ECE-6280 Cryptography
Prof. Faramarz Fekri
Notes by James S. Hall
Spring 2008
Overview of Cryptography
Objective: Two people (usually referred to as Alice and Bob) want to communicate over an insecure channel in such a way that an adversary, Oscar, cannot understand the communication.
[Figure: Alice and Bob communicating over a channel observed by the adversary Oscar]
Definitions:
Plaintext: the message which is to be put in the secure form
Encipher (Encrypt): to render plaintext unintelligible to all but the intended recipients
Ciphertext: what is produced by the encryption of the plaintext
Encryption: an invertible transformation, ek(·)
Decryption: the inverse of ek(·), dk(·)
Then C = ek(M) and M = dk(C) = dk(ek(M)), where C is the ciphertext and M is the message.
More formally: A cryptosystem is a five‐tuple (P, C, K, E, D) where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the key space, is a finite set of possible keys
4. For each k ∈ K, there is an encryption rule ek ∈ E and a corresponding decryption rule dk ∈ D. Each ek: P → C and dk: C → P are functions such that dk(ek(x)) = x for every x ∈ P, and |P| ≤ |C|.
Principle: It is generally assumed in cryptography that the knowledge of the general system or algorithm (ek, dk) is known to the enemy. Only the key, k, is assumed not to be in the enemy’s possession.
Lecture 1 (1/7/08)
Simple Classical Cryptosystem: Substitution Cipher
Plaintext:  A B C … Z
Ciphertext: X N Y … Q
ek(A) = X, ek(C) = Y. Key space: |K| = 26! ≈ 4 × 10^26
Exhaustive search on the key is not computationally feasible! However, cryptanalysis can break the system.
Ideally:
• ek(·) is a one‐way function such that
  1. it is easy to encrypt, y = ek(x), AND
  2. it is easy to decrypt, x = dk(y), AND
  3. it is (computationally) impossible to invert without the key k to find x.
• Such a one‐way function cannot exist because all the systems are finite and hence can, in principle, be cracked by exhaustive search of all possibilities.
The theory of “computational complexity” is concerned with the classification of problems according to their computational difficulty, measured as the amount of time or space their solution would require.
Information Theoretic Security:
• Computationally Secure: Best known method of breaking the system requires an unreasonably large amount of computing time
• Provably Secure: Evidence of computational security is provided by reducing security of the cryptosystem to some well‐studied hard problems (such as factoring, solving discrete log problem, or non‐linear systems of equations) that is thought to be difficult.
• Unconditionally Secure: When a system is secure with no bound on the computational power of the adversary.
Classes of Cryptosystems:
1. Secret Key Systems (Symmetric Key Systems)
2. Public Key Systems (Asymmetric Key Systems)
Any cryptosystem needs a one‐way function (easy to compute, but hard to invert). However, the intended user should be able to invert the one‐way function (computationally) easily. Therefore, a cryptosystem requires a “trap‐door” one‐way function. In other words, we place a trap‐door in the one‐way function so that we can provide the information about the trap‐door (the “key”) to the intended user, by which he can decrypt the ciphertext (i.e. invert the one‐way function). Without knowing the “key”, it will be computationally “hard” to invert the one‐way function.
Secret Key Systems: Both Alice and Bob share a secret key. Ex ‐ DES, AES (New US Gov’t Standard)
Problem: Secret Key Systems require a “secure channel” to distribute the “shared key”. Not feasible in many applications.
Solution:
Public Key Systems: Ex – RSA, Elliptic Curve
• Do not require a shared key between users
• Every user has a secret key and a public key
  o Alice uses Bob’s public key to encrypt the message
  o Bob uses his own secret key to decrypt every message sent to him
Public key systems use trap‐door one‐way functions that are based on
1. Factoring large integers (n = pq)
2. Discrete log problem (a = b^x mod p)
3. Solving non‐linear equations
Ex: RSA
Bob: Secrets: p, q, b (p, q are prime numbers)
Public: n = pq, a
(Alice) Encryption: c = m^a mod n
(Bob) Decryption: m = c^b mod n
Signature Schemes:
A signature is something that is attached to a document to specify the person responsible for it.
Challenges:
• Signature must somehow be BOUND to the document
• Copy of a signature is identical to the original signature
• Must be verifiable by a publicly known verification algorithm
Notation:
Signed document: y = sigk(x)
Transmitted: (x, y)
Verification: verk(·) is a public algorithm with verk(x, y) = True if y = sigk(x), and False if y ≠ sigk(x)
It should be computationally infeasible for an adversary (or anyone other than Alice) to compute/forge a signature y such that verk(x, y) = True.
Hash Functions:
Note that the signature is (at least) as big as the message.
[Figure: a long message x = [… 1 1 0 0 … 1 …] is hashed to a 160‐bit message digest h(x) = [… 1 0 …], and the digest is signed]
Properties:
1. Given x, h(x) can be quickly calculated
2. To prevent forgery, given y = h(x), it is computationally infeasible to find x (h is one‐way)
3. It is computationally infeasible to find messages x1 and x2 with h(x1) = h(x2) (i.e. h is collision free)
Attack: Bob’s signature is (x, y) where y = sigk(h(x)). Oscar attempts to find x’ ≠ x with h(x’) = h(x) ⇒ (x’, y) is a valid signed message.
To prevent this, we need the collision free property.
Classical Cryptography
Definition: Suppose a and b are integers, and m is a positive integer.
Then we write a ≡ b mod m (a CONGRUENT to b, modulo m) if m | (a − b), i.e. m divides a − b: there exists q ∈ Z such that a − b = mq.
Modular Addition: a ≡ c mod m ⇒ a + b = mx + c + b
Modular Multiplication: a·b ≡ c mod m ⇒ a·b = mx + c
Equivalence Classes:
Addition modulo m divides the set of integers Z into m distinct equivalence classes. Two integers a, b are in the same class mod m if a ≡ b mod m.
Ex: Equivalence classes of integers under mod 5 addition
Label  Equivalence class
[0]    {…, −10, −5, 0, 5, …}
[1]    {…, −9, −4, 1, 6, …}
[2]    {…, −8, −3, 2, 7, …}
[3]    {…, −7, −2, 3, 8, …}
[4]    {…, −6, −1, 4, 9, …}
Note: The union of all classes is Z.
There is NO OVERLAP between classes.
Two members of Z are in the same class if they are CONGRUENT.
Define Zm to be the set {0,1,2,…,m‐1} with mod m addition and multiplication.
Shift Cipher:
Let A ↦ 0, B ↦ 1, C ↦ 2, D ↦ 3, E ↦ 4, F ↦ 5, …
Message string: x = x1 x2 x3 …, with P = C = K = Z26 (26 English letters)
Cipher string: yi = ek(xi). For some k with 0 ≤ k ≤ 25, define y = ek(x) = x + k mod 26
Decryption: x = dk(y) = y − k mod 26 (easily broken by exhaustive key search)
Lecture 2 (1/9/08)
Affine Cipher:
Encryption: y = e(x) ≡ a·x + b mod m, with a, b ∈ Zm
Decryption: a·x ≡ y − b mod m ⇒ x ≡ a^−1 (y − b) mod m, so x = d(y) ≡ a^−1 (y − b) mod m
P = C = Z26
Number of possible a = φ(26) ⇒ |K| = 26·φ(26) {26 possible choices for b, φ(26) possible choices for a}. This is a much larger key space than the shift cipher. However, it can still be broken by exhaustive search on the key.
Since e(x) must be invertible, we need to specify conditions for which the affine function is injective (one‐to‐one).
Generally: let y ≡ a·x + b mod m with a, b ∈ Zm ⇒ a·x ≡ y − b mod m ⇒ a·x ≡ r mod m with r ∈ Zm. Thus, we need to find a condition for which a·x ≡ r mod m has a unique solution.
Theorem: The congruence a·x ≡ r mod m has a unique solution x ∈ Zm for every r ∈ Zm iff gcd(a, m) = 1
Proof:
Definition: A number a^−1 is called the inverse of a modulo m if a·a^−1 ≡ 1 mod m
Proposition: An integer a is invertible modulo m iff a and m are RELATIVELY PRIME or COPRIME {gcd(a, m) = 1}.
1. If gcd(a, m) = 1 then a·x ≡ r mod m has a unique solution.
a. Existence: a·a^−1 ≡ 1 mod m ⇒ a·(a^−1·r) ≡ r mod m ⇒ x ≡ a^−1·r mod m solves a·x ≡ r mod m. If the inverse exists, then a solution always exists.
b. Uniqueness: suppose a·x1 ≡ r mod m and a·x2 ≡ r mod m ⇒ a·x1 ≡ a·x2 mod m ⇒ a(x1 − x2) ≡ 0 mod m ⇒ m | a(x1 − x2). Since gcd(a, m) = 1 ⇒ m | (x1 − x2) ⇒ x1 ≡ x2 mod m. Thus x2 is in the same equivalence class as x1 (not distinct solutions; the solution is unique).
2. Need to show that if gcd(a, m) = d > 1 then there exists more than one solution.
Let a·x1 ≡ r mod m. Then there is a y such that a·x1 = my + r.
Let x2 ≡ x1 + m/d mod m.
Then x2 is also a distinct solution because:
a·x2 ≡ a(x1 + m/d) = my + r + (a/d)·m = m(y + a/d) + r ≡ r mod m
Note: y + a/d is an integer since a/d is an integer (d divides a).
Thus a·x2 ≡ r mod m.
Moreover, x2 ≢ x1 mod m because x2 − x1 ≡ m/d ≢ 0 mod m.
Thus the affine cipher e(x) ≡ a·x + b mod m, where a, b ∈ Zm and gcd(a, m) = 1, is invertible.
Euler Phi Function (φ(m)): Let a ≥ 1 and m ≥ 2 be integers. If gcd(a, m) = 1, a and m are relatively prime. Define φ(m) to be the number of integers in Zm that are relatively prime to m.
Theorem: φ(t) = |{λ : 1 ≤ λ < t, gcd(λ, t) = 1}| = t · ∏_{p | t} (1 − 1/p), the product taken over all primes p that divide t. (Write this out to derive the theorem.)
Equivalently, if t = ∏_i p_i^{c_i} then φ(t) = ∏_i φ(p_i^{c_i}).
1. φ(p) = p − 1 for p prime
2. φ(p^m) = p^{m−1}(p − 1) for p prime
3. If gcd(p, q) = 1 ⇒ φ(p^r q^s) = φ(p^r) φ(q^s)
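As an added example (not part of these notes), the affine cipher of the previous section together with the Euler phi function: the key‐space count 26·φ(26), encryption and decryption with the modular inverse, and the non‐injective case gcd(a, m) = d > 1 from part 2 of the proof. Python 3.8+ is assumed for pow(a, -1, m); the sample plaintext is constructed.

```python
# Added example, not from the lecture notes: affine cipher over Z_m and the
# Euler phi function. Assumes Python 3.8+ (pow(a, -1, m) for modular inverses).
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def euler_phi(m: int) -> int:
    """phi(m) = m * prod_{p | m} (1 - 1/p), product over the primes p dividing m."""
    result, n, p = m, m, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            result -= result // p          # multiply the running product by (1 - 1/p)
        p += 1
    if n > 1:                              # one prime factor larger than sqrt(m) left
        result -= result // n
    return result


def phi_by_counting(m: int) -> int:
    """The definition in the notes: number of elements of Z_m coprime to m."""
    return sum(1 for k in range(m) if gcd(k, m) == 1)


def affine_key_space(m: int = 26) -> int:
    """|K| = m * phi(m): m choices for b and phi(m) invertible choices for a."""
    return m * euler_phi(m)


def affine_encrypt(plaintext: str, a: int, b: int, m: int = 26) -> str:
    """y = a*x + b mod m; refuses keys whose a is not invertible (not injective)."""
    if gcd(a, m) != 1:
        raise ValueError(f"a = {a} is not invertible mod {m}")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % m] for ch in plaintext)


def affine_decrypt(ciphertext: str, a: int, b: int, m: int = 26) -> str:
    """x = a^{-1} (y - b) mod m."""
    a_inv = pow(a, -1, m)                  # exists exactly when gcd(a, m) = 1
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % m] for ch in ciphertext)


def collision_for_noninvertible_a(a: int, m: int = 26) -> tuple:
    """Part 2 of the proof: when gcd(a, m) = d > 1, x1 = 0 and x2 = m/d are
    distinct but a*x1 = a*x2 mod m, so x -> a*x is not injective."""
    d = gcd(a, m)
    if d == 1:
        raise ValueError("a is invertible; no collision exists")
    x1, x2 = 0, m // d
    assert (a * x1) % m == (a * x2) % m
    return x1, x2


if __name__ == "__main__":
    print("phi(26) =", euler_phi(26), " |K| =", affine_key_space(26))
    c = affine_encrypt("HELLO", 3, 5)                   # constructed sample plaintext
    print(c, "->", affine_decrypt(c, 3, 5))
    print("collision for a = 6:", collision_for_noninvertible_a(6))
```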
Vigenere Cipher:
Let L be a fixed positive integer. Define P = C = K = (Z26)^L for a key K = (k1, k2, …, kL)
Encryption: (y1, y2, …, yL) = ek(x1, x2, …, xL) = (x1 + k1, x2 + k2, …, xL + kL) mod 26
Decryption: (x1, x2, …, xL) = dk(y1, y2, …, yL) = (y1 − k1, y2 − k2, …, yL − kL) mod 26
So, we take L symbols at a time and encrypt them.
Advantage: A letter is mapped to another based on its location in the vector of length L.
Hill Cipher:
Encryption: y = ek(x) = xK mod 26 (x: 1×m row vector and K: m×m matrix)
Decryption: x = dk(y) = yK^−1 mod 26
|P| = |C| = 26^m, K = {set of m×m invertible matrices over Z26}
Thus K must be an invertible matrix over Z26. It can be shown that K is an invertible matrix in the “ring” Z26 if gcd(det(K), 26) = 1, i.e. if det(K) is “relatively prime” to 26.
[Figure: 4‐stage LFSR with register k1 k2 k3 k4, taps c0 and c1 feeding an adder, output zi and feedback zi+4]
Stream Ciphers:
Generate a keystream z = z1, z2, … to encrypt a plaintext string x = x1, x2, … according to the rule:
y = y1, y2, … = ez1(x1), ez2(x2), …
Let the function fi generate zi (the i‐th element of the keystream):
zi = fi(k, x1, …, x_{i−1})
In the encryption process, we compute: z1, y1, z2, y2, … In the decryption process, we compute: z1, x1, z2, x2, …
A stream cipher is synchronous if the keystream is independent of the plaintext stream.
Ex: Generating a synchronous stream cipher in Z2 with a linear recurrence:
z_{i+m} = Σ_{j=0}^{m−1} c_j z_{i+j} mod 2 = c0 z_i + c1 z_{i+1} + … + c_{m−1} z_{i+m−1} mod 2
where c0 = 1 and cj ∈ Z2.
The recurrence is said to have degree *m*.
With suitable choice of c0, …,cm‐1 and any arbitrary nonzero initialization vector k=(k1, …, km), the linear recursion will generate a periodic keystream. (if c0=1, then the recursion will always be periodic w/ any nonzero k).
There exist choices for c0, …, c_{m−1} (making the characteristic polynomial, p(x), a “primitive polynomial”) for which we get the maximum possible period, which is 2^m − 1.
Ex: c0 = 1, c1 = 1, m = 4 ⇒ characteristic polynomial p(x) = x^4 + x + 1, recurrence z_{i+4} ≡ z_{i+1} + z_i mod 2
At each time index, the following will be performed concurrently:
1. k1 will be tapped as the next keystream bit (zi)
2. k2 … k4 will be shifted one stage to the left
3. The new value of km (k4) will be computed as Σ_{j=0}^{m−1} c_j k_{j+1} mod 2
[Figure: encryption yi = xi + zi and decryption xi = yi + zi, with a key generator producing the keystream zi on both sides]
Lecture 3 (1/11/08)
Cryptanalysis
Cryptanalysis: The process by which an unauthorized receiver of a cryptogram y = ek(x) determines x without prior knowledge of the key k. (We always assume that the enemy knows the cryptographic algorithm.)
Attack Models: specify the information available to the adversary when he mounts his attack.
• Ciphertext Only Attack: The adversary possesses only ciphertext. He may also have general knowledge about the plaintext: ‘E’ occurs about 12% of the time in the English language, ‘the’ is the most frequent recurring group of letters, etc.
• Known Plaintext Attack: The adversary has obtained a string of plaintext and the corresponding ciphertext y.
• Chosen Plaintext Attack: The cryptanalyst has temporary access to the encryption machinery. Hence, he/she can choose any arbitrary plaintext string x, and construct the corresponding ciphertext string, y.
• Chosen Ciphertext Attack: The adversary has obtained temporary access to the decryption machinery. Hence, he/she can choose any arbitrary ciphertext string, y, and construct the corresponding plaintext string, x.
Cryptanalysis of the Affine Cipher
ek(x) = ax + b mod 26, gcd(a, 26) = 1, k = (a, b) (**2 unknowns ⇒ 2 equations)
Consider a ciphertext only attack:
This can be done by using the probabilities of occurrence of the 26 letters. In any meaningful English text:
E 12.7%; T 9.1%; T, A, O, I, N, S, H, R 6–9%; D, L 4%; V, K, J, X, Q, Z 1%; rest 1.5–2.8%
Given ciphertext FMXY…, we can find the frequency analysis of the ciphertext. For example, we find that out of 57 characters of ciphertext: R 8, D 7, E, H, K 5.
First guess: E → R, T → D. Numerically (E = 4, R = 17, T = 19, D = 3):
4a + b ≡ 17 mod 26, 19a + b ≡ 3 mod 26 ⇒ a = 6, b = 19
But gcd(a, 26) ≠ 1 … wrong guess.
Second guess: E → R, T → K. Numerically (K = 10):
4a + b ≡ 17 mod 26, 19a + b ≡ 10 mod 26 ⇒ a = 3, b = 5
To verify the guess, we need to decrypt the ciphertext and see if we get a meaningful string.
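The two‐equation solve above, as an added example that is not part of these notes: the two guessed correspondences are subtracted to isolate a, the gcd test rejects the E → R, T → D guess, and the surviving key is checked by decrypting. The sample plaintext and ciphertext (a = 3, b = 5) are constructed; Python 3.8+ is assumed.

```python
# Added example, not from the lecture notes: recovering an affine key (a, b)
# from two guessed letter correspondences, as in the E -> R, T -> D / T -> K
# guesses above. The sample plaintext and ciphertext are constructed here.
from collections import Counter
from math import gcd

M = 26
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letter_counts(text: str) -> list:
    """Ciphertext letters sorted by frequency (most frequent first)."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def solve_affine_key(p1: str, c1: str, p2: str, c2: str):
    """Solve a*p1 + b = c1 and a*p2 + b = c2 (mod 26) for k = (a, b).
    Returns None if the system has no unique solution or gcd(a, 26) != 1,
    which is how the E -> R, T -> D guess (a = 6) is rejected."""
    x1, y1, x2, y2 = (ALPHABET.index(ch) for ch in (p1, c1, p2, c2))
    dx, dy = (x1 - x2) % M, (y1 - y2) % M    # subtract the two equations
    if gcd(dx, M) != 1:
        return None                           # (x1 - x2) has no inverse mod 26
    a = (dy * pow(dx, -1, M)) % M
    b = (y1 - a * x1) % M
    return (a, b) if gcd(a, M) == 1 else None


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """x = a^{-1} (y - b) mod 26."""
    a_inv = pow(a, -1, M)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M] for ch in ciphertext)


def guess_keys(ciphertext: str) -> list:
    """Try the two most frequent ciphertext letters as the images of E and T,
    in both orders, and return the candidate keys that survive the gcd test."""
    top = [ch for ch, _ in letter_counts(ciphertext)[:2]]
    candidates = []
    for e_img, t_img in (top, top[::-1]):
        key = solve_affine_key("E", e_img, "T", t_img)
        if key is not None:
            candidates.append(key)
    return candidates


# Constructed sample: plaintext enciphered with a = 3, b = 5 (not from the notes).
SAMPLE_PLAINTEXT = "MEETMEATTHETREEATTEN"
SAMPLE_CIPHERTEXT = "PRRKPRFKKARKERRFKKRS"

if __name__ == "__main__":
    print(letter_counts(SAMPLE_CIPHERTEXT)[:3])       # R and K are most frequent
    print(solve_affine_key("E", "R", "T", "D"))        # None: a = 6 not invertible
    print(solve_affine_key("E", "R", "T", "K"))        # (3, 5)
    for a, b in guess_keys(SAMPLE_CIPHERTEXT):
        print((a, b), affine_decrypt(SAMPLE_CIPHERTEXT, a, b))
```

Only the candidate whose decryption reads as English is kept; the other order of the top two letters yields a key that decrypts to nonsense.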
Cryptanalysis of the Hill Cipher
y = x·K
Difficult to break by ciphertext only attack. Easy to break by known plaintext attack.
Consider known plaintext attack:
Let y1 = x1 K, y2 = x2 K, …, ym = xm K ⇒ Y = XK
where Y is the m×m matrix with rows y1, …, ym and X is the m×m matrix with rows x1, …, xm.
If X is invertible in Z26, then K = X^−1 Y. If X is not invertible, then the adversary needs to find other pairs of plaintext and ciphertext.
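The known‐plaintext recovery K = X^−1 Y for a 2×2 Hill cipher, as an added example that is not part of these notes: the key matrix and texts are constructed, the inverse in the ring Z26 needs gcd(det, 26) = 1, and a plaintext block whose X is not invertible shows why more pairs may be needed. Python 3.8+ is assumed.

```python
# Added example, not from the lecture notes: 2x2 Hill cipher over Z_26 and the
# known-plaintext recovery K = X^{-1} Y from two (plaintext, ciphertext) row pairs.
# The key matrix and sample texts are constructed for this example.
from math import gcd

M = 26
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def mat_mul(A, B):
    """Matrix product mod 26 for nested-list matrices."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % M
             for j in range(len(B[0]))] for i in range(len(A))]


def det2(K):
    return (K[0][0] * K[1][1] - K[0][1] * K[1][0]) % M


def inv2(K):
    """Inverse of a 2x2 matrix in the ring Z_26; exists iff gcd(det K, 26) = 1."""
    d = det2(K)
    if gcd(d, M) != 1:
        raise ValueError(f"det = {d} is not coprime to 26: matrix not invertible")
    d_inv = pow(d, -1, M)
    return [[(K[1][1] * d_inv) % M, (-K[0][1] * d_inv) % M],
            [(-K[1][0] * d_inv) % M, (K[0][0] * d_inv) % M]]


def to_rows(text, width=2):
    nums = [ALPHABET.index(ch) for ch in text]
    return [nums[i:i + width] for i in range(0, len(nums), width)]


def hill_encrypt(plaintext, K):
    """Each 1x2 row vector x gives y = xK mod 26 (text length must be even)."""
    if len(plaintext) % 2:
        raise ValueError("plaintext length must be a multiple of 2")
    return "".join(ALPHABET[v] for row in to_rows(plaintext) for v in mat_mul([row], K)[0])


def hill_decrypt(ciphertext, K):
    return hill_encrypt(ciphertext, inv2(K))


def recover_key(plaintext, ciphertext):
    """Known-plaintext attack: rows x1, x2 / y1, y2 give Y = XK, so K = X^{-1} Y.
    Raises ValueError when X is not invertible, i.e. other pairs are needed."""
    X = to_rows(plaintext[:4])
    Y = to_rows(ciphertext[:4])
    return mat_mul(inv2(X), Y)


KEY = [[11, 8], [3, 7]]      # constructed key; det = 77 - 24 = 53 = 1 mod 26

if __name__ == "__main__":
    ct = hill_encrypt("HELP", KEY)
    print(ct, hill_decrypt(ct, KEY))            # LGKL HELP
    print(recover_key("HELP", ct))              # [[11, 8], [3, 7]]
    try:
        recover_key("JULY", hill_encrypt("JULY", KEY))
    except ValueError as err:
        print("JULY block unusable:", err)      # det of X is 22, shares the factor 2 with 26
```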
Cryptanalysis of LFSR Stream Cipher
z_{i+m} = Σ_{j=0}^{m−1} c_j z_{i+j} mod 2, with c0 = 1
Note that if the coefficients cj are all publicly known, we can find the entire string zi by only observing the ciphertext and its corresponding plaintext for m consecutive symbols.
a) cj are known by the enemy: known plaintext attack
Knowing xi, yi for i = L, …, L+m−1 for some L:
zi = yi + xi for i = L, …, L+m−1 ⇒ the entire zi can be recovered using the LFSR
b) cj are NOT in the public domain (the initial value of the LFSR is secret). Assuming the adversary knows m, this can be broken by a known plaintext attack on 2m consecutive symbols (does not have to start with z1). Using the LFSR:
[z_{m+1} z_{m+2} … z_{2m}] = [c0 c1 … c_{m−1}] · Z, where
Z = [ z1  z2  …  zm ; z2  z3  …  z_{m+1} ; … ; zm  z_{m+1}  …  z_{2m−1} ]   (rows separated by ;)
We only need z1, …, z_{2m} to construct the above relation. It can be shown that the matrix Z is always invertible in Z2 if the degree of the recurrence is m. Once we find the coefficients cj (similar to part a), the entire zi can be found.
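An added example, not part of these notes, serving both the LFSR recurrence of the stream cipher section (taps x^4 + x + 1, period 15) and part (b) above: 2m keystream bits obtained as x_i + y_i are arranged into the matrix Z, the taps are found by elimination over Z2, and the recurrence then regenerates the whole keystream. The initial register and plaintext bits are constructed.

```python
# Added example, not from the lecture notes: the degree-m LFSR recurrence
# z_{i+m} = sum_{j<m} c_j z_{i+j} mod 2 with the x^4 + x + 1 taps from the
# stream cipher section, and part (b) of the attack above: recovering the
# taps from 2m consecutive keystream bits by solving c * Z = (z_{m+1}..z_{2m})
# over Z_2. Initial register and sample plaintext bits are constructed here.


def lfsr_keystream(c, init, n):
    """c = (c_0..c_{m-1}), init = (k_1..k_m) nonzero. Returns z_1..z_n: k_1 is
    tapped as z_i, the register shifts left, the new k_m is sum_j c_j k_{j+1} mod 2."""
    state = list(init)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = sum(cj * kj for cj, kj in zip(c, state)) % 2
        state = state[1:] + [new_bit]
    return out


def period(c, init):
    """Steps until the register returns to its initial state (2^m - 1 for a
    primitive characteristic polynomial, shorter otherwise)."""
    state = list(init)
    steps = 0
    while True:
        new_bit = sum(cj * kj for cj, kj in zip(c, state)) % 2
        state = state[1:] + [new_bit]
        steps += 1
        if state == list(init):
            return steps


def solve_gf2(A, b):
    """Gauss-Jordan elimination over Z_2 for A x = b; raises ValueError if singular."""
    m = len(A)
    rows = [A[i][:] + [b[i]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("Z is singular over Z_2")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]


def recover_taps(z, m):
    """z: at least 2m consecutive keystream bits (any starting index). Solves
    z[m+t] = sum_j c_j z[t+j] for t = 0..m-1, i.e. (c_0..c_{m-1}) Z = (z_{m+1}..z_{2m})
    with Z_{tj} = z_{t+j}."""
    if len(z) < 2 * m:
        raise ValueError("need 2m consecutive keystream bits")
    Z = [[z[t + j] for j in range(m)] for t in range(m)]
    rhs = [z[m + t] for t in range(m)]
    return solve_gf2(Z, rhs)


def known_plaintext_attack(plain, cipher, m, total_len):
    """From 2m known (x_i, y_i) pairs: z_i = x_i + y_i, recover c, then run the
    recurrence forward to rebuild the whole keystream from that point on."""
    z = [x ^ y for x, y in zip(plain[:2 * m], cipher[:2 * m])]
    c = recover_taps(z, m)
    while len(z) < total_len:
        z.append(sum(cj * zj for cj, zj in zip(c, z[-m:])) % 2)
    return c, z


TAPS = [1, 1, 0, 0]            # c_0 = c_1 = 1: p(x) = x^4 + x + 1 (from the notes)
INIT = [1, 0, 0, 0]            # constructed nonzero initial register
PLAIN_BITS = [1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1]   # constructed sample

if __name__ == "__main__":
    ks = lfsr_keystream(TAPS, INIT, 15)
    print("keystream:", ks, "period:", period(TAPS, INIT))
    ct = [x ^ z for x, z in zip(PLAIN_BITS, ks)]
    c, z = known_plaintext_attack(PLAIN_BITS, ct, 4, 15)
    print("recovered taps:", c, "keystream matches:", z == ks)
```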
Lecture 4 (1/14-16/08)
Computational Complexity:
A cryptosystem whose decryption problem involves computing a “non‐computable” (one‐way) function would be very difficult to attack. However, it is easily seen that such a one‐way function cannot exist because all the cryptosystems are finite (the plaintext, ciphertext, and key are all finite sets). Thus, in principle, all cryptosystems can be cracked by exhaustive search of all possibilities.
The theory of computational complexity is concerned with the class of problems that can be solved in principle; but, within this class, the theory attempts to classify problems according to their computational difficulty, measured as the amount of time or space their solution would take. Thus an understanding of the basic concepts of complexity theory is essential for cryptography.
Big‐O Notation:
Let f(n), g(n) ≥ 0 for all positive integers n. We say f(n) = O(g(n)) (or simply f = O(g)) if and only if there exists a constant C such that f(n) ≤ C·g(n) for all n ≥ n0.
Ex: f(n) = 2n^2 + 3n − 3 ⇒ f(n) = O(n^2) (This is because for C = 3, f(n) ≤ C·n^2)
In practice, we only care about f(n) and g(n) for large values of n when we use big‐O notation.
Define: Suppose that for all n ≥ n0, the two functions f(n), g(n) are defined, take positive values, and for some constant C satisfy the inequality f(n) ≤ C·g(n). Then we say f = O(g).
Remark: It is desirable to have simple functions g(n) that do not increase a whole lot faster than f(n).
Remark: If lim_{n→∞} f(n)/g(n) = constant, then f = O(g); if the limit is 0, then f = o(g).
Length of Numbers:
The number of bits (binary representation): Length(n) = 1 + ⌊log2 n⌋ = ⌈log2 n⌉ = ⌈ln n / ln 2⌉ (note: ⌈4.7⌉ = 5)
We measure the complexity of a computation in terms of the number of fundamental operations it takes. These could be bit operations such as “bit additions”, comparisons, etc.
We note that the complexity is regarded as a function of the input size.
Q: What is the length of the sum or the product of n positive integers, each of which has length at most k?
The sum of two integers has length either equal to the length of the larger number or else equal to one plus the length of the larger number.
Addition: sum < n·2^k ⇒ length(sum) ≤ k + length(n)
Multiplication: m1 and m2 with 2^{k−1} ≤ m1 < 2^k where k = length(m1), and 2^{l−1} ≤ m2 < 2^l where l = length(m2)
⇒ 2^{k+l−2} ≤ m1·m2 < 2^{k+l}
⇒ length(m1·m2) = length(m1) + length(m2) OR length(m1) + length(m2) − 1
For m1·m2…mn = ∏_{i=1}^{n} mi: 2^{nk−n} ≤ ∏_{i=1}^{n} mi < 2^{nk}
⇒ nk − (n − 1) ≤ length(m1·m2…mn) ≤ nk
Bit Operations:
All the procedures that involve adding two bits with a possible “carry” are called “bit operations”. When we speak of estimating the time to perform a task, we mean finding an estimate for the number of “bit operations”. This is because the amount of time a computer takes to perform a task is proportional to the number of bit operations (we ignore administrative matters such as time for memory access).
Remark: The complexity is the time taken in the worst possible case.
Time to add two integers u, v: adding two k‐bit numbers requires k bit operations, so Time(u + v) = O(max(length(u), length(v))). Subtraction time is the same as addition.
Time to multiply a k‐bit integer by an l‐bit integer: total bit operations ≤ l·k ⇒ Time = O(lk)
Time to divide a k‐bit integer by an l‐bit integer: Time = O(l(k − l + 1)) to obtain quotient and remainder
Remark: Multiplying two integers of length k by the best algorithm has time O(k·length(k)·length(length(k))), which is better than O(k^{1+ε}) for any ε > 0
Ex: Show that b^N mod m can be computed in time O(k^2 l), where l = length(N) ≈ log2 N and k ≈ log2 m, and assume |b| < m
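An added example, not part of these notes, for the exercise above and for the RSA sketch of Lecture 1: square‐and‐multiply performs at most 2·length(N) modular multiplications of k‐bit numbers, each O(k^2) bit operations, hence O(k^2 l) in total; the toy RSA round trip uses the notes’ notation c = m^a mod n, m = c^b mod n and assumes b = a^−1 mod φ(n), which the notes do not state. The primes are constructed; Python 3.8+ is assumed.

```python
# Added example, not from the lecture notes: right-to-left square-and-multiply
# for b^N mod m. Each of the at most 2*length(N) modular multiplications works
# on k-bit operands and costs O(k^2) bit operations, which gives the O(k^2 l)
# bound of the exercise. A toy RSA round trip in the notes' notation follows;
# it assumes the decryption exponent b = a^{-1} mod phi(n) (not stated in the notes).
from math import gcd


def length(n):
    """Binary length, 1 + floor(log2 n) for n >= 1."""
    return n.bit_length()


def mod_pow(b, N, m):
    """Returns (b^N mod m, number of modular multiplications used)."""
    result, base, mults = 1 % m, b % m, 0
    while N > 0:
        if N & 1:                          # this bit of N is set: multiply in
            result = (result * base) % m
            mults += 1
        base = (base * base) % m           # square for the next bit
        mults += 1
        N >>= 1
    return result, mults


def rsa_keygen(p, q, a):
    """Bob's secrets p, q, b and publics n = pq, a. Uses phi(pq) = (p-1)(q-1)
    (property 3 of the phi function) and b = a^{-1} mod phi(n) (an assumption
    of this example). Requires Python 3.8+ for pow(a, -1, phi_n)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(a, phi_n) != 1:
        raise ValueError("a must be invertible mod phi(n)")
    return n, pow(a, -1, phi_n)


def rsa_encrypt(m, a, n):
    """(Alice) c = m^a mod n."""
    return mod_pow(m, a, n)[0]


def rsa_decrypt(c, b, n):
    """(Bob) m = c^b mod n."""
    return mod_pow(c, b, n)[0]


if __name__ == "__main__":
    value, mults = mod_pow(4, 13, 497)
    print(value, mults, "<=", 2 * length(13))           # 445 7 <= 8
    n, b = rsa_keygen(61, 53, 17)                         # constructed toy primes
    c = rsa_encrypt(65, 17, n)
    print(n, b, c, rsa_decrypt(c, b, n))                  # 3233 2753 2790 65
```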
Polynomial time:
Def: An algorithm to perform a computation is said to be a polynomial time algorithm if there exists an integer d such that the number of bit operations (time estimate) required to perform the algorithm on integers of total length at most k (binary length) is O(kd).
Exponential Time Algorithm: Time = O(e^{ck})
where c is a constant and k is the total binary length of the integers to which the algorithm is being applied.
Problem: refers to a general description of a task
Instance: a particular case of the task
Decision Problem: a problem whose solution consists of a yes or no answer
Search Problem: if the desired output is more than a “yes” or “no”, then we call the problem a “search problem”
Remark: Unlike a decision problem, a search problem might have several correct answers. Ex: Solutions to the problem of nonlinear equations.
Remark: To give definition of P and NP, we need to modify our problem so that they are a “decision problem”
Ex: (Search Problem): The integer factorization search problem is the problem of either finding a nontrivial factor M of an integer N or else determining that no nontrivial factor exists.
(Decision Problem): Given positive integers N and K, does N have a factor M satisfying 2 ≤ M ≤ K?
P and NP Problems:
Def: A decision problem p is in the class P of polynomial time problems if there exists a polynomial Q(n) and an algorithm A such that if an instance of p has input length n, then the algorithm answers the question correctly in time tA(n) ≤ Q(n), i.e., tA(n) = O(n^d) for some d
Remark: It is not always clear if class P is the right class to capture the class of problems that in practice can be solved rapidly. For example, an algorithm with running time n^100 is slower than another algorithm with exponential time e^{0.0001n} until n is greater than about 10 million.
Note: Sometimes a problem that is in P (or is believed to be in P) has a practical, efficient algorithm that is not polynomial time. Example of this is: Given a positive integer N, is N a prime number?
A decision problem P is in the class NP (non‐deterministic polynomial time) if, given any instance of p, a person with unlimited computing power not only can answer the question, but in the case that the answer is “yes”, she can supply evidence that another person could use to verify the correctness of the answer in polynomial time.
Note that P ⊆ NP.
The claim that P ≠ NP is the most famous conjecture in computer science.
Given positive integers N and K, does N have a factor in the interval [2, K]?
The above problem is “almost surely” not in P. But if someone with unlimited computing power gives the factorization and supplies us with M, we can verify the “yes” answer in polynomial time by performing N/M.
[Figure: P drawn as a subset of NP]
Reduction:
In cryptology, it is very desirable to be able to reduce a cryptologic system to a known hard problem.
Given problem classes P1 and P2, P1 reduces to P2 if one can find a polynomial time algorithm A such that for any p1 ∈ P1, A(p1) = p2 ∈ P2
Example: Let P1 be the following problem: given a quadratic polynomial f(x) with integer coefficients, does f(x) have two distinct roots?
Let P2 be: for a given integer N, is N positive?
Since f(x) = ax^2 + bx + c has two distinct real roots exactly when its discriminant b^2 − 4ac is positive, P1 reduces to P2 by taking N = b^2 − 4ac.
Shannon’s Theory:
In practice, we say a system is “computationally secure” if the best known method of breaking the system requires an unreasonably large amount of computer time. (It is not a proof, of course, because security against one specific attack does not ensure security against other attacks.)
Another approach is to provide evidence of computational security by reducing the security of the system to some well‐studied problem that is thought to be difficult. These are called “provably secure” systems.
But it must be understood that this only provides a proof relative to some other problem. Not absolute proof of security (computational difficulty of solving the problem).
Ex: “A given cryptosystem is secure if a given integer n cannot be factored.”
A system is unconditionally secure when there is no bound placed on the amount of computation of the adversary.
In Chapter 2, we study Shannon’s classical approach to cryptosystems. This gives some good insight into the behavior and design of cryptosystems (although it is only a mathematical model).
Since we are interested in unconditional security, we need to study the security from probability point of view (not computational point of view).
Remark: We consider “Ciphertext Only Attack Model” with unbounded computational power in this chapter.
Entropy H(X): a mathematical measure of information or uncertainty.
P(x, y): probability that X takes the value x and Y takes the value y.
P(x|y): probability that X takes the value x GIVEN THAT Y has taken the value y: P(x|y) = P(x, y) / P(y)
Bayes’ rule: P(x|y) = P(x, y) / P(y) = P(x) P(y|x) / P(y)
Independence: P(x|y) = P(x) for all x, y
Total Probability: P(x) = Σ_y P(x, y) = Σ_y P(x|y) P(y)
Lecture 5 (1/18-23/08)
Assume a random variable X which takes on a finite set of values xi with probability Pi (1 ≤ i ≤ n). Then the uncertainty of the r.v. X is a function of the probabilities P1, P2, …, Pn denoted by H(P1, …, Pn). Properties:
H(P1, …, Pn) is maximum when P1 = P2 = … = Pn = 1/n
H(P1, …, Pn) ≥ 0
H(X) = −Σ_{all a} Prob[X = a] log2 Prob[X = a] = −Σ_{k=1}^{n} Pk log2 Pk
H(X) ≤ log2 n, where equality holds iff Pi = 1/n for all i
If X and Y are any two r.v. taking only finitely many values, then
H(X, Y) ≤ H(X) + H(Y) (with equality if X, Y are independent)
H(X, Y) = −Σ_{all a, b} Prob[X = a, Y = b] log2 Prob[X = a, Y = b]
H(X|Y) = Σ_j H(X|Y = bj) Prob[Y = bj]
where H(X|Y = bj) = −Σ_{k=1}^{n} Prob[X = ak|Y = bj] log2 Prob[X = ak|Y = bj]
Note: H(X|Y) is the uncertainty of X given a particular value of Y, averaged over the range of values that Y can take. H(X|X) = 0
H(X|Y) ≤ H(X), equality holds iff X and Y are independent
H(X, Y) = H(Y) + H(X|Y) = H(X) + H(Y|X)
Cryptosystem (M, K, C)
a) Use the notation M = P for the plaintext sequence to prevent confusion.
b) Pm(x) denotes the a priori probability that plaintext x occurs (let Pm(x) = Prob[M = x])
c) Pk(k) is the probability that the key k is chosen (usually uniform). Obviously k and x are independent. (Note: Pk(k) = Prob[K = k])
These two probabilities induce a probability distribution on the set of possible cryptograms y.
Pc(y|x) = Σ_{k : y = ek(x)} Pk(k)
Pc(y) = Σ_{k : y ∈ C(k)} Pk(k) Pm(dk(y)), where C(k) = {ek(x) : x ∈ M}
The sum is over message‐key pairs (xi, kj) such that ekj(xi) = y.
C(k) is the set of possible ciphertexts if k (a fixed key) is the key.
Since Pc(y) = Σ_{k : y ∈ C(k)} Pk(k) Pm(dk(y)), the setup is completely analogous to a communication channel where M is the zero‐memory source and the encryption function together with the keys serves as the channel.
Message M: H(M) = −Σ_{all possible messages} Pm(x) log2 Pm(x)
Key K: H(K) = −Σ_{all possible keys} Pk(k) log2 Pk(k)
Cipher C: H(C) = −Σ_{all possible ciphers} Pc(y) log2 Pc(y)
Key Equivocation H(K|C): measures the average uncertainty remaining about the key when a cryptogram has been intercepted. (Desire H(K|C) = H(K))
Message Equivocation H(M|C) is defined the same way. (Unconditionally/Perfectly Secure: H(M|C) = H(M))
Theorem: The key equivocation is related to the message equivocation by: H(K|C) = H(M|C) + H(K|M,C) {Also H(K|C) = H(K) + H(M) – H(C)}
(The key equivocation is at least as big as the message equivocation)
Proof: For any X, Y: H(X|Y) = H(X, Y) − H(Y)
We write: H(M|C) = H(M, C) − H(C) = H(M, K, C) − H(K|M, C) − H(C) {because H(K|M) = H(K, M) − H(M)}
Now: H(K|C) = H(K, C) − H(C) = H(M, K, C) − H(M|K, C) − H(C)
But: H(M|K, C) = 0 (no uncertainty about the message given the key, for any ciphertext)
Thus: H(K|C) = H(M|C) + H(K|M, C)
Since H(M|C) measures the average uncertainty of the message after interception of the cryptogram, it is natural to say that a system (M,K,C) has perfect secrecy if H(M|C) = H(M). Perfect secrecy means that the enemy can obtain no info about plaintext by observing the ciphertext.
Theorem: A system has perfect secrecy IFF for all possible messages x ∈ M and possible cryptograms y ∈ C, we have: pm(x|y) = pm(x)
Proof: We know that H(X|Y) = H(X) IFF X and Y are independent. This means that pm(x|y) = pm(x).
Example: Suppose the 26 keys in the shift cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the shift cipher has perfect secrecy.
Proof: Note: C = M = K = Z26. For any 0 ≤ k ≤ 25, ek(x) = x + k mod 26
Pc(y) = Σ_{k ∈ Z26} Pk(k) Pm(dk(y)) = Σ_{k ∈ Z26} (1/26) Pm(y − k mod 26)
But for a fixed y, y − k mod 26 takes all possible values of Z26:
Σ_{k ∈ Z26} Pm(y − k mod 26) = Σ_{k ∈ Z26} Pm(k) = 1 ⇒ Pc(y) = 1/26 for any y ∈ Z26
Moreover, Pc(y|x) = Pk(y − x mod 26) = 1/26 since for any x, y there is a unique k with ek(x) = y
Bayes’ rule: Pm(x|y) = Pm(x) Pc(y|x) / Pc(y) = Pm(x) · (1/26) / (1/26) = Pm(x)
Thus, using a ciphertext only attack, the shift cipher is unbreakable (with unlimited computational power for adversary) provided that a new random key is used to encrypt EVERY PLAINTEXT CHARACTER.
A necessary condition for a cryptosystem to have perfect secrecy is that |K| ≥ |C| ≥ |M| (it has at least as many keys as messages).
Proof: Note that |C| ≥ |M| by the injective (invertible) property of cryptosystems. To show |K| ≥ |C|, we note that perfect secrecy means pm(x|y) = pm(x) for all x ∈ M, y ∈ C, so
Pc(y|x) = Pc(y) Pm(x|y) / Pm(x) = Pc(y) for all x ∈ M, y ∈ C
Since Pc(y) > 0 for any y ∈ C, for any fixed x ∈ M we have Pc(y|x) > 0 for each y ∈ C. Thus there must be at least one key k ∈ K such that ek(x) = y. Thus |K| ≥ |C| ⇒ |K| ≥ |C| ≥ |M|
Ex: Let M = C = Z26, K = {0, 1}, y = ek(x) = x + k mod 26. Assume pm(A) = pm(B) = … = pm(Z) = 1/26 a priori.
Pc(y|x) = 1/2 but pc(y) = 1/26 ⇒ not perfect secrecy
Ex: pm(x = A|y = D) = 0 but pm(x = A) = 1/26 ⇒ pm(x|y) ≠ pm(x)
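The perfect‐secrecy computation for the shift cipher, as an added example that is not part of these notes: Pc(y), Pc(y|x) and Pm(x|y) are evaluated exactly with fractions for a constructed non‐uniform plaintext distribution under uniform keys (perfect secrecy holds), and for the K = {0, 1} system above (it fails, including Pm(x = A|y = D) = 0).

```python
# Added example, not from the lecture notes: the induced ciphertext
# distribution P_c(y), the channel probabilities P_c(y|x) and the a posteriori
# P_m(x|y) for the shift cipher, computed exactly with fractions. A skewed
# plaintext distribution with uniform keys satisfies P_m(x|y) = P_m(x); the
# K = {0, 1} system from the notes does not. The plaintext distribution is constructed.
from fractions import Fraction

M = 26


def e_k(x, k):
    return (x + k) % M


def d_k(y, k):
    return (y - k) % M


def cipher_dist(pm, pk):
    """P_c(y) = sum_{k : y in C(k)} P_k(k) P_m(d_k(y)); pm and pk map values to
    probabilities, and missing entries have probability 0."""
    return {y: sum(pk[k] * pm.get(d_k(y, k), 0) for k in pk) for y in range(M)}


def cipher_given_plain(x, y, pk):
    """P_c(y|x) = sum_{k : e_k(x) = y} P_k(k)."""
    return sum(pk[k] for k in pk if e_k(x, k) == y)


def plain_given_cipher(x, y, pm, pk):
    """Bayes: P_m(x|y) = P_m(x) P_c(y|x) / P_c(y); None if y can never occur."""
    pc_y = cipher_dist(pm, pk)[y]
    if pc_y == 0:
        return None
    return pm.get(x, 0) * cipher_given_plain(x, y, pk) / pc_y


def has_perfect_secrecy(pm, pk):
    """P_m(x|y) = P_m(x) for every plaintext x and every ciphertext y that can occur."""
    pc = cipher_dist(pm, pk)
    return all(plain_given_cipher(x, y, pm, pk) == pm[x]
               for x in pm for y in range(M) if pc[y] > 0)


def uniform(values):
    n = len(values)
    return {v: Fraction(1, n) for v in values}


# Constructed plaintext distribution: A, E, T with probabilities 1/2, 1/4, 1/4.
PM_SKEWED = {0: Fraction(1, 2), 4: Fraction(1, 4), 19: Fraction(1, 4)}
PK_ALL = uniform(range(M))          # 26 keys, each with probability 1/26
PK_TWO = uniform([0, 1])            # the notes' K = {0, 1} example
PM_UNIFORM = uniform(range(M))

if __name__ == "__main__":
    print(has_perfect_secrecy(PM_SKEWED, PK_ALL))                 # True
    print(cipher_dist(PM_SKEWED, PK_ALL)[3])                      # 1/26 for every y
    print(has_perfect_secrecy(PM_UNIFORM, PK_TWO))                # False
    print(cipher_given_plain(0, 0, PK_TWO), cipher_dist(PM_UNIFORM, PK_TWO)[0])  # 1/2 vs 1/26
    print(plain_given_cipher(0, 3, PM_UNIFORM, PK_TWO))           # P(x = A | y = D) = 0
```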
Realization of Perfect Secrecy:
Let n ≥ 1 be an integer, M = C = K = (Z2)^n.
If x = (x1, …, xn) and k = (k1, …, kn), then y = ek(x) = (x1 + k1, x2 + k2, …, xn + kn) mod 2
Decryption: dk(y) = (y1 − k1, …, yn − kn) mod 2
Note that the key k must be changed for the next encryption.
Disadvantage: |K| >= |M| which implies the amount of key that must be communicated secretly is at least as big as the message.
Applications: Military and diplomatic contexts where unconditional security is important
Theorem: Suppose (M, C, K, E, D) is a cryptosystem where |K| = |C| = |M|. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability 1/|K|, and for every x ∈ M and every y ∈ C, there is a unique key k ∈ K such that ek(x) = y.
Proof: Suppose the given cryptosystem has perfect secrecy.
Claim: the key is unique for any x ∈ M, y ∈ C with y = ek(x). Because |K| = |C|, let C = {y1, y2, …, yn}.
Note: Since pc(y|x) = pc(y) > 0 for any fixed x ∈ M, y ∈ C, there exists a key ki such that y = eki(x).
Since yi = eki(x) and yi = ekj(x) with ki ≠ kj would imply |K| > |C|, it is NOT possible. The key is UNIQUE.
Claim: pk(k) = 1/|K|. Since |M| = |K|, let M = {xi : 1 ≤ i ≤ |K|}. Fix a y ∈ C, and let eki(xi) = y for 1 ≤ i ≤ |K|.
Bayes’ rule: pm(xi|y) = pc(y|xi) pm(xi) / pc(y) = pk(ki) pm(xi) / pc(y)
But pm(xi|y) = pm(xi) because of perfect secrecy. Therefore pk(ki) = pc(y) for 1 ≤ i ≤ |K|, and all keys have equal probability.
Since we have |K| keys, pk(k) = 1/|K|.
Conversely, when the two conditions are satisfied, it can be proved as for the shift cipher that the cryptosystem has perfect secrecy.
Perfect Secrecy:
In the study of perfect secrecy we assumed:
1. Ciphertext only attack
2. Adversary has unbounded computational power
3. Key is used once. Every time we use the encryption algorithm, we need a new key
We want to study consequences of relaxing the third assumption and using the same key for n times. We would like to see how much information is released to the adversary.
For a perfectly secure system: H(K|Y^n) = H(K) {y is observed multiple times}
For less secure system, information is obtained as letters are observed.
Ex: Known English plaintext, 1 key. Ciphertext: WNAJW. Only two possible 5‐letter words have this format: plaintext RIVER or ARENA. Therefore, the key space has been reduced to only two keys. One is “actual”, the other(s) are “spurious”.
Remark: The success of the attack depends on the fact that there must exist only one key as a candidate (spurious keys = 0).
Assuming case‐insensitive English language from this point forward, M = Z26.
What is the average entropy per letter in the English language?
If letters are chosen with equal probability, HL = log2(26) = 4.7
However, using a histogram of letter frequencies, HL = −Σ_i pi log2 pi ≅ 4.19
Using n‐tuples as n → ∞, HL = lim H(p^n)/n, with 1 ≤ HL ≤ 1.5
Redundancy of a language L: RL = 1 − HL / log2|M| (For English, HL = 1.25, log2|M| = 4.7 ⇒ RL = 0.75)
Lecture 6 (1/25-29/08)
Unicity: ** Should be able to determine unicity from a given cipher**
Unicity is the average length of the ciphertext that will allow an adversary to uniquely identify the actual key. Suppose (M,C,K,E,D) is a cryptosystem and keys are chosen equiprobably. Then the unicity is:
Nu = log2|K| / (log2|C| − HL)
And since RL = 1 − HL / log2|M|, if |M| = |C| then Nu = log2|K| / (RL log2|C|)
Proof: Lemma: H(K|C) = H(K) + H(M) – H(C) Proof: H(K,M,C) = H(C|K,M) + H(K,M) {H(C|K,M) = 0} = H(K,M)
= H(K) + H(M) (1) H(K,M,C) = H(M|K,C) + H(K,C) {H(M|K,C) = 0} = H(K,C)
= H(K|C) + H(C) (2) H(K|C) = H(K) + H(M) – H(C)
Assuming: MN to be a r.v. representing an n‐tuple of plaintext CN to be a r.v. representing an n‐tuple of ciphertext
Then H(K|CN) = H(MN) + H(K) – H(CN). Unicity is then the smallest N > 0 such that H(K|CN) = 0
Now assume: a) The underlying natural language is such that a reasonable estimate of H(MNu) is:
( )uNu LH M N≅ H
b) The cryptosystem is such that all Nu‐sequences of symbols are equally likely as ciphertext:
( ) 2log | |uNuH C N≅ C
Note that every cryptosystem should aim at possessing the above property. Thus:
( ) ( )2
2
log | | 0 log | |u L u u
L
H KN H H K N C N
C H+ − = ⇒ =
−
Since keys are equiprobable H(K) = log2|K| and 2
2
log | |log | |u
L
KNC H
=−
Example: Substitution cipher. Assume $H_L = 2$ (a pessimistic estimate; with $H_L = 1.25$ the result is about 26 letters):
$$N_u = \frac{\log_2 (26!)}{\log_2 26 - 2} \approx \frac{88.4}{2.7} \approx 32.$$
Recall that the substitution cipher maps each letter A-Z to a letter of the alphabet A-Z, so |K| = 26!: roughly 32 ciphertext letters are enough, on average, to pin down the key, even though the key space is far too large to search.
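The unicity formula and the WNAJW spurious-key example, worked in Python. This is an added example and not code from the lecture notes; the entropy estimates passed in, the six-word dictionary and the ciphertext are constructed inputs chosen to illustrate $N_u = \log_2|K| / (\log_2|C| - H_L)$ and the ciphertext-only key search on the shift cipher.

```python
"""Unicity distance and spurious keys for the shift and substitution ciphers.

Added example, not from the lecture notes. The entropy estimates H_L, the
six-word dictionary and the ciphertext WNAJW are constructed inputs.
"""
import math

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def unicity_distance(log2_keys: float, alphabet_size: int, h_l: float) -> float:
    """N_u = log2|K| / (log2|C| - H_L); here |C| = alphabet size, and
    log2|C| - H_L = R_L * log2|C| is the redundancy per ciphertext letter."""
    return log2_keys / (math.log2(alphabet_size) - h_l)


def shift_unicity(h_l: float) -> float:
    return unicity_distance(math.log2(26), 26, h_l)                    # |K| = 26


def substitution_unicity(h_l: float) -> float:
    return unicity_distance(math.log2(math.factorial(26)), 26, h_l)    # |K| = 26!


def shift_decrypt(ciphertext: str, key: int) -> str:
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in ciphertext)


def candidate_keys(ciphertext: str, dictionary) -> dict:
    """Ciphertext-only attack on the shift cipher: try all 26 keys and keep
    every key whose decryption is a dictionary word."""
    found = {}
    for k in range(26):
        p = shift_decrypt(ciphertext, k)
        if p in dictionary:
            found[k] = p
    return found


def spurious_keys(ciphertext: str, dictionary) -> int:
    """Candidate keys beyond the one actual key."""
    return max(len(candidate_keys(ciphertext, dictionary)) - 1, 0)


# Constructed toy dictionary of five-letter words (stands in for an English word list).
DICTIONARY = {"RIVER", "ARENA", "HELLO", "WORLD", "CRYPT", "STONE"}

if __name__ == "__main__":
    print("shift cipher N_u (H_L=1.25):", round(shift_unicity(1.25), 2))
    print("substitution N_u (H_L=1.25):", round(substitution_unicity(1.25), 2))
    print("substitution N_u (H_L=2):", round(substitution_unicity(2.0), 2))
    print("WNAJW candidates:", candidate_keys("WNAJW", DICTIONARY))
```

With $H_L = 1.25$ the shift cipher's unicity distance is below two letters, which is why a single dictionary word is usually enough to break it; the substitution cipher needs about 26 letters, and with the pessimistic $H_L = 2$ about 33. Five letters of WNAJW leave the two candidate keys 5 and 22, i.e., one spurious key.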
Product cryptosystem:
A natural way to increase security is to take different systems and combine them:
S1: y1 = e_{K1}(x), S2: y2 = e_{K2}(y1), S = S2 × S1 (apply S1 first, then S2).
The domain of S2 must contain the range of S1. The product of a system with itself is written S^2 = S × S. If S^2 = S (the system is idempotent), then there is no point in iterating S.
Example: Shift cipher S: y1 = x + b1 mod 26. S^2 = S × S: y2 = y1 + b2 mod 26 = x + (b1 + b2) mod 26 = x + b mod 26, a new shift cipher with b = b1 + b2 mod 26. Thus S^2 = S for the shift cipher: iterating it gains nothing.
Block Ciphers:
DES: Data Encryption Standard (designed at IBM in the mid-1970s in response to a 1973 call by the National Bureau of Standards, adopted as a U.S. federal standard in 1977; Rijndael was selected to replace it in 2000 and standardized as AES in 2001). AES: Advanced Encryption Standard.
At the moment, there is no fast (polynomial-time) algorithm for NP-hard problems, and if NP ≠ P, no such algorithm exists.
Idea: Build a cryptosystem around an NP-hard problem.
Decision Problem:
Input: Polynomials P1, ..., Pk in x1, ..., xn with coefficients in Z2.
Question: Do these polynomials have a common zero (x1, ..., xn) in mod 2 arithmetic?
Ex:
$$\begin{aligned} x_1 x_4 x_6 + x_2 x_4 x_5 - 1 &= 0 \\ x_1 x_2 + x_2 x_3 + x_3 x_4 - 1 &= 0 \\ x_1 x_3 + x_4 x_5 + x_1 x_6 - 1 &= 0 \end{aligned}$$
One solution: (x1, ..., x6) = (1, 0, 1, 1, 1, 1).
The problem of deciding whether a system of algebraic equations mod 2 has a solution is NP-hard.
Modes of Operation:
Electronic Codebook Mode (ECB): Each block x_i of plaintext is encrypted independently with the same key K:
$$y_i = e_K(x_i).$$
Identical plaintext blocks produce identical ciphertext blocks, so ECB leaks patterns in the plaintext.
Cipher Block Chaining Mode (CBC): Each ciphertext block y_i is XORed with the next plaintext block x_{i+1} before x_{i+1} is encrypted with the key K; an initialization vector y_0 = IV is needed for the first block. (Also useful for authentication: CBC-MAC.)
$$y_i = e_K(x_i \oplus y_{i-1}).$$
Cipher Feedback Mode (CFB): Generates a keystream by encrypting the previous ciphertext block. Because the keystream depends on the ciphertext, this is a self-synchronizing stream cipher (not a synchronous one):
$$z_i = e_K(y_{i-1}), \qquad y_i = x_i \oplus z_i \qquad (y_0 = IV).$$
Output Feedback Mode (OFB): A synchronous stream cipher. The keystream is produced by repeatedly encrypting an initialization vector z_0 = IV:
$$z_i = e_K(z_{i-1}), \qquad y_i = x_i \oplus z_i.$$
Note: in CFB, OFB and counter mode the block-cipher encryption function e_K is used for both encryption and decryption; the decryption function d_K is never needed.
Counter Mode (CTR): Similar to OFB, except that a counter (not the key) is incremented for each block, so the keystream blocks can be computed in parallel:
$$T_i = (ctr + i - 1) \bmod 2^m, \qquad y_i = x_i \oplus e_K(T_i).$$
Counter with Cipher-Block-Chaining Mode (CCM): Combines counter mode (for encryption) with CBC-MAC (for authentication).
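The five modes above, implemented over a stand-in block cipher so that their properties can be checked by running them. This is an added example and not code from the lecture notes: the 64-bit "block cipher" is a constructed toy Feistel network that merely plays the role of e_K / d_K and has no security value, and the key, IV and plaintext blocks are constructed inputs. The example shows that ECB repeats ciphertext blocks when plaintext blocks repeat, that CFB/OFB/CTR decrypt with e_K only, and how a single flipped ciphertext bit propagates in CBC.

```python
"""Modes of operation (ECB, CBC, CFB, OFB, CTR) over a toy block cipher.

Added example, not from the lecture notes. The 8-byte block cipher below is a
constructed 8-round Feistel toy used only so the modes can run offline; it has
no security value and stands in for e_K / d_K.
"""
import hashlib

MASK32 = 0xFFFFFFFF


def _subkeys(key: bytes):
    # Toy key schedule: 8 round subkeys derived by hashing the key with a counter.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(8)]


def _f(half: int, subkey: int) -> int:
    # Toy nonlinear round function on a 32-bit half (multiply, add, rotate).
    x = (half ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def e_K(key: bytes, block: bytes) -> bytes:
    """Toy block encryption: Feistel rounds (L, R) -> (R, L xor f(R, k))."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")


def d_K(key: bytes, block: bytes) -> bytes:
    """Toy block decryption: the same rounds with subkeys in reverse order."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Each mode takes and returns a list of 8-byte blocks.
def ecb_encrypt(key, blocks):                 # y_i = e_K(x_i)
    return [e_K(key, x) for x in blocks]


def cbc_encrypt(key, iv, blocks):             # y_i = e_K(x_i xor y_{i-1}), y_0 = IV
    out, prev = [], iv
    for x in blocks:
        prev = e_K(key, xor(x, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):             # x_i = d_K(y_i) xor y_{i-1}
    out, prev = [], iv
    for y in blocks:
        out.append(xor(d_K(key, y), prev))
        prev = y
    return out


def cfb_encrypt(key, iv, blocks):             # z_i = e_K(y_{i-1}), y_i = x_i xor z_i
    out, prev = [], iv
    for x in blocks:
        prev = xor(x, e_K(key, prev))
        out.append(prev)
    return out


def cfb_decrypt(key, iv, blocks):             # uses e_K only, never d_K
    out, prev = [], iv
    for y in blocks:
        out.append(xor(y, e_K(key, prev)))
        prev = y
    return out


def ofb_crypt(key, iv, blocks):               # z_i = e_K(z_{i-1}); encrypt == decrypt
    out, z = [], iv
    for x in blocks:
        z = e_K(key, z)
        out.append(xor(x, z))
    return out


def ctr_crypt(key, ctr, blocks):              # T_i = (ctr + i - 1) mod 2^64
    return [xor(x, e_K(key, ((ctr + i) % 2**64).to_bytes(8, "big")))
            for i, x in enumerate(blocks)]


def ecb_leaks_repeats(key, blocks):
    """True if equal plaintext blocks give equal ciphertext blocks under ECB
    but not under CBC (blocks[0] == blocks[1] is assumed)."""
    ecb, cbc = ecb_encrypt(key, blocks), cbc_encrypt(key, bytes(8), blocks)
    return ecb[0] == ecb[1] and cbc[0] != cbc[1]


def cbc_bitflip_effect(key, iv, blocks):
    """Flip one bit of y_0 and decrypt: x_0 is garbled, x_1 gets exactly the same
    single-bit flip, x_2 onward are intact. Returns (bits changed in x_1, x_2 intact)."""
    ct = cbc_encrypt(key, iv, blocks)
    ct[0] = ct[0][:-1] + bytes([ct[0][-1] ^ 0x01])
    pt = cbc_decrypt(key, iv, ct)
    diff_bits = sum(bin(a ^ b).count("1") for a, b in zip(pt[1], blocks[1]))
    return diff_bits, pt[2] == blocks[2]
```

The bit-flip experiment is the CBC property an attacker exploits when there is no MAC: a one-bit change in y_0 produces a controlled one-bit change in x_1 while the rest of the message still decrypts cleanly, which is why CCM pairs counter-mode encryption with CBC-MAC authentication.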
DES: 16-round "iterated cipher" / Feistel cipher
Prior to the 16 rounds of encryption there is a fixed initial permutation IP that is applied to the plaintext: IP(x) = L_0 R_0, M = (L_0, R_0), where length(L_0) = length(R_0) = n = 32.
Round function: g(L_{i-1}, R_{i-1}, K_i) = (L_i, R_i) where L_i = R_{i-1} and R_i = L_{i-1} ⊕ f(R_{i-1}, K_i), with f(·) a fixed nonlinear, non-invertible function.
The round is invertible regardless of f: (L_{i-1}, R_{i-1}) = g^{-1}(L_i, R_i, K_i) where R_{i-1} = L_i and L_{i-1} = R_i ⊕ f(L_i, K_i).
For decryption, each round block (SBB) is exactly the same as the one used in DES encryption, except that the round keys are applied in reverse order and the roles of R_i and L_i are swapped.
64-bit plaintext: IP(x) = (L_0, R_0); ciphertext c = IP^{-1}(R_16, L_16).
Round keys K_i (48 bits) are generated from the original 56-bit secret key using the key scheduling algorithm.
Everything in the DES structure (permutations, expansion, S-boxes, ...) is public (the adversary has access to it) except the round keys K_1, ..., K_16, i.e., the secret key.
Security depends on the nonlinearity of the S-boxes. Note that the S-box is the only nonlinear operation in DES. The design criteria of the S-boxes were not published at the time, and some suspected hidden trapdoors inside the S-boxes that would allow the NSA to decrypt messages while DES remained "secure" for everyone else. (The criteria were published by IBM in 1994; the S-boxes had been chosen to resist differential cryptanalysis.)
Solving for the key bits using plaintext-ciphertext pairs reduces to solving a system of algebraic equations mod 2 in the key variables, which is NP-hard in general. (This does not by itself prove that DES is hard to break: NP-hardness is a worst-case statement.)
Small key size (2^56 ≈ 7.2 × 10^16 keys) means that an exhaustive search IS POSSIBLE:
• The IBM Lucifer cryptosystem (a predecessor of DES) had a 128-bit key.
• Even in the 1970s, a machine with 10^6 chips could search the entire key space in about a day (the estimated price of such a machine, at the time, was $20M).
• At the Crypto '93 conference, it was argued that a machine costing $100K could find a DES key in about 1.5 days.
• In 1998 the Electronic Frontier Foundation built a machine costing $250K, called the DES Cracker, which found a DES key in 56 hours.
Lecture 7 (2/1/08)
Other than an exhaustive key search, there are two important attacks:
• Linear Cryptanalysis (Matsui): Known-plaintext attack using 2^43 plaintext-ciphertext pairs, all encrypted under the same (unknown) key. Note that this is not very practical, because it is unlikely that an adversary can acquire this many plaintext-ciphertext pairs.
• Differential Cryptanalysis (Biham and Shamir): A chosen-plaintext attack; against full 16-round DES it needs about 2^47 chosen plaintexts, so it is not as efficient as linear cryptanalysis.
Remark: A bit permutation is a linear operation: IP(x1) = y1, IP(x2) = y2 ⇒ IP(x1 ⊕ x2) = y1 ⊕ y2.
The permutations IP and IP^{-1} have no cryptographic significance (they are fixed, public permutation matrices that the adversary can undo).
SBB block (the round function f):
E is a LINEAR operation (E(x1 ⊕ x2) = E(x1) ⊕ E(x2)) that expands the bitstring R_{i-1} from 32 to 48 bits. The expansion E is specified by: R_{i-1} = (a1, a2, a3, ..., a32) ⇒ E(R_{i-1}) = (a32, a1, a2, a3, a4, a5, a4, a5, a6, ..., a31, a32, a1)
E-bit Selection Table:
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Let B = E(R_{i-1}) ⊕ K_i ⇒ B = B1, B2, ..., B8, where B has length 48 and each B_j is six bits.
There are 8 S-boxes denoted by S1, S2, ..., S8. Each S_j maps six bits to four bits: S_j: {0,1}^6 → {0,1}^4.
Each S_j can be shown as a 4×16 matrix whose entries are numbers 0-15 (2^4 possibilities). We note that each row of S_j is a permutation of 0-15.
Given a bitstring B_j = b1 b2 b3 b4 b5 b6, we compute S_j(B_j) as follows: the two outer bits b1 b6 determine the row r of S_j and the four inner bits b2 b3 b4 b5 determine the column c of S_j; S_j(B_j) is the entry in row r, column c, written as four bits.
For example, the first row (r = 0) of S1 is
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
so for B1 = 0 0010 0 (row 00 = 0, column 0010 = 2), S1(B1) = 13 = 1101.
Note that each S-box is different. The special arrangement of numbers in the S-boxes is one of many design criteria that were required of the S-boxes to prevent certain cryptanalytic attacks.
The permutation P within the SBB block is: P(c1, ..., c32) = (c16, c7, c20, c21, ...)
Permutation Table P:
16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25
The output of the round function is f(R_{i-1}, K_i) = P(S1(B1) S2(B2) ... S8(B8)).
Key Generation:
Original key = 64 bits, but the key is effectively 56 bits (every eighth bit is a parity bit and is discarded by PC-1).
PC-1 (selects the 56 key bits, permutes them and splits them into C_0, the first 28, and D_0, the last 28) and PC-2 (selects 48 of the 56 bits of C_i D_i to form K_i) are described as:
PC-1:
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
PC-2:
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
C_i = LS_i(C_{i-1}), D_i = LS_i(D_{i-1}), K_i = PC-2(C_i D_i), where LS_i is a cyclic shift to the left by 1 position for i = 1, 2, 9, 16 and by 2 positions otherwise.
Lecture 8 (2/4/08)
AES: Advanced Encryption Standard
In 1997, the National Institute of Standards and Technology (NIST) called for candidates to replace DES. New algorithms had to support keys of 128, 192 and 256 bits. They also had to work on a block size of 128 bits and on a variety of hardware, from 8-bit processors (smart cards) to the 32-bit architectures used in personal computers. Criteria for selection were:
1) Security 2) Cost (speed and memory on the target platforms)
Five finalists: MARS (from IBM), RC6 (from RSA), Rijndael (from J. Daemen and V. Rijmen) ** eventually chosen **, Serpent (from R. Anderson, E. Biham and L. Knudsen), Twofish (from B. Schneier, J. Kelsey, ...).
GF(256): Field with 256 elements (each element is represented by 8 bits, since 2^8 = 256).
Addition: bitwise XOR: (00010011) + (00001010) = (00011001).
Multiplication: multiply as polynomials over GF(2) and reduce modulo the irreducible polynomial p(x) = x^8 + x^4 + x^3 + x + 1 (the AES polynomial; it is irreducible but not primitive, so x itself does not generate the multiplicative group).
Example: A = x^4 + x + 1, B = x^3 + x. AB = (x^4 + x + 1)(x^3 + x) = x^7 + x^5 + x^4 + x^3 + x^2 + x, which already has degree less than 8, so r(x) = AB mod p(x) = x^7 + x^5 + x^4 + x^3 + x^2 + x (the byte 10111110 = 0xBE).
Basic Algorithm: (For simplicity, we restrict to 128-bit keys)
10 rounds. Each round has a key derived from the original key; the round-zero key is the original key.
There are four basic steps, called layers:
1. Byte Substitution Transformation: Nonlinear layer to resist linear and differential attacks.
2. Shift Row Transformation: Diffusion of the bits over multiple rounds.
3. Mix Column Transformation: Purpose similar to Shift Row (diffusion within each column).
4. Add Round Key: The round key is XORed with the result of the previous layer.
Rijndael Encryption (AES):
1. ARK using k0
2. Nine rounds of BS, SR, MC, ARK using round keys k1 to k9
3. Final round: BS, SR, ARK using k10 (no MC step in the last round)
Block diagram: 128-bit input (state a) → Byte Substitution (BS) → b → Shift Row (SR) → c → Mix Column (MC) → d → Add Round Key (ARK) → e, a 128-bit output; a, b, c, d, e denote the 4×4 state matrices between the layers.
The AES Layers:
The 128 bits are grouped into 16 bytes of 8 bits each and arranged (column by column) in a 4×4 matrix
$$\begin{bmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{bmatrix}, \qquad a_{ij} \in GF(256).$$
Elements of GF(256) are bytes consisting of 8 bits.
Note: Each nonzero element b has an inverse b' with bb' = 1.
Byte Substitution: Each byte of the matrix is replaced by another byte using the S-box, independently of its position. Write a byte as abcd efgh; the high nibble abcd selects the row and the low nibble efgh the column of the 16×16 S-box table:
$$b_{ij} = S(a_{ij}), \qquad \begin{bmatrix} b_{00} & b_{01} & b_{02} & b_{03} \\ b_{10} & b_{11} & b_{12} & b_{13} \\ b_{20} & b_{21} & b_{22} & b_{23} \\ b_{30} & b_{31} & b_{32} & b_{33} \end{bmatrix} = S\!\left(\begin{bmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{bmatrix}\right).$$
Shift Row: The four rows of the matrix are (byte-)shifted cyclically to the left by offsets of 0, 1, 2 and 3:
$$\begin{bmatrix} c_{00} & c_{01} & c_{02} & c_{03} \\ c_{10} & c_{11} & c_{12} & c_{13} \\ c_{20} & c_{21} & c_{22} & c_{23} \\ c_{30} & c_{31} & c_{32} & c_{33} \end{bmatrix} = \begin{bmatrix} b_{00} & b_{01} & b_{02} & b_{03} \\ b_{11} & b_{12} & b_{13} & b_{10} \\ b_{22} & b_{23} & b_{20} & b_{21} \\ b_{33} & b_{30} & b_{31} & b_{32} \end{bmatrix}.$$
Mix Column: D = TC where C is the output of Shift Row. POLYNOMIAL MULTIPLICATIONS in GF(256)!!! Each column of C is multiplied by the fixed matrix T:
$$\begin{bmatrix} d_{00} & d_{01} & d_{02} & d_{03} \\ d_{10} & d_{11} & d_{12} & d_{13} \\ d_{20} & d_{21} & d_{22} & d_{23} \\ d_{30} & d_{31} & d_{32} & d_{33} \end{bmatrix} = \underbrace{\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}}_{T} \begin{bmatrix} c_{00} & c_{01} & c_{02} & c_{03} \\ c_{10} & c_{11} & c_{12} & c_{13} \\ c_{20} & c_{21} & c_{22} & c_{23} \\ c_{30} & c_{31} & c_{32} & c_{33} \end{bmatrix}$$
(the entries 1, 2, 3 are the field elements 01, 02, 03, i.e., the polynomials 1, x and x + 1).
Round Key Addition:
$$\begin{bmatrix} e_{00} & e_{01} & e_{02} & e_{03} \\ e_{10} & e_{11} & e_{12} & e_{13} \\ e_{20} & e_{21} & e_{22} & e_{23} \\ e_{30} & e_{31} & e_{32} & e_{33} \end{bmatrix} = \begin{bmatrix} d_{00} & d_{01} & d_{02} & d_{03} \\ d_{10} & d_{11} & d_{12} & d_{13} \\ d_{20} & d_{21} & d_{22} & d_{23} \\ d_{30} & d_{31} & d_{32} & d_{33} \end{bmatrix} \oplus \begin{bmatrix} k_{00} & k_{01} & k_{02} & k_{03} \\ k_{10} & k_{11} & k_{12} & k_{13} \\ k_{20} & k_{21} & k_{22} & k_{23} \\ k_{30} & k_{31} & k_{32} & k_{33} \end{bmatrix}.$$
Construction of the S-box (within Byte Substitution): x → y = x^{-1} in GF(256), to achieve nonlinearity, followed by an affine map over GF(2).
Start with a byte [x7 ... x0] ∈ GF(256) (x_i is a bit). Compute its inverse in GF(256) (if the byte is zero, keep zero). The resulting byte is [y7 ... y0] (y_i is a bit). Then
$$\begin{bmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{bmatrix} = \begin{bmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{bmatrix} \begin{bmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{bmatrix} + \begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}$$
* Arithmetic in GF(2)! For example, z_0 = y_0 + y_4 + y_5 + y_6 + y_7 + 1 mod 2.
* Z = [z7 ... z0] is the S-box output (the constant vector is the byte 01100011 = 0x63).
Remark: The matrix is chosen for its simplicity. The whole S-box is computed once offline and used as a 256-entry lookup table; its inverse is a second table.
The constant vector was chosen such that no input ever equals its S-box output or the complement of its S-box output (no fixed points and no "opposite" fixed points).
Key Schedule: [w(0) | w(1) | w(2) | w(3) | ... | w(43)]
Each w(n) is a column vector of length 4 (4 bytes, 32 bits).
Original 128-bit key = [w(0) | w(1) | w(2) | w(3)].
Suppose we know the columns up through w(n-1). Then
$$w(n) = \begin{cases} w(n-4) \oplus w(n-1) & \text{if } n \not\equiv 0 \pmod 4 \\ w(n-4) \oplus T'(w(n-1)) & \text{if } n \equiv 0 \pmod 4 \end{cases}$$
where T'(w(n-1)) is obtained as follows. Write w(n-1) = [a, b, c, d]^T (four bytes).
1. Cyclic shift: [a, b, c, d]^T → [b, c, d, a]^T
2. Apply the S-box of the BS step to each byte: → [e, f, g, h]^T
3. Compute the round constant r(n) = 2^{(n-4)/4} = x^{(n-4)/4} in GF(256) (arithmetic in GF(256); (n-4)/4 is an integer because 4 | n)
4. Then
$$T'(w(n-1)) = \begin{bmatrix} e \oplus r(n) \\ f \\ g \\ h \end{bmatrix}.$$
The round key for the i-th round is [w(4i) | w(4i+1) | w(4i+2) | w(4i+3)].
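The GF(256) arithmetic, the S-box construction (inverse followed by the affine map), one Mix Column step and the 128-bit key schedule above, in Python. This is an added example and not code from the lecture notes or from any AES library; the constants are the FIPS-197 values described above. The 128-bit key 2b7e1516 28aed2a6 abf71588 09cf4f3c and the column (db, 13, 53, 45) are constructed sample inputs; the S-box is built from scratch rather than typed in, so the "no fixed point" property can be checked directly.

```python
"""AES building blocks: GF(2^8) arithmetic, S-box construction, MixColumn and
the 128-bit key expansion, following the layer descriptions in the notes.

Added example, not from the lecture notes. Sample key and column are
constructed inputs; the round constants follow r(n) = x^((n-4)/4).
"""
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing mod the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^-1 = a^254 (since a^255 = 1 for a != 0, by Lagrange); 0 is mapped to 0."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def sbox_byte(x: int) -> int:
    """S(x): invert in GF(256), then z_i = y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + c_i
    (indices mod 8, arithmetic in GF(2)), with the constant byte c = 0x63."""
    y = gf_inv(x)
    bit = lambda v, i: (v >> i) & 1
    z = 0
    for i in range(8):
        zi = (bit(y, i) ^ bit(y, (i + 4) % 8) ^ bit(y, (i + 5) % 8)
              ^ bit(y, (i + 6) % 8) ^ bit(y, (i + 7) % 8) ^ bit(0x63, i))
        z |= zi << i
    return z


SBOX = [sbox_byte(x) for x in range(256)]       # the offline lookup table


def mix_column(col: list) -> list:
    """Multiply one 4-byte column by T = [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]]."""
    a0, a1, a2, a3 = col
    return [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
            a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
            a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
            gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]


def key_expansion(key: bytes) -> list:
    """Return w(0..43) for a 128-bit key, each word a list of 4 bytes."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1                                    # r(4) = x^0 = 1
    for n in range(4, 44):
        t = list(w[n - 1])
        if n % 4 == 0:
            t = t[1:] + t[:1]                   # cyclic shift [a,b,c,d] -> [b,c,d,a]
            t = [SBOX[v] for v in t]            # S-box on each byte -> [e,f,g,h]
            t[0] ^= rcon                        # e xor r(n)
            rcon = gf_mul(rcon, 2)              # r(n+4) = r(n) * x
        w.append([p ^ q for p, q in zip(w[n - 4], t)])
    return w


def round_key(w: list, i: int) -> list:
    """Round key i = [w(4i) | w(4i+1) | w(4i+2) | w(4i+3)]."""
    return w[4 * i:4 * i + 4]
```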
Decryption:
1. Inverse of Byte Substitution (IBS): the S-box is one-to-one; use another lookup table.
2. Inverse of Shift Row (ISR): shift the rows to the right.
3. Inverse of Mix Column (IMC): the matrix T was chosen to be invertible over GF(256); multiply by T^{-1}.
4. Add Round Key (ARK): its own inverse.
Encryption / Decryption Steps:
Encryption step         Key   | Straightforward decryption   Key   | IBS and ISR swapped          Key   | Decryption in encryption form   Key
ARK                     K0    | ARK, ISR, IBS                K10   | ARK                          K10   | ARK                             K10
BS, SR, MC, ARK         K1    | ARK, IMC, ISR, IBS           K9    | IBS, ISR, ARK, IMC           K9    | IBS, ISR, IMC, ARK              K'9
...                     ...   | ...                          ...   | ...                          ...   | ...                             ...
BS, SR, MC, ARK         K9    | ARK, IMC, ISR, IBS           K1    | IBS, ISR, ARK, IMC           K1    | IBS, ISR, IMC, ARK              K'1
BS, SR, ARK             K10   | ARK                          K0    | IBS, ISR, ARK                K0    | IBS, ISR, ARK                   K0
To write decryption so that it looks like encryption: BS and SR commute (BS acts byte by byte, SR only moves bytes) ⇒ IBS and ISR commute.
Also, applying MC and then ARK to a matrix C: C →(MC) TC →(ARK) E = TC + K.
Now applying IMC and then ARK with a modified key K' to E: E →(IMC) T^{-1}E →(ARK) T^{-1}E + K'.
We need T^{-1}(TC + K) + K' = C, i.e., T^{-1}K + K' = 0. Thus K' = T^{-1}K (over GF(2), + and − coincide).
Thus encryption and decryption can be performed using identical hardware (with different lookup tables, shift directions, and keys/key order).
Preliminaries to Public Key Encryption
Set: Arbitrary collection of elements. Sets can be finite or infinite.
Cardinality / Order: The number of objects contained in the set, |S|.
Group: A group is a set G together with an operation '·' that satisfies:
1. Closure: a · b ∈ G for all a, b ∈ G
2. Associativity: (a · b) · c = a · (b · c) for all a, b, c ∈ G
3. Identity: there is a unique e ∈ G such that a · e = e · a = a for all a ∈ G
4. Inverse: for every a ∈ G there is a unique a^{-1} ∈ G such that a · a^{-1} = a^{-1} · a = e
A group is said to be commutative (abelian) if for all a, b ∈ G: a · b = b · a.
We are interested in finite groups.
Ex: The set of integers forms a group under '+' (addition). The set of integers does NOT form a group under '*' (multiplication), because zero (and in fact every integer other than ±1) does not have an inverse.
Theorem: The equivalence classes {0, 1, 2, ..., m-1} form a commutative group of order m under modulo-m integer addition, for any positive integer m.
Proof: Verify that the conditions hold.
Remark: {0, 1, ..., m-1} is not a group under modulo-m multiplication (the element 0 has no inverse).
Theorem: The set S = {1, 2, 3, ..., p-1} forms an abelian group of order p-1 under modulo-p multiplication if p is a prime.
Proof: Commutativity / associativity / identity are easy to verify even if p is not prime. Closure / inverses are met only if p is prime.
If p is not prime, there exist m, n ∈ S with 1 < m, n < p and m·n ≡ 0 mod p (closure is violated). If p IS prime, no two such a, b exist, since p | ab implies p | a or p | b.
To show the existence of inverses, let x be any element of S.
• Verify that {x·1, x·2, ..., x·(p-1)} mod p are all distinct:
• Otherwise x·y ≡ x·z mod p ⇒ x·(y - z) ≡ 0 mod p, which is impossible for 0 < |y - z| < p and p prime.
• Thus {x·1, x·2, ..., x·(p-1)} are p-1 distinct elements of S, hence one of them must equal the identity 1; the corresponding factor is x^{-1}.
Subgroup: A subset H of a group G is called a subgroup if it has the following properties:
a) Closure b) Identity c) Inverses
Note that the remaining properties of G (associativity, and commutativity if G is abelian) are naturally inherited by H.
Lecture 9 (2/8/08)
Order of a group element: Let G be a group under '·' and g ∈ G; denote g^2 = g · g, g^3 = g · g · g, and so on.
The order of g is the smallest positive integer ord(g) such that g^{ord(g)} = e (e: identity of G).
Ex: S = {1, 2, 3, 4} is a group under mod-5 multiplication. The identity is 1.
Element   Order
1         1
2         4
3         4
4         2
Remark: Let G be a finite group and a ∈ G. Consider {a, a^2, a^3, ..., a^m, ..., a^n, ...} ⊆ G. Since the cardinality of this set is ≤ |G|, a^m = a^n for some m and n (n > m). Thus e = (a^m) · (a^m)^{-1} = a^n · (a^m)^{-1} = a^{n-m}, so in any finite group every element a has a finite order.
Remark: If G is a group and H ⊆ G, then H is called a subgroup of G if H is also a group under the same operation as G.
Lagrange's Theorem: If G is a finite group and H is a subgroup of G, then |H| divides |G|.
Remark: Let G be a finite group, a ∈ G and ord(a) = k. Then H = {e, a, a^2, ..., a^{k-1}} ⊆ G is a subgroup of G. Since |H| = k divides |G|, we conclude k | |G|, meaning that the order of any element of G must divide the order of the group, |G|.
Remark: The trivial subgroups of G are G itself and {e}.
Cyclic Group: A group H is called cyclic if there exists g ∈ H such that every b ∈ H can be written as b = g^i for some integer i. We write H = <g> and call g a generator of H. The subgroup H = {e, a, a^2, ..., a^{k-1}} above is cyclic, generated by a.
Remark (p, q primes; x, y, z integers):
If p | xy then p | x OR p | y.
If p | x and q | x with p ≠ q (more generally, with gcd(p, q) = 1) then pq | x.
If z ≡ x mod p and z ≡ x mod q with gcd(p, q) = 1, then z ≡ x mod pq.
Continued Fraction Expansion / Euclidean Algorithm (computing gcd(a, b) with a > b > 0)
Note that this can be used to test for the EXISTENCE of an inverse, because a has an inverse mod n if and only if gcd(a, n) = 1.
Consider gcd(a, b) where a > b > 0:
$$\begin{aligned} a &= q_0 b + r_0 \\ b &= q_1 r_0 + r_1 \\ r_0 &= q_2 r_1 + r_2 \\ &\;\;\vdots \\ r_{n-3} &= q_{n-1} r_{n-2} + r_{n-1} \\ r_{n-2} &= q_n r_{n-1} + r_n, \qquad r_n = 0 \end{aligned}$$
Note that r_i < r_{i-1}, and that a, b, q_i and r_i are all non-negative integers.
Then r_{n-1} = gcd(r_{n-2}, r_{n-1}) = gcd(r_{n-3}, r_{n-2}) = ... = gcd(a, b).
Dividing each equation by its divisor (a by b, then b by r_0, and so on):
$$\frac{a}{b} = q_0 + \frac{r_0}{b} = q_0 + \cfrac{1}{\;b/r_0\;} = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2 + \cfrac{1}{\ddots + \cfrac{1}{q_n}}}}$$
A simple continued fraction is an expression of this form (CFE). We call the q's the partial quotients of the CFE and write it as <q_0, q_1, ..., q_n>.
Consider <q_0, q_1, ..., q_n>. We define c_m = <q_0, ..., q_m>, m ≤ n, the m-th convergent of the CFE.
Ex: 0th convergent c_0 = <q_0> = q_0; 1st convergent c_1 = <q_0, q_1> = q_0 + 1/q_1; ...; c_n = <q_0, q_1, ..., q_n> = a/b.
Theorem 1: Let A_{-2} = 0, A_{-1} = 1, B_{-2} = 1, B_{-1} = 0 and define, for k = -1, 0, 1, 2, ...,
$$A_{k+1} = q_{k+1} A_k + A_{k-1}, \qquad B_{k+1} = q_{k+1} B_k + B_{k-1}.$$
Then c_m = <q_0, ..., q_m> = A_m / B_m. (Note that c_m is the CFE of some pair (a, b).) Proof: By induction.
Theorem 2: A_k B_{k-1} - B_k A_{k-1} = (-1)^{k+1}. Proof: By induction.
Linear Diophantine Equation (computing a^{-1} mod n)
Let a, b, c ∈ Z^+. Consider ax + by = c (*). We want x, y ∈ Z such that (*) holds.
Ex: 5x - 3y = 1 ⇒ x = 2, y = 3. 9x - 6y = 2 ⇒ since gcd(9, 6) = 3 ∤ 2, no solution is possible.
Thus a necessary (and, as shown below, sufficient) condition for (*) to be solvable is that gcd(a, b) | c.
Remark: An equation such as 4x - 6y = -8 can be rewritten as (-x)·4 + (y)·6 = 8 (all positive coefficients).
Given ax + by = c, let d = gcd(a, b). Then
$$\frac{a}{d} x + \frac{b}{d} y = \frac{c}{d} \;\Rightarrow\; a'x + b'y = c' \quad \text{with } \gcd(a', b') = 1.$$
a'/b' = <q_0, q_1, ..., q_n> can be found using the CFE (Euclidean algorithm).
Let A_i, B_i be generated per Theorem 1. Then a'/b' = A_n/B_n, where A_n B_{n-1} - B_n A_{n-1} = (-1)^{n+1} (Theorem 2); since gcd(A_n, B_n) = 1 and gcd(a', b') = 1, A_n = a' = a/d and B_n = b' = b/d. Hence
$$\begin{aligned} a' B_{n-1} - b' A_{n-1} &= (-1)^{n+1} \\ a' \,(-1)^{n+1} c' B_{n-1} + b' \,(-1)^{n} c' A_{n-1} &= c' \\ a \,(-1)^{n+1} c' B_{n-1} + b \,(-1)^{n} c' A_{n-1} &= c \qquad (\text{multiplying by } d). \end{aligned}$$
Setting x_0 = (-1)^{n+1} c' B_{n-1} and y_0 = (-1)^n c' A_{n-1} gives one solution of (*). (Computing x_0, y_0 this way is the Extended Euclidean Algorithm.)
Note that if ax_0 + by_0 = c and ax + by = c, then a(x - x_0) = -b(y - y_0), i.e., a'(x - x_0) = -b'(y - y_0); since gcd(a', b') = 1, b' | (x - x_0) and a' | (y - y_0). Thus the general solution of (*) is
$$x = x_0 - \frac{b}{d}\, t, \qquad y = y_0 + \frac{a}{d}\, t \qquad (t \text{ an arbitrary integer}).$$
This can be used to solve for the inverse of a number mod n: since a·a^{-1} ≡ 1 mod n, a·a^{-1} = kn + 1 ⇒ a·(a^{-1}) + n·(-k) = 1. So solve ax + ny = 1 and take a^{-1} = x mod n (and y = -k).
Lecture 10 (2/14/08)
System of Congruences (a.k.a. Chinese Remainder Theorem (CRT))
Theorem: Suppose m_1, m_2, ..., m_r are pairwise relatively prime positive integers and a_1, a_2, ..., a_r are integers. Then the system of r congruences
$$x \equiv a_i \pmod{m_i}, \qquad 1 \le i \le r,$$
has a unique solution modulo M = m_1 m_2 ... m_r, which is given by
$$x \equiv \sum_{i=1}^{r} a_i M_i y_i \pmod M, \qquad \text{where } M_i = \frac{M}{m_i} \text{ and } y_i \equiv M_i^{-1} \pmod{m_i} \text{ for } 1 \le i \le r.$$
Proof: Define π: Z_M → Z_{m_1} × Z_{m_2} × ... × Z_{m_r} by π(x) = (x mod m_1, x mod m_2, ..., x mod m_r). |Range| = m_1 m_2 m_3 ... = M = |Domain|. We need to prove that π is bijective (one-to-one and onto) and find the inverse of π.
For 1 ≤ i ≤ r: M_i = M/m_i and gcd(M_i, m_i) = 1 (because the m_j are pairwise coprime).
Define y_i ≡ M_i^{-1} mod m_i (y_i exists because gcd(M_i, m_i) = 1). Thus M_i y_i ≡ 1 mod m_i.
Define P: Z_{m_1} × Z_{m_2} × ... × Z_{m_r} → Z_M by
$$P(a_1, a_2, \ldots, a_r) = \sum_{i=1}^{r} a_i M_i y_i \bmod M.$$
Show P = π^{-1}: Define x = P(a_1, a_2, ..., a_r) and let 1 ≤ j ≤ r.
If i ≠ j: a_i M_i y_i ≡ 0 mod m_j, since m_j | M_i for i ≠ j.
If i = j: a_j M_j y_j ≡ a_j mod m_j.
Thus
$$x \equiv \sum_{i=1}^{r} a_i M_i y_i \equiv a_j \pmod{m_j} \;\Rightarrow\; x \text{ is a solution.}$$
Now we need to show that x is unique. The function π maps a domain of cardinality M to a range of cardinality M. By finding the solution x for every system of r congruences, we have shown that π is surjective (onto). Since the domain and range have the same cardinality, π must also be injective. Therefore π is bijective.
Example: r = 3, m_1 = 7, m_2 = 11, m_3 = 13. Then M = m_1 m_2 m_3 = 1001. Compute M_1 = 143, M_2 = 91, M_3 = 77.
Then y_1 = 143^{-1} mod 7 = 5, y_2 = 91^{-1} mod 11 = 4, y_3 = 77^{-1} mod 13 = 12, and
π^{-1}(a_1, a_2, a_3) = 715 a_1 + 364 a_2 + 924 a_3 mod 1001.
If x ≡ 5 mod 7, x ≡ 3 mod 11 and x ≡ 10 mod 13, then x = 715·5 + 364·3 + 924·10 mod 1001 = 13907 mod 1001 = 894.
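The continued-fraction form of the Euclidean algorithm, the extended Euclidean algorithm built from the convergents (Theorems 1 and 2), the general solution of a linear Diophantine equation, the modular inverse, and the CRT formula, all in one Python example. This is added code, not from the lecture notes; it follows the notes' recursion $A_{k+1} = q_{k+1}A_k + A_{k-1}$, $B_{k+1} = q_{k+1}B_k + B_{k-1}$ and the formula $x = \sum a_i M_i y_i \bmod M$. The inputs used in the test (5x - 3y = 1, 9x - 6y = 2, the moduli 7, 11, 13) are the notes' own examples.

```python
"""Euclid via continued fractions, extended Euclid from the convergents,
linear Diophantine equations, modular inverse and the Chinese Remainder Theorem.

Added example, not from the lecture notes.
"""


def partial_quotients(a: int, b: int) -> list:
    """CFE <q0, q1, ..., qn> of a/b, i.e. the quotients of the Euclidean algorithm."""
    qs = []
    while b:
        q, r = divmod(a, b)
        qs.append(q)
        a, b = b, r
    return qs


def convergents(qs: list) -> list:
    """(A_k, B_k) for k = 0..n, from A_{-2}=0, A_{-1}=1, B_{-2}=1, B_{-1}=0 (Theorem 1)."""
    A_prev2, A_prev1, B_prev2, B_prev1 = 0, 1, 1, 0
    out = []
    for q in qs:
        A, B = q * A_prev1 + A_prev2, q * B_prev1 + B_prev2
        out.append((A, B))
        A_prev2, A_prev1, B_prev2, B_prev1 = A_prev1, A, B_prev1, B
    return out


def extended_euclid(a: int, b: int):
    """Return (d, x, y) with a*x + b*y = d = gcd(a, b), using
    A_n B_{n-1} - B_n A_{n-1} = (-1)^(n+1) (Theorem 2) and A_n = a/d, B_n = b/d."""
    if b == 0:
        return a, 1, 0
    qs = partial_quotients(a, b)
    conv = convergents(qs)
    n = len(qs) - 1
    A_n, _ = conv[n]
    A_prev, B_prev = conv[n - 1] if n >= 1 else (1, 0)   # A_{-1} = 1, B_{-1} = 0
    d = a // A_n
    x = (-1) ** (n + 1) * B_prev
    y = (-1) ** n * A_prev
    return d, x, y


def solve_diophantine(a: int, b: int, c: int):
    """Solutions of a*x + b*y = c as (x0, y0, dx, dy): x = x0 + dx*t, y = y0 + dy*t,
    with dx = -b/d, dy = a/d. Returns None when gcd(a, b) does not divide c."""
    d, x, y = extended_euclid(abs(a), abs(b))
    if c % d:
        return None
    x, y = (x if a > 0 else -x), (y if b > 0 else -y)     # restore the signs of a, b
    k = c // d
    return x * k, y * k, -b // d, a // d


def mod_inverse(a: int, n: int) -> int:
    """a^-1 mod n from a*x + n*y = 1; raises if gcd(a, n) != 1."""
    d, x, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return x % n


def crt_coefficients(moduli: list) -> list:
    """M_i * y_i mod M for each modulus, so that x = sum(a_i * coeff_i) mod M."""
    M = 1
    for m in moduli:
        M *= m
    return [(M // m) * mod_inverse(M // m, m) % M for m in moduli]


def crt(residues: list, moduli: list):
    """Solve x = a_i mod m_i (pairwise coprime m_i); returns (x, M)."""
    coeffs = crt_coefficients(moduli)
    M = 1
    for m in moduli:
        M *= m
    return sum(a * c for a, c in zip(residues, coeffs)) % M, M
```

The Diophantine solver handles negative coefficients by running Euclid on |a|, |b| and restoring the signs afterwards, which is how 5x - 3y = 1 fits the positive-coefficient form (*) used in the derivation; the notes' solution (2, 3) is the t = 1 member of the returned family.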
Elementary Number Theory: Z_m^* = { r ∈ Z_m : gcd(r, m) = 1 } (the reduced set of residues mod m).
Define the multiplication operation on Z_m^* as r · s = rs mod m.
Claim: Z_m^* forms an abelian group under mod-m multiplication. It is a finite group of order φ(m), where φ is the Euler phi function.
Inverse: Given r ∈ Z_m^*, there exists a unique s ∈ Z_m^* such that r·s ≡ 1 mod m, because gcd(r, m) = 1. One can solve for s (and y) using the Diophantine equation rs + my = 1, which is solvable since gcd(r, m) = 1; reducing mod m gives rs ≡ 1 mod m.
Closure: a·b is relatively prime to m whenever a and b are relatively prime to m.
Euler's Theorem: If a ∈ Z_m^* then a^{φ(m)} ≡ 1 mod m. (This follows from Lagrange's theorem: ord(a) divides |Z_m^*| = φ(m).)
Primitive Roots: g is a primitive root mod m if Z_m^* = <g> (i.e., ord(g) = φ(m)).
Example: Let m = 7 and g = 3 (then Z_7^* = {1, 2, 3, 4, 5, 6}).
Compute: g^1 ≡ 3, g^2 ≡ 2, g^3 ≡ 6, g^4 ≡ 4, g^5 ≡ 5, g^6 ≡ 1 (mod 7). Then Z_7^* = <3>.
Theorem: The only integers m which can have primitive roots are 2, 4, p^n and 2p^n, where n is a positive integer and p is any ODD PRIME.
Theorem: If m has a primitive root, then it has φ(φ(m)) primitive roots.
Example: m = 7, φ(7) = 6, φ(6) = 2. There are only 2 primitive roots: 3 and 5 (3^6 ≡ 5^6 ≡ 1 mod 7, and no smaller positive power of 3 or 5 is 1).
Fermat's Theorem: Suppose p is a prime and b ∈ Z_p. Then b^p ≡ b mod p.
Proof: If p is prime, then φ(p) = p - 1. So for b ≢ 0 mod p, by the previous result (Euler's theorem) b^{p-1} ≡ 1 mod p ⇒ b^p ≡ b mod p.
Note that for b ≡ 0 mod p, b^p ≡ b mod p is trivially true.
Theorem: If p is prime, then Z_p^* is a cyclic group.
Primitive Element: An element α having order p - 1 is called a primitive element modulo p (p prime).
Note that α is a primitive element IFF {α^i : i = 0, 1, ..., p-2} = Z_p^*.
If β ∈ Z_p^* then β = α^i for some 0 ≤ i ≤ p - 2. It can be shown that
$$\mathrm{ord}(\beta) = \frac{p-1}{\gcd(p-1,\, i)}.$$
Thus β is itself primitive iff gcd(p - 1, i) = 1.
Therefore, the number of primitive elements in Z_p^* is φ(p - 1) (the number of i in 0, ..., p-2 with gcd(p - 1, i) = 1).
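Orders, Lagrange's theorem, Euler's and Fermat's theorems and primitive roots, checked by brute force in Python. This is an added example and not code from the lecture notes; it computes ord(g) directly by repeated multiplication, which is fine for the small moduli used here (7, 9, 11, 15 are constructed test inputs) but not for cryptographic sizes, where the order is found from the factorization of φ(m) instead.

```python
"""Element orders, primitive roots and the theorems about Z_m^*.

Added example, not from the lecture notes. Intended for small moduli only:
orders are computed by brute force.
"""
from math import gcd


def units(m: int) -> list:
    """Z_m^* = { r in Z_m : gcd(r, m) = 1 } for m > 1."""
    return [r for r in range(1, m) if gcd(r, m) == 1]


def phi(m: int) -> int:
    """Euler phi function = |Z_m^*|."""
    return len(units(m))


def order(g: int, m: int) -> int:
    """Smallest k >= 1 with g^k = 1 mod m; g must be a unit mod m."""
    if gcd(g, m) != 1:
        raise ValueError(f"{g} is not a unit mod {m}")
    k, x = 1, g % m
    while x != 1:
        x = (x * g) % m
        k += 1
    return k


def primitive_roots(m: int) -> list:
    """Generators of Z_m^*: elements of order phi(m)."""
    n = phi(m)
    return [g for g in units(m) if order(g, m) == n]


def lagrange_and_euler_hold(m: int) -> bool:
    """ord(a) | phi(m) and a^phi(m) = 1 mod m for every unit a (Lagrange, Euler)."""
    n = phi(m)
    return all(n % order(a, m) == 0 and pow(a, n, m) == 1 for a in units(m))


def fermat_holds(p: int) -> bool:
    """b^p = b mod p for all b in Z_p (including b = 0)."""
    return all(pow(b, p, p) == b for b in range(p))


def order_of_power(alpha: int, i: int, p: int) -> int:
    """ord(alpha^i) for alpha a primitive element mod prime p; equals (p-1)/gcd(p-1, i)."""
    return order(pow(alpha, i, p), p)


def powers_table(g: int, m: int) -> list:
    """[g^1, g^2, ..., g^ord(g)] mod m, as in the m = 7, g = 3 example."""
    return [pow(g, k, m) for k in range(1, order(g, m) + 1)]
```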
Public Key Cryptography
Design a cryptosystem where it is computationally infeasible to determine d_k given e_k.
Everybody can send an encrypted message to Bob using e_k(x). However, only Bob can decrypt the cipher using his secret decryption rule.
A public key system is like a trapdoor one-way function.
One-Way Function: 1) Encryption is very easy to compute. 2) The function is hard to invert (without the trapdoor).
There are several functions that are believed to be one-way. But we don't have any proof that any function is one-way.
RSA (1977) Rivest, Shamir, Adleman
Let n = pq, where p and q are distinct primes. Let P = C = Z_n.
Define K = { (n, p, q, a, b) : n = pq; p, q prime; ab ≡ 1 mod φ(n) }. b, n: public | p, q, a: private.
For K = (n, p, q, a, b) define: y = e_K(x) = x^b mod n (Encryption); x = d_K(y) = y^a mod n (Decryption).
Verify decryption: ab ≡ 1 mod φ(n) ⇒ ab = t φ(n) + 1 for some integer t (1).
Assume x ∈ Z_n^*. Then (x^b)^a = x^{tφ(n)+1} = (x^{φ(n)})^t x ≡ 1^t x ≡ x mod n by Euler's theorem.
In general (any x ∈ Z_n): since p and q are prime, φ(n) = φ(pq) = φ(p)φ(q) = (p-1)(q-1). Working mod p, (x^b)^a = x^{t(p-1)(q-1)+1} = x·(x^{p-1})^{t(q-1)}. If p ∤ x, Fermat's theorem gives x^{p-1} ≡ 1 mod p, so (x^b)^a ≡ x·1^{t(q-1)} ≡ x mod p; if p | x, both sides are ≡ 0 mod p. By similar reasoning (x^b)^a ≡ x mod q. Since (x^b)^a ≡ x mod p and (x^b)^a ≡ x mod q with gcd(p, q) = 1, (x^b)^a ≡ x mod n.
Implementing RSA:
1. Bob generates two large primes p, q.
2. Bob computes n = pq and φ(n) = (p-1)(q-1).
3. Bob chooses a random b (1 < b < φ(n)) such that gcd(b, φ(n)) = 1.
4. Bob computes a = b^{-1} mod φ(n) using the EEA.
5. Bob publishes n and b in a directory as his public key.
It is obvious that if one can factor n, he/she can find p, q ⇒ φ(n) ⇒ a, which is needed for decryption. It is conjectured that breaking RSA is polynomially equivalent to factoring n, but this remains unproved.
Security: n = pq must be VERY large. It must be computationally infeasible to factor n.
Factorization:
With the factoring algorithms available when these notes were written, general-purpose methods had factored numbers of about 130 decimal digits (RSA-130, 1996); 512-bit moduli (155 digits) were factored in 1999 and 768-bit moduli in 2009.
A 512-bit RSA modulus ⇒ about 155 decimal digits ⇒ does not offer good long-term security (moduli of at least 2048 bits are recommended today).
Computational Complexity:
Encryption: x^b mod n. The most efficient hardware implementation of RSA at the time achieved encryption rates of 600 kbit/s with 512-bit moduli, compared to 1 Gbit/s for DES ⇒ RSA is about 1500 times slower than DES. As a result, RSA is typically used only to exchange a symmetric (e.g., AES) key; AES is then used to encrypt the messages.
Using repeated squaring (square-and-multiply): O(k^2 l) ⊆ O(k^3) bit operations, where k = length(n) and l = length(b) in bits. Without this algorithm, each multiplication (xy mod n) takes O(k^2) and we would have to do it b times; since b can be as large as 2^k, this gives O(2^k k^2), which is exponential.
Step 1 (generating primes): will be discussed later.
Step 2: order of complexity is O((log n)^2) = O(k^2).
Steps 3 and 4: gcd(r_0, r_1) and the inverse via the EEA. Dividing r_0 by r_1 (one CFE step) has complexity O((log r_0)^2).
We need an upper bound on the number of CFE iterations, s, required to reach a zero remainder. Lamé's Theorem: If s is the number of iterations, then f_{s+2} < r_0, where f_i is the i-th Fibonacci number (f_{n+1} = f_n + f_{n-1}).
Since
$$f_n = \frac{\alpha^n - \alpha'^n}{\sqrt{5}} \approx \frac{1}{\sqrt{5}} \left(\frac{1+\sqrt{5}}{2}\right)^n, \qquad \alpha = \frac{1+\sqrt{5}}{2}, \quad \alpha' = \frac{1-\sqrt{5}}{2},$$
it follows that s = O(log r_0).
Therefore Euclid's algorithm has complexity O((log n)^3) with this crude bound. In practice (with a more careful accounting of the division costs) it is only O((log n)^2).
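Textbook RSA following the five setup steps above, with the square-and-multiply exponentiation from the complexity discussion, as an added Python example that is not code from the lecture notes. The primes p = 104729, q = 999983 and exponent b = 65537 are constructed inputs chosen small enough to run instantly (real moduli are 2048 bits or more). Besides the round trip, the example checks three things the text argues: decryption works even for x with gcd(x, n) = p, knowing one factor of n recovers the private exponent, and textbook RSA is multiplicatively malleable (e(x1)·e(x2) = e(x1 x2)), which is why padding is mandatory in practice.

```python
"""Textbook RSA with square-and-multiply, following the setup steps in the notes.

Added example, not from the lecture notes. The primes and exponent used by the
test are small constructed inputs; unpadded RSA as shown here is malleable and
must not be used as-is.
"""
from math import gcd


def modexp(x: int, e: int, n: int) -> int:
    """Square-and-multiply: one squaring per bit of e, each O(len(n)^2) bit ops,
    hence O(k^2 l) overall instead of e multiplications."""
    result, base = 1, x % n
    while e > 0:
        if e & 1:
            result = (result * base) % n
        base = (base * base) % n
        e >>= 1
    return result


def is_prime_trial(n: int) -> bool:
    """Trial division; adequate for the toy sizes in this example only."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p: int, q: int, b: int):
    """Steps 1-5: returns public key (n, b) and private key (n, p, q, a)."""
    assert p != q and is_prime_trial(p) and is_prime_trial(q)     # step 1
    n, phi = p * q, (p - 1) * (q - 1)                               # step 2
    assert 1 < b < phi and gcd(b, phi) == 1                         # step 3
    a = pow(b, -1, phi)                                             # step 4: b^-1 mod phi(n) (EEA)
    return (n, b), (n, p, q, a)                                     # step 5: publish (n, b)


def rsa_encrypt(pub, x: int) -> int:
    n, b = pub
    assert 0 <= x < n
    return modexp(x, b, n)


def rsa_decrypt(priv, y: int) -> int:
    n, _, _, a = priv
    return modexp(y, a, n)


def recover_private_exponent(n: int, b: int, p: int) -> int:
    """Factoring attack: one prime factor of n gives phi(n) and hence a."""
    q = n // p
    assert p * q == n
    return pow(b, -1, (p - 1) * (q - 1))


def is_malleable(pub, x1: int, x2: int) -> bool:
    """Textbook RSA: e(x1) * e(x2) mod n == e(x1 * x2 mod n)."""
    n, _ = pub
    return (rsa_encrypt(pub, x1) * rsa_encrypt(pub, x2)) % n == rsa_encrypt(pub, (x1 * x2) % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(104729, 999983, 65537)
    y = rsa_encrypt(pub, 123456789)
    print("n =", pub[0], "ciphertext =", y, "decrypts to", rsa_decrypt(priv, y))
```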
Lecture 11 (2/18/08)
Probabilistic Primality Testing
To set up RSA, we need to generate large random primes.
In practice we generate large random numbers and then test them for primality using a probabilistic polynomial-time Monte Carlo method, such as the Solovay-Strassen or Miller-Rabin algorithm.
An integer n can be tested in time that is polynomial in log_2 n, but the algorithm may claim that the number is prime when it is not. However, by running the algorithm enough times (with independently chosen random bases), the error probability can be reduced below any desired threshold.
How many random integers (of a specific size) must be tested until we find one that is prime?
The number of primes not exceeding N is approximately N / ln N (prime number theorem).
If p is chosen at random from the numbers up to N, the probability that it is prime is about 1 / ln N.
For 512-bit RSA each prime has about 256 bits, p ≈ 2^{512/2} = 2^256, so 1/ln p ≈ 1/177 (about 2/177 if we only test odd integers).
Therefore RSA setup is practical: on average a few hundred candidates have to be tested.
A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is always correct, but a "no" answer may be incorrect. We say that a yes-biased Monte Carlo algorithm has error probability ε if, for any instance in which the correct answer is "yes", the algorithm gives the incorrect answer "no" with probability at most ε:
Prob(output = "no" | correct output = "yes") ≤ ε.
(For primality testing the decision problem is "Is n composite?": the answer "composite" is always correct, while "prime" may be wrong with probability at most ε per run.)
Suppose p is an odd prime and x is an integer, 1 ≤ x ≤ p - 1.
x is defined to be a quadratic residue modulo p (x ∈ QR_p) if y^2 ≡ x mod p has a solution y ∈ Z_p.
x is defined to be a quadratic non-residue modulo p (x ∈ QN_p) if x ≢ 0 mod p and x is not a quadratic residue modulo p.
Ex: The quadratic residues modulo 11 are {1, 3, 4, 5, 9}: (±1)^2 = 1, (±5)^2 = 3, (±4)^2 = 5, (±3)^2 = 9, (±2)^2 = 4.
Remark: Z_p^* = QR_p ∪ QN_p (a disjoint union), where QR_p: quadratic residues, QN_p: quadratic non-residues.
Is it true that Z_p = Z_p^*? No: Z_p = Z_p^* ∪ {0}.
Note that QR_m is a group (under multiplication mod m):
Identity: 1 = 1^2.
Closure: if a, b ∈ QR_m then ab ∈ QR_m, because x_1^2 ≡ a mod m and x_2^2 ≡ b mod m ⇒ (x_1 x_2)^2 ≡ ab mod m, so y = x_1 x_2 satisfies y^2 ≡ ab mod m.
Inverse: Let x_1^2 ≡ a mod m and ab ≡ 1 mod m, and let x_2 ≡ x_1^{-1} mod m. Then (x_1 x_2)^2 ≡ 1 ≡ ab mod m and x_2^2 ≡ x_1^{-2} ≡ a^{-1} ≡ b mod m. Therefore b = a^{-1} ∈ QR_m.
Euler's Criterion
a ∈ QR_p IFF a^{(p-1)/2} ≡ 1 mod p.
Proof: If a ∈ QR_p then x^2 ≡ a mod p for some x. Then
$$a^{(p-1)/2} \equiv (x^2)^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod p \qquad \text{(Fermat's theorem)}.$$
Now assume a^{(p-1)/2} ≡ 1 mod p. Let g be a primitive root of p. There must exist some i such that g^i ≡ a mod p. Then
$$(g^i)^{(p-1)/2} \equiv a^{(p-1)/2} \equiv 1 \pmod p.$$
If i is NOT EVEN, then i = 2k + 1 and i(p-1)/2 = k(p-1) + (p-1)/2, and as a result
$$g^{i(p-1)/2} \equiv (g^{p-1})^k\, g^{(p-1)/2} \equiv g^{(p-1)/2} \equiv 1 \pmod p.$$
But g has order p - 1 and (p-1)/2 < p - 1, therefore this is a contradiction and i MUST BE EVEN (i = 2k). This means that
$$g^{i(p-1)/2} \equiv (g^{p-1})^k \equiv 1 \pmod p$$
is consistent, and since g^i = g^{2k} = (g^k)^2 ≡ a mod p, x = g^k satisfies x^2 ≡ a mod p. Then a ∈ QR_p.
Legendre Symbols
For any integer a ≥ 0 and odd prime p, the Legendre symbol (a/p) is defined as
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ 1 & \text{if } a \in QR_p \\ -1 & \text{if } a \in QN_p \end{cases}$$
Theorem: Let p be an ODD prime. Then
$$a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p.$$
Proof: If p | a then a^{(p-1)/2} ≡ 0 mod p and (a/p) = 0.
If a ∈ QR_p, then a^{(p-1)/2} ≡ 1 mod p by Euler's criterion.
If a ∈ QN_p, then γ = a^{(p-1)/2} ≢ 1 mod p (Euler's criterion), while γ^2 = a^{p-1} ≡ 1 mod p (Fermat), so γ has order two. We know that -1 is one solution of γ^2 ≡ 1, because (-1)^2 ≡ 1 mod p. We also know that the number of elements of order two in the cyclic group Z_p^* equals φ(2) = 1. Thus -1 is the only element of order two, and a^{(p-1)/2} ≡ -1 mod p when a ∈ QN_p.
Properties of the Legendre Symbol:
1) $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2} = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 4 \\ -1 & \text{if } p \equiv 3 \pmod 4 \end{cases}$
2) $\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right)$
3) $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$ if $a \equiv b \pmod p$
4) $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8} = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod 8 \\ -1 & \text{if } p \equiv \pm 3 \pmod 8 \end{cases}$
5) $\left(\frac{t^2}{p}\right) = 1$ if p does NOT divide t
6) $\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} \left(\frac{p}{q}\right)$ for p and q distinct ODD primes (Law of Quadratic Reciprocity)
Remark: With g a primitive root mod p, QR_p = { g^{2i} : i = 1, 2, ..., (p-1)/2 } and QN_p = { g^{2i-1} : i = 1, 2, ..., (p-1)/2 }, so |QR_p| = |QN_p| = (p-1)/2.
Jacobi Symbols
For any integer P ≥ 0 and odd positive integer Q, the Jacobi symbol (P/Q) is defined as
$$\left(\frac{P}{Q}\right) = \prod_{i=1}^{k} \left(\frac{P}{q_i}\right)^{\alpha_i}, \qquad \text{where } Q = \prod_{i=1}^{k} q_i^{\alpha_i},$$
the q_i are distinct primes and (P/q_i) is the Legendre symbol.
Note: If Q is a prime, then the Jacobi symbol is the same as the Legendre symbol.
Rules of the Jacobi Symbol (the same manipulation rules as for the Legendre symbol, now for any odd Q; what does NOT carry over is the interpretation: (P/Q) = 1 no longer means that P is a square mod Q, and the Euler-criterion identity P^{(Q-1)/2} ≡ (P/Q) mod Q need not hold for composite Q):
1) $\left(\frac{-1}{Q}\right) = (-1)^{(Q-1)/2}$
2) $\left(\frac{P_1 P_2}{Q}\right) = \left(\frac{P_1}{Q}\right)\left(\frac{P_2}{Q}\right)$
3) $\left(\frac{P_1}{Q}\right) = \left(\frac{P_2}{Q}\right)$ if $P_1 \equiv P_2 \pmod Q$
4) $\left(\frac{2}{Q}\right) = (-1)^{(Q^2-1)/8} = \begin{cases} 1 & \text{if } Q \equiv \pm 1 \pmod 8 \\ -1 & \text{if } Q \equiv \pm 3 \pmod 8 \end{cases}$
5) $\left(\frac{P}{Q}\right) = (-1)^{\frac{P-1}{2} \cdot \frac{Q-1}{2}} \left(\frac{Q}{P}\right)$ if P is ODD (and gcd(P, Q) = 1)
Remark: If the Jacobi symbol (P/Q) = 1, we cannot conclude that x^2 ≡ P mod Q has a solution.
Example: Take Q = P_1 P_2 where P_1 and P_2 are distinct primes, and take a number a such that (a/P_1) = -1 and (a/P_2) = -1. Then the system
$$x^2 \equiv a \pmod{P_1}, \qquad x^2 \equiv a \pmod{P_2}$$
has no solution for x, but
$$\left(\frac{a}{Q}\right) = \left(\frac{a}{P_1}\right)\left(\frac{a}{P_2}\right) = (-1)(-1) = 1.$$
If x^2 ≡ a mod Q had a solution, then the system x^2 ≡ a mod P_1, x^2 ≡ a mod P_2 would also have a solution.
Example: Evaluate (319/1031). (1031 is prime and 319 = 11 · 29.)
Brute force: compute 319^{(1031-1)/2} = 319^{515} mod 1031 and read off ±1.
Legendre (factor the numerator and apply reciprocity to each prime factor):
$$\left(\frac{319}{1031}\right) = \left(\frac{11}{1031}\right)\left(\frac{29}{1031}\right) = -\left(\frac{1031}{11}\right)\left(\frac{1031}{29}\right) = -\left(\frac{8}{11}\right)\left(\frac{16}{29}\right) = -\left(\frac{2}{11}\right)^3 \left(\frac{4^2}{29}\right) = -(-1)^3 \cdot 1 = 1$$
(11 ≡ 3 and 1031 ≡ 3 mod 4 give the minus sign for the first factor, 29 ≡ 1 mod 4 gives none for the second; 1031 ≡ 8 mod 11 and 1031 ≡ 16 mod 29; 11 ≡ 3 mod 8, so (2/11) = -1; (16/29) = 1 by the t^2 rule.)
Jacobi (no factoring needed; reduce as in the Euclidean algorithm):
$$\begin{aligned} \left(\frac{319}{1031}\right) &= -\left(\frac{1031}{319}\right) = -\left(\frac{74}{319}\right) = -\left(\frac{2}{319}\right)\left(\frac{37}{319}\right) = -\left(\frac{37}{319}\right) = -\left(\frac{319}{37}\right) = -\left(\frac{23}{37}\right) \\ &= -\left(\frac{37}{23}\right) = -\left(\frac{14}{23}\right) = -\left(\frac{2}{23}\right)\left(\frac{7}{23}\right) = -\left(\frac{7}{23}\right) = \left(\frac{23}{7}\right) = \left(\frac{2}{7}\right) = 1 \end{aligned}$$
(319 ≡ 1031 ≡ 3 mod 4 flips the sign once; 319 ≡ 7 mod 8 so (2/319) = 1; 37 ≡ 1 mod 4 so no flip; 23 ≡ 7 mod 8 so (2/23) = 1; 7 ≡ 23 ≡ 3 mod 4 flips the sign again; 7 ≡ 7 mod 8 so (2/7) = 1.)
Lecture 12 (2/22/08)
Probabilistic Primality Testing
Base-b Pseudo Prime (b-psp): A composite (not a prime) number N such that gcd(b, N) = 1 and $b^{N-1} \equiv 1 \pmod N$
If p is a prime and p does NOT divide a, then $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p$
If N is a composite, it may or may not be true that $b^{(N-1)/2} \equiv \left(\frac{b}{N}\right) \pmod N$
Euler Base-b Pseudo Prime (b-epsp): A composite N such that gcd(b, N) = 1 and $b^{(N-1)/2} \equiv \left(\frac{b}{N}\right) \pmod N$ {Less than ½ of the bases b < N-1 make N a b-epsp}
Theorem: If N is any odd composite integer, there must exist some b such that gcd(b, N) = 1 and N is not a b-epsp (i.e. $b^{(N-1)/2} \not\equiv \left(\frac{b}{N}\right) \pmod N$).
Proof: Suppose N is an odd composite integer such that N is a b-epsp for all b with gcd(b, N) = 1. (We will show that this is impossible!)
Let p be any prime such that p | N, and let $p^\alpha \,|\, N$ but $p^{\alpha+1} \nmid N$ (α is the largest integer for which $p^\alpha \,|\, N$).
We can select a value for b such that
(1) $\begin{cases} b \equiv 1 \pmod{N/p^\alpha} \\ b \equiv g \pmod{p^\alpha} \end{cases}$ where g is a primitive root of $p^\alpha$.
The solution for $b \in \mathbb{Z}_N$ exists because $\gcd(N/p^\alpha, p^\alpha) = 1$ and the Chinese Remainder Theorem.
Since N is a b-epsp, $b^{(N-1)/2} \equiv \left(\frac{b}{N}\right) \equiv \pm 1 \pmod N$. Note that $\left(\frac{b}{N}\right) = 0$ if and only if gcd(b, N) ≠ 1.
Then $b^{N-1} \equiv 1 \pmod N \Rightarrow b^{N-1} \equiv 1 \pmod{p^\alpha}$.
Replacing from (1): $g^{N-1} \equiv 1 \pmod{p^\alpha}$.
This implies that $\varphi(p^\alpha) \,|\, (N-1)$ (because $g^{\varphi(p^\alpha)} \equiv 1 \pmod{p^\alpha}$ and g generates $\mathbb{Z}^*_{p^\alpha}$, so the order of g is $\varphi(p^\alpha)$).
Since $\varphi(p^\alpha) = p^{\alpha-1}(p-1)$, then $p^{\alpha-1}(p-1) \,|\, (N-1)$, so $p^{\alpha-1} \,|\, (N-1)$ and $(p-1) \,|\, (N-1)$. Since $p^{\alpha-1}$ (odd) divides N-1 (even) while p divides N, p cannot also divide N-1,
so α = 1, which means that N does not have any square factor. In other words, N is the product of distinct primes.
Let N = rs, where r and s are distinct primes (gcd(r, s) = 1)
Select any K such that $\left(\frac{K}{r}\right) = -1$
Select b such that $b \equiv K \pmod r$ and $b \equiv 1 \pmod s$
Again, by the Chinese Remainder Theorem, a solution for $b \in \mathbb{Z}_N^*$ (i.e. gcd(b, N) = 1) exists because gcd(r, s) = 1.
Thus, if $b^{(N-1)/2} \equiv \left(\frac{b}{N}\right) \pmod N$, then
$\left(\frac{b}{N}\right) = \left(\frac{b}{rs}\right) = \left(\frac{b}{r}\right)\left(\frac{b}{s}\right) \equiv \left(\frac{K}{r}\right)\left(\frac{1}{s}\right) = -1$
so $b^{(N-1)/2} \equiv -1 \pmod N$ and hence $b^{(N-1)/2} \equiv -1 \pmod s$,
which is a contradiction because $b \equiv 1 \pmod s$ gives $b^{(N-1)/2} \equiv 1 \pmod s$.
Therefore, we find b such that gcd(b, N) = 1 and $b^{(N-1)/2} \not\equiv \left(\frac{b}{N}\right) \pmod N$.
Now we show that if we select a base b, gcd(b, N) = 1, at random, the probability that N is a b-epsp is less than or equal to ½.
Claim: Let N be an odd composite. Consider the subset G of $\mathbb{Z}_N^*$ defined by $G = \{ [b] : b^{(N-1)/2} \equiv \left(\frac{b}{N}\right) \pmod N \}$. Then G is a subgroup of $\mathbb{Z}_N^*$ and $G \ne \mathbb{Z}_N^*$.
Proof: As an exercise, show that G is a subgroup of $\mathbb{Z}_N^*$. Then it is clear that $G \ne \mathbb{Z}_N^*$ (because by the previous Theorem we find some $b \in \mathbb{Z}_N^*$ with $b^{(N-1)/2} \not\equiv \left(\frac{b}{N}\right) \pmod N$). Thus $|G| < |\mathbb{Z}_N^*|$.
By Lagrange's Theorem, we know that $|G|$ divides $|\mathbb{Z}_N^*|$. Thus $|G| \le \tfrac{1}{2}|\mathbb{Z}_N^*|$.
This proves that the probability that N is a b-epsp for a random b with gcd(b, N) = 1 is less than or equal to ½.
Solovay-Strassen (b-epsp Test) (Composite Test for odd integer n)
1. Choose a random integer b, 1 ≤ b ≤ n-1
2. If gcd(b, n) ≠ 1 then COMPOSITE (YES)
3. If $b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$ then PRIME (NO) otherwise COMPOSITE (YES)
Note: The algorithm is yes-biased because the "Yes" is always correct. The error probability that n is composite but this is not detected is AT MOST ½.
We can evaluate the Jacobi symbol $\left(\frac{a}{n}\right)$, and hence test $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod n$, without needing the factorization of n, using number theory results, in polynomial time.
The only arithmetic operations: modular reduction and factoring out powers of two. Nominally $O((\log n)^3)$ (actually $O((\log n)^2)$) to compute the Jacobi symbol.
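As an added example (not the lecture notes' own code): the Jacobi symbol computed with only the rules above, checked against the (319/1031) example and the "Jacobi symbol 1 does not mean a square root exists" remark, and used as step 3 of the Solovay-Strassen test.

```python
"""Jacobi symbol by the rules above and the Solovay-Strassen test (added example;
not the lecture notes' own code)."""
import math
import random


def jacobi(P: int, Q: int) -> int:
    """Jacobi symbol (P/Q) for odd Q > 0 using only modular reduction and factoring
    out powers of two, i.e. rules 2-5 of the notes; Q is never factorized."""
    if Q <= 0 or Q % 2 == 0:
        raise ValueError("Q must be a positive odd integer")
    P %= Q                                  # rule 3: (P1/Q) = (P2/Q) if P1 = P2 (mod Q)
    result = 1
    while P != 0:
        while P % 2 == 0:                   # rules 2 and 4: (2/Q) = -1 iff Q = +-3 (mod 8)
            P //= 2
            if Q % 8 in (3, 5):
                result = -result
        P, Q = Q, P                         # rule 5 (reciprocity): sign flips iff both are 3 mod 4
        if P % 4 == 3 and Q % 4 == 3:
            result = -result
        P %= Q
    return result if Q == 1 else 0          # 0 when gcd(P, Q) > 1


def solovay_strassen(n: int, rounds: int = 20, rng=random.Random(2008)) -> bool:
    """False = "COMPOSITE (YES)" (always correct); True = "PRIME (NO)", wrong with
    probability at most 2**-rounds, since each base lies about an odd composite
    with probability at most 1/2."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        b = rng.randrange(1, n)                              # step 1: 1 <= b <= n-1
        if math.gcd(b, n) != 1:                              # step 2
            return False
        if pow(b, (n - 1) // 2, n) != jacobi(b, n) % n:      # step 3: b^((n-1)/2) = (b/n) (mod n)?
            return False
    return True


def is_square_mod(a: int, Q: int) -> bool:
    """Brute-force check whether x^2 = a (mod Q) is solvable (small Q only)."""
    return any(x * x % Q == a % Q for x in range(Q))


if __name__ == "__main__":
    print(jacobi(319, 1031))                                 # 1, as in the worked example
    # Jacobi symbol 1 does not imply a square root exists: Q = 3 * 5, (2/3) = (2/5) = -1
    print(jacobi(2, 15), is_square_mod(2, 15))               # 1 False
    print(solovay_strassen(1031), solovay_strassen(561), solovay_strassen(15770708441))
```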
Suppose we have generated a random number n and tested it using the Solovay-Strassen Algorithm. If we have run the algorithm m times, what is our confidence that n is prime? (It is not $1 - 2^{-m}$.)
Events: a) A random odd integer n of a specified size is composite. b) The algorithm answers "n is prime" m times in succession.
We need to find Pr(a|b), not Pr(b|a). Note that $\Pr(b|a) \le 1/2^m$.
$\Pr(a|b) = \dfrac{\Pr(b|a)\Pr(a)}{\Pr(b)}$
What is Pr(a)? Let $N \le n \le 2N$. Then the number of odd primes between N and 2N is approximately
$\dfrac{2N}{\ln 2N} - \dfrac{N}{\ln N} \cong \dfrac{N}{\ln N} \cong \dfrac{n}{\ln n}$
Since there are $N/2 \approx n/2$ odd integers between N and 2N:
$\Pr(a) = 1 - \Pr(\text{odd prime}) = 1 - \dfrac{2}{\ln n}$
$\Pr(b) = \Pr(b|a)\Pr(a) + \Pr(b|\bar a)\Pr(\bar a)$   (Total Probability)
$\Pr(b) = \Pr(b|a)\left(1 - \dfrac{2}{\ln n}\right) + \dfrac{2}{\ln n}$   since $\Pr(b|\bar a) = 1$
$\Pr(a|b) = \dfrac{\Pr(b|a)\left(1 - \frac{2}{\ln n}\right)}{\Pr(b|a)\left(1 - \frac{2}{\ln n}\right) + \frac{2}{\ln n}} \le \dfrac{2^{-m}\left(1 - \frac{2}{\ln n}\right)}{2^{-m}\left(1 - \frac{2}{\ln n}\right) + \frac{2}{\ln n}} = \dfrac{\ln n - 2}{\ln n - 2 + 2^{m+1}}$
For $n = 2^{256}$, Pr(a|b) and $2^{-m}$ have been compared. In practice m ≈ 50-100 reduces the probability of error to a very small quantity, $10^{-13}$ to $10^{-28}$.
Remarks: Suppose p is an odd prime and hence $p = 2^s t + 1$ where t is odd and s ≥ 1.
Claim: For any a where p does not divide a, we have EITHER $a^t \equiv 1 \pmod p$ or $a^{2^r t} \equiv -1 \pmod p$ for some $0 \le r \le s-1$.
Proof: Since p does not divide a, $a^{p-1} \equiv 1 \pmod p$ (Fermat's Theorem).
$a^{2^s t} \equiv 1 \pmod p$   (since $p - 1 = 2^s t$)
$\left(a^{2^{s-1} t} - 1\right)\left(a^{2^{s-1} t} + 1\right) \equiv 0 \pmod p$
$\left(a^{2^{s-2} t} - 1\right)\left(a^{2^{s-2} t} + 1\right)\left(a^{2^{s-1} t} + 1\right) \equiv 0 \pmod p$
$\cdots$
$\left(a^t - 1\right)\left(a^t + 1\right)\left(a^{2t} + 1\right)\left(a^{4t} + 1\right)\cdots\left(a^{2^{s-1} t} + 1\right) \equiv 0 \pmod p$
Since p is prime it divides one of the factors. Thus either $a^t \equiv 1 \pmod p$ or $a^{2^r t} \equiv -1 \pmod p$ for some $0 \le r \le s-1$.
Strong Pseudo Prime (b-spsp): Let N be an odd composite integer, that is $N = 1 + 2^s t$ where 2 does not divide t (t is odd). N is a Base-b Strong Pseudo Prime (b-spsp) if either $b^t \equiv 1 \pmod N$ or $b^{2^r t} \equiv -1 \pmod N$ for some r such that $0 \le r \le s-1$.
Remark: It can be shown that if N is b-spsp, then N is b-epsp. Further, if N is b-epsp then N is also b-psp. But the converse is not true!
Theorem: Let G = {b such that N is b-spsp}. Then $|G| \le \tfrac{1}{4}|\mathbb{Z}_N^*|$.
Remark: The above theorem implies that if we select a base b at random, the probability that any odd composite integer is b-spsp is less than or equal to ¼. In other words, if N is an odd composite integer, then N is b-spsp for at most 25% of all 1 ≤ b ≤ N-1.
Miller-Rabin (b-spsp Test) (Composite Test for odd integer n)
1. Write $n - 1 = 2^k m$ where m is odd
2. Choose a random integer a, 1 ≤ a ≤ n-1
3. If gcd(n, a) ≠ 1 then COMPOSITE (YES)
4. Compute $b \equiv a^m \pmod n$
5. If b ≡ 1 mod n then PRIME (NO)
6. For i = 0 … k-1: If b ≡ -1 mod n then PRIME (NO) else $b \leftarrow b^2 \bmod n$
7. Return COMPOSITE (YES)
Note: The algorithm is "Yes-biased" because if the algorithm outputs "n is composite", this answer is certainly correct. If it answers "n is prime", it may or may not be the correct answer (i.e. n might be a composite that is b-spsp instead of prime).
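The Miller-Rabin test as an added example (not the lecture notes' own code), with a brute-force count of strong liars that lets the ¼ bound from the theorem be checked on the classic 2-spsp 2047 = 23 × 89.

```python
"""Miller-Rabin (b-spsp test), added example; not the lecture notes' own code."""
import math
import random


def decompose(n: int):
    """Write n - 1 = 2^k * m with m odd (step 1)."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def is_strong_pseudoprime(n: int, a: int) -> bool:
    """Steps 3-7 for one base a. True means this base answers 'PRIME (NO)', i.e.
    a^m = 1 or a^(2^i m) = -1 (mod n) for some 0 <= i <= k-1; False means 'COMPOSITE (YES)'."""
    if math.gcd(n, a) != 1:          # step 3
        return False
    k, m = decompose(n)
    b = pow(a, m, n)                 # step 4
    if b == 1:                       # step 5
        return True
    for _ in range(k):               # step 6
        if b == n - 1:
            return True
        b = b * b % n
    return False                     # step 7


def miller_rabin(n: int, rounds: int = 20, rng=random.Random(2008)) -> bool:
    """Probable-prime test: False is always correct (yes-biased); True is wrong for an
    odd composite with probability at most 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(is_strong_pseudoprime(n, rng.randrange(1, n)) for _ in range(rounds))


def count_strong_liars(n: int) -> int:
    """Number of bases 1 <= a <= n-1 for which n is an a-spsp (brute force, small n).
    For an odd composite the theorem bounds this by phi(n)/4."""
    return sum(is_strong_pseudoprime(n, a) for a in range(1, n))


if __name__ == "__main__":
    print(is_strong_pseudoprime(2047, 2))     # True: 2^11 = 1 (mod 2047), so 2^1023 = 1
    print(miller_rabin(2047), miller_rabin(1031), miller_rabin(561))   # False True False
    print(count_strong_liars(2047), 22 * 88 // 4)   # liars <= phi(2047)/4 = 484
```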
Square Roots Modulo n
Let p be an odd prime and a an integer such that gcd(a, p) = 1
Fact: The congruence $x^2 \equiv a \pmod p$ has either no solutions or two distinct solutions.
Proof: To have a solution, we must have $a \in QR_p$. Note that $\mathbb{Z}_p$ is a field. By the Fundamental Theorem of Algebra, $x^2 - a = 0$ has at most two distinct solutions in any field. We know that if x is a solution to $x^2 \equiv a \pmod p$ then -x is also a solution. x and -x are incongruent because if $x \equiv -x \pmod p$ then $2x \equiv 0 \pmod p$, so p | 2x; but gcd(p, 2) = 1, therefore p | x, which is impossible (since $x^2 \equiv a \not\equiv 0$). Thus x and -x are two distinct solutions for $x^2 \equiv a \pmod p$ if $a \in QR_p$.
Fact: Let p be an odd prime such that gcd(p, a) = 1 and let α be a positive integer. Then $y^2 \equiv a \pmod{p^\alpha}$ has no solution if $\left(\frac{a}{p}\right) = -1$ ($a \in QN_p$) and two solutions if $\left(\frac{a}{p}\right) = 1$ ($a \in QR_p$).
Fact: For $x^2 \equiv 1 \pmod p$ where p is a prime, x ≡ ±1 are the only two distinct solutions. Note that x = -1 = p-1 mod p.
Fact: $y \equiv x \pmod{pq}$ (where p and q are relatively prime) IF AND ONLY IF $y \equiv x \pmod p$ and $y \equiv x \pmod q$.
Proof: If $y \equiv x \pmod{pq}$ then pq | (y-x), so p | (y-x) and q | (y-x), which implies $y \equiv x \pmod p$ and $y \equiv x \pmod q$. Alternatively, if $y \equiv x \pmod p$ and $y \equiv x \pmod q$ (one could also use the Chinese Remainder Theorem): then y - x = Ap and y - x = Bq, therefore Ap = Bq. Since gcd(p, q) = 1, A = δq and B = δp. Thus y - x = δpq and finally $y \equiv x \pmod{pq}$.
Fact: Let $n = \prod_{i=1}^{l} p_i^{e_i}$ where the $p_i$ are distinct primes. Then $y \equiv x \pmod n$ if and only if $y \equiv x \pmod{p_i^{e_i}}$ for all i.
Proof: (Exactly the same as the last proof)
Theorem: Let n be an odd integer, $n = \prod_{i=1}^{l} p_i^{e_i}$ where the $p_i$ are prime and gcd(a, n) = 1. Then the congruence $y^2 \equiv a \pmod n$ has $2^l$ solutions if $a \in QR_{p_i}$ for all i = 1, 2, …, l, and no solutions otherwise.
Proof: $y^2 \equiv a \pmod n$ has a solution IF AND ONLY IF $y^2 \equiv a \pmod{p_i^{e_i}}$ has a solution for i = 1, …, l. Thus, if $y^2 \equiv a \pmod{p_i^{e_i}}$ has no solution for some i ∈ {1, 2, …, l}, then $y^2 \equiv a \pmod n$ has no solution. But if $y^2 \equiv a \pmod{p_i^{e_i}}$ has solutions for ALL i ∈ {1, 2, …, l} ($a \in QR_{p_i}$ for all i), then it has two distinct solutions for each $p_i^{e_i}$. Thus there are $2^l$ distinct solutions (by the Chinese Remainder Theorem) to $y^2 \equiv a \pmod n$.
Lecture 13 (2/27/08)
Example: $x^2 \equiv 1 \pmod n$ where n = pq. $x^2 \equiv 1 \pmod n \Rightarrow x^2 \equiv 1 \pmod p \Rightarrow x \equiv \pm 1 \pmod p$, and $x^2 \equiv 1 \pmod q \Rightarrow x \equiv \pm 1 \pmod q$.
This gives us four solutions for x by the Chinese Remainder Theorem (CRT):
$x \equiv 1 \pmod p,\ x \equiv 1 \pmod q$;  $x \equiv 1 \pmod p,\ x \equiv -1 \pmod q$;  $x \equiv -1 \pmod p,\ x \equiv 1 \pmod q$;  $x \equiv -1 \pmod p,\ x \equiv -1 \pmod q$
Two of the solutions are trivial: $x \equiv \pm 1 \pmod n$. The other two solutions are non-trivial. They are distinct (incongruent) and negatives of each other modulo n.
Fact: Let n = pq (where p and q are distinct primes). Then knowledge of a nontrivial square root of 1 mod n yields the factorization of n with polynomial time computation.
Proof: Let $x_1$ be a nontrivial solution to $x^2 \equiv 1 \pmod n$ (i.e. $x_1 \not\equiv \pm 1 \pmod n$).
Since $x_1 \not\equiv \pm 1 \pmod n$ (it is nontrivial by assumption), n does NOT divide $(x_1 - 1)$ or $(x_1 + 1)$.
Then $x_1^2 - 1 \equiv 0 \pmod n$ implies that $n \,|\, (x_1 - 1)(x_1 + 1)$.
Thus $pq \,|\, (x_1 - 1)(x_1 + 1)$ implies either {p | (x_1 - 1) and q | (x_1 + 1)} or {q | (x_1 - 1) and p | (x_1 + 1)}. If p | (x_1 - 1) then $\gcd(n, x_1 - 1) = p$ (because p | n), OR
if q | (x_1 - 1) then $\gcd(n, x_1 - 1) = q$ (because q | n). Thus either p or q can be found by the EEA, which computes $\gcd(n, x_1 - 1)$ in $O((\log n)^3)$.
Attacks on RSA
Computing φ(n): Note that knowing φ(n), the adversary can find p, q:
n = pq, φ(n) = (p-1)(q-1). Then $p^2 - (n - \varphi(n) + 1)p + n = 0$; solve for p.
Computing φ(n) (without knowledge of p and q) is no easier than factoring n.
Breaking by knowing the decryption exponent:
We show that if the decryption exponent 'a' is revealed, then n can be factorized (note that it will not be sufficient for Bob to just change the exponent; he must use a new n to secure the system).
The algorithm we use to factorize n, given that the decryption exponent is available, is called a Las Vegas algorithm.
Las Vegas Algorithm:
A probabilistic algorithm such that, for any instance I, the algorithm may fail to give an answer with probability at most ε (i.e. it can terminate with the message "no answer"). However, if the algorithm returns an answer then the answer must be correct.
If we have a Las Vegas Algorithm to solve a problem, we simply run the algorithm over and over to get an answer. The probability that the algorithm returns "no answer" m times in succession is $\varepsilon^m$. In homework, you will show that the average number of times the algorithm must be run in order to obtain an answer is $\dfrac{1}{1 - \varepsilon}$.
We show that the Las Vegas Algorithm (that has access to n, a, b) can factor n with probability at least 0.5. If the algorithm is run m times, then n will be factored with probability of at least $1 - \dfrac{1}{2^m}$.
RSA-Factor (n, a, b): Comment: assume $ab \equiv 1 \pmod{\varphi(n)}$
1. Choose w at random such that 1 ≤ w ≤ n-1
2. Compute x = gcd(w, n); if 1 < x < n then return x (Success: x = p)
3. Write $ab - 1 = 2^s r$ with r odd (ensures the while loop will succeed eventually)
4. $v \equiv w^r \pmod n$
5. If v ≡ 1 mod n return "Failure" (n is a w-spsp)
6. While v ≢ 1 mod n: $v_0 = v$; $v \equiv v^2 \pmod n$
7. If $v_0 \equiv -1 \pmod n$ return "Failure" (n is a w-spsp)
8. Compute $x = \gcd(v_0 + 1, n)$; return x (Success: x = p)
First we note that the algorithm will terminate the loop after at most s iterations. This is because
$w \in \mathbb{Z}_n^* \Rightarrow w^{\varphi(n)} \equiv 1 \pmod n$
$ab - 1 = 2^s r \equiv 0 \pmod{\varphi(n)} \Rightarrow 2^s r = d\varphi(n)$. Then $w^{d\varphi(n)} \bmod n \equiv (w^{\varphi(n)})^d \bmod n \equiv 1^d \equiv 1 \pmod n$.
Now, we note that if the algorithm finishes the loop after s iterations (doesn't quit the loop in fewer than s iterations), we have a value $v_0$ such that $v_0^2 \equiv 1 \pmod n$ but $v_0 \not\equiv 1 \pmod n$.
If $v_0 \not\equiv -1 \pmod n$ then the algorithm has found a nontrivial solution for $x^2 \equiv 1 \pmod n$ (that is, $x \equiv v_0 \pmod n$). Thus, using the previous fact: $\gcd(v_0 + 1, n) = p$.
Note that the algorithm returns failure if: 1. $w^r \equiv 1 \pmod n$ OR 2. $w^{2^t r} \equiv -1 \pmod n$ for some $0 \le t \le s-1$ (n is shown to be a w-spsp).
It can be shown that the algorithm succeeds with probability of at least ½ (ε ≤ ½ failure). (Note: ε ≤ ¼ because the probability that an odd composite integer n is a w-spsp is less than or equal to ¼.)
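RSA-Factor as an added example (not the lecture notes' own code), run on a constructed toy key n = 31 × 47 with b = 779; it shows why a leaked decryption exponent forces a new modulus, not just a new exponent.

```python
"""RSA-Factor(n, a, b): factor n from the decryption exponent (added example,
not the lecture notes' own code). Assumes ab = 1 (mod phi(n))."""
import math
import random


def rsa_factor(n: int, a: int, b: int, w: int):
    """One Las Vegas trial with base w, 1 <= w <= n-1. Returns a nontrivial factor
    of n, or None for "Failure" (n behaves as a w-spsp with respect to ab - 1)."""
    x = math.gcd(w, n)                         # step 2
    if 1 < x < n:
        return x
    s, r = 0, a * b - 1                        # step 3: ab - 1 = 2^s r, r odd
    while r % 2 == 0:
        s += 1
        r //= 2
    v = pow(w, r, n)                           # step 4
    if v == 1:                                 # step 5
        return None
    while v != 1:                              # step 6: at most s squarings, since w^(2^s r) = 1
        v0, v = v, v * v % n
    if v0 == n - 1:                            # step 7: only the trivial root -1 was found
        return None
    return math.gcd(v0 + 1, n)                 # step 8: v0^2 = 1, v0 != +-1 -> nontrivial root


def rsa_factor_repeat(n: int, a: int, b: int, max_trials: int = 64, rng=random.Random(7)):
    """Repeat the Las Vegas trial until it answers; m failures in a row happen with
    probability at most 2**-m. Returns (factor, trials used)."""
    for trial in range(1, max_trials + 1):
        f = rsa_factor(n, a, b, rng.randrange(1, n))
        if f is not None:
            return f, trial
    return None, max_trials


if __name__ == "__main__":
    p, q, b = 31, 47, 779                      # constructed toy key; phi = 30 * 46 = 1380
    n, phi = p * q, (p - 1) * (q - 1)
    a = pow(b, -1, phi)                        # the leaked decryption exponent
    print(rsa_factor_repeat(n, a, b))          # (31, t) or (47, t) for a small t
```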
Wiener's Low Decryption Exponent Attack
n = pq, φ(n) = (p-1)(q-1), a: decryption exponent, b: encryption exponent. If the following holds: $3a < n^{1/4}$ and q < p < 2q, then this attack will work.
Remark: By choosing $3a < n^{1/4}$, the running time of decryption is intentionally reduced by almost 75%!! Notice that: $\log 3 + \log a < \tfrac{1}{4}\log n \Rightarrow \log a \lesssim l/4 \Rightarrow O(\tfrac{1}{4} l^3)$
Note that if n is l bits, then a is less than l/4 - 1 bits.
Attack: $ab \equiv 1 \pmod{\varphi(n)} \Rightarrow ab - 1 = t\varphi(n)$
$\varphi(n) = \dfrac{ab - 1}{t} = \dfrac{a}{t}\left(b - \dfrac{1}{a}\right) \Rightarrow t < a$ (since $b < \varphi(n)$)
Since $n = pq > q^2 \Rightarrow q < \sqrt n$
$0 < n - \varphi(n) = p + q - 1 < 2q + q - 1 = 3q - 1 < 3\sqrt n$
$\left|\dfrac{b}{n} - \dfrac{t}{a}\right| = \dfrac{|ab - tn|}{an} = \dfrac{|1 + t\varphi(n) - tn|}{an} = \dfrac{|1 - t(n - \varphi(n))|}{an} \le \dfrac{1 + 3t\sqrt n}{an} \le \dfrac{1}{an} + \dfrac{3t}{a\sqrt n} \approx \dfrac{3t}{a\sqrt n}$
Since $3t < 3a < n^{1/4}$: $\left|\dfrac{b}{n} - \dfrac{t}{a}\right| \le \dfrac{1}{a\,n^{1/4}} < \dfrac{1}{3a^2}$, which is VERY SMALL!
Thus the fraction t/a is a very close approximation to b/n. It can be shown that t/a must be one of the convergents of b/n (in the continued fraction expansion of b/n).
$\dfrac{b}{n} = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2 + \cfrac{1}{\ddots + \cfrac{1}{q_s}}}} = \langle q_0, q_1, q_2, \ldots, q_s \rangle$
Convergents: $\langle q_0 \rangle = q_0$ (first approximation), $\langle q_0, q_1 \rangle = q_0 + \dfrac{1}{q_1} = \dfrac{q_0 q_1 + 1}{q_1}$, $\langle q_0, q_1, q_2 \rangle = q_0 + \cfrac{1}{q_1 + \cfrac{1}{q_2}}$, …
If t/a is a convergent of b/n, then $\varphi(n) = \dfrac{ab - 1}{t}$.
Once we have φ(n), we can compute p and q using φ(n) = (p-1)(q-1) (because n = pq).
Note that b and n are public. Since we don't know ahead of time which convergent of b/n we should use for t/a, we try each of $\langle q_0 \rangle, \langle q_0, q_1 \rangle, \ldots, \langle q_0, q_1, \ldots, q_s \rangle$ until one of them gives the factorization of n.
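Wiener's attack carried through on a constructed toy key (p = 10009, q = 10007, a = 7, so 3a = 21 < n^(1/4) ≈ 100), as an added example that is not the lecture notes' own code: the continued fraction of b/n, its convergents, and the quadratic in p from φ(n).

```python
"""Wiener's low decryption exponent attack via continued fractions (added example,
not the lecture notes' own code)."""
from math import isqrt


def continued_fraction(num: int, den: int):
    """Partial quotients q0, q1, ..., qs of num/den (Euclid's algorithm)."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Yield the convergents <q0>, <q0,q1>, ... as (numerator, denominator) pairs."""
    h_prev, h = 1, quotients[0]      # numerators: h_{-1} = 1, h_0 = q0
    k_prev, k = 0, 1                 # denominators: k_{-1} = 0, k_0 = 1
    yield h, k
    for q in quotients[1:]:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        yield h, k


def factor_from_phi(n: int, phi: int):
    """Solve p^2 - (n - phi + 1)p + n = 0 over the integers; None if no integer root."""
    s = n - phi + 1                  # = p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        return None
    p, q = (s + root) // 2, (s - root) // 2
    return (p, q) if p * q == n and q > 1 else None


def wiener_attack(n: int, b: int):
    """Try each convergent t/a of b/n; return (a, p, q) when (ab - 1)/t is an integer
    phi that factors n, else None. Works when 3a < n^(1/4) and q < p < 2q."""
    for t, a in convergents(continued_fraction(b, n)):
        if t == 0 or (a * b - 1) % t:
            continue
        pq = factor_from_phi(n, (a * b - 1) // t)
        if pq:
            return a, pq[0], pq[1]
    return None


if __name__ == "__main__":
    # constructed toy key: p = 10009, q = 10007, a = 7, b = 7^-1 mod phi = 85834327
    n, b = 10007 * 10009, 85834327
    print(continued_fraction(b, n)[:4])    # [0, 1, 5, 1]: convergents 0, 1, 5/6, 6/7 = t/a
    print(wiener_attack(n, b))             # (7, 10009, 10007)
```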
Low Exponent Attack on RSA
For high-speed encryption: b = 3 where gcd(3, φ(n)) = 1 and $y \equiv m^3 \pmod n$
Attack: $y_1 \equiv m^3 \pmod n$ and $y_2 \equiv (m+1)^3 \pmod n$; since $(m+1)^3 = m^3 + 3m^2 + 3m + 1$,
$\dfrac{y_2 + 2y_1 - 1}{y_2 - y_1 + 2} = \dfrac{3m^3 + 3m^2 + 3m}{3m^2 + 3m + 3} = m \pmod n$
This attack can be generalized to b > 3. It can also work for k messages related by a polynomial: m and $\alpha m^2 + \beta m + c$
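The b = 3 related-message formula above evaluated modulo n, as an added example (not the lecture notes' own code) on a constructed toy modulus n = 1013 × 1019; the division is a modular inverse, which exists unless the denominator shares a factor with n.

```python
"""Low public exponent (b = 3) related-message recovery from the notes (added example,
not the notes' own code): ciphertexts of m and m + 1 give m by one modular division."""
from math import gcd


def recover_from_related(n: int, y1: int, y2: int) -> int:
    """y1 = m^3, y2 = (m+1)^3 (mod n)  =>  m = (y2 + 2 y1 - 1) / (y2 - y1 + 2) (mod n)."""
    num = (y2 + 2 * y1 - 1) % n                 # = 3m(m^2 + m + 1) mod n
    den = (y2 - y1 + 2) % n                     # = 3(m^2 + m + 1) mod n
    if gcd(den, n) != 1:                        # then gcd(den, n) is itself a factor of n
        raise ValueError("denominator not invertible mod n")
    return num * pow(den, -1, n) % n


if __name__ == "__main__":
    n = 1013 * 1019                             # constructed toy modulus; gcd(3, phi(n)) = 1
    m = 123456
    y1, y2 = pow(m, 3, n), pow(m + 1, 3, n)     # two ciphertexts of related plaintexts
    print(recover_from_related(n, y1, y2))      # 123456
```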
… r is chosen at random, it is equally likely to be any of these four possible values. Thus the probability of success is ½. The above algorithm proves that Rabin’s system is insecure against chosen plaintext attack because we simply substitute A(g) with the decryption algorithm of Bob.
Factoring Algorithms
Three most effective methods on large numbers:
1. Quadratic Sieve 2. Elliptic Curve Algorithm 3. Number Field Sieve
Other Methods: 1. Pollard's Rho Method 2. Pollard's P-1 Algorithm 3. Williams P+1 Algorithm 4. Continued Fraction Algorithm 5. Trial Division (efficient for $n < 10^{12}$): try every odd integer up to $\lfloor\sqrt n\rfloor$; $O(\sqrt n (\log n)^3)$ ~ exponential to the power of l/2
Pollard's P-1 Factoring Algorithm
Based on Fermat's Theorem: $b^{p-1} \equiv 1 \pmod p$. Suppose p is one of the factors of n and all the prime factors of (p-1) are SMALL. Therefore (p-1) will divide B! ⇒ (p-1) | B!
Ex: p = 11, p-1 = 10 = 2 × 5 ⇒ (p-1) | 5!
Let p be any prime divisor of n, and assume q ≤ B for every prime power q dividing p-1. It works when all the primes dividing (p-1) are relatively small and all of them are less than B.
Then (p-1)d = B! and $2^{B!} = (2^{p-1})^d \equiv 1 \pmod p$. Since $p \,|\, (2^{B!} - 1)$ and p | n, then $p \,|\, a = \gcd(n, 2^{B!} - 1)$
The integer a is a nontrivial divisor of n (unless a = 1 or a = n). Then we attempt to factor a and n/a if they are composite.
Input: n and B (the Bound). Algorithm is polynomial time.
1. a = 2
2. For j = 2 to B do a = a^j mod n      (computes $a = 2^{B!} \bmod n$; B iterations, $O((\log B)(\log n)^2)$ for each modular exponentiation)
3. d = gcd(a-1, n)      $O((\log n)^3)$
4. if 1 < d < n then d is a factor of n ("Success") else no factor of n is found ("Failure")
Total: $O(B(\log B)(\log n)^2 + (\log n)^3)$
Guaranteed success if B = √n, but that implies a non-polynomial order. Therefore the algorithm has a small probability of success in polynomial time.
Remark: It is easy to make RSA resistant to Pollard's P-1 factorization. The method works if p-1 has only small prime factors, but we can construct n = pq where $p = 2p_1 + 1$ and $q = 2q_1 + 1$ with $p_1$ and $q_1$ very large primes. Then check that p, q are also prime.
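Pollard's p-1 as an added example (not the lecture notes' own code): the four steps above, run on n = 1457 = 31 × 47 (30 = 2 × 3 × 5 divides 5!), on the n = 15770708441 modulus used later in these notes, and on a constructed modulus built from the "p = 2p1 + 1" remark, where the method fails for any bound below p1.

```python
"""Pollard's p-1 factoring (added example, not the lecture notes' own code)."""
import math


def pollard_p_minus_1(n: int, B: int):
    """Return a nontrivial factor of n when some prime p | n has p-1 that is B-smooth
    (every prime power dividing p-1 is at most B), else None ("Failure")."""
    a = 2                                  # step 1
    for j in range(2, B + 1):              # step 2: a = 2^(B!) mod n, B modular exponentiations
        a = pow(a, j, n)
    d = math.gcd(a - 1, n)                 # step 3: p | 2^(B!) - 1 because (p-1) | B!
    return d if 1 < d < n else None        # step 4


def safe_prime_modulus_resists(p1: int, q1: int, B: int) -> bool:
    """The remark: with p = 2p1 + 1 and q = 2q1 + 1 (p1, q1 prime), p-1 and q-1 each have
    the large prime factor p1 resp. q1, so the method fails for every B < min(p1, q1)."""
    p, q = 2 * p1 + 1, 2 * q1 + 1
    return pollard_p_minus_1(p * q, B) is None


if __name__ == "__main__":
    print(pollard_p_minus_1(1457, 5))               # 31: 31 - 1 = 2 * 3 * 5 divides 5!
    print(pollard_p_minus_1(15770708441, 180))      # 135979: 135978 = 2 * 3 * 131 * 173
    # constructed safe primes: 1019 = 2*509 + 1 and 1187 = 2*593 + 1, bound 100 < 509
    print(safe_prime_modulus_resists(509, 593, 100))   # True
```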
Lecture 14 (3/5/08)
Quadratic Sieve
To find x ≢ ±y (mod n) such that $x^2 \equiv y^2 \pmod n$; then gcd(x - y, n) is a nontrivial factor of n. This is because $n \,|\, (x^2 - y^2) \Rightarrow n \,|\, (x-y)(x+y) \Rightarrow pq \,|\, (x-y)(x+y) \Rightarrow p \,|\, (x-y)$ or $p \,|\, (x+y)$, while n divides neither factor.
Consider a sequence $z_1, z_2, \ldots$ such that $z_i^2 \equiv Q(i) \pmod n$, and suppose we have a set of subscripts S such that $\prod_{i \in S} Q(i) = Y^2$
Dixon's Factorization Algorithm
Define B to be the set of the b smallest primes (B = {2, 3, 5, 7, 11, 13, …}; Note: $\gcd(n, p_i) = 1$). |B| = b
Need to find $z_j$ such that $z_j^2 \bmod n$ is factorized using the primes in B:
$z_j^2 \bmod n \equiv Q(j) \equiv \prod_{i=1}^{b} p_i^{\alpha_{ij}}$ where $p_i \in B$
Assume we generate such $z_j$ for j = 1, …, c where c is slightly larger than b (ex: c = b + 10).
For each j consider a vector: $a_j = (\alpha_{1j} \bmod 2, \alpha_{2j} \bmod 2, \ldots, \alpha_{bj} \bmod 2)$. Note: $a_j \in \mathbb{Z}_2^b$
If we find a subset of $a_j$'s that sum to the zero vector (0, 0, …, 0) mod 2, then the product of the corresponding Q(j)'s will give a congruence $x^2 \equiv Y^2 \pmod n$. (This is because every prime is used an even number of times.)
Ex: Let n = 15770708441 and B = {2, 3, 5, 7, 11, 13}. Consider:
$z_1 = 8340934156$: $z_1^2 \equiv 3 \times 7$ (Q(1)) mod n
$z_2 = 12044942944$: $z_2^2 \equiv 2 \times 7 \times 13$ (Q(2)) mod n
$z_3 = 2773700011$: $z_3^2 \equiv 2 \times 3 \times 13$ (Q(3)) mod n
Then $(z_1 z_2 z_3)^2 \equiv (2 \times 3 \times 7 \times 13)^2 \pmod n$
Note that $a_1 = (0\ 1\ 0\ 1\ 0\ 0)$, $a_2 = (1\ 0\ 0\ 1\ 0\ 1)$, $a_3 = (1\ 1\ 0\ 0\ 0\ 1)$, so $a_1 + a_2 + a_3 \equiv 0 \pmod 2$.
Thus we set $x \equiv z_1 z_2 z_3$ and $Y \equiv 2 \times 3 \times 7 \times 13 \pmod n$. Since $x^2 \equiv Y^2 \pmod n$, we can use gcd(n, x - Y) to factor n.
How to pick the number of zj:
Suppose we have c b-dimensional vectors $a_j$. Since c > b, we can always find a subset of $a_j$'s for which $\sum a_j \equiv 0 \pmod 2$. This is done by Gaussian Elimination:
Let E be a matrix whose rows are $a_j$ for j = 1, …, c. $M = (E \,|\, I_{c \times c})$
Perform Gaussian Elimination on M mod 2 (add rows of M by mod 2 operations, also exchange rows of M) such that we get a row in the E part that is zero. Then the same row in the $I_{c \times c}$ part (which is no longer an identity matrix) will give us those $a_j$'s that sum to the zero vector.
Example: Let B = {2, 5, 7, 11, 17, 19} (b = 6), Q(1) = 2·7·11², Q(2) = 5·11·17, Q(3) = 2·17·19, Q(4) = 7·17²·19, Q(5) = 2·5·19, Q(6) = 2·5·7·11 (assume c = 6)
$E = \begin{bmatrix} a_1 \\ a_2 \\ a_3 \\ a_4 \\ a_5 \\ a_6 \end{bmatrix} = \begin{bmatrix} 1 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 1 & 0 \\ 1 & 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 \end{bmatrix}$
After Gaussian elimination mod 2:
$M = \left[\begin{array}{cccccc|cccccc} 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 1 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \end{array}\right]$
Note the zero row of M indicates that $a_2 + a_3 + a_4 + a_6 \equiv 0 \pmod 2$. Therefore $Q(2)Q(3)Q(4)Q(6) = (2·5·11·17²·19)^2$
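Dixon's method end to end, as an added example (not the lecture notes' own code): exponent vectors over the factor base, Gaussian elimination mod 2 on M = (E | I) run on the six Q(j) above, and the three z_j from the n = 15770708441 example combined into x² ≡ Y² (mod n) and a gcd.

```python
"""Dixon's random squares method: factor-base relations + Gaussian elimination mod 2
(added example, not the lecture notes' own code)."""
import math


def exponent_vector(value: int, base):
    """Factor value over the factor base; return (exponents mod 2, leftover cofactor)."""
    vec = []
    for p in base:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        vec.append(e % 2)
    return vec, value          # leftover 1 means value factors completely over B


def dependent_subsets(vectors):
    """Gaussian elimination on M = (E | I) over GF(2). Each zero row of the E part
    yields, from its I part, a list of row numbers (1-based) summing to zero mod 2."""
    c, b = len(vectors), len(vectors[0])
    rows = [(list(v), [int(i == j) for j in range(c)]) for i, v in enumerate(vectors)]
    pivot_row = 0
    for col in range(b):
        pivot = next((r for r in range(pivot_row, c) if rows[r][0][col]), None)
        if pivot is None:
            continue
        rows[pivot_row], rows[pivot] = rows[pivot], rows[pivot_row]   # exchange rows
        for r in range(c):                                             # clear the column elsewhere
            if r != pivot_row and rows[r][0][col]:
                rows[r] = ([x ^ y for x, y in zip(rows[r][0], rows[pivot_row][0])],
                           [x ^ y for x, y in zip(rows[r][1], rows[pivot_row][1])])
        pivot_row += 1
    return [[j + 1 for j, bit in enumerate(tag) if bit]
            for e_part, tag in rows if not any(e_part)]


def dixon_factor(n: int, base, zs):
    """Given z_j whose squares mod n factor over the base, combine a dependent subset
    into x^2 = Y^2 (mod n) and return gcd(x - Y, n) when it is nontrivial."""
    vectors, residues = [], []
    for z in zs:
        q = pow(z, 2, n)
        vec, left = exponent_vector(q, base)
        if left != 1:
            raise ValueError(f"{z}^2 mod n = {q} does not factor over B")
        vectors.append(vec)
        residues.append(q)
    for subset in dependent_subsets(vectors):
        x = 1
        for j in subset:
            x = x * zs[j - 1] % n
        y = math.isqrt(math.prod(residues[j - 1] for j in subset)) % n   # exact: even exponents
        g = math.gcd(x - y, n)
        if 1 < g < n:
            return g
    return None                # every dependency gave x = +-Y (mod n)


if __name__ == "__main__":
    # the Gaussian-elimination example above: B = {2,5,7,11,17,19}, Q(1..6)
    Q = [2 * 7 * 11**2, 5 * 11 * 17, 2 * 17 * 19, 7 * 17**2 * 19, 2 * 5 * 19, 2 * 5 * 7 * 11]
    vecs = [exponent_vector(q, [2, 5, 7, 11, 17, 19])[0] for q in Q]
    print(dependent_subsets(vecs))                  # [[2, 3, 4, 6]]
    # the Dixon example above: n = 15770708441 with the three given z_j
    print(dixon_factor(15770708441, [2, 3, 5, 7, 11, 13], [8340934156, 12044942944, 2773700011]))
```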
How to pick zj:
There are several methods to find $z_j$'s such that $z_j^2 \bmod n$ factors over the primes in B. We discuss the following 3 methods:
1. Choose $z_j$ at random
2. Choose $z_j = j + \lceil\sqrt{kn}\rceil$ where j = 0, 1, 2, … and k = 1, 2, …; then $z_j^2 \bmod n$ is likely to be a small number, so there is a good chance it factors over B
3. Choose $z_j = \lfloor\sqrt{kn}\rfloor$; then $z_j^2 \bmod n$ tends to be a bit less than n, so $-z_j^2 \bmod n$ is small and can perhaps be factored over B (need to include -1 in B as well!)
Expected running time: $O\left(e^{(1 + o(1))\sqrt{\ln n \,\ln\ln n}}\right)$
Optimum choice of b: $|B| \approx e^{\sqrt{\ln n \,\ln\ln n}}$ (up to a constant in the exponent)
Approximate timing:
# of Digits   Time to Factor
50            3.9 Hours
75            104 Days
100           74 Years
In practice, the following three methods are used often:
1. Quadratic Sieve 2. Elliptic Curve (useful when the prime factors are of different size) 3. Number Field Sieve (method of choice now, used when the primes are very large)
Lecture 15 (3/10/08)
Rabin's Cryptosystem
Let n = pq where p, q are distinct primes such that p ≡ 3 mod 4 and q ≡ 3 mod 4
Let $P = C = \mathbb{Z}_n$. Public Key: n, B. Private Key: p, q
Encryption: $y = e_k(x) = x(x + B) \bmod n$ (Faster than RSA)
Decryption: $x = d_k(y) = \sqrt{\dfrac{B^2}{4} + y} - \dfrac{B}{2} \bmod n$
Note: computing square roots modulo n without knowing p, q is as hard as factoring n.
Consider decryption: $x^2 + Bx \equiv y \pmod n$ (quadratic equation). Let $x_1 = x + B/2 \bmod n \Rightarrow x = x_1 - B/2$ and $x_1^2 = B^2/4 + y \bmod n$. Let $B^2/4 + y = c \Rightarrow x_1^2 \equiv c \pmod n$. Therefore, we need to extract the square root of c mod n.
Decryption using the secret information p, q:
$x_1^2 \equiv c \pmod n \Rightarrow x_1^2 \equiv c \pmod p$ (2 distinct solutions if $c \in QR_p$) and $x_1^2 \equiv c \pmod q$ (2 distinct solutions if $c \in QR_q$)
Since c is the result of the encryption, we conclude that $x_1^2 \equiv c \pmod n$ definitely has a solution. Thus both the mod p and mod q equations have solutions. Thus using the Chinese Remainder Theorem (CRT), we get four solutions for $x_1$.
To find solutions: If p ≡ 3 mod 4 then $z_1 \equiv \pm c^{(p+1)/4} \pmod p$ is the solution for $z_1^2 \equiv c \pmod p$
Proof: $\left(\pm c^{(p+1)/4}\right)^2 \equiv c^{(p+1)/2} \equiv c^{(p-1)/2} \cdot c \equiv \left(\frac{c}{p}\right) c \equiv c \pmod p$   (Euler Formula, with $c \in QR_p$)
Thus $\begin{cases} x_1 \equiv \pm c^{(p+1)/4} \pmod p \\ x_1 \equiv \pm c^{(q+1)/4} \pmod q \end{cases}$ ⇒ CRT to find $x_1$ with $x_1^2 \equiv c \pmod n$
Using $x_1$, we compute $d_k(y) \equiv x_1 - \dfrac{B}{2} \equiv \sqrt{\dfrac{B^2}{4} + y} - \dfrac{B}{2} \pmod n$
Remark: For p ≡ 1 mod 4, there is no known polynomial-time deterministic algorithm to compute x in $x^2 \equiv c \pmod p$. (There is a polynomial time Las Vegas algorithm to solve for x.)
Remark: $x^a \equiv y \pmod n$ where $\gcd(a, \varphi(n)) = 1$ (** THIS IS NOT TRUE FOR RABIN'S SYSTEM **). This can be solved if we know φ(n) because there exist b, c such that $ab + c\varphi(n) = 1$. Claim: $x \equiv y^b \pmod n$
Proof: $y^b \bmod n \equiv x^{ab} \bmod n \equiv x^{1 - c\varphi(n)} \bmod n \equiv x\left(x^{\varphi(n)}\right)^{-c} \bmod n \equiv x \pmod n$
Problem with Rabin's System:
The encryption function $e_k(x)$ is NOT INJECTIVE (i.e. the decryption cannot be done in an unambiguous way). There are four possible solutions for decryption:
Let $w^2 \equiv 1 \pmod n$. Then $e_k(w(x + B/2) - B/2) = w^2(x + B/2)^2 - (B/2)^2 = x^2 + Bx = e_k(x)$
We can show that the four possible plaintext solutions are: x, -x - B, w(x + B/2) - B/2, -w(x + B/2) - B/2
To uniquely identify the plaintext, we need to have some side information:
Claim: Having $e_k(m)$, the Jacobi symbol $\left(\frac{m}{n}\right)$, and whether m < n/2 or m > n/2, m is identified uniquely by decryption of $e_k(m)$.
Proof: Let $x^2 \equiv c \pmod n$ have the four solutions
$x_1 \equiv a \pmod p,\ x_1 \equiv b \pmod q$;  $x_2 \equiv a \pmod p,\ x_2 \equiv -b \pmod q$;  $x_3 \equiv -a \pmod p,\ x_3 \equiv b \pmod q$;  $x_4 \equiv -a \pmod p,\ x_4 \equiv -b \pmod q$
Without loss of generality, assume $\left(\frac{a}{p}\right) = \left(\frac{b}{q}\right) = 1$.
Thus $\left(\frac{x_1}{n}\right) = \left(\frac{x_1}{p}\right)\left(\frac{x_1}{q}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{q}\right) = 1$, $\left(\frac{x_2}{n}\right) = -1$, $\left(\frac{x_3}{n}\right) = -1$, $\left(\frac{x_4}{n}\right) = 1$   (since $\left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = -1$ for p ≡ q ≡ 3 mod 4)
Thus the Jacobi symbol rules out two of the four solutions. We know that $x_1 \equiv -x_4 \pmod n$ ⇒ if $x_1 > n/2$ then $x_4 = n - x_1 < n/2$. Thus one of the two remaining solutions is identified by whether x < n/2 or x > n/2.
Factoring the Rabin modulus n given a decryption oracle
If we can take square roots, then we can factor n. Assume B = 0 in the Rabin Public Key System.
1. Choose a random r: 1 < r ≤ n-1
2. Compute $y \equiv r^2 \pmod n$
3. Call the decryption oracle for the Rabin System, A(y), obtaining a decryption $x_1$
4. If $x_1 \equiv \pm r \pmod n$ then FAILURE, else $\gcd(x_1 + r, n) = p$: SUCCESS
Note that if $x_1^2 \equiv r^2 \pmod n$ then either $x_1 \equiv \pm r \pmod n$ (FAILURE; note that here $w \equiv \pm 1 \pmod n$) or $x_1 \equiv \pm wr \pmod n$ where $w^2 \equiv 1 \pmod n$, $w \not\equiv \pm 1$ (SUCCESS).
Bottom line: If you can solve $x^2 \equiv 1 \pmod n$ where $x \not\equiv \pm 1 \pmod n$, then n can be factored…
Probability of success: There are four solutions {±r, ±wr}. Since r is chosen randomly, it is equally likely to get any of the four possible solutions. Thus the probability of success is ½.
Remark: Although Rabin's system is secure against chosen plaintext attack, it is broken by chosen ciphertext attack.
Proof: Use a chosen ciphertext as the oracle A in the previous algorithm…
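The Rabin machinery of this lecture as one added example (not the lecture notes' own code): the four CRT square roots for p ≡ q ≡ 3 (mod 4), the Jacobi-plus-half disambiguation of the claim above (B = 0 case), and the decryption-oracle reduction that factors n. The primes p = 1019, q = 1187 and the plaintext are constructed for the demo.

```python
"""Rabin cryptosystem with p, q = 3 (mod 4): the four CRT square roots, side-information
disambiguation, and the decryption-oracle factoring reduction (added example, not the
lecture notes' own code; the toy primes p = 1019, q = 1187 are constructed for the demo)."""
import math
import random


def crt(r_p: int, p: int, r_q: int, q: int) -> int:
    """x mod pq with x = r_p (mod p) and x = r_q (mod q), gcd(p, q) = 1."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)


def sqrt_mod_n(c: int, p: int, q: int):
    """All four x1 with x1^2 = c (mod pq), via x1 = +-c^((p+1)/4) mod p (same mod q)."""
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    return [crt(sp, p, sq, q) for sp in (rp, -rp % p) for sq in (rq, -rq % q)]


def rabin_encrypt(x: int, n: int, B: int) -> int:
    return x * (x + B) % n


def rabin_decrypt_all(y: int, p: int, q: int, B: int):
    """The four candidate plaintexts x = x1 - B/2 where x1^2 = B^2/4 + y (mod n)."""
    n = p * q
    half = pow(2, -1, n)                        # 1/2 mod n (n is odd)
    c = (B * B * half * half + y) % n           # c = B^2/4 + y
    return sorted((x1 - B * half) % n for x1 in sqrt_mod_n(c, p, q))


def jacobi_via_primes(m: int, p: int, q: int) -> int:
    """(m/n) = (m/p)(m/q) by Euler's criterion. The sender can compute (m/n) without
    p, q; the factors are used here only as a shortcut."""
    lp, lq = pow(m, (p - 1) // 2, p), pow(m, (q - 1) // 2, q)
    return (1 if lp == 1 else -1) * (1 if lq == 1 else -1)


def rabin_decrypt(y: int, p: int, q: int, jac: int, upper_half: bool) -> int:
    """B = 0 case of the claim: the Jacobi symbol rules out +-w x1, and 'm > n/2'
    picks one of the remaining pair {x1, -x1}."""
    n = p * q
    hits = [x for x in rabin_decrypt_all(y, p, q, 0)
            if jacobi_via_primes(x, p, q) == jac and (x > n // 2) == upper_half]
    assert len(hits) == 1, "side information must single out one root"
    return hits[0]


def make_oracle(p: int, q: int):
    """A decryption oracle for B = 0 that answers with one (the smallest) square root."""
    return lambda y: rabin_decrypt_all(y, p, q, 0)[0]


def factor_with_oracle(n: int, oracle, seed: int = 1):
    """Pick r, ask for a root x1 of r^2; if x1 != +-r then gcd(x1 + r, n) is a prime
    factor (success probability 1/2 per query). None means FAILURE."""
    r = random.Random(seed).randrange(2, n)
    x1 = oracle(r * r % n)
    if x1 in (r, n - r):
        return None
    return math.gcd(x1 + r, n)


if __name__ == "__main__":
    p, q, B, m = 1019, 1187, 12345, 777777
    n = p * q
    y = rabin_encrypt(m, n, B)
    print(rabin_decrypt_all(y, p, q, B))                 # four candidates, one of them 777777
    y0 = rabin_encrypt(m, n, 0)
    print(rabin_decrypt(y0, p, q, jacobi_via_primes(m, p, q), m > n // 2))   # 777777
    print([factor_with_oracle(n, make_oracle(p, q), seed=s) for s in range(6)])
```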
Lecture 16 (3/12/08)
Semantic Security
Adversary Goals:
Total Break: Determine the secret key.
Partial Break: Decrypt a previously unseen ciphertext (without knowing the key) with some non-negligible probability.
Distinguishability of Ciphertext: With some probability > 0.5, the adversary can distinguish between the encryptions of two given plaintexts.
Given plaintexts A, B: choose between A and B at random (with probability ½) and encrypt it, $y = e_k(x)$ where x = A or x = B. By looking at the ciphertext y, the adversary can tell whether A or B was encrypted with probability > 0.5 (better than random).
Remark: It is harder to make a cryptosystem secure against a less ambitious (weaker) goal of the adversary.
Semantic Security: The adversary cannot (in polynomial time) distinguish ciphertexts, provided that certain computational assumptions hold.
Partial Information Leakage of RSA
$y \equiv x^b \pmod n$, gcd(b, φ(n)) = 1 ⇒ b is an odd number
Jacobi: $\left(\frac{y}{n}\right) = \left(\frac{x^b}{n}\right) = \left(\frac{x^{b-1}}{n}\right)\left(\frac{x}{n}\right) = \left(\frac{x}{n}\right)$ since $x^{b-1}$ is a square (b-1 is even)
Thus, given the ciphertext y, anyone can efficiently compute (x/n) without decrypting the ciphertext. Thus RSA leaks some information concerning the plaintext x, namely the Jacobi symbol (x/n).
In general, it is very difficult to design a public key system that does not leak ANY information to the adversary regarding the plaintext.
RSA Decryption using partial information about plaintext bits
Partial information: $y = e_k(x)$
parity(y) denotes the low order bit of x (even/odd); half(y) = 0 if 0 ≤ x < n/2 and 1 if n/2 ≤ x ≤ n-1
Remark: We will show that any algorithm that computes parity(y) or half(y) can be used as an oracle to construct an algorithm that computes the plaintext x.
In other words, given a ciphertext, computing the low order bit of the plaintext is polynomially equivalent to determining the whole plaintext.
$\text{half}(y) = \text{parity}(y \cdot e_k(2) \bmod n) = \text{parity}((2x)^b \bmod n)$, because $2x \bmod n$ is either $2x$ (x < n/2, z = 2x EVEN) or $2x - n$ (x > n/2, z = 2x - n ODD since n is odd)
$\text{parity}(y) = \text{half}(y \cdot e_k(2^{-1}) \bmod n) = \text{half}((2^{-1}x)^b \bmod n)$
Example: Binary search using half*(y). Let n = 8, $\log_2 n = 3$, x = 3, $y = e_k(x) = e_k(3)$. Assume half*(y) tells which half of the current range of concern [lo, hi] contains x.
Range: 0 1 2 3 4 5 6 7 (lo … hi)
lo = 0, hi = 7, mid = 4: half*(y) = 0 ⇒ hi = mid
lo = 0, hi = 4, mid = 2: half*(y) = 1 ⇒ lo = mid
lo = 2, hi = 4, mid = 3: half*(y) = 1 ⇒ hi = mid
…
RSA Decryption Algorithm Using half(y)
1. Denote $k = \lfloor \log_2 n \rfloor$
2. For i = 0 to k do: $h_i = \text{half}(y)$; $y = y \cdot e_k(2) \bmod n$      note: $y \cdot e_k(2)^i = e_k(x \cdot 2^i)$; half($e_k(x)$) = 0 ⇒ x ∈ [0, n/2); half($e_k(2x)$) = 0 ⇒ x ∈ [0, n/4) ∪ [n/2, 3n/4); half($e_k(4x)$) = 0 ⇒ x ∈ [0, n/8) ∪ [n/4, 3n/8) ∪ …
3. lo = 0      note: *** After (2), h is the binary representation of x! ***
4. hi = n
5. For i = 0 to k do: mid = (hi + lo)/2; if $h_i = 1$ then lo = mid else hi = mid      note: binary search on x
6. Return ⌊hi⌋
Note: $e_k(x_1) e_k(x_2) = e_k(x_1 x_2)$
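The half(y) decryption algorithm above, as an added example (not the lecture notes' own code). The oracle is a stand-in that uses the private key and reveals only one bit; the toy key n = 31 × 47 = 1457, b = 779 is constructed, and exact rationals are used for the lo/hi/mid bookkeeping so that no rounding can throw the search off.

```python
"""Recovering an RSA plaintext from a half(y) oracle by binary search
(added example, not the lecture notes' own code). Toy key n = 31 * 47 = 1457, b = 779."""
from fractions import Fraction


def make_half_oracle(n: int, a: int):
    """Stand-in for the hypothetical oracle: decrypts with the private exponent a and
    reveals only whether x >= n/2. The attacker never sees a."""
    def half(y: int) -> int:
        x = pow(y, a, n)
        return 1 if 2 * x >= n else 0
    return half


def decrypt_with_half(y: int, n: int, b: int, half) -> int:
    """Steps 1-6 of the notes: h_i = half(e_k(2^i x)) for i = 0..k, then binary search."""
    k = n.bit_length() - 1                  # step 1: k = floor(log2 n)
    two_b = pow(2, b, n)                    # e_k(2); e_k(x1) e_k(x2) = e_k(x1 x2)
    h = []
    for _ in range(k + 1):                  # step 2
        h.append(half(y))
        y = y * two_b % n                   # y <- e_k(2x), e_k(4x), ...
    lo, hi = Fraction(0), Fraction(n)       # steps 3-4, exact rationals
    for bit in h:                           # step 5: each bit halves [lo, hi)
        mid = (lo + hi) / 2
        if bit == 1:
            lo = mid
        else:
            hi = mid
    return int(hi)                          # step 6: floor(hi); here hi - lo < 1 and x in [lo, hi)


def parity_from_half(y: int, n: int, b: int, half) -> int:
    """parity(y) = half(y * e_k(2^-1) mod n): the two oracles are interchangeable."""
    inv2_b = pow(pow(2, -1, n), b, n)       # e_k(2^-1)
    return half(y * inv2_b % n)


if __name__ == "__main__":
    p, q, b = 31, 47, 779
    n, a = p * q, pow(b, -1, (p - 1) * (q - 1))
    half = make_half_oracle(n, a)
    x = 999
    y = pow(x, b, n)
    print(decrypt_with_half(y, n, b, half))         # 999
    print(parity_from_half(y, n, b, half), x % 2)   # 1 1
```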
Semantically Secure Public Key System
No information leakage regarding the plaintext in polynomial time by examining the ciphertext: the adversary cannot distinguish ciphertexts.
Ciphertext Distinguishability
Let f be an encryption function such that $f \in F$, $f: P \to C$
Instance: $x_1, x_2 \in P$, $y = f(x_i)$ where i = 1 or i = 2. Question: Is i = 1?
We note that if the encryption function f is deterministic, then the adversary can compute $f(x_1)$ and $f(x_2)$ and hence identify the value of i by checking y. Thus, to make Ciphertext Distinguishability a task that is computationally infeasible, we require randomized encryption.
Let the plaintext space be $P = \{0, 1\}^m$ (m-bit binary message; $m = \log_2 n$) and let k be a positive integer. Let F be a family of trapdoor one-way permutations such that $f: \{0, 1\}^k \to \{0, 1\}^k$ for all $f \in F$. Let $G: \{0, 1\}^k \to \{0, 1\}^m$ be a random oracle.
Encryption: Pick a random $r \in \{0, 1\}^k$; $e_k(x) = (y_1, y_2)$ where $y_1 = f(r)$ and $y_2 = G(r) \oplus x$
Decryption: $d_k(y_1, y_2) = G(f^{-1}(y_1)) \oplus y_2$
Note that f and G are public, but $f^{-1}$ is the private key.
Suppose we use RSA as the trapdoor one-way permutation f:
n = pq, $P = \mathbb{Z}_n$, $f(x) \equiv x^b \pmod n$, $f^{-1}(x) \equiv x^a \pmod n$ where $ab \equiv 1 \pmod{\varphi(n)}$
We note that the new semantically secure RSA requires very little extra computation.
Main drawback: data expansion, because the ciphertext has n + m bits rather than n bits. Data expansion is inevitable in semantically secure systems.
Intuitive argument for the semantic security of the proposed system:
To obtain any information about the plaintext x, we must have some information about G(r). Since G is a random oracle, the only way to have some information about G(r) is to first compute $r = f^{-1}(y_1)$. It is not sufficient to compute partial information about r (which is possible if f = RSA). The adversary needs r itself; however, f is one-way. Thus r cannot be determined in polynomial time by an adversary who doesn't know the key of f.
Thus, the adversary cannot obtain any partial information about x.
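The (f(r), G(r) ⊕ x) construction above with f = RSA, as an added example that is not the lecture notes' own code. Assumptions: the random oracle G is modelled by SHA-256 truncated to m bits, and the toy key p = 1019, q = 1187, b = 65537 is constructed for the demo.

```python
"""The randomized construction above with f = RSA (added example, not the notes' own code).
Assumptions: the random oracle G is modelled by SHA-256 truncated to m bits, and the
toy key p = 1019, q = 1187, b = 65537 is constructed for the demo."""
import hashlib
import secrets


def G(r: int, k_bytes: int, m_bits: int) -> int:
    """Random-oracle stand-in: map r (as k bytes) to an m-bit mask."""
    digest = hashlib.sha256(r.to_bytes(k_bytes, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << m_bits) - 1)


def encrypt(x: int, n: int, b: int, m_bits: int, r: int = None):
    """e_k(x) = (y1, y2) with y1 = f(r) = r^b mod n and y2 = G(r) xor x; r is fresh and random
    unless one is passed in for reproducibility."""
    k_bytes = (n.bit_length() + 7) // 8
    if r is None:
        r = secrets.randbelow(n - 1) + 1           # r in [1, n-1]
    return pow(r, b, n), G(r, k_bytes, m_bits) ^ x


def decrypt(y1: int, y2: int, n: int, a: int, m_bits: int) -> int:
    """d_k(y1, y2) = G(f^-1(y1)) xor y2; f^-1 needs the private exponent a."""
    k_bytes = (n.bit_length() + 7) // 8
    r = pow(y1, a, n)
    return G(r, k_bytes, m_bits) ^ y2


def ciphertexts_repeat(x: int, n: int, b: int, m_bits: int) -> bool:
    """Plain RSA would always give True here (x^b mod n is deterministic); this scheme
    gives False, which is what defeats 'compute f(x1), f(x2) and compare with y'."""
    return encrypt(x, n, b, m_bits) == encrypt(x, n, b, m_bits)


if __name__ == "__main__":
    p, q, b, m_bits = 1019, 1187, 65537, 16
    n, a = p * q, pow(b, -1, (p - 1) * (q - 1))
    y1, y2 = encrypt(0xBEEF, n, b, m_bits)
    print(decrypt(y1, y2, n, a, m_bits) == 0xBEEF)   # True
    print(ciphertexts_repeat(0xBEEF, n, b, m_bits))   # False
    print(pow(0xBEEF, b, n) == pow(0xBEEF, b, n))     # True: deterministic RSA is distinguishable
```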
Lecture 17 (3/28/08)
Public Key Cryptography based on the Discrete Logarithm Problem (DLP)
Discrete Log Problem: I = (p, α, β), where p is prime, $\alpha \in \mathbb{Z}_p^*$ with $\mathbb{Z}_p^* = \langle\alpha\rangle$, and $\beta \in \mathbb{Z}_p^*$. Find the unique integer a, 0 ≤ a ≤ p-2, such that $\alpha^a \equiv \beta \pmod p$ ($a = \log_\alpha \beta$, the discrete log of β)
** p ~ at least 150 digits, and p-1 should have at least one large prime factor
ElGamal Cryptosystem: $P = \mathbb{Z}_p^*$, $C = \mathbb{Z}_p^* \times \mathbb{Z}_p^*$, $K = \{(p, \alpha, a, \beta) : \alpha^a \equiv \beta \pmod p\}$
Public Key: p, α, β. Private Key: a
Let p be a prime such that the discrete log problem in $\mathbb{Z}_p$ is intractable.
$\mathbb{Z}_p^* = \{1, 2, 3, \ldots, p-1\} = \langle\alpha\rangle = \{\alpha^i : 0 \le i \le p-2\}$ (note: $\alpha^{p-1} = 1$) (cyclic group under mod p multiplication)
For K = (p, α, a, β) and a secret random number $k \in \mathbb{Z}_p^*$, define: $e_k(x, k) = (y_1, y_2)$ where $y_1 = \alpha^k \bmod p$ and $y_2 = x\beta^k \bmod p$
For $y_1, y_2 \in \mathbb{Z}_p^*$ define: $d_k(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p$. Note that this is a randomized cryptosystem that minimizes ciphertext distinguishability.
Algorithm for Attacking the Discrete Log Problem
p: prime, $\mathbb{Z}_p^* = \langle\alpha\rangle$, $\beta \in \mathbb{Z}_p^*$, $\alpha^a \equiv \beta \pmod p$. Find a given α, β, p.
* Discrete log can be computed by exhaustive search in O(p)
Shanks' Algorithm: Let a = qk + j where $k = \lceil\sqrt{p-1}\rceil$ and 0 ≤ j ≤ k-1
Then $\beta \equiv \alpha^a = \alpha^{qk+j} = (\alpha^k)^q \alpha^j$
Create a list $L = \{\beta\alpha^{-j} : j = 0, 1, \ldots, k-1\}$. This runs in $O(\sqrt p)$ instead of O(p).
Then compute $(\alpha^k)^0, (\alpha^k)^1, \ldots$ until we find some $(\alpha^k)^q \in L$, i.e. $(\alpha^k)^q = \alpha^{-j}\beta$ ⇒ a = qk + j
The algorithm needs $O(\sqrt p)$ memory and runs in BEST CASE time $O(\sqrt p)$ (WORST CASE time O(p)).
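Shanks' algorithm as an added example (not the lecture notes' own code), cross-checked against exhaustive search; p = 1019 with primitive root α = 2 (1018 = 2 × 509 and 2 is a non-residue mod 1019) is a constructed toy instance.

```python
"""Shanks' baby-step giant-step for log_alpha(beta) in Z_p^* (added example, not the
lecture notes' own code). p = 1019 with primitive root alpha = 2 is a toy instance."""
from math import isqrt


def shanks(p: int, alpha: int, beta: int):
    """Return a with alpha^a = beta (mod p), 0 <= a <= p-2, or None if beta is not a power of alpha."""
    k = isqrt(p - 1)
    if k * k < p - 1:                            # k = ceil(sqrt(p-1))
        k += 1
    alpha_inv = pow(alpha, p - 2, p)             # alpha^-1 by Fermat (p prime)
    baby = {}                                    # L = { beta * alpha^-j : 0 <= j <= k-1 }, value -> j
    value = beta % p
    for j in range(k):
        baby.setdefault(value, j)
        value = value * alpha_inv % p
    giant = pow(alpha, k, p)                     # alpha^k
    value = 1                                    # (alpha^k)^q for q = 0, 1, 2, ...
    for q in range(k + 1):
        if value in baby:                        # (alpha^k)^q = beta * alpha^-j  =>  a = qk + j
            return (q * k + baby[value]) % (p - 1)
        value = value * giant % p
    return None


def brute_force_log(p: int, alpha: int, beta: int):
    """O(p) exhaustive search, for cross-checking."""
    value = 1
    for a in range(p - 1):
        if value == beta % p:
            return a
        value = value * alpha % p
    return None


if __name__ == "__main__":
    p, alpha = 1019, 2
    for beta in (525, 1018, 3):
        a = shanks(p, alpha, beta)
        print(beta, a, pow(alpha, a, p) == beta, a == brute_force_log(p, alpha, beta))
```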
Pohlig-Hellman Algorithm: Since 0 ≤ a ≤ p-2, we are finding a mod (p-1).
$p - 1 = \prod_{i=1}^{k} p_i^{c_i}$   (prime factorization; the $p_i$ are distinct primes)
To find a mod (p-1), we find $a \bmod p_i^{c_i}$ for each i, then use the Chinese Remainder Theorem (CRT) to get a mod (p-1).
Select a specific $p_i^{c_i}$ and call it $q^c$, where q is prime. Note: $p - 1 \equiv 0 \pmod{q^c}$.
Goal: Find $x = a \bmod q^c$. Note: $a = x + sq^c$ for some s.
Since $0 \le x \le q^c - 1$, represent x as $x = \sum_{i=0}^{c-1} a_i q^i$ where $0 \le a_i \le q-1$ for $0 \le i \le c-1$ ⇒ we need to find the $a_i$.
Let's find $a_0$ first: $\beta^{(p-1)/q} \equiv \alpha^{(p-1)a_0/q} \pmod p$, because $\beta^{(p-1)/q} \equiv \alpha^{(p-1)(x + sq^c)/q} \pmod p$.
Need to show $\alpha^{(p-1)(x + sq^c)/q} \equiv \alpha^{(p-1)a_0/q} \pmod p$. This will be true iff $\dfrac{(p-1)(x + sq^c)}{q} \equiv \dfrac{(p-1)a_0}{q} \pmod{p-1}$:
$\dfrac{(p-1)(x + sq^c)}{q} - \dfrac{(p-1)a_0}{q} = \dfrac{p-1}{q}\left(\sum_{i=0}^{c-1} a_i q^i + sq^c - a_0\right) = \dfrac{p-1}{q}\left(\sum_{i=1}^{c-1} a_i q^i + sq^c\right) = (p-1)\left(\sum_{i=1}^{c-1} a_i q^{i-1} + sq^{c-1}\right) \equiv 0 \pmod{p-1}$
Thus we can compute $\beta^{(p-1)/q} \bmod p$. If $\beta^{(p-1)/q} \equiv 1 \pmod p$ ⇒ $a_0 = 0$. Otherwise compute $\gamma \equiv \alpha^{(p-1)/q} \pmod p$, $\gamma^2, \gamma^3, \ldots$ until for some i: $\gamma^i \equiv \beta^{(p-1)/q} \pmod p$ ⇒ $a_0 = i$.
If c = 1, we are finished. If c > 1, we proceed to find $a_1$:
Define $\beta_1 \equiv \beta\alpha^{-a_0} \pmod p$ (recall $\beta \equiv \alpha^a \pmod p$) and $x_1 = \log_\alpha \beta_1 \bmod q^c$.
Find $x_1$: $x_1 = \sum_{i=1}^{c-1} a_i q^i$
We can similarly show that $\beta_1^{(p-1)/q^2} \equiv \alpha^{(p-1)a_1/q} \pmod p$.
Thus we can compute $\beta_1^{(p-1)/q^2} \bmod p$ and find i such that $\gamma^i \equiv \beta_1^{(p-1)/q^2} \pmod p$ ⇒ $a_1 = i$.
If c = 2, we are done. Otherwise find $a_2, a_3, \ldots, a_{c-1}$ similarly using $\beta_j = \beta\alpha^{-(a_0 + a_1 q + a_2 q^2 + \cdots + a_{j-1} q^{j-1})}$.
Pohlig-Hellman Algorithm: $\log_\alpha \beta \bmod q^c$
1. Compute $\gamma_i \equiv \alpha^{i(p-1)/q} \pmod p$ for $0 \le i \le q-1$
2. Set $j = 0$ and $\beta_j = \beta$
3. While $j \le c-1$ do
   Compute $\delta \equiv \beta_j^{(p-1)/q^{j+1}} \pmod p$
   Find $i$ such that $\delta = \gamma_i$; set $a_j = i$
   $\beta_{j+1} \equiv \beta_j \alpha^{-a_j q^j} \pmod p$
   $j = j + 1$
Once all $a_j$'s are found, $x = \sum_{i=0}^{c-1} a_i q^i \bmod q^c$. With all the $x$'s (one per prime power $q^c$ dividing $p-1$), $a$ can be obtained using the Chinese Remainder Theorem (CRT).
This attack can be resisted by ensuring that p-1 has a large prime factor.
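The algorithm above in Python, as an added example that is not part of the lecture notes: dlog_prime_power is the digit-peeling loop for one prime power q^c, crt recombines the residues, and factorize/find_generator are small helpers used to build the constructed test parameters p = 251 (p-1 = 2·5³) and the Fermat prime 65537. Requires Python 3.8+ for pow(x, -1, m).

```python
from math import gcd


def factorize(n):
    """Trial-division prime factorization of n: {prime: exponent}.
    Fine for classroom-sized p; Pohlig-Hellman only helps when p-1 is smooth anyway."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def find_generator(p):
    """Smallest primitive root of Z_p^*: g^((p-1)/q) != 1 for every prime q | p-1."""
    primes = factorize(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            return g
    raise ValueError("no generator found: p is not prime")


def dlog_prime_power(alpha, beta, p, q, c):
    """x = log_alpha(beta) mod q^c for a generator alpha of Z_p^* and q^c | p-1,
    following steps 1-3 of the lecture: peel off one base-q digit a_j per round."""
    n = p - 1
    # Step 1: gamma_i = alpha^(i(p-1)/q) mod p for 0 <= i <= q-1.  alpha^((p-1)/q) has
    # order q, so the q table values are distinct and the dict inverts the table in O(1).
    gamma = {pow(alpha, i * (n // q), p): i for i in range(q)}
    beta_j, x = beta, 0
    for j in range(c):                              # steps 2-3
        delta = pow(beta_j, n // q ** (j + 1), p)   # delta = beta_j^((p-1)/q^(j+1)) mod p
        a_j = gamma[delta]                          # find i with delta == gamma_i
        x += a_j * q ** j
        # beta_{j+1} = beta_j * alpha^(-a_j q^j) mod p, exponent reduced mod p-1
        beta_j = beta_j * pow(alpha, (-a_j * q ** j) % n, p) % p
    return x


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for r, m_i in zip(residues, moduli):
        t = (r - x) * pow(m, -1, m_i) % m_i
        x, m = x + m * t, m * m_i
    return x % m


def pohlig_hellman(alpha, beta, p):
    """log_alpha(beta) in Z_p^*: solve mod each prime power of p-1, then recombine by CRT."""
    residues, moduli = [], []
    for q, c in factorize(p - 1).items():
        residues.append(dlog_prime_power(alpha, beta, p, q, c))
        moduli.append(q ** c)
    return crt(residues, moduli)


if __name__ == "__main__":
    p = 251                          # constructed example: p - 1 = 250 = 2 * 5^3
    alpha = find_generator(p)
    beta = pow(alpha, 173, p)
    print(p, alpha, beta, pohlig_hellman(alpha, beta, p))   # recovers 173
```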
Bit security of Discrete Log Problem
How hard is it to compute individual bits of a discrete‐log?
Remark: In RSA, knowledge about the LSB or MSB bit of the plaintext results in finding the plaintext x.
The LSB bit of the discrete log can be computed by:
  0 if $\beta \in QR_p$ ($\beta^{(p-1)/2} \equiv 1 \pmod p$)
  1 if $\beta \in QN_p$ ($\beta^{(p-1)/2} \not\equiv 1 \pmod p$)
Proof: $\beta = \alpha^a \bmod p$. We know that $QR_p = \{\alpha^{2i} : i = 1, \ldots, (p-1)/2\}$ and $QN_p = \{\alpha^{2i-1} : i = 1, \ldots, (p-1)/2\}$. Thus $\alpha^a \in QR_p$ iff "a" is even. Hence β is a quadratic residue iff "a" is even.
Computing Other Bits in Discrete Log
Suppose $p - 1 = 2^S t$ where t is odd and S ≥ 1. It can be shown that the S least significant bits of the discrete log can be computed easily. However, computing any other bit is as hard as DLP (if we can compute any other bit in polynomial time, then we can solve the DLP in polynomial time). Note that if p-1 has a large prime factor, this also ensures minimal bit leakage.
Index Calculus Method (This method resembles Dixon's Algorithm (Factor Base Method))
Let $\beta \equiv \alpha^x \bmod p$ and $B = \{p_1, p_2, \ldots, p_B\}$ where the $p_i$ are small prime numbers.
1. Find $\log_\alpha p_i$ for i = 1, 2, …, B
Construct c = B + 10 (or some number that ensures a sufficient number of independent equations) congruences mod p, as follows:
Find a random value $x_j$ such that $\alpha^{x_j} = p_1^{a_{1j}} p_2^{a_{2j}} \cdots p_B^{a_{Bj}} \bmod p$ for j = 1, …, c
Equivalently: $x_j = a_{1j}\log_\alpha p_1 + \cdots + a_{Bj}\log_\alpha p_B \bmod (p-1)$ for j = 1, …, c
Given c congruences in the B unknowns $\log_\alpha p_i$, we hope there is a unique solution mod p-1. If this is the case, we can compute $\log_\alpha p_i$ for i = 1, …, B.
2. Choose a random S, 0 ≤ S ≤ p-2, and attempt to find the factorization of $\beta\alpha^S \bmod p$ over the factor base B:
$\beta\alpha^S = p_1^{c_1} p_2^{c_2} \cdots p_B^{c_B} \bmod p$
If such a factorization does not exist, we choose another random number S and repeat.
3. Once an S has been found,
$\log_\alpha \beta + S \equiv c_1\log_\alpha p_1 + c_2\log_\alpha p_2 + \cdots + c_B\log_\alpha p_B \bmod (p-1)$
Note: $\alpha^x \equiv \alpha^y \bmod p$ => $x \equiv y \bmod (p-1)$
Thus, we can find $\log_\alpha \beta$ from the above equation.
Generalized Discrete Log Problem in (G,·)
Discrete Log Problem I = (G, α, β), where G is a finite group with group operation ·, α ∈ G and β ∈ H, where H = <α> is the subgroup generated by α.
Objective: Find the unique integer a, 0 ≤ a ≤ |H|-1, such that $\alpha^a = \beta$,
where $\alpha^a$ means α·α·α·α·… (a times). We denote a by $\log_\alpha \beta$ (discrete log of β).
Generalized ElGamal Public Key Cryptosystems
Let G be a finite group with operation ·. Let α ∈ G be an element such that DLP is intractable in H defined as H = <α> = { $\alpha^i$ : 0 ≤ i }.
Let P = G, C = G x G, K = {(G, α, a, β) : $\alpha^a = \beta$}. Public Key: p, α, β
Private Key: a
Encryption: For a secret random number $k \in Z_{|H|}$, define $e_k(x, k) = (y_1, y_2)$ where $y_1 = \alpha^k$, $y_2 = x \cdot \beta^k$. Decryption: For $y_1, y_2 \in G$ define $d_k(y_1, y_2) = y_2 \cdot (y_1^a)^{-1} \bmod p$
Remark: G does not need to be abelian; however, H is abelian since it is cyclic. k can also be chosen 0 ≤ k ≤ |G|-1 if Alice doesn't know |H|.
The difficulty of DLP depends on the representation of the group.
Ex: DLP is easy to solve in $(Z_n, +)$ (additive cyclic group $Z_n$)
Let gcd(α, n) = 1 => $Z_n$ = <α>
DLP: $\alpha^a$ = α·α·α·… becomes α + α + … + α = aα ≡ β mod n. Thus we can compute $\alpha^{-1}$ by the Euclidean Algorithm and find a ≡ $\beta\alpha^{-1}$ mod n. ** Therefore we should not use DLP in additive cyclic groups for public key systems…
Using other groups to study DLP:
1. Multiplicative group of $GF(p^n)$
2. Group of an elliptic curve defined over a finite field
Lecture 18 (4/2/08)
Galois Field GF(pn)
A field is a set that forms a group under addition AND all non‐zero elements of the set form a group under multiplication
Zp is a field if p is a prime. Arithmetic is the usual mod p addition/multiplication. We show this field as GF(p).
Another type of finite field: GF(q) where $q = p^n$, p is a prime, and n ≥ 1. Arithmetic in this field is no longer mod p addition / multiplication.
Suppose p is prime. Define Zp[x] to be the set of all polynomials in the indeterminate x with coefficients in Zp. By defining addition and multiplication of polynomials in the usual way (and reducing coefficients mod p), we construct a ring.
Ex: $f_1(x) = x^3 + 1$, $f_2(x) = x^3 + x + 1$ in $Z_2[x]$
$f_1(x) + f_2(x) = x^3 + x^3 + x + 1 + 1 = x$
$f_1(x) \cdot f_2(x) = x^6 + x^4 + x^3 + x^3 + x + 1 = x^6 + x^4 + x + 1$
Let f(x), g(x), h(x) ∈ $Z_p[x]$. Define deg(f) = n. Define g(x) ≡ h(x) mod f(x) if f(x) | {g(x) – h(x)}.
Let deg(f) = n. Divide g(x) by f(x): g(x) = q(x)·f(x) + r(x) where deg(r) < n. Then g(x) ≡ r(x) mod f(x).
Ex: $x^3 + x^2 + 1 \equiv x \bmod (x^2 + 1)$ in $Z_2[x]$ {q(x) = x + 1 => $(x^2 + 1)(x + 1) = x^3 + x^2 + x + 1$; r(x) = x}
Define $Z_p[x] / f(x)$: Collection of all polynomials with coefficients in $Z_p$ and degree at most n-1 where n = deg(f)
A polynomial f(x) in $Z_p[x]$ is said to be irreducible if there do not exist polynomials $f_1(x), f_2(x)$ in $Z_p[x]$ such that $f(x) = f_1(x) \cdot f_2(x)$ where $\deg(f_1), \deg(f_2) > 0$ (Ex: $x^3 + x + 1$)
$Z_p[x] / f(x)$ constructs a finite field if:
1. f(x) is an irreducible polynomial over $Z_p[x]$
2. Addition of polynomials in $Z_p[x] / f(x)$ is done in the usual way (except that we reduce coefficients mod p)
3. Multiplication of two polynomials in $Z_p[x] / f(x)$ is done in the usual way (reducing coefficients mod p). Then reduce the resulting polynomial mod f(x).
Remark: The order of the field $Z_p[x] / f(x)$ is $p^n$ if f(x) is irreducible in $Z_p$ of degree n.
Remark: We denote $Z_p[x] / f(x)$ by the Galois field $GF(p^n)$
Remark: Study DLP in $Z_p^*$ (multiplicative group of $Z_p$, which is cyclic) → Study DLP in $GF(p^n)^* = (Z_p[x]/f(x))^*$ (multiplicative group of $GF(p^n)$)
Note: $GF^*(p^n)$ is a cyclic group of order $p^n - 1$
$GF(p^m)$ has field elements represented by polynomials of the form $a_0 + a_1 x + \cdots + a_{m-1}x^{m-1}$ where $a_i \in GF(p)$
Ex: Construction of $GF(2^3)$ (note: $GF^*(2^3) = <\alpha>$)
$GF(2^3) = \{0, 1, \alpha, \alpha^2, \ldots, \alpha^{2^3 - 2}\}$ (note: $|GF^*(2^3)| = 7$)
There exists an irreducible polynomial (of degree m = 3) for which α is a root. We call this polynomial, p(x), a primitive polynomial. This is the polynomial that is used in defining multiplication in $GF(p^m)$. For $GF(2^3)$, the primitive polynomial is $p(x) = x^3 + x + 1$.
Thus, $p(\alpha) = 0 = \alpha^3 + \alpha + 1$ => $\alpha^3 = \alpha + 1$
Exponential Representation of GF(2^3)    Polynomial Representation of GF(2^3)
0                                        0
α^0                                      1
α^1                                      α
α^2                                      α^2
α^3                                      α + 1
α^4                                      α^2 + α
α^5 = α^3 + α^2                          α^2 + α + 1
α^6 = α^3 + α^2 + α                      α^2 + 1
α^7 = α^3 + α                            1
Remark: For large n > 800 (~1024 bits!), DLP in GF(2n) is thought to be intractable provided that 2n‐1 has at least one large prime factor (to resist the Pohlig‐Hellman Algorithm)
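An added Python example (not from the notes) that builds the GF(2^m) exponential/polynomial table by repeated multiplication by α = x and reduction mod p(x); with p(x) = x³ + x + 1 it reproduces the GF(2³) table above. It also checks that α really has order 2^m - 1, because an irreducible p(x) alone does not make x a generator (the AES polynomial in the test is the standard counterexample).

```python
def gf2_mul(a, b, poly, m):
    """Multiply a, b in GF(2^m) = Z_2[x]/p(x).  Elements are ints whose bit i is the
    coefficient of x^i; poly is p(x) with its x^m bit set.  Addition is XOR, and every
    time the running product reaches degree m we subtract (XOR) p(x), i.e. reduce mod p(x)."""
    result = 0
    while b:
        if b & 1:            # current bit of b is set: add a * x^i to the result
            result ^= a
        b >>= 1
        a <<= 1              # a := a * x
        if (a >> m) & 1:     # degree m reached: replace x^m by the lower terms of p(x)
            a ^= poly
    return result


def exp_log_tables(poly, m):
    """Exponential/polynomial tables of GF(2^m): exp[i] = alpha^i where alpha = x is a
    root of p(x), log[elem] = i.  Raises if alpha does not have order 2^m - 1, i.e. if
    p(x) is not primitive."""
    order = (1 << m) - 1
    exp, log, elem = [], {}, 1
    for i in range(order):
        if elem in log:
            raise ValueError("p(x) is not primitive: x has order %d < %d" % (i, order))
        exp.append(elem)
        log[elem] = i
        elem = gf2_mul(elem, 0b10, poly, m)     # multiply by alpha = x
    if elem != 1:                               # alpha^(2^m - 1) must wrap around to 1
        raise ValueError("p(x) is not primitive")
    return exp, log


def poly_str(elem, m):
    """Render an element as a polynomial in alpha, e.g. 0b111 -> 'a^2 + a + 1'."""
    terms = []
    for i in range(m - 1, -1, -1):
        if (elem >> i) & 1:
            terms.append({0: "1", 1: "a"}.get(i, "a^%d" % i))
    return " + ".join(terms) if terms else "0"


def gf8_table():
    """The lecture's GF(2^3) table for p(x) = x^3 + x + 1: (i, alpha^i as int, polynomial)."""
    exp, _ = exp_log_tables(0b1011, 3)
    return [(i, e, poly_str(e, 3)) for i, e in enumerate(exp)]


def gf2_mul_via_logs(a, b, exp, log):
    """Multiplication by table lookup: alpha^i * alpha^j = alpha^((i + j) mod (2^m - 1))."""
    if a == 0 or b == 0:
        return 0
    return exp[(log[a] + log[b]) % len(exp)]


if __name__ == "__main__":
    for i, e, s in gf8_table():
        print("alpha^%d = %s" % (i, s))
```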
Elliptic Curves
Let p > 3 be a prime. The elliptic curve $y^2 = x^3 + ax + b$ over $Z_p$ is the set of solutions $(x, y) \in Z_p \times Z_p$ to the equation $y^2 \equiv x^3 + ax + b \bmod p$, where $a, b \in Z_p$ are constants such that $4a^3 + 27b^2 \not\equiv 0 \bmod p$ (this ensures that there are no multiple roots of $x^3 + ax + b = 0$ and hence the curve is not supersingular), together with a special point ∞ called the point at infinity.
General Form: $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_5$
In $GF(p^n)$, p > 3: $y^2 = x^3 + ax + b$, $4a^3 + 27b^2 \not\equiv 0 \bmod p$
In $GF(2^n)$: either $y^2 + cy = x^3 + ax + b$ or $y^2 + xy = x^3 + ax^2 + b$
In $GF(3^n)$: $y^2 = x^3 + ax^2 + bx + c$ where the right hand side should not have multiple roots.
Remarks: The set of points on E form an abelian group.
For a moment assume that the field is the reals: $y^2 = x^3 + ax + b$
E is the set of points on the curve together with ∞ (point at infinity), which serves as the identity element.
-P is defined as: for P = (x, y), -P = -(x, y) = (x, -y). In $GF(2^n)$ or $GF(3^n)$, draw a vertical line from P to find –P. Note: if (x, y) is on the curve, then (x, -y) is also on the curve.
P + Q is defined as:
1. If P & Q have different x-coordinates, then normally the line l = PQ intersects the curve in exactly one more point R. Define P + Q to be –R (the mirror image wrt the x-axis).
2. If the line l = PQ is tangent to the curve at Q, then R = Q.
3. If Q = -P then P + Q = ∞.
4. If P = Q, then let l be the tangent line to the curve at P.
   a) Let R be the only other point of intersection of l with the curve; define P + Q = -R (see 2).
   b) R is taken to be ∞ if the tangent line has a "double tangency"; then P + Q = ∞.
Lecture 19 (4/7/08)
Group Operation: $y^2 = x^3 + ax + b$. Let $P = (x_1, y_1)$, $Q = (x_2, y_2) \in E$. If $x_2 = x_1$ and $y_2 = -y_1$ => P + Q = ∞. Otherwise $P + Q = (x_3, y_3)$
where
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$
and
$\lambda = \begin{cases} (y_2 - y_1)(x_2 - x_1)^{-1} \bmod p & \text{if } P \ne Q \\ (3x_1^2 + a)(2y_1)^{-1} \bmod p & \text{if } P = Q \end{cases}$
*define P + ∞ = ∞ + P = P
Hasse's Theorem: Let N be the number of points on E, usually denoted by #E, where E is defined over GF(q). Then
$|\#E - (q+1)| \le 2\sqrt{q}$
Computing #E is difficult. Schoof's Algorithm with polynomial complexity $O((\log p)^8)$ computes #E (w/ E over GF(p)).
If #E is a prime or a product of distinct primes, then the points on E form a cyclic group.
Then E = <α> and ord(α) = #E and every non-zero point in E will be a generator.
For security, the cyclic group generated by α must be a group in which DLP is intractable. This will be the case if the order of α has a very large prime factor (to resist Pohlig-Hellman).
Discrete Log over E
If E is an elliptic curve over GF(q) and α, β ∈ E, then DLP on E (to the base α) is the problem of finding an integer x ∈ Z such that $\alpha^x \equiv x \cdot \alpha = \beta$ (b/c E is an additive cyclic group), if such an integer x exists.
DLP is insecure over $GF^*(2^r)$ (the multiplicative group of $GF(2^r)$) unless r is very large (~1024). On the other hand, it turns out that DLP is secure over E defined on $GF(2^r)$ for significantly smaller r (ex $GF(2^{160})$). There are practical reasons (hardware & software) to use E on $GF(2^r)$ instead of over other fields.
Ex: E: $y^2 = x^3 + x + 6$ over $Z_{11}$ (GF(11)). How many points on E?
Take $x \in Z_{11}$ and compute $x^3 + x + 6 \bmod 11$ and see if it is in $QR_{11}$ by using Euler's criterion. Since $11 \equiv 3 \bmod 4$, use the explicit formula to compute the square root of $x^3 + x + 6 \bmod 11$.
That is, $x^3 + x + 6 \equiv z \bmod 11$ where $z \equiv y^2 \bmod 11$ -> $y \equiv \pm z^{(11+1)/4} \bmod 11$
It can be shown by direct computation that E has 13 points (12 points plus the infinity point). Since #E = 13, E is cyclic. Any point (except the infinity point) is a generator of the group. Let α = (2, 7) be the generator.
All other points can be generated by powers of α, i.e. (since it is an additive group) by multiples of α. 2α = α + α = (2, 7) + (2, 7) = $(x_3, y_3)$: λ = 8 => $x_3 = 8^2 – 2 – 2 \bmod 11 = 5$, $y_3 = 2$
ElGamal over E: Let α = (2, 7) and a = 7. $\beta = \alpha^a = \alpha^7 = 7\alpha = (7, 2)$
$e_k(x, k) = (y_1, y_2) = (\alpha^k, x \cdot \beta^k) = (k(2, 7), x + k(7, 2))$, x ∈ E & 0 ≤ k ≤ 12
$d_k(y_1, y_2) = y_2 \cdot (y_1^a)^{-1} = y_2 – 7y_1$
Suppose message x = (10, 9) ∈ E and random k = 3. Encryption: $y_1 = 3(2, 7) = (8, 3)$, $y_2 = (10, 9) + 3(7, 2) = (10, 2)$, y = ((8, 3), (10, 2))
Decryption: x = (10, 2) – 7(8, 3) = (10, 9)
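An added Python example (not the lecture's own code) implementing the group law above and running it on the lecture's curve y² = x³ + x + 6 over Z_11: it reproduces the point count, the multiples of α = (2, 7), and the ElGamal encryption and decryption of x = (10, 9) with k = 3.

```python
# The lecture's curve E: y^2 = x^3 + x + 6 over Z_11, with alpha = (2, 7) of order 13.
P_MOD, A, B = 11, 1, 6
INF = None                     # the point at infinity, identity element of E


def is_on_curve(pt, p=P_MOD, a=A, b=B):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_neg(pt, p=P_MOD):
    return INF if pt is INF else (pt[0], (-pt[1]) % p)


def ec_add(P, Q, p=P_MOD, a=A):
    """Chord-and-tangent group law with the lambda formulas from the lecture."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:          # Q = -P (also covers a vertical tangent, y1 = 0)
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, pt, p=P_MOD, a=A):
    """k * pt (k >= 0) by double-and-add: the 'powers of alpha' of the additive group."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, pt, p, a)
        pt = ec_add(pt, pt, p, a)
        k >>= 1
    return R


def count_points(p=P_MOD, a=A, b=B):
    """#E by Euler's criterion on z = x^3 + ax + b: two points if z is a QR, one if z = 0."""
    n = 1                                         # the point at infinity
    for x in range(p):
        z = (x ** 3 + a * x + b) % p
        if z == 0:
            n += 1
        elif pow(z, (p - 1) // 2, p) == 1:
            n += 2
    return n


def elgamal_encrypt(x, k, alpha, beta):
    """e_k(x, k) = (k*alpha, x + k*beta); the message x must be a point of E."""
    return ec_mul(k, alpha), ec_add(x, ec_mul(k, beta))


def elgamal_decrypt(y1, y2, a):
    """d(y1, y2) = y2 - a*y1."""
    return ec_add(y2, ec_neg(ec_mul(a, y1)))


if __name__ == "__main__":
    alpha, a = (2, 7), 7
    beta = ec_mul(a, alpha)                       # (7, 2)
    y1, y2 = elgamal_encrypt((10, 9), 3, alpha, beta)
    print(count_points(), beta, (y1, y2), elgamal_decrypt(y1, y2, a))
```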
Practical difficulty of the realization of ElGamal:
• ElGamal on Zp* ‐> message expansion of factor two
• ElGamal on E ‐> message expansion of factor four
Embedding plaintext: No convenient method is known to deterministically map message on points over E.
Mapping Message onto points over E
Let E be defined over GF(q) (where $q = p^n$).
1. No polynomial time deterministic algorithm is known to map a message m onto E.
2. There IS a probabilistic method for which the chance of failure is small.
Let E be on GF(q) and k be a number such that a failure probability of $2^{-k}$ is acceptable (ex: k = 30, k = 50).
Let message m be in the range 0 ≤ m < M and q > Mk.
We write the integers 1 to Mk in the form (mk + j) where 1 ≤ j ≤ k. Thus the (mk + j) are elements of GF(q).
Given a message m, for each j = 1, 2, …, k, we obtain an element x of GF(q) corresponding to mk + j.
For such an x, we check if $x^3 + ax + b = z$ is in $QR_q$ (in other words, (x, y) ∈ E). If not, we increment j by one and try again.
Since z is a square for almost 50% of all x, there is a probability of failure of $2^{-k}$ to produce a point on E whose x-coordinate corresponds to an integer between (mk+1) and (mk+k).
Menezes – Vanstone Elliptic Curve Cryptosystem
Properties: Message expansion of two (instead of four). Plaintext and ciphertext are allowed to be arbitrary ordered pairs of nonzero field elements (not necessarily on E).
Let E be an elliptic curve over $Z_p$ (p > 3 prime) such that E contains a cyclic subgroup H in which DLP is intractable.
Let $P = Z_p^* \times Z_p^*$, $C = E \times Z_p^* \times Z_p^*$
Define K = { (E, α, a, β) : $\beta = \alpha^a = a\alpha$ } where α ∈ E is the generator. Public Key: α, β. Private Key: a
Encryption: $x = (x_1, x_2)$ where $x_1, x_2 \in Z_p^*$, but $x = (x_1, x_2)$ is not necessarily on E. Pick a random $k \in Z_{|H|}$.
$e_k(x, k) = (y_0, y_1, y_2)$ where $y_0 = \alpha^k = k\alpha$ (thus $y_0 \in E$)
Compute $(c_1, c_2) = \beta^k = k\beta$
$y_1 = c_1 x_1 \bmod p$ (scalar in $Z_p^*$)
$y_2 = c_2 x_2 \bmod p$ (scalar in $Z_p^*$)
Decryption: $d_k(y) = (y_1 c_1^{-1} \bmod p, y_2 c_2^{-1} \bmod p)$ where $c_1$ and $c_2$ are obtained by $a y_0 = (c_1, c_2)$ since $\alpha^a = a\alpha = \beta$
Lecture 20 (4/11/08)
Signature Scheme
Signature: Something that is attached to a document to specify the person responsible for it.
Conventional (paper)                        Digital
Bound to the document                       Not attached, some type of binding required
Verification possible in public domain      Verified by publicly known algorithm
Forgery is difficult                        Copy is identical to the original signature
Any signature scheme will have: a PRIVATE generation algorithm and a PUBLIC verification algorithm (both polynomial time algorithms)
{P, A, K, Sig, Ver}: P: Message (finite set); A: Signed message (finite set); K: Key (finite set); Sig: P → A; Ver: (A, P) → T/F
It should be computationally infeasible for Oscar to "forge" Bob's signature on a message x. Like "Public Key Systems", we want the signature scheme to be computationally secure. Note that a signature scheme cannot be unconditionally secure because Oscar can exhaust all y ∈ A on a message x until it can be verified by $ver_k$.
RSA Signature
Sign using Decryption Rule $d_k$: $sig_k(x) \equiv x^a \bmod n$. Verify using Encryption Rule $e_k$: $ver_k(x, y)$ = true ⇔ $x \equiv y^b \bmod n$
Security
Suppose Oscar wants to put Alice's signature on another document $x_1$, but $(x_1, y)$ doesn't work (is not verified). Oscar needs $y_1$ such that $y_1^b \equiv x_1 \bmod n$ (he needs to find $y_1$ for such an intended $x_1$). This is equivalent to the decryption problem of RSA. This is hard.
Oscar chooses $y_1$ first. Let the message be $m_1 = y_1^b \bmod n$ and send the pair $(m_1, y_1)$. Alice cannot deny that it isn't her signature. But it is very unlikely that $m_1$ is a meaningful message (that Oscar really wants to forge). Thus Alice's claim that she has been forged will be believed.
ElGamal Signature: Requires 130–150 digits/value, 2x512 bits for computational security
$\alpha \in Z_p^*$, $Z_p^* = <\alpha>$. $P = Z_p^*$, $A = Z_p^* \times Z_{p-1}$. $\beta = \alpha^a \bmod p$. Public: p, α, β
$k \in Z_{p-1}^*$ (random). Private: 0 < a < p
Sign: $sig_k(x, k) = (\gamma, \delta)$ where $\gamma \equiv \alpha^k \bmod p$ (note: $Z_p^* = <\gamma>$) and $\delta \equiv (x – a\gamma)k^{-1} \bmod (p-1)$
Verify: $ver_k(x, \gamma, \delta)$ = true ⇔ $\beta^\gamma \gamma^\delta \equiv \alpha^{a\gamma}\alpha^{k\delta} \equiv \alpha^x \bmod p$, b/c $(k\delta + a\gamma) \equiv x \bmod (p-1)$
Security
1. Oscar chooses a value γ and then tries to find the corresponding δ. In order to satisfy $\beta^\gamma \gamma^\delta \equiv \alpha^x \bmod p$ he must compute $\log_\gamma \alpha^x\beta^{-\gamma}$ (DLP).
2. Oscar chooses δ and tries to solve for γ. Needs to satisfy: $\beta^\gamma \gamma^\delta \equiv \alpha^x \bmod p$. No feasible solution has been found. It is not related to well studied problems such as DLP.
3. Choosing γ and δ also leads to DLP and/or random x.
Thus the adversary cannot sign a given message x using the ElGamal signature algorithm. However, it can be shown that the adversary can sign a random message by choosing γ, δ, and x simultaneously, but this is not a threat for two reasons:
1. x is likely to have no meaning
2. In practice a hash function is used prior to signature. Using a secure hash will prevent any threat.
Careless Use of ElGamal Signature
1. The random number k should not be revealed. If k is known, a complete break results:
$a = (x – k\delta)\gamma^{-1} \bmod (p-1)$
2. Using the same random value k in signing two different messages: $sig(x_1, k) = (\gamma, \delta_1)$, $sig(x_2, k) = (\gamma, \delta_2)$
We have $\beta^\gamma\gamma^{\delta_1} \equiv \alpha^{x_1} \bmod p$ and $\beta^\gamma\gamma^{\delta_2} \equiv \alpha^{x_2} \bmod p$. Then $\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \bmod p$, but $\gamma \equiv \alpha^k \bmod p$. Thus $\alpha^{x_1 - x_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \bmod p$ => $x_1 – x_2 \equiv k(\delta_1 – \delta_2) \bmod (p-1)$. Let $\gcd(\delta_1 – \delta_2, p-1) = d$.
If d = 1 then $k \equiv (\delta_1 – \delta_2)^{-1}(x_1 – x_2) \bmod (p-1)$. Otherwise $d \mid (p-1)$ and $d \mid (\delta_1 – \delta_2)$ => $d \mid (x_1 – x_2)$.
Define $x' = (x_1 – x_2)/d$, $\delta' = (\delta_1 – \delta_2)/d$, $p' = (p-1)/d$. Then $x' \equiv k\delta' \bmod p'$.
Since $\gcd(\delta', p') = 1$, we have $k \equiv x'(\delta')^{-1} \bmod p'$. Let $k = x'(\delta')^{-1} + ip' \bmod (p-1)$ where i = 0, 1, …, d-1. Of these d candidates, the unique correct one satisfies $\gamma \equiv \alpha^k \bmod p$.
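An added Python example (not from the notes) of item 2 above: two messages signed with the same k share γ, and the two signatures give back k and then a, including the d > 1 case where the congruence has d candidates and the right one is picked by γ ≡ α^k (and α^a = β for a). The parameters p = 23, α = 5, a = 7, k = 3 are constructed toy values; the lesson for an implementer is that k must be fresh and uniformly random for every signature, and that a checker for repeated γ across stored signatures is cheap.

```python
from math import gcd


def elgamal_sign(x, a, k, p, alpha):
    """sig_k(x) = (gamma, delta) exactly as in the lecture; requires gcd(k, p-1) = 1."""
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta


def elgamal_verify(x, gamma, delta, p, alpha, beta):
    """beta^gamma * gamma^delta == alpha^x (mod p)."""
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)


def solve_linear(c, r, n):
    """All k in Z_n with c*k = r (mod n).  With d = gcd(c, n) there are d candidates
    k0 + i*(n/d), i = 0..d-1 (the lecture's x', delta', p' step), or none if d does not divide r."""
    d = gcd(c, n)
    if r % d:
        return []
    c2, r2, n2 = c // d, r // d, n // d
    k0 = r2 * pow(c2, -1, n2) % n2 if n2 > 1 else 0
    return [k0 + i * n2 for i in range(d)]


def recover_from_reused_k(x1, sig1, x2, sig2, p, alpha, beta):
    """Two signatures with the same k share gamma; x1 - x2 = k(delta1 - delta2) (mod p-1)
    then gives k, and x1 = k*delta1 + a*gamma (mod p-1) gives a.  Each congruence may have
    several solutions; the right one is the unique candidate with alpha^k = gamma (alpha^a = beta)."""
    gamma, delta1 = sig1
    gamma2, delta2 = sig2
    if gamma != gamma2:
        raise ValueError("different k were used; nothing to recover")
    n = p - 1
    ks = [k for k in solve_linear((delta1 - delta2) % n, (x1 - x2) % n, n)
          if pow(alpha, k, p) == gamma]
    k = ks[0]
    as_ = [a for a in solve_linear(gamma % n, (x1 - k * delta1) % n, n)
           if pow(alpha, a, p) == beta]
    return k, as_[0]


if __name__ == "__main__":
    # constructed toy parameters: p = 23, alpha = 5 generates Z_23^*, private key a = 7
    p, alpha, a = 23, 5, 7
    beta = pow(alpha, a, p)
    k = 3                                   # the same k is (wrongly) reused for both messages
    s1, s2 = elgamal_sign(9, a, k, p, alpha), elgamal_sign(13, a, k, p, alpha)
    print(s1, s2, recover_from_reused_k(9, s1, 13, s2, p, alpha, beta))   # (3, 7)
```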
Digital Signature Standard (DSS)
In order to ensure computational security, the DLP of ElGamal requires a large modulus (p > 512 bits), which if used directly would require a 2x512 bit signature. For many applications, ex. smart cards, a shorter signature is required.
DSS is the modification of the ElGamal Signature Scheme (Standard, 1994). DSS modifies ElGamal so that a 160-bit message is signed, resulting in a 320 bit signature.
p: 512-bit prime
q: 160-bit prime, q | (p-1), p = kq + 1
g: primitive root of p ($Z_p^* = <g>$)
Define $\alpha \equiv g^{(p-1)/q} \equiv g^k \bmod p$ (0 < α < p) => the order of α mod p is q: $\alpha^q \equiv 1 \bmod p$ and $\alpha^i \ne 1 \bmod p$ for 0 < i < q
a: random integer (0 < a < q) => if $a_1 \equiv a_2 \bmod q$ => $\alpha^{a_1} \equiv \alpha^{a_2} \bmod p$
x: message
Public: {p, q, α, β}, $\beta \equiv \alpha^a \bmod p$. Private: {a}
To sign message x (*** could alternatively use SHA-1(x) ***): Select random k, 1 ≤ k ≤ q-1
$\gamma \equiv (\alpha^k \bmod p) \bmod q$, 0 < γ < q
$\delta \equiv (x + a\gamma)k^{-1} \bmod q$ (this is b/c ord(α) = q) ** δ ≠ 0 **
$sig_k(x, k) = (\gamma, \delta)$, 320 bits
To verify message x: $w = \delta^{-1} \bmod q$ (gcd(δ, q) = 1 unless δ = 0)
$e_1 = xw \bmod q$, $e_2 = \gamma w \bmod q$
$v' \equiv (\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q$. ver(x, γ, δ) = true when v' = γ
Proof: $k \equiv \delta^{-1}(x + a\gamma) \bmod q$. $\alpha^{e_1}\beta^{e_2} \equiv \alpha^{xw}\beta^{\gamma w} \equiv \alpha^{xw}\alpha^{a\gamma w} \equiv \alpha^{w(x + a\gamma) \bmod q} \equiv \alpha^k \bmod p$. Thus $v' \equiv (\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q \equiv (\alpha^k \bmod p) \bmod q = \gamma$.
Note: We have a small signature (320 bits) but computations are done mod p. Security is based on DLP in <α>, a cyclic subgroup of $Z_p^*$ that has order 160 bits.
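An added Python example (not part of the notes) of the DSS signing and verification steps above, with constructed toy parameters q = 11, p = 23 = 2·11 + 1 and g = 5; it includes the δ = 0 case, which the signer must detect and answer with a fresh k, and the range checks a verifier should apply before inverting δ.

```python
def dss_params(p, q, g):
    """alpha = g^((p-1)/q) mod p has order q (p = kq + 1, g a primitive root of p)."""
    assert (p - 1) % q == 0
    alpha = pow(g, (p - 1) // q, p)
    assert alpha != 1 and pow(alpha, q, p) == 1
    return alpha


def dss_sign(x, a, k, p, q, alpha):
    """(gamma, delta) with gamma = (alpha^k mod p) mod q and delta = (x + a*gamma) k^-1 mod q.
    Returns None when gamma or delta is 0: the caller must pick a fresh k and retry."""
    gamma = pow(alpha, k, p) % q
    delta = (x + a * gamma) * pow(k, -1, q) % q
    if gamma == 0 or delta == 0:
        return None
    return gamma, delta


def dss_verify(x, gamma, delta, p, q, alpha, beta):
    """v' = (alpha^e1 * beta^e2 mod p) mod q must equal gamma; range checks come first."""
    if not (0 < gamma < q and 0 < delta < q):
        return False
    w = pow(delta, -1, q)
    e1, e2 = x * w % q, gamma * w % q
    v = pow(alpha, e1, p) * pow(beta, e2, p) % p % q
    return v == gamma


if __name__ == "__main__":
    # constructed toy parameters: q = 11, p = 23 = 2*11 + 1, g = 5 generates Z_23^*
    p, q, g = 23, 11, 5
    alpha = dss_params(p, q, g)             # 2, of order 11 mod 23
    a = 3
    beta = pow(alpha, a, p)
    print(dss_sign(7, a, 4, p, q, alpha))   # None: delta = 0 for k = 4, retry
    sig = dss_sign(7, a, 5, p, q, alpha)    # (9, 9)
    print(sig, dss_verify(7, *sig, p, q, alpha, beta))
```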
Elliptic Curve DSA
p: prime (or power of 2). E: elliptic curve over GF(p). α: point on E having prime order q (such that DLP is hard). The cyclic group is the subgroup of E generated by α.
Public: {p, q, E, α, β = mα}. Private: {m}
To sign message x: Select random k, 1 ≤ k ≤ q-1. kα = (u, v) (i.e. a point on E). $R \equiv u \bmod q$. $S \equiv k^{-1}(x + mR) \bmod q$ ** Ensure S ≠ 0 **. sig(x, k) = (R, S)
To verify message x: $w = S^{-1} \bmod q$ (gcd(S, q) = 1 unless S = 0). $i = xw \bmod q$, $j = Rw \bmod q$. $(u', v') = i\alpha + j\beta$
ver(x, R, S) = true when $R \equiv u' \bmod q$
Proof: $(u', v') = i\alpha + j\beta = (wx \bmod q)\alpha + (wR \bmod q)m\alpha = \{w(x + mR) \bmod q\}\alpha = (wSk \bmod q)\alpha = k\alpha = (u, v)$ => $R \equiv u' \bmod q$
Hash Function
h: X -> Z with |X| ≥ |Z|: long message x ↦ message digest (160 bits)
Properties: Given x, h(x) should be quickly computed
Applications: Data Integrity
a) Unkeyed Hash: Given a message x, compute y = h(x) and store y securely. If x is modified, one can detect it by computing y' = h(x') and verifying that y' ≠ y.
b) Keyed Hash (aka MAC – Message Authentication Code): Suppose $y = h_k(x)$ {or $e_k(h(x))$} where k is the secret shared by Alice and Bob. Alice transmits the pair (x, y) through an insecure channel. Now, if x or y is modified by the adversary, then Bob can detect the modification by verifying $y = h_k(x)$.
c) Signature: Since message x is too long to have an efficient signature scheme, we first (efficiently) compute the message digest z = h(x) and then sign the shorter sequence z (usually 160 bits) using an unkeyed hash function.
Security of Hash Functions
Note that a hash function h(x) is in the public domain
A hash function is secure if it is hard to solve the following three problems:
1. Preimage: Given h: X -> Y and y ∈ Y, find x ∈ X such that y = h(x). If computing a preimage is hard for a hash function, it is said to be one-way or preimage resistant. This makes random forgery in a keyed signature scheme impossible.
2. Second Preimage: Given h: X -> Y and x ∈ X, find x' ∈ X such that x' ≠ x and h(x') = h(x). This makes "selective forgery" impossible.
3. Collision: Given h: X -> Y, find x, x' ∈ X such that x' ≠ x and h(x') = h(x). If it is difficult to compute a collision, the hash is called collision resistant (hardest to achieve). Note that the collision risk always exists because of the many-to-one mapping nature of the hash function. The goal is to make this computationally infeasible…
Example: Let x X, y = sigk(h(x))
To perform “selective forgery”, adversary attempts to find x’ x but h(x’) = h(x). If he succeeds, then (x’, y) is a valid signature.
To prevent this, we need to have a hash with the second preimage resistant property.
Lecture 21 (4/18/08)
Example: Existential Forgery in RSA Signature
RSA Signature: $y \equiv z^a \bmod n$ <- ($sig_k$), z = h(x), x: message; $z \equiv y^b \bmod n$ <- ($ver_k$)
To perform existential forgery, the adversary picks a random y' and computes z' by $z' = y'^b \bmod n$. Hence (z', y') passes verification. However, the adversary ALSO needs to find x' from z' = h(x') if (x', y') is going to be a valid signature.
If the hash is preimage resistant, then the adversary cannot perform existential forgery on the RSA signature scheme (note that without the use of a hash, this attack was possible on the RSA signature scheme with a random/gibberish message).
Las-Vegas Algorithm to Find Preimage:
Let h: X -> Y where |X| = N, |Y| = M (ex: $M = 2^{160}$ for a 160 bit hash)
Find preimage(h, y, q): Choose any $X_0 \subseteq X$, $|X_0| = q$
For each $x \in X_0$: if h(x) = y then return x (q iterations)
Return failure
The success probability of this algorithm, for any fixed y, is constant and equal to:
Pr(h(x) = y) = 1/M; Pr(h(x) ≠ y) = 1 – 1/M; Pr(y ∉ h(X_0)) = Pr(failure) = $(1 – 1/M)^q$; Pr(success) = 1 – Pr(failure) = $1 – (1 – 1/M)^q \approx q/M$ (assuming q << M)
Since Pr(h(x) = y) is uniform across all y's, the success probability averaged over all y ∈ Y is the same as above.
This same approach can be extended to the probability of success for finding the second preimage:
Pr(success) = $1 – (1 – 1/M)^{q-1}$
Las-Vegas Algorithm to Find Collision:
Input: h: X -> Y and q. Let $X_0 \subseteq X$, $|X_0| = q$
For each $x \in X_0$: $y_x = h(x)$ (q iterations). If $y_x = y_{x'}$ for some x' ≠ x then return (x, x') else return failure
Note that the algorithm computes $y_x = h(x)$ and stores the values in a memory stack for future comparison.
Given that h: X -> Y; X, Y finite sets; |Y| = M; and |X| ≥ 2|Y|, there will be at least M collisions.
Birthday Paradox
If there are 23 people in a room, the probability is slightly more than 50% that two of them have the same birthday. If there are 30 people, the probability is around 70%...Why? How is this related to collision in a hash?
Let h: X -> Y, |X|: living human beings, y = h(x): birthday of person x => |Y| = 365
Hence, finding two people with the same birthday is the same as finding a collision for a hash. If we try q = 23 times to find the hash (in the algorithm), the birthday paradox says that the probability of collision is about 50% when q = 23 and M = 365.
In general: Suppose we have M bins and we throw q balls randomly into those M bins. Then, we check to see if some bins contain at least two balls.
This is equivalent to saying that given a hash function h: X -> Z where |Z| = M, |X| = N: find a collision by choosing q random distinct elements $x_i \in X_0 \subseteq X$ and computing $z_i = h(x_i)$, i = 1, …, q.
What is the probability of at least one collision here?
We find a lower bound on the probability of finding a collision. This lower bound depends on q and M, but not N. We assume that for any z ∈ Z, $|h^{-1}(z)| \approx N/M$ (if this assumption does not hold, the probability of finding a collision will increase).
If we assume that $|h^{-1}(z)| \approx N/M$, we conclude that the $z_i$ are random (not necessarily distinct).
Consider $z_1, z_2, \ldots, z_q$. The first choice $z_1$ is arbitrary. The second choice $z_2$: $\Pr(z_2 \ne z_1) = 1 – 1/M$. The third choice $z_3$: $\Pr(z_3 \ne z_2 \text{ and } z_3 \ne z_1) = 1 – 2/M$.
Thus Pr(no collision) $= (1 – 1/M)(1 – 2/M)\cdots(1 – (q-1)/M) = \prod_{i=1}^{q-1}\left(1 - \frac{i}{M}\right)$
Using $e^{-x} = 1 - x + \frac{x^2}{2!} - \frac{x^3}{3!} + \cdots \approx 1 - x$ when |x| << 1:
$\approx \prod_{i=1}^{q-1} e^{-i/M}$ if q/M is small
$= e^{-\frac{1}{M}\sum_{i=1}^{q-1} i} = e^{-\frac{q(q-1)}{2M}}$
Thus Pr(collision) $= 1 - e^{-\frac{q(q-1)}{2M}} = \varepsilon$
Since $e^{-\frac{q(q-1)}{2M}} = 1 - \varepsilon$, then $q^2 - q = 2M\ln\frac{1}{1-\varepsilon}$; assuming $q << q^2$ ($q \sim 2^{10}$) => $q \approx \sqrt{2M\ln\frac{1}{1-\varepsilon}}$
Taking ε = 0.5 -> $q \approx 1.17\sqrt{M}$ (For M = 365, q ≈ 22.3)
This implies that hashing just above √M random elements in X yields a collision with probability of at least 50%. Note that for any ε, we still have q ∝ √M.
Remark: The birthday paradox imposes a lower bound on the size of a message digest. If $M = 2^{40} = |Z|$, in other words a 40-bit hash h: X -> Z, the hash would be insecure because a collision can be found w/ probability ½ with just over $\sqrt{M} = 2^{20}$ random hashes. Thus the minimum acceptable message digest is 128 bits (requires $2^{64}$ attempts to find 1 collision). DSS uses 160 bits, so it is secure against the birthday attack.
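An added Python example (not from the notes): the q ≈ √(2M ln(1/(1-ε))) estimate, the exact product it approximates, and the Las Vegas collision search run against a constructed 20-bit digest (the top bits of SHA-256), which finds a collision after roughly 1.18·2^10 hashes, as the bound predicts.

```python
import hashlib
import math
import os


def birthday_q(M, eps=0.5):
    """Number of random hashes q for collision probability eps: q ~ sqrt(2 M ln(1/(1-eps)))."""
    return math.sqrt(2 * M * math.log(1 / (1 - eps)))


def pr_collision_approx(q, M):
    """The lecture's estimate 1 - exp(-q(q-1)/(2M))."""
    return 1 - math.exp(-q * (q - 1) / (2 * M))


def pr_collision_exact(q, M):
    """1 - prod_{i=1}^{q-1} (1 - i/M), before the e^{-x} ~ 1 - x approximation."""
    no_collision = 1.0
    for i in range(1, q):
        no_collision *= 1 - i / M
    return 1 - no_collision


def truncated_hash(x, bits):
    """A toy M = 2^bits message digest: the top `bits` bits of SHA-256(x)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)


def find_collision(bits, rng=os.urandom):
    """Las Vegas collision search from the lecture: hash random inputs, remember every digest,
    stop at the first repeat.  Returns (x, x', number of hashes computed)."""
    seen = {}
    tries = 0
    while True:
        x = rng(16)                           # constructed random 16-byte input
        tries += 1
        z = truncated_hash(x, bits)
        if z in seen and seen[z] != x:        # same digest, different input: a collision
            return seen[z], x, tries
        seen[z] = x


if __name__ == "__main__":
    print("q for M = 365:", birthday_q(365), "exact Pr for 23 people:", pr_collision_exact(23, 365))
    x, x2, tries = find_collision(20)         # M = 2^20: expect about 1.18 * 2^10 hashes
    print("collision after", tries, "hashes:", x.hex(), x2.hex())
```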
Application to Cryptography
Suppose we have two sets of q balls: q blue, q red. We throw the blue and red balls into M bins. What is the probability that at least one of the bins contains balls with different colors?
$1 - e^{-\frac{q \cdot q}{M}} = \varepsilon$ (and $q \approx \sqrt{M\ln\frac{1}{1-\varepsilon}}$)
Let h(x) = z, $|Z| = 2^{50}$ (50-bit message digest)
Good document x: 30 places in x are edited => $2^{30}$ almost identical documents (q blue balls)
Bad document x': 30 places in x' are edited => $2^{30}$ almost identical documents (q red balls)
=> $q = 2^{30}$, $M = 2^{50}$: $q = \sqrt{M\ln\frac{1}{1-\varepsilon}}$ => ε ≈ 1
Thus with almost certain probability, a version of a “good document” will match to a version of a “bad document”. Adversary can present a “good document” to Alice to hash and sign it.
$sig_k(h(x_0)) = y$ => $(x_0, y)$ will be verified. But $h(x_0) = h(x_0')$ => $(x_0', y)$ will also be verified.
Therefore, the birthday attack must be prevented in hashing.
Discrete Log Hash Function (Chaum, Van Heijst, Pfitzmann)
Algorithm (slow method): Let p be a large prime and q = (p-1)/2 also prime. Let α and β be two primitive elements of $Z_p$ (ord(α) = ord(β) = p-1). The value $\log_\alpha \beta$ is not public and we can assume DLP is hard in $Z_p$. Then $h: \{0, 1, \ldots, q-1\} \times \{0, 1, \ldots, q-1\} \to Z_p^*$ is defined as $h(x_1, x_2) = \alpha^{x_1}\beta^{x_2} \bmod p = \alpha^{x_1 + a x_2}$ (with $\beta = \alpha^a$)
Security
Given one collision for the Chaum – Van Heijst – Pfitzmann hash function h ($h(x_1, x_2) = h(x_3, x_4)$), the discrete log $\log_\alpha \beta$ can be computed efficiently since $\alpha^{x_1}\beta^{x_2} = \alpha^{x_3}\beta^{x_4} \bmod p$. Since DLP is hard, collisions must not exist.
If a collision exists: $\alpha^{x_1 + ax_2} \equiv \alpha^{x_3 + ax_4} \bmod p$
$x_1 + ax_2 \equiv x_3 + ax_4 \bmod (p-1)$
$a \equiv (x_3 – x_1)(x_2 – x_4)^{-1} \bmod (p-1)$
Since p-1 = 2q (given), $\gcd(x_2 – x_4, 2q) = 2$ if $x_2$ and $x_4$ are restricted to EITHER evens or odds. Therefore, no inverse exists and a is secure if $x_2$ and $x_4$ are restricted.
Iterated Hash Functions
Most hash functions are some form of iterated hash in practice
An iterated hash maps a sequence of arbitrary (unbounded) length to a finite length output.
Define a compression function g: $\{0, 1\}^{m+t}$ -> $\{0, 1\}^m$
An iterated hash consists of three steps:
1) Preprocessing: Given an input string x, |x| ≥ m + t + 1, construct a string y such that |y| ≡ 0 mod t:
y = [ $y_1$ | $y_2$ | … | $y_r$ ] where $|y_i| = t$ for 1 ≤ i ≤ r
Remark: A common preprocessing step is to use a padding function pad(x): y = [x | pad(x)] such that |x| + |pad(x)| ≡ 0 mod t. pad(x) must ensure that x -> y is a one-to-one mapping (for collision resistance).
2) Processing: Let IV be a public initial value which is a bit string of length m. Then: $z_0$ <- IV, $z_1$ <- g([$z_0$ | $y_1$]), $z_2$ <- g([$z_1$ | $y_2$]), …, $z_r$ <- g([$z_{r-1}$ | $y_r$])
[Figure: chain of compression functions g, fed by $y_1, y_2, y_3, \ldots, y_r$, producing $z_1, z_2, z_3, \ldots, z_r$ from $z_0$]
3) Output Transform (optional): R: $\{0, 1\}^m$ -> $\{0, 1\}^l$ which is a public function. Hash: $h(x) = R(z_r)$ where $z_r$ is the last output in the processing step
Secure Hash Algorithm (SHA‐1)
Iterated hash w/ 160 bit message digest. Word (32-bit) oriented operations on bitstrings.
Operations are very fast. Constructed by:
X ∧ Y - Bitwise AND
X ∨ Y - Bitwise OR
X ⊕ Y - Bitwise XOR
~X - Complement of X
X + Y - Integer addition mod $2^{32}$
$ROTL^s(X)$ - Circular left shift by s positions
1) Preprocessing ($|x| \le 2^{64} - 1$): x -> y where |y| ≡ 0 mod 512, where y <- [ x | 1 | $0^d$ | L ], d = (447 - |x|) mod 512,
L = 64 bits that is the binary representation of |x| in 64 bits (by adding sufficient zeros to the left of |x|)
Note that this ensures that the mapping is one-to-one (for collision resistance).
y = [$M_1$ | $M_2$ | … | $M_n$] where each $M_i$ is 512 bits
2) Processing (Compression) g: $\{0, 1\}^{512+160}$ -> $\{0, 1\}^{160}$, $z_i = [H_0^i | H_1^i | H_2^i | H_3^i | H_4^i]$
$z_0$ = [ 67452301 | EFCDAB89 | 98BADCFE | 10325476 | C3D2E1F0 ]
[Figure: $z_0$ (160 b) and the 512-bit blocks $M_1, M_2, M_3, \ldots, M_n$ fed through the chain of g's to produce $z_1, z_2, z_3, \ldots, z_n$]
and $z_{i+1} = g(z_i, M_{i+1})$ is described by:
              K(t)        f(t, B, C, D)
0 ≤ t ≤ 19:   5A827999    (B ∧ C) ∨ (~B ∧ D)
20 ≤ t ≤ 39:  6ED9EBA1    B ⊕ C ⊕ D
40 ≤ t ≤ 59:  8F1BBCDC    (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
60 ≤ t ≤ 79:  CA62C1D6    B ⊕ C ⊕ D
[$W_0$ | $W_1$ | … | $W_{15}$] = $M_{i+1}$ and $W_t = ROTL^1(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$ for all 15 < t < 80
[A | B | C | D | E] = $z_i$
For 0 ≤ t ≤ 79: [A | B | C | D | E] = [$ROTL^5(A)$ + f(t, B, C, D) + E + $W_t$ + K(t) | A | $ROTL^{30}(B)$ | C | D]
$z_{i+1} = z_i + [A | B | C | D | E]$
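The padding, message schedule and 80-round compression function described above, written out in Python as an added example (not the notes' own code); the result is checked against the published SHA-1 test vectors, and the block also compares itself with hashlib when run.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF                       # integer addition is mod 2^32


def rotl(x, s):
    """ROTL^s(X): circular left shift of a 32-bit word by s positions."""
    return ((x << s) | (x >> (32 - s))) & MASK


def f_and_k(t, b, c, d):
    """The round function f(t, B, C, D) and constant K(t) from the table above."""
    if t < 20:
        return (b & c) | (~b & MASK & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def sha1_pad(x):
    """Step 1: y = [x | 1 | 0^d | L] with d = (447 - |x|) mod 512 and L = 64-bit |x|."""
    bit_len = len(x) * 8
    d = (447 - bit_len) % 512
    # the '1' bit and the d zero bits together make (d + 1) bits, a whole number of bytes;
    # the 0x80 byte carries the 1 bit plus seven of the zeros
    return x + b"\x80" + b"\x00" * ((d + 1) // 8 - 1) + struct.pack(">Q", bit_len)


def sha1_compress(z, block):
    """Step 2: z_{i+1} = g(z_i, M_{i+1}); z is the 5-tuple [H0 | H1 | H2 | H3 | H4]."""
    w = list(struct.unpack(">16L", block))            # W_0 .. W_15 = M_{i+1}
    for t in range(16, 80):                            # W_t = ROTL^1(W_{t-3} ^ W_{t-8} ^ W_{t-14} ^ W_{t-16})
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = z                                  # [A | B | C | D | E] = z_i
    for t in range(80):
        f, k = f_and_k(t, b, c, d)
        a, b, c, d, e = (rotl(a, 5) + f + e + w[t] + k) & MASK, a, rotl(b, 30), c, d
    return tuple((h + v) & MASK for h, v in zip(z, (a, b, c, d, e)))   # z_{i+1} = z_i + [A|B|C|D|E]


def sha1(x):
    """160-bit digest of the byte string x as a hex string."""
    z = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # z_0
    y = sha1_pad(x)
    for i in range(0, len(y), 64):                     # one 512-bit block M_i at a time
        z = sha1_compress(z, y[i:i + 64])
    return "".join("%08x" % h for h in z)


if __name__ == "__main__":
    for msg in (b"", b"abc", b"The quick brown fox jumps over the lazy dog", b"a" * 200):
        assert sha1(msg) == hashlib.sha1(msg).hexdigest()
        print(sha1(msg), msg[:20])
```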
Key Distribution and Establishment
Cryptosystems: Public Key (Asymmetric) ‐ No secure channel is needed / Slower Private Key (Symmetric) ‐ Secure channel is needed / Faster
Key Establishment for Secret Key Cryptosystems:
1. Key Distribution: One party chooses a secret key and then transmits it “securely” to another party or parties. The secure transmission of a “Shared Secret Key” can be performed by a public key system. (This requires a server or a trusted third party that keeps the public key of the clients)
2. Key Agreement: Neither party knows the key in advance. It is determined as a result of their interaction.
Diffie‐Hellman Key Exchange
Two Clients U, V
1. Either U or V selects a large secure prime p and a generator α such that $Z_p^* = <\alpha>$.
2. U chooses a secret random $a_u$, $1 \le a_u \le p-2$ / V chooses a secret random $a_v$, $1 \le a_v \le p-2$
3. U computes $\beta_u \equiv \alpha^{a_u} \bmod p$ and sends it to V / V computes $\beta_v \equiv \alpha^{a_v} \bmod p$ and sends it to U
4. U computes $K \equiv (\beta_v)^{a_u} \equiv (\alpha^{a_v})^{a_u} \bmod p$ / V computes $K \equiv (\beta_u)^{a_v} \equiv (\alpha^{a_u})^{a_v} \bmod p$
   a) U computes $sig_U(\alpha^{a_u}, \alpha^{a_v})$ and sends it to V / V computes $sig_V(\alpha^{a_v}, \alpha^{a_u})$ and sends it to U
   b) U verifies $ver_V(\alpha^{a_v}, \alpha^{a_u})$ / V verifies $ver_U(\alpha^{a_u}, \alpha^{a_v})$
Intruder in the Middle Attack
1. Oscar chooses an exponent z
2. Oscar intercepts $\alpha^{a_u}$ and $\alpha^{a_v}$
3. Oscar sends $\alpha^z$ to U and V (U believes she is receiving $\alpha^{a_v}$ and V thinks he is receiving $\alpha^{a_u}$)
4. Oscar computes $k_{us} = (\alpha^{a_u})^z \bmod p$ and $k_{vs} = (\alpha^{a_v})^z \bmod p$. U and V, not realizing that Oscar is in the middle, also compute $k_{us}$ and $k_{vs}$ respectively.
5. When U sends a message to V encrypted with $k_{us}$, Oscar decrypts it, and then re-encrypts it w/ $k_{vs}$ and sends it to V. V can decrypt the cipher using $k_{vs}$. V has no idea that the communication is insecure.
Note that using a signature prevents the Man-In-Middle Attack!