Mathematical Foundations of Public-Key Cryptography
Adam C. Champion and Dong Xuan
CSE 4471: Information Security
Material based on (Stallings, 2006) and (Paar and Pelzl, 2010)
Outline
• Review: Basic Mathematical Foundations
• Group Theory
• Number Theory
• Case Study: RSA Cryptosystem
Review: Sets
• A set S is an unordered collection of “similar” mathematical objects
  – Duplicate objects are not double counted
  – Suppose $S_1 = \{1, 2, 3, 4\}$ and $S_2 = \{1, 2, 3, 4, 2\}$. Both sets have four elements
• Operations:
  – Intersection: $S_1 \cap S_2 = \{s_1, s_2 : s_1 \in S_1 \wedge s_2 \in S_2\}$
  – Union: $S_1 \cup S_2 = \{s_1, s_2 : s_1 \in S_1 \vee s_2 \in S_2\}$
  – Cardinality: $|S|$ = number of elements in S
• Well-known sets:
  – $\mathbb{N} = \{1, 2, \ldots\}$
  – $\mathbb{Z} = \{0, \pm 1, \pm 2, \ldots\}$
  – $\mathbb{Q} = \{p/q : p, q \in \mathbb{Z} \wedge q \neq 0\}$
  – $\mathbb{R}$ = {real numbers}
  – $\mathbb{C}$ = {complex numbers}
Review: Relations
• A relation R on sets $S_1, \ldots, S_N$ is a subset of their Cartesian product: $R \subseteq S_1 \times \cdots \times S_N$
• R’s arity equals N (binary, n-ary)
• Properties:
  – Reflexive: if for all $s \in S$, $s \, R \, s$
  – Symmetric: if $s_1 \, R \, s_2 \Rightarrow s_2 \, R \, s_1$ for all $s_1, s_2 \in S$
  – Transitive: if $s_1 \, R \, s_2 \wedge s_2 \, R \, s_3 \Rightarrow s_1 \, R \, s_3$ for all $s_1, s_2, s_3 \in S$
  – Equivalence relation: a relation R that is reflexive, symmetric, and transitive
Review: Integer Division
• For an integer divisor d, we can write any integer n as $n = d \times q + r$, where $r \in [0, \ldots, d - 1]$. As $n - r = d \times q$, $n \equiv r \pmod d$.
• Division by d actually partitions $\mathbb{Z}$ into equivalence classes w.r.t. congruence modulo d:
  – Example 1: Odd and even integers. d = 2. Every odd integer n can be written as $2 \times q + 1$ for some integer q. Every even integer m can be written as $2 \times q'$ for some integer $q'$. The equivalence classes are $\{\ldots, -3, -1, 1, 3, \ldots\}$ and $\{\ldots, -4, -2, 0, 2, 4, \ldots\}$.
  – Example 2: d = 5. Notice $8 - 3 = 5 \times 1$ and $23 - 3 = 5 \times 4$, so $23 \equiv 8 \pmod 5$. Remainders are not unique! What are the equivalence classes?
• See (Knuth, 1997; Paar and Pelzl, 2010) for more details.
Outline
• Review: Basic Mathematical Foundations
• Group Theory
• Number Theory
• Case Study: RSA Cryptosystem
Groups I
• A group comprises a set G and an operator $\circ$, which maps each pair (a, b) (where $a, b \in G$) to $(a \circ b) \in G$ subject to the following axioms (Stallings, 2006):
  (A1) Closure: $a, b \in G \Rightarrow a \circ b \in G$;
  (A2) Associativity: $a \circ (b \circ c) = (a \circ b) \circ c$ for all $a, b, c \in G$;
  (A3) Identity element: There is an element $\varepsilon \in G$ such that $a \circ \varepsilon = \varepsilon \circ a = a$ for all $a \in G$.
  (A4) Inverse element: For each $a \in G$, there is an element $a' \in G$ such that $a \circ a' = a' \circ a = \varepsilon$.
• Abelian groups obey axiom (A5), commutativity: $a \circ b = b \circ a$ for all $a, b \in G$. Not all groups are abelian!
• $\circ$ refers to any generic operator that obeys axioms (A1)–(A4)
Groups II
• Example group: $S_n$, the set of all possible permutations of $N = \{1, \ldots, n\}$ distinct symbols, where $\circ$ denotes the permutation operation (Stallings, 2006)
  – Permuting a permutation of N yields a permutation of N, e.g., $\{3, 2, 1\} \circ \{1, 3, 2\} = \{2, 3, 1\}$ for n = 3
  – Associativity holds too
  – Identity element: $\{1, \ldots, n\}$
  – Inverse element: permutation mapping N’s current permutation to $\{1, \ldots, n\}$
Rings I
• A ring R is an abelian group with “addition” and “multiplication” operations $+, \times$ satisfying the following axioms (Stallings, 2006):
  (A1)–(A5) Abelian group axioms (closure under addition operator +, associativity of addition, existence of identity element 0, existence of inverse element $-a$)
  (M1) Closure under multiplication: for all $a, b \in R$, $a \times b \in R$
  (M2) Associativity of multiplication: $(a \times b) \times c = a \times (b \times c)$ for all $a, b, c \in R$
  (M3) Distributive laws: $a \times (b + c) = (a \times b) + (a \times c)$ for all $a, b, c \in R$; $(a + b) \times c = (a \times c) + (b \times c)$ for all $a, b, c \in R$.
Rings II
• Commutative rings satisfy axiom (M4), commutativity of multiplication: $a \times b = b \times a$ for all $a, b \in R$
• Integral domains are commutative rings satisfying the following additional axioms:
  (M5) Multiplicative identity: There is an element $1 \in R$ such that $a \times 1 = 1 \times a = a$ for all $a \in R$
  (M6) No zero divisors: If $a, b \in R$ and $a \times b = 0$, then $a = 0$ or $b = 0$
Rings III
• Example: Ring of integers $\mathbb{Z}_m = \{0, \ldots, m - 1\}$ with addition, multiplication operators $+, \times$ such that, for $a, b \in \mathbb{Z}_m$ (Paar and Pelzl, 2010):
  (1) $a + b = c \pmod m$ ($c \in \mathbb{Z}_m$);
  (2) $a \times b = d \pmod m$ ($d \in \mathbb{Z}_m$).
  – If m = 9, then $\mathbb{Z}_9 = \{0, 1, 2, 3, 4, 5, 6, 7, 8\}$.
  – $6 + 8 = 14 \equiv 5 \pmod 9$
  – $6 \times 8 = 48 \equiv 3 \pmod 9$
  – A multiplicative inverse exists only for integers $a \in \mathbb{Z}_m$ coprime to m. For such integers, $(a \times b) \equiv (a \times c) \pmod m \Rightarrow b \equiv c \pmod m$.
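The residue classes of the Integer Division slide and the ring $\mathbb{Z}_m$ of this slide, as an added Python example (it is not code from the slides or from the cited textbooks, and all function names are my own): it partitions a range of integers by congruence modulo d, performs the ring operations (1) and (2), lists the units of $\mathbb{Z}_m$ (the elements that have a multiplicative inverse), and checks for a given a whether the cancellation law $a \times b \equiv a \times c \Rightarrow b \equiv c$ holds. Run on m = 9 it reproduces the slide's sums and products and shows that cancellation fails exactly for the elements not coprime to 9.

```python
from math import gcd
from typing import Dict, List, Optional


def congruent(a: int, b: int, d: int) -> bool:
    """a ≡ b (mod d) iff d divides a - b."""
    return (a - b) % d == 0


def residue_classes(d: int, lo: int, hi: int) -> Dict[int, List[int]]:
    """Partition the integers lo..hi into the d equivalence classes modulo d.
    Python's % always returns a remainder in [0, d-1], even for negative n
    (C's % does not), so r = n % d can serve as the class representative."""
    classes: Dict[int, List[int]] = {r: [] for r in range(d)}
    for n in range(lo, hi + 1):
        classes[n % d].append(n)
    return classes


def add_mod(a: int, b: int, m: int) -> int:
    """Ring addition in Z_m, rule (1) of the slide."""
    return (a + b) % m


def mul_mod(a: int, b: int, m: int) -> int:
    """Ring multiplication in Z_m, rule (2) of the slide."""
    return (a * b) % m


def units(m: int) -> List[int]:
    """Elements of Z_m with a multiplicative inverse: exactly those coprime to m."""
    return [a for a in range(m) if gcd(a, m) == 1]


def inverse_by_search(a: int, m: int) -> Optional[int]:
    """Brute-force a^{-1} in Z_m (fine for small m); None if a is not a unit."""
    for b in range(m):
        if mul_mod(a, b, m) == 1:
            return b
    return None


def cancellation_holds(a: int, m: int) -> bool:
    """Does a*b ≡ a*c (mod m) force b ≡ c (mod m) for all b, c in Z_m?
    Equivalent to b -> a*b being injective on Z_m; true iff gcd(a, m) == 1."""
    seen = set()
    for b in range(m):
        product = mul_mod(a, b, m)
        if product in seen:
            return False  # two different b give the same product: no cancellation
        seen.add(product)
    return True


if __name__ == "__main__":
    print("classes mod 2 on -4..4:", residue_classes(2, -4, 4))
    print("23 ≡ 8 (mod 5):", congruent(23, 8, 5))
    print("6 + 8 mod 9 =", add_mod(6, 8, 9), "  6 * 8 mod 9 =", mul_mod(6, 8, 9))
    print("units of Z_9:", units(9))
    for a in range(9):
        print(f"a={a}: inverse={inverse_by_search(a, 9)} cancellation={cancellation_holds(a, 9)}")
```

Note the comment on `residue_classes`: the claim that $n \bmod d$ lies in $[0, d-1]$ assumes a remainder operation that returns non-negative values, which Python's `%` guarantees but C's does not for negative n.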
Fields
• A field F is a set of elements with “addition” and “multiplication” operations $+, \times$ satisfying the following axioms:
  (A1)–(M6) Integral domain axioms
  (M7) Multiplicative inverse: For all $a \in F$ (except 0), there is an element $a^{-1} \in F$ such that $a \times a^{-1} = (a^{-1} \times a) = 1$.
• Examples of fields: rational numbers $\mathbb{Q}$, real numbers $\mathbb{R}$, complex numbers $\mathbb{C}$
Outline
• Review: Basic Mathematical Foundations
• Group Theory
• Number Theory
• Case Study: RSA Cryptosystem
Primality
• An integer n is prime if and only if n has exactly two divisors: 1 and n. Example primes:
  – $P = \{2, 3, 5, 7, 11, 13, 17, 19, \ldots\} = \{p_1, p_2, \ldots\}$
• Fundamental Theorem of Arithmetic: Every integer n > 1 is either prime or can be written as a unique product of primes.
• Examples:
  – $7 = 7^1 = 2^0 \times 3^0 \times 5^0 \times 7^1 \times \cdots$
  – $60 = 2 \times 2 \times 3 \times 5 = 2^2 \times 3^1 \times 5^1 \times 7^0 \times \cdots$
  – More generally,
    $$n = p_1^{e_1} \times p_2^{e_2} \times \cdots = \prod_{p_i \in P} p_i^{e_i}, \quad \text{where } e_i \in \{0, 1, 2, \ldots\} \tag{1}$$
Greatest Common Divisor
• The greatest common divisor (GCD) of integers m and n is the largest integer d that divides both m and n. Notation: $\gcd(m, n) = d$.
• If $\gcd(m, n) = 1$ for integers m and n, then m and n are coprime.
• How do we find the GCD?
  – Small numbers: multiply common prime factors.
  – Example: m = 84, n = 30. $m = 2 \times 2 \times 3 \times 7$; $n = 2 \times 3 \times 5$; $\gcd(m, n) = 2 \times 3 = 6$
  – This approach is inefficient for large numbers
Euclid’s Algorithm
• Faster algorithm to find the GCD; it exploits the following theorem: $\gcd(m, n) = \gcd(n, m \bmod n)$ (m > n)
  – PROOF: Let $d = \gcd(m, n)$. As $d \mid m$ and $d \mid n$, we can write $m = d \times k$ and $n = d \times \ell$ for coprime integers $k, \ell$ ($k > \ell > 0$). $(k - \ell)$ and $\ell$ are coprime too. Then $\gcd(m - n, n) = \gcd(d \times (k - \ell), d \times \ell) = d$.

Algorithm 1 EUCLID(m, n)
  A ← m; B ← n
  while B ≠ 0 do
    R ← A mod B
    A ← B
    B ← R
  return A

• Compute gcd(84, 30) and gcd(973, 301).
Extended Euclidean Algorithm
• If $\gcd(m, n) = 1$ for positive integer m < n, there is a positive multiplicative inverse modulo m, $n^{-1}$, such that $n \times n^{-1} = 1 \bmod m$
• The Euclidean algorithm can be extended to compute $n^{-1}$ if it exists (and return $\gcd(m, n)$) (Stallings, 2006)

Algorithm 2 EXTENDED EUCLID(m, n)
  (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, n)
  while true do
    if B3 == 0 then return A3            // no inverse
    if B3 == 1 then return B3            // B2 = n^{-1} mod m
    Q = ⌊A3 / B3⌋
    (T1, T2, T3) ← (A1 − Q × B1, A2 − Q × B2, A3 − Q × B3)
    (A1, A2, A3) ← (B1, B2, B3)
    (B1, B2, B3) ← (T1, T2, T3)
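Algorithms 1 and 2 above, as an added Python example (not code from the slides or from Stallings; function names are my own). `euclid` is Algorithm 1. `extended_euclid` follows Algorithm 2 step for step and relies on the invariant A3 = A1·m + A2·n and B3 = B1·m + B2·n, which holds from the initial tuples onward and is why B2 is the inverse of n modulo m once B3 reaches 1. Two small departures from the pseudocode: the function returns the inverse alongside the gcd instead of leaving it in B2, and it reduces B2 into $\mathbb{Z}_m$, because the raw B2 is frequently negative. The `main` block runs the slide's two gcd exercises.

```python
from typing import Optional, Tuple


def euclid(m: int, n: int) -> int:
    """Algorithm 1: gcd(m, n) = gcd(n, m mod n), iterated until the remainder is 0."""
    a, b = m, n
    while b != 0:
        r = a % b
        a, b = b, r
    return a


def extended_euclid(m: int, n: int) -> Tuple[int, Optional[int]]:
    """Algorithm 2 (Stallings). Returns (gcd(m, n), n^{-1} mod m), with None for the
    inverse when gcd(m, n) != 1.

    Invariant on every iteration: a3 == a1*m + a2*n and b3 == b1*m + b2*n.
    When b3 == 1 this reads 1 == b1*m + b2*n, i.e. b2*n ≡ 1 (mod m)."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, n
    while True:
        if b3 == 0:
            return a3, None          # gcd > 1 (or n == 0): no inverse exists
        if b3 == 1:
            return 1, b2 % m         # b2 may be negative; reduce into Z_m
        q = a3 // b3                 # Q = floor(A3 / B3)
        t1, t2, t3 = a1 - q * b1, a2 - q * b2, a3 - q * b3
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3


if __name__ == "__main__":
    for m, n in ((84, 30), (973, 301)):
        print(f"gcd({m}, {n}) = {euclid(m, n)}")
    for m, n in ((26, 7), (12, 8)):
        g, inv = extended_euclid(m, n)
        print(f"extended_euclid({m}, {n}): gcd = {g}, inverse of {n} mod {m} = {inv}")
```

The second exercise works out as 973 = 3·301 + 70, 301 = 4·70 + 21, 70 = 3·21 + 7, 21 = 3·7, so gcd(973, 301) = 7.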
Euler’s Totient Function I
• Consider the ring $\mathbb{Z}_m = \{0, \ldots, m - 1\}$. We want to find how many integers in $\mathbb{Z}_m$ are coprime to m, i.e., $\varphi(m)$.
• Convention: $\varphi(1) = 1$.
• Let’s compute $\varphi(5)$ and $\varphi(6)$ . . .
Euler’s Totient Function II
• If m is prime, $\varphi(m) = (m - 1)$.
• Otherwise, we need to determine m’s (unique) prime factorization to compute $\varphi(m)$. Recall Eq. (1):
  $$m = \prod_{p_i \in P} p_i^{e_i}, \quad \text{where } e_i \in \{0, 1, 2, \ldots\}.$$
• Let $\pi$ be the smallest prime larger than m ($\pi$ is the n-th prime). Then
  $$\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right). \tag{2}$$
• Let’s compute $\varphi(240)$ using Eq. (2) . . .
More Number Theory Theorems
• Fermat’s Little Theorem: Let a be an integer and p be a prime. Then $a^p \equiv a \pmod p$. Equivalently, $a^{p-1} \equiv 1 \pmod p$. So we can invert a modulo p: $a^{-1} \equiv a^{p-2} \pmod p$.
• Euler’s Theorem: Let a and m be integers such that $\gcd(a, m) = 1$. Then $a^{\varphi(m)} \equiv 1 \pmod m$.
• Notice that Euler’s Theorem is a generalization of Fermat’s Little Theorem (arbitrary modulus).
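Eq. (2) from the previous slide and the two theorems on this one, as an added Python example (not code from the slides or from the cited textbooks; function names are my own). `factorize` produces the factorization of Eq. (1) by trial division, storing only the primes with $e_i \geq 1$; those are the only factors that enter the product when Eq. (2) is evaluated for $\varphi(240)$. `phi` evaluates Eq. (2), `phi_brute_force` cross-checks it by counting the elements of $\mathbb{Z}_m$ coprime to m exactly as the Totient I slide defines $\varphi$, `fermat_inverse` inverts a modulo a prime via $a^{p-2}$, and `euler_theorem_holds` checks $a^{\varphi(m)} \equiv 1 \pmod m$. The `main` block works the slide's inputs $\varphi(5)$, $\varphi(6)$ and $\varphi(240)$.

```python
from math import gcd
from typing import Dict


def factorize(m: int) -> Dict[int, int]:
    """Prime factorization by trial division: {p_i: e_i} for the primes dividing m (Eq. (1))."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                      # leftover cofactor is itself prime
        factors[m] = factors.get(m, 0) + 1
    return factors


def phi(m: int) -> int:
    """Euler's totient via Eq. (2): product of p^e - p^(e-1) over the primes dividing m."""
    if m == 1:
        return 1                   # convention from the Totient I slide
    result = 1
    for p, e in factorize(m).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_brute_force(m: int) -> int:
    """Definition from Totient I: count the elements of Z_m coprime to m."""
    return sum(1 for a in range(m) if gcd(a, m) == 1)


def fermat_inverse(a: int, p: int) -> int:
    """a^{-1} mod prime p as a^{p-2} mod p (Fermat). Needs p not dividing a."""
    if a % p == 0:
        raise ValueError("a has no inverse modulo p when p divides a")
    return pow(a, p - 2, p)        # three-argument pow is modular exponentiation


def euler_theorem_holds(a: int, m: int) -> bool:
    """Check Euler's theorem a^{phi(m)} ≡ 1 (mod m) for gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError("Euler's theorem requires gcd(a, m) = 1")
    return pow(a, phi(m), m) == 1


if __name__ == "__main__":
    for m in (5, 6, 240):
        print(f"phi({m}) = {phi(m)} via Eq. (2), {phi_brute_force(m)} by counting; factors {factorize(m)}")
    print("3^-1 mod 7 =", fermat_inverse(3, 7), "check:", (3 * fermat_inverse(3, 7)) % 7)
    print("7^phi(240) ≡ 1 (mod 240):", euler_theorem_holds(7, 240))
```

For 240 = 2^4 · 3 · 5 the product is (16 − 8)(3 − 1)(5 − 1) = 64, and the brute-force count agrees.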
Outline
• Review: Basic Mathematical Foundations
• Group Theory
• Number Theory
• Case Study: RSA Cryptosystem
RSA Cryptosystem
• Widely used public-key (asymmetric) cryptosystem
• Security based on the following: it’s easy to multiply large primes, but very hard to factor the product (Paar and Pelzl, 2010)
• Computations in the integer ring $\mathbb{Z}_n$, where plaintext $m \in \mathbb{Z}_n$
• RSA Encryption: Given public key $(n, e) = k_{pub}$ and plaintext m, the encryption function is
  $$c = E_{k_{pub}}(m) \equiv m^e \pmod n, \tag{3}$$
  where $m, c \in \mathbb{Z}_n$.
• RSA Decryption: Given private key $(n, d) = k_{priv}$ and ciphertext c, the decryption function is
  $$m = D_{k_{priv}}(c) \equiv c^d \pmod n, \tag{4}$$
  where $m, c \in \mathbb{Z}_n$.
RSA Key Generation
Algorithm 3 RSA KEY GENERATION
  Choose two large primes p and q
  Compute n ← p · q
  Compute $\varphi(n) = (p - 1)(q - 1)$
  Select public exponent $e \in \{1, 2, \ldots, \varphi(n)\}$ such that $\gcd(e, \varphi(n)) = 1$
  Choose private exponent d such that $d \cdot e \equiv 1 \pmod{\varphi(n)}$

• Suppose Alice picks p = 3 and q = 11 and wants to send m = 4 to Bob. How would the RSA scheme work?
RSA in Practice
• This “textbook RSA” scheme has several weaknesses (Paar and Pelzl, 2010):
  – RSA encryption is deterministic
  – Plaintext values m = 0, m = 1, m = −1 produce the same ciphertext values (c = 0, c = 1, c = −1)
  – Attacks are possible with small plaintext and exponent values
• In practice, RSA encryption is combined with zero padding, salt, and message hash functions to securely transmit messages
RSA Digital Signatures
• The RSA algorithm can be repurposed for digitally signing a message m
• Public key $k_{pub} = (n, e)$, private key $k_{priv} = (n, d)$
• Signing: Compute $s = \mathrm{Sign}_{k_{priv}}(m) \equiv m^d \pmod n$
• Verification: Compute $m' = s^e \bmod n$. If $m' \equiv m \pmod n$, the signature is valid.
Questions & Comments?
Thank you!
• If you find this material interesting, consider taking CSE 5473 (Introduction to Network Security) and/or CSE 5431 (Introduction to Cryptography).
• More to explore:
  – (Sage Math, 2012) (http://www.sagemath.org);
  – Sage-based notes on the RSA cryptosystem (van Nguyen, 2010);
  – Free book on number theory (Stein, 2008)
References I
Knuth, D. E. (1997). The Art of Computer Programming, volume 1. Addison-Wesley, 3rd edition.
Paar, C. and Pelzl, J. (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2nd edition. http://crypto-textbook.com.
Sage Math (2012). http://www.sagemath.org.
Stallings, W. (2006). Cryptography and Network Security. Addison-Wesley, 4th edition.
Stein, W. (2008). Elementary Number Theory: Primes, Congruences, and Secrets. Springer. http://wstein.org/ent/.
van Nguyen, M. (2010). Number Theory and the RSA Cryptosystem. https://bitbucket.org/mvngu/numtheory-crypto/downloads/numtheory-crypto-1.1.pdf.