Chap. 8,9: Introduction to number theory and RSA algorithm


Chap. 8,9: Introduction to number theory and RSA algorithm Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown

The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for." Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation a^n + b^n = c^n has no non-trivial solution in the integers." They agreed on a three-day period for the labor, and the Devil disappeared. At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?" "Eh? No . . . no, I haven't proved it." "Then I can have whatever I ask for? Money? The Presidency?" "What? Oh, that—of course. But listen! If we could just prove the following two lemmas—"
—The Mathematical Magpie, Clifton Fadiman

Clifton Fadiman
Clifton Fadiman was a multi-talented writer, critic, raconteur and bookworm. He is best remembered as moderator of the erudite radio quiz show Information, Please, which ran from 1938 until 1952. He wrote a book, The Lifetime Reading Plan, which lists one hundred Western classics.

Motivation: RSA public-key algorithm
Can a symmetric cipher be refined into a public-key cipher?
One key for encryption, one key for decryption

Preview of RSA algorithm
k-bit block cipher, 2^k < n ≤ 2^(k+1)
Plaintext M, ciphertext C
C = M^e mod n, where 0 ≤ M < n
M = C^d mod n = (M^(ed)) mod n
Q: Is there e, d, n such that M^(ed) ≡ M mod n ?
A: Euler's theorem
Q: Given e, is it possible to compute M directly from C ?

Outline
Prime numbers
Fermat's and Euler's Theorems
RSA algorithm
Testing for primality

Prime Numbers
prime numbers only have divisors of 1 and self
they cannot be written as a product of other numbers
note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime numbers less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

Prime Factorisation
prime factorisation: any integer a>1 can be factored in a unique way , are primes each a_i is a positive integer
eg. 91 = 7×13 ; 3600 = 2^4×3^2×5^2
Note: factoring a number is relatively hard compared to multiplying the factors together to generate the number
The idea of "factoring" a number is important: finding numbers which divide into it. Taking this as far as it can go, by factorising all the factors, we can eventually write the number as a product of (powers of) primes, its prime factorisation.

Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if they have no common divisors apart from 1
eg. 8 & 15 are relatively prime, since the factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15, and 1 is the only common factor
conversely, one can determine the greatest common divisor by comparing their prime factorizations and using the least powers
eg. 300 = 2^2×3^1×5^2, 18 = 2^1×3^2, hence GCD(18,300) = 2^1×3^1×5^0 = 6

Outline
Prime numbers
Fermat's and Euler's Theorems
RSA algorithm
Testing for primality

Fermat's Theorem
also known as Fermat's Little Theorem
a^(p-1) mod p = 1
where p is prime and gcd(a,p)=1 (a and p are relatively prime)
useful in public key and primality testing

Proof of Fermat's law
Recall: p is a prime, Z_p is a Galois Field
Any a multiplied by {1,2,…,p-1} will span {1,2,…,p-1} in some order
a×2a×…×((p-1)a) ≡ [(a mod p)×(2a mod p)×…×((p-1)a mod p)] mod p
≡ [1×2×…×(p-1)] mod p
≡ (p-1)! mod p
(p-1)! a^(p-1) ≡ (p-1)! mod p

Proof of Fermat's law (cont.)
(p-1)! a^(p-1) ≡ (p-1)! mod p
Because (p-1)! is relatively prime to p:
a^(p-1) ≡ 1 mod p
This can be re-written as a^p ≡ a mod p
Example: a = 7, p = 19 => 7^18 ≡ 1 mod 19 ?
7^2 = 49 ≡ 11 mod 19
7^4 = 7^2×7^2 ≡ (11×11) mod 19 = 7 mod 19
7^8 = 7^4×7^4 ≡ (7×7) mod 19 = 11 mod 19
7^16 = 7^8×7^8 ≡ (11×11) mod 19 = 7 mod 19
7^18 = 7^16×7^2 ≡ (7×11) mod 19 = 1 mod 19

Euler's Totient Function ø(n)
when doing arithmetic modulo n:
complete set of residues is: 0..n-1
reduced set of residues is those numbers (residues) which are relatively prime to n
eg. for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9}, reduced set of residues is {1,3,7,9}
number of elements in the reduced set of residues is called the Euler Totient Function ø(n)
i.e. ø(n) is the number of positive integers less than n and relatively prime to n

Example: totient function
ø(37)=? 37 is a prime, {1,…,36} are all relatively prime to 37, so ø(37)=36
ø(35)=? List them: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}, so ø(35)=24

Euler's Totient Function ø(n)
Some special cases:
for p (p prime): ø(p) = p-1
for p•q (p≠q, both prime): ø(p•q) = (p-1)×(q-1)
Proof for ø(p•q) = (p-1)×(q-1):
How many of {1,2,3,…,pq-1} are relatively prime to pq?
=> Count those that are not relatively prime to pq:
1. multiples of p: {p, 2p, 3p,…, (q-1)p}
2. multiples of q: {q, 2q, 3q,…, (p-1)q}
ø(p•q) = (pq-1) - (p-1) - (q-1) = pq-p-q+1 = (p-1)(q-1) = ø(p)×ø(q)

Euler's Theorem
Fermat's Theorem: a^(n-1) ≡ 1 mod n
Euler's theorem: a^ø(n) ≡ 1 mod n, where gcd(a,n)=1
eg. a=3; n=10; ø(10)=4; hence 3^4 = 81 = 1 mod 10
a=2; n=11; ø(11)=10; hence 2^10 = 1024 = 1 mod 11

Proof for Euler's theorem
a^ø(n) ≡ 1 mod n, gcd(a,n)=1
n is a prime => Fermat's theorem
Arbitrary n: ø(n) means the number of integers that are relatively prime to n, denote the set of integers as
Multiply each by a, modulo n:
S is a permutation of R !!!
* a is relatively prime to n, and x_i is relatively prime to n => so is a·x_i
* There is no duplicate in S

Proof for Euler's theorem (cont.)
is the permutation of mod n OR
Recall: RSA algorithm M^(ed) ≡ M mod n
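The permutation step of the proof above, checked numerically in an added Python example (not part of the original slides). The function names are chosen here for illustration, and the values tested are the ones the slides use (n = 10, 35, 37).

```python
from math import gcd, prod


def reduced_residues(n):
    """R: the integers in [1, n) that are relatively prime to n (n >= 2)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def totient(n):
    """Euler's totient, counted directly from the definition on the slides."""
    return len(reduced_residues(n))


def multiply_set(a, n):
    """S: every element of R multiplied by a, modulo n."""
    return [(a * x) % n for x in reduced_residues(n)]


def is_permutation_of_R(a, n):
    """True when S is a reordering of R; the proof needs gcd(a, n) = 1 for this."""
    return sorted(multiply_set(a, n)) == reduced_residues(n)


def euler_holds(a, n):
    """Follow the proof: prod(S) = a^ø(n) * prod(R), and S permutes R,
    so prod(S) ≡ prod(R) mod n and therefore a^ø(n) ≡ 1 mod n."""
    R, S = reduced_residues(n), multiply_set(a, n)
    same_product = prod(S) % n == prod(R) % n
    return same_product and pow(a, len(R), n) == 1


if __name__ == "__main__":
    print("R for n=10:", reduced_residues(10))
    print("S for a=3 :", multiply_set(3, 10))   # same set, different order
    print("S for a=5 :", multiply_set(5, 10))   # gcd(5,10) != 1: collapses
    print("ø(35) =", totient(35), " ø(37) =", totient(37))
```

With a = 5 and n = 10 the set S collapses to repeated values, which is why the theorem requires gcd(a, n) = 1.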

Corollary to Euler's theorem
RSA algorithm: M^(ed) ≡ M mod n
Euler's theorem: gcd(a, n)=1
Given prime p and q, n=pq, 0<a<n
a: plaintext => not necessarily relatively prime to n !!!
1. a is prime to n => Euler's theorem
2. a is NOT prime to n => a is a multiple of p or a is a multiple of q
Prove case 1: a = cp but a qp, because 0<a<n=pq => gcd(a, q) = 1

Corollary to Euler's theorem (cont.)
case 1: a = cp, gcd(a,q)=1
Euler's theorem
raise to the power ø(p)
Totient function => => Multiply a=cp => => Δ

Corollary to Euler's theorem (cont.)
Given prime p and q, n=pq, 0<a<n
Alternative form of the corollary (used in RSA)
By Euler's theorem

RSA from Euler's corollary
RSA algorithm: find e, d, n to satisfy M^(ed) ≡ M mod n
Euler's corollary: given primes p and q, n=pq, 0<a<n, and arbitrary k
We want ed = kø(n) + 1
=> ed ≡ 1 mod ø(n), or d ≡ e^(-1) mod ø(n)
(d is the multiplicative inverse of e; it exists if d (and e) is relatively prime to ø(n))

Outline
Prime numbers
Fermat's and Euler's Theorems
RSA algorithm
Testing for primality

RSA algorithm – decide parameters
1. Select primes p and q. Example: p=17, q=11
2. Calculate n=pq. Example: n = 17×11 = 187
3. Calculate ø(n)=(p-1)(q-1). Example: ø(n) = 16×10 = 160
4. Select e that is relatively prime to and less than ø(n). Example: e = 7
5. Determine d such that de ≡ 1 mod ø(n) and d < ø(n) (d is the multiplicative inverse of e, find it using Extended Euclid's algorithm). Example: d = 23

RSA encryption/decryption example
Public key: KU={e,n}={7,187}
Private key: KR={d,n}={23,187}

Ingredient and security of RSA
p, q: two primes (private, chosen)
n=pq (public, calculated)
e, with gcd(ø(n),e)=1, 1<e<ø(n) (public, chosen)
d ≡ e^(-1) mod ø(n) (private, calculated)
p, q must be secrets => ø(n) = (p-1)(q-1)
n is known => ø(n) can be calculated from n? => p, q calculated from n?
ø(n) must be a secret, else d can be calculated

The security of RSA
Brute-force: try all private keys
Mathematical attacks:
Factor n into its two prime factors, n => p×q
Determine ø(n) directly
Determine d directly without ø(n)
Timing attacks: depend on the running time of the decryption algorithm
Same complexity

Complexity of factorization problem (figure; axis label: key size)

Computation – encryption/decryption
Modular exponentiation: M = C^d mod n
Fast algorithm uses the property: (a × b) mod n = [(a mod n) × (b mod n)] mod n
Write exponent d as a binary number: b_k b_(k-1) … b_1 b_0
ex. 23 (base 10) = 10111 (base 2) = 2^4+2^2+2^1+2^0
11^23 mod 187 = (11^16 × 11^4 × 11^2 × 11^1) mod 187
= [(11^16 mod 187) × (11^4 mod 187) × (11^2 mod 187) × (11^1 mod 187)] mod 187
= … = 88

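Pseudo-code for fast exponentiation
/* Computes a^b mod n. b[k..0] holds the bits of the exponent, b[k] most significant.
   n must be below 2^32 so that d*d fits in 64 bits. */
unsigned long long mod_exp(unsigned long long a, const int b[], int k, unsigned long long n)
{
    unsigned long long c = 0;  /* c will be the exponent at last */
    unsigned long long d = 1;  /* d will be a^b mod n at last */
    for (int i = k; i >= 0; i--) {  /* k+1 bits for b */
        c = 2 * c;
        d = (d * d) % n;
        if (b[i] == 1) {  /* extra multiplication only when the bit is 1 */
            c = c + 1;
            d = (d * a) % n;
        }
    }
    return d;
}
Timing attacks: if this bit is 1, the execution time will be longer.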

Resisting timing attacks
Constant exponentiation time: return the results of exponentiation after a fixed time
Random delay: add a random delay to the exponentiation execution time
Blinding: multiply the ciphertext by a random number
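The bit-dependent work in the fast exponentiation loop and the blinding countermeasure, as an added Python example (not part of the original slides). It assumes the slide key e=7, d=23, n=187; the function names and the operation counter are illustrative, and Python integers are not constant-time, so this shows the arithmetic only.

```python
import secrets
from math import gcd


def square_and_multiply(a, b, n):
    """Left-to-right binary exponentiation, as in the slide's loop.
    Returns (a^b mod n, number of modular multiplications performed)."""
    d, mults = 1, 0
    for bit in bin(b)[2:]:
        d = (d * d) % n          # always: one squaring per exponent bit
        mults += 1
        if bit == "1":           # only for 1 bits: the data-dependent step
            d = (d * a) % n
            mults += 1
    return d, mults


def blinded_decrypt(c, d, e, n):
    """Decrypt c*r^e instead of c, then strip r, so the value fed to the
    exponentiation is unrelated to the ciphertext an observer supplied."""
    while True:
        r = secrets.randbelow(n - 2) + 2      # random r in [2, n-1]
        if gcd(r, n) == 1:                    # r must be invertible mod n
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind, _ = square_and_multiply(c_blind, d, n)   # equals M*r mod n
    return (m_blind * pow(r, -1, n)) % n


if __name__ == "__main__":
    # Two 5-bit exponents, different numbers of 1 bits, different work.
    print("d=23 (10111):", square_and_multiply(11, 23, 187))
    print("d=16 (10000):", square_and_multiply(11, 16, 187))
    print("blinded decrypt of 11:", blinded_decrypt(11, 23, 7, 187))
```

The two exponents have the same length but need 9 and 6 multiplications, which is the difference a timing measurement picks up; blinding leaves that cost in place but decouples it from the ciphertext the observer knows.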