Lecture 14. Encryption

Copyright 2000-2017 Networking Laboratory

Lecture 14.

Encryption

T. H. Cormen, C. E. Leiserson and R. L. Rivest

Introduction to Algorithms, 3rd Edition, MIT Press, 2009

Sungkyunkwan University

Hyunseung Choo

[email protected]

mailto:[email protected]

Algorithms Networking Laboratory 2/49

Security Risks of Internet

Communication

Eavesdropping

Intermediaries listen in on private conversations

Solution: Encryption (public or private-key)

Manipulation

Intermediaries change information in a private communication

Solution: Methods for preserving data integrity (one-way hash

functions and Message Authentication Codes (MACs))

Impersonation

A sender or receiver communicates under false ID

Solution: Authentication (digital signature, etc)


Terminology

A sender (Bob) wants to send a message to a receiver (Alice) securely

wants to make sure no eavesdropper can read message.

Plaintext – original message

Encryption – process of disguising message to hide its contents

Ciphertext – encrypted message

Decryption – process of turning ciphertext back into plaintext

Cryptography – science of keeping messages secure

Cryptography – science of breaking ciphertext


Background:

Number-Theoretic Algorithm

Useful for public-key encryption schemes

Easy to find large primes

Difficult to factor products of large primes


Size of Inputs

Few inputs of large integers

Size of input = #bits

An algorithm with integer inputs a1, a2, …, ak is a

polynomial time algorithm if it runs time polynomial in lg a1,

lg a2 , …, lg ak; i.e., polynomial in the lengths of the binary-

encoded inputs


Cost of Operations

Arithmetic on large integers takes time

Cost is measured in terms of bit operations

Multiplying two -bit integers takes bit operations

Faster methods do exist, but we will use the others in this

lecture

)( 2


Review of Number Theory

For two integers d and a, d | a (d divides a) if a = kd, k Z. In this case,

a is a multiple of d, and d is a divisor of a (if d >= 0). Every integer

divides 0.

Examples: 2 | 8, 3 | 9, 2 | 10

Every integer a has the trivial divisors 1 and a.

Nontrivial divisors are called factors.

Examples: 2 is a factor of 8 and 10, 3 is a factor of 9.

An integer a > 1 with only trivial divisors is a prime number; otherwise,

a is a composite. The integers are neither prime nor

composite. There are infinitely many prime numbers.

} 2, 1, {0, numbers natural ofset N

}2 1, 0, 1,- 2,- ,{ integers ofset Z

1} 0, 1,- 2,- , {


Division Theorem

For any integer a and positive integer n, there are unique

integer q and r such that and a = qn + r

Example

n r 0

n) (mod b a then n), mod (b n) mod a( If

n a/n - a n mod aor n) mod (a n a/n a

______________ theis )n mod a(r

division theof ______________ theis )a/n( q

5 mod 13-

5 mod 22


Equivalence

If (a mod n) = (b mod n), then a is equivalent to b, modulo

n, denoted .

An equivalence class modulo n containing an integer a is

n) (mod b a

Z}.k |kn a{ a n

______________________________ 2

______________________________ 1

6 3 ______________________________ 0

aren modulo classes eequivalenc The

_________.____________________

are a b some and _, r _, q then 3,n 8, a if :Example

3

3

333


Common Divisors

If d | a and d | b, then d is a common divisor of a and b.

The greatest common divisor gcd(a, b) is the largest such

divisor d.

For example, some common divisors of 12 and 18 are 1, 2,

3 and 6. The greatest common divisor of 12 and 18 is 6.

otherwise ) b , a (min x 1

0 b 0,a if b

0 b 0,a if a

0 ba if 0

b) a,gcd(


Euclid’s Theorem

If a and b are any integers, not both zero, then gcd(a,b) is

the smallest positive element of the set

of linear combinations of a and b.

Example: gcd(9, 15) = 3

9x + 15y = 3

x = 2, y = -1

Z}y x,:by {ax


Relative Primes

Two integers a and b are relatively prime if gcd(a, b) = 1.

Integers are pairwise relatively prime

if

Example: 8, 9, and 25 are pairwise relatively prime.

knnn ,...,, 21

j. i allfor 1),gcd( ji nn


Unique Factorization

Theorem 33.7 For all primes p and all integers a and b, if

p | ab, then p | a or p | b.

Theorem 33.8 A composite integer a can be written in

exactly one way as a product of the form a =

where the are prime, , and the are

positive integers.

Examples:

,21

21re

r

eeppp

rppp 21ipie

1753255

5321350

53675

23

23


Finding the gcd

Given prime factorizations of positive integers a and b,

where some , may be 0.

Then gcd(a,b) =

Example:

However, factoring is not a polynomial time algorithm.

rr f

r

ffe

r

eepppbpppa 2121

2121 ,

ie if

.),min(),min(

2

),min(

12211 rr fe

r

fefeppp

15531753)675,255gcd( 011


Euclid’s Algorithm (1/2)

For any non-negative integer a and any positive integer b,

gcd(a, b) = gcd(b, a mod b)

b) mod a Euclid(b,return else 3

areturn then 2

0 b if 1

decreasingstrictly isargument second; b) Euclid(a,


Euclid’s Algorithm (2/2)

Example

6. 654) gcd(2322, Therefore,

6 0) gcd(6,

6 6) gcd(30, 56 654

6) gcd(30, 30) gcd(66, 6 230 654

30) gcd(66, 66) gcd(294, 30 466 654

66) gcd(294, 294) gcd(360, 66 1294 360

294) gcd(360, 360) gcd(654, 294 1360 654

360) gcd(654, 654) gcd(2322, 360 3654 2332

654.b 2333, aLet


Analysis

For any integer , if and , then

Euclid(a,b) makes fewer than k recursive calls.

Remember that

1k 0ba 1 kFb

operationsbit )O(

operations arithmetic )O(

calls recursive b) O(lgk

5log

5

55

2

51

5

3

1

1

21

bkb,

, bF b

, F FFF

k

kk

k

k

k, kkk


Extended Euclid (1/2)

Since , finding x and y will be

useful for computing modular multiplicative inverses

Running time same as Euclid algorithm.

Zy x,by, ax b)gcd(a,

y) x,return(d,

)y'b

a - x',y' ,(d' y) x,(d,

b) mod a Euclid(b,-Extended )y' , x',(d'

0) 1, (a,return then

0 b if

b) Euclid(a,-Extended


Extended Euclid (2/2)

Example

3 13 06

d 3y 6x

1y 0, x3,d

1 0 6/3 - 1 y 0, x 3, d

0) 1, (3,

0) Euclid(3,-Extended )y' , x',(d'

3) Euclid(6,-Extended y) x,(d,


Correctness of Extended-Euclid

y'b

ax'-y

y' x

byaxd'd

termsRearrange ; )y'b

a - b(x' ay'

TheoremDivision ; b)y'b

a - (a bx' d

Algorithm sEuclid' ; b) (a, gcd d

Theorem sEuclid'; b)y' mod (a bx'

b) mod a gcd(b, d'


Modular Arithmetic

n mod )(a a n mod a andn mod)(a n moda identities uses

(inverse) 1 n mod ab b n moda

n mod ab n) mod (b n) mod (a

n mod b)(a n) mod b( n) mod (a

2c12c2c2c

1-


Solving Modular Linear Equations

Theorem 33.23 If d | b and d = ax’ + ny’ (as computed by

Extended-Euclid) then one solution is x0 = x’(b / d) mod n.

Theorem 33.24 Given one solution x0 , there are exactly d

distinct solutions, modulo n, given by xi = x0 + i(n / d) for i =

0, 2, 3, …, d-1.

b | d iff Solvable

n) gcd(a, dLet

x.find 0; n b, a,Given

n) (mod b ax


Pseudo code

solution). one(only n moda gives n) (mod 1 ax Solving :Note

solutions" no"print else

n mod i(n/d)) (xprint

1-d to0 ifor

n mod (b/d)x' x then

b) | (d if

operations arithmetic ; n) Euclid(a,-Extended )y' , x'(d,

n)) gcd(a,O(lgn; n) b, nSolver(a,earEquatioModularLin

1-

0

0


Chinese Remainder Theorem

Find integers x that leave remainder 2, 3, 2 when divided

by 3, 5, 7 respectively. [Sun-Tsu, 100 A.D.]

Theorem 33.27 Let , where are pairwise

relatively prime and consider the correspondence

where

ink21 nnn n

),a ,...,a ,(a a k21

k. ..., 1, ifor n mod a a and , Z a Z, a iini i


Chinese Remainder Theorem

Theorem 33.27 (cont. )

n) (mod )ca c(a a

)n mod (mm c

k .., 1, ifor n/n m )n mod a ..., ,n mod (a

)a ..., ,(a a From )a ..., ,(a a From

)n mod ba ..., ,n mod b(a n mod ab

)n mod )b(a , ,n mod )b ((a n mod b)(a

)n mod )b(a , ,n mod )b ((a n mod b)(a

then

)b ..., ,b ,(b b and )a , ,a ,(a a If

kk11

i

1-

iii

iki

k1k1

kkk111

kkk111

kkk111

k21k21


Example

i

1

1-

11

1-

2

1-

2

11-

1

1-

1

21

21

21

n moduloor n moduloin can work weThus,

11 11(1) )n mod (mm c

9 11 mod 5 n mod m

1 5 mod 11 n mod m

11 n 5, n

5 m 11, m

3 a 2, a

55) (mod x a Find

11) (mod 3 a 5), (mod 2 aGiven

55) (mod 47

55) (mod 157

55) (mod 135 22

55) (mod 45 3 11 2a

45 5(9) )n mod (mm c 2

-1

222


Corollary 33.29

If are pairwise relatively prime and

then for all integers x and a

n , ,n ,n k21

n , ,n ,nn k21

n. mod a xiff n mod ax i


Euler’s phi function

Euler’s phi function is the size of

, the multiplicative group mod n.

Euler’s Theorem

For any integer

Fermat’s Theorem

If p is prime, then

1} n) gcd(a, : Z a{ Z nn

*

n

(n)

prime. is p if 1-p (p)

. Z a allfor n) (mod 1 a 1, n *

n

(n)

. Z a allfor p) (mod 1 a *

p

1-p


Repeated Squaring

Compare: ab mod n, where a and b are nonnegative

integer and n is a positive integer.

Let b = <bk, bk-1, …, b1, b0>

Compute ac mod n by doubling c for each i and incrementing c

when bi = 1.


Pseudo code(1/2)

dreturn n mod a) (d d

1c c then

1 b if

n mod d) (dd

2c c

0 downtok ifor

b of encodingbinary be b ,b ...., ,bb blet

1 d

0 c

n) b, tion(a,Exponentia-Modular

i

011-kk


Pseudo code(2/2)

Modular-Exponentiation(a=5, b=501, n=6) b = 111110101

i = 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 |

c = 0 1 | 2 3 | 6 7 | 14 15 | 30 31 | 62 - |124 125 | 250 - |

d = 1 5 | 1 5 | 1 5 | 1 5 | 1 5 | 1 - | 1 5 | 1 - |


Analysis

If a, b, n are -bit numbers, there are arithmetic

operations and bit operations.

)O(

)O( 3


Encryption – Symmetric Cryptography

Private Key

Alice and Bob share a key K the adversary does not know

Alice and Bob agree on cryptosysytem and key

Bob encrypts plaintext using key, sends ciphertext to Alice

Alice decrypts ciphertext with same key and reads the

message

Advantage: fast

Disadvantage: keys must be distributed secretly

Disadvantage: if key is compromised, all is lost

Disadvantage: number of needed keys is n2


Encryption – Public-Key Cryptography

Encryption key is public

Decryption key is private (secret)

Private key cannot be calculated from public key in a

reasonable amount of time


RSA Public-Key Cryptosystem

Rivest, Shamir, and Adleman, 1977

Most commonly used encryption and authentication

algorithm today

Used in Netscape, Microsoft browsers, Internet and

computing standards

Send encrypted messages

Append unforgeable digital signature

Based on ease of finding large primes and difficulty of

factoring their products


Public Key Cryptography

Each participant has

Public key – released to others

Secret key – kept secret

Example

Public and Secret functions are inverses

M =

M =

Must be able to reveal while remains uncomputable (or at least very to

compute)

Security depends on method of computing keys

RSA – factoring large integers

McEliecee – decoding linear code (NP-Complete)

El Gamal – discrete logarithm problem

Chor-Rivest – knapsack (NP-complete)

) ,( Bob ), ,( Alice BBAA SPSP

))M(( AA PS))M(( AA SP

AP AS


Protocol for Sending Encryption

Message M

Bob looks up Alice’s public key

Bob computes ciphertext message for his

original message M

Bob sends C to Alice (eavesdroppers do not have )

Alice computes

AP

)M(C AP

AS

M))M(()C( AAA PSS


Protocol for Sending a Signed Message M’

Alice computes digital signature

Alice sends (M’, ) to Bob

Bob check that

Message M’ is not encrypted

)M'(AS

' M))' M(()(' M AAA SPP


Protocol for Sending a Signed,

Encrypted Message M

Bob computes digital signature , and creates

new message

Bob computes and sends to Alice

Alice computes and then verifies

signature using

)M(BS

M, M'

)(M'P C A C

)C( M, AS

)( M BP


RSA Cryptosystem

Public and secret keys are created as follows

Select at random two large prime numbers p and q (say > 100

decimal digits each)

Compute n = pq

Select a small odd integer e that is relatively prime to

Computed (multiplicative inverse)

Publish pair P = (e, n) as RSA Public Key

Keep pairs S = (d, n) as RSA Secret Key

1)1)(q(p)( n

(n) mode d -1

)n (modM)M(P e

)n (modC)C(S d


Example of RSA Encryption

possible are messagedifferent 2419only :Note

2419) (mod M P(M)

2419) (mod M P(M)

2419) (1547, n) (d, S 6.

2419) (3, n) (e, P 5.

1 2320 mod 3 1547 (n) mod e d

1547 d

2320 mod 3 (n) mode d 4.

works3 e odd and small is e and 1 2320) gcd(e,such that e Find

2320 58*40 1)-1)(q-(p (n) .3

2419 pq n 2.

59 q 41, p 1.

1547

3

1-1-


Implementing RSA

Bob generates two large primes, p and q

probabilistic primality testing

Bob computes n = nq and

Bob chooses random e such that

Bob computes

Extended Euclidean Algorithm

Bob publishes n and e in a directory as his public key

)O((lgn) 3

1)-1)(q-(pn)(

(n)) e (1 1(n)) gcd(e,

(n) mode d -1

)O((lgn) 2


RSA Computation

Using public key P = (e, n) to transform messages M:

Using secret key S = (d, n) to transform ciphertext C:

Use Modular-Exponentiation:

Then Public key requires modular multiplications,

bit operations

Secret key requires modular multiplications, bit

operations

O(1) )O( 2

)O( )O( 3

nd O(1), e If

n) (modM)M( eP

n) (modC)C( dS


Correctness

hard is but this broken, is code then theq, and p inton factor can adversary theIf

n) (mod M M Theorem,Remainder Chinese thetoCorollary by the Thus,

pqn prime, are q and p

q) (mod MM

p) (mod M M

thusq,for Similarly

p) M(mod

Theorem sFermat' p) M(1)(mod

p) (mod)M(MM

thenp), (mod 0 M If

p) M(modM then p), (mod 0 M If

1)-1)(q-k(p 1 edThen

1)]-1)(q-[(p mode d Since

n modM n mod n) mod(MP(S(M))

n modM n mod n) mod(MP(S(M))

ed

ed

ed

1)-k(q1-ped

ed

1-

edde

eded


Primality Testing

Finding large primes

Density Of Primes

The prime distribution function specifies number of primes n

Theorem 33.37

for example,

The probability that randomly-chosen n is prime Thus, try odd

numbers near n to find a prime with high probability.

For example, 100-digit number . Try 115 odd numbers

near 10100. About 1/230 100-digit numbers are prime. Break input

message M into numerical blocks smaller than n.

(n)

1lnn/

)(lim

n

nn

lnn)(

nn

lnn

1

942,254,48)10( 9

2

lnn

230ln10100


Trial Division

Try all odd numbers 3,…, to test n for primality.

Running Time , but

(exponential)

This works well only for small n.

n

)n( )2()1lg( 2

nn


Pseudo

Z+= nonzero elements of . By

Fermat’s Theorem, if n is prime, then

for every .

IF some a violates, then n is composite.

Pseudo test tries formula for a=2. If satisfied, declare n prime.

Does not always work, but the numbers errantly declared prime

(base a pseudo primes) are rare.

Carmichael Numbers are composites that satisfy formula for

all . Very rare

Miller-Rabin randomized primality test overcomes this deficiency in

the pseudo test (tries random “a”s).

1}n ..., 2, {1,Zn

n) 1(moda 1n

nZa

*

nZa


Integer Factorizations

Trial division by all integers up to B to factor number up to

Pollard-Rho factors numbers up to (usually)

Works well in practice on numbers with small factors

Analysis: to find factor p

To factor -bit composite number n

Try all prime factors <

The run time is arithmetic operations

bit operations

2B4B

)p(

n

44

1

2

n334

1

2

n


Hybrid Crytosystems

In practice, public-key crypto used to secure and distribute

session keys, which are then used with private-key crypto

to secure message traffic.

Lecture 14. Encryption

Documents

Transcript of Lecture 14. Encryption