Lecture 3.1: Public Key Cryptography I CS 436/636/736 Spring 2015 Nitesh Saxena

Today’s Informative/Fun Bit – Acoustic Emanations anations&btnG=Google+Search anations&btnG=Google+Search 22/19/2016Public Key Cryptography -- I

Course Administration HW1 posted – due at 11am on Feb 2 (Mon) – Any questions? Regarding programming portion of the homework – Submit the whole modified code that you used to measure timings – Comment the portions in the code where you modified the code Include a small “readme” for us to understand this 32/19/2016Public Key Cryptography -- I

Outline of Today’s Lecture Public Key Crypto Overview Number Theory Modular Arithmetic 42/19/2016Public Key Cryptography -- I

Recall: Private Key/Public Key Cryptography Private Key: Sender and receiver share a common (private) key – Encryption and Decryption is done using the private key – Also called conventional/shared-key/single-key/ symmetric-key cryptography Public Key: Every user has a private key and a public key – Encryption is done using the public key and Decryption using private key – Also called two-key/asymmetric-key cryptography 52/19/2016Public Key Cryptography -- I

Private key cryptography revisited. Good: Quite efficient (as you’ll see from the HW#1 programming exercise on AES) Bad: Key distribution and management is a serious problem – for N users O(N 2 ) keys are needed 62/19/2016Public Key Cryptography -- I

Public key cryptography model Good: Key management problem potentially simpler Bad: Much slower than private key crypto (we’ll see later!) 72/19/2016Public Key Cryptography -- I

Public Key Encryption Two keys: – public encryption key e – private decryption key d Encryption easy when e is known Decryption easy when d is known Decryption hard when d is not known We’ll study such public key encryption schemes; first we need some number theory. 82/19/2016Public Key Cryptography -- I

Public Key Encryption: Security Notions Very similar to what we studied for private key encryption – What’s the difference? 92/19/2016Public Key Cryptography -- I

Group: Definition (G,.) (where G is a set and. : GxG  G) is said to be a group if following properties are satisfied: 1.Closure : for any a, b G, a.b G 2.Associativity : for any a, b, c G, a.(b.c)=(a.b).c 3.Identity : there is an identity element such that a.e = e.a = a, for any a G 4.Inverse : there exists an element a -1 for every a in G, such that a.a -1 = a -1.a = e Abelian Group: Group which also satisfies commutativity, i.e., a.b = b.a 10

Groups: Examples Set of all integers with respect to addition -- (Z,+) Set of all integers with respect to multiplication (Z,*) – not a group Set of all real numbers with respect to multiplication (R,*) Set of all integers modulo m with respect to modulo addition (Z m, “modular addition”) 112/19/2016Public Key Cryptography -- I

Divisors x divides y (written x | y) if the remainder is 0 when y is divided by x – 1|8, 2|8, 4|8, 8|8 The divisors of y are the numbers that divide y – divisors of 8: {1,2,4,8} For every number y – 1|y – y|y 122/19/2016Public Key Cryptography -- I

Prime numbers A number is prime if its only divisors are 1 and itself: – 2,3,5,7,11,13,17,19, … Fundamental theorem of arithmetic: – For every number x, there is a unique set of primes {p 1, …,p n } and a unique set of positive exponents {e 1, …,e n } such that 132/19/2016Public Key Cryptography -- I

Common divisors The common divisors of two numbers x,y are the numbers z such that z|x and z|y – common divisors of 8 and 12: intersection of {1,2,4,8} and {1,2,3,4,6,12} = {1,2,4} greatest common divisor: gcd(x,y) is the number z such that – z is a common divisor of x and y – no common divisor of x and y is larger than z gcd(8,12) = 4 142/19/2016Public Key Cryptography -- I

Euclidean Algorithm: gcd(r 0,r 1 ) 15 Main idea: If y = ax + b then gcd(x,y) = gcd(x,b) 2/19/2016Public Key Cryptography -- I

Example – gcd(15,37) 37 = 2 * = 2 * = 7 *  gcd(15,37) = 1 162/19/2016Public Key Cryptography -- I

Relative primes x and y are relatively prime if they have no common divisors, other than 1 Equivalently, x and y are relatively prime if gcd(x,y) = 1 – 9 and 14 are relatively prime – 9 and 15 are not relatively prime 172/19/2016Public Key Cryptography -- I

Modular Arithmetic Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: We work in Z m = {0, 1, 2, …, m-1}, the group of integers modulo m Example: Z 9 ={0,1,2,3,4,5,6,7,8} We abuse notation and often write = instead of 182/19/2016Public Key Cryptography -- I

Addition in Z m : Addition is well-defined: – = 7 mod 9. – = 2 mod /19/2016Public Key Cryptography -- I

Additive inverses in Z m 0 is the additive identity in Z m Additive inverse of a is -a mod m = (m-a) – Every element has unique additive inverse. – 4 + 5= 0 mod 9. – 4 is additive inverse of /19/2016Public Key Cryptography -- I

Multiplication in Z m : Multiplication is well-defined: – 3 * 4 = 3 mod 9. – 3 * 8 = 6 mod 9. – 3 * 3 = 0 mod /19/2016Public Key Cryptography -- I

Multiplicative inverses in Z m 1 is the multiplicative identity in Z m Multiplicative inverse (x*x -1 =1 mod m) – SOME, but not ALL elements have unique multiplicative inverse. – In Z 9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) – On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4 -1 =7, (mod 9) 222/19/2016Public Key Cryptography -- I

Which numbers have inverses? In Z m, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 – E.g., 4 in Z 9 232/19/2016Public Key Cryptography -- I

Extended Euclidian: a -1 mod n Main Idea: Looking for inverse of a mod n means looking for x such that x * a – y * n = 1. To compute inverse of a mod n, do the following: – Compute gcd(a, n) using Euclidean algorithm. – Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1. – So you can obtain linear combination of r m and r m-1 that yields 1. – Work backwards getting linear combination of r i and r i-1 that yields 1. – When you get to linear combination of r 0 and r 1 you are done as r 0 =n and r 1 = a. 242/19/2016Public Key Cryptography -- I

Example – mod = 2 * = 2 * = 7 * Now, 15 – 2 * 7 = 1 15 – 2 (37 – 2 * 15) = 1 5 * 15 – 2 * 37 = 1 So, mod 37 is /19/2016Public Key Cryptography -- I

Modular Exponentiation: Square and Multiply method Usual approach to computing x c mod n is inefficient when c is large. Instead, represent c as bit string b k-1 … b 0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z 2 mod n if b i = 1 then z = z* x mod n 262/19/2016Public Key Cryptography -- I

Example: mod z = z 2 mod n if b i = 1 then z = z* x mod n i b z =1*1*30 mod =30*30 mod =53*53 mod =37*37*30 mod =29*29 mod =71*71*30 mod 77 2/19/2016Public Key Cryptography -- I

Other Definitions An element g in G is said to be a generator of a group if a = g i for every a in G, for a certain integer i – A group which has a generator is called a cyclic group The number of elements in a group is called the order of the group Order of an element a is the lowest i (>0) such that a i = e (identity) A subgroup is a subset of a group that itself is a group 28Public Key Cryptography -- I2/19/2016

Lagrange’s Theorem Order of an element in a group divides the order of the group 292/19/2016Public Key Cryptography -- I

Euler’s totient function Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then – {1,2,3,…,p-1} are relatively prime to p. 302/19/2016Public Key Cryptography -- I

Euler’s totient function Fact: If p and q are prime and n=pq then Each number that is not divisible by p or by q is relatively prime to pq. – E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} – pq-p-(q-1) = (p-1)(q-1) 312/19/2016Public Key Cryptography -- I

Euler’s Theorem and Fermat’s Theorem If a is relatively prime to n then If a is relatively prime to p then a p-1 = 1 mod p Proof : follows from Lagrange’s Theorem 322/19/2016Public Key Cryptography -- I

Euler’s Theorem and Fermat’s Theorem EG: Compute mod 17: p =17, so p-1 = = 6·16+4. Therefore, =9 6·16+4 =(9 16 ) 6 (9) 4. So mod 17 we have  (9 16 ) 6 (9) 4 (mod 17)  (1) 6 (9) 4 (mod 17)  (81) 2 (mod 17)  16 Public Key Cryptography -- I 2/19/201633

Some questions 2 -1 mod 4 =? What is the complexity of – (a+b) mod m – (a*b) mod m – x c mod (n) Order of a group is 5. What can be the order of an element in this group? 342/19/2016Public Key Cryptography -- I

Further Reading Chapter 4 of Stallings Chapter 2.4 of HAC 352/19/2016Public Key Cryptography -- I