
Ch1 - Algorithms with numbers






Presentation Transcript


  1. Ch1 - Algorithms with numbers • Basic arithmetic • Addition • Multiplication • Division • Modular arithmetic • RSA – factoring is hard • Primality testing

  2. Addition • 53+35=88 • Cost? (n – number of bits) • O(n)

  3. Multiplication • 13x11=143 • Cost? • O(n^2)

  4. al-Khwārizmī • Operations • determining parity (even or odd) • addition • duplation (doubling a number, left shift) • mediation (halving a number, rounding down, right shift)

  5. al-Khwārizmī • Cost? • O(n^2) • Can we do better?

  6. Division Cost?

  7. Modular arithmetic • A system for dealing with restricted ranges of integers • Addition • x+y mod N, assuming x, y <N • O(n), n - number of bits N has (size of input) (x+y mod N = x+y or x+y-N) • Multiplication • x*y mod N • ?

  8. Modular arithmetic

  9. RSA • Ron Rivest, Adi Shamir, Leonard Adleman (1977) • Algorithm for public-key cryptography, based on the presumed difficulty of the factoring problem. • 2002 A.M. Turing Award • RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site. • Needed for implementing RSA: • FLT (Fermat’s Little Theorem) • Fast Exponentiation • Extended Euclidean Algorithm • Modular inverses • CRT (Chinese Remainder Theorem)

  10. Turing Lecture on Early RSA Days, Ronald L. Rivest

  11. Turing Lecture on Early RSA Days, Ronald L. Rivest

  12. Turing Lecture on Early RSA Days, Ronald L. Rivest In April 2012, the factorization of 143 was achieved.

  13. RSA public-key cryptosystem [Figure: Bob encrypts M with Alice's public key P_A and sends P_A(M) over the communication channel; Alice decrypts it with her secret key S_A to recover M.] In a public-key cryptosystem, everyone has a public key and a secret key. Suppose Alice and Bob are two participants: Alice has P_A, S_A and Bob has P_B, S_B. The keys specify 1-1 functions from the message space to itself: M = S_A(P_A(M)), M = P_A(S_A(M)).

  14. RSA digital signatures [Figure: Alice signs M with her secret key S_A and sends M together with S_A(M) over the communication channel; Bob checks whether P_A(S_A(M)) = M and accepts M if it does.]

  15. RSA algorithm • Select at random 2 large prime numbers p & q; (p & q might be, say, 100 decimal digits each.) • Compute n: n = pq; • Select an odd integer e that is relatively prime to φ(n) = (p-1)(q-1); • Compute d as the multiplicative inverse of e, modulo φ(n); (de ≡ 1 mod φ(n)) • Publish P = (e, n) as the RSA public key; • Keep secret S = (d, n) as the RSA secret key. If M ∈ Z_n = {0, 1, …, n-1}: P(M) = M^e mod n, S(C) = C^d mod n, where C = P(M).

  16. RSA example Pick p = 47, q = 71. n = pq = 3337. φ(n) = (p-1)(q-1) = 46*70 = 3220, choose e = 79 (at random). d = 79^-1 mod 3220 = 1019. P_A = (79, 3337). S_A = (1019, 3337). Message: M = 6882326879666683 = 688 232 687 966 668 3. M1 = 688 → 688^79 mod 3337 = 1570 = C1; M2 = 232 → 232^79 mod 3337 = 2756 = C2; … C = 1570 2756 2091 2276 2423 158. C1 = 1570 → 1570^1019 mod 3337 = 688 = M1; … C6 = 158 → 158^1019 mod 3337 = 3 = M6.

  17. Another example c = m^e mod n, with n = 4559, e = 13. Smiley transmits: “Last name Smiley” (letters encoded A = 01, …, Z = 26, two letters per block) • L A S T N A M E S M I L E Y • 1201 1920 0014 0113 0500 1913 0912 0525 • 1201^13 mod 4559, 1920^13 mod 4559, … • 1074 0116 1478 2150 3906 4256 1445 2462

  18. RSA Bob receives the encrypted blocks c = m^e mod n. He has a private decryption exponent d which, when applied to c, recovers the original blocks m: (m^e mod n)^d mod n = m. For n = 4559, e = 13 the decryptor is d = 3397.

  19. RSA n = 4559, d = 3397 • 1074 0116 1478 2150 3906 4256 1445 2462 • 1074^3397 mod 4559, 0116^3397 mod 4559, … • 1201 1920 0014 0113 0500 1913 0912 0525 • L A S T N A M E S M I L E Y

  20. RSA If I want to encrypt credit card numbers, how big should my p and q be? If I want to encrypt words of four random characters from the ASCII set, how big should my p and q be?

  21. RSA Technical difficulties: • How do we know the algorithm works correctly? • How to pick large prime numbers? • Compute pq • How to choose e • Compute d • How to compute M^e, C^d • Can anyone break the code?

  22. How to pick large prime numbers ?

  23. Primality testing? Hard, but much easier than factoring. Fermat’s Little Theorem: If p is prime, then ∀a s.t. 1 ≤ a < p, a^(p-1) ≡ 1 mod p. The numbers that make us fail are called Fermat pseudoprimes – extremely rare (ex. 2^340 ≡ 1 mod 341; Carmichael number 561, 2^560 ≡ 1 mod 561)

  24. Lagrange’s Prime Number Theorem Theorem: The number of prime numbers between 1 and x is “about” x/ln x. Not only are primes easy to detect, but they are also relatively abundant.

  25. Carmichael number A number c is a Carmichael number if it is not a prime, and still for all prime divisors d of c it so happens that d-1 divides c-1. The smallest Carmichael number is 561 = 3·11·17. If c is a Carmichael number and a is relatively prime to c, then a^(c-1) ≡ 1 mod c.
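The Fermat test of slide 23 as an added Python example (mine, not code from the slides), run on the two numbers the slides name: 341 = 11·31, which fools base 2 only, and the Carmichael number 561, which fools every base relatively prime to it. is_carmichael codes the slide-25 criterion together with the square-free condition of Korselt's criterion, which the slide's wording leaves out (without it 4 and 9 would qualify).

```python
# Added example, not from the slides: the Fermat test (slide 23) and the
# Carmichael criterion (slide 25), checked on the numbers the slides cite.
from math import gcd


def fermat_witness(n, a):
    """True when base a proves n composite: a^(n-1) is not 1 (mod n). Needs 1 < a < n."""
    return pow(a, n - 1, n) != 1


def fermat_test(n, bases):
    """'Probably prime' if no base in `bases` is a witness; a real prime never fails (FLT)."""
    if n < 4:
        return n in (2, 3)
    return not any(fermat_witness(n, a) for a in bases)


def fools_every_coprime_base(n):
    """Exhaustive: does a^(n-1) = 1 (mod n) hold for every a with gcd(a, n) = 1?
    True exactly for primes and Carmichael numbers; feasible only for small n."""
    return all(not fermat_witness(n, a) for a in range(2, n) if gcd(a, n) == 1)


def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine at the slides' sizes)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def is_carmichael(n):
    """Slide 25: composite n such that (d - 1) | (n - 1) for every prime divisor d.
    Korselt's criterion also needs n square-free; without it 4 and 9 would pass."""
    ps = prime_factors(n)
    if len(ps) < 2:
        return False                              # prime or prime power
    square_free = all(n % (p * p) != 0 for p in ps)
    return square_free and all((n - 1) % (p - 1) == 0 for p in ps)


if __name__ == "__main__":
    print(fermat_test(341, [2]), fermat_test(341, [2, 3]))    # base 2 is fooled, base 3 is not
    print(fools_every_coprime_base(561), is_carmichael(561))  # True True
```

A base that shares a factor with n is always a witness (3 exposes 561 at once), which is why the Carmichael guarantee is stated only for bases relatively prime to c.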

  26. Primality testing

  27. Primality testing

  28. Fermat's Last Theorem Fermat's Last Theorem states that x^n + y^n = z^n has no non-zero integer solutions for x, y and z when n > 2.

  29. RSA Technical difficulties: • How do we know the algorithm works correctly? • How to pick large prime numbers? • Compute pq • How to choose e • Compute d • How to compute M^e, C^d? • Can anyone break the code?

  30. How to compute M^e, C^d?

  31. Modular exponentiation In order to implement RSA, exponentiation relative to some modulus needs to be done a lot. So this operation had better be doable, and fast. Q: How is it even possible to compute 2853^3397 mod 4559? After all, 2853^3397 has approximately 3397·4 digits!

  32. Modular exponentiation A: By taking the mod after each multiplication. For example: 23^3 mod 30 ≡ (-7)^3 (mod 30) ≡ (-7)^2 · (-7) (mod 30) ≡ 49 · (-7) (mod 30) ≡ 19 · (-7) (mod 30) ≡ -133 (mod 30) ≡ 17 (mod 30)

  33. Modular exponentiation Therefore, 23^3 mod 30 = 17. Q: What if we had to figure out 23^16 mod 30? Doing it the same way is tedious: we would need to multiply 15 times. Is there a better way?

  34. Modular exponentiation A: Better way. Notice that 16 = 2·2·2·2, so that 23^16 = 23^(2·2·2·2) = (((23^2)^2)^2)^2. Therefore: 23^16 mod 30 ≡ ((((-7)^2)^2)^2)^2 (mod 30) ≡ (((49)^2)^2)^2 (mod 30) ≡ (((-11)^2)^2)^2 (mod 30) ≡ ((121)^2)^2 (mod 30) ≡ ((1)^2)^2 (mod 30) ≡ (1)^2 (mod 30) ≡ 1 (mod 30). Which implies that 23^16 mod 30 = 1. Q: How about 23^25 mod 30?

  35. Modular exponentiation A: The previous method of repeated squaring works for any exponent that’s a power of 2. 25 isn’t. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together. Previous calculation: 23^8 mod 30 = 23^16 mod 30 = 1. Thus: 23^25 mod 30 ≡ 23^(16+8+1) (mod 30) ≡

  36. Modular exponentiation • x^25 mod N • Cost? – polynomial time (n = log N)

  37. Modular exponentiation How do we compute x^y mod m, m > 0? Repeated squaring algorithm:
      mod-exp(x, y, m)
        if y = 0 then return(1)
        else
          z = mod-exp(x, y div 2, m)
          if y mod 2 = 0 then return(z * z mod m)
          else return(x * z * z mod m)

  38. Compute d ?

  39. Modular Inverse

  40. GCD Greatest common divisor Example:

  41. Euclid Algorithm If a, b ∈ Z+, apply division (mod) repeatedly as follows: a = q1·b + r1, where 0 < r1 < b; b = q2·r1 + r2, where 0 < r2 < r1; r1 = q3·r2 + r3, where 0 < r3 < r2; …; r_{k-2} = q_k·r_{k-1} + r_k, where 0 < r_k < r_{k-1}; r_{k-1} = q_{k+1}·r_k. Then r_k = GCD(a, b). Proof: (1) r_k | a, r_k | b; (2) if d | a and d | b, then d | r_k.

  42. Recursion Theorem ∀a, b ∈ N, b ≠ 0: gcd(a, b) = gcd(b, a mod b). Proof: Let d = gcd(a, b). ⇒ d | a, d | b. d | a - qb = a mod b ⇒ d | b, d | (a mod b) ⇒ d | gcd(b, a mod b). Let d = gcd(b, a mod b). ⇒ d | b, d | (a mod b). d | a - qb, d | b ⇒ d | a ⇒ d | gcd(a, b). ∴ gcd(a, b) = gcd(b, a mod b).

  43. Computing GCD Euclid
      gcd(x, y) {
        if y = 0 then return(x)
        else return(gcd(y, x mod y))
      }

  44. Euclid Algorithm Example: Computing gcd(125, 87): 125 = 1*87 + 38; 87 = 2*38 + 11; 38 = 3*11 + 5; 11 = 2*5 + 1; 5 = 5*1. • gcd(125, 87) = 1 • 11 - 2*5 = 1 • 11 - 2*(38 - 3*11) = 1 • -2*38 + 7*11 = 1 • -2*38 + 7*(87 - 2*38) = 1 • 7*87 - 16*38 = 1 • 7*87 - 16*(125 - 1*87) = 1 • -16*125 + 23*87 = 1 • 1 = 125*(-16) + 87*23 • 1 = as + bt ⇒ gcd(125, 87) = 1

  45. Extended Euclidean Algorithm • obtain gcd(a, b) and x, y s.t. gcd(a, b) = ax + by.
      Extended-Euclid(a, b)
        if (b == 0) return (a, 1, 0);
        (d', x', y') = Extended-Euclid(b, a mod b);
        (d, x, y) = (d', y', x' - floor(a/b)·y');
        return (d, x, y);
      Ex: demo, tracing Extended-Euclid(412, 260); each column is one recursive call, with x and y filled in on the way back up:
      a  412  260  152  108   44   20    4
      b  260  152  108   44   20    4    0
      q    1    1    1    2    2    5
      x   12   -7    5   -2    1    0    1
      y  -19   12   -7    5   -2    1    0
      d    4    4    4    4    4    4    4
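The pieces the lecture assembles, as an added Python example (mine, not the slides' code): mod_exp follows the slide-37 pseudocode, extended_euclid the slide-45 one, rsa_keys the slide-15 key setup, and apply_key is P(M) / S(C) from slides 13 to 15, run on the n = 4559, e = 13 example of slides 17 to 19. One assumption not stated on the slides: that example's modulus factors as 4559 = 47·97.

```python
# Added example (not from the slides): mod_exp = slide 37, extended_euclid =
# slide 45, rsa_keys = slide 15, apply_key = P(M)/S(C) of slides 13-15.
# Assumption (mine, not on the slides): 4559 = 47 * 97 is the (p, q) behind slides 17-19.
from math import gcd

def mod_exp(x, y, m):
    """x^y mod m by repeated squaring: about log2(y) squarings, all on numbers < m."""
    if y == 0:
        return 1 % m
    z = mod_exp(x, y // 2, m)
    if y % 2 == 0:
        return z * z % m
    return x * z * z % m

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and d = a*x + b*y."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = extended_euclid(b, a % b)
    return d, y1, x1 - (a // b) * y1      # (d, x, y) = (d', y', x' - floor(a/b)*y')

def mod_inverse(e, phi):
    """The d with d*e = 1 (mod phi), reduced into [0, phi). Needs gcd(e, phi) = 1."""
    d, x, _ = extended_euclid(e, phi)
    if d != 1:
        raise ValueError("e has no inverse: gcd(e, phi) != 1")
    return x % phi

def rsa_keys(p, q, e):
    """n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi. Returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e % 2 == 0 or gcd(e, phi) != 1:
        raise ValueError("e must be odd and relatively prime to phi(n)")
    return (e, n), (mod_inverse(e, phi), n)

def apply_key(key, blocks):
    """P(M) = M^e mod n, or S(C) = C^d mod n, block by block; every block must be in Z_n."""
    exp, n = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("each block must lie in Z_n = {0, ..., n-1}")
    return [mod_exp(b, exp, n) for b in blocks]

if __name__ == "__main__":
    public, secret = rsa_keys(47, 97, 13)                  # n = 4559, d = 3397
    plain = [1201, 1920, 14, 113, 500, 1913, 912, 525]     # LA ST NA ME SM IL EY, A=01..Z=26
    cipher = apply_key(public, plain)                      # starts 1074, 116, ...
    print(secret, cipher, apply_key(secret, cipher) == plain)
```

Applying the secret key first and the public key second is the slide-14 signature check, and the same round trip holds because M^(de) ≡ M (mod n) in both orders.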

  46. Cost? Theorem: The algorithm above correctly computes the gcd of x and y in time O(n), where n is the total number of bits in the input (x, y).

  47. RSA Technical difficulties: • How do we know the algorithm works correctly? • How to pick large prime numbers? • Compute pq • How to choose e • Compute d • How to compute M^e, C^d? • Can anyone break the code?

  48. How do we know RSA works correctly? Chinese Remainder Theorem (~1700 years old)

  49. Exponential Inverses In RSA encryption, c = m^e mod N. We want to find a different exponent d based on e and N which will give us back m, i.e. we want m^(de) mod N = m. In other words, we want an exponential inverse for e modulo N. (recall: de ≡ 1 mod φ(n))

  50. Theorem Given e and distinct prime numbers p, q. Suppose that e is relatively prime to (p-1)(q-1). Then the exponential inverse of e is the inverse of e modulo (p-1)(q-1). If this is a theorem, then we can claim RSA works correctly.
