
Asymmetric Cryptography

Mahalingam Ramkumar
Department of CSE
Mississippi State University

Mathematical Preliminaries
CRT - Chinese Remainder Theorem
Euler Phi Function
Fermat's Theorem
Euler-Fermat's Theorem
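
CRT
Recall Basic Theorem of Arithmetic
$m = \prod_{i=0}^{n} p_i^{e_i} = \prod_{i=0}^{n} m_i$, $(m_i, m_j) = 1 \;\; \forall i \neq j$
Consider any number $a \in Z_m$
$a \equiv a_1 \bmod m_1$
$a \equiv a_2 \bmod m_2$
$\vdots$
$a \equiv a_n \bmod m_n$
Now given $a_1 \ldots a_n$ can we find $a$?
Is $a$ unique?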

CRT
Example $180 = 2^2 \times 3^2 \times 5 = 4 \times 9 \times 5$
$23 \equiv 3 \bmod 4$
$23 \equiv 5 \bmod 9$
$23 \equiv 3 \bmod 5$
Is there any other number (apart from 23) which satisfies these equations?
Answer - no!
So we could represent 23 as (3,5,3)
4,9,5 are orthogonal axes
(3,5,3) are projections of 23 on those axes!
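
CRT
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
$\vdots$
$x \equiv a_n \bmod m_n$
$x \equiv y \bmod m$, $m = \prod_{i=1}^{n} m_i$, $(m_i, m_j) = 1$, $i \neq j$
Let $M_i = m / m_i$, $N_i = M_i^{-1} \bmod m_i$
$x \equiv y \equiv \sum_{i=1}^{n} a_i M_i N_i \bmod m$
Check: $x \bmod m_i \equiv a_i$
$M_i N_i \bmod m_i \equiv 1$, $M_i N_i \bmod m_j \equiv 0$, $i \neq j$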
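
CRT Example
$x \equiv 5 \bmod 13$
$x \equiv 6 \bmod 11$
$x \equiv 9 \bmod 17$
$x \equiv 4 \bmod 19$
$m = 13 \cdot 11 \cdot 17 \cdot 19 = 46189$
$M_1 = 46189/13 = 3553$, $N_1 = 3553^{-1} \equiv 4^{-1} \bmod 13 \equiv 10 \bmod 13$
$M_2 = 46189/11 = 4199$, $N_2 = 4199^{-1} \equiv 8^{-1} \bmod 11 \equiv 7 \bmod 11$
$M_3 = 46189/17 = 2717$, $N_3 = 2717^{-1} \equiv 14^{-1} \bmod 17 \equiv 11 \bmod 17$
$M_4 = 46189/19 = 2431$, $N_4 = 2431^{-1} \equiv 18^{-1} \bmod 19 \equiv 18 \bmod 19$
$x \equiv \sum_{i=1}^{4} a_i M_i N_i \bmod 46189$
$x \equiv (5 \cdot 3553 \cdot 10 + 6 \cdot 4199 \cdot 7 + 9 \cdot 2717 \cdot 11 + 4 \cdot 2431 \cdot 18) \bmod 46189$
$x \equiv 12810 \bmod 46189$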

CRT - A Useful Relationship
If
$x \equiv a \bmod m_1$
$x \equiv a \bmod m_2$
$\vdots$
$x \equiv a \bmod m_n$
then $x \equiv a \bmod m$

Euler Phi Function
How many numbers in $Z_m$ are relatively prime to $m$?
Or how many numbers in $Z_m$ have multiplicative inverses?
$m = \prod_{i=1}^{n} p_i^{e_i}$, $\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right)$
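
Euler Phi Function - Special Cases
$m$ is prime; say $m = p$
$\varphi(m) = \varphi(p) = p - 1$ (all numbers 1 to $m-1$ are relatively prime to a prime number!)
$m = p_1 * p_2$
$\varphi(m) = (p_1 - 1)(p_2 - 1)$
Check equation with $e_1 = e_2 = 1$
$\varphi(m = p_1 p_2) = m - \{p_1 + p_2 - 1\}$: exclude numbers which are multiples of $p_1$ or $p_2$
$p_1$ multiples of $p_2$
$p_2$ multiples of $p_1$
{0 1 2 3 4 5 6 7 8 9 10 11 12 13 14} (15 = 5 x 3)
$m = \prod_{i=1}^{n} p_i^{e_i}$, $\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right)$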

Fermat's Theorem
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
$Z_p = \{0, 1, 2, \ldots, p-2, p-1\}$
Consider $aZ_p$ and $0 \le i, j \le p-1$
Can two terms of $aZ_p$, say $ia$, $ja$, be equal?
If $ia - ja \equiv 0 \bmod p$ then $p \mid (i-j)a$
Either $p \mid (i-j)$ or $p \mid a$
Only possible if $(i-j) = 0$ or $i = j$
No two terms can be equal!
$aZ_p$ is a permutation of $Z_p$

Fermat's Theorem Continued
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
Product of all terms in $Z_p$ and $aZ_p$ should be identical (neglecting 0)
$(p-1)! \equiv a^{p-1} (p-1)! \bmod p$
$1 \equiv a^{p-1} \bmod p$
Verify for $p = 7, 31$ (assignment 3)

Euler-Fermat's Theorem
$a^{\varphi(m)} \equiv 1 \bmod m$ if $a \in Z_m$ and $(a, m) = 1$
Proof for $m = p^e$ by induction
Can extend proof for any $m$ due to the multiplicative property of $\varphi(m)$
Verify for $m = 25 = 5^2$ (assignment 3)
Verify for $m = 12 = 2^2 * 3$ (assignment 3)
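
A Special Case
$m = \prod_{i=1}^{n} p_i$, $\varphi(m) = \prod_{i=1}^{n} (p_i - 1)$
If $(a, m) = 1$, we know $a^{\varphi(m)+1} \equiv a \bmod m$
What if $(a, m) \neq 1$? $a = k p_i \Rightarrow a \equiv 0 \bmod p_i$
$a^{\varphi(m)+1} \equiv a^{t(p_j - 1)+1} \equiv a \bmod p_j$, $j \neq i$
$a^{\varphi(m)+1} \equiv 0 \equiv a \bmod p_i$
Note that $a^{\varphi(m)+1} \equiv a \bmod p_k \;\; \forall k$
Or $a^{\varphi(m)+1} \equiv a \bmod m \;\; \forall a$, even if $(a, m) \neq 1$!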

Square and Multiply Algorithm
How do we efficiently calculate $y \equiv a^x \bmod n$?
Let $b_r b_{r-1} \cdots b_1 b_0$ be binary representation of $x$
$x = \sum_{i=0}^{r} b_i 2^i$
$a^x = \prod_{i=0}^{r} a^{b_i 2^i} = a^{b_r 2^r} a^{b_{r-1} 2^{r-1}} \cdots a^{2 b_1} a^{b_0}$

    z = 1
    for i = r downto 0
        z = z^2 mod n
        if (b_i = 1) z = z*a mod n endif
    endfor
    y = z
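
Square and Multiply Algorithm
Example $36^{43} \bmod 87$
$x = 43 = 101011_b$; $r = 5$; $a = 36$;
$z = 1$;
$b_5 = 1$; $z = 1$; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$
$b_4 = 0$; $z = 36$; $z = z^2 \bmod 87 \equiv 78 \bmod 87$
$b_3 = 1$; $z = 78$; $z = z^2 a \bmod 87 \equiv 45 \bmod 87$
$b_2 = 0$; $z = 45$; $z = z^2 \bmod 87 \equiv 24 \bmod 87$
$b_1 = 1$; $z = 24$; $z = z^2 a \bmod 87 \equiv 30 \bmod 87$
$b_0 = 1$; $z = 30$; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$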

Primality Testing
How do we check if a number n is a prime?
A prime number does not have any factors
No prime smaller than n is a factor
So check all primes smaller than n?
Impractical: say n is a hundred digit prime
How many prime numbers less than n?
Roughly n/log(n)
For a hundred digit number log(n) is less than 250
So the number of primes less than n is of the order of $10^{97}$
Prime numbers are dense

Primality Checking
Uses Fermat's theorem
We know that if a number n is prime
$a^{n-1} \bmod n \equiv 1 \;\; \forall (a, n) = 1$
If n is not prime can the above equation hold for some a? Yes.
How does this help? Do we need to check all possible a?
We do not. If the equation does not hold for even one value of a then it will not hold for at least half the values of a

Probabilistic Primality Checking
We have n
For k = 1 to N
    Choose a number a < n randomly
    Check if a | n
        if so n is not prime. Quit
    Check if $a^{(n-1)} = 1 \bmod n$.
        If test fails n is not prime. Quit.
    Continue
End for
If test passes N checks, probability that n is not prime is $(1/2)^N$

Observations
Choosing large primes randomly is not difficult
Choose a large odd number
Check if it is a prime
Probabilistic primality testing
If not prime increment number by 2 and check again
Remember primes are dense: we'll eventually find one. For hundred digit numbers the mean search length is only 125 numbers!
Modular exponentiation is trivial with square and multiply algorithm
If p and q are two large primes, and if n = pq, determining p and q given n is extremely difficult!
No known polynomial complexity algorithm for factorization.
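
The probabilistic check and the "increment by 2" search from the last two slides, as an added Python example (not part of the original slides). Function names are chosen here, the gcd test is a slightly stronger stand-in for the slide's "a | n" check, and 341 and 561 are constructed test inputs.

```python
import math
import secrets

def fermat_round(n, a):
    """One pass of the slide's loop for base a; False proves n composite."""
    if math.gcd(a, n) != 1:          # generalises the slide's "a | n" check
        return False
    return pow(a, n - 1, n) == 1     # Fermat: must hold when n is prime

def is_probable_prime(n, rounds=20, bases=None):
    """Fermat test with `rounds` random bases, or with the given bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    if bases is None:
        bases = [2 + secrets.randbelow(n - 3) for _ in range(rounds)]  # 2..n-2
    return all(fermat_round(n, a) for a in bases)

def next_probable_prime(start, rounds=20):
    """Try start, start+2, ... (odd numbers); also count rejected candidates."""
    n, rejected = start | 1, 0
    while not is_probable_prime(n, rounds):
        n, rejected = n + 2, rejected + 1
    return n, rejected

def liar_fraction(n):
    """Fraction of bases 1..n-1 for which composite n still passes a round."""
    return sum(fermat_round(n, a) for a in range(1, n)) / (n - 1)

if __name__ == "__main__":
    print(next_probable_prime(10**6))
    print(liar_fraction(341), liar_fraction(561))   # 561 is a Carmichael number
```

For 341 fewer than half of the bases pass, as the slide states, but 561 is a Carmichael number: every base relatively prime to it passes, so only the common-factor check can reject it and the $(1/2)^N$ bound does not apply. Miller-Rabin is the usual replacement for that reason.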

RSA (Rivest-Shamir-Adleman)
Choose two large primes $p$, $q$. Let $n = pq$
We know $\varphi(n) = (p-1)(q-1)$
Choose $e \in Z_n$ such that $(e, \varphi(n)) = 1$
Calculate $d \equiv e^{-1} \bmod \varphi(n)$
Now $e$ is the public encryption key
and $d$ is the private decryption key
Remember $ed \equiv 1 \bmod \varphi(n)$ or $ed = k\varphi(n) + 1$
For any $a < n$, $a^{ed} \equiv a \bmod n$. From Euler-Phi Theorem
Throw away $p$, $q$, and $\varphi(n)$
Encryption $C \equiv P^e \bmod n$
Decryption $P \equiv C^d \bmod n$
Check $C^d \equiv P^{ed} \equiv P^{k\varphi(n)+1} \equiv (P^{\varphi(n)})^k P \equiv (1)^k P \equiv P \bmod n$
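
An added toy walk-through of the steps above in Python (not part of the original slides). The primes 61 and 53 and the exponent 17 are constructed values far too small for real use; `factor_from_phi` is a helper introduced here to show why the slide says to throw away $\varphi(n)$.

```python
from math import gcd, isqrt

def rsa_keygen(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # d = e^{-1} mod phi(n)
    return (e, n), (d, n)            # p, q and phi(n) are not kept

def rsa_apply(key, value):
    """Encrypt with the public key or decrypt with the private key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie in Z_n")
    return pow(value, exponent, n)

def factor_from_phi(n, phi):
    """n and phi(n) together give p and q: p + q = n - phi + 1, pq = n."""
    s = n - phi + 1                  # p + q
    root = isqrt(s * s - 4 * n)      # p - q
    return (s + root) // 2, (s - root) // 2

if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)   # constructed toy primes
    c = rsa_apply(public, 65)
    print(public, private, c, rsa_apply(private, c))
```

Decryption round-trips for every value in $Z_n$, including multiples of p or q, which is the "Special Case" result from the earlier slide.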

Strength of Public Key Cryptography
If modulus is 64 bit value, is PKC as strong as symmetric cryptography with key length of 64 bits?
No: very easy to factorize / calculate discrete logs in such small domains
Typically need modulus of the order of 1024 bits!
Computationally much more expensive than symmetric cryptography: about 3 orders of magnitude more
Usually used only for establishing shared symmetric keys

Exponential Ciphers
Exponential Ciphers
Diffie-Hellman
ElGamal
HASH Functions
Signature Schemes

Order of a number
Let $Z_p = \{0, 1, \ldots, p-1\}$
What is the order of a number $a \in Z_p$?
The minimum value of $x$ such that $a^x \equiv 1 \bmod p$
Example - order of 1 is 1
Order of $p-1$ is 2 (Why?)
Order of any number divides $(p-1)$
Or order of any number is of the form $(p-1)/d$
How many numbers of order $(p-1)$? $\varphi(p-1) = \varphi(\varphi(p))$
How many numbers of order $(p-1)/d$? $\varphi((p-1)/d)$
Let $p = 7$. Orders of numbers 1 to 6 are
Element  1  2  3  4  5  6
Order    1  3  6  3  6  2
A number of full order is called a GENERATOR

Diffie-Hellman Key Exchange
Large prime $p$, and $g$ preferably a generator
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Bob chooses $b \in Z_p$ and calculates $\beta \equiv g^b \bmod p$
Public values $p$, $g$
Shared secret between Alice and Bob is $K \equiv g^{ab} \bmod p$
Alice can calculate $K \equiv \beta^a \equiv g^{ab} \bmod p$
Bob can calculate $K \equiv \alpha^b \equiv g^{ba} \bmod p$
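
An added Python example (not part of the original slides) tying the order table to the exchange: it recomputes the orders for p = 7 and shows how many shared secrets are reachable for a generator versus a low-order g. Function names are chosen here; p = 23, g = 5 in the test is a constructed toy group.

```python
def element_order(a, p):
    """Smallest x >= 1 with a**x = 1 (mod p), for a not divisible by p."""
    v = a % p
    if v == 0:
        raise ValueError("0 has no multiplicative order")
    x = 1
    while v != 1:
        v = (v * a) % p
        x += 1
    return x

def is_generator(g, p):
    return element_order(g, p) == p - 1

def dh_exchange(p, g, a, b):
    """Both sides of the exchange; returns (alpha, beta, K)."""
    alpha = pow(g, a, p)             # sent by Alice
    beta = pow(g, b, p)              # sent by Bob
    k_alice = pow(beta, a, p)        # beta^a  = g^(ab)
    k_bob = pow(alpha, b, p)         # alpha^b = g^(ba)
    assert k_alice == k_bob
    return alpha, beta, k_alice

def reachable_secrets(p, g):
    """Every K that some pair of private values (a, b) can produce."""
    return {pow(g, a * b, p) for a in range(1, p) for b in range(1, p)}

if __name__ == "__main__":
    print([element_order(a, 7) for a in range(1, 7)])
    print(sorted(reachable_secrets(7, 3)), sorted(reachable_secrets(7, 6)))
```

With g = 6 (order 2) the shared secret can only be 1 or 6, which is why the slide asks for g to be a generator.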

ElGamal Cryptosystem
Large prime $p$, and $g$ preferably a generator
Public values $p$, $g$
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Alice's public key $\alpha$, private key $a$
Message from Bob to Alice, $P$
Bob chooses a random $k \in Z_p$
Bob calculates $\beta \equiv g^k \bmod p$, $C \equiv P\alpha^k \bmod p$
Bob sends $\beta$, $C$ to Alice
Alice calculates $\gamma \equiv \beta^a \bmod p$ and $P \equiv C\gamma^{-1} \bmod p$
$C\gamma^{-1} \equiv P\alpha^k (\beta^a)^{-1} \equiv P(g^a)^k ((g^k)^a)^{-1} \equiv P g^{ak} (g^{ak})^{-1} \equiv P \bmod p$
Bob masks message $P$ with $g^{ak}$
Sends a clue $\beta \equiv g^k \bmod p$ for unmasking
Caution - should use different $k$ every time!
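
An added Python example (not part of the original slides) of the encryption and decryption steps, plus what the final caution protects against: with a repeated k both ciphertexts carry the same mask. It borrows p = 79, g = 7, a = 43 from the signature example later in the slides; the messages and function names are constructed here.

```python
import secrets

def elgamal_encrypt(p, g, alpha, P, k=None):
    """Bob's side: returns (beta, C). A fresh random k is drawn unless given."""
    if not 0 < P < p:
        raise ValueError("message must be in 1..p-1")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)     # 1..p-2
    beta = pow(g, k, p)                      # the clue
    C = (P * pow(alpha, k, p)) % p           # P masked with g^(ak)
    return beta, C

def elgamal_decrypt(p, a, beta, C):
    """Alice's side: gamma = beta^a is the mask, P = C * gamma^{-1}."""
    gamma = pow(beta, a, p)
    return (C * pow(gamma, -1, p)) % p

def unmask_with_known_pair(p, C1, P1, C2):
    """If C1 and C2 used the same k, then C2 * P1 / C1 equals P2."""
    return (C2 * P1 * pow(C1, -1, p)) % p

if __name__ == "__main__":
    p, g, a = 79, 7, 43
    alpha = pow(g, a, p)
    beta, C1 = elgamal_encrypt(p, g, alpha, 20, k=5)
    _, C2 = elgamal_encrypt(p, g, alpha, 33, k=5)    # k reused: same mask
    print(elgamal_decrypt(p, a, beta, C1), unmask_with_known_pair(p, C1, 20, C2))
```

A repeated k is also visible on the wire, since both messages then carry the same clue $\beta$.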

RSA vs ElGamal
For RSA every node uses a different modulus
Each node has to generate two primes: generating primes is much more computationally intensive than exponentiation
For ElGamal all nodes can use the same p, g
Easy to choose private key!
Extra bandwidth needed for mask
Usually, as asymmetric crypto is used just for transmitting a single value, ElGamal needs twice the bandwidth of RSA

Hash Functions
h = H(M)
M can be of any size
h is always of fixed size
Typically h << size(M)
h = H(x) is easy to compute given x
Virtually impossible to calculate x given h
Weak collision resistance
Infeasible to find $x \neq y$ such that $H(x) = H(y)$
Strong collision resistance
Infeasible to find any $(x, y)$ such that $H(x) = H(y)$

Birthday Paradox
50 people in a room: what is the probability that two people have the same birthday?
Extremely high, about 0.977
A message M hashes to N bits, say h. What is the probability that another message $M_1$ hashes to h?
$1/2^N$: we need to search $2^N$ to see a hit.
What is the probability that two messages have the same hash?
We need to search only $2^{N/2}$ messages
64 bit hash is not strongly collision resistant
Normally we use 160 bit hash functions

MD5 - 128 bit hash
Message length K
Pad message with P bits such that K+P is 448 mod 512 (64 bits less than a multiple of 512)
Padding is done even if K is already 448 mod 512!
Padding is 1 followed by P-1 zeros
Length of padding is at least 1. Maximum value is 512
Append length as a 64 bit value.
Total length is L x 512
Output h initialized to four fixed 32 bit quantities A, B, C, D
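
The padding rule above as an added Python example (not part of the original slides), for byte-aligned messages. Function names are chosen here; the little-endian encoding of the length field is how MD5 stores it and is not stated on the slide.

```python
def md5_padding_bits(k_bits):
    """P with K + P = 448 mod 512 and 1 <= P <= 512."""
    return (447 - k_bits) % 512 + 1

def md5_pad(message: bytes) -> bytes:
    """message || 1 bit || P-1 zero bits || 64 bit length of the message."""
    k_bits = 8 * len(message)
    p_bits = md5_padding_bits(k_bits)
    padding = b"\x80" + b"\x00" * (p_bits // 8 - 1)   # 0x80 = a 1 bit, then zeros
    length = (k_bits % 2**64).to_bytes(8, "little")     # low-order byte first
    return message + padding + length

def md5_blocks(message: bytes):
    """The L blocks of 512 bits (64 bytes) fed to the compression stages."""
    padded = md5_pad(message)
    return [padded[i:i + 64] for i in range(0, len(padded), 64)]

if __name__ == "__main__":
    for size in (0, 55, 56, 64):        # constructed message sizes in bytes
        msg = b"a" * size
        print(size, md5_padding_bits(8 * size), len(md5_blocks(msg)))
```

A 56 byte message (K = 448) gets a full 512 bits of padding and therefore a second block, which is the case the slide calls out.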

MD5
[Figure: the 128 bit IV and the 512 bit blocks Block 1, Block 2, ..., Block L are chained through HMD5 stages; each stage passes 128 bits to the next.]
Each HMD5 block involves 64 rounds of data mangling
4 stages of 16 rounds each
Each stage has different compression functions F,G,H,I
Each round uses an entry from a fixed Table of length 64
Every bit of the hash code is a function of every bit of input
Other hash functions SHA, SHA-1, RIPEMD-160

Digital Signatures
Signer and verifier
Anyone should be able to verify a signature
DS with public key cryptography
Signer encrypts message with his private key
Verifier checks (decrypts) with signer's public key
Usually only message hash is signed!

RSA Signature scheme
Message M
h = H(M)
Alice - signer. Private key d, public key e, modulus n.
Signature $s = h^d \bmod n$
Signed message M | s
Verification
Verifier calculates h = H(M)
Checks if $s^e \bmod n$ equals h
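
ElGamal Signature Scheme
Large prime $p$, and $g$ preferably a generator
Public values $p$, $g$
Message M.
Message hash $h = H(M)$
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Alice's public key $\alpha$, private key $a$
To sign $h$ Alice chooses $1 \le k \le p-2$ and calculates
$\beta \equiv g^k \bmod p$
$\delta \equiv (h - a\beta) k^{-1} \bmod (p-1)$
Send $M \| \beta \| \delta$
Verification $\alpha^{\beta} \beta^{\delta} \equiv g^{a\beta} (g^k)^{(h - a\beta) k^{-1}} \equiv g^{a\beta} g^{h - a\beta} \equiv g^h \bmod p$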
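
ElGamal Signature Example
$p = 79$, $g = 7$
Alice's private key $a = 43$
$\alpha \equiv g^a \bmod p \equiv 7^{43} \equiv 48 \bmod 79$
Let hash of a message be 12
Alice chooses $k = 5$, $k^{-1} \bmod (p-1) \equiv 47 \bmod 78$
$\beta \equiv g^k \bmod p \equiv 7^5 \equiv 59$
$\delta \equiv (h - a\beta) k^{-1} \equiv (12 - 43 \times 59) \times 47 \equiv 41 \bmod (p-1)$
$\alpha^{\beta} \beta^{\delta} \equiv 48^{59} \times 59^{41} \equiv 8 \bmod 79$
Check $g^h \bmod p \equiv 7^{12} \bmod 79 \equiv 8 \bmod 79$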
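
The signing and verification equations as an added Python example (not part of the original slides), run on the numbers of the worked example above. Function names are chosen here; the check that k is invertible mod p-1 is an added guard, since $k^{-1}$ must exist for the signing step.

```python
from math import gcd

def elgamal_sign(p, g, a, h, k):
    """Return (beta, delta) for message hash h, private key a, per-message k."""
    if not 1 <= k <= p - 2 or gcd(k, p - 1) != 1:
        raise ValueError("k must be in 1..p-2 and invertible mod p-1")
    beta = pow(g, k, p)
    delta = ((h - a * beta) * pow(k, -1, p - 1)) % (p - 1)
    return beta, delta

def elgamal_verify(p, g, alpha, h, beta, delta):
    """Accept iff alpha^beta * beta^delta = g^h (mod p)."""
    if not 0 < beta < p:
        return False
    lhs = (pow(alpha, beta, p) * pow(beta, delta, p)) % p
    return lhs == pow(g, h, p)

if __name__ == "__main__":
    p, g, a, h, k = 79, 7, 43, 12, 5            # values from the slide
    alpha = pow(g, a, p)
    beta, delta = elgamal_sign(p, g, a, h, k)
    print(alpha, beta, delta, elgamal_verify(p, g, alpha, h, beta, delta))
```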

Schnorr Signature Scheme
Large prime $p$, and smaller prime $q$ such that $q \mid (p-1)$
Typically $p$ is 1024 bits and $q$ is 160 bits
A number $g_q$ of order $q$
Public values $p$, $q$, $g_q$
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g_q^a \bmod p$
Alice's public key $\alpha$, private key $a$
Message M. Hash function H( ).
To sign a message
$\beta \equiv H(M \| g_q^k)$, $1 \le k \le q-1$
$\delta \equiv k + a\beta \bmod q$
Both $\beta$ and $\delta$ are 160 bit quantities!
Verification
$H(M \| g_q^{\delta} \alpha^{-\beta}) \equiv H(M \| g_q^{k + a\beta} g_q^{-a\beta}) \equiv H(M \| g_q^k) \bmod p$
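
An added Python example (not part of the original slides) of the signing and verification steps above. The group p = 2039, q = 1019, g_q = 4 is a constructed toy group, and SHA-256 reduced mod q stands in for the 160 bit hash; all function names are chosen here.

```python
import hashlib

P, Q, G = 2039, 1019, 4    # constructed: Q divides P-1, G = 2^((P-1)/Q) has order Q

def H(message: bytes, r: int) -> int:
    """Hash of M || r reduced mod Q (stand-in for a 160 bit hash)."""
    digest = hashlib.sha256(message + r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def schnorr_sign(a, message, k):
    """Return (beta, delta); k must be fresh and random for every signature."""
    if not 1 <= k <= Q - 1:
        raise ValueError("k must be in 1..q-1")
    beta = H(message, pow(G, k, P))
    delta = (k + a * beta) % Q
    return beta, delta

def schnorr_verify(alpha, message, beta, delta):
    """Recompute g_q^delta * alpha^(-beta) = g_q^k and compare the hashes."""
    r = (pow(G, delta, P) * pow(alpha, -beta, P)) % P   # Python 3.8+
    return beta == H(message, r)

if __name__ == "__main__":
    a = 321                                   # constructed private key
    alpha = pow(G, a, P)
    beta, delta = schnorr_sign(a, b"pay 10 to Bob", k=77)
    print(beta, delta, schnorr_verify(alpha, b"pay 10 to Bob", beta, delta))
```

Both signature components are reduced mod q, which is why the slide can say they are 160 bit quantities even though p is 1024 bits.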
