- By
**tiva** - Follow User

- 148 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' The RSA Algorithm and Reed-Solomon Codes' - tiva

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

RSA AlgorithmOutline

Introduction

- Two Information Coding Schemes
- RSA Algorithm
- Privacy
- Authenticity
- Reed-Solomon Codes
- (Bursty) Noise Tolerance

Shared Key Cryptography

- Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc…)
- Requires prior agreement on a shared key over a secure channel
- What if Neo and Trinity have yetto meet?

Public Key Cryptography

- Mathematically-related public/private key pairs are generated
- Messages encrypted with public key
- Can only be decrypted with private key
- Infeasible to compute private key from public key alone
- No need to agree on a shared key!

RSA Algorithm

- Rivest, Shamir and Adleman (1977)
- Based on difficulty of computing prime factors of large integers

RSA Algorithm

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

Setup

Usage

RSA Algorithm

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

Modular Multiplicative Inverse

- Let e, d, n be integers with n ≠ 0
- Fact: If gcd(e, n) = 1(i.e. e and n are coprime)

then there exists d such that de≡1 (mod n)

- In other words, the multiplicative inverseof e(mod n) exists when gcd(e, n) = 1

RSA Algorithm

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

RSA Algorithm

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

Euler’s Totient Function ɸ(n)

- Definition: no. of integers 1 ≤a ≤ n with gcd(a, n) = 1
- Formula:
- For n =pqwhere p and q are primes

Modular Exponentiation

- Let x, y, m, n be integers with n ≥ 0
- Fact:If x ≡ y (mod ɸ(n)) , then mx≡my(mod n)
- In other words, working in mod n requires that we work mod ɸ(n) in the exponent

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

RSA Algorithm

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Encrypt with C ≡Me (mod n)
- Decrypt with M ≡Cd (mod n)

(Me)d≡ M (mod n)

and

(Md)e≡ M (mod n)

Example: M = 1234

- Pick p = 37and q =43
- Compute n = 1591 andɸ(n) = 1512
- Pick e= 71gcd(e, ɸ(n)) = gcd(71, 1512) = 1
- Compute d = 575 (Extended Euclidean Algorithm)de = 40825 ≡1 (mod 1512)
- Public key is (n, e), private key is (n, d)
- Encrypt: C ≡ Me ≡ 123471 ≡ 908 (mod 1591)
- Decrypt: M ≡ Cd ≡ 908575 ≡ 1234 (mod 1591)

RSA Algorithm for Signatures

- Pick two distinct primes p and q
- Compute n =pqandɸ(n)= (p – 1)(q – 1)
- Pick e where 1 < e < ɸ(n) andgcd(e, ɸ(n)) = 1
- Compute d wherede≡ 1 (mod ɸ(n))
- Public key is (n, e), private key is (n, d)
- Sign M with S ≡ Md (mod n); Send (M, S)
- Verify that M ≡ Se (mod n)

Reversed!

Sign with private key

Verify with public key

Implementing…

- Modular exponentiation
- Successive-Squaring
- Computing d from e and ɸ(n)
- Extended Euclidean Algorithm
- Finding large primes

Modular Exponentiation Algo.

- Successive-Squaring to Compute C ≡ Me (mod n)

Let e = ekek–1 … e0 (binary representation of e)

C := 1

Fori := k, k – 1, …, 0

C := (C * C) mod n

If ei = 1 Then C := (C * M) mod n End For

- Performance: O(log e)
- Memory: O(1)

Computing d from e and ɸ(n)

- Extended Euclidean Algorithm:
- Since eandɸ(n)are coprime, solving yields d = y satisfying

Find max. qi satisfying and xiand yisatisfying

When rk = 0, stop and output gcd(a, b) = rk-1 andx = xk-1and y= yk-1

Similar to Euclidean Algorithm for gcd(a, b),

but retain quotients qi at each step ito compute xiand yi

Generating Large Primes

- Generate a large random integer
- Apply primal test repeatedly
- Primality Tests:
- Miller-Rabin
- Solovay-Strassen
- Fermat Primality Test
- Euler Witness, Euler Liar

Algorithm

1: Pick a large random integer

2: If for any small prime (Sieving)

3: go back to step 1

4: repeat times(Miller-Rabin)

5:pick random integer

6:do a primality test on (,)

7: if test fails

8: go back to step 1

9: is probably prime

Sieving

- Sieve of Eratosthenes

1: Pick a large random integer

2: If for any small prime

3: go back to step 1

Miller-Rabin Primality Test

4: repeat times

5: pick random integer

6: do a primality test on (, )

7: if test fails

8: go back to step 1

9: is probably prime

Fermat’s Little Theorem

- If is prime and for any integer such that doesn’t divide

Miller-Rabin Primality Test

- : prime candidate
- : random integer
- is odd

Example

- prime candidate
- random integer

Example

- Either is a prime or is an Euler liar
- Now, we try another a

Example

- prime candidate
- random integer

Example

- is a composite
- is an Euler liar
- is an Euler witness

Deterministic Miller-Rabin

- Trying all possible witnesses below a limit
- Not used in practice
- if p< 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.

Complexity and Error

- Complexity of Sieve of Eratosthenes:
- log(S)
- Complexity of Miller-Rabin:
- : number of tests
- Complexity of Deterministic Miller-Rabin

Noisy Channel

Noise is Natural

Studied models in general

- Binary Symmetric Channel
- Binary Erasure Channel
- Noisy Typewriter Channel
- Continuous Output Channel

…

Linear Codes

M C

00 000

01 001

10 010

11 011

100

101

110

111

No Structure??Have to store the whole mapping in a codebook

Linear Code: If is a field and , is a subspace of then is said to be a linear code

Linear Codes

Linear Code: If is a field and , is a subspace of then is said to be a linear code

- As is a subspace, there exists a basis where is the dimension of the subspace
- Any code word can be expressed as a linear combination of these basis vectors.

for example,

Hamming Code is Linear

=

G =

n x k,

where n =7, k=4

Singleton Bound

- a code over alphabet of length and min distance
- How many code words possible?
- Singleton Bound

Reed Solomon Code

- Applications: CDs, Space Communication, …
- Robust against Burst errors

[1960] Reed Solomon Code

From left: GustaveSolomon & Irving S. Reed

Reed Solomon Code (Original View)

Given

Create a polynomial

p

- p has degree at most
- A non zero polynomial of degree with coefficients from field has at most roots in .

Reed Solomon Sketch (Original View)

- points are sufficient for describing the polynomial.
- Instead, we evaluate the polynomial at points and send them.

Reed Solomon Sketch

- Decoding:
- look at all possible subset from the set of n symbols received
- Interpolate a message polynomial for each subset
- Most popular message is the correct result
- But, impractical
- For, [255,249,6], = 359 billion

Field

- A set of elements with two operations “Addition” and “Multiplication” defined on these elements.
- Closed under these two operations
- Basically all arithmetic operations are allowed

Examples: Set of Real numbers, Set of Rational numbers…

Finite Field

- A field with finite number of elements.

Example: {0,1} with modulo operations

In general {0,1,2….p-1} is a field with p elements with modulo operations. (p is prime)

How to construct fields with 8 elements?

In general how to construct pr elements??

Galois Field GF(2m)

- A field with 2m elements can be constructed by extending the field GF(2) which is {0,1}.
- Let α denotes an additional element in GF(2m).
- Now GF(2m) ={ 0,1, α ,α2,….. α2m-1, α2m,…}
- To make the number of elements 2m, we restrict

α2m-1 = 1 = α0

- Any non-zero element in GF(2m)

can be written as a

polynomial of degree

at most m-1.

- Coefficients are from GF(2)
- Also they can be mapped

to binary values.

Primitive Polynomial

- An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides xn+1 is n=2m-1.
- Example: 1 + x + x4 because it divides xn+1 for n=15 and not for other values less than 15.
- Used for construction GF(2m)
- RS codes use GF(2m).

The Field GF(23)

- Let f(x) = 1 + x + x3 be a primitive polynomial.
- Let α an element of the extension field be defined as the root of the polynomial f(x).
- 1 + α+ α3 =0

α3 = 1 + α

- α4 = α + α2
- α5 = 1 + α + α2
- α6 = 1+ α2
- α7 = 1

Reed Solomon Code: RS[n,k,d]

- Given n = 2m -1, k =2m-1-2t, RS code can be constructed as ( t is number of errors it can correct)
- Construct a finite field GF(2m) with 2m elements using irreducible polynomial
- Choose α1, …αn from the Field GF(2m)

Given in GF(2m)

Create a polynomial

p

- The codeword is

Properties of RS(n,k,d)

- Linear Code
- Cyclic
- d = n-k+1 (Maximum Distance Separable)
- Can correct up to n-k erasures
- Can correct up to (n-k)/2 symbol errors

Systematic Encoding

- This form of encoding is not in Systematic form
- Systematic form : Parity symbols message symbols
- 010 110 111 100 001 011 101 010 110 111
- Message polynomial α + α3x + α5x2
- Code Polynomial α0 + α2x + α4x2+ α6x3+αx4+α3x5+α5x6
- A generator polynomial g(x) is defined as

g(x) = (x-α) (x-α2) …………… (x-α2t)

Encoding in Systematic Form

- Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x2t.
- Define p(x) = x2t m(x) (mod g(x))
- The final codeword polynomial u(x) is

u(x) = p(x) + x2t m(x)

Example RS[7,3,5]

- Message polynomial α + α3x + α5x2
- Yielding αx4 + α3x5 + α5x6 after multiplication with x2t i.e. x4
- Take g(x) = (x- α)(x- α2)(x- α3)(x- α4)

= x4 – α3x3+ α0x2 – αx + α3

= α3 + αx + α0x2 + α3x3+x4

Next divide α x4 + α3x5 + α5x6 by g(x) to find the remainder p(x) = α0 + α2x4+ α4x2+ α6x3.

Now u(x)=α0 + α2x + α4x2+ α6x3+ αx4+ α3x5+ α5x6

Syndrome Computation

- The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.
- The syndromes are basically evaluations of the received polynomial r(x) at α,α2, α3,… α2t.

Si = r(αi) , i=1,2,….2t

- If r(x) is a valid codeword then we get all the Si evaluate to zero.
- Any non-zero Si indicates the presence of errors.

Error Polynomial

- The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2m).
- Hence r(x) = u(x) + e(x).
- The problem finding e(x) from r(x) (or the syndromes) is decoding.

Properties of RS codes

- Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).
- If at most ‘t’ of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.
- Polynomial multiplication/division using FFT takes O(klogk) where k is the max of degrees of the polynomial.

Structure of Syndrome

- Error polynomial e(x) = e0 + e1x +….enxn
- Suppose the received polynomial r(x) has ν errors in it at the locations i1,i2,…iν. The magnitude of error at these locations are eij.
- Then syndromes can be written in the form

Sj = e1jxlj + e2jxlj + ….+eνjxlj j=1,2,…2t

where Xl= αil

Outline

- Calculate Syndromes
- Find the error locator polynomial
- Peterson-Gorenstein-Zierler Decoder
- Find error locations
- ChienSearch
- Find error values
- Forney’s Algorithm

Error Locator Polynomial

- Help to find the locations where an error has occurred

- Intuition: The roots of this polynomial are inverses of the error locations

Expanding Λ(x):

Using Error Locator Polynomial

For x = Xl-1 and for any 1 ≤ l ≤ ν

Multiplying throughout by YlXl (j+ν)

Using Error Locator Polynomial

Sum over l = 1 to t

Using Error Locator Polynomial

Repeating for j = 1 to

- Equation (1) – (4) now form a system of Linear Equations

Peterson-Gorenstein-ZierlerDecoder (1960)

- Solved for Λis by finding the largest value of νfor which Mνis non-singular starting from ν = t
- Overall this algorithms runs in polynomial time
- ν≤ t; 2t = n – k = O(n) (could also be O(1) for large n & k)
- Use polynomial-time algorithms for matrix determinants and inversion

Outline

- Calculate Syndromes
- Find the error locator polynomial
- Peterson-Gorenstein-Zierler Decoder
- Find error locations
- ChienSearch
- Find error values
- Forney’s Algorithm

Chien Search

- Find roots of Error Locator Polynomial, Λ(x), by exhaustive search
- Evaluate Λ(αi) for i = 1, 2, …, 2t
- Find all iwhere Λ(αi) = 0 αiis a root of Λ(x)
- Error locations will also be of the form: αj
- Here, αj = α-1and j = 2t – i.
- If number of errors found is ≥ t, abort process

Outline

- Calculate Syndromes
- Find the error locator polynomial
- Peterson-Gorenstein-Zierler Decoder
- Find error locations
- ChienSearch
- Find error values
- Forney’s Algorithm

Forney’s Algorithm

- Defining the Syndrome polynomial:

- Defining the Error Evaluator polynomial:

- Error value Yi for all iϵ{1, 2, …, }:

where, b is the degree of the smallest root of the generating function of the code &

- Calculate Syndromes
- Find the error locator polynomial
- Peterson-Gorenstein-Zierler Decoder
- Find error locations
- ChienSearch
- Find error values
- Forney’s Algorithm

Dial ‘D’ for you message

- r(x) = u(x) + e(x)
- Decoding techniques help determine e(x) completely
- Hence, u(x) = r(x) – e(x) = Message sent is recovered

We are done!!

Extras

- Other more efficient (implementation wise) algorithms for decoding:
- Berlekamp-Massey Decoder (LFSR and iterative correction)
- Euclidean Algorithm (Values and locations simultaneously determined using iterative GCD of polynomials)
- Decoders implemented as dedicated chips by manufacturers (Hardware and Software)

References

RSA:

- EvgenyMilanov, RSA algorithm,http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf
- Kenneth Rose, Elementary Number Theory and its applications, 5th Ed., Pearson International
- Trappe & Washington, Introduction to Cryptography with Coding Theory, 2nd Ed., Pearson International

Reed-Solomon Codes:

- Bernard Sklar, Reed Solomon error correction,http://ptgmedia.pearsoncmg.com/images/art_sklar7_reed-solomon/elementLinks/art_sklar7_reed-solomon.pdf
- V. Guruswami, Introduction to Coding Theory, CMU, http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/
- John Gill, EE 387 Note #7, Stanford University, http://www.stanford.edu/class/ee387/handouts/notes7.pdf
- Wikipedia

Download Presentation

Connecting to Server..