Mahalingam Ramkumar
Department of CSE
Mississippi State University

Mathematical Preliminaries
CRT - Chinese Remainder Theorem
Euler Phi Function
Fermat's Theorem
Euler-Fermat's Theorem
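
CRT
Recall Basic Theorem of Arithmetic
$m = \prod_{i=0}^{n} p_i^{e_i} = \prod_{i=0}^{n} m_i$, $(m_i, m_j) = 1\ \forall i \ne j$
Consider any number $a \in Z_m$
$a \equiv a_1 \bmod m_1$
$a \equiv a_2 \bmod m_2$
$\vdots$
$a \equiv a_n \bmod m_n$
Now given $a_1 \cdots a_n$, can we find $a$?
Is $a$ unique?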

CRT
Example: $180 = 2^2 \cdot 3^2 \cdot 5 = 4 \cdot 9 \cdot 5$
$23 \equiv 3 \bmod 4$
$23 \equiv 5 \bmod 9$
$23 \equiv 3 \bmod 5$
Is there any other number (apart from 23) which satisfies these equations?
Answer - no!
So we could represent 23 as (3,5,3)
4, 9, 5 are orthogonal axes
(3,5,3) are projections of 23 on those axes!
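
CRT
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
$\vdots$
$x \equiv a_n \bmod m_n$
$x \equiv y \bmod m$, $m = \prod_{i=1}^{n} m_i$, $(m_i, m_j) = 1$, $i \ne j$
Let $M_i = m / m_i$, $N_i = M_i^{-1} \bmod m_i$
$x \equiv y \equiv \sum_{i=1}^{n} a_i M_i N_i \bmod m$
Check: $x \bmod m_i \equiv a_i$
$M_i N_i \bmod m_i \equiv 1$, $M_i N_i \bmod m_j \equiv 0$, $i \ne j$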
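
CRT Example
$x \equiv 5 \bmod 13$
$x \equiv 6 \bmod 11$
$x \equiv 9 \bmod 17$
$x \equiv 4 \bmod 19$
$m = 13 \cdot 11 \cdot 17 \cdot 19 = 46189$,
$M_1 = 46189/13 = 3553$, $N_1 = 3553^{-1} \equiv 4^{-1} \bmod 13 \equiv 10 \bmod 13$
$M_2 = 46189/11 = 4199$, $N_2 = 4199^{-1} \equiv 8^{-1} \bmod 11 \equiv 7 \bmod 11$
$M_3 = 46189/17 = 2717$, $N_3 = 2717^{-1} \equiv 14^{-1} \bmod 17 \equiv 11 \bmod 17$
$M_4 = 46189/19 = 2431$, $N_4 = 2431^{-1} \equiv 18^{-1} \bmod 19 \equiv 18 \bmod 19$
$x \equiv \sum_{i=1}^{4} a_i M_i N_i \bmod 46189$
$x \equiv (5 \cdot 3553 \cdot 10 + 6 \cdot 4199 \cdot 7 + 9 \cdot 2717 \cdot 11 + 4 \cdot 2431 \cdot 18) \bmod 46189$
$x \equiv 12810 \bmod 46189$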
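
The construction from the two CRT slides above, as an added example that is not part of the original slides. The function names are chosen here; it reproduces the worked example and checks that the residue tuple identifies exactly one number in $Z_m$.

```python
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; return (x, m)."""
    if len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    for i, m_i in enumerate(moduli):
        for m_j in moduli[i + 1:]:
            if gcd(m_i, m_j) != 1:
                raise ValueError(f"moduli {m_i} and {m_j} share a factor")
    m = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = m // m_i               # product of all the other moduli
        N_i = pow(M_i, -1, m_i)      # M_i^{-1} mod m_i (Python 3.8+)
        x += a_i * M_i * N_i
    return x % m, m

def projections(x, moduli):
    """The residues (a_1, ..., a_n) of x: its coordinate on each 'axis'."""
    return tuple(x % m_i for m_i in moduli)

def is_one_to_one(moduli):
    """True if every x in Z_m is recovered from its residues (uniqueness)."""
    m = prod(moduli)
    return all(crt(projections(x, moduli), moduli)[0] == x for x in range(m))

if __name__ == "__main__":
    print(crt([5, 6, 9, 4], [13, 11, 17, 19]))   # the slide's four congruences
    print(crt([3, 5, 3], [4, 9, 5]))             # recovers 23 from (3, 5, 3)
    print(is_one_to_one([4, 9, 5]))
```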

CRT - A Useful Relationship
If
$x \equiv a \bmod m_1$
$x \equiv a \bmod m_2$
$\vdots$
$x \equiv a \bmod m_n$
then $x \equiv a \bmod m$

Euler Phi Function
How many numbers in $Z_m$ are relatively prime to $m$?
Or how many numbers in $Z_m$ have multiplicative inverses?
$m = \prod_{i=1}^{n} p_i^{e_i} \Rightarrow \varphi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
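
Euler Phi Function
Special Cases
$m$ is prime; say $m = p$
$\varphi(m) = \varphi(p) = p - 1$ (all numbers 1 to $m-1$ are relatively prime to a prime number!)
$m = p_1 * p_2$
$\varphi(m) = (p_1 - 1)(p_2 - 1)$
Check equation with $e_1 = e_2 = 1$
$\varphi(m = p_1 p_2) = m - \{p_1 + p_2 - 1\}$: exclude numbers which are multiples of $p_1$ or $p_2$
$p_1$ multiples of $p_2$
$p_2$ multiples of $p_1$
{0 1 2 3 4 5 6 7 8 9 10 11 12 13 14} (15 = 5 x 3)
$m = \prod_{i=1}^{n} p_i^{e_i} \Rightarrow \varphi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$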

Fermat's Theorem
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
$Z_p = \{0, 1, 2, \ldots, p-2, p-1\}$
Consider $aZ_p$ and $0 \le i, j \le p-1$
Can two terms of $aZ_p$, say those for $i$ and $j$, be equal?
If $ia - ja \equiv 0 \bmod p$ then $p \mid (i-j)a$
Either $p \mid (i-j)$ or $p \mid a$
Only possible if $(i-j) = 0$ or $i = j$
No two terms can be equal!
$aZ_p$ is a permutation of $Z_p$

Fermat's Theorem Continued
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
Product of all terms in $Z_p$ and $aZ_p$ should be identical (neglecting 0)
$(p-1)! \equiv a^{p-1}(p-1)! \bmod p$
$1 \equiv a^{p-1} \bmod p$
Verify for p = 7, 31 (assignment 3)

Euler-Fermat's Theorem
$a^{\varphi(m)} \equiv 1 \bmod m$ if $a \in Z_m$ and $(a, m) = 1$
Proof for $m = p^e$ by induction
Can extend proof for any $m$ due to the multiplicative property of $\varphi(m)$
Verify for $m = 25 = 5^2$ (assignment 3)
Verify for $m = 12 = 2^2 * 3$ (assignment 3)
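
A Special Case
$m = \prod_{i=1}^{n} p_i$, $\varphi(m) = \prod_{i=1}^{n} (p_i - 1)$
If $(a, m) = 1$, we know $a^{\varphi(m)+1} \equiv a \bmod m$
What if $(a, m) \ne 1$? $a = k p_i \Rightarrow a \equiv 0 \bmod p_i$
$a^{\varphi(m)+1} \equiv a^{t(p_j - 1)+1} \equiv a \bmod p_j$, $j \ne i$
$a^{\varphi(m)+1} \equiv 0 \equiv a \bmod p_i$
Note that $a^{\varphi(m)+1} \equiv a \bmod p_k\ \forall k$
Or $a^{\varphi(m)+1} \equiv a \bmod m\ \forall a$, even if $(a, m) \ne 1$!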
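
A numerical check of the Euler Phi, Euler-Fermat and Special Case slides, added here as an illustration and not taken from the original slides. The function names are chosen for this example, and trial-division factoring is only suitable for the small moduli used.

```python
from math import gcd

def factorize(m):
    """Trial division: return {prime: exponent} for m >= 1."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors

def phi(m):
    """phi(m) = product of (p^e - p^(e-1)) over the prime powers of m."""
    result = 1
    for p, e in factorize(m).items():
        result *= p**e - p**(e - 1)
    return result

def phi_by_counting(m):
    """Directly count the numbers in 1..m that are relatively prime to m."""
    return sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)

def euler_fermat_holds(m):
    """a^phi(m) = 1 mod m for every a in Z_m with (a, m) = 1."""
    f = phi(m)
    return all(pow(a, f, m) == 1 for a in range(1, m) if gcd(a, m) == 1)

def special_case_holds(m):
    """a^(phi(m)+1) = a mod m for EVERY a in Z_m, coprime to m or not."""
    f = phi(m)
    return all(pow(a, f + 1, m) == a for a in range(m))

if __name__ == "__main__":
    print(phi(15), phi(180))                              # 8 48
    print(euler_fermat_holds(25), euler_fermat_holds(12))
    print(special_case_holds(15), special_case_holds(12))
```

The last line shows why the special case needs $m$ to be a product of distinct primes: it holds for 15 but fails for $12 = 2^2 \cdot 3$.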

Square and Multiply Algorithm
How do we efficiently calculate $y \equiv a^x \bmod n$?
Let $b_r b_{r-1} \cdots b_1 b_0$ be binary representation of $x$
$x = \sum_{i=0}^{r} b_i 2^i$
$a^x = \prod_{i=0}^{r} a^{b_i 2^i} = a^{b_r 2^r} a^{b_{r-1} 2^{r-1}} \cdots a^{2 b_1} a^{b_0}$

    z = 1
    for i = r downto 0
        z = z^2 mod n
        if (b_i = 1) z = z a mod n endif
    endfor
    y = z
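
Square and Multiply Algorithm
Example: $36^{43} \bmod 87$
$x = 43 = 101011_b$; $r = 5$; $a = 36$;
$z = 1$;
$b_5 = 1$; $z = 1$; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$
$b_4 = 0$; $z = 36$; $z = z^2 \bmod 87 \equiv 78 \bmod 87$
$b_3 = 1$; $z = 78$; $z = z^2 a \bmod 87 \equiv 45 \bmod 87$
$b_2 = 0$; $z = 45$; $z = z^2 \bmod 87 \equiv 24 \bmod 87$
$b_1 = 1$; $z = 24$; $z = z^2 a \bmod 87 \equiv 30 \bmod 87$
$b_0 = 1$; $z = 30$; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$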
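
The pseudocode above as runnable Python, added here as an example and not part of the original slides. The optional trace list and the operation counter are additions of this example; the trace reproduces the six steps of the worked example.

```python
def square_and_multiply(a, x, n, trace=None):
    """Left-to-right binary exponentiation: return a^x mod n."""
    if x < 0 or n <= 0:
        raise ValueError("need x >= 0 and n > 0")
    z = 1 % n
    for bit in bin(x)[2:]:            # b_r ... b_0, most significant first
        z = (z * z) % n               # always square
        if bit == "1":
            z = (z * a) % n           # multiply only when the bit is set
        if trace is not None:
            trace.append((bit, z))
    return z

def operation_count(x):
    """(squarings, multiplications) performed for exponent x."""
    bits = bin(x)[2:]
    return len(bits), bits.count("1")

if __name__ == "__main__":
    steps = []
    print(square_and_multiply(36, 43, 87, steps))
    for bit, z in steps:
        print(f"b={bit}  z={z}")
    print(operation_count(43), "instead of 42 multiplications")
```

The branch on each exponent bit makes the running time depend on the exponent, which is why implementations that handle private exponents use constant-time variants.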

Primality Testing
How do we check if a number n is a prime?
A prime number does not have any factors
No prime smaller than n is a factor
So check all primes smaller than n?
Impractical - say n is a hundred-digit prime
How many prime numbers less than n?
Roughly n/log(n)
For a hundred-digit number log(n) is less than 250
So the number of primes less than n is of the order of $10^{97}$
Prime numbers are dense

Primality Checking
Uses Fermat's theorem
We know if a number n is prime
$a^{n-1} \bmod n \equiv 1\ \forall (a, n) = 1$
If n is not prime can the above equation hold for some a? Yes.
How does this help? Do we need to check all possible a?
We do not. If the equation does not hold for even one value of a then it will not hold for at least half the values of a

Probabilistic Primality Checking
We have n

    For k = 1 to N
        Choose a number a < n randomly
        Check if a | n
            if so n is not prime. Quit
        Check if a^(n-1) = 1 mod n.
            If test fails n is not prime. Quit.
        Continue
    End for

If test passes N checks, probability that n is not prime is $(1/2)^N$

Observations
Choosing large primes randomly is not difficult
Choose a large odd number
Check if it is a prime
Probabilistic primality testing
If not prime increment number by 2 and check again
Remember primes are dense - we'll eventually find one
for hundred-digit numbers the mean search length is only 125 numbers!
Modular exponentiation is trivial with square and multiply algorithm
If p and q are two large primes, and if n = pq, determining p and q given n is extremely difficult!
No known polynomial complexity algorithm for factorization.
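
The probabilistic check and the "increment by 2" prime search from the slides above, as an added example that is not part of the original slides. It reads the "a | n" step as a shared-factor check, gcd(a, n) != 1, which is an assumption of this example, and `liar_fraction` counts how many coprime bases pass for a composite n. For 561 every coprime base passes, which is why deployed libraries use the Miller-Rabin refinement of this test.

```python
import math
import random

def probably_prime(n, rounds=20, rng=random):
    """Fermat test with `rounds` random bases; False means certainly composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if math.gcd(a, n) != 1:        # a shares a factor with n
            return False
        if pow(a, n - 1, n) != 1:      # Fermat's theorem violated
            return False
    return True

def liar_fraction(n):
    """(bases passing a^(n-1) = 1 mod n, bases coprime to n), over 1..n-1."""
    coprime = [a for a in range(1, n) if math.gcd(a, n) == 1]
    passing = [a for a in coprime if pow(a, n - 1, n) == 1]
    return len(passing), len(coprime)

def next_probable_prime(start, rounds=20, rng=random):
    """Take the first odd number >= start and step by 2 until the test passes."""
    n = start | 1
    while not probably_prime(n, rounds, rng):
        n += 2
    return n

if __name__ == "__main__":
    print(liar_fraction(15), liar_fraction(91))   # exactly half the coprime bases pass
    print(liar_fraction(561))                     # every coprime base passes
    print(next_probable_prime(10**30))
```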

RSA (Rivest-Shamir-Adleman)
Choose two large primes p, q. Let $n = pq$
We know $\varphi(n) = (p-1)(q-1)$
Choose $e \in Z_n$ such that $(e, \varphi(n)) = 1$
Calculate $d \equiv e^{-1} \bmod \varphi(n)$
Now e is the public encryption key and d is the private decryption key
Remember $ed \equiv 1 \bmod \varphi(n)$ or $ed = k\varphi(n) + 1$
For any $a \le n$, $a^{ed} \equiv a \bmod n$. From Euler-Phi Theorem
Throw away p, q, and $\varphi(n)$
Encryption $C \equiv P^e \bmod n$
Decryption $P \equiv C^d \bmod n$
Check $C^d \equiv P^{ed} \equiv P^{k\varphi(n)+1} \equiv (P^{\varphi(n)})^k P \equiv (1)^k P \equiv P \bmod n$

Strength of Public Key Cryptography
If modulus is 64 bit value is PKC as strong as symmetric cryptography with key length of 64 bits?
No - very easy to factorize / calculate discrete logs in such small domains
Typically need modulus of the order of 1024 bits!
Computationally much more expensive than symmetric cryptography - about 3 orders of magnitude more
Usually used only for establishing shared symmetric keys

Exponential Ciphers
Diffie-Hellman
ElGamal
HASH Functions
Signature Schemes

Order of a number
Let $Z_p = \{0, 1, \ldots, p-1\}$
What is the order of a number $a \in Z_p$?
The minimum value of x such that $a^x \equiv 1 \bmod p$
Example - order of 1 is 1
Order of $p-1$ is 2 (Why?)
Order of any number divides $(p-1)$
Or order of any number is of the form $(p-1)/d$
How many numbers of order $(p-1)$? $\varphi(p-1) = \varphi(\varphi(p))$
How many numbers of order $(p-1)/d$? $\varphi((p-1)/d)$
Let p = 7. Orders of numbers 1 to 6 are

    Element  1  2  3  4  5  6
    Order    1  3  6  3  6  2

A number of full order is called a GENERATOR

Diffie-Hellman Key Exchange
Large prime p, and g preferably a generator
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Bob chooses $b \in Z_p$ and calculates $\beta \equiv g^b \bmod p$
Public values p, g
Shared secret between Alice and Bob is $K \equiv g^{ab} \bmod p$
Alice can calculate $K \equiv \beta^a \equiv g^{ab} \bmod p$
Bob can calculate $K \equiv \alpha^b \equiv g^{ba} \bmod p$
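
Element orders and the key exchange from the two slides above, as an added example that is not part of the original slides. The prime 79, g = 7 and a = 43 are borrowed from the ElGamal signature example later in the deck; Bob's secret 29 and the function names are constructed for this example. `key_space` shows why g is "preferably a generator".

```python
from collections import Counter

def order(a, p):
    """Smallest x >= 1 with a^x = 1 mod p, for a in 1..p-1 and p prime."""
    x, value = 1, a % p
    while value != 1:
        value = (value * a) % p
        x += 1
    return x

def generators(p):
    """Elements of full order p-1."""
    return [a for a in range(1, p) if order(a, p) == p - 1]

def dh_public(g, secret, p):
    """The value a party sends: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(received, secret, p):
    """The key a party derives from the other side's public value."""
    return pow(received, secret, p)

def key_space(g, p):
    """Number of distinct values g^x mod p can take, which equals order(g, p)."""
    return len({pow(g, x, p) for x in range(1, p)})

if __name__ == "__main__":
    print([order(a, 7) for a in range(1, 7)])    # the slide's table for p = 7
    print(generators(7))
    p, g, a, b = 79, 7, 43, 29                   # b is a constructed value
    alpha, beta = dh_public(g, a, p), dh_public(g, b, p)
    print(dh_shared(beta, a, p) == dh_shared(alpha, b, p))
    print(key_space(7, p), key_space(78, p))     # generator versus order-2 element
```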

ElGamal Cryptosystem
Large prime p, and g preferably a generator
Public values p, g
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Alice's public key $\alpha$, private key $a$
Message from Bob to Alice, P
Bob chooses a random $k \in Z_p$
Bob calculates $\gamma \equiv g^k \bmod p$, $C \equiv P\alpha^k \bmod p$
Bob sends $\gamma$, $C$ to Alice
Alice calculates $\mu \equiv \gamma^a \bmod p$ and $P \equiv C\mu^{-1} \bmod p$
$C\mu^{-1} \equiv P\alpha^k(\gamma^a)^{-1} \equiv P(g^a)^k((g^k)^a)^{-1} \equiv Pg^{ak}(g^{ak})^{-1} \equiv P \bmod p$
Bob masks message P with $g^{ak}$
Sends a clue $\gamma \equiv g^k \bmod p$ for unmasking
Caution - should use different k every time!

RSA vs ElGamal
For RSA every node uses a different modulus
Each node has to generate two primes
generating primes is much more computationally intensive than exponentiation
For ElGamal all nodes can use the same p, g
Easy to choose private key!
Extra bandwidth needed for mask
Usually as asymmetric crypto is used just for transmitting a single value, ElGamal needs twice the bandwidth of RSA

Hash Functions
h = H(M)
M can be of any size
h is always of fixed size
Typically h << size(M)
h = H(x) is easy to compute given x
Virtually impossible to calculate x given h
Weak collision resistance
Infeasible to find $x \ne y$ such that $H(x) = H(y)$
Strong collision resistance
Infeasible to find any $(x, y)$ such that $H(x) = H(y)$

Birthday Paradox
50 people in a room - what is the probability that two people have the same birthday?
Extremely high - about 0.977
A message M hashes to N bits, say h. What is the probability that another message $M_1$ hashes to h?
$1/2^N$ - we need to search $2^N$ to see a hit.
What is the probability that two messages have the same hash?
We need to search only $2^{N/2}$ messages
64-bit hash is not strongly collision resistant
Normally we use 160-bit hash functions
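
The $2^N$ versus $2^{N/2}$ gap, measured on a deliberately short hash; this is an added example, not part of the original slides. Truncating SHA-256 to N bits and the "msg-"/"try-" message formats are constructions of this example.

```python
import hashlib

def truncated_hash(message: bytes, bits: int) -> int:
    """The top `bits` bits of SHA-256(message), standing in for an N-bit hash."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits):
    """Find ANY two messages with equal hash; about 2^(bits/2) tries expected."""
    seen = {}
    counter = 0
    while True:
        message = b"msg-%d" % counter
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, counter + 1
        seen[h] = message
        counter += 1

def find_second_message(target: bytes, bits):
    """Find another message hashing to H(target); about 2^bits tries expected."""
    wanted = truncated_hash(target, bits)
    counter = 0
    while True:
        message = b"try-%d" % counter
        if message != target and truncated_hash(message, bits) == wanted:
            return message, counter + 1
        counter += 1

if __name__ == "__main__":
    bits = 16
    m1, m2, tries = find_collision(bits)
    print(f"any pair:       {tries} hashes (2^(N/2) = {2 ** (bits // 2)})")
    _, tries = find_second_message(b"fixed message", bits)
    print(f"fixed target:   {tries} hashes (2^N = {2 ** bits})")
```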

MD5 - 128-bit hash
Message length K
Pad message with P bits such that K+P is 448 mod 512 (64 bits less than a multiple of 512)
Padding is done even if K is already 448 mod 512!
Padding is 1 followed by P-1 zeros
Length of padding is at least 1. Maximum value is 512
Append length as a 64-bit value.
Total length is L x 512
Output h initialized to four fixed 32-bit quantities A, B, C, D
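
The padding rule above for byte-aligned messages, as an added example that is not part of the original slides. The function names are chosen here, and the little-endian encoding of the 64-bit length follows the MD5 specification (RFC 1321) rather than the slide.

```python
import struct

BLOCK_BYTES = 64      # 512-bit blocks
LENGTH_BYTES = 8      # 64-bit length field

def md5_pad(message: bytes) -> bytes:
    """Return message + padding + length, a multiple of 512 bits long."""
    k_bits = len(message) * 8
    padded = message + b"\x80"                      # the single 1 bit, then zeros
    zeros = (BLOCK_BYTES - LENGTH_BYTES - len(padded) % BLOCK_BYTES) % BLOCK_BYTES
    padded += b"\x00" * zeros                       # now 448 mod 512 bits
    padded += struct.pack("<Q", k_bits % 2**64)     # K as a 64-bit value
    return padded

def padding_bits(k_bytes: int) -> int:
    """P for a message of k_bytes bytes (the length field is not counted)."""
    total = len(md5_pad(bytes(k_bytes)))
    return (total - k_bytes - LENGTH_BYTES) * 8

def split_blocks(message: bytes):
    """The L blocks of 512 bits that are fed to the compression function."""
    padded = md5_pad(message)
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]

if __name__ == "__main__":
    for k in (0, 55, 56, 64):                       # message lengths in bytes
        print(k * 8, "bits ->", padding_bits(k), "padding bits,",
              len(split_blocks(bytes(k))), "block(s)")
```

A 56-byte message is already 448 mod 512 bits long, yet it still receives the maximum 512 bits of padding and spills into a second block.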

MD5
[Figure: IV (128 bit) -> HMD5 -> HMD5 -> ... -> HMD5 (128 bit); inputs Block 1, Block 2, ..., Block L (512 bit each)]
Each HMD5 block involves 64 rounds of data mangling
4 stages of 16 rounds each
Each stage has different compression functions F, G, H, I
Each round uses an entry from a fixed Table of length 64
Every bit of the hash code is a function of every bit of input
Other hash functions - SHA, SHA-1, RIPEMD-160

Digital Signatures
Signer and verifier
Anyone should be able to verify a signature
DS with public key cryptography
Signer encrypts message with his private key
Verifier checks (decrypts) with signer's public key
Usually only message hash is signed!

RSA Signature scheme
Message M
h = H(M)
Alice - signer. Private key d, public key e, modulus n.
Signature $s = h^d \bmod n$
Signed message M | s
Verification
Verifier calculates h = H(M)
Checks if $s^e \bmod n$ equals h
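
Textbook RSA covering both the RSA slide (key generation, encryption, decryption) and the signature scheme above, as an added example that is not part of the original slides. The primes 61 and 53, e = 17 and the SHA-256-mod-n stand-in for H are constructed toy values, and the scheme is shown unpadded, exactly as on the slides.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)); p, q and phi(n) are discarded afterwards."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)                 # d = e^{-1} mod phi(n), Python 3.8+
    return (e, n), (d, n)

def rsa_encrypt(P, public):
    e, n = public
    return pow(P, e, n)                   # C = P^e mod n

def rsa_decrypt(C, private):
    d, n = private
    return pow(C, d, n)                   # P = C^d mod n

def toy_hash(message: bytes, n):
    """Stand-in for H(M): SHA-256 reduced mod n so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(message: bytes, private):
    d, n = private
    return pow(toy_hash(message, n), d, n)            # s = h^d mod n

def rsa_verify(message: bytes, s, public):
    e, n = public
    return pow(s, e, n) == toy_hash(message, n)       # s^e mod n equals h?

def roundtrips_for_all(public, private):
    """a^(ed) = a mod n for every a in Z_n, including multiples of p or q."""
    n = public[1]
    return all(rsa_decrypt(rsa_encrypt(a, public), private) == a for a in range(n))

if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)
    print(public, private)
    print(rsa_decrypt(rsa_encrypt(65, public), private))
    print(roundtrips_for_all(public, private))
    s = rsa_sign(b"pay 10 to Bob", private)
    print(rsa_verify(b"pay 10 to Bob", s, public))
```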
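
ElGamal Signature Scheme
Large prime p, and g preferably a generator
Public values p, g
Message M.
Message hash h = H(M)
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g^a \bmod p$
Alice's public key $\alpha$, private key $a$
To sign h Alice chooses $1 \le k \le p-2$ and calculates
$\beta \equiv g^k \bmod p$
$\delta \equiv (h - a\beta)k^{-1} \bmod (p-1)$
Send $M \parallel \beta \parallel \delta$
Verification $\alpha^{\beta}\beta^{\delta} \equiv g^{a\beta}(g^k)^{(h - a\beta)k^{-1}} \equiv g^{a\beta}g^{h - a\beta} \equiv g^h \bmod p$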
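
ElGamal Signature Example
p = 79, g = 7
Alice's private key a = 43
$\alpha \equiv g^a \bmod p \equiv 7^{43} \equiv 48 \bmod 79$
Let hash of a message be 12
Alice chooses k = 5, $k^{-1} \bmod (p-1) \equiv 47 \bmod 78$
$\beta \equiv g^k \bmod p \equiv 7^5 \equiv 59$
$\delta \equiv (h - a\beta)k^{-1} \equiv (12 - 43 \cdot 59) \cdot 47 \equiv 41 \bmod (p-1)$
$\alpha^{\beta}\beta^{\delta} \equiv 48^{59} \cdot 59^{41} \equiv 8 \bmod 79$
Check $g^h \bmod p \equiv 7^{12} \bmod 79 \equiv 8 \bmod 79$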
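
ElGamal encryption (the ElGamal Cryptosystem slide) and ElGamal signing (the two slides above) over the example's p = 79, g = 7, as an added example that is not part of the original slides. The function and variable names are chosen here; the signing path reproduces the slide's numbers 48, 59, 41 and 8.

```python
from math import gcd

P, G = 79, 7                              # public values from the slide's example

def public_key(a):
    return pow(G, a, P)                   # alpha = g^a mod p

def encrypt(message, alpha, k):
    clue = pow(G, k, P)                   # g^k, sent alongside the ciphertext
    c = (message * pow(alpha, k, P)) % P  # message masked with g^(ak)
    return clue, c

def decrypt(clue, c, a):
    mask = pow(clue, a, P)                # (g^k)^a = g^(ak)
    return (c * pow(mask, -1, P)) % P     # unmask (Python 3.8+ modular inverse)

def sign(h, a, k):
    if not 1 <= k <= P - 2 or gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    beta = pow(G, k, P)
    delta = ((h - a * beta) * pow(k, -1, P - 1)) % (P - 1)
    return beta, delta

def verify(h, alpha, beta, delta):
    if not 0 < beta < P:
        return False
    return (pow(alpha, beta, P) * pow(beta, delta, P)) % P == pow(G, h, P)

if __name__ == "__main__":
    a = 43
    alpha = public_key(a)
    beta, delta = sign(12, a, 5)
    print(alpha, beta, delta, pow(G, 12, P))
    print(verify(12, alpha, beta, delta))
    clue, c = encrypt(33, alpha, 5)       # 33 is a constructed message value
    print(decrypt(clue, c, a))
```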
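
Schnorr Signature Scheme
Large prime p, and smaller prime q such that $q \mid (p-1)$
Typically p is 1024 bits and q is 160 bits
A number $g_q$ of order q
Public values p, q, $g_q$
Alice chooses $a \in Z_p$ and calculates $\alpha \equiv g_q^a \bmod p$
Alice's public key $\alpha$, private key $a$
Message M. Hash function H( ).
To sign a message
$\beta \equiv H(M \parallel g_q^k)$, $1 \le k \le q-1$
$\delta \equiv k + a\beta \bmod q$
Both $\beta$ and $\delta$ are 160 bit quantities!
Verification
$\beta \equiv H(M \parallel g_q^{\delta}\alpha^{-\beta}) \equiv H(M \parallel g_q^{k + a\beta}g_q^{-a\beta}) \equiv H(M \parallel g_q^k) \bmod p$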
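
Schnorr signing and verification as described above, added as an example that is not part of the original slides. The toy parameters p = 79, q = 13, g_q = 18 (an element of order 13 mod 79), the private key 43, the nonce 5 and the SHA-256 encoding of M and g_q^k are all constructed for this example.

```python
import hashlib

P, Q, G_Q = 79, 13, 18                    # q divides p-1 = 78; 18 has order 13

def H(message: bytes, r: int) -> int:
    """Hash of the message joined with the group element r."""
    data = message + b"|" + str(r).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def public_key(a):
    return pow(G_Q, a, P)                 # alpha = g_q^a mod p

def sign(message: bytes, a, k):
    if not 1 <= k <= Q - 1:
        raise ValueError("k must satisfy 1 <= k <= q-1")
    beta = H(message, pow(G_Q, k, P))     # beta = H(M || g_q^k)
    delta = (k + a * beta) % Q            # delta = k + a*beta mod q
    return beta, delta

def recovered_commitment(alpha, beta, delta):
    """g_q^delta * alpha^(-beta) mod p, which equals g_q^k for a valid pair."""
    alpha_inv_beta = pow(pow(alpha, beta, P), -1, P)
    return (pow(G_Q, delta, P) * alpha_inv_beta) % P

def verify(message: bytes, alpha, beta, delta):
    return H(message, recovered_commitment(alpha, beta, delta)) == beta

if __name__ == "__main__":
    a, k = 43, 5
    alpha = public_key(a)
    beta, delta = sign(b"hello", a, k)
    print(recovered_commitment(alpha, beta, delta) == pow(G_Q, k, P))
    print(verify(b"hello", alpha, beta, delta))
    print(verify(b"hellp", alpha, beta, delta))
```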