
# The RSA Algorithm and Reed-Solomon Codes - PowerPoint PPT Presentation


Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

### The RSA Algorithm and Reed-Solomon Codes

• Two Information Coding Schemes

• RSA Algorithm

• Privacy

• Authenticity

• Reed-Solomon Codes

• (Bursty) Noise Tolerance

Trinity?

Yes, it’s me.

• Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc…)

• Requires prior agreement on a shared key over a secure channel

• What if Neo and Trinity have yet to meet?

• Mathematically-related public/private key pairs are generated

• Messages encrypted with public key

• Can only be decrypted with private key

• Infeasible to compute private key from public key alone

• No need to agree on a shared key!

• Rivest, Shamir and Adleman (1977)

• Based on difficulty of computing prime factors of large integers

• Pick two distinct primes p and q

• Compute n = pq and ɸ(n) = (p − 1)(q − 1)

• Pick e where 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1

• Compute d where de ≡ 1 (mod ɸ(n))

• Public key is (n, e), private key is (n, d)

• Encrypt with C ≡ M^e (mod n)

• Decrypt with M ≡ C^d (mod n)

Setup

Usage


• Let e, d, n be integers with n ≠ 0

• Fact: If gcd(e, n) = 1 (i.e. e and n are coprime), then there exists d such that de ≡ 1 (mod n)

• In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1


Euler’s Totient Function ɸ(n)

• Definition: the number of integers 1 ≤ a ≤ n with gcd(a, n) = 1

• Formula:

• For n = pq where p and q are primes, ɸ(n) = (p − 1)(q − 1)

• Let x, y, m, n be integers with n ≥ 0

• Fact: If x ≡ y (mod ɸ(n)), then m^x ≡ m^y (mod n)

• In other words, working mod n requires that we work mod ɸ(n) in the exponent


(M^e)^d ≡ M (mod n)

and

(M^d)^e ≡ M (mod n)

• Pick p = 37 and q = 43

• Compute n = 1591 and ɸ(n) = 1512

• Pick e = 71; gcd(e, ɸ(n)) = gcd(71, 1512) = 1

• Compute d = 575 (Extended Euclidean Algorithm); de = 40825 ≡ 1 (mod 1512)

• Public key is (n, e), private key is (n, d)

• Encrypt: C ≡ M^e ≡ 1234^71 ≡ 908 (mod 1591)

• Decrypt: M ≡ C^d ≡ 908^575 ≡ 1234 (mod 1591)

• Pick two distinct primes p and q

• Compute n = pq and ɸ(n) = (p − 1)(q − 1)

• Pick e where 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1

• Compute d where de ≡ 1 (mod ɸ(n))

• Public key is (n, e), private key is (n, d)

• Sign M with S ≡ M^d (mod n); send (M, S)

• Verify that M ≡ S^e (mod n)

Reversed!

Sign with private key

Verify with public key

• Modular exponentiation

• Successive-Squaring

• Computing d from e and ɸ(n)

• Extended Euclidean Algorithm

• Finding large primes

• Successive-Squaring to compute C ≡ M^e (mod n)

```
Let e = e_k e_{k-1} … e_0   (binary representation of e)
C := 1
For i := k, k − 1, …, 0
    C := (C * C) mod n
    If e_i = 1 Then C := (C * M) mod n
End For
```

• Performance: O(log e)

• Memory: O(1)

Computing d from e and ɸ(n)

• Extended Euclidean Algorithm:

• Since e and ɸ(n) are coprime, solving yields d = y satisfying

Find max. q_i satisfying and x_i and y_i satisfying

When r_k = 0, stop and output gcd(a, b) = r_{k−1} and x = x_{k−1} and y = y_{k−1}

Similar to the Euclidean Algorithm for gcd(a, b),

but retain the quotients q_i at each step i to compute x_i and y_i

• Generate a large random integer

• Apply a primality test repeatedly

• Primality Tests:

• Miller-Rabin

• Solovay-Strassen

• Fermat Primality Test

• Euler Witness, Euler Liar

1: Pick a large random integer

2: If for any small prime (Sieving)

3: go back to step 1

4: repeat times (Miller-Rabin)

5: pick random integer

6: do a primality test on ( , )

7: if test fails

8: go back to step 1

9: is probably prime

• Sieve of Eratosthenes


Miller-Rabin Primality Test

• divides or

or

• By Euclid’s Lemma

• If is prime and for any integer such that doesn’t divide

Miller-Rabin Primality Test

• : prime candidate

• : random integer

• is odd

Miller-Rabin Primality Test

or

• prime candidate

• random integer

• Either is a prime or is an Euler liar

• Now, we try another a

• prime candidate

• random integer

• is a composite

• is an Euler liar

• is an Euler witness

• Trying all possible witnesses below a limit

• Not used in practice

• If p < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.

• Complexity of Sieve of Eratosthenes:

• log(S)

• Complexity of Miller-Rabin:

• : number of tests

• Complexity of Deterministic Miller-Rabin
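The prime-generation recipe above (sieve by small primes, then repeated Miller-Rabin rounds) with the witness/liar distinction made explicit, plus the deterministic base set the slide quotes for p < 341,550,071,728,321. This is an added example, not the presenters' code; the small-prime sieve bound and the function names are my own choices.

```python
# Added example, not from the slides: the "sieve, then Miller-Rabin" prime
# search they outline, plus the deterministic base set they quote.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]   # sieving step (bound is our choice)

def is_witness(a, n):
    """True if a proves n composite (a witness); False if n is prime or a is a liar."""
    d, s = n - 1, 0
    while d % 2 == 0:                       # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):                  # square up to s - 1 more times
        x = (x * x) % n
        if x == n - 1:
            return False
    return True                             # never hit -1: a nontrivial sqrt of 1 exists

def miller_rabin(n, rounds=20, bases=None):
    """Probable-prime test: sieve by small primes, then `rounds` random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    if bases is None:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    return not any(is_witness(a, n) for a in bases)

def is_prime_deterministic(n):
    """Slide bound: below 341,550,071,728,321 the bases 2..17 never all lie."""
    if n >= 341_550_071_728_321:
        raise ValueError("bound exceeded; use the probabilistic test")
    return miller_rabin(n, bases=[2, 3, 5, 7, 11, 13, 17])

def random_prime(bits, rng=random):
    """Pick random odd integers of the requested size (bits >= 2) until one passes."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if miller_rabin(cand):
            return cand
```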

### Reed-Solomon Codes

Noise is Natural

Studied models in general

• Binary Symmetric Channel

• Binary Erasure Channel

• Noisy Typewriter Channel

• Continuous Output Channel

A Code

| M | C |
|---|---|
| 00 | 000 |
| 01 | 001 |
| 10 | 010 |
| 11 | 011 |
|  | 100 |
|  | 101 |
|  | 110 |
|  | 111 |

Distance between two codewords; for example,

10100

10001

Code Distance


No structure? Have to store the whole mapping in a codebook.

Linear Code: If is a field and , is a subspace of then is said to be a linear code


• As is a subspace, there exists a basis where is the dimension of the subspace

• Any code word can be expressed as a linear combination of these basis vectors.

for example,

Hamming Code is Linear

G =

n × k, where n = 7, k = 4

• a code over alphabet of length and min distance

• How many code words possible?

• Singleton Bound

• Applications: CDs, Space Communication, …

• Robust against Burst errors

[1960] Reed Solomon Code

From left: Gustave Solomon & Irving S. Reed

Given

Create a polynomial

p

• p has degree at most

• A non-zero polynomial of degree with coefficients from field has at most roots in .

• points are sufficient for describing the polynomial.

• Instead, we evaluate the polynomial at points and send them.

• Decoding:

• look at all possible subset from the set of n symbols received

• Interpolate a message polynomial for each subset

• Most popular message is the correct result

• But, impractical

• For [255, 249, 6], the number of 249-element subsets of the 255 received symbols is about 359 billion

### Finite Fields

• A set of elements with two operations “Addition” and “Multiplication” defined on these elements.

• Closed under these two operations

• Basically all arithmetic operations are allowed

Examples: Set of Real numbers, Set of Rational numbers…

• A field with finite number of elements.

Example: {0,1} with modulo operations

In general {0, 1, 2, …, p − 1} is a field with p elements under modulo-p operations (p prime).

How to construct fields with 8 elements?

In general, how to construct fields with p^r elements?

• A field with 2^m elements can be constructed by extending the field GF(2), which is {0, 1}.

• Let α denote an additional element in GF(2^m).

• Now GF(2^m) = {0, 1, α, α^2, …, α^(2^m − 1), α^(2^m), …}

• To make the number of elements 2^m, we restrict

α^(2^m − 1) = 1 = α^0

GF(2^m) = {0, α^0, α, …, α^(2^m − 2)}

• Any non-zero element in GF(2^m) can be written as a polynomial of degree at most m − 1.

• Coefficients are from GF(2); they can also be mapped to binary values.

• An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m − 1.

• Example: 1 + x + x^4, because it divides x^n + 1 for n = 15 and not for any smaller n.

• Used for constructing GF(2^m)

• RS codes use GF(2^m).

• Let f(x) = 1 + x + x^3 be a primitive polynomial.

• Let α, an element of the extension field, be defined as a root of the polynomial f(x).

• 1 + α + α^3 = 0, so

α^3 = 1 + α

• α^4 = α + α^2

• α^5 = 1 + α + α^2

• α^6 = 1 + α^2

• α^7 = 1

Reed Solomon Code: RS[n, k, d]

• Given n = 2^m − 1 and k = 2^m − 1 − 2t, an RS code can be constructed as follows (t is the number of errors it can correct)

• Construct a finite field GF(2^m) with 2^m elements using an irreducible polynomial

• Choose α_1, …, α_n from the field GF(2^m)

Given in GF(2m)

Create a polynomial

p

• The codeword is

Properties of RS(n,k,d)

• Linear Code

• Cyclic

• d = n − k + 1 (Maximum Distance Separable)

• Can correct up to n − k erasures

• Can correct up to (n − k)/2 symbol errors

• This form of encoding is not in systematic form

• Systematic form: parity symbols, message symbols

• 010 110 111 100 001 011 101 010 110 111

• Message polynomial α + α^3 x + α^5 x^2

• Code polynomial α^0 + α^2 x + α^4 x^2 + α^6 x^3 + αx^4 + α^3 x^5 + α^5 x^6

• A generator polynomial g(x) is defined as

g(x) = (x − α)(x − α^2) … (x − α^2t)

• Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x^2t.

• Define p(x) = x^2t m(x) (mod g(x))

• The final codeword polynomial u(x) is

u(x) = p(x) + x^2t m(x)

• Message polynomial α + α^3 x + α^5 x^2

• Yielding αx^4 + α^3 x^5 + α^5 x^6 after multiplication with x^2t, i.e. x^4

• Take g(x) = (x − α)(x − α^2)(x − α^3)(x − α^4)

= x^4 − α^3 x^3 + α^0 x^2 − αx + α^3

= α^3 + αx + α^0 x^2 + α^3 x^3 + x^4

Next divide αx^4 + α^3 x^5 + α^5 x^6 by g(x) to find the remainder p(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3.

Now u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + αx^4 + α^3 x^5 + α^5 x^6

• The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.

• The syndromes are basically evaluations of the received polynomial r(x) at α, α^2, α^3, …, α^2t.

S_i = r(α^i), i = 1, 2, …, 2t

• If r(x) is a valid codeword then all the S_i evaluate to zero.

• Any non-zero S_i indicates the presence of errors.
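The finite-field construction from f(x) = 1 + x + x^3, the systematic encoding example (message α + α^3 x + α^5 x^2, t = 2) and the syndrome check, all in one runnable piece. This is an added example written for this page, not the presenters' code; the element encoding (3-bit integers, bit i = coefficient of α^i) and the function names are my own choices.

```python
# Added example, not from the slides: GF(2^3) from f(x) = 1 + x + x^3, then the
# systematic RS[7,3,5] encoding and syndrome check the slides work through (t = 2).
# Elements are 3-bit ints (bit i = coefficient of alpha^i), built from alpha^3 = 1 + alpha.
EXP, LOG = [0] * 7, [0] * 8
_v = 1
for _i in range(7):                       # alpha^0 .. alpha^6
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0b1000:                       # overflow past alpha^2: reduce by f
        _v ^= 0b1011
# EXP == [1, 2, 4, 3, 6, 7, 5]: alpha^3 = 011, alpha^4 = 110, alpha^5 = 111, alpha^6 = 101

def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[(LOG[a] + LOG[b]) % 7]     # alpha^7 = 1 wraps the exponent

def poly_mul(p, q):                       # coefficient lists, index = degree
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)    # addition in GF(2^m) is XOR
    return out

def poly_eval(p, x):                      # Horner's rule
    acc = 0
    for c in reversed(p):
        acc = gf_mul(acc, x) ^ c
    return acc

def generator(t):
    """g(x) = (x - alpha)(x - alpha^2) ... (x - alpha^2t); minus is plus in GF(2^m)."""
    g = [1]
    for i in range(1, 2 * t + 1):
        g = poly_mul(g, [EXP[i], 1])
    return g

def rs_encode(msg, t):
    """Systematic: u(x) = p(x) + x^2t m(x), where p(x) = x^2t m(x) mod g(x)."""
    g, rem = generator(t), [0] * (2 * t) + list(msg)
    for i in range(len(rem) - 1, 2 * t - 1, -1):   # long division by monic g(x)
        coef = rem[i]
        for j, gc in enumerate(g):
            rem[i - 2 * t + j] ^= gf_mul(coef, gc)
    return rem[:2 * t] + list(msg)                # parity symbols, then message

def syndromes(received, t):
    """S_i = r(alpha^i), i = 1..2t; all zero iff r(x) is a valid codeword."""
    return [poly_eval(received, EXP[i]) for i in range(1, 2 * t + 1)]
```

rs_encode([2, 3, 7], 2) reproduces the slide's codeword α^0, α^2, α^4, α^6, α, α^3, α^5 as [1, 4, 6, 5, 2, 3, 7], and flipping any one symbol makes at least one syndrome non-zero.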

• The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2^m).

• Hence r(x) = u(x) + e(x).

• The problem of finding e(x) from r(x) (or the syndromes) is decoding.

• Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).

• If at most t of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.

• Polynomial multiplication/division using FFT takes O(k log k), where k is the maximum of the degrees of the polynomials.

• Error polynomial e(x) = e_0 + e_1 x + … + e_n x^n

• Suppose the received polynomial r(x) has ν errors in it at the locations i_1, i_2, …, i_ν. The magnitude of the error at location i_l is e_{i_l}.

• Then the syndromes can be written in the form

S_j = e_{i_1} X_1^j + e_{i_2} X_2^j + … + e_{i_ν} X_ν^j,  j = 1, 2, …, 2t

where X_l = α^{i_l}

### Decoders for Reed Solomon Codes

• Calculate Syndromes

• Find the error locator polynomial

• Peterson-Gorenstein-Zierler Decoder

• Find error locations

• Chien Search

• Find error values

• Forney’s Algorithm

Finding S_j for j = 1 to 2t

Non-Linear

System!!

• Help to find the locations where an error has occurred

• Intuition: The roots of this polynomial are inverses of the error locations

Expanding Λ(x):

For x = X_l^−1 and for any 1 ≤ l ≤ ν

Multiplying throughout by Y_l X_l^(j+ν)

Sum over l = 1 to t

Repeating for j = 1 to

• Equation (1) – (4) now form a system of Linear Equations

Peterson-Gorenstein-ZierlerDecoder (1960)

• Solve for the Λ_i by finding the largest value of ν for which M_ν is non-singular, starting from ν = t

• Overall this algorithms runs in polynomial time

• ν≤ t; 2t = n – k = O(n) (could also be O(1) for large n & k)

• Use polynomial-time algorithms for matrix determinants and inversion


Chien Search

• Find roots of Error Locator Polynomial, Λ(x), by exhaustive search

• Evaluate Λ(αi) for i = 1, 2, …, 2t

• Find all i where Λ(α^i) = 0, i.e. α^i is a root of Λ(x)

• Error locations will also be of the form α^j

• Here, α^j = (α^i)^−1 and j = 2t − i.

• If number of errors found is ≥ t, abort process


Vandermonde

Matrix

Convert to matrix form

• Defining the Syndrome polynomial:

• Defining the Error Evaluator polynomial:

• Error value Y_i for all i ∈ {1, 2, …, }:

where, b is the degree of the smallest root of the generating function of the code &


• r(x) = u(x) + e(x)

• Decoding techniques help determine e(x) completely

• Hence, u(x) = r(x) − e(x): the message sent is recovered

We are done!!

• Other more efficient (implementation wise) algorithms for decoding:

• Berlekamp-Massey Decoder (LFSR and iterative correction)

• Euclidean Algorithm (Values and locations simultaneously determined using iterative GCD of polynomials)

• Decoders implemented as dedicated chips by manufacturers (Hardware and Software)

RSA:

• Evgeny Milanov, RSA algorithm, http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf

• Kenneth Rosen, Elementary Number Theory and its Applications, 5th Ed., Pearson International

• Trappe & Washington, Introduction to Cryptography with Coding Theory, 2nd Ed., Pearson International

Reed-Solomon Codes:

• Bernard Sklar, Reed-Solomon error correction, http://ptgmedia.pearsoncmg.com/images/art_sklar7_reed-solomon/elementLinks/art_sklar7_reed-solomon.pdf

• V. Guruswami, Introduction to Coding Theory, CMU, http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/

• John Gill, EE 387 Note #7, Stanford University, http://www.stanford.edu/class/ee387/handouts/notes7.pdf

• Wikipedia