Ch1 - Algorithms with numbers Basic arithmetic Basic arithmetic Addition Addition Multiplication...
-
Upload
morgan-nichols -
Category
Documents
-
view
246 -
download
5
Transcript of Ch1 - Algorithms with numbers Basic arithmetic Basic arithmetic Addition Addition Multiplication...
Ch1 - Algorithms with numbers
Basic arithmetic Addition Multiplication Division
Modular arithmetic RSA –factoring is hard Primality testing
Addition
53+35=88
Cost? (n – number of bits) O(n)
Multiplication 13x11=143
Cost? O(n2)
al-Khwārizmī
Operations determining parity (even or odd) addition duplation (doubling a number, left shift) mediation (halving a number, rounding down,
right shift)
al-Khwārizmī
Cost? O(n2) Can we do better?
Division
Cost?
Modular arithmetic A system for dealing with restricted
ranges of integers
Addition x+y mod N, assuming x, y <N O(n), n - number of bits N has (size of
input)(x+y mod N = x+y or x+y-N)
Multiplication x*y mod N ?
Modular arithmetic
RSA Ron Rivest, Adi Shamir, Leonard
Adleman (1977) Algorithm for public-key cryptography,
based on the presumed difficulty of the factoring problem.
2002 A.M. Turing Award RSA is one of the most used
cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.
Needed for implementing RSA: FLT (Fermat’s Little Theorem) Fast Exponentiation Extended Euclidean Algorithm Modular inverses CRT (Chinese Remainder Theorem)
Turing Lecture on Early RSA Days, Ronald
L. Rivest
Turing Lecture on Early RSA Days, Ronald L. Rivest
Turing Lecture on Early RSA Days, Ronald L. Rivest
In April 2012, the factorization of 143 is achieved.
RSA public-key cryptosystem
In a public-key cryptosystem, everyone has a public key and a secret key. Suppose Alice and Bob are two participants.
Alice PA , SA
Bob PB , SB
The keys specify 1-1 functions from message M to itself:
M= SA (PA (M))M= PA (SA (M))
Communicationchannel
PA(M)
encrypt decrypt
Encryption:
M PA SA
M
Bob Alice
RSADigital signatures:
Communicationchannel
SA(M)
Accept=?
SA PA
M MBobAlice
RSA algorithm Select at random 2 large prime numbers p &
q;(p & q might be, say, 100 decimal digits each.)
Compute n: n = pq; Select an odd integer e that is relatively prime
to (n) = (p-1)(q-1);
Compute d as the multiplicative inverse of e, modulo (n);
(de 1 mod (n)) Publish P = (e, n) as the RSA public key; Keep secret S = (d, n) as the RSA secret key.
If M Zn ={0,1,…,n-1},
P(M) = Me mod nS(C) = Cd mod n, C=P(M).
RSA examplePick p = 47, q=71.n=pq=3337.(n) = (p-1)(q-1)=46*70=3220, choose e=79 (at random).d =79-1 mod 3220 = 1019.PA=(79, 3337).
SA=(1019, 3337).Message: M = 6882326879666683
= 688 232 687 966 668 3M1 = 688 68879 mod 3337 = 1570 =C1M2 = 232 23279 mod 3337 = 2756 =C2…C = 1570 2756 2091 2276 2423 158C1 = 1570 15701019 mod 3337 = 688 =M1…C2 = 158 1581019 mod 3337 = 3 =M2
Another example
n = 4559, e = 13. Smiley Transmits: “Last name
Smiley” L A S T N A M E S M I L E
Y 1201 1920 0014 0113 0500 1913 0912
0525
120113 mod 4559, 192013 mod 4559, …
1074 0116 1478 2150 3906 4256 1445 2462
m e mod n
RSA
Bob receives the encrypted blocks c = m e mod n. He have a private decryption exponent d which when applied to c recovers the original blocks m : (m e mod n )d mod n = m
For n = 4559, e = 13 the decryptor d = 3397.
RSA
n = 4559, d = 3397 1074 0116 1478 2150 3906 4256 1445
2462
1074 3397 mod 4559, 01163397 mod 4559, …
1201 1920 0014 0113 0500 1913 0912 0525
L A S T N A M E S M I L E Y
RSA
Technical difficulties:
How do we know the algorithm works correctly?
How to pick large prime numbers? Compute pq How to choose e Compute d How to compute Me, Cd
Can any one break the code?
RSA
If I want to encrypt credit card numbers, how big my p and q should be?
If I want to encrypt words of four random characters from ASCII set, how big my p and q should be?
How to pick large prime numbers ?
Primality testing Hard, but much easier than factoring. Fermat’s Little Theorem(~1640):
If p is prime, then a, s.t. 1≤a<p, ap-11 (mod p).
The numbers make us fail are called Fermat pseudoprime -extremely rare (ex. 2340=1mod341; Carmichael number 561, 2560=1mod561)
?
Lagrange’s Prime Number Theorem
Theorem: The number of prime numbers between 1 and x is “about” x/lnx .
Not only are primes easy to detect, but they are also relatively abundant.
Carmichael number
A number c is a Carmichael number if it is not a prime, and still for all prime divisors d of c it so happens that d-1divides c-1. The smallest Carmichael number is 561 = 31117 .
If c is a Carmichael number and a is relatively prime to c, then ac-1 1 mod c.
Primality testing
Primality testing
Fermat's Last Theorem
Fermat's Last Theorem states that
xn + yn = zn has no non-zero
integer solutions for x, y and z when n > 2.
RSA
Technical difficulties:
How do we know the algorithm works correctly?
How to pick large prime numbers? Compute pq How to choose e Compute d How to compute Me, Cd? Can any one break the code?
How to compute Me, Cd ?
Modular exponentiation
In order to implement RSA, exponentiation relative some modulo needs to be done a lot. So this operation better be doable, and fast.
Q: How is it even possible to compute 28533397 mod 4559 ? After all, 28533397 has approximately 3397·4 digits!
Modular exponentiation
A: By taking the mod after each multiplication.
For example:
233 mod 30 -73 (mod 30) (-7)2 ·(-7) (mod 30) 49 · (-7) (mod
30) 19·(-7) (mod 30) -133 (mod 30) 17 (mod 30)
Modular exponentiation
Therefore, 233 mod 30 = 17.
Q: What if had to figure out 2316 mod 30. Same way tedious: need to multiply 15 times.
Is there a better way?
Modular exponentiation
A: Better way. Notice that 16 = 2·2·2·2 so that 2316 = 232·2·2·2 = (((232)2)2)2
Therefore:2316 mod 30 (((-72)2)2)2 (mod 30) (((49)2)2)2 (mod 30) (((-11)2)2)2 (mod 30) ((121)2)2 (mod 30) ((1)2 )2 (mod 30) (1)2 (mod 30) 1(mod 30)
Which implies that 2316 mod 30 = 1.Q: How about 2325 mod 30 ?
Modular exponentiation
A: The previous method of repeated squaring works for any exponent that’s a power of 2. 25 isn’t. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. Previous calculation:
238 mod 30 = 2316 mod 30 = 1 Thus: 2325 mod 30 2316+8+1 (mod 30)
Modular exponentiation
x25 mod N
Cost? – polynomial time (n=logN)
Modular exponentiation
How do we compute xy mod m , m>0?
repeated squaring algorithm:
mod-exp(x, y, m)if y = 0 then return(1)else
z = mod-exp(x, y div 2, m)if y mod 2 = 0 then return(z * z mod m)else return(x * z * z mod m)
Compute d ?
Modular Inverse
GCD
Greatest common divisor
Example:
Euclid AlgorithmIf a,bZ+, apply division (mod) repeatedly
as follows:a = q1b + r1, where 0 < r1 < b
b = q2r1 + r2, where 0 < r2 < r1
r1 = q3r2 + r3, where 0 < r3 < r2
……rk-2 = qkrk-1+ rk, where 0 < rk-1 <
rk
rk-1 = qk+1rk
Then, rk = GCD(a,b).
Proof: (1) rk|a, rk|b
(2) if d|a, d|b, then d| rk.
Recursion Theorem
a,b N, b0, gcd(a,b) = gcd(b, a mod b).
Proof :
Let d = gcd(a,b). d|a, d|b.d|a-qb = a mod b d|b, d|a mod b d|gcd(b, a mod b).
Let d = gcd(b, a mod b). d|b, d| a mod b.d|a-qb, d|b d|a d|gcd(a,b).
gcd(a,b) = gcd(b, a mod b).
Computing GCD
Euclid gcd(x,y) {if y = 0 then return(x)else return(gcd(y,x mod y))
}
Euclid AlgorithmExample: Computing gcd(125, 87)
125 = 1*87 + 38 87 = 2*38 + 11 38 = 3*11 + 5 11 = 2*5 + 1 5 = 5*1
gcd(125,87)=1
gcd(125,87) = 111 - 2*5 = 111 - 2*(38-3*11) = 1 - 2*38 + 7*11 = 1- 2*38 + 7*(87 - 2*38) = 17*87 - 16*38 = 17*87 - 16*(125-1*87) = 1- 16*125 + 23*87 = 1
1 = 125*(-16) + 87*231 = as + bt
Extended Euclidean Algorithm
obtain gcd(a,b) and x,y, s.t. gcd(a,b) = ax+by.
Extended-Euclid (a,b)if (b= =0)
return (a,1,0);(d’,x’,y’)=Extended-Euclid(b, a mod b);(d,x,y)=(d’, y’, x’-a/by’);return (d,x,y);
Ex:
4
1
0
5
4
20
4
0
1
0
4
4
5
-2
2
44
108
4
-7
5 1
4
-2
-7
4
12
12
4
-19
2
20
44
1
152
260
1
260
412
1
108
152
x
q
d
y
b
a
demo
Cost?
Theorem: The algorithm above correctly computes the gcd of x and y in time O(n), where n is the total number of bits in the input (x; y)
Multiplicative Inverse
Multiplicative inverse x of a, modulo n:
ax = 1 mod n.ax = kn+1If gcd(a,n)=1, ax-kn = gcd(a,n).
ax+ny = gcd(a,n).Therefore, x can be found using
extended Euclidean algorithm. Is the multiplicative inverse unique?
Multiplicative Inverse
Theorem: n>1, if gcd(a,n)=1, then ax=1 (mod n) has a unique positive solution, modulo n.
Example:a = 79; n = 3220.x = 1019.ax = 80501 = 25*3220+1.
x = -2201. ax = -173879 = -54*3220+1.
RSA
Technical difficulties:
How do we know the algorithm works correctly?
How to pick large prime numbers? Compute pq How to choose e Compute d How to compute Me, Cd? Can any one break the code?
How do we know RSA works correctly?
Chinese Remainder Theorem (~1700 old)
http://en.wikipedia.org/wiki/RSA_Factoring_Challenge#The_prizes_and_records