Lecture 3.1: Public Key Cryptography I 1/17/2019 Lecture 3.1: Public Key Cryptography I CS 436/636/736 Spring 2014 Nitesh Saxena

Today’s Informative/Fun Bit – Acoustic Emanations 1/17/2019 Today’s Informative/Fun Bit – Acoustic Emanations http://www.google.com/search?source=ig&hl=en&rlz=&q=keyboard+acoustic+emanations&btnG=Google+Search http://tau.ac.il/~tromer/acoustic/ 1/17/2019 Public Key Cryptography -- I

Course Administration 1/17/2019 Course Administration HW1 posted – due at 5pm on Jan 30 (Thu) Any questions? Regarding programming portion of the homework Submit the whole modified code that you used to measure timings Comment the portions in the code where you modified the code Include a small “readme” for us to understand this 1/17/2019 Public Key Cryptography -- I

Outline of Today’s Lecture 1/17/2019 Outline of Today’s Lecture Public Key Crypto Overview Number Theory Modular Arithmetic 1/17/2019 Public Key Cryptography -- I

Recall: Private Key/Public Key Cryptography 1/17/2019 Recall: Private Key/Public Key Cryptography Private Key: Sender and receiver share a common (private) key Encryption and Decryption is done using the private key Also called conventional/shared-key/single-key/ symmetric-key cryptography Public Key: Every user has a private key and a public key Encryption is done using the public key and Decryption using private key Also called two-key/asymmetric-key cryptography 1/17/2019 Public Key Cryptography -- I

Private key cryptography revisited. 1/17/2019 Private key cryptography revisited. Good: Quite efficient (as you’ll see from the HW#1 programming exercise on AES) Bad: Key distribution and management is a serious problem – for N users O(N2) keys are needed 1/17/2019 Public Key Cryptography -- I

Public key cryptography model 1/17/2019 Public key cryptography model Good: Key management problem potentially simpler Bad: Much slower than private key crypto (we’ll see later!) 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Public Key Encryption Two keys: public encryption key e private decryption key d Encryption easy when e is known Decryption easy when d is known Decryption hard when d is not known We’ll study such public key encryption schemes; first we need some number theory. 1/17/2019 Public Key Cryptography -- I

Public Key Encryption: Security Notions 1/17/2019 Public Key Encryption: Security Notions Very similar to what we studied for private key encryption What’s the difference? 1/17/2019 Public Key Cryptography -- I

1/17/2019 Group: Definition (G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied: Closure : for any a, b G, a.b G Associativity : for any a, b, c G, a.(b.c)=(a.b).c Identity : there is an identity element such that a.e = e.a = a, for any a G Inverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e Abelian Group: Group which also satisfies commutativity , i.e., a.b = b.a

Public Key Cryptography -- I 1/17/2019 Groups: Examples Set of all integers with respect to addition --(Z,+) Set of all integers with respect to multiplication (Z,*) – not a group Set of all real numbers with respect to multiplication (R,*) Set of all integers modulo m with respect to modulo addition (Zm, “modular addition”) 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Divisors x divides y (written x | y) if the remainder is 0 when y is divided by x 1|8, 2|8, 4|8, 8|8 The divisors of y are the numbers that divide y divisors of 8: {1,2,4,8} For every number y 1|y y|y 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Prime numbers A number is prime if its only divisors are 1 and itself: 2,3,5,7,11,13,17,19, … Fundamental theorem of arithmetic: For every number x, there is a unique set of primes {p1, … ,pn} and a unique set of positive exponents {e1, … ,en} such that 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Common divisors The common divisors of two numbers x,y are the numbers z such that z|x and z|y common divisors of 8 and 12: intersection of {1,2,4,8} and {1,2,3,4,6,12} = {1,2,4} greatest common divisor: gcd(x,y) is the number z such that z is a common divisor of x and y no common divisor of x and y is larger than z gcd(8,12) = 4 1/17/2019 Public Key Cryptography -- I

Euclidean Algorithm: gcd(r0,r1) 1/17/2019 Euclidean Algorithm: gcd(r0,r1) Main idea: If y = ax + b then gcd(x,y) = gcd(x,b) 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Example – gcd(15,37) 37 = 2 * 15 + 7 15 = 2 * 7 + 1 7 = 7 * 1 + 0 gcd(15,37) = 1 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Relative primes x and y are relatively prime if they have no common divisors, other than 1 Equivalently, x and y are relatively prime if gcd(x,y) = 1 9 and 14 are relatively prime 9 and 15 are not relatively prime 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Modular Arithmetic Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: We work in Zm = {0, 1, 2, …, m-1}, the group of integers modulo m Example: Z9 ={0,1,2,3,4,5,6,7,8} We abuse notation and often write = instead of 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Addition in Zm : Addition is well-defined: 3 + 4 = 7 mod 9. 3 + 8 = 2 mod 9. 1/17/2019 Public Key Cryptography -- I

Additive inverses in Zm 1/17/2019 Additive inverses in Zm 0 is the additive identity in Zm Additive inverse of a is -a mod m = (m-a) Every element has unique additive inverse. 4 + 5= 0 mod 9. 4 is additive inverse of 5. 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Multiplication in Zm : Multiplication is well-defined: 3 * 4 = 3 mod 9. 3 * 8 = 6 mod 9. 3 * 3 = 0 mod 9. 1/17/2019 Public Key Cryptography -- I

Multiplicative inverses in Zm 1/17/2019 Multiplicative inverses in Zm 1 is the multiplicative identity in Zm Multiplicative inverse (x*x-1=1 mod m) SOME, but not ALL elements have unique multiplicative inverse. In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9) 1/17/2019 Public Key Cryptography -- I

Which numbers have inverses? 1/17/2019 Which numbers have inverses? In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 E.g., 4 in Z9 1/17/2019 Public Key Cryptography -- I

Extended Euclidian: a-1 mod n 1/17/2019 Extended Euclidian: a-1 mod n Main Idea: Looking for inverse of a mod n means looking for x such that x*a – y*n = 1. To compute inverse of a mod n, do the following: Compute gcd(a, n) using Euclidean algorithm. Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1. So you can obtain linear combination of rm and rm-1 that yields 1. Work backwards getting linear combination of ri and ri-1 that yields 1. When you get to linear combination of r0 and r1 you are done as r0=n and r1= a. 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Example – 15-1 mod 37 37 = 2 * 15 + 7 15 = 2 * 7 + 1 7 = 7 * 1 + 0 Now, 15 – 2 * 7 = 1 15 – 2 (37 – 2 * 15) = 1 5 * 15 – 2 * 37 = 1 So, 15-1 mod 37 is 5. 1/17/2019 Public Key Cryptography -- I

Modular Exponentiation: Square and Multiply method 1/17/2019 Modular Exponentiation: Square and Multiply method Usual approach to computing xc mod n is inefficient when c is large. Instead, represent c as bit string bk-1 … b0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z2 mod n if bi = 1 then z = z* x mod n Show an example: x^64 will require 6 squarings (or 6 multiplications). 1000000 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Example: 3037 mod 77 z = z2 mod n if bi = 1 then z = z* x mod n i b z 5 1 30 =1*1*30 mod 77 4 53 =30*30 mod 77 3 37 =53*53 mod 77 2 29 =37*37*30 mod 77 71 =29*29 mod 77 2 =71*71*30 mod 77 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Other Definitions An element g in G is said to be a generator of a group if a = gi for every a in G, for a certain integer i A group which has a generator is called a cyclic group The number of elements in a group is called the order of the group Order of an element a is the lowest i (>0) such that ai = e (identity) A subgroup is a subset of a group that itself is a group 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Lagrange’s Theorem Order of an element in a group divides the order of the group 1/17/2019 Public Key Cryptography -- I

Euler’s totient function 1/17/2019 Euler’s totient function Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then {1,2,3,…,p-1} are relatively prime to p. 1/17/2019 Public Key Cryptography -- I

Euler’s totient function 1/17/2019 Euler’s totient function Fact: If p and q are prime and n=pq then Each number that is not divisible by p or by q is relatively prime to pq. E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} pq-p-(q-1) = (p-1)(q-1) 1/17/2019 Public Key Cryptography -- I

Euler’s Theorem and Fermat’s Theorem 1/17/2019 Euler’s Theorem and Fermat’s Theorem If a is relatively prime to n then If a is relatively prime to p then ap-1 = 1 mod p Proof : follows from Lagrange’s Theorem 1/17/2019 Public Key Cryptography -- I

Euler’s Theorem and Fermat’s Theorem 1/17/2019 Euler’s Theorem and Fermat’s Theorem EG: Compute 9100 mod 17: p =17, so p-1 = 16. 100 = 6·16+4. Therefore, 9100=96·16+4=(916)6(9)4 . So mod 17 we have 9100  (916)6(9)4 (mod 17)  (1)6(9)4 (mod 17)  (81)2 (mod 17)  16 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Some questions 2-1 mod 4 =? What is the complexity of (a+b) mod m (a*b) mod m xc mod (n) Order of a group is 5. What can be the order of an element in this group? 1/17/2019 Public Key Cryptography -- I

Public Key Cryptography -- I 1/17/2019 Further Reading Chapter 4 of Stallings Chapter 2.4 of HAC 1/17/2019 Public Key Cryptography -- I