1. Prelude to Public-Key Cryptography Rocky K. C. Chang, February 2014 1

2. The next 2 sets of slides address 2

3. Outline 3  Motivations for public-key cryptography  Affine Cipher  Generalizing Affine Cipher to multiplicative groups.  Computing the multiplicative inverses using Euclidean algorithms  The Chinese Remainder Theorem  Other useful Group Theory results  Multiplication modulo prime  Primitive elements

4. Public-key cryptography 4  Drawbacks of the symmetric key cryptosystems:  Require a secret key established before sending ciphertext.  Cannot be used for digital signatures.  Main ideas behind the public-key cryptosystems:  It is computationally infeasible to determine D K () given E K ().  Therefore, E K () can be public and D K () must be private.

5. Public-key cryptography 5  Key people behind the public-key cryptography:  Diffie and Hellman  Rivest, Shamir, and Adleman  The RSA algorithm is based on the difficulty of factoring large integers.  ElGamal, Elliptic Curve, and Diffie-Hellman are based on the difficulty of solving the discrete logarithm problem.

6. The Affine Cipher 6

7. Recall that the Affine Cipher is: 7  Let M = C = Z 26 = {0, 1, 2, …, 25}  K = (a, b), where a, b  {0, 1, 2, …, 25}.  Encryption and decryption functions:  E K (m) = a  m + b mod 26  D K (c) = a -1 (c  b) mod 26  E K (m) is not an one-to-one function for all a.  When a = 1, Affine Cipher is the same as a Shift Cipher.  Affine Cipher is still a special case of the Substitution Cipher.

8. E K (m) is not an one-to-one function for all a. 8  Not all (a, b) can be used as keys.  E.g., a = 2 and b = 1: E(m) = 2m + 1 mod 26.  But E(0) = E(13) = 1.  For any c  Z 26, the decryption is possible iff the congruence a  m  c (mod 26) has a unique solution for m.  Decryption is possible iff there is a unique solution m in a  m + b  c (mod 26) or a  m  c  b (mod 26).  Note that  b just shifts c to the left hand side by b, which gives the same set of values for c.  Thus, decryption is possible iff there is a unique solution m in a  m  c (mod 26).

9. The values of a: gcd(a,26) = 1. 9  The congruence a  m  c (mod 26) has a unique solution for any c  Z 26 iff gcd(a,26) = 1 (i.e., a and 26 are relative prime).  Assume that gcd(a,26) = d > 1.  Without loss of generality, take c = 0.  Then a  m  0 (mod 26) has two solutions: m = 0 and m = 26/d.  The congruence does not have a unique solution.  Assume that gcd(a,26) = 1.  Consider some m 1 and m 2 for which a  m 1  a  m 2 (mod 26) or a  (m 1  m 2 )  0 (mod 26).  That is, 26 | a  (m 1  m 2 ) (i.e., 26 divides a  (m 1  m 2 )).  Since gcd(a,26) = 1, we have 26 | (m 1  m 2 ).  By definition, m 1  m 2 (mod 26).  Therefore, a unique solution m  Z 26.

10. What is the size of the key space? 10  How many a  Z 26 for which gcd(a,26) = 1?  All odd numbers except for 13 (i.e., 12 of them).  Thus, the size of the key space = 12  26 = 312.  Define a -1 to be the multiplicative inverse of a for which a  a -1  a -1  a  1 (mod 26).

11. Inverses of a  Z 26  a a -1 1111 3939  521  715 9393  1119  a a -1  157  1723  1911  215  2317  2525  Multiplicative inverses for the set of a for which gcd(a,26) = 1: 11  Multiplicative inverses do not exist for the set of a for which gcd(a,26) ≠ 1.

12. Decryption function 12  c  a  m + b (mod 26)  a  m  c  b (mod 26)  Assuming that the a -1 exists, we have a -1 (a  m)  a -1 (c  b) (mod 26)  The left side is a -1 (a  m)  (a -1 a)  m  1  m  m (mod 26).  Therefore, m = a -1 (c  b) mod 26.

13. Multiplicative group 13

14. Abelian Group or Commutative Group 14  A group G is a set of numbers together with an operation  that satisfies the following requirements:  (Closure) For all a, b  G, a  b  G.  (Associative) For all a, b, c  G, a  (b  c) = (a  b)  c.  (Identity) Exists some unique e  G such that for all a  G, a  e = e  a = a. (e is the identity element)  (Inverse) For all a  G, there exists an a -1  G, such that a  a -1 = a -1  a = e. (a -1 is the inverse of a).  (Commutative) For all a, b  G, a  b = b  a.

15. For example, 15  The set of real numbers under addition is a (additive) group.  e = 0 and a -1 = -a.  The set of non-zero real numbers under multiplication is a (multiplicative) group.  e = 1 and a -1 = 1/a.  The set of integers under addition is a group, but the set of integers under multiplication is not a group.  Z n = {0, 1, 2, …, n–1} under addition modulo n is a group.

16. Multiplicative group 16  Let Z * 26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} under multiplication modulo 26 forms a group.  Z * 26 is the set of residues modulo 26 that are relatively prime to 26.  We can generalize the modulo 26 to any modulo p.  a  m  c (mod p) has a unique solution m  Z p for every c  Z p iff gcd(a,p) = 1.  The number of integers in Z p that are relatively prime to p is denoted by  (p).   (26) = ?  There is a formula to compute  (p).

17. Multiplicative group 17  Suppose a  Z p, a -1 exists iff gcd(a,p) = 1.  If a -1 exists, it is unique.  It is not difficult to prove that Z * p forms a group under multiplication modulo p.  As a special case, if p is prime, then every nonzero element of Z p has a multiplicative inverse.  Therefore,  (p) = p – 1.  Z * p = Z p \ {0}.

18. How to compute the multiplicative inverse?  Use the Euclidean algorithm to compute gcd(a,b).  E.g., gcd(108,42) = gcd(42,24) = gcd(24,18) = gcd(18,6) = 6.  E.g., gcd(75,28) = gcd(28,19) = gcd(19,9) = gcd(9,1) = 1.  Can determine whether a positive integer a < p has a multiplicative inverse modulo p. 18

19. The Extended Euclidean algorithm 19  Use the Extended Euclidean algorithm to compute r, s, t, such that s  a + t  b = r = gcd(a,b).  For example, a = 108, b = 42 (i.e., gcd(a,b) > 1),  108 = 2  42+24 (24 = a–2b)  42 = 1  24+18 (b=1  (a–2b)+18 or -a+3b=18)  24 = 1  18+6 (a–2b=1  (-a+3b)+6 or 2a–5b=6)  18 = 3  6+0  Therefore, 2a–5b=6 (s = 2, t = -5, and r = 6).

20. The Extended Euclidean algorithm 20  For example, a = 75, b = 28 (i.e., gcd(a,b) = 1),  75 = 2  28+19 (19 = a–2b)  28 = 1  19+9 (b=1  (a–2b)+9 or -a+3b=9)  19 = 2  9+1 (a–2b=2  (-a+3b)+1 or 3a–8b=1)  9 = 9  1+0  Therefore, 3a–8b=1 (s = 3, t = -8, and r = 1).

21. Compute the multiplicative inverse 21  Consider a  Z p and gcd(p,a) = 1.  From the Extended Euclid. Algorithm, we have s  p + t  a = 1.  Reducing the above modulo p, we have t  a  1 (mod p).  In other words, t is the multiplicative inverse of a. Note that it is also unique.  E.g., for a =28 and Z 75, a -1 = -8 mod 75 = 67.  Check a  a -1 mod 75 = 1876 mod 75 = 1!

22. The Chinese Remainder Theorem 22

23. The Chinese Remainder Theorem 23  The CRT is a method of solving the followings for x, where gcd(p i, p j ) = 1 for i  j.  x  a 1 (mod p 1 )  x  a 2 (mod p 2 ) ……  x  a r (mod p r ),  The CRT asserts that there is a unique solution in {0, 1, …, p 1  …  p r – 1}.  To see why, consider mapping x to x mod p i (called X).

24. For example, 24  Consider p 1 = 5 p 2 = 3, P = p 1  p 2 = 15, and x  {0, 1, 2, …, 14}.  X(0) = (0,0), X(1) = (1,1), X(2) = (2,2),  X(3) = (3,0), X(4) = (4,1), X(5) = (0,2),  X(6) = (1,0), X(7) = (2,1), X(8) = (3,2),  X(9) = (4,0), X(10) = (0,1), X(11) = (1,2),  X(12) = (2,0), X(13) = (3,1), X(14) = (4,2)  The mapping X(x) is bijective => a unique solution to  x  a 1 (mod p 1 )  x  a 2 (mod p 2 ).

25. The Chinese Remainder Theorem 25  Suppose p 1, …, p r are pairwise relatively prime, and a 1, …, a r are integers. Then the system of r congruences x  a i (mod p i ) has a unique solution modulo P = p 1  …  p r, which is given by  x = a 1 P 1 y 1 mod P + … + a r P r y r mod P,  where P i = P/p i and y i = P i -1 mod p i, i=1, …, r.  For example, (p 1,p 2,p 3 ) = (7,11,13) and (a 1,a 2,a 3 )=(5,3,10).  P = 1001.  From the Extended Euclid. Algorithm, y 1 = 5, y 2 = 4, and y 3 = 12.  From the CRT, x = ( 5  (11  13)  5 + 3  (7  13)  4 + 10  (7  11)  12 ) mod 1001 = 894.

26. Multiplicative group modulo prime 26

27. Lagrange’s theorem 27  For a finite multiplicative group G under modulo p, define  The order of G is  (p) (i.e., the number of elements in G)  The order of an element g  G to be the smallest +ve integer n such that g n mod p = 1.  E.g., for Z * 26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}, recall that  (p) = 12.  The order of 1 is 1.  The order of 3 is 3, because 3 3 mod 26 = 1.  The order of 5 is 4, because 5 4 mod 26 = 1. ……  (Lagrange) Suppose G is a multiplicative group of order n, and g  G. Then the order of g divides n.

28. Multiplicative group modulo prime 28  From the Lagrange’s theorem, we immediately have  If b  Z * p, then b  (p)  1 (mod p).  If p is a prime and b  Z * p, then b p  b (mod p).  If p is prime, then Z * p is a cyclic group.  There exists at least an element g  Z * p having order equal to  (p) = p – 1.  Such element is called the primitive element modulo p.  E.g., for Z * 7, 3 is a primitive, because 3 i mod 7  1, i=1,…,5, and 3 7-1 mod 7 = 1.

29. Properties of the primitive elements 29  An element g is a primitive element modulo p iff g i, i = 0, 1, …, p–2, generate Z * p. E.g., for p = 7  3 0 mod 7 = 1,  3 1 mod 7 = 3,  3 2 mod 7 = 2,  3 3 mod 7 = 6,  3 4 mod 7 = 4,  3 5 mod 7 = 5.  The order of an element a = g i is given by (p–1)/gcd(p–1,i).  Thus, a = g i is a primitive element iff gcd(p–1,i) = 1.  In other words, the number of primitive elements is  (p–1).

30. For example, 30  For p = 7, p–1 = 6 = 2  3. Therefore,  (6) = (2 1 – 2 1-1 )  (3 1 – 3 1-1 ) = 2.  Test for primitive elements:  gcd(6,0) = 6  gcd(6,1) = 1  3 1 is a primitive element.  gcd(6,2) = 2  gcd(6,3) = 3  gcd(6,4) = 2  gcd(6,5) = 1  3 5 mod 7 = 5 is another primitive element.

31. A quicker method for testing for primitive elements 31  Suppose that p is prime and a  Z * p. Then a is a primitive element modulo p iff a (p–1)/q  1 (mod p) for all primes q such that q | (p–1).  Back to p = 7, all primes, for which q | (p–1), are 2 and 3.  1 is clearly not a primitive element.  2 6/2  1 (mod 7).  3 6/2  6 (mod 7) and 3 6/3  2 (mod 7)  3 is a primitive element.  4 6/2  1 (mod 7).  5 6/2  6 (mod 7) and 5 6/3  4 (mod 7)  5 is a primitive element.

32. Conclusions 32  We have laid down some foundations for understanding the public-key cryptography.  Affine Cipher  Multiplicative groups (Diffie-Hellman)  The Chinese Remainder Theorem (RSA)  Multiplicative groups modulo prime (Diffie-Hellman)

33. Acknowledgments 33  The notes are prepared mostly based on  D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.