CS3235 - Computer Security
Fourth topic - Asymmetric (and other) Cryptography
Hugh Anderson
National University of Singapore, School of Computing
September, 2019
Sections: Building blocks; Background for the math; Quantum effects and security
Keys...
Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed. —The Golden Bough, Sir James George Frazer.
Outline
1 Building blocks: Symmetric and Asymmetric; A high-level view
2 Background for the math: Modulo, Fields and Primes...; The maths for RSA
3 Quantum effects and security: Computation computation; Quantum cryptography
Symmetric key systems
Alice uses a key to send to Bob, who uses the same key...
C = E(K, P)
(Figure: Alice encrypts the plaintext P with the key K to give the encrypted C; Bob decrypts C with the same K to recover P; Harry the hacker, on the channel between them, sees only the encrypted C.)
Asymmetric key systems
A model for public/private keys
C = E(Kpub, P)
(Figure: Bob creates a pair of keys Kpub and Kpriv, freely gives away Kpub and keeps Kpriv secret; Alice uses Kpub to encrypt the plaintext P, and Bob uses Kpriv to decrypt; Harry the hacker sees only the encrypted C.)
Kpub is the public key for Bob, Kpriv is his private key. Only Bob can decrypt a message sent to him, but anyone can encrypt it.
Uses of asymmetric encryption
What use is asymmetric encryption?
1 Generating encrypted passwords with 1-way functions
2 Checking integrity by appending a digital signature
3 Checking the authenticity of a message.
4 Encrypting timestamps with messages to prevent replay attacks.
5 Exchanging a key.
Note that... Participants each have private and public keys, and these two keys cannot be derived from each other.
Asymmetric encryption
A model for public/private keys
Asymmetric authentication
A model for asymmetric authentication
Doing both...
Possible technique...
(Figure 9.4 Public-Key Cryptosystem: Authentication and Secrecy. At source A, the message X is passed through the encryption algorithm with A's private key PRa to give Y, then again with B's public key PUb to give Z. At destination B, Z is passed through the decryption algorithm with B's private key PRb to give Y, then with A's public key PUa to recover X. Each side's keys come from its own key pair source.)
Doing both...
Actual technique...
(Figure, between George and Barbara: the sender encrypts the plaintext P with the recipient's public key Kpub, giving E(Kpub, P); the ciphertext is passed through a hash function and the hash is signed with the sender's private key Jpriv, giving E(Jpriv, hash(E(Kpub, P))). The recipient decrypts with Kpriv to recover P, passes the received ciphertext through the same hash function, decrypts the signature with Jpub, and compares the two hashes.)
Man-in-the-middle for Public Keys
Motivation for PKI:
(Figure, with Alice, Harry and Bob:)
1: Alice asks Bob for his public key
2: Harry asks Bob for his public key
3: Bob returns his public key
4: Harry returns his own public key
5: Alice now uses wrong public key
6: Harry can read, and re-encode Alice’s msgs
The certification mechanism
RA and CA:
(Figure, with Bob, the RA (Registration Authority) and the CA (Certification Authority):)
1: Bob registers with CA through RA
2: RA verifies Bob, and requests certificate
3: CA generates a certificate (SIGNED) with Bob’s identity and public key
4: Anyone can check Bob’s key using CA’s public key
Certificates
Viewing a signed certificate: (screenshot not reproduced in this extract)
Asymmetry through “one-way” or “trapdoor” functions...
We will see examples using these functions: we use operations that are easy to do one way, say of O(k), and difficult to reverse and do the other way: perhaps O(e^k).
We want our mathematical systems to be
of fixed size (i.e. modulo), and
to operate over all values.
A trapdoor function is such a one-way function, but it can be reversed if some other information is later given. Suitable mathematical structures are finite cyclic groups (perhaps modular arithmetic) and/or finite fields.
Asymmetric system #1: Diffie Hellman
The discrete logarithm problem (one-way function):
easy to calculate n = g^k mod p given g, k and p (p is a prime),
hard to calculate k in the same equation, given g, n and p.
Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.
(Figure: Alice, knowing p, g and her secret a, sends g^a mod p; Bob, knowing p, g and his secret b, sends g^b mod p; Ted, listening in between, sees p, g, g^a mod p and g^b mod p.)
After exchange, knowledge is different
Only Alice knows a, only Bob knows b...
(Figure: Alice holds g, p, a and g^b mod p; Bob holds g, p, b and g^a mod p; Ted holds only g, p, g^a mod p and g^b mod p.)
Diffie-Hellman key agreement
So what does each party do? Both Alice and Bob can now calculate the value g^ab mod p.
1 Alice calculates (g^b mod p)^a mod p = (g^b)^a mod p.
2 Bob calculates (g^a mod p)^b mod p = (g^a)^b mod p.
Shared key is (g^b)^a mod p = (g^a)^b mod p = g^ab mod p.
Ted has a much more difficult problem. It is difficult to calculate g^ab mod p without knowing either a or b. The algorithmic run-time of the (so-far best) algorithm is exponential.
Diffie-Hellman key agreement
Forward function may be done in O(r)
Bit size    Forward    Reverse: Discrete logarithm solution
10          10         23
100         100        1,386,282
1,000       1,000      612,700,000,000,000,000,000,000
Relies on doing BIG number maths: 1000-bit maths involves numbers with more than 300 decimal digits. The C “int” has 10 or so digits.
To calculate g^b mod p where g, b and p are small is easy, but we need some math tricks when they are large.
Asymmetric system #2: ElGamal
ElGamal is an encryption scheme based on Diffie-Hellman: this system conflates the key exchange, followed by encryption, into an announcement of a public key, followed by one transmission for each message.
Announcement: Alice announces a “public key value”: g^a mod p
Send messages: Later Bob sends a message m by choosing a random value (b), and sending ⟨g^b mod p, E(g^ab mod p, m)⟩. The encryption scheme E(k, m) is symmetric, but uses a secret key that Alice can also compute.
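An added worked example (not from the lecture slides) putting the Diffie-Hellman exchange and the ElGamal scheme above into Python. It assumes a toy group, p = 23 with generator g = 5, so every value can be followed by hand; the square-and-multiply modpow is the “math trick” needed once g, b and p are large, and the symmetric E(k, m) of ElGamal is instantiated as textbook multiplication by the shared value mod p, which is one common choice rather than the only one. The secrets a = 6 and b = 15 are constructed.

```python
# Added example: Diffie-Hellman and ElGamal over a toy group (p = 23, g = 5).
# Constructed values for illustration only; real systems use primes of 2048+ bits.

def modpow(base, exp, mod):
    """Square-and-multiply: about log2(exp) squarings, and no intermediate
    value ever exceeds mod^2, so g^b mod p stays cheap even for huge b."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

P, G = 23, 5          # constructed toy parameters; 5 generates all of Z23*

def dh_public(secret):
    """What a party publishes: g^secret mod p."""
    return modpow(G, secret, P)

def dh_shared(their_public, my_secret):
    """(g^b mod p)^a mod p = g^ab mod p; both sides land on the same value."""
    return modpow(their_public, my_secret, P)

def brute_force_log(public):
    """Ted's problem: recover k from g^k mod p by trying every exponent.
    Feasible only because p is tiny; the work grows with the size of p."""
    for k in range(1, P):
        if modpow(G, k, P) == public:
            return k
    return None

def elgamal_encrypt(m, alice_public, b):
    """Bob picks a fresh random b and sends <g^b mod p, E(g^ab mod p, m)>.
    Here E(k, m) = k * m mod p (textbook ElGamal)."""
    c1 = modpow(G, b, P)
    shared = modpow(alice_public, b, P)          # g^ab mod p
    return c1, (m * shared) % P

def elgamal_decrypt(ciphertext, a):
    """Alice recomputes g^ab mod p from c1 and her secret a, then undoes E."""
    c1, c2 = ciphertext
    shared = modpow(c1, a, P)                     # (g^b)^a mod p
    return (c2 * pow(shared, -1, P)) % P          # multiply by the inverse of the shared value

if __name__ == "__main__":
    a, b = 6, 15                                  # Alice's and Bob's secrets (constructed)
    A, B = dh_public(a), dh_public(b)             # 8 and 19
    print("shared key:", dh_shared(B, a), dh_shared(A, b))   # both 2
    print("Ted brute-forces a:", brute_force_log(A))
    c = elgamal_encrypt(7, A, b)
    print("ElGamal ciphertext", c, "decrypts to", elgamal_decrypt(c, a))
```

Note that Bob must use a fresh b for every message: reusing it makes every ciphertext share the same masking value g^ab mod p.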
Asymmetric system #3: RSA
RSA is a well known public key encryption technique: this public key system relies on the difficult problem of trying to find the complete factorization of a large composite[a] integer whose prime factors[b] are not known.
[a] An integer larger than 1 is called composite if it has at least one divisor larger than 1.
[b] The Fundamental Theorem of Arithmetic states that any integer N (greater than 0) may be expressed uniquely as the product of prime numbers.
How easy is it to crack? Two RSA-encrypted messages have been cracked:
The inventors of RSA published a 129-digit (430 bits) RSA public key. In 1994, it was factored with 5000 MIPS-years of computing time.
A year later, a 384-bit PGP key was cracked. It needed 1300 MIPS-years to factor the key in three months.
Note that these efforts each only cracked a single RSA key.
The factorization problem
State of the art factorization: see http://en.wikipedia.org/wiki/Integer_factorization. A 768-bit number (RSA-768) was factored in Dec 2009, using hundreds of machines over 2 years:
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
= 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
× 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
A quantum computer can factor in polynomial time. In 2001, a 7-qubit quantum computer was built to factor 15. In Nov 2007, D-Wave Systems announced a working 28-qubit computer:
http://www.nanowerk.com/news/newsid=3274.php
RSA coding algorithms
The four processes needed for RSA encryption:
1 Creating a public key
2 Creating a secret key
3 Encrypting messages
4 Decoding messages
To create public key Kp and private key Ks
Step 1 - create public key
1 Select two large primes P and Q. Assign x = (P − 1)(Q − 1).
2 Choose E relatively prime to x. Assign N = P ∗ Q.
3 Kp is N concatenated with E.
Step 2 - create private/secret key
1 Choose D: D ∗ E mod x = 1 (i.e. multiplicative inverses)
2 Ks is N concatenated with D.
Step 3 - encoding
1 Pretend m is a number. Calculate c = m^E mod N.
Step 4 - decoding
1 Calculate m = c^D mod N.
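An added Python example (not the lecture's own code) that follows the four RSA steps above, and also shows the “doing both” arrangement from the earlier George/Barbara slide, where the ciphertext E(Kpub, P) is hashed and the hash is signed with the sender's private key J. It assumes the textbook primes P = 61, Q = 53, E = 17 for Barbara's K pair, a second constructed pair (67, 71, 17) for George's J pair, and a toy hash (SHA-256 reduced mod N) so the signature fits the tiny modulus; all of these are constructed for illustration.

```python
# Added example: textbook RSA keygen / encrypt / decrypt, plus encrypt-then-sign.
# Constructed toy parameters (P = 61, Q = 53, E = 17); real keys use 2048-bit N.
import hashlib
from math import gcd

def rsa_keygen(P, Q, E):
    """Steps 1 and 2: Kp = (N, E), Ks = (N, D) with D*E mod x = 1, x = (P-1)(Q-1)."""
    x = (P - 1) * (Q - 1)
    if gcd(E, x) != 1:
        raise ValueError("E must be relatively prime to (P-1)(Q-1)")
    N = P * Q
    D = pow(E, -1, x)                 # multiplicative inverse of E modulo x
    return (N, E), (N, D)

def rsa_encrypt(Kp, m):
    """Step 3: c = m^E mod N (m must be a number smaller than N)."""
    N, E = Kp
    if not 0 <= m < N:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, E, N)

def rsa_decrypt(Ks, c):
    """Step 4: m = c^D mod N."""
    N, D = Ks
    return pow(c, D, N)

def toy_hash(data: bytes, N):
    """Constructed toy: SHA-256 digest reduced mod N so it is signable with a tiny key."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rsa_sign(Ks, data):
    """Signing = applying the private exponent to the hash (E(Jpriv, hash(...)))."""
    return rsa_decrypt(Ks, toy_hash(data, Ks[0]))

def rsa_verify(Kp, data, signature):
    """Verifying = applying the public exponent and comparing with a fresh hash."""
    return rsa_encrypt(Kp, signature) == toy_hash(data, Kp[0])

def send(m, recipient_Kp, sender_Ks):
    """'Doing both': encrypt P with the recipient's public key, then sign the
    hash of the ciphertext with the sender's private key."""
    c = rsa_encrypt(recipient_Kp, m)
    return c, rsa_sign(sender_Ks, str(c).encode())

def receive(c, signature, recipient_Ks, sender_Kp):
    """Check the signature over the ciphertext, then decrypt."""
    ok = rsa_verify(sender_Kp, str(c).encode(), signature)
    return rsa_decrypt(recipient_Ks, c), ok

if __name__ == "__main__":
    barbara_Kp, barbara_Ks = rsa_keygen(61, 53, 17)      # K pair: N = 3233, D = 2753
    george_Jp, george_Js = rsa_keygen(67, 71, 17)        # J pair (constructed primes)
    c = rsa_encrypt(barbara_Kp, 65)
    print("c =", c, "-> m =", rsa_decrypt(barbara_Ks, c))      # 2790 -> 65
    c, sig = send(42, barbara_Kp, george_Js)
    print("received", receive(c, sig, barbara_Ks, george_Jp))  # (42, True)
```

The receiver checks the signature before trusting the decrypted plaintext; a modified ciphertext no longer matches the signed hash, so it is rejected rather than decrypted and acted on.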
System 4: ECC: using Fields (more detail later...)
A field has two operations traditionally called + and ∗
1 +, with elements of the field forming a commutative group. Identity is 0 and inverse of a is −a.
2 ∗, with elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by a^−1.
There is also the distributive identity, linking + and ∗:
a ∗ (b + c) = (a ∗ b) + (a ∗ c)
If c is not zero and a ∗ c = b ∗ c, then a = b.
Asymmetric system #4: ECC
Addition over cubic elliptic curves, such as y^2 = x^3 + ax + b, with zero O, and the points E(a, b) = {(x0, y0), (x1, y1), . . .} on the curve. These are points on a plane, not a line.
An addition operation +E(a,b) for points on this curve: the sum P +E(a,b) Q is the reflection R of the third intersection of the line through P and Q with the curve. The group is ⟨+E(a,b), E(a, b)⟩.
ECC uses curves whose elements are finite: prime curves Ep(a, b) defined over Zp, and binary curves E2^m(a, b) defined over GF(2^m).
ECC adding: real and in Ep(a,b)
Adding points in E(a,b)
If we have P = (xP, yP) and Q = (xQ, yQ), and P ≠ ±Q, we can find R = P +E(a,b) Q by finding the gradient of the line, and then its intersection with the curve:
Gradient: ∆ = (yQ − yP) / (xQ − xP)
x coordinate for R: xR = ∆^2 − xP − xQ
y coordinate for R: yR = ∆(xP − xR) − yP
Finally: R = (xR, yR)
P +E(a,b) P uses a different method
Adding points in Ep(a,b)
We find R as before, modulo p:
Gradient: ∆ = (yQ − yP) / (xQ − xP) mod p
x coordinate for R: xR = ∆^2 − xP − xQ mod p
y coordinate for R: yR = ∆(xP − xR) − yP mod p
Finally: R = (xR, yR)
P +Ep(a,b) P again uses the different method.
Don’t expect operations to “look” nice
Points on the discrete curve y^2 = x^3 + x + 1 mod 23: (plot of the points not reproduced in this extract)
Example P +E23(1,1) Q operations
All operations modulo 23...
P + Q              Gradient ∆      x coordinate xR          y coordinate yR            R
(4, 0) + (7, 11)   = 11/3 = 19     = 19^2 − 4 − 7 = 5       = 19(4 − 5) − 0 = 4        (5, 4)
(3, 10) + (9, 7)   = −3/6 = 11     = 11^2 − 3 − 9 = 17      = 11(3 − 17) − 10 = 20     (17, 20)
Comments on ECC
ECC addition is an analog of modulo multiply. ECC repeated addition is an analog of modulo exponentiation.
We need a “hard” problem equivalent to the discrete log problem. Consider Q = kP, where Q and P belong to a prime curve... it is
“easy” to compute Q given k and P, but
“hard” to find k given Q and P.
This is known as the elliptic curve logarithm problem.
Algorithms for ECC cryptography
Step 1 - create Alice’s private/secret key KsA
Using an elliptic group Ep(a, b), select a point G on the curve which has a large order n. The order of a point is the smallest value n such that n × G = O.
Choose nA: nA < n. KsA is ⟨nA, Ep(a, b), G⟩.
Step 2 - create Alice’s public key KpA
Calculate PA = nA × G. KpA is ⟨PA, Ep(a, b), G⟩
Step 3 - encoding using Alice’s public key KpA
Choose a random k, and calculate C = ⟨c1, c2⟩ = ⟨k × G, m + k × PA⟩
Step 4 - decoding using Alice’s private key KsA
Calculate m = c2 − c1 × nA
Note that m + kPA − kGnA = m + knAG − kGnA = m.
Why use ECC?
Comparable key sizes (table not reproduced in this extract)
The advantage of ECC is that we can use much smaller bit sizes to get muchthe same levels of security.
Calculating 2P = P +Ep(a,b) P for ECC
Doubling a point in ⟨+Ep(a,b), Ep(a,b)⟩
If yP = 0, return O, the zero point.
Otherwise P = (xP, yP), and yP ≠ 0.
Find R = P +Ep(a,b) P by finding the gradient of the tangent, and then its intersection with the curve:
Gradient: ∆ = (3xP^2 + a) / (2yP) mod p
x coordinate for R: xR = ∆^2 − 2xP mod p
y coordinate for R: yR = ∆(xP − xR) − yP mod p
Finally: R = (xR, yR)
All operations modulo 23...
P + P               Gradient ∆       x coordinate xR        y coordinate yR            R
(7, 11) + (7, 11)   = 10/22 = 13     = 13^2 − 14 = 17       = 13(7 − 17) − 11 = 20     (17, 20)
(9, 7) + (9, 7)     = 14/14 = 1      = 1^2 − 18 = 6         = 1(9 − 6) − 7 = 19        (6, 19)
On a/b mod p calculation for ECC
Dividing by b is the same as multiplication by b^−1: to calculate a/b mod p,
use the extended Euclidean algorithm to calculate b^−1 mod p, then multiply: a × b^−1 mod p.
All operations modulo 23...
To calculate 7/11 mod 23:
Calculate 11^−1 mod 23 = 21. Then 7 × 21 mod 23 = 9.
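An added Python example (not the lecture's code) implementing the point addition, doubling and a/b mod p rules from the ECC slides over the same curve E23(1,1), and then the four steps from the “Algorithms for ECC cryptography” slide. The inverse is computed with the extended Euclidean algorithm as the slide says. The base point G = (3, 10), Alice's secret nA = 5, the random k = 3 and the message point (7, 11) used in the demo are constructed values.

```python
# Added example: arithmetic on y^2 = x^3 + x + 1 mod 23 (E23(1,1)) and ECC encryption.
PRIME, A, B = 23, 1, 1      # the curve from the slides
O = None                    # the zero point ("point at infinity")

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(b, p):
    """b^-1 mod p via extended Euclid (11^-1 mod 23 = 21)."""
    g, x, _ = egcd(b % p, p)
    if g != 1:
        raise ValueError(f"{b} has no inverse mod {p}")
    return x % p

def divide(a, b, p):
    """a/b mod p = a * b^-1 mod p (7/11 mod 23 = 9)."""
    return (a * modinv(b, p)) % p

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % PRIME == 0

def neg(pt):
    """-P is the reflection of P in the x axis."""
    return O if pt is O else (pt[0], (-pt[1]) % PRIME)

def add(pt1, pt2):
    """P +E Q: gradient of the chord (or tangent when P = Q), then reflect the intersection."""
    if pt1 is O:
        return pt2
    if pt2 is O:
        return pt1
    xP, yP = pt1
    xQ, yQ = pt2
    if xP == xQ and (yP + yQ) % PRIME == 0:
        return O                          # P + (-P), including doubling a point with y = 0
    if pt1 == pt2:
        delta = divide(3 * xP * xP + A, 2 * yP, PRIME)      # tangent gradient
    else:
        delta = divide(yQ - yP, xQ - xP, PRIME)             # chord gradient
    xR = (delta * delta - xP - xQ) % PRIME                  # equals delta^2 - 2xP when doubling
    yR = (delta * (xP - xR) - yP) % PRIME
    return (xR, yR)

def mul(k, pt):
    """k x P by double-and-add (the ECC analogue of modular exponentiation)."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def order_of(pt):
    """Smallest n with n x G = O."""
    n, acc = 1, pt
    while acc is not O:
        acc = add(acc, pt)
        n += 1
    return n

# The four ECC steps from the slides (Alice's key pair, then encode/decode).
def ecc_keygen(G, nA):
    return nA, mul(nA, G)                    # KsA holds nA, KpA holds PA = nA x G

def ecc_encrypt(M, PA, G, k):
    return mul(k, G), add(M, mul(k, PA))     # <c1, c2> = <k x G, m + k x PA>

def ecc_decrypt(C, nA):
    c1, c2 = C
    return add(c2, neg(mul(nA, c1)))         # m = c2 - c1 x nA

if __name__ == "__main__":
    print(add((4, 0), (7, 11)), add((3, 10), (9, 7)))      # (5, 4) (17, 20): the table rows
    print(mul(2, (7, 11)), mul(2, (9, 7)))                 # (17, 20) (6, 19): the doubling rows
    G = (3, 10)                                            # constructed base point
    nA, PA = ecc_keygen(G, 5)
    C = ecc_encrypt((7, 11), PA, G, k=3)                   # message encoded as a curve point
    print("order of G:", order_of(G), "decrypted:", ecc_decrypt(C, nA))
```

The message here is already a point on the curve; mapping arbitrary data onto curve points is a separate encoding step that the slides leave out.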
Back to the high level view...
Attacks!
Can the keysize be reduced, perhaps by convincing systems to use a lower grade of encryption? This is the mechanism used by NSA to spy on HTTPS/SSL connections.
Can the key be brute-forced? Can some pre-computation scheme be used, storing the results on a disk?
Can the key be predicted? Keys are often generated as needed by generating numbers using pseudo random number generators.
Defences!
Do not downgrade encryption, or at least warn users if this is happening.
Use large sized keys, that are randomly generated, using high quality random number generators. If the key size is huge, neither brute-force nor pre-computation would be feasible.
Perhaps use actual random number generator chips instead of pseudo random number generators.
Back to the high level view...
Summary
We saw how cryptographic schemes are using keysizes that are large enough that they cannot be brute-forced.
The ways around cryptographic schemes involve downgrading, or tricking software to use less complex systems.
A general approach is to use systems in which the use time goes up perhaps by the number of bits in the key, O(k), but the attack time goes up much faster - perhaps by the actual size of the key, O(2^k). Schemes like this can be made arbitrarily hard: still usable, but with infeasible attack times.
Modular (clock) arithmetic: +, ∗ in Z7
A finite field: +,* in Z7
+ 0 1 2 3 4 5 6
0 0 1 2 3 4 5 6
1 1 2 3 4 5 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
∗ 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
Steps towards finite fields
Closed algebraic systems: a group is a set of group elements with a binary operation •.
If one denotes the group operation by •, then the above says that for any group elements a and b, a • b is defined and is also a group element (i.e. it is closed).
For all group elements a, b, c, GROUPS...
are associative, meaning that a • (b • c) = (a • b) • c
have an identity e satisfying a • e = e • a = a for any a.
have an inverse a^−1 satisfying a • a^−1 = a^−1 • a = e.
and if a • b = b • a then the group is commutative or abelian. Otherwise it is non-commutative. Notice that even in a non-commutative group, a • b = b • a might sometimes be true, for example if a or b is the identity. A group with only finitely many elements is called finite; otherwise it is infinite.
Examples
Infinite groups: (Integers, +), and (positive rationals, ∗)
1 The integers (all whole numbers, including 0 and negative numbers) form an infinite commutative group using addition. The identity is 0 and the inverse of a is −a.
2 The positive rationals (all positive fractions, including all positive integers) form a group if ordinary multiplication is the operation. The identity is 1 and the inverse of r is 1/r = r^−1.
Finite group: (Integers (mod N), + (mod N))
The integers mod n form a group for any integer n > 0. This group is often denoted Zn. Here the elements are 0, 1, 2, . . ., n − 1 and the operation is addition followed by remainder on division by n. The identity is 0 and the inverse of a is n − a (except for 0, which is its own inverse).
Fields (repeated slide...)
A field has two operations traditionally called + and ∗
1 +, with elements of the field forming a commutative group. Identity is 0 and inverse of a is −a.
2 ∗, with elements of the field except 0 forming another commutative group, identity denoted by 1 and inverse of a denoted by a^−1.
There is also the distributive identity, linking + and ∗:
a ∗ (b + c) = (a ∗ b) + (a ∗ c)
If c is not zero and a ∗ c = b ∗ c, then a = b.
Examples of fields
Infinite fields: rationals, reals and complex numbers
The rational numbers (fractions) Q, or the real numbers R, or the complex numbers C, using ordinary addition and multiplication (extended in the last case to the complex numbers).
Finite field: Integers modulo a prime
The integers mod p, denoted Zp, where p is a prime number (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, . . . ).
A group using +.
Elements without 0 form a group under ∗. The identity is clearly 1, but the inverse of a non-zero element a is not obvious.
Modular arithmetic: +, ∗ inverses in Z7
Properties of elements for a field (Z7, +, ∗)
a  −a  a^−1
0  0   -
1  6   1
2  5   4
3  4   5
4  3   2
5  2   3
6  1   6
Additive inverse: a + (−a) mod p = 0
Multiplicative inverse: (a ∗ a^−1) mod p = 1.
Reducibility:
(a + b) mod p = (a mod p + b mod p) mod p
(a ∗ b) mod p = (a mod p ∗ b mod p) mod p
Modular arithmetic: +, ∗ in Z8
Let’s look at modular arithmetic in Z8
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
∗ 0 1 2 3 4 5 6 7
0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7
2 0 2 4 6 0 2 4 6
3 0 3 6 1 4 7 2 5
4 0 4 0 4 0 4 0 4
5 0 5 2 7 4 1 6 3
6 0 6 4 2 0 6 4 2
7 0 7 6 5 4 3 2 1
Modular arithmetic: +, ∗ inverses in Z8?
... and the inverses go bad ...
a  −a  a^−1
0 0 -
1 7 1
2 6 -
3 5 3
4 4 -
5 3 5
6 2 -
7 1 7
Later we will see how, by changing the definitions for + and ∗, we will be able to have an algebraic number field in Z8.
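An added Python check (not from the slides) that builds the inverse tables shown for Z7 and Z8 by searching for each inverse, and uses the result to test the field requirement that every non-zero element has a multiplicative inverse. It generalizes the two tables to any small n, so the same function also confirms that Z11 is a field and Z15 is not.

```python
# Added example: additive and multiplicative inverses in Zn, and the field test.

def additive_inverse(a, n):
    """-a mod n, i.e. n - a (and 0 for a = 0)."""
    return (-a) % n

def multiplicative_inverse(a, n):
    """Search for b with a*b mod n = 1; None when no such b exists.
    Exhaustive search is fine for a tiny n; for large n use extended Euclid."""
    for b in range(1, n):
        if (a * b) % n == 1:
            return b
    return None

def inverse_table(n):
    """Rows (a, -a, a^-1) like the Z7 and Z8 slides; the '-' entries become None."""
    return {a: (additive_inverse(a, n), multiplicative_inverse(a, n)) for a in range(n)}

def non_invertible(n):
    """Non-zero elements of Zn with no multiplicative inverse (those sharing a factor with n)."""
    return [a for a in range(1, n) if multiplicative_inverse(a, n) is None]

def is_field(n):
    """(Zn, +, *) is a field exactly when every non-zero element has an inverse."""
    return n > 1 and not non_invertible(n)

def print_table(n):
    print(f"Z{n}:  a   -a  a^-1")
    for a, (neg_a, inv_a) in inverse_table(n).items():
        print(f"     {a:2d}  {neg_a:2d}   {'-' if inv_a is None else inv_a}")

if __name__ == "__main__":
    for n in (7, 8):
        print_table(n)
        print("field?", is_field(n), " no inverse for:", non_invertible(n))
```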
Why primes?
In the book Contact, the heroine recognizes an alien communication because it starts...
2.. 3.. 5.. 7.. 11.. 13.. 17.. 19.. 23...[a]
[a] Actually, in the book, Sagan used 1,2,3,5... :)
Is it just a coincidence that the numbers on the main Real Madrid players’ jerseys were: Carlos, No 3; Zidane, No 5; Raul, No 7; Owen, No 11?
Why primes?
For 2500 years mathematicians studied prime numbers just because they were interesting, without any idea they would have practical applications.
Possible real-world uses:
1 Sometimes... a prime number of ball bearings arranged in a bearing, to cut down on periodic wear (also gear teeth).
2 Possibly... the 13 and 17-year periodic emergence of cicadas may be due to coevolution with predators (that lost and became extinct).
We do not know how to guess when the next one will occur. But ... we do know that the density is predictable...
(Asymptotic to x/log x)
Why primes?
Because 2500 years of mathematics has failed to uncover some basic prime properties, they make a good candidate for constructing difficult (impossible to decrypt) translations... and hence our interest in them...
Because primes are beautiful...
Consider the following problem:
Question: Is it possible to find an arbitrarily sized sequence of numbers that are not primes?
Answer: YES!
How to get n not-primes in a row:
If you want 3 not-primes in a row, calculate 4 ∗ 3 ∗ 2 ∗ 1 = 4!, and choose the numbers 4! + 2, 4! + 3 and 4! + 4. None can be a prime.
If you want 42,000 not-primes in a row, calculate 42001 ∗ . . . ∗ 2 ∗ 1 = 42001!, and choose the numbers 42001! + 2, 42001! + 3... None can be a prime.
If you want 4847584765843775375983487509485945495840 not-primes ...
Fermat’s little theorem
In cryptography, one often wants to raise a number to a power, modulo another number. For the integers mod p where p is a prime (Zp), there is a result known as Fermat’s little theorem, discovered by the 17th century French mathematician Pierre de Fermat, 1601-1665.
Fermat’s (little) theorem: If p is a prime and a is any non-zero number less than p, then
a^(p−1) mod p = 1
Sometimes written a^(p−1) mod p = 1, sometimes a^(p−1) ≡ 1 (mod p).
Fermat’s little theorem, p = 11
A table showing a and powers of a (all modulo 11)
a   a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10
2 2 4 8 5 10 9 7 3 6 1
3 3 9 5 4 1 3 9 5 4 1
4 4 5 9 3 1 4 5 9 3 1
5 5 3 4 9 1 5 3 4 9 1
6 6 3 7 9 10 5 8 4 2 1
7 7 5 2 3 10 4 6 9 8 1
8 8 9 6 4 10 3 2 5 7 1
9 9 4 3 5 1 9 4 3 5 1
10 10 1 10 1 10 1 10 1 10 1
Fermat’s little theorem
Observations
For p = 11 the value is always 1 when the power gets to 10.
Sometimes the value gets to 1 earlier.
Lengths of runs are always numbers that divide evenly into 10.
A value of a for which the whole row is needed is called a generator. 2, 6, 7, and 8 are generators.
Simplifying expressions
Because a to a power mod p always starts repeating after the power reaches p − 1, you can do this:
a^x mod p = a^(x mod (p−1)) mod p.
Thus modulo p in the expression requires modulo p − 1 in the exponent. For p = 13, then
a^29 mod 13 = a^(29 mod 12) mod 13 = a^5 mod 13.
Another example: result = 7^1215 mod 13
a big number...
(7^1215)%13
result = 62247027506732273704655645590797926890623986483292191309020787710924869910727405870651989078101738389949782679348130096777089278266013135577736536148404478380085122281739226134142137076240050702683456450161478881858016233581815507729190060733863810985820998417753776670372868147396701203157123969140001848223403523559064551556675341024739645354137741258367626070635933104840329377905370464877106976413186542262299505280557584280574185802694213299802280179325494560628948940739344482284649151197141168698959587947320242857426901802324494025671010508311496735633429580921945571119113124697462717311124279255445332116504914530077241996189357298508605206780120789880835525222341940514585567320868420423888932091570407998648719010649912308602886575458785483803190210993511026450389154414587258074783062229406697804705969808888224976779404912792017633095411318555938776800816778624695807909497057871925962771277963034877818141061473753709046271959955890872768469943 mod 13 = 5
(Use bc...)
But look at this:
result = 7^1215 mod 13
= 7^(1215 mod 12) mod 13
= 7^3 mod 13
= 343 mod 13
= 5
We can do BIG NUMBER maths without calculating BIG numbers!
The maths to RSA
Note that it decodes back to m
c^D mod N = m^(ED) mod N
= m^(k(P−1)(Q−1)+1) mod PQ
= m ∗ m^(k(P−1)(Q−1)) mod PQ
= m
since m^(P−1) mod P = 1, so (m^(P−1))^(k(Q−1)) mod P = 1,
and m^(Q−1) mod Q = 1, and so (m^(P−1))^(k(Q−1)) mod PQ = 1.
Why? ... Euler’s (1707-1783) theorem
A generalization of Fermat’s Theorem...
Euler’s theorem
If n is any positive integer and a is any positive integer less than n with no divisors in common with n, then
a^φ(n) mod n = 1,
where φ(n) is the Euler phi function:
φ(n) = n(1 − 1/p1) . . . (1 − 1/pm),
and p1, . . . , pm are all the prime numbers that divide evenly into n, including n itself in case it is a prime.
Special case #1
If n is a prime, then using the formula,
φ(n) = n(1 − 1/n) = n((n − 1)/n) = n − 1
Fermat’s result is a special case of Euler’s:
a^φ(n) mod n = a^(n−1) mod n = 1
Special case #2
Another special case needed for RSA comes when the modulus is a product of two primes: n = pq. Then
φ(n) = n(1 − 1/p)(1 − 1/q) = (p − 1)(q − 1)
So - we have
a^((p−1)(q−1)) mod pq = 1
(if a has no divisors in common with pq, and p, q prime)
Euler: table of a and powers of a: n = 15, φ(n) = 8
a    a^1  a^2  a^3  a^4  a^5  a^6  a^7  a^8  a^9  a^10  a^11  a^12  a^13  a^14
2    2    4    8    1    2    4    8    1    2    4     8     1     2     4
3    3    9    12   6    3    9    12   6    3    9     12    6     3     9
4    4    1    4    1    4    1    4    1    4    1     4     1     4     1
5    5    10   5    10   5    10   5    10   5    10    5     10    5     10
6    6    6    6    6    6    6    6    6    6    6     6     6     6     6
7    7    4    13   1    7    4    13   1    7    4     13    1     7     4
8    8    4    2    1    8    4    2    1    8    4     2     1     8     4
9    9    6    9    6    9    6    9    6    9    6     9     6     9     6
10   10   10   10   10   10   10   10   10   10   10    10    10    10    10
11   11   1    11   1    11   1    11   1    11   1     11    1     11    1
12   12   9    3    6    12   9    3    6    12   9     3     6     12    9
13   13   4    7    1    13   4    7    1    13   4     7     1     13    4
14   14   1    14   1    14   1    14   1    14   1     14    1     14    1
Table analysis
The table illustrates Euler’s theorem for n = 15 = 3 · 5, with
φ(15) = 15 · (1 − 1/3) · (1 − 1/5) = (3 − 1) · (5 − 1) = 8
Notice here that a 1 is reached when the power is 8, but only for numbers with no divisors in common with 15. For other base numbers, the value never gets to 1.
Properties
Arithmetic in the exponent is taken mod φ(n), so that, if a has no divisors in common with n,
a^x mod n = a^(x mod φ(n)) mod n.
If n = 15 as above, then φ(n) = 8, and if neither 3 nor 5 divides evenly into a, then for example
a^28 mod 15 = a^(28 mod 8) mod 15 = a^4 mod 15.
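An added Python example (not from the slides) applying the exponent-reduction rule from the Fermat slides (a^x mod p = a^(x mod (p−1)) mod p) and its Euler generalization with φ(n), and reproducing the run-length and generator observations from the p = 11 table and the 7^1215 mod 13 example above. φ is computed from the prime factorization exactly as in the product formula; the function and variable names are this example's own.

```python
# Added example: Fermat / Euler exponent reduction, run lengths and generators.
from math import gcd

def phi(n):
    """Euler's phi: n * prod(1 - 1/p) over the primes p dividing n."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            while m % q == 0:
                m //= q
            result -= result // q        # multiply by (1 - 1/q)
        q += 1
    if m > 1:                            # leftover prime factor
        result -= result // m
    return result

def reduce_exponent(a, x, n):
    """a^x mod n = a^(x mod phi(n)) mod n, valid when gcd(a, n) = 1.
    For prime n this is Fermat's rule with phi(n) = n - 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must share no divisor with n")
    return pow(a, x % phi(n), n)

def run_length(a, p):
    """Smallest k >= 1 with a^k mod p = 1 (the length of the repeating row)."""
    k, value = 1, a % p
    while value != 1:
        value = (value * a) % p
        k += 1
    return k

def generators(p):
    """Values of a whose whole row is needed, i.e. run length p - 1."""
    return [a for a in range(1, p) if run_length(a, p) == p - 1]

def power_row(a, p):
    """The row a^1 ... a^(p-1) mod p from the table."""
    return [pow(a, k, p) for k in range(1, p)]

if __name__ == "__main__":
    print("7^1215 mod 13 =", reduce_exponent(7, 1215, 13), "(via 7^3 = 343)")
    print("rows for p = 11:")
    for a in range(2, 11):
        print(a, power_row(a, 11), "run length", run_length(a, 11))
    print("generators mod 11:", generators(11))
    print("phi(15) =", phi(15), " 2^28 mod 15 =", reduce_exponent(2, 28, 15))
```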
RSA code
Perl script that (kind of) does RSA (rsa.perl; the -s switch turns -k, -n and -d into variables, and the arithmetic is done by piping to dc):
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
and then
echo "squeamish ossifrage" | ./rsa.perl -k=10001 -n=1967cb529 > msg.rsa
./rsa.perl -d -k=ac363601 -n=1967cb529 < msg.rsa
Quantum physics
First interest: Quantum computing...
1. Quantum computers may be able to compute HARD problems quickly (such as factorizing large composites).
How? The underlying data elements are quantum bits (qubits), not limited to just 0,1 states - instead considered to be a superposition of states. An operation performed on a qubit is performed on all the states simultaneously. Shor’s algorithm.
D-Wave Systems have sold the first commercial quantum computer, with (evidently) 128 qubits. However, it is unable to perform Shor’s algorithm:
http://www.dwavesys.com/
It is likely that no effective quantum computer has yet been built that could factor a large composite.
Shor’s Algorithm
A very slow way to find factors of p × q?
Choose some number a, with no factors in common with pq[a]. Imagine you calculate a^2, a^3, a^4, all modulo pq, until the sequence repeats for the first time (perhaps after r steps). The repetition value r evenly divides (p − 1)(q − 1). Have a look at the Euler table in slide set 9 - it shows the powers modulo 15 = pq = 3 × 5, and all repetitions divide (p − 1)(q − 1) = 8.
In addition, a^r ≡ 1 mod pq, and since this was the first repetition, b = a^(r/2) ≠ 1 mod pq. But b^2 ≡ 1 mod pq.
We have four square roots of 1: ±1 and ±b. If we know b, we can calculate the factors of pq (as we will see again in oblivious transfer).
[a] Of course if your number a does have factors in common with pq, you have either discovered p or q.
It is slow because... the sequences may be very very long. So this is not some secret fast algorithm if you have to calculate long sequences a^2, a^3, a^4, all modulo pq.
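An added Python example (not from the slides) of the classical part of the reduction just described: find the repetition value r of a modulo pq by brute force, take b = a^(r/2), and recover p and q as gcd(b ± 1, pq). It uses pq = 15, the same modulus as the Euler table, and also covers the a = 14 case where b ≡ −1 yields nothing and the footnote case where a already shares a factor with pq. The function names are this example's own.

```python
# Added example: the classical order-finding reduction behind Shor's algorithm, on pq = 15.
from math import gcd

def find_period(a, n):
    """Smallest r >= 1 with a^r mod n = 1 (where a, a^2, a^3, ... first repeats).
    Brute force: this is the step that is exponential classically and that a
    quantum computer replaces."""
    if gcd(a, n) != 1:
        raise ValueError("a must share no factor with n")
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r

def factors_from_period(a, n):
    """Return (p, q) with p*q = n when a's period gives a non-trivial square root of 1,
    or None when this a does not work (odd period, or b = -1) and another a is needed."""
    g = gcd(a, n)
    if g != 1:
        return (g, n // g)                    # footnote: a already shares a factor with n
    r = find_period(a, n)
    if r % 2 == 1:
        return None                           # a^(r/2) is not an integer power
    b = pow(a, r // 2, n)                     # b^2 = a^r = 1 mod n, but b != 1 (first repeat)
    if b == n - 1:
        return None                           # b = -1 is a trivial square root of 1
    return (gcd(b - 1, n), gcd(b + 1, n))     # (b-1)(b+1) = 0 mod n splits n

if __name__ == "__main__":
    for a in (2, 4, 7, 11, 14, 6):
        if gcd(a, 15) == 1:
            print(f"a={a}: period {find_period(a, 15)}, factors {factors_from_period(a, 15)}")
        else:
            print(f"a={a}: shares a factor, factors {factors_from_period(a, 15)}")
```

Every period found for 15 divides φ(15) = 8, which is the observation the Euler table makes; the run of the loop in find_period is what grows out of reach as pq grows.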
Shor’s Algorithm
Find repetition values for all powers simultaneously: a quantum register holds all possible values at the same time, and we perform an amplifying operation that only leaves stable repetition values.
Mark the same times every day... In the simulation, only the clock with a repetition rate that we are interested in remains: (animation not reproduced in this extract)
Quantum cryptography
Second interest: Quantum cryptography
2. Quantum cryptography uses laws of quantum mechanics - Heisenberg Uncertainty applies to some pairs (of properties) of (atomic) particles. Measuring one property affects another.
A snooper is easily detected, and there are various protocols for using quantum effects to share keys.
BB84: Key sharing protocol
Alice randomly chooses one of four polarizations: rectilinear: 0, 90, or diagonal: 45, 135 (degrees).
Alice transmits 10000 photons
BB84: Encoded using different polarizations:
(Figure: over time, Alice’s LED and filter send photons, each in one of the four polarizations, to Bob. Photons ...)
Alice and Bob’s protocol
BB84: choose bits - no reveal...
1 Alice records what she has sent. Bob randomly chooses polarizations, and for each one reads the resultant value. (If he chooses correctly he gets a valid 1 or 0, if not he gets a random value.)
2 Bob tells Alice the polarizations he has used: diag, diag, rectilinear, diag...
3 Alice replies by telling Bob which ones were correct. (1, 3, 4, 8, 9, 10, 12, 17...)
4 They now have 5000 (approx) bits in common.
Harry the hacker listens in, but...
BB84: Harry has a problem
1 If Harry the hacker senses (some of) the photons, he must choose which polarization to use, and will affect the photon.
2 Bob and Alice compare a subset of the bits that they think they know to detect snooping.
3 If no snooping, then the rest of the bits are likely to be OK.
Current state
Quantum cryptography systems are now commercially available, operating over reasonably long (40km) fibre.
Note the probabilistic nature of the algorithm. By choosing the bit length one can get any degree of assurance.
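An added Python simulation (not from the slides) of the BB84 steps above: Alice's random bits and bases, Bob's random measurement bases, sifting down to the roughly half that match, then comparison of a sample of the sifted bits to detect an intercept-and-resend Harry. Polarizations are modelled abstractly as two bases, 'R' (0/90) and 'D' (45/135); a measurement in the wrong basis yields a random bit. The seeds, the photon count (10000, as on the slide) and the sample size are constructed.

```python
# Added example: BB84 sifting and snooper detection, simulated classically.
import random

BASES = "RD"          # R = rectilinear (0 / 90 degrees), D = diagonal (45 / 135 degrees)

def measure(photon, basis, rng):
    """Measuring in the photon's own basis returns its bit; the wrong basis gives a coin flip
    (measuring one property disturbs the other)."""
    sent_basis, bit = photon
    return bit if basis == sent_basis else rng.randrange(2)

def bb84(n_photons, eavesdrop, seed):
    """Return Alice's and Bob's sifted keys after steps 1-3 of the protocol."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    photons = list(zip(alice_bases, alice_bits))          # what leaves Alice's filter
    if eavesdrop:
        # Harry must pick a basis to sense each photon, then re-sends it in that basis.
        resent = []
        for photon in photons:
            harry_basis = rng.choice(BASES)
            resent.append((harry_basis, measure(photon, harry_basis, rng)))
        photons = resent
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [measure(ph, b, rng) for ph, b in zip(photons, bob_bases)]
    # Steps 2 and 3: Bob announces his bases, Alice says which matched; keep only those.
    keep = [i for i in range(n_photons) if bob_bases[i] == alice_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]

def sample_error_rate(alice_key, bob_key, sample_size, seed):
    """Compare a random subset of the sifted bits (these bits are then discarded)."""
    rng = random.Random(seed)
    idx = rng.sample(range(len(alice_key)), sample_size)
    return sum(alice_key[i] != bob_key[i] for i in idx) / sample_size

def undetected_probability(compared_bits):
    """Intercepting every photon corrupts each sifted bit with probability 1/4,
    so Harry escapes a comparison of k bits with probability (3/4)^k."""
    return 0.75 ** compared_bits

if __name__ == "__main__":
    for eavesdrop in (False, True):
        a, b = bb84(10000, eavesdrop, seed=1)
        rate = sample_error_rate(a, b, 2000, seed=2)
        print(f"eavesdrop={eavesdrop}: sifted {len(a)} bits, sample error rate {rate:.3f}")
    print("P(undetected after comparing 50 bits) =", undetected_probability(50))
```

Without Harry the sampled bits agree exactly; with Harry intercepting every photon about a quarter of the sifted bits disagree, and undetected_probability shows how quickly a longer comparison drives his chance of going unnoticed towards zero, which is the “any degree of assurance” point of the last slide.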