Ch08

04/09/2304/09/23 Vijay KattaVijay Katta 11

Cryptography and Network Cryptography and Network SecuritySecurity

Chapter 8Chapter 8

by William Stallingsby William Stallings

by B . A . Forouzanby B . A . Forouzan


Objectives

❏ To introduce prime numbers and their applications in cryptography.

❏ To discuss some primality test algorithms and their efficiencies.

❏ To discuss factorization algorithms and their applications in cryptography.

❏ To describe the Chinese remainder theorem and its application.

❏ To introduce quadratic congruence.

❏ To introduce modular exponentiation and logarithm.


9Definition

Figure Three groups of positive integers

A prime is divisible only by itself and 1.

Note


Prime NumbersPrime Numbers

prime numbers only have divisors of 1 and prime numbers only have divisors of 1 and self self they cannot be written as a product of other they cannot be written as a product of other

numbers numbers note: 1 is prime, but is generally not of interest note: 1 is prime, but is generally not of interest

eg. 2,3,5,7 are prime, 4,6,8,9,10 are noteg. 2,3,5,7 are prime, 4,6,8,9,10 are notprime numbers are central to number prime numbers are central to number

theorytheory


Primes Under 2000 Prime Numbers


Cardinality of Primes

Infinite Number of Primes

There is an infinite number of primes.

Note

Number of Primes


Continued

Find the number of primes less than 1,000,000.

Example

SolutionThe approximation gives the range 72,383 to 78,543. The actual number of primes is 78,498.


Given a number n, how can we determine if n is a prime? The answer is that we need to see if the number is divisible by all primes less than

Checking for Primeness

We know that this method is inefficient, but it is a good start.


Continued

Is 97 a prime?

Example

SolutionThe floor of 97 = 9. The primes less than 9 are 2, 3, 5, and 7. We need to see if 97 is divisible by any of these numbers. It is not, so 97 is a prime.

Is 301 a prime?

Example

SolutionThe floor of 301 = 17. We need to check 2, 3, 5, 7, 11, 13, and 17. The numbers 2, 3, and 5 do not divide 301, but 7 does. Therefore 301 is not a prime.


Sieve of Eratosthenes

Continued


Prime FactorisationPrime Factorisation

to to factorfactor a number a number nn is to write it as a is to write it as a product of other numbers: product of other numbers: n=a x b x cn=a x b x c

note that factoring a number is relatively note that factoring a number is relatively hard compared to multiplying the factors hard compared to multiplying the factors together to generate the number together to generate the number

thethe prime factorisation prime factorisation of a number of a number nn is is when its written as a product of primes when its written as a product of primes eg. eg. 91=7x13 ; 3600=291=7x13 ; 3600=244x3x322x5x522


Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD

two numbers two numbers a, ba, b are are relatively primerelatively prime if have if have no common divisorsno common divisors apart from 1 apart from 1 eg. 8 & 15 are relatively prime since factors of 8 are eg. 8 & 15 are relatively prime since factors of 8 are

1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor common factor

conversely can determine the greatest common conversely can determine the greatest common divisor by comparing their prime factorizations divisor by comparing their prime factorizations and using least powersand using least powers eg. eg. 300300=2=211x3x311x5x522 18=2 18=211x3x322 hencehence GCD(18,300)=2GCD(18,300)=211x3x311x5x500=6=6


Fermat's TheoremFermat's Theorem

aap-1p-1 = 1 (mod p) = 1 (mod p)where where pp is prime and is prime and gcd(a,p)=1gcd(a,p)=1

also known as Fermat’s Little Theoremalso known as Fermat’s Little Theoremalso also aapp = p (mod p) = p (mod p)useful in public key and primality testinguseful in public key and primality testing


Fermat’s Little TheoremFermat’s Little Theorem

TheoremTheorem If p is prime and a is a positive integer not divisible by p, If p is prime and a is a positive integer not divisible by p, then then aap-1p-1 1 mod p 1 mod p

ProofProofStart by listing the first p – 1 positive multiples of a:Start by listing the first p – 1 positive multiples of a:

a, 2a, 3a, …, (p-1)aa, 2a, 3a, …, (p-1)aSuppose that Suppose that jja and a and kka are the same modulo p, then we have a are the same modulo p, then we have jj kk mod p, so the p-1 multiples of a above are distinct and mod p, so the p-1 multiples of a above are distinct and nonzero; that is, they must be congruent to 1, 2, 3, …, p-1 in nonzero; that is, they must be congruent to 1, 2, 3, …, p-1 in some order. Multiply all these congruencesome order. Multiply all these congruencess together and we find together and we finda a 2a 2a 3a 3a (p-1)a (p-1)a 1 1 2 2 3 3 (p-1) mod p (p-1) mod por better, aor better, ap-1p-1(p-1)! (p-1)! (p-1)! mod p. Divide both side by (p-1)! to (p-1)! mod p. Divide both side by (p-1)! to complete the proofcomplete the proof. .

CorollaryCorollary If p is prime and a is a positive integer, then If p is prime and a is a positive integer, then aapp a mod p a mod p CorollaryCorollary If p is prime and a is a positive integer not divisible by p, If p is prime and a is a positive integer not divisible by p,

then then aap-2p-2 is an inverse of a modulo p is an inverse of a modulo p


Euler’s phi-function, (n), which is sometimes called theEuler’s totient function plays a very important role in cryptography. The function finds number of integer that are smaller than n and relativly prime to n.

Euler’s Phi-Function


Euler Totient Function Euler Totient Function ø(n)ø(n)

when doing arithmetic modulo n when doing arithmetic modulo n complete set of residuescomplete set of residues is: is: 0..n-10..n-1 reduced set of residuesreduced set of residues is those numbers is those numbers

(residues) which are relatively prime to n (residues) which are relatively prime to n eg for n=10, eg for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9} reduced set of residues is {1,3,7,9}

number of elements in reduced set of residues is number of elements in reduced set of residues is called the called the Euler Totient Function ø(n)Euler Totient Function ø(n)


Euler Totient Function Euler Totient Function ø(n)ø(n)

to compute ø(n) need to count number of to compute ø(n) need to count number of residues to be excludedresidues to be excluded

in general need prime factorization, butin general need prime factorization, but for p (p prime) for p (p prime) ø(p) = p-1ø(p) = p-1 for p.q (p,q prime)for p.q (p,q prime) ø(pq) =(p-ø(pq) =(p-1)x(q-1)1)x(q-1)

eg.eg.ø(37) = 36ø(37) = 36ø(21) = (3–1)x(7–1) = 2x6 = 12ø(21) = (3–1)x(7–1) = 2x6 = 12


We can combine the above four rules to find the value of (n). For example, if n can be factored as n = p1

e1 × p2e2 × … × pk

ek

then we combine the third and the fourth rule to find

Continued

The difficulty of finding (n) depends on the difficulty of finding the factorization of n.

Note


Continued

What is the value of (13)?

Example

SolutionBecause 13 is a prime, (13) = (13 −1) = 12.


Example

SolutionWe can use the third rule: (10) = (2) × (5) = 1 × 4 = 4, because 2 and 5 are primes.


Continued


Example

Solution

Can we say that (49) = (7) × (7) = 6 × 6 = 36?

Example

Solution


Continued


Example

SolutionWe can write 240 = 24 × 31 × 51. Then

(240) = (24 −23) × (31 − 30) × (51 − 50) = 64

Can we say that (49) = (7) × (7) = 6 × 6 = 36?

Example

SolutionNo. The third rule applies when m and n are relatively prime. Here 49 = 72. We need to use the fourth rule: (49) = 72 − 71 = 42.


Continued

What is the number of elements in Z14*?

Example

SolutionThe answer is (14) = (7) × (2) = 6 × 1 = 6. The members are 1, 3, 5, 9, 11, and 13.

Interesting point: If n > 2, the value of (n) is even.

Note


Euler's TheoremEuler's Theorem

a generalisation of Fermat's Theorem a generalisation of Fermat's Theorem aaø(n)ø(n) = 1 (mod n) = 1 (mod n)

for any for any a,na,n where where gcd(a,n)=1gcd(a,n)=1 eg.eg.

aa=3;=3;nn=10; ø(10)=4; =10; ø(10)=4; hence 3hence 34 4 = 81 = 1 mod 10= 81 = 1 mod 10

aa=2;=2;nn=11; ø(11)=10;=11; ø(11)=10;hence 2hence 210 10 = 1024 = 1 mod 11= 1024 = 1 mod 11


Euler’s TheoremEuler’s Theorem Generalization of Fermat’s little theoremGeneralization of Fermat’s little theorem TheoremTheorem For every a and n that are relatively prime, For every a and n that are relatively prime,

aa((n)n) 1 mod n1 mod n ProofProof

The proof is completely analogous to that of the Fermat's Theorem The proof is completely analogous to that of the Fermat's Theorem except that instead of the set of residues {1,2,...,n-1} we now except that instead of the set of residues {1,2,...,n-1} we now consider the set of residues {xconsider the set of residues {x11,x,x22,...,x,...,x((n)n)} which are relatively prime } which are relatively prime

to n. In exactly the same manner as before, multiplication by a to n. In exactly the same manner as before, multiplication by a modulo n results in a permutation of the set {xmodulo n results in a permutation of the set {x11, x, x22, ..., x, ..., x((n)n)}. }.

Therefore, two products are congruent:Therefore, two products are congruent:

xx11xx22 ... x ... x((n)n) (ax(ax11)(ax)(ax22) ... (ax) ... (ax((n)n)) mod n ) mod n

dividing by the left-hand side proves the theorem.dividing by the left-hand side proves the theorem. CorollaryCorollary

(1) a(1) a((n)+1n)+1 a mod na mod n

(2)(2) If gcd(a,n) = 1, then If gcd(a,n) = 1, then aa((n)-1n)-1 is an inverse of a modulo nis an inverse of a modulo n


Primality TestingPrimality Testing

often need to find large prime numbers often need to find large prime numbers traditionally traditionally sievesieve using using trial divisiontrial division

ie. divide by all numbers (primes) in turn less than the ie. divide by all numbers (primes) in turn less than the square root of the number square root of the number

only works for small numbersonly works for small numbers alternatively can use statistical primality tests alternatively can use statistical primality tests

based on properties of primes based on properties of primes for which all primes numbers satisfy property for which all primes numbers satisfy property but some composite numbers, called pseudo-primes, but some composite numbers, called pseudo-primes,

also satisfy the propertyalso satisfy the property can use a slower deterministic primality testcan use a slower deterministic primality test


Miller Rabin AlgorithmMiller Rabin Algorithm a test based on Fermat’s Theorem for odd integer a test based on Fermat’s Theorem for odd integer

number p.number p. algorithm is:algorithm is:

TEST (p) is:TEST (p) is:1. Find integers1. Find integers b,c b,c such that such that bb > 0> 0, , cc is odd, so that is odd, so that (p–1)=2(p–1)=2bb*c*c2. Select a random integer 2. Select a random integer aa, , 1<1<aa<p–1<p–13. 3. if if aacc mod pmod p ==r r == ±1±1 then then return (“return (“maybe primemaybe prime");");4. 4. for for j j == 0 0 to to bb– 1– 1 dodo

5. 5. ifif ( (rr2j2j mod pmod p == nn-1-1==-1-1))then then return(" maybe prime ")return(" maybe prime ") elseelse return ("composite")return ("composite")


Probabilistic ConsiderationsProbabilistic Considerations

if Miller-Rabin returns “composite” the if Miller-Rabin returns “composite” the number is definitely not primenumber is definitely not prime

otherwise is a prime or a pseudo-primeotherwise is a prime or a pseudo-primechance it detects a pseudo-prime is < chance it detects a pseudo-prime is < 11//44

hence if repeat test with different random a hence if repeat test with different random a then chance n is prime after t tests is:then chance n is prime after t tests is:Pr(n prime after t tests) = 1-4Pr(n prime after t tests) = 1-4-t-t

eg. for t=10 this probability is > 0.99999eg. for t=10 this probability is > 0.99999


Apply the Miller Rabin Test to P=23.Apply the Miller Rabin Test to P=23.Step 1Step 1:- (p-1) =2= 2:- (p-1) =2= 211 * 11 * 11

b=1,c=11.b=1,c=11.Step 2Step 2:- select random number a=15.:- select random number a=15.Step 3Step 3:-compute 15:-compute 151111 mod 23 mod 23 15151111 mod 23 =22 mod 23 =22 ≡ -1mod 23≡ -1mod 23

thus 23 may be a prime number.thus 23 may be a prime number.

Example


Apply the Miller Rabin Test to P=143.Apply the Miller Rabin Test to P=143. Step 1Step 1:- (p-1) =144= 2:- (p-1) =144= 244 * 9 * 9

b=4,c=9, j=1,2,3.b=4,c=9, j=1,2,3. Step 2Step 2:- select random number a=47.:- select random number a=47. Step 3Step 3:-compute 47:-compute 4799 mod 143 mod 143 474799 mod 143 =125 mod 143 =125 Step 4Step 4:-compute r:-compute r2j 2j mod 143 where r=125,j=1,2,3.mod 143 where r=125,j=1,2,3.

for j =1 , rfor j =1 , r22 mod 143 =125 mod 143 =12522 mod 143 =38≠ -1 mod 143 =38≠ -1



Thus we can say that p is not a prime number definitely Thus we can say that p is not a prime number definitely

Example


CHINESE REMAINDER THEOREMCHINESE REMAINDER THEOREM

The Chinese remainder theorem (CRT) is used to solve The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with one variable but a set of congruent equations with one variable but different moduli, which are relatively prime, as showndifferent moduli, which are relatively prime, as shownbelow:below:


ContinuedContinued

The following is an example of a set of equations with different moduli:

Example

The solution to this set of equations is given in the next section; for the moment, note that the answer to this set of equations is x = 23. This value satisfies all equations: 23 ≡ 2 (mod 3), 23 ≡ 3 (mod 5), and 23 ≡ 2 (mod 7).


ContinuedContinued

Solution To Chinese Remainder Theorem

1. Find M = m1 × m2 × … × mk. This is the common modulus. 2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk. 3. Find the multiplicative inverse of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Call the inverses M1

−1, M2−1, …, Mk −1.

4. The solution to the simultaneous equations is


ContinuedContinued

Find the solution to the simultaneous equations:

Example

SolutionWe follow the four steps.

1. M = 3 × 5 × 7 = 105

2. M1 = 105 / 3 = 35, M2 = 105 / 5 = 21, M3 = 105 / 7 = 15

3. The inverses are M1−1 = 2, M2

−1 = 1, M3 −1 = 1

4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105


ContinuedContinued

Find an integer that has a remainder of 3 when divided by 7 and 13, but is divisible by 12.

Example

SolutionThis is a CRT problem. We can form three equations and solve them to find the value of x.

If we follow the four steps, we find x = 276. We can check that 276 = 3 mod 7, 276 = 3 mod 13 and 276 is divisible by 12 (the quotient is 23 and the remainder is zero).


Chinese Remainder TheoremChinese Remainder Theorem

used to speed up modulo computations used to speed up modulo computations if working modulo a product of numbers if working modulo a product of numbers

eg. eg. mod M = mmod M = m11mm22..m..mkk

Chinese Remainder theorem lets us work Chinese Remainder theorem lets us work in each moduli min each moduli mi i separately separately

since computational cost is proportional to since computational cost is proportional to size, this is faster than working in the full size, this is faster than working in the full modulus Mmodulus M



can implement CRT in several wayscan implement CRT in several ways to compute to compute A(mod M)A(mod M)

first compute all first compute all aaii = A mod m = A mod mii separately separately determine constants determine constants ccii below, where below, where MMii = M/m = M/mii

then combine results to get answer using:then combine results to get answer using:



Chinese Remainder Theorem (CRT)Chinese Remainder Theorem (CRT)

Suppose mSuppose m1 1 ,, … , m… , mkk are pairwise relatively prime are pairwise relatively prime

positive positive integers, and suppose aintegers, and suppose a1 1 ,, … , a… , akk are integers. are integers.

Then the Then the system of k congruences x system of k congruences x a aii (mod m (mod mii) (1 ≤ i ≤ ) (1 ≤ i ≤

k) has a k) has a unique solution modulo M = munique solution modulo M = m1 1 m mkk, ,

which is given bywhich is given by

where cwhere cii = M = Mi i (M(Mii-1-1 mod m mod mii) and M) and Mii = M / m = M / mii , for 1 ≤ i ≤ k. , for 1 ≤ i ≤ k.

Chinese Remainder Theorem


Chinese Remainder TheoremChinese Remainder TheoremProofProof Let M = mLet M = m1 1 mm2 2 … … m mkk, where m, where mii’s are pairwise relatively prime, i.e., ’s are pairwise relatively prime, i.e.,

gcd(mgcd(mi i , m, mjj) = 1, 1 ≤ i ≠ j ≤ k) = 1, 1 ≤ i ≠ j ≤ k

A A (a (a11, a, a22, … ,a, … ,akk), where A ), where A Z ZMM, a, aii Z Zmmii, and a, and aii = A mod m = A mod mii for 1 ≤ i ≤ k for 1 ≤ i ≤ k

One to one correspondence (bijection) between ZOne to one correspondence (bijection) between ZMM and the Cartesian product and the Cartesian product

ZZmm11 Z Zmm22 … … Z Zmmkk

For every integer A such that 0 ≤ A For every integer A such that 0 ≤ A << M, there is a unique k-tuple (a M, there is a unique k-tuple (a11, a, a22, ,

… ,a… ,akk)) with 0 ≤ awith 0 ≤ ai i << m mii

For every such k-tuple (aFor every such k-tuple (a11, a, a22, … ,a, … ,akk), there is a unique A in Z), there is a unique A in ZM M

Computing A from (aComputing A from (a11, a, a22, … ,a, … ,akk) is done as follows:) is done as follows:

Let MLet Mi i = M/m= M/mii for 1 ≤ i ≤ k, i.e., M for 1 ≤ i ≤ k, i.e., Mii = m = m11 m m22 … … m mi-1i-1 m mi+1i+1 … …

mmkk

Note that MNote that Mii ≡ 0 (mod m ≡ 0 (mod mjj) for all j ≠ i and gcd (M) for all j ≠ i and gcd (Mii, m, mii) = 1) = 1

Let cLet cii = M = Mii x (M x (Mii-1-1 mod m mod mii) for 1 ≤ i ≤ k) for 1 ≤ i ≤ k

Then A ≡ (aThen A ≡ (a11cc11+ a+ a22cc2 2 + + + a + akkcckk) mod M) mod M

aaii = A mod m = A mod mii, since c, since cjj ≡ M ≡ Mjj ≡ 0 (mod m ≡ 0 (mod mii) if j≠ i and c) if j≠ i and cii ≡ 1 (mod m ≡ 1 (mod mii))




Operations performed on the elements of ZOperations performed on the elements of ZM M can be equivalently can be equivalently

performed on the corresponding k-tuples by performing the operation performed on the corresponding k-tuples by performing the operation independently in each coordinate positionindependently in each coordinate position ex) A ↔ (aex) A ↔ (a11, a, a22, ... ,a, ... ,akk), B ↔ (b), B ↔ (b11, b, b22, … ,b, … ,bkk))

(A (A B) mod M ↔ ((a B) mod M ↔ ((a11 b b11) mod m) mod m11, … ,(a, … ,(ak k b bkk) mod m) mod mkk))

(A (A B) mod M ↔ ((a B) mod M ↔ ((a11 b b11) mod m) mod m11, … ,(a, … ,(akk b bkk) mod m) mod mkk))

(A (A B) mod M ↔ ((a B) mod M ↔ ((a11 b b11) mod m) mod m11, … ,(a, … ,(akk b bkk) mod m) mod mkk))

CRT provides a way to manipulate (potentially large) numbers mod M in CRT provides a way to manipulate (potentially large) numbers mod M in term of tuples of smaller numbersterm of tuples of smaller numbers



Chinese Remainder TheoremChinese Remainder TheoremChinese Remainder Theorem

ExampleExample Let mLet m11 = 37, m = 37, m22 = 49, M = m = 49, M = m11 mm22 = 1813, A = 973 = 1813, A = 973, B = 678, B = 678

MM11 = 49, M = 49, M22 = 37 = 37 Using the extended Euclid’s algUsing the extended Euclid’s algorithmorithm

MM11-1-1 mod m mod m11 = 34, = 34, and Mand M22

-1-1 mod m mod m2 2 = 4= 4 Taking residues modulo 37 and 49Taking residues modulo 37 and 49

973 973 (11, 42), 678 (11, 42), 678 (12, 41) (12, 41) Add the tuples element-wiseAdd the tuples element-wise

(11 + 12 mod 37, 42 + 41 mod 49) = (23, 34)(11 + 12 mod 37, 42 + 41 mod 49) = (23, 34) To verify, we computeTo verify, we compute

(23, 34) (23, 34) (a (a11cc11+ a+ a22cc22) mod M = (a) mod M = (a11MM11MM11-1-1 + a + a22MM22MM22

-1-1 ) mod M ) mod M

= [(23)(49)(34) + (34)(37)(4)] mod 1813 = = [(23)(49)(34) + (34)(37)(4)] mod 1813 = 16511651

which is equal to (678 + 973) mod 1813 = 1651which is equal to (678 + 973) mod 1813 = 1651


Primitive RootsPrimitive Roots

from Euler’s theorem have from Euler’s theorem have aaø(n)ø(n)mod n=1 mod n=1 consider consider aamm=1 (mod n), GCD(a,n)=1=1 (mod n), GCD(a,n)=1

must exist for must exist for m = m = ø(n)ø(n) but may be smaller but may be smaller once powers reach m, cycle will repeatonce powers reach m, cycle will repeat

if smallest is if smallest is m = m = ø(n)ø(n) then then aa is called a is called a primitive rootprimitive root

if if pp is prime, then successive powers of is prime, then successive powers of aa "generate" the group "generate" the group mod pmod p

these are useful but relatively hard to find these are useful but relatively hard to find


Powers of Integers, modulo 19Powers of Integers, modulo 19Discrete Logarithms

a : primitive root


Discrete LogarithmsDiscrete Logarithms

the inverse problem to exponentiation is to find the inverse problem to exponentiation is to find the the discrete logarithmdiscrete logarithm of a number modulo p of a number modulo p

that is to find that is to find xx such that such that y = gy = gxx (mod p) (mod p) this is written as this is written as x = logx = loggg y (mod p) y (mod p) if g is a primitive root then it always exists, if g is a primitive root then it always exists,

otherwise it may not, eg.otherwise it may not, eg.x = logx = log33 4 mod 13 has no answer 4 mod 13 has no answer

x = logx = log22 3 mod 13 = 4 by trying successive powers 3 mod 13 = 4 by trying successive powers whilst exponentiation is relatively easy, finding whilst exponentiation is relatively easy, finding

discrete logarithms is generally a discrete logarithms is generally a hardhard problem problem


Powers of Integers, modulo 19Powers of Integers, modulo 19Discrete Logarithms

a : primitive root


SummarySummary

have considered:have considered:prime numbersprime numbersFermat’s and Euler’s Theorems & Fermat’s and Euler’s Theorems & ø(n)ø(n) Primality TestingPrimality TestingChinese Remainder TheoremChinese Remainder TheoremDiscrete LogarithmsDiscrete Logarithms

Technology

Ch08