. The other two solutions are nontrivial. They are distinct (incongruent) and negatives of each other modulo $n$.
Fact: Let $n = pq$ (where $p$ and $q$ are distinct primes). Then knowledge of a nontrivial square root of 1 mod $n$ yields the factorization of $n$ with polynomial-time computation.
Proof: Let $x_1$ be a nontrivial solution to $x^2 \equiv 1 \bmod n$. Then $x_1^2 - 1 \equiv 0 \bmod n$ implies that $n \mid (x_1 - 1)(x_1 + 1)$. Since $x_1 \not\equiv \pm 1 \bmod n$ (it is nontrivial by assumption), $n$ does NOT divide $(x_1 - 1)$ OR $(x_1 + 1)$. Thus $pq \mid (x_1 - 1)(x_1 + 1)$ implies either $\{p \mid (x_1 - 1)$ and $q \mid (x_1 + 1)\}$ or $\{q \mid (x_1 - 1)$ and $p \mid (x_1 + 1)\}$.
If $p \mid (x_1 - 1)$ then $\gcd(n, x_1 - 1) = p$ (because $p \mid n$), OR if $q \mid (x_1 - 1)$ then $\gcd(n, x_1 - 1) = q$ (because $q \mid n$). Thus either $p$ or $q$ can be found by the EEA, which computes $\gcd(n, x_1 - 1)$ in $O((\log n)^3)$.
Attacks on RSA
Computing $\phi(n)$: Note that knowing $\phi(n)$, the adversary can find $p, q$: $n = pq$ and $\phi(n) = (p-1)(q-1)$. Then $p^2 - (n - \phi(n) + 1)p + n = 0$; solve for $p$.
Computing $\phi(n)$ (without knowledge of $p$ and $q$) is no easier than factoring $n$.
Breaking by knowing the decryption exponent: We show that if the decryption exponent $a$ is revealed, then $n$ can be factorized (note that it will not be sufficient for Bob to just change the exponent. He must use a new $n$ to secure the system).
The algorithm we use to factorize $n$, given that the decryption exponent is available, is called a Las Vegas algorithm.
Las Vegas Algorithm: A probabilistic algorithm such that, for any instance $I$, the algorithm may fail to give an answer with probability at most $\epsilon$ (i.e. it can terminate with the message "no answer"). However, if the algorithm returns an answer then the answer must be correct.
If we have a Las Vegas algorithm to solve a problem, we simply run the algorithm over and over to get an answer. The probability that the algorithm returns "no answer" $m$ times in succession is $\epsilon^m$. In homework, you will show that the average number of times the algorithm must be run in order to obtain an answer is $\frac{1}{1 - \epsilon}$.
We show that the Las Vegas algorithm (that has access to $n, a, b$) can factor $n$ with probability at least 0.5. If the algorithm is run $m$ times, then $n$ will be factored with probability at least $1 - \frac{1}{2^m}$.
RSAFactor($n, a, b$):
Comment: assume $ab \equiv 1 \bmod \phi(n)$
1. Choose $w$ at random such that $1 \le w \le n-1$
2. Compute $x = \gcd(w, n)$; if $1 < x < n$ then return $x$ (Success: $x = p$)
3. Write $ab - 1 = 2^s r$ with $r$ odd
4. $v \equiv w^r \bmod n$
5. If $v \equiv 1 \bmod n$ return Failure ($n$ is a $w$-spsp)
6. While $v \not\equiv 1 \bmod n$: $v_0 = v$; $v \equiv v^2 \bmod n$ (the bound below ensures the while loop will end eventually)
7. If $v_0 \equiv -1 \bmod n$ return Failure ($n$ is a $w$-spsp)
8. Compute $x = \gcd(v_0 + 1, n)$; return $x$ (Success: $x = p$)
First we note that the algorithm will terminate the loop after at most $s$ iterations. This is because $w^{\phi(n)} \equiv 1 \bmod n$ for $w \in \mathbb{Z}_n^*$, and $ab - 1 = 2^s r \equiv 0 \bmod \phi(n) \Rightarrow 2^s r = d\phi(n)$. Then $w^{2^s r} = w^{d\phi(n)} \bmod n \equiv (w^{\phi(n)})^d \bmod n \equiv 1^d \equiv 1 \bmod n$.
Now, we note that if the algorithm finishes the loop after $s$ iterations (it doesn't quit the loop in fewer than $s$ iterations), we have a value $v_0$ such that $v_0^2 \equiv 1 \bmod n$ but $v_0 \not\equiv \pm 1 \bmod n \Rightarrow \gcd(v_0 + 1, n) = p$.
Note that the algorithm returns Failure if:
1. $w^r \equiv 1 \bmod n$, OR
2. $w^{2^t r} \equiv -1 \bmod n$ for some $0 \le t \le s-1$ ($n$ is shown to be a $w$-spsp).
It can be shown that the algorithm succeeds with probability at least $\frac{1}{2}$ (i.e. the failure probability is at most $\frac{1}{2}$; note that the probability that an odd composite integer $n$ is a $w$-spsp for a random $w$ is less than or equal to $\frac{1}{4}$).
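RSAFactor($n, a, b$) as written above, together with the recovery of $p, q$ from $\phi(n)$ via the quadratic in the "Computing $\phi(n)$" paragraph, as an added example that is not part of the notes. It is the check a key owner would run to confirm that a leaked private exponent really does expose the modulus, so that $n$ (not just the exponent) gets replaced. The key $n = 3233 = 61 \cdot 53$, $b = 17$, $a = 2753$ is a small constructed value.

```python
# Added example, not from the lecture notes: factoring n from phi(n) and the
# Las Vegas algorithm RSAFactor(n, a, b) exactly as listed above.
from math import gcd, isqrt
import random


def factor_from_phi(n: int, phi: int):
    """Solve p^2 - (n - phi + 1) p + n = 0; returns (p, q) with p <= q, or None."""
    s = n - phi + 1                       # p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


def rsa_factor_once(n: int, a: int, b: int, w: int):
    """Steps 2-8 for one trial value w; returns a factor of n or None (Failure)."""
    x = gcd(w, n)                         # step 2
    if 1 < x < n:
        return x
    s, r = 0, a * b - 1                   # step 3: ab - 1 = 2^s r, r odd
    while r % 2 == 0:
        s += 1
        r //= 2
    v = pow(w, r, n)                      # step 4
    if v == 1:
        return None                       # step 5: n is a w-spsp
    v0 = None
    for _ in range(s):                    # step 6: at most s squarings reach v = 1
        if v == 1:
            break
        v0, v = v, v * v % n
    if v != 1 or v0 == n - 1:
        return None                       # step 7: only the trivial root -1 was found
    x = gcd(v0 + 1, n)                    # step 8: v0 is a nontrivial square root of 1
    return x if 1 < x < n else None


def rsa_factor(n: int, a: int, b: int, trials: int = 64, rng=random):
    """Repeat the Las Vegas trial; each trial succeeds with probability >= 1/2."""
    for _ in range(trials):
        w = rng.randrange(1, n)           # step 1
        x = rsa_factor_once(n, a, b, w)
        if x is not None:
            return (min(x, n // x), max(x, n // x))
    return None


# Constructed toy key (p = 61, q = 53, b = 17, a = 2753).
TOY_N, TOY_A, TOY_B = 3233, 2753, 17
```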
Wiener's Low Decryption Exponent Attack
$n = pq$, $\phi(n) = (p-1)(q-1)$, $a$: decryption exponent, $b$: encryption exponent.
If the following holds: $3a < n^{1/4}$ and $q < p < 2q$, then this attack will work.
Remark: By choosing $3a < n^{1/4}$, the running time of decryption is intentionally reduced by almost 75%!! Notice that $\log(3) + \log(a) < \frac{1}{4}\log(n) \Rightarrow \log(a) \lessapprox l/4 \Rightarrow O(\frac{1}{4} l^3)$. Note that if $n$ is $l$ bits, then $a$ is less than $l/4 - 1$ bits.
Attack: $ab \equiv 1 \bmod \phi(n) \Rightarrow ab - 1 = t\phi(n) \Rightarrow \phi(n) = \frac{ab - 1}{t}$, and
$$\frac{b}{\phi(n)} - \frac{t}{a} = \frac{1}{a\phi(n)}, \qquad t < a \ (\text{since } b < \phi(n)).$$
Since $n = pq > q^2$, $q < \sqrt{n}$, so $0 < n - \phi(n) = p + q - 1 < 2q + q - 1 = 3q - 1 < 3\sqrt{n}$.
$$\left|\frac{b}{n} - \frac{t}{a}\right| = \left|\frac{ba - tn}{an}\right| = \left|\frac{1 + t(\phi(n) - n)}{an}\right| \le \frac{1 + 3t\sqrt{n}}{an} \approx \frac{3t\sqrt{n}}{an} = \frac{3t}{a\sqrt{n}}$$
Since $3t < 3a < n^{1/4}$:
$$\left|\frac{b}{n} - \frac{t}{a}\right| < \frac{1}{a\,n^{1/4}} < \frac{1}{3a^2} < \frac{1}{2a^2}, \quad \text{which is VERY SMALL!}$$
Thus the fraction $t/a$ is a very close approximation to $b/n$. It can be shown that $t/a$ must be one of the convergents of $b/n$ (in the continued fraction expansion of $b/n$):
$$\frac{n}{b} = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2 + \cfrac{1}{\ddots + \cfrac{1}{q_s + 0}}}} = \langle q_0, q_1, q_2, \ldots, q_s \rangle$$
$\langle q_0 \rangle = q_0$ (first approximation), $\langle q_0, q_1 \rangle = q_0 + \frac{1}{q_1}$, $\langle q_0, q_1, q_2 \rangle = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2}}$, ...
If $t/a$ is a convergent of $b/n$, then $\phi(n) = \frac{ab - 1}{t}$. Once we have $\phi(n)$, we can compute $p$ and $q$ using $\phi(n) = (p-1)(q-1)$ (b/c $n = pq$).
Note that $b$ and $n$ are public. Since we don't know ahead of time which convergent of $b/n$ we should use for $t/a$, we try each of $\langle q_0 \rangle, \langle q_0, q_1 \rangle, \ldots, \langle q_0, q_1, \ldots, q_s \rangle$ till one of them gives the factorization of $n$.
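A key-validation check that runs the convergent search described above against a public key $(n, b)$ and reports whether some convergent $t/a$ gives a $\phi(n) = (ab-1)/t$ that factors $n$, as an added example that is not part of the notes. The primes 1000003 and 999983 (which satisfy $q < p < 2q$), the small decryption exponent 101 (so $3a = 303 < n^{1/4} \approx 1000$) and the ordinary exponent 65537 are constructed values.

```python
# Added example, not from the lecture notes: a check for the low-decryption-
# exponent weakness, using the convergents of b/n as described above.
from math import isqrt


def convergents_of(num: int, den: int):
    """Yield (A_k, B_k) for num/den using the recurrence of Theorem 1."""
    A0, A1, B0, B1 = 0, 1, 1, 0
    while den:
        q, num, den = num // den, den, num % den
        A0, A1 = A1, q * A1 + A0
        B0, B1 = B1, q * B1 + B0
        yield A1, B1


def wiener_check(n: int, b: int):
    """Return (p, q) if a convergent t/a of b/n yields phi = (ab-1)/t that factors n, else None."""
    for t, a in convergents_of(b, n):
        if t == 0 or (a * b - 1) % t:
            continue
        phi = (a * b - 1) // t
        s = n - phi + 1                      # p + q from phi = (p-1)(q-1) and n = pq
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == n:
            return p, q
    return None


def make_key_with_private_exponent(p: int, q: int, a: int):
    """Constructed RSA key where the decryption exponent a is chosen first; returns (n, b)."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(a, -1, phi)


# Constructed primes with q < p < 2q; n is about 2^40, so n^(1/4) is about 1000.
P_TEST, Q_TEST = 1000003, 999983
```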
Low Exponent Attack on RSA
For high-speed encryption: $b = 3$, where $\gcd(3, \phi(n)) = 1$.
Attack: $y_1 \equiv m^3 \bmod n$ and $y_2 \equiv (m+1)^3 \bmod n$. Since $(m+1)^3 = m^3 + 3m^2 + 3m + 1$:
$$\frac{y_2 + 2y_1 - 1}{y_2 - y_1 + 2} = \frac{(m+1)^3 + 2m^3 - 1}{(m+1)^3 - m^3 + 2} = \frac{3m^3 + 3m^2 + 3m}{3m^2 + 3m + 3} = m \quad (\text{computed mod } n).$$
This attack can be generalized to $b > 3$. It can also work for $k$ messages related by a polynomial: $m$ and $m^2 + m + c$.
If $r$ is chosen at random, it is equally likely to be any of these four possible values. Thus the probability of success is $\frac{1}{2}$.
The above algorithm proves that Rabin's system is insecure against chosen plaintext attack because we simply substitute $A(g)$ with the decryption algorithm of Bob.
Factoring Algorithms
Three most effective methods on large numbers:
1. Quadratic Sieve
2. Elliptic Curve Algorithm
3. Number Field Sieve
Other Methods:
1. Pollard's Rho Method
2. Pollard's $p-1$ Algorithm
3. Williams' $p+1$ Algorithm
4. Continued Fraction Algorithm
5. Trial Division (efficient for $n < 10^{12}$): $O(\sqrt{n}(\log n)^3)$, i.e. exponential to the power of $l/2$ (try each odd integer up to $\sqrt{n}$).
Pollard's $p-1$ Factoring Algorithm
Based on Fermat's Theorem: $b^{p-1} \equiv 1 \bmod p$. Suppose $p$ is one of the factors of $n$ and all the prime factors of $(p-1)$ are SMALL. Therefore $(p-1)$ will divide $B!$ => $(p-1) \mid B!$.
Ex: $p = 11$, $p - 1 = 10 = 2 \times 5 \Rightarrow (p-1) \mid 5!$
Let $p$ be any prime divisor of $n$, and assume every prime power $q$ dividing $p-1$ satisfies $q \le B$. The method works when all the primes dividing $(p-1)$ are relatively small and all of them are less than $B$.
Then $(p-1)d = B!$ for some integer $d$, and $2^{B!} = (2^{(p-1)})^d \equiv 1 \bmod p$. Since $p \mid (2^{B!} - 1)$ and $p \mid n$, then $p \mid a = \gcd(n, 2^{B!} - 1)$.
The integer $a$ is a nontrivial divisor of $n$ (unless $a = 1$ or $a = n$). Then we attempt to factor $a$ and $n/a$ if they are composite.
Input: $n$ and $B$ (the bound)
1. $a = 2$
2. For $j = 2$ to $B$ do $a = a^j \bmod n$ (so that $a = 2^{B!} \bmod n$ at the end)
3. $d = \gcd(a - 1, n)$
4. If $1 < d < n$ then $d$ is a factor of $n$ (Success), else no factor of $n$ is found (Failure)
The algorithm is polynomial time: $B$ iterations, $O((\log B)(\log n)^2)$ for each modular exponentiation, $O((\log n)^3)$ for the gcd. Total: $O(B(\log B)(\log n)^2 + (\log n)^3)$.
Success is guaranteed if $B = \sqrt{n}$, but that implies a non-polynomial order. Therefore the algorithm has a small probability of success in polynomial time.
Remark: It is easy to make RSA resistant to Pollard's $p-1$ factorization. The method works if $p-1$ has only small prime factors, but we can construct $n = pq$ where $p = 2p_1 + 1$ and $q = 2q_1 + 1$, where $p_1$ and $q_1$ are very large primes. Then check that $p, q$ are also prime.
Lecture 14 (3/5/08)
Quadratic Sieve
To find $x \not\equiv \pm y \bmod n$ such that $x^2 \equiv y^2 \bmod n$; then $\gcd(x - y, n)$ is a nontrivial factor of $n$. This is because $n \mid (x^2 - y^2) \Rightarrow n \mid (x-y)(x+y) \Rightarrow pq \mid (x-y)(x+y) \Rightarrow p \mid (x - y)$ (while $n \nmid (x - y)$).
Consider a sequence $z_1, z_2, \ldots$ such that $z_i^2 \equiv Q(i) \bmod n$, and suppose we have a set of subscripts $S$ such that $\prod_{i \in S} Q(i) = Y^2$.
Dixon's Factorization Algorithm
Define $B$ to be the set of the $b$ smallest primes ($B = \{2, 3, 5, 7, 11, 13, \ldots\}$; note: $\gcd(n, p_i) = 1$), $|B| = b$.
We need to find $z_j$ such that $z_j^2 \bmod n$ is factorized using the primes in $B$:
$$z_j^2 \bmod n = Q(j) = \prod_{i=1}^{b} p_i^{\alpha_{ij}}, \quad p_i \in B.$$
Assume we generate such $z_j$ for $j = 1, \ldots, c$ where $c$ is slightly larger than $b$ (ex: $c = b + 10$).
For each $j$ consider a vector $a_j = (\alpha_{1j} \bmod 2, \alpha_{2j} \bmod 2, \ldots, \alpha_{bj} \bmod 2)$. Note: $a_j \in \mathbb{Z}_2^b$.
If we find a subset of $a_j$'s that sum to the zero vector $(0, 0, \ldots, 0) \bmod 2$, then the product of the corresponding $Q(j)$'s will give a congruence $x^2 \equiv Y^2 \bmod n$. (This is because every prime is used an even number of times.)
Ex: Let $n = 15770708441$, $B = \{2, 3, 5, 7, 11, 13\}$. Consider:
$z_1^2 = 8340934156^2 \equiv 3 \times 7 = Q(1) \bmod n$
$z_2^2 = 12044942944^2 \equiv 2 \times 7 \times 13 = Q(2) \bmod n$
$z_3^2 = 2773700011^2 \equiv 2 \times 3 \times 13 = Q(3) \bmod n$
Then $(z_1 z_2 z_3)^2 \equiv (2 \times 3 \times 7 \times 13)^2 \bmod n$.
Note that $a_1 = (0\,1\,0\,1\,0\,0)$, $a_2 = (1\,0\,0\,1\,0\,1)$, $a_3 = (1\,1\,0\,0\,0\,1)$, and $a_1 + a_2 + a_3 = 0 \bmod 2$.
Thus we set $x^2 = (z_1 z_2 z_3)^2$ and $Y^2 = (2 \times 3 \times 7 \times 13)^2$. Since $x^2 \equiv Y^2 \bmod n$, we can use $\gcd(n, x - Y)$ to factor $n$.
How to pick the number of $z_j$:
Suppose we have $c$ $b$-dimensional vectors $a_j$. Since $c > b$, we can always find a subset of the $a_j$'s for which $\sum a_j = 0 \bmod 2$. This is done by Gaussian elimination:
Let $E$ be the matrix whose rows are $a_j$ for $j = 1, \ldots, c$, and let $M = (E \mid I_{c \times c})$.
Perform Gaussian elimination on $M \bmod 2$ (add rows of $M$ by mod-2 operations, and also exchange rows of $M$) such that we get a row whose $E$ part is zero. Then the same row in the $I_{c \times c}$ part (which is no longer an identity matrix) will give us those $a_j$'s that sum to the zero vector.
Example: Let $B = \{2, 5, 7, 11, 17, 19\}$ ($b = 6$) and assume $c = 6$:
$Q(1) = 2 \cdot 7 \cdot 11^2$
$Q(2) = 5 \cdot 11 \cdot 17$
$Q(3) = 2 \cdot 17 \cdot 19$
$Q(4) = 7 \cdot 17^2 \cdot 19$
$Q(5) = 2 \cdot 5 \cdot 19$
$Q(6) = 2 \cdot 5 \cdot 7 \cdot 11$
$$E = \begin{pmatrix} a_1 \\ a_2 \\ a_3 \\ a_4 \\ a_5 \\ a_6 \end{pmatrix} = \begin{pmatrix} 1&0&1&0&0&0 \\ 0&1&0&1&1&0 \\ 1&0&0&0&1&1 \\ 0&0&1&0&0&1 \\ 1&1&0&0&0&1 \\ 1&1&1&1&0&0 \end{pmatrix}, \qquad M = (E \mid I_{6 \times 6}).$$
After Gaussian elimination mod 2, $M$ contains a row whose $E$ part is zero and whose $I$ part is $(0\,1\,1\,1\,0\,1)$. This zero row of $M$ indicates that $a_2 + a_3 + a_4 + a_6 \equiv 0 \bmod 2$. Therefore
$$Q(2)Q(3)Q(4)Q(6) = (2 \cdot 5 \cdot 7 \cdot 11 \cdot 17^2 \cdot 19)^2.$$
How to pick $z_j$:
There are several methods to find $z_j$'s such that $z_j^2 \bmod n$ factors over the primes in $B$. We discuss the following 3 methods:
1. Choose $z_j$ at random.
2. Choose $z_j = j + \lceil\sqrt{kn}\rceil$ where $j = 0, 1, 2, \ldots$ and $k = 1, 2, \ldots$. Then $z_j^2 \bmod n$ is likely to be a small number, so there is a good chance to factor it over $B$.
3. Choose $z_j = \lfloor\sqrt{kn}\rfloor$. Then $z_j^2 \bmod n$ tends to be a bit less than $n$, so $z_j^2 \bmod n - n$ is small in absolute value and can perhaps be factored over $B$ (need to include $-1$ in $B$ as well!).
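Pollard's $p-1$ method and Dixon's algorithm (relation search by method 2, exponent vectors mod 2, Gaussian elimination on $M = (E \mid I)$, and the final gcd) as described in the preceding sections, as an added example that is not part of the notes. The matrix $E$ of the worked example above is used to check the elimination; $n = 2354909 = 2311 \cdot 1019$ (with $2310 = 2\cdot3\cdot5\cdot7\cdot11$ dividing $11!$) and $n = 1649$ are constructed test moduli.

```python
# Added example, not from the lecture notes: Pollard's p-1 and Dixon's
# factoring algorithm with mod-2 Gaussian elimination on M = (E | I).
from math import gcd, isqrt


def pollard_p_minus_1(n: int, B: int):
    """Steps 1-4 above: a = 2^(B!) mod n, d = gcd(a - 1, n); None on Failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def exponent_vector(m: int, base):
    """(alpha_1, ..., alpha_b) with m = prod p_i^alpha_i, or None if m does not factor over base."""
    if m <= 0:
        return None
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def find_relations(n: int, base, count: int, span: int = 50):
    """Method 2: z = j + ceil(sqrt(k n)); z^2 mod n stays small and often factors over base."""
    rels, k = [], 1
    while len(rels) < count:
        root = isqrt(k * n) + 1
        for j in range(span):
            z = root + j
            exps = exponent_vector(z * z % n, base)
            if exps is not None:
                rels.append((z, exps))
                if len(rels) == count:
                    break
        k += 1
    return rels


def dependencies_mod2(vectors):
    """Gaussian elimination mod 2 on M = (E | I): each zero E-row's I-part is a subset summing to 0."""
    pivots, deps = {}, []
    for j, v in enumerate(vectors):
        e = sum((x & 1) << i for i, x in enumerate(v))    # row of E as a bit mask
        ident = 1 << j                                     # row of I as a bit mask
        while e:
            low = e & -e                                   # lowest set bit is the pivot column
            if low not in pivots:
                pivots[low] = (e, ident)
                break
            pe, pi = pivots[low]
            e ^= pe                                        # add the pivot row mod 2
            ident ^= pi                                    # and keep the I part in step
        if e == 0:
            deps.append([i for i in range(len(vectors)) if ident >> i & 1])
    return deps


def dixon(n: int, base, extra: int = 1):
    """Return a nontrivial factor of n found from some dependency, or None."""
    rels = find_relations(n, base, len(base) + extra)
    for dep in dependencies_mod2([exps for _, exps in rels]):
        x = 1
        for j in dep:
            x = x * rels[j][0] % n                          # x = prod z_j
        y = 1
        for i, p in enumerate(base):
            half = sum(rels[j][1][i] for j in dep) // 2      # every prime appears an even number of times
            y = y * pow(p, half, n) % n                      # y = prod p_i^(sum alpha_ij / 2)
        g = gcd(x - y, n)
        if 1 < g < n:
            return g
    return None


# The matrix E of the worked example above (rows a_1..a_6 over B = {2,5,7,11,17,19}).
E_EXAMPLE = [[1, 0, 1, 0, 0, 0], [0, 1, 0, 1, 1, 0], [1, 0, 0, 0, 1, 1],
             [0, 0, 1, 0, 0, 1], [1, 1, 0, 0, 0, 1], [1, 1, 1, 1, 0, 0]]
```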
Expected running time: $O\left(e^{(1 + o(1))\sqrt{(\ln n)(\ln \ln n)}}\right)$
Optimum choice of $b$: $|B| \approx e^{\sqrt{(\ln n)(\ln \ln n)}}$
Approximate timing:
# of Digits | Time to Factor
50 | 3.9 hours
75 | 104 days
100 | 74 years
In practice, the following three methods are used often:
1. Quadratic Sieve
2. Elliptic Curve (useful when the prime factors are of different size)
3. Number Field Sieve (method of choice now, used when the primes are very large)
Rabin's Cryptosystem (faster than RSA)
Let $n = pq$ where $p, q$ are distinct primes such that $p \equiv 3 \bmod 4$ and $q \equiv 3 \bmod 4$. Let $P = C = \mathbb{Z}_n$.
Public Key: $n, B$
Private Key: $p, q$
Encryption: $y = e_k(x) = x(x + B) \bmod n$
Decryption: $x = d_k(y) = \sqrt{y + \frac{B^2}{4}} - \frac{B}{2} \bmod n$
Note: computing a square root modulo $n$ without knowing $p, q$ is as hard as factoring $n$.
Consider decryption: $x^2 + Bx \equiv y \bmod n$ (a quadratic equation). Let $x_1 = x + B/2 \bmod n \Rightarrow x = x_1 - B/2$ and $x_1^2 = B^2/4 + y \bmod n$. Let $c = B^2/4 + y \Rightarrow x_1^2 \equiv c \bmod n$. Therefore, we need to extract the square root of $c \bmod n$.
Decryption using the secret information $p, q$: $x_1^2 \equiv c \bmod n \Rightarrow x_1^2 \equiv c \bmod p$ (2 distinct solutions if $c \in QR_p$) and $x_1^2 \equiv c \bmod q$ (2 distinct solutions if $c \in QR_q$).
Since $c$ is the result of the encryption, we conclude that $x_1^2 \equiv c \bmod n$ definitely has a solution. Thus both the mod-$p$ and the mod-$q$ equations have solutions. Thus, using the Chinese Remainder Theorem (CRT), we get four solutions for $x_1$.
To find the solutions: $z_1 \equiv c^{(p+1)/4} \bmod p$.
Proof: $z_1^2 \equiv c^{(p+1)/2} = c^{(p-1)/2} \cdot c \equiv c \bmod p$ (Euler's formula, since $c \in QR_p$).
Thus $x_1 \equiv \pm c^{(p+1)/4} \bmod p$ and $x_1 \equiv \pm c^{(q+1)/4} \bmod q$; use the CRT to find $x_1$ with $x_1^2 \equiv c \bmod n$.
Using $x_1$, we compute $d_k(y) = x_1 - \frac{B}{2} \bmod n \Rightarrow \sqrt{\frac{B^2}{4} + y} - \frac{B}{2} \bmod n$.
Remark: For $p \equiv 1 \bmod 4$, there is no known polynomial-time deterministic algorithm to compute $x$ in $x^2 \equiv c \bmod p$. (There is a polynomial-time Las Vegas algorithm to solve for $x$.)
Lecture 15 (3/10/08)

Aside (extracting an a-th root mod n when gcd(a, φ(n)) = 1; **THIS IS NOT TRUE FOR RABIN'S SYSTEM**, where the exponent a = 2 divides φ(n)):
x^a ≡ y mod n where gcd(a, φ(n)) = 1.
This can be solved if we know φ(n), because there exist b, c such that ab + cφ(n) = 1.
Claim: x ≡ y^b mod n.
Proof: y^b ≡ x^{ab} ≡ x^{1 − cφ(n)} ≡ x · (x^{φ(n)})^{−c} ≡ x mod n, by Euler's theorem (for gcd(x, n) = 1).

Problem with Rabin's system:
The encryption function e_K(x) is NOT INJECTIVE (i.e. decryption cannot be done in an unambiguous way). There are four possible solutions for decryption:
Let w^2 ≡ 1 mod n with w ≢ ±1 (a nontrivial square root of 1, which exists since n has two prime factors). Then
e_K(w(x + B/2) − B/2) = w^2 (x + B/2)^2 − (B/2)^2 = (x + B/2)^2 − B^2/4 = x^2 + Bx = e_K(x).
We can show that the four possible plaintext solutions are:
x
−x − B
w(x + B/2) − B/2
−w(x + B/2) − B/2
To uniquely identify the plaintext, we need to have some side information:
Claim: Having e_K(m), the Jacobi symbol (m/n), and whether m < n/2 or m > n/2, m is identified uniquely by decryption of e_K(m).
(Take B = 0 for the proof, so that m itself is the square root being extracted; for general B the same argument applies to m + B/2.)
Proof:
Let x^2 ≡ c mod n. Write the four solutions by their residues mod p and mod q:
x_1 ≡ a mod p,   x_1 ≡ b mod q
x_2 ≡ a mod p,   x_2 ≡ −b mod q
x_3 ≡ −a mod p,  x_3 ≡ b mod q
x_4 ≡ −a mod p,  x_4 ≡ −b mod q   (so x_4 ≡ −x_1 mod n and x_3 ≡ −x_2 mod n)
Without loss of generality, assume (a/p) = (b/q) = 1. Since p ≡ q ≡ 3 mod 4, (−1/p) = (−1/q) = −1, hence
(x_1/n) = (x_1/p)(x_1/q) = (a/p)(b/q) = 1
(x_2/n) = (a/p)(−b/q) = −1
(x_3/n) = (−a/p)(b/q) = −1
(x_4/n) = (−a/p)(−b/q) = 1
Thus the Jacobi symbol rules out two of the four solutions (it separates {x_1, x_4} from {x_2, x_3}).
For the remaining pair: if x_1 > n/2 then x_4 = n − x_1 < n/2. We know x_1 ≢ x_4 mod n, so exactly one of the two remaining solutions is identified by whether m < n/2 or m > n/2.
Factoring the Rabin modulus n given a decryption oracle
If we can take square roots mod n, then we can factor n. Assume B = 0 in the Rabin public-key system.
1. Choose a random r with 1 < r ≤ n − 1.
2. Compute y ≡ r^2 mod n.
3. Call the decryption oracle for the Rabin system, A(y), obtaining a decryption x_1 (one of the four square roots of y).
4. If x_1 ≡ ±r mod n then FAILURE (the oracle returned the root we already knew, or its negative);
   else gcd(x_1 + r, n) = p (or q): SUCCESS.
Since x_1^2 ≡ r^2 mod n, n | (x_1 − r)(x_1 + r); when x_1 ≢ ±r, neither factor is divisible by n, so the gcd is a proper factor. The oracle cannot tell which of the four roots r was, so each call succeeds with probability 1/2.

Although Rabin's system is secure against a chosen-plaintext attack (recovering plaintexts is provably as hard as factoring n), it is broken by a chosen-ciphertext attack:
use the decryption device, fed with the chosen ciphertext y = r^2, as the oracle A in the previous algorithm. After a single successful query the attacker has factored n and can decrypt everything.
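The Rabin decryption of the previous section and the oracle attack above, as an added example that is not part of the original notes. The primes p = 467, q = 479, the value B and the plaintext are constructed toy values (both primes are ≡ 3 mod 4); the function names are mine. The oracle is simulated by the legitimate decryption routine returning one root.

```python
# Added example (not from the lecture notes): Rabin encryption, decryption via
# the four CRT square roots, Jacobi/half side information, and the
# decryption-oracle factoring attack. Parameters are small constructed values.
import random
from math import gcd

P_, Q_ = 467, 479          # constructed primes, both ≡ 3 (mod 4)
N_ = P_ * Q_


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(rp, p, rq, q):
    """x mod pq with x ≡ rp (mod p) and x ≡ rq (mod q)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def rabin_encrypt(x, n, B):
    return x * (x + B) % n


def rabin_roots(y, p, q, B):
    """All four plaintexts for y: x = ±sqrt(c) − B/2 with c = y + B^2/4 (mod n)."""
    n = p * q
    half = pow(2, -1, n)                    # 1/2 mod n (n is odd)
    c = (y + B * B * half * half) % n
    rp = pow(c, (p + 1) // 4, p)            # works because p ≡ 3 (mod 4)
    rq = pow(c, (q + 1) // 4, q)
    assert rp * rp % p == c % p and rq * rq % q == c % q, "y is not a valid ciphertext"
    return [(crt(sp, p, sq, q) - B * half) % n
            for sp in (rp, p - rp) for sq in (rq, q - rq)]


def side_info(x, n, B):
    """The two bits the notes require: Jacobi symbol and half bit of x1 = x + B/2."""
    x1 = (x + B * pow(2, -1, n)) % n
    return jacobi(x1, n), 2 * x1 < n


def rabin_decrypt(y, p, q, B, jac, low_half):
    """Pick the unique root consistent with the side information."""
    n = p * q
    for x in rabin_roots(y, p, q, B):
        if side_info(x, n, B) == (jac, low_half):
            return x
    return None


def factor_with_oracle(n, oracle, rng=random.Random(1), tries=64):
    """Chosen-ciphertext attack: submit y = r^2 and compare the returned root with r."""
    for _ in range(tries):
        r = rng.randrange(2, n)
        if gcd(r, n) != 1:
            return gcd(r, n)                # lucky: r already shares a factor
        x1 = oracle(r * r % n)
        if x1 not in (r, n - r):            # with probability 1/2 the oracle picks ±r
            return gcd(x1 + r, n)           # otherwise x1 ≡ r mod one prime only
    return None


if __name__ == "__main__":
    B, x = 12345, 98765
    y = rabin_encrypt(x, N_, B)
    print("four roots:", rabin_roots(y, P_, Q_, B))
    print("decrypted :", rabin_decrypt(y, P_, Q_, B, *side_info(x, N_, B)))
    # The "oracle" is the legitimate decryption device with B = 0, returning one root.
    oracle = lambda y: min(rabin_roots(y, P_, Q_, 0))
    print("factor    :", factor_with_oracle(N_, oracle))
```

Note that the oracle here is deterministic (it returns the smallest root), which is the best case for the defender; the attack still succeeds because the attacker's r is uniformly one of the four roots and the oracle cannot know which.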
Semantic Security
Adversary goals:
Total break: determine the secret key.
Partial break: decrypt a previously unseen ciphertext (without knowing the key) with some non-negligible probability.
Distinguishability of ciphertext: with some probability > 0.5, the adversary can distinguish between the encryptions of two given plaintexts.
  Given plaintexts A and B, choose between A and B at random (with probability 1/2) and encrypt it, y = e_K(x) where x = A or x = B. By looking at the ciphertext y, the adversary can tell whether A or B was encrypted with probability > 0.5 (better than random guessing).
Remark: It is harder to make a cryptosystem secure against a less ambitious (weaker) goal of the adversary.
Semantic security: the adversary cannot (in polynomial time) distinguish ciphertexts, provided that certain computational assumptions hold.

Partial information leakage of RSA
y ≡ x^b mod n
Jacobi symbol:
(y/n) = (x^b/n) = (x/n)^b = (x/n),
since gcd(b, φ(n)) = 1 and φ(n) even imply that b is odd, so x^{b−1} is a square and (x^{b−1}/n) = 1.
Thus, given the ciphertext y, anyone can efficiently compute (x/n) without decrypting the ciphertext.
Thus RSA leaks some information concerning the plaintext x, namely the Jacobi symbol (x/n).
In general, it is very difficult to design a public-key system that does not leak ANY information to the adversary regarding the plaintext.
Lecture 16 (3/12/08)

RSA decryption using partial information about plaintext bits
Partial information, for y = e_K(x):
parity(y) denotes the low-order bit of x (even/odd).
half(y) = 0 if 0 ≤ x < n/2
          1 if n/2 < x ≤ n − 1
Remark: We will show that any algorithm that computes parity(y) or half(y) can be used as an oracle to construct an algorithm that computes the plaintext x.
In other words, given a ciphertext, computing the low-order bit of the plaintext is polynomially equivalent to determining the whole plaintext.

half(y) = parity(y · e_K(2) mod n) = parity((2x)^b mod n)
parity(y) = half(y · e_K(2^{−1}) mod n) = half((2^{−1} x)^b mod n)
Example (why the first identity holds):
2x mod n = 2x       if x < n/2   (2x is EVEN)
         = 2x − n   if x > n/2   (2x − n is ODD, since n is odd)

Binary search using half(y)
Let n = 8 (a toy value just to illustrate the search), so ⌊log_2 n⌋ = 3.
x = 3, y = e_K(x) = e_K(3).
At step i the oracle is applied to e_K(2^i x), and the answer tells whether x lies in the lower or the upper half of the current interval [lo, hi):
      0 1 2 3 4 5 6 7
      lo            hi
lo = 0, hi = 8, mid = 4:  half(e_K(x)) = 0    => hi = mid = 4
lo = 0, hi = 4, mid = 2:  half(e_K(2x)) = 1   => lo = mid = 2
lo = 2, hi = 4, mid = 3:  half(e_K(4x)) = 1   => lo = mid = 3
The interval [3, 4) contains a single integer, so x = 3.

RSA decryption algorithm using half(y)
1. Denote k = ⌊log_2 n⌋.
2. For i = 0 to k do
      h_i = half(y)              note: at this point y = e_K(x 2^i), so h_i = half(e_K(x 2^i))
      y = (y · e_K(2)) mod n     note: y becomes e_K(2x), e_K(4x), ...
3. lo = 0
4. hi = n
5. For i = 0 to k do
      mid = (hi + lo)/2
      if h_i = 1 then lo = mid
      else hi = mid
6. Return ⌊hi⌋
Note: e_K(x_1) e_K(x_2) = e_K(x_1 x_2) (RSA is multiplicative), which is what makes the oracle queries e_K(2^i x) computable from y alone. After k + 1 halvings the interval has width n/2^{k+1} < 1, so it contains exactly one integer, x.
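The binary search above, as an added example that is not part of the original notes. The RSA key (p = 467, q = 479, b = 17) is a constructed toy key; the half and parity oracles are simulated with the private key, and the recovery routine decrypt_with_half (my name) only ever calls the oracle, never the key. Exact rationals are used for the interval so no floating-point rounding can shift lo or hi.

```python
# Added example (not from the lecture notes): the half(y) binary search of the
# notes, run against an oracle simulated with a small constructed RSA key.
from fractions import Fraction

P_, Q_ = 467, 479                      # constructed primes; n is far too small for real use
N_ = P_ * Q_
B_ = 17                                # public exponent b
A_ = pow(B_, -1, (P_ - 1) * (Q_ - 1))  # private exponent a


def rsa_encrypt(x, n=N_, b=B_):
    return pow(x, b, n)


def half_oracle(y, n=N_, a=A_):
    """Simulated oracle: 0 if the plaintext of y is below n/2, else 1."""
    return 0 if 2 * pow(y, a, n) < n else 1


def parity_oracle(y, n=N_, a=A_):
    """Simulated oracle: the low-order bit of the plaintext of y."""
    return pow(y, a, n) & 1


def half_from_parity(y, parity=parity_oracle, n=N_):
    """half(y) = parity(y * e_K(2)): 2x is even below n/2 and 2x - n is odd above."""
    return parity(y * rsa_encrypt(2, n) % n)


def parity_from_half(y, half=half_oracle, n=N_):
    """parity(y) = half(y * e_K(2^-1)): x/2 < n/2 for even x, (x+n)/2 > n/2 for odd x."""
    return half(y * rsa_encrypt(pow(2, -1, n), n) % n)


def decrypt_with_half(y, half=half_oracle, n=N_):
    """Recover x from y = e_K(x) with k+1 oracle calls, k = floor(log2 n)."""
    k = n.bit_length() - 1
    h = []
    for _ in range(k + 1):
        h.append(half(y))                  # half(e_K(2^i x))
        y = y * rsa_encrypt(2, n) % n      # e_K(x1) e_K(x2) = e_K(x1 x2)
    lo, hi = Fraction(0), Fraction(n)      # exact arithmetic, no rounding drift
    for bit in h:
        mid = (lo + hi) / 2
        if bit == 1:
            lo = mid                       # 2^i x mod n fell in the upper half
        else:
            hi = mid
    return int(hi)                         # interval width < 1, so floor(hi) = x


if __name__ == "__main__":
    x = 123456
    print(decrypt_with_half(rsa_encrypt(x)))   # 123456
```

The lesson for implementers is that any side channel that answers "is the plaintext above n/2" (a padding check, a timing difference, an error message) is a full decryption oracle for textbook RSA, which is why RSA is only ever used with a randomized padding and constant-time checks.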
Semantically secure public-key system
No information leakage regarding the plaintext in polynomial time by examining the ciphertext: the adversary cannot distinguish ciphertexts.

Ciphertext Distinguishability
Let f be an encryption function such that:
Instance: f ∈ F : P → C, x_1, x_2 ∈ P, y = f(x_i) where i = 1 or i = 2.
Question: Is i = 1?
We note that if the encryption function f is deterministic, then the adversary can compute f(x_1) and f(x_2) and hence identify the value of i by checking y. Thus, to make Ciphertext Distinguishability a task that is computationally infeasible, we require randomized encryption.

Let the plaintext space be P = {0,1}^m (m-bit binary messages; m = ⌊log_2 n⌋ in the RSA instantiation below)
and let k be a positive integer.
Let f be a family of trapdoor one-way permutations such that f : {0,1}^k → {0,1}^k for all f ∈ F.
Let G : {0,1}^k → {0,1}^m be a random oracle.
Encryption:
Pick a random r ∈ {0,1}^k.
e_K(x) = (y_1, y_2) where y_1 = f(r) and y_2 = G(r) ⊕ x.
Decryption:
d_K(y_1, y_2) = G(f^{−1}(y_1)) ⊕ y_2
Note that f and G are public, but f^{−1} is the private key.
Suppose we use RSA as the trapdoor one-way permutation f:
n = pq, P = Z_n
f(x) ≡ x^b mod n
f^{−1}(x) ≡ x^a mod n
where ab ≡ 1 mod φ(n).
We note that the new semantically secure RSA requires very little extra computation.
Main drawback: data expansion, because the ciphertext has k + m bits rather than m bits. Data expansion is inevitable in semantically secure systems (randomized encryption needs room for the randomness).

Intuitive argument for the semantic security of the proposed system:
To obtain any information about the plaintext x, we must have some information about G(r). Since G is a random oracle, the only way to have some information about G(r) is to first compute r = f^{−1}(y_1) in full. It is not sufficient to compute partial information about r (which is possible if f = RSA, e.g. the Jacobi symbol of r). The adversary thus needs to recover r, but f is one-way, so r cannot be determined in polynomial time by an adversary who does not know the trapdoor of f.
Thus, the adversary cannot obtain any partial information about x.
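The construction above instantiated with f = RSA, as an added example that is not part of the original notes. The key (p = 467, q = 479, b = 17) is a constructed toy key; the random oracle G is modelled by SHA-256 (an assumption; a deployed scheme would use OAEP or a proper KDF), and the names encrypt, decrypt and G are mine.

```python
# Added example (not from the lecture notes): the randomized construction above,
# with f = textbook RSA on a small constructed key and the random oracle G
# modelled by SHA-256 (an assumption; a real deployment uses a proper KDF/OAEP).
import hashlib
import secrets

P_, Q_ = 467, 479
N_ = P_ * Q_
B_ = 17
A_ = pow(B_, -1, (P_ - 1) * (Q_ - 1))
K_BITS = N_.bit_length() - 1          # r is drawn from {0,1}^k with 2^k < n
M_BITS = 64                            # plaintext space {0,1}^m for this example


def G(r, m_bits=M_BITS):
    """Random-oracle stand-in: k-bit input -> m-bit mask, via SHA-256."""
    digest = hashlib.sha256(r.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)


def encrypt(x, r=None):
    """e_K(x) = (f(r), G(r) xor x) with a fresh random r."""
    if r is None:
        r = secrets.randbits(K_BITS)
    y1 = pow(r, B_, N_)                # f(r): RSA with the public exponent
    y2 = G(r) ^ x
    return y1, y2


def decrypt(y1, y2):
    """d_K(y1, y2) = G(f^{-1}(y1)) xor y2 using the trapdoor a."""
    r = pow(y1, A_, N_)
    return G(r) ^ y2


if __name__ == "__main__":
    x = 0xDEADBEEFCAFEF00D
    c1, c2 = encrypt(x), encrypt(x)
    print(c1 != c2, decrypt(*c1) == x, decrypt(*c2) == x)   # True True True
```

Two encryptions of the same x differ in both components, which is exactly what defeats the "encrypt both candidates and compare" distinguisher; the price is the extra k bits of y_1 per message.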
Public-Key Cryptography based on the Discrete Logarithm Problem (DLP)
Discrete Log Problem: I = (p, α, β), where p is prime, α ∈ Z_p^* is a primitive element (Z_p^* = ⟨α⟩), and β ∈ Z_p^*.
Find the unique integer a, 0 ≤ a ≤ p − 2, such that
α^a ≡ β mod p
(a = log_α β, the discrete log of β).
** p should have at least 150 digits (the 2008 figure quoted in the lecture; today a 2048-bit p is the norm), and p − 1 should have at least one large prime factor.

ElGamal Cryptosystem
Let p be a prime such that the discrete log problem in Z_p is intractable.
Z_p^* = {1, 2, 3, ..., p − 1} = ⟨α⟩ = {α^i : 0 ≤ i ≤ p − 2}   (note: α^{p−1} = 1; a cyclic group under multiplication mod p)
P = Z_p^*, C = Z_p^* × Z_p^*
K = {(p, α, a, β) : β ≡ α^a mod p}
Public key: p, α, β
Private key: a
For K = (p, α, a, β) and a secret, random number k ∈ Z_{p−1}, define:
e_K(x, k) = (y_1, y_2)
where y_1 = α^k mod p
      y_2 = x β^k mod p
For y_1, y_2 ∈ Z_p^* define:
d_K(y_1, y_2) = y_2 (y_1^a)^{−1} mod p
Note that this is a randomized cryptosystem (a fresh k per message), so two encryptions of the same plaintext look different. (In Z_p^* it still leaks the quadratic residuosity of x through y_2, so it is not fully semantically secure unless messages are restricted to a prime-order subgroup.)

Algorithm for attacking the Discrete Log Problem
p: prime, Z_p^* = ⟨α⟩, α^a ≡ β mod p, β ∈ Z_p^*. Find a given α, β, p.
* The discrete log can be computed by exhaustive search in O(p).
Shanks' Algorithm (baby-step giant-step):
Let a = qm + j where m = ⌈√(p − 1)⌉ and 0 ≤ j ≤ m − 1.
Then β = α^a = α^{qm + j} = (α^m)^q α^j, i.e. β (α^{−m})^q = α^j.
Create a list L = {(α^j, j) : j = 0, 1, ..., m − 1} (baby steps). This runs in O(√p) instead of O(p).
Then compute β(α^{−m})^0, β(α^{−m})^1, ... (giant steps) until we find some β(α^{−m})^q ∈ L,
i.e. β(α^{−m})^q = α^j   =>   a = qm + j.
The algorithm needs O(√p) memory and runs in O(√p) time if L is stored in a hash table (O(√p log p) if L is sorted and searched by binary search). Searching L linearly at every giant step would give a WORST-CASE time of O(p), so the data structure for L matters.
Lecture 17 (3/28/08)

Pohlig–Hellman Algorithm
Since 0 ≤ a ≤ p − 2, we are finding a mod (p − 1).
p − 1 = ∏_{i=1}^{k} p_i^{c_i}   (prime factorization; the p_i are distinct primes)
Fix one prime-power factor q^c with q^c | p − 1 (so p − 1 ≡ 0 mod q^c).
Goal: Find x ≡ a mod q^c.
Note: a = x + s q^c for some integer s.
Since 0 ≤ x ≤ q^c − 1, represent x in base q as
x = Σ_{i=0}^{c−1} a_i q^i,   0 ≤ a_i ≤ q − 1.

Let's find a_0 first:
β^{(p−1)/q} = α^{(p−1)a/q} = α^{(p−1)(x + q^c s)/q} ≡ α^{(p−1)a_0/q} mod p.
This holds because the two exponents agree modulo p − 1 (the order of α):
(p−1)(x + q^c s)/q − (p−1)a_0/q
  = (p−1)/q · (Σ_{i=0}^{c−1} a_i q^i + q^c s − a_0)
  = (p−1)/q · (Σ_{i=1}^{c−1} a_i q^i + q^c s)
  = (p−1)(Σ_{i=1}^{c−1} a_i q^{i−1} + q^{c−1} s)
  ≡ 0 mod (p − 1).
Thus we can compute γ = α^{(p−1)/q} mod p (an element of order q) and β^{(p−1)/q} mod p, and compare:
If β^{(p−1)/q} ≡ 1 mod p   =>   a_0 = 0.
Otherwise compute γ, γ^2, γ^3, ... until for some i: γ^i ≡ β^{(p−1)/q} mod p   =>   a_0 = i.
If c = 1, we are finished. If c > 1, we proceed to find a_1:
Define β_1 = β α^{−a_0} mod p
and x_1 = log_α β_1 mod q^c = Σ_{i=1}^{c−1} a_i q^i.
We can similarly show that β_1^{(p−1)/q^2} ≡ α^{(p−1)a_1/q} = γ^{a_1} mod p.
Thus we can compute β_1^{(p−1)/q^2} mod p and find i such that γ^i ≡ β_1^{(p−1)/q^2} mod p   =>   a_1 = i.
If c = 2, we are done. Otherwise find a_2, a_3, ..., a_{c−1} similarly using
β_j = β α^{−(a_0 + a_1 q + a_2 q^2 + ... + a_{j−1} q^{j−1})} mod p
and β_j^{(p−1)/q^{j+1}} ≡ γ^{a_j} mod p.

Pohlig–Hellman Algorithm (summary, computing log_α β mod q^c):
1. Compute γ^i = α^{(p−1)i/q} mod p for 0 ≤ i ≤ q − 1.
2. Set j = 0 and β_0 = β.
3. While j ≤ c − 1 do
      Compute δ = β_j^{(p−1)/q^{j+1}} mod p
      Find i such that δ = γ^i
      a_j = i
      β_{j+1} = β_j α^{−a_j q^j} mod p
      j = j + 1
Once all the a_j are found, x = Σ_{i=0}^{c−1} a_i q^i ≡ a mod q^c. With the x's for all prime-power factors of p − 1, a can be obtained using the Chinese Remainder Theorem (CRT).
Step 1 costs O(q) per prime q (or O(√q) with Shanks' method for the small DLP in the order-q subgroup), so the whole attack is fast whenever every prime factor of p − 1 is small.
This attack can be resisted by ensuring that p − 1 has a large prime factor.
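Shanks' baby-step giant-step and the Pohlig–Hellman reduction of the previous two sections, implemented together as an added example that is not part of the original notes. The Pohlig–Hellman digits are found with the baby-step giant-step routine applied inside the order-q subgroup, and the residues are combined by the CRT. The primes p = 31 (with primitive element 3) and p = 257 (p − 1 = 2^8, primitive element 3) are constructed test values; the function names are mine.

```python
# Added example (not from the lecture notes): Shanks' baby-step giant-step and
# the Pohlig–Hellman reduction, combined by the CRT. Parameters are constructed.
from math import isqrt


def bsgs(alpha, beta, p, order):
    """Smallest a in [0, order) with alpha^a ≡ beta (mod p), or None.
    order is the order of alpha (p - 1 for a primitive element)."""
    m = isqrt(order) + 1
    baby = {}
    g = 1
    for j in range(m):                     # baby steps: alpha^j
        baby.setdefault(g, j)
        g = g * alpha % p
    step = pow(alpha, -m, p)               # alpha^{-m}
    gamma = beta % p
    for q in range(m):                     # giant steps: beta * alpha^{-qm}
        if gamma in baby:
            return (q * m + baby[gamma]) % order
        gamma = gamma * step % p
    return None


def factorize(n):
    """Prime-power factorization by trial division: [(q, c), ...]."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            c = 0
            while n % d == 0:
                n //= d
                c += 1
            out.append((d, c))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out


def is_primitive(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q, _ in factorize(p - 1))


def crt(residues):
    """Combine [(x_i, m_i)] with pairwise coprime m_i into x mod prod(m_i)."""
    x, mod = 0, 1
    for r, m in residues:
        t = (r - x) * pow(mod, -1, m) % m
        x, mod = x + mod * t, mod * m
    return x % mod


def pohlig_hellman(alpha, beta, p):
    """log_alpha(beta) in Z_p^* for a primitive element alpha, by the method of the notes."""
    order = p - 1
    residues = []
    for q, c in factorize(order):
        gamma = pow(alpha, order // q, p)   # element of order q
        x = 0                               # a mod q^j, built digit by digit
        for j in range(c):
            beta_j = beta * pow(alpha, -x, p) % p
            delta = pow(beta_j, order // q ** (j + 1), p)   # = gamma^{a_j}
            a_j = bsgs(gamma, delta, p, q)  # tiny DLP in the order-q subgroup
            x += a_j * q ** j
        residues.append((x, q ** c))
    return crt(residues)


if __name__ == "__main__":
    print(bsgs(3, 22, 31, 30))                          # 17, since 3^17 ≡ 22 (mod 31)
    print(pohlig_hellman(3, pow(3, 200, 257), 257))     # 200 (p - 1 = 2^8: eight digits)
```

The cost is dominated by the largest prime factor of p − 1: each digit costs one small DLP of size q, so a p − 1 with only small factors falls in milliseconds while a p = 2q + 1 "safe prime" leaves a DLP of size q, which is the reason for the requirement that p − 1 have a large prime factor.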
Bit security of the Discrete Log Problem
How hard is it to compute individual bits of a discrete log?
Remark: In RSA, knowledge about the LSB or the MSB ("half") of the plaintext results in finding the whole plaintext x.
The LSB of the discrete log a = log_α β can be computed by Euler's criterion:
LSB(a) = 0 if β ∈ QR_p  (β^{(p−1)/2} ≡ 1 mod p)
       = 1 if β ∈ QNR_p (β^{(p−1)/2} ≡ −1 mod p)
Proof: β = α^a mod p. We know that
QR_p = {α^{2i} : i = 1, ..., (p−1)/2}
QNR_p = {α^{2i−1} : i = 1, ..., (p−1)/2}
Thus β ∈ QR_p iff a is even. Hence β is a quadratic residue iff a is even, and the LSB of the log is computable in polynomial time.

Computing other bits of the discrete log
Suppose p − 1 = 2^s t where t is odd and s ≥ 1. It can be shown that the s lowest-order bits of the discrete log can be computed easily (the Pohlig–Hellman idea applied to the factor 2^s). However, computing any other bit is as hard as the DLP (if we can compute any other bit in polynomial time, then we can solve the DLP in polynomial time). Note that if p − 1 has a large prime factor, e.g. p = 2q + 1 with q prime so that s = 1, this also ensures minimal bit leakage.
Index Calculus Method
(This method resembles Dixon's algorithm (the factor-base method) for factoring.)
Let β ≡ α^x mod p and B = {p_1, p_2, ..., p_B} where the p_i are small prime numbers (the factor base).
1. Find log_α p_i for i = 1, 2, ..., B.
   Construct c = B + 10 (or some number that ensures a sufficient number of independent equations) congruences mod p, as follows:
   Find random values x_j such that
   α^{x_j} mod p = p_1^{a_{1j}} p_2^{a_{2j}} ... p_B^{a_{Bj}}
   Equivalently:
   x_j ≡ a_{1j} log_α p_1 + ... + a_{Bj} log_α p_B mod (p − 1)   for j = 1, ..., c.
   Given c congruences in the B unknowns log_α p_i, we hope there is a unique solution mod p − 1 (the system is solved mod each prime-power factor of p − 1 and combined by the CRT). If this is the case, we can compute log_α p_i for i = 1, ..., B.
2. Choose a random s, 0 ≤ s ≤ p − 2, and attempt to find the factorization of β α^s mod p over the factor base B:
   β α^s mod p = p_1^{b_1} ... p_B^{b_B}
   If such a factorization does not exist, we choose another random number s and repeat.
3. Once such an s has been found,
   x + s ≡ b_1 log_α p_1 + ... + b_B log_α p_B mod (p − 1).
   Thus we can find log_α β = x from the above equation.
Generalized Discrete Log Problem in (G, ∘)
Discrete Log Problem: I = (G, α, β), where G is a finite group with group operation ∘, α ∈ G and β ∈ H, where H = ⟨α⟩ is the subgroup generated by α.
Objective: Find the unique integer a, 0 ≤ a ≤ |H| − 1, such that
α^a = β
where α^a means α ∘ α ∘ ... ∘ α (a times). We denote a by log_α β (the discrete log of β).

Generalized ElGamal Public-Key Cryptosystem
Let G be a finite group with operation ∘. Let α ∈ G be an element such that the DLP is intractable in H = ⟨α⟩ = {α^i : i ≥ 0}.
Let P = G, C = G × G,
K = {(G, α, a, β) : β = α^a}.
Public key: G, α, β
Private key: a
Encryption: for a secret random number k ∈ Z_{|H|}, define
e_K(x, k) = (y_1, y_2)
where y_1 = α^k
      y_2 = x ∘ β^k
Decryption: for y_1, y_2 ∈ G define
d_K(y_1, y_2) = y_2 ∘ (y_1^a)^{−1}
Remarks:
G does not need to be abelian; however, H is abelian since it is cyclic.
k can also be chosen with 0 ≤ k ≤ |G| − 1 if Alice doesn't know |H|.

The difficulty of the DLP depends on the representation of the group.
Ex: The DLP is easy to solve in (Z_n, +) (the additive cyclic group Z_n).
Let gcd(α, n) = 1   =>   Z_n = ⟨α⟩
DLP: aα ≡ β mod n
Thus we can compute α^{−1} mod n by the Euclidean algorithm and find a ≡ β α^{−1} mod n.
** Therefore we should not use the DLP in additive cyclic groups for public-key systems.
Using other groups for the DLP:
1. The multiplicative group of GF(p^n)
2. The group of an elliptic curve defined over a finite field
Lecture 18 (4/2/08)

Galois Field GF(p^n)
A field is a set that forms a group under addition AND all non-zero elements of the set form a group under multiplication (with multiplication distributing over addition).
Z_p is a field if p is a prime. Arithmetic is the usual mod p addition/multiplication. We denote this field by GF(p).
Another type of finite field: GF(q) where q = p^n, p is a prime, and n ≥ 1. Arithmetic in this field is no longer mod p addition/multiplication of integers.
Suppose p is prime. Define Z_p[x] to be the set of all polynomials in the indeterminate x with coefficients in Z_p. By defining addition and multiplication of polynomials in the usual way (and reducing coefficients mod p), we construct a ring.
Ex: f_1(x) = x^3 + 1, f_2(x) = x^3 + x + 1 in Z_2[x]
f_1(x) + f_2(x) = x^3 + x^3 + x + 1 + 1 = x
f_1(x) f_2(x) = x^6 + x^4 + x^3 + x^3 + x + 1 = x^6 + x^4 + x + 1

Let f(x), g(x), h(x) ∈ Z_p[x] with deg(f) = n.
Define g(x) ≡ h(x) mod f(x) iff f(x) | (g(x) − h(x)).
Divide g(x) by f(x): g(x) = q(x) f(x) + r(x) where deg(r) < n   =>   g(x) ≡ r(x) mod f(x).
Ex: in Z_2[x], divide g(x) = x^3 + x^2 + 1 by f(x) = x^2 + 1:
q(x) = x + 1, r(x) = x, since (x^2 + 1)(x + 1) = x^3 + x^2 + x + 1 and (x^3 + x^2 + 1) − (x^3 + x^2 + x + 1) = x.
Likewise x^3 ≡ x mod (x^2 + 1).

Define Z_p[x]/f(x): the collection of all polynomials with coefficients in Z_p and degree at most n − 1, where n = deg(f), with arithmetic done mod f(x).
A polynomial f(x) in Z_p[x] is said to be irreducible if there do not exist polynomials f_1(x), f_2(x) in Z_p[x] such that f(x) = f_1(x) f_2(x) with deg(f_1), deg(f_2) > 0. (Ex: x^3 + x + 1 is irreducible over Z_2; x^3 + 1 = (x + 1)(x^2 + x + 1) is not.)

Z_p[x]/f(x) constructs a finite field if:
1. f(x) is an irreducible polynomial over Z_p[x].
2. Addition of polynomials in Z_p[x]/f(x) is done in the usual way (except that we reduce coefficients mod p).
3. Multiplication of two polynomials in Z_p[x]/f(x) is done in the usual way (reducing coefficients mod p); then reduce the resulting polynomial mod f(x).
Remark: The order of the field Z_p[x]/f(x) is p^n if f(x) is irreducible in Z_p[x] of degree n.
Remark: We denote Z_p[x]/f(x) by the Galois field GF(p^n).
Remark:
Study the DLP in Z_p: use Z_p^* (the multiplicative group of Z_p, which is cyclic).
Study the DLP in GF(p^n) = Z_p[x]/f(x): use GF^*(p^n) (the multiplicative group of GF(p^n)).
Note: GF^*(p^n) is a cyclic group of order p^n − 1.
GF(p^m) has field elements represented by polynomials of the form a_0 + a_1 x + ... + a_{m−1} x^{m−1} where a_i ∈ GF(p).

Ex: Construction of GF(2^3)
(note: GF^*(2^3) = ⟨α⟩, |GF^*(2^3)| = 7)
GF^*(2^3) = {α, α^2, α^3, ..., α^7 = 1}
There exists an irreducible polynomial (of degree m = 3) for which α is a root. We call this polynomial, p(x), a primitive polynomial. This is the polynomial that is used in defining multiplication in GF(p^m). For GF(2^3), the primitive polynomial is p(x) = x^3 + x + 1.
Thus p(α) = 0 = α^3 + α + 1   =>   α^3 = α + 1

Exponential representation   Polynomial representation   (binary a_2 a_1 a_0)
0                            0                           000
α^0                          1                           001
α^1                          α                           010
α^2                          α^2                         100
α^3                          α + 1                       011
α^4                          α^2 + α                     110
α^5                          α^3 + α^2 = α^2 + α + 1     111
α^6                          α^3 + α^2 + α = α^2 + 1     101
α^7                          1                           001

Remark: For large n > 800 (~1024 bits!), the DLP in GF(2^n) was thought (in 2008) to be intractable provided that 2^n − 1 has at least one large prime factor (to resist the Pohlig–Hellman algorithm). This is no longer the case: the quasi-polynomial-time algorithms found in 2013–2014 for discrete logs in small-characteristic fields make GF(2^n) unsuitable for DLP-based cryptography at any practical size.
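The polynomial arithmetic and the GF(2^3) table above, as an added example that is not part of the original notes. Polynomials over Z_2 are stored as bitmasks (bit i is the coefficient of x^i), so x^3 + x + 1 is 0b1011; the functions poly_mul, poly_divmod, gf_mul, is_irreducible, power_table and is_primitive_poly are my own names. The block reproduces the two worked products of the notes and then builds the α^i table from α^3 = α + 1.

```python
# Added example (not from the lecture notes): arithmetic in Z_2[x]/f(x) with
# polynomials stored as bitmasks (bit i = coefficient of x^i), and the
# exponential/polynomial table of GF(2^3) for f(x) = x^3 + x + 1.

def poly_mul(a, b):
    """Carry-less product of two polynomials over Z_2 (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(g, f):
    """Quotient and remainder of g divided by f in Z_2[x]; deg(r) < deg(f)."""
    q, df = 0, f.bit_length() - 1
    while g and g.bit_length() - 1 >= df:
        shift = g.bit_length() - 1 - df
        q ^= 1 << shift
        g ^= f << shift
    return q, g


def gf_mul(a, b, f):
    """Multiplication in GF(2^n) = Z_2[x]/f(x): multiply, then reduce mod f."""
    return poly_divmod(poly_mul(a, b), f)[1]


def is_irreducible(f):
    """f has no factor of degree 1..deg(f)/2 (trial division, fine for small degrees)."""
    n = f.bit_length() - 1
    for d in range(2, 1 << (n // 2 + 1)):     # every polynomial of degree 1..n//2
        if poly_divmod(f, d)[1] == 0:
            return False
    return True


def power_table(f):
    """[alpha^0, alpha^1, ...] for alpha = x in Z_2[x]/f(x), until alpha^i wraps to 1."""
    if f & 1 == 0:
        raise ValueError("x divides f, so x is not invertible mod f")
    table, a = [1], gf_mul(1, 0b10, f)
    while a != 1:
        table.append(a)
        a = gf_mul(a, 0b10, f)
    return table


def is_primitive_poly(f):
    """x generates the whole multiplicative group iff the table has 2^n - 1 entries."""
    return is_irreducible(f) and len(power_table(f)) == (1 << (f.bit_length() - 1)) - 1


def poly_str(a):
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(a.bit_length()) if (a >> i) & 1]
    return " + ".join(reversed(terms)) if terms else "0"


if __name__ == "__main__":
    f = 0b1011                                  # x^3 + x + 1
    print(poly_str(poly_mul(0b1001, 0b1011)))   # (x^3+1)(x^3+x+1) = x^6 + x^4 + x + 1
    print(poly_divmod(0b1101, 0b101))           # x^3+x^2+1 = (x+1)(x^2+1) + x  -> (3, 2)
    for i, a in enumerate(power_table(f)):
        print("alpha^%d = %s" % (i, poly_str(a)))
```

Irreducible and primitive are different properties: x^4 + x^3 + x^2 + x + 1 is irreducible over Z_2 but x has order 5 in the field it defines, so it is not a primitive polynomial and would not give the exponential representation used above.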
Elliptic Curves
Let p > 3 be a prime. The elliptic curve y^2 = x^3 + ax + b over Z_p is the set of solutions (x, y) ∈ Z_p × Z_p to the equation y^2 ≡ x^3 + ax + b mod p, where a, b ∈ Z_p are constants such that 4a^3 + 27b^2 ≢ 0 mod p (this ensures that x^3 + ax + b = 0 has no multiple roots and hence that the curve is non-singular), together with a special point O called the point at infinity.

General form (Weierstrass equation):
y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6
In GF(p^n), p > 3:
y^2 = x^3 + ax + b,  4a^3 + 27b^2 ≢ 0 mod p
In GF(2^n): either
y^2 + cy = x^3 + ax + b        (supersingular case)
or
y^2 + xy = x^3 + ax^2 + b      (non-supersingular case)
In GF(3^n):
y^2 = x^3 + ax^2 + bx + c
where the right-hand side should not have multiple roots.
The set of points on E forms an abelian group.

Remarks:
For a moment assume that the field is the reals: y^2 = x^3 + ax + b.
E is the set of points on the curve and O (the point at infinity), which serves as the identity element.
−P is defined as: for P = (x, y), −P = (x, −y). (In GF(2^n) or GF(3^n), draw a vertical line from P to find −P.)
Note: if (x, y) is on the curve, then (x, −y) is also on the curve.
P + Q is defined as:
1. If P and Q have different x-coordinates, then normally the line l = PQ intersects the curve in exactly one more point R. Define P + Q to be −R (the mirror image of R with respect to the x-axis).
2. If the line l = PQ is tangent to the curve at Q, then R = Q.
3. If Q = −P then P + Q = O.
4. If P = Q, then let l be the tangent line to the curve at P:
   a) Let R be the only other point of intersection of l with the curve; define P + Q = −R (see 2).
   b) R is taken to be O if the tangent line has a double tangency (a vertical tangent): P + Q = O.
Lecture 19 (4/7/08)

Group operation on y^2 = x^3 + ax + b over Z_p:
Let P = (x_1, y_1), Q = (x_2, y_2) ∈ E.
If x_2 = x_1 and y_2 = −y_1 then P + Q = O.
Otherwise P + Q = (x_3, y_3), where
x_3 = λ^2 − x_1 − x_2 mod p
y_3 = λ(x_1 − x_3) − y_1 mod p
and
λ = (y_2 − y_1)(x_2 − x_1)^{−1} mod p   if P ≠ Q
λ = (3x_1^2 + a)(2y_1)^{−1} mod p       if P = Q
* define P + O = O + P = P.

Hasse's Theorem:
Let N be the number of points on E, usually denoted by #E, where E is defined over GF(q). Then
|#E − (q + 1)| ≤ 2√q.
Computing #E is difficult in general. Schoof's algorithm, with polynomial complexity O((log p)^8), computes #E (for E over GF(p)).
If #E is a prime (or a product of distinct primes), then the points on E form a cyclic group. If #E is prime, then E = ⟨α⟩ with ord(α) = #E for any α ≠ O, and every non-zero point of E is a generator.
For security, the cyclic group generated by α must be a group in which the DLP is intractable. This will be the case if the order of α has a very large prime factor (to resist Pohlig–Hellman).

Discrete Log over E
If E is an elliptic curve over GF(q) and α, β ∈ E, then the DLP on E (to the base α) is the problem of finding an integer x ∈ Z such that xα = β (written additively, α + α + ... + α, x times, because E is an additive group), if such an integer x exists.
The DLP is insecure over GF^*(2^r) (the multiplicative group of GF(2^r)) unless r is very large (~1024 in 2008; with the small-characteristic attacks of 2013–2014 no practical r is safe). On the other hand, it turns out that the DLP is secure over E defined on GF(2^r) for significantly smaller r (e.g. GF(2^160)). There are practical reasons (hardware and software) to use E on GF(2^r) instead of over other fields.

Ex: E: y^2 = x^3 + x + 6 over Z_11 (GF(11))
How many points are on E?
Take x ∈ Z_11, compute x^3 + x + 6 mod 11 and see if it is in QR_11 by using Euler's criterion.
Since 11 ≡ 3 mod 4, use the explicit formula to compute the square root of x^3 + x + 6 mod 11.
That is, if x^3 + x + 6 ≡ z mod 11 with z ≡ y^2 mod 11, then
y ≡ ± z^{(11+1)/4} = ± z^3 mod 11.
It can be shown by direct computation that E has 13 points (12 affine points plus the point at infinity):
(2,4) (2,7) (3,5) (3,6) (5,2) (5,9) (7,2) (7,9) (8,3) (8,8) (10,2) (10,9) and O.
Since #E = 13 is prime, E is cyclic and any point (except the point at infinity) is a generator of the group.
Let α = (2, 7) be the generator.
All other points can be generated as multiples of α (the additive analogue of powers of α).
2α = α + α = (2, 7) + (2, 7) = (x_3, y_3):
λ = (3·2^2 + 1)(2·7)^{−1} = 13·14^{−1} = 2·3^{−1} = 2·4 = 8 mod 11
x_3 = 8^2 − 2 − 2 = 60 mod 11 = 5
y_3 = 8(2 − 5) − 7 = −31 mod 11 = 2
So 2α = (5, 2).
ElGamal over E
Let α = (2, 7) and a = 7.
β = aα = 7α = (7, 2)
e_K(x, k) = (y_1, y_2) = (kα, x + kβ) = (k(2, 7), x + k(7, 2))
with x ∈ E and 0 ≤ k ≤ 12.
Suppose the message is x = (10, 9) ∈ E and the random k = 3.
Encryption:
y_1 = 3(2, 7) = (8, 3)
y_2 = (10, 9) + 3(7, 2) = (10, 9) + (3, 5) = (10, 2)
y = ((8, 3), (10, 2))
Decryption:
d_K(y_1, y_2) = y_2 − a y_1 = y_2 − 7 y_1
x = (10, 2) − 7(8, 3) = (10, 2) − (3, 5) = (10, 2) + (3, 6) = (10, 9)

Practical difficulty of the realization of ElGamal:
ElGamal on Z_p^*  ->  message expansion of factor two
ElGamal on E      ->  message expansion of factor four (each point takes two coordinates)
Embedding plaintext: no convenient method is known to deterministically map a message onto the points of E.

Mapping messages onto points of E
Let E be defined over GF(q) (where q = p^n).
1. No polynomial-time deterministic algorithm is known to map a message m onto E.
2. There IS a probabilistic method for which the chance of failure is small:
Let E be over GF(q) and let κ be a number such that a failure probability of 2^{−κ} is acceptable (e.g. κ = 30 or κ = 50).
Let the message m be in the range 0 ≤ m < M, with q > Mκ.
We write the integers 1 to Mκ in the form mκ + j where 1 ≤ j ≤ κ. Thus each mκ + j corresponds to an element of GF(q).
Given a message m, for each j = 1, 2, ..., κ, we obtain an element x of GF(q) corresponding to mκ + j.
For such an x, we check if z = x^3 + ax + b is in QR_q (in other words, whether some (x, y) ∈ E). If not, we increment j by one and try again; if so, m is represented by the point (x, y), and m = ⌊(x − 1)/κ⌋ is recovered from x.
Since z is a square for almost 50% of all x, there is a probability of failure of about 2^{−κ} to produce a point on E whose x-coordinate corresponds to an integer between mκ + 1 and mκ + κ.

Menezes–Vanstone Elliptic Curve Cryptosystem
Properties:
Message expansion of two (instead of four).
Plaintext and ciphertext are allowed to be arbitrary ordered pairs of non-zero field elements (not necessarily on E).
Let E be an elliptic curve over Z_p (p > 3 prime) such that E contains a cyclic subgroup H in which the DLP is intractable.
Let P = Z_p^* × Z_p^*, C = E × Z_p^* × Z_p^*.
Define K = {(E, α, a, β) : β = aα} where α ∈ E is the generator of H.
Public key: α, β
Private key: a
Encryption: x = (x_1, x_2) where x_1, x_2 ∈ Z_p^* but x = (x_1, x_2) is not necessarily on E.
Pick a random k ∈ Z_{|H|}.
y_0 = kα   (thus y_0 ∈ E)
Compute (c_1, c_2) = kβ = k(aα)   (a point of E; retry with a new k if c_1 = 0 or c_2 = 0)
y_1 = c_1 x_1 mod p   (scalar in Z_p^*)
y_2 = c_2 x_2 mod p   (scalar in Z_p^*)
e_K(x, k) = (y_0, y_1, y_2)
Decryption:
d_K(y) = (y_1 c_1^{−1} mod p, y_2 c_2^{−1} mod p)
where c_1 and c_2 are obtained by a y_0 = (c_1, c_2), since a y_0 = a(kα) = k(aα) = kβ.
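The curve y^2 = x^3 + x + 6 over Z_11 worked in code, covering the group law, the point count, the ElGamal example with α = (2, 7), a = 7, x = (10, 9), k = 3, and the Menezes–Vanstone variant above. This is an added example, not part of the original notes; the point at infinity is represented by None and the plaintext pair (9, 1) used for Menezes–Vanstone is a constructed value. Function names are mine.

```python
# Added example (not from the lecture notes): the curve y^2 = x^3 + x + 6 over
# Z_11 worked in full: point enumeration, the addition formulas, ElGamal with
# alpha = (2,7), a = 7 and the Menezes–Vanstone variant. O is represented by None.

P_MOD, CA, CB = 11, 1, 6          # y^2 = x^3 + CA*x + CB over Z_p
O = None


def on_curve(pt, p=P_MOD):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + CA * x + CB)) % p == 0


def neg(pt, p=P_MOD):
    return O if pt is O else (pt[0], (-pt[1]) % p)


def add(P, Q, p=P_MOD):
    """Chord-and-tangent addition, exactly the lambda / x3 / y3 formulas of the notes."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                           # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + CA) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, p=P_MOD):
    """Scalar multiple kP by double-and-add (k >= 0)."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R


def points(p=P_MOD):
    """All affine points plus O, found by testing each x for a square right-hand side."""
    pts = [O]
    for x in range(p):
        z = (x ** 3 + CA * x + CB) % p
        for y in range(p):
            if y * y % p == z:
                pts.append((x, y))
    return pts


def hasse_ok(count, q=P_MOD):
    """Hasse: |#E - (q + 1)| <= 2 sqrt(q), checked without floating point."""
    return (count - (q + 1)) ** 2 <= 4 * q


# ElGamal over E: public (alpha, beta = a*alpha), private a
ALPHA, A_SEC = (2, 7), 7
BETA = mul(A_SEC, ALPHA)


def elgamal_encrypt(x, k):
    return mul(k, ALPHA), add(x, mul(k, BETA))


def elgamal_decrypt(y1, y2, a=A_SEC):
    return add(y2, neg(mul(a, y1)))


# Menezes–Vanstone: plaintext (x1, x2) in Z_p^* x Z_p^*, not necessarily on E
def mv_encrypt(x, k, p=P_MOD):
    c1, c2 = mul(k, BETA)
    if c1 == 0 or c2 == 0:
        raise ValueError("retry with another k: a zero mask would erase the plaintext")
    return mul(k, ALPHA), c1 * x[0] % p, c2 * x[1] % p


def mv_decrypt(y0, y1, y2, a=A_SEC, p=P_MOD):
    c1, c2 = mul(a, y0)                       # a*y0 = a*k*alpha = k*beta
    return y1 * pow(c1, -1, p) % p, y2 * pow(c2, -1, p) % p


if __name__ == "__main__":
    print(len(points()), "points")                          # 13
    print(elgamal_encrypt((10, 9), 3))                     # ((8, 3), (10, 2))
    print(elgamal_decrypt(*elgamal_encrypt((10, 9), 3)))   # (10, 9)
```

The double-and-add loop is the additive twin of square-and-multiply; on a real curve it must be made constant-time (Montgomery ladder), since a branch on each bit of the secret k or a is a textbook side channel.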
Signature Schemes
Signature: something that is attached to a document to specify the person responsible for it.
Conventional (paper) signature                   Digital signature
Bound to the document                            Not attached; some type of binding to the document is required
Verification possible in the public domain       Verified by a publicly known algorithm
Forgery is difficult                             A copy is identical to the original signature (so replay must be prevented)

Any signature scheme will have:
a PRIVATE generation algorithm and a PUBLIC verification algorithm (both polynomial-time algorithms)
{P, A, K, Sig, Ver}
P: messages (finite set)
A: signatures (finite set)
K: keys (finite set)
sig_K : P → A
ver_K : P × A → {true, false}
It should be computationally infeasible for Oscar to forge Bob's signature on a message x.
Like public-key systems, we want the signature scheme to be computationally secure.
Note that a signature scheme cannot be unconditionally secure, because Oscar can exhaustively try all y ∈ A on a message x until one is verified by ver_K.

RSA Signature
Sign using the decryption rule d_K; verify using the encryption rule e_K:
sig_K(x) ≡ x^a mod n
ver_K(x, y) = true   iff   x ≡ y^b mod n
Security
Suppose Oscar wants to put Alice's signature on another document x_1, but (x_1, y) doesn't work (is not verified). Oscar needs y_1 such that y_1^b ≡ x_1 mod n (he needs to find y_1 for such an intended x_1). This is equivalent to the decryption problem of RSA. This is hard.
Oscar can instead choose y_1 first. Let the message be m_1 = y_1^b mod n and send the pair (m_1, y_1). Alice cannot deny that it is her signature (it verifies). But it is very unlikely that m_1 is a meaningful message (that Oscar really wants to forge). Thus Alice's claim that she has been forged will be believed. (This is an existential forgery; hashing the message before signing removes it, see the hash-function section.)
Lecture 20 (4/11/08)

ElGamal Signature
Requires a 130–150 digit p per value, i.e. a 2 × 512-bit signature for computational security (2008 figures).
Z_p^* = ⟨α⟩
P = Z_p^*, A = Z_p^* × Z_{p−1}
β = α^a mod p
Public: p, α, β
Private: 0 < a < p − 1
Sign: for a random k ∈ Z_{p−1}^* (i.e. gcd(k, p − 1) = 1),
sig_K(x, k) = (γ, δ) where
γ = α^k mod p                       (note: Z_p^* = ⟨α⟩)
δ = (x − aγ) k^{−1} mod (p − 1)
Verify: ver_K(x, γ, δ) = true   iff   β^γ γ^δ ≡ α^x mod p,
because β^γ γ^δ = α^{aγ + kδ} and aγ + kδ ≡ x mod (p − 1).

Security
1. Oscar chooses a value γ and then tries to find the corresponding δ. In order to satisfy β^γ γ^δ ≡ α^x mod p, he must compute δ = log_γ (α^x β^{−γ}) (DLP).
2. Oscar chooses δ and tries to solve for γ. He needs to satisfy β^γ γ^δ ≡ α^x mod p. No feasible solution has been found; it is not related to well-studied problems such as the DLP.
3. Choosing γ and δ and then solving for x also leads to the DLP (x = log_α (β^γ γ^δ)), and/or gives a random x.
Thus the adversary cannot sign a given message x using the ElGamal signature algorithm. However, it can be shown that the adversary can sign a random message by choosing γ, δ, and x simultaneously, but this is not a threat for two reasons:
1. x is likely to have no meaning.
2. In practice a hash function is applied to the message prior to signing. Using a secure hash will prevent this threat.

Careless use of ElGamal signatures
1. The random number k should not be revealed. If k is known, a complete break results:
   a = (x − kδ) γ^{−1} mod (p − 1)   (when gcd(γ, p − 1) > 1 there are gcd(γ, p − 1) candidates, tested against β = α^a).
2. Using the same random value k in signing two different messages:
   sig(x_1, k) = (γ, δ_1),  sig(x_2, k) = (γ, δ_2)   (same γ, since γ depends only on k).
   We have β^γ γ^{δ_1} ≡ α^{x_1} mod p and β^γ γ^{δ_2} ≡ α^{x_2} mod p.
   Then α^{x_1 − x_2} ≡ γ^{δ_1 − δ_2} mod p, but γ ≡ α^k mod p,
   thus α^{x_1 − x_2} ≡ α^{k(δ_1 − δ_2)} mod p   =>   x_1 − x_2 ≡ k(δ_1 − δ_2) mod (p − 1).
   Let d = gcd(δ_1 − δ_2, p − 1).
   If d = 1 then k ≡ (δ_1 − δ_2)^{−1} (x_1 − x_2) mod (p − 1).
   Otherwise d | (p − 1), d | (δ_1 − δ_2), and hence d | (x_1 − x_2). Define
   x' = (x_1 − x_2)/d,  δ' = (δ_1 − δ_2)/d,  p' = (p − 1)/d.
   Then x' ≡ k δ' mod p'. Since gcd(δ', p') = 1, we have ε = x' (δ')^{−1} mod p' and
   k = ε + i p' mod (p − 1)   where i = 0, 1, ..., d − 1.
   Of these d candidates, the unique correct one satisfies γ ≡ α^k mod p.
   Once k is known, a follows as in item 1.
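ElGamal signing and verification plus the two "careless use" recoveries above, as an added example that is not part of the original notes. The parameters p = 467, α = 2 (a primitive element, since 467 ≡ 3 mod 8 makes 2 a quadratic non-residue and p − 1 = 2·233), a = 127, the messages 100 and 250 and the reused k = 213 are constructed toy values; solve_linear, recover_k and recover_a are my own names. solve_linear returns all d = gcd(u, m) solutions of u·k ≡ v mod m, which is the candidate list of the notes.

```python
# Added example (not from the lecture notes): ElGamal signatures over Z_p^* with
# the constructed parameters p = 467, alpha = 2, a = 127, and the recovery of k
# and then a from two signatures made with the same k (the "careless use" case).
from math import gcd

P_, ALPHA = 467, 2          # 2 is a primitive element mod 467
A_SEC = 127
BETA = pow(ALPHA, A_SEC, P_)


def solve_linear(u, v, m):
    """All k in Z_m with u*k ≡ v (mod m): d = gcd(u, m) candidates, none if d does not divide v."""
    d = gcd(u % m, m)
    if v % d:
        return []
    u_, v_, m_ = (u % m) // d, (v % m) // d, m // d
    base = v_ * pow(u_, -1, m_) % m_
    return [base + i * m_ for i in range(d)]


def sign(x, k, a=A_SEC, p=P_, alpha=ALPHA):
    """(gamma, delta) with gamma = alpha^k, delta = (x - a*gamma) k^{-1} mod (p-1)."""
    assert gcd(k, p - 1) == 1, "k must be invertible mod p-1"
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta


def verify(x, gamma, delta, beta=BETA, p=P_, alpha=ALPHA):
    """beta^gamma * gamma^delta ≡ alpha^x (mod p)."""
    if not 0 < gamma < p or not 0 <= delta < p - 1:
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)


def recover_k(x1, sig1, x2, sig2, p=P_, alpha=ALPHA):
    """Same gamma in both signatures => x1 - x2 ≡ k (delta1 - delta2) mod (p-1)."""
    gamma, d1 = sig1
    gamma2, d2 = sig2
    assert gamma == gamma2, "different k was used; this attack does not apply"
    for k in solve_linear(d1 - d2, x1 - x2, p - 1):
        if pow(alpha, k, p) == gamma:        # the unique candidate matching gamma
            return k
    return None


def recover_a(x, sig, k, p=P_, alpha=ALPHA, beta=BETA):
    """With k known: a*gamma ≡ x - k*delta mod (p-1), checked against beta."""
    gamma, delta = sig
    for a in solve_linear(gamma, x - k * delta, p - 1):
        if pow(alpha, a, p) == beta:
            return a
    return None


if __name__ == "__main__":
    s1, s2 = sign(100, 213), sign(250, 213)      # same k twice: fatal
    k = recover_k(100, s1, 250, s2)
    print("k =", k, "a =", recover_a(100, s1, k))   # k = 213, a = 127
```

The same algebra breaks DSA and ECDSA when k repeats or is biased, which is why deterministic nonce derivation (RFC 6979) or a CSPRNG with per-signature freshness is mandatory in practice.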
Digital Signature Standard (DSS)
In order to ensure computational security, the DLP of ElGamal requires a large modulus (p > 512 bits), which if used directly would require a 2 × 512-bit signature. For many applications, e.g. smart cards, a shorter signature is required.
DSS is the modification of the ElGamal signature scheme standardized in 1994 (FIPS 186). DSS modifies ElGamal so that a 160-bit message (digest) is signed, resulting in a 320-bit signature.
p: 512-bit prime (the 1994 parameters; FIPS 186-4/186-5 now require p of 2048 bits or more and q of 224 or 256 bits, with a SHA-2 digest)
q: 160-bit prime, q | (p − 1), p = kq + 1
g: primitive root of p (Z_p^* = ⟨g⟩)
Define α = g^{(p−1)/q} mod p   =>   α^q ≡ 1 mod p, and α^i ≢ 1 mod p for 0 < i < q, so the order of α is q.
a: random integer (0 < a < q)
β = α^a mod p
x: message (*** in practice x = SHA-1(message), a 160-bit digest; today a SHA-2 digest is used ***)
Public: {p, q, α, β}
Private: {a}
To sign message x:
Select a random k, 1 ≤ k ≤ q − 1.
γ = (α^k mod p) mod q      (** ensure γ ≠ 0, otherwise pick a new k **)
δ = (x + aγ) k^{−1} mod q  (** ensure δ ≠ 0 **)
sig_K(x, k) = (γ, δ)       (0 < γ, δ < q: 320 bits in total)
To verify message x:
gcd(δ, q) = 1 unless δ = 0, so δ is invertible mod q.
w = δ^{−1} mod q
e_1 = xw mod q
e_2 = γw mod q
v = (α^{e_1} β^{e_2} mod p) mod q
ver(x, γ, δ) = true when v = γ.
Proof:
k ≡ (x + aγ) δ^{−1} = xw + aγw mod q, hence (this is because ord(α) = q)
α^{e_1} β^{e_2} = α^{xw} α^{aγw} = α^{xw + aγw} = α^k mod p
so v = (α^k mod p) mod q = γ.
Note: We have a small signature (320 bits) but the computations are done mod p. Security is based on the DLP in ⟨α⟩, a cyclic subgroup of Z_p^* that has 160-bit order. As in ElGamal, k must be fresh and secret for every signature; a repeated or leaked k reveals a.
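DSS signing and verification as an added example that is not part of the original notes. The parameters are generated in the block from fixed seeds (a 20-bit q and p = kq + 1, checked with a deterministic Miller–Rabin valid below 3.2·10^9), so they are toy sizes; the digest is SHA-256 reduced mod q rather than the SHA-1 of the notes (SHA-1 is deprecated), and a, the messages and the function names are my own constructed choices.

```python
# Added example (not from the lecture notes): DSS/DSA with toy parameters built
# from fixed seeds: q ~ 2^20 prime, p = k*q + 1 prime, alpha of order q.
# Digest = SHA-256 mod q (the notes' SHA-1 is deprecated today).
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3,215,031,751 (bases 2, 3, 5, 7)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q_bits=20):
    """Smallest prime q >= 2^q_bits, then the smallest even k with p = kq + 1 prime."""
    q = 1 << q_bits
    while not is_prime(q):
        q += 1
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = 2
    while pow(g, (p - 1) // q, p) == 1:   # need alpha != 1 so that ord(alpha) = q
        g += 1
    return p, q, pow(g, (p - 1) // q, p)


P_, Q_, ALPHA = make_params()
A_SEC = 123457                          # private key, 0 < a < q
BETA = pow(ALPHA, A_SEC, P_)


def digest(msg, q=Q_):
    """x = H(message) mod q, the value that actually gets signed."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(msg, k=None, a=A_SEC, p=P_, q=Q_, alpha=ALPHA):
    """(gamma, delta); retries with a fresh k if gamma or delta would be 0."""
    x = digest(msg, q)
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        gamma = pow(alpha, kk, p) % q
        delta = (x + a * gamma) * pow(kk, -1, q) % q
        if gamma and delta:
            return gamma, delta
        if k is not None:
            raise ValueError("supplied k gives a zero component; pick another k")


def verify(msg, gamma, delta, beta=BETA, p=P_, q=Q_, alpha=ALPHA):
    if not (0 < gamma < q and 0 < delta < q):
        return False
    x = digest(msg, q)
    w = pow(delta, -1, q)
    e1, e2 = x * w % q, gamma * w % q
    v = pow(alpha, e1, p) * pow(beta, e2, p) % p % q
    return v == gamma


if __name__ == "__main__":
    m = b"transfer 10 EUR to Bob"
    sig = sign(m)
    print(verify(m, *sig), verify(b"transfer 10000 EUR to Bob", *sig))   # True False
```

The range checks in verify are not decoration: accepting γ = 0 or δ outside (0, q) is a classic implementation bug that lets an attacker forge signatures without knowing a.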
Elliptic Curve DSA
p: prime (or a power of 2)
E: elliptic curve over GF(p)
α: point on E having prime order q (such that the DLP in ⟨α⟩ is hard)
The cyclic group used is the subgroup of E generated by α.
Public: {p, q, E, α, β = mα}
Private: {m}
To sign message x:
Select a random k, 1 ≤ k ≤ q − 1.
kα = (u, v)   (i.e. a point on E)
R ≡ u mod q                 (** ensure R ≠ 0 **)
S ≡ k^{−1}(x + mR) mod q    (** ensure S ≠ 0 **)
sig(x, k) = (R, S)
To verify message x:
gcd(S, q) = 1 unless S = 0, so S is invertible mod q.
w = S^{−1} mod q
i = xw mod q
j = Rw mod q
(u, v) = iα + jβ
ver(x, R, S) = true when R ≡ u mod q.
Proof:
iα + jβ = (wx mod q)α + (wR mod q)(mα) = {w(x + mR) mod q} α = (wkS mod q) α = kα = (u, v),
so R ≡ u mod q.
Hash Functions
h : X → Z maps a long message x to a short message digest (e.g. 160 bits).
Properties:
|X| ≥ |Z| (many-to-one)
Given x, h(x) should be quickly computed.
Applications:
a) Unkeyed hash (data integrity): given a message x, compute y = h(x) and store y securely. If x is modified to x', one can detect it by computing y' = h(x') and verifying that y' ≠ y.
b) Keyed hash (aka MAC, Message Authentication Code): suppose y = h_K(x) {or e_K(h(x))} where K is the secret shared by Alice and Bob. Alice transmits the pair (x, y) through an insecure channel. Now, if x or y is modified by the adversary, then Bob can detect the modification by verifying y = h_K(x).
c) Signature: since the message x is too long to have an efficient signature scheme, we first (efficiently) compute the message digest z = h(x) with an unkeyed hash function and then sign the shorter sequence z (usually 160 bits).

Security of hash functions
Note that a hash function h(x) is in the public domain.
A hash function is secure if it is hard to solve the following three problems:
1. Preimage:
   Given: h : X → Y and y ∈ Y
   Find: x ∈ X such that y = h(x)
   If computing a preimage is hard for a hash function, it is said to be one-way or preimage resistant.
   This makes random (existential) forgery in a hash-then-sign signature scheme impossible.
2. Second preimage:
   Given: h : X → Y and x ∈ X
   Find: x' ∈ X such that x' ≠ x and h(x') = h(x)
   This makes selective forgery impossible.
3. Collision:
   Given: h : X → Y
   Find: x, x' ∈ X such that x ≠ x' and h(x) = h(x')
   If it is difficult to compute a collision, the hash is called collision resistant (the hardest property to achieve).
   Note that collisions always exist because of the many-to-one nature of the hash function. The goal is to make finding them computationally infeasible.
Example:
Let x ∈ X, y = sig_K(h(x)).
To perform a selective forgery, the adversary attempts to find x' ≠ x but with h(x') = h(x). If he succeeds, then (x', y) is a valid signature.
To prevent this, we need to have a hash with the second-preimage-resistant property.
Lecture 21 (4/18/08)

Example: Existential forgery in the RSA signature
RSA signature with hashing:
y ≡ z^a mod n   (sig_K)
z ≡ y^b mod n   (ver_K)
where z = h(x), x: message.
To perform an existential forgery, the adversary picks a random y and computes z by z = y^b mod n. Hence (z, y) passes verification. However, the adversary ALSO needs to find x from z = h(x) if (x, y) is going to be a valid signature on an actual message.
If the hash is preimage resistant, then the adversary cannot perform an existential forgery on the RSA signature scheme. (Note that without the use of a hash, this attack was possible on the RSA signature scheme with a random/gibberish message.)

Las Vegas algorithm to find a preimage:
Let h : X → Y where |X| = N, |Y| = M   (e.g. M = 2^160 for a 160-bit hash).
Findpreimage(h, y, q):
   Choose any X_0 ⊆ X with |X_0| = q
   For each x ∈ X_0:            (q iterations)
      if h(x) = y then return(x)
   Return(failure)
The success probability of this algorithm, for any fixed y, is constant:
Pr(h(x) = y)       = 1/M           (for a random x, assuming h behaves randomly)
Pr(h(x) ≠ y)       = 1 − 1/M
Pr(failure) = Pr(y ∉ h(X_0)) = (1 − 1/M)^q
Pr(success) = 1 − Pr(failure) = 1 − (1 − 1/M)^q ≈ q/M   (assuming q << M)
Since Pr(h(x) = y) is uniform across all y's, the success probability averaged over all y ∈ Y is the same as above.
This same approach can be extended to the probability of success for finding a second preimage (q − 1 fresh trials besides the given x):
Pr(success) = 1 − (1 − 1/M)^{q−1}

Las Vegas algorithm to find a collision:
Input: h : X → Y and q
   Let X_0 ⊆ X, |X_0| = q
   For each x ∈ X_0: y_x = h(x)      (q iterations)
   If y_x = y_{x'} for some x ≠ x'
      then return(x, x')
   else return(failure)
Note that the algorithm computes y_x = h(x) and stores the values in memory for future comparison (q values of storage).
Given h : X → Y with X, Y finite sets, |Y| = M and |X| ≥ 2|Y|, there will be at least M colliding pairs (each of the M outputs must be hit at least twice when 2M inputs are spread as evenly as possible).
Birthday Paradox
If there are 23 people in a room, the probability is slightly more than 50% that two of them have the same birthday. If there are 30 people, the probability is around 70%... Why? How is this related to collisions in a hash?
Let
h : X → Y
|X|: living human beings
y = h(x): birthday of person x   =>   |Y| = 365
Hence, finding two people with the same birthday is the same as finding a collision for a hash. If we try q = 23 values in the collision algorithm, the birthday paradox says that the probability of a collision is about 50% when q = 23 and M = 365.

In general:
Suppose we have M bins and we throw q balls randomly into those M bins. Then we check to see if some bin contains at least two balls.
This is equivalent to saying: given a hash function h : X → Z where |Z| = M, |X| = N, find a collision by choosing q random distinct elements x_i ∈ X_0 ⊆ X and computing z_i = h(x_i), i = 1, ..., q.
What is the probability of at least one collision here?
We find a lower bound on the probability of finding a collision. This lower bound depends on q and M, but not on N. We assume that for any z ∈ Z, |h^{−1}(z)| ≈ N/M (if this assumption does not hold, the probability of finding a collision will increase).
If we assume that |h^{−1}(z)| ≈ N/M, we conclude that the z_i are random (not necessarily distinct).
Consider z_1, z_2, ..., z_q.
The first choice z_1 is arbitrary.
The second choice z_2: Pr(z_2 ≠ z_1) = 1 − 1/M
The third choice z_3: Pr(z_3 ≠ z_2 and z_3 ≠ z_1) = 1 − 2/M
Thus
Pr(no collision) = (1 − 1/M)(1 − 2/M)···(1 − (q−1)/M) = ∏_{i=1}^{q−1} (1 − i/M)
Using e^{−x} = 1 − x + x^2/2! − x^3/3! + ... ≈ 1 − x when |x| << 1 (i.e. if q/M is small):
∏_{i=1}^{q−1} (1 − i/M) ≈ ∏_{i=1}^{q−1} e^{−i/M} = e^{−(1/M) Σ_{i=1}^{q−1} i} = e^{−q(q−1)/(2M)}
Thus
Pr(collision) ≈ 1 − e^{−q(q−1)/(2M)}

Since 1 − e^{−q(q−1)/(2M)} = ε   =>   q^2 − q = 2M ln(1/(1 − ε)),
and assuming q << q^2 (q ~ 2^10 or more)   =>   q ≈ √(2M ln(1/(1 − ε))).
Taking ε = 0.5   =>   q ≈ √(2 ln 2) √M ≈ 1.17 √M   (for M = 365, q ≈ 22.3).
This implies that hashing just over √M random elements of X yields a collision with probability of at least 50%. Note that for any ε, we still have q = O(√M).
Remark: The birthday paradox imposes a lower bound on the size of a message digest. If M = 2^40 = |Z|, in other words a 40-bit hash output h : X → Z, the hash would be insecure because a collision can be found with probability ε ≈ 1/2 with just over √M = 2^20 random hashes. Thus the minimum acceptable message digest was taken to be 128 bits (about 2^64 attempts to find one collision). DSS uses 160 bits (about 2^80 attempts), which was considered secure against the birthday attack in 2008. (A 2^80 work factor is no longer considered adequate, and SHA-1 itself was broken by a practical collision in 2017; current practice is a 256-bit digest.)
Application to Cryptography (the two-document birthday attack)
Suppose we have two sets of q balls: q blue and q red. We throw the blue and red balls into M bins. What is the probability that at least one of the bins contains balls of different colors?
By the same approximation as above,
Pr(at least one blue/red collision) ≈ 1 − e^{−q^2/M},
and a fixed probability ε is reached for q ≈ √(M ln(1/(1 − ε))).
Let h(x) = z with |Z| = 2^50 (a 50-bit message digest), M = 2^50.
Good document x: 30 places in x can be edited (e.g. two equivalent phrasings at each place)   =>   2^30 almost identical documents   =>   q = 2^30 blue balls.
Bad document x': 30 places in x' can be edited in the same way   =>   2^30 almost identical documents   =>   q = 2^30 red balls.
Then q^2/M = 2^60/2^50 = 2^10, so 1 − e^{−2^10} ≈ 1: with almost certain probability, a version x_0 of the good document will match (hash-collide with) a version x_0' of the bad document. The adversary can present the good document x_0 to Alice to hash and sign it.
But
sig_K(h(x_0)) = y and h(x_0) = h(x_0')   =>   (x_0, y) will be verified and (x_0', y) will also be verified.
Therefore the birthday attack must be prevented in hashing: the digest must be long enough that √M work is infeasible.
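The birthday bound of the previous section and the two-document attack above, as an added example that is not part of the original notes. To make the attack run on a laptop the hash is SHA-256 truncated to t bits (so M = 2^t), which is my construction, as are the two contract templates with ten interchangeable phrasings each (2^10 variants per document); the function names are mine. q_for uses the formula q = √(2M ln(1/(1 − ε))) from the derivation above.

```python
# Added example (not from the lecture notes): the birthday bound and a
# birthday attack on a truncated hash. h_t(x) keeps only t bits of SHA-256 so
# that M = 2^t is small enough to collide on a laptop; the documents are
# constructed templates with 2^k interchangeable phrasings each.
import hashlib
import math


def h_t(data, t):
    """Toy hash with an M = 2^t range: the low t bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << t) - 1)


def collision_probability(q, M):
    """Exact Pr(collision) for q random draws from M bins: 1 - prod(1 - i/M)."""
    no_coll = 1.0
    for i in range(1, q):
        no_coll *= 1 - i / M
    return 1 - no_coll


def q_for(eps, M):
    """Number of hashes for collision probability eps: sqrt(2 M ln(1/(1-eps)))."""
    return math.sqrt(2 * M * math.log(1 / (1 - eps)))


def find_collision(t, max_tries):
    """Las Vegas collision search: hash counters until a digest repeats.
    Returns (x, x', number of hashes) or None."""
    seen = {}
    for i in range(max_tries):
        x = i.to_bytes(8, "big")
        z = h_t(x, t)
        if z in seen:
            return seen[z], x, i + 1
        seen[z] = x
    return None


def variants(template, choices):
    """All 2^k phrasings of a template with k two-way choices, as bytes."""
    k = len(choices)
    for bits in range(1 << k):
        yield template.format(*(choices[i][(bits >> i) & 1] for i in range(k))).encode()


def two_document_attack(good_template, bad_template, choices, t):
    """Find a good/bad pair with equal t-bit digest (the blue/red balls setting)."""
    good_by_digest = {h_t(doc, t): doc for doc in variants(good_template, choices)}
    for bad in variants(bad_template, choices):
        z = h_t(bad, t)
        if z in good_by_digest:
            return good_by_digest[z], bad
    return None


CHOICES = [("agrees", "consents"), ("to pay", "to remit"), ("the sum of", "an amount of"),
           ("by", "no later than"), ("via", "through"), ("bank transfer", "wire"),
           ("to", "in favour of"), ("as", "being"), ("full", "complete"), ("payment", "settlement")]
GOOD = "Alice {0} {1} {2} 10 EUR {3} 2008-05-01 {4} {5} {6} Bob {7} {8} {9}."
BAD = "Alice {0} {1} {2} 10000 EUR {3} 2008-05-01 {4} {5} {6} Bob {7} {8} {9}."

if __name__ == "__main__":
    print(round(q_for(0.5, 365), 1), collision_probability(23, 365))   # ~22.5, ~0.507
    print(find_collision(24, 20000))
    print(two_document_attack(GOOD, BAD, CHOICES, 16))
```

With t = 16 and 2^10 variants per document, q^2/M = 2^20/2^16 = 16, so a cross-collision is found with probability about 1 − e^{−16}; the same arithmetic with a 50-bit digest and 2^30 variants is the scenario of the notes.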
Discrete Log Hash Function (Chaum, van Heijst, Pfitzmann)
Algorithm (a slow but provably secure method):
Let p be a large prime such that q = (p − 1)/2 is also prime.
Let α and β be two primitive elements of Z_p (ord(α) = ord(β) = p − 1).
The value a = log_α β is not public, and we assume the DLP is hard in Z_p.
Then h : {0, 1, ..., q − 1} × {0, 1, ..., q − 1} → Z_p^*
is defined as h(x_1, x_2) = α^{x_1} β^{x_2} mod p = α^{x_1 + a x_2} mod p.
Security
Given one collision for the Chaum–van Heijst–Pfitzmann hash function, h(x_1, x_2) = h(x_3, x_4) with (x_1, x_2) ≠ (x_3, x_4), the discrete log a = log_α β can be computed efficiently, since α^{x_1} β^{x_2} ≡ α^{x_3} β^{x_4} mod p. Since the DLP is assumed hard, collisions must therefore be hard to find.
If a collision is given:
α^{x_1 + a x_2} ≡ α^{x_3 + a x_4} mod p
x_1 + a x_2 ≡ x_3 + a x_4 mod (p − 1)
a (x_2 − x_4) ≡ x_3 − x_1 mod (p − 1)
Note x_2 ≠ x_4, since otherwise α^{x_1} = α^{x_3} forces x_1 = x_3 and the two inputs would be equal.
Since p − 1 = 2q and 0 < |x_2 − x_4| < q, we have d = gcd(x_2 − x_4, p − 1) ∈ {1, 2}:
If d = 1: a ≡ (x_3 − x_1)(x_2 − x_4)^{−1} mod (p − 1).
If d = 2: then x_3 − x_1 is even as well, and a ≡ ((x_3 − x_1)/2)((x_2 − x_4)/2)^{−1} mod q, which leaves two candidates, a and a + q, mod (p − 1); the correct one is the one with α^a ≡ β mod p.
In both cases log_α β is found with one gcd and one modular inversion, so finding a collision is at least as hard as the DLP.
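The collision-to-discrete-log reduction above, run on toy parameters as an added example that is not part of the original notes. The values p = 47, q = 23, α = 5 (primitive mod 47) and the secret a = 17 are constructed; the functions h, find_collision and log_from_collision are my own names. The brute-force collision search is only possible because the domain has 23^2 = 529 inputs; the point is the reduction, which recovers a from any collision, including the gcd = 2 case.

```python
# Added example (not from the lecture notes): the Chaum–van Heijst–Pfitzmann
# hash with constructed toy parameters p = 47, q = 23 (so p - 1 = 2q),
# alpha = 5, secret a = 17, beta = alpha^a, and the collision -> discrete-log
# reduction of the security proof, including the gcd = 2 case.
from itertools import product
from math import gcd

P_, Q_ = 47, 23                 # p and q = (p - 1)/2 both prime
ALPHA = 5                       # primitive mod 47 (5 is a QNR mod 47 and 5^2 != 1)
A_SEC = 17                      # log_alpha(beta); gcd(17, 46) = 1 keeps beta primitive
BETA = pow(ALPHA, A_SEC, P_)


def h(x1, x2, p=P_, alpha=ALPHA, beta=BETA):
    """h(x1, x2) = alpha^x1 * beta^x2 mod p on inputs 0 <= x1, x2 < q."""
    return pow(alpha, x1, p) * pow(beta, x2, p) % p


def find_collision(q=Q_):
    """Brute force over the q^2 inputs: the first pair of distinct inputs with equal hash."""
    seen = {}
    for x1, x2 in product(range(q), repeat=2):
        z = h(x1, x2)
        if z in seen:
            return seen[z], (x1, x2)
        seen[z] = (x1, x2)
    return None


def log_from_collision(u, v, p=P_, alpha=ALPHA, beta=BETA):
    """Solve a (x2 - x4) ≡ x3 - x1 (mod p - 1) from h(x1,x2) = h(x3,x4).
    d = gcd(x2 - x4, p - 1) is 1 or 2, giving at most two candidates for a."""
    (x1, x2), (x3, x4) = u, v
    m = p - 1
    lhs, rhs = (x2 - x4) % m, (x3 - x1) % m
    d = gcd(lhs, m)
    assert rhs % d == 0 and d in (1, 2)
    base = (rhs // d) * pow(lhs // d, -1, m // d) % (m // d)
    for a in (base + i * (m // d) for i in range(d)):
        if pow(alpha, a, p) == beta:       # the check that picks a from {a, a + q}
            return a
    return None


if __name__ == "__main__":
    u, v = find_collision()
    print("collision:", u, v, h(*u) == h(*v))
    print("recovered log_alpha(beta) =", log_from_collision(u, v))   # 17
```

The pair (20, 5) and (8, 3) is a hand-made collision (both exponents are 105 and 59, which differ by 46 = p − 1) with x_2 − x_4 = 2, so it exercises the d = 2 branch and the final check against β.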
Iterated Hash Functions
Most hash functions in practice are some form of iterated hash.
An iterated hash maps a bit string of arbitrary (finite) length to a fixed-length output.
Define a compression function
g : {0,1}^{m+t} → {0,1}^m
An iterated hash consists of three steps:
1) Preprocessing
   Given an input string x, |x| ≥ m + t + 1, construct a string y such that |y| ≡ 0 mod t:
   y = [y_1 | y_2 | ... | y_r] where |y_i| = t for 1 ≤ i ≤ r.
   Remark: a common preprocessing step is to use a padding function pad(x):
   y = [x | pad(x)] such that |x| + |pad(x)| ≡ 0 mod t.
   pad(x) must ensure that x -> y is a one-to-one mapping (for collision resistance: otherwise two different x with the same y collide trivially).
2) Processing
   Let IV be a public initial value which is a bit string of length m. Then:
   z_0 = IV
   z_1 = g([z_0 | y_1])
   z_2 = g([z_1 | y_2])
   ...
   z_r = g([z_{r−1} | y_r])
   (a chain of g's: the blocks y_1, y_2, ..., y_r are fed in one at a time, each together with the previous m-bit chaining value)
3) Output transform (optional): R : {0,1}^m → {0,1}^l, a public function.
Hash: h(x) = R(z_r) where z_r is the last output of the processing step.
Secure Hash Algorithm (SHA-1)
Iterated hash with a 160-bit message digest. Word (32-bit) oriented operations on bit strings; the operations are very fast. Constructed from:
X ∧ Y      bitwise AND
X ∨ Y      bitwise OR
X ⊕ Y      bitwise XOR
¬X         complement of X
X + Y      integer addition mod 2^32
ROTL^s(X)  circular left shift by s positions
1) Preprocessing (padding)
   x -> y where |y| ≡ 0 mod 512:
   y = [x | 1 | 0^d | L]
   d = (447 − |x|) mod 512   (number of zero bits appended after the single 1 bit)
   L = 64-bit binary representation of |x| (by adding sufficient zeros to the left of the binary form of |x|)
   Note that this ensures that the mapping x -> y is one-to-one (for collision resistance).
   y = [M_1 | M_2 | ... | M_n] where each M_i is 512 bits.
2) Processing (compression)
   g : {0,1}^{512+160} → {0,1}^{160}
   z_i = [H_0^i | H_1^i | H_2^i | H_3^i | H_4^i]   (five 32-bit words)
   z_0 = [67452301 | EFCDAB89 | 98BADCFE | 10325476 | C3D2E1F0]   (hexadecimal)
   z_1 = g(z_0, M_1), z_2 = g(z_1, M_2), ..., z_n = g(z_{n−1}, M_n); the 160-bit z_n is the digest.
   z_{i+1} = g(z_i, M_{i+1}) is described by:
   Message schedule: split M_{i+1} into 16 words W_0, ..., W_15 and extend with
   W_t = ROTL^1(W_{t−3} ⊕ W_{t−8} ⊕ W_{t−14} ⊕ W_{t−16}) for 16 ≤ t ≤ 79.
   Round constants and round functions:
   K(t) = 5A827999,  f(t, B, C, D) = (B ∧ C) ∨ (¬B ∧ D)             for 0 ≤ t ≤ 19
   K(t) = 6ED9EBA1,  f(t, B, C, D) = B ⊕ C ⊕ D                      for 20 ≤ t ≤ 39
   K(t) = 8F1BBCDC,  f(t, B, C, D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)    for 40 ≤ t ≤ 59
   K(t) = CA62C1D6,  f(t, B, C, D) = B ⊕ C ⊕ D                      for 60 ≤ t ≤ 79
   [A | B | C | D | E] = z_i
   For 0 ≤ t ≤ 79:
      [A | B | C | D | E] = [ROTL^5(A) + f(t, B, C, D) + E + W_t + K(t) | A | ROTL^30(B) | C | D]
   z_{i+1} = z_i + [A | B | C | D | E]   (word-by-word addition mod 2^32)
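SHA-1 written directly from the description above (padding, message schedule, f(t), K(t), the 80-round update and the final word-wise addition), as an added example that is not part of the original notes. The function names pad, compress and sha1_hex are mine; the constants are the ones listed above. The block checks itself against hashlib when run, and the test vectors for "abc" and the empty string are the published ones.

```python
# Added example (not from the lecture notes): SHA-1 written directly from the
# description above (padding, message schedule, f(t), K(t), the 80-round
# update and the final word-wise addition), checked against hashlib.
import hashlib
import struct

MASK = 0xFFFFFFFF
K_ROUND = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def f_round(t, B, C, D):
    if t < 20:
        return (B & C) | (~B & MASK & D)
    if t < 40 or t >= 60:
        return B ^ C ^ D
    return (B & C) | (B & D) | (C & D)


def pad(x):
    """x | 1 | 0^d | 64-bit length, with d = (447 - |x|) mod 512, all in bits."""
    bit_len = 8 * len(x)
    y = x + b"\x80"                            # the single 1 bit followed by 7 zero bits
    y += b"\x00" * ((56 - len(y) % 64) % 64)   # zero bytes up to 448 bits mod 512
    return y + struct.pack(">Q", bit_len)


def compress(state, block):
    """g : {0,1}^{160+512} -> {0,1}^{160}: one 512-bit block M_i into z_i."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    A, B, C, D, E = state
    for t in range(80):
        tmp = (rotl(A, 5) + f_round(t, B, C, D) + E + W[t] + K_ROUND[t // 20]) & MASK
        A, B, C, D, E = tmp, A, rotl(B, 30), C, D
    return tuple((s + v) & MASK for s, v in zip(state, (A, B, C, D, E)))


def sha1_hex(x):
    state = IV
    y = pad(x)
    for i in range(0, len(y), 64):
        state = compress(state, y[i:i + 64])
    return "".join("%08x" % w for w in state)


if __name__ == "__main__":
    for msg in (b"", b"abc", b"a" * 1000):
        assert sha1_hex(msg) == hashlib.sha1(msg).hexdigest()
    print(sha1_hex(b"abc"))   # a9993e364706816aba3e25717850c26c9cd0d89d
```

Because the digest is just the final chaining value, anyone who knows h(x) and |x| can continue the chain and compute h(x | pad(x) | y) without knowing x (a length-extension attack); that is why a MAC must not be built as h(K | x) with this construction, and why HMAC exists. SHA-1 itself is deprecated since practical collisions were demonstrated in 2017.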
Key Distribution and Establishment
Cryptosystems:
Public key (asymmetric): no secure channel is needed / slower
Private key (symmetric): a secure channel is needed / faster
Key establishment for secret-key cryptosystems:
1. Key distribution: one party chooses a secret key and then transmits it securely to another party or parties. The secure transmission of a shared secret key can be performed by a public-key system. (This requires a server or a trusted third party that keeps the public keys of the clients.)
2. Key agreement: neither party knows the key in advance. It is determined as a result of their interaction.

Diffie–Hellman Key Exchange
Two clients U, V.
1. Either U or V selects a large secure prime p and a generator α such that Z_p^* = ⟨α⟩.
2. U chooses a secret random a_u, 1 ≤ a_u ≤ p − 2   /   V chooses a secret random a_v, 1 ≤ a_v ≤ p − 2.
3. U computes α^{a_u} mod p and sends it to V   /   V computes α^{a_v} mod p and sends it to U.
   a) (authenticated variant) U computes sig_U(α^{a_u}, α^{a_v}) and sends it to V   /   V computes sig_V(α^{a_v}, α^{a_u}) and sends it to U.
4. U computes K ≡ (α^{a_v})^{a_u} ≡ α^{a_u a_v} mod p   /   V computes K ≡ (α^{a_u})^{a_v} ≡ α^{a_u a_v} mod p.
   a) U verifies ver_V(α^{a_v}, α^{a_u})   /   V verifies ver_U(α^{a_u}, α^{a_v}), and aborts if the check fails.

Intruder-in-the-Middle Attack (on the unauthenticated exchange)
1. Oscar chooses an exponent z.
2. Oscar intercepts α^{a_u} and α^{a_v}.
3. Oscar sends α^z to U and to V (U believes she is receiving α^{a_v}, and V thinks he is receiving α^{a_u}).
4. Oscar computes k_{U,O} = (α^{a_u})^z mod p and k_{V,O} = (α^{a_v})^z mod p.
   U and V, not realizing that Oscar is in the middle, also compute k_{U,O} and k_{V,O} respectively.
5. When U sends a message to V encrypted with k_{U,O}, Oscar decrypts it and then re-encrypts it with k_{V,O} and sends it to V. V can decrypt the cipher using k_{V,O}. V has no idea that the communication is insecure.
Note that using a signature over both exchanged values (steps 3a/4a) prevents the intruder-in-the-middle attack: Oscar cannot produce sig_U over the values that V actually received. This requires that U and V already hold each other's authentic public keys (e.g. via certificates); the full station-to-station protocol also binds the identities of the parties into the signed data.
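The exchange above simulated with and without Oscar, as an added example that is not part of the original notes. The DH parameters (the Mersenne prime 2^61 − 1 with base 3, which need not be a generator for this demonstration), the RSA-on-SHA-256 signatures with toy keys generated from fixed seeds, and the Party/run names are all my constructions; the signatures cover the pair (own value, received value) exactly as in steps 3a/4a.

```python
# Added example (not from the lecture notes): Diffie–Hellman with and without
# the signed variant, and Oscar in the middle. Constructed toy parameters:
# a 61-bit prime p, base 3, RSA-on-SHA-256 signatures with small keys
# generated from fixed seeds.
import hashlib
import random

P_DH = (1 << 61) - 1      # Mersenne prime 2^61 - 1
G_DH = 3


def next_prime(n):
    """Smallest prime >= n by trial division (toy key sizes only)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def rsa_keypair(seed):
    p = next_prime(seed)
    q = next_prime(p + 2)
    n, e = p * q, 65537
    return (n, pow(e, -1, (p - 1) * (q - 1))), (n, e)    # (private, public)


def rsa_sign(priv, message):
    n, d = priv
    z = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(z, d, n)


def rsa_verify(pub, message, sig):
    n, e = pub
    z = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == z


class Party:
    def __init__(self, name, seed, rng):
        self.name = name
        self.priv, self.pub = rsa_keypair(seed)
        self.exp = rng.randrange(1, P_DH - 1)          # secret a_u
        self.value = pow(G_DH, self.exp, P_DH)         # alpha^{a_u}

    def key(self, received):
        return pow(received, self.exp, P_DH)

    def sign_transcript(self, received):
        """sig over (own value, value received), as in step 3a."""
        return rsa_sign(self.priv, b"%d|%d" % (self.value, received))

    def check(self, peer_pub, peer_value, sig):
        """Verify the peer's signature over (peer value as received, own value)."""
        return rsa_verify(peer_pub, b"%d|%d" % (peer_value, self.value), sig)


def run(mitm, seed=7):
    """Returns what U and V derive, what Oscar learns, and whether the signed checks pass."""
    rng = random.Random(seed)
    u, v = Party("U", 10000, rng), Party("V", 20000, rng)
    z = rng.randrange(1, P_DH - 1)
    oscar_value = pow(G_DH, z, P_DH)
    u_gets = oscar_value if mitm else v.value      # what U receives as "alpha^{a_v}"
    v_gets = oscar_value if mitm else u.value      # what V receives as "alpha^{a_u}"
    k_u, k_v = u.key(u_gets), v.key(v_gets)
    oscar_keys = {pow(u.value, z, P_DH), pow(v.value, z, P_DH)} if mitm else set()
    sig_u, sig_v = u.sign_transcript(u_gets), v.sign_transcript(v_gets)
    return {
        "keys_agree": k_u == k_v,
        "oscar_knows_both": {k_u, k_v} <= oscar_keys,
        "u_accepts": u.check(v.pub, u_gets, sig_v),
        "v_accepts": v.check(u.pub, v_gets, sig_u),
    }


if __name__ == "__main__":
    print("honest:", run(mitm=False))
    print("mitm  :", run(mitm=True))
```

In the attacked run U and V each share a key with Oscar rather than with each other, and both signature checks fail because each party signed the value it actually received, which Oscar replaced; relaying U's genuine signature does not help him. The check only means something if v.pub and u.pub are authentic, which is the certificate/PKI problem the notes mention under key distribution.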