
Great Theoretical Ideas in Computer Science

15-251

Raising numbers to powers, Cryptography and RSA


Lecture 16 March 7, 2013

φ(p) = p-1

E(m) ≡ m^e mod (pq)      D(r) ≡ r^d mod (pq)

Z_n = {0, 1, 2, ..., n-1}
Z_n* = {x ∈ Z_n | GCD(x,n) = 1}
Define +_n and *_n: a +_n b = (a+b mod n), a *_n b = (a*b mod n)

Euler Phi Function φ(n) = size of Z_n* = number of 1 ≤ k < n that are relatively prime to n.
p prime ⇒ Z_p* = {1, 2, 3, ..., p-1} ⇒ φ(p) = p-1

c *_n (a +_n b) ≡_n (c *_n a) +_n (c *_n b)

<Z_n, +_n>: 1. Closed 2. Associative 3. 0 is identity 4. Additive inverses 5. Cancellation 6. Commutative
<Z_n*, *_n>: 1. Closed 2. Associative 3. 1 is identity 4. Multiplicative inverses 5. Cancellation 6. Commutative

φ(pq) = (p-1)(q-1) if p, q distinct primes

Why: pq = # of numbers from 1 to pq; p = # of multiples of q up to pq; q = # of multiples of p up to pq; 1 = # of multiples of both p and q up to pq. So φ(pq) = pq - p - q + 1 = (p-1)(q-1).

Euler Totient Function φ(n) = size of Z_n*.
p prime ⇒ φ(p) = p-1.  p, q distinct primes ⇒ φ(pq) = (p-1)(q-1).

Euler's Theorem: a ∈ Z_n* ⇒ a^φ(n) ≡_n 1

Fundamental lemma of powers. Suppose x ∈ Z_n*, and a, b, n are naturals. If a ≡_φ(n) b then x^a ≡_n x^b. Equivalently, x^(a mod φ(n)) ≡_n x^(b mod φ(n)).

Fermat's Little Theorem: p prime, a ∈ Z_p* ⇒ a^(p-1) ≡_p 1

Z_n = {0, 1, 2, ..., n-1}; Z_n* = {x ∈ Z_n | GCD(x,n) = 1}; a +_n b = (a+b mod n), a *_n b = (a*b mod n).

Definition of a FIELD: A set S with two operations + and * satisfying: (S,+) is an Abelian group, (S-{0},*) is an Abelian group, and * distributes over +.

c *_n (a +_n b) ≡_n (c *_n a) +_n (c *_n b)
<Z_n, +_n> is an Abelian group. <Z_n*, *_n> is an Abelian group.
Field? Only if Z_n* ∪ {0} = Z_n, i.e., only if n is prime.

Fundamental Theorem Of Polynomials Modulo A Prime p: Each of the p^(d+1) degree d polynomials mod p computes a distinct function. Any non-zero, degree d polynomial over Z_p has at most d roots. Two distinct, degree d polynomials can agree in at most d places.

Repeated Doubling of 1: 1, 2, 4, 8, 16, 32, ..., 2^k. Doubling 1 k times will get you 2^k.
Repeated Doubling of X: X, 2X, 4X, 8X, 16X, 32X, ..., 2^k X. Doubling X k times will get you 2^k X.

Halving X defined as ⌊X/2⌋.
Repeated halving of 13: 13, 6, 3, 1, 0. Written from right to left: 1 3 6 13.

Repeated Halving of X, written from right to left: mark each even number 0, mark each odd number 1.
For X = 13: 1 3 6 13 → marks 1 1 0 1 (reading right to left: 13 is odd → 1, 6 is even → 0, 3 is odd → 1, 1 is odd → 1), i.e. 1101.

Rhind Papyrus (1650 BC): 70*16 = 2208
    1    2    4    8    16
   70  140  280  560  2208

Rhind Papyrus (1650 BC): 70*13 = 910
   13*   70   (running sum 70)
    6   140
    3*  280   (running sum 350)
    1*  560   (running sum 910)
Odd entries in the halving column (13, 3, 1) are marked *; adding the doublings beside them gives 70 + 280 + 560 = 910.

Egyptian Repeated Halving To Represent X In Binary
Output stream will print right to left. Input X. Repeat until X = 0 { If X is even then Output 0; Otherwise Output 1; X := ⌊X/2⌋ }

Binary for 13 is 1101 = 2^3 + 2^2 + 2^0, so 70*13 = 70*2^3 + 70*2^2 + 70*2^0.

Repeated Halving of X: odd numbers get a 1, even numbers get a 0.
For X = 21, running the algorithm (Repeat until X = 0 { If X is even then Output 0; Otherwise Output 1; X := ⌊X/2⌋ }) step by step:
  X = 21 (odd)  → output 1
  X = 10 (even) → output 0
  X = 5  (odd)  → output 1
  X = 2  (even) → output 0
  X = 1  (odd)  → output 1
  X = 0 → stop
Output written right to left: 10101, which is 21 in binary.

Rhind Papyrus (1650 BC): X*5 = 5X
    5*   X
    2   2X
    1*  4X
Marked rows: X + 4X = 5X.

Standard Binary Multiplication = Egyptian Multiplication!
Multiplying X (a row of bits) by 101 in binary: the 1 in the ones place contributes X, the 1 in the fours place contributes X shifted left twice, i.e. 4X; adding them gives 5X, exactly the marked rows above.

Repeated Doubling to make 13 (find MSB first): 1, 2, 4, 8; stop if (next power of 2) > 13. Use 8: 13-8 = 5. Use 4: 5-4 = 1. Use 1: 1-1 = 0. So 13 = 8 + 4 + 1 = 1101 in binary.

Rhind Papyrus (1650 BC): 184 / 17 = 10 remainder 14
    1    17
    2*   34
    4    68
    8*  136
Starting from 184, subtract the largest doublings that fit: 184 - 136 = 48, 48 - 34 = 14 (68 and 17 do not fit). So 184 = 17*8 + 17*2 + 14, i.e. 184/17 = 10 with remainder 14.

This method is called Egyptian Multiplication/Division or Russian Peasant Multiplication/Division.
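The halving and doubling procedures above (binary by repeated halving, Egyptian multiplication, Egyptian division), as an added Python example; the lecture shows no implementation and names OCaml, so this is not the lecture's code:

```python
def to_binary_by_halving(x):
    """Bits of x, least significant first: halve repeatedly, record each parity."""
    bits = []
    while x > 0:
        bits.append(x & 1)   # odd -> 1, even -> 0
        x //= 2              # floor(x / 2)
    return bits

def egyptian_multiply(a, b):
    """a * b: double a while halving b, adding the doublings where b is odd."""
    total = 0
    while b > 0:
        if b & 1:            # this row of the halving column is marked
            total += a
        a *= 2
        b //= 2
    return total

def egyptian_divide(a, b):
    """(a // b, a % b): build doublings of b up to a, then subtract from the top down."""
    if b <= 0:
        raise ValueError("divisor must be positive")
    doublings = [(1, b)]                      # (multiplier, multiplier * b)
    while doublings[-1][1] * 2 <= a:
        m, v = doublings[-1]
        doublings.append((2 * m, 2 * v))
    quotient, remainder = 0, a
    for m, v in reversed(doublings):          # largest doubling first
        if v <= remainder:
            remainder -= v
            quotient += m
    return quotient, remainder
```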

How do you compute 5^8 using few multiplications?
First idea: 5, 5^2, 5^3, 5^4, 5^5, 5^6, 5^7, 5^8, each term the previous one times 5 (5^2 = 5*5, 5^3 = 5^2*5, ...): 7 multiplications.
Better idea: 5, 5^2 = 5*5, 5^4 = 5^2*5^2, 5^8 = 5^4*5^4. Used only 3 mults instead of 7!!!

Repeated squaring calculates a^(2^k) in k multiply operations; compare with (2^k - 1) multiply operations used by the naive method.

How do you compute 5^13? Use repeated squaring again? 5, 5^2, 5^4, 5^8, 5^16: too high! What now? (Assume no divisions allowed.)
Note that 13 = 8 + 4 + 1, so a^13 = a^8 * a^4 * a^1: two more multiplies. 13_10 = (1101)_2.

To compute a^m: suppose 2^k ≤ m < 2^(k+1). Compute a, a^2, a^4, a^8, ..., a^(2^k): this takes k multiplies. Now write m as a sum of distinct powers of 2, say m = 2^k + 2^i1 + 2^i2 + ... + 2^it. Then a^m = a^(2^k) * a^(2^i1) * ... * a^(2^it): at most k more multiplies. Hence, we can compute a^m while performing at most 2⌊log2 m⌋ multiplies.

How do you compute 5^13 (mod 11)?
First idea: compute 5^13 using 5 multiplies (5, 5^2, 5^4, 5^8, 5^12 = 5^8*5^4, 5^13 = 5^12*5) = 1 220 703 125, then take the answer mod 11: 1220703125 (mod 11) = 4.

Better idea: keep reducing the answer mod 11.
  5
  5^2  = 25 ≡_11 3
  5^4  ≡_11 9
  5^8  ≡_11 81 ≡_11 4
  5^12 ≡_11 36 ≡_11 3
  5^13 ≡_11 15 ≡_11 4

Hence, we can compute a^m (mod n) while performing at most 2⌊log2 m⌋ multiplies, where each time we multiply together numbers with ⌊log2 n⌋ + 1 bits.

How do we implement this? Let's use my favorite programming language, OCaml. It's a functional language that automatically infers the types of variables. It compiles to fast code. It has an interactive shell so that you can play with the functions you've written. (Similar to SML, which you will learn about in 15-212 or 15-150.)

How do you compute 5^121242653 (mod 11)? The current best idea would still need about 54 calculations. (Answer = 4.) Can we exponentiate any faster?

Recall the fundamental lemma of powers: suppose x ∈ Z_n*, and a, b, n are naturals. If a ≡_φ(n) b then x^a ≡_n x^b; equivalently, x^(a mod φ(n)) ≡_n x^(b mod φ(n)).

121242653 (mod 10) = 3, and 5^3 (mod 11) = 125 mod 11 = 4. Why did we take mod 10? Because for a ∈ Z_n*, a^x ≡_n a^(x mod φ(n)), and φ(11) = 10.

Hence, we can compute a^m (mod n) while performing at most 2⌊log2 φ(n)⌋ multiplies, where each time we multiply together numbers with ⌊log2 n⌋ + 1 bits.
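Repeated squaring with reduction mod n at every step, plus the exponent shrinking that the fundamental lemma of powers allows, as an added Python example (not the lecture's OCaml code). modexp also returns how many modular multiplications it performed so the 2⌊log2 m⌋ bound can be checked; phi is brute force and only meant for small moduli:

```python
from math import gcd

def modexp(a, m, n):
    """a^m mod n by repeated squaring, scanning the bits of m from the low end.
    Returns (result, number of modular multiplications performed)."""
    result, base, mults = 1, a % n, 0
    while m > 0:
        if m & 1:                        # this power of two is in m: multiply it in
            result = (result * base) % n
            mults += 1
        m >>= 1
        if m:                            # square only while higher bits remain
            base = (base * base) % n     # operands never exceed floor(log2 n)+1 bits
            mults += 1
    return result, mults

def phi(n):
    """Euler's phi by brute force: count 1 <= k < n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def modexp_reduced(a, m, n):
    """For a in Z_n*, a^m ≡ a^(m mod phi(n)) (mod n), so shrink the exponent first.
    The reduction is only valid for units, so refuse anything else."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit mod n for the exponent reduction")
    return modexp(a, m % phi(n), n)
```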

The multiplicative inverse of a ∈ Z_n* is the unique b ∈ Z_n* such that a *_n b ≡_n 1. We denote this inverse by a^-1 or 1/a.

What is 1/29 mod 67? Use Euclid's Extended GCD algorithm.
Input: X, Y. Output: r, s, d such that rX + sY = d = GCD(X,Y).
Each number is tracked as a pair <r, s> meaning r*67 + s*29:
  Euclid(67,29):  67 = <1,0>, 29 = <0,1>
  Euclid(29,9):   9 = 67 - 2*29,  9 = <1,-2>
  Euclid(9,2):    2 = 29 - 3*9,   2 = <-3,7>
  Euclid(2,1):    1 = 9 - 4*2,    1 = <13,-30>
  Euclid(1,0):    0 = 2 - 2*1
Euclid(1,0) outputs 1 = 13*67 - 30*29. HENCE 1/29 = -30 (mod 67).

Efficient algorithm to compute a^-1 from a and n: execute the Extended Euclid Algorithm on a and n (previous lecture). It will give two integers r and s such that ra + sn = (a,n) = 1. Taking both sides mod n, we obtain ra ≡_n 1. Output r, which is the inverse of a.
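The extended Euclid computation above, as an added Python example (not the lecture's code). It carries the <r, s> pairs exactly as the table does and reduces the inverse into Z_n, so -30 comes out as 37 for 1/29 mod 67:

```python
def extended_gcd(x, y):
    """Return (r, s, d) with r*x + s*y = d = gcd(x, y).
    Each remainder is tracked as a pair <r, s> meaning r*x + s*y."""
    r0, s0 = 1, 0          # x = <1, 0>
    r1, s1 = 0, 1          # y = <0, 1>
    while y != 0:
        q = x // y
        x, y = y, x - q * y                         # Euclid step
        r0, s0, r1, s1 = r1, s1, r0 - q * r1, s0 - q * s1
    return r0, s0, x

def mod_inverse(a, n):
    """a^-1 in Z_n*, or ValueError if gcd(a, n) != 1 (no inverse exists)."""
    r, s, d = extended_gcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {d}")
    return r % n           # r*a + s*n = 1  =>  r*a ≡ 1 (mod n)
```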

Summary: Z_n = {0, 1, 2, ..., n-1}; Z_n* = {x ∈ Z_n | GCD(x,n) = 1}.
<Z_n, +_n>: 1. Closed 2. Associative 3. 0 is identity 4. Additive inverses 5. Cancellation 6. Commutative. Fast + and -.
<Z_n*, *_n>: 1. Closed 2. Associative 3. 1 is identity 4. Multiplicative inverses 5. Cancellation 6. Commutative. Fast * and /. Quick raising to power.

The RSA Cryptosystem: Rivest, Shamir, Adleman. (Pictured: Euler, Fermat.)

Pick secret, random large primes p, q. Multiply n = p*q. Publish: n.
φ(n) = φ(p) φ(q) = (p-1)*(q-1). Pick random e ∈ Z*_φ(n). Publish: e.
Compute d = inverse of e in Z*_φ(n). Hence, e*d = 1 [mod φ(n)]. Private/Secret Key: d.

"n, e is my public key. Use it to send me a message."
p, q random primes; e random ∈ Z*_φ(n); n = p*q; e*d = 1 [mod φ(n)].
The sender, holding message m and the public key n, e, sends m^e [mod n]. The receiver computes (m^e)^d ≡_n m.

How hard is cracking RSA?
If we can factor products of two large primes, can we crack RSA?
If we know n and φ(n), can we crack RSA?
How about the other way? Does cracking RSA mean we must do one of these two? We don't know (yet).
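The RSA key generation and message flow above, as an added Python example (not the lecture's code). The primes p = 61, q = 53 and e = 17 are constructed toy values, far too small for real use; the last two functions spell out why knowing φ(n) or the factorization of n is equivalent to holding the private key. pow(e, -1, m) is Python 3.8+:

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Given distinct primes p, q and e in Z*_phi(n), return ((n, e), d)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be a unit mod phi(n)")
    d = pow(e, -1, phi_n)            # inverse of e in Z*_phi(n), so e*d ≡ 1 (mod phi(n))
    return (n, e), d

def encrypt(m, public_key):
    n, e = public_key
    return pow(m, e, n)              # m^e mod n by repeated squaring

def decrypt(c, d, n):
    return pow(c, d, n)              # (m^e)^d ≡ m (mod n) by the lemma of powers

def private_key_from_phi(e, phi_n):
    """Anyone who learns phi(n) can rebuild d: it is just e^-1 mod phi(n)."""
    return pow(e, -1, phi_n)

def private_key_from_factors(e, p, q):
    """Factoring n gives phi(n) = (p-1)(q-1), and hence d."""
    return private_key_from_phi(e, (p - 1) * (q - 1))
```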

Generator Theorem: g ∈ Z_n* is a generator if the order of g = φ(n), i.e., powers of g hit every element of Z_n*.

Z_7* = {1,2,3,4,5,6}
2^0 = 1; 2^1 = 2; 2^2 = 4; 2^3 = 1.  Orbit of 2: {1, 2, 4}. Order 3.
3^0 = 1; 3^1 = 3; 3^2 = 2; 3^3 = 6; 3^4 = 4; 3^5 = 5; 3^6 = 1.  Orbit of 3: {1,2,3,4,5,6}. Order 6.
3 is a generator, but 2 is not.

p prime ⇒ Z_p* has a generator g. This will mean that Z_p* has an alternative representation as the powers of g: {g, g^2, g^3, ..., g^(p-1)}.

Open Problem (Gauss)
Generator Theorem: p prime ⇒ Z_p* has a generator g. In fact, it has φ(p-1) generators. Proof not given here.
Is there an efficient algorithm, given a prime p, to find a single generator in Z_p*?

CRYPTOGRAPHY based on the presumed computational difficulty of a number theoretic problem.
Let p be prime, g be a generator mod p. DH_{p,g}(x) = g^x mod p is fast to compute. DISCRETE-LOG_{p,g}(r) = x means that g^x = r mod p. No one knows a fast algorithm, given a random r, to compute x.

Diffie-Hellman [1976] New Directions In Cryptography.
Let p be prime, g be a generator mod p.
Alice: picks random x ∈ Z_(p-1), sends Bob g^x mod p.
Bob: picks random y ∈ Z_(p-1), sends Alice g^y mod p.
Both parties can compute (g^x)^y = (g^y)^x = g^(xy mod (p-1)) mod p.

Adversary Eve: has seen g^x mod p and g^y mod p. Can she quickly compute g^xy mod p?


Diffie-Hellman has an *amazing* feature. Two people who have never met and have no prior shared secrets can use the system. Without this property, commerce on the net would be impossible.

Diffie-Hellman Secret Key Agreement Protocol: agree on a random string even though you have no private information in common.

Typical use: agree on a random string r. Use r as your secret key in a more conventional private-key crypto system.
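One added Python example (not the lecture's code) serving both the generator discussion (orbits and orders in Z_7*, counting the φ(p-1) generators) and the Diffie-Hellman exchange, with both sides' messages and the check that they derive the same g^(xy). The toy parameters p = 23, g = 5 and the exponents are constructed values:

```python
def orbit(g, p):
    """Powers g^0, g^1, ... in Z_p* until they cycle back to 1."""
    out, x = [1], g % p
    while x != 1:
        out.append(x)
        x = (x * g) % p
    return out

def multiplicative_order(g, p):
    """Smallest k >= 1 with g^k ≡ 1 (mod p): the size of g's orbit."""
    return len(orbit(g, p))

def is_generator(g, p):
    return multiplicative_order(g, p) == p - 1      # phi(p) = p-1 for prime p

def generators(p):
    """All generators of Z_p*; the theorem says there are phi(p-1) of them."""
    return [g for g in range(1, p) if is_generator(g, p)]

def diffie_hellman(p, g, x, y):
    """Alice holds x, Bob holds y. Returns (Alice's message, Bob's message, shared key)."""
    alice_to_bob = pow(g, x, p)                    # g^x mod p, sent in the clear
    bob_to_alice = pow(g, y, p)                    # g^y mod p, sent in the clear
    alice_key = pow(bob_to_alice, x, p)            # (g^y)^x
    bob_key = pow(alice_to_bob, y, p)              # (g^x)^y
    assert alice_key == bob_key == pow(g, (x * y) % (p - 1), p)
    return alice_to_bob, bob_to_alice, alice_key
```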

k out of n secret sharing scheme

Fundamental Theorem Of Polynomials Modulo A Prime p: Each of the p^(d+1) degree d polynomials mod p computes a distinct function. Any non-zero, degree d polynomial over Z_p has at most d roots. Two distinct, degree d polynomials can agree in at most d places.

Secret S in Z_p*. Pick k-1 random numbers in Z_p: c_(k-1), ..., c_2, c_1.
p(x) = c_(k-1) x^(k-1) + ... + c_2 x^2 + c_1 x + S.
The n shares are p(1), p(2), ..., p(n). Interpolate from any k shares to yield S. Any k-1 shares give no information about S, i.e., there are exactly p-1 polynomials of degree k-1 going through those points (one for each possible value of S).
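The k out of n scheme above, as an added Python example (not the lecture's code): shares are points on a random degree k-1 polynomial over Z_p with constant term S, and any k of them recover S by Lagrange interpolation at x = 0. The coeffs parameter is an assumption added so a fixed polynomial can be checked by hand; pow(x, -1, p) is Python 3.8+:

```python
import random

def make_shares(secret, k, n, p, coeffs=None):
    """n shares (i, f(i)) of secret in Z_p; any k recover it, k-1 reveal nothing.
    f(x) = c_{k-1} x^{k-1} + ... + c_1 x + secret, with random c_i unless coeffs given."""
    if not 0 <= secret < p or k > n:
        raise ValueError("secret must lie in Z_p and k <= n")
    if coeffs is None:
        coeffs = [random.randrange(p) for _ in range(k - 1)]
    poly = [secret] + list(coeffs)           # poly[i] is the coefficient of x^i
    def f(x):
        return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p
    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares, p):
    """Lagrange interpolation at x = 0 over Z_p from exactly the given shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p          # product of (0 - x_j)
                den = (den * (xi - xj)) % p      # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret
```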

