
Why Pierre de Fermat Would be a Billionaire Today

Lecture Notes 6, SYCS 653 – Fall 2009. Or, How Cryptology Will Affect Us All -- Asymmetric Crypto. Wayne Patterson, Senior Fellow, The Graduate School, Howard University. PowerPoint presentation.

Page 1: Why Pierre de Fermat Would be a Billionaire Today

Lecture Notes 6
SYCS 653 – Fall 2009

Page 2: Or, How Cryptology Will Affect Us All -- Asymmetric Crypto

• Wayne Patterson
• Senior Fellow, The Graduate School, Howard University
• SYCS 653, Howard University, Fall 2009

Page 3: Public-Key Cryptology

• Despite the pluses or minuses of DES, one problem DES can never solve is the “key management problem.”
• 6 users: (6 × 5)/2 = 15 keys
• 1000 users: (1000 × 999)/2 = 499,500 keys

Page 4: The PKC Model

• For each user, choose a key k_i = (kp_i, ks_i), i = 1, ..., 1000. In a system-wide public directory, list all of the “public” keys kp_i, i = 1, ..., 1000. Then, to send a message m to user j, select that user’s public key, kp_j, and apply the encryption transformation
• c = T(kp_j, m).
• Send the ciphertext, c.
• Only user j has the rest of the key necessary to compute:
• T((kp_j, ks_j), c) = m.

Page 5: The PKC Solution to Key Management

• Thus, rather than having to manage the secret distribution of O(n^2) keys in a network of n users, only n keys are required, and they need not be distributed secretly.
• Furthermore, the public-key concept could also be used for the authentication of messages in a way that a “secret-key” system could not address.

Page 6: Authentication

• Consider a cryptosystem based on the traditional “secret-key” approach. Consider also that it is used for funds transfer in a banking network. One day the system manager receives a message from X. The manager decrypts the message using the secret key agreed upon by X and the manager. The message reads, “transfer $1,000,000 from my account to the system manager’s account.” The manager dutifully does so.
• X complains to the authorities, saying that the message was a forgery, sent by the manager himself (herself). The system manager, when reached for comment by long distance telephone from Tahiti, says that the message was authentic and that X had recanted his desire to make the transfer.

Page 7: Authentication

• Since both X and the manager had to know the secret key, there is no way, using the cryptosystem, to resolve the dispute.
• However, a public-key cryptosystem could have resolved the issue. Suppose that, in addition to the message, every transmission in the network is required to be “signed,” that is, to contain a trailer encrypted using X’s public key. Then, this requirement would carry with it the ability to authenticate X’s message, since only X, knowing the rest of the key, would be able to decrypt the trailer.

Page 8: Can We Devise a PKC?

• Therefore, if we could devise a PKC, it would certainly have most desirable features. But many questions remain to be asked. First of all, can we devise a PKC? What should we look for? Second, if we can find one, will it be secure? Will it be efficient?
• For now, we will consider only the general parameters of finding PKCs.

Page 9: Factoring

• From the earlier description, we need to find functions that are “one-way,” that is, that enable an efficient computation sufficient for encryption, but whose inverses are cryptanalytically very difficult to find.
• The example we will study involves the ease of multiplying numbers together combined with the difficulty of finding the original factors, given a product.

Page 10: Who is Pierre de Fermat?

• French mathematician of the 17th century (1601-1665)
• Purchased the offices of councillor at the parliament in Toulouse
• This allowed him to change his name from “Pierre Fermat” to “Pierre de Fermat” (!)
• Pioneer in geometry and number theory

Page 11: Fermat’s Last Theorem

• 3^2 + 4^2 = 5^2
  – (9 + 16 = 25)
• 5^2 + 12^2 = 13^2
  – (25 + 144 = 169)
• 7^2 + 24^2 = 25^2
  – (49 + 576 = 625)
• Is there an example for n > 2 where x^n + y^n = z^n ???

(Figure: the equation x^n + y^n = z^n, n > 2, beside Fermat’s marginal note: “I have discovered a truly remarkable proof which this margin is too small to contain.”)

Page 12: The 323-Year Marginalia

• Fermat’s marginal comments led to many, many futile efforts to solve his “Last Theorem”
• Finally solved in 1993 by Andrew Wiles
• Saudi Arabia awarded Wiles a $500,000 prize
• Who says math doesn’t pay?
• I could prove it now --- in text, it takes 1,000 pages to provide the complete proof

Page 13: The Little Fermat Theorem

• Prime numbers are those with no proper divisors, e.g. 2, 3, 5, …, 13, 17, …, 23, 29, …
• For the product n of two prime numbers, p, q, there is a function φ(n) = (p-1)(q-1)
• The “Little Fermat” theorem says that if I take any number, raise it to the power φ(n), and divide the result by n … I will get a remainder of 1.
• In mathematical notation,
• a^φ(n) (mod n) = 1.

Page 14: The RSA Cryptosystem

• About twenty years ago, three computer scientists, Ron Rivest, Adi Shamir, and Len Adleman, developed a “public-key” cryptosystem that they called the RSA cryptosystem (wonder why ???)
• It is based entirely on the Little Fermat theorem
• If Pierre de Fermat only could’ve gotten royalties, he could have bought all of Toulouse.

Page 15: What is the RSA Cryptosystem?

• Short enough that RSA Security has put it on a T-shirt
• Take two prime numbers p, q (of 200 digits), multiply: n = pq
• Find e and d such that their product gives a remainder of 1 when divided by (p-1)(q-1)
• To encrypt, raise the message m to the power e (mod n)
• To decrypt, raise the cipher c to the power d (mod n)

Page 16: Why You Should Be Skeptical …

• 1. Can we find prime numbers p, q of 200 digits?
• 2. Can we multiply them together?
• 3. Can we find an e such that GCD(e, φ(n)) = 1?
• 4. If we can find such an e, can we find d such that e × d ≡ 1 (mod φ(n))?
• 5. Can we realistically compute either m^e (mod n) or c^d (mod n)?
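The slides that follow answer these five questions. As an added example, not from the lecture notes, here is the slide 15 recipe in Python with constructed two-digit primes p = 61, q = 53 and e = 17 standing in for the 200-digit primes; it includes the GCD(e, φ(n)) check of question 3 and a check of slide 13’s a^φ(n) identity, which holds only when GCD(a, n) = 1 (a multiple of p is a counterexample, although RSA still decrypts such an m correctly).

```python
import math


def rsa_keygen(p, q, e):
    """Slide 15: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).

    Slide 16, question 3: e only has an inverse when GCD(e, phi(n)) = 1,
    so that is checked before asking for d (question 4)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(m, n, e):
    """Raise m to the power e, mod n (question 5: pow() does this fast)."""
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    """Raise c to the power d, mod n."""
    return pow(c, d, n)


def euler_identity_holds(a, p, q):
    """Slide 13's identity a^phi(n) = 1 (mod n).  It holds exactly when
    GCD(a, n) = 1; a multiple of p or q is a counterexample."""
    n = p * q
    return pow(a, (p - 1) * (q - 1), n) == 1


def ed_minus_one_multiple_of_phi(p, q, e, d):
    """Slide 37's step ed = k*phi(n) + 1: check that phi(n) divides ed - 1."""
    return (e * d - 1) % ((p - 1) * (q - 1)) == 0


if __name__ == "__main__":
    # Constructed toy parameters: 2-digit primes instead of the 200-digit
    # primes of slide 15, so every value can be checked by hand.
    p, q = 61, 53
    n, e, d = rsa_keygen(p, q, 17)           # n = 3233, d = 2753
    c = rsa_encrypt(65, n, e)                # 2790
    print(n, e, d, c, rsa_decrypt(c, n, d))  # ... 65
    print(euler_identity_holds(2, p, q), euler_identity_holds(p, p, q))
```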

Page 17: Modular Arithmetic

SYCS 653 Fall 2009

Page 18: Consider First Z6

• Addition

 +  0 1 2 3 4 5
 0  0 1 2 3 4 5
 1  1 2 3 4 5 0
 2  2 3 4 5 0 1
 3  3 4 5 0 1 2
 4  4 5 0 1 2 3
 5  5 0 1 2 3 4

• Multiplication

 ×  0 1 2 3 4 5
 0  0 0 0 0 0 0
 1  0 1 2 3 4 5
 2  0 2 4 0 2 4
 3  0 3 0 3 0 3
 4  0 4 2 0 4 2
 5  0 5 4 3 2 1

Page 19: Now Consider Z7

• Addition

 +  0 1 2 3 4 5 6
 0  0 1 2 3 4 5 6
 1  1 2 3 4 5 6 0
 2  2 3 4 5 6 0 1
 3  3 4 5 6 0 1 2
 4  4 5 6 0 1 2 3
 5  5 6 0 1 2 3 4
 6  6 0 1 2 3 4 5

• Multiplication

 ×  0 1 2 3 4 5 6
 0  0 0 0 0 0 0 0
 1  0 1 2 3 4 5 6
 2  0 2 4 6 1 3 5
 3  0 3 6 2 5 1 4
 4  0 4 1 5 2 6 3
 5  0 5 3 1 6 4 2
 6  0 6 5 4 3 2 1

Page 20: What Are the Differences in the Tables?

• An element (in any multiplication table) has a multiplicative inverse if and only if there is a “1” in the row corresponding to that element
• Which elements have inverses in Z6?
• Which elements have inverses in Z7?

Page 21: What is the Essential Difference Between 6 and 7?

• One is prime (all non-zero elements have inverses)
• The other is composite (certain non-zero elements do not have inverses)
  – indeed, the elements that do not have inverses are exactly those which have a common factor with the composite number

Page 22: Computing the GCD and the Modular Inverse

SYCS 653 Fall 2009

Page 23: The “3×2” Algorithm for GCD

• Suppose we want to compute GCD(36583, 17286).
• First construct a 3×2 matrix whose first row consists of the two numbers whose GCD we wish to compute
• Next write for the second row: 1 0
• And for the third row: 0 1, i.e.

  36583  17286
      1      0
      0      1

Page 24: The algorithm

• Multiply the right-most column by the largest integer for which the product with its first-row element does not exceed the left-hand neighbor; in this case 2, since 2 × 17286 = 34572 ≤ 36583.
• Create a new column to the right, which is [left column] – multiplier × [right column]

  36583  17286   2011
      1      0      1
      0      1     -2

Page 25: Finally, repeat until the first row has a “0.”

Multipliers:        2      8      1      1      2      8      1     20      2
  36583  17286   2011   1198    813    385     43     41      2      1      0
      1      0      1     -8      9    -17     43   -361    404  -8441  17286
      0      1     -2     17    -19     36    -91    764   -855  17864 -36583

GCD: the first-row entry of the column just before the “0” column, here 1.
Inverse (if it exists): the third-row entry of that same column, here 17864, is the inverse of 17286 mod 36583, since -8441 × 36583 + 17864 × 17286 = 1.

Page 26: Another Example

Multipliers:        2      8      1      1      2      2      1      2      1      1      2      2
  36585  17286   2013   1182    831    351    129     93     36     21     15      6      3      0
      1      0      1     -8      9    -17     43   -103    146   -395    541   -936   2413  -5762
      0      1     -2     17    -19     36    -91    218   -309    836  -1145   1981  -5107  12195

GCD: 3 (the column just before the “0” column), so no inverse exists.
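As an added example, not from the lecture notes, the following Python runs the 3×2 algorithm of slides 23 to 26 column by column, prints both tables in the slides’ layout, and uses the resulting GCD to answer slide 20’s question about which elements of Z6 and Z7 have inverses.

```python
def three_by_two(a, b):
    """The slides' "3x2" algorithm on the pair (a, b), a >= b > 0.

    Each column is [value, coefficient of a, coefficient of b]; the three
    rows of the slides' table are the three positions.  Returns the list of
    columns, GCD(a, b) and, when that GCD is 1, the inverse of b mod a."""
    cols = [[a, 1, 0], [b, 0, 1]]
    while cols[-1][0] != 0:
        left, right = cols[-2], cols[-1]
        q = left[0] // right[0]   # largest multiplier whose product does not exceed the left neighbour
        cols.append([l - q * r for l, r in zip(left, right)])
    value, coef_a, coef_b = cols[-2]     # the column just before the "0" column
    inverse = coef_b % a if value == 1 else None
    return cols, value, inverse


def format_table(cols):
    """Lay the columns out the way slides 25 and 26 do (multipliers on top)."""
    width = max(len(str(v)) for col in cols for v in col) + 1
    quotients = [cols[i][0] // cols[i + 1][0] for i in range(len(cols) - 2)]
    lines = ["".rjust(2 * width) + "".join(str(q).rjust(width) for q in quotients)]
    for row in range(3):
        lines.append("".join(str(col[row]).rjust(width) for col in cols))
    return "\n".join(lines)


def invertible_elements(n):
    """Slide 20's question: which elements of Z_n have a multiplicative inverse?"""
    return [x for x in range(1, n) if three_by_two(n, x)[1] == 1]


if __name__ == "__main__":
    for pair in ((36583, 17286), (36585, 17286)):
        cols, g, inv = three_by_two(*pair)
        print(format_table(cols))
        print("GCD =", g, " inverse of", pair[1], "mod", pair[0], "=", inv, "\n")
    print("Z6:", invertible_elements(6), " Z7:", invertible_elements(7))
```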

Page 27: Primality Testing

SYCS 653 Fall 2009

Page 28: If We Can’t Factor Big Numbers …

• How can we tell if they are prime?
• The answer is, we can’t …
  – But we can choose a number p, which, if it passes a set of tests, “primality tests,” we will be willing to accept as a prime, with a probability of 1/(2^100) of guessing wrong.

Page 29: Either the Solovay-Strassen or the Lehman-Peralta Primality Test

• To test p for primality, first choose 100 numbers at random < p, e1, …, e100.
• Compute GCD[ei, p] for i = 1, …, 100
• If any GCD is > 1, throw out p and start over!
• For each ei and p, compute a number called the Jacobi symbol. It is either 1 or –1. If the Jacobi symbol is 1, there is only a 50% chance that p is not prime; that is, a p that is not prime gives a Jacobi symbol of 1 only half the time.
• Thus, if all 100 Jacobi symbols are 1, there is only a 1/(2^100) chance that p is not prime.
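An added example, not from the lecture notes: the Jacobi symbol and the test of slide 29 in Python, with the comparison the slide leaves implicit written out (Solovay-Strassen accepts base e only when e^((p-1)/2) mod p equals the Jacobi symbol (e/p)). The constructed test values 607 (prime) and 561 (composite) show a base caught by the GCD check, one caught by the Euler criterion, and one that lies, which is why many bases are needed.

```python
import math
import secrets


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0: +1, -1, or 0 when GCD(a, n) > 1.
    Computed by quadratic reciprocity, without factoring anything."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: flip sign if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def solovay_strassen(p, bases):
    """Slide 29's test with the Euler criterion made explicit: for every
    base e, e^((p-1)/2) mod p must equal the Jacobi symbol (e/p)."""
    if p < 2 or (p > 2 and p % 2 == 0):
        return False
    if p in (2, 3):
        return True
    for e in bases:
        if math.gcd(e, p) > 1:            # slide 29: any GCD > 1, throw out p
            return False
        j = jacobi(e, p)
        if j == 0 or pow(e, (p - 1) // 2, p) != j % p:   # j = -1 appears as p - 1
            return False
    return True                           # every base passed: probably prime


def is_probable_prime(p, rounds=100):
    """100 random bases below p, as on slide 29: a composite p survives
    all of them with probability at most 1/2^100."""
    if p < 5:
        return p in (2, 3)
    bases = [secrets.randbelow(p - 3) + 2 for _ in range(rounds)]
    return solovay_strassen(p, bases)


if __name__ == "__main__":
    print(is_probable_prime(607), is_probable_prime(561))   # True False
    print(solovay_strassen(561, [2]))   # True: 2 alone is fooled by 561
```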

Page 30: The Fast Exponentiation Algorithm

SYCS 653 Fall 2009

Page 31: How Not to Compute x^16374927

• Compute x × x × x × x × x × x × x × x × x × x × x × x … × x
• 16,374,927 times

Page 32: Maybe for 16 million …

• But of course, the former method will never complete if we’re trying to compute
• x^172834761934872304876209384761247108746208347631208
• For example.

Page 33: Fast Exponentiation for x^14374

• First, convert 14374 to binary:
• 14374
• - 8192 ( = 2^13 )
• 6182
• - 4096 ( = 2^12 )
• 2086
• - 2048 ( = 2^11 )
• 38
• - 32 ( = 2^5 )
• 6
• - 4 ( = 2^2 )
• 2
• - 2 ( = 2^1 )
• 0
• Therefore the binary is 11100000100110

Page 34: Now, 14374 = 11100000100110 (base 2)

• Call the bits b13 b12 b11 … b2 b1 b0.
• Ignore the high bit
• To compute x^14374, set m = x
• Do i = 12 downto 0
  – m := m * m
  – if b_i = 1 then m := m * x
• End do
• m is the desired power, x^14374.

Page 35: Specifically:

• m = x
• i = 12: x → x^2,
  – x^2 × x = x^3
• i = 11: x^3 → x^6,
  – x^6 × x = x^7
• i = 10: x^7 → x^14
• i = 9: x^14 → x^28
• i = 8: x^28 → x^56
• i = 7: x^56 → x^112
• i = 6: x^112 → x^224
• i = 5: x^224 → x^448
  – x^448 × x = x^449
• i = 4: x^449 → x^898
• i = 3: x^898 → x^1796
• i = 2: x^1796 → x^3592
  – x^3592 × x = x^3593
• i = 1: x^3593 → x^7186
  – x^7186 × x = x^7187
• i = 0: x^7187 → x^14374
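Slides 33 to 35 as Python, added here and not part of the original notes: the binary conversion by repeated subtraction, the square-and-multiply loop with an optional modulus (which is how the m^e mod n of slide 15 is computed in practice), and the trace of exponents shown on slide 35, plus a count of the operations saved relative to slide 31.

```python
def to_binary(e):
    """Slide 33: repeatedly subtract the largest power of two that fits.

    Returns the bit string and the list of exponents subtracted, e.g.
    14374 -> ('11100000100110', [13, 12, 11, 5, 2, 1])."""
    if e == 0:
        return "0", []
    bits, subtracted, rest = [], [], e
    for i in range(e.bit_length() - 1, -1, -1):
        if rest >= 1 << i:
            rest -= 1 << i
            subtracted.append(i)
            bits.append("1")
        else:
            bits.append("0")
    return "".join(bits), subtracted


def fast_pow(x, e, n=None):
    """Slide 34: ignore the high bit, then for every remaining bit square,
    and multiply by x when the bit is 1.  Reduces mod n when n is given.

    Returns the result and the trace of exponents reached (slide 35)."""
    if e == 0:
        return (1 % n if n else 1), []
    bits, _ = to_binary(e)
    m, exp, trace = x, 1, []
    for b in bits[1:]:               # the high bit is the starting m = x
        m, exp = m * m, 2 * exp
        if n:
            m %= n
        trace.append(exp)
        if b == "1":
            m, exp = m * x, exp + 1
            if n:
                m %= n
            trace.append(exp)
    return m, trace


def operation_count(e):
    """Squarings and multiplications the loop needs: one squaring per bit
    after the first, one multiplication per 1-bit after the first.
    Compare with the e - 1 multiplications of slide 31."""
    bits, ones = to_binary(e)
    return len(bits) - 1, len(ones) - 1


if __name__ == "__main__":
    print(to_binary(14374))
    print(fast_pow(3, 14374, 1000)[1])          # the exponent trace of slide 35
    print(operation_count(14374), operation_count(16374927))
```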

Page 36: Checking the Results

• Go to Mathematica

Page 37: If Your Skepticism is Cured … Why Does It Work?

• Aha! Little Fermat Theorem:
• c^d = (m^e)^d             (definition of decryption)
      ≡ m^(ed)              (multiplication of exponents)
      ≡ m^(kφ(n)+1)         (since ed ≡ 1 mod φ(n))
      ≡ m^(kφ(n)) × m^1     (addition of exponents)
      ≡ 1 × m = m           (by the Little Fermat Theorem)
• All computations mod n.

Page 38: Digital Signatures

• Conceivably a more important challenge in security than encryption is authentication
• How can I prove that a given document was really produced by the purported author?
• Technique is often called “digital signatures” in comparison with ordinary written signatures
• Current methodology also uses “Little Fermat” and the same underlying theory

Page 39: Digital Signatures: the Model

• Also a “public-key” approach
• Every user has a public key for signing
• To “sign” a message M, append to the message a few bytes requiring private key S. Send M+S.
• Anyone can verify that M+S came from legitimate source by doing a computation on M+S using legitimate sender’s public key.

(Figure: message M, signature S, and the transmitted M+S.)

Page 40: Digital Signature Standard

• The definition of the standard can be found at:
  – http://www.itl.nist.gov/fipspubs/fip186.htm

Page 41: Digital Signature Standard

The DSA makes use of the following parameters:

• 1. p = a prime modulus, where 2^(L-1) < p < 2^L for 512 ≤ L ≤ 1024 and L a multiple of 64
• 2. q = a prime divisor of p - 1, where 2^159 < q < 2^160
• 3. g = h^((p-1)/q) mod p, where h is any integer with 1 < h < p - 1 such that h^((p-1)/q) mod p > 1 (g has order q mod p)
• 4. x = a randomly or pseudorandomly generated integer with 0 < x < q
• 5. y = g^x mod p
• 6. k = a randomly or pseudorandomly generated integer with 0 < k < q

Page 42: Digital Signature Standard

• The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature.

Parameters p and q shall be generated as specified in Appendix 2, or using other FIPS approved security methods. Parameters x and k shall be generated as specified in Appendix 3, or using other FIPS approved security methods.

Page 43: Signature Generation

The signature of a message M is the pair of numbers r and s computed according to the equations below:

• r = (g^k mod p) mod q and
• s = (k^(-1) (SHA(M) + xr)) mod q.
• In the above, k^(-1) is the multiplicative inverse of k, mod q; i.e., (k^(-1) × k) mod q = 1 and 0 < k^(-1) < q. The value of SHA(M) is a 160-bit string output by the Secure Hash Algorithm specified in FIPS 180. For use in computing s, this string must be converted to an integer.

Page 44: Signature Generation

• As an option, one may wish to check if r = 0 or s = 0. If either r = 0 or s = 0, a new value of k should be generated and the signature should be recalculated (it is extremely unlikely that r = 0 or s = 0 if signatures are generated properly).

The signature is transmitted along with the message to the verifier.

Page 45: Signature Verification

• Prior to verifying the signature in a signed message, p, q and g plus the sender's public key and identity are made available to the verifier in an authenticated manner.

Let M', r' and s' be the received versions of M, r, and s, respectively, and let y be the public key of the signatory. The verifier first checks to see that 0 < r' < q and 0 < s' < q; if either condition is violated the signature shall be rejected. If these two conditions are satisfied, the verifier computes

• w = (s')^(-1) mod q
• u1 = (SHA(M') × w) mod q
• u2 = (r' × w) mod q
• v = ((g^u1 × y^u2) mod p) mod q.

Page 46: Signature Verification

• If v = r', then the signature is verified and the verifier can have high confidence that the received message was sent by the party holding the secret key x corresponding to y. For a proof that v = r' when M' = M, r' = r, and s' = s, see Appendix 1.

If v does not equal r', then the message may have been modified, the message may have been incorrectly signed by the signatory, or the message may have been signed by an impostor. The message should be considered invalid.
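Slides 41 to 46 end to end, as an added Python example that is not part of the notes: constructed toy parameters p = 23, q = 11, h = 2 (so g = 4) stand in for the 1024-bit and 160-bit sizes of slide 41, SHA-1 from hashlib plays SHA(M), and the r = 0 or s = 0 retry of slide 44 and the range checks of slide 45 are included. With q this small a forged (M', r, s) would verify by chance about one time in eleven, which is exactly why the standard demands a 160-bit q.

```python
import hashlib
import secrets

# Constructed toy domain parameters: q | p - 1 and g = h^((p-1)/q) mod p > 1,
# the relations of slide 41 with tiny numbers (real DSA needs the 1024-bit p
# and 160-bit q stated there).
P, Q, H = 23, 11, 2
G = pow(H, (P - 1) // Q, P)          # 4, an element of order q
assert G > 1


def sha1_int(message):
    """SHA(M) converted to an integer, as slide 43 requires."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def dsa_keygen(p=P, q=Q, g=G):
    """Private x with 0 < x < q, public y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dsa_sign(h, x, k, p=P, q=Q, g=G):
    """Slide 43: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q.
    Returns None when r == 0 or s == 0, the case slide 44 says to redo."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    return None if r == 0 or s == 0 else (r, s)


def dsa_sign_message(message, x, p=P, q=Q, g=G):
    """Sign with a fresh secret k per signature (slide 42), retrying on None."""
    h = sha1_int(message)
    while True:
        k = secrets.randbelow(q - 1) + 1
        sig = dsa_sign(h, x, k, p, q, g)
        if sig is not None:
            return sig


def dsa_verify(h, y, r, s, p=P, q=Q, g=G):
    """Slide 45: range check, then w, u1, u2, v; accept iff v == r."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    x, y = dsa_keygen()
    msg = b"transfer $1,000,000"            # constructed sample message
    r, s = dsa_sign_message(msg, x)
    print(dsa_verify(sha1_int(msg), y, r, s))               # True
    print(dsa_verify(sha1_int(b"transfer $2"), y, r, s))    # False (almost surely)
```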

Page 47: The Dilemma

• “Lucifer” or DES-type methods
  – Very suspicious definitions
  – Don’t solve key management problem
  – Very fast, efficient
• Number theoretic methods
  – Very clear methods
  – Public-key methods solve key management
  – Inherently slow

This is the ultimate dilemma!

Page 48: References

• General scientific reference:
  – Mathematical Cryptology, Wayne Patterson, Rowman and Littlefield, 1987.
• Mathematical infrastructure:
  – Number Theory, Wayne Patterson, in the Wiley Encyclopedia of Electrical and Electronics Engineering, Wiley, 1999.
• Website for current technology (and some history):
  – http://www.rsasecurity.com/experience/esecurity/index.html#
• WW II history:
  – The Hut Six Story, Gordon Welchman, Classical Crypto Books, 1997.
• Current security issues:
  – Secrets and Lies, Bruce Schneier, Wiley, 2000.