CS3235 - Computer Security
Fourth topic - Asymmetric (and other) Cryptography

Hugh Anderson
National University of Singapore, School of Computing
September, 2019

Keys...

Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed. —The Golden Bough, Sir James George Frazer.

Outline

1 Building blocks
    Symmetric and Asymmetric
    A high-level view

2 Background for the math
    Modulo, Fields and Primes...
    The maths for RSA

3 Quantum effects and security
    Computation computation
    Quantum cryptography


Symmetric key systems

Alice uses a key to send to Bob, who uses the same key...

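[Figure: Alice encrypts the plaintext P with key K, giving $C = E(K, P)$. Harry-the-hacker is on the channel carrying the encrypted message. Bob uses the same key K to recover the plaintext P.]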

Asymmetric key systems

A model for public/private keys

[Figure: Bob creates a pair of keys, freely gives away $K_{pub}$ and keeps $K_{priv}$ secret. Alice uses $K_{pub}$ to encrypt the plaintext P, giving $C = E(K_{pub}, P)$. Harry the hacker is on the channel carrying the encrypted message. Bob uses $K_{priv}$ to recover the plaintext P.]

$K_{pub}$ is the public key for Bob, $K_{priv}$ is his private key.
Only Bob can decrypt a message sent to him, but anyone can encrypt it.

Uses of asymmetric encryption

What use is asymmetric encryption?
1. Generating encrypted passwords with 1-way functions
2. Checking integrity by appending digital signature
3. Checking the authenticity of a message.
4. Encrypting timestamps with messages to prevent replay attacks.
5. Exchanging a key.

Note that...
Participants each have private and public keys, and that these two keys cannot be derived from each other.

Asymmetric encryption

[Figure: A model for public/private keys]

Asymmetric authentication

[Figure: A model for asymmetric authentication]

Doing both...

Possible technique...

[Figure 9.4 Public-Key Cryptosystem: Authentication and Secrecy. At source A, the message X passes through two encryption algorithms, giving Y and then Z. At destination B, two decryption algorithms recover Y and then X. The key pair sources supply PRa and PUa for A, and PUb and PRb for B.]

Doing both...

Actual technique...

[Figure: George and Barbara, with the key pairs ($K_{pub}$, $K_{priv}$) and ($J_{pub}$, $J_{priv}$). The plaintext P is sent as $E(K_{pub}, P)$ together with $E(J_{priv}, hash(E(K_{pub}, P)))$. The receiver recovers P using $K_{priv}$, applies the same hash function to the received ciphertext, and compares the result with the value recovered using $J_{pub}$.]

Man-in-the-middle for Public Keys

Motivation for PKI:

[Figure: Alice, Harry and Bob, with Harry in the middle.]

1: Alice asks Bob for his public key
2: Harry asks Bob for his public key
3: Bob returns his public key
4: Harry returns his own public key
5: Alice now uses wrong public key
6: Harry can read, and re-encode Alice’s msgs

The certification mechanism

RA and CA:

1: Bob registers with CA (Certification Authority) through RA (Registration Authority)
2: RA verifies Bob, and requests certificate
3: CA generates a certificate with Bob’s identity and public key (SIGNED)
4: Anyone can check Bob’s key using CA’s public key

Certificates

[Figure: Viewing a signed certificate]

Asymmetry through “one-way” or “trapdoor” functions...

We will see examples using these functions:
We use operations that are easy to do one way, say of $O(k)$, and difficult to reverse and do the other way: perhaps $O(e^k)$.

We want our mathematical systems to be
- of fixed size (i.e. modulo), and
- to operate over all values.

A trapdoor function is such a one-way function, but it can be reversed if some other information is later given. Suitable mathematical structures are finite cyclic groups (perhaps modular arithmetic) and/or finite fields.

Asymmetric system #1: Diffie Hellman

The discrete logarithm problem (one-way function):
- easy to calculate $n = g^k \bmod p$ given g, k and p (p is a prime)
- hard to calculate k in the same equation, given g, n and p.

Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.

[Figure: Alice holds p, g, a and sends $g^a \bmod p$ to Bob. Bob holds p, g, b and sends $g^b \bmod p$ to Alice. Ted, listening in, has p, g, $g^a \bmod p$ and $g^b \bmod p$.]

After exchange, knowledge is different

Only Alice knows a, only Bob knows b...

[Figure: Alice knows g, p, a, $g^a \bmod p$ and $g^b \bmod p$. Bob knows g, p, b, $g^a \bmod p$ and $g^b \bmod p$. Ted knows g, p, $g^a \bmod p$ and $g^b \bmod p$.]

Diffie-Hellman key agreement

So what does each party do?
Both Alice and Bob can now calculate the value $g^{ab} \bmod p$.

1. Alice calculates $(g^b \bmod p)^a \bmod p = (g^b)^a \bmod p$.
2. Bob calculates $(g^a \bmod p)^b \bmod p = (g^a)^b \bmod p$.

Shared key is $(g^b)^a \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p$.

Ted has a much more difficult problem.
It is difficult to calculate $g^{ab} \bmod p$ without knowing either a or b. The algorithmic run-time of the (so-far best) algorithm is exponential.

Diffie-Hellman key agreement

Forward function may be done in $O(r)$

Bit size   Forward   Reverse: Discrete logarithm solution
10         10        23
100        100       1,386,282
1,000      1,000     612,700,000,000,000,000,000,000

Relies on doing BIG number maths
1000 bit maths involves numbers with more than 300 decimal digits. The C “int” has 10 or so digits.

To calculate $g^b \bmod p$ where g, b and p are small is easy, but we need some math tricks when they are large.

Why primes? Fermat’s little theorem
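The key agreement and the forward/reverse cost gap from the Diffie-Hellman slides above, as an added example (not code from the original slides). `modexp` is the square-and-multiply "math trick" for big-number powers and `ted_discrete_log` is Ted's exhaustive search; the function names and the toy parameters p = 2579, g = 2 are constructed for illustration.

```python
import secrets


def modexp(g, k, p):
    """Forward function g^k mod p by square-and-multiply.

    One squaring per bit of k, so the work grows with the bit size of k,
    and no intermediate value ever exceeds p*p.
    """
    result, base = 1, g % p
    while k > 0:
        if k & 1:
            result = result * base % p
        base = base * base % p
        k >>= 1
    return result


def ted_discrete_log(g, n, p):
    """Reverse function by exhaustive search: find k with g^k mod p == n.

    Returns (k, tries). The number of tries grows with p itself, which is
    exponential in the bit size of p.
    """
    value = 1
    for k in range(p):
        if value == n:
            return k, k + 1
        value = value * g % p
    raise ValueError("n is not a power of g modulo p")


def key_agreement(p, g, a=None, b=None):
    """Run the exchange and return what is public and what each side derives."""
    # Secrets come from the OS CSPRNG unless the caller fixes them.
    a = a if a is not None else secrets.randbelow(p - 3) + 2
    b = b if b is not None else secrets.randbelow(p - 3) + 2
    ga = modexp(g, a, p)  # Alice -> Bob, visible to Ted
    gb = modexp(g, b, p)  # Bob -> Alice, visible to Ted
    return {
        "public": (p, g, ga, gb),          # everything Ted sees
        "alice_key": modexp(gb, a, p),     # (g^b)^a mod p
        "bob_key": modexp(ga, b, p),       # (g^a)^b mod p
    }


def ted_attack(public):
    """Ted can only get the key by first solving the discrete log of g^a."""
    p, g, ga, gb = public
    a, tries = ted_discrete_log(g, ga, p)
    return modexp(gb, a, p), tries


if __name__ == "__main__":
    run = key_agreement(p=2579, g=2)  # constructed toy parameters
    key, tries = ted_attack(run["public"])
    print("Alice:", run["alice_key"], "Bob:", run["bob_key"])
    print("Ted  :", key, "after", tries, "tries (feasible only because p is tiny)")
```

With a 12-bit prime Ted succeeds in at most a few thousand tries; each extra bit in p doubles his search while adding only one squaring to `modexp`.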

Asymmetric system #2: ElGamal

ElGamal is an encryption scheme based on Diffie-Hellman:
This system conflates the key-exchange, followed by encryption, into an announcement of a public key, followed by one transmission for each message.

Announcement: Alice announces a “public key value”: $g^a \bmod p$

Send messages: Later Bob sends a message m by choosing a random value (b), and sending $\langle g^b \bmod p, E(g^{ab} \bmod p, m) \rangle$. The encryption scheme $E(k, m)$ is symmetric, but using a secret key that Alice can also compute.

Asymmetric system #3: RSA

RSA is a well known public key encryption technique:
This public key system relies on the difficult problem of trying to find the complete factorization of a large composite [a] integer whose prime factors [b] are not known.

[a] An integer larger than 1 is called composite if it has at least one divisor larger than 1.

[b] The Fundamental Theorem of Arithmetic states that any integer N (greater than 0) may be expressed uniquely as the product of prime numbers.

How easy is it to crack?
Two RSA-encrypted messages have been cracked:

- The inventors of RSA published a 129-digits (430 bits) RSA public key. In 1994, it was factored with 5000 MIPS-years of computing time.
- A year later, a 384-bit PGP key was cracked. It needed 1300 MIPS-years to factor the key in three months.

Note that these efforts each only cracked a single RSA key.

The factorization problem

State of the art factorization
See http://en.wikipedia.org/wiki/Integer_factorization.
A 768 bits number (RSA-768) was factored in Dec 2009, using hundreds of machines over 2 years:

1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 =33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 ×36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

A Quantum computer can factor in polynomial time. In 2001, a 7-qubits quantum computer was built to factor 15.
In Nov 2007, D-Wave Systems announced a working 28-qubit computer:

http://www.nanowerk.com/news/newsid=3274.php

RSA coding algorithms

The four processes needed for RSA encryption:
1. Creating a public key
2. Creating a secret key
3. Encrypting messages
4. Decoding messages

To create public key $K_p$ and private key $K_s$

Step 1 - create public key
1. Select two large primes P and Q. Assign $x = (P - 1)(Q - 1)$.
2. Choose E relatively prime to x. Assign $N = P * Q$.
3. $K_p$ is N concatenated with E.

Step 2 - create private/secret key
1. Choose D: $D * E \bmod x = 1$ (i.e. multiplicative inverses)
2. $K_s$ is N concatenated with D.

Step 3 - encoding
1. Pretend m is a number. Calculate $c = m^E \bmod N$.

Step 4 - decoding
1. Calculate $m = c^D \bmod N$.
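The four steps above carried through in code, as an added example (not from the original slides) that keeps the slide's symbols P, Q, x, E, N, D. The primes 61 and 53, the exponent 17 and the function names are constructed toy values; this is unpadded "textbook" RSA, shown only to make the arithmetic concrete.

```python
from math import gcd


def extended_euclid(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b == g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def make_keys(P, Q, E):
    """Steps 1 and 2: returns (Kp, Ks) = ((N, E), (N, D))."""
    x = (P - 1) * (Q - 1)
    if gcd(E, x) != 1:
        # Without this, E has no multiplicative inverse mod x and no D exists.
        raise ValueError("E must be relatively prime to (P-1)(Q-1)")
    N = P * Q
    _, s, _ = extended_euclid(E, x)   # s*E + t*x == 1, so s is E^-1 mod x
    D = s % x
    assert D * E % x == 1
    return (N, E), (N, D)


def encode(Kp, m):
    """Step 3: c = m^E mod N. The message must already be a number below N."""
    N, E = Kp
    if not 0 <= m < N:
        raise ValueError("m must satisfy 0 <= m < N")
    return pow(m, E, N)


def decode(Ks, c):
    """Step 4: m = c^D mod N."""
    N, D = Ks
    return pow(c, D, N)


if __name__ == "__main__":
    Kp, Ks = make_keys(P=61, Q=53, E=17)   # constructed toy primes
    c = encode(Kp, 65)
    print("Kp =", Kp, "Ks =", Ks)
    print("m = 65 -> c =", c, "-> m =", decode(Ks, c))
    # Textbook RSA is deterministic: the same m always gives the same c,
    # which is one reason deployed RSA adds randomised padding.
    print("same ciphertext twice:", encode(Kp, 65) == c)
```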

System 4: ECC: using Fields (more detail later...)

A field has two operations traditionally called + and *
1. +, with elements of the field forming a commutative group. Identity is 0 and inverse of a is $-a$.
2. ∗, with elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by $a^{-1}$.

There is also the distributive identity, linking + and ∗ :

$a * (b + c) = (a * b) + (a * c)$

If c is not zero and $a * c = b * c$, then $a = b$.

Asymmetric system #4: ECC

Addition over cubic elliptic curves, such as $y^2 = x^3 + ax + b$, with zero O, and the points $E(a, b) = \{(x_0, y_0), (x_1, y_1), \ldots\}$ on the curve. These are points on a plane not a line.

An addition operation $+_{E(a,b)}$ for points on this curve: the sum of $P +_{E(a,b)} Q$ is reflection R of the intersection. The group is $\langle +_{E(a,b)}, E(a, b) \rangle$.

ECC uses curves whose elements are finite: prime curves $E_p(a, b)$ defined over $Z_p$, and binary curves $E_{2^m}(a, b)$ defined over $GF(2^m)$.

ECC adding: real and in $E_p(a,b)$

Adding points in $E(a,b)$
If we had $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$, and $P \neq \pm Q$, we can find $R = P +_{E(a,b)} Q$ by finding gradient of line, and then intersection with curve:

Gradient: $\Delta = \frac{y_Q - y_P}{x_Q - x_P}$
x coordinate for R: $x_R = \Delta^2 - x_P - x_Q$
y coordinate for R: $y_R = \Delta(x_P - x_R) - y_P$
Finally: $R = (x_R, y_R)$

$P +_{E(a,b)} P$ uses a different method

Adding points in $E_p(a,b)$
We find R as before, modulo p:

Gradient: $\Delta = \frac{y_Q - y_P}{x_Q - x_P} \bmod p$
x coordinate for R: $x_R = \Delta^2 - x_P - x_Q \bmod p$
y coordinate for R: $y_R = \Delta(x_P - x_R) - y_P \bmod p$
Finally: $R = (x_R, y_R)$

$P +_{E_p(a,b)} P$ again uses the different method.

Don’t expect operations to “look” nice

[Figure: Points on the discrete curve $y^2 = x^3 + x + 1 \bmod 23$]

Example $P +_{E_{23}(1,1)} Q$ operations

All operations modulo 23...

P + Q              Gradient Δ      x coordinate $x_R$       y coordinate $y_R$          R
(4, 0) + (7, 11)   = 11/3 = 19     = 19^2 − 4 − 7 = 5       = 19(4 − 5) − 0 = 4         (5, 4)
(3, 10) + (9, 7)   = −3/6 = 11     = 11^2 − 3 − 9 = 17      = 11(3 − 17) − 10 = 20      (17, 20)

Comments on ECC
ECC addition is an analog of modulo multiply. ECC repeated addition is an analog of modulo exponentiation.

Need a “hard” problem equivalent to the discrete log problem. Consider $Q = kP$, where Q, P belong to a prime curve... it is

- “easy” to compute Q given k, P but
- “hard” to find k given Q, P.

This is known as the elliptic curve logarithm problem.

Algorithms for ECC cryptography

Step 1 - create Alice’s private/secret key $K_{sA}$

Using an elliptic group $E_p(a, b)$, select a point G on the curve which has a large order n. The order of a point is the smallest value n such that $n \times G = 0$.

Choose $n_A : n_A < n$. $K_{sA}$ is $\langle n_A, E_p(a, b), G \rangle$.

Step 2 - create Alice’s public key $K_{pA}$

Calculate $P_A = n_A \times G$. $K_{pA}$ is $\langle P_A, E_p(a, b), G \rangle$

Step 3 - encoding using Alice’s public key $K_{pA}$

Choose a random k, and calculate $C = \langle c_1, c_2 \rangle = \langle k \times G, m + k \times P_A \rangle$

Step 4 - decoding using Alice’s private key $K_{sA}$

Calculate $m = c_2 - c_1 \times n_A$

Note that $m + kP_A - kGn_A = m + kn_AG - kGn_A = m$.

Why use ECC?

[Figure: Comparable key sizes]

The advantage of ECC is that we can use much smaller bit sizes to get much the same levels of security.

Calculating $2P = P +_{E_p(a,b)} P$ for ECC

Doubling a point in $\langle +_{E_p(a,b)}, E_p(a,b) \rangle$
If $y_P = 0$, return O, the zero point.

$P = (x_P, y_P)$, and $y_P \neq 0$.

Find $R = P +_{E_p(a,b)} P$ by finding gradient of the tangent, and then intersection with curve:

Gradient: $\Delta = \frac{3x_P^2 + a}{2y_P} \bmod p$
x coordinate for R: $x_R = \Delta^2 - 2x_P \bmod p$
y coordinate for R: $y_R = \Delta(x_P - x_R) - y_P \bmod p$
Finally: $R = (x_R, y_R)$

All operations modulo 23...

P + P              Gradient Δ       x coordinate $x_R$    y coordinate $y_R$          R
(7, 11) + (7, 11)  = 10/22 = 13     = 13^2 − 14 = 17      = 13(7 − 17) − 11 = 20      (17, 20)
(9, 7) + (9, 7)    = 14/14 = 1      = 1^2 − 18 = 6        = 1(9 − 6) − 7 = 19         (6, 19)

On $\frac{a}{b} \bmod p$ calculation for ECC

Dividing by b is the same as multiplication by $b^{-1}$:
To calculate $\frac{a}{b} \bmod p$,

Use extended euclidean algorithm to calculate $b^{-1} \bmod p$.
Then multiply $a \times b^{-1} \bmod p$.

All operations modulo 23...

To calculate $\frac{7}{11} \bmod 23$

Calculate $11^{-1} \bmod 23 = 21$.
$7 \times 21 \bmod 23 = 9$
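The point addition, doubling and division rules from the ECC slides, and the four-step encode/decode algorithm built on them, as an added example (not from the original slides) on the slides' curve $E_{23}(1,1)$. Function names, the choice of G, the secret n_A = 11, the message point and k = 3 are constructed; `inv` uses Fermat's little theorem in place of the extended Euclidean algorithm the slide names.

```python
P_MOD, A, B = 23, 1, 1      # the curve y^2 = x^3 + x + 1 (mod 23)
O = None                    # the zero point


def inv(b, p=P_MOD):
    """b^-1 mod p as b^(p-2) mod p (valid because p is prime)."""
    b %= p
    if b == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    return pow(b, p - 2, p)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """P + Q with the chord rule, or the tangent rule when P == Q."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O            # Q = -P; also covers doubling a point with y = 0
    if p1 == p2:
        grad = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        grad = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (grad * grad - x1 - x2) % P_MOD
    y3 = (grad * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P_MOD)


def mul(k, pt):
    """k x pt by double-and-add, the analog of square-and-multiply."""
    result = O
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def order(pt):
    """Smallest n with n x pt equal to the zero point."""
    n, acc = 1, pt
    while acc is not O:
        acc = add(acc, pt)
        n += 1
    return n


POINTS = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]
G = max(POINTS, key=order)  # a base point of the largest available order


def public_key(G, nA):
    return mul(nA, G)                        # Step 2: P_A = n_A x G


def encode(m, k, G, PA):
    """Step 3: m must itself be a point on the curve; k must be fresh per message."""
    return mul(k, G), add(m, mul(k, PA))     # <c1, c2>


def decode(c, nA):
    c1, c2 = c
    return add(c2, neg(mul(nA, c1)))         # Step 4: c2 - c1 x n_A


if __name__ == "__main__":
    print("(4,0)+(7,11) =", add((4, 0), (7, 11)), " 2(9,7) =", add((9, 7), (9, 7)))
    nA = 11                                  # constructed secret, n_A < order(G)
    PA = public_key(G, nA)
    c = encode((9, 7), 3, G, PA)             # constructed message point and k
    print("G =", G, "order", order(G), "P_A =", PA)
    print("ciphertext", c, "decodes to", decode(c, nA))
```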

Back to the high level view...

Attacks!
Can the keysize be reduced, perhaps by convincing systems to use a lower grade of encryption? This is the mechanism used by NSA to spy on HTTPS/SSL connections.

Can the key be brute-forced? Can some pre-computation scheme be used, storing the results on a disk?

Can the key be predicted? Keys are often generated as needed by generating numbers using pseudo random number generators.

Defences!
Do not downgrade encryption, or at least warn users if this is happening.

Use large sized keys, that are randomly generated, using high quality random number generators. If the key size is huge, neither brute-force, nor pre-computation would be feasible.

Perhaps use actual random number generator chips instead of pseudo random number generators.

Back to the high level view...

Summary
We saw how cryptographic schemes are using keysizes that are large enough that they cannot be brute-forced.

The ways around cryptographic schemes involve downgrading, or tricking software to use less complex systems.

A general approach is to use systems in which the use time goes up perhaps by the number of bits in the key $O(k)$, but the attack time goes up much faster - perhaps by the actual size of the key $O(2^k)$. Schemes like this can be made arbitrarily hard: still be usable, but with infeasible attack times.


Modular (clock) arithmetic: +, ∗ in $Z_7$

A finite field: +,* in $Z_7$

+ | 0 1 2 3 4 5 6
--+--------------
0 | 0 1 2 3 4 5 6
1 | 1 2 3 4 5 6 0
2 | 2 3 4 5 6 0 1
3 | 3 4 5 6 0 1 2
4 | 4 5 6 0 1 2 3
5 | 5 6 0 1 2 3 4
6 | 6 0 1 2 3 4 5

∗ | 0 1 2 3 4 5 6
--+--------------
0 | 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6
2 | 0 2 4 6 1 3 5
3 | 0 3 6 2 5 1 4
4 | 0 4 1 5 2 6 3
5 | 0 5 3 1 6 4 2
6 | 0 6 5 4 3 2 1

Steps towards finite fields

Closed algebraic systems: a group is a set of group elements with a binary operation •

If one denotes the group operation by •, then the above says that for any group elements a and b, a • b is defined and is also a group element (i.e. it is closed)

For all group elements a, b, c, GROUPS..
- are associative, meaning that a • (b • c) = (a • b) • c
- have an identity e satisfying a • e = e • a = a for any a.
- have an inverse $a^{-1}$ satisfying a • $a^{-1}$ = $a^{-1}$ • a = e.

and if a • b = b • a then the group is commutative or abelian. Otherwise it is non-commutative. Notice that even in a non-commutative group, a • b = b • a might sometimes be true, for example if a or b is the identity. A group with only finitely many elements is called finite; otherwise it is infinite.

Examples

Infinite groups: (Integers,+), and (positive rationals,*)
1. The integers (all whole numbers, including 0 and negative numbers) form an infinite commutative group using addition. The identity is 0 and the inverse of a is $-a$.
2. The positive rationals (all positive fractions, including all positive integers) form a group if ordinary multiplication is the operation. The identity is 1 and the inverse of r is $1/r = r^{-1}$.

Finite group: (Integers (mod N),+ (mod N))
The integers mod n form a group for any integer n > 0. This group is often denoted $Z_n$. Here the elements are 0, 1, 2, . . ., n − 1 and the operation is addition followed by remainder on division by n. The identity is 0 and the inverse of a is n − a (except for 0 which is its own inverse).

Fields (repeated slide...)

A field has two operations traditionally called + and *
1. +, with elements of the field forming a commutative group. Identity is 0 and inverse of a is $-a$.
2. ∗, with elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by $a^{-1}$.

There is also the distributive identity, linking + and ∗ :

$a * (b + c) = (a * b) + (a * c)$

If c is not zero and $a * c = b * c$, then $a = b$.

Examples of fields

Infinite fields: rationals, reals and complex numbers
The rational numbers (fractions) Q, or the real numbers R, or the complex numbers C, using ordinary addition and multiplication (extended in the last case to the complex numbers).

Finite field: Integers modulo a prime
The integers mod p, denoted $Z_p$, where p is a prime number (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, . . . ).

- A group using +.
- Elements without 0 form a group under ∗. The identity is clearly 1, but the inverse of a non-zero element a is not obvious.

Modular arithmetic: +, ∗ inverses in $Z_7$

Properties of elements for a field ($Z_7$,+,*)

a    −a   a^-1
0    0    -
1    6    1
2    5    4
3    4    5
4    3    2
5    2    3
6    1    6

Additive inverse: $a + (-a) \bmod p = 0$

Multiplicative inverse: $(a * a^{-1}) \bmod p = 1$.

Reducibility:

$(a + b) \bmod p = (a \bmod p + b \bmod p) \bmod p$
$(a * b) \bmod p = (a \bmod p * b \bmod p) \bmod p$

Modular arithmetic: +, ∗ in $Z_8$

Let’s look at modular arithmetic in $Z_8$

+ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6

∗ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6 7
2 | 0 2 4 6 0 2 4 6
3 | 0 3 6 1 4 7 2 5
4 | 0 4 0 4 0 4 0 4
5 | 0 5 2 7 4 1 6 3
6 | 0 6 4 2 0 6 4 2
7 | 0 7 6 5 4 3 2 1

Modular arithmetic: +, ∗ inverses in $Z_8$?

... and the inverses go bad ...

a    −a   a^-1
0    0    -
1    7    1
2    6    -
3    5    3
4    4    -
5    3    5
6    2    -
7    1    7

Later we will see how by changing the definitions for + and ∗ we will be able to have an algebraic number field in $Z_8$.

Why primes?

In the book Contact, the heroine recognizes an alien communication because it starts...

2.. 3.. 5.. 7.. 11.. 13.. 17.. 19.. 23... [a]

[a] Actually, in the book, Sagan used 1,2,3,5... :)

Is it just a coincidence that the numbers on the main Real Madrid player’s jerseys were: Carlos, No 3; Zidane, No 5; Raul, No 7; Owen, No 11?

Why primes?
For 2500 years mathematicians studied prime numbers just because they were interesting, without any idea they would have practical applications.

Possible real-world uses:
1. Sometimes... a prime number of ball bearings arranged in a bearing, to cut down on periodic wear (also gear teeth).
2. Possibly... the 13 and 17-year periodic emergence of cicadas may be due to coevolution with predators (that lost and became extinct).

We do not know how to guess when the next one will occur. But ... we do know that the density is predictable...

(Asymptotic to $\frac{x}{\log x}$)

Why primes?

Because 2500 years of mathematics has failed to uncover some basic prime properties, they make a good candidate for constructing difficult (impossible to decrypt) translations... and hence our interest in them...

Because primes are beautiful...

Consider the following problem:
Question: Is it possible to find an arbitrary sized sequence of numbers that are not primes?

Answer: YES!

How to get n not-primes in a row:
If you want 3 not-primes in a row, calculate 4 ∗ 3 ∗ 2 ∗ 1 = 4!, and choose the numbers 4! + 2, 4! + 3 and 4! + 4. None can be a prime.

If you want 42,000 not-primes in a row, calculate 42001 ∗ . . . ∗ 2 ∗ 1 = 42001!, and choose the numbers 42001! + 2, 42001! + 3... None can be a prime.

If you want 4847584765843775375983487509485945495840 not-primes ...

Fermat’s little theorem

In cryptography, one often wants to raise a number to a power, modulo another number.
For the integers mod p where p is a prime ($Z_p$), there is a result known as Fermat’s little theorem, discovered by the 17th century French mathematician Pierre de Fermat, 1601-1665.

Fermat’s (little) theorem:
If p is a prime and a is any non-zero number less than p, then

$a^{p-1} \bmod p = 1$

Sometimes use $a^{p-1} \bmod p = 1$, sometimes $a^{p-1} \equiv 1 \pmod{p}$.

Fermat’s little theorem, p = 11

A table showing a and powers-of-a

a    a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10
2    2    4    8    5    10   9    7    3    6    1
3    3    9    5    4    1    3    9    5    4    1
4    4    5    9    3    1    4    5    9    3    1
5    5    3    4    9    1    5    3    4    9    1
6    6    3    7    9    10   5    8    4    2    1
7    7    5    2    3    10   4    6    9    8    1
8    8    9    6    4    10   3    2    5    7    1
9    9    4    3    5    1    9    4    3    5    1
10   10   1    10   1    10   1    10   1    10   1

Fermat’s little theorem

Observations
- For p = 11 the value is always 1 when the power gets to 10
- Sometimes the value gets to 1 earlier
- Lengths of runs are always numbers that divide evenly into 10
- A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 8 are generators.

Simplifying expressions
Because a to a power mod p always starts repeating after the power reaches p − 1, you can do this:

$a^x \bmod p = a^{x \bmod (p-1)} \bmod p$.

Thus modulo p in the expression requires modulo p − 1 in the exponent. For p = 13, then

$a^{29} \bmod 13 = a^{29 \bmod 12} \bmod 13 = a^5 \bmod 13$.

Another example: result = $7^{1215} \bmod 13$

a big number...

(7^1215)%13

result=62247027506732273704655645590797926890623986483292191309020787710924869910727405870651989078101738389949782679348130096777089278266013135577736536148404478380085122281739226134142137076240050702683456450161478881858016233581815507729190060733863810985820998417753776670372868147396701203157123969140001848223403523559064551556675341024739645354137741258367626070635933104840329377905370464877106976413186542262299505280557584280574185802694213299802280179325494560628948940739344482284649151197141168698959587947320242857426901802324494025671010508311496735633429580921945571119113124697462717311124279255445332116504914530077241996189357298508605206780120789880835525222341940514585567320868420423888932091570407998648719010649912308602886575458785483803190210993511026450389154414587258074783062229406697804705969808888224976779404912792017633095411318555938776800816778624695807909497057871925962771277963034877818141061473753709046271959955890872768469943 mod 13 = 5

(Use bc...)

But look at this:

result = $7^{1215} \bmod 13$
       = $7^{1215 \bmod 12} \bmod 13$
       = $7^3 \bmod 13$
       = $343 \bmod 13$
       = 5

We can do BIG NUMBER maths without calculating BIG numbers!


The maths to RSA

Note that it decodes back to m

$c^D \bmod N = m^{ED} \bmod N$
$= m^{k(P-1)(Q-1)+1} \bmod PQ$
$= m * m^{k(P-1)(Q-1)} \bmod PQ$
$= m$

$m^{P-1} \bmod P = 1$, so $(m^{(P-1)})^{k(Q-1)} \bmod P = 1$

$m^{Q-1} \bmod Q = 1$, and so $(m^{(P-1)})^{k(Q-1)} \bmod PQ = 1$.

Why? ... Euler’s (1707-1783) theorem

A generalization of Fermat’s Theorem...

Euler’s theorem
If n is any positive integer and a is any positive integer less than n with no divisors in common with n, then

$a^{\phi(n)} \bmod n = 1$,

where $\phi(n)$ is the Euler phi function:

$\phi(n) = n(1 - 1/p_1) \ldots (1 - 1/p_m)$,

and $p_1, \ldots, p_m$ are all the prime numbers that divide evenly into n, including n itself in case it is a prime.

Special case #1

If n is a prime, then using the formula,

$\phi(n) = n(1 - 1/n) = n(\frac{n-1}{n}) = n - 1$

Fermat’s result is a special case of Euler’s:

$a^{\phi(n)} \bmod n = a^{n-1} \bmod n = 1$

Special case #2

Another special case needed for RSA comes when the modulus is a product of two primes: n = pq. Then

$\phi(n) = n(1 - 1/p)(1 - 1/q) = (p - 1)(q - 1)$

So - we have

$a^{(p-1)(q-1)} \bmod pq = 1$

(if a has no divisors in common with pq and p, q prime)

Euler: table of a and powers of a: n = 15, $\phi(n)$ = 8

a    a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10 a^11 a^12 a^13 a^14
2    4    8    1    2    4    8    1    2    4    8    1    2    4
3    9    12   6    3    9    12   6    3    9    12   6    3    9
4    1    4    1    4    1    4    1    4    1    4    1    4    1
5    10   5    10   5    10   5    10   5    10   5    10   5    10
6    6    6    6    6    6    6    6    6    6    6    6    6    6
7    4    13   1    7    4    13   1    7    4    13   1    7    4
8    4    2    1    8    4    2    1    8    4    2    1    8    4
9    6    9    6    9    6    9    6    9    6    9    6    9    6
10   10   10   10   10   10   10   10   10   10   10   10   10   10
11   1    11   1    11   1    11   1    11   1    11   1    11   1
12   9    3    6    12   9    3    6    12   9    3    6    12   9
13   4    7    1    13   4    7    1    13   4    7    1    13   4
14   1    14   1    14   1    14   1    14   1    14   1    14   1

Table

Analysis
The table illustrates Euler’s theorem for n = 15 = 3 · 5, with

$\phi(15) = 15 \cdot (1 - 1/3) \cdot (1 - 1/5) = (3 - 1) \cdot (5 - 1) = 8$

Notice here that a 1 is reached when the power is 8, but only for numbers with no divisors in common with 15.
For other base numbers, the value never gets to 1.

Properties
Arithmetic in the exponent is taken mod $\phi(n)$, so that, if a has no divisors in common with n,

$a^x \bmod n = a^{x \bmod \phi(n)} \bmod n$.

If n = 15 as above, then $\phi(n)$ = 8, and if neither 3 nor 5 divides evenly into a, then $\phi(n)$ = 8. Thus for example,

$a^{28} \bmod 15 = a^{28 \bmod 8} \bmod 15 = a^4 \bmod 15$.
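The observations on the Fermat table (run lengths, generators) and the exponent-reduction rule under Fermat and Euler, as an added example (not from the original slides). It also shows the failure case the "no divisors in common" condition guards against; function names are constructed.

```python
from math import gcd


def phi(n):
    """Euler phi from n * (1 - 1/p1) ... (1 - 1/pm), found by trial division."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:                       # one prime factor left over
        result -= result // m
    return result


def run_length(a, n):
    """Length of the run a, a^2, ... until it first reaches 1 (mod n).

    Returns None when a shares a divisor with n: the row for that a in the
    table never contains a 1.
    """
    if gcd(a, n) != 1:
        return None
    value, r = a % n, 1
    while value != 1:
        value = value * a % n
        r += 1
    return r


def generators(p):
    """Values of a whose run needs the whole row, i.e. has length p - 1."""
    return [a for a in range(2, p) if run_length(a, p) == p - 1]


def reduce_exponent(a, x, n):
    """a^x mod n computed as a^(x mod phi(n)) mod n.

    Only valid when gcd(a, n) == 1, so that case is checked explicitly.
    """
    if gcd(a, n) != 1:
        raise ValueError("exponent reduction needs gcd(a, n) == 1")
    return pow(a, x % phi(n), n)


if __name__ == "__main__":
    print("run lengths mod 11:", {a: run_length(a, 11) for a in range(2, 11)})
    print("generators mod 11 :", generators(11))
    print("7^1215 mod 13     :", reduce_exponent(7, 1215, 13))
    print("7^28 mod 15       :", reduce_exponent(7, 28, 15))
    # Failure case: 3 shares a divisor with 15, so reducing the exponent
    # mod phi(15) = 8 would turn 3^8 into 3^0 = 1, but the true value is 6.
    print("3^8 mod 15        :", pow(3, 8, 15), "vs 3^(8 mod 8) =", pow(3, 0, 15))
```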

Page 67: Building blocks Background for the math Quantum effects

RSA code

Perl script that (kind of) does RSA

```perl
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
```

and then

```sh
echo "squeamish ossifrage" | ./rsa.perl -k=10001 -n=1967cb529 > msg.rsa
./rsa.perl -d -k=ac363601 -n=1967cb529 < msg.rsa
```
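The arithmetic behind an exponent/modulus pair like the -k and -n arguments above, written out as an added Python example that is not part of the original slides. It is unpadded textbook RSA for illustration only; the primes 61 and 53 and the exponent 17 are constructed toy values (not the factors of the modulus used on this page), and the function names are chosen here.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Toy key generation: n = p*q and d = e^-1 mod (p-1)(q-1)."""
    phi_n = (p - 1) * (q - 1)            # special case #2: phi(pq) = (p-1)(q-1)
    g, x, _ = egcd(e, phi_n)
    if g != 1:
        raise ValueError("e must have no divisors in common with (p-1)(q-1)")
    return p * q, e, x % phi_n

def crypt(blocks, key, n):
    """Raise every block to the power `key` mod n (same call encrypts and decrypts)."""
    return [pow(b, key, n) for b in blocks]

if __name__ == "__main__":
    n, e, d = make_keys(61, 53, 17)          # constructed toy primes
    message = list(b"squeamish ossifrage")   # one byte per block, each block < n
    cipher = crypt(message, e, n)
    print("n, e, d =", n, e, d)
    print("e*d mod (p-1)(q-1) =", (e * d) % (60 * 52))
    print("cipher  =", cipher)
    print("plain   =", bytes(crypt(cipher, d, n)))
```

Decryption works because e·d ≡ 1 mod (p − 1)(q − 1), so the exponent e·d reduces to 1 by the exponent-arithmetic property.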


Quantum physics

First interest: Quantum computing...
1. Quantum computers may be able to compute HARD problems quickly (such as factorizing large composites).

How? The underlying data elements are quantum bits (qubits), not limited to just 0, 1 states - instead considered to be a superposition of states. An operation performed on a qubit is performed on all the states simultaneously. Shor’s algorithm.

DWave systems have sold the first commercial quantum computer, with (evidently) 128 qubits. However, it is unable to perform Shor’s algorithm:

http://www.dwavesys.com/

It is likely that no effective quantum computer has yet been built that could factor a large composite.


Shor’s Algorithm

A very slow way to find factors of p × q?
Choose some number a, with no factors in common with pq. (Of course, if your number a does have factors in common with pq, you have either discovered p or q.) Imagine you calculate $a^2, a^3, a^4, \ldots$, all modulo pq, until the sequence repeats for the first time (perhaps after r steps). The repetition value r evenly divides (p − 1)(q − 1). Have a look at the Euler table in slide set 9 - it shows the powers modulo 15 = pq = 3 × 5, and all repetitions divide (p − 1)(q − 1) = 8.

In addition, $a^r \equiv 1 \bmod pq$, and since this was the first repetition, $b = a^{r/2} \not\equiv 1 \bmod pq$. But $b^2 \equiv 1 \bmod pq$.

We have four square roots of 1: ±1 and ±b. If we know b, we can calculate the factors of pq (as we will see again in oblivious transfer).

It is slow because...
...the sequences may be very very long. So this is not some secret fast algorithm if you have to calculate long sequences $a^2, a^3, a^4, \ldots$, all modulo pq.
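The slow classical procedure described above, as an added Python example that is not part of the original slides. It goes slightly beyond the slide text by handling the two cases in which a chosen a gives no factors (an odd r, or b ≡ −1 mod pq); the function names and the modulus 3233 = 53 × 61 are constructed for illustration.

```python
from math import gcd

def period(a, n):
    """Smallest r >= 1 with a^r mod n == 1, found by the slow step-by-step search."""
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r

def factor_from_period(a, n):
    """Try to split n using base a; returns (p, q), or None if this a is unlucky."""
    g = gcd(a, n)
    if g != 1:
        return (g, n // g)               # a already shares a factor with n
    r = period(a, n)
    if r % 2 == 1:
        return None                      # odd r: there is no a^(r/2) to use
    b = pow(a, r // 2, n)                # b^2 == 1 mod n, and b != 1 since r is minimal
    if b == n - 1:
        return None                      # b is -1 mod n: a trivial square root of 1
    p = gcd(b - 1, n)                    # n divides (b-1)(b+1) but neither factor alone
    return (p, n // p)

def factor(n):
    """Try bases 2, 3, ... until one gives a split; returns ((p, q), a) or None."""
    for a in range(2, n):
        found = factor_from_period(a, n)
        if found:
            return tuple(sorted(found)), a
    return None

if __name__ == "__main__":
    for a in (2, 7, 11, 14):
        print("a =", a, "r =", period(a, 15), "->", factor_from_period(a, 15))
    print(factor(3233))                  # 3233 = 53 * 61, constructed example
```

The loop in `period` is the part that grows out of reach for large pq, which is the slowness the slide describes.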


Shor’s Algorithm

Find repetition values for all powers simultaneously:
A Quantum register holds all possible values at the same time, and we perform an amplifying operation, that only leaves stable repetition values.

Mark the same times every day... In the simulation, only the clock with a repetition rate that we are interested in remains:


Quantum cryptography

Second interest: Quantum cryptography
2. Quantum cryptography uses laws of quantum mechanics - Heisenberg Uncertainty applies to some pairs (of properties) of (atomic) particles. Measuring one property affects another.

A snooper is easily detected, and there are various protocols for using quantum effects to share keys.

BB84: Key sharing protocol
Alice randomly chooses one of four polarizations: rectilinear: 0, 90, or diagonal: 45, 135 (degrees).


Alice transmits 10000 photons

BB84: Encoded using different polarizations:

[Figure: Alice (LED, Filter) sends photons to Bob; axis: time]


Alice and Bob’s protocol

BB84: choose bits - no reveal...
1. Alice records what she has sent. Bob randomly chooses polarizations, and for each one reads the resultant value. (If he chooses correctly he gets a valid 1 or 0; if not, he gets a random value.)
2. Bob tells Alice the polarizations he has used: diag, diag, rectilinear, diag...
3. Alice replies by telling Bob which ones were correct. (1, 3, 4, 8, 9, 10, 12, 17...)
4. They now have 5000 (approx) bits in common.


Harry the hacker listens in, but...

BB84: Harry has a problem
1. If Harry the hacker senses (some of) the photons, he must choose which polarization to use, and will affect the photon.
2. Bob and Alice compare a subset of the bits that they think they know to detect snooping.
3. If no snooping, then the rest of the bits are likely to be OK.

Current state
Quantum cryptography systems are now commercially available, operating over reasonably long (40km) fibre.
Note the probabilistic nature of the algorithm. By choosing the bit length, you can get any degree of assurance.
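A small simulation of the BB84 steps above, as an added Python example that is not part of the original slides. It assumes an idealised channel with no noise or photon loss, models Harry as measuring and re-sending every photon, and uses names chosen here for illustration.

```python
import random

RECT, DIAG = "rect", "diag"   # rectilinear: 0/90 degrees, diagonal: 45/135 degrees

def measure(bit, sent_basis, read_basis, rng):
    """The right basis reads the encoded bit; the wrong basis gives a random value."""
    return bit if sent_basis == read_basis else rng.randint(0, 1)

def bb84(photons=10000, eavesdrop=False, seed=1):
    """Run the exchange; returns (Alice's bits, Bob's bits) at the kept positions."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(photons):
        bit, a_basis = rng.randint(0, 1), rng.choice((RECT, DIAG))
        sent_bit, sent_basis = bit, a_basis
        if eavesdrop:
            # Harry must pick a basis, and what he re-sends is in that basis.
            h_basis = rng.choice((RECT, DIAG))
            sent_bit = measure(bit, a_basis, h_basis, rng)
            sent_basis = h_basis
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(sent_bit, sent_basis, b_basis, rng)
        if b_basis == a_basis:           # steps 2-3: keep only matching polarizations
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(alice_key, bob_key, sample=500):
    """Compare a subset of the shared bits (here simply the first `sample` of them)."""
    pairs = list(zip(alice_key, bob_key))[:sample]
    return sum(a != b for a, b in pairs) / len(pairs)

def miss_probability(compared_bits):
    """Chance that the compared subset shows no error although every photon was read."""
    return 0.75 ** compared_bits

if __name__ == "__main__":
    a, b = bb84()
    print("shared bits:", len(a), "error rate:", error_rate(a, b))
    a, b = bb84(eavesdrop=True)
    print("with Harry: error rate:", error_rate(a, b))
    for k in (10, 50, 100):
        print(k, "compared bits -> miss probability", miss_probability(k))
```

With Harry on the line about a quarter of the compared bits disagree, and the chance of missing him falls as 0.75 to the power of the number of bits compared, which is the sense in which the bit length sets the degree of assurance.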