Prelude to Public-Key Cryptography Rocky K. C. Chang, February
The next 2 sets of slides address 2
Outline 3 Motivations for public-key cryptography Affine Cipher Generalizing Affine Cipher to multiplicative groups. Computing the multiplicative inverses using Euclidean algorithms The Chinese Remainder Theorem Other useful Group Theory results Multiplication modulo prime Primitive elements
Public-key cryptography 4 Drawbacks of the symmetric key cryptosystems: Require a secret key established before sending ciphertext. Cannot be used for digital signatures. Main ideas behind the public-key cryptosystems: It is computationally infeasible to determine D K () given E K (). Therefore, E K () can be public and D K () must be private.
Public-key cryptography 5 Key people behind the public-key cryptography: Diffie and Hellman Rivest, Shamir, and Adleman The RSA algorithm is based on the difficulty of factoring large integers. ElGamal, Elliptic Curve, and Diffie-Hellman are based on the difficulty of solving the discrete logarithm problem.
The Affine Cipher 6
Recall that the Affine Cipher is: 7 Let M = C = Z 26 = {0, 1, 2, …, 25} K = (a, b), where a, b {0, 1, 2, …, 25}. Encryption and decryption functions: E K (m) = a m + b mod 26 D K (c) = a -1 (c b) mod 26 E K (m) is not an one-to-one function for all a. When a = 1, Affine Cipher is the same as a Shift Cipher. Affine Cipher is still a special case of the Substitution Cipher.
E K (m) is not an one-to-one function for all a. 8 Not all (a, b) can be used as keys. E.g., a = 2 and b = 1: E(m) = 2m + 1 mod 26. But E(0) = E(13) = 1. For any c Z 26, the decryption is possible iff the congruence a m c (mod 26) has a unique solution for m. Decryption is possible iff there is a unique solution m in a m + b c (mod 26) or a m c b (mod 26). Note that b just shifts c to the left hand side by b, which gives the same set of values for c. Thus, decryption is possible iff there is a unique solution m in a m c (mod 26).
The values of a: gcd(a,26) = 1. 9 The congruence a m c (mod 26) has a unique solution for any c Z 26 iff gcd(a,26) = 1 (i.e., a and 26 are relative prime). Assume that gcd(a,26) = d > 1. Without loss of generality, take c = 0. Then a m 0 (mod 26) has two solutions: m = 0 and m = 26/d. The congruence does not have a unique solution. Assume that gcd(a,26) = 1. Consider some m 1 and m 2 for which a m 1 a m 2 (mod 26) or a (m 1 m 2 ) 0 (mod 26). That is, 26 | a (m 1 m 2 ) (i.e., 26 divides a (m 1 m 2 )). Since gcd(a,26) = 1, we have 26 | (m 1 m 2 ). By definition, m 1 m 2 (mod 26). Therefore, a unique solution m Z 26.
What is the size of the key space? 10 How many a Z 26 for which gcd(a,26) = 1? All odd numbers except for 13 (i.e., 12 of them). Thus, the size of the key space = 12 26 = 312. Define a -1 to be the multiplicative inverse of a for which a a -1 a -1 a 1 (mod 26).
Inverses of a Z 26 a a -1 1111 3939 521 715 9393 1119 a a -1 157 1723 1911 215 2317 2525 Multiplicative inverses for the set of a for which gcd(a,26) = 1: 11 Multiplicative inverses do not exist for the set of a for which gcd(a,26) ≠ 1.
Decryption function 12 c a m + b (mod 26) a m c b (mod 26) Assuming that the a -1 exists, we have a -1 (a m) a -1 (c b) (mod 26) The left side is a -1 (a m) (a -1 a) m 1 m m (mod 26). Therefore, m = a -1 (c b) mod 26.
Multiplicative group 13
Abelian Group or Commutative Group 14 A group G is a set of numbers together with an operation that satisfies the following requirements: (Closure) For all a, b G, a b G. (Associative) For all a, b, c G, a (b c) = (a b) c. (Identity) Exists some unique e G such that for all a G, a e = e a = a. (e is the identity element) (Inverse) For all a G, there exists an a -1 G, such that a a -1 = a -1 a = e. (a -1 is the inverse of a). (Commutative) For all a, b G, a b = b a.
For example, 15 The set of real numbers under addition is a (additive) group. e = 0 and a -1 = -a. The set of non-zero real numbers under multiplication is a (multiplicative) group. e = 1 and a -1 = 1/a. The set of integers under addition is a group, but the set of integers under multiplication is not a group. Z n = {0, 1, 2, …, n–1} under addition modulo n is a group.
Multiplicative group 16 Let Z * 26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} under multiplication modulo 26 forms a group. Z * 26 is the set of residues modulo 26 that are relatively prime to 26. We can generalize the modulo 26 to any modulo p. a m c (mod p) has a unique solution m Z p for every c Z p iff gcd(a,p) = 1. The number of integers in Z p that are relatively prime to p is denoted by (p). (26) = ? There is a formula to compute (p).
Multiplicative group 17 Suppose a Z p, a -1 exists iff gcd(a,p) = 1. If a -1 exists, it is unique. It is not difficult to prove that Z * p forms a group under multiplication modulo p. As a special case, if p is prime, then every nonzero element of Z p has a multiplicative inverse. Therefore, (p) = p – 1. Z * p = Z p \ {0}.
How to compute the multiplicative inverse? Use the Euclidean algorithm to compute gcd(a,b). E.g., gcd(108,42) = gcd(42,24) = gcd(24,18) = gcd(18,6) = 6. E.g., gcd(75,28) = gcd(28,19) = gcd(19,9) = gcd(9,1) = 1. Can determine whether a positive integer a < p has a multiplicative inverse modulo p. 18
The Extended Euclidean algorithm 19 Use the Extended Euclidean algorithm to compute r, s, t, such that s a + t b = r = gcd(a,b). For example, a = 108, b = 42 (i.e., gcd(a,b) > 1), 108 = 2 (24 = a–2b) 42 = 1 (b=1 (a–2b)+18 or -a+3b=18) 24 = 1 18+6 (a–2b=1 (-a+3b)+6 or 2a–5b=6) 18 = 3 6+0 Therefore, 2a–5b=6 (s = 2, t = -5, and r = 6).
The Extended Euclidean algorithm 20 For example, a = 75, b = 28 (i.e., gcd(a,b) = 1), 75 = 2 (19 = a–2b) 28 = 1 19+9 (b=1 (a–2b)+9 or -a+3b=9) 19 = 2 9+1 (a–2b=2 (-a+3b)+1 or 3a–8b=1) 9 = 9 1+0 Therefore, 3a–8b=1 (s = 3, t = -8, and r = 1).
Compute the multiplicative inverse 21 Consider a Z p and gcd(p,a) = 1. From the Extended Euclid. Algorithm, we have s p + t a = 1. Reducing the above modulo p, we have t a 1 (mod p). In other words, t is the multiplicative inverse of a. Note that it is also unique. E.g., for a =28 and Z 75, a -1 = -8 mod 75 = 67. Check a a -1 mod 75 = 1876 mod 75 = 1!
The Chinese Remainder Theorem 22
The Chinese Remainder Theorem 23 The CRT is a method of solving the followings for x, where gcd(p i, p j ) = 1 for i j. x a 1 (mod p 1 ) x a 2 (mod p 2 ) …… x a r (mod p r ), The CRT asserts that there is a unique solution in {0, 1, …, p 1 … p r – 1}. To see why, consider mapping x to x mod p i (called X).
For example, 24 Consider p 1 = 5 p 2 = 3, P = p 1 p 2 = 15, and x {0, 1, 2, …, 14}. X(0) = (0,0), X(1) = (1,1), X(2) = (2,2), X(3) = (3,0), X(4) = (4,1), X(5) = (0,2), X(6) = (1,0), X(7) = (2,1), X(8) = (3,2), X(9) = (4,0), X(10) = (0,1), X(11) = (1,2), X(12) = (2,0), X(13) = (3,1), X(14) = (4,2) The mapping X(x) is bijective => a unique solution to x a 1 (mod p 1 ) x a 2 (mod p 2 ).
The Chinese Remainder Theorem 25 Suppose p 1, …, p r are pairwise relatively prime, and a 1, …, a r are integers. Then the system of r congruences x a i (mod p i ) has a unique solution modulo P = p 1 … p r, which is given by x = a 1 P 1 y 1 mod P + … + a r P r y r mod P, where P i = P/p i and y i = P i -1 mod p i, i=1, …, r. For example, (p 1,p 2,p 3 ) = (7,11,13) and (a 1,a 2,a 3 )=(5,3,10). P = From the Extended Euclid. Algorithm, y 1 = 5, y 2 = 4, and y 3 = 12. From the CRT, x = ( 5 (11 13) (7 13) (7 11) 12 ) mod 1001 = 894.
Multiplicative group modulo prime 26
Lagrange’s theorem 27 For a finite multiplicative group G under modulo p, define The order of G is (p) (i.e., the number of elements in G) The order of an element g G to be the smallest +ve integer n such that g n mod p = 1. E.g., for Z * 26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}, recall that (p) = 12. The order of 1 is 1. The order of 3 is 3, because 3 3 mod 26 = 1. The order of 5 is 4, because 5 4 mod 26 = 1. …… (Lagrange) Suppose G is a multiplicative group of order n, and g G. Then the order of g divides n.
Multiplicative group modulo prime 28 From the Lagrange’s theorem, we immediately have If b Z * p, then b (p) 1 (mod p). If p is a prime and b Z * p, then b p b (mod p). If p is prime, then Z * p is a cyclic group. There exists at least an element g Z * p having order equal to (p) = p – 1. Such element is called the primitive element modulo p. E.g., for Z * 7, 3 is a primitive, because 3 i mod 7 1, i=1,…,5, and mod 7 = 1.
Properties of the primitive elements 29 An element g is a primitive element modulo p iff g i, i = 0, 1, …, p–2, generate Z * p. E.g., for p = 7 3 0 mod 7 = 1, 3 1 mod 7 = 3, 3 2 mod 7 = 2, 3 3 mod 7 = 6, 3 4 mod 7 = 4, 3 5 mod 7 = 5. The order of an element a = g i is given by (p–1)/gcd(p–1,i). Thus, a = g i is a primitive element iff gcd(p–1,i) = 1. In other words, the number of primitive elements is (p–1).
For example, 30 For p = 7, p–1 = 6 = 2 3. Therefore, (6) = (2 1 – ) (3 1 – ) = 2. Test for primitive elements: gcd(6,0) = 6 gcd(6,1) = 1 3 1 is a primitive element. gcd(6,2) = 2 gcd(6,3) = 3 gcd(6,4) = 2 gcd(6,5) = 1 3 5 mod 7 = 5 is another primitive element.
A quicker method for testing for primitive elements 31 Suppose that p is prime and a Z * p. Then a is a primitive element modulo p iff a (p–1)/q 1 (mod p) for all primes q such that q | (p–1). Back to p = 7, all primes, for which q | (p–1), are 2 and 3. 1 is clearly not a primitive element. 2 6/2 1 (mod 7). 3 6/2 6 (mod 7) and 3 6/3 2 (mod 7) 3 is a primitive element. 4 6/2 1 (mod 7). 5 6/2 6 (mod 7) and 5 6/3 4 (mod 7) 5 is a primitive element.
Conclusions 32 We have laid down some foundations for understanding the public-key cryptography. Affine Cipher Multiplicative groups (Diffie-Hellman) The Chinese Remainder Theorem (RSA) Multiplicative groups modulo prime (Diffie-Hellman)
Acknowledgments 33 The notes are prepared mostly based on D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.