- By
**dolph** - Follow User

- 77 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Prelude to Public-Key Cryptography' - dolph

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Prelude to Public-Key Cryptography

Rocky K. C. Chang, February 2014

Outline

- Motivations for public-key cryptography
- Affine Cipher
- Generalizing Affine Cipher to multiplicative groups.
- Computing the multiplicative inverses using Euclidean algorithms
- The Chinese Remainder Theorem
- Other useful Group Theory results
- Multiplication modulo prime
- Primitive elements

Public-key cryptography

- Drawbacks of the symmetric key cryptosystems:
- Require a secret key established before sending ciphertext.
- Cannot be used for digital signatures.
- Main ideas behind the public-key cryptosystems:
- It is computationally infeasible to determine DK() given EK().
- Therefore, EK() can be public and DK() must be private.

Public-key cryptography

- Key people behind the public-key cryptography:
- Diffie and Hellman
- Rivest, Shamir, and Adleman
- The RSA algorithm is based on the difficulty of factoring large integers.
- ElGamal, Elliptic Curve, and Diffie-Hellman are based on the difficulty of solving the discrete logarithm problem.

Recall that the Affine Cipher is:

- Let M = C = Z26 = {0, 1, 2, …, 25}
- K = (a, b), where a, b {0, 1, 2, …, 25}.
- Encryption and decryption functions:
- EK(m) = am + b mod 26
- DK(c) = a-1(c b) mod 26
- EK(m) is not an one-to-one function for all a.
- When a = 1, Affine Cipher is the same as a Shift Cipher.
- Affine Cipher is still a special case of the Substitution Cipher.

EK(m) is not an one-to-one function for all a.

- Not all (a, b) can be used as keys.
- E.g., a = 2 and b = 1: E(m) = 2m + 1 mod 26.
- But E(0) = E(13) = 1.
- For any c Z26, the decryption is possible iff the congruence am c (mod 26) has a unique solution for m.
- Decryption is possible iff there is a unique solution m in am + b c (mod 26) or am c b (mod 26).
- Note that b just shifts c to the left hand side by b, which gives the same set of values for c.
- Thus, decryption is possible iff there is a unique solution m in am c (mod 26).

The values of a: gcd(a,26) = 1.

- The congruence am c (mod 26) has a unique solution for any c Z26 iff gcd(a,26) = 1 (i.e., a and 26 are relative prime).
- Assume that gcd(a,26) = d > 1.
- Without loss of generality, take c = 0.
- Then am 0 (mod 26) has two solutions: m = 0 and m = 26/d.
- The congruence does not have a unique solution.
- Assume that gcd(a,26) = 1.
- Consider some m1 and m2 for which am1 am2 (mod 26) or a(m1m2) 0 (mod 26).
- That is, 26 | a(m1m2) (i.e., 26 divides a(m1m2)).
- Since gcd(a,26) = 1, we have 26 | (m1m2).
- By definition,m1 m2 (mod 26).
- Therefore, a unique solution m Z26.

What is the size of the key space?

- How many a Z26 for which gcd(a,26) = 1?
- All odd numbers except for 13 (i.e., 12 of them).
- Thus, the size of the key space = 1226 = 312.
- Define a-1 to be the multiplicative inverse of a for which aa-1 a-1a 1 (mod 26).

Inverses of a Z26

- a a-1
- 1 1
- 3 9
- 5 21
- 7 15
- 9 3
- 11 19

- a a-1
- 15 7
- 17 23
- 19 11
- 21 5
- 23 17
- 25 25

- Multiplicative inverses for the set of a for which gcd(a,26) = 1:

- Multiplicative inverses do not exist for the set of a for which gcd(a,26) ≠ 1.

Decryption function

- c am + b (mod 26)
- am c b (mod 26)
- Assuming that the a-1 exists, we have a-1(am) a-1(c b) (mod 26)
- The left side is a-1(am) (a-1a)m 1m m (mod 26).
- Therefore, m = a-1(c b) mod 26.

Abelian Group or Commutative Group

- A group G is a set of numbers together with an operation that satisfies the following requirements:
- (Closure) For all a, b G, a b G.
- (Associative) For all a, b, c G, a (b c) = (a b) c.
- (Identity) Exists some unique e G such that for all a G, a e = e a = a. (e is the identity element)
- (Inverse) For all a G, there exists an a-1 G, such that a a-1 = a-1 a = e. (a-1is the inverse of a).
- (Commutative) For all a, b G, a b = b a.

For example,

- The set of real numbers under addition is a (additive) group.
- e = 0 and a-1 = -a.
- The set of non-zero real numbers under multiplication is a (multiplicative) group.
- e = 1 and a-1 = 1/a.
- The set of integers under addition is a group, but the set of integers under multiplication is not a group.
- Zn = {0, 1, 2, …, n–1} under addition modulo n is a group.

Multiplicative group

- Let Z*26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} under multiplication modulo 26 forms a group.
- Z*26 is the set of residues modulo 26 that are relatively prime to 26.
- We can generalize the modulo 26 to any modulo p.
- am c (mod p) has a unique solution m Zp for every c Zp iff gcd(a,p) = 1.
- The number of integers in Zp that are relatively prime to p is denoted by (p).
- (26) = ?
- There is a formula to compute (p).

Multiplicative group

- Suppose a Zp, a-1 exists iff gcd(a,p) = 1.
- If a-1 exists, it is unique.
- It is not difficult to prove that Z*p forms a group under multiplication modulo p.
- As a special case, if p is prime, then every nonzero element of Zp has a multiplicative inverse.
- Therefore, (p) = p – 1.
- Z*p = Zp \ {0}.

How to compute the multiplicative inverse?

- Use the Euclidean algorithm to compute gcd(a,b).
- E.g., gcd(108,42) = gcd(42,24) = gcd(24,18) = gcd(18,6) = 6.
- E.g., gcd(75,28) = gcd(28,19) = gcd(19,9) = gcd(9,1) = 1.
- Can determine whether a positive integer a < p has a multiplicative inverse modulo p.

The Extended Euclidean algorithm

- Use the Extended Euclidean algorithm to compute r, s, t, such that sa + tb = r = gcd(a,b).
- For example, a = 108, b = 42 (i.e., gcd(a,b) > 1),
- 108 = 242+24 (24 = a–2b)
- 42 = 124+18 (b=1(a–2b)+18 or -a+3b=18)
- 24 = 118+6 (a–2b=1(-a+3b)+6 or 2a–5b=6)
- 18 = 36+0
- Therefore, 2a–5b=6 (s = 2, t = -5, and r = 6).

The Extended Euclidean algorithm

- For example, a = 75, b = 28 (i.e., gcd(a,b) = 1),
- 75 = 228+19 (19 = a–2b)
- 28 = 119+9 (b=1(a–2b)+9 or -a+3b=9)
- 19 = 29+1 (a–2b=2(-a+3b)+1 or 3a–8b=1)
- 9 = 91+0
- Therefore, 3a–8b=1 (s = 3, t = -8, and r = 1).

Compute the multiplicative inverse

- Consider a Zpand gcd(p,a) = 1.
- From the Extended Euclid. Algorithm, we have sp + ta = 1.
- Reducing the above modulo p, we have ta 1 (mod p).
- In other words, t is the multiplicative inverse of a. Note that it is also unique.
- E.g., for a =28 and Z75, a-1 = -8 mod 75 = 67.
- Check aa-1 mod 75 = 1876 mod 75 = 1!

The Chinese Remainder Theorem

- The CRT is a method of solving the followings for x, where gcd(pi, pj) = 1 for i j.
- x a1 (mod p1)
- x a2 (mod p2)
- …
- x ar (mod pr),
- The CRT asserts that there is a unique solution in {0, 1, …, p1…pr – 1}.
- To see why, consider mapping x to x mod pi (called X).

For example,

- Consider p1 = 5 p2 = 3, P = p1p2 = 15, and x {0, 1, 2, …, 14}.
- X(0) = (0,0), X(1) = (1,1), X(2) = (2,2),
- X(3) = (3,0), X(4) = (4,1), X(5) = (0,2),
- X(6) = (1,0), X(7) = (2,1), X(8) = (3,2),
- X(9) = (4,0), X(10) = (0,1), X(11) = (1,2),
- X(12) = (2,0), X(13) = (3,1), X(14) = (4,2)
- The mapping X(x) is bijective => a unique solution to
- x a1 (mod p1)
- x a2 (mod p2).

The Chinese Remainder Theorem

- Suppose p1, …, pr are pairwise relatively prime, and a1, …, ar are integers. Then the system of r congruences x ai (mod pi) has a unique solution modulo P = p1… pr, which is given by
- x = a1P1y1 mod P + … + arPryr mod P,
- where Pi = P/pi and yi = Pi-1 mod pi, i=1, …, r.
- For example, (p1,p2,p3) = (7,11,13) and (a1,a2,a3)=(5,3,10).
- P = 1001.
- From the Extended Euclid. Algorithm, y1 = 5, y2 = 4, and y3 = 12.
- From the CRT, x = ( 5(1113)5 + 3(713)4 + 10(711)12 ) mod 1001 = 894.

Lagrange’s theorem

- For a finite multiplicative group G under modulo p, define
- The order of G is (p) (i.e., the number of elements in G)
- The order of an element g G to be the smallest +ve integer n such that gn mod p = 1.
- E.g., for Z*26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}, recall that (p) = 12.
- The order of 1 is 1.
- The order of 3 is 3, because 33 mod 26 = 1.
- The order of 5 is 4, because 54 mod 26 = 1.
- …
- (Lagrange) Suppose G is a multiplicative group of order n, and g G. Then the order of g divides n.

Multiplicative group modulo prime

- From the Lagrange’s theorem, we immediately have
- If b Z*p, then b(p) 1 (mod p).
- If p is a prime and b Z*p, then bp b (mod p).
- If p is prime, then Z*p is a cyclic group.
- There exists at least an element g Z*p having order equal to (p) = p – 1.
- Such element is called the primitive element modulo p.
- E.g., for Z*7, 3 is a primitive, because 3i mod 7 1, i=1,…,5, and 37-1 mod 7 = 1.

Properties of the primitive elements

- An element g is a primitive element modulo p iff gi, i = 0, 1, …, p–2, generate Z*p. E.g., for p = 7
- 30 mod 7 = 1,
- 31 mod 7 = 3,
- 32 mod 7 = 2,
- 33 mod 7 = 6,
- 34 mod 7 = 4,
- 35 mod 7 = 5.
- The order of an element a = gi is given by (p–1)/gcd(p–1,i).
- Thus, a = gi is a primitive element iff gcd(p–1,i) = 1.
- In other words, the number of primitive elements is (p–1).

For example,

- For p = 7, p–1 = 6 = 23. Therefore, (6) = (21–21-1)(31–31-1) = 2.
- Test for primitive elements:
- gcd(6,0) = 6
- gcd(6,1) = 1 31 is a primitive element.
- gcd(6,2) = 2
- gcd(6,3) = 3
- gcd(6,4) = 2
- gcd(6,5) = 1 35 mod 7 = 5 is another primitive element.

A quicker method for testing for primitive elements

- Suppose that p is prime and a Z*p. Then a is a primitive element modulo p iff a(p–1)/q 1 (mod p) for all primes q such that q | (p–1).
- Back to p = 7, all primes, for which q | (p–1), are 2 and 3.
- 1 is clearly not a primitive element.
- 26/2 1 (mod 7).
- 36/2 6 (mod 7) and 36/3 2 (mod 7) 3 is a primitive element.
- 46/2 1 (mod 7).
- 56/2 6 (mod 7) and 56/3 4 (mod 7) 5 is a primitive element.

Conclusions

- We have laid down some foundations for understanding the public-key cryptography.
- Affine Cipher
- Multiplicative groups (Diffie-Hellman)
- The Chinese Remainder Theorem (RSA)
- Multiplicative groups modulo prime (Diffie-Hellman)

Acknowledgments

- The notes are prepared mostly based on
- D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.

Download Presentation

Connecting to Server..