chap. 8,9: introduction to number theory and rsa algorithm
DESCRIPTION
Chap. 8,9: Introduction to number theory and RSA algorithm. Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown. The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for." - PowerPoint PPT PresentationTRANSCRIPT
Chap. 8,9: Introduction to number theory and RSA algorithm
Jen-Chang Liu, 2004
Adapted fromLecture slides by Lawrie Brown
The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for."
Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation an + bn = cn has no non-trivial solution in the integers."
They agreed on a three-day period for the labor, and the Devil disappeared.
At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?'
"Eh? No . . . no, I haven't proved it.""Then I can have whatever I ask for? Money? The
Presidency?'"What? Oh, that—of course. But listen! If we could just prove
the following two lemmas—"—The Mathematical Magpie, Clifton Fadiman
Clifton Fadiman Clifton Fadiman was a multi-talented
writer, critic, raconteur and bookworm. He is best remembered as moderator of the erudite radio quiz show Information, Please, which ran from 1938 until 1952.
He wrote a book: The Lifetime Reading Plan ( 一生的讀書計畫 ) ,列出 西方經典一百本
Motivation: RSA public-key algorithm
One key for encryption, one key for decryption
Preview of RSA algorithm k-bit block cipher, 2k < n ≤ 2k+1
Plaintext M, ciphertext C
C = Me mod n, where 0 ≤ M < nM = Cd mod n = (Med) mod n
Q: Is there e, d, n such that (Med)≡ M mod n ?A: Euler’s theorem
Q: Given e , is it possible to compute M directly from C ?
Outline Prime numbers Fermat’s and Euler’s Theorems RSA algorithm Testing for primality
Prime Numbers prime numbers only have divisors of 1 and
self they cannot be written as a product of other
numbers note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not prime numbers are central to number theory list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
Prime Factorisation prime factorisation: any integer a>1
can be factored in a unique way , are primes each ai is a positive
integer eg. 91=7×13 ; 3600=24×32×52
Note: factoring a number is relatively hard compared to multiplying the factors together to generate the number
tat
aa pppa 2121 tppp 21
Relatively Prime Numbers & GCD
two numbers a,b are relatively prime if have no common divisors apart from 1 eg. 8 & 15 are relatively prime since factors
of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers eg. 300=22×31×52 18=21×32 hence GCD(18,300)=21×31×50=6
Outline Prime numbers Fermat’s and Euler’s Theorems RSA algorithm Testing for primality
Fermat's Theorem also known as Fermat’s Little Theorem ap-1 mod p = 1
where p is prime and gcd(a,p)=1 [a, p 互質 ]
useful in public key and primality testing
Proof of Fermat’s law Recall: p is a prime, Zp is a Galois Field
Any a multiplied by{1,2,…,p-1} will span{1,2,…,p-1} in some order
a×2a×…×((p-1)a) ≡ [(a mod p)×(2a mod p)×…×((p-1)a mod p)] mod p ≡ [1×2×…×(p-1)] mod p ≡ (p-1)! mod p
(p-1)! ap-1 ≡ (p-1)! mod p
Proof of Fermat’s law (cont.)
(p-1)! ap-1 ≡ (p-1)! mod pBecause (p-1)! is relatively prime to p
ap-1 ≡ 1 mod pThis can be re-written as
ap ≡ a mod pExample: a = 7, p = 19 => 718 ≡ 1 mod 19 ?
718 =716×72
72=49≡11 mod 1974=72×72≡(11×11) mod 19= 7 mod 1978=74×74≡(7×7) mod 19= 11 mod 19716=78×78≡(11×11) mod 19= 7 mod 19
≡(7×11) mod 19 = 1 mod 19
Euler’s Totient Function ø(n)
when doing arithmetic modulo n complete set of residues is: 0..n-1 reduced set of residues is those numbers
(residues) which are relatively prime to n eg. for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues is called the Euler Totient Function ø(n)
i.e. is the number of positive integers less than n and relatively prime to n
Example: totient function ø(37)=?
37 is a prime, {1,…,36} are all relatively prime to 37
ø(37)=36 ø(35)=?
List them: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}
ø(35)=24
Euler’s Totient Function ø(n)
Some special case: for p (p prime) : ø(p) = p-1 for p•q (pq, both prime): ø(p•q)=(p-1)×(q-1)
Proof for ø(p•q) = (p-1)×(q-1) {1,2,3,…, pq-1} 與 pq 互質的個數? => 與 pq 非互質個數:
1. p 的倍數: {p, 2p, 3p,…, (q-1)p}2. q 的倍數: {q, 2q, 3q,…, (p-1)q}
ø(p•q) =pq-1 – (p-1) – (q-1) = pq-p-q+1 = (p-1)(q-1)= ø(p)×ø(q)
Euler's Theorem Fermat's Theorem: an-1 ≡ 1 mod n Euler’s theorem: aø(n)≡ 1 mod n
where gcd(a,n)=1 eg.
a=3;n=10; ø(10)=4; hence 34 = 81 = 1 mod 10 a=2;n=11; ø(11)=10; hence 210 = 1024 = 1 mod 11
Proof for Euler’s theorem aø(n)≡ 1 mod n, gcd(a,n)=1 n is a prime => Fermat’s theorem Arbitrary n: ø(n) means the number of integers
that is relatively prime to n, denote the set of integers as )(21 ,,, nxxxR
Multiply each by a, modulo n: n) mod (,,n) mod (,n) mod ( )(21 naxaxaxS
S is a permutation of R !!!* a is relatively prime to n, and xi is relative prime to n => so does axi* There is no duplicate in S
Proof for Euler’s theorem (cont.) )(21 ,,, nxxxR
n) mod (,,n) mod (,n) mod ( )(21 naxaxaxS is the permutation of
)(
1
)(
1
n) mod (n
ii
n
ii xax
n) (mod
)(
1
)(
1
n
ii
n
ii xax
n) (mod )(
1
)(
1
)(
n
ii
n
ii
n xxa
mod n
n) (mod 1)( na
OR n) (mod 1)( aa n
(Med)≡ M mod nRecall: RSA algorithm
Corollary to Euler’s theorem
RSA algorithm: Euler’s theorem: Given prime p and q, n=pq, 0<a<n
(Med)≡ M mod nn) (mod 1)( aa n
n) (mod 1)1)(1(1)( aaa qpn
gcd(a, n)=1
a: plaintext => not necessary prime to n !!!1. a is prime to n => Euler’s theorem
2. a is NOT prime to n => a 是 p 的倍數 或 a 是 q 的倍數 Prove case 1: a = cp
but a qp, because 0<a<n=pq => gcd(a, q) = 1
Corollary to Euler’s theorem (cont.)
case 1: a = cp, gcd(a,q)=1Euler’s theorem
q mod 1)( qa
自乘 ø(p) 次 q mod 1 )()( pqa
=> q mod 1)( naTotient function
=> 1kq)( na
=>Multiply a=cp akcnakcpq1)( na
=> n mod 1)( aa n
Δ
Corollary to Euler’s theorem (cont.)
Given prime p and q, n=pq, 0<a<n
Alternative form of the corollary (used in RSA)
n) (mod 1)1)(1(1)( aaa qpn
n mod )( )(1)( aaa knnk
n mod )1( ak By Euler’s theoremn mod a
RSA from Euler’s corollary RSA algorithm: find e, d, n to satisfy
Euler’s corollary: given primes p and q, n=pq,
0<a<n, and arbitrary k
(Med)≡ M mod n
n mod 1)1)(1(1)( aaa qpknk
We want ed = k( n) + 1=> ed ≡ 1 mod ( n)or d ≡ e-1 mod ( n)(d is the multiplicative inverse of e, it existsIf d (and e) is relatively prime to (n) )
Outline Prime numbers Fermat’s and Euler’s Theorems RSA algorithm Testing for primality
RSA algorithm – decide parameters
1. Select primes p and q.2. Calculate n=pq.3. Calculate (n)=(p-1)(q-1)4. Select e that is relative
prime to and less than (n)5. Determine d such that de ≡ 1 mod (n),and d< (n)(d is the multiplicative inverse of e, find it
using Extended Euclid’s algorithm)
Example:p=17, q=11n= 17x11 = 187(n)= 16x10 = 160
e = 7
d = 23
RSA encryption/decryption example
Public key: KU={e,n}={7,187} Private key: KR={d,n}={23,187}
Ingredient and security of RSA
p, q: two primes (private, chosen)
n=pq (public, calculated)
e, with gcd((n),e)=1 (public, chosen) 1<e< (n) d ≡ e-1 mod (n) (private, calculated)
(n) must be a secret, else d can be calculated
n is known => (n) can be calculated from n?
p, q must be secrets => (n) = (p-1)(q-1)
=> p, q calculated from n?
The security of RSA Brute-force: try all private keys Mathematical attacks:
Factor n into its two prime factors, n=> p×q
Determine (n) directly Determine d directly without (n)
Timing attacks: depends on the running time of the decryption algorithm
Samecomplexity
Complexity of factorization problem
(key size)(key size)
Computation – encryption/decryption
Modular exponentiation: Fast algorithm use the property:
Write exponential d as binary number: bkbk-1…b1b0
ex. 2310 = 101112 = 24+22+21+20
M = Cd mod n
(a x b) mod n = (a mod n) x (b mod n) mod n
n mod n mod n mod n mod 0
2
0
2
j
j
j
j
bb
d CCC
1123 mod 187 =(1116×114×112×111) mod 187=[(1116 mod 187)×(114 mod 187)×(112 mod 187)×(111 mod 187)] mod 187=…=88
Pseudo-code for fast exponentiation
c=0; /* c will be the exponent at last */d=1; /* d will be the ab mod n at last */
for(i=k; i>=0; i--){ /* k+1 bits for b */ c = 2*c; d = (d*d) mod n; if ( bi == 1 ){ c = c+1; d = (d*a) mod n }}
Timing attacks
If this bit is 1, exec. Time willbe slower
Resist to timing attacks Constant exponentiation time
return the results of exponentiation after a fixed time
Random delay Add random delay to the exp. execution
time Blinding
Multiply ciphertext by a random number