
Numerical Alg. & Cryptography

Numerical Algorithms

Multiplicative inverses of the residues modulo 10 (title-slide table):

  x      0  1  2  3  4  5  6  7  8  9
  x^-1   -  1  -  7  -  -  -  3  -  9

Outline

- Divisibility and primes
- Modular arithmetic
- Euclid's GCD algorithm
- Multiplicative inverses
- Powers
- Fermat's little theorem
- Euler's theorem

Facts About Numbers

Prime number p:
- p is an integer
- p >= 2
- The only divisors of p are 1 and p

Examples: 2, 7, 19 are primes; -3, 1, 6 are not primes

Prime decomposition of a positive integer n: $n = p_1^{e_1} \cdots p_k^{e_k}$

Example: $200 = 2^3 \cdot 5^2$

Fundamental Theorem of Arithmetic: The prime decomposition of a positive integer is unique

Greatest Common Divisor

The greatest common divisor (GCD) of two positive integers a and b, denoted gcd(a, b), is the largest positive integer that divides both a and b. The above definition is extended to arbitrary integers.

Examples:
  gcd(18, 30) = 6
  gcd(0, 20) = 20
  gcd(21, 49) = 7

Two integers a and b are said to be relatively prime if gcd(a, b) = 1

Example: Integers 15 and 28 are relatively prime

Modular Arithmetic

Modulo operator for a positive integer n: r = a mod n is equivalent to a = r + kn (for some integer k) and r = a - ⌊a/n⌋·n

Example:
  29 mod 13 = 3     29 = 3 + 2·13
  13 mod 13 = 0     13 = 0 + 1·13
  -1 mod 13 = 12    -1 = 12 - 1·13

Modulo and GCD: gcd(a, b) = gcd(b, a mod b)

Example: gcd(21, 12) = 3 = gcd(12, 21 mod 12) = gcd(12, 9) = 3

Euclid's GCD Algorithm

Euclid's algorithm for computing the GCD repeatedly applies the formula gcd(a, b) = gcd(b, a mod b)

Example: gcd(412, 260) = 4
  a   412  260  152  108   44   20    4
  b   260  152  108   44   20    4    0

Algorithm EuclidGCD(a, b)
  Input: integers a and b
  Output: gcd(a, b)
  if b = 0
    return a
  else
    return EuclidGCD(b, a mod b)

Analysis

Let $a_i$ and $b_i$ be the arguments of the i-th recursive call of algorithm EuclidGCD. We have
  $a_{i+2} = b_{i+1} = a_i \bmod a_{i+1} < a_{i+1}$

The sequence $a_1, a_2, \ldots, a_n$ decreases exponentially, namely $a_{i+2} \le \tfrac{1}{2} a_i$ for $i \ge 1$:
- Case 1: $a_{i+1} \le \tfrac{1}{2} a_i$. Then $a_{i+2} < a_{i+1} \le \tfrac{1}{2} a_i$
- Case 2: $a_{i+1} > \tfrac{1}{2} a_i$. Then $a_{i+2} = a_i \bmod a_{i+1} = a_i - a_{i+1} < \tfrac{1}{2} a_i$

Thus, the maximum number of recursive calls of algorithm EuclidGCD(a, b) is $1 + 2 \log \max(a, b)$

Algorithm EuclidGCD(a, b) executes $O(\log \max(a, b))$ arithmetic operations
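As an added example (not code from the slides), EuclidGCD in Python with the arguments of every recursive call recorded, so the halving step $a_{i+2} \le \tfrac{1}{2} a_i$ and the bound $1 + 2 \log \max(a, b)$ from the analysis can be checked on the slide's own input (412, 260) and on the worst case, consecutive Fibonacci numbers.

```python
import math


def euclid_gcd(a, b, trace=None):
    """EuclidGCD(a, b) from the slides: gcd(a, b) = gcd(b, a mod b) until b = 0.
    If a list is passed as `trace`, the (a_i, b_i) arguments of every call are appended."""
    if trace is not None:
        trace.append((a, b))
    if b == 0:
        return a
    return euclid_gcd(b, a % b, trace)


def call_bound(a, b):
    """Bound on the number of recursive calls stated in the analysis: 1 + 2 log2 max(a, b)."""
    return 1 + 2 * math.log2(max(a, b))


def halving_holds(trace):
    """Check a_{i+2} <= a_i / 2 along the recorded argument sequence."""
    a_seq = [a for a, _ in trace]
    return all(a_seq[i + 2] <= a_seq[i] / 2 for i in range(len(a_seq) - 2))


def analyse(a, b):
    """Run EuclidGCD(a, b) and report (gcd, number of calls, bound respected, halving holds)."""
    trace = []
    g = euclid_gcd(a, b, trace)
    return g, len(trace), len(trace) <= call_bound(a, b), halving_holds(trace)


if __name__ == "__main__":
    trace = []
    print("gcd(412, 260) =", euclid_gcd(412, 260, trace))
    print("a:", [a for a, _ in trace])
    print("b:", [b for _, b in trace])
    # Consecutive Fibonacci numbers are the worst case for Euclid's algorithm.
    print("Fibonacci (144, 89):", analyse(144, 89))
```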

Multiplicative Inverses (1)

The residues modulo a positive integer n are the set $Z_n = \{0, 1, 2, \ldots, n-1\}$

Let x and y be two elements of $Z_n$ such that $xy \bmod n = 1$. We say that y is the multiplicative inverse of x in $Z_n$ and we write $y = x^{-1}$

Example: Multiplicative inverses of the residues modulo 11

  x      0   1   2   3   4   5   6   7   8   9  10
  x^-1   -   1   6   4   3   9   2   8   7   5  10

Multiplicative Inverses (2)

Theorem: An element x of $Z_n$ has a multiplicative inverse if and only if x and n are relatively prime

Example: The elements of $Z_{10}$ with a multiplicative inverse are 1, 3, 7, 9

Corollary: If p is prime, every nonzero residue in $Z_p$ has a multiplicative inverse

Theorem: A variation of Euclid's GCD algorithm computes the multiplicative inverse of an element x of $Z_n$ or determines that it does not exist

  x      0  1  2  3  4  5  6  7  8  9
  x^-1   -  1  -  7  -  -  -  3  -  9

Powers

Let p be a prime. The sequences of successive powers of the elements of $Z_p$ exhibit repeating subsequences. The sizes of the repeating subsequences and the number of their repetitions are the divisors of p - 1

Example (p = 7)

  x   x^2  x^3  x^4  x^5  x^6
  1    1    1    1    1    1
  2    4    1    2    4    1
  3    2    6    4    5    1
  4    2    1    4    2    1
  5    4    6    2    3    1
  6    1    6    1    6    1

Fermat's Little Theorem

Theorem: Let p be a prime. For each nonzero residue x of $Z_p$, we have $x^{p-1} \bmod p = 1$

Example (p = 5):
  $1^4 \bmod 5 = 1$
  $2^4 \bmod 5 = 16 \bmod 5 = 1$
  $3^4 \bmod 5 = 81 \bmod 5 = 1$
  $4^4 \bmod 5 = 256 \bmod 5 = 1$

Corollary: Let p be a prime. For each nonzero residue x of $Z_p$, the multiplicative inverse of x is $x^{p-2} \bmod p$

Proof: $x \cdot (x^{p-2} \bmod p) \bmod p = x \cdot x^{p-2} \bmod p = x^{p-1} \bmod p = 1$

Euler's Theorem

The multiplicative group for $Z_n$, denoted with $Z^*_n$, is the subset of elements of $Z_n$ relatively prime with n

The totient function of n, denoted with $\phi(n)$, is the size of $Z^*_n$

Example: $Z^*_{10} = \{1, 3, 7, 9\}$, $\phi(10) = 4$

If p is prime, we have $Z^*_p = \{1, 2, \ldots, p-1\}$ and $\phi(p) = p - 1$

Theorem: For each element x of $Z^*_n$, we have $x^{\phi(n)} \bmod n = 1$

Example (n = 10):
  $3^{\phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
  $7^{\phi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
  $9^{\phi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$
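An added example (not code from the slides) covering the Powers, Fermat and Euler slides, and the repeated Euler slide later in the deck: it builds $Z^*_n$ and $\phi(n)$ from gcd, checks Euler's theorem exhaustively, reproduces the power table for p = 7 with the size of each repeating subsequence, and computes inverses as $x^{p-2} \bmod p$.

```python
from math import gcd


def units(n):
    """Z*_n: the residues in Z_n that are relatively prime with n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient function: the size of Z*_n."""
    return len(units(n))


def euler_holds(n):
    """Euler's theorem checked exhaustively: x^phi(n) mod n == 1 for every x in Z*_n."""
    return all(pow(x, phi(n), n) == 1 for x in units(n))


def power_table(p):
    """For each nonzero x in Z_p, the row x, x^2, ..., x^(p-1) mod p (the Powers slide uses p = 7)."""
    return {x: [pow(x, k, p) for k in range(1, p)] for x in range(1, p)}


def cycle_length(x, p):
    """Size of the repeating subsequence in the powers of x: smallest k >= 1 with x^k mod p == 1."""
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k


def fermat_inverse(x, p):
    """Inverse of x in Z_p for prime p, computed as x^(p-2) mod p (corollary of Fermat's little theorem)."""
    return pow(x, p - 2, p)


if __name__ == "__main__":
    for x, row in power_table(7).items():
        print(x, row, "cycle length", cycle_length(x, 7))   # every cycle length divides p - 1 = 6
    print("Z*_10 =", units(10), "phi(10) =", phi(10), "Euler holds:", euler_holds(10))
    print("inverse of 3 in Z_11:", fermat_inverse(3, 11))
```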

The Fast Fourier Transform

[Figure: diagram of the FFT over the indices 0 to 15; only the index labels survived extraction]

Outline and Reading

- Polynomial Multiplication Problem
- Primitive Roots of Unity (§10.4.1)
- The Discrete Fourier Transform (§10.4.2)
- The FFT Algorithm (§10.4.3)
- Integer Multiplication (§10.4.4)
- Java FFT Integer Multiplication (§10.5)

Polynomials

Polynomial: $p(x) = 5 + 2x + 8x^2 + 3x^3 + 4x^4$

In general, $p(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}$, or $p(x) = \sum_{i=0}^{n-1} a_i x^i$

Polynomial Evaluation

Horner's Rule: Given coefficients $(a_0, a_1, a_2, \ldots, a_{n-1})$, defining polynomial $p(x) = \sum_{i=0}^{n-1} a_i x^i$

Given x, we can evaluate p(x) in O(n) time using the equation
  $p(x) = a_0 + x(a_1 + x(a_2 + \cdots + x(a_{n-2} + x a_{n-1}) \cdots))$

Eval(A, x): [Where $A = (a_0, a_1, a_2, \ldots, a_{n-1})$]
  If n = 1, then return $a_0$
  Else, let $A' = (a_1, a_2, \ldots, a_{n-1})$ [assume this can be done in constant time]
    return $a_0 + x \cdot \mathrm{Eval}(A', x)$

Polynomial Multiplication Problem

Given coefficients $(a_0, a_1, a_2, \ldots, a_{n-1})$ and $(b_0, b_1, b_2, \ldots, b_{n-1})$ defining two polynomials, p() and q(), and number x, compute p(x)q(x).

Horner's rule doesn't help, since $p(x)q(x) = \sum_{i=0}^{2n-2} c_i x^i$, where $c_i = \sum_{j=0}^{i} a_j b_{i-j}$

A straightforward evaluation would take $O(n^2)$ time. The "magical" FFT will do it in $O(n \log n)$ time.

Polynomial Interpolation & Polynomial Multiplication

Given a set of n points in the plane with distinct x-coordinates, there is exactly one (n-1)-degree polynomial going through all these points.

Alternate approach to computing p(x)q(x):
1. Calculate p() on 2n x-values, $x_0, x_1, \ldots, x_{2n-1}$.
2. Calculate q() on the same 2n x-values.
3. Find the (2n-1)-degree polynomial that goes through the points $\{(x_0, p(x_0)q(x_0)), (x_1, p(x_1)q(x_1)), \ldots, (x_{2n-1}, p(x_{2n-1})q(x_{2n-1}))\}$.

Unfortunately, a straightforward evaluation would still take $O(n^2)$ time, as we would need to apply an O(n)-time Horner's Rule evaluation to 2n different points. The "magical" FFT will do it in $O(n \log n)$ time, by picking 2n points that are easy to evaluate...

Primitive Roots of Unity

A number $\omega$ is a primitive n-th root of unity, for n > 1, if
- $\omega^n = 1$
- The numbers $1, \omega, \omega^2, \ldots, \omega^{n-1}$ are all distinct

Example 1: $Z^*_{11}$:
- 2, 6, 7, 8 are 10-th roots of unity in $Z^*_{11}$
- $2^2 = 4$, $6^2 = 3$, $7^2 = 5$, $8^2 = 9$ are 5-th roots of unity in $Z^*_{11}$
- $2^{-1} = 6$, $3^{-1} = 4$, $4^{-1} = 3$, $5^{-1} = 9$, $6^{-1} = 2$, $7^{-1} = 8$, $8^{-1} = 7$, $9^{-1} = 5$

Example 2: The complex number $e^{2\pi i/n}$ is a primitive n-th root of unity, where $i = \sqrt{-1}$

Powers of the elements of $Z^*_{11}$:

   x   x^2  x^3  x^4  x^5  x^6  x^7  x^8  x^9  x^10
   1    1    1    1    1    1    1    1    1    1
   2    4    8    5   10    9    7    3    6    1
   3    9    5    4    1    3    9    5    4    1
   4    5    9    3    1    4    5    9    3    1
   5    3    4    9    1    5    3    4    9    1
   6    3    7    9   10    5    8    4    2    1
   7    5    2    3   10    4    6    9    8    1
   8    9    6    4   10    3    2    5    7    1
   9    4    3    5    1    9    4    3    5    1
  10    1   10    1   10    1   10    1   10    1

Properties of Primitive Roots of Unity

Inverse Property: If $\omega$ is a primitive root of unity, then $\omega^{-1} = \omega^{n-1}$
  Proof: $\omega^{n-1} \omega = \omega^n = 1$

Cancellation Property: For non-zero $-n < k < n$, $\sum_{j=0}^{n-1} \omega^{kj} = 0$
  Proof: $\sum_{j=0}^{n-1} \omega^{kj} = \frac{(\omega^k)^n - 1}{\omega^k - 1} = \frac{(\omega^n)^k - 1}{\omega^k - 1} = \frac{1^k - 1}{\omega^k - 1} = \frac{0}{\omega^k - 1} = 0$

Reduction Property: If $\omega$ is a primitive (2n)-th root of unity, then $\omega^2$ is a primitive n-th root of unity.
  Proof: If $1, \omega, \omega^2, \ldots, \omega^{2n-1}$ are all distinct, so are $1, \omega^2, (\omega^2)^2, \ldots, (\omega^2)^{n-1}$

Reflective Property: If n is even, then $\omega^{n/2} = -1$.
  Proof: By the cancellation property, for k = n/2:
  $0 = \sum_{j=0}^{n-1} \omega^{(n/2) j} = \omega^0 + \omega^{n/2} + \omega^0 + \omega^{n/2} + \cdots + \omega^0 + \omega^{n/2} = (n/2)(1 + \omega^{n/2})$

Corollary: $\omega^{k + n/2} = -\omega^k$.

The Discrete Fourier Transform

Given coefficients $(a_0, a_1, a_2, \ldots, a_{n-1})$ for an (n-1)-degree polynomial p(x), the Discrete Fourier Transform is to evaluate p at the values $1, \omega, \omega^2, \ldots, \omega^{n-1}$

We produce $(y_0, y_1, y_2, \ldots, y_{n-1})$, where $y_j = p(\omega^j)$. That is,
  $y_j = \sum_{i=0}^{n-1} a_i \omega^{ij}$

Matrix form: $y = Fa$, where $F[i,j] = \omega^{ij}$.

The Inverse Discrete Fourier Transform recovers the coefficients of an (n-1)-degree polynomial given its values at $1, \omega, \omega^2, \ldots, \omega^{n-1}$

Matrix form: $a = F^{-1} y$, where $F^{-1}[i,j] = \omega^{-ij}/n$.

Correctness of the inverse DFT

The DFT and inverse DFT really are inverse operations.

Proof: Let $A = F^{-1} F$. We want to show that A = I, where
  $A[i,j] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{-ik} \omega^{kj}$

If i = j, then
  $A[i,i] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{-ik} \omega^{ki} = \frac{1}{n} \sum_{k=0}^{n-1} \omega^0 = \frac{1}{n} \cdot n = 1$

If i and j are different, then
  $A[i,j] = \frac{1}{n} \sum_{k=0}^{n-1} \omega^{(j-i)k} = 0$ (by the Cancellation Property)

Convolution

The DFT and the inverse DFT can be used to multiply two polynomials. So we can get the coefficients of the product polynomial quickly if we can compute the DFT (and its inverse) quickly...

  [a0, a1, a2, ..., a(n-1)]                   [b0, b1, b2, ..., b(n-1)]
         | pad with n 0's                            | pad with n 0's
  [a0, a1, ..., a(n-1), 0, 0, ..., 0]         [b0, b1, ..., b(n-1), 0, 0, ..., 0]
         | DFT                                       | DFT
  [y0, y1, y2, ..., y(2n-1)]                  [z0, z1, z2, ..., z(2n-1)]
                     \  component multiply  /
                 [y0 z0, y1 z1, ..., y(2n-1) z(2n-1)]
                            | inverse DFT
                 [c0, c1, c2, ..., c(2n-1)]   (Convolution)

The Fast Fourier Transform

The FFT is an efficient algorithm for computing the DFT. The FFT is based on the divide-and-conquer paradigm: if n is even, we can divide a polynomial into two polynomials, and we can write

The FFT Algorithm

The running time is O(n log n). [inverse FFT is similar]

Multiplying Big Integers

Given N-bit integers I and J, compute IJ.

Assume: we can multiply words of O(log N) bits in constant time.

Setup: Find a prime p = cn + 1 that can be represented in one word, and set $m = \lfloor (\log p)/3 \rfloor$, so that we can view I and J as n-length vectors of m-bit words.

Finding a primitive root of unity:
- Find a generator x of $Z^*_p$.
- Then $\omega = x^c$ is a primitive n-th root of unity in $Z^*_p$ (arithmetic is mod p)

Apply convolution and FFT algorithm to compute the convolution C of the vector representations of I and J. Then compute
  $K = \sum_{i=0}^{2n-1} c_i 2^{mi}$

K is a vector representing IJ, and takes O(n log n) time to compute.
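An added example in Python (not the slides' Java code) putting the Convolution, FFT and Multiplying Big Integers slides together: a prime of the form p = cN + 1 is found, a generator x of $Z^*_p$ gives $\omega = x^c$, a recursive FFT over $Z_p$ convolves the m-bit word vectors, and $K = \sum_i c_i 2^{mi}$ reassembles the product. Unlike the slides, which fix p to one machine word and derive m from it, this version fixes m (8 bits, an assumption) and chooses p large enough that every convolution coefficient is exact; `pow(v, -1, p)` (Python 3.8+) supplies the modular inverses.

```python
def is_prime(x):
    """Trial division; adequate for the small primes p = cN + 1 searched for below."""
    if x < 2:
        return False
    f = 2
    while f * f <= x:
        if x % f == 0:
            return False
        f += 1
    return True


def find_prime(N, lower):
    """Smallest prime p = cN + 1 with p > lower; returns (p, c)."""
    c = lower // N + 1
    while not is_prime(c * N + 1):
        c += 1
    return c * N + 1, c


def prime_factors(m):
    """Distinct prime factors of m (trial division)."""
    factors, f = set(), 2
    while f * f <= m:
        while m % f == 0:
            factors.add(f)
            m //= f
        f += 1
    if m > 1:
        factors.add(m)
    return factors


def generator(p):
    """A generator x of Z*_p: x^((p-1)/r) != 1 for every prime factor r of p - 1."""
    rs = prime_factors(p - 1)
    return next(x for x in range(2, p) if all(pow(x, (p - 1) // r, p) != 1 for r in rs))


def fft(a, omega, p):
    """Recursive FFT over Z_p: evaluate a at 1, omega, ..., omega^(n-1), omega a primitive n-th root."""
    n = len(a)
    if n == 1:
        return a[:]
    # Reduction property: omega^2 is a primitive (n/2)-th root for the even/odd halves.
    even = fft(a[0::2], omega * omega % p, p)
    odd = fft(a[1::2], omega * omega % p, p)
    y, w = [0] * n, 1
    for i in range(n // 2):
        y[i] = (even[i] + w * odd[i]) % p
        y[i + n // 2] = (even[i] - w * odd[i]) % p   # reflective property: omega^(n/2) = -1
        w = w * omega % p
    return y


def inverse_fft(y, omega, p):
    """Inverse DFT: FFT with omega^-1 (= omega^(n-1)), then multiply by n^-1 mod p."""
    n = len(y)
    n_inv = pow(n, -1, p)
    return [v * n_inv % p for v in fft(y, pow(omega, -1, p), p)]


def to_words(x, m, n):
    """x as a little-endian vector of n m-bit words (requires x < 2^(mn))."""
    mask = (1 << m) - 1
    return [(x >> (m * i)) & mask for i in range(n)]


def multiply(I, J, m=8):
    """I * J via convolution of their m-bit word vectors with the FFT in Z*_p."""
    if I == 0 or J == 0:
        return 0
    words = (max(I, J).bit_length() + m - 1) // m
    n = 1
    while n < words:            # vector length n is a power of two
        n *= 2
    N = 2 * n                   # length after padding each vector with n zeros
    # Every convolution coefficient is at most n(2^m - 1)^2, so choose p above that bound
    # and of the form cN + 1, which makes x^c a primitive N-th root of unity in Z*_p.
    p, c = find_prime(N, n * (1 << m) ** 2)
    omega = pow(generator(p), c, p)
    ya = fft(to_words(I, m, n) + [0] * n, omega, p)
    yb = fft(to_words(J, m, n) + [0] * n, omega, p)
    C = inverse_fft([u * v % p for u, v in zip(ya, yb)], omega, p)   # the convolution
    return sum(ci << (m * i) for i, ci in enumerate(C))              # K = sum c_i 2^(mi)


if __name__ == "__main__":
    I, J = 123456789012345678901234567890, 98765432109876543210
    print(multiply(I, J) == I * J)
```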

Java Example: Multiplying Big Integers

Setup: Define BigInt class, and include essential parameters, including the prime, P, and primitive root of unity, OMEGA.

Java Integer Multiply Method

Use convolution to multiply two big integers, this and val:

Java FFT in Z*_p

Support Methods for Java FFT in Z*_p

Non-recursive FFT

There is also a non-recursive version of the FFT:
- Performs the FFT in place
- Precomputes all roots of unity
- Performs a cumulative collection of shuffles on A and on B prior to the FFT, which amounts to assigning the value at index i to the index bit-reverse(i)

The code is a bit more complex, but the running time is faster by a constant, due to improved overhead

Experimental Results

Log-log scale shows traditional multiply runs in $O(n^2)$ time, while FFT versions are almost linear

Cryptography

[Figure: plaintext -> encrypt -> ciphertext]

Outline

- Traditional cryptography
- Statistical attacks
- Secret-key encryption
- Public-key encryption

Encryption

Scenario:
- Alice wants to send a message (plaintext p) to Bob.
- The communication channel is insecure and can be eavesdropped.
- If Alice and Bob have previously agreed on an encryption scheme (cipher), the message can be sent encrypted (ciphertext c).

Issues:
- What is a good encryption scheme?
- What is the complexity of encrypting/decrypting?
- What is the size of the ciphertext, relative to the plaintext?
- If Alice and Bob have never interacted before, how can they agree on an encryption scheme?

[Figure: plaintext -> encrypt -> ciphertext -> decrypt -> plaintext]

Traditional Cryptography

Ciphers were already studied in ancient times.

Caesar's cipher:
- replace a with d
- replace b with e
- ...
- replace z with c

Caesar's cipher is an example of a monoalphabetic substitution cipher, which permutes the characters. Armed with simple statistical knowledge, one can easily break a monoalphabetic substitution cipher:
- most frequent letters in English: e, t, o, a, n, i, ...
- most frequent digrams: th, in, er, re, an, ...
- most frequent trigrams: the, ing, and, ion, ...

The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi

Statistical Attacks

Armed with statistical knowledge about the plaintext language, one can easily break a monoalphabetic substitution cipher:
- Most frequent characters in English: e, t, o, a, n, i, ...
- Most frequent digrams: th, in, er, re, an, ...
- Most frequent trigrams: the, ing, and, ion, ...

The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi

Example (S. Singh, The Code Book, 1999):

PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”

OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK

Frequency Analysis (1)

We identify the most common characters, digrams and trigrams in the ciphertext.

Example:

PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”

OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK

First guess: LBO is THE

Frequency Analysis (2)

Assuming LBO represents THE, we replace L with T, B with H, and O with E and get

PCQ VMJYPD THYK TYSE KHXHJXWXV HXV ZCJPE EYPD KHXHJYUXJ THJEE KCPK. CP THE THCMKXPV XPV IYJKT PYDHT, QHEP KHO HXV EPVEV THE LXRE CI SX'XJMI, KHE JCKE XPV EYKKEV THE DJCMPV ZEICJE HYS, KXUYPD: “DJEXT EYPD, ICJ X THCMKXPV XPV CPE PYDHTK Y HXNE ZEEP JEACMPTYPD TC UCM THE IXZREK CI FXKT XDEK XPV THE REDEPVK CI XPAYEPT EYPDK. SXU Y SXEE KC ZCRV XK TC AJXNE X IXNCMJ CI UCMJ SXGEKTU?”

EFYRCDME, TXREK IJCS THE THCMKXPV XPV CPE PYDBTK

Decryption

Code (ciphertext letter above, plaintext letter below):

  X Z A V O I D B Y G E R S P C F H J K L M N Q T U W
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Ciphertext:

PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?”

OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK

Plaintext:

Now during this time Shahrazad had borne King Shahriyar three sons. On the thousand and first night, when she had ended the tale of Ma'aruf, she rose and kissed the ground before him, saying: “Great King, for a thousand and one nights I have been recounting to you the fables of past ages and the legends of ancient kings. May I make so bold as to crave a favour of your majesty?”

Epilogue, Tales from the Thousand and One Nights
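The statistical attack of the preceding four slides as an added Python example (not code from the slides): it counts characters, digrams and trigrams in the slides' ciphertext, applies the partial substitution L, B, O -> T, H, E of the Frequency Analysis (2) slide, and finally the full decryption code of the Decryption slide. The ciphertext and the code are copied from the page; the n-gram counter treats spaces and punctuation as word boundaries (an assumption).

```python
from collections import Counter

# Ciphertext from the slides (S. Singh, The Code Book, 1999), copied as it appears on the page.
CIPHERTEXT = (
    "PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO "
    "LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV "
    "EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: \u201cDJOXL EYPD, ICJ X LBCMKXPV XPV CPO "
    "PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI "
    "XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?\u201d "
    "OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK"
)

# Decryption code from the slides: ciphertext letter above, plaintext letter below.
CIPHER_ROW = "XZAVOIDBYGERSPCFHJKLMNQTUW"
PLAIN_ROW = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
CODE = dict(zip(CIPHER_ROW, PLAIN_ROW))


def ngram_counts(text, k):
    """Counts of k-grams of consecutive letters; spaces and punctuation end a word."""
    counts = Counter()
    for word in text.split():
        w = "".join(ch for ch in word if ch.isalpha())
        for i in range(len(w) - k + 1):
            counts[w[i:i + k]] += 1
    return counts


def most_common(text, k, top=5):
    """The `top` most frequent k-grams, most frequent first."""
    return [g for g, _ in ngram_counts(text, k).most_common(top)]


def substitute(text, table):
    """Apply a (possibly partial) substitution table; letters not in the table are left unchanged."""
    return "".join(table.get(ch, ch) for ch in text)


def frequency_report(text):
    """Most common characters, digrams and trigrams: the data a first guess such as LBO = THE rests on."""
    return {k: most_common(text, k) for k in (1, 2, 3)}


if __name__ == "__main__":
    print(frequency_report(CIPHERTEXT))
    print(substitute(CIPHERTEXT, {"L": "T", "B": "H", "O": "E"})[:40])   # partial decryption step
    print(substitute(CIPHERTEXT, CODE))
```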

Secret-Key Encryption

A secret-key cipher uses a unique key K to encrypt and decrypt.

Caesar's generalized cipher uses the modular addition of each character (viewed as an integer) with the key:
  C[i] = (P[i] + K) mod m
  P[i] = (C[i] - K) mod m

More secure secret-key encryption schemes have been devised in this century. Examples: DES, 3DES, IDEA, BLOWFISH

With private-key encryption, a distinct secret key must be established for every pair of parties

Public-Key Encryption

Bob uses a pair of keys $(K_E, K_D)$ and
- makes key $K_E$ public
- keeps key $K_D$ private

Anyone can use the public key $K_E$ to encrypt a plaintext into a ciphertext sent to Bob. Only Bob can decrypt the ciphertext using the private key $K_D$.

The most popular encryption scheme is RSA, named after its inventors Rivest, Shamir, and Adleman (1978). The RSA patent expired in 2000.

[Figure: plaintext -> encrypt (public key) -> ciphertext -> decrypt (private key) -> plaintext]

RSA Cryptosystem

  Bits    PCs        Memory
  430     1          128MB
  760     215,000    4GB
  1,020   342·10^6   170GB
  1,620   1.6·10^15  120TB

Outline

- Euler's theorem (§10.1.3)
- RSA cryptosystem (§10.2.3)
  - Definition
  - Example
  - Security
  - Correctness
- Algorithms for RSA
  - Modular power (§10.1.4)
  - Modular inverse (§10.1.5)
  - Randomized primality testing (§10.1.6)

Euler's Theorem

The multiplicative group for $Z_n$, denoted with $Z^*_n$, is the subset of elements of $Z_n$ relatively prime with n

The totient function of n, denoted with $\phi(n)$, is the size of $Z^*_n$

Example: $Z^*_{10} = \{1, 3, 7, 9\}$, $\phi(10) = 4$

If p is prime, we have $Z^*_p = \{1, 2, \ldots, p-1\}$ and $\phi(p) = p - 1$

Euler's Theorem: For each element x of $Z^*_n$, we have $x^{\phi(n)} \bmod n = 1$

Example (n = 10):
  $3^{\phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
  $7^{\phi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
  $9^{\phi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$

RSA Cryptosystem

Setup:
- n = pq, with p and q primes
- e relatively prime to $\phi(n) = (p - 1)(q - 1)$
- d inverse of e in $Z_{\phi(n)}$

Keys:
- Public key: $K_E = (n, e)$
- Private key: $K_D = d$

Encryption: Plaintext M in $Z_n$, $C = M^e \bmod n$

Decryption: $M = C^d \bmod n$

Example

Setup: p = 7, q = 17, n = 7·17 = 119, $\phi(n)$ = 6·16 = 96, e = 5, d = 77

Keys: public key (119, 5), private key 77

Encryption: M = 19, $C = 19^5 \bmod 119 = 66$

Decryption: C = 66, $M = 66^{77} \bmod 119 = 19$

Complete RSA Example

Setup: p = 5, q = 11, n = 5·11 = 55, $\phi(n)$ = 4·10 = 40, e = 3, d = 27 (3·27 = 81 = 2·40 + 1)

Encryption: $C = M^3 \bmod 55$

Decryption: $M = C^{27} \bmod 55$

  M   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18
  C   1   8  27   9  15  51  13  17  14  10  11  23  52  49  20  26  18   2

  M  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36
  C  39  25  21  33  12  19   5  31  48   7  24  50  36  43  22  34  30  16

  M  37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53  54
  C  53  37  29  35   6   3  32  44  45  41  38  42   4  40  46  28  47  54
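The RSA setup, encryption and decryption of the two preceding slides as an added Python example (not code from the slides). It reproduces the (119, 5)/77 example and the complete M -> C table for n = 55, and also checks decrypt(encrypt(M)) = M for every M in $Z_n$, including the plaintexts that share a factor with n, which the correctness slide below leaves to the book. `pow(e, -1, phi)` (Python 3.8+) stands in for the extended Euclid step that computes d.

```python
from math import gcd


def rsa_setup(p, q, e):
    """Setup from the slides: n = pq, phi(n) = (p - 1)(q - 1), d = inverse of e in Z_phi(n).
    Returns the public key (n, e) and the private key d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (n, e), pow(e, -1, phi)


def encrypt(public_key, M):
    """C = M^e mod n for a plaintext M in Z_n."""
    n, e = public_key
    if not 0 <= M < n:
        raise ValueError("plaintext must be a residue in Z_n")
    return pow(M, e, n)


def decrypt(public_key, d, C):
    """M = C^d mod n."""
    n, _ = public_key
    return pow(C, d, n)


def cipher_table(p, q, e):
    """The 'Complete RSA Example' table: M -> C for every nonzero M in Z_n."""
    pub, _ = rsa_setup(p, q, e)
    return {M: encrypt(pub, M) for M in range(1, pub[0])}


def roundtrip_all(p, q, e):
    """Check decrypt(encrypt(M)) == M for every M in Z_n, including M sharing a factor with n."""
    pub, d = rsa_setup(p, q, e)
    return all(decrypt(pub, d, encrypt(pub, M)) == M for M in range(pub[0]))


if __name__ == "__main__":
    pub, d = rsa_setup(7, 17, 5)
    print("public key", pub, "private key", d)       # (119, 5) 77
    C = encrypt(pub, 19)
    print("C =", C, "M =", decrypt(pub, d, C))        # 66 19
    table = cipher_table(5, 11, 3)
    print([table[M] for M in range(1, 19)])
    print("round trip for all M in Z_55:", roundtrip_all(5, 11, 3))
```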

Security

The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers.

The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored.

The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers. In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits).

In 1999, a 512-bit number was factored in 4 months using the following computers:
- 160 175-400 MHz SGI and Sun
- 8 250 MHz SGI Origin
- 120 300-450 MHz Pentium II
- 4 500 MHz Digital/Compaq

Estimated resources needed to factor a number within one year:

  Bits    PCs        Memory
  430     1          128MB
  760     215,000    4GB
  1,020   342·10^6   170GB
  1,620   1.6·10^15  120TB

Correctness

We show the correctness of the RSA cryptosystem for the case when the plaintext M does not divide n. Namely, we show that $(M^e)^d \bmod n = M$.

Since $ed \bmod \phi(n) = 1$, there is an integer k such that $ed = k\phi(n) + 1$.

Since M does not divide n, by Euler's theorem we have $M^{\phi(n)} \bmod n = 1$.

Thus, we obtain
  $(M^e)^d \bmod n$
  $= M^{ed} \bmod n$
  $= M^{k\phi(n)+1} \bmod n$
  $= M \cdot M^{k\phi(n)} \bmod n$
  $= M \cdot (M^{\phi(n)})^k \bmod n$
  $= M \cdot (M^{\phi(n)} \bmod n)^k \bmod n$
  $= M \cdot 1^k \bmod n$
  $= M \bmod n$
  $= M$

See the book for the proof of correctness in the case when the plaintext M divides n.

Algorithmic Issues

The implementation of the RSA cryptosystem requires various algorithms.

Overall:
- Representation of integers of arbitrarily large size and arithmetic operations on them

Encryption:
- Modular power

Decryption:
- Modular power

Setup:
- Generation of random numbers with a given number of bits (to generate candidates p and q)
- Primality testing (to check that candidates p and q are prime)
- Computation of the GCD (to verify that e and $\phi(n)$ are relatively prime)
- Computation of the multiplicative inverse (to compute d from e)

Modular Power

The repeated squaring algorithm speeds up the computation of a modular power $a^p \bmod n$.

Write the exponent p in binary: $p = p_{b-1} p_{b-2} \ldots p_1 p_0$

Start with $Q_1 = a^{p_{b-1}} \bmod n$

Repeatedly compute $Q_i = ((Q_{i-1})^2 \bmod n) \cdot a^{p_{b-i}} \bmod n$

We obtain $Q_b = a^p \bmod n$

The repeated squaring algorithm performs $O(\log p)$ arithmetic operations

Example: $3^{18} \bmod 19$ (18 = 10010 in binary)
  $Q_1 = 3^1 \bmod 19 = 3$
  $Q_2 = (3^2 \bmod 19) \cdot 3^0 \bmod 19 = 9$
  $Q_3 = (9^2 \bmod 19) \cdot 3^0 \bmod 19 = 81 \bmod 19 = 5$
  $Q_4 = (5^2 \bmod 19) \cdot 3^1 \bmod 19 = (25 \bmod 19) \cdot 3 \bmod 19 = 18 \bmod 19 = 18$
  $Q_5 = (18^2 \bmod 19) \cdot 3^0 \bmod 19 = (324 \bmod 19) \bmod 19 = (17 \cdot 19 + 1) \bmod 19 = 1$

  $p_{5-i}$       1   0   0   1   0
  $3^{p_{5-i}}$   3   1   1   3   1
  $Q_i$           3   9   5  18   1
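The repeated squaring algorithm of this slide as an added Python example (not code from the slides), returning the sequence $Q_1, \ldots, Q_b$ so the trace for $3^{18} \bmod 19$ can be compared with the table, together with a count of the multiplications performed against the naive p - 1 multiplications.

```python
def modpow_trace(a, p, n):
    """Repeated squaring as on the slide.
    With p = p_{b-1} ... p_1 p_0 in binary, Q_1 = a^{p_{b-1}} mod n and
    Q_i = ((Q_{i-1})^2 mod n) * a^{p_{b-i}} mod n, so that Q_b = a^p mod n.
    Returns (a^p mod n, [Q_1, ..., Q_b])."""
    bits = bin(p)[2:]           # most significant bit first
    q, trace = 1, []
    for bit in bits:
        q = q * q % n           # (Q_{i-1})^2 mod n; a no-op for the first bit since q = 1
        if bit == "1":
            q = q * a % n       # multiply by a^{p_{b-i}} only when that bit is 1
        trace.append(q)
    return q, trace


def operation_count(p):
    """Multiplications performed: one squaring per bit plus one multiply per 1-bit, i.e. O(log p)."""
    return p.bit_length() + bin(p).count("1")


def naive_modpow(a, p, n):
    """Reference computation with p - 1 multiplications, exponential in the number of bits of p."""
    r = 1
    for _ in range(p):
        r = r * a % n
    return r


if __name__ == "__main__":
    result, qs = modpow_trace(3, 18, 19)
    print("3^18 mod 19 =", result, "Q_i =", qs, "multiplications:", operation_count(18))
    # RSA decryption from the slides: 66^77 mod 119 needs 76 naive multiplications, 11 here.
    print("66^77 mod 119 =", modpow_trace(66, 77, 119)[0], "multiplications:", operation_count(77))
```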

Modular Inverse

Theorem: Given positive integers a and b, let d be the smallest positive integer such that d = ia + jb for some integers i and j. We have d = gcd(a, b).

Example: a = 21, b = 15, d = 3, i = 3, j = -4: 3 = 3·21 + (-4)·15 = 63 - 60 = 3

Given positive integers a and b, the extended Euclid's algorithm computes a triplet (d, i, j) such that d = gcd(a, b) and d = ia + jb.

To test the existence of and compute the inverse of $x \in Z_n$, we execute the extended Euclid's algorithm on the input pair (x, n). Let (d, i, j) be the triplet returned, so that d = ix + jn.
- Case 1: d = 1. Then i is the inverse of x in $Z_n$
- Case 2: d > 1. Then x has no inverse in $Z_n$
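The extended Euclid's algorithm of this slide as an added Python example (not code from the slides), with the inverse test of cases 1 and 2 on top of it; it reproduces the inverse tables modulo 11 and 10 from the Multiplicative Inverses slides and the RSA exponents d = 77 and d = 27 from the RSA example slides. The coefficient pair returned for (21, 15) is a valid one, not necessarily the (3, -4) quoted on the slide.

```python
def extended_euclid(a, b):
    """Extended Euclid's algorithm: returns (d, i, j) with d = gcd(a, b) = i*a + j*b.
    Same recursion as EuclidGCD; the coefficients are rebuilt on the way back up."""
    if b == 0:
        return a, 1, 0
    d, i1, j1 = extended_euclid(b, a % b)
    # d = i1*b + j1*(a mod b) and a mod b = a - (a // b)*b, hence
    # d = j1*a + (i1 - (a // b)*j1)*b
    return d, j1, i1 - (a // b) * j1


def mod_inverse(x, n):
    """Inverse of x in Z_n from the extended Euclid's algorithm on (x, n):
    case d = 1 -> i (reduced into Z_n) is the inverse; case d > 1 -> no inverse (None)."""
    d, i, _ = extended_euclid(x, n)
    return i % n if d == 1 else None


def inverse_table(n):
    """The inverse tables of the slides: x -> x^-1 for every residue x in Z_n (None if absent)."""
    return {x: mod_inverse(x, n) for x in range(n)}


if __name__ == "__main__":
    print(extended_euclid(21, 15))                   # d = 3 = i*21 + j*15
    print(inverse_table(11))
    print(mod_inverse(5, 96), mod_inverse(3, 40))    # the RSA exponents d = 77 and d = 27
```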

Pseudoprimality Testing

The number of primes less than or equal to n is about n / ln n. Thus, we expect to find a prime among O(b) randomly generated numbers with b bits each.

Testing whether a number is prime (primality testing) is believed to be a hard problem.

An integer n >= 2 is said to be a base-x pseudoprime if $x^{n-1} \bmod n = 1$ (Fermat's little theorem).

Composite base-x pseudoprimes are rare: a random 100-bit integer is a composite base-2 pseudoprime with probability less than $10^{-13}$. The smallest composite base-2 pseudoprime is 341.

Base-x pseudoprimality testing for an integer n:
- Check whether $x^{n-1} \bmod n = 1$
- Can be performed efficiently with the repeated squaring algorithm

Randomized Primality Testing

Compositeness witness function witness(x, n) with error probability q for a random variable x:
- Case 1: n is prime. witness(x, n) = false
- Case 2: n is composite. witness(x, n) = false with probability q < 1

Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating witness(x, n). A variation of base-x pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm).

Algorithm RandPrimeTest(n, k)
  Input: integer n, confidence parameter k and composite witness function witness(x, n) with error probability q
  Output: an indication of whether n is composite or prime, with error probability $2^{-k}$
  t ← k / log2(1/q)
  for i ← 1 to t
    x ← random()
    if witness(x, n) = true
      return "n is composite"
  return "n is prime"
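The two preceding slides as an added Python example (not code from the slides): the base-x pseudoprimality test, a search confirming 341 as the smallest composite base-2 pseudoprime, a Rabin-Miller compositeness witness, and RandPrimeTest(n, k) with t = k / log2(1/q) rounds. The error probability q = 1/4 for the Rabin-Miller witness is the standard bound and is assumed here, not taken from the slides; 561 shows a composite the Fermat test accepts but the witness catches.

```python
import math
import random


def is_pseudoprime(n, x):
    """Base-x pseudoprimality test from the slides: x^(n-1) mod n == 1 (pow uses repeated squaring)."""
    return pow(x, n - 1, n) == 1


def smallest_composite_pseudoprime(x):
    """First composite n > 2 that passes the base-x test (341 for x = 2, as the slides state)."""
    n = 3
    while True:
        n += 1
        composite = any(n % f == 0 for f in range(2, math.isqrt(n) + 1))
        if composite and is_pseudoprime(n, x):
            return n


def rabin_miller_witness(x, n):
    """Compositeness witness for odd n > 2: True means n is certainly composite.
    Write n - 1 = 2^s * r with r odd; x is a witness unless x^r = 1 or x^(2^j r) = -1 for some j < s."""
    r, s = n - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1
    y = pow(x, r, n)
    if y == 1 or y == n - 1:
        return False
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
    return True


def rand_prime_test(n, k, witness=rabin_miller_witness, q=0.25):
    """RandPrimeTest(n, k): t = k / log2(1/q) rounds, so a composite survives them all
    with probability at most q^t <= 2^-k. q = 1/4 is assumed for the Rabin-Miller witness."""
    if n < 4:
        return "n is prime" if n in (2, 3) else "n is composite"
    if n % 2 == 0:
        return "n is composite"
    t = math.ceil(k / math.log2(1 / q))
    for _ in range(t):
        x = random.randrange(2, n - 1)
        if witness(x, n):
            return "n is composite"
    return "n is prime"


if __name__ == "__main__":
    print(smallest_composite_pseudoprime(2))                        # 341
    print(is_pseudoprime(561, 2), rabin_miller_witness(2, 561))     # True, True
    print(rand_prime_test(2**61 - 1, 20), rand_prime_test(341, 20))
```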

Information Security

[Figure: message M -> one-way hash -> fingerprint f = H(M)]

Outline and Reading

- Digital signatures
  - Definition (§10.2.2)
  - RSA signature and verification (§10.2.3)
- One-way hash functions
  - Definition (§10.3.1)
  - Applications (§10.3.2)
- Key distribution
  - Certificates (§10.3.5)
  - Revocation (§10.3.5)

Digital Signature

A digital signature is a string S associated with a message M and the author A of M that has the following properties:
- Integrity: S establishes that M has not been altered
- Nonrepudiation: S unequivocally identifies the author A of M and proves that A did indeed sign M

A digital signature scheme provides algorithms for
- Signing a message by the author
- Verifying the signature of a message by the reader

A recently passed law in the US gives digital signatures the same validity as handwritten signatures.

A public-key cryptosystem yields a digital signature scheme provided $\mathrm{encrypt}(K_E, \mathrm{decrypt}(K_D, M)) = M$
- Signature: Alice (author) computes $S = \mathrm{decrypt}(K_D, M)$ using her private key $K_D$ and sends the pair (M, S) to Bob
- Verification: Bob (reader) computes $M' = \mathrm{encrypt}(K_E, S)$ using Alice's public key $K_E$ and checks that M' = M

RSA Digital Signature

Setup:
- n = pq, with p and q primes
- e relatively prime to $\phi(n) = (p - 1)(q - 1)$
- d inverse of e in $Z_{\phi(n)}$

Keys:
- Public key: $K_E = (n, e)$
- Private key: $K_D = d$

Signature: Message M in $Z_n$, signature $S = M^d \bmod n$

Verification: Check that $M = S^e \bmod n$

Example

Setup: p = 5, q = 11, n = 5·11 = 55, $\phi(n)$ = 4·10 = 40, e = 3, d = 27 (3·27 = 81 = 2·40 + 1)

Keys: Public key $K_E$ = (55, 3), private key $K_D$ = 27

Signature: M = 51, $S = 51^{27} \bmod 55 = 6$

Verification: $S^e = 6^3 \bmod 55 = 216 \bmod 55 = 51$

One-Way Hash Function

A one-way hash function is a function H with the following properties:
- H maps a string M of arbitrary length into an integer f = H(M) with a fixed number of bits, called the fingerprint or digest of M
- H can be computed efficiently
- Given an integer f, it is computationally infeasible to find a string M such that H(M) = f
- Given a string M, it is computationally infeasible to find another string M' such that H(M) = H(M') (collision resistance)
- It is computationally infeasible to find two strings M and M' such that H(M) = H(M') (strong collision resistance)

Two widely used one-way hash functions are
- MD5 (Message Digest 5, 1992), which uses a 128-bit (16 bytes) fingerprint
- SHA-1 (Secure Hash Algorithm 1, 1995), which uses a 160-bit (20 bytes) fingerprint

Coin Flipping Over the Net

Alice and Bob want to flip a random coin by communicating over the internet. The following protocol, based on a one-way hash function H, ensures the fairness of the outcome:
1. Alice picks a random integer x, computes the fingerprint f = H(x) and sends f to Bob
2. Bob sends to Alice his guess of whether x is odd or even
3. Alice announces the result of the coin flip: heads if Bob has guessed correctly and tails otherwise
4. Alice sends to Bob integer x as a proof of the outcome of the flip
5. Bob verifies that f = H(x)

Because of the strong-collision resistance property, it is computationally infeasible for Alice to cheat
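The five-step exchange above as an added Python example (not code from the slides), with both parties' messages and Bob's final check, plus an attempt by Alice to reveal a different x after seeing the guess, which the check rejects. SHA-256 stands in for the one-way hash H (an assumption); the commitment is only binding and hiding if x is large and unpredictable, as the comment in `alice_commit` notes.

```python
import hashlib
import secrets


def H(x):
    """One-way hash of the slides, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(str(x).encode()).hexdigest()


def alice_commit(x=None):
    """Step 1: Alice picks a random integer x and sends the fingerprint f = H(x) to Bob.
    x must be large and unpredictable: with a small x, Bob could hash every candidate
    and read the parity off f before guessing."""
    if x is None:
        x = secrets.randbits(256)
    return x, H(x)


def alice_announce(x, bob_guess_odd):
    """Step 3: heads if Bob guessed the parity of x correctly, tails otherwise."""
    return "heads" if bob_guess_odd == (x % 2 == 1) else "tails"


def bob_verify(f, x, bob_guess_odd, announced):
    """Step 5: Bob checks f = H(x) and that the announced result follows from his guess and x."""
    if H(x) != f:
        return False
    return announced == alice_announce(x, bob_guess_odd)


def run_protocol(x=None, bob_guess_odd=None):
    """The whole exchange; returns (outcome, verified by Bob)."""
    x, f = alice_commit(x)                          # Alice -> Bob: f
    if bob_guess_odd is None:
        bob_guess_odd = secrets.randbelow(2) == 1   # Bob -> Alice: guess
    outcome = alice_announce(x, bob_guess_odd)      # Alice -> Bob: outcome, then x
    return outcome, bob_verify(f, x, bob_guess_odd, outcome)


def cheating_alice(x, bob_guess_odd):
    """Alice tries to flip the result after seeing the guess by revealing x + 1 (opposite parity).
    She would need an x' of the other parity with H(x') = f, which one-wayness makes infeasible."""
    _, f = alice_commit(x)
    x_fake = x + 1
    return bob_verify(f, x_fake, bob_guess_odd, alice_announce(x_fake, bob_guess_odd))


if __name__ == "__main__":
    # Constructed values: x = 123456 (even), Bob guesses "odd" -> tails, and the check passes.
    print(run_protocol(123456, True))
    print(cheating_alice(123456, True))   # False
```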

Digitally Signed Fingerprints

In the RSA digital signature scheme with modulus n, the message to be signed must be an integer in $Z_n$, i.e., the message should have at most $\lfloor \log n \rfloor$ bits.

To overcome the above restriction on the message length, we can use the fingerprint f = H(M) of the message instead of the message itself, where H is a one-way hash function:
- Alice computes first f = H(M) and then the signature S of f
- Bob first computes f = H(M) and then verifies S

Since the one-way hash function H has the collision-resistance property, it is computationally infeasible to modify the message M while preserving the signature of the fingerprint f = H(M)

[Figure: message M -> one-way hash -> fingerprint f = H(M) -> sign -> signature $S = f^d \bmod n$]

Certificates

Public-key cryptography is based on the knowledge by each participant of the public key of the other participants. It is complicated to securely distribute the public keys of all the participants.

A certificate is a message of the type (name, public key) signed by a third party.

Public-key infrastructure (PKI):
- An entity trusted by all the participants, called certification authority (CA), issues to each participant a certificate (Name, $K_E$) that authoritatively binds the participants to their public keys
- Only the CA's public key needs to be distributed securely
- Before sending an encrypted message to Bob or verifying a message digitally signed by Bob, Alice determines Bob's public key $K_E$ by using Bob's certificate (Bob, $K_E$)

Web Server Certificates

A Web server certificate is used to authenticate the public key of a Web server.

Fields of a Web server certificate:
- Serial number
- Hash and signature schemes (e.g., MD5 and RSA)
- Issuer (certification authority)
- Period of validity (from, to)
- Subject (URL and organization)
- Public key

The SSL (secure socket layer) protocol uses Web server certificates to provide encryption and authentication in a secure Web connection (https)

Certificate Revocation

In certain circumstances, a certificate may have to be revoked before its expiration date:
- The private key of the subject has been compromised
- The certificate was incorrectly issued by the CA

Certificate Revocation List (CRL):
- Time-stamped list of all the unexpired certificates that have been revoked by the CA
- Periodically published and signed by the CA

When presented with a certificate, one should
- Verify the CA's signature on the certificate
- Check that the certificate has not been revoked by searching in the latest available CRL

By default, Web browsers do not check the revocation status of a Web server certificate, which poses a security risk
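An added Python example (not code from the slides) tying together the RSA Digital Signature, Digitally Signed Fingerprints, Certificates and Certificate Revocation slides: a CA signs (serial, name, public key) certificates and a time-stamped CRL, Bob signs the fingerprint of a message, and Alice verifies it only after checking the CA's signature on Bob's certificate and its absence from the CRL. Textbook RSA on constructed 30-bit primes with SHA-256 standing in for H, the fingerprint reduced into $Z_n$ and no padding: all assumptions for illustration, not a deployable signature scheme.

```python
import hashlib
import json
from math import gcd


def rsa_setup(p, q, e):
    """n = pq, phi(n) = (p-1)(q-1), d = inverse of e in Z_phi(n); returns (n, e) and d."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)


def fingerprint(message, n):
    """f = H(M): SHA-256 stands in for H (assumption), reduced into Z_n so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, n, message):
    """S = f^d mod n, the digitally signed fingerprint."""
    return pow(fingerprint(message, n), private_key, n)


def verify(public_key, message, S):
    """Check that S^e mod n equals the fingerprint recomputed from the message."""
    n, e = public_key
    return pow(S, e, n) == fingerprint(message, n)


def encode(fields):
    """Canonical byte encoding of a record so signer and verifier hash the same bytes."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_private, ca_public, serial, subject, subject_public):
    """The CA signs (serial, name, public key): the certificate (Name, K_E) of the slides."""
    body = {"serial": serial, "subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {**body, "signature": sign(ca_private, ca_public[0], encode(body))}


def issue_crl(ca_private, ca_public, revoked_serials, timestamp):
    """Time-stamped list of revoked, unexpired certificates, signed by the CA."""
    body = {"timestamp": timestamp, "revoked": sorted(revoked_serials)}
    return {**body, "signature": sign(ca_private, ca_public[0], encode(body))}


def check_certificate(cert, ca_public, crl):
    """Relying-party checks: CA signature on the certificate, CA signature on the CRL,
    then the serial must not be on the CRL. Returns (ok, reason)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    if not verify(ca_public, encode(body), cert["signature"]):
        return False, "bad CA signature"
    crl_body = {k: v for k, v in crl.items() if k != "signature"}
    if not verify(ca_public, encode(crl_body), crl["signature"]):
        return False, "bad CRL signature"
    if cert["serial"] in crl["revoked"]:
        return False, "revoked"
    return True, "ok"


def verify_from_certificate(cert, ca_public, crl, message, S):
    """Alice verifies Bob's signed fingerprint with the key K_E taken from Bob's certificate."""
    ok, _ = check_certificate(cert, ca_public, crl)
    return ok and verify((cert["n"], cert["e"]), message, S)


if __name__ == "__main__":
    ca_pub, ca_priv = rsa_setup(1000000007, 998244353, 65537)      # constructed CA key
    bob_pub, bob_priv = rsa_setup(1000000009, 999999937, 65537)    # constructed key for Bob
    cert = issue_certificate(ca_priv, ca_pub, 1, "Bob", bob_pub)
    crl = issue_crl(ca_priv, ca_pub, [], "2002-04-01T00:00:00Z")
    S = sign(bob_priv, bob_pub[0], b"pay 100 to Carol")
    print(verify_from_certificate(cert, ca_pub, crl, b"pay 100 to Carol", S))   # True
```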