1

Numerical AlgorithmsChapter 10

2

Facts About Numbers

• Prime number p:– p is an integer– p 2– The only divisors of p are 1and p

• Examples– 2, 7, 19 are primes 3, 1, 6 are not primes

• Prime decomposition of a positive integer n:

n p1e

1 … pke

k

• Example:– 200 23 52

Fundamental Theorem of ArithmeticThe prime decomposition of a positive integer is unique

3

Greatest Common Divisor

• The greatest common divisor (GCD) of two positive integers a and b, denoted gcd(a, b), is the largest positive integer that divides both a and b

• The above definition is extended to arbitrary integers• Examples:

gcd(18, 30) 6 gcd(0, 20) 20gcd(21, 49) 7

• Two integers a and b are said to be relatively prime if they have no common factors:

gcd(a, b) 1

• Example: Integers 15 and 28 are relatively prime

4

Modular Arithmetic

• Modulo operator for a positive integer nr a mod n

equivalent toa rkn

andr a a/n n

• Example:29 mod 13 3 13 mod 13 0 1 mod 13 1229 3 213 13 0 113 12 1 113

• Facts for Euclids Algorithm: Modulo and GCD: as a mod b = r means a = r + kb

gcd(a, b) = gcd(b, r+kb) =gcd(b,r) = gcd(b,a mod b)• Why? gcd(a, b) = gcd(b, r+kb) everything that divides b already divides kb,

so the only thing of interest is what divides r. (The kb holds no information as there is no restriction.)

• Example: gcd(21, 12) gcd(12, 9)= gcd(9,3) gcd(3,0) 3

5

Euclid’s GCD Algorithm

• Euclid’s algorithm for computing the GCD repeatedly applies the formulagcd(a, b) gcd(b, a mod b)

• Example– gcd(412, 260) 4– Note b decreases by half in two

iterations

a 412 260 152 108 44 20 4

b 260 152 108 44 20 4 0

Algorithm EuclidGCD(a, b)Input integers a and bOutput gcd(a, b)

if b = 0return a

elsereturn EuclidGCD(b, a mod b)

6

Analysis

• Let ai and bi be the arguments of the i-th recursive call of algorithm EuclidGCD

• We have

ai2 bi1 ai mod ai1ai1

• Sequence a1, a2, …, an decreases exponentially in two rounds, namely ai2 ½ ai for i 1Case 1 ai1½ ai ai2ai1½ ai

Case 2 ai1½ ai ai2ai mod ai1 = aiai1 ½ ai

• Thus, the maximum number of recursive calls of algorithm EuclidGCD(a. b) is

1 2 log max(a, b)• Algorithm EuclidGCD(a, b) executes O(log max(a, b)) arithmetic

operations

7

Euclid’s Binary Algorithm(Faster on computers)

int Algorithm EuclidBinaryGCD(int a,int b){if (a==0) return bif (b==0) return a;if (a mod 2==0 and b mod 2 ==0) return 2*EuclidBinaryGCD(a/2,b/2)if (a mod 2==0 and b mod 2 ==1) return EuclidBinaryGCD(a/2,b)if (a mod 2==1 and b mod 2 ==0) return EuclidBinaryGCD(a,b/2)// gcd(a,b) = gcd(a mod b , b) = gcd(a-kb,b) for any k// letting k=1. a-b is even.// since b is odd, we know 2 isn’t a factor, so we can divide it out// need min(a,b) or otherwise could make problem largerreturn EuclidBinaryGCD(|a-b|/2,min(a,b))}

8

Prove ab mod n = (a mod n)(b mod n) mod n

• Let a = c +dn

• Let b = e + fn

• ab mod n = (c +dn)(e + fn) mod n

• =(ce +cfn +dne +dfn2) mod n

• = ce mod n

9

Multiplicative Inverses

• The residues modulo a positive integer n are the set

Zn {0, 1, 2, …, (n1)}

• Let x and y be two elements of Zn such that

xy mod n 1

We say that y is the multiplicative inverse of x in Zn and we write y x1

• Example (can do by trying all possibilities):– Multiplicative inverses of the residues modulo 11

x 0 1 2 3 4 5 6 7 8 9 10

x1 1 6 4 3 9 2 8 7 5 10

What if n = 12?

10

   Mult 1 2 3 4 5 6 7 8 9 10 11

1 1 2 3 4 5 6 7 8 9 10 11

2 2 4 6 8 10 0 2 4 6 8 10

3 3 6 9 0 3 6 9 0 3 6 9

4 4 8 0 4 8 0 4 8 0 4 8

5 5 10 3 8 1 6 11 4 9 2 7

6 6 0 6 0 6 0 6 0 6 0 6

7 7 2 9 4 11 6 1 8 3 10 5

8 8 4 0 8 4 0 8 4 0 8 4

9 9 6 3 0 9 6 3 0 9 6 3

10 10 8 6 4 2 0 10 8 6 4 2

11 11 10 9 8 7 6 5 4 3 2 1

11

Multiplicative Inverses

What if n=12? Not everything HAD an inverse.

x 0 1 2 3 4 5 6 7 8 9 10 11

x1 1 5 7 11

12

Questions

• Why would someone want to find inverses?Helpful for encryption. Multiply by x to encrypt and by x-1 to decrypt.

Example: Want to send a series of numbers privately.

You tell the recipient (via private delivery) that whatever you send needs to be multiplied by 4 and mod-ed by 11.

I want to send 6, I multiply by 3 (mod 11) and get 7

You take the 7 multiply by 4 (mod 11) and get 6 TADA!!!

• How do you find inverses?• Can you easily tell if an inverse exists?

13

Theorem 10.3: gcd(a,b) is the smallest positive integer d such that d= ia+jb (for integers i,j)

Why: A. anything that divides both a and b clearly divides d, so d gcd(a,b) B. need to show d gcd(a,b) let h=a/d, by definition of mod d>a mod d = a-hd = a-h(ia+jb) =(1-hi)a + (-hj)b

thus a mod d is a linear combination of a,bBut d is the smallest positive linear combination. Problem as we just

found a smaller one (a mod d). Solution – a mod d must be 0 as we restricted d to be a positive integer.

Thus, d evenly divides a. Through a similar argument, d evenly divides b, so it is a divisor of a and b. d gcd(a,b).

14

Theorem 10.6

An element x of Zn has a multiplicative inverse if and only if x and n are relatively prime

• Example The elements of Z10 with a multiplicative inverse are 1, 3, 5, 7

• Why? Prove each direction separately

If x and n are relatively prime, x has an inverse

gcd(x,n) = 1 so ix +jn = 1 so ix mod n =1

Tada: i and x are inverses (mod n)! if x has a multiplicative inverse, x and n are relatively prime. Proof by

contraction. Assume gcd(x,n) >1 (not relatively prime)

Let y be the inverse – so xy mod n = 1

Thus xy – dn = 1 (for some value, d) by definition of mod

But then 1 would be the gcd(x,n) – contradiction!

15

Thm 10.3: gcd(a,b) is the smallest positive integer d such that d= ia+jb (for integers i,j)

Proof sketch: Try to prove that d gcd(a,b) AND d gcd(a,b). If we could do that, we would show d = gcd(a,b).

Part 1: SHOW d gcd(a,b) 1. Anything that divides both a and b clearly divides d = ia +jb BECAUSE_____________________________________________

2. Therefore…

Part 2: SHOW d gcd(a,b). 1. let h=a/d 2. d > a mod d BECAUSE ________________________________________ 3. a mod d = a-hd = a-h(ia+jb) =(1-hi)a + (-hj)b

4. So a mod d is a linear combination of a and b. 5. But we have a problem BECAUSE_________________________________________ 6. The solution is a mod d = 0 7. But that is GOOD NEWS as d evenly divides a. Through a similar argument d evenly divides b. 8. Since d divides both a and b, we call it a divisor of a and b (right?) 9. Can d be bigger than the greatest common divisor? 10. Therefore…

16

Theorem 10.6

An element x of Zn has a multiplicative inverse if and only if x and n are relatively prime

Proof sketch: to prove if and only if, we have to prove in each direction:

If x and n are relatively prime, x has an inverse 1. gcd(x,n) = 1 BECAUSE _____________________________ 2. ix +jn = 1 BECAUSE______________________________ 3. ix mod n =1 BECAUSE _____________________________ 4. Therefore….

if x has a multiplicative inverse, x and n are relatively prime. 1. Let y be the inverse of x; so xy mod n = 1 2. xy – qn = 1 BECAUSE_____________________________ 3. Therefore…

17

Corollary:

If p is prime, every nonzero residue (remainder) in Zp has a multiplicative inverse

Great! so now know inverses mod p will exist for every number if p is a prime.

Fill in table below!

x 0 1 2 3 4 5 6 7 8 9 10 11 12

x-1 1 7 9

18

TheoremA variation of Euclid’s GCD algorithm computes the multiplicative inverse of an element x of Zn or determines that it does not exist. All we have to do is return the coefficients of a and b.

19

Consider an extended version of Euclid algorithm which not only returns the gcd BUT also the multipliers of a and b which prove the gcd.

(gcd, amult, bmult) ExtendedEuclidGCD(a,b){

if (b==0) return (a,1,0)

(d,a1,b1)= ExtendedEuclidGCD(b,a mod b)

// d = b*a1 + (a mod b)*b1 (by def of ExtendedEuclid)

// = b*a1+(a -a/bb)*b1

// = b1*a + b(a1- a/b*b1)

return (d,b1,a1-a/b*b1)

}

20

From this algorithm, how find inverses?

• Theorem 10.6 tells us that x of Zn has an inverse iff gcd(x,n) = 1

• So…• use extended Euclid to find gcd(x,n)• if gcd(x,n) != 1, there is no inverse• if gcd(x,n) == 1 then ix +jn = 1• ix = (1-jn) • ix = 1 (mod n) so i is the inverse of x• Try to find the inverse of 5 mod 9 using this

technique

21

Corollary (to theorem 10.6)10.7: if gcd(x,n) = 1 then

Zn={ix mod n:i=0,1,...,n-1}

Nice! used in hash functions to make sure all entries are reached

Try it: gcd(5,9) = 1

i5 mod 9 (i=0..n-1)=

(0 5 10 15 20 25 30 35 40) mod 9

=(0 5 1 6 2 7 3 8 4 )

22

Proof by contradiction:

Left as exercise to reader

23

Powers• Let p be a prime• The sequences of successive powers of the elements of Zp (mod p)

exhibit repeating subsequences • The sizes of the repeating subsequences and the number of their

repetitions are the divisors of p 1• Example (p 7) Notice how [xp-1 = 1 ] (mod p) for any x!• I don’t know why anyone was prompted to play with this, but wouldn’t it have been exciting

to discover?

x x2 x3 x4 x5 x6

1 1 1 1 1 1

2 4 1 2 4 1

3 2 6 4 5 1

4 2 1 4 2 1

5 4 6 2 3 1

6 1 6 1 6 1

24

Fermat’s Little TheoremStated in 1640, generalized by Euler in 1760.

Let p be a prime. For each nonzero residue x of Zp we have xp1 mod p 1

• Example (p 5):14 mod 5 1 24 mod 1 16 mod 5 1

34 mod 1 81 mod 5 1 44 mod 1 256 mod 5 1

**Corollary

Let p be a prime. For each nonzero residue x of Zp the multiplicative inverse of x is xp2 mod p Proof

x(xp2 mod p) mod p xxp2 mod p xp1 mod p 1

25

Proof of Fermat’s theoremLet p be a prime. For each nonzero residue x of Zp we have xp1

mod p 1

Sufficient to prove if 0 < x <p because

xp-1 =p (x mod p)p-1

By Corolary 10.7:{1,2,...p-1} = {x*1,x*2,x*3...x*(p-1)}

So their products are equal:

(p-1)! = x*1*x*2*...x*(p-1) = xp-1(p-1)!

Since p is prime, every non null element in Zp has a multiplicative inverse. So (p-1)! has an inverse.

1 = xp-1

Converse is not true (prove primality by observing mods), although Chinese thought it was. It is probable that the Chinese observed this experimentally and never thought to prove it. Numbers which are counter examples are called Carmichael numbers (pseudoprime to any base) .

26

The multiplicative group for Zn, denoted Z*n, is the subset of elements of Zn relatively prime with n

A group is an abstract algebra concept:

Given a non-empty set of elements with an operation *

1. Closed

2. is associative

3. has an identity element,e (a*e = a, for all a)

4. every element has an inverse a*a-1 = e• The totient function of n, denoted (n), (pronounced “fee

of n”) is the size of Z*n

• Example Z*10 { 1, 3, 7, 9 } (10) 4

At seats: Prove the group properties.

• If p is prime, we have

Z*p {1, 2, …, (p1)} (p) p1

27

• If p isn’t prime, how many elements are in Z*n?

Let p=ab, where a and b are prime

(p) (a-1)(b-1) so (10) = (2-1)(5-1) = 4

why?

There are p possible elements of (p)

If p is composite (p=ab), Thus, there are a multiples of b and b multiples of a in the set of possibilities (but ab=ba, so don’t count it twice).

Because a and b are prime, there are no other numbers less than ab which are multiples of both.

so we have ab – a – (b-1) = a(b-1) – (b-1) = (a-1)(b-1)

28

Euler’s (pronounced oilers) TheoremGeneralization of Fermat’s theorem

(Leonhard Euler was a brilliant Swiss mathematician. Contemporaries said he could master any problem, although  Fermat's last theorem stumped him. He  invented imaginary numbers while trying to prove the theorem. Some of his very advanced mathematics had no practical use, but recently one of his obscure equations was rediscovered and helped develop super-string theory.)

Theorem

For each element x of Z*n, we have x(n) mod n 1•Example (n 10) Z*10 { 1, 3, 7, 9 }

3(10) mod 10 34 mod 10 81 mod 10 17(10) mod 10 74 mod 10 2401 mod 10 19(10) mod 10 94 mod 10 6561 mod 10 1

For each element x of Z*n, we have x-1 = x(n)-1

29

What if p is not the product of two primes, how do we compute (n)?

• Our text doesn’t tell us.

• There are lots of interesting facts about totient functions.

• http://mathworld.wolfram.com/TotientFunction.html

30

Generators

• Given a prime p and an integer a between 1 and p-1, the order of a is the smallest exponent r > 1 such that

ar =1 (mod p)

A generator (also called a primitive root) of Zp is an element g of Zp with order p-1.

We use the term generator because repeated exponentiation of g can generate all of Zp*

Theorem 10:10 if p is prime then set Zp has (p-1) generators.

31

Example:if p is prime then set Zp has (p-1) generators.

• p=7, (7-1) = (6) =2 generators Z*6 = {1,5} x x2 x3 x4 x5 x6

1 1 1 1 1 1

2 4 1 2 4 1

3 2 6 4 5 1

4 2 1 4 2 1

5 4 6 2 3 1

6 1 6 1 6 1

32

Example:if p is prime then set Zp has (p-1) generators.

• p=11, (11-1) = (10) =4 generators Z*10 = {1,3,7,9} x x2  x3  x4  x5  x6  x7  x8  x9  x10 

1 1 1 1 1 1 1 1 1 1

2 4 8 5 10 9 7 3 6 1

3 9 5 4 1 3 9 5 4 1

4 5 9 3 1 4 5 9 3 1

5 3 4 9 1 5 3 4 9 1

6 3 7 9 10 5 8 4 2 1

7 5 2 3 10 4 6 9 8 1

8 9 6 4 10 3 2 5 7 1

9 4 3 5 1 9 4 3 5 1

10 1 10 1 10 1 10 1 10 1

33

Modular Power: We need a fast way of computing ap mod n.The algorithm is easier than the explanation

int FastExp(a,p,n) // return ap mod n

{if p==0 return 1 // anything to the zero power is 1

if p mod2 ==0 {

half = fastExp(a,p/2, n)

return half2 mod n}

// p is odd t

half = fastExp(a,(p-1)/2,n) // take out 1 a; find power of ap-1

return a(half2mod n) mod n

}

34

Pseudoprimality Testing• Experimental evidence suggests:The number of primes less than or

equal to n (for large n) is about n ln nSo if n = 2b = 210, there are about 210/10 primes = 100 primes.• Testing whether a number is prime (primality testing) is believed to be a

hard problem• An integer n2 is said to be a base-x pseudo-prime if

– xn1 mod n1 (Fermat’s little theorem)– For example, for n = 341, 2340 mod n = 1 so 341 is pseudoprime to base 2.

• (They often use the term pseudoprime for both primes and non-primes that pass this test.)

• Non-prime base-x pseudoprimes are rare:– A random 100-bit integer is a composite base-2 pseudoprime with probability

less than 10-13

– The smallest composite base-2 pseudoprime is 341• Base-x pseudoprimality testing for an integer n:

– Check whether xn1 mod n1 – Can be performed efficiently with the repeated squaring algorithm– If you repeated this for many x’s, you would have greater confidence that n is

prime. (A Monte Carlo approach, right?)

35

Randomized Primality Testing• Compositeness witness function

isComposite(x, n) with error probability q for a random variable xCase 1: isComposite w(x, n)true

we know x is not prime!Case 2: isComposite w(x, n)false

lies with probability q1

• Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating isComposite(x, n)

• A variation of base- x pseudoprimality provides a function for randomized primality testing (Rabin-Miller algorithm)

• isComposite =true if xn-1≠1 (mod n)

Algorithm RandPrimeTest(n, k)Input integer n,confidence parameter k and composite witness function isComposite(x,n) with error probability qOutput an indication of whether n is composite or prime with probability 2k

t klog2(1q)for i 1 to t

// try same n with different xx random()if isComposite(x,n)= true

return “n is composite”return “n is prime”

36

• Skip rest of section 10.1.6

37

Encryption

• Scenario:– Alice wants to send a message (plaintext p) to Bob. – The communication channel is insecure and can be eavesdropped.

If Alice and Bob have previously agreed on an encryption scheme (cipher), the message can be sent encrypted (ciphertext c)

• Issues:– What is a good encryption scheme?– What is the complexity of encrypting/decrypting?– What is the size of the ciphertext, relative to the plaintext?– If Alice and Bob have never interacted before, how can they agree

on an encryption scheme?

ciphertextencrypt decrypt plaintextplaintext

38

Traditional Cryptography

• Ciphers were studied in ancient times• Caesar’s cipher (replace with symbol X away):

– replace a with d– replace b with e– ...– replace z with c

• Caesar’s cipher is an example of a monoalphabetic substitution cipher, which permutes the characters

• Armed with simple statistical knowledge, one can easily break a monoalphabetic substitution cipher– most frequent letters in English: e, t, o, a, n, i, ... – most frequent digrams: th, in, er, re, an, ... – most frequent trigrams: the, ing, and, ion, ...

• The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi

39

Decryption• Code: X Z A V O I D B Y G E R S P C F H J K L M N Q T U W

Org: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z• Ciphertext:

PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”

OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK• Plaintext:

Now during this time Shahrazad had borne King Shahriyar three sons. On the thousand and first night, when she had ended the tale of Ma'aruf, she rose and kissed the ground before him, saying: “Great King, for a thousand and one nights I have been recounting to you the fables of past ages and the legends of ancient kings. May I make so bold as to crave a favour of your majesty?”Epilogue, Tales from the Thousand and One Nights

40

Secret-Key Encryption

• A secret-key cipher uses a unique key K to encrypt and decrypt• Caesar’s generalized cipher uses the modular addition of each

character (viewed as an integer) with the key: C[i]P[i]K )mod m (p is plaintext)

P[i]C[i]K) mod m• More secure secret-key encryption schemes have been devised

in this century• Examples:

– DES– 3DES– IDEA– BLOWFISH

• With private-key encryption, a distinct secret key must be established for every pair of parties

41

Public-Key Encryption

• Bob uses a pair of keys (KE,KD) and

– makes key KE public

– keeps key KD private

• Anyone can use the public key KE to encrypt a plaintext into a ciphertext sent to Bob

• Only Bob can decrypt the ciphertext using the private key KD

• The most popular encryption scheme is RSA, named after its inventors Rivest, Shamir, and Adleman (1978)

• The RSA patent expired in 2000

ciphertextencrypt decrypt plaintextplaintext

public key private key

Advantages/Disadvantages of Public Key Encryption

• Advantages

If two people have never communicated before, they can still send secure messages

• Disadvantages

If the key is public, someone may be able to figure out the private key.

42

43

RSA Cryptosystem• Setup:

– npq, with p and q primes

– e relatively prime to(n)(p 1) (q 1)

– d inverse of e in Z(n)

• Keys:–Public key: KE(n, e)–Private key: KD(n,d)

• Encryption:–Plaintext M in Zn

– C = Me mod n• Decryption: (see text for why)

– M = Cd mod n = Med mod n– as xed = x (mod n) Thm 10.21

• Example– Setup:

• p7, q17• n717119(n)61696 • e5• d77

– Keys:• public key: (119, 5)• private key: 77

– Encryption:• M19• C195 mod 119 = 66

– Decryption:• C6677 mod 119 = 19

44

Correctness• We show the correctness of

the RSA cryptosystem for the case when the plaintext M has no common factors with n

• Namely, we show that(Me)d mod nM

• Since ed mod (n)1, there is an integer k such that

ed k(n)1• Since gcd(M, n)=1, by Euler’s

theorem we haveM(n) mod n1

• Thus, we obtain(Me)d mod n

Med mod nMk(n)1 mod nMMk(n) mod

nM (M(n))k mod nM (M(n) mod n)k mod

nM (1)k mod nM mod n

M• See the book for the proof of

correctness in the case when the plaintext M is not relatively prime with respect to n

45

Security• The security of the RSA

cryptosystem is based on the widely believed difficulty of factoring large numbers–The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored

• The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers

• In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits)

• In 1999, a 512-bit number was factored in 4 months using the following computers:–160 175-400 MHz SGI and Sun

– 8 250 MHz SGI Origin

– 120 300-450 MHz Pentium II

– 4 500 MHz Digital/Compaq

• Estimated resources needed to factor a number within one year

Bits PCs Memory

430 1 MB = 106 128MB

760 215,000 GB = 109 4GB

1,020 342106 170GB

1,620 1.61015 TB=1012 120TB

46

Algorithmic Issues

• The implementation of the RSA cryptosystem requires various algorithms

• Overall–Representation of integers of arbitrarily large size and arithmetic operations on them

• Encryption–Modular power

• Decryption–Modular power

• Setup–Generation of random numbers with a given number of bits (to generate candidates p and q)

–Primality testing (to check that candidates p and q are prime)

–Computation of the multiplicative inverse (to compute d from e)

47

Information Security

fingerprintfH(M)

one-way hashmessageM

48

Digital Signature• Author A wants to send message M so that the message is known to come

from A and M is known not to have been altered.• A digital signature is a string S associated with a message M and the

author A that has the following propertiesIntegrity: S establishes that M has not been altered Nonrepudiation: S unequivocally identifies the author A of M and proves that A did

indeed sign M• A digital signature scheme provides algorithms for

– Signing a message by the author– Verifying the signature of a message by the reader

• A recently passed law (2000) in the US gives digital signatures the same validity of handwritten signatures

• A public-key cryptosystem yields a digital signature scheme provided encrypt(KE, decrypt(KD, M))M (is symmetric – can go both ways)

Signature: Alice (author) computes Sdecrypt(KD,M) using her private key KD and sends both (the pair (M,S)) to Bob

Verification: Bob (reader) computes M´encrypt(KE, S) using Alice’s public key KE and checks that M´M

49

RSA Digital Signature• Setup:

– npq, with p and q primes– e relatively prime to

(n)(p 1) (q 1) – d inverse of e in Z(n)

• Keys:– Public key: KE(n, e)– Private key: KDd

• Signature: use private key first

– Message M in Zn

– Signature S = Md mod n• Verification (send message

and encrypted message):– Check that M = Se mod n

• Setup:– p5, q11

n51155 (n)41040

e3– d2732781 240 + 1)

• Keys:– Public key: KE(55, 3)– Private key: KD27

• Signature:– M51– S5127 mod 556

• Verification:– S63 mod 55216 mod 55 = 51

50

One-Way Hash Function

• A one-way hash function H has the following properties– H maps a string M of arbitrary length into an integer dH(M)

with a fixed number of bits, called the fingerprint or digest of M– H can be computed efficiently– Given an integer d, it is computationally infeasible to find a

string M such that that H(M)d (one way, not invertible)

– Given a string M , it is computationally infeasible to find another string M´ such that H(M)H(M´) (collision resistance – for specific pair)

– It is computationally infeasible to find two strings M and M´ such that H(M)H(M´) (strong collision resistance – for all pairs)

51

• Used to speed up construction of digital signatures• Overcomes significant restriction of RSA. Now message

does not have to be less than the modulus.• Two widely used one-way hash functions are

– MD5 (Message Digest 5, 1992), which uses a 128-bit (16 bytes) fingerprint (size of hash table)

– SHA-1 (Secure Hash Algorithm 1, 1995), which uses a 160-bit (20 bytes) fingerprint

52

Example of One-Way Hash Digitally Signed Fingerprints

M f=H(m)

ciphertextf=H(m)

hash

hash

d

e

As before, send both message and hash/signed message.Alice computes first fH(M) and then the signature S of f by using her private key, d.Bob first computes fH(M) and then converts S by applying Alice’s public key (e). If he doesn’t get f, he knows Alice didn’t sign or M was changed.

Notice, M is not private. We just want verification that M was sent by Alice and not changed.

Bob’s part

53

• Since the one-way hash function H has the collision-resistance property, it is computationally infeasible to modify the message M while preserving the signature of the fingerprint fH(M)

fingerprint

fH(M)

one-way hash

sign

signatureSf d mod n

messageM

messageM

Alice:

Bob (received M and S):

one-way hash

H(M)

apply Alice’s public key e

S’S e mod n = f

Signature S

if f H(M) have

a problem